[sr-dev] git:master: kamailio.cfg: various updates

Daniel-Constantin Mierla miconda at gmail.com
Sun Mar 28 21:06:13 CEST 2010


Module: sip-router
Branch: master
Commit: 7fae7a58cb98266f859e2483b892edd5f3110064
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=7fae7a58cb98266f859e2483b892edd5f3110064

Author: Daniel-Constantin Mierla <miconda at gmail.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date:   Sun Mar 28 21:03:55 2010 +0200

kamailio.cfg: various updates

- sample IP auth with permissions via define WITH_IPAUTH
- more modularity in main route block to better indicate the parts
  handling SIP server types such as REGISTRAR or LOCATION
- sample alias line

---

 etc/kamailio.cfg |  240 +++++++++++++++++++++++++++++++++++-------------------
 1 files changed, 156 insertions(+), 84 deletions(-)

diff --git a/etc/kamailio.cfg b/etc/kamailio.cfg
index ee63ec8..1269860 100644
--- a/etc/kamailio.cfg
+++ b/etc/kamailio.cfg
@@ -1,8 +1,6 @@
 #!KAMAILIO
 #
-# $Id$
-#
-# Kamailio (OpenSER) SIP Server v3.0 - basic configuration script
+# Kamailio (OpenSER) SIP Server v3.1 - default configuration script
 #     - web: http://www.kamailio.org
 #     - git: http://sip-router.org
 #
@@ -24,6 +22,12 @@
 #     - define WITH_AUTH
 #     - add users using 'kamctl'
 #
+# *** To enable IP authentication execute:
+#     - enable mysql
+#     - enable authentication
+#     - define WITH_IPAUTH
+#     - add IP addresses with group id '1' to 'address' table
+#
 # *** To enable persistent user location execute:
 #     - enable mysql
 #     - define WITH_USRLOCDB
@@ -86,6 +90,9 @@ children=4
    based on revers DNS on IPs (default on) */
 #auto_aliases=no
 
+/* add local domain aliases */
+#alias="sip.mydomain.com"
+
 port=5060
 
 /* uncomment and configure the following line if you want Kamailio to 
@@ -143,6 +150,9 @@ loadmodule "acc.so"
 #!ifdef WITH_AUTH
 loadmodule "auth.so"
 loadmodule "auth_db.so"
+#!ifdef WITH_IPAUTH
+loadmodule "permissions.so"
+#!endif
 #!endif
 /* uncomment next line for aliases support
    NOTE: a DB (like db_mysql) module must be also loaded */
@@ -231,6 +241,13 @@ modparam("auth_db", "password_column", "password")
 modparam("auth_db", "db_url",
 	"mysql://openser:openserrw@localhost/openser")
 modparam("auth_db", "load_credentials", "")
+
+#!ifdef WITH_IPAUTH
+modparam("permissions", "db_url",
+	"mysql://openser:openserrw@localhost/openser")
+modparam("permissions", "db_mode", 1)
+#!endif
+
 #!endif
 
 # ----- alias_db params -----
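Review bot: The added `permissions` `db_url` repeats the stock `openser:openserrw` credentials already used for `auth_db`, so an operator who changes the password has a second place to miss and the sample still carries a publicly known password. A comment on the added block would help, e.g. `# change the default DB password before deployment; keep this URL in sync with auth_db`. With `db_mode` set to 1 the module caches the table, so the header instruction to add rows to the `address` table presumably also needs a reload or restart before new entries take effect; that is worth stating next to the parameter.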
@@ -279,8 +296,97 @@ modparam("usrloc", "nat_bflag", 6)
 
 # main request routing logic
 
-route{
+route {
+
+	# per request initial checks
+	route(REQINIT);
+
+	# NAT detection
+	route(NAT);
+
+	# handle requests within SIP dialogs
+	route(WITHINDLG);
+
+	### only initial requests (no To tag)
+
+	# CANCEL processing
+	if (is_method("CANCEL"))
+	{
+		if (t_check_trans())
+			t_relay();
+		exit;
+	}
+
+	t_check_trans();
+
+	# authentication
+	route(AUTH);
+
+	# record routing for dialog forming requests (in case they are routed)
+	# - remove preloaded route headers
+	remove_hf("Route");
+	if (is_method("INVITE|SUBSCRIBE"))
+		record_route();
+
+	# account only INVITEs
+	if (is_method("INVITE"))
+	{
+		setflag(1); # do accounting
+	}
+
+	# dispatch requests to foreign domains
+	route(SIPOUT);
+
+	### requests for my local domains
+
+	# handle presence related requests
+	route(PRESENCE);
+
+	# handle registrations
+	route(REGISTRAR);
 
+	if ($rU==$null)
+	{
+		# request with no Username in RURI
+		sl_send_reply("484","Address Incomplete");
+		exit;
+	}
+
+	# dispatch destinations to PSTN
+	route(PSTN);
+
+	# user location service
+	route(LOCATION);
+
+	route(RELAY);
+}
+
+
+route[RELAY] {
+#!ifdef WITH_NAT
+	if (check_route_param("nat=yes")) {
+		setbflag("6");
+	}
+	if (isflagset(5) || isbflagset("6")) {
+		route(RTPPROXY);
+	}
+#!endif
+
+	/* example how to enable some additional event routes */
+	if (is_method("INVITE")) {
+		#t_on_branch("BRANCH_ONE");
+		t_on_reply("REPLY_ONE");
+		t_on_failure("FAIL_ONE");
+	}
+
+	if (!t_relay()) {
+		sl_reply_error();
+	}
+	exit;
+}
+
+# Per SIP request initial checks
+route[REQINIT] {
 	if (!mf_process_maxfwd_header("10")) {
 		sl_send_reply("483","Too Many Hops");
 		exit;
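Review bot: The new main route depends on a contract that is not written down: each `route(X)` call comes back only when the request was not handled there, and a handled request ends in `exit` inside the sub-route (visible on this page for WITHINDLG, REGISTRAR and RELAY). A sub-route later edited to `return` after handling a request would fall through to AUTH, SIPOUT and LOCATION without any error. I would state this above the first call, e.g. `# sub-routes exit when they handle the request; a return means "not mine, continue"`. The REQINIT body that opens at the end of this hunk continues outside it.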
@@ -291,10 +397,10 @@ route{
 		xlog("Malformed SIP message from $si:$sp\n");
 		exit;
 	}
+}
 
-	# NAT detection
-	route(NAT);
-
+# Handle requests within SIP dialogs
+route[WITHINDLG] {
 	if (has_totag()) {
 		# sequential request withing a dialog should
 		# take the path determined by record-routing
@@ -324,45 +430,10 @@ route{
 		}
 		exit;
 	}
+}
 
-	#initial requests
-
-	# CANCEL processing
-	if (is_method("CANCEL"))
-	{
-		if (t_check_trans())
-			t_relay();
-		exit;
-	}
-
-	t_check_trans();
-
-	# authentication
-	route(AUTH);
-
-	# record routing for dialog forming requests (in case they are routed)
-	# - remove preloaded route headers
-	remove_hf("Route");
-	if (is_method("INVITE|SUBSCRIBE"))
-		record_route();
-
-	# account only INVITEs
-	if (is_method("INVITE")) {
-		setflag(1); # do accounting
-	}
-	if (!uri==myself)
-	/* replace with following line if multi-domain support is used */
-	##if (!is_uri_host_local())
-	{
-		append_hf("P-hint: outbound\r\n"); 
-		route(RELAY);
-	}
-
-	# requests for my domain
-
-	if( is_method("PUBLISH|SUBSCRIBE"))
-		route(PRESENCE);
-
+# Handle SIP registrations
+route[REGISTRAR] {
 	if (is_method("REGISTER"))
 	{
 		if(isflagset(5))
@@ -376,15 +447,10 @@ route{
 
 		exit;
 	}
+}
 
-	if ($rU==$null) {
-		# request with no Username in RURI
-		sl_send_reply("484","Address Incomplete");
-		exit;
-	}
-
-	route(PSTN);
-
+# USER location service
+route[LOCATION] {
 	# apply DB based aliases (uncomment to enable)
 	##alias_db_lookup("dbaliases");
 
@@ -402,39 +468,17 @@ route{
 	}
 
 	# when routing via usrloc, log the missed calls also
-	setflag(2);
-
-	route(RELAY);
-}
-
-
-route[RELAY] {
-#!ifdef WITH_NAT
-	if (check_route_param("nat=yes")) {
-		setbflag("6");
-	}
-	if (isflagset(5) || isbflagset("6")) {
-		route(RTPPROXY);
-	}
-#!endif
-
-	/* example how to enable some additional event routes */
-	if (is_method("INVITE")) {
-		#t_on_branch("BRANCH_ONE");
-		t_on_reply("REPLY_ONE");
-		t_on_failure("FAIL_ONE");
-	}
-
-	if (!t_relay()) {
-		sl_reply_error();
+	if (is_method("INVITE"))
+	{
+		setflag(2);
 	}
-	exit;
 }
 
-
 # Presence server route
-route[PRESENCE]
-{
+route[PRESENCE] {
+	if(!is_method("PUBLISH|SUBSCRIBE"))
+		return;
+
 #!ifdef WITH_PRESENCE
 	if (!t_newtran())
 	{
@@ -483,7 +527,16 @@ route[AUTH] {
 			exit;
 		}
 	} else {
-		# authenticate if from local subscriber (uncomment to enable auth)
+
+#!ifdef WITH_IPAUTH
+		if(allow_source_address())
+		{
+			# source IP allowed
+			return;
+		}
+#!endif
+
+		# authenticate if from local subscriber
 		if (from_uri==myself)
 		{
 			if (!proxy_authorize("", "subscriber")) {
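Review bot: When `allow_source_address()` succeeds, the added branch leaves route[AUTH] before `proxy_authorize()` and before any relay check, so every request from a listed address is trusted on its source IP alone. Over UDP that address is not confirmed by any handshake, and the trust also covers foreign destinations reached through route[SIPOUT]. The inline comment should say so, e.g. `# source IP allowed - skips digest auth and relay checks; list only peers on a trusted path`. Passing the group explicitly, `allow_source_address("1")`, would tie the call to the group id named in the header comment. route[AUTH] starts and ends outside this hunk.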
@@ -505,6 +558,14 @@ route[AUTH] {
 
 			consume_credentials();
 			# caller authenticated
+		} else {
+			# caller is not local subscriber, then check if it calls
+			# a local destination, otherwise deny, not an open relay here
+			if (!uri==myself)
+			{
+				sl_send_reply("403","Not relaying");
+				exit;
+			}
 		}
 	}
 #!endif
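Review bot: The new `403 Not relaying` branch rejects without logging, so relay probing leaves no trace in the server log. A line before the reply, in the form the script already uses for malformed messages, would give operators something to alert on: `xlog("Relay attempt denied from $si:$sp\n");`. The condition `!uri==myself` would also read more clearly as `!(uri==myself)`; the same spelling appears in route[SIPOUT]. route[AUTH] begins outside this hunk.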
@@ -512,7 +573,7 @@ route[AUTH] {
 }
 
 # Caller NAT detection route
-route[NAT]{
+route[NAT] {
 #!ifdef WITH_NAT
 	force_rport();
 	if (nat_uac_test("19")) {
@@ -540,6 +601,17 @@ route[RTPPROXY] {
 	return;
 }
 
+# Routing to foreign domains
+route[SIPOUT] {
+	if (!uri==myself)
+	/* replace with following line if multi-domain support is used */
+	##if (!is_uri_host_local())
+	{
+		append_hf("P-hint: outbound\r\n");
+		route(RELAY);
+	}
+}
+
 # PSTN GW routing
 route[PSTN] {
 #!ifdef WITH_PSTN
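Review bot: route[SIPOUT] relays every request addressed to a foreign domain, and the only guard against third-party relaying is the 403 branch added to route[AUTH], which appears to sit inside the WITH_AUTH conditional. If so, a configuration built without WITH_AUTH forwards traffic for any sender. A comment above the route should make the dependency explicit, e.g. `# relays for any sender unless WITH_AUTH is defined; do not expose publicly without it`. The route[PSTN] block at the end of the hunk continues outside it.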



