}
} else if (!strcasecmp(v->name, "nat")) {
ast_set_flag(&mask[0], SIP_NAT_FORCE_RPORT);
+ ast_set_flag(&flags[0], SIP_NAT_FORCE_RPORT); /* Default to "force_rport" */
if (!strcasecmp(v->value, "no")) {
ast_clear_flag(&flags[0], SIP_NAT_FORCE_RPORT);
- } else if (!strcasecmp(v->value, "force_rport")) {
- ast_set_flag(&flags[0], SIP_NAT_FORCE_RPORT);
} else if (!strcasecmp(v->value, "yes")) {
- ast_set_flag(&flags[0], SIP_NAT_FORCE_RPORT);
+ /* We've already defaulted to force_rport */
ast_set_flag(&mask[1], SIP_PAGE2_SYMMETRICRTP);
ast_set_flag(&flags[1], SIP_PAGE2_SYMMETRICRTP);
} else if (!strcasecmp(v->value, "comedia")) {
ast_format_cap_add(cap, ast_format_set(&tmp_fmt, AST_FORMAT_H263, 0));
}
+static void display_nat_warning(const char *cat, int reason, struct ast_flags *flags) {
+ int global_nat, specific_nat;
+
+ if (reason == CHANNEL_MODULE_LOAD && (specific_nat = ast_test_flag(&flags[0], SIP_NAT_FORCE_RPORT)) != (global_nat = ast_test_flag(&global_flags[0], SIP_NAT_FORCE_RPORT))) {
+ ast_log(LOG_WARNING, "!!! PLEASE NOTE: Setting 'nat' for a peer/user that differs from the global setting can make\n");
+ ast_log(LOG_WARNING, "!!! the name of that peer/user discoverable by an attacker. Replies for non-existent peers/users\n");
+ ast_log(LOG_WARNING, "!!! will be sent to a different port than replies for an existing peer/user. If at all possible,\n");
+ ast_log(LOG_WARNING, "!!! use the global 'nat' setting and do not set 'nat' per peer/user.\n");
+ ast_log(LOG_WARNING, "!!! (config category='%s' global force_rport='%s' peer/user force_rport='%s')\n", cat, AST_CLI_YESNO(global_nat), AST_CLI_YESNO(specific_nat));
+ }
+}
+
/*! \brief Re-read SIP.conf config file
\note This function reloads all config data, except for
active peers (with registrations). They will only
ast_copy_string(default_mohinterpret, DEFAULT_MOHINTERPRET, sizeof(default_mohinterpret));
ast_copy_string(default_mohsuggest, DEFAULT_MOHSUGGEST, sizeof(default_mohsuggest));
ast_copy_string(default_vmexten, DEFAULT_VMEXTEN, sizeof(default_vmexten));
- ast_set_flag(&global_flags[0], SIP_DTMF_RFC2833); /*!< Default DTMF setting: RFC2833 */
- ast_set_flag(&global_flags[0], SIP_DIRECT_MEDIA); /*!< Allow re-invites */
+ ast_set_flag(&global_flags[0], SIP_DTMF_RFC2833); /*!< Default DTMF setting: RFC2833 */
+ ast_set_flag(&global_flags[0], SIP_DIRECT_MEDIA); /*!< Allow re-invites */
+ ast_set_flag(&global_flags[0], SIP_NAT_FORCE_RPORT); /*!< Default to nat=force_rport */
ast_copy_string(default_engine, DEFAULT_ENGINE, sizeof(default_engine));
ast_copy_string(default_parkinglot, DEFAULT_PARKINGLOT, sizeof(default_parkinglot));
}
peer = build_peer(cat, ast_variable_browse(cfg, cat), NULL, 0, 0);
if (peer) {
+ display_nat_warning(cat, reason, &peer->flags[0]);
ao2_t_link(peers, peer, "link peer into peers table");
if ((peer->type & SIP_TYPE_PEER) && !ast_sockaddr_isnull(&peer->addr)) {
ao2_t_link(peers_by_ip, peer, "link peer into peers_by_ip table");
; for their media streams is not actual port number that will be used on the nearer
; side of the NAT.
;
+; IT IS IMPORTANT TO NOTE that if the nat setting in the general section differs from
+; the nat setting in a peer definition, then the peer username will be discoverable
+; by outside parties as Asterisk will respond to different ports for defined and
+; undefined peers. For this reason it is recommended to ONLY DEFINE NAT SETTINGS IN THE
+; GENERAL SECTION. Specifically, if nat=force_rport in one section and nat=no in the
+; other, then valid users with settings differing from those in the general section will
+; be discoverable.
+;
; In addition to these settings, Asterisk *always* uses 'symmetric RTP' mode as defined by
; RFC 4961; Asterisk will always send RTP packets from the same port number it expects
; to receive them on.
type=friend
[natted-phone](!,basic-options) ; another template inheriting basic-options
- nat=yes
directmedia=no
host=dynamic
[public-phone](!,basic-options) ; another template inheriting basic-options
- nat=no
directmedia=yes
[my-codecs](!) ; a template for my preferred codecs
;description=Courtesy Phone ; Description of the peer. Shown when doing 'sip show peers'.
;host=192.168.0.23 ; we have a static but private IP address
; No registration allowed
-;nat=no ; there is not NAT between phone and Asterisk
;directmedia=yes ; allow RTP voice traffic to bypass Asterisk
;dtmfmode=info ; either RFC2833 or INFO for the BudgeTone
;call-limit=1 ; permit only 1 outgoing call and 1 incoming call at a time
;regexten=1234 ; When they register, create extension 1234
;callerid="Jane Smith" <5678>
;host=dynamic ; This device needs to register
-;nat=yes ; X-Lite is behind a NAT router
;directmedia=no ; Typically set to NO if behind NAT
;disallow=all
;allow=gsm ; GSM consumes far less bandwidth than ulaw
;type=friend
;secret=blah
;qualify=200 ; Qualify peer is no more than 200ms away
-;nat=yes ; This phone may be natted
- ; Send SIP and RTP to the IP address that packet is
- ; received from instead of trusting SIP headers
;host=dynamic ; This device registers with us
;directmedia=no ; Asterisk by default tries to redirect the
; RTP media stream (audio) to go directly from
projects / asterisk/asterisk.git / commitdiff