[SR-Users] Empty Subnets in Permissions Module

Tom Dworakowski dworakowski.tom at gmail.com
Tue Sep 14 18:06:30 CEST 2021


Hello Henning,

Thanks again for your clarification.

As for 1)
There is no error that appears if I don't explicitly set "mask".
The JSON output from "kamctl address dump" on K5.5 simply doesn't display
this attribute.

As for 2)
I see the code change and I can confirm it does what it's supposed to. I
registered $MY_IP/0 in the address table and it does interpret it as a /32
(and returns true).
In other words, it does detect the subnet "0" and converts it to "32"
behind the scenes.
Next, it does not appear in the kamcmd permissions.subnetDump (which makes
sense because /32 is not a subnet) but appears in the kamcmd
permissions.addressDump.

I'll try to raise an issue via GitHub and in the meantime, I'll tweak my
logic around.

Thanks again. Tom

On Tue, Sep 14, 2021 at 10:16 AM Henning Westerholt <hw at skalatan.de> wrote:

> Hello,
>
>
>
> please keep the list in CC.
>
>
>
> Let’s look into the two issues one by one:
>
>
>
> 1) I had to explicitly configure the parameter:
>
> modparam("permissions", "mask_col", "mask")
>
> Although the documentation suggests "mask" is the default - the JSON
> output from "kamctl address dump" did not output this value on K5.5. (On
> K5.3 it outputted properly)
>
>
>
> Do you get an error if you do not specify the mask_col like this, or
> something else? From the source code the default should be “mask”.
>
>
>
> When I run the "kamcmd permissions.subnetDump" on Kamailio 5.3, it
> returns everything as expected - including the 0.0.0.0/0 subnets.
>
>
>
> However, when running the same commands on Kamailio 5.5, it only returns a
> small subset (of only 20) subnets/groups - and the selection does not
> appear to follow a logical selection criteria.
>
> Additionally, it does not return any groups with a 0.0.0.0/0 subnet
> either.
>
>
>
> It seems that the behaviour has changed regarding the “0” subnet, check out
> the docs:
>
>
>
>
> https://kamailio.org/docs/modules/devel/modules/permissions.html#permissions.p.mask_col
>
>
>
> It will convert them to 32/128 respectively. Can you see a 0.0.0.0/32 in
> your dump?
>
> This was changed in commit f376c82a9f8 during an extension for text files.
> Maybe Daniel can comment here if this was done on purpose.
>
> Otherwise, you can open an issue on our tracker about it.
>
>
>
> Cheers,
>
>
>
> Henning
>
>
>
> --
>
> Henning Westerholt – https://skalatan.de/blog/
>
> Kamailio services – https://gilawa.com
>
>
>
> *From:* Tom Dworakowski <dworakowski.tom at gmail.com>
> *Sent:* Tuesday, September 14, 2021 5:00 PM
> *To:* Henning Westerholt <hw at skalatan.de>
> *Subject:* Re: [SR-Users] Empty Subnets in Permissions Module
>
>
>
> Hello Henning,
>
> Thank you for looking into this for me.
>
>
>
> I made two interesting discoveries this morning:
>
>
>
> 1) I had to explicitly configure the parameter:
>
> modparam("permissions", "mask_col", "mask")
>
> Although the documentation suggests "mask" is the default - the JSON
> output from "kamctl address dump" did not output this value on K5.5. (On
> K5.3 it outputted properly)
>
>
>
> 2)
>
> When I run the "kamcmd permissions.subnetDump" on Kamailio 5.3, it
> returns everything as expected - including the 0.0.0.0/0 subnets.
>
>
>
> However, when running the same commands on Kamailio 5.5, it only returns a
> small subset (of only 20) subnets/groups - and the selection does not
> appear to follow a logical selection criteria.
>
> Additionally, it does not return any groups with a 0.0.0.0/0 subnet
> either.
>
>
>
> From my logs - I have noted this:
>
> Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions
> [address.c:118]: reload_address_insert(): Tuple <4353, 0.0.0.0, 0> inserted
> into address hash table
> Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions
> [address.c:118]: reload_address_insert(): Tuple <3769, 0.0.0.0, 0> inserted
> into address hash table
> Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions
> [address.c:118]: reload_address_insert(): Tuple <4355, 0.0.0.0, 0> inserted
> into address hash table
> Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions
> [address.c:118]: reload_address_insert(): Tuple <4359, 0.0.0.0, 0> inserted
> into address hash table
> Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions
> [address.c:118]: reload_address_insert(): Tuple <1955, 84.XX.XX.66, 0>
> inserted into address hash table
> Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions
> [address.c:118]: reload_address_insert(): Tuple <4361, 91.X.X.231, 0>
> inserted into address hash table
> Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions
> [address.c:118]: reload_address_insert(): Tuple <4361, 91.X.X.33, 0>
> inserted into address hash table
> Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions
> [address.c:118]: reload_address_insert(): Tuple <4361, 91.X.X.34, 0>
> inserted into address hash table
> Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions
> [address.c:118]: reload_address_insert(): Tuple <4363, 80.X.X.25, 0>
> inserted into address hash table
> Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions
> [address.c:118]: reload_address_insert(): Tuple <4363, 85.X.X.124, 0>
> inserted into address hash table
> Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions
> [address.c:118]: reload_address_insert(): Tuple <4363, 212.X.X.19, 0>
> inserted into address hash table
> Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions
> [address.c:118]: reload_address_insert(): Tuple <4365, 0.0.0.0, 0> inserted
> into address hash table
> Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions
> [address.c:118]: reload_address_insert(): Tuple <4367, 0.0.0.0, 0> inserted
> into address hash table
> Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions
> [address.c:118]: reload_address_insert(): Tuple <4371, 0.0.0.0, 0> inserted
> into address hash table
> Sep 14 03:07:25 webrtc kamailio[5407]:  0(5407) DEBUG: permissions
> [address.c:118]: reload_address_insert(): Tuple <3991, 0.0.0.0, 0> inserted
> into address hash table
>
>
>
> At the moment of querying group id 3983 (where there is only 0.0.0.0/0),
> the function returns false:
>
> DEBUG: permissions [address.c:671]: allow_source_address(): looking for
> <3983, [IPv4 in hex, reversed octet order], 62281>
>
>
>
> However, none of those addresses appear in the "kamcmd
> permissions.subnetDump" output.
>
> Moreover, if "my" group has the address 0.0.0.0/0 listed as an approved
> address - it will fail the test; but if I register 0.0.0.0/1 it will let
> me through (as my IP is < 128.0.0.0), kamcmd permissions.subnetDump will
> display this address.
>
>
>
> My thoughts are that there might be another table that is not being
> populated - or there is a filter during the import that either drops
> 0.0.0.0/0 or filters it out completely?
>
>
>
> Regards, Tom
>
>
>
>
>
> On Tue, Sep 14, 2021 at 4:10 AM Henning Westerholt <hw at skalatan.de> wrote:
>
> Hello Tom,
>
>
>
> I’ve done a quick comparison of the main function and the called function.
> At first glance it looked identical, but I looked only a few levels deep.
>
>
>
> Do you maybe have some means to reproduce this on a test system? Then it
> would probably be interesting to look at the DEBUG logging of these cases.
> Maybe you can compare if you spot some obvious differences from the logic.
>
>
>
> Cheers,
>
>
>
> Henning
>
>
>
>
>
> *From:* sr-users <sr-users-bounces at lists.kamailio.org> *On Behalf Of *Tom
> Dworakowski
> *Sent:* Tuesday, September 14, 2021 4:10 AM
> *To:* sr-users at lists.kamailio.org
> *Subject:* [SR-Users] Empty Subnets in Permissions Module
>
>
>
> Greetings all!
>
>
>
> I have two deployments of Kamailio: one running version 5.3 and one 5.5
> with practically identical configurations, same (MySQL and REDIS) data
> sources.
>
>
>
> We have customers that we assign an ACL "group" to, where the ID of this
> group resolves to records in the "address" table in our MySQL database -
> using the "grp" field.
>
>
>
> On the box running Kamailio 5.5, we have noticed that if a group has
> ip_addr=0.0.0.0, mask=0, port=0 - and we try to run
> the allow_source_address() - it will return false, thus failing this phase
> of the authentication process.
>
>
>
> However, on Kamailio 5.3 we are not seeing this issue, i.e. if a customer
> is assigned a group where the ACL is 0.0.0.0/0 - it will let him through.
>
>
>
> Has something changed that I'm not aware of?
>
> Any suggestions on how to resolve this?
>
>
>
> My best, Tom
>
>
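
An added example, not part of the original thread and not Kamailio's code: a small Python model of the two readings of mask 0 discussed above (a literal /0 versus conversion to /32 or /128), used to list the address-table rows whose matched range changes between them. The sample rows, the function names and the treatment of port 0 as "any port" are assumptions made for illustration.

```python
"""Model of the mask=0 behaviour change discussed in this thread (not Kamailio code)."""
import ipaddress

# Constructed sample rows shaped like the "address" table: (grp, ip_addr, mask, port)
ROWS = [
    (3983, "0.0.0.0", 0, 0),        # intended as "allow any source"
    (4361, "192.0.2.33", 32, 0),    # single host
    (4363, "198.51.100.0", 24, 0),  # ordinary subnet
    (4400, "203.0.113.7", 0, 0),    # host stored with mask 0
    (5000, "0.0.0.0", 1, 0),        # two /1 rows that together cover all IPv4,
    (5000, "128.0.0.0", 1, 0),      # building on the /1 observation in the thread
]

def effective_network(ip_addr, mask, zero_means_host):
    """Return the network a row matches under one of the two interpretations."""
    ip = ipaddress.ip_address(ip_addr)
    if mask == 0 and zero_means_host:
        mask = ip.max_prefixlen          # 32 for IPv4, 128 for IPv6
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def allow_source(rows, grp, src_ip, src_port, zero_means_host):
    """True if src_ip:src_port matches any row of grp (assumption: port 0 = any port)."""
    src = ipaddress.ip_address(src_ip)
    for g, ip_addr, mask, port in rows:
        if g != grp or port not in (0, src_port):
            continue
        net = effective_network(ip_addr, mask, zero_means_host)
        if src.version == net.version and src in net:
            return True
    return False

def rows_changing_meaning(rows):
    """Rows whose matched range differs between the two interpretations."""
    return [r for r in rows
            if effective_network(r[1], r[2], False) != effective_network(r[1], r[2], True)]

if __name__ == "__main__":
    for r in rows_changing_meaning(ROWS):
        print("review before upgrading:", r)
```

Every row it reports has mask 0, so its effective range depends on which interpretation the running version applies.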