[asterisk-dev] [Code Review] Make ACLs IPv6-capable

Mark Michelson mmichelson at digium.com
Wed Jul 14 17:02:13 CDT 2010


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/784/#review2391
-----------------------------------------------------------



/trunk/main/acl.c
<https://reviewboard.asterisk.org/r/784/#comment5276>

    I have no idea why Review Board is formatting this comment and the one below like this.


- Mark


On 2010-07-14 16:59:33, Mark Michelson wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/784/
> -----------------------------------------------------------
> 
> (Updated 2010-07-14 16:59:33)
> 
> 
> Review request for Asterisk Developers.
> 
> 
> Summary
> -------
> 
> A recent change to Asterisk made Asterisk IPv6 ready and made SIP and RTP IPv6-capable. In order to have a more complete conversion to IPv6 in chan_sip, I felt that ACLs should be capable of handling IPv6 addresses, too. The main meat of this code is in main/acl.c. The rest of the changes are just to comply with the changed API in include/asterisk/acl.h.
> 
> The approach taken here was to use only IPv6 addresses in ACLs. If an IPv6 ACL is specified in a config file, then it is translated into an IPv4-mapped IPv6 address. The main reason for doing this was to have a uniform approach for applying a netmask to a given address.
> 
> Some notes:
> * I do a lot of manual setting of sin_addr6::sin6_addrs rather than using ast_sockaddr_parse() or getaddrinfo(). The reason for this is to avoid unnecessary system calls when applying host access rules. The only time ast_sockaddr_parse() is used is in ast_append_ha(), which is called when reading configs. ast_apply_ha() will never call these functions.
> * I made a decision that a /0 or 0.0.0.0 netmask when applied to an IPv4 address would not be converted to an IPv4-mapped IPv6 address. Rather, it is simply made into an all 0s (i.e. unspecified) IPv6 address. The reason for this is that /0 netmasks are used for "permit all" or "deny all" rules. By converting to an IPv4-mapped IPv6 address, most IPv6 traffic will not match the access rule, which I think would be unexpected to most people.
> 
> Please feel free to let me know if you know of easier ways to implement the changes I made to main/acl.c.
> 
> In addition to the changes to main/acl.c, I have added new test cases to tests/test_acl.c. Let me know if you have any good ideas for further test cases that can be added.
> 
> 
> Diffs
> -----
> 
>   /trunk/channels/chan_iax2.c 276530 
>   /trunk/channels/chan_sip.c 276530 
>   /trunk/channels/chan_skinny.c 276530 
>   /trunk/include/asterisk/acl.h 276530 
>   /trunk/main/acl.c 276530 
>   /trunk/main/manager.c 276530 
>   /trunk/tests/test_acl.c 276530 
> 
> Diff: https://reviewboard.asterisk.org/r/784/diff
> 
> 
> Testing
> -------
> 
> invalid_acl and acl both pass in tests/test.acl
> 
> 
> Thanks,
> 
> Mark
> 
>
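
The /0 netmask decision described in the quoted summary, as an added example that is not Asterisk's main/acl.c and not part of the original message: it compares an IPv4 "match all" rule stored in IPv4-mapped form against the same rule stored as an all-zero IPv6 address and mask. `struct rule`, `map_v4`, `make_v4_rule`, `check` and the `zero_is_any` flag are hypothetical names, and the peer addresses are constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical rule type for this example; not Asterisk's struct ast_ha. */
struct rule { struct in6_addr net, mask; };

/* Store a dotted-quad IPv4 address as IPv4-mapped IPv6 (::ffff:a.b.c.d). */
static int map_v4(const char *v4, struct in6_addr *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, v4, &a) != 1) return -1;
    memset(out, 0, sizeof(*out));
    out->s6_addr[10] = out->s6_addr[11] = 0xff;
    memcpy(&out->s6_addr[12], &a, 4);
    return 0;
}

/* IPv4 net/mask to rule; zero_is_any turns a zero mask into ::/0, not a mapped /96. */
static int make_v4_rule(struct rule *r, const char *net, const char *mask, int zero_is_any)
{
    struct in_addr m;
    if (inet_pton(AF_INET, mask, &m) != 1 || map_v4(net, &r->net)) return -1;
    memset(r->mask.s6_addr, 0xff, 12);          /* 96 prefix bits of the mapping */
    memcpy(&r->mask.s6_addr[12], &m, 4);
    if (zero_is_any && m.s_addr == 0) memset(r, 0, sizeof(*r));
    return 0;
}

/* 1 if peer (IPv4 or IPv6 text) falls inside the rule, 0 if not, -1 on bad input. */
int check(const char *net, const char *mask, int zero_is_any, const char *peer)
{
    struct rule r;
    struct in6_addr a;
    if (make_v4_rule(&r, net, mask, zero_is_any)) return -1;
    if (strchr(peer, ':') ? inet_pton(AF_INET6, peer, &a) != 1 : map_v4(peer, &a)) return -1;
    for (int i = 0; i < 16; i++)
        if ((a.s6_addr[i] ^ r.net.s6_addr[i]) & r.mask.s6_addr[i]) return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample peer from the IPv6 documentation range. */
    printf("mapped /0, v6 peer: %d\n", check("0.0.0.0", "0.0.0.0", 0, "2001:db8::1"));
    printf("::/0,      v6 peer: %d\n", check("0.0.0.0", "0.0.0.0", 1, "2001:db8::1"));
    return 0;
}
```

With the mapped form, a "deny all" rule written as 0.0.0.0/0.0.0.0 would leave native IPv6 peers unmatched, which is the surprise the summary sets out to avoid.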



