[asterisk-commits] jrose: branch jrose/nacl_branch r368556 - in /team/jrose/nacl_branch: ./ chan...
Author: jrose
Date: Tue Jun 5 13:58:57 2012
New Revision: 368556
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=368556
Log:
Finish changes to named_acl.c and remaining acl consumers.
Added:
team/jrose/nacl_branch/configs/acl.conf.sample (with props)
Modified:
team/jrose/nacl_branch/CHANGES
team/jrose/nacl_branch/channels/chan_iax2.c
team/jrose/nacl_branch/channels/chan_mgcp.c
team/jrose/nacl_branch/channels/chan_sip.c
team/jrose/nacl_branch/channels/chan_skinny.c
team/jrose/nacl_branch/configs/iax.conf.sample
team/jrose/nacl_branch/configs/manager.conf.sample
team/jrose/nacl_branch/configs/sip.conf.sample
team/jrose/nacl_branch/configs/skinny.conf.sample
team/jrose/nacl_branch/main/named_acl.c
Modified: team/jrose/nacl_branch/CHANGES
URL: http://svnview.digium.com/svn/asterisk/team/jrose/nacl_branch/CHANGES?view=diff&rev=368556&r1=368555&r2=368556
==============================================================================
--- team/jrose/nacl_branch/CHANGES (original)
+++ team/jrose/nacl_branch/CHANGES Tue Jun 5 13:58:57 2012
@@ -31,6 +31,13 @@
* The minimum DTMF duration can now be configured in asterisk.conf
as "mindtmfduration". The default value is (as before) set to 80 ms.
(previously it was only available in source code)
+ * Named ACLs can now be specified in acl.conf and used in configurations that
+ use ACLs. As a general rule, if some derivative of 'permit' or 'deny' is
+ used to specify an ACL, a similar form of 'acl' will append a named ACL to the
+ working ACL in the same way. For example, SIP's contact ACL can be modified
+ with 'contactdeny', 'contactpermit', and now 'contactacl'. In addition, some
+ CLI commands have been added to provide informational and configuration reload
+ capabilities to this feature ('acl show <named acl>' and 'acl reload').
CLI Changes
-------------------
Modified: team/jrose/nacl_branch/channels/chan_iax2.c
URL: http://svnview.digium.com/svn/asterisk/team/jrose/nacl_branch/channels/chan_iax2.c?view=diff&rev=368556&r1=368555&r2=368556
==============================================================================
--- team/jrose/nacl_branch/channels/chan_iax2.c (original)
+++ team/jrose/nacl_branch/channels/chan_iax2.c Tue Jun 5 13:58:57 2012
@@ -12559,6 +12559,8 @@
} else if (!strcasecmp(v->name, "permit") ||
!strcasecmp(v->name, "deny")) {
peer->ha = ast_append_ha(v->name, v->value, peer->ha, NULL);
+ } else if (!strcasecmp(v->name, "acl")) {
+ peer->ha = ast_append_named_acl(peer->ha, v->value);
} else if (!strcasecmp(v->name, "mask")) {
maskfound++;
inet_aton(v->value, &peer->mask);
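Review bot: The new `acl` branch hands `v->value` to `ast_append_named_acl` with no `ast_strlen_zero` guard, unlike the `acl` and `contactacl` branches chan_sip gains in this same commit, so a bare `acl=` line is presumably looked up as an empty name (and, going by the named_acl.c hunk, reported as an error) instead of being skipped. The same unguarded form appears in chan_mgcp's `acl` branch, chan_skinny's `acl` branch and chan_sip's `directmediaacl` branch; wrapping each call in `if (!ast_strlen_zero(v->value)) { ... }` as chan_sip does for `acl` would give all consumers the same handling of empty values. The enclosing option-parsing function starts and ends outside the hunk.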
Modified: team/jrose/nacl_branch/channels/chan_mgcp.c
URL: http://svnview.digium.com/svn/asterisk/team/jrose/nacl_branch/channels/chan_mgcp.c?view=diff&rev=368556&r1=368555&r2=368556
==============================================================================
--- team/jrose/nacl_branch/channels/chan_mgcp.c (original)
+++ team/jrose/nacl_branch/channels/chan_mgcp.c Tue Jun 5 13:58:57 2012
@@ -4052,6 +4052,8 @@
} else if (!strcasecmp(v->name, "permit") ||
!strcasecmp(v->name, "deny")) {
gw->ha = ast_append_ha(v->name, v->value, gw->ha, NULL);
+ } else if (!strcasecmp(v->name, "acl")) {
+ gw->ha = ast_append_named_acl(gw->ha, v->value);
} else if (!strcasecmp(v->name, "port")) {
gw->addr.sin_port = htons(atoi(v->value));
} else if (!strcasecmp(v->name, "context")) {
Modified: team/jrose/nacl_branch/channels/chan_sip.c
URL: http://svnview.digium.com/svn/asterisk/team/jrose/nacl_branch/channels/chan_sip.c?view=diff&rev=368556&r1=368555&r2=368556
==============================================================================
--- team/jrose/nacl_branch/channels/chan_sip.c (original)
+++ team/jrose/nacl_branch/channels/chan_sip.c Tue Jun 5 13:58:57 2012
@@ -28928,6 +28928,10 @@
if (ha_error) {
ast_log(LOG_ERROR, "Bad ACL entry in configuration line %d : %s\n", v->lineno, v->value);
}
+ } else if (!strcasecmp(v->name, "acl")) {
+ if (!ast_strlen_zero(v->value)) {
+ peer->ha = ast_append_named_acl(peer->ha, v->value);
+ }
} else if (!strcasecmp(v->name, "contactpermit") || !strcasecmp(v->name, "contactdeny")) {
int ha_error = 0;
if (!ast_strlen_zero(v->value)) {
@@ -28936,12 +28940,18 @@
if (ha_error) {
ast_log(LOG_ERROR, "Bad ACL entry in configuration line %d : %s\n", v->lineno, v->value);
}
+ } else if (!strcasecmp(v->name, "contactacl")) {
+ if (!ast_strlen_zero(v->value)) {
+ peer->contactha = ast_append_named_acl(peer->contactha, v->value);
+ }
} else if (!strcasecmp(v->name, "directmediapermit") || !strcasecmp(v->name, "directmediadeny")) {
int ha_error = 0;
peer->directmediaha = ast_append_ha(v->name + 11, v->value, peer->directmediaha, &ha_error);
if (ha_error) {
ast_log(LOG_ERROR, "Bad directmedia ACL entry in configuration line %d : %s\n", v->lineno, v->value);
}
+ } else if (!strcasecmp(v->name, "directmediaacl")) {
+ peer->directmediaha = ast_append_named_acl(peer->directmediaha, v->value);
} else if (!strcasecmp(v->name, "port")) {
peer->portinuri = 1;
if (!(port = port_str2int(v->value, 0))) {
Modified: team/jrose/nacl_branch/channels/chan_skinny.c
URL: http://svnview.digium.com/svn/asterisk/team/jrose/nacl_branch/channels/chan_skinny.c?view=diff&rev=368556&r1=368555&r2=368556
==============================================================================
--- team/jrose/nacl_branch/channels/chan_skinny.c (original)
+++ team/jrose/nacl_branch/channels/chan_skinny.c Tue Jun 5 13:58:57 2012
@@ -7449,7 +7449,11 @@
CDEV->ha = ast_append_ha(v->name, v->value, CDEV->ha, NULL);
continue;
}
- } else if (!strcasecmp(v->name, "allow")) {
+ } else if (!strcasecmp(v->name, "acl")) {
+ if (type & (TYPE_DEVICE)) {
+ CDEV->ha = ast_append_named_acl(CDEV->ha, v->value);
+ }
+ } else if (!strcasecmp(v->name, "allow")) {
if (type & (TYPE_DEF_DEVICE | TYPE_DEVICE)) {
ast_parse_allow_disallow(&CDEV->confprefs, CDEV->confcap, v->value, 1);
continue;
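Review bot: The new `acl` branch does not `continue` after appending, whereas the `permit`/`deny` body just above it and the `allow` branch below both `continue` once they have handled the option. If the tail of this loop (outside the hunk) treats a branch that falls through as an unrecognized keyword, a valid `acl=` line on a device would be handled and then warned about; adding `continue;` after the `ast_append_named_acl` call would match the neighbouring branches. The `if (type & (TYPE_DEVICE))` gate also means an `acl=` line in a non-device section is silently ignored, which seems consistent with `permit`/`deny` but is worth a one-line comment. The enclosing function starts and ends outside the hunk.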
Added: team/jrose/nacl_branch/configs/acl.conf.sample
URL: http://svnview.digium.com/svn/asterisk/team/jrose/nacl_branch/configs/acl.conf.sample?view=auto&rev=368556
==============================================================================
--- team/jrose/nacl_branch/configs/acl.conf.sample (added)
+++ team/jrose/nacl_branch/configs/acl.conf.sample Tue Jun 5 13:58:57 2012
@@ -1,0 +1,49 @@
+;
+; Named Access Control Lists (ACLs)
+;
+; A convenient way to share acl definitions
+;
+; This configuration file is read on startup
+;
+; CLI Commands
+; -----------------------------------------------------------
+; acl show Show all named ACLs configured
+; acl show <named acl> Show contents of a particular named ACL
+; acl reload Reload configuration file
+;
+;
+; Any confuration that uses ACLs made to be able to used named ACLs will
+; append a named ACL with the 'acl' option in its configuration in a similar
+; fashion to the usual 'permit' and 'deny' options. Example:
+; acl=my_named_acl
+;
+; can be combined with additional uses of the acl option as well as 'permit'
+; and 'deny' and the resulting ACL will follow the same order as it was
+; defined in. So if a config denies a1, permits a2, uses an acl that denies a3
+; and permits a4, and denies a5, the resulting acl will follow that same order.
+;
+;
+;[example_named_acl1]
+;permit=209.16.236.73/255.255.255.0
+;
+;[example_named_acl2]
+;deny=10.24.20.171/255.255.255.0
+;deny=10.24.20.103/255.255.255.0
+;
+; example_named_acl1 above shows an example of whitelisting. When whitelisting, the
+; named ACLs should follow a deny that blocks everything (like deny=0.0.0.0/0.0.0.0)
+; While deny and permit can work in tandem within an nacl, the later an acl item appears
+; in an ACL, the more prominent its effect is, so combining the following two examples
+; will only result in one usable address:
+;
+;[bad_combination_part1]
+;deny=0.0.0.0/0.0.0.0
+;permit=10.24.20.1/255.255.255.0
+;[bad_combination)part2]
+;deny=0.0.0.0/0.0.0.0
+;permit=10.24.20.2/255.255.255.0
+;
+; Using both acls back to back would mean the second deny overrides the first permit,
+; so only the last permit would be useful. For that reason, it's probably simpler in general
+; to use purely white/blacklists when defining ACLs and simply precede them with deny/permit
+; all depending on which is used.
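Review bot: The second example section header reads `[bad_combination)part2]` with a `)` where the `_` belongs, so anyone uncommenting the example gets a section name that does not match the prose around it; it should be `[bad_combination_part2]`. Two wording slips in the explanatory comment near the top: "Any confuration that uses ACLs made to be able to used named ACLs" should read "Any configuration that uses ACLs and supports named ACLs". The whitelisting advice (a permit-only named ACL must follow a deny-all) is the key operational point of this file and could be stated once more directly under the `[example_named_acl1]` sample, e.g. `; on its own this permits one network and denies nothing; precede it with deny=0.0.0.0/0.0.0.0 in the consumer`.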
Propchange: team/jrose/nacl_branch/configs/acl.conf.sample
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: team/jrose/nacl_branch/configs/acl.conf.sample
------------------------------------------------------------------------------
svn:keywords = Author Date Id Revision
Propchange: team/jrose/nacl_branch/configs/acl.conf.sample
------------------------------------------------------------------------------
svn:mime-type = text/plain
Modified: team/jrose/nacl_branch/configs/iax.conf.sample
URL: http://svnview.digium.com/svn/asterisk/team/jrose/nacl_branch/configs/iax.conf.sample?view=diff&rev=368556&r1=368555&r2=368556
==============================================================================
--- team/jrose/nacl_branch/configs/iax.conf.sample (original)
+++ team/jrose/nacl_branch/configs/iax.conf.sample Tue Jun 5 13:58:57 2012
@@ -520,9 +520,10 @@
; for connections with that given authentication name. Limited IP based
; access control is allowed by use of "permit" and "deny" keywords. Multiple
; rules are permitted. Multiple permitted contexts may be specified, in
-; which case the first will be the default. You can also override Caller*ID
-; so that when you receive a call you set the Caller*ID to be what you want
-; instead of trusting what the remote user provides
+; which case the first will be the default. Rules can also be appended with
+; named ACLs from acl.conf using the "acl" keyword. You can also override
+; Caller*ID so that when you receive a call you set the Caller*ID to be what
+; you want instead of trusting what the remote user provides
;
; There are three authentication methods that are supported: md5, plaintext,
; and rsa. The least secure is "plaintext", which sends passwords cleartext
Modified: team/jrose/nacl_branch/configs/manager.conf.sample
URL: http://svnview.digium.com/svn/asterisk/team/jrose/nacl_branch/configs/manager.conf.sample?view=diff&rev=368556&r1=368555&r2=368556
==============================================================================
--- team/jrose/nacl_branch/configs/manager.conf.sample (original)
+++ team/jrose/nacl_branch/configs/manager.conf.sample Tue Jun 5 13:58:57 2012
@@ -85,6 +85,7 @@
;secret = mysecret
;deny=0.0.0.0/0.0.0.0
;permit=209.16.236.73/255.255.255.0
+;acl=example_name ; appends a named ACL from acl.conf
;
;eventfilter=Event: Newchannel
;eventfilter=!Channel: DAHDI*
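Review bot: The sample now advertises `;acl=example_name` for manager users, but main/manager.c is not in this commit's modified list, so nothing visible here parses that key for AMI. If the manager consumer was wired up in an earlier commit on this branch that is fine; otherwise an administrator who adds `acl=` expecting a restriction gets no restriction and no error, which is the worst way for an ACL option to fail. Either drop the sample line until manager.c handles it, or note in the log message which commit added the manager side.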
Modified: team/jrose/nacl_branch/configs/sip.conf.sample
URL: http://svnview.digium.com/svn/asterisk/team/jrose/nacl_branch/configs/sip.conf.sample?view=diff&rev=368556&r1=368555&r2=368556
==============================================================================
--- team/jrose/nacl_branch/configs/sip.conf.sample (original)
+++ team/jrose/nacl_branch/configs/sip.conf.sample Tue Jun 5 13:58:57 2012
@@ -454,6 +454,7 @@
;contactdeny=0.0.0.0/0.0.0.0 ; Use contactpermit and contactdeny to
;contactpermit=172.16.0.0/255.255.0.0 ; restrict at what IPs your users may
; register their phones.
+;contactacl=named_acl_example ; Also contactacl to use a named ACL from acl.conf
;engine=asterisk ; RTP engine to use when communicating with the device
@@ -952,10 +953,11 @@
;directmediadeny=0.0.0.0/0 ; Use directmediapermit and directmediadeny to restrict
;directmediapermit=172.16.0.0/16; which peers should be able to pass directmedia to each other
- ; (There is no default setting, this is just an example)
+;directmediaacl=examplenamed ; (There is no default setting, this is just an example)
; Use this if some of your phones are on IP addresses that
; can not reach each other directly. This way you can force
; RTP to always flow through asterisk in such cases.
+ ; directmediaacl allows you to use named ACLs from acl.conf
;ignoresdpversion=yes ; By default, Asterisk will honor the session version
; number in SDP packets and will only modify the SDP
@@ -1151,6 +1153,7 @@
; callingpres
; permit
; deny
+; acl
; secret
; md5secret
; remotesecret
@@ -1211,10 +1214,11 @@
; t38pt_usertpsource
; contactpermit ; Limit what a host may register as (a neat trick
; contactdeny ; is to register at the same IP as a SIP provider,
-; ; then call oneself, and get redirected to that
+; contactacl ; then call oneself, and get redirected to that
; ; same location).
; directmediapermit
; directmediadeny
+; directmediaacl
; unsolicited_mailbox
; use_q850_reason
; maxforwards
@@ -1419,6 +1423,9 @@
;permit=2001:db8::/32 ; IPv6 ACLs can be specified if desired. IPv6 ACLs
; apply only to IPv6 addresses, and IPv4 ACLs apply
; only to IPv4 addresses.
+;
+;acl=nameofacl ; ACLs can also be grabbed from the list of named ACLs
+ ; specified in acl.conf
;[cisco1]
;type=friend
Modified: team/jrose/nacl_branch/configs/skinny.conf.sample
URL: http://svnview.digium.com/svn/asterisk/team/jrose/nacl_branch/configs/skinny.conf.sample?view=diff&rev=368556&r1=368555&r2=368556
==============================================================================
--- team/jrose/nacl_branch/configs/skinny.conf.sample (original)
+++ team/jrose/nacl_branch/configs/skinny.conf.sample Tue Jun 5 13:58:57 2012
@@ -176,6 +176,7 @@
;version=P002F202 ; Firmware version identifier
;host=192.168.1.144
;permit=192.168.0/24 ; Optional, used for authentication
+;acl=named_acl_ex ; Optional, append named ACLs from acl.conf
;line=500
Modified: team/jrose/nacl_branch/main/named_acl.c
URL: http://svnview.digium.com/svn/asterisk/team/jrose/nacl_branch/main/named_acl.c?view=diff&rev=368556&r1=368555&r2=368556
==============================================================================
--- team/jrose/nacl_branch/main/named_acl.c (original)
+++ team/jrose/nacl_branch/main/named_acl.c Tue Jun 5 13:58:57 2012
@@ -4,7 +4,8 @@
* Copyright (C) 1999-2012, Digium, Inc.
*
* Jonathan Rose <jrose at digium.com> - Named ACL coder
- * Olle E. Johanson <oej at something> - Named ACL concepts
+ * Olle E. Johanson <oej at something> - Provided a foundation to work from
+ * Terry wilson <twilson at digium.com> - Asterisk Config Option framework
* Mark Spencer <markster at digium.com> - Asterisk Author
*
* v1.0 - (XX-XX-12)
@@ -39,7 +40,6 @@
* so that we can only access the internal object by grabbing a reference to it. The back
* end config code uses this to atomically swap out a new config object for the old one.
*/
-
static AO2_GLOBAL_OBJ_STATIC(globals);
static void *named_acl_config_alloc(void);
@@ -59,10 +59,11 @@
.item_offset = offsetof(struct named_acl_config, named_acl_list), /*!< Could leave this out since 0 */
};
-/*! \note This is annoying. We need to be able to pass multiple types to aco_option_register as
- * an array and also be able to create the named_acl_type via intializer lists. So we make create
- * a single object array here to pass to aco_option_register. This is a case of multiple file
- * support making things slightly worse for the general case, unfortunately.
+/*! \note We need to be able to pass multiple types to aco_option_register as
+ * an array and also be able to create the named_acl_type via intializer lists.
+ * So we make create a single object array here to pass to aco_option_register.
+ * This is a case of multiple file support making things slightly worse for the
+ * general case, unfortunately.
*/
struct aco_type *named_acl_types[] = ACO_TYPES(&named_acl_type);
@@ -153,8 +154,15 @@
{
struct named_acl tmp;
struct named_acl *named_acl;
+
/*! \note This is to grab a reference to a snapshot of the configuration data */
RAII_VAR(struct named_acl_config *, cfg, ao2_global_obj_ref(globals), ao2_cleanup);
+
+ /* If the config or its named_acl_list hasn't been initialized, abort immediately. */
+ if ((!cfg) || (!(cfg->named_acl_list))) {
+ ast_log(LOG_ERROR, "Attempted to append with named ACL '%s', but the ACL configuration isn't available.\n", name);
+ return ha;
+ }
ast_copy_string(tmp.name, name, sizeof(tmp.name));
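Review bot: When the configuration snapshot is unavailable the function logs an error and returns `ha` unchanged, so the caller cannot tell "appended" from "nothing appended" and a peer whose `acl=` line names a restrictive list silently ends up with only the permit/deny entries it already had (fail-open). `ast_append_ha` already exposes this through its `int *error` parameter, so the same shape, an optional error out-parameter set when the config or the named ACL is missing, would let chan_sip and friends log against the config line or refuse the peer; its signature is outside the hunk. At minimum the function's doc comment should say that on any failure the input list is returned unmodified. Style: `if ((!cfg) || (!(cfg->named_acl_list)))` carries three redundant parenthesis pairs compared with the `if (!cfg || !cfg->named_acl_list)` form used in the CLI hunks below.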
@@ -191,6 +199,11 @@
/*! \note This is to grab a reference to a snapshot of the configuration data */
RAII_VAR(struct named_acl_config *, cfg, ao2_global_obj_ref(globals), ao2_cleanup);
+ if ((!cfg) || (!cfg->named_acl_list)) {
+ ast_log(LOG_ERROR, "Attempted to show named ACL '%s', but the acl configuration isn't available.\n", name);
+ return;
+ }
+
ast_copy_string(tmp.name, name, sizeof(tmp.name));
named_acl = ao2_find(cfg->named_acl_list, &tmp, OBJ_POINTER);
@@ -217,9 +230,13 @@
/*! \note This is to grab a reference to a snapshot of the configuration data */
RAII_VAR(struct named_acl_config *, cfg, ao2_global_obj_ref(globals), ao2_cleanup);
+ ast_cli(fd, "\nacl\n---\n");
+
+ if (!cfg || !cfg->named_acl_list) {
+ ast_cli(fd, "ACL configuration isn't available.\n");
+ return;
+ }
i = ao2_iterator_init(cfg->named_acl_list, 0);
-
- ast_cli(fd, "\nnamed_acl\n----\n");
while ((o = ao2_iterator_next(&i))) {
struct named_acl *named_acl = o;
@@ -286,8 +303,10 @@
int init_named_acl()
{
+ ast_cli_register_multiple(cli_named_acl, ARRAY_LEN(cli_named_acl));
+
if (aco_info_init(&cfg_info)) {
- return -1;
+ return 0;
}
/*! \note Register the options. Not sure what the defaults should be. Change the NULLS for yourself */
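Review bot: Changing the `aco_info_init` failure return from `-1` to `0` (and the same for `aco_process_config` in the next hunk) makes `init_named_acl` report success to its caller even when no ACL configuration could be loaded, which the later `!cfg` guards then turn into fail-open behaviour for every `acl=` consumer. If the intent is that a missing acl.conf must not stop Asterisk from booting, that deserves a comment such as `/* a missing or broken acl.conf is not fatal; named ACL lookups will log and append nothing */` and a `LOG_WARNING` at each early return so the condition is visible in the logs rather than only at the first failed lookup. The return value of the `ast_cli_register_multiple` call added at the top is also discarded.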
@@ -295,9 +314,8 @@
aco_option_register(&cfg_info, "deny", ACO_EXACT, named_acl_types, NULL, OPT_ACL_T, 1, FLDSET(struct named_acl, ha), "deny");
if (aco_process_config(&cfg_info, 0)) {
- return -1;
- }
-
- ast_cli_register_multiple(cli_named_acl, ARRAY_LEN(cli_named_acl));
+ return 0;
+ }
+
return 0;
}