[svn-commits] oej: branch oej/deluxepine-1.4 r237134 - in /team/oej/deluxepine-1.4: channel...



Author: oej
Date: Fri Jan  1 10:27:04 2010
New Revision: 237134

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=237134
Log:
Applying NACL in chan_sip, fixing missing stuff while considering the implementation

Modified:
    team/oej/deluxepine-1.4/channels/chan_sip.c
    team/oej/deluxepine-1.4/include/asterisk/nacl.h
    team/oej/deluxepine-1.4/main/nacl.c

Modified: team/oej/deluxepine-1.4/channels/chan_sip.c
URL: http://svnview.digium.com/svn/asterisk/team/oej/deluxepine-1.4/channels/chan_sip.c?view=diff&rev=237134&r1=237133&r2=237134
==============================================================================
--- team/oej/deluxepine-1.4/channels/chan_sip.c (original)
+++ team/oej/deluxepine-1.4/channels/chan_sip.c Fri Jan  1 10:27:04 2010
@@ -127,6 +127,7 @@
 #include "asterisk/rtp.h"
 #include "asterisk/udptl.h"
 #include "asterisk/acl.h"
+#include "asterisk/nacl.h"
 #include "asterisk/manager.h"
 #include "asterisk/callerid.h"
 #include "asterisk/cli.h"
@@ -1115,6 +1116,7 @@
 	int call_limit;			/*!< Limit of concurrent calls */
 	enum transfermodes allowtransfer;	/*! SIP Refer restriction scheme */
 	struct ast_ha *ha;		/*!< ACL setting */
+	struct ast_nacl *nacl;		/*!< NACL setting */
 	struct ast_variable *chanvars;	/*!< Variables to set for channel created by user */
 	int maxcallbitrate;		/*!< Maximum Bitrate for a video call */
 	int autoframing;
@@ -1177,6 +1179,7 @@
 	
 	struct sockaddr_in defaddr;	/*!<  Default IP address, used until registration */
 	struct ast_ha *ha;		/*!<  Access control list */
+	struct ast_nacl *nacl;		/*!<  NACL setting */
 	struct ast_ha *contactha;       /*!<  Restrict what IPs are allowed in the Contact header (for registration) */
 	struct ast_variable *chanvars;	/*!<  Variables to set for channel created by user */
 	struct sip_pvt *mwipvt;		/*!<  Subscription for MWI */
@@ -2612,6 +2615,7 @@
 
 	register_peer_exten(peer, FALSE);
 	ast_free_ha(peer->ha);
+	ast_nacl_detach(peer->nacl);
 	if (ast_test_flag(&peer->flags[1], SIP_PAGE2_SELFDESTRUCT))
 		apeerobjs--;
 	else if (ast_test_flag(&peer->flags[0], SIP_REALTIME))
@@ -2818,6 +2822,7 @@
 	if (option_debug > 2)
 		ast_log(LOG_DEBUG, "Destroying user object from memory: %s\n", user->name);
 	ast_free_ha(user->ha);
+	ast_nacl_detach(user->nacl);
 	if (user->chanvars) {
 		ast_variables_destroy(user->chanvars);
 		user->chanvars = NULL;
@@ -9356,7 +9361,7 @@
 	ast_string_field_set(p, exten, name);
 	build_contact(p);
 	peer = find_peer(name, NULL, 1, 0);
-	if (!(peer && ast_apply_ha(peer->ha, sin))) {
+	if (!(peer && ast_apply_ha(peer->ha, sin) && (peer->nacl ? ast_apply_ha(peer->nacl->acl, sin) : TRUE))) {
 		/* Peer fails ACL check */
 		if (peer) {
 			ASTOBJ_UNREF(peer, sip_destroy_peer);
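Review bot: The rejection branch still logs nothing about which list rejected the registration, and the same compound `ha && (nacl ? … : TRUE)` expression is now duplicated in check_user_full(), so the two call sites will drift. Factor it into one helper, `static int peer_acl_allows(struct sip_peer *peer, struct sockaddr_in *sin) { return ast_apply_ha(peer->ha, sin) && (!peer->nacl || ast_apply_ha(peer->nacl->acl, sin)); }`, and change the condition here to `if (!(peer && peer_acl_allows(peer, sin))) {`. Note that `peer->nacl->acl` may be NULL for a named ACL with no rules (nacl_destroy() guards for that), so if ast_apply_ha() treats an empty list as allow, as plain permit/deny lists do, an empty NACL imposes no restriction at all; a comment stating that is worth adding. The enclosing function starts and ends outside this hunk.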
@@ -10271,6 +10276,12 @@
 			*/
 			peer = find_peer(NULL, &p->recv, 1, 0);
 
+		if (!(peer && ast_apply_ha(peer->ha, sin) && (peer->nacl ? ast_apply_ha(peer->nacl->acl, sin) : TRUE))) {
+			/* Peer fails ACL checks */
+			ASTOBJ_UNREF(peer, sip_destroy_peer);
+			return AUTH_ACL_FAILED;
+		}
+
 		if (peer) {
 			/* Set Frame packetization */
 			if (p->rtp) {
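Review bot: The new check runs ASTOBJ_UNREF() on a NULL `peer`: when find_peer() returns nothing, `!(peer && …)` is true and the macro dereferences the NULL pointer, whereas the identical check in register_verify() guards the unref with `if (peer)`. The surviving `if (peer) {` immediately below also shows that a non-matching peer was a normal outcome here, so returning AUTH_ACL_FAILED for it rejects requests that used to fall through to whatever handles unknown sources (the rest of the function is outside the hunk, so I cannot see that path). Only fail when a peer exists and its lists reject: `if (peer && !(ast_apply_ha(peer->ha, sin) && (!peer->nacl || ast_apply_ha(peer->nacl->acl, sin)))) {`. If a `peer->ha` check already exists further down in this function, it is now evaluated twice and the older one should go.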
@@ -10744,7 +10755,7 @@
 			iterator->addr.sin_addr.s_addr ? ast_inet_ntoa(iterator->addr.sin_addr) : "(Unspecified)",
 			ast_test_flag(&iterator->flags[1], SIP_PAGE2_DYNAMIC) ? " D " : "   ", 	/* Dynamic or not? */
 			ast_test_flag(&iterator->flags[0], SIP_NAT_ROUTE) ? " N " : "   ",	/* NAT=yes? */
-			iterator->ha ? " A " : "   ", 	/* permit/deny */
+			iterator->ha ? (iterator->nacl ? " AN" : " A ") : iterator->nacl ? "  N" : "   ",
 			ntohs(iterator->addr.sin_port), status,
 			realtimepeers ? (ast_test_flag(&iterator->flags[0], SIP_REALTIME) ? "Cached RT":"") : "");
 
@@ -10753,7 +10764,7 @@
 			iterator->addr.sin_addr.s_addr ? ast_inet_ntoa(iterator->addr.sin_addr) : "(Unspecified)",
 			ast_test_flag(&iterator->flags[1], SIP_PAGE2_DYNAMIC) ? " D " : "   ", 	/* Dynamic or not? */
 			ast_test_flag(&iterator->flags[0], SIP_NAT_ROUTE) ? " N " : "   ",	/* NAT=yes? */
-			iterator->ha ? " A " : "   ",       /* permit/deny */
+			iterator->ha ? (iterator->nacl ? " AN" : " A ") : iterator->nacl ? "  N" : "   ",
 			
 			ntohs(iterator->addr.sin_port), status,
 			realtimepeers ? (ast_test_flag(&iterator->flags[0], SIP_REALTIME) ? "Cached RT":"") : "");
@@ -10770,6 +10781,7 @@
 			"Natsupport: %s\r\n"
 			"VideoSupport: %s\r\n"
 			"ACL: %s\r\n"
+			"NACL: %s\r\n"
 			"Status: %s\r\n"
 			"RealtimeDevice: %s\r\n\r\n", 
 			idtext,
@@ -10780,6 +10792,7 @@
 			ast_test_flag(&iterator->flags[0], SIP_NAT_ROUTE) ? "yes" : "no",	/* NAT=yes? */
 			ast_test_flag(&iterator->flags[1], SIP_PAGE2_VIDEOSUPPORT) ? "yes" : "no",	/* VIDEOSUPPORT=yes? */
 			iterator->ha ? "yes" : "no",       /* permit/deny */
+			iterator->nacl ? iterator->nacl->name : "-none-",
 			status,
 			realtimepeers ? (ast_test_flag(&iterator->flags[0], SIP_REALTIME) ? "yes":"no") : "no");
 		}
@@ -11189,6 +11202,7 @@
 		ast_cli(fd, "  Insecure     : %s\n", insecure2str(ast_test_flag(&peer->flags[0], SIP_INSECURE_PORT), ast_test_flag(&peer->flags[0], SIP_INSECURE_INVITE)));
 		ast_cli(fd, "  Nat          : %s\n", nat2str(ast_test_flag(&peer->flags[0], SIP_NAT)));
 		ast_cli(fd, "  ACL          : %s\n", (peer->ha?"Yes":"No"));
+		ast_cli(fd, "  NACL         : %s\n", (peer->nacl == NULL?"<none>" : peer->nacl->name));
 		ast_cli(fd, "  T38 pt UDPTL : %s\n", ast_test_flag(&peer->flags[1], SIP_PAGE2_T38SUPPORT_UDPTL)?"Yes":"No");
 #ifdef WHEN_WE_HAVE_T38_FOR_OTHER_TRANSPORTS
 		ast_cli(fd, "  T38 pt RTP   : %s\n", ast_test_flag(&peer->flags[1], SIP_PAGE2_T38SUPPORT_RTP)?"Yes":"No");
@@ -11278,6 +11292,7 @@
 		astman_append(s, "SIP-AuthInsecure: %s\r\n", insecure2str(ast_test_flag(&peer->flags[0], SIP_INSECURE_PORT), ast_test_flag(&peer->flags[0], SIP_INSECURE_INVITE)));
 		astman_append(s, "SIP-NatSupport: %s\r\n", nat2str(ast_test_flag(&peer->flags[0], SIP_NAT)));
 		astman_append(s, "ACL: %s\r\n", (peer->ha?"Y":"N"));
+		astman_append(s, "NACL: %s\r\n", (peer->nacl == NULL?"" : peer->nacl->name));
 		astman_append(s, "SIP-CanReinvite: %s\r\n", (ast_test_flag(&peer->flags[0], SIP_CAN_REINVITE)?"Y":"N"));
 		astman_append(s, "SIP-PromiscRedir: %s\r\n", (ast_test_flag(&peer->flags[0], SIP_PROMISCREDIR)?"Y":"N"));
 		astman_append(s, "SIP-UserPhone: %s\r\n", (ast_test_flag(&peer->flags[0], SIP_USEREQPHONE)?"Y":"N"));
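Review bot: The manager field prints an empty string for "no NACL", while the SIPpeers manager output in this same commit prints `-none-` and the CLI prints `<none>`, so a manager client cannot tell "no named ACL" from a blank name without knowing which action it called. Pick one sentinel for the two manager outputs, e.g. `astman_append(s, "NACL: %s\r\n", peer->nacl ? peer->nacl->name : "-none-");`. The enclosing handler continues outside this hunk.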
@@ -11364,6 +11379,7 @@
 		print_group(fd, user->pickupgroup, 0);
 		ast_cli(fd, "  Callerid     : %s\n", ast_callerid_merge(cbuf, sizeof(cbuf), user->cid_name, user->cid_num, "<unspecified>"));
 		ast_cli(fd, "  ACL          : %s\n", (user->ha?"Yes":"No"));
+		ast_cli(fd, "  NACL         : %s\n", (user->nacl ? user->nacl->name : ""));
 		ast_cli(fd, "  Codec Order  : (");
 		print_codec_to_cli(fd, &user->prefs);
 		ast_cli(fd, ")\n");
@@ -17716,6 +17732,7 @@
 	ASTOBJ_INIT(user);
 	ast_copy_string(user->name, name, sizeof(user->name));
 	oldha = user->ha;
+	ast_nacl_detach(user->nacl);
 	user->ha = NULL;
 	ast_copy_flags(&user->flags[0], &global_flags[0], SIP_FLAGS_TO_COPY);
 	ast_copy_flags(&user->flags[1], &global_flags[1], SIP_PAGE2_FLAGS_TO_COPY);
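Review bot: After `ast_nacl_detach(user->nacl);` the field is left holding the detached pointer, unlike `user->ha` which is cleared on the next line; if the new configuration has no `nacl=` entry the stale pointer is detached again in sip_destroy_user(). Add `user->nacl = NULL;` right after the detach. If build_user() always works on a freshly calloc'd object, as the ASTOBJ_INIT() above suggests, the detach is a no-op today, but clearing the field keeps the code correct when that changes. The function body continues outside this hunk.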
@@ -17747,6 +17764,8 @@
 					user->chanvars = tmpvar;
 				}
 			}
+		} else if (!strcasecmp(v->name, "nacl")) {
+			user->nacl = ast_nacl_attach(v->value);
 		} else if (!strcasecmp(v->name, "permit") ||
 				   !strcasecmp(v->name, "deny")) {
 			user->ha = ast_append_ha(v->name, v->value, user->ha);
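Review bot: A mistyped `nacl=` name fails open: ast_nacl_attach() returns NULL for an unknown name without logging (its hunk below shows the bare `return NULL`), the field stays NULL, and the ACL check treats a NULL nacl as "allow", so the user ends up with no restriction and nothing in the log. A second `nacl=` line also overwrites the first reference without releasing it. Suggest `ast_nacl_detach(user->nacl);` before the assignment and `if (!(user->nacl = ast_nacl_attach(v->value))) ast_log(LOG_WARNING, "Unknown named ACL '%s' for user '%s'\n", v->value, user->name);` after it; rejecting the entry outright, as the surrounding code does for other bad values, would be the stricter choice.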
@@ -17943,6 +17962,7 @@
 	/* If we have realm authentication information, remove them (reload) */
 	clear_realm_authentication(peer->auth);
 	peer->auth = NULL;
+	ast_nacl_detach(peer->nacl);
 
 	for (; v || ((v = alt) && !(alt=NULL)); v = v->next) {
 		if (!devstate_only) {
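Review bot: `ast_nacl_detach(peer->nacl);` drops the reference but leaves `peer->nacl` pointing at the object, whereas the `peer->auth = NULL` just above shows the intended pattern. If build_peer() reuses an existing peer on reload, which that pattern suggests, and the reloaded section no longer has a `nacl=` line, the peer keeps a pointer to an object whose reference it no longer holds: the ACL checks then dereference `peer->nacl->acl` on a possibly freed object, and sip_destroy_peer() detaches it a second time. Add `peer->nacl = NULL;` directly after the detach. The function body starts and ends outside this hunk.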
@@ -18044,6 +18064,8 @@
 					ASTOBJ_UNREF(peer, sip_destroy_peer);
 					return NULL;
 				}
+			} else if (!strcasecmp(v->name, "nacl")) {
+				peer->nacl = ast_nacl_attach(v->value);
 			} else if (!strcasecmp(v->name, "permit") || !strcasecmp(v->name, "deny")) {
 				peer->ha = ast_append_ha(v->name, v->value, peer->ha);
 			} else if (!strcasecmp(v->name, "contactpermit") || !strcasecmp(v->name, "contactdeny")) {
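Review bot: An unknown `nacl=` value silently leaves the peer unrestricted, since ast_nacl_attach() returns NULL without a log message and a NULL nacl is treated as "allow" by the new checks; for an access-control option that is the wrong failure mode. A repeated `nacl=` line also leaks the earlier reference. Suggest `ast_nacl_detach(peer->nacl);` before the assignment and `if (!(peer->nacl = ast_nacl_attach(v->value))) ast_log(LOG_WARNING, "Unknown named ACL '%s' for peer '%s'\n", v->value, peer->name);`, or unref the peer and `return NULL` as the branch just above does for other invalid settings. The enclosing loop and function continue outside this hunk.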

Modified: team/oej/deluxepine-1.4/include/asterisk/nacl.h
URL: http://svnview.digium.com/svn/asterisk/team/oej/deluxepine-1.4/include/asterisk/nacl.h?view=diff&rev=237134&r1=237133&r2=237134
==============================================================================
--- team/oej/deluxepine-1.4/include/asterisk/nacl.h (original)
+++ team/oej/deluxepine-1.4/include/asterisk/nacl.h Fri Jan  1 10:27:04 2010
@@ -27,20 +27,29 @@
  */
 
 /*! \brief Structure for named ACL */
-struct named_acl; 
+/*! \brief Structure for named ACL */
+struct ast_nacl {
+	char name[MAXHOSTNAMELEN];		/*!< Name of this ACL */
+	struct ast_ha *acl;			/*!< The actual ACL */
+	int rules;				/*!< Number of ACL rules */
+	int delete;				/*!< Mark this object for deletion */
+	int manipulated;			/*!< Manipulated by CLI or manager */
+	char owner[20];				/*!< Owner (module) */
+	char desc[80];				/*!< Description */
+};
 
 /*! \brief Add named ACL to list (done from configuration file or module) */
-struct named_acl *ast_nacl_add(const char *name, const char *owner);
+struct ast_nacl *ast_nacl_add(const char *name, const char *owner);
 
 /*! \brief Find a named ACL 
 	if deleted is true, we will find deleted items too
 	if owner is NULL, we'll find all otherwise owner is used for selection too
 */
-struct named_acl *ast_nacl_find_all(const char *name, const int deleted, const char *owner);
+struct ast_nacl *ast_nacl_find_all(const char *name, const int deleted, const char *owner);
 
 /*! \brief Find a named ACL (that is not marked with the delete flag) 
  */
-struct named_acl *ast_nacl_find(const char *name);
+struct ast_nacl *ast_nacl_find(const char *name);
 
 /*! \brief Mark all the owned NACLs
 */
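Review bot: Moving `struct ast_nacl` into the public header lets chan_sip read `nacl->acl` directly, with no locking, while nacl_update() and the manager action in nacl.c can replace that list at runtime; whether those writers take the ao2 lock is outside this hunk, but a reader holding a bare pointer is not protected either way. Prefer keeping the struct opaque and exporting an accessor, `int ast_nacl_apply(struct ast_nacl *nacl, struct sockaddr_in *sin);`, that locks the object around ast_apply_ha(), with `const char *ast_nacl_name(const struct ast_nacl *nacl);` for the CLI/manager output. The `\brief Structure for named ACL` line is also duplicated, and the header now needs `struct ast_ha;` forward-declared (or acl.h included) and a definition of MAXHOSTNAMELEN unless its includes, outside the hunk, already provide them.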
@@ -50,12 +59,12 @@
 	This is to avoid Named ACLs to disappear from runtime. Even if they are deleted from the
 	configuration, they will still be around thanks to ASTOBJs
  */
-struct named_acl *ast_nacl_attach(const char *name);
+struct ast_nacl *ast_nacl_attach(const char *name);
 
 /*! \brief Detach from a named ACL. 
 	If it's marked for deletion and refcount is zero, then it's deleted
  */
-void ast_nacl_detach(struct named_acl *nacl);
+void ast_nacl_detach(struct ast_nacl *nacl);
 
 /*! \brief Initialize NACL subsystem */
 int ast_nacl_load(void);

Modified: team/oej/deluxepine-1.4/main/nacl.c
URL: http://svnview.digium.com/svn/asterisk/team/oej/deluxepine-1.4/main/nacl.c?view=diff&rev=237134&r1=237133&r2=237134
==============================================================================
--- team/oej/deluxepine-1.4/main/nacl.c (original)
+++ team/oej/deluxepine-1.4/main/nacl.c Fri Jan  1 10:27:04 2010
@@ -55,16 +55,6 @@
 #define NACL_LOAD	1
 #define NACL_RELOAD	2
 
-/*! \brief Structure for named ACL */
-struct named_acl {
-	char name[MAXHOSTNAMELEN];		/*!< Name of this ACL */
-	struct ast_ha *acl;			/*!< The actual ACL */
-	int rules;				/*!< Number of ACL rules */
-	int delete;				/*!< Mark this object for deletion */
-	int manipulated;			/*!< Manipulated by CLI or manager */
-	char owner[20];				/*!< Owner (module) */
-	char desc[80];				/*!< Description */
-};
 
 enum nacl_ops {
 	NACL_ADD,
@@ -140,7 +130,7 @@
 */
 static void nacl_destroy(void *obj)
 {
-	struct named_acl *nacl = obj;
+	struct ast_nacl *nacl = obj;
 	if (option_debug > 2)
 		ast_log(LOG_DEBUG, "--- Destruction of NACL %s is NOW. Please have a safe distance.\n", nacl->name);
 	if (nacl->acl)
@@ -152,16 +142,16 @@
 	Internal ACLs, created by Asterisk modules, should use a name that
 	begins with "ast_". These are prevented from configuration in nacl.conf
  */
-struct named_acl *ast_nacl_add(const char *name, const char *owner)
-{
-	struct named_acl *nacl;
+struct ast_nacl *ast_nacl_add(const char *name, const char *owner)
+{
+	struct ast_nacl *nacl;
 	
 	if (ast_strlen_zero(name)) {
 		ast_log(LOG_WARNING, "Zero length name.\n");
 		return NULL;
 	}
 
-	nacl = ao2_alloc(sizeof(struct named_acl), nacl_destroy);
+	nacl = ao2_alloc(sizeof(struct ast_nacl), nacl_destroy);
 
 	ast_copy_string(nacl->name, name, sizeof(nacl->name));
 	ast_copy_string(nacl->owner, owner, sizeof(nacl->owner));
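Review bot: The ao2_alloc() result is used without a NULL check, so an allocation failure crashes on the first ast_copy_string(); the rename hunk touches exactly this line and is a good place to fix it. Add `if (!nacl) { ast_log(LOG_ERROR, "Out of memory allocating NACL '%s'\n", name); return NULL; }` before the copies. ast_copy_string() into `owner` also presumes `owner` is non-NULL, which the header does not promise for this function; either document that or guard it with `S_OR(owner, "")`. The function body continues outside this hunk.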
@@ -189,7 +179,7 @@
 /*! \brief ao2 function to create unique hash of object */
 static int nacl_hash_fn(const void *obj, const int flags)
 {
-	const struct named_acl *nacl = obj;
+	const struct ast_nacl *nacl = obj;
 	int ret = 0, i;
 
 	for (i = 0; i < strlen(nacl->name) && nacl->name[i]; i++)
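Review bot: The loop condition calls strlen() on every iteration and then tests `nacl->name[i]` as well, which is the same condition twice; `for (i = 0; nacl->name[i]; i++)` is equivalent and O(n). `i` is an `int` compared against a `size_t`, which `-Wsign-compare` will flag. The function body continues outside this hunk.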
@@ -200,7 +190,7 @@
 /*! \brief ao2 function to compare objects */
 static int nacl_cmp_fn(void *obj1, void *obj2, int flags)
 {
-	struct named_acl *nacl1 = obj1, *nacl2 = obj2;
+	struct ast_nacl *nacl1 = obj1, *nacl2 = obj2;
 	return strcmp(nacl1->name, nacl2->name) ? 0 : CMP_MATCH | CMP_STOP;
 }
 
@@ -210,11 +200,11 @@
 	if owner is NULL, we'll find all otherwise owner is used for selection too
 	We raise the refcount on the result, which the calling function need to deref.
 */
-struct named_acl *ast_nacl_find_all(const char *name, const int deleted, const char *owner)
-{
-	struct named_acl *found = NULL;
+struct ast_nacl *ast_nacl_find_all(const char *name, const int deleted, const char *owner)
+{
+	struct ast_nacl *found = NULL;
 	struct ao2_iterator i;
-	struct named_acl *nacl = NULL;
+	struct ast_nacl *nacl = NULL;
 
 	i = ao2_iterator_init(nacl_list, 0);
 
@@ -246,7 +236,7 @@
 
 /*! \brief Find a named ACL 
 */
-struct named_acl *ast_nacl_find(const char *name)
+struct ast_nacl *ast_nacl_find(const char *name)
 {
 	return ast_nacl_find_all(name, 0, NULL);
 }
@@ -258,7 +248,7 @@
 {
 	int pruned = 0;
 	struct ao2_iterator i;
-	struct named_acl *nacl = NULL;
+	struct ast_nacl *nacl = NULL;
 
 	i = ao2_iterator_init(nacl_list, 0);
 
@@ -282,9 +272,13 @@
 	\note Deleted NACLs won't be found any more with this function, to avoid adding to the use
 		of these ACLs
  */
-struct named_acl *ast_nacl_attach(const char *name)
-{
-	struct named_acl *nacl = ast_nacl_find(name);
+struct ast_nacl *ast_nacl_attach(const char *name)
+{
+	struct ast_nacl *nacl;
+	if (!name) {
+		return NULL;
+	}
+	nacl = ast_nacl_find(name);
 	if (!nacl) {
 		return NULL;
 	}
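Review bot: The new guard rejects only a NULL name, while ast_nacl_add() uses ast_strlen_zero(); an empty `nacl=` in a config arrives here as `""` and goes through a full list scan only to return NULL. Use `if (ast_strlen_zero(name)) { return NULL; }` for consistency. The header comment should also state the ownership rule that ast_nacl_find_all() documents: the returned pointer carries a reference the caller must release with ast_nacl_detach(). The function body continues outside this hunk.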
@@ -294,7 +288,7 @@
 /*! \brief Detach from a named ACL. 
 	If it's marked for deletion and refcount is zero, then it's deleted
  */
-void ast_nacl_detach(struct named_acl *nacl)
+void ast_nacl_detach(struct ast_nacl *nacl)
 {
 	if (!nacl) {
 		return; /* What's up, doc? */
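Review bot: Because the pointer is passed by value, detach cannot clear the caller's field, and a caller that keeps the old value (chan_sip's build_peer() in this commit does) will detach it twice or dereference it after the object is gone. Add to the brief: `\note The caller's copy of the pointer is not reset; set it to NULL after detaching.` The function body continues outside this hunk.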
@@ -307,7 +301,7 @@
 {
 	int pruned = 0;
 	struct ao2_iterator i;
-	struct named_acl *nacl = NULL;
+	struct ast_nacl *nacl = NULL;
 
 	i = ao2_iterator_init(nacl_list, 0);
 
@@ -420,7 +414,7 @@
 #define FORMAT2 "%-40.40s %-20.20s %-5.5s %-5.5s %7s\n"
 
 	struct ao2_iterator i;
-	struct named_acl *nacl;
+	struct ast_nacl *nacl;
 
 	i = ao2_iterator_init(nacl_list, 0);
 
@@ -444,7 +438,7 @@
 /*! \brief Update NACL (or create it if it doesn't exist) */
 static int nacl_update(int fd, const char *command, const char *name, int rule, char *operation, const char *target, const char *owner)
 {
-	struct named_acl *nacl;
+	struct ast_nacl *nacl;
 	struct ast_ha *newha = NULL;
 	int insert = !strcasecmp(command, "add");
 
@@ -581,7 +575,7 @@
         const char *id = astman_get_header(m,"ActionID");
 	enum nacl_ops n_op;
 	enum rule_ops r_op = HA_UNKNOWN;
-	struct named_acl *nacl;
+	struct ast_nacl *nacl;
 	struct ast_ha *newha = NULL;
 
         char idText[256] = "";
@@ -664,7 +658,7 @@
 	struct ast_config *cfg;
 	struct ast_variable *v;
 	char *cat = NULL;
-	struct named_acl *nacl = NULL;
+	struct ast_nacl *nacl = NULL;
 	int marked = 0;
 
 



