[Serusers] Trasting field "To" - sr-users

7 Oct 2004


      Hi serusers!
We have an intention to realize some scheme, where the registered
client will be able to redirect the received calls to PSTN according
to his rights (or belonging to certain group).
We suppose the "TO" field to be reliable in case of forced exchanging
of "TO" field content with URI for all incoming calls (but not from
local IP address).
The questions are:
1. Is it possible and how we can do it?
if (method=="INVITE") {
    if (!src_ip==195.234.147.65 && !src_ip==127.0.0.1) {
            append_hf("P-hint: replace to with url\r\n");
    	subst('/^To: (.*)$/To: sip:uri/ig');
???                                         ~~~
    };
};
2. Would it be effective (taking into account the existence of
Click-to-dial and other similar applicftions)?
/etc/ser/ser.cfg
----------------
fork=yes
##! Uncomment these lines to enter debugging mode
##!debug=9                 # debug level (cmd line: -dddddddddd)
##!fork=no
##!log_stderror=yes
#!check_via=no    # (cmd. line: -v)
#!dns=no           # (cmd. line: -r)
#!rev_dns=no      # (cmd. line: -R)
children=4
alias=cint.ru
listen=195.234.147.65
listen=127.0.0.1
port=5060
user=root
group=apache
fifo="/tmp/ser_fifo"
# ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database
loadmodule "/usr/lib/ser/modules/mysql.so"
loadmodule "/usr/lib/ser/modules/usrloc.so"
loadmodule "/usr/lib/ser/modules/sl.so"
loadmodule "/usr/lib/ser/modules/registrar.so"
loadmodule "/usr/lib/ser/modules/auth.so"
loadmodule "/usr/lib/ser/modules/auth_db.so"
loadmodule "/usr/lib/ser/modules/group.so"
loadmodule "/usr/lib/ser/modules/rr.so"
loadmodule "/usr/lib/ser/modules/tm.so"
loadmodule "/usr/lib/ser/modules/acc.so"
loadmodule "/usr/lib/ser/modules/nathelper.so"
loadmodule "/usr/lib/ser/modules/maxfwd.so"
loadmodule "/usr/lib/ser/modules/textops.so"
loadmodule "/usr/lib/ser/modules/uri.so"
##!loadmodule "/usr/lib/ser/modules/exec.so"
##!loadmodule "/usr/lib/ser/modules/domain.so"
#loadmodule "/usr/lib/ser/modules/cpl-c.so"
# ----------------- setting module-specific parameters
modparam("usrloc", "db_url","")
modparam("usrloc", "db_mode", 1)
modparam("auth_db", "db_url","")
modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")
modparam("group", "db_url","")
modparam("group", "use_domain", 1)
modparam("rr", "enable_full_lr", 1)
modparam("acc", "db_url","")
modparam("acc", "db_flag", 1)
modparam("acc", "db_missed_flag", 2)
modparam("acc", "log_flag", 3)
modparam("acc", "log_missed_flag", 4)
modparam("acc", "failed_transactions", 1)
modparam("registrar", "nat_flag", 6)
modparam("nathelper", "natping_interval", 30)  # Ping interval 30 s
modparam("nathelper", "ping_nated_only", 1)    # Ping only clients behind NAT
# -------------------------  request routing logic
# main routing logic
route{
    ##! Uncoment next 1 string for debug
    setflag(9);
# initial sanity checks -- messages with
        # max_forwards==0, or excessively long requests
        if (!mf_process_maxfwd_header("10")) {
                if (isflagset(9)) log (1, "REPLY: 483 - Too Many Hops");
                sl_send_reply("483","Too Many Hops");
                break;
        };
        if (msg:len >=  max_len ) {
                if (isflagset(9)) log (1, "REPLY: 513 - Message too big");
                sl_send_reply("513", "Message too big");
                break;
        };
        # !! Nathelper
        # Special handling for NATed clients; first, NAT test is
        # executed: it looks for via!=received and RFC1918 addresses
        # in Contact (may fail if line-folding is used); also,
        # the received test should, if completed, should check all
        # vias for rpesence of received
        if (nat_uac_test("3")) {
                # Allow RR-ed requests, as these mayindicate that
                # a NAT-enabled proxy takes care ofit; unless it is
                # a REGISTER
                if (method == "REGISTER" || ! search("^Record-Route:")) {
    	    ##!log("LOG: Someone trying to register from private IP, rewriting\n");
