[SR-Users] Permissions sometimes does not find group

Romain Untereiner romain at cantoo.co
Tue May 18 12:29:38 CEST 2021


Yes it is set in the table:

group | ip_addr | mask | port | tag
ZZZ | X.X.X.X | 24 | 5060 | NULL

And I can confirm the IP and Port I see in the traces should match X.X.X.X/24 & 5060, and as mentioned before I could see that a few ms before (99.99% of the cases), the same IP and Port were correctly allowed and the group was found.

Is there some more advanced debugging I could set up to dive into allow_source_address_group() behavior?

Thanks

Romain Untereiner
Co founder at Cantoo
www.cantoo.co
On 18 May 2021 at 12:18 +0200, Daniel-Constantin Mierla <miconda at gmail.com> wrote:
> Hmm, do you have port set for the records in the address table? I notice you print it in the log message...
> Cheers,
> Daniel
> On 18.05.21 11:15, Romain Untereiner wrote:
> > Hello Daniel,
> >
> > Thanks for your quick answer!
> >
> > I indeed need to identify the group ID too.
> >
> > Here’s how I handle it (inspired from https://kamailio.org/docs/modules/5.5.x/modules/permissions.html#permissions.f.allow_source_address):
> >
> > ```
> > $var(group) = allow_source_address_group();
> >
> > if ($var(group) != -1) {
> >     xlog("L_INFO", "$si : $sp is allowed through group: $var(group)\n");
> >     [...]
> > } else {
> >     xlog("L_INFO", "$si : $sp is not allowed - allow_source_address_group returned -1\n");
> >     xlog("L_INFO", "Rejecting $ci with 403 'Forbidden'\n");
> >     sl_send_reply("403", "Forbidden");
> >     exit;
> > }
> > ```
> >
> > Best regards,
> >
> > Romain Untereiner
> > Co founder at Cantoo
> > www.cantoo.co
> > On 18 May 2021 at 08:44 +0200, Daniel-Constantin Mierla <miconda at gmail.com> wrote:
> > > Hello,
> > >
> > > On 17.05.21 12:11, Romain Untereiner wrote:
> > > > Hello all,
> > > >
> > > > I am having some trouble with Permissions module of Kamailio,
> > > > regarding the allow_source_address_group() function. In 99.9% of the
> > > > cases the IP of our partner is allowed as expected, but randomly it
> > > > can fail (returning -1 for the same IP address that was allowed for
> > > > many other calls in the meantime).
> > > >
> > > > I can’t understand why it fails and why only « sometimes » - I confirm
> > > > this happens on the same Kamailio box, with the same IP and Port of the
> > > > partner.
> > > >
> > > > In my custom logs:
> > > > « X.X.X.X:YYYY is allowed through group Z » —> as expected
> > > > and sometimes (like 1% of the cases): « X.X.X.X:YYYY is not allowed
> > > > -  allow_source_address_group returned -1»
> > > >
> > > > It is maybe worth noting that in the address table, this range is defined
> > > > as /24 and not /32. Until now it never happened on /32 defined address
> > > > but I don’t know if it can be correlated.
> > > >
> > > > Would someone have a clue on this?
> > > >
> > > > Versions:
> > > > - kamailio 5.5.0 (x86_64/linux) d4c1a1
> > > > - debian 9 stretch
> > > > - postgresql 11.7
> > >
> > > how do you test the return code of the function? Paste here the snippet
> > > of the config where the function is used.
> > >
> > > Then, do you really need the group id of the address or just to match the
> > > address?
> > >
> > > Cheers,
> > > Daniel
> > >
> > > --
> > > Daniel-Constantin Mierla -- www.asipto.com
> > > www.twitter.com/miconda -- www.linkedin.com/in/miconda
> > > Kamailio Advanced Training - Online
> > > May 17-20, 2021 (Europe Timezone) - June 7-10, 2021 (America Timezone)
> > > * https://www.asipto.com/sw/kamailio-advanced-training-online/
> > >