[SR-Users] how can I use WITH_IPAUTH when the IP may be stored in the DB as a FQDN?

canuck15 canuck15 at hotmail.com
Sat Mar 14 19:31:50 CET 2015


Thanks for this suggestion.

I ended up replacing permissions module allow_source_address() with sql 
queries. Not sure how well it will scale but seems to work ok on a test 
system.
In order to use allow_source_address() I would need to save all 
returned IP addresses in the database.  The problem with that is it will 
not automatically update if DNS changes.  I still have not ruled out 
doing that if this ends up bogging down when the server gets busy.

Excessive DNS queries/delays do not appear to be a problem with this 
because it is cached in Kamailio DNS resolver. It renews every 120 
seconds by default unless configured otherwise.

You can view the contents of the dns resolver by running "kamcmd dns.view".

Here is the replaced IPAUTH section I created for anyone who may be 
interested.

modparam("sqlops", "sqlcon", "kamailio=>unixodbc:///kamailio-connector")
.
.
.
#!ifdef WITH_IPAUTH
     if((!is_method("REGISTER")) && $au == "")
     {
         # fetch every entry of the address table; entries may be FQDNs
         # rather than IP addresses
         sql_query("kamailio", "SELECT ip_addr FROM address", "ka");
         $var(allowed) = 0;
         $var(i) = 0;
         while($var(i) < $dbr(ka=>rows))
         {
             $var(dnsname) = $dbr(ka=>[$var(i),0]);
             # ipops: true if $si is one of the addresses $var(dnsname) resolves to
             if (dns_int_match_ip("$var(dnsname)", "$si"))
             {
                 $var(allowed) = 1;
                 break;
             }
             $var(i) = $var(i) + 1;
         }
         # free the result set on every path, not only when no rows came back
         sql_result_free("ka");
         if($var(allowed) == 1)
         {
             # source IP allowed, skip digest authentication
             return;
         }
         # no entry matched: fall through to the regular auth checks below
     }
#!endif


On 3/9/2015 4:27 AM, Daniel-Constantin Mierla wrote:
> Hello,
>
>
> On 08/03/15 21:38, canuck15 wrote:
>> Here is the relevant section of kamailio.cfg
>>
>> $var(tempfU) = $fU;
>> #!ifdef WITH_IPAUTH
>>      if((!is_method("REGISTER")) && allow_source_address() && $au == "")
>>      {
>>          # Loading $fU from database using IP
>>
>>          sql_pvquery("elxpbx", "SELECT name FROM sip WHERE host = '$si'
>> AND sippasswd IS NULL", "$var(tempfU)");
>>
>>          # source IP allowed
>>          return;
>>      }
>>
>> The problem is that when host= somefqdn.com the above will fail since
>> $si will always be an IP address as far as I can tell.  More often
>> than not host= is a fqdn and requiring it to always be an IP address
>> is not an option.  Converting it to IP before storing it in the DB is
>> also not an option because it needs to be able to work of the IP
>> address changes.
>>
>> So how can the above be done to accommodate the possibility that host=
>> somefqdn.com or an IP address.  Preferably in such a way that it can
>> scale to hundreds/thousands of rows in the database without slowing
>> things down or crashing.
> as first remark, note that permissions module can work with hostnames in
> the address table.
>
> On the other hand, having what you want might not work. If you want to
> test if a request comes from xyz.com, doing a dns query on xyz.com can
> return a different IP than what was used for sending. If xyz.com has
> many IP addresses associated with and they do load balancing, they are
> usually returning just a subset of their IP addresses, not all of them.
>
> In this case, the best is to discover the subnet addresses used by
> xyz.com and store them in the address table, then use permissions in the
> config.
>
> Otherwise, you can try by doing a query and extract all hostnames from
> the database with sqlops and then loop through them and test with the
> functions from ipops module. You must have a fast dns server in order to
> not slow down the processing in the case you have lots of hostnames.
>
> Cheers,
> Daniel
>
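Added example, not from this thread and not Kamailio code: a small Python model of the two ways an address-table entry can be matched against a request's source IP, the subnet/address form that permissions' allow_source_address() uses and the resolve-the-hostname form that the sqlops + ipops loop above uses. It exists to show the failure mode Daniel describes: when a hostname is load balanced and each lookup returns only a subset of its addresses, a request from one of the unreturned addresses is denied even though it is legitimate, whereas a stored prefix covers the whole pool. The hostnames, addresses and resolver answers are constructed for the example; the resolver is a stand-in dictionary so the code runs offline.

```python
import ipaddress
from typing import Callable, Iterable, Set

# Constructed stand-in for the DNS resolver: maps a hostname to the set of
# addresses one lookup hands back. xyz.com is "load balanced": its real pool
# is 203.0.113.10-12 but a single query only returns two of them.
FAKE_DNS = {
    "xyz.com": {"203.0.113.10", "203.0.113.11"},
    "trunk.example.net": {"198.51.100.7"},
}


def fake_resolve(hostname: str) -> Set[str]:
    """Return the addresses one DNS lookup of hostname would yield (constructed)."""
    return FAKE_DNS.get(hostname, set())


def entry_matches(entry: str, source_ip: str,
                  resolve: Callable[[str], Set[str]] = fake_resolve) -> bool:
    """One address-table entry against one source IP.

    An entry that parses as an address or CIDR prefix is matched the way the
    permissions module matches it (prefix containment). Anything else is
    treated as a hostname and matched the way ipops' dns_int_match_ip does:
    the source IP must be among the addresses the name resolves to right now.
    """
    src = ipaddress.ip_address(source_ip)
    try:
        return src in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        pass  # not an address or prefix, so treat it as a hostname
    return source_ip in resolve(entry)


def source_allowed(address_table: Iterable[str], source_ip: str,
                   resolve: Callable[[str], Set[str]] = fake_resolve) -> bool:
    """Mirror of the config loop: allow if any table entry matches."""
    return any(entry_matches(entry, source_ip, resolve) for entry in address_table)


if __name__ == "__main__":
    hostname_table = ["xyz.com", "trunk.example.net"]
    prefix_table = ["203.0.113.0/24", "198.51.100.7"]
    for ip in ("203.0.113.10", "203.0.113.12", "198.51.100.7", "192.0.2.5"):
        print(ip, "hostname table:", source_allowed(hostname_table, ip),
              "prefix table:", source_allowed(prefix_table, ip))
```

Running it shows 203.0.113.12 denied by the hostname table (the lookup never returned it) but allowed by the prefix table, while 192.0.2.5 is denied by both. The same asymmetry applies to the Kamailio loop: the resolver cache only helps with latency, not with a name that never returns its full address set.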
