[Asterisk-code-review] ACL: ast_apply_acl_nolog - identical to ast_apply_acl but without log... (asterisk[13])

Jaco Kroon asteriskteam at digium.com
Thu Dec 5 10:06:00 CST 2019


Jaco Kroon has uploaded this change for review. ( https://gerrit.asterisk.org/c/asterisk/+/13370 )


Change subject: ACL: ast_apply_acl_nolog - identical to ast_apply_acl but without logging.
......................................................................

ACL: ast_apply_acl_nolog - identical to ast_apply_acl but without logging.

Due to use in res_rtp_asterisk there is a need to be able to apply an
ACL without logging any invalid/denies.  It's probably sensible to at
least validate the ACL once directly after load and report invalid ACLs.

Change-Id: I256169229d945ca7c1bbf228fc492d91df345843
Signed-off-by: Jaco Kroon <jaco at uls.co.za>
---
M include/asterisk/acl.h
M main/acl.c
2 files changed, 34 insertions(+), 5 deletions(-)



  git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/70/13370/1

diff --git a/include/asterisk/acl.h b/include/asterisk/acl.h
index bda1c76..b8a4f72 100644
--- a/include/asterisk/acl.h
+++ b/include/asterisk/acl.h
@@ -213,6 +213,20 @@
 enum ast_acl_sense ast_apply_acl(struct ast_acl_list *acl_list, const struct ast_sockaddr *addr, const char *purpose);
 
 /*!
+ * \brief Apply a set of rules to a given IP address, don't log failure.
+ *
+ * \details
+ * Exactly like ast_apply_acl, except that it will never log anything.
+ *
+ * \param acl_list The head of the list of ACLs to evaluate
+ * \param addr An ast_sockaddr whose address is considered when matching rules
+ *
+ * \retval AST_SENSE_ALLOW The IP address passes our ACLs
+ * \retval AST_SENSE_DENY The IP address fails our ACLs
+ */
+enum ast_acl_sense ast_apply_acl_nolog(struct ast_acl_list *acl_list, const struct ast_sockaddr *addr);
+
+/*!
  * \brief Get the IP address given a hostname
  *
  * \details
diff --git a/main/acl.c b/main/acl.c
index 1d628e6..5028587 100644
--- a/main/acl.c
+++ b/main/acl.c
@@ -725,7 +725,7 @@
 	}
 }
 
-enum ast_acl_sense ast_apply_acl(struct ast_acl_list *acl_list, const struct ast_sockaddr *addr, const char *purpose)
+static enum ast_acl_sense ast_apply_acl_internal(struct ast_acl_list *acl_list, const struct ast_sockaddr *addr, const char *log_prefix)
 {
 	struct ast_acl *acl;
 
@@ -739,16 +739,22 @@
 	AST_LIST_TRAVERSE(acl_list, acl, list) {
 		if (acl->is_invalid) {
 			/* In this case, the baseline ACL shouldn't ever trigger this, but if that somehow happens, it'll still be shown. */
-			ast_log(LOG_WARNING, "%sRejecting '%s' due to use of an invalid ACL '%s'.\n", purpose ? purpose : "", ast_sockaddr_stringify_addr(addr),
-					ast_strlen_zero(acl->name) ? "(BASELINE)" : acl->name);
+			if (log_prefix) {
+				ast_log(LOG_WARNING, "%sRejecting '%s' due to use of an invalid ACL '%s'.\n",
+						log_prefix, ast_sockaddr_stringify_addr(addr),
+						ast_strlen_zero(acl->name) ? "(BASELINE)" : acl->name);
+			}
 			AST_LIST_UNLOCK(acl_list);
 			return AST_SENSE_DENY;
 		}
 
 		if (acl->acl) {
 			if (ast_apply_ha(acl->acl, addr) == AST_SENSE_DENY) {
-				ast_log(LOG_NOTICE, "%sRejecting '%s' due to a failure to pass ACL '%s'\n", purpose ? purpose : "", ast_sockaddr_stringify_addr(addr),
-						ast_strlen_zero(acl->name) ? "(BASELINE)" : acl->name);
+				if (log_prefix) {
+					ast_log(LOG_NOTICE, "%sRejecting '%s' due to a failure to pass ACL '%s'\n",
+							log_prefix, ast_sockaddr_stringify_addr(addr),
+							ast_strlen_zero(acl->name) ? "(BASELINE)" : acl->name);
+				}
 				AST_LIST_UNLOCK(acl_list);
 				return AST_SENSE_DENY;
 			}
@@ -760,6 +766,15 @@
 	return AST_SENSE_ALLOW;
 }
 
+
+enum ast_acl_sense ast_apply_acl(struct ast_acl_list *acl_list, const struct ast_sockaddr *addr, const char *purpose) {
+	return ast_apply_acl_internal(acl_list, addr, purpose ?: "");
+}
+
+enum ast_acl_sense ast_apply_acl_nolog(struct ast_acl_list *acl_list, const struct ast_sockaddr *addr) {
+	return ast_apply_acl_internal(acl_list, addr, NULL);
+}
+
 enum ast_acl_sense ast_apply_ha(const struct ast_ha *ha, const struct ast_sockaddr *addr)
 {
 	/* Start optimistic */

-- 
To view, visit https://gerrit.asterisk.org/c/asterisk/+/13370
To unsubscribe, or for help writing mail filters, visit https://gerrit.asterisk.org/settings

Gerrit-Project: asterisk
Gerrit-Branch: 13
Gerrit-Change-Id: I256169229d945ca7c1bbf228fc492d91df345843
Gerrit-Change-Number: 13370
Gerrit-PatchSet: 1
Gerrit-Owner: Jaco Kroon <jaco at uls.co.za>
Gerrit-MessageType: newchange
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-code-review/attachments/20191205/37239c56/attachment-0001.html>


More information about the asterisk-code-review mailing list