<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>It needs to be fixed if there is an issue, even if it happens during
      reload. I looked only a bit at the code and I tried to figure out
      what could be the situations when matching can fail due to
      internal operations. First we have to identify the case, then it
      will be fixed.<br>
    </p>
    <p>Cheers,<br>
      Daniel<br>
    </p>
    <div class="moz-cite-prefix">On 18.05.21 14:50, Romain Untereiner
      wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:c62e6ce4-dd60-4082-9744-fbcf0a7e0352@Spark">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <title></title>
      <div name="messageBodySection">
        <div dir="auto">Thanks for the hints!<br>
          <br>
          I didn’t think about the potential correlation with rpc
          reloads. Yes, we proceed to reloads during runtime but I can’t
          remember if these 2 events (reloading and not allowing $si)
          happened at the same time.<br>
          <br>
          It has a quite minor impact anyway but I felt I was doing
          something wrong. <br>
          <br>
          So I’ll actively monitor these 2 events’ occurrences to see if
          there’s a link. And if not I might touch the source code of
          permissions module. I’ll revert to you with some more detailed
          diagnostic.<br>
          <br>
          Thanks again for the help, for your reactivity and for all the
          work you put inside our beloved Kamailio!<br>
          <br>
          PS: I might soon open new threads here for other minor issues
          I’m having</div>
      </div>
      <div name="messageSignatureSection"><br>
        <div class="matchFont"><b>Romain Untereiner</b><br>
          Co founder at <a href="https://www.cantoo.co"
            moz-do-not-send="true"><i>Cantoo</i></a><br>
          <a href="www.cantoo.co" moz-do-not-send="true">www.cantoo.co</a></div>
      </div>
      <div name="messageReplySection">On 18 May 2021 at 12:45 +0200,
        Daniel-Constantin Mierla <a class="moz-txt-link-rfc2396E" href="mailto:miconda@gmail.com">&lt;miconda@gmail.com&gt;</a> wrote:<br>
        <blockquote type="cite" style="border-left-color: grey;
          border-left-width: thin; border-left-style: solid; margin: 5px
          5px;padding-left: 10px;">
          <p><br>
          </p>
          <div class="moz-cite-prefix">On 18.05.21 12:29, Romain
            Untereiner wrote:<br>
          </div>
          <blockquote type="cite"
            cite="mid:a249094e-f9be-471d-b0d2-869f0ab142aa@Spark">
            <meta http-equiv="content-type" content="text/html;
              charset=UTF-8">
            <div name="messageBodySection">
              <div dir="auto">Yes it is set in the table: <br>
                <br>
                group | ip_addr | mask | port | tag<br>
                ZZZ | X.X.X.X | 24 | 5060 | NULL<br>
                <br>
                And I can confirm the IP and Port I see in the traces
                should match X.X.X.X/24 & 5060, and as mentioned
                before I could see that few ms before (99.99% of the
                cases), same IP and Port were correctly allowed and the
                group was found.<br>
                <br>
                Is there some more advanced debugging I could set up to
                dive into allow_source_address_group() behavior?<br>
              </div>
            </div>
          </blockquote>
          <p>The source code is available, so you can edit and add more
            log messages in the corresponding functions inside the
            permissions module, then re-compile/re-install, if you want
            to go that path.</p>
          <p>Do you reload records from the address table at runtime via
            rpc? If yes, do you think it happened at the same time with
            the matching failure? Trying to see what can be ruled out or
            not ...</p>
          <p>Cheers,<br>
            Daniel<br>
          </p>
          <blockquote type="cite"
            cite="mid:a249094e-f9be-471d-b0d2-869f0ab142aa@Spark">
            <div name="messageBodySection">
              <div dir="auto"><br>
                Thanks</div>
            </div>
            <div name="messageReplySection">On 18 May 2021 at 12:18
              +0200, Daniel-Constantin Mierla <a
                class="moz-txt-link-rfc2396E"
                href="mailto:miconda@gmail.com" moz-do-not-send="true">&lt;miconda@gmail.com&gt;</a>
              wrote:<br>
              <blockquote type="cite" style="border-left-color: grey;
                border-left-width: thin; border-left-style: solid;
                margin: 5px 5px;padding-left: 10px;">
                <p>Hmm, do you have port set for the records in the
                  address table? I notice you print it in the log
                  message...</p>
                <p>Cheers,<br>
                  Daniel<br>
                </p>
                <div class="moz-cite-prefix">On 18.05.21 11:15, Romain
                  Untereiner wrote:<br>
                </div>
                <blockquote type="cite"
                  cite="mid:045797a5-d71c-4a3b-afd0-d9b8301373fe@Spark">
                  <meta http-equiv="content-type" content="text/html;
                    charset=UTF-8">
                  <div name="messageBodySection">
                    <div dir="auto">Hello Daniel,<br>
                      <br>
                      Thanks for your quick answer! <br>
                      <br>
                      I indeed need to identify the group ID too.<br>
                      <br>
                      Here’s how I handle it (inspired from <a
href="https://kamailio.org/docs/modules/5.5.x/modules/permissions.html#permissions.f.allow_source_address"
                        target="_blank" moz-do-not-send="true">https://kamailio.org/docs/modules/5.5.x/modules/permissions.html#permissions.f.allow_source_address</a>):<br>
                      <br>
                      <pre>$var(group) = allow_source_address_group();

# -1 means no address table record matched the source IP and port
if ($var(group) != -1) {
    xlog("L_INFO", "$si : $sp is allowed through group: $var(group)\n");
    [...]
} else {
    xlog("L_INFO", "$si : $sp is not allowed - allow_source_address_group returned -1\n");
    xlog("L_INFO", "Rejecting $ci with 403 'Forbidden'\n");
    sl_send_reply("403", "Forbidden");
    exit;
}</pre>
                      <br>
                      Best regards,</div>
                  </div>
                  <div name="messageReplySection">On 18 May 2021 at 08:44
                    +0200, Daniel-Constantin Mierla <a
                      class="moz-txt-link-rfc2396E"
                      href="mailto:miconda@gmail.com"
                      moz-do-not-send="true">&lt;miconda@gmail.com&gt;</a>
                    wrote:<br>
                    <blockquote type="cite" style="border-left-color:
                      grey; border-left-width: thin; border-left-style:
                      solid; margin: 5px 5px;padding-left: 10px;">Hello,<br>
                      <br>
                      On 17.05.21 12:11, Romain Untereiner wrote:<br>
                      <blockquote type="cite">Hello all,<br>
                        <br>
                        I am having some trouble with Permissions module
                        of Kamailio,<br>
                        regarding the allow_source_address_group()
                        function. In 99.9% of the<br>
                        cases the IP of our partner is allowed as
                        expected, but randomly it<br>
                        can fail (returning -1 for the same IP address
                        that was allowed for<br>
                        many other calls in the meantime). <br>
                        <br>
                        I can’t understand why it fails and why only
                        « sometimes » - I confirm<br>
                        this happens on the same Kamailio box, with same
                        IP and Port of the<br>
                        partner.<br>
                        <br>
                        In my custom logs:<br>
                        « X.X.X.X:YYYY is allowed through group Z »
                        —> as expected<br>
                        and sometimes (like 1% of the cases):
                        « X.X.X.X:YYYY is not allowed<br>
                        -  allow_source_address_group returned -1»<br>
                        <br>
                        It is maybe to note that in the address table,
                        this range is defined<br>
                        as /24 and not /32. Until now it never happened
                        on /32 defined address<br>
                        but I don’t know if it can be correlated.<br>
                        <br>
                        Would someone have a clue on this?<br>
                        <br>
                        Versions:<br>
                        - kamailio 5.5.0 (x86_64/linux) d4c1a1<br>
                        - debian 9 stretch<br>
                        - postgresql 11.7<br>
                      </blockquote>
                      <br>
                      how do you test the return code of the function?
                      Paste here the snippet<br>
                      of the config where the function is used.<br>
                      <br>
                      Then, do you really need the group id of the
                      address or just to match the<br>
                      address?<br>
                      <br>
                      Cheers,<br>
                      Daniel<br>
                      <br>
                      --<br>
                      Daniel-Constantin Mierla -- <a
                        class="moz-txt-link-abbreviated"
                        href="http://www.asipto.com"
                        moz-do-not-send="true">www.asipto.com</a><br>
                      <a class="moz-txt-link-abbreviated"
                        href="http://www.twitter.com/miconda"
                        moz-do-not-send="true">www.twitter.com/miconda</a>
                      -- <a class="moz-txt-link-abbreviated"
                        href="http://www.linkedin.com/in/miconda"
                        moz-do-not-send="true">www.linkedin.com/in/miconda</a><br>
                      Kamailio Advanced Training - Online<br>
                      May 17-20, 2021 (Europe Timezone) - June 7-10,
                      2021 (America Timezone)<br>
                      * <a class="moz-txt-link-freetext"
                        href="https://www.asipto.com/sw/kamailio-advanced-training-online/"
                        moz-do-not-send="true">https://www.asipto.com/sw/kamailio-advanced-training-online/</a><br>
                      <br>
                    </blockquote>
                  </div>
                </blockquote>
              </blockquote>
            </div>
          </blockquote>
        </blockquote>
      </div>
    </blockquote>
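    <p>One way to test the reload correlation discussed in this thread, as an added example that is not part of the original messages or of Kamailio: it reads the allow/deny lines produced by the xlog() calls quoted above and reports which denials of a previously allowed source fall close to an address reload. The timestamp prefix, the "address reload issued" marker line (assumed to be logged by whatever triggers the RPC reload), the sample addresses and the one-second window are all assumptions.</p>

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not from the thread). The allow/deny texts follow the
# xlog() format strings quoted in the thread; the "address reload issued" marker
# is a hypothetical line that the job triggering the RPC reload logs itself.
SAMPLE_LOG = """\
2021-05-18 10:00:00.120 INFO 192.0.2.10 : 5060 is allowed through group: 7
2021-05-18 10:00:03.000 NOTICE address reload issued
2021-05-18 10:00:03.015 INFO 192.0.2.10 : 5060 is not allowed - allow_source_address_group returned -1
2021-05-18 10:00:03.480 INFO 192.0.2.10 : 5060 is allowed through group: 7
2021-05-18 10:07:41.900 INFO 192.0.2.10 : 5060 is not allowed - allow_source_address_group returned -1
2021-05-18 10:07:42.100 INFO 198.51.100.9 : 5060 is not allowed - allow_source_address_group returned -1
"""

LINE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ (?:(?P<ip>\S+) : (?P<port>\d+) is "
    r"(?P<verdict>allowed through group: \d+|not allowed - .*)|(?P<reload>address reload issued))$"
)

def correlate(log_text, window_s=1.0):
    """Split denials of previously allowed sources by proximity to a reload."""
    window = timedelta(seconds=window_s)
    reloads, events = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        if m["reload"]:
            reloads.append(ts)
        else:
            events.append((ts, f"{m['ip']}:{m['port']}", m["verdict"].startswith("allowed")))
    ever_allowed = {src for _, src, ok in events if ok}
    report = {"near_reload": [], "unexplained": []}
    for ts, src, ok in events:
        if ok or src not in ever_allowed:
            continue  # a source that was never allowed is an ordinary rejection
        near = any(abs(ts - r) <= window for r in reloads)
        report["near_reload" if near else "unexplained"].append((ts.isoformat(), src))
    return report
```

    <p>Denials listed under "unexplained" are the ones a reload cannot account for and are the cases worth instrumenting further in the permissions module.</p>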
  </body>
</html>