[SR-Users] Permissions sometimes does not find group

Romain Untereiner romain at cantoo.co
Wed May 19 12:02:13 CEST 2021


Totally aligned, thanks! I’ll need some time to carry out a complete diagnostic, but I will come back to you whenever I have a better explanation of the behavior.

Also I’d like to touch the permissions module in order to see what happens inside, but the issue is seen only on production, and debugging in production is a bad thing :)

As a first step, we will soon activate the LM_DBG logging in our prod proxies to begin diving into this.

Cheers,

Romain Untereiner
Co founder at Cantoo
www.cantoo.co
On 19 May 2021 at 08:40 +0200, Daniel-Constantin Mierla <miconda at gmail.com> wrote:
> It needs to be fixed if there is an issue, even if it happens during reload. I looked only a bit at the code and I tried to figure out what could be the situations when matching can fail due to internal operations. First we have to identify the case, then it will be fixed.
> Cheers,
> Daniel
> On 18.05.21 14:50, Romain Untereiner wrote:
> > Thanks for the hints!
> >
> > I didn’t think about the potential correlation with rpc reloads. Yes, we proceed to reloads during runtime but I can’t remember if these 2 events (reloading and not allowing $si) happened at the same time.
> >
> > It has a quite minor impact anyway but I felt I was doing something wrong.
> >
> > So I’ll actively monitor these 2 events’ occurrences to see if there’s a link. And if not I might touch the source code of permissions module. I’ll revert to you with some more detailed diagnostic.
> >
> > Thanks again for the help, for your reactivity and for all the work you put inside our beloved Kamailio!
> >
> > PS: I might soon open new threads here for other minor issues I’m having
> >
> > Romain Untereiner
> > Co founder at Cantoo
> > www.cantoo.co
> > On 18 May 2021 at 12:45 +0200, Daniel-Constantin Mierla <miconda at gmail.com> wrote:
> > >
> > > On 18.05.21 12:29, Romain Untereiner wrote:
> > > > Yes it is set in the table:
> > > >
> > > > group | ip_addr | mask | port | tag
> > > > ZZZ | X.X.X.X | 24 | 5060 | NULL
> > > >
> > > > And I can confirm the IP and Port I see in the traces should match X.X.X.X/24 & 5060, and as mentioned before I could see that few ms before (99.99% of the cases), same IP and Port were correctly allowed and the group was found.
> > > >
> > > > Is there some more advanced debugging I could set up to dive into allow_source_address_group() behavior?
> > > The source code is available, so you can edit and add more log messages in the corresponding functions inside the permissions module, then re-compile/re-install, if you want to go that path.
> > > Do you reload records from the address table at runtime via rpc? If yes, do you think it happened at the same time with the matching failure? Trying to see what can be ruled out or not ...
> > > Cheers,
> > > Daniel
> > > >
> > > > Thanks
> > > >
> > > > Romain Untereiner
> > > > Co founder at Cantoo
> > > > www.cantoo.co
> > > > On 18 May 2021 at 12:18 +0200, Daniel-Constantin Mierla <miconda at gmail.com> wrote:
> > > > > Hmm, do you have port set for the records in the address table? I notice you print it in the log message...
> > > > > Cheers,
> > > > > Daniel
> > > > > On 18.05.21 11:15, Romain Untereiner wrote:
> > > > > > Hello Daniel,
> > > > > >
> > > > > > Thanks for your quick answer!
> > > > > >
> > > > > > I indeed need to identify the group ID too.
> > > > > >
> > > > > > Here’s how I handle it (inspired from https://kamailio.org/docs/modules/5.5.x/modules/permissions.html#permissions.f.allow_source_address):
> > > > > >
> > > > > > ```
> > > > > > $var(group) = allow_source_address_group();
> > > > > >
> > > > > > if ($var(group) != -1) {
> > > > > >     xlog("L_INFO", "$si : $sp is allowed through group: $var(group)\n");
> > > > > >     [...]
> > > > > > } else {
> > > > > >     xlog("L_INFO", "$si : $sp is not allowed - allow_source_address_group returned -1\n");
> > > > > >     xlog("L_INFO", "Rejecting $ci with 403 'Forbidden'\n");
> > > > > >     sl_send_reply("403", "Forbidden");
> > > > > >     exit;
> > > > > > }
> > > > > > ```
> > > > > >
> > > > > > Best regards,
> > > > > >
> > > > > > Romain Untereiner
> > > > > > Co founder at Cantoo
> > > > > > www.cantoo.co
> > > > > > On 18 May 2021 at 08:44 +0200, Daniel-Constantin Mierla <miconda at gmail.com> wrote:
> > > > > > > Hello,
> > > > > > >
> > > > > > > On 17.05.21 12:11, Romain Untereiner wrote:
> > > > > > > > Hello all,
> > > > > > > >
> > > > > > > > I am having some trouble with Permissions module of Kamailio,
> > > > > > > > regarding the allow_source_address_group() function. In 99.9% of the
> > > > > > > > cases the IP of our partner is allowed as expected, but randomly it
> > > > > > > > can fail (returning -1 for the same IP address that was allowed for
> > > > > > > > many other calls in the meantime).
> > > > > > > >
> > > > > > > > I can’t understand why it fails and why only « sometimes » - I confirm
> > > > > > > > this happens on the same Kamailio box, with same IP and Port of the
> > > > > > > > partner.
> > > > > > > >
> > > > > > > > In my custom logs:
> > > > > > > > « X.X.X.X:YYYY is allowed through group Z » —> as expected
> > > > > > > > and sometimes (like 1% of the cases): « X.X.X.X:YYYY is not allowed
> > > > > > > > -  allow_source_address_group returned -1»
> > > > > > > >
> > > > > > > > It may be worth noting that in the address table, this range is defined
> > > > > > > > as /24 and not /32. Until now it never happened on /32 defined address
> > > > > > > > but I don’t know if it can be correlated.
> > > > > > > >
> > > > > > > > Would someone have a clue on this?
> > > > > > > >
> > > > > > > > Versions:
> > > > > > > > - kamailio 5.5.0 (x86_64/linux) d4c1a1
> > > > > > > > - debian 9 stretch
> > > > > > > > - postgresql 11.7
> > > > > > >
> > > > > > > How do you test the return code of the function? Paste here the snippet
> > > > > > > of the config where the function is used.
> > > > > > >
> > > > > > > Then, do you really need the group id of the address or just to match the
> > > > > > > address?
> > > > > > >
> > > > > > > Cheers,
> > > > > > > Daniel
> > > > > > >
> > > > > > > --
> > > > > > > Daniel-Constantin Mierla -- www.asipto.com
> > > > > > > www.twitter.com/miconda -- www.linkedin.com/in/miconda
> > > > > > > Kamailio Advanced Training - Online
> > > > > > > May 17-20, 2021 (Europe Timezone) - June 7-10, 2021 (America Timezone)
> > > > > > > * https://www.asipto.com/sw/kamailio-advanced-training-online/
> > > > > > >
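
Added example (not part of the original thread, and not code from Kamailio or from either poster): one way to check the reload correlation discussed above is to scan the proxy log for sources that were allowed and then denied, and flag each such denial by its distance from a recorded address-table reload. The message text follows the xlog() calls quoted in the thread; the timestamp prefix, the sample addresses, the list of reload times and the `window_s` parameter are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines: message text as in the thread's xlog() calls,
# timestamp prefix is an assumed log format.
SAMPLE_LOG = """\
2021-05-18 10:00:00.120 192.0.2.10 : 5060 is allowed through group: 7
2021-05-18 10:00:05.300 192.0.2.10 : 5060 is not allowed - allow_source_address_group returned -1
2021-05-18 10:00:05.900 192.0.2.10 : 5060 is allowed through group: 7
2021-05-18 10:30:00.000 198.51.100.4 : 5060 is not allowed - allow_source_address_group returned -1
2021-05-18 11:15:42.010 192.0.2.10 : 5060 is not allowed - allow_source_address_group returned -1
"""
# Constructed reload times, e.g. written by whatever job triggers the RPC reload.
SAMPLE_RELOADS = ["2021-05-18 10:00:05.250"]

FMT = "%Y-%m-%d %H:%M:%S.%f"
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) "
    r"(?P<ip>\S+) : (?P<port>\d+) is "
    r"(?:allowed through group: (?P<group>-?\d+)"
    r"|not allowed - allow_source_address_group returned -1)$"
)

def correlate(log_text, reload_times, window_s=2.0):
    """Return denials of previously allowed sources, tagged by reload proximity."""
    reloads = [datetime.strptime(t, FMT) for t in reload_times]
    window = timedelta(seconds=window_s)
    last_group = {}  # (ip, port) -> group id of the most recent successful match
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(m["ts"], FMT)
        key = (m["ip"], int(m["port"]))
        if m["group"] is not None:
            last_group[key] = int(m["group"])
            continue
        if key not in last_group:
            continue  # never allowed before: ordinary rejection, not the intermittent case
        near = any(abs(ts - r) <= window for r in reloads)
        findings.append((m["ts"], key[0], key[1], last_group[key],
                         "near_reload" if near else "no_reload_nearby"))
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG, SAMPLE_RELOADS):
        print(finding)
```

Denials tagged `no_reload_nearby` are the ones that rule out the reload as the only cause.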