<p>George Joseph <strong>submitted</strong> this change.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/13974">View Change</a></p><div style="white-space:pre-wrap">Approvals:
George Joseph: Looks good to me, approved; Approved for Submit
</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">res_rtp_asterisk: implement ACL mechanism for ICE and STUN addresses.<br><br>A pure blacklist is not good enough, we need a whitelist mechanism as<br>well, and the simplest way to do that is to re-use existing ACL<br>infrastructure.<br><br>This makes it simpler to blacklist say an entire block (/24) except a<br>smaller block (eg, a /29 or even a /32). Normally you'd need to<br>recursively split the block, so if you want to blacklist a /24 except<br>for a /29 you'd end up with a blacklit for a /25, /26, /27 and /28. I<br>feel that having an ACL instead of a blacklist only is clearer.<br><br>Change-Id: Id57a8df51fcfd3bd85ea67c489c85c6c3ecd7b30<br>Signed-off-by: Jaco Kroon <jaco@uls.co.za><br>---<br>M configs/samples/rtp.conf.sample<br>A doc/CHANGES-staging/res_rtp_asterisk_cli.txt<br>M res/res_rtp_asterisk.c<br>3 files changed, 127 insertions(+), 103 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/configs/samples/rtp.conf.sample b/configs/samples/rtp.conf.sample</span><br><span>index a94707e..f002449 100644</span><br><span>--- a/configs/samples/rtp.conf.sample</span><br><span>+++ b/configs/samples/rtp.conf.sample</span><br><span>@@ -69,12 +69,14 @@</span><br><span> ; the wildcard 0.0.0.0 address. e.g., A PJSIP endpoint binding RTP to a</span><br><span> ; specific address using the bind_rtp_to_media_address and media_address</span><br><span> ; options. Or the PJSIP endpoint specifies an explicit transport that binds</span><br><span style="color: hsl(0, 100%, 40%);">-; to a specific IP address.</span><br><span style="color: hsl(120, 100%, 40%);">+; to a specific IP address. Blacklisting is done via ACL infrastructure</span><br><span style="color: hsl(120, 100%, 40%);">+; so it's possible to whitelist as well.</span><br><span> ;</span><br><span style="color: hsl(0, 100%, 40%);">-; e.g. stun_blacklist = 192.168.1.0/255.255.255.0</span><br><span style="color: hsl(0, 100%, 40%);">-; stun_blacklist = 10.32.77.0/255.255.255.0</span><br><span style="color: hsl(120, 100%, 40%);">+; stun_acl = named_acl</span><br><span style="color: hsl(120, 100%, 40%);">+; stun_deny = 0.0.0.0/0</span><br><span style="color: hsl(120, 100%, 40%);">+; stun_permit = 1.2.3.4/32</span><br><span> ;</span><br><span style="color: hsl(0, 100%, 40%);">-; stun_blacklist =</span><br><span style="color: hsl(120, 100%, 40%);">+; For historic reasons stun_blacklist is an alias for stun_deny.</span><br><span> ;</span><br><span> ; Hostname or address for the TURN server to be used as a relay. The port</span><br><span> ; number is optional. If omitted the default value of 3478 will be used.</span><br><span>@@ -90,17 +92,19 @@</span><br><span> ; Password used to authenticate with TURN relay server.</span><br><span> ; turnpassword=</span><br><span> ;</span><br><span style="color: hsl(0, 100%, 40%);">-; Subnets to exclude from ICE host, srflx and relay discovery. This is useful</span><br><span style="color: hsl(0, 100%, 40%);">-; to optimize the ICE process where a system has multiple host address ranges</span><br><span style="color: hsl(0, 100%, 40%);">-; and/or physical interfaces and certain of them are not expected to be used</span><br><span style="color: hsl(0, 100%, 40%);">-; for RTP. For example, VPNs and local interconnections may not be suitable or</span><br><span style="color: hsl(0, 100%, 40%);">-; necessary for ICE. Multiple subnets may be listed. If left unconfigured,</span><br><span style="color: hsl(0, 100%, 40%);">-; all discovered host addresses are used.