[asterisk-dev] res_pjsip_acl: endpoint specific ACL

Dmitriy Serov serov.d.p at gmail.com
Mon Mar 23 16:29:20 CDT 2015


Hello.
And sorry for my English :)

https://issues.asterisk.org/jira/browse/ASTERISK-24890

I continue to migrate from Asterisk 11 to 13.2 and continue to face 
compatibility problems.
chan_sip has a very good ability to limit registration for a particular 
PEER to a specified set of IP addresses. I have not found such a 
capability in res_pjsip.
ACL offers only a limit on the IP packet or contact, without being tied 
to a particular endpoint. Because registration restrictions by IP are 
needed for only some of the endpoints, with version 13.2 all 
registrations end up unprotected and insecure.
I propose to implement an option to specify the endpoint in the ACL section.

Studying the implementation of res_pjsip_acl and chan_sip, I came to the 
conclusion that it is much easier to add a new named option "acl" in the 
endpoint section.
But what prevents this realization is that the module res_pjsip 
(endpoint) knows nothing about res_pjsip_acl (pjsip ACL).
Using ACLs only from acl.conf is a bad idea, because the ACL sections in 
pjsip.conf were made for something :)

So the only way left is: zero to many ENDPOINTs can be associated with an 
ACL object.
Where should the ACL test code be placed?
- in acl_on_rx_msg (res_pjsip_acl)
- in registrar_on_rx_request (res_pjsip_registrar). Oh, that would be 
the best place, but nothing is known about the ACL there either.

res_pjsip_acl can parse ACLs and register them with the name format 
'endpoint_<endpoint_name>_<acl_name>'. registrar_on_rx_request can then 
test ACLs with names like 'endpoint_<endpoint_name>_%'.
And of course acl_on_rx_msg should ignore ACLs which are bound to 
endpoints.

What do you think about this implementation? Maybe there is a better 
approach?

Dmitriy Serov
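A small model of the scheme proposed in the mail, as an added example that is not part of the original post and not Asterisk code: it simulates the 'endpoint_<endpoint_name>_<acl_name>' naming convention, the global check in acl_on_rx_msg (which skips endpoint-bound ACLs) and the per-endpoint check in registrar_on_rx_request (which applies every ACL whose name starts with 'endpoint_<endpoint_name>_'). The ACL table, the section tuples, the endpoint names and the addresses are constructed for the example; permit/deny rules are plain CIDR strings evaluated in order with last match winning and allow as the default when nothing matches, which is the ordinary acl.conf behaviour but is assumed here rather than taken from Asterisk's own code. Only the packet source address is checked; contact-based ACLs are left out.

```python
"""Model of endpoint-bound ACLs for PJSIP registration (constructed example)."""
import ipaddress

# Name prefix that marks an ACL as bound to one endpoint (from the proposal).
ENDPOINT_PREFIX = "endpoint_"


class Acl:
    """One ACL section: ordered permit/deny rules over CIDR networks."""

    def __init__(self, name, rules):
        self.name = name
        # rules: list of ("permit" | "deny", "a.b.c.d/n"), kept in config order
        self.rules = [(action, ipaddress.ip_network(cidr, strict=False))
                      for action, cidr in rules]

    def allows(self, addr):
        """Last matching rule wins; no match at all means allow (assumed default)."""
        ip = ipaddress.ip_address(addr)
        verdict = True
        for action, net in self.rules:
            if ip.version == net.version and ip in net:
                verdict = (action == "permit")
        return verdict


def endpoint_acl_name(endpoint, acl):
    """Registry name for an ACL bound to an endpoint: endpoint_<endpoint>_<acl>."""
    return f"{ENDPOINT_PREFIX}{endpoint}_{acl}"


def is_endpoint_bound(acl_name):
    """True for ACLs that res_pjsip_acl registered under the endpoint_ prefix."""
    return acl_name.startswith(ENDPOINT_PREFIX)


def build_registry(sections):
    """Stand-in for res_pjsip_acl parsing pjsip.conf.

    sections: list of (acl_name, endpoint_or_None, rules). ACLs with an
    endpoint are registered under the prefixed name, others under their own.
    """
    registry = {}
    for acl_name, endpoint, rules in sections:
        key = endpoint_acl_name(endpoint, acl_name) if endpoint else acl_name
        registry[key] = Acl(key, rules)
    return registry


def global_check(registry, src_ip):
    """Model of acl_on_rx_msg: apply only ACLs that are not bound to an endpoint."""
    for name, acl in registry.items():
        if is_endpoint_bound(name):
            continue  # endpoint-bound ACLs are the registrar's business
        if not acl.allows(src_ip):
            return False
    return True


def registrar_check(registry, endpoint, src_ip):
    """Model of registrar_on_rx_request: apply every ACL named endpoint_<endpoint>_*."""
    prefix = f"{ENDPOINT_PREFIX}{endpoint}_"
    for name, acl in registry.items():
        if name.startswith(prefix) and not acl.allows(src_ip):
            return False
    return True  # endpoints without a bound ACL stay unrestricted, as today


def decide_registration(registry, endpoint, src_ip):
    """Combined decision: global ACLs first, then the endpoint's own ACLs."""
    return global_check(registry, src_ip) and registrar_check(registry, endpoint, src_ip)


# Constructed configuration: one global ACL, one ACL bound to endpoint "1001".
CONSTRUCTED_SECTIONS = [
    ("block_scanner", None, [("deny", "203.0.113.0/24")]),
    ("office_only", "1001", [("deny", "0.0.0.0/0"), ("permit", "192.0.2.0/24")]),
]


if __name__ == "__main__":
    reg = build_registry(CONSTRUCTED_SECTIONS)
    for ep, ip in (("1001", "192.0.2.10"), ("1001", "198.51.100.5"),
                   ("1002", "198.51.100.5"), ("1002", "203.0.113.9")):
        print(ep, ip, "accept" if decide_registration(reg, ep, ip) else "reject")
```

One caveat the prefix lookup makes visible: because the registry name is built by plain concatenation, an endpoint name that itself contains an underscore (say "1001_x") produces ACL names that also start with "endpoint_1001_", so they would be applied to endpoint "1001" as well. Keeping the endpoint binding as a separate field on the ACL object, rather than recovering it from the name, avoids that ambiguity.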
