1 Release notes for SIP Express Router (ser)
2 ***********************************************
11 - textops - functions:
12 - remove_hf_re("regexp") -- filter message headers out
13 by matching the header name field against a regular
15 - avp - export new selects table to allow dissecting the content of an
16 attribute by interpreting it as a "name-addr" value
17 - auth - experimental support for one-time nonces: when enabled a nonce
18 will be accepted only for one response (each new request will
19 be challenged). See one_time_nonce.
20 - experimental support for nc checking when qop=auth
21 (fast, non-locking implementation, see nonce_count,
22 nc_array_size, nc_array_order and nid_pool_no)
23 - switched to base64 nonces
24 - record nonce generation time inside the nonce so that a
25 received nonce can be checked against ser start time
26 (if older => stale). This allows gracefully handling ser
27 restarts with different auth configs.
28 - added extra authentication checks support, to protect
29 against various reply attacks.
31 - nonce_auth_max_drift - maximum difference in seconds
32 from the current time, if a nonce appears to be
33 created in the future (if exceeded the nonce is
35 - one_time_nonce - if enabled each nonce is allowed
36 only once => each new request (including
37 retransmissions!) will be challenged. It should be
38 used only in stateful mode (so that tm deals with
39 the retransmissions). The major disadvantage is that
40 the UA won't be able to used any cached credentials
41 (=> extra messages, extra round trips, more work for
43 - otn_in_flight_no - maximum number of in-flight nonces
44 for one-time-nonces. It must be a number of the form
45 2^k (if not it will be automatically rounded down).
46 The memory used will be otn_in_flight_no/8
47 - otn_in_flight_order - like otn_in_flight_no, but
48 instead of specifying the number as 2^k, it directly
49 sets k (otn_in_flight_no=2^otn_in_flight_order)
50 - nonce_count - if enabled and qop=auth or
51 qop=auth-int, store and check received nc values
52 (for details see rfc2617 and auth/doc). It should be
53 used only in stateful mode (so that tm deals with
54 the retransmissions which would otherwise be
55 challenged). The major advantage is greatly
56 enhanced security (extremely small probability of
57 a succesfull replay attack) combine with support
58 for cached credentials (if the UAs do support qop
60 - nc_array_size - size of the array used for storing
61 nc values, default 1Mb. It will be rounded down to
62 a 2^k value. It represents the maximum number of
63 in-flight nonces supported
64 - nc_array_order - equivalent to nc_array_size, but
65 instead of specifying the size in bytes, it can
66 be used to directly set the power of 2 used
67 (nc_array_size=2^nc_array_order)
68 - nid_pool_no - number of nc and one-time-nonce array
69 and index partitions, useful for increasing
70 performance on multi-cpu systems (default 1,
72 - auth_checks_register, auth_checks_no_dlg,
73 auth_checks_in_dlg - flags specifying which extra
74 message part/parts will be checked for change before
75 allowing nonce reuse. See the auth module docs for
76 for more information (modules/auth/README).
77 - blst - new module containing script blacklist manipulations functions
78 (the source of a message can be blacklisted, removed from the
79 blacklist or checked for presence in the blacklist).
80 - tm - added t_reset_fr(), t_reset_retr(), t_reset_max_lifetime()
81 - t_relay_to renamed to t_relay_to_avp (undocumented function)
82 - t_relay() can now also take host and port parameters (e.g.
83 t_relay(host, port)), behaving like a statefull
84 forwad(host, port) version (forward to host:port using the same
85 protocol on which the message was received)
86 - t_relay_to_udp(), t_relay_to_tcp() and t_relay_to_tls() work
87 now even with no parameters: in this case the message is
88 forwarded using the request uri, but with the specified protocol
89 (equivalent to a t_relay() with a forced protocol)
90 - method for canceling unreplied branches can now be selected
91 using the new cancel_b_method tm parameter.
92 - support for adding a 503 reply source to the blacklist for
93 the time specified in the Retry-After header (see the new tm
94 parameters blst_503, blst_503_def_timeout, blst_503_min_timeout
95 and blst_503_max_timeout).
96 - different error replies for too many branches (500 but with
97 different text), resolve error (478) or send error
99 - tm can be configured not to automatically send 100 replies
100 for invites either globally (see the auto_inv_100 parameter)
101 or on a per transaction basis (see t_set_auto_inv_100(...))
102 - t_relay* error reply are delayed till the end of the script
103 to allow the script writer to overwrite them
104 - branches are always canceled hop by hop
105 - cancels for silently canceled branches (no replies ever
106 received) are automatically generated if later a provisional
107 reply arrives on such a branch
108 - noisy_ctimer is now 1 (on) by default
109 - added maximum transaction lifetime - a transaction is not
110 allowed to be active longer then this interval. See
111 t_set_max_lifetime(), max_inv_lifetime and max_noninv_lifetime.
112 - support for changing the retransmission intervals on the fly,
113 on a per transaction basis (it is enabled if tm is compiled
114 with -DTM_DIFF_RT_TIMEOUT -- default): t_set_retr(t1, t2).
115 - transaction are deleted the moment they are not referenced
116 anymore (removed the need for the delete timer) -- this
117 should improve memory usage on very busy proxies.
118 - lots of callbacks added
119 - new onsend callbacks support (require defining TMCB_ONSEND prior
121 - behaviour when receiving a CANCEL which doesn't match any
122 transaction can be selected using the unmatched_cancel param.