                    # This will work only for user agents that support symmetric
                    # communication. We tested quite many of them and majority is
                    # smart enough to be symmetric. In some phones it takes a configuration
                    # option. With Cisco 7960, it is called NAT_Enable=Yes, with kphone it is
                    # called "symmetric media" and "symmetric signalling".
fix_nated_contact(); # Rewrite contact with source IP of signalling
                    if (method == "INVITE") {
                        fix_nated_sdp("1"); # Add direction=active to SDP
                    };
                    force_rport(); # Add rport parameter to topmost Via
                    setflag(6);    # Mark as NATed
                };
        };
    
        # anti-spam -- if somene claims to belong to our domain in From,
    	    # challenge him (skip REGISTERs -- we will chalenge them later)
##!    	    if (search("(From|F):.*@cint.ru")) {
    	    if (search("(From|F):.*@cint.ru") || search("(From|F):.*@sip.cint.ru")) {
            	    # invites forwarded to other domains, like FWD may cause subsequent 
            	    # request to come from there but have iptel in From -> verify
            	    # only INVITEs (ignore FIFO/UAC's requests, i.e. src_ip==fox)
                    if  (method == "INVITE" || method == "SUBSCRIBE") {
                	    if  (proxy_authorize("cint.ru", "subscriber")) {
    			    if (isflagset(9)) log(1, "LOG: PROXY AUTHORIZE - OK\n")
    		    } else {
    			    if (isflagset(9)) log(1, "LOG: PROXY AUTHORIZE - ERROR, SEND CHALLANGE\n")
                    		    proxy_challenge("cint.ru", "0");
                    		    break;
    		    };
                    	    # to maintain outside credibility of our proxy, we enforce
                    	    # username in From to equal digest username; user with
                    	    # "john.doe" id could advertise "bill.gates" in From otherwise;
                	    if (!check_from()) {
                            	    if (isflagset(9)) log(1, "REPLY: 403 - Insufficient From and digest\n");
                            	    sl_send_reply("403", "Insufficient From and digest");
                            	    break;
                    	    };
                    	    # we better don't consume credentials -- some requests may be
                    	    # spiraled through our server (sfo at iptel->7141 at iptel) and the
                    	    # subsequent iteration may challenge too, for example because of
                    	    # iptel claim in From; UACs then give up because they
                    	    # already submitted credentials for the given realm
                    	    #consume_credentials();
                    }; # non-REGISTER from other domain
    	    } else if ((method == "INVITE" || method == "SUBSCRIBE" || method=="REGISTER" ) && !(uri == myself)) {
            	    # and we serve our gateway too (we RR requests to it, so that
            	    # its address may show up in subsequent requests after loose_route
        	    if (isflagset(9)) log (1, "REPLY: 403 - No relaying");
            	    sl_send_reply("403", "No relaying");
            	    break;
    	    };
# we record-route all messages -- to make sure that
        # subsequent messages will go through our proxy; that's
        # particularly good if upstream and downstream entities
        # use different transport protocol
        if (!method=="REGISTER") record_route();
if (isflagset(9) && method=="INVITE") log(1, "LOG: INVITE\n");
    if (isflagset(9) && method=="MESSAGE") log(1, "LOG: MESSAGE\n");
    	if (isflagset(9) && method=="BYE") log(1, "LOG: BYE\n");
    	if (isflagset(9) && method=="CANCEL" ) log(1, "LOG: CANCEL\n");
    if ( method == "REGISTER" || method=="INVITE" || method=="BYE" || method == "CANCEL" ) {
        	# save messages in mysqlfor CDRTool
    		##!exec_msg("/usr/local/etc/ser/sertrace.py; exit 1");
        	setflag(1); setflag(2); /* set for accounting (the same value as in  log_flag!) */
    	if (isflagset(9)) { setflag(3); setflag(4); }; /* Temporay (for debug) */
    }; #end of cdrtool
# subsequent messages withing a dialog should take the
        # path determined by record-routing
        if (loose_route()) {
                # mark routing logic in request
                append_hf("P-hint: rr-enforced\r\n");
                route(1);
                break;
        };
if (!uri==myself) {
                # mark routing logic in request
                append_hf("P-hint: outbound\r\n");
                route(1);
                break;
        };
if (method=="INVITE") {
