Module: sip-router Branch: master Commit: 7fae7a58cb98266f859e2483b892edd5f3110064 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=7fae7a58...
Author: Daniel-Constantin Mierla miconda@gmail.com Committer: Daniel-Constantin Mierla miconda@gmail.com Date: Sun Mar 28 21:03:55 2010 +0200
kamailio.cfg: various updates
- sample IP auth with permissions via define WITH_IPAUTH - more modularity in main route block, to better show the parts handling SIP server types such as REGISTRAR or LOCATION - sample alias line
---
etc/kamailio.cfg | 240 +++++++++++++++++++++++++++++++++++------------------- 1 files changed, 156 insertions(+), 84 deletions(-)
diff --git a/etc/kamailio.cfg b/etc/kamailio.cfg index ee63ec8..1269860 100644 --- a/etc/kamailio.cfg +++ b/etc/kamailio.cfg @@ -1,8 +1,6 @@ #!KAMAILIO # -# $Id$ -# -# Kamailio (OpenSER) SIP Server v3.0 - basic configuration script +# Kamailio (OpenSER) SIP Server v3.1 - default configuration script # - web: http://www.kamailio.org # - git: http://sip-router.org # @@ -24,6 +22,12 @@ # - define WITH_AUTH # - add users using 'kamctl' # +# *** To enable IP authentication execute: +# - enable mysql +# - enable authentication +# - define WITH_IPAUTH +# - add IP addresses with group id '1' to 'address' table +# # *** To enable persistent user location execute: # - enable mysql # - define WITH_USRLOCDB @@ -86,6 +90,9 @@ children=4 based on revers DNS on IPs (default on) */ #auto_aliases=no
+/* add local domain aliases */ +#alias="sip.mydomain.com" + port=5060
/* uncomment and configure the following line if you want Kamailio to @@ -143,6 +150,9 @@ loadmodule "acc.so" #!ifdef WITH_AUTH loadmodule "auth.so" loadmodule "auth_db.so" +#!ifdef WITH_IPAUTH +loadmodule "permissions.so" +#!endif #!endif /* uncomment next line for aliases support NOTE: a DB (like db_mysql) module must be also loaded */ @@ -231,6 +241,13 @@ modparam("auth_db", "password_column", "password") modparam("auth_db", "db_url", "mysql://openser:openserrw@localhost/openser") modparam("auth_db", "load_credentials", "") + +#!ifdef WITH_IPAUTH +modparam("permissions", "db_url", + "mysql://openser:openserrw@localhost/openser") +modparam("permissions", "db_mode", 1) +#!endif + #!endif
# ----- alias_db params ----- @@ -279,8 +296,97 @@ modparam("usrloc", "nat_bflag", 6)
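Review bot: The added `modparam("permissions", "db_url", ...)` repeats the literal `openser:openserrw` credentials already used for auth_db, so the well-known sample password now sits in one more place an operator has to remember to change. A comment above it such as `# NOTE: change the default DB password and keep this file readable only by the server's user` would make that explicit. A single shared DB URL define would be cleaner still, if the cfg preprocessor in this version supports value defines, which I have not checked. Separately, `db_mode` 1 looks like the module's caching mode, so rows added to the 'address' table as the header comment instructs would presumably take effect only after a reload or restart; that is worth saying next to the setting.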
# main request routing logic
-route{
+route {
+
+ # per request initial checks
+ route(REQINIT);
+
+ # NAT detection
+ route(NAT);
+
+ # handle requests within SIP dialogs
+ route(WITHINDLG);
+
+ ### only initial requests (no To tag)
+
+ # CANCEL processing
+ if (is_method("CANCEL"))
+ {
+ if (t_check_trans())
+ t_relay();
+ exit;
+ }
+
+ t_check_trans();
+
+ # authentication
+ route(AUTH);
+
+ # record routing for dialog forming requests (in case they are routed)
+ # - remove preloaded route headers
+ remove_hf("Route");
+ if (is_method("INVITE|SUBSCRIBE"))
+ record_route();
+
+ # account only INVITEs
+ if (is_method("INVITE"))
+ {
+ setflag(1); # do accounting
+ }
+
+ # dispatch requests to foreign domains
+ route(SIPOUT);
+
+ ### requests for my local domains
+
+ # handle presence related requests
+ route(PRESENCE);
+
+ # handle registrations
+ route(REGISTRAR);
+ if ($rU==$null) + { + # request with no Username in RURI + sl_send_reply("484","Address Incomplete"); + exit; + } + + # dispatch destinations to PSTN + route(PSTN); + + # user location service + route(LOCATION); + + route(RELAY); +} + + +route[RELAY] { +#!ifdef WITH_NAT + if (check_route_param("nat=yes")) { + setbflag("6"); + } + if (isflagset(5) || isbflagset("6")) { + route(RTPPROXY); + } +#!endif + + /* example how to enable some additional event routes */ + if (is_method("INVITE")) { + #t_on_branch("BRANCH_ONE"); + t_on_reply("REPLY_ONE"); + t_on_failure("FAIL_ONE"); + } + + if (!t_relay()) { + sl_reply_error(); + } + exit; +} + +# Per SIP request initial checks +route[REQINIT] { if (!mf_process_maxfwd_header("10")) { sl_send_reply("483","Too Many Hops"); exit; @@ -291,10 +397,10 @@ route{ xlog("Malformed SIP message from $si:$sp\n"); exit; } +}
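Review bot: In the new main route, `route(WITHINDLG)` runs before `route(AUTH)`, so anything the in-dialog branch relays never passes the authentication or relay checks, and nothing in the block says that this is intended. Most of route[WITHINDLG] lies outside the visible hunks, so I cannot tell how strictly it validates a request that merely carries a To tag. I would add a comment at the call, e.g. `# NOTE: requests with a To tag are fully handled here and never reach route(AUTH)`. The main route also depends on each sub-route calling `exit` when it has consumed the request, which deserves one line in the block header as well.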
- # NAT detection - route(NAT); - +# Handle requests within SIP dialogs +route[WITHINDLG] { if (has_totag()) { # sequential request withing a dialog should # take the path determined by record-routing @@ -324,45 +430,10 @@ route{ } exit; } +}
- #initial requests - - # CANCEL processing - if (is_method("CANCEL")) - { - if (t_check_trans()) - t_relay(); - exit; - } - - t_check_trans(); - - # authentication - route(AUTH); - - # record routing for dialog forming requests (in case they are routed) - # - remove preloaded route headers - remove_hf("Route"); - if (is_method("INVITE|SUBSCRIBE")) - record_route(); - - # account only INVITEs - if (is_method("INVITE")) { - setflag(1); # do accounting - } - if (!uri==myself) - /* replace with following line if multi-domain support is used */ - ##if (!is_uri_host_local()) - { - append_hf("P-hint: outbound\r\n"); - route(RELAY); - } - - # requests for my domain - - if( is_method("PUBLISH|SUBSCRIBE")) - route(PRESENCE); - +# Handle SIP registrations +route[REGISTRAR] { if (is_method("REGISTER")) { if(isflagset(5)) @@ -376,15 +447,10 @@ route{
exit; } +}
- if ($rU==$null) { - # request with no Username in RURI - sl_send_reply("484","Address Incomplete"); - exit; - } - - route(PSTN); - +# USER location service +route[LOCATION] { # apply DB based aliases (uncomment to enable) ##alias_db_lookup("dbaliases");
@@ -402,39 +468,17 @@ route{ }
# when routing via usrloc, log the missed calls also - setflag(2); - - route(RELAY); -} - - -route[RELAY] { -#!ifdef WITH_NAT - if (check_route_param("nat=yes")) { - setbflag("6"); - } - if (isflagset(5) || isbflagset("6")) { - route(RTPPROXY); - } -#!endif - - /* example how to enable some additional event routes */ - if (is_method("INVITE")) { - #t_on_branch("BRANCH_ONE"); - t_on_reply("REPLY_ONE"); - t_on_failure("FAIL_ONE"); - } - - if (!t_relay()) { - sl_reply_error(); + if (is_method("INVITE")) + { + setflag(2); } - exit; }
- # Presence server route -route[PRESENCE] -{ +route[PRESENCE] { + if(!is_method("PUBLISH|SUBSCRIBE")) + return; + #!ifdef WITH_PRESENCE if (!t_newtran()) { @@ -483,7 +527,16 @@ route[AUTH] { exit; } } else { - # authenticate if from local subscriber (uncomment to enable auth) + +#!ifdef WITH_IPAUTH + if(allow_source_address()) + { + # source IP allowed + return; + } +#!endif + + # authenticate if from local subscriber if (from_uri==myself) { if (!proxy_authorize("", "subscriber")) { @@ -505,6 +558,14 @@ route[AUTH] {
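Review bot: The `allow_source_address()` branch returns from route[AUTH] before both the digest check and the relay check added further down, so every address in the permissions table is trusted completely, including for relaying to foreign domains. Nothing visible here verifies the source address, which for UDP traffic makes this only as strong as the network filtering in front of the server. The comment should say so, e.g. `# source IP allowed - skips digest auth and the relay check; list only peers reached over a trusted path`. The call passes no group id although the header comment speaks of group id '1'; `allow_source_address("1")` would make that link explicit, assuming 1 is indeed the default. route[AUTH] begins and ends outside this hunk.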
consume_credentials(); # caller authenticated + } else { + # caller is not local subscriber, then check if it calls + # a local destination, otherwise deny, not an open relay here + if (!uri==myself) + { + sl_send_reply("403","Not relaying"); + exit; + } } } #!endif @@ -512,7 +573,7 @@ route[AUTH] { }
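Review bot: The new 403 "Not relaying" check sits inside route[AUTH], and the `#!endif` right after the hunk suggests the whole body is compiled only when WITH_AUTH is defined. In a build without it, the comment's "not an open relay here" does not hold: route[SIPOUT] in the last hunk still relays any request addressed to a foreign domain. I would state this in the file header, e.g. `# NOTE: without WITH_AUTH the proxy relays to foreign domains for any sender; do not expose it to untrusted networks`. Separately, the caller is classed as local by `from_uri==myself`, and the sender chooses the From header, so the comment should note that unauthenticated requests to local destinations are accepted by design. The enclosing else block opens outside this hunk.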
# Caller NAT detection route -route[NAT]{ +route[NAT] { #!ifdef WITH_NAT force_rport(); if (nat_uac_test("19")) { @@ -540,6 +601,17 @@ route[RTPPROXY] { return; }
+# Routing to foreign domains +route[SIPOUT] { + if (!uri==myself) + /* replace with following line if multi-domain support is used */ + ##if (!is_uri_host_local()) + { + append_hf("P-hint: outbound\r\n"); + route(RELAY); + } +} + # PSTN GW routing route[PSTN] { #!ifdef WITH_PSTN