</span><br><span style="color: hsl(120, 100%, 40%);">+; An ACL can be used to determine which discovered addresses to include for</span><br><span style="color: hsl(120, 100%, 40%);">+; ICE, srflx and relay discovery. This is useful to optimize the ICE process</span><br><span style="color: hsl(120, 100%, 40%);">+; where a system has multiple host address ranges and/or physical interfaces</span><br><span style="color: hsl(120, 100%, 40%);">+; and certain of them are not expected to be used for RTP. For example, VPNs</span><br><span style="color: hsl(120, 100%, 40%);">+; and local interconnections may not be suitable or necessary for ICE. Multiple</span><br><span style="color: hsl(120, 100%, 40%);">+; subnets may be listed. If left unconfigured, all discovered host addresses</span><br><span style="color: hsl(120, 100%, 40%);">+; are used.</span><br><span> ;</span><br><span style="color: hsl(0, 100%, 40%);">-; e.g. ice_blacklist = 192.168.1.0/255.255.255.0</span><br><span style="color: hsl(0, 100%, 40%);">-; ice_blacklist = 10.32.77.0/255.255.255.0</span><br><span style="color: hsl(120, 100%, 40%);">+; ice_acl = named_acl</span><br><span style="color: hsl(120, 100%, 40%);">+; ice_deny = 0.0.0.0/0</span><br><span style="color: hsl(120, 100%, 40%);">+; ice_permit = 1.2.3.4/32</span><br><span> ;</span><br><span style="color: hsl(0, 100%, 40%);">-; ice_blacklist =</span><br><span style="color: hsl(120, 100%, 40%);">+; For historic reasons ice_blacklist is an alias for ice_deny.</span><br><span> ;</span><br><span> ; The MTU to use for DTLS packet fragmentation. This option is set to 1200</span><br><span> ; by default. The minimum MTU is 256.</span><br><span>diff --git a/doc/CHANGES-staging/res_rtp_asterisk_cli.txt b/doc/CHANGES-staging/res_rtp_asterisk_cli.txt</span><br><span>new file mode 100644</span><br><span>index 0000000..7b5516d</span><br><span>--- /dev/null</span><br><span>+++ b/doc/CHANGES-staging/res_rtp_asterisk_cli.txt</span><br><span>@@ -0,0 +1,18 @@</span><br><span style="color: hsl(120, 100%, 40%);">+Subject: res_rtp_asterisk</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+The blacklist mechanism in res_rtp_asterisk for ICE and STUN was converted to</span><br><span style="color: hsl(120, 100%, 40%);">+an ACL mechanism.</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+As such six now options are now available:</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ice_deny</span><br><span style="color: hsl(120, 100%, 40%);">+ice_permit</span><br><span style="color: hsl(120, 100%, 40%);">+ice_acl</span><br><span style="color: hsl(120, 100%, 40%);">+stun_deny</span><br><span style="color: hsl(120, 100%, 40%);">+stun_permit</span><br><span style="color: hsl(120, 100%, 40%);">+stun_acl</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+These options have their obvious meanings as used elsewhere.</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+Backwards compatibility was maintained by adding {stun,ice}_blacklist as</span><br><span style="color: hsl(120, 100%, 40%);">+aliases for {stun,ice}_deny.</span><br><span>diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c</span><br><span>index 366539f..05a993f 100644</span><br><span>--- a/res/res_rtp_asterisk.c</span><br><span>+++ b/res/res_rtp_asterisk.c</span><br><span>@@ -84,6 +84,7 @@</span><br><span> #include "asterisk/data_buffer.h"</span><br><span> #ifdef HAVE_PJPROJECT</span><br><span> #include "asterisk/res_pjproject.h"</span><br><span style="color: hsl(120, 100%, 40%);">+#include "asterisk/security_events.h"</span><br><span> #endif</span><br><span> </span><br><span> #define MAX_TIMESTAMP_SKEW 640</span><br><span>@@ -212,13 +213,15 @@</span><br><span> static int turnport = DEFAULT_TURN_PORT;</span><br><span> static pj_str_t turnusername;</span><br><span> static pj_str_t turnpassword;</span><br><span style="color: hsl(120, 100%, 40%);">+static struct stasis_subscription *acl_change_sub = NULL;</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-static struct ast_ha *ice_blacklist = NULL; /*!