Linux UDP Socket sendto: Operation not Permitted
I'm trying to diagnose a problem with the OpenSIPS (a SIP proxy) application.

When sending two different UDP packets to the same IP and port, one call fails with -1 EPERM (Operation not permitted) whilst the other is fine.

Both of the calls are made from the same process (at least the same PID).

The code in question is on GitHub.

Here's the strace output:

strace -e sendto
sendto(7, "SIP/2.0 100 Giving a try\r\nVia: S"..., 315, 0, {sa_family=AF_INET, sin_port=htons(5060), sin_addr=inet_addr("yyy.yyy.yyy.yyy")}, 16) = 315
sendto(7, "INVITE sip:myHomeDesktop@xxx"..., 1253, 0, {sa_family=AF_INET, sin_port=htons(5060), sin_addr=inet_addr("xxx.xxx.xxx.xxx")}, 16) = 1253
sendto(7, "SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP"..., 707, 0, {sa_family=AF_INET, sin_port=htons(5060), sin_addr=inet_addr("yyy.yyy.yyy.yyy")}, 16) = -1 EPERM (Operation not permitted)
Domella answered 25/5, 2014 at 19:29 Comment(2)
Any clues if you trace your packets with Wireshark? E.g. any ICMP messages? - Mancilla
Unfortunately there were no ICMP messages coming back. The tcpdump doesn't show the packet that failed to send going out either, but I suppose that's not surprising. - Domella

It turns out that the kernel conntrack modules were dropping the packet, leading to the syscall getting the EPERM error and not sending the packets.

I found this after looking at the syslog and finding:

May 26 10:59:45 localhost kernel: nf_ct_sip: dropping packet: cannot add expectation for voice

I was completely unaware that I was using the sip conntrack module, and it's not dynamically loaded on my system (lsmod shows blank).

I circumvented the problem by turning off connection tracking for my SIP traffic with:

iptables -I OUTPUT -t raw -p udp --sport 5060 -j CT --notrack
iptables -I PREROUTING -t raw -p udp --dport 5060 -j CT --notrack
Domella answered 26/5, 2014 at 11:30 Comment(2)
conntrack is the keyword. Thank you, saved a lot of time! - Clepsydra
According to the manual, -j CT --notrack can be replaced by -j NOTRACK. - Nichy
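
An added example (not part of the original answer or of OpenSIPS): a shell function that scans kernel log text for conntrack-helper drop messages of the shape quoted in the answer and counts them per helper and reason, which is the check that explains an otherwise puzzling EPERM from sendto. The sample log lines are constructed, and stripping packet fields from " IN=" onward is an assumption about what the log backend appends.

```shell
#!/bin/sh
# Summarise conntrack-helper drops found in kernel log text read from stdin.
# Matches the message shape shown in the answer:
#   kernel: nf_ct_<helper>: dropping packet: <reason>
# Output: one "<count> <helper> <reason>" line per distinct helper/reason pair.
ct_helper_drops() {
    awk '
        {
            i = index($0, "nf_ct_")
            if (i == 0) next
            rest = substr($0, i + 6)                # text after "nf_ct_"
            j = index(rest, ": dropping packet: ")
            if (j == 0) next
            helper = substr(rest, 1, j - 1)
            if (helper !~ /^[A-Za-z0-9._-]+$/) next # not a helper name
            reason = substr(rest, j + 19)           # 19 = marker length
            sub(/ IN=.*$/, "", reason)              # assumption: packet fields follow
            sub(/[ \t]+$/, "", reason)
            count[helper " " reason]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k2
}

# Constructed sample input: the first line is the one quoted in the answer,
# the rest are made up for illustration (documentation IP ranges).
sample_log() {
    cat <<'EOF'
May 26 10:59:45 localhost kernel: nf_ct_sip: dropping packet: cannot add expectation for voice
May 26 10:59:47 localhost kernel: nf_ct_sip: dropping packet: cannot add expectation for voice
May 26 11:00:02 localhost kernel: eth0: link up
May 26 11:00:05 localhost kernel: nf_ct_sip: dropping packet: cannot add expectation for voice IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7
May 26 11:00:09 localhost kernel: nf_ct_ftp: dropping packet: constructed example reason
EOF
}

sample_log | ct_helper_drops
```

On a live host, pipe the kernel log into the function instead of the sample, for example `dmesg | ct_helper_drops`.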