124 - cancel_b_method - selects one of the three methods
125 for dealing with unreplied branches when the
126 transaction must be canceled. The possible values
127 are 0 (old behaviour) for stopping request
128 retransmission on the branch and act as if
129 the branch was immediately replied with a 487,
130 1 for continuing to retransmit the request until an
131 answer is received or the timeout kicks in (default)
133 2 for stopping the request retransmission and sending
134 CANCEL on the branch (not rfc conforming).
135 For more information see tm docs.
136 - blst_503 - if set and if the blacklist is used
137 (use_dst_blacklist=1), add the source of a 503 reply
139 - blst_503_def_timeout - if the Retry-After header from
140 a 503 reply is missing, use this value for the
141 blacklist timeout (in s). Depends on blst_503.
142 The default value is 0 ( do not blacklist if no
143 Retry-After is present).
144 - blst_503_min_timeot (in s) - if the 503 reply
145 Retry-After header value is less, use this value
146 for the blacklist timeout. Depends on blst_503.
147 The default value is 0.
148 - blst_503_max_timeout (in s) - if the 503 reply
149 Retry-After header value is greater, use this value
150 instead. Depends on blst_503.
151 The default value is 3600 s.
152 - auto_inv_100 - if set (default) tm will automatically
153 send an 100 reply to INVITEs (see also
154 t_set_auto_inv_100())
155 - noisy_ctimer is now 1 by default
156 - max_inv_lifetime & max_noninv_lifetime - default
157 maximum lifetimes for an invite or non-invite
158 transaction. After this interval has passed from
159 the transaction creation the transaction will be
160 either switched into the wait state or in the
161 final response retransmission state => a transaction
162 will be kept in memory for maximum:
163 max_*inv_lifetime + fr_timer /*ack w.*/ +wait_timer.
164 - unmatched_cancel - selects between forwarding cancels
165 that do not match any transaction statefully (0,
166 default value), statelessly (1) or dropping them
167 (2). Note that the statefull forwarding has an
168 additional hidden advantage: tm will be able to
169 recognize INVITEs that arrive after their CANCEL.
170 Note also that this feature could be used to try
171 a memory exhaustion DOS attack against a proxy that
172 authenticates all requests, by continuously flooding
173 the victim with CANCELs to random destinations
174 (since the CANCEL cannot be authenticated, each
175 received bogus CANCEL will create a new transaction
176 that will live by default 30s).
178 - t_reset_fr() -- resets the current transaction
179 fr_inv_timer and fr_timer to the default values
180 (set via the tm modparams fr_inv_timer and fr_timer).
181 - t_reset_retr() -- resets the current transaction
182 retransmission intervals on the fly, to the default
183 values (set via the tm modparams retr_timer1 and
185 - t_reset_max_lifetime() -- resets the current
186 transaction maximum lifetime to the default value
187 (set via the tm modparam max_inv_lifetime or
188 max_noninv_lifetime).
189 - t_grep_status("code") -- returns true if any branch
190 received code as the final reply (or if no final
191 reply was yet received, but a "code" provisional
193 - t_set_auto_inv_100(on/off) - switch automatically
194 sending 100 replies to INVITEs on/off on a per
195 transaction basis. It overrides the tm param.
197 - t_set_max_lifetime(inv, noninv) - changes the
198 maximum transaction lifetime on the fly, for the
199 current or next to be created transaction.
200 - t_set_retr(t1, t2) - changes the retransmissions
201 intervals on the fly, on a per transaction basis.
203 - sctp support (one-to-many, work in progress, for now linux
204 only with no fallback to one-to-one on full send buffers)
205 - partial cygwin (windows) support revived: core+static modules,
206 no ipv6, no tcp, no dynamic modules
207 - most of the config variables can now be changed on the fly,
208 without ser restart (migration work in progress)
209 - tcp improvements (better tcp timers, send fd cache, special
211 - dns naptr support (see dns_try_naptr and dns_<proto>_pref)
212 - dns srv based load balancing support (see dns_srv_lb)
213 - support for locking ser's pages in memory, pre-mapping
214 all the shared memory on startup (fill it with 0)
216 - devel: new PROC_INIT rank, init_child(PROC_INIT) called first
217 - futex support on linux (better behaviour when waiting on
218 long held locks, almost no performance impact otherwise)
219 - when dns search list was used for resolution, store the "link"
220 between the short name and long name in cache as CNAME record
222 new config variables:
223 disable_sctp = yes/no - disable sctp support (default auto, see enable_sctp)
224 enable_sctp = 0/1/2 - disable (0)/enable (1)/auto (2) sctp support,
226 sctp_children = number - sctp children no (similar to udp children)
227 sctp_socket_rcvbuf = number - size for the sctp socket receive buffer
228 sctp_socket_sndbuf = number - size for the sctp socket send buffer
229 sctp_autoclose = seconds - number of seconds before autoclosing an idle
230 assocation (default: 180 s).
231 sctp_send_ttl = milliseconds - number of milliseconds before an unsent
232 message/chunk is dropped (default: 32000 ms or 32 s).
233 sctp_send_retries - how many times to attempt re-sending a message on a
234 re-opened association, if the sctp stack did give up
235 sending it (it's not related to sctp protocol level
236 retransmission). Useful to improve reliability with
237 peers that reboot/restart or fail over to another
238 machine. WARNING: use with care and low values (e.g.
