[asterisk-commits] oej: branch oej/deluxepine-1.4 r242038 - in /team/oej/deluxepine-1.4: ./ chan...
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Thu Jan 21 14:53:59 CST 2010
Author: oej
Date: Thu Jan 21 14:53:55 2010
New Revision: 242038
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=242038
Log:
Add some documentation
Added:
team/oej/deluxepine-1.4/README.nacl (with props)
Modified:
team/oej/deluxepine-1.4/channels/chan_sip.c
team/oej/deluxepine-1.4/main/nacl.c
Added: team/oej/deluxepine-1.4/README.nacl
URL: http://svnview.digium.com/svn/asterisk/team/oej/deluxepine-1.4/README.nacl?view=auto&rev=242038
==============================================================================
--- team/oej/deluxepine-1.4/README.nacl (added)
+++ team/oej/deluxepine-1.4/README.nacl Thu Jan 21 14:53:55 2010
@@ -1,0 +1,25 @@
+Edvina AB
+Olle E. Johansson
+
+
+
+
+Named ACLs - why?
+-----------------
+
+This branch includes an implementation of named ACLs. ACL is an acronym for
+"Access Control Lists" and is something that we have implemented in Asterisk
+for IP-based filtering of SIP messages, manager access and in various channel
+drivers.
+
+The current ACLs are implemented either module-wide or per device. With a named
+ACL we have one ACL in memory that can be referred to from other modules.
+These modules doesn't copy the ACL, just point to it. When it changes, it's
+automatically applied to all objects that use it.
+
+The implementation has a PBX-wide list of ACLs that can be used from all
+modules that implement NACLs. Each NACL can be changed from the AMI, manager
+interface, and the CLI. Modules can also automatically change a Named ACL
+if needed. This can have be done for matching of devices or implementing
+dynamic blacklists.
+
Propchange: team/oej/deluxepine-1.4/README.nacl
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: team/oej/deluxepine-1.4/README.nacl
------------------------------------------------------------------------------
svn:keywords = Author Date Id Revision
Propchange: team/oej/deluxepine-1.4/README.nacl
------------------------------------------------------------------------------
svn:mime-type = text/plain
Modified: team/oej/deluxepine-1.4/channels/chan_sip.c
URL: http://svnview.digium.com/svn/asterisk/team/oej/deluxepine-1.4/channels/chan_sip.c?view=diff&rev=242038&r1=242037&r2=242038
==============================================================================
--- team/oej/deluxepine-1.4/channels/chan_sip.c (original)
+++ team/oej/deluxepine-1.4/channels/chan_sip.c Thu Jan 21 14:53:55 2010
@@ -585,6 +585,7 @@
/*! \brief Global list of addresses dynamic peers are not allowed to use */
static struct ast_ha *global_contact_ha = NULL;
+static struct ast_nacl *global_nacl = NULL;
static int global_dynamic_exclude_static = 0;
/* Object counters */
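Review bot: The new `global_nacl` has no Doxygen comment, unlike `global_contact_ha` directly above it, so a reader cannot tell which traffic it governs. Something like `/*! \brief Named ACL checked against the source address of every incoming SIP packet (NULL = no global filter) */` would state that. It is also worth noting there that the pointer holds a reference obtained from `ast_nacl_attach()` and must be released with `ast_nacl_detach()`.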
@@ -9361,15 +9362,12 @@
ast_string_field_set(p, exten, name);
build_contact(p);
peer = find_peer(name, NULL, 1, 0);
- if (!(peer && ast_apply_ha(peer->ha, sin) && (peer->nacl ? ast_apply_ha(peer->nacl->acl, sin) : TRUE))) {
+ if (peer) {
+ if (!(ast_apply_ha(peer->ha, sin) && (peer->nacl ? ast_apply_ha(peer->nacl->acl, sin) : TRUE))) {
/* Peer fails ACL check */
- if (peer) {
ASTOBJ_UNREF(peer, sip_destroy_peer);
res = AUTH_ACL_FAILED;
- } else
- res = AUTH_NOT_FOUND;
- }
- if (peer) {
+ }
/* Set Frame packetization */
if (p->rtp) {
ast_rtp_codec_setpref(p->rtp, &peer->prefs);
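Review bot: On an ACL failure the new code releases `peer` with `ASTOBJ_UNREF` and then falls through to `ast_rtp_codec_setpref(p->rtp, &peer->prefs)`, because the packetization block now sits in the same `if (peer)` instead of behind a second `if (peer)` test. The old shape re-tested the pointer after the unref (the macro appears to clear it), so a REGISTER from a denied address now touches peer fields after the reference is dropped, and continues into registration handling unless code outside the hunk checks `res`. Keep the failure branch terminal, for example by closing the outer block after `res = AUTH_ACL_FAILED;` and restoring `if (peer) {` before the packetization code. The `res = AUTH_NOT_FOUND;` assignment for an unknown peer is also gone, so that result now depends on how `res` is initialised outside the hunk.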
@@ -16730,6 +16728,12 @@
ast_set_flag(&req, SIP_PKT_DEBUG);
if (pedanticsipchecking)
req.len = lws2sws(req.data, req.len); /* Fix multiline headers */
+ if (global_nacl && !ast_apply_ha(global_nacl->acl, &sin)) {
+ if (ast_test_flag(&req, SIP_PKT_DEBUG)) {
+ ast_verbose("\n<--- SIP read from %s:%d - dropped due to ACL %s\n", ast_inet_ntoa(sin.sin_addr), ntohs(sin.sin_port), global_nacl->name);
+ }
+ return 1;
+ }
if (ast_test_flag(&req, SIP_PKT_DEBUG))
ast_verbose("\n<--- SIP read from %s:%d --->\n%s\n<------------->\n", ast_inet_ntoa(sin.sin_addr), ntohs(sin.sin_port), req.data);
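Review bot: The global ACL drop is only reported when SIP debugging is on, so in normal operation packets rejected here leave no trace for an operator investigating scanning or a misapplied rule; consider a counter or a rate-limited `ast_log(LOG_NOTICE, ...)`. The check also runs after `lws2sws()` has already rewritten the request, so moving it above the pedantic fix-up avoids processing data from a denied source. `global_nacl->acl` is read here with no lock visible in the hunk while the reload path detaches the NACL, so confirm what serialises the two; the function body continues outside the hunk.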
@@ -18273,6 +18277,7 @@
ast_free_ha(global_contact_ha);
global_contact_ha = NULL;
+ ast_nacl_detach(global_nacl);
/* First, destroy all outstanding registry calls */
/* This is needed, since otherwise active registry entries will not be destroyed */
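Review bot: `ast_nacl_detach(global_nacl);` releases the reference but leaves `global_nacl` pointing at the old object, unlike `global_contact_ha`, which is reset to NULL two lines above. If the reloaded configuration has no `nacl` line, the packet path still dereferences `global_nacl->acl` and the next reload or unload detaches it again. Add `global_nacl = NULL;` right after the detach, and the same after the detach added in the unload hunk. Whether `ast_nacl_detach()` accepts NULL is not visible here, so guard the call with `if (global_nacl)` unless it does.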
@@ -18406,6 +18411,11 @@
ast_copy_string(default_context, v->value, sizeof(default_context));
} else if (!strcasecmp(v->name, "subscribecontext")) {
ast_copy_string(default_subscribecontext, v->value, sizeof(default_subscribecontext));
+ } else if (!strcasecmp(v->name, "nacl")) {
+ global_nacl = ast_nacl_attach(v->value);
+ if (!global_nacl) {
+ ast_log(LOG_WARNING, "'%s' is not a valid NACL name - line %d.\n", v->value, v->lineno);
+ }
} else if (!strcasecmp(v->name, "allowguest")) {
global_allowguest = ast_true(v->value) ? 1 : 0;
} else if (!strcasecmp(v->name, "realm")) {
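Review bot: When `ast_nacl_attach()` returns NULL the only effect is a warning, and because the packet check tests `global_nacl &&` first, a mistyped NACL name leaves SIP traffic unfiltered. An operator who configured a filter probably expects that to be loud; at minimum use `LOG_ERROR` and say in the message that no global ACL is active. The assignment also overwrites any earlier value, so a second `nacl` line would drop the first reference without `ast_nacl_detach()`.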
@@ -19637,6 +19647,8 @@
ast_free_ha(global_contact_ha);
close(sipsock);
sched_context_destroy(sched);
+ ast_nacl_detach(global_nacl);
+ ast_free_ha(global_contact_ha);
return 0;
}
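Review bot: `ast_free_ha(global_contact_ha);` is added here although the same call already appears three lines earlier as context, and nothing visible between them resets the pointer, so the list is freed twice at unload. Drop the added line, or set `global_contact_ha = NULL;` after the first free. The earlier part of the function is outside the hunk.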
Modified: team/oej/deluxepine-1.4/main/nacl.c
URL: http://svnview.digium.com/svn/asterisk/team/oej/deluxepine-1.4/main/nacl.c?view=diff&rev=242038&r1=242037&r2=242038
==============================================================================
--- team/oej/deluxepine-1.4/main/nacl.c (original)
+++ team/oej/deluxepine-1.4/main/nacl.c Thu Jan 21 14:53:55 2010
@@ -677,6 +677,7 @@
if (nacl) {
nacl->delete = FALSE;
ast_free_ha(nacl->acl); /* Delete existing ACL (locking needed indeed) */
+ nacl->acl = NULL;
ao2_ref(nacl, -1); /* The find operation adds a ref */
} else {
nacl = ast_nacl_add(cat, "config");
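Review bot: Clearing `nacl->acl` after `ast_free_ha()` removes the stale pointer but not the window the comment itself points at: a reader that loaded `nacl->acl` just before the free still walks freed memory. Detach the list before freeing it, `struct ast_ha *old = nacl->acl; nacl->acl = NULL; ast_free_ha(old);`, under whatever lock the readers take. While the pointer is NULL and the new rules are not yet loaded, `ast_apply_ha()` on an empty list presumably permits, so every user of this NACL is open during the reload; building the new list first and swapping it in would avoid that. The enclosing block continues past the hunk.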