L7 misses packets strangely

acypkob · June 8, 2017, 7:14am

[asurkov@r4.lider.pro] /ip firewall filter> print
3    chain=forward action=log layer7-protocol=sip_register protocol=tcp src-address=10.0.0.241 dst-address=193.201.229.35 
      dst-port=5060 
 4    chain=forward action=log protocol=tcp src-address=10.0.0.241 dst-address=193.201.229.35 dst-port=5060 
 5    chain=forward action=accept layer7-protocol=sip_register
 [asurkov@r4.lider.pro] /ip firewall filter> print stats
Flags: X - disabled, I - invalid, D - dynamic 
 #    CHAIN        ACTION        BYTES         PACKETS
 3    forward      log                0               0
 4    forward      log           78 393             192
 5    forward      accept       130 787             166

how’s that possible?

btw, there are matching packets for rule 3 certainly:

 2017/06/08 11:01:45.154580 10.0.0.241:43728 -> 193.201.229.35:5060
REGISTER sip:multifon.ru SIP/2.0
Via: SIP/2.0/TCP 10.0.0.241:5060;branch=z9hG4bK1072a37f
Max-Forwards: 70
From: <sip:79221810287@multifon.ru>;tag=as5b47be39
To: <sip:79221810287@multifon.ru>
Call-ID: 1972ba5a1241ab9943da531e07437dad@127.0.1.1
CSeq: 810 REGISTER
User-Agent: Asterisk PBX 11.7.0~dfsg-1ubuntu1

L7 rule used:

[asurkov@r4.lider.pro] /ip firewall filter> .. layer7-protocol print detail
 0 name="sip_register" regexp=".*REGISTER.*"

acypkob · June 8, 2017, 7:27am

ha-ha … surprise!!!
the rule works as expected just after router reboot - is it a bug or a feature? finally …

pe1chl · June 8, 2017, 8:36am

NAT sessions that are already established will not be modified by new or changed rules.
You need to either disconnect and reconnect those sessions (turn off the phone for 5 minutes or so)
or reboot the router.

acypkob · June 10, 2017, 12:37pm

this is not a phone but asterisk with few 10s tcp SIP sessions actually