Hello,

please keep the list in CC.

Let’s look into the two issues one by one:

1) I had to explicitly configure the parameter:

modparam("permissions", "mask_col", "mask")

Although the documentation suggests "mask" is the default - the JSON output from "kamctl address dump" did not output this value on K5.5. (On K5.3 it outputted properly)

Do you get an error if you do not specify the mask_col like this, or something else? From the source code the default should be “mask”.

When I run the "kamcmd permissions.subnetDump" on Kamailio 5.3, it returns everything as expected - including the 0.0.0.0/0 subnets.

However, when running the same commands on Kamailio 5.5, it only returns a small subset (of only 20) subnets/groups - and the selection does not appear to follow a logical selection criteria.

Additionally, it does not return any groups with a 0.0.0.0/0 subnet either.

It seems that the behaviour has changed regarding the “0” subnet, check out the docs:

https://kamailio.org/docs/modules/devel/modules/permissions.html#permissions.p.mask_col

It will convert them to 32/128 respectively. Can you see a 0.0.0.0/32 in your dump?

This was changed in commit f376c82a9f8 during an extension for text files. Maybe Daniel can comment here if this was done on purpose.

Otherwise, you can open an issue on our tracker about it.

Cheers,

Henning

--

Henning Westerholt – https://skalatan.de/blog/

Kamailio services – https://gilawa.com
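
Added example, not part of the original thread and not Kamailio source code: a simplified C model of the prefix match discussed above, showing why a row stored as 0.0.0.0 with mask 0 stops matching every source once a loader converts mask 0 to 32, as the linked mask_col documentation describes, while 0.0.0.0/1 still matches sources below 128.0.0.0. The struct, the function names, the zero_is_host flag and the sample rows and addresses are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of one "address" table row; not Kamailio source. */
struct acl_row { unsigned grp; uint32_t ip; unsigned mask; };

/* IPv4 address in host byte order from dotted octets. */
static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Netmask for a prefix length in 0..32. /0 is special-cased because
 * shifting a 32-bit value by 32 is undefined behaviour in C. */
static uint32_t netmask(unsigned bits)
{
    return bits == 0 ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - bits));
}

/* zero_is_host != 0 models a loader that converts mask 0 to 32. */
static unsigned effective_mask(unsigned stored, int zero_is_host)
{
    return (stored == 0 && zero_is_host) ? 32u : stored;
}

/* Returns 1 if src falls inside any row of group grp, else 0. */
static int allow_source(const struct acl_row *rows, int n, unsigned grp,
                        uint32_t src, int zero_is_host)
{
    for (int i = 0; i < n; i++) {
        uint32_t m = netmask(effective_mask(rows[i].mask, zero_is_host));
        if (rows[i].grp == grp && (src & m) == (rows[i].ip & m))
            return 1;
    }
    return 0;
}

/* Constructed sample rows: group 1 = 0.0.0.0 mask 0, group 2 = 0.0.0.0/1. */
static const struct acl_row ROWS[] = { {1, 0, 0}, {2, 0, 1} };

int main(void)
{
    uint32_t src = ip4(91, 10, 20, 30);   /* constructed source address */
    printf("mask 0 kept as /0    : %d\n", allow_source(ROWS, 2, 1, src, 0));
    printf("mask 0 loaded as /32 : %d\n", allow_source(ROWS, 2, 1, src, 1));
    printf("0.0.0.0/1            : %d\n", allow_source(ROWS, 2, 2, src, 1));
    return 0;
}
```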

 

From: Tom Dworakowski <dworakowski.tom@gmail.com>
Sent: Tuesday, September 14, 2021 5:00 PM
To: Henning Westerholt <hw@skalatan.de>
Subject: Re: [SR-Users] Empty Subnets in Permissions Module

 

Hello Henning,

Thank you for looking into this for me.

I made two interesting discoveries this morning:

1) I had to explicitly configure the parameter:

modparam("permissions", "mask_col", "mask")

Although the documentation suggests "mask" is the default - the JSON output from "kamctl address dump" did not output this value on K5.5. (On K5.3 it outputted properly)

2)

When I run the "kamcmd permissions.subnetDump" on Kamailio 5.3, it returns everything as expected - including the 0.0.0.0/0 subnets.

However, when running the same commands on Kamailio 5.5, it only returns a small subset (of only 20) subnets/groups - and the selection does not appear to follow a logical selection criteria.

Additionally, it does not return any groups with a 0.0.0.0/0 subnet either.

From my logs - I have noted this:

Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4353, 0.0.0.0, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <3769, 0.0.0.0, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4355, 0.0.0.0, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4359, 0.0.0.0, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <1955, 84.XX.XX.66, 0> inserted into address hash table 
Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4361, 91.X.X.231, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4361, 91.X.X.33, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4361, 91.X.X.34, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4363, 80.X.X.25, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4363, 85.X.X.124, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4363, 212.X.X.19, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4365, 0.0.0.0, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4367, 0.0.0.0, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4371, 0.0.0.0, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <3991, 0.0.0.0, 0> inserted into address hash table

 

At the moment of querying group id 3983 (where there is only 0.0.0.0/0), the function returns false:

DEBUG: permissions [address.c:671]: allow_source_address(): looking for <3983, [IPv4 in hex, reversed octet order], 62281>

However, none of those addresses appear in the "kamcmd permissions.subnetDump" output.

Moreover, if "my" group has the address 0.0.0.0/0 listed as an approved address - it will fail the test; but if I register 0.0.0.0/1 it will let me through (as my IP is < 128.0.0.0), kamcmd permissions.subnetDump will display this address.

My thoughts are that there might be another table that is not being populated - or there is a filter during the import that either drops 0.0.0.0/0 or filters it out completely?

Regards, Tom

 

 

On Tue, Sep 14, 2021 at 4:10 AM Henning Westerholt <hw@skalatan.de> wrote:

Hello Tom,

I’ve done a quick comparison of the main function and the called function. At first glance it looked identical, but I looked only a few levels deep.

Do you maybe have some means to reproduce this on a test system? Then it would probably be interesting to look at the DEBUG logging of these cases. Maybe you can compare if you spot some obvious differences from the logic.

Cheers,

Henning

 

 

From: sr-users <sr-users-bounces@lists.kamailio.org> On Behalf Of Tom Dworakowski
Sent: Tuesday, September 14, 2021 4:10 AM
To: sr-users@lists.kamailio.org
Subject: [SR-Users] Empty Subnets in Permissions Module

 

Greetings all!

I have two deployments of Kamailio: one running version 5.3 and one 5.5 with practically identical configurations, same (MySQL and REDIS) data sources.

We have customers that we assign an ACL "group" to, where the ID of this group resolves to records in the "address" table in our MySQL database - using the "grp" field.

On the box running Kamailio 5.5, we have noticed that if a group has ip_addr=0.0.0.0, mask=0, port=0 - and we try to run the allow_source_address() - it will return false, thus failing this phase of the authentication process.

However, on Kamailio 5.3 we are not seeing this issue, i.e. if a customer is assigned a group where the ACL is 0.0.0.0/0 - it will let him through.

Has something changed that I'm not aware of?

Any suggestions on how to resolve this?

My best, Tom