From 90a5862f304a4580d7781ead5d2ac439de72b0ae Mon Sep 17 00:00:00 2001
From: "SIPLABS, LLC"
Date: Wed, 11 Feb 2015 16:36:02 +0700
Subject: [PATCH 01/12] rate-limiter-role for sip requests
---
 kamailio/default.cfg | 7 +
 kamailio/local.cfg | 1 +
 kamailio/rate-limiter-role.cfg | 249 +++++++++++++++++++++++++++++++++
 3 files changed, 257 insertions(+)
 create mode 100644 kamailio/rate-limiter-role.cfg
diff --git a/kamailio/default.cfg b/kamailio/default.cfg
index 2dbb4e1..f204a0a 100644
--- a/kamailio/default.cfg
+++ b/kamailio/default.cfg
@@ -189,6 +189,9 @@ include_file "antiflood-role.cfg"
 #!ifdef TRAFFIC-FILTER-ROLE
 include_file "traffic-filter-role.cfg"
 #!endif
+#!ifdef RATE-LIMITER-ROLE
+include_file "rate-limiter-role.cfg"
+#!endif
 ####### Permissions module ##########
 loadmodule "permissions.so"
@@ -217,6 +220,10 @@ route
 route(TRAFFIC_FILTER);
 #!endif
+ #!ifdef RATE-LIMITER-ROLE
+ route(DOS_PREVENTION);
+ #!endif
+
 #!ifdef WEBSOCKETS-ROLE
 route(HANDLE_WEBSOCKETS);
 #!endif
diff --git a/kamailio/local.cfg b/kamailio/local.cfg
index 69b1000..4d7357b 100644
--- a/kamailio/local.cfg
+++ b/kamailio/local.cfg
@@ -17,6 +17,7 @@ debug = L_INFO
 # # #!trydef WEBSOCKETS-ROLE
 # # #!trydef TLS-ROLE
 # # #!trydef ANTIFLOOD-ROLE
+# # #!trydef RATE-LIMITER-ROLE
 ################################################################################
 ## SERVER INFORMATION
diff --git a/kamailio/rate-limiter-role.cfg b/kamailio/rate-limiter-role.cfg
new file mode 100644
index 0000000..398ec4d
--- /dev/null
+++ b/kamailio/rate-limiter-role.cfg
@@ -0,0 +1,249 @@ +######## DoS prevention module ######## +modparam("htable", "timer_interval", 10) +modparam("htable", "htable", "rps=>size=8;initval=0;autoexpire=60") +modparam("htable", "htable", "rpm=>size=8;initval=0;autoexpire=180") +modparam("htable", "htable", "tps=>size=8;initval=0;autoexpire=60") +modparam("htable", "htable", "tpm=>size=8;initval=0;autoexpire=180") +modparam("htable", "htable", "rate_limits=>initval=-1;autoexpire=60") # initval = -1 means that record is expired and we need an update from DB + +#!trydef RATE_LIMIT_MESSAGE "Over rate Limit" + +route[DOS_PREVENTION_REPLY] { + setflag(FLAG_IS_REPLY); + route(DOS_PREVENTION); +} + +route[DOS_PREVENTION] { + + # Initially we do not want to get data + $var(with-realm-request) = "false"; + $var(with-realm-total) = "false"; + $var(with-device-request) = "false"; + $var(with-device-total) = "false"; + $var(method-key) = "Method"; + $var(method-value) = "\"TOTAL\""; + + # SIP methods INVITE and REGISTER have personal counters + if ((is_method("INVITE") || is_method("REGISTER"))) { + $var(lrpm_realm) = $fd+"/"+$rm+"/min"; + $var(lrps_realm) = $fd+"/"+$rm+"/sec"; + + $var(lrpm_device) = $fU+"@"+$fd+"/"+$rm+"/min"; + $var(lrps_device) = $fU+"@"+$fd+"/"+$rm+"/sec"; + $var(method-value) = "\"" + $rm + "\""; + } + + # For BYE method we use REALM from To SIP header + if (is_method("BYE")) { + xlog("L_WARNING","$ci|RL-realm log| Fixup for BYE method with IP in from URI: use to-domain"); + $var(ltpm_realm) = $td+"/TOTAL/min"; + $var(ltps_realm) = $td+"/TOTAL/sec"; + $var(ltpm_device) = $fU+"@"+$td+"/TOTAL/min"; + $var(ltps_device) = $fU+"@"+$td+"/TOTAL/sec"; + $var(entity) = $td; + } else { + $var(ltpm_realm) = $fd+"/TOTAL/min"; + $var(ltps_realm) = $fd+"/TOTAL/sec"; + $var(ltpm_device) = $fU+"@"+$fd+"/TOTAL/min"; + $var(ltps_device) = $fU+"@"+$fd+"/TOTAL/sec"; + $var(entity) = $fd; + } + + # REALM check + if ((is_method("INVITE") || is_method("REGISTER"))) { + if ($sht(rate_limits=>$var(lrpm_realm)) == -1 
+ || $sht(rate_limits=>$var(lrps_realm)) == -1) { + xlog("L_INFO", "$ci|RL-realm log| Can't find HASHed rate for $var(entity) with $rm method"); + $var(with-realm-request) = "true"; + } + } + + if ($sht(rate_limits=>$var(ltpm_realm)) == -1 + || $sht(rate_limits=>$var(ltps_realm)) == -1) { + xlog("L_INFO", "$ci|RL-realm log| Can't find HASHed rate for $var(entity) with $rm method"); + $var(with-realm-total) = "true"; + } + + if (not_empty("$fU")) { + if (is_method("BYE")) { + xlog("L_WARNING","$ci|RL-realm log| Fixup for BYE method with IP in from URI: use to-domain"); + $var(entity) = $fU+"@"+$td; + } else { + $var(entity) = $fU+"@"+$fd; + } + + #DEVICE check + if ((is_method("INVITE") || is_method("REGISTER"))) { + if ($sht(rate_limits=>$var(lrpm_device)) == -1 + || $sht(rate_limits=>$var(lrps_device)) == -1) { + xlog("L_INFO", "$ci|RL-device log| Can't find HASHed rate for $var(entity) with $rm method"); + $var(with-device-request) = "true"; + } + } + + if ($sht(rate_limits=>$var(ltpm_device)) == -1 || $sht(rate_limits=>$var(ltps_device)) == -1) { + xlog("L_INFO", "$ci|RL-device log| Can't find HASHed rate for $var(entity) with $rm method"); + $var(with-device-total) = "true"; + } + } + + if ((is_method("INVITE") || is_method("REGISTER")) + && (($var(with-device-request) == "true" && $var(with-device-total) == "true") + || ($var(with-realm-request) == "true" && $var(with-realm-total) == "true"))) { + $var(method-key) = "Method-List"; + $var(method-value) = "[\"" + $rm + "\", \"TOTAL\"]"; + } + + if ( $var(with-device-request) == "true" + || $var(with-device-total) == "true" + || $var(with-realm-request) == "true" + || $var(with-realm-total) == "true" ) { + + avp_printf("$avp(s:query-request)", "{\"Entity\" : \"$var(entity)\", \"$var(method-key)\" : $var(method-value), \"Event-Category\" : \"rate_limit\", \"Event-Name\" : \"query\", \"With-Realm\" : $var(with-realm-request)}"); + xlog("L_INFO", "$ci|RL log| Query: $avp(s:query-request)"); + if 
(kazoo_query("frontier", "sbc_config", $avp(s:query-request), "$var(amqp_result)")) { + xlog("L_INFO", "$ci|RL log| Response: $var(amqp_result)"); + + kazoo_json($var(amqp_result), "Realm.Minute." + $rm, "$var(realm-min)"); + kazoo_json($var(amqp_result), "Realm.Second." + $rm, "$var(realm-sec)"); + kazoo_json($var(amqp_result), "Realm.Minute.TOTAL", "$var(realm-min-total)"); + kazoo_json($var(amqp_result), "Realm.Second.TOTAL", "$var(realm-sec-total)"); + kazoo_json($var(amqp_result), "Device.Minute." + $rm, "$var(device-min)"); + kazoo_json($var(amqp_result), "Device.Second." + $rm, "$var(device-sec)"); + kazoo_json($var(amqp_result), "Device.Minute.TOTAL", "$var(device-min-total)"); + kazoo_json($var(amqp_result), "Device.Second.TOTAL", "$var(device-sec-total)"); + + if ( not_empty("$var(realm-min)") ) { + $sht(rate_limits=>$var(lrpm_realm)) = $(var(realm-min){s.int}); + xlog("L_INFO", "$ci|RL-realm log| $rm DB=>HASH for $var(lrpm_realm)=$sht(rate_limits=>$var(lrpm_realm))"); + } + if ( not_empty("$var(realm-sec)") ) { + $sht(rate_limits=>$var(lrps_realm)) = $(var(realm-sec){s.int}); + xlog("L_INFO", "$ci|RL-realm log| $rm DB=>HASH for $var(lrps_realm)=$sht(rate_limits=>$var(lrps_realm))"); + } + if ( not_empty("$var(realm-min-total)") ) { + $sht(rate_limits=>$var(ltpm_realm)) = $(var(realm-min-total){s.int}); + xlog("L_INFO", "$ci|RL-realm log| $rm DB=>HASH for $var(ltpm_realm)=$sht(rate_limits=>$var(ltpm_realm))"); + } + if ( not_empty("$var(realm-sec-total)") ) { + $sht(rate_limits=>$var(ltps_realm)) = $(var(realm-sec-total){s.int}); + xlog("L_INFO", "$ci|RL-realm log| $rm DB=>HASH for $var(ltps_realm)=$sht(rate_limits=>$var(ltps_realm))"); + } + if ( not_empty("$var(device-min)") ) { + $sht(rate_limits=>$var(lrpm_device)) = $(var(device-min){s.int}); + xlog("L_INFO", "$ci|RL-device log| $rm DB=>HASH for $var(lrpm_device)=$sht(rate_limits=>$var(lrpm_device))"); + } + if ( not_empty("$var(device-sec)") ) { + $sht(rate_limits=>$var(lrps_device)) = 
$(var(device-sec){s.int}); + xlog("L_INFO", "$ci|RL-device log| $rm DB=>HASH for $var(lrps_device)=$sht(rate_limits=>$var(lrps_device))"); + } + if ( not_empty("$var(device-min-total)") ) { + $sht(rate_limits=>$var(ltpm_device)) = $(var(device-min-total){s.int}); + xlog("L_INFO", "$ci|RL-device log| $rm DB=>HASH for $var(ltpm_device)=$sht(rate_limits=>$var(ltpm_device))"); + } + if ( not_empty("$var(device-sec-total)") ) { + $sht(rate_limits=>$var(ltps_device)) = $(var(device-sec-total){s.int}); + xlog("L_INFO", "$ci|RL-device log| $rm DB=>HASH for $var(ltps_device)=$sht(rate_limits=>$var(ltps_device))"); + } + } else { + xlog("L_ERROR", "$ci|RL log| $rm DB unreachable for entity: $var(entity)"); + return; + } + } + + if (is_method("BYE")) { + xlog("L_WARNING","$ci|RL-device log| Fixup for BYE method with IP in from URI: use to-domain"); + $var(entity) = $td; + } else { + $var(entity) = $fd; + } + $var(entity-type) = "realm"; + if (is_method("INVITE") || is_method("REGISTER")) { + $var(lrpm) = $sht(rate_limits=>$var(lrpm_realm)); + $var(lrps) = $sht(rate_limits=>$var(lrps_realm)); + } + $var(ltpm) = $sht(rate_limits=>$var(ltpm_realm)); + $var(ltps) = $sht(rate_limits=>$var(ltps_realm)); + + + route(DO_DOS_PREVENTION); + if ( not_empty("$fU") ) { + if (is_method("BYE")) { + $var(entity) = $fU+"@"+$td; + xlog("L_WARNING","$ci|RL-device log| Fixup for BYE method with IP in from URI: use to-domain"); + } else { + $var(entity) = $fU+"@"+$fd; + } + $var(entity-type) = "device"; + if ((is_method("INVITE") || is_method("REGISTER"))) { + $var(lrpm) = $sht(rate_limits=>$var(lrpm_device)); + $var(lrps) = $sht(rate_limits=>$var(lrps_device)); + } + $var(ltpm) = $sht(rate_limits=>$var(ltpm_device)); + $var(ltps) = $sht(rate_limits=>$var(ltps_device)); + route(DO_DOS_PREVENTION); + } +} + +# This route do counting and decide either to ACCEPT or DECLINE packet +route[DO_DOS_PREVENTION] { + # Personal counters for INVITE and REGISTER + if ((is_method("INVITE") || 
is_method("REGISTER"))) { + $var(rpm) = $var(entity)+":"+$rm+":min:"+$timef(%Y/%m/%d_%H_%M_00); + $var(rps) = $var(entity)+":"+$rm+":sec:"+$timef(%Y/%m/%d_%H_%M_%S); + } + # Commmon counters for ALL packet including INVITE and REGISTER + $var(tpm) = $var(entity)+":TOTAL:min:"+$timef(%Y/%m/%d_%H_%M_00); + $var(tps) = $var(entity)+":TOTAL:sec:"+$timef(%Y/%m/%d_%H_%M_%S); + + # Personal debug for INVITE and REGISTER + if ((is_method("INVITE") || is_method("REGISTER"))) { + xlog("L_INFO", "$ci|RL-$var(entity-type) log| L/C for $var(rpm) = $var(lrpm)/$sht(rpm=>$var(rpm))"); + xlog("L_INFO", "$ci|RL-$var(entity-type) log| L/C for $var(rps) = $var(lrps)/$sht(rps=>$var(rps))"); + } + # Commmon debug for ALL packet including INVITE and REGISTER + xlog("L_INFO", "$ci|RL-$var(entity-type) log| L/C for $var(tpm) = $var(ltpm)/$sht(tpm=>$var(tpm))"); + xlog("L_INFO", "$ci|RL-$var(entity-type) log| L/C for $var(tps) = $var(ltps)/$sht(tps=>$var(tps))"); + + # Personal increment for INVITE and REGISTER + if ((is_method("INVITE") || is_method("REGISTER"))) { + $sht(rpm=>$var(rpm)) = $shtinc(rpm=>$var(rpm)); + $sht(rps=>$var(rps)) = $shtinc(rps=>$var(rps)); + } + # Commmon increment for ALL packet including INVITE and REGISTER + $sht(tpm=>$var(tpm)) = $shtinc(tpm=>$var(tpm)); + $sht(tps=>$var(tps)) = $shtinc(tps=>$var(tps)); + + # Personal checks for INVITE and REGISTER + if ((is_method("INVITE") || is_method("REGISTER"))) { + if ($sht(rps=>$var(rps)) > $var(lrps)) { + sl_send_reply("603", RATE_LIMIT_MESSAGE); + xlog("L_INFO", "$ci|RL-$var(entity-type) log| Out of $rm $var(rps) rate limits: $sht(rps=>$var(rps)) > $var(lrps))"); + exit; + } + if ($sht(rpm=>$var(rpm)) > $var(lrpm)) { + sl_send_reply("603", RATE_LIMIT_MESSAGE); + xlog("L_INFO", "$ci|RL-$var(entity-type) log| Out of $rm $var(rpm) rate limits: $sht(rpm=>$var(rpm)) > $var(lrpm))"); + exit; + } + } + # Commmon checks for ALL packet including INVITE and REGISTER + if ($sht(tps=>$var(tps)) > $var(ltps)) { +# if 
(isflagset(FLAG_IS_REPLY)) {
+# xlog("L_INFO", "$ci|RL-$var(entity-type) log| Out of TOTAL($rm::$rs $rr) $var(tps) rate limits: $sht(tps=>$var(tps)) > $var(ltps))");
+# } else {
+ sl_send_reply("603", RATE_LIMIT_MESSAGE);
+ xlog("L_INFO", "$ci|RL-$var(entity-type) log| Out of TOTAL($rm) $var(tps) rate limits: $sht(tps=>$var(tps)) > $var(ltps))");
+# }
+ exit;
+ }
+ if ($sht(tpm=>$var(tpm)) > $var(ltpm)) {
+# if (isflagset(FLAG_IS_REPLY)) {
+# xlog("L_INFO", "$ci|RL-$var(entity-type) log| Out of TOTAL($rm::$rs $rr) $var(tpm) rate limits: $sht(tpm=>$var(tpm)) > $var(ltpm))");
+# } else {
+ sl_send_reply("603", RATE_LIMIT_MESSAGE);
+ xlog("L_INFO", "$ci|RL-$var(entity-type) log| Out of TOTAL($rm) $var(tpm) rate limits: $sht(tpm=>$var(tpm)) > $var(ltpm))");
+# }
+ exit;
+ }
+}
From 57c316a61a0bdd06d48e983d1b195c25ecb50863 Mon Sep 17 00:00:00 2001
From: "SIPLABS, LLC"
Date: Wed, 11 Feb 2015 17:10:58 +0700
Subject: [PATCH 02/12] use `RATE_LIMIT_CODE` for rate limits response
---
 kamailio/rate-limiter-role.cfg | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/kamailio/rate-limiter-role.cfg b/kamailio/rate-limiter-role.cfg
index 398ec4d..2846099 100644
--- a/kamailio/rate-limiter-role.cfg
+++ b/kamailio/rate-limiter-role.cfg
@@ -7,6 +7,7 @@ modparam("htable", "htable", "tpm=>size=8;initval=0;autoexpire=180")
 modparam("htable", "htable", "rate_limits=>initval=-1;autoexpire=60") # initval = -1 means that record is expired and we need an update from DB
 #!trydef RATE_LIMIT_MESSAGE "Over rate Limit"
+#!trydef RATE_LIMIT_CODE "603"
 route[DOS_PREVENTION_REPLY] {
 setflag(FLAG_IS_REPLY);
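Review bot: A limit that the Kazoo response omits never overwrites the table's `initval=-1` (each `not_empty` guard skips the store), so `$var(lrps)`/`$var(ltps)` reach DO_DOS_PREVENTION as -1, `$sht(rps=>$var(rps)) > $var(lrps)` is already true for the first packet, and every packet for that entity is answered 603 while the `== -1` test earlier in DOS_PREVENTION re-issues a synchronous kazoo_query for each of them. Guard every comparison on the limit being known, e.g. `if ($var(lrps) >= 0 && $sht(rps=>$var(rps)) > $var(lrps)) {`, and likewise for lrpm, ltps and ltpm, so an unset limit means "no limit" rather than "deny and re-query". Separately, every counter key is built from `$fU`, `$fd` or `$td`, which the sender writes, so a flood that varies the From user or domain is spread across fresh entities and never trips a limit; a TOTAL counter keyed on `$si` would cover that case. `setflag(FLAG_IS_REPLY)` in DOS_PREVENTION_REPLY names a flag that default.cfg does not appear to declare at this point in the series (PATCH 04 adds it), so the role would not load until then.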
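Review bot: The default `RATE_LIMIT_CODE "603"` sends 603 Decline, which RFC 3261 reserves for the callee explicitly refusing; for a rate limit the conventional signal is 503 Service Unavailable (with a Retry-After header), which lets well-behaved clients back off instead of treating the call as declined by the user. Since the value is a `#!trydef` a deployment can override it, but the choice should be documented where it is defined, e.g. `#!trydef RATE_LIMIT_CODE "603"  # 603 Decline; set to "503" to signal overload rather than refusal`.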
@@ -217,12 +218,12 @@ route[DO_DOS_PREVENTION] {
 # Personal checks for INVITE and REGISTER
 if ((is_method("INVITE") || is_method("REGISTER"))) {
 if ($sht(rps=>$var(rps)) > $var(lrps)) {
- sl_send_reply("603", RATE_LIMIT_MESSAGE);
+ sl_send_reply(RATE_LIMIT_CODE, RATE_LIMIT_MESSAGE);
 xlog("L_INFO", "$ci|RL-$var(entity-type) log| Out of $rm $var(rps) rate limits: $sht(rps=>$var(rps)) > $var(lrps))");
 exit;
 }
 if ($sht(rpm=>$var(rpm)) > $var(lrpm)) {
- sl_send_reply("603", RATE_LIMIT_MESSAGE);
+ sl_send_reply(RATE_LIMIT_CODE, RATE_LIMIT_MESSAGE);
 xlog("L_INFO", "$ci|RL-$var(entity-type) log| Out of $rm $var(rpm) rate limits: $sht(rpm=>$var(rpm)) > $var(lrpm))");
 exit;
 }
@@ -232,7 +233,7 @@ route[DO_DOS_PREVENTION] {
 # if (isflagset(FLAG_IS_REPLY)) {
 # xlog("L_INFO", "$ci|RL-$var(entity-type) log| Out of TOTAL($rm::$rs $rr) $var(tps) rate limits: $sht(tps=>$var(tps)) > $var(ltps))");
 # } else {
- sl_send_reply("603", RATE_LIMIT_MESSAGE);
+ sl_send_reply(RATE_LIMIT_CODE, RATE_LIMIT_MESSAGE);
 xlog("L_INFO", "$ci|RL-$var(entity-type) log| Out of TOTAL($rm) $var(tps) rate limits: $sht(tps=>$var(tps)) > $var(ltps))");
 # }
 exit;
@@ -241,7 +242,7 @@ route[DO_DOS_PREVENTION] {
 # if (isflagset(FLAG_IS_REPLY)) {
 # xlog("L_INFO", "$ci|RL-$var(entity-type) log| Out of TOTAL($rm::$rs $rr) $var(tpm) rate limits: $sht(tpm=>$var(tpm)) > $var(ltpm))");
 # } else {
- sl_send_reply("603", RATE_LIMIT_MESSAGE);
+ sl_send_reply(RATE_LIMIT_CODE, RATE_LIMIT_MESSAGE);
 xlog("L_INFO", "$ci|RL-$var(entity-type) log| Out of TOTAL($rm) $var(tpm) rate limits: $sht(tpm=>$var(tpm)) > $var(ltpm))");
 # }
 exit;
From 1ec093e1236ed9c9090fec68d6a92a5508a590a1 Mon Sep 17 00:00:00 2001
From: "SIPLABS, LLC"
Date: Wed, 11 Feb 2015 21:23:43 +0700
Subject: [PATCH 03/12] workaround for IP in domain
---
 kamailio/rate-limiter-role.cfg | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/kamailio/rate-limiter-role.cfg b/kamailio/rate-limiter-role.cfg
index 2846099..9f7056c 100644
--- a/kamailio/rate-limiter-role.cfg
+++ b/kamailio/rate-limiter-role.cfg
@@ -9,6 +9,7 @@ modparam("htable", "htable", "rate_limits=>initval=-1;autoexpire=60") # init
 #!trydef RATE_LIMIT_MESSAGE "Over rate Limit"
 #!trydef RATE_LIMIT_CODE "603"
+#!trydef IP_REGEX "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}"
 route[DOS_PREVENTION_REPLY] {
 setflag(FLAG_IS_REPLY);
 route(DOS_PREVENTION);
@@ -35,8 +36,8 @@ route[DOS_PREVENTION] {
 }
 # For BYE method we use REALM from To SIP header
- if (is_method("BYE")) {
- xlog("L_WARNING","$ci|RL-realm log| Fixup for BYE method with IP in from URI: use to-domain");
+ if ($fd =~ IP_REGEX) {
+ xlog("L_WARNING","$ci|RL-realm log| Fixup for $rm method with IP in from URI: use to-domain");
 $var(ltpm_realm) = $td+"/TOTAL/min";
 $var(ltps_realm) = $td+"/TOTAL/sec";
 $var(ltpm_device) = $fU+"@"+$td+"/TOTAL/min";
@@ -66,8 +67,8 @@ route[DOS_PREVENTION] {
 }
 if (not_empty("$fU")) {
- if (is_method("BYE")) {
- xlog("L_WARNING","$ci|RL-realm log| Fixup for BYE method with IP in from URI: use to-domain");
+ if ($fd =~ IP_REGEX) {
+ xlog("L_WARNING","$ci|RL-realm log| Fixup for $rm method with IP in from URI: use to-domain");
 $var(entity) = $fU+"@"+$td;
 } else {
 $var(entity) = $fU+"@"+$fd;
@@ -152,8 +153,8 @@ route[DOS_PREVENTION] {
 }
 }
- if (is_method("BYE")) {
- xlog("L_WARNING","$ci|RL-device log| Fixup for BYE method with IP in from URI: use to-domain");
+ if ($fd =~ IP_REGEX) {
+ xlog("L_WARNING","$ci|RL-device log| Fixup for $rm method with IP in from URI: use to-domain");
 $var(entity) = $td;
 } else {
 $var(entity) = $fd;
@@ -169,9 +170,9 @@ route[DOS_PREVENTION] {
 route(DO_DOS_PREVENTION);
 if ( not_empty("$fU") ) {
- if (is_method("BYE")) {
+ if ($fd =~ IP_REGEX) {
 $var(entity) = $fU+"@"+$td;
- xlog("L_WARNING","$ci|RL-device log| Fixup for BYE method with IP in from URI: use to-domain");
+ xlog("L_WARNING","$ci|RL-device log| Fixup for $rm method with IP in from URI: use to-domain");
 } else {
 $var(entity) = $fU+"@"+$fd;
 }
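Review bot: `IP_REGEX` is unanchored and its third separator is a bare `.`, so `$fd =~ IP_REGEX` also fires on any From domain that merely contains a dotted-digit run (the third dot matches any character), and that host is then re-keyed to the To domain with only the L_WARNING line as a trace. Anchor and escape it: `#!trydef IP_REGEX "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$"`; acl-role.cfg in PATCH 05 repeats the same definition and needs the same change, and since that file loads ipops, `is_ip("$fd")` would be the sturdier test wherever the module is available. Note that `$td` is as much under the sender's control as `$fd`, so the fallback changes which realm's limits apply but does not make the key trustworthy.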
From cf8c42cebc0591b7d7d3c41d6f737eb98c45a437 Mon Sep 17 00:00:00 2001
From: "SIPLABS, LLC"
Date: Thu, 12 Feb 2015 14:33:31 +0700
Subject: [PATCH 04/12] count response codes in TOTAL counter
---
 kamailio/default.cfg | 11 +++++++++++
 kamailio/rate-limiter-role.cfg | 36 +++++++++++++++------------------
 2 files changed, 27 insertions(+), 20 deletions(-)
diff --git a/kamailio/default.cfg b/kamailio/default.cfg
index f204a0a..e6c6837 100644
--- a/kamailio/default.cfg
+++ b/kamailio/default.cfg
@@ -8,6 +8,7 @@ flags
 FLAG_ASSOCIATE_USER: 4,
 FLAG_TRUSTED_SOURCE: 5,
 FLAG_SESSION_PROGRESS: 6;
+ FLAG_IS_REPLY: 7;
 ####### Global Parameters #########
 fork = yes
@@ -500,6 +501,11 @@ onreply_route[EXTERNAL_REPLY]
 #!ifdef NAT-TRAVERSAL-ROLE
 route(NAT_TEST_AND_CORRECT);
 #!endif
+
+ #!ifdef RATE-LIMITER-ROLE
+ setflag(FLAG_IS_REPLY);
+ route(DOS_PREVENTION);
+ #!endif
 }
 onreply_route[INTERNAL_REPLY]
@@ -512,6 +518,11 @@ onreply_route[INTERNAL_REPLY]
 route(NAT_WEBSOCKETS_CORRECT);
 #!endif
+ #!ifdef RATE-LIMITER-ROLE
+ setflag(FLAG_IS_REPLY);
+ route(DOS_PREVENTION);
+ #!endif
+
 if (is_method("INVITE")
 && !isflagset(FLAG_SESSION_PROGRESS)
 && t_check_status("(180)|(183)|(200)")
diff --git a/kamailio/rate-limiter-role.cfg b/kamailio/rate-limiter-role.cfg
index 9f7056c..9f037b4 100644
--- a/kamailio/rate-limiter-role.cfg
+++ b/kamailio/rate-limiter-role.cfg
@@ -10,10 +10,6 @@ modparam("htable", "htable", "rate_limits=>initval=-1;autoexpire=60") # init
 #!trydef RATE_LIMIT_CODE "603"
 #!trydef IP_REGEX "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}"
-route[DOS_PREVENTION_REPLY] {
- setflag(FLAG_IS_REPLY);
- route(DOS_PREVENTION);
-}
 route[DOS_PREVENTION] {
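Review bot: The added `FLAG_IS_REPLY: 7;` follows `FLAG_SESSION_PROGRESS: 6;`, and that context line keeps the `;` that already closes the `flags` declaration, so the new entry most likely does not parse as part of the list (the flags grammar takes comma-separated entries with one terminating `;`). Change the context line to `FLAG_SESSION_PROGRESS: 6,` and keep `FLAG_IS_REPLY: 7;` as the terminator. The `flags` block starts outside the hunk, so the earlier entries could not be checked here.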
@@ -26,7 +22,7 @@ route[DOS_PREVENTION] {
 $var(method-value) = "\"TOTAL\"";
 # SIP methods INVITE and REGISTER have personal counters
- if ((is_method("INVITE") || is_method("REGISTER"))) {
+ if ((is_method("INVITE") || is_method("REGISTER")) && (!isflagset(FLAG_IS_REPLY))) {
 $var(lrpm_realm) = $fd+"/"+$rm+"/min";
 $var(lrps_realm) = $fd+"/"+$rm+"/sec";
@@ -52,7 +48,7 @@ route[DOS_PREVENTION] {
 }
 # REALM check
- if ((is_method("INVITE") || is_method("REGISTER"))) {
+ if ((is_method("INVITE") || is_method("REGISTER")) && (!isflagset(FLAG_IS_REPLY))) {
 if ($sht(rate_limits=>$var(lrpm_realm)) == -1
 || $sht(rate_limits=>$var(lrps_realm)) == -1) {
 xlog("L_INFO", "$ci|RL-realm log| Can't find HASHed rate for $var(entity) with $rm method");
@@ -75,7 +71,7 @@ route[DOS_PREVENTION] {
 }
 #DEVICE check
- if ((is_method("INVITE") || is_method("REGISTER"))) {
+ if ((is_method("INVITE") || is_method("REGISTER")) && (!isflagset(FLAG_IS_REPLY))) {
 if ($sht(rate_limits=>$var(lrpm_device)) == -1
 || $sht(rate_limits=>$var(lrps_device)) == -1) {
 xlog("L_INFO", "$ci|RL-device log| Can't find HASHed rate for $var(entity) with $rm method");
@@ -160,7 +156,7 @@ route[DOS_PREVENTION] {
 $var(entity) = $fd;
 }
 $var(entity-type) = "realm";
- if (is_method("INVITE") || is_method("REGISTER")) {
+ if ((is_method("INVITE") || is_method("REGISTER")) && (!isflagset(FLAG_IS_REPLY))) {
 $var(lrpm) = $sht(rate_limits=>$var(lrpm_realm));
 $var(lrps) = $sht(rate_limits=>$var(lrps_realm));
 }
@@ -177,7 +173,7 @@ route[DOS_PREVENTION] {
 $var(entity) = $fU+"@"+$fd;
 }
 $var(entity-type) = "device";
- if ((is_method("INVITE") || is_method("REGISTER"))) {
+ if ((is_method("INVITE") || is_method("REGISTER")) && (!isflagset(FLAG_IS_REPLY))) {
 $var(lrpm) = $sht(rate_limits=>$var(lrpm_device));
 $var(lrps) = $sht(rate_limits=>$var(lrps_device));
 }
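Review bot: The guard `(is_method("INVITE") || is_method("REGISTER")) && (!isflagset(FLAG_IS_REPLY))` is now spelled out in full in five hunks of DOS_PREVENTION and again in two hunks of DO_DOS_PREVENTION, and every copy has to be kept in step by hand the next time the set of methods or the reply handling changes. Evaluating it once near the top of DOS_PREVENTION, e.g. `$var(personal) = 0; if ((is_method("INVITE") || is_method("REGISTER")) && !isflagset(FLAG_IS_REPLY)) { $var(personal) = 1; }`, and testing `if ($var(personal) == 1)` in the later branches would leave a single place to change; DO_DOS_PREVENTION is entered from this route and already relies on `$var(entity)` and `$var(entity-type)` set here, so the same variable would be visible there.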
@@ -207,8 +203,8 @@ route[DO_DOS_PREVENTION] {
 xlog("L_INFO", "$ci|RL-$var(entity-type) log| L/C for $var(tpm) = $var(ltpm)/$sht(tpm=>$var(tpm))");
 xlog("L_INFO", "$ci|RL-$var(entity-type) log| L/C for $var(tps) = $var(ltps)/$sht(tps=>$var(tps))");
- # Personal increment for INVITE and REGISTER
- if ((is_method("INVITE") || is_method("REGISTER"))) {
+ # Personal increment just for INVITE and REGISTER
+ if ((is_method("INVITE") || is_method("REGISTER")) && (!isflagset(FLAG_IS_REPLY))) {
 $sht(rpm=>$var(rpm)) = $shtinc(rpm=>$var(rpm));
 $sht(rps=>$var(rps)) = $shtinc(rps=>$var(rps));
 }
@@ -217,7 +213,7 @@ route[DO_DOS_PREVENTION] {
 $sht(tps=>$var(tps)) = $shtinc(tps=>$var(tps));
 # Personal checks for INVITE and REGISTER
- if ((is_method("INVITE") || is_method("REGISTER"))) {
+ if ((is_method("INVITE") || is_method("REGISTER")) && (!isflagset(FLAG_IS_REPLY))) {
 if ($sht(rps=>$var(rps)) > $var(lrps)) {
 sl_send_reply(RATE_LIMIT_CODE, RATE_LIMIT_MESSAGE);
 xlog("L_INFO", "$ci|RL-$var(entity-type) log| Out of $rm $var(rps) rate limits: $sht(rps=>$var(rps)) > $var(lrps))");
@@ -231,21 +227,21 @@ route[DO_DOS_PREVENTION] {
 }
 # Commmon checks for ALL packet including INVITE and REGISTER
 if ($sht(tps=>$var(tps)) > $var(ltps)) {
-# if (isflagset(FLAG_IS_REPLY)) {
-# xlog("L_INFO", "$ci|RL-$var(entity-type) log| Out of TOTAL($rm::$rs $rr) $var(tps) rate limits: $sht(tps=>$var(tps)) > $var(ltps))");
-# } else {
+ if (isflagset(FLAG_IS_REPLY)) {
+ xlog("L_INFO", "$ci|RL-$var(entity-type) log| Out of TOTAL($rm::$rs $rr) $var(tps) rate limits: $sht(tps=>$var(tps)) > $var(ltps))");
+ } else {
 sl_send_reply(RATE_LIMIT_CODE, RATE_LIMIT_MESSAGE);
 xlog("L_INFO", "$ci|RL-$var(entity-type) log| Out of TOTAL($rm) $var(tps) rate limits: $sht(tps=>$var(tps)) > $var(ltps))");
-# }
+ }
 exit;
 }
 if ($sht(tpm=>$var(tpm)) > $var(ltpm)) {
-# if (isflagset(FLAG_IS_REPLY)) {
-# xlog("L_INFO", "$ci|RL-$var(entity-type) log| Out of TOTAL($rm::$rs $rr) $var(tpm) rate limits: $sht(tpm=>$var(tpm)) > $var(ltpm))");
-# } else {
+ if (isflagset(FLAG_IS_REPLY)) {
+ xlog("L_INFO", "$ci|RL-$var(entity-type) log| Out of TOTAL($rm::$rs $rr) $var(tpm) rate limits: $sht(tpm=>$var(tpm)) > $var(ltpm))");
+ } else {
 sl_send_reply(RATE_LIMIT_CODE, RATE_LIMIT_MESSAGE);
 xlog("L_INFO", "$ci|RL-$var(entity-type) log| Out of TOTAL($rm) $var(tpm) rate limits: $sht(tpm=>$var(tpm)) > $var(ltpm))");
-# }
+ }
 exit;
 }
 }
From 85cba65aaa6918a85e82e1fae86cb1ca8772a6d5 Mon Sep 17 00:00:00 2001
From: "SIPLABS, LLC"
Date: Fri, 13 Feb 2015 15:58:40 +0700
Subject: [PATCH 05/12] acl-role
---
 kamailio/acl-role.cfg | 238 ++++++++++++++++++++++++++++++++++++++++++
 kamailio/default.cfg | 17 +++
 kamailio/local.cfg | 1 +
 3 files changed, 256 insertions(+)
 create mode 100644 kamailio/acl-role.cfg
diff --git a/kamailio/acl-role.cfg b/kamailio/acl-role.cfg
new file mode 100644
index 0000000..a45365f
--- /dev/null
+++ b/kamailio/acl-role.cfg
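Review bot: In the reply branch the over-limit case only logs and then runs `exit;`, and what that does to the reply is not visible here: if `exit` in a reply route ends the script but still relays the reply, counting replies can never throttle anything and the log line is the entire effect; if it discards the reply, far-end 200 OK and BYE responses above the TOTAL rate are dropped and the dialogs hang until retransmission. Either way the intent should be stated above the branch, e.g. `# replies are counted against TOTAL and logged only; they are not answered or dropped here` (or `drop` used deliberately if discarding is wanted), and the reply-side xlog deserves L_WARNING rather than L_INFO since it is the only signal an operator gets. The enclosing DO_DOS_PREVENTION starts outside the hunk.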
@@ -0,0 +1,238 @@ +######## DoS prevention module ######## +# Default "order" is "Deny,Allow"(DA). +# So if there is no data from DB request will be permitted by default. +# +loadmodule "ipops.so" +modparam("htable", "htable", "acl=>initval=-1;autoexpire=7200") + +#!trydef ACL_MESSAGE_DENY "Rejected by ACL" +#!trydef ACL_CODE_DENY "603" +#!trydef ACL_ORDER_ALLOW_DENY "AD" +#!trydef ACL_IP_ADDR_ANY "0.0.0.0/0" + +#!trydef IP_REGEX "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}" + +## Route for ACL functionality +route[ACL_CHECK] { + + if (isflagset(FLAG_IS_REPLY)) { + $var(sip-packet) = $rs; + } else { + $var(sip-packet) = $rm; + } + + # FIXUP for BYE method with IPinstead of REALM in From, take REALM fron To header + if ($fd =~ IP_REGEX) { + xlog("L_WARNING","$ci |ACL-realm| Fixup for $var(sip-packet) with IP in from URI: use to-domain"); + $var(realm) = $td; + } else { + $var(realm) = $fd; + } + + $var(acl-realm-request) = "false"; + $var(acl-device-request) = "false"; + + $var(realm-decision) = $sht(acl=>$var(realm)/$si); + + if ($var(realm-decision) == -1) { # we do not have cached decision + $var(acl-realm-request) = "true"; + } else if ($var(realm-decision) == 1 ){ # We have cached decision, let's use it + xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is permitted by ACL for $var(realm)\n"); + return; + } else { + if (!isflagset(FLAG_IS_REPLY)) { + sl_send_reply(ACL_CODE_DENY, ACL_MESSAGE_DENY); + } + xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is rejected by ACL for $var(realm)\n"); + exit; + } + + if (not_empty("$fU")) { + if ($fd =~ IP_REGEX) { + xlog("L_WARNING","$ci |ACL-device| Fixup for $var(sip-packet) with IP in from URI: use to-domain"); + $var(device) = $fU + "@" + $td; + } else { + $var(device) = $fU + "@" + $fd; + } + $var(device-decision) = $sht(acl=>$var(device)/$si); + + if ($var(device-decision) == -1) { # we do not have cached decision + $var(acl-device-request) = "true"; + } else if ($var(device-decision) == 1 ){ # We have 
cached decision, let's use it + xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is permitted by ACL for $var(device)\n"); + return; + } else { + if (!isflagset(FLAG_IS_REPLY)) { + sl_send_reply(ACL_CODE_DENY, ACL_MESSAGE_DENY); + } + xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is rejected by ACL for $var(device)\n"); + exit; + } + } + + if ($var(acl-realm-request) == "true" || $var(acl-device-request)) { + if (not_empty("$fU")) + $var(query) = "{'Event-Category': 'acl', 'Event-Name': 'query', 'Entity': '" + $var(device) + "', 'With-Realm': " + $var(acl-realm-request) + "}"; + else + $var(query) = "{'Event-Category': 'acl', 'Event-Name': 'query', 'Entity': '" + $var(realm) + "'}"; + xlog("L_INFO", "$ci |ACL log| Query: $var(query)"); + if (kazoo_query("frontier", "sbc_config", $var(query), "$var(acl-response)")) { + xlog("L_INFO", "$ci |ACL log| Response: $var(acl-response)"); + + kazoo_json($var(acl-response), "Realm.Order", "$var(acl-realm-order)"); + kazoo_json($var(acl-response), "Realm.CIDR", "$var(acl-realm-cidr)"); + kazoo_json($var(acl-response), "Realm.CIDR.length", "$var(acl-realm-cidr-len)"); + kazoo_json($var(acl-response), "Realm.User-Agent", "$var(acl-realm-ua)"); + kazoo_json($var(acl-response), "Device.Order", "$var(acl-device-order)"); + kazoo_json($var(acl-response), "Device.CIDR", "$var(acl-device-cidr)"); + kazoo_json($var(acl-response), "Device.CIDR.length","$var(acl-device-cidr-len)"); + kazoo_json($var(acl-response), "Device.User-Agent", "$var(acl-device-ua)"); + + } else { + xlog("L_ERROR","$ci |ACL log| DB is unreachable"); + $sht(acl=>$var(device)/$si) = 1; + xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is permitted by ACL for $var(device)\n"); + return; + } + } + + route(ACL_CHECK_REALM); + if (not_empty("$fU")) { + route(ACL_CHECK_DEVICE); + } +} + +# Check ORDER setting for REALM +route[ACL_CHECK_REALM] { + if (not_empty("$var(acl-realm-order)")) { + if ($var(acl-realm-order) == ACL_ORDER_ALLOW_DENY) { + 
route(ACL_CHECK_REALM_ALLOW); + } else { + route(ACL_CHECK_REALM_DENY); + } + } else { + xlog("L_INFO","$ci |ACL-realm| undefined Order in response for $var(realm)"); + $sht(acl=>$var(realm)/$si) = 1; + xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is permitted by ACL for $var(realm)\n"); + } +} + +route[ACL_CHECK_REALM_ALLOW] { + if (not_empty("$var(acl-realm-cidr)")) { + $var(i) = 0; + xlog("L_INFO", "$ci |ACL-realm| checking $var(acl-realm-cidr-len) record(s)"); + while($var(i) < $var(acl-realm-cidr-len)) { + kazoo_json($var(acl-realm-cidr), "[$var(i)]", "$var(record)"); + xlog("L_INFO", "$ci |ACL-realm| checking if $si is in $var(record)"); + if (($var(record) == ACL_IP_ADDR_ANY) || is_in_subnet("$si", $var(record))) { + $sht(acl=>$var(realm)/$si) = 1; + xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is permitted by ACL for $var(realm)\n"); + return; + } + $var(i) = $var(i) + 1; + } + } else { + xlog("L_INFO", "$ci |ACL-realm| undefined CIDR in response for $var(realm)"); + } + # Remember in CACHE and DENY + $sht(acl=>$var(realm)/$si) = 0; + if (!isflagset(FLAG_IS_REPLY)) { + sl_send_reply(ACL_CODE_DENY, ACL_MESSAGE_DENY); + } + xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is rejected by ACL for $var(realm)\n"); + exit; +} + +route[ACL_CHECK_REALM_DENY] { + $var(size) = $(kzR{kz.json,Realm.CIDR.length}); + if (not_empty("$var(acl-realm-cidr)")) { + $var(i) = 0; + xlog("L_INFO", "$ci |ACL-realm| checking $var(acl-realm-cidr-len) record(s)"); + while($var(i) < $var(acl-realm-cidr-len)) { + kazoo_json($var(acl-realm-cidr), "[$var(i)]", "$var(record)"); + xlog("L_INFO", "$ci |ACL-realm| checking if $si is in $var(record)"); + if (($var(record) == ACL_IP_ADDR_ANY) || is_in_subnet("$si", $var(record))) { + $sht(acl=>$var(realm)/$si) = 0; + if (!isflagset(FLAG_IS_REPLY)) { + sl_send_reply(ACL_CODE_DENY, ACL_MESSAGE_DENY); + } + xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is rejected by ACL for $var(realm)\n"); + exit; + } + $var(i) = $var(i) 
+ 1; + } + } else { + xlog("L_INFO", "$ci |ACL-realm| undefined CIDR in response for $var(realm)"); + } + # Remember in CACHE and ALLOW + $sht(acl=>$var(realm)/$si) = 1; + xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is permitted by ACL for $var(realm)\n"); + return; +} + +# Check ORDER setting for DEVICE +route[ACL_CHECK_DEVICE] { + if (not_empty("$var(acl-device-order)")) { + if ($var(acl-device-order) == ACL_ORDER_ALLOW_DENY) { + route(ACL_CHECK_DEVICE_ALLOW); + } else { + route(ACL_CHECK_DEVICE_DENY); + } + } else { + xlog("L_INFO","$ci |ACL-device| undefined Order in response for $var(device)"); + $sht(acl=>$var(device)/$si) = 1; + xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is permitted by ACL for $var(device)\n"); + } +} + +route[ACL_CHECK_DEVICE_ALLOW] { + if (not_empty("$var(acl-device-cidr)")) { + $var(i) = 0; + xlog("L_INFO", "$ci |ACL-realm| checking $var(acl-device-cidr-len) record(s)"); + while($var(i) < $var(acl-device-cidr-len)) { + kazoo_json($var(acl-device-cidr), "[$var(i)]", "$var(record)"); + xlog("L_INFO", "$ci |ACL-realm| checking if $si is in $var(record)"); + if (($var(record) == ACL_IP_ADDR_ANY) || is_in_subnet("$si", $var(record))) { + $sht(acl=>$var(device)/$si) = 1; + xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is permitted by ACL for $var(device)\n"); + return; + } + $var(i) = $var(i) + 1; + } + } else { + xlog("L_INFO", "$ci |ACL-realm| undefined CIDR in response for $var(device)"); + } + # Remember in CACHE and DENY + $sht(acl=>$var(device)/$si) = 0; + if (!isflagset(FLAG_IS_REPLY)) { + sl_send_reply(ACL_CODE_DENY, ACL_MESSAGE_DENY); + } + xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is rejected by ACL for $var(device)\n"); + exit; +} + +route[ACL_CHECK_DEVICE_DENY] { + if (not_empty("$var(acl-device-cidr)")) { + $var(i) = 0; + xlog("L_INFO", "$ci |ACL-device| checking $var(acl-device-cidr-len) record(s)"); + while($var(i) < $var(acl-device-cidr-len)) { + kazoo_json($var(acl-device-cidr), "[$var(i)]", 
"$var(record)"); + xlog("L_INFO", "$ci |ACL-device| checking if $si is in $var(record)"); + if (($var(record) == ACL_IP_ADDR_ANY) || is_in_subnet("$si", $var(record))) { + $sht(acl=>$var(device)/$si) = 0; + if (!isflagset(FLAG_IS_REPLY)) { + sl_send_reply(ACL_CODE_DENY, ACL_MESSAGE_DENY); + } + xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is rejected by ACL for $var(device)\n"); + exit; + } + $var(i) = $var(i) + 1; + } + } else { + xlog("L_INFO", "$ci |ACL-device| undefined CIDR in response for $var(device)"); + } + # Remember in CACHE and ALLOW + $sht(acl=>$var(device)/$si) = 1; + xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is permitted by ACL for $var(device)\n"); + return; +} diff --git a/kamailio/default.cfg b/kamailio/default.cfg index e6c6837..e338c54 100644 --- a/kamailio/default.cfg +++ b/kamailio/default.cfg @@ -190,6 +190,9 @@ include_file "antiflood-role.cfg" #!ifdef TRAFFIC-FILTER-ROLE include_file "traffic-filter-role.cfg" #!endif +#!ifdef ACL-ROLE +include_file "acl-role.cfg" +#!endif #!ifdef RATE-LIMITER-ROLE include_file "rate-limiter-role.cfg" #!endif @@ -221,6 +224,10 @@ route route(TRAFFIC_FILTER); #!endif + #!ifdef ACL-ROLE + route(ACL_CHECK); + #!endif + #!ifdef RATE-LIMITER-ROLE route(DOS_PREVENTION); #!endif @@ -502,6 +509,11 @@ onreply_route[EXTERNAL_REPLY] route(NAT_TEST_AND_CORRECT); #!endif + #!ifdef ACL-ROLE + setflag(FLAG_IS_REPLY); + route(ACL_CHECK); + #!endif + #!ifdef RATE-LIMITER-ROLE setflag(FLAG_IS_REPLY); route(DOS_PREVENTION); @@ -518,6 +530,11 @@ onreply_route[INTERNAL_REPLY] route(NAT_WEBSOCKETS_CORRECT); #!endif + #!ifdef ACL-ROLE + setflag(FLAG_IS_REPLY); + route(ACL_CHECK); + #!endif + #!ifdef RATE-LIMITER-ROLE setflag(FLAG_IS_REPLY); route(DOS_PREVENTION); diff --git a/kamailio/local.cfg b/kamailio/local.cfg index 4d7357b..7e12270 100644 --- a/kamailio/local.cfg +++ b/kamailio/local.cfg 
@@ -18,6 +18,7 @@ debug = L_INFO # # #!trydef TLS-ROLE # # #!trydef ANTIFLOOD-ROLE # # #!trydef RATE-LIMITER-ROLE +# # #!trydef ACL-ROLE ################################################################################ ## SERVER INFORMATION From ce290078f0d50c5933f43807aa5f9a85e20be033 Mon Sep 17 00:00:00 2001 From: "SIPLABS, LLC" Date: Fri, 13 Feb 2015 16:15:10 +0700 Subject: [PATCH 06/12] do not check trusted sources --- kamailio/acl-role.cfg | 7 +++++++ kamailio/rate-limiter-role.cfg | 6 ++++++ 2 files changed, 13 insertions(+) diff --git a/kamailio/acl-role.cfg b/kamailio/acl-role.cfg index a45365f..2439f9a 100644 --- a/kamailio/acl-role.cfg +++ b/kamailio/acl-role.cfg @@ -15,6 +15,13 @@ modparam("htable", "htable", "acl=>initval=-1;autoexpire=7200") ## Route for ACL functionality route[ACL_CHECK] { + # If packet came from platform or from 4 class MERA, do not check it + if (isflagset(FLAG_INTERNALLY_SOURCED) || isflagset(FLAG_TRUSTED_SOURCE) ) { + xlog("L_DEBUG", "$ci |ACL| Trusted source IP($si) ignoring"); + return; + } + + if (isflagset(FLAG_IS_REPLY)) { $var(sip-packet) = $rs; } else { diff --git a/kamailio/rate-limiter-role.cfg b/kamailio/rate-limiter-role.cfg index 9f037b4..f39a184 100644 --- a/kamailio/rate-limiter-role.cfg +++ b/kamailio/rate-limiter-role.cfg @@ -13,6 +13,12 @@ modparam("htable", "htable", "rate_limits=>initval=-1;autoexpire=60") # init route[DOS_PREVENTION] { + # If packet came from platform or from 4 class MERA, do not check it + if (isflagset(FLAG_INTERNALLY_SOURCED) || isflagset(FLAG_TRUSTED_SOURCE) ) { + xlog("L_DEBUG", "$ci |RL| Trusted source IP($si) ignoring"); + return; + } + # Initially we do not want to get data $var(with-realm-request) = "false"; $var(with-realm-total) = "false"; From 840b7fc4599c8caf5d43c70adb0f84743181c99d Mon Sep 17 00:00:00 2001 
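Review bot: The new trusted-source early return in `route[DOS_PREVENTION]` exempts `FLAG_TRUSTED_SOURCE` peers from every counter, so a misbehaving or compromised trusted peer (the "class 4 MERA" the comment mentions) has no rate cap at all, and the bypass is only visible at `L_DEBUG`. If the intent is merely not to reject trusted traffic, I would keep counting it and skip only the enforcement step, so the rps/tps tables still reflect what those peers send; if a full exemption is really intended, say so in the comment, e.g. `# trusted peers are fully exempt from rate limiting (counters are not updated)`. The matching early return in `route[ACL_CHECK]` is only as strong as the way `FLAG_TRUSTED_SOURCE` is set — it must derive from the source address, never from header content; where the flag is set is outside this diff.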
From: "SIPLABS, LLC" Date: Tue, 3 Mar 2015 17:23:21 +0700 Subject: [PATCH 07/12] use "allow,deny" or "deny,allow" constants instead of "AD" or "DA" --- kamailio/acl-role.cfg | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kamailio/acl-role.cfg b/kamailio/acl-role.cfg index 2439f9a..50234a4 100644 --- a/kamailio/acl-role.cfg +++ b/kamailio/acl-role.cfg @@ -1,5 +1,5 @@ ######## DoS prevention module ######## -# Default "order" is "Deny,Allow"(DA). +# Default "order" is "deny,allow". # So if there is no data from DB request will be permitted by default. # loadmodule "ipops.so" @@ -7,7 +7,7 @@ modparam("htable", "htable", "acl=>initval=-1;autoexpire=7200") #!trydef ACL_MESSAGE_DENY "Rejected by ACL" #!trydef ACL_CODE_DENY "603" -#!trydef ACL_ORDER_ALLOW_DENY "AD" +#!trydef ACL_ORDER_ALLOW_DENY "allow,deny" #!trydef ACL_IP_ADDR_ANY "0.0.0.0/0" #!trydef IP_REGEX "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}" @@ -28,7 +28,7 @@ route[ACL_CHECK] { $var(sip-packet) = $rm; } - # FIXUP for BYE method with IPinstead of REALM in From, take REALM fron To header + # FIX for BYE method with IP instead of REALM in From, take REALM from To header if ($fd =~ IP_REGEX) { xlog("L_WARNING","$ci |ACL-realm| Fixup for $var(sip-packet) with IP in from URI: use to-domain"); $var(realm) = $td; From bcd1c26d50fe239ad621491ffcdcd0110cce4eac Mon Sep 17 00:00:00 2001 From: "SIPLABS, LLC" Date: Tue, 3 Mar 2015 17:23:49 +0700 Subject: [PATCH 08/12] check User-Agent header for device --- kamailio/acl-role.cfg | 38 ++++++++++++++++++++++++-------------- 1 file changed, 24 insertions(+), 14 deletions(-) diff --git a/kamailio/acl-role.cfg b/kamailio/acl-role.cfg index 50234a4..e5a4d7a 100644 --- a/kamailio/acl-role.cfg +++ b/kamailio/acl-role.cfg 
@@ -89,7 +89,6 @@ route[ACL_CHECK] { kazoo_json($var(acl-response), "Realm.Order", "$var(acl-realm-order)"); kazoo_json($var(acl-response), "Realm.CIDR", "$var(acl-realm-cidr)"); kazoo_json($var(acl-response), "Realm.CIDR.length", "$var(acl-realm-cidr-len)"); - kazoo_json($var(acl-response), "Realm.User-Agent", "$var(acl-realm-ua)"); kazoo_json($var(acl-response), "Device.Order", "$var(acl-device-order)"); kazoo_json($var(acl-response), "Device.CIDR", "$var(acl-device-cidr)"); kazoo_json($var(acl-response), "Device.CIDR.length","$var(acl-device-cidr-len)"); 
@@ -193,21 +192,23 @@ route[ACL_CHECK_DEVICE] { } route[ACL_CHECK_DEVICE_ALLOW] { - if (not_empty("$var(acl-device-cidr)")) { - $var(i) = 0; - xlog("L_INFO", "$ci |ACL-realm| checking $var(acl-device-cidr-len) record(s)"); - while($var(i) < $var(acl-device-cidr-len)) { - kazoo_json($var(acl-device-cidr), "[$var(i)]", "$var(record)"); - xlog("L_INFO", "$ci |ACL-realm| checking if $si is in $var(record)"); - if (($var(record) == ACL_IP_ADDR_ANY) || is_in_subnet("$si", $var(record))) { - $sht(acl=>$var(device)/$si) = 1; - xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is permitted by ACL for $var(device)\n"); - return; + if (!not_empty("$var(acl-device-ua)") || (not_empty("$var(acl-device-ua)") && $ua =~ $var(acl-device-ua))) { + if (not_empty("$var(acl-device-cidr)")) { + $var(i) = 0; + xlog("L_INFO", "$ci |ACL-realm| checking $var(acl-device-cidr-len) record(s)"); + while($var(i) < $var(acl-device-cidr-len)) { + kazoo_json($var(acl-device-cidr), "[$var(i)]", "$var(record)"); + xlog("L_INFO", "$ci |ACL-realm| checking if $si is in $var(record)"); + if (($var(record) == ACL_IP_ADDR_ANY) || is_in_subnet("$si", $var(record))) { + $sht(acl=>$var(device)/$si) = 1; + xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is permitted by ACL for $var(device)\n"); + return; + } + $var(i) = $var(i) + 1; } - $var(i) = $var(i) + 1; + } else { + xlog("L_INFO", "$ci |ACL-realm| undefined CIDR in response for $var(device)"); } - } else { - xlog("L_INFO", "$ci |ACL-realm| undefined CIDR in response for $var(device)"); } # Remember in CACHE and DENY $sht(acl=>$var(device)/$si) = 0; 
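Review bot: The new gate in `route[ACL_CHECK_DEVICE_ALLOW]`, `$ua =~ $var(acl-device-ua)`, authorizes on the User-Agent header, which is entirely chosen by the sender, so a matching value can be copied from any capture of the legitimate device; it can narrow an allow list but cannot stand in for the CIDR check, and a comment should say so, e.g. `# User-Agent is client-supplied: a filter on top of CIDR, not an identity check`. Two edge cases are left implicit: a request without a User-Agent header leaves `$ua` null (how `=~` treats a null left side should be confirmed), and the pattern comes from the backend and, with a variable on the right-hand side, is presumably compiled per request, so a bad pattern there fails every device lookup in this order — a `$ua` presence check before the match and an `L_WARN` when the match cannot be evaluated would make both visible. The log prefix in this route still reads `|ACL-realm|` for device checks (carried over from the realm route), which will mislead anyone grepping logs for the device path.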
@@ -219,6 +220,15 @@ route[ACL_CHECK_DEVICE_ALLOW] { } route[ACL_CHECK_DEVICE_DENY] { + if (not_empty("$var(acl-device-ua)") && !($ua =~ $var(acl-device-ua))) { + $sht(acl=>$var(device)/$si) = 0; + if (!isflagset(FLAG_IS_REPLY)) { + sl_send_reply(ACL_CODE_DENY, ACL_MESSAGE_DENY); + } + xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is rejected by ACL for $var(device)\n"); + exit; + } + if (not_empty("$var(acl-device-cidr)")) { $var(i) = 0; xlog("L_INFO", "$ci |ACL-device| checking $var(acl-device-cidr-len) record(s)"); From 8c9170a4d0705830822f628df86abe44b04a788b Mon Sep 17 00:00:00 2001 From: "SIPLABS, LLC" Date: Thu, 19 Mar 2015 19:18:28 +0700 Subject: [PATCH 09/12] fix access ACL record checking --- kamailio/acl-role.cfg | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/kamailio/acl-role.cfg b/kamailio/acl-role.cfg index e5a4d7a..c940cad 100644 --- a/kamailio/acl-role.cfg +++ b/kamailio/acl-role.cfg @@ -88,10 +88,8 @@ route[ACL_CHECK] { kazoo_json($var(acl-response), "Realm.Order", "$var(acl-realm-order)"); kazoo_json($var(acl-response), "Realm.CIDR", "$var(acl-realm-cidr)"); - kazoo_json($var(acl-response), "Realm.CIDR.length", "$var(acl-realm-cidr-len)"); kazoo_json($var(acl-response), "Device.Order", "$var(acl-device-order)"); kazoo_json($var(acl-response), "Device.CIDR", "$var(acl-device-cidr)"); - kazoo_json($var(acl-response), "Device.CIDR.length","$var(acl-device-cidr-len)"); kazoo_json($var(acl-response), "Device.User-Agent", "$var(acl-device-ua)"); } else { 
@@ -126,9 +124,8 @@ route[ACL_CHECK_REALM] { route[ACL_CHECK_REALM_ALLOW] { if (not_empty("$var(acl-realm-cidr)")) { $var(i) = 0; - xlog("L_INFO", "$ci |ACL-realm| checking $var(acl-realm-cidr-len) record(s)"); - while($var(i) < $var(acl-realm-cidr-len)) { - kazoo_json($var(acl-realm-cidr), "[$var(i)]", "$var(record)"); + kazoo_json($var(acl-response), "Realm.CIDR[$var(i)]", "$var(record)");; + while(not_empty("$var(record)")) { xlog("L_INFO", "$ci |ACL-realm| checking if $si is in $var(record)"); if (($var(record) == ACL_IP_ADDR_ANY) || is_in_subnet("$si", $var(record))) { $sht(acl=>$var(realm)/$si) = 1; @@ -136,6 +133,7 @@ route[ACL_CHECK_REALM_ALLOW] { return; } $var(i) = $var(i) + 1; + kazoo_json($var(acl-response), "Realm.CIDR[$var(i)]", "$var(record)");; } } else { xlog("L_INFO", "$ci |ACL-realm| undefined CIDR in response for $var(realm)"); @@ -153,9 +151,8 @@ route[ACL_CHECK_REALM_DENY] { $var(size) = $(kzR{kz.json,Realm.CIDR.length}); if (not_empty("$var(acl-realm-cidr)")) { $var(i) = 0; - xlog("L_INFO", "$ci |ACL-realm| checking $var(acl-realm-cidr-len) record(s)"); - while($var(i) < $var(acl-realm-cidr-len)) { - kazoo_json($var(acl-realm-cidr), "[$var(i)]", "$var(record)"); + kazoo_json($var(acl-response), "Realm.CIDR[$var(i)]", "$var(record)");; + while(not_empty("$var(record)")) { xlog("L_INFO", "$ci |ACL-realm| checking if $si is in $var(record)"); if (($var(record) == ACL_IP_ADDR_ANY) || is_in_subnet("$si", $var(record))) { $sht(acl=>$var(realm)/$si) = 0; @@ -166,6 +163,7 @@ route[ACL_CHECK_REALM_DENY] { exit; } $var(i) = $var(i) + 1; + kazoo_json($var(acl-response), "Realm.CIDR[$var(i)]", "$var(record)");; } } else { xlog("L_INFO", "$ci |ACL-realm| undefined CIDR in response for $var(realm)"); 
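Review bot: The rewritten loops in `route[ACL_CHECK_REALM_ALLOW]` and `route[ACL_CHECK_REALM_DENY]` now terminate on `while(not_empty("$var(record)"))`, so they only end if `kazoo_json(..., "Realm.CIDR[$var(i)]", ...)` actually clears `$var(record)` when the index runs past the array; if it leaves the variable untouched on a missing path (I have not checked the kazoo module for this), the last record is matched forever and the worker spins. A defensive `$var(record) = $null;` immediately before each `kazoo_json` call, or a hard ceiling such as `&& $var(i) < 64` in the loop condition, makes termination independent of that detail. An empty-string element inside the CIDR array also ends the walk early; in the deny-order route every entry after it is then skipped and the request is permitted. The `$var(size) = $(kzR{kz.json,Realm.CIDR.length});` line left as context in the DENY route reads `$kzR` instead of `$var(acl-response)` and is not used anywhere the hunk shows — drop it, and the `;;` after the new `kazoo_json` calls looks like a paste slip.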
@@ -195,9 +193,8 @@ route[ACL_CHECK_DEVICE_ALLOW] { if (!not_empty("$var(acl-device-ua)") || (not_empty("$var(acl-device-ua)") && $ua =~ $var(acl-device-ua))) { if (not_empty("$var(acl-device-cidr)")) { $var(i) = 0; - xlog("L_INFO", "$ci |ACL-realm| checking $var(acl-device-cidr-len) record(s)"); - while($var(i) < $var(acl-device-cidr-len)) { - kazoo_json($var(acl-device-cidr), "[$var(i)]", "$var(record)"); + kazoo_json($var(acl-response), "Device.CIDR[$var(i)]", "$var(record)");; + while(not_empty("$var(record)")) { xlog("L_INFO", "$ci |ACL-realm| checking if $si is in $var(record)"); if (($var(record) == ACL_IP_ADDR_ANY) || is_in_subnet("$si", $var(record))) { $sht(acl=>$var(device)/$si) = 1; @@ -205,6 +202,7 @@ route[ACL_CHECK_DEVICE_ALLOW] { return; } $var(i) = $var(i) + 1; + kazoo_json($var(acl-response), "Device.CIDR[$var(i)]", "$var(record)");; } } else { xlog("L_INFO", "$ci |ACL-realm| undefined CIDR in response for $var(device)"); @@ -231,9 +229,8 @@ route[ACL_CHECK_DEVICE_DENY] { if (not_empty("$var(acl-device-cidr)")) { $var(i) = 0; - xlog("L_INFO", "$ci |ACL-device| checking $var(acl-device-cidr-len) record(s)"); - while($var(i) < $var(acl-device-cidr-len)) { - kazoo_json($var(acl-device-cidr), "[$var(i)]", "$var(record)"); + kazoo_json($var(acl-response), "Device.CIDR[$var(i)]", "$var(record)");; + while(not_empty("$var(record)")) { xlog("L_INFO", "$ci |ACL-device| checking if $si is in $var(record)"); if (($var(record) == ACL_IP_ADDR_ANY) || is_in_subnet("$si", $var(record))) { $sht(acl=>$var(device)/$si) = 0; @@ -244,6 +241,7 @@ route[ACL_CHECK_DEVICE_DENY] { exit; } $var(i) = $var(i) + 1; + kazoo_json($var(acl-response), "Device.CIDR[$var(i)]", "$var(record)");; } } else { xlog("L_INFO", "$ci |ACL-device| undefined CIDR in response for $var(device)"); From 418a1820a3f96daba08b354ee122911fdf0b7628 Mon Sep 17 00:00:00 2001 
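Review bot: `route[ACL_CHECK_DEVICE_DENY]` (third and fourth hunks) now stops walking `Device.CIDR` at the first element for which `kazoo_json` yields an empty `$var(record)`, and because the route falls through to `$sht(acl=>$var(device)/$si) = 1` after the loop, an empty element in the middle of a deny list silently allows every address a later entry would have blocked — and caches that allow until the htable entry expires. I would make the walk fail closed here: remember whether the loop stopped before the array was exhausted (e.g. compare `$var(i)` with a length the backend also returns) and treat an incomplete walk in deny order as a deny. The same sentinel loop in `route[ACL_CHECK_DEVICE_ALLOW]` has the opposite, safer failure (truncation denies), which deserves a comment so the asymmetry is understood: `# walk ends at first empty element: in deny order a truncated list fails open`.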
From: "SIPLABS, LLC" Date: Thu, 19 Mar 2015 19:19:35 +0700 Subject: [PATCH 10/12] fix ACL logic --- kamailio/acl-role.cfg | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/kamailio/acl-role.cfg b/kamailio/acl-role.cfg index c940cad..eb0bac1 100644 --- a/kamailio/acl-role.cfg +++ b/kamailio/acl-role.cfg @@ -45,7 +45,6 @@ route[ACL_CHECK] { $var(acl-realm-request) = "true"; } else if ($var(realm-decision) == 1 ){ # We have cached decision, let's use it xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is permitted by ACL for $var(realm)\n"); - return; } else { if (!isflagset(FLAG_IS_REPLY)) { sl_send_reply(ACL_CODE_DENY, ACL_MESSAGE_DENY); @@ -67,7 +66,6 @@ route[ACL_CHECK] { $var(acl-device-request) = "true"; } else if ($var(device-decision) == 1 ){ # We have cached decision, let's use it xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is permitted by ACL for $var(device)\n"); - return; } else { if (!isflagset(FLAG_IS_REPLY)) { sl_send_reply(ACL_CODE_DENY, ACL_MESSAGE_DENY); @@ -77,7 +75,7 @@ route[ACL_CHECK] { } } - if ($var(acl-realm-request) == "true" || $var(acl-device-request)) { + if ($var(acl-realm-request) == "true" || $var(acl-device-request) == "true") { if (not_empty("$fU")) $var(query) = "{'Event-Category': 'acl', 'Event-Name': 'query', 'Entity': '" + $var(device) + "', 'With-Realm': " + $var(acl-realm-request) + "}"; else @@ -100,9 +98,10 @@ route[ACL_CHECK] { } } - route(ACL_CHECK_REALM); - if (not_empty("$fU")) { - route(ACL_CHECK_DEVICE); + route(ACL_CHECK_REALM); + if (not_empty("$fU")) { + route(ACL_CHECK_DEVICE); + } } } From 317d8b6bdf7f2d7197c73c38aac5dfe7a004c6f0 Mon Sep 17 00:00:00 2001 From: "SIPLABS, LLC" Date: Thu, 19 Mar 2015 19:23:51 +0700 Subject: [PATCH 11/12] update logs --- kamailio/acl-role.cfg | 67 ++++++++++++++++++++++--------------------- 1 file changed, 34 insertions(+), 33 deletions(-) diff --git a/kamailio/acl-role.cfg b/kamailio/acl-role.cfg index eb0bac1..d0cbcb4 100644 
--- a/kamailio/acl-role.cfg +++ b/kamailio/acl-role.cfg @@ -17,7 +17,7 @@ route[ACL_CHECK] { # If packet came from platform or from 4 class MERA, do not check it if (isflagset(FLAG_INTERNALLY_SOURCED) || isflagset(FLAG_TRUSTED_SOURCE) ) { - xlog("L_DEBUG", "$ci |ACL| Trusted source IP($si) ignoring"); + xlog("L_DEBUG", "$ci|ACL|Trusted source IP($si) ignoring"); return; } @@ -30,7 +30,7 @@ route[ACL_CHECK] { # FIX for BYE method with IP instead of REALM in From, take REALM from To header if ($fd =~ IP_REGEX) { - xlog("L_WARNING","$ci |ACL-realm| Fixup for $var(sip-packet) with IP in from URI: use to-domain"); + xlog("L_WARNING","$ci|ACL-realm|Fix for $var(sip-packet) with IP in from URI: use to-domain"); $var(realm) = $td; } else { $var(realm) = $fd; @@ -44,18 +44,18 @@ route[ACL_CHECK] { if ($var(realm-decision) == -1) { # we do not have cached decision $var(acl-realm-request) = "true"; } else if ($var(realm-decision) == 1 ){ # We have cached decision, let's use it - xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is permitted by ACL for $var(realm)\n"); + xlog("L_INFO", "$ci|ACL|$var(sip-packet) from $si is permitted by ACL for $var(realm)\n"); } else { if (!isflagset(FLAG_IS_REPLY)) { sl_send_reply(ACL_CODE_DENY, ACL_MESSAGE_DENY); } - xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is rejected by ACL for $var(realm)\n"); + xlog("L_INFO", "$ci|ACL|$var(sip-packet) from $si is rejected by ACL for $var(realm)\n"); exit; } if (not_empty("$fU")) { if ($fd =~ IP_REGEX) { - