Default to nat=yes; warn when nat in general and peer differ

It is possible to enumerate SIP usernames when the general and user/peer nat settings differ in whether to respond to the port a request is sent from or the port listed for responses in the Via header. In 1.4 and 1.6.2, this would mean if one setting was nat=yes or nat=route and the other was either nat=no or nat=never. In 1.8 and 10, this would mean when one was nat=force_rport and the other was nat=no. In order to address this problem, it was decided to switch the default behavior to nat=yes/force_rport as it is the most commonly used option and to strongly discourage setting nat per-peer/user when at all possible. For more discussion of the issue, please see: http://lists.digium.com/pipermail/asterisk-dev/2011-November/052191.html (closes issue ASTERISK-18862) Review: https://reviewboard.asterisk.org/r/1591/ ........ Merged revisions 345776 from http://svn.asterisk.org/svn/asterisk/branches/1.4 ........ Merged revisions 345800 from http://svn.asterisk.org/svn/asterisk/branches/1.6.2 ........ Merged revisions 345828 from http://svn.asterisk.org/svn/asterisk/branches/1.8 ........ Merged revisions 345830 from http://svn.asterisk.org/svn/asterisk/branches/10 git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@345831 65c4cc65-6c06-0410-ace0-fbb531ad65f3
author: Terry Wilson <twilson@digium.com> 2011-11-21 21:09:59 +0000
committer: Terry Wilson <twilson@digium.com> 2011-11-21 21:09:59 +0000
commit: 32d0faac9cb7576520d326ddd15d9fc7a0b47252 (patch)
tree: f75414aa3d0e226e2cc130bf5f91e27c70a4d62c /configs
parent: 298d015828a638a8ab0f07f8f8205ef04026bdd8 (diff)
1 files changed, 8 insertions, 7 deletions
diff --git a/configs/sip.conf.sample b/configs/sip.conf.sample
index 3c77a88be..cb492161e 100644
--- a/configs/sip.conf.sample
+++ b/configs/sip.conf.sample
@@ -824,6 +824,14 @@ srvlookup=yes                   ; Enable DNS SRV lookups on outbound calls
 ; for their media streams is not actual port number that will be used on the nearer
 ; side of the NAT.
 ;
+; IT IS IMPORTANT TO NOTE that if the nat setting in the general section differs from
+; the nat setting in a peer definition, then the peer username will be discoverable
+; by outside parties as Asterisk will respond to different ports for defined and
+; undefined peers. For this reason it is recommended to ONLY DEFINE NAT SETTINGS IN THE
+; GENERAL SECTION. Specifically, if nat=force_rport in one section and nat=no in the
+; other, then valid users with settings differing from those in the general section will
+; be discoverable.
+;
 ; In addition to these settings, Asterisk *always* uses 'symmetric RTP' mode as defined by
 ; RFC 4961; Asterisk will always send RTP packets from the same port number it expects
 ; to receive them on.
@@ -1212,12 +1220,10 @@ srvlookup=yes                   ; Enable DNS SRV lookups on outbound calls
         type=friend
 
 [natted-phone](!,basic-options)   ; another template inheriting basic-options
-        nat=yes
         directmedia=no
         host=dynamic
 
 [public-phone](!,basic-options)   ; another template inheriting basic-options
-        nat=no
         directmedia=yes
 
 [my-codecs](!)                    ; a template for my preferred codecs
@@ -1257,7 +1263,6 @@ srvlookup=yes                   ; Enable DNS SRV lookups on outbound calls
 ;description=Courtesy Phone      ; Description of the peer. Shown when doing 'sip show peers'.
 ;host=192.168.0.23               ; we have a static but private IP address
                                  ; No registration allowed
-;nat=no                          ; there is not NAT between phone and Asterisk
 ;directmedia=yes                 ; allow RTP voice traffic to bypass Asterisk
 ;dtmfmode=info                   ; either RFC2833 or INFO for the BudgeTone
 ;call-limit=1                    ; permit only 1 outgoing call and 1 incoming call at a time
@@ -1287,7 +1292,6 @@ srvlookup=yes                   ; Enable DNS SRV lookups on outbound calls
 ;regexten=1234                   ; When they register, create extension 1234
 ;callerid="Jane Smith" <5678>
 ;host=dynamic                    ; This device needs to register
-;nat=yes                         ; X-Lite is behind a NAT router
 ;directmedia=no                  ; Typically set to NO if behind NAT
 ;disallow=all
 ;allow=gsm                       ; GSM consumes far less bandwidth than ulaw
@@ -1361,9 +1365,6 @@ srvlookup=yes                   ; Enable DNS SRV lookups on outbound calls
 ;type=friend
 ;secret=blah
 ;qualify=200                     ; Qualify peer is no more than 200ms away
-;nat=yes                         ; This phone may be natted
-                                 ; Send SIP and RTP to the IP address that packet is
-                                 ; received from instead of trusting SIP headers
 ;host=dynamic                    ; This device registers with us
 ;directmedia=no                  ; Asterisk by default tries to redirect the
                                  ; RTP media stream (audio) to go directly from
author	Terry Wilson <twilson@digium.com>	2011-11-21 21:09:59 +0000
committer	Terry Wilson <twilson@digium.com>	2011-11-21 21:09:59 +0000
commit	32d0faac9cb7576520d326ddd15d9fc7a0b47252 (patch)
tree	f75414aa3d0e226e2cc130bf5f91e27c70a4d62c /configs
parent	298d015828a638a8ab0f07f8f8205ef04026bdd8 (diff)