So I'm looking at a way of implementing IP network ACLs in Kamailio:
block all except specific subnets, etc.
It seems I can do what I need with the ipops module and is_in_subnet, but is_in_subnet will only take one subnet in CIDR notation, and I want to be able to put (for example) 192.168.1.1/24,172.16.10.1/24 in there (or any number of subnets, really).
Is there a benevolent Kamailio developer on the list who is able to add this simple feature for me?
On 2014-01-13 06:06, jay binks wrote:
[original post quoted above]
Perhaps the allow_address family of functions from the permissions module [1] may provide the functionality you need. The address table [2] supports subnet definitions.
-elactrum
-- Sincerely
Jay
Links:
[1] http://kamailio.org/docs/modules/stable/modules/permissions.html
[2] http://kamailio.org/docs/db-tables/kamailio-db-devel.html#id1170202288420
On Monday 13 January 2014 13:06:56 jay binks wrote:
So I'm looking at a way of implementing IP network ACLs in Kamailio:
block all except specific subnets, etc.
[multiple cidrs]
Is there a benevolent Kamailio developer on the list who is able to add this simple feature for me?
I'm using MySQL to do this, but a little math makes it work from any source. usr_preferences contains stuff like 0.0.0.0/0 or something stricter; implicit deny for users without acl records.

route[ACL] {
    # usr_preferences.value holds one CIDR (e.g. 0.0.0.0/0). The query masks
    # both the stored network and the source IP ($si) with the netmask derived
    # from the prefix length and compares the results; no matching row means
    # the query fails and the request is rejected (implicit deny).
    # $au is taken from the client's Authorization header, so it is escaped
    # before being interpolated into the SQL string (escaping added here).
    if(!avp_db_query("select value from usr_preferences where username='$(au{s.escape.common})' and attribute='acl' and inet_aton(substring_index(value,'/',1)) & (1 << 32) - 1 & ~((1 << (32 - substring_index(value,'/',-1))) - 1) = inet_aton('$si') & (1 << 32) - 1 & ~((1 << (32 - substring_index(value,'/',-1))) - 1)")) {
        sl_send_reply("403", "Not Allowed by ACL");
        exit;
    }
    return;
}
While I could do this as you said, my DB server does not have inet_aton (I'm using db_cassandra).
My DB simply returns a single string with a list of comma-separated values. I then used s.select and while to achieve what I wanted.

$var(i) = 0;
# $avp(i:2) holds the comma-separated CIDR list; s.select picks token $var(i)
# using ',' as the separator and yields an empty value once the list is exhausted
while ( $(avp(i:2){s.select,$var(i),,}) != "" ) {
    if (is_in_subnet( $si , $(avp(i:2){s.select,$var(i),,}) )) {
        # << DO SOMETHING >>
        break;
    }
    $var(i) = $var(i) + 1;
}

Sorry for any confusion: $avp(i:2) looks like 192.168.1.0/24,172.16.1.0/24
This should be fine for now, but how good would it be if the ipops module could handle this in a single function call?
On 14 January 2014 20:17, Daniel Tryba daniel@pocos.nl wrote:
[Daniel's route[ACL] with the MySQL query, quoted above]
--
POCOS B.V. - Croy 9c - 5653 LC Eindhoven
Phone: 040 293 8661 - Fax: 040 293 8658
http://www.pocos.nl/ - http://www.sipo.nl/
K.v.K. Eindhoven 17097024
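Added example, not code from the thread or from Kamailio: a Python reimplementation of the two approaches discussed, Daniel's integer mask arithmetic from the MySQL query (the same (1 << 32) - 1 & ~((1 << (32 - prefix)) - 1) expression) and Jay's walk over a comma-separated CIDR list, with an implicit deny for users who have no ACL record. The USR_PREFERENCES dict, user names and addresses are constructed sample data, and inet_aton, netmask, parse_cidr, ip_in_subnet, acl_allows and check_register are names chosen here, not Kamailio or MySQL functions. It goes slightly beyond the thread by tolerating a bare address (treated as /32) and by skipping malformed list entries instead of letting them match.

```python
"""Multi-CIDR ACL check mirroring the Kamailio mailing-list thread above.

Pure integer arithmetic, identical to the netmask expression in the MySQL
query, applied to a comma-separated CIDR list as in the s.select loop.
Constructed sample data only; no Kamailio, MySQL or Cassandra involved.
"""
import ipaddress  # used only as an independent cross-check
from typing import Optional, Tuple

ALL_ONES = (1 << 32) - 1


def inet_aton(dotted: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer (what MySQL's inet_aton returns)."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for p in parts:
        octet = int(p)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | octet
    return value


def netmask(prefix: int) -> int:
    """Same expression as the SQL: (1<<32)-1 & ~((1 << (32 - prefix)) - 1).

    Behaves at both ends of the range: /0 -> 0, /32 -> 0xFFFFFFFF.
    """
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return ALL_ONES & ~((1 << (32 - prefix)) - 1)


def parse_cidr(cidr: str) -> Tuple[int, int]:
    """'a.b.c.d/n' -> (network, mask); a bare address is treated as /32.

    Host bits set in the stored address (192.168.1.1/24, as in the thread)
    are masked off, which is why the SQL masks both sides of the comparison.
    """
    addr, sep, plen = cidr.strip().partition("/")
    prefix = int(plen) if sep else 32
    mask = netmask(prefix)
    return inet_aton(addr) & mask, mask


def ip_in_subnet(ip: str, cidr: str) -> bool:
    """Single-subnet test: the is_in_subnet() / SQL equality from the thread."""
    network, mask = parse_cidr(cidr)
    return inet_aton(ip) & mask == network


def acl_allows(acl: Optional[str], ip: str) -> bool:
    """Walk a comma-separated CIDR list; first match wins.

    A missing or empty ACL is an implicit deny (users without acl records).
    Malformed entries are skipped so a typo fails closed rather than open.
    """
    if not acl:
        return False
    for token in acl.split(","):
        token = token.strip()
        if not token:
            continue
        try:
            if ip_in_subnet(ip, token):
                return True
        except ValueError:
            continue
    return False


# Constructed stand-in for the usr_preferences table: username -> acl value.
USR_PREFERENCES = {
    "alice": "192.168.1.1/24,172.16.10.1/24",  # host bits set, as in the thread
    "bob": "0.0.0.0/0",                          # the permit-all value
    "carol": "",                                 # record present but empty
    # "dave" has no record at all -> implicit deny
}


def check_register(username: str, source_ip: str) -> str:
    """Return the outcome route[ACL] would produce for this user and source IP."""
    if acl_allows(USR_PREFERENCES.get(username), source_ip):
        return "allow"
    return "403 Not Allowed by ACL"


def crosscheck(ip: str, cidr: str) -> bool:
    """Same question answered by the stdlib; strict=False tolerates host bits."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


if __name__ == "__main__":
    for user, ip in [("alice", "192.168.1.77"), ("alice", "10.0.0.5"),
                     ("bob", "203.0.113.9"), ("carol", "192.168.1.77"),
                     ("dave", "192.168.1.77")]:
        print(f"{user:6} from {ip:15} -> {check_register(user, ip)}")
```

Masking both the stored network and the source address with the same mask is what makes an entry like 192.168.1.1/24 work without normalising it first; the loop version relies on is_in_subnet doing the same internally. The fail-closed handling of empty and malformed entries is the part worth carrying over to the Kamailio config, since an unparseable token there should never end up permitting a registration.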