feat: TCP NAT traversal — Via alias, outbound proxy, connection reuse#109
Merged
shenjinti merged 2 commits intorestsend:mainfrom Apr 1, 2026
Merged
feat: TCP NAT traversal — Via alias, outbound proxy, connection reuse#109shenjinti merged 2 commits intorestsend:mainfrom
shenjinti merged 2 commits intorestsend:mainfrom
Conversation
Three changes for reliable SIP over TCP behind NAT with load-balanced proxy clusters: 1. Via alias parameter (RFC 5923): Add ;alias to Via header for TCP/TLS connections, telling the proxy to reuse this connection for sending requests back. Essential for receiving INVITEs behind NAT. 2. Outbound proxy support on Registration: New outbound_proxy field (Option<SocketAddr>) that overrides transport destination while keeping the domain in SIP headers (Request-URI, From, To). Allows pinning to a DNS-resolved proxy IP for NAT consistency — prevents re-registration from resolving to a different proxy node. 3. TCP connection reuse in transport layer: Include local addresses from TCP/TLS client connections in the address list used for Via/Contact headers. Without this, only listener addresses are returned, and TCP client connections are invisible for header construction. Also fixes message inspector ordering: call before_send before computing destination so the inspector can modify headers that affect routing. Registration changes: - Outbound proxy inherits transport type from request URI (e.g., TCP) - Contact preservation across re-registrations: preserve URI params (transport=tcp) instead of clearing contact on 200 OK, preventing loss of transport parameter on re-register - Supported: path, outbound header in REGISTER (RFC 3327 / RFC 5626) so proxies that support Path-based routing record the correct edge node for the TCP connection
bevenky
force-pushed
the
fix/tcp-nat-traversal
branch
from
09d5155 to
228fe48
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Three changes for reliable SIP over TCP behind NAT with load-balanced proxy clusters:
1. Via alias parameter (RFC 5923)
Add
;aliasto Via header for TCP/TLS connections, telling the proxy to reuse this connection for sending requests back. Essential for receiving INVITEs behind NAT where the proxy's B2BUA leg may come from a different cluster node.2. Outbound proxy support on Registration
New
outbound_proxy: Option<SocketAddr>field onRegistrationthat overrides transport destination while keeping the domain in SIP headers (Request-URI, From, To). Allows pinning to a DNS-resolved proxy IP for NAT consistency — prevents re-registration from resolving to a different proxy node and breaking the NAT mapping.3. TCP connection reuse in transport layer
Include local addresses from TCP/TLS client connections in the address list used for Via/Contact headers. Without this, only listener addresses are returned, and TCP client connections are invisible for header construction.
Additional fixes
before_sendbefore computing destination so the inspector can modify headers that affect routingtransport=tcp) across re-registrations instead of clearing contact on 200 OKSupported: path, outboundto REGISTER (RFC 3327 / RFC 5626) so proxies that support Path-based routing record the correct edge nodeContext
These changes are needed for production use with SIP providers that use load-balanced proxy clusters (e.g.,
phone.plivo.comresolves to multiple IPs). Without them:Test plan