[asterisk-dev] [Code Review]: named_acls: Named ACLs - a system for creating and applying ACLs with named profiles which can be shared

Kevin Fleming reviewboard at asterisk.org
Mon Jun 11 14:49:34 CDT 2012



> On June 11, 2012, 12:54 p.m., Paul Belanger wrote:
> > /trunk/configs/acl.conf.sample, lines 20-23
> > <https://reviewboard.asterisk.org/r/1978/diff/1/?file=28608#file28608line20>
> >
> >     It would be good to also implement Tilghman's '!' negation element to negate acls (like he did with codecs[1]).
> >     
> >     ;permit=!all_acls,local_acls
> >     
> >     [1] http://svnview.digium.com/svn/asterisk?view=revision&revision=334574
> 
> jrose wrote:
>     I'm not sure on this one. What does that mean exactly?
>     
>     Would that be like... if I have two ACLs where one is a subset of the other that some of the settings would be removed (which I don't think would work)? or that the permits/denies would be inverted (simple enough)?
>     
>     Also, the option in the current form would be
>     acl=!all_acls
>     acl=local_acls
>     
>     In the places I've attached this, I haven't included any support for comma separated items.
>

I don't think the negation concept would be very practical here, as the items being potentially negated are themselves lists of entries, and each entry has its own allow/deny semantic. If this were to be implemented, it would mean that the 'sense' of the negated ACL would be inverted, but that's beyond the scope of this patch anyway.


- Kevin


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/1978/#review6440
-----------------------------------------------------------


On June 8, 2012, 2:04 p.m., jrose wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/1978/
> -----------------------------------------------------------
> 
> (Updated June 8, 2012, 2:04 p.m.)
> 
> 
> Review request for Asterisk Developers, Mark Michelson, Terry Wilson, and Olle E Johansson.
> 
> 
> Summary
> -------
> 
> This feature is based on oej's deluxepine (or something like that) branch with a similarly named feature.  ACLs are defined in acl.conf and can be used by pretty much anything that has ACL options permit/deny (acl='aclname').  acl= works similarly to permit= and deny= in that it simply appends to the working ACL, so they can be combined with other uses of permit/deny/acl.
> 
> Also in use in this patch are twilson's new config options.
> 
> Since named acls are duplicated when used in another configuration, configurations that use named acls need to be updated if acl.conf is reloaded. This is accomplished with a new event type and the consumption of that event is demonstrated currently only in manager.conf.
> If this seems like a proper approach to this problem, that will be replicated across other consumers of named acls.
> 
> NOTE: This code is very much WIP and not intended for merging.
> 
> 
> Diffs
> -----
> 
>   /trunk/CHANGES 368662 
>   /trunk/channels/chan_h323.c 368662 
>   /trunk/channels/chan_iax2.c 368662 
>   /trunk/channels/chan_mgcp.c 368662 
>   /trunk/channels/chan_sip.c 368662 
>   /trunk/channels/chan_skinny.c 368662 
>   /trunk/channels/chan_unistim.c 368662 
>   /trunk/configs/acl.conf.sample PRE-CREATION 
>   /trunk/configs/iax.conf.sample 368662 
>   /trunk/configs/manager.conf.sample 368662 
>   /trunk/configs/sip.conf.sample 368662 
>   /trunk/configs/skinny.conf.sample 368662 
>   /trunk/include/asterisk/acl.h 368662 
>   /trunk/include/asterisk/event_defs.h 368662 
>   /trunk/main/acl.c 368662 
>   /trunk/main/asterisk.c 368662 
>   /trunk/main/manager.c 368662 
>   /trunk/main/named_acl.c PRE-CREATION 
> 
> Diff: https://reviewboard.asterisk.org/r/1978/diff
> 
> 
> Testing
> -------
> 
> Various tests for configuring and using named acls were performed, and a task for writing comprehensive testsuite tests is in the queue.  Additionally, various means of reloading the configuration have been performed, and so far they pan out aside from a bug with an unchanged acl.conf which is a generic problem against config options accidentally introduced a little while back.
> 
> 
> Thanks,
> 
> jrose
> 
>
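
A simplified model of the negation question discussed in this thread, as an added example that is not code from the patch or from Asterisk. It assumes an ACL is an ordered list evaluated last-match-wins with a default of allow, uses constructed entries for `local_acls`, and treats `acl=!name` as a hypothetical that flips each entry's sense.

```c
#include <stdint.h>
#include <stdio.h>
enum sense { DENY, ALLOW };
struct rule { uint32_t net, mask; enum sense sense; };
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed stand-in for a [local_acls] profile: deny all, then permit 192.168.0.0/16. */
static const struct rule local_acls[] = {
    { IP(0, 0, 0, 0),     IP(0, 0, 0, 0),     DENY  },
    { IP(192, 168, 0, 0), IP(255, 255, 0, 0), ALLOW },
};

/* acl=<name> appends the profile's entries; invert models the hypothetical acl=!<name>. */
size_t append_named(struct rule *work, size_t n, const struct rule *named, size_t len, int invert)
{
    for (size_t i = 0; i < len; i++, n++) {
        work[n] = named[i];
        if (invert)
            work[n].sense = (named[i].sense == ALLOW) ? DENY : ALLOW;
    }
    return n;
}

/* Assumed evaluation: walk the whole list, last matching entry decides, default ALLOW. */
enum sense apply_acl(const struct rule *work, size_t n, uint32_t addr)
{
    enum sense res = ALLOW;
    for (size_t i = 0; i < n; i++)
        if ((addr & work[i].mask) == work[i].net)
            res = work[i].sense;
    return res;
}

/* Consumer section: deny=10.0.0.0/8, then acl=local_acls (invert=0) or acl=!local_acls (invert=1). */
enum sense check(uint32_t addr, int invert)
{
    struct rule work[4];
    work[0] = (struct rule){ IP(10, 0, 0, 0), IP(255, 0, 0, 0), DENY };
    size_t n = append_named(work, 1, local_acls, sizeof(local_acls) / sizeof(local_acls[0]), invert);
    return apply_acl(work, n, addr);
}

int main(void)
{
    const uint32_t probes[] = { IP(192, 168, 1, 10), IP(203, 0, 113, 5), IP(10, 1, 2, 3) };
    for (size_t i = 0; i < 3; i++)
        printf("%08x plain=%d inverted=%d\n", (unsigned)probes[i], check(probes[i], 0), check(probes[i], 1));
    return 0;
}
```

With the inverted profile, the catch-all deny becomes a catch-all permit, so 10.1.2.3 is allowed even though the consumer's own deny=10.0.0.0/8 precedes it.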
