View Issue Details

IDProjectCategoryView StatusLast Update
0016756CentOS-7sippublic2019-11-20 13:51
Reporterjblaberg 
PrioritynormalSeverityminorReproducibilitysometimes
Status newResolutionopen 
Product Version7.6.1810 
Target VersionFixed in Version 
Summary0016756: nf_conntrack_sip cannot handle segmented SIP packets very well
DescriptionWhen module nf_conntrack_sip is loaded, TCP segmented SIP traffic fail under certain circumstances.
We found segmented INVITEs ending in "CSeq: 1 " (notice the trailing space) when tracing using tcpdump, which means the next segment would be starting with "INVITE<CR><LF>" which trigger as an incoming INVITE but with incorrect syntax.
It seemed like the faulty segment was just dropped and the system call "send" was hanging indefinitely.
Steps To ReproduceWe setup a SIPp instance calling to our B2BUA SIP application redirecting to another SIPp instance. When increasing call frequency we occasionally got the behaviour described above except it was for BYE, not INVITE.
Additional InformationThe work-around is easy:
Just skip the built-in sip service in firewalld, and define the ports manually in the filrewalld zone.
And rmmod nf_nat_sip + rmmod nf_conntrack_sip.
Tagsnetfilter
abrt_hash
URL

Activities

TrevorH

TrevorH

2019-11-20 13:51

manager   ~0035715

CentOS is a rebuild of the sources used to create RHEL. We do not modify anything except to remove branding and logos. You will need to submit your request to Redhat via bugzilla.redhat.com and if/when RH accepts it and incorporates it into RHEL and releases a patched version, then CentOS will pick it up and rebuild it.

Issue History

Date Modified Username Field Change
2019-11-20 13:46 jblaberg New Issue
2019-11-20 13:46 jblaberg Tag Attached: netfilter
2019-11-20 13:51 TrevorH Note Added: 0035715