239 1-3) to avoid "multiplying" traffic to unresponding
241 server_id = number - A configurable unique server id that can be used to
242 discriminate server instances within a cluster of
243 servers when all other information, such as IP adddresses
245 loadpath = <modules path> - directory where to load the modules from (-L
246 equivalent); modules can be loaded simply by specifying their name
247 (loadmodule "maxfwd")
248 tcp_fd_cache = yes | no (default yes) - if enabled FDs used for sending
249 will be cached inside the process calling tcp_send (performance increase
250 for sending over tcp at the cost of slightly slower connection closing and
252 tcp_buf_write = yes | no (default no) - if enabled all the tcp writes that
253 would block / wait for connect to finish, will be queued and attempted
254 latter (see also tcp_conn_wq_max and tcp_wq_max).
255 tcp_conn_wq_max = bytes (default 32 K) - maximum bytes queued for write
256 allowed per connection. Attempting to queue more bytes would result
257 in an error and in the connection being closed (too slow). If
258 tcp_write_buf is not enabled, it has no effect.
259 tcp_wq_max = bytes (default 10 Mb) - maximum bytes queued for write allowed
260 globally. It has no effect if tcp_write_buf is not enabled.
261 tcp_defer_accept = yes | no (default no) on freebsd / number of seconds
262 before timeout on linux (default disabled) - tcp accepts will be
263 delayed until some data is received (improves performance on proxies
264 with lots of opened tcp connections). See linux tcp(7) TCP_DEFER_ACCEPT
265 or freebsd ACCF_DATA(0). For now linux and freebsd only.
266 WARNING: the linux TCP_DEFER_ACCEPT is buggy (<=2.6.23) and doesn't
267 work exactly as expected (if no data is received it will retransmit
268 syn acks for ~ 190 s, irrespective of the set timeout and then it will
269 silently drop the connection without sending a RST or FIN). Try to
270 use it together with tcp_syncnt (this way the number of retrans.
271 SYNACKs can be limited => the timeout can be controlled in some way).
272 tcp_delayed_ack = yes | no (default yes when supported) - initial ACK for
273 opened connections will be delayed and sent with the first data
274 segment (see linux tcp(7) TCP_QUICKACK). For now linux only.
275 tcp_syncnt = number of syn retr. (default not set) - number of SYN
276 retransmissions before aborting a connect attempt (see linux tcp(7)
277 TCP_SYNCNT). Linux only.
278 tcp_linger2 = seconds (not set by default) - lifetime of orphaned sockets
279 in FIN_WAIT2 state (overrides tcp_fin_timeout on, see linux tcp(7)
280 TCP_LINGER2). Linux only.
281 tcp_keepalive = yes | no (default yes) - enables keepalive for tcp.
282 tcp_keepidle = seconds (not set by default) - time before starting to send
283 keepalives, if the connection is idle. Linux only.
284 tcp_keepintvl = seconds (not set by default) - time interval between
285 keepalive probes, when the previous probe failed. Linux only.
286 tcp_keepcnt = number (not set by default) - number of keepalives sent before
287 dropping the connection. Linux only.
288 tcp_crlf_ping = yes | no (set by default) - enable CRLF keepalives aka
290 pmtu_discovery = 0 | 1 (default 0) - set DF bit in outbound IP if enabled
291 dns_srv_lb = yes | no (default no) - enable dns srv weight based load
292 balancing (see doc/dns.txt)
293 dns_try_naptr = yes | no (default no) - enable naptr support
294 (see doc/dns.txt for more info)
295 dns_{udp,tcp,tls,sctp}_pref = number - ser preference for each protocol
296 when doing naptr lookups. By default dns_udp_pref=30, dns_tcp_pref=20,
297 dns_tls_pref=10 and dns_sctp_pref=20. To use the remote site preferences
298 set all dns_*_pref to the same positive value (e.g. dns_udp_pref=1,
299 dns_tcp_pref=1, dns_tls_pref=1, dns_sctp_pref=1). To completely ignore
300 NAPTR records for a specific protocol, set the corresponding protocol
301 preference to -1 (or any other negative number). (see doc/dns.txt for
303 dns_search_full_match = yes | no (default yes) - when name was resolved
304 using dns search list, check the domain added in the answer matches with
305 one from the search list (small performance hit, but more safe)
306 mlock_pages = yes |no (default no) - locks all ser pages into memory making
307 it unswappable (in general one doesn't want his sip proxy swapped out :-))
308 shm_force_alloc = yes | no (default no) - tries to pre-fault all the
309 shared memory, before starting. When on start time will increase, but
310 combined with mlock_pages will guarantee ser will get all its memory from
311 the beginning (no more kswapd slow downs)
312 real_time = <int> (flags) (default off). - sets real time priority
313 for all the ser processes, or the timers.
314 Possible values: 0 - off
317 4 - all processes, except the timers
318 Example: real_time= 7 => everything switched to real time priority.
319 rt_prio = <int> (default 0) - real time priority used for everything except
320 the timers, if real_time is enabled
321 rt_policy= <0..3> (default 0)- real time scheduling policy, 0 = SCHED_OTHER,
322 1= SCHED_RR and 2=SCHED_FIFO
323 rt_timer1_prio=<int> (default 0) - like rt_prio but for the "fast" timer
324 process (if real_time & 1)
325 rt_timer1_policy=<0..3> (default 0) - like rt_policy but for the "fast" timer
326 rt_timer2_prio=<int> (default 0) - like rt_prio but for the "slow" timer
327 rt_timer2_policy=<0..3> (default 0) - like rt_policy but for the "slow" timer
328 tcp_source_ipv4 = IPv4 address
329 tcp_source_ipv6 = IPv6 address
330 Set the given source IP for all outbound TCP connections.
331 If setting the IP fails the TCP connection will use the default.
332 dns_cache_init = on | off (default on) - if off, the dns cache is not
333 initialized at startup and cannot be enabled runtime, that saves some
335 dst_blacklist_init = on | off (default on) - if off, the blacklist
336 is not initialized at startup and cannot be enabled runtime,
337 that saves some memory.
340 - check defines and includes used at compile time and if different
341 force rebuilding everything in the current dir (creates a new file:
342 makecfg.lst that stores the compile defines & includes used at compile
344 - make cfg / config support: store the build config in an autogenerated file
345 (config.mak) and use it for future compiles (e.g.:
346 make cfg include_modules=mysql skip_modules=print CPU=pentium-m; make all).
347 Main advantages are easier usage and faster builds (e.g. make proper is
348 +16 times faster, make clean ~9 times, make with previously generated
349 config is 2.6 times faster and a make that has nothing to do is ~9 times
362 - tls - new module that enables tls support (set enable_tls=yes
363 in the config file and load the tls module)
364 - ctl - new fifo/unixsocket/xmlrpc like module, using a space
365 efficient binary encoding for the requests.
366 It supports multiple clients on tcp, udp, unix stream or
367 unix datagram modes. By default (no modparams) it opens
368 one unix stream control socket in /tmp/ser_ctl.
369 It also includes extended fifo support: multiple fifos,
370 fifo over tcp, udp and unix sockets (see ctl/ctl.cfg).
371 Use utils/sercmd/sercmd to send commands to it.
372 - dispatcher - added hashing after request uri and to uri
373 - added a new flag parameter which can be used (for now) to
374 select only the username or the username, host and port when
375 hashing after an uri (to, from or request uri)
376 - improved uri hashing (password is ignored, port is used only
378 - tm - aggregate challenges (WWW/Proxy-Authenticate) from all the
379 401 & 407 if the final reply is a 401/407. To turn this off
380 and fall back to the old behaviour set tm aggregate_challenges
382 - if a relayed 503 is the final reply, replace it by a 500
383 - if a 503 reply is received try the dns based failover
384 (forward to another ip if the original destination uri
385 resolved to several SRV, A or AAAA records)
386 - on 6xx immediately cancel all the branches for which a
387 provisional response was received and wait for all the
388 branches to finish (either timeout, the 487 from the CANCEL
389 or a final response still on the wire in the moment the
391 - better final reply selection: 6xx is preferred over other
392 negative replies; from several 4xx prefer 401, 407, 415, 420,
393 484 (in this order). For all the other cases, return the lowest
395 - special functions for checking for timeout, if a reply was
396 received or if the current transaction was canceled
397 - dns failover and dst blacklist support
398 - migrated to the new timers (tm timers completely rewritten)
399 - improved speed and less memory usage
400 - much more precise retransmissions timing
401 - params: - retr_timer1p1, retr_timer1p2, retr_timer1p3 removed
402 and replaced by retr_timer1 and retr_timer2
403 - all timer values are now expressed in milliseconds
404 (they were in seconds before).
405 Affected params: fr_timer, fr_inv_timer, wt_timer,
406 delete_timer, retr_timer1, retr_timer2
407 - retr_timer1 (first retransmission) changed to 500 ms
408 - delete_timer changed to 200 ms
409 - unix_tx_timeout expressed now in milliseconds; default
410 value changed to 500 ms
412 - t_branch_timeout() -- returns true if the failure
413 route is executed for a branch that did timeout
414 (failure_route only).
415 - t_branch_replied() -- returns true if the failure
416 route is executed for a branch that did receive at
417 least one reply in the past (the current reply
418 is not taken into account). It can be used
419 together with t_branch_timeout() to distinguish
420 between a remote side that doesn't respond (some
421 provisional reply received) and one that is completely
422 dead. (failure_route only)
423 - t_any_timeout() -- returns true if any of the current
424 transaction branches did timeout.
425 - t_any_replied() -- returns true if at least one branch
426 of the current transaction received one reply in the
427 past. If called from a failure_route or an
428 onreply_route, the "current" reply is not taken into
430 - t_is_canceled() -- returns true if the current
431 transaction has been canceled.
432 - new t_set_fr(timeout_fr_inv, timeout_fr) -- allows
433 changing the transaction timer from script, even if
434 the transaction was already created (see tm docs for
436 - t_relay will not stop script execution anymore in case of
438 - textops - search() can be used in the onsend_route where it will search
439 on the "new" message (after applying all script changes, adding
440 Vias a.s.o) and not on the original message
443 - compiled by default with tls hooks support (so that no recompile is
444 needed before loading the tls module and enabling the tls support)
445 - enable_tls config option added (the reverse of disable_tls)
446 - added STUN keep-alive functionality in accordance with
447 draft-ietf-behave-rfc3489bis-04.txt
448 - dns cache and dns failover support added (see doc/dns.txt)
449 - destination blacklist added -- destinations to which forwarding fails
450 (send error, tm timeout a.s.o) are temporarily added to a blacklist which
451 is consulted before each send => faster send error detection
452 in the near future (see doc/dst_blacklist.txt)
453 - default log level switched to 0 (only messages < L_WARN will be printed
455 - separate memdbg log level which controls the memory/malloc related
456 debug messages (to see them ser must be compiled with malloc debuging:
457 -DDBG_QM_MALLOC or -DDBG_FM_MALLOC and memdbg must be <= debug )
458 - added named routes: names can be used instead of numbers in all the
459 route commads or route declarations. route(number) is equivalent to
466 - added named flags, declared at the beginning of the config file with:
467 flags flag1_name[:position], flag2_name ...
469 flags test, a:1, b:2 ;
472 if (isflagset(a)){ # equiv. to isflagset(1)
475 resetflag(b); # equiv. to resetflag(2)
476 - added return [val] which returns from a route. if no value is specified, or
477 a route reaches its end without executing a return statement, it returns 1.
478 If return is used in the top level route is equivalent with exit [val].
479 - drop /exit [n] now will end the script execution
480 exit n will exit with code n (usefull in onreply/onsend routes where
481 if script code !=0 a reply is generated/the message is sent or to force
483 - added $? which can be used to check the return code of the last executed
484 route{} (e.g. route(1); if ($?==1){ /* ... */}else if ($?==2) ... )
485 - onsend_route added: special route executed before a request is sent.
486 Only a limited number of commands are allowed (drop, if
487 + all the checks, msg flag manipulations, send(), log(),
488 textops::search()). In this route the final destination
489 of the message is available an can be checked (with
490 snd_ip, snd_port, to_ip, to_port, snd_proto, snd_af).
491 This route is executed only when forwarding requests.
492 It's not executed for replies, retransmissions, or
493 locally generated messages (e.g. via fifo uac).
495 onsend_route{ if(to_ip==1.2.3.4 && !isflagset(12)){
496 log(1, "message blocked\n");
500 - onsend_route specific checks:
501 - snd_ip, snd_port - behave like src_ip/src_port, but contain the
502 ip/port ser will use to send the message
503 - to_ip, to_port - like above, but contain the ip/port the message will
504 be sent to (not to be confused with dst_ip/dst-port, which are the
505 destination of the original message: ser's ip and port on which the
506 message was received)
507 - snd_proto, snd_af - behave like proto/af but contain the
508 protocol/address family that ser will use to send the message
509 - msg:len - when used in an onsend_route, msg:len will contain the length
510 of the message on the wire (after all the changes in the script are
511 applied, Vias are added a.s.o) and not the lentgh of the original
513 - timer: - improved performance/precision, new api, see doc/timers.txt
514 - tcp: - improved performance (io event handling), using OS specific
516 - 1024 connections limit removed (see tcp_max_connections)
517 - resolver: - timeouts, retries a.s.o can now be set from ser.cfg
518 (see below dns_* and man resolv.conf(6)).
519 The maximum time a dns request can take (before failing) is:
520 (dns_retr_time*dns_retr_no)*(search_list_domains)
521 If dns_try_ipv6 is yes, mutliply it again by 2.
522 The fastest possible dns config (max 1s):
526 dns_use_search_list=no
527 - default on reply route added: onreply_route {.. } will add a default
528 onreply route that will be executed for any reply (usefull to catch
529 replies without using tm)
530 - branch_routes added (tm triggered), only a very limited number of commands
531 are available (see tm docs)
532 - avps directly accessible from script with %avp_name (variable style)
533 new config variables:
534 enable_tls/disable_tls = enable/disable tls support, default disable.
535 Note: a tls "engine" is still needed (e.g. the tls module must
536 be loaded, enable_tls by itself is not enough).
537 exit_timeout = seconds - how much time ser will wait for all the shutdown
538 procedures to complete. If this time is exceeded, all the remaining
539 processes are immediately killed and ser exits immediately (it might
540 also generate a core dump if the cleanup part takes too long).
541 Default: 60 s. Use 0 to disable.
542 stun_refresh_interval = number in millisecond (default 0); value for
543 attribute REFRESH INTERVAL
544 stun_allow_stun = 0 | 1 (off | on - default 1); use STUN or not if compiled
545 stun_allow_fp = 0 | 1 (off | on - default 1); use FINGERPRINT attribute
546 use_dns_cache = on | off (default on)
547 use_dns_failover = on | off (default off)
548 dns_cache_flags = number (default 0)
549 dns_cache_negative_ttl = number in seconds (default 60)
550 dns_cache_min_ttl = time in seconds (default 0)
551 dns_cache_max_ttl = time in seconds (default MAXINT)
552 dns_cache_mem = maximum memory used for the dns cache in Kb (default 500 K)
553 dns_cache_gc_interval = interval in seconds after which the dns cache is
554 garbage collected (default: 120 s)
555 use_dst_blacklist = on | off (default off)
556 dst_blacklist_expire = time in s (default 60)
557 dst_blacklist_mem = maximum memory used for the blacklist in Kb (default 250
559 dst_blacklist_gc_interval = interval in seconds after which the destination
560 blacklist is garbage collected (default 60)
561 tos = number - ip type of service (TOS) value
562 dns_try_ipv6 = yes/no - if yes and a dns lookup fails, it will retry it
563 for ipv6 (AAAA record). Default: yes
564 dns_retr_time = time - time in s before retrying a dns request.
565 Default: system specific, depends also on the/etc/resolv.conf content
567 dns_retr_no = no. - number of dns retransmissions before giving up.
568 Default: see above (usually 4)
569 dns_servers_no = no. - how many dns servers from the ones defined in
570 /etc/resolv.conf will be used. Default: all of them.
571 dns_use_search_list= yes/no - if no, the search list in /etc/resolv.conf
572 will be ignored (=> fewer lookups => gives up faster). Default: yes.
573 HINT: even if you don't have a search list defined, setting this option
574 to "no" will still be "faster", because an empty search list is in
575 fact search "" (so even if the search list is empty/missing there will
576 still be 2 dns queries, eg. foo+'.' and foo+""+'.')
577 tcp_connection_lifetime = value (s) - how long the lifetime of a
578 tcp connection will be exteneded after an IO event (accept, connect,
579 read, write). Default: 120 s.
580 tcp_poll_method = poll|select|epoll_et|epoll-lt|kqueue|devpoll - poll
581 method used (by default the best one for the current OS is selected)
582 tcp_max_connections = no. - maximum number of tcp connections (if the number
583 is exceeded no new tcp connections will be accepted). Default: 2048.
586 utils/sercmd - command line serctl like tool for interrogating ser ctl
587 module (uses the binrpc encoding). Supports various
588 connection methods (udp, tcp, unix stream & datagram sockets),
589 reply formating (see -f, e.g. sercmd -f "pid:%v %v\n" core.ps)
590 , interactive mode, command line completion (if compiled with
593 WARNING: - older 0.10.99-dev version (< 0.10.99-dev46) returned a 480 reply
594 on invite transaction timeout, if a provisional reply was received. Newer
595 versions reverted to returning 408 on all timeouts (one can use
596 t_branch_timeout() and t_branch_replied() to distinguish between the two
601 0.9.4 fixes/improvements (0.9.4 is a bug fix release for 0.9.3)
605 - mutlicast options are set for all the sockets
606 - mediaproxy: memory leak, unchecked memory allocations
607 - postgress: some bugs and cleanups (compiles cleanly now)
608 - tm: shm cloned lumps (SER-55)
609 - tm: t_fifo: 64-bit fix
610 - tm: dst_uri clone fix
611 - tm: t_newtran/t_restransmit* races (!)
615 - serctl, better ISA detection, signals
617 - multicast options are properly set
627 - alpha experimental support
628 - mips2/cobalt experimental support
630 - OS X (darwin) support
631 - sparc32 single cpu highly experimental support
635 - enum - support for more than one NAPTR
636 - msilo - explicit multidomain support -- recipient's user ID is stored in
637 the columns username and domain -- r_uri column kept for compatibility
638 reasons (will be removed in future) but not filled by this version of
640 - mysql - implements a connection pool, all modules will use same connection
641 to access the database
642 - nathelper received port test (flag 16 for nat_uac_test): compares the
643 source port of the message with sip port in the first Via and returns
645 - permsions - support for multiple allow/deny files, allow_register function
646 - TM has a new parameter: restart_fr_on_each_reply. If set (default)
647 fr_inv timer will be restarted for each provisional reply, if not set
648 it will be restarted only for the first reply and for replies >=180
649 (but only if increasing, eg.: 180, 181 ...). Usefull when dealing with bad
650 UAs that re-transmit 180s.
651 - TM saves the avp list into transactions, and make it available into
652 callbacks, failure and reply routes.
653 - TM contains new command - t_write_unix("/tmp/sems.sock", "announcement")
654 sends a message using unix socket interface instead of FIFO interface.
655 - TM contains new config variable - unix_tx_timeout -- it specifies the
656 transmit timeout of t_write_sock
657 - VM functionality was transfered into TM module. Instead of fetching the
658 email value from DB (as VM), TM looks for the "email" attribute to get the
660 vm() function was replaced with t_write_req()
661 vm_reply() fifo functions was replcated by TM with t_reply() fifo function
662 NOTE!! because current version of SEMS/AA try to send reply via vm_reply,
663 it will not work with the TM version.
664 - xlog - printing the body of any header by specifying the name; new
665 specifiers for user-agent, message buffer, message length, message's flags,
669 - avp / avp_db / avp_radius - load and check avps per caller or callee
670 - avpops - flexible module for operations with avps and database, introducing
671 a pseudo-varible support in SER configuration file
672 - cpl-c - implementation of Call Processing Language
673 - dispatcher - implements a dispatcher for incoming requests using hashes
674 over parts of the request to select the destination
675 - diversion - implements the Diversion extensions as per
676 draft-levy-sip-diversion-08
677 - flatstore - simple module that implements very fast inserts for accounting
679 - gflags - keeps a bitmap of flags in shared memory and may be used to change
680 behaviour of server based on value of the flags
681 - options - answer server options requests
682 - speeddial - provides on-server speed dial facilities
683 - uri_db - split from uri module, performs various checks related to SIP URI
687 - vm - the functionality was transfered to tm module (see t_write_req(...)
692 UNIX domain socket server implemented
694 - command line: removed -p port and extended -l:
695 -l [proto:]addr[:port] , where proto=udp|tcp and
696 addr= host|ip_address|interface_name. The format is the same
697 as for listen in the config file. ipv6 addresses must be enclosed in
699 - added from_uri & to_uri: behave exactly like uri but use the
701 (e.g.: if (from_uri==myself) ..., if (to_uri=~"^sip:test@")... )
702 - config: better escape support in strings (e.g. \", \<cr>, \x0a, \012)
703 - bad network addresses are now automatically fixed
704 (e.g. 192.168.1.80/27 => 192.168.1.64/27)
705 - avp (Attribute-Value Pair) support added
706 - avp alias support added
707 - multicast support added (see mcast_loopback & mcast_ttl)
708 - saving of procces group id enabled, if the -G option is specified
709 (a safe way to quickly kill all ser processes)
710 - core dump-ing is enabled by default, see also disable_core_dump
711 - protocol and port can be specified in the alias and listen lines, e.g.:
712 alias= tcp:foo.bar:* udp:test.bar:5080 foo.com
713 listen= eth0 tcp:eth0:5065 udp:127.0.0.1 [3ffe::1]
714 - multiple operator support: ==, != for special operations (e.g myself, ip)
715 ==, !=, ~= for strings
716 ==, !=, >, <, >=, <= for integers
717 - database api changed to support usage of different drivers
718 simultaneously. The database URL must start now with the name of the
719 driver (module). Example: for mysql the DB URL
720 'sql://user:password@dbhost:port/database' must be specified now as
721 'mysql://user:password@dbhost:port/database'
722 - new config variables:
723 mcast_loopback = <yes/no> - loopback sent multicast datagram, default no.
