oob cfg: merged changes from last SIPit

This version of sip-router-oob.cfg was successfully tested at
SIPit 24. The changes are:
- re-organzied the NAT detection
- added lots of comments about NAT detection
- renamed the record- and loose-routes
- added an inactive ENUM route
- activated DNS NAPTR and SRV options
- disabled TCP async to allow usage of TLS
- disabled the files limit as this prevents the usage of the config as non-root
user on most systems

etc/sip-router-oob.cfg

@@ -146,7 +146,7 @@ rev_dns=no              # (cmd. line: -R)
 #user=sip-router
 #group=sip-router
 #disable_core=yes       # disables core dumping
-open_files_limit=20480  # sets the open file descriptors limit
+#open_files_limit=20480  # sets the open file descriptors limit
 #mhomed=yes             # usefull for multihomed hosts, small performance
                         # penalty
 disable_tcp=no          # be conservative about enabling TCP -- it can
@@ -195,12 +195,12 @@ dns_cache_min_ttl=60
 dns_cache_max_ttl=86400 # 1 day
 dns_cache_mem=2048 # 2 MB
 dns_cache_gc_interval=60  # garbage collection every minute
-# sip-router 2.1 specific options
-# dns_try_naptr=yes
-# dns_srv_lb=yes  # srv based load balancing
-# dns_udp_pref=3  # prefer udp (when resolving naptr record)
-# dns_tcp_pref=2  # if no udp availbale accept tcp (for naptr)
-# dns_tls_pref=-1 # ignore / don't accept tls (for naptr)
+# ser 2.1 specific options
+dns_try_naptr=yes
+dns_srv_lb=yes  # srv based load balancing
+dns_udp_pref=3  # prefer udp (when resolving naptr record)
+dns_tcp_pref=2  # if no udp availbale accept tcp (for naptr)
+dns_tls_pref=-1 # ignore / don't accept tls (for naptr)
 # dns_cache_delete_nonexpired=no
 
 # ------------------- Blacklist Parameters ----------------------------------
@@ -223,6 +223,9 @@ tcp_connect_timeout=1
 
 # Enable TLS hooks so that the TLS module can be used
 tls_enable=yes
+# This option is required if you want to use TLS as the TLS
+# module does not support the new async TCP mode yet
+tcp_async=no
 
 # -------------------- Custom Parameters ------------------------------------
 # These parameters can be modified runtime via RPC interface,
@@ -289,6 +292,7 @@ loadmodule "db_ops"
 loadmodule "exec"
 loadmodule "cfg_rpc"
 loadmodule "eval"
+#loadmodule "enum"
 #loadmodule "tls"
 
 # ----------------- Declaration of Script Flags -----------------------------
@@ -403,7 +407,7 @@ modparam("auth", "secret", "aqwedrftredswqwddcft")
 modparam("rr", "enable_full_lr", 1)
 
 # Limit the length of the AVP cookie to necessary attributes only
-modparam("rr", "cookie_filter", "(account|uac_nat|stimer)")
+modparam("rr", "cookie_filter", "(account|rproxy|stimer)")
 
 # You probably do not want that someone can simply read and change
 # the AVP cookie in your Routes, thus should really change this
@@ -539,7 +543,7 @@ route
 	route(CATCH_CANCEL);
 
 	# Check if the request is routed via Route header.
-	route(LOOSE_ROUTE);
+	route(PROCESS_ROUTES);
 
 	# Look up domain IDs
 	route(DOMAIN);
@@ -609,20 +613,20 @@ route[FORWARD]
 	# Always use the reply route to check for NATed UAS.
 	t_on_reply("REPLY_ROUTE");
 
-	# Insert a Record-Route header into all requests.
-	# This has to be done as one of the last steps to include all the
-	# RR cookies which might have been created during the script run.
-	route(RR);
-
-	# Activate the RTP proxy as the last step because it modifies the
-	# body.
-	route(RTPPROXY);
-
 	# Remove credentials to keep requests shorter
 	if (isflagset(FLAG_AUTH_OK) && !isflagset(FLAG_DONT_RM_CRED) ) {
 		consume_credentials();
 	}
 
+	# Activate the RTP proxy as the second last step because it modifies the
+	# body but also sets an dialog AVP cookie.
+	route(RTPPROXY);
+
+	# Insert a Record-Route header into all requests.
+	# This has to be done as one of the last steps to include all the
+	# RR cookies which might have been created during the script run.
+	route(RECORD_ROUTE);
+
 	# Send it out now.
 	if (!t_relay()) {
 		if (isflagset(FLAG_FAILUREROUTE)) {
@@ -652,13 +656,14 @@ route[INIT]
 		drop;
 	}
 
