[asterisk-commits] mmichelson: branch mmichelson/acl-v6 r277259 - in /team/mmichelson/acl-v6: co...
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Fri Jul 16 12:47:04 CDT 2010
Author: mmichelson
Date: Fri Jul 16 12:47:01 2010
New Revision: 277259
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=277259
Log:
Address Review Board comments from Simon and Olle.
Modified:
team/mmichelson/acl-v6/configs/sip.conf.sample
team/mmichelson/acl-v6/include/asterisk/acl.h
team/mmichelson/acl-v6/main/acl.c
Modified: team/mmichelson/acl-v6/configs/sip.conf.sample
URL: http://svnview.digium.com/svn/asterisk/team/mmichelson/acl-v6/configs/sip.conf.sample?view=diff&rev=277259&r1=277258&r2=277259
==============================================================================
--- team/mmichelson/acl-v6/configs/sip.conf.sample (original)
+++ team/mmichelson/acl-v6/configs/sip.conf.sample Fri Jul 16 12:47:01 2010
@@ -1238,6 +1238,9 @@
;deny=0.0.0.0/0.0.0.0 ; ACL: Control access to this account based on IP address
;permit=192.168.0.60/255.255.255.0
;permit=192.168.0.60/24 ; we can also use CIDR notation for subnet masks
+;permit=fe80::/16 ; IPv6 ACLs can be specified if desired. IPv6 ACLs
+ ; apply only to IPv6 addresses, and IPv4 ACLs apply
+ ; only to IPv4 addresses.
;[cisco1]
;type=friend
Modified: team/mmichelson/acl-v6/include/asterisk/acl.h
URL: http://svnview.digium.com/svn/asterisk/team/mmichelson/acl-v6/include/asterisk/acl.h?view=diff&rev=277259&r1=277258&r2=277259
==============================================================================
--- team/mmichelson/acl-v6/include/asterisk/acl.h (original)
+++ team/mmichelson/acl-v6/include/asterisk/acl.h Fri Jul 16 12:47:01 2010
@@ -51,7 +51,6 @@
struct ast_sockaddr netmask;
int sense;
struct ast_ha *next;
- unsigned char is_ipv4;
};
/*!
@@ -116,7 +115,7 @@
* \retval AST_SENSE_ALLOW The IP address passes our ACL
* \retval AST_SENSE_DENY The IP address fails our ACL
*/
-int ast_apply_ha(struct ast_ha *ha, struct ast_sockaddr *addr);
+int ast_apply_ha(const struct ast_ha *ha, const struct ast_sockaddr *addr);
/*!
* \brief Get the IP address given a hostname
Modified: team/mmichelson/acl-v6/main/acl.c
URL: http://svnview.digium.com/svn/asterisk/team/mmichelson/acl-v6/main/acl.c?view=diff&rev=277259&r1=277258&r2=277259
==============================================================================
--- team/mmichelson/acl-v6/main/acl.c (original)
+++ team/mmichelson/acl-v6/main/acl.c Fri Jul 16 12:47:01 2010
@@ -294,11 +294,14 @@
* \param addr The IP address to apply the mask to.
* \param netmask The netmask configured in the host access rule.
* \param result The resultant address after applying the netmask to the given address
- * \retval void
+ * \retval 0 Successfully applied netmask
+ * \reval -1 Failed to apply netmask
*/
-static void apply_netmask(struct ast_sockaddr *addr, struct ast_sockaddr *netmask,
+static int apply_netmask(const struct ast_sockaddr *addr, const struct ast_sockaddr *netmask,
struct ast_sockaddr *result)
{
+ int res = 0;
+
if (ast_sockaddr_is_ipv4(addr)) {
struct sockaddr_in result4 = { 0, };
struct sockaddr_in *addr4 = (struct sockaddr_in *) &addr->ss;
@@ -306,7 +309,7 @@
result4.sin_family = AF_INET;
result4.sin_addr.s_addr = addr4->sin_addr.s_addr & mask4->sin_addr.s_addr;
ast_sockaddr_from_sin(result, &result4);
- } else {
+ } else if (ast_sockaddr_is_ipv6(addr)) {
struct sockaddr_in6 result6 = { 0, };
struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *) &addr->ss;
struct sockaddr_in6 *mask6 = (struct sockaddr_in6 *) &netmask->ss;
@@ -317,7 +320,12 @@
}
memcpy(&result->ss, &result6, sizeof(result6));
result->len = sizeof(result6);
- }
+ } else {
+ /* Unsupported address scheme */
+ res = -1;
+ }
+
+ return res;
}
/*!
@@ -459,10 +467,19 @@
return ret;
}
- apply_netmask(&ha->addr, &ha->netmask, &ha->addr);
+ if (apply_netmask(&ha->addr, &ha->netmask, &ha->addr)) {
+ /* This shouldn't happen because ast_sockaddr_parse would
+ * have failed much earlier on an unsupported address scheme
+ */
+ char *failmask = ast_strdupa(ast_sockaddr_stringify(&ha->netmask));
+ char *failaddr = ast_strdupa(ast_sockaddr_stringify(&ha->addr));
+ ast_log(LOG_WARNING, "Unable to apply netmask %s to address %s\n", failmask, failaddr);
+ ast_free_ha(ha);
+ *error = 1;
+ return ret;
+ }
ha->sense = strncasecmp(sense, "p", 1) ? AST_SENSE_DENY : AST_SENSE_ALLOW;
- ha->is_ipv4 = addr_is_v4;
ha->next = NULL;
if (prev) {
@@ -476,16 +493,16 @@
return ret;
}
-int ast_apply_ha(struct ast_ha *ha, struct ast_sockaddr *addr)
+int ast_apply_ha(const struct ast_ha *ha, const struct ast_sockaddr *addr)
{
/* Start optimistic */
int res = AST_SENSE_ALLOW;
- struct ast_ha *current_ha;
+ const struct ast_ha *current_ha;
for (current_ha = ha; current_ha; current_ha = current_ha->next) {
struct ast_sockaddr result;
struct ast_sockaddr mapped_addr;
- struct ast_sockaddr *addr_to_use;
+ const struct ast_sockaddr *addr_to_use;
#if 0 /* debugging code */
char iabuf[INET_ADDRSTRLEN];
char iabuf2[INET_ADDRSTRLEN];
@@ -494,7 +511,7 @@
ast_copy_string(iabuf2, ast_inet_ntoa(ha->netaddr), sizeof(iabuf2));
ast_debug(1, "##### Testing %s with %s\n", iabuf, iabuf2);
#endif
- if (current_ha->is_ipv4) {
+ if (ast_sockaddr_is_ipv4(&ha->addr)) {
if (ast_sockaddr_is_ipv6(addr)) {
if (ast_sockaddr_is_ipv4_mapped(addr)) {
/* IPv4 ACLs apply to IPv4-mapped addresses */
@@ -519,7 +536,10 @@
/* For each rule, if this address and the netmask = the net address
apply the current rule */
- apply_netmask(addr_to_use, ¤t_ha->netmask, &result);
+ if (apply_netmask(addr_to_use, ¤t_ha->netmask, &result)) {
+ /* Unlikely to happen since we know the address to be IPv4 or IPv6 */
+ continue;
+ }
if (!ast_sockaddr_cmp_addr(&result, ¤t_ha->addr)) {
res = current_ha->sense;
}
More information about the asterisk-commits
mailing list