    		if (!src_ip==195.234.147.65 && !src_ip==127.0.0.1) {
    	    append_hf("P-hint: replace to with url\r\n");
    	    #subst('/^To: (.*)$/To: sip:uri/ig');
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    	};
        };
if (uri==myself) {
                if (method=="REGISTER") {
            	if (www_authorize("cint.ru", "subscriber")) {
    			if (isflagset(9)) if (isflagset(6)) log(1, "LOG: REGISTER WWW (NAT) - OK\n") else log(1, "LOG: REGISTER WWW - OK\n");
    		} else { 
    			if (isflagset(9)) if (isflagset(6)) log(1, "LOG: REGISTER WWW (NAT) - ERROR, SEND CHALLENGE\n") else log(1, "LOG: REGISTER WWW - ERROR, SEND CHALLENGE\n");
    			www_challenge("cint.ru", "0");
                	        break;
    	        };
    		if (!check_to()) {
                            	if (isflagset(9)) log(1, "REPLY: 403 - Insufficient To and digest\n");
                            	sl_send_reply("403", "Insufficient To and digest");
    			break;
    		};
                	save("location");
                	break;
                };
    		if (method=="INVITE") {
    			if (src_ip==195.234.147.120) {strip(4);};
                };
                lookup("aliases");
                if (!uri==myself) {
                        append_hf("P-hint: outbound alias\r\n");
                        route(1);
                        break;
                };
                # native SIP destinations are handled using our USRLOC DB
                if (!lookup("location")) {
    		#if (uri=~"^sip:8644") {route(9); break;};
    		#if (uri=~"^sip:5027663") {route(9); break;};
    		if (uri=~"^sip:8644") {route(4); break;};
    		if (uri=~"^sip:810") {route(2); break;};	#int
    		if (uri=~"^sip:8[1-9]") {route(3); break;};	#ld
    		if (uri=~"^sip:[0-79]") {route(4); break;};	#local
            		if (isflagset(9)) log (1, "REPLY: 404 - Not Found");
                	sl_send_reply("404", "Not Found");
                	break;
                };
        };
        append_hf("P-hint: usrloc applied\r\n");
        route(1);
}
route[1]
{
        if (method=="INVITE" && isflagset(9)) log(1, "ROUTE: VOIP\n");
        # !! Nathelper
        if (uri=~"[@:](192.168.|10.|172.(1[6-9]|2[0-9]|3[0-1]).)" && !search("^Route:")) {
            if (isflagset(9)) log (1, "REPLY: 479 - We don't forward to private IP addresses");
            sl_send_reply("479", "We don't forward to private IP addresses");
            break;
        };
# if client or server know to be behind a NAT, enable relay
        if (isflagset(6)) {
            force_rtp_proxy();
        };
# NAT processing of replies; apply to allt ransactions (for example,
        # re-INVITEs from public to private UA are hard to identify as
        # NATed at the moment of request processing); look at replies
        t_on_reply("1");
# send it out now; use stateful forwarding as it works reliably
        # even for UDP2TCP
        if (!t_relay()) {
                sl_reply_error();
        };
}
# !! Nathelper
onreply_route[1] {
    # NATed transaction ?
    if (isflagset(6) && status =~ "(183)|2[0-9][0-9]") {
        fix_nated_contact();
        force_rtp_proxy();
    # otherwise, is it a transaction behind a NAT and we did not
    # know at time of request processing ? (RFC1918contacts)
    } else if (nat_uac_test("1")) {
        fix_nated_contact();
    };
}
route[2] {
        if (method=="INVITE" && isflagset(9)) log(1, "ROUTE: INT\n");
        if (!is_user_in("To", "ld")) {
    		if (!is_user_in("From", "int")) {
            		if (isflagset(9)) log(1, "REPLY: No Permission To Make International Call.\n");
            		sl_send_reply("403", "No Permission To Make International Call");
            		break;
            };
    };
        route(9);
}
route[3] {
        if (method=="INVITE" && isflagset(9)) log(1, "ROUTE: LD\n");
        if (!is_user_in("To", "ld")) {
    		if (!is_user_in("From", "ld")) {
            		if (isflagset(9)) log(1, "REPLY: No Permission To Make Long Distance Call.\n");
            		sl_send_reply("403", "No Permission To Make Long Distance Call");
            		break;
    		};
    };
        route(9);
}
route[4] {
        if (method=="INVITE" && isflagset(9)) log(1, "ROUTE: LOCAL\n");
        if (!is_user_in("To", "local")) {
    		if (!is_user_in("From", "local")) {
            		if (isflagset(9)) log(1, "REPLY: No Permission To Make Local Call.\n");
            		sl_send_reply("403", "No Permission To Make Local Call");
            		break;
    		};
    };
        route(9);
        break;
}
route[9] {
        if (method=="INVITE" && isflagset(9)) log(1, "ROUTE: PSTN\n");
        prefix("0550");
        rewritehostport("195.234.147.120:5060");
        t_relay_to_udp("195.234.147.120","5060");
}