< Blacklisted ICE networks */</span><br><span style="color: hsl(0, 100%, 40%);">-static ast_rwlock_t ice_blacklist_lock = AST_RWLOCK_INIT_VALUE;</span><br><span style="color: hsl(120, 100%, 40%);">+/*! ACL for ICE addresses */</span><br><span style="color: hsl(120, 100%, 40%);">+static struct ast_acl_list *ice_acl = NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+static ast_rwlock_t ice_acl_lock = AST_RWLOCK_INIT_VALUE;</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-/*! Blacklisted networks for STUN requests */</span><br><span style="color: hsl(0, 100%, 40%);">-static struct ast_ha *stun_blacklist = NULL;</span><br><span style="color: hsl(0, 100%, 40%);">-static ast_rwlock_t stun_blacklist_lock = AST_RWLOCK_INIT_VALUE;</span><br><span style="color: hsl(120, 100%, 40%);">+/*! ACL for STUN requests */</span><br><span style="color: hsl(120, 100%, 40%);">+static struct ast_acl_list *stun_acl = NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+static ast_rwlock_t stun_acl_lock = AST_RWLOCK_INIT_VALUE;</span><br><span> </span><br><span> /*! \brief Pool factory used by pjlib to allocate memory. */</span><br><span> static pj_caching_pool cachingpool;</span><br><span>@@ -3424,6 +3427,21 @@</span><br><span> }</span><br><span> </span><br><span> #ifdef HAVE_PJPROJECT</span><br><span style="color: hsl(120, 100%, 40%);">+static void acl_change_stasis_cb(void *data, struct stasis_subscription *sub, struct stasis_message *message);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/*!</span><br><span style="color: hsl(120, 100%, 40%);">+ * \internal</span><br><span style="color: hsl(120, 100%, 40%);">+ * \brief Resets and ACL to empty state.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * \return Nothing</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+static void rtp_unload_acl(ast_rwlock_t *lock, struct ast_acl_list **acl)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_rwlock_wrlock(lock);</span><br><span style="color: hsl(120, 100%, 40%);">+ *acl = ast_free_acl_list(*acl);</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_rwlock_unlock(lock);</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> /*!</span><br><span> * \internal</span><br><span> * \brief Checks an address against the ICE blacklist</span><br><span>@@ -3435,17 +3453,17 @@</span><br><span> */</span><br><span> static int rtp_address_is_ice_blacklisted(const pj_sockaddr_t *address)</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">- char buf[PJ_INET6_ADDRSTRLEN];</span><br><span> struct ast_sockaddr saddr;</span><br><span style="color: hsl(0, 100%, 40%);">- int result = 1;</span><br><span style="color: hsl(120, 100%, 40%);">+ int result = 0;</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- ast_sockaddr_parse(&saddr, pj_sockaddr_print(address, buf, sizeof(buf), 0), 0);</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span style="color: hsl(0, 100%, 40%);">- ast_rwlock_rdlock(&ice_blacklist_lock);</span><br><span style="color: hsl(0, 100%, 40%);">- if (!ice_blacklist || (ast_apply_ha(ice_blacklist, &saddr) == AST_SENSE_ALLOW)) {</span><br><span style="color: hsl(0, 100%, 40%);">- result = 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ if (ast_sockaddr_from_pj_sockaddr(&saddr, address) < 0) {</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_ERROR, "Failed to convert pj_sockddr_t to ast_sockaddr - ICE blacklisting (default)\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ return 1;</span><br><span> }</span><br><span style="color: hsl(0, 100%, 40%);">- ast_rwlock_unlock(&ice_blacklist_lock);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_rwlock_rdlock(&ice_acl_lock);</span><br><span style="color: hsl(120, 100%, 40%);">+ result |= ast_apply_acl_nolog(ice_acl, &saddr) == AST_SENSE_DENY;</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_rwlock_unlock(&ice_acl_lock);</span><br><span> </span><br><span> return result;</span><br><span> }</span><br><span>@@ -3464,14 +3482,11 @@</span><br><span> */</span><br><span> static int stun_address_is_blacklisted(const struct ast_sockaddr *addr)</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">- int result = 1;</span><br><span style="color: hsl(120, 100%, 40%);">+ int result = 0;</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- ast_rwlock_rdlock(&stun_blacklist_lock);</span><br><span style="color: hsl(0, 100%, 40%);">- if (!stun_blacklist</span><br><span style="color: hsl(0, 100%, 40%);">- || ast_apply_ha(stun_blacklist, addr) == AST_SENSE_ALLOW) {</span><br><span style="color: hsl(0, 100%, 40%);">- result = 0;</span><br><span style="color: hsl(0, 100%, 40%);">- }</span><br><span style="color: hsl(0, 100%, 40%);">- ast_rwlock_unlock(&stun_blacklist_lock);</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_rwlock_rdlock(&stun_acl_lock);</span><br><span style="color: hsl(120, 100%, 40%);">+ result |= ast_apply_acl_nolog(stun_acl, addr) == AST_SENSE_DENY;</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_rwlock_unlock(&stun_acl_lock);</span><br><span> </span><br><span> return result;</span><br><span> }</span><br><span>@@ -8868,75 +8883,16 @@</span><br><span> AST_CLI_DEFINE(handle_cli_rtcp_set_stats, "Enable/Disable RTCP stats"),</span><br><span> };</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-#ifdef HAVE_PJPROJECT</span><br><span style="color: hsl(0, 100%, 40%);">-/*!