[svn-commits] mmichelson: branch mmichelson/acl-v6 r277259 - in /team/mmichelson/acl-v6: co...

SVN commits to the Digium repositories svn-commits at lists.digium.com
Fri Jul 16 12:47:04 CDT 2010


Author: mmichelson
Date: Fri Jul 16 12:47:01 2010
New Revision: 277259

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=277259
Log:
Address Review Board comments from Simon and Olle.


Modified:
    team/mmichelson/acl-v6/configs/sip.conf.sample
    team/mmichelson/acl-v6/include/asterisk/acl.h
    team/mmichelson/acl-v6/main/acl.c

Modified: team/mmichelson/acl-v6/configs/sip.conf.sample
URL: http://svnview.digium.com/svn/asterisk/team/mmichelson/acl-v6/configs/sip.conf.sample?view=diff&rev=277259&r1=277258&r2=277259
==============================================================================
--- team/mmichelson/acl-v6/configs/sip.conf.sample (original)
+++ team/mmichelson/acl-v6/configs/sip.conf.sample Fri Jul 16 12:47:01 2010
@@ -1238,6 +1238,9 @@
 ;deny=0.0.0.0/0.0.0.0            ; ACL: Control access to this account based on IP address
 ;permit=192.168.0.60/255.255.255.0
 ;permit=192.168.0.60/24          ; we can also use CIDR notation for subnet masks
+;permit=fe80::/16                ; IPv6 ACLs can be specified if desired. IPv6 ACLs
+                                 ; apply only to IPv6 addresses, and IPv4 ACLs apply
+                                 ; only to IPv4 addresses.
 
 ;[cisco1]
 ;type=friend
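Review bot: The added comment should spell out what family-specific matching means for the catch-all `deny=0.0.0.0/0.0.0.0` a few lines above: if IPv4 rules are skipped for IPv6 sources, that line no longer blocks an IPv6 peer. ast_apply_ha in main/acl.c starts from AST_SENSE_ALLOW, so an account with only IPv4 rules would presumably accept any native IPv6 address. The branch that skips mismatched families is outside the visible hunks, so this needs confirming. I would extend the comment with something like `; NOTE: an IPv4 deny-all does not cover IPv6 peers; add an IPv6 deny rule as well.` The example prefix fe80::/16 is also narrower than the link-local range, which is fe80::/10.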

Modified: team/mmichelson/acl-v6/include/asterisk/acl.h
URL: http://svnview.digium.com/svn/asterisk/team/mmichelson/acl-v6/include/asterisk/acl.h?view=diff&rev=277259&r1=277258&r2=277259
==============================================================================
--- team/mmichelson/acl-v6/include/asterisk/acl.h (original)
+++ team/mmichelson/acl-v6/include/asterisk/acl.h Fri Jul 16 12:47:01 2010
@@ -51,7 +51,6 @@
 	struct ast_sockaddr netmask;
 	int sense;
 	struct ast_ha *next;
-	unsigned char is_ipv4;
 };
 
 /*!
@@ -116,7 +115,7 @@
  * \retval AST_SENSE_ALLOW The IP address passes our ACL
  * \retval AST_SENSE_DENY The IP address fails our ACL
  */
-int ast_apply_ha(struct ast_ha *ha, struct ast_sockaddr *addr);
+int ast_apply_ha(const struct ast_ha *ha, const struct ast_sockaddr *addr);
 
 /*!
  * \brief Get the IP address given a hostname

Modified: team/mmichelson/acl-v6/main/acl.c
URL: http://svnview.digium.com/svn/asterisk/team/mmichelson/acl-v6/main/acl.c?view=diff&rev=277259&r1=277258&r2=277259
==============================================================================
--- team/mmichelson/acl-v6/main/acl.c (original)
+++ team/mmichelson/acl-v6/main/acl.c Fri Jul 16 12:47:01 2010
@@ -294,11 +294,14 @@
  * \param addr The IP address to apply the mask to.
  * \param netmask The netmask configured in the host access rule.
  * \param result The resultant address after applying the netmask to the given address
- * \retval void
+ * \retval 0 Successfully applied netmask
+ * \reval -1 Failed to apply netmask
  */
-static void apply_netmask(struct ast_sockaddr *addr, struct ast_sockaddr *netmask,
+static int apply_netmask(const struct ast_sockaddr *addr, const struct ast_sockaddr *netmask,
 		struct ast_sockaddr *result)
 {
+	int res = 0;
+
 	if (ast_sockaddr_is_ipv4(addr)) {
 		struct sockaddr_in result4 = { 0, };
 		struct sockaddr_in *addr4 = (struct sockaddr_in *) &addr->ss;
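Review bot: The new doc line `\reval -1 Failed to apply netmask` misspells the Doxygen command, so the failure value will not be rendered; it should read ` * \retval -1 Failed to apply netmask`. The comment should also say that `result` is left unmodified when -1 is returned, because the new else branch sets only `res` and ast_apply_ha passes an uninitialized stack struct as `result`. The function body continues past this hunk.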
@@ -306,7 +309,7 @@
 		result4.sin_family = AF_INET;
 		result4.sin_addr.s_addr = addr4->sin_addr.s_addr & mask4->sin_addr.s_addr;
 		ast_sockaddr_from_sin(result, &result4);
-	} else {
+	} else if (ast_sockaddr_is_ipv6(addr)) {
 		struct sockaddr_in6 result6 = { 0, };
 		struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *) &addr->ss;
 		struct sockaddr_in6 *mask6 = (struct sockaddr_in6 *) &netmask->ss;
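Review bot: The branch is chosen from `addr` alone, yet `netmask->ss` is cast to the same family on the line declaring `mask6` (and presumably for `mask4` in the IPv4 branch, which is outside the hunk). If a mask of the other family ever reaches this function, the AND reads unrelated bytes of the storage and the rule is compared against a meaningless network. Now that the function can report failure, the test could cover both arguments: `} else if (ast_sockaddr_is_ipv6(addr) && ast_sockaddr_is_ipv6(netmask)) {`, with the matching check on the IPv4 branch. The callers in this diff may already guarantee matching families, so treat this as a defensive check.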
@@ -317,7 +320,12 @@
 		}
 		memcpy(&result->ss, &result6, sizeof(result6));
 		result->len = sizeof(result6);
-	}
+	} else {
+		/* Unsupported address scheme */
+		res = -1;
+	}
+
+	return res;
 }
 
 /*!
@@ -459,10 +467,19 @@
 		return ret;
 	}
 
-	apply_netmask(&ha->addr, &ha->netmask, &ha->addr);
+	if (apply_netmask(&ha->addr, &ha->netmask, &ha->addr)) {
+		/* This shouldn't happen because ast_sockaddr_parse would
+		 * have failed much earlier on an unsupported address scheme
+		 */
+		char *failmask = ast_strdupa(ast_sockaddr_stringify(&ha->netmask));
+		char *failaddr = ast_strdupa(ast_sockaddr_stringify(&ha->addr));
+		ast_log(LOG_WARNING, "Unable to apply netmask %s to address %s\n", failmask, failaddr);
+		ast_free_ha(ha);
+		*error = 1;
+		return ret;
+	}
 
 	ha->sense = strncasecmp(sense, "p", 1) ? AST_SENSE_DENY : AST_SENSE_ALLOW;
-	ha->is_ipv4 = addr_is_v4;
 
 	ha->next = NULL;
 	if (prev) {
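Review bot: `ast_free_ha(ha)` on the new failure path runs before `ha->next = NULL;`, which is only assigned further down in this hunk. If ast_free_ha follows the `next` chain, that is safe only when the node was zero-allocated. The allocation is above this hunk, so confirm it, or move `ha->next = NULL;` up to just after the allocation. A short comment on this path noting that the rule is dropped and that callers must check `*error` would also help, since the list is returned without the entry.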
@@ -476,16 +493,16 @@
 	return ret;
 }
 
-int ast_apply_ha(struct ast_ha *ha, struct ast_sockaddr *addr)
+int ast_apply_ha(const struct ast_ha *ha, const struct ast_sockaddr *addr)
 {
 	/* Start optimistic */
 	int res = AST_SENSE_ALLOW;
-	struct ast_ha *current_ha;
+	const struct ast_ha *current_ha;
 
 	for (current_ha = ha; current_ha; current_ha = current_ha->next) {
 		struct ast_sockaddr result;
 		struct ast_sockaddr mapped_addr;
-		struct ast_sockaddr *addr_to_use;
+		const struct ast_sockaddr *addr_to_use;
 #if 0	/* debugging code */
 		char iabuf[INET_ADDRSTRLEN];
 		char iabuf2[INET_ADDRSTRLEN];
@@ -494,7 +511,7 @@
 		ast_copy_string(iabuf2, ast_inet_ntoa(ha->netaddr), sizeof(iabuf2));
 		ast_debug(1, "##### Testing %s with %s\n", iabuf, iabuf2);
 #endif
-		if (current_ha->is_ipv4) {
+		if (ast_sockaddr_is_ipv4(&ha->addr)) {
 			if (ast_sockaddr_is_ipv6(addr)) {
 				if (ast_sockaddr_is_ipv4_mapped(addr)) {
 					/* IPv4 ACLs apply to IPv4-mapped addresses */
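Review bot: The new test reads the list head, `&ha->addr`, where the removed line used the loop variable `current_ha`. Every rule in the chain is therefore classified by the address family of the first rule. A list mixing IPv4 and IPv6 entries would send later rules through the wrong branch and may skip or mis-evaluate a deny. It should be `if (ast_sockaddr_is_ipv4(&current_ha->addr)) {`. The rest of the loop body lies outside this hunk.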
@@ -519,7 +536,10 @@
 
 		/* For each rule, if this address and the netmask = the net address
 		   apply the current rule */
-		apply_netmask(addr_to_use, &current_ha->netmask, &result);
+		if (apply_netmask(addr_to_use, &current_ha->netmask, &result)) {
+			/* Unlikely to happen since we know the address to be IPv4 or IPv6 */
+			continue;
+		}
 		if (!ast_sockaddr_cmp_addr(&result, &current_ha->addr)) {
 			res = current_ha->sense;
 		}
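Review bot: The added `continue` drops the rule without any trace, and because `res` starts as AST_SENSE_ALLOW, a skipped deny rule leaves the address permitted. Even if the path is unlikely, an ACL check should fail loudly: log it, e.g. `ast_log(LOG_WARNING, "Skipping ACL rule: unable to apply netmask\n");`, and consider whether returning AST_SENSE_DENY is the safer outcome. The loop and function continue outside this hunk.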



