[asterisk-bugs] [Asterisk 0017717]: [patch] dynamic_exclude_static option results in ACL errors

Asterisk Bug Tracker noreply at bugs.digium.com
Tue Jul 27 10:16:44 CDT 2010


A NOTE has been added to this issue. 
====================================================================== 
https://issues.asterisk.org/view.php?id=17717 
====================================================================== 
Reported By:                mmichelson
Assigned To:                mmichelson
====================================================================== 
Project:                    Asterisk
Issue ID:                   17717
Category:                   Channels/chan_sip/General
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     closed
Asterisk Version:           1.8.0-beta1 
JIRA:                       SWP-1951 
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
Resolution:                 fixed
Fixed in Version:           
====================================================================== 
Date Submitted:             2010-07-26 09:44 CDT
Last Modified:              2010-07-27 10:16 CDT
====================================================================== 
Summary:                    [patch] dynamic_exclude_static option results in ACL errors
Description: 
As reported on the Asterisk-dev mailing list by Dennis DeDonatis, the
dynamic_exclude_static option in sip.conf will cause error messages to be
printed. Here is my response to the original e-mail on -dev regarding the
subject:

"The error messages are a result of having the "dynamic_exclude_static" 
option enabled in sip.conf. The idea behind the option is to create a 
"contactdeny" ACL for the current peer's IP address so that if another 
endpoint tries to send a REGISTER to Asterisk with that same IP address 
in its contact header, Asterisk will deny the registration attempt.

I took a look at the code in 1.6.2, and I'm convinced this option is not 
working as intended, at least not in most cases. The problem is that on 
an initial load of chan_sip, the current peer's IP address has not been 
set (it's all 0s) when the host is parsed. The result is that a 
contactdeny of 0.0.0.0/32 is likely getting created most of the time. On 
reloads, the problem may be worse because if you are changing the host 
line for a peer, then the code may end up creating an ACL based on the 
peer's old IP address instead of its new one.

In 1.8.0-beta1, the section is different since we are using the new 
netsock2 API that allows for IPv6 addresses to be used. We attempt to 
get a string representation of the peer's IP address, which like in 
1.6.2 is all 0s at the time the host line is parsed. The result is the 
literal string "(null)." We then try to pass this off to the ACL code, 
which of course says that it is a badly-formatted IP address. The result 
is the trio of messages starting with the getaddrinfo error, leading to 
the "Invalid IP address" warning, and leading then to the "Bad ACL 
entry" error. So it seems like the increased number of error messages in 
1.8.0-beta1 has actually exposed a bug that exists in earlier Asterisks 
as well.

The proper fix in both 1.6.2 and 1.8 is to wait and add the contactdeny 
ACL after the peer's IP address is known to be set to a valid value. 
This may be as easy as moving a block of code lower down in the 
build_peer() function than it currently is."
====================================================================== 

---------------------------------------------------------------------- 
 (0125117) svnbot (reporter) - 2010-07-27 10:16
 https://issues.asterisk.org/view.php?id=17717#c125117 
---------------------------------------------------------------------- 
Repository: asterisk
Revision: 279786

_U  trunk/
U   trunk/channels/chan_sip.c

------------------------------------------------------------------------
r279786 | mmichelson | 2010-07-27 10:16:44 -0500 (Tue, 27 Jul 2010) | 27 lines

Merged revisions 279785 via svnmerge from 
https://origsvn.digium.com/svn/asterisk/branches/1.8

................
  r279785 | mmichelson | 2010-07-27 10:15:22 -0500 (Tue, 27 Jul 2010) | 20 lines
  
  Merged revisions 279784 via svnmerge from 
  https://origsvn.digium.com/svn/asterisk/branches/1.6.2
  
  ........
    r279784 | mmichelson | 2010-07-27 10:13:24 -0500 (Tue, 27 Jul 2010) | 14 lines
    
    Fix bad behavior of dynamic_exclude_static option in sip.conf.
    
    We were attempting to create a contactdeny rule based on the peer's
    IP address before the peer's IP address had been set. By moving the
    processing further down in the function, we can ensure stuff works
    as we expect for it to.
    
    (closes issue https://issues.asterisk.org/view.php?id=17717)
    Reported by: mmichelson
    Patches: 
          17717.patch uploaded by mmichelson (license 60)
    Tested by: DennisD
  ........
................

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=279786 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2010-07-27 10:16 svnbot         Checkin                                      
2010-07-27 10:16 svnbot         Note Added: 0125117                          
======================================================================
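
The ordering problem described in this issue, as an added example that is not part of the tracker entry or of Asterisk's source: it models a deny rule derived from the peer's address before and after the host line is applied, on initial load and on reload. The names `struct peer`, `apply_host`, `add_contactdeny` and `contact_denied` are hypothetical, the addresses are constructed samples, and only IPv4 /32 rules are modelled.

```c
/* Added illustration; names are hypothetical, not chan_sip's own code. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

struct peer {
    uint32_t addr;       /* peer address, host byte order; 0 = not set yet */
    uint32_t deny_addr;  /* contactdeny rule, always a /32 in this sketch */
    int deny_set;
};

static uint32_t parse_ip(const char *s)
{
    struct in_addr in;
    return inet_pton(AF_INET, s, &in) == 1 ? ntohl(in.s_addr) : 0;
}

/* Derive the deny rule from whatever address the peer holds right now. */
static void add_contactdeny(struct peer *p)
{
    p->deny_addr = p->addr;
    p->deny_set = 1;
}

/* Apply a "host=" line. acl_first=1 models the ordering in the report (rule
 * built before the address is stored); acl_first=0 models the fixed ordering. */
static void apply_host(struct peer *p, const char *host, int acl_first)
{
    if (acl_first)
        add_contactdeny(p);
    p->addr = parse_ip(host);
    if (!acl_first)
        add_contactdeny(p);
}

/* 1 if a REGISTER whose Contact carries this address would be refused. */
static int contact_denied(const struct peer *p, const char *contact)
{
    return p->deny_set && parse_ip(contact) == p->deny_addr;
}

int main(void)
{
    struct peer early = {0}, late = {0};
    apply_host(&early, "192.0.2.10", 1);  /* constructed sample address */
    apply_host(&late, "192.0.2.10", 0);
    printf("early denies 192.0.2.10: %d\n", contact_denied(&early, "192.0.2.10"));
    printf("late  denies 192.0.2.10: %d\n", contact_denied(&late, "192.0.2.10"));
    return 0;
}
```

With the early ordering the rule ends up as 0.0.0.0/32 on first load and as the previous address after a reload that changes the host line, so the peer's current address is never the one protected.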