</span><br><span style="color: hsl(0, 100%, 40%);">- * \internal</span><br><span style="color: hsl(0, 100%, 40%);">- * \brief Clear the configured blacklist.</span><br><span style="color: hsl(0, 100%, 40%);">- * \since 13.16.0</span><br><span style="color: hsl(0, 100%, 40%);">- *</span><br><span style="color: hsl(0, 100%, 40%);">- * \param lock R/W lock protecting the blacklist</span><br><span style="color: hsl(0, 100%, 40%);">- * \param blacklist List to clear</span><br><span style="color: hsl(0, 100%, 40%);">- *</span><br><span style="color: hsl(0, 100%, 40%);">- * \return Nothing</span><br><span style="color: hsl(0, 100%, 40%);">- */</span><br><span style="color: hsl(0, 100%, 40%);">-static void blacklist_clear(ast_rwlock_t *lock, struct ast_ha **blacklist)</span><br><span style="color: hsl(0, 100%, 40%);">-{</span><br><span style="color: hsl(0, 100%, 40%);">- ast_rwlock_wrlock(lock);</span><br><span style="color: hsl(0, 100%, 40%);">- ast_free_ha(*blacklist);</span><br><span style="color: hsl(0, 100%, 40%);">- *blacklist = NULL;</span><br><span style="color: hsl(0, 100%, 40%);">- ast_rwlock_unlock(lock);</span><br><span style="color: hsl(0, 100%, 40%);">-}</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span style="color: hsl(0, 100%, 40%);">-/*!</span><br><span style="color: hsl(0, 100%, 40%);">- * \internal</span><br><span style="color: hsl(0, 100%, 40%);">- * \brief Load the blacklist configuration.</span><br><span style="color: hsl(0, 100%, 40%);">- * \since 13.16.0</span><br><span style="color: hsl(0, 100%, 40%);">- *</span><br><span style="color: hsl(0, 100%, 40%);">- * \param cfg Raw config file options.</span><br><span style="color: hsl(0, 100%, 40%);">- * \param option_name Blacklist option name</span><br><span style="color: hsl(0, 100%, 40%);">- * \param lock R/W lock protecting the blacklist</span><br><span style="color: hsl(0, 100%, 40%);">- * \param blacklist List to load</span><br><span style="color: hsl(0, 100%, 40%);">- *</span><br><span style="color: hsl(0, 100%, 40%);">- * \return Nothing</span><br><span style="color: hsl(0, 100%, 40%);">- */</span><br><span style="color: hsl(0, 100%, 40%);">-static void blacklist_config_load(struct ast_config *cfg, const char *option_name,</span><br><span style="color: hsl(0, 100%, 40%);">- ast_rwlock_t *lock, struct ast_ha **blacklist)</span><br><span style="color: hsl(0, 100%, 40%);">-{</span><br><span style="color: hsl(0, 100%, 40%);">- struct ast_variable *var;</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span style="color: hsl(0, 100%, 40%);">- ast_rwlock_wrlock(lock);</span><br><span style="color: hsl(0, 100%, 40%);">- for (var = ast_variable_browse(cfg, "general"); var; var = var->next) {</span><br><span style="color: hsl(0, 100%, 40%);">- if (!strcasecmp(var->name, option_name)) {</span><br><span style="color: hsl(0, 100%, 40%);">- struct ast_ha *na;</span><br><span style="color: hsl(0, 100%, 40%);">- int ha_error = 0;</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span style="color: hsl(0, 100%, 40%);">- na = ast_append_ha("d", var->value, *blacklist, &ha_error);</span><br><span style="color: hsl(0, 100%, 40%);">- if (!na) {</span><br><span style="color: hsl(0, 100%, 40%);">- ast_log(LOG_WARNING, "Invalid %s value: %s\n",</span><br><span style="color: hsl(0, 100%, 40%);">- option_name, var->value);</span><br><span style="color: hsl(0, 100%, 40%);">- } else {</span><br><span style="color: hsl(0, 100%, 40%);">- *blacklist = na;</span><br><span style="color: hsl(0, 100%, 40%);">- }</span><br><span style="color: hsl(0, 100%, 40%);">- if (ha_error) {</span><br><span style="color: hsl(0, 100%, 40%);">- ast_log(LOG_ERROR,</span><br><span style="color: hsl(0, 100%, 40%);">- "Bad %s configuration value line %d: %s\n",</span><br><span style="color: hsl(0, 100%, 40%);">- option_name, var->lineno, var->value);</span><br><span style="color: hsl(0, 100%, 40%);">- }</span><br><span style="color: hsl(0, 100%, 40%);">- }</span><br><span style="color: hsl(0, 100%, 40%);">- }</span><br><span style="color: hsl(0, 100%, 40%);">- ast_rwlock_unlock(lock);</span><br><span style="color: hsl(0, 100%, 40%);">-}</span><br><span style="color: hsl(0, 100%, 40%);">-#endif</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span style="color: hsl(0, 100%, 40%);">-static int rtp_reload(int reload)</span><br><span style="color: hsl(120, 100%, 40%);">+static int rtp_reload(int reload, int by_external_config)</span><br><span> {</span><br><span> struct ast_config *cfg;</span><br><span> const char *s;</span><br><span style="color: hsl(0, 100%, 40%);">- struct ast_flags config_flags = { reload ? CONFIG_FLAG_FILEUNCHANGED : 0 };</span><br><span style="color: hsl(120, 100%, 40%);">+ struct ast_flags config_flags = { (reload && !by_external_config) ? CONFIG_FLAG_FILEUNCHANGED : 0 };</span><br><span> </span><br><span> #ifdef HAVE_PJPROJECT</span><br><span> struct ast_variable *var;</span><br><span> struct ast_ice_host_candidate *candidate;</span><br><span style="color: hsl(120, 100%, 40%);">+ int acl_subscription_flag = 0;</span><br><span> #endif</span><br><span> </span><br><span> cfg = ast_config_load2("rtp.conf", "rtp", config_flags);</span><br><span>@@ -8972,8 +8928,6 @@</span><br><span> turnusername = pj_str(NULL);</span><br><span> turnpassword = pj_str(NULL);</span><br><span> host_candidate_overrides_clear();</span><br><span style="color: hsl(0, 100%, 40%);">- blacklist_clear(&ice_blacklist_lock, &ice_blacklist);</span><br><span style="color: hsl(0, 100%, 40%);">- blacklist_clear(&stun_blacklist_lock, &stun_blacklist);</span><br><span> #endif</span><br><span> </span><br><span> #if defined(HAVE_OPENSSL) && (OPENSSL_VERSION_NUMBER >= 0x10001000L) && !defined(OPENSSL_NO_SRTP)</span><br><span>@@ -9107,11 +9061,45 @@</span><br><span> }</span><br><span> AST_RWLIST_UNLOCK(&host_candidates);</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- /* Read ICE blacklist configuration lines */</span><br><span style="color: hsl(0, 100%, 40%);">- blacklist_config_load(cfg, "ice_blacklist", &ice_blacklist_lock, &ice_blacklist);</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_rwlock_wrlock(&ice_acl_lock);</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_rwlock_wrlock(&stun_acl_lock);</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- /* Read STUN blacklist configuration lines */</span><br><span style="color: hsl(0, 100%, 40%);">- blacklist_config_load(cfg, "stun_blacklist", &stun_blacklist_lock, &stun_blacklist);</span><br><span style="color: hsl(120, 100%, 40%);">+ ice_acl = ast_free_acl_list(ice_acl);</span><br><span style="color: hsl(120, 100%, 40%);">+ stun_acl = ast_free_acl_list(stun_acl);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ for (var = ast_variable_browse(cfg, "general"); var; var = var->next) {</span><br><span style="color: hsl(120, 100%, 40%);">+ const char* sense = NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+ struct ast_acl_list **acl = NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+ if (strncasecmp(var->name, "ice_", 4) == 0) {</span><br><span style="color: hsl(120, 100%, 40%);">+ sense = var->name + 4;</span><br><span style="color: hsl(120, 100%, 40%);">+ acl = &ice_acl;</span><br><span style="color: hsl(120, 100%, 40%);">+ } else if (strncasecmp(var->name, "stun_", 5) == 0) {</span><br><span style="color: hsl(120, 100%, 40%);">+ sense = var->name + 5;</span><br><span style="color: hsl(120, 100%, 40%);">+ acl = &stun_acl;</span><br><span style="color: hsl(120, 100%, 40%);">+ } else {</span><br><span style="color: hsl(120, 100%, 40%);">+ continue;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (strcasecmp(sense, "blacklist") == 0) {</span><br><span style="color: hsl(120, 100%, 40%);">+ sense = "deny";</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (strcasecmp(sense, "acl") && strcasecmp(sense, "permit") && strcasecmp(sense, "deny")) {</span><br><span style="color: hsl(120, 100%, 40%);">+ continue;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_append_acl(sense, var->value, acl, NULL, &acl_subscription_flag);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_rwlock_unlock(&ice_acl_lock);</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_rwlock_unlock(&stun_acl_lock);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (acl_subscription_flag && !acl_change_sub) {</span><br><span style="color: hsl(120, 100%, 40%);">+ acl_change_sub = stasis_subscribe(ast_security_topic(), acl_change_stasis_cb, NULL);</span><br><span style="color: hsl(120, 100%, 40%);">+ stasis_subscription_accept_message_type(acl_change_sub, ast_named_acl_change_type());</span><br><span style="color: hsl(120, 100%, 40%);">+ stasis_subscription_set_filter(acl_change_sub, STASIS_SUBSCRIPTION_FILTER_SELECTIVE);</span><br><span style="color: hsl(120, 100%, 40%);">+ } else if (!acl_subscription_flag && acl_change_sub) {</span><br><span style="color: hsl(120, 100%, 40%);">+ acl_change_sub = stasis_unsubscribe_and_join(acl_change_sub);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span> #endif</span><br><span> #if defined(HAVE_OPENSSL) && (OPENSSL_VERSION_NUMBER >= 0x10001000L) && !defined(OPENSSL_NO_SRTP)</span><br><span> if ((s = ast_variable_retrieve(cfg, "general", "dtls_mtu"))) {</span><br><span>@@ -9136,7 +9124,7 @@</span><br><span> </span><br><span> static int reload_module(void)</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">- rtp_reload(1);</span><br><span style="color: hsl(120, 100%, 40%);">+ rtp_reload(1, 0);</span><br><span> return 0;</span><br><span> }</span><br><span> </span><br><span>@@ -9154,6 +9142,16 @@</span><br><span> ast_pjproject_caching_pool_destroy(&cachingpool);</span><br><span> pj_shutdown();</span><br><span> }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+static void acl_change_stasis_cb(void *data, struct stasis_subscription *sub, struct stasis_message *message)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ if (stasis_message_type(message) != ast_named_acl_change_type()) {</span><br><span style="color: hsl(120, 100%, 40%);">+ return;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ /* There is no simple way to just reload the ACLs, so just execute a forced reload. */</span><br><span style="color: hsl(120, 100%, 40%);">+ rtp_reload(1, 1);</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span> #endif</span><br><span> </span><br><span> static int load_module(void)</span><br><span>@@ -9234,7 +9232,7 @@</span><br><span> return AST_MODULE_LOAD_DECLINE;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- rtp_reload(0);</span><br><span style="color: hsl(120, 100%, 40%);">+ rtp_reload(0, 0);</span><br><span> </span><br><span> return AST_MODULE_LOAD_SUCCESS;</span><br><span> }</span><br><span>@@ -9254,6 +9252,10 @@</span><br><span> host_candidate_overrides_clear();</span><br><span> pj_thread_register_check();</span><br><span> rtp_terminate_pjproject();</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ acl_change_sub = stasis_unsubscribe_and_join(acl_change_sub);</span><br><span style="color: hsl(120, 100%, 40%);">+ rtp_unload_acl(&ice_acl_lock, &ice_acl);</span><br><span style="color: hsl(120, 100%, 40%);">+ rtp_unload_acl(&stun_acl_lock, &stun_acl);</span><br><span> #endif</span><br><span> </span><br><span> return 0;</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/13974">change 13974</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/13974"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 17 </div>
<div style="display:none"> Gerrit-Change-Id: Id57a8df51fcfd3bd85ea67c489c85c6c3ecd7b30 </div>
<div style="display:none"> Gerrit-Change-Number: 13974 </div>
<div style="display:none"> Gerrit-PatchSet: 2 </div>
<div style="display:none"> Gerrit-Owner: Jaco Kroon <jaco@uls.co.za> </div>
<div style="display:none"> Gerrit-Reviewer: Friendly Automation </div>
<div style="display:none"> Gerrit-Reviewer: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-MessageType: merged </div>