Broken module kmod-ipt-nathelper-rtsp in 18.06?

Is anyone able to confirm that kmod-ipt-nathelper-rtsp is still working in the latest releases?
It used to work on my WNDR3800 in BB, with a 3.10 kernel. I've just upgraded to 18.06.1, the module seems to be loaded but there is no udp/rtp redirection from wan to lan.

root@OpenWrt:~# lsmod | grep rtsp
nf_conntrack           52256 15 nf_conntrack_ipv6,xt_state,xt_helper,xt_conntrack,xt_connmark,xt_connlimit,xt_connbytes,xt_CT,nf_nat_rtsp,nf_nat_masquerade_ipv4,nf_conntrack_ipv4,nf_nat_ipv4,nf_nat,nf_conntrack_rtsp,nf_conntrack_rtcache
nf_conntrack_rtsp       5664  1 nf_nat_rtsp
nf_nat                  9424  5 xt_nat,nf_nat_rtsp,nf_nat_redirect,nf_nat_masquerade_ipv4,nf_nat_ipv4
nf_nat_rtsp             3664  0

I believe you have to invoke the helpers now.

You shouldn't need to unless you have a VoIP server that you provide to the Public Internet...did you enable the SIP connection tracker?

How can I enable the helper?
Actually, I'm using these helpers for TV, it's quite different from SIP tracking as there is no need to rewrite packets.

Is this multicast...?

If so, you need something like igmpproxy, not connection tracking.

Well, it's not multicast (the provider masks the multicast with an rtsp relay in its IAD).
Edit: when I tried to open an rtsp stream, I have this log in dmesg:
> nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.

In the thread I linked, that would be to set net.netfilter.nf_conntrack_helper to 1.

In iptables you would add:

-j CT --helper foo

Thanks lleachii
echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
solved my issue. But it's not a clean solution, right?

I'm trying to build an iptables entry... without success:

root@OpenWrt:~# iptables -t raw -A OUTPUT -p tcp -m tcp --dport 554 -j CT --helper rtsp
iptables v1.6.2: can't initialize iptables table `raw': Table does not exist (do you need to insmod?)

Add the entry to /etc/sysctl.conf for a "clean solution."

Are you sure you have version 18 installed? I thought the RAW table was loaded automatically...

To get access to the RAW table, install kmod-ipt-raw.
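
An added example, not part of the original thread and not OpenWrt's own tooling: a script that prints the steps for attaching the rtsp helper through the CT target while leaving automatic helper assignment off, as the dmesg message recommends. It uses raw PREROUTING because connections forwarded from LAN clients pass through that chain, whereas raw OUTPUT only sees connections opened by the router itself. The interface name br-lan and port 554 as defaults are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: LAN bridge is br-lan
# (OpenWrt default) and the RTSP control channel uses TCP port 554.
LAN_IF="${LAN_IF:-br-lan}"
RTSP_PORT="${RTSP_PORT:-554}"

# Emit the CT rule for one raw-table chain.
# PREROUTING: connections forwarded from LAN clients (the IPTV case).
# OUTPUT:     connections opened by the router itself.
helper_rule() {
    case "$1" in
        PREROUTING)
            echo "iptables -t raw -A PREROUTING -i $LAN_IF -p tcp --dport $RTSP_PORT -j CT --helper rtsp" ;;
        OUTPUT)
            echo "iptables -t raw -A OUTPUT -p tcp --dport $RTSP_PORT -j CT --helper rtsp" ;;
        *)
            return 1 ;;
    esac
}

# Print the commands needed to reach the scoped setup.
# $1 = current net.netfilter.nf_conntrack_helper value (0 or 1)
# $2 = "yes" if the raw table is usable, anything else if not
plan() {
    if [ "$1" = "1" ]; then
        # Turn the global automatic assignment back off.
        echo "sysctl -w net.netfilter.nf_conntrack_helper=0"
    fi
    if [ "$2" != "yes" ]; then
        # Package named in the thread; provides the raw table.
        echo "opkg install kmod-ipt-raw"
    fi
    helper_rule PREROUTING
}

# Detect the live state and print (not run) the resulting plan.
auto=0
if [ -r /proc/sys/net/netfilter/nf_conntrack_helper ]; then
    auto=$(cat /proc/sys/net/netfilter/nf_conntrack_helper)
fi
raw=no
if iptables -t raw -S >/dev/null 2>&1; then
    raw=yes
fi
plan "$auto" "$raw"
```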

Sure! When I said "clean solution", I was referring to the security warning in dmesg encouraging the CT-based firewall rules.
Obviously the kmod-ipt-raw package is not pre-installed on 18.06.1.

Oh, of course it gives you a message, it's a firewall helper, and you turned it on. That is a security risk.

It's preinstalled on all of my version 18 devices: