[asterisk-bugs] [Asterisk 0017717]: [patch] dynamic_exclude_static option results in ACL errors
Asterisk Bug Tracker
noreply at bugs.digium.com
Mon Jul 26 13:00:50 CDT 2010
The following issue has been UPDATED.
======================================================================
https://issues.asterisk.org/view.php?id=17717
======================================================================
Reported By: mmichelson
Assigned To: mmichelson
======================================================================
Project: Asterisk
Issue ID: 17717
Category: Channels/chan_sip/General
Reproducibility: always
Severity: minor
Priority: normal
Status: ready for testing
Asterisk Version: 1.8.0-beta1
JIRA: SWP-1951
Regression: No
Reviewboard Link:
SVN Branch (only for SVN checkouts, not tarball releases): N/A
SVN Revision (number only!):
Request Review:
======================================================================
Date Submitted: 2010-07-26 09:44 CDT
Last Modified: 2010-07-26 13:00 CDT
======================================================================
Summary: [patch] dynamic_exclude_static option results in ACL
errors
Description:
As reported on the Asterisk-dev mailing list by Dennis DeDonatis, the
dynamic_exclude_static option in sip.conf will cause error messages to be
printed. Here is my response to the original e-mail on -dev regarding the
subject:
"The error messages are a result of having the "dynamic_exclude_static"
option enabled in sip.conf. The idea behind the option is to create a
"contactdeny" ACL for the current peer's IP address so that if another
endpoint tries to send a REGISTER to Asterisk with that same IP address
in its contact header, Asterisk will deny the registration attempt.
I took a look at the code in 1.6.2, and I'm convinced this option is not
working as intended, at least not in most cases. The problem is that on
an initial load of chan_sip, the current peer's IP address has not been
set (it's all 0s) when the host is parsed. The result is that a
contactdeny of 0.0.0.0/32 is likely getting created most of the time. On
reloads, the problem may be worse because if you are changing the host
line for a peer, then the code may end up creating an ACL based on the
peer's old IP address instead of its new one.
In 1.8.0-beta1, The section is different since we are using the new
netsock2 API that allows for IPv6 addresses to be used. We attempt to
get a string representation of the peer's IP address, which like in
1.6.2 is all 0s at the time the host line is parsed. The result is the
literal string "(null)." We then try to pass this off to the ACL code,
which of course says that it is a badly-formatted IP address. The result
is the trio of messages starting with the getaddrinfo error, leading to
the "Invalid IP address" warning, and leading then to the "Bad ACL
entry" error. So it seems like the increased number of error messages in
1.8.0-beta1 has actually exposed a bug that exists in earlier Asterisks
as well.
The proper fix in both 1.6.2 and 1.8 is to wait and add the contactdeny
ACL after the peer's IP address is known to be set to a valid value.
This may be as easy as moving a block of code lower down in the
build_peer() function than it currently is."
======================================================================
Issue History
Date Modified Username Field Change
======================================================================
2010-07-26 13:00 lmadsen JIRA => SWP-1951
======================================================================
More information about the asterisk-bugs
mailing list