-	# Set flag for use in the onsend route
+	# Set flag for use in the onsend route (because it does not
+	# allow to use "select" statements)
 	if (@to.tag != "") {
 		setflag(FLAG_TOTAG);
 	}
 
 	# Check if the UAC is NATed and fix the message accordingly
-	route(NAT_DETECTION);
+	route(UAC_NAT_DETECTION);
 
 	# Activate accounting for all initial INVITEs. In-dialog requests
 	# are accounted by a RR cookie (see below).
@@ -690,14 +695,20 @@ route[OPTIONS_REPLY]
 
 
 # Check if the sender of the request is behind a NAT device. If so,
-# fix the request so that other devices can talk to the sender nonetheless.
+# fix the request so that other devices can talk to the sender none the less.
 #
-route[NAT_DETECTION]
+route[UAC_NAT_DETECTION]
 {
 	# Lots of UAs do not include the rport parameter in there Via
 	# header, so we put it there regardless.
 	force_rport();
-	force_tcp_alias();
+
+	# If a reliable transport was used store the connection internally
+	# so that SERs core can re-use the connection later.
+	if (proto==TCP || proto == TLS)
+	{
+		force_tcp_alias();
+	}
 
 	# Check if the request contains hints for a NATed UAC. Also, try to
 	# rewrite contacts using maddr. Using maddr is a really dubious
@@ -712,12 +723,26 @@ route[NAT_DETECTION]
 	# own.  Should you encounter such a case, a possible solution
 	# would be to store the original information as a contact parameter
 	# and restore it on its way back.
-	if (nat_uac_test("19")
-	    || (@hf_value["contact"] != "" && @contact.uri.params.maddr != ""))
+
+	# In case of UDP we test for
+	#  - private IPs in Contact
+	#  - mismatch of transport IP and IP in Via
+	#  - mismatch of transport port and port in Via
+	# in all other cases we skip the port test, because lots of clients
+	# do not correctly advertise their emphemeral port number in their Via
+	# header in case of reliable transports (although they are not behind
+	# a NAT).
+
+	# Warning: if you are dealing with SIP implementations which are
+	# running on public IP and do as-symmertic signaling for whatever
+	# reason the following check will make their signaling symmetric.
+	# If you need to support as-symmertic signaling reduce the following
+	# nat_uac_test for UDP to "3" or even "1".
+	if ((proto == UDP && nat_uac_test("19")) ||
+		(nat_uac_test("3")) ||
+		(@hf_value["contact"] && @contact.uri.params.maddr))
 	{
 		setflag(FLAG_NAT);
-		$uac_nat = 1;
-		setavpflag($uac_nat, "dialog_cookie");
 		if (method == "REGISTER") {
 			# Prepare the Contact so that the registrar module
 			# saves the source address and port as well.
@@ -732,6 +757,46 @@ route[NAT_DETECTION]
 }
 
 
+# Check if the receiver of the request is behind a NAT device. If so,
+# fix the Contact header to allow proper routing of in-dialog requests.
+route[UAS_NAT_DETECTION]
+{
+	# Fix the Contact in the reply if it contains a private IP to
+	# allow proper routing of in-dialog messages.
+	# Do the same if the contact is maddred.
+
+	# But skip 3XX responses, because we do not know the right IP for that,
+	# even if they contain private IPs.
+	if (status=~"(3[0-9][0-9])") {
+		break;
+	}
+
+	# Prevent that we over-write the Contact with the IP of our proxy when
+	# the reply loops through ourself.
+	if (src_ip == myself) {
+		break;
+	}
+
+	# In this case we check only if the Contact URI contains a private
+	# IP, because the Via header contains only informations from the UAC.
+	# Additionally we check if the port in the Contact URI differs from
+	# the port of the transport to catch UAS or ALG which put the public
+	# IP address into the Contact header, but "forget" about the port.
+
+	# Warning: if you are dealing with SIP implementations which are
+	# running on public IP and do as-symmertic signaling for whatever
+	# reason the following check will make their signaling symmetric.
+	# If you need to support as-symmertic signaling reduce the following
+	# nat_uac_test for UDP to just "1".
+	if ( (proto == UDP && nat_uac_test("33")) ||
+		(nat_uac_test("1") ||
+		(@hf_value["contact"] && @contact.uri.params.maddr)))
+	{
+		fix_nated_contact();
+	}
+}
+
+
 # Activates RTP proxy if necessary.
 #
 route[RTPPROXY]
@@ -750,29 +815,32 @@ route[RTPPROXY]
 		break;
 	} # else rtp proxy is permanently enabled
 
