[asterisk-dev] [Code Review] Make ACLs IPv6-capable
Mark Michelson
mmichelson at digium.com
Wed Jul 14 16:59:33 CDT 2010
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/784/
-----------------------------------------------------------
(Updated 2010-07-14 16:59:33.692720)
Review request for Asterisk Developers.
Changes
-------
Fixed some whitespace problems and added some \retval tags in main/acl.c
Summary
-------
A recent change to Asterisk made Asterisk IPv6 ready and made SIP and RTP IPv6-capable. In order to have a more complete conversion to IPv6 in chan_sip, I felt that ACLs should be capable of handling IPv6 addresses, too. The main meat of this code is in main/acl.c. The rest of the changes are just to comply with the changed API in include/asterisk/acl.h.
The approach taken here was to use only IPv6 addresses in ACLs. If an IPv6 ACL is specified in a config file, then it is translated into an IPv4-mapped IPv6 address. The main reason for doing this was to have a uniform approach for applying a netmask to a given address.
Some notes:
* I do a lot of manual setting of sin_addr6::sin6_addrs rather than using ast_sockaddr_parse() or getaddrinfo(). The reason for this is to avoid unnecessary system calls when applying host access rules. The only time ast_sockaddr_parse() is used is in ast_append_ha(), which is called when reading configs. ast_apply_ha() will never call these functions.
* I made a decision that a /0 or 0.0.0.0 netmask when applied to an IPv4 address would not be converted to an IPv4-mapped IPv6 address. Rather, it is simply made into an all 0s (i.e. unspecified) IPv6 address. The reason for this is that /0 netmasks are used for "permit all" or "deny all" rules. By converting to an IPv4-mapped IPv6 address, most IPv6 traffic will not match the access rule, which I think would be unexpected to most people.
Please feel free to let me know if you know of easier ways to implement the changes I made to main/acl.c
In addition to the changes to main/acl.c, I have added new test cases to tests/test_acl.c. Let me know if you have any good ideas for further test cases that can be added.
Diffs (updated)
-----
/trunk/channels/chan_iax2.c 276530
/trunk/channels/chan_sip.c 276530
/trunk/channels/chan_skinny.c 276530
/trunk/include/asterisk/acl.h 276530
/trunk/main/acl.c 276530
/trunk/main/manager.c 276530
/trunk/tests/test_acl.c 276530
Diff: https://reviewboard.asterisk.org/r/784/diff
Testing
-------
invalid_acl and acl both pass in tests/test.acl
Thanks,
Mark
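
The netmask handling described in the notes above, as an added C sketch; it is not part of the original message and is not the code from main/acl.c. The names struct rule, map_v4, rule_v4, acl_check and the zero_special flag are hypothetical, and inet_pton() is used only to keep the sketch short.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>

/* Hypothetical rule type for this sketch; not Asterisk's struct ast_ha. */
struct rule { struct in6_addr addr, mask; };

/* Store an IPv4 address as an IPv4-mapped IPv6 address (::ffff:a.b.c.d). */
static void map_v4(const struct in_addr *v4, struct in6_addr *out)
{
    memset(out, 0, sizeof(*out));
    out->s6_addr[10] = out->s6_addr[11] = 0xff;
    memcpy(&out->s6_addr[12], v4, 4);
}

/* Build a rule from a dotted-quad network and netmask. The mask is extended
 * with 96 leading one bits, so only IPv4-mapped peers can match. With
 * zero_special set, a 0.0.0.0 mask becomes the all-zero IPv6 mask instead. */
static int rule_v4(struct rule *r, const char *net, const char *mask, int zero_special)
{
    struct in_addr n, m;
    if (inet_pton(AF_INET, net, &n) != 1 || inet_pton(AF_INET, mask, &m) != 1)
        return -1;
    map_v4(&n, &r->addr);
    memset(&r->mask, 0xff, 12);
    memcpy(&r->mask.s6_addr[12], &m, 4);
    if (zero_special && m.s_addr == 0)
        memset(&r->mask, 0, sizeof(r->mask));
    return 0;
}

/* 1 if peer (IPv4 or IPv6 text) is inside the rule, 0 if not, -1 on bad input. */
int acl_check(const char *net, const char *mask, int zero_special, const char *peer)
{
    struct rule r;
    struct in6_addr p;
    struct in_addr v4;
    if (rule_v4(&r, net, mask, zero_special) != 0)
        return -1;
    if (inet_pton(AF_INET, peer, &v4) == 1)
        map_v4(&v4, &p);                 /* IPv4 peers are compared in mapped form */
    else if (inet_pton(AF_INET6, peer, &p) != 1)
        return -1;
    for (int i = 0; i < 16; i++)         /* one masked comparison for both families */
        if ((p.s6_addr[i] ^ r.addr.s6_addr[i]) & r.mask.s6_addr[i])
            return 0;
    return 1;
}
```

With zero_special set to 0, a 0.0.0.0/0.0.0.0 rule still matches every IPv4 peer but no native IPv6 peer, which is the surprise the second note avoids.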