>>>
>>> The first option is sub-optimal, I don't want all our routers having a
>>> drop-this-packet "firewall" line for various reasons. The second
>>> option I've started to like more and more. There's two ways to resolve
>>> this:
>>> - I just make sure I add an iptables call somewhere in the startup script,
>>> or
>>> - I/We add an RFC6263 configuration option to Mediaproxy that does
>>> more or less the same
>>>
>>> The iptables call would drop all 0 length UDP messages sent to the
>>> mediaproxy ports.
>>>
>>> Am I wrong in my thinking?
>>>
>> Once the call is up (a single RTP packet was received from each endpoint)
>> MediaProxy will setup a conntrack rule, and the Linux kernel will do the
>> relaying. This means that MediaProxy itself cannot inspect the RTP packets
>> at that point, because they are not traversing user-space code anymore.
> As far as understood, what Andreas wants to do is to drop such packages from
> iptables rule, not necessarily from media relay software.
>
Yes, indeed. I was pointing out that option 2 (adding RFC6263 config option to MediaProxy) is not feasible due to its architecture, but doing it with iptables is perfectly fine :-)

Regards,

--
Saúl Ibarra Corretgé
AG Projects
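The iptables approach discussed in this thread, as an added example that is not part of the original messages: a POSIX shell function (hypothetical name `empty_udp_drop_rules`) that validates a caller-supplied relay port range and prints the matching drop rules. It assumes packets carry no IPv4 options or IPv6 extension headers, so an empty UDP datagram is exactly 28 or 48 bytes; the `50000 60000` range in the usage comment is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the relay's UDP port range
# is supplied by the caller, and packets carry no IPv4 options or IPv6
# extension headers.

# Print (do not execute) rules that drop zero-length UDP datagrams sent to the
# relay port range. The rules go into raw/PREROUTING, which every inbound
# packet traverses before connection tracking, so they do not depend on the
# packet reaching a user-space process.
empty_udp_drop_rules() {
    lo=$1
    hi=$2

    # Both bounds must be non-empty decimal numbers.
    for p in "$lo" "$hi"; do
        case "$p" in
            ''|*[!0-9]*) echo "port must be numeric: '$p'" >&2; return 2 ;;
        esac
    done

    # Bounds must be valid ports and form a non-inverted range.
    if [ "$lo" -lt 1 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
        echo "invalid port range: $lo:$hi" >&2
        return 2
    fi

    # IPv4: 20-byte IP header + 8-byte UDP header + 0 payload = 28 bytes.
    echo "iptables -t raw -A PREROUTING -p udp --dport $lo:$hi -m length --length 28 -j DROP"
    # IPv6: 40-byte IP header + 8-byte UDP header + 0 payload = 48 bytes.
    echo "ip6tables -t raw -A PREROUTING -p udp --dport $lo:$hi -m length --length 48 -j DROP"
}

# Usage (constructed sample range), review the output before applying as root:
#   empty_udp_drop_rules 50000 60000
#   empty_udp_drop_rules 50000 60000 | sh
if [ "$#" -eq 2 ]; then
    empty_udp_drop_rules "$1" "$2"
fi
```

Packets with IPv4 options or IPv6 extension headers have a different total length and will not match these rules.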