-	# If the message terminates a dialog turn RTP proxy off.
-	if (method == "BYE" || method == "CANCEL") {
+	# If the message terminates a dialog for which the RTP proxy 
+	# was turned on, turn it off again.
+	if ((method == "BYE" && isflagset(FLAG_RTP_PROXY)) ||
+		(method == "CANCEL")) {
 		unforce_rtp_proxy();
-		append_hf("P-RTP-Proxy: UNFORCED\r\n");
+		append_hf("P-RTP-Proxy: Off\r\n");
 		break;
 	}
 
-	# Turn the RTP proxy on for INVITEs and UPDATEs.
+	# Turn the RTP proxy on for INVITEs and UPDATEs, if they 
+	# have a body
 	if (((method=="INVITE" || method == "UPDATE") && @msg.body != "")
 	    && !isflagset(FLAG_RTP_PROXY))
 	{
 		force_rtp_proxy('r');
-		append_hf("P-RTP-Proxy: YES\r\n");
+		append_hf("P-RTP-Proxy: On\r\n");
 		setflag(FLAG_RTP_PROXY);
+		$rproxy = 1;
+		setavpflag($rproxy, "dialog_cookie");
 	}
 }
 
 
-# Handling of loose routed requests
+# Handling of Route headers
 #
-#    XXX Isn't the proper term "record routed"? This route also handles
-#        strict routed requests, doesn't it? -- martinh
-route[LOOSE_ROUTE]
+route[PROCESS_ROUTES]
 {
 	# subsequent messages withing a dialog should take the
 	# path determined by the Route headers.
@@ -791,9 +859,9 @@ route[LOOSE_ROUTE]
 			setflag(FLAG_ACC);
 		}
 
-		# Restore the NAT flag if present
-		if ($uac_nat == 1) {
-			setflag(FLAG_NAT);
+		# Restore the RTP proxy flag if present
+		if ($rproxy == "1") {
+			setflag(FLAG_RTP_PROXY);
 		}
 
 		# Restore Session Timer flag and headers.
@@ -814,7 +882,7 @@ route[LOOSE_ROUTE]
 		# out-of-dialog requests. Some in-dialog requests can't be
 		# authenticated at all, see the call-forwarding example in
 		# route[DOMAIN].
-		route(RR);
+		route(RECORD_ROUTE);
 
 		route(FORWARD);
 	}
@@ -823,7 +891,7 @@ route[LOOSE_ROUTE]
 
 # Add a Record-Route header
 #
-route[RR]
+route[RECORD_ROUTE]
 {
 	if (!isflagset(FLAG_RR_DONE) && method != "REGISTER") {
 		# We record-route all messages to make sure that
@@ -901,7 +969,6 @@ route[REGISTRAR]
 		# Read marker from master
 		if (search("^Repl-Marker: nated")) {
 			setflag(FLAG_NAT);
-			$uac_nat = 1;
 		}
 
 		# If the replicating server added its own server id to the
@@ -1363,6 +1430,21 @@ route[SESSION_TIMER]
 	}
 }
 
+# Route which checks and performs ENUM queries
+# #
+route[ENUM]
+{
+	# perform ENUM query only if the RURI contains an E.164
+	# number as uer part
+	if (uri =~ "sip:\+[0-9]?@") {
+		# if the ENUM query was successful send it right
+		# away of to the new target, otherwise do nothing
+		if (enum_query()) {
+			route(FORWARD);
+		}
+	}
+}
+
 
 # Failure route for initial INVITEs.
 #
@@ -1406,15 +1488,9 @@ failure_route[FAILURE_ROUTE]
 #
 onreply_route[REPLY_ROUTE]
 {
-	# Fix the Contact in the reply if it contains a private IP to
+	# Check and fix the Contact in the reply to
 	# allow proper routing of in-dialog messages.
-	# Do the same if the contact is maddred. See the notes in route
-	# [NAT_DETECTION] for more information.
-	if (nat_uac_test("1") ||
-	    (@hf_value["contact"] != "" && @contact.uri.params.maddr != ""))
-	{
-		fix_nated_contact();
-	}
+	route(UAS_NAT_DETECTION);
 
 	# If RTP proxy was activated and this is a 18x or 2xx reply with a
 	# body, inform RTP proxy.