724 mcast_ttl = number - set multicast ttl, default OS specific (usually 1).
725 sock_mode = <permissions> (e.g. sock_mode=0600: default value = 0660)
726 ser unix sockets and fifo will be created with this permissions
727 (old name fifo_mode is still supported, but deprecated)
728 sock_user = username|"uid"
729 sock_group = groupname|"gid"
730 change the owner and/or group of the ser unix sockets or fifo
731 Short example config snippet:
732 sock_mode=0600 # ser socket/fifo mode
733 sock_user="www-data" # ser socket/fifo owner
735 user=nobody # ser user (ser will suid to it)
736 disable_core_dump= yes|no
737 by default core dump limits are set to unlimited or a high enough
738 value, set this config variable o yes to disable core dump-ing
739 (will set core limits to 0)
740 open_files_limit= number
741 if set and bigger than the current open file limit, ser will try
742 to increase its open file limit to this number. Note: ser must be
743 started as root to be able to increase a limit past the hard limit
744 (which, for open files, is 1024 on most systems)
745 tcp_connect_timeout= seconds
746 time before an ongoing connect will be aborted
747 tcp_send_timeout= seconds
748 time after a tcp connection will be closed if it is not available
749 for writing in this interval (and ser wants to send something on it)
750 tcp_accept_aliases= yes|no
751 if a message received over a tcp connection has "alias" in its via
752 a new tcp alias port will be created for the connection the message
753 came from (the alias port will be set to the via one).
754 Based on draft-ietf-sip-connect-reuse-00.txt, but using only the port
755 (host aliases are too dangerous IMHO, involve extra DNS
756 lookups and the need for them is questionable)
757 See force_tcp_alias for more details.
758 log_facility = LOG_LOCAL0
759 if ser logs to syslog, you can control the facility for logging. Very
760 useful when you want to divert all ser logs to a different log file.
761 See man page syslog(3) for more detailes.
762 unix_sock = "/tmp/ser.sock"
763 The name of the socket the unixsock server should listen on.
764 unix_sock_children = 1
765 The number of children that will listen on the unix domain socket.
766 unix_tx_timeout = 2000
767 Timeout (in ms) used when sending replies through unix sockets.
768 - new script commands:
769 force_send_socket([proto:]address[:port])
770 sends the message from the specified socket (it _must_ be one of the
771 sockets ser listens on). If the protocol doesn't match (e.g. udp
772 message "forced" to a tcp socket) the closest socket of the same
775 force_tcp_alias(port)
776 adds a tcp port alias for the current connection (if tcp).
777 Usefull if you want to send all the trafic to port_alias through
778 the same connection this request came from [it could help
779 for firewall or nat traversal].
780 With no parameters adds the port from the message via as the alias.
781 When the "aliased" connection is closed (e.g. it's idle for too
782 much time), all the port aliases are removed.
783 Note: by default ser closes idle connection after 3 minutes (stable)
784 or 1 minute (unstable) so to take full advantage of tcp aliases for
785 things like firewall and nat traversal, redefine TCP_CON_*TIMEOUT
786 in tcp_conn.h and recompile. Also right now there can be maximum
787 3 port aliases to a connection (you shouldn't need more than one).
788 To change this redefine TCP_CON_MAX_ALIASES in the same file
789 (set it to you desired value + 1; 1 is needed for the real port).
792 - ngrep patch for displaying new lines in captured SIP messages is no longer
793 needed; use ngrep V 1.42 with the option "-W byline"
797 ***********************************************
798 * Changes/fixes introduced in 0.8.12
799 ***********************************************
800 +--------------------------------------------------------+
801 | WARNING: if you want to use a 0.8.11 config script |
802 | with 0.8.12, replace if ( len_gt(number) ) with: |
803 | if ( msg:len > bumber ) |
804 +--------------------------------------------------------+
810 - subst('s/re/repl/flags') support
812 - added switch to check the config file (-c)
813 - changes: removed len_gt() and replaced with if (msg:len op number|max_len)
814 - multiple operator support: ==, != for special operations (e.g myself, ip)
815 ==, !=, ~= for strings
816 ==, !=, >, <, >=, <= for integers
817 - new config variables:
818 advertised_address= ip | string
819 address advertised in via and in the DST_* lumps (e.g RR)
820 This is the default value, if empty (default) the socket
821 address will be used.
822 WARNING: - don't set it unless you know what you are doing
824 - you can set anything here, no check is made
825 (e.g. foo.bar will be accepted even if
826 foo.bar doesn't exist)
828 port advertised in via and in the DST_*lumps (e.g. RR)
829 This is the default value, if empty (default) the socket
831 Same warnings as above.
832 - new script commands:
833 set_advertised_address(ip|string)
834 same as advertised_address but it affects only the current message:
835 Message host/lump address= the set_advertised one if
836 present, else advertised_address else socket address.
837 set_advertised_port(no)
838 same as advertised_port but it affects only the current
839 message; see set_advertised_address & s/address/port/g
842 - usernames are case insensitive
845 - lookup function succeeds when appending of a branch failed
848 - support for rpid stored in database (thanks to Jakob Schlyter)
852 - memory leak in digest credentials parser fixed
853 - authenticathion ha1 didn't include domain if username was of the form
854 user@domain and calculate_ha1 was set to yes (modules/auth_db)
855 - tm reply processing race condition (modules/tm), special thanks go to
857 - Many bugs in pa module fixed, works with registrar again.
