[asterisk-bugs] [JIRA] (ASTERISK-24874) Asterisk 11/13 Named ACLs don't work as expected

Corey Farrell (JIRA) noreply at issues.asterisk.org
Tue Apr 14 14:58:33 CDT 2015


    [ https://issues.asterisk.org/jira/browse/ASTERISK-24874?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=225899#comment-225899 ] 

Corey Farrell commented on ASTERISK-24874:
------------------------------------------

I've done some additional testing; I think you must be somehow including 'lan_acl' onto the same peer more than once.  Though this reports an error, it doesn't actually prevent the config from loading, and the ACL is applied to the peer.  Really the following should probably be warnings, not errors.
{noformat}
[2015-04-11 13:02:03] ERROR[12818] acl.c: Named ACL 'lan_acl' is already included in the ast_acl container.
[2015-04-11 13:02:03] ERROR[12818] chan_sip.c: Bad ACL entry in configuration line 1653 : lan_acl
{noformat}

I was able to reproduce this with the following in sip.conf:
{noformat}
[phones](!)
acl=lan_acl

[test1](phones)
type=friend
acl=lan_acl

[test2](phones,phones)
type=friend
{noformat}

So either including the same template twice, or including the template to a peer then adding the same ACL.  In this example config both peers (test1 and test2) effectively include acl=lan_acl twice.

> Asterisk 11/13 Named ACLs don't work as expected
> ------------------------------------------------
>
>                 Key: ASTERISK-24874
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24874
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>    Affects Versions: 11.16.0, 13.2.0
>         Environment: AstLinux 1.2.2, Linux 3.2
>            Reporter: Michael Keuter
>            Assignee: Michael Keuter
>         Attachments: full_log
>
>
> When I use this ACL configuration:
> acl.conf:
> {noformat}
> [lan_acl]
> deny=0.0.0.0/0.0.0.0
> permit=192.168.0.0/255.255.255.0
> [vpn_acl]
> deny=0.0.0.0/0.0.0.0
> permit=192.168.0.0/255.255.255.0
> permit=10.8.0.0/255.255.255.0
> {noformat}
> sip.conf:
> {noformat}
> [phones](!)
> ;deny=0.0.0.0/0.0.0.0
> ;permit=192.168.0.0/255.255.255.0
> acl=lan_acl
> {noformat}
> I get these error messages:
> {noformat}
> Mar 13 13:46:51 localhost local0.err asterisk[1722]: ERROR[1761]: acl.c:541 in ast_append_acl: Named ACL 'lan_acl' is already included in the ast_acl container.
> Mar 13 13:46:51 localhost local0.err asterisk[1722]: ERROR[1761]: chan_sip.c:30923 in build_peer: Bad ACL entry in configuration line 761 : lan_acl
> {noformat}
> It gets worse when I try to include one named ACL into another as mentioned in the examples, in this case acl.conf is not loaded at all:
> {noformat}
> [vpn_acl]
> acl=lan_acl
> permit=10.8.0.0/255.255.255.0
> {noformat}
> I get these errors:
> {noformat}
> Mar 13 13:49:06 localhost local0.err asterisk[29624]: ERROR[29624]: config_options.c:589 in aco_process_var: Could not find option suitable for category 'vpn_acl' named 'acl' at line 87 of
> Mar 13 13:49:06 localhost local0.err asterisk[29624]: ERROR[29624]: config_options.c:402 in process_category: In acl.conf: Processing options for vpn_acl failed
> Mar 13 13:49:06 localhost local0.err asterisk[29624]: ERROR[29624]: named_acl.c:328 in ast_named_acl_find: Attempted to find named ACL 'vpn_acl', but the ACL configuration isn't available.
> Mar 13 13:49:06 localhost local0.err asterisk[29624]: ERROR[29624]: acl.c:541 in ast_append_acl: Named ACL 'vpn_acl' is already included in the ast_acl container.
> Mar 13 13:49:06 localhost local0.err asterisk[29624]: ERROR[29624]: chan_sip.c:30923 in build_peer: Bad ACL entry in configuration line 15 : vpn_acl
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.2#6252)
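
A way to check a sip.conf for the duplicate inclusion described in the comment above, before Asterisk logs it. This is an added example, not code from the ticket or from the Asterisk project: the function names are hypothetical, the parser is a simplified single pass over the file, and it assumes that template lines are copied in at the point of inclusion and that acl= may list several named ACLs separated by commas.

```python
import re
from collections import Counter

# Constructed sample: the sip.conf reproduction quoted in the comment above.
SAMPLE_SIP_CONF = """\
[phones](!)
acl=lan_acl

[test1](phones)
type=friend
acl=lan_acl

[test2](phones,phones)
type=friend
"""

HEADER = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?")

def effective_acls(text):
    """Return {section: [is_template, [named ACLs after template expansion]]}."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        m = HEADER.match(line)
        if m:
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            cur = sections.setdefault(m.group(1), [False, []])
            cur[0] = cur[0] or "!" in opts
            for base in (o for o in opts if o not in ("!", "+")):
                # Assumption: a template's lines are copied in at the point of inclusion.
                cur[1] += sections.get(base, [False, []])[1]
        elif cur is not None:
            key, _, value = line.partition("=")
            if key.strip().lower() == "acl":
                # Assumption: acl= may carry a comma-separated list of named ACLs.
                cur[1] += [v.strip() for v in value.lstrip(">").split(",") if v.strip()]
    return sections

def duplicate_acls(text):
    """Map each non-template section to the named ACLs it includes more than once."""
    dups = {n: sorted(a for a, c in Counter(acls).items() if c > 1)
            for n, (tmpl, acls) in effective_acls(text).items() if not tmpl}
    return {n: d for n, d in dups.items() if d}

if __name__ == "__main__":
    for peer, acls in duplicate_acls(SAMPLE_SIP_CONF).items():
        print(f"{peer}: named ACL included more than once: {', '.join(acls)}")
```

On the sample it reports test1 and test2, the two peers that the comment says effectively include acl=lan_acl twice.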


