[SR-Users] Empty Subnets in Permissions Module

Henning Westerholt hw at skalatan.de
Tue Sep 14 17:16:37 CEST 2021


Hello,

please keep the list in CC.

Let’s look into the two issues one by one:

1) I had to explicitly configure the parameter:

modparam("permissions", "mask_col", "mask")
Although the documentation suggests "mask" is the default - the JSON output from "kamctl address dump" did not output this value on K5.5. (On K5.3 it outputted properly)

Do you get an error if you do not specify the mask_col like this, or something else? From the source code the default should be “mask”.

When I run the "kamcmd permissions.subnetDump" on Kamailio 5.3, it returns everything as expected - including the 0.0.0.0/0 subnets.

However, when running the same commands on Kamailio 5.5, it only returns a small subset (of only 20) subnets/groups - and the selection does not appear to follow a logical selection criteria.
Additionally, it does not return any groups with a 0.0.0.0/0 subnet either.

It seems that the behaviour has changed regarding the “0” subnet, check out the docs:

https://kamailio.org/docs/modules/devel/modules/permissions.html#permissions.p.mask_col

It will convert them to 32/128 respectively. Can you see a 0.0.0.0/32 in your dump?
This was changed in commit f376c82a9f8 during an extension for text files. Maybe Daniel can comment here if this was done on purpose.
Otherwise, you can open an issue on our tracker about it.

Cheers,

Henning

--
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com

From: Tom Dworakowski <dworakowski.tom at gmail.com>
Sent: Tuesday, September 14, 2021 5:00 PM
To: Henning Westerholt <hw at skalatan.de>
Subject: Re: [SR-Users] Empty Subnets in Permissions Module

Hello Henning,
Thank you for looking into this for me.

I made two interesting discoveries this morning:

1) I had to explicitly configure the parameter:

modparam("permissions", "mask_col", "mask")
Although the documentation suggests "mask" is the default - the JSON output from "kamctl address dump" did not output this value on K5.5. (On K5.3 it outputted properly)

2)
When I run the "kamcmd permissions.subnetDump" on Kamailio 5.3, it returns everything as expected - including the 0.0.0.0/0 subnets.

However, when running the same commands on Kamailio 5.5, it only returns a small subset (of only 20) subnets/groups - and the selection does not appear to follow a logical selection criteria.
Additionally, it does not return any groups with a 0.0.0.0/0 subnet either.

From my logs - I have noted this:
Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4353, 0.0.0.0, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <3769, 0.0.0.0, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4355, 0.0.0.0, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4359, 0.0.0.0, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <1955, 84.XX.XX.66, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4361, 91.X.X.231, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4361, 91.X.X.33, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4361, 91.X.X.34, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4363, 80.X.X.25, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4363, 85.X.X.124, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4363, 212.X.X.19, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4365, 0.0.0.0, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4367, 0.0.0.0, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4371, 0.0.0.0, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <3991, 0.0.0.0, 0> inserted into address hash table

At the moment of querying group id 3983 (where there is only 0.0.0.0/0), the function returns false:
DEBUG: permissions [address.c:671]: allow_source_address(): looking for <3983, [IPv4 in hex, reversed octet order], 62281>

However, none of those addresses appear in the "kamcmd permissions.subnetDump" output.
Moreover, if "my" group has the address 0.0.0.0/0 listed as an approved address - it will fail the test; but if I register 0.0.0.0/1 it will let me through (as my IP is < 128.0.0.0), kamcmd permissions.subnetDump will display this address.

My thoughts are that there might be another table that is not being populated - or there is a filter during the import that either drops 0.0.0.0/0 or filters it out completely?

Regards, Tom


On Tue, Sep 14, 2021 at 4:10 AM Henning Westerholt <hw at skalatan.de> wrote:
Hello Tom,

I’ve done a quick comparison of the main function and the called function. On a first view it looked identical, but I looked only a few levels deep.

Do you have maybe some means to reproduce this on a test system? Then it would be probably interesting to look at the DEBUG logging of these cases. Maybe you can compare if you spot some obvious differences from the logic.

Cheers,

Henning


From: sr-users <sr-users-bounces at lists.kamailio.org> On Behalf Of Tom Dworakowski
Sent: Tuesday, September 14, 2021 4:10 AM
To: sr-users at lists.kamailio.org
Subject: [SR-Users] Empty Subnets in Permissions Module

Greetings all!

I have two deployments of Kamailio: one running version 5.3 and one 5.5 with practically identical configurations, same (MySQL and REDIS) data sources.

We have customers that we assign an ACL "group" to, where the ID of this group resolves to records in the "address" table in our MySQL database - using the "grp" field.

On the box running Kamailio 5.5, we have noticed that if a group has ip_addr=0.0.0.0, mask=0, port=0 - and we try to run the allow_source_address() - it will return false, thus failing this phase of the authentication process.

However, on Kamailio 5.3 we are not seeing this issue, i.e. if a customer is assigned a group where the ACL is 0.0.0.0/0 - it will let him through.

Has something changed that I'm not aware of?
Any suggestions on how to resolve this?

My best, Tom
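
An added example, not part of the thread and not Kamailio's code: a small model of the mask handling discussed above, comparing mask 0 kept as /0 (the match-all behaviour reported on 5.3) with mask 0 converted to 32/128 (the conversion described in the reply for 5.5). The rows, group ids 9001 and 9002, source addresses and function names are constructed for illustration, and port matching is left out.

```python
import ipaddress

# Constructed rows shaped like the "address" table columns named in the
# thread: (grp, ip_addr, mask, port). Sample data, not the poster's database.
ROWS = [
    (3983, "0.0.0.0", 0, 0),     # the "allow everyone" ACL from the report
    (9001, "0.0.0.0", 1, 0),     # the /1 workaround mentioned in the thread
    (9002, "192.0.2.0", 24, 0),  # an ordinary subnet, unaffected
]


def effective_network(ip_addr, mask, zero_as_host):
    """Return the network a row stands for.

    zero_as_host=False: mask 0 stays /0, which matches every address.
    zero_as_host=True:  mask 0 becomes the full host length (32 or 128),
                        so the row matches only the literal address.
    """
    ip = ipaddress.ip_address(ip_addr)
    if mask == 0 and zero_as_host:
        mask = ip.max_prefixlen
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def source_allowed(rows, grp, src, zero_as_host):
    """Model of a per-group source-address check (ports ignored)."""
    src_ip = ipaddress.ip_address(src)
    for row_grp, ip_addr, mask, _port in rows:
        if row_grp != grp:
            continue
        net = effective_network(ip_addr, mask, zero_as_host)
        if net.version == src_ip.version and src_ip in net:
            return True
    return False


def rows_changed_by_conversion(rows):
    """Rows whose meaning differs between the two interpretations."""
    return [r for r in rows
            if effective_network(r[1], r[2], False)
            != effective_network(r[1], r[2], True)]


if __name__ == "__main__":
    for grp, src in [(3983, "10.1.2.3"), (9001, "10.1.2.3"),
                     (9001, "198.51.100.7")]:
        print(grp, src,
              "mask0=/0:", source_allowed(ROWS, grp, src, False),
              "mask0=host:", source_allowed(ROWS, grp, src, True))
    print("rows to review:", rows_changed_by_conversion(ROWS))
```

Running `rows_changed_by_conversion` over an export of the address table lists the ACL rows that need review before moving a deployment between the two versions.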