[asterisk-dev] res_pjsip_acl: endpoint specific ACL

Joshua Colp jcolp at digium.com
Mon Mar 23 19:44:00 CDT 2015


Dmitriy Serov wrote:
> Hello.
> And sorry for my English :)
>
> https://issues.asterisk.org/jira/browse/ASTERISK-24890
>
> I continue to migrate from Asterisk 11 to 13.2 and continue to face
> problems of compatibility.
> chan_sip has a very good ability to limit registration for a particular
> PEER to the specified set of IP addresses. I have not found such an
> opportunity in res_pjsip.
> ACL offers only limit of the IP packet or contact without being tied to
> a particular endpoint. Because registration restrictions by IP require
> only part of endpoints, then using version 13.2 all registrations are
> unprotected, insecure.
> I propose to implement an option to specify the endpoint in ACL section.

I think from a user perspective the nicest way is to just specify a list 
of ACLs on the endpoint itself. Specifying endpoints in the ACLs is 
cumbersome and doesn't feel right. It would also be hard to maintain.

From an implementation perspective it's not hard. Allow ACLs to be
specified on the endpoint. This can be a vector of strings. In 
res_pjsip_acl check the endpoint for ACLs and enforce their 
restrictions. If no ACLs are present on the endpoint enforce the global 
ACLs.

Cheers,

-- 
Joshua Colp
Digium, Inc. | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
Check us out at: www.digium.com & www.asterisk.org
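
The lookup order described in the reply above, as an added example: it is not part of the original message and is not Asterisk or res_pjsip code. The types, `source_permitted`, the ACL names and the rule semantics (last matching rule wins, unknown ACL name fails closed) are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical types for illustration; these are not Asterisk's ACL structures. */
struct rule { int allow; const char *cidr; };
struct named_acl { const char *name; const struct rule *rules; size_t n; };
struct endpoint { const char *id; const char *acls[4]; size_t n_acls; };

/* Constructed sample configuration (documentation address ranges). */
static const struct rule office_rules[] = { {0, "0.0.0.0/0"}, {1, "192.0.2.0/24"} };
static const struct rule global_rules[] = { {0, "203.0.113.0/24"} };
static const struct named_acl acl_table[] = {
    { "office", office_rules, 2 }, { "blocklist", global_rules, 1 } };
static const char *const global_acls[] = { "blocklist" };

/* 1 if the IPv4 address (host byte order) lies inside "a.b.c.d/len". */
static int cidr_match(const char *cidr, uint32_t addr)
{
    char ip[32];
    int bits;
    struct in_addr net;
    if (sscanf(cidr, "%31[^/]/%d", ip, &bits) != 2 || bits < 0 || bits > 32) return 0;
    if (inet_pton(AF_INET, ip, &net) != 1) return 0;
    uint32_t mask = bits ? 0xFFFFFFFFu << (32 - bits) : 0;
    return (addr & mask) == (ntohl(net.s_addr) & mask);
}

/* Assumed semantics: last matching rule wins, no match permits, every listed
 * ACL must permit, and an ACL name missing from the table fails closed. */
int source_permitted(const struct endpoint *ep, const char *src)
{
    struct in_addr a;
    if (inet_pton(AF_INET, src, &a) != 1) return 0;
    /* Endpoint ACLs, when present, are enforced instead of the global ones. */
    const char *const *names = ep->n_acls ? ep->acls : global_acls;
    size_t n = ep->n_acls ? ep->n_acls : sizeof(global_acls) / sizeof(*global_acls);
    for (size_t i = 0; i < n; i++) {
        const struct named_acl *acl = NULL;
        int ok = 1;
        for (size_t t = 0; t < sizeof(acl_table) / sizeof(*acl_table); t++)
            if (strcmp(acl_table[t].name, names[i]) == 0) acl = &acl_table[t];
        if (!acl) return 0;
        for (size_t r = 0; r < acl->n; r++)
            if (cidr_match(acl->rules[r].cidr, ntohl(a.s_addr))) ok = acl->rules[r].allow;
        if (!ok) return 0;
    }
    return 1;
}
```

An endpoint that lists `office` accepts only 192.0.2.0/24, while an endpoint with no ACLs of its own is checked against the global `blocklist` only.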