862 - fifo processing code will write responses only to other
863 fifos and only if they are not hard-linked, also default
864 ser fifo persmissions were changed to 0600.
866 Performance improvements
867 ========================
868 - tuned internal malloc implementation parameters to better reflect the
869 actual workload (malloc is a little bit faster now)
873 ***********************************************
874 * Changes introduced in 0.8.11
875 ***********************************************
877 +--------------------------------------------------------+
878 | CAUTION: the 0.8.11 release include changes which |
879 | are incompatible with scripts and databases used |
880 | in previous versions. Care is advised when upgrading |
881 | from previous releases to 0.8.11. |
882 +--------------------------------------------------------+
887 - TCP support and cross-transport forwarding [core]
888 - loose routing support [rr module]
890 - vm -- voicemail interface [vm]
891 - ENUM support [enum]
892 - presence agent [pa]
893 - dynamic domain management -- allows to manipulate
894 hosting of multiple domains in run-time [module]
895 - flat-text-file database support [dbtext]
896 - rich access control lists [permissions]
897 - Feature Improvements
898 - click-to-dial, which is based on improved tm/FIFO
899 that better supports external applications [tm module]
900 - web accounting -- acc module can report to serweb
901 on placed calls [acc module]
902 - improved exec module (header fields passed now
903 as environment variables to scripts) [exec module]
904 - Architectural Improvements
905 - powerpc fast locking support
907 - 64 bits arch. support (e.g. netbsd/sparc64).
908 - New Experimental Features (not tested at all yet)
909 - nathelper utility for Cisco/ATA NAT traversal [nathelper]
910 - another NAT traversal utility [mangler]
911 - postgress support [postgress]
913 - pdt module (prefix2domain) [pdt]
915 Changes to use of ser scripts
916 =============================
918 About Multiple Transport Support
919 --------------------------------
920 SER now suports multiple transport protocols: UDP and TCP. As there
921 may be UAs which support only either protocol and cannot speak to
922 each other directly, we recommend to alway record-route SIP requests,
923 to keep the transport-translating SER in path. Also, if a destination
924 transport is not known, stateful forwarding is recommended -- use of
925 stateless forwarding for TCP2UDP would result in loss of reliability.
930 - reply_route has been renamed to failure_route -- the old name caused
932 - forward_tcp and forward_udp can force SER to forward via specific
937 - radius and sql support integrated in this module; you need to
938 recompile to enable it
939 - acc_flag is now called log_flag to better reflect it relates
940 to the syslog mode (as opposed to sql/radius); for the same
941 reasons, the accounting action is now called "acc_log_request"
942 and the option for missed calls "log_missed_calls"
943 - log_fmt allows now to specify what will be printed to syslog
947 - auth module has been split in auth, auth_db, auth_radius, group
948 group_radius, uri and uri_radius
949 - all the parameters that were part of former auth module are now
950 part of auth_db module
951 - auth_db module contains all functions needed for database
953 - auth_radius contains functions needed for radius authentication
954 - group module contains group membership checking functions
955 - group_radius contains radius group membeship checking functions
956 - is_in_group has been renamed to is_user_in and places to groups
958 - check_to and check_from have been moved to the uri module
963 - im is no longer used and has been obsoleted by TM
967 - exec_uri and exec_user have been obsoleted by exec_dset;
968 exec_dset is identical to exec_uri in capabilities; it
969 additionaly passes content of request elements (header
970 fields and URI parts) in environment variables; users of
971 exec_user can use exec_dset now and use the "URI_USER"
972 variable to learn user part of URI
973 - exec_dset and exec_msg return false, if return value of
974 script does not euqal zero
975 - exec_dset takes an additional parameter, which enables
976 validation of SIP URIs returned by external application
980 - presence support for Jabber users is enabled loading the PA
981 module and using handle_subscribe("jabber") for SUBSCRIBE
982 requests to jabber user
986 - m_store has now a parameter to set what should be considered
987 for storing as destination uri. This enables support for saving
988 the messages on negative replies.
992 - radius_acc module has been removed and radius accounting
993 is now part of acc module
995 registrar/usrloc modules:
996 -------------------------
997 - multi domain support, the modules user username@domain as AOR
999 - descent modification time ordering of contacts
1000 - case sensitive/insensitive comparison of URI can be enabled
1004 - addRecordRoute has been replaced with record_route
1005 - rewriteFromRoute has been replaced with loose_route()
1006 - a new option, "enable_full_lr" can be set to make life
1007 with misimplemented UAs easier and put LR in from "lr=on"
1008 - rr module can insert two Record-Route header fields when
1009 necesarry (disconnected networks, UDP->TCP and so on)
1013 - t_reply_unsafe, used in former versions within reply_routes,
1014 is deprecated; now t_reply is used from any places in script
1015 - t_on_negative is renamed to t_on_failure -- the old name just
1016 caused too much confusion
1017 - FIFO t_uac used by some applications (like serweb) has been
1018 replaced with t_uac_dlg (which allows easier use by dialog-
1019 oriented applications, like click-to-dial)
1020 - if you wish to do forward to another destination from
1021 failure_route (reply_route formerly), you need to call t_relay
1022 or t_relay_to explicitely now
1023 - t_relay_to has been replaced with t_relay_to_udp and t_relay_to_tcp