<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p><br>
    </p>
    <div class="moz-cite-prefix">On 18.05.21 12:29, Romain Untereiner
      wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:a249094e-f9be-471d-b0d2-869f0ab142aa@Spark">
      <div name="messageBodySection">
        <div dir="auto">Yes it is set in the table: <br>
          <br>
          group | ip_addr | mask | port | tag<br>
          ZZZ | X.X.X.X | 24 | 5060 | NULL<br>
          <br>
          And I can confirm the IP and Port I see in the traces should
          match X.X.X.X/24 &amp; 5060, and as mentioned before I could
          see that a few ms before (99.99% of the cases), same IP and Port
          were correctly allowed and the group was found.<br>
          <br>
          Is there some more advanced debugging I could set up to dive
          into allow_source_address_group() behavior?<br>
        </div>
      </div>
    </blockquote>
    <p>The source code is available, so you can edit and add more log
      messages in the corresponding functions inside the permissions
      module, then re-compile/re-install, if you want to go that path.</p>
    <p>Do you reload records from the address table at runtime via rpc?
      If yes, do you think it happened at the same time as the
      matching failure? Trying to see what can be ruled out or not ...</p>
    <p>Cheers,<br>
      Daniel<br>
    </p>
    <blockquote type="cite"
      cite="mid:a249094e-f9be-471d-b0d2-869f0ab142aa@Spark">
      <div name="messageBodySection">
        <div dir="auto">
          <br>
          Thanks</div>
      </div>
      <div name="messageSignatureSection"><br>
        <div class="matchFont"><b>Romain Untereiner</b><br>
          Co founder at <a href="https://www.cantoo.co"
            moz-do-not-send="true"><i>Cantoo</i></a><br>
          <a href="www.cantoo.co" moz-do-not-send="true">www.cantoo.co</a></div>
      </div>
      <div name="messageReplySection">On 18 May 2021 at 12:18 +0200,
        Daniel-Constantin Mierla <a class="moz-txt-link-rfc2396E" href="mailto:miconda@gmail.com">&lt;miconda@gmail.com&gt;</a> wrote:<br>
        <blockquote type="cite" style="border-left-color: grey;
          border-left-width: thin; border-left-style: solid; margin: 5px
          5px;padding-left: 10px;">
          <p>Hmm, do you have port set for the records in the address
            table? I notice you print it in the log message...</p>
          <p>Cheers,<br>
            Daniel<br>
          </p>
          <div class="moz-cite-prefix">On 18.05.21 11:15, Romain
            Untereiner wrote:<br>
          </div>
          <blockquote type="cite"
            cite="mid:045797a5-d71c-4a3b-afd0-d9b8301373fe@Spark">
            <div name="messageBodySection">
              <div dir="auto">Hello Daniel,<br>
                <br>
                Thanks for your quick answer! <br>
                <br>
                I indeed need to identify the group ID too.<br>
                <br>
                Here’s how I handle it (inspired from <a
href="https://kamailio.org/docs/modules/5.5.x/modules/permissions.html#permissions.f.allow_source_address"
                  target="_blank" moz-do-not-send="true">https://kamailio.org/docs/modules/5.5.x/modules/permissions.html#permissions.f.allow_source_address</a>):<br>
                <br>
                ```<br>
                $var(group) = allow_source_address_group();<br>
                <br>
                if ($var(group) != -1) {<br>
                &nbsp;&nbsp;&nbsp;&nbsp;xlog("L_INFO", "$si : $sp is allowed through group: $var(group)\n");<br>
                &nbsp;&nbsp;&nbsp;&nbsp;[...]<br>
                } else {<br>
                &nbsp;&nbsp;&nbsp;&nbsp;xlog("L_INFO", "$si : $sp is not allowed - allow_source_address_group returned -1\n");<br>
                &nbsp;&nbsp;&nbsp;&nbsp;xlog("L_INFO", "Rejecting $ci with 403 'Forbidden'\n");<br>
                &nbsp;&nbsp;&nbsp;&nbsp;sl_send_reply("403", "Forbidden");<br>
                &nbsp;&nbsp;&nbsp;&nbsp;exit;<br>
                }<br>
                ```<br>
                <br>
                Best regards,</div>
            </div>
            <div name="messageSignatureSection"><br>
              <div class="matchFont"><b>Romain Untereiner</b><br>
                Co founder at <a href="https://www.cantoo.co"
                  moz-do-not-send="true"><i>Cantoo</i></a><br>
                <a href="www.cantoo.co" moz-do-not-send="true">www.cantoo.co</a></div>
            </div>
            <div name="messageReplySection">On 18 May 2021 at 08:44
              +0200, Daniel-Constantin Mierla <a
                class="moz-txt-link-rfc2396E"
                href="mailto:miconda@gmail.com" moz-do-not-send="true">&lt;miconda@gmail.com&gt;</a>
              wrote:<br>
              <blockquote type="cite" style="border-left-color: grey;
                border-left-width: thin; border-left-style: solid;
                margin: 5px 5px;padding-left: 10px;">Hello,<br>
                <br>
                On 17.05.21 12:11, Romain Untereiner wrote:<br>
                <blockquote type="cite">Hello all,<br>
                  <br>
                  I am having some trouble with Permissions module of
                  Kamailio,<br>
                  regarding the allow_source_address_group() function.
                  In 99.9% of the<br>
                  cases the IP of our partner is allowed as expected,
                  but randomly it<br>
                  can fail (returning -1 for the same IP address that
                  was allowed for<br>
                  many other calls in the meantime). <br>
                  <br>
                  I can’t understand why it fails and why only
                  « sometimes » - I confirm<br>
                  this happens on the same Kamailio box, with same IP and
                  Port of the<br>
                  partner.<br>
                  <br>
                  In my custom logs:<br>
                  « X.X.X.X:YYYY is allowed through group Z » —> as
                  expected<br>
                  and sometimes (like 1% of the cases): « X.X.X.X:YYYY
                  is not allowed<br>
                  -  allow_source_address_group returned -1»<br>
                  <br>
                  It is maybe to note that in the address table, this
                  range is defined<br>
                  as /24 and not /32. Until now it never happened on /32
                  defined address<br>
                  but I don’t know if it can be correlated.<br>
                  <br>
                  Would someone have a clue on this?<br>
                  <br>
                  Versions:<br>
                  - kamailio 5.5.0 (x86_64/linux) d4c1a1<br>
                  - debian 9 stretch<br>
                  - postgresql 11.7<br>
                </blockquote>
                <br>
                how do you test the return code of the function? Paste
                here the snippet<br>
                of the config where the function is used.<br>
                <br>
                Then, do you really need the group id of the address or
                just to match the<br>
                address?<br>
                <br>
                Cheers,<br>
                Daniel<br>
                <br>
                --<br>
                Daniel-Constantin Mierla -- <a
                  class="moz-txt-link-abbreviated"
                  href="http://www.asipto.com" moz-do-not-send="true">www.asipto.com</a><br>
                <a class="moz-txt-link-abbreviated"
                  href="http://www.twitter.com/miconda"
                  moz-do-not-send="true">www.twitter.com/miconda</a> --
                <a class="moz-txt-link-abbreviated"
                  href="http://www.linkedin.com/in/miconda"
                  moz-do-not-send="true">www.linkedin.com/in/miconda</a><br>
                Kamailio Advanced Training - Online<br>
                May 17-20, 2021 (Europe Timezone) - June 7-10, 2021
                (America Timezone)<br>
                * <a class="moz-txt-link-freetext"
                  href="https://www.asipto.com/sw/kamailio-advanced-training-online/"
                  moz-do-not-send="true">https://www.asipto.com/sw/kamailio-advanced-training-online/</a><br>
                <br>
              </blockquote>
            </div>
          </blockquote>
        </blockquote>
      </div>
    </blockquote>
    <pre class="moz-signature" cols="72">-- 
Daniel-Constantin Mierla -- <a class="moz-txt-link-abbreviated" href="http://www.asipto.com">www.asipto.com</a>
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Kamailio Advanced Training - Online
May 17-20, 2021 (Europe Timezone) - June 7-10, 2021 (America Timezone)
  * <a class="moz-txt-link-freetext" href="https://www.asipto.com/sw/kamailio-advanced-training-online/">https://www.asipto.com/sw/kamailio-advanced-training-online/</a></pre>
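    <p>Added example, not part of the original thread and not Kamailio code: a log triage script for the two questions raised above, namely whether each rejected source really falls inside an address-table row (subnet and port) and whether the rejection happened close to an address-table reload. The table row, group id 7, the 192.0.2.0/24 range, the timestamp prefix on the xlog lines, the reload time, the one-second window and the function names are all constructed assumptions.</p>
<pre>
```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed address-table rows in the thread's column order
# (group, ip_addr, mask, port); 192.0.2.0/24 is a documentation range.
ADDRESS_ROWS = [(7, "192.0.2.0", 24, 5060)]

# Constructed log lines: an ISO timestamp prefix is assumed in front of
# the two xlog messages from the config snippet in the thread.
SAMPLE_LOG = """\
2021-05-18T09:14:59.120 192.0.2.17 : 5060 is allowed through group: 7
2021-05-18T09:15:00.031 192.0.2.17 : 5060 is not allowed - allow_source_address_group returned -1
2021-05-18T10:02:11.500 192.0.2.17 : 5062 is not allowed - allow_source_address_group returned -1
2021-05-18T11:30:45.250 192.0.2.17 : 5060 is not allowed - allow_source_address_group returned -1
"""

# Constructed times at which the operator reloaded the address table.
RELOADS = [datetime.fromisoformat("2021-05-18T09:15:00.000")]

REJECT = re.compile(r"^(\S+) (\S+) : (\d+) is not allowed")

def expected_group(ip, port, rows=ADDRESS_ROWS):
    """Group the table rows say should match this source, or None."""
    addr = ipaddress.ip_address(ip)
    for group, net, mask, row_port in rows:
        subnet = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if addr in subnet and port == row_port:
            return group
    return None

def classify(log=SAMPLE_LOG, reloads=RELOADS, window=timedelta(seconds=1)):
    """Label each rejection: table-miss, near-reload or unexplained."""
    out = []
    for line in log.splitlines():
        m = REJECT.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        ip, port = m.group(2), int(m.group(3))
        if expected_group(ip, port) is None:
            label = "table-miss"      # rejection is consistent with the table
        elif any(abs(ts - r) <= window for r in reloads):
            label = "near-reload"     # coincides with a reload
        else:
            label = "unexplained"     # should have matched, no reload nearby
        out.append((m.group(1), ip, port, label))
    return out
```
</pre>
    <p>Calling <code>classify()</code> on real logs and real reload times separates rejections that the table itself explains from those that line up with a reload; only the "unexplained" ones need extra log messages in the module.</p>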
  </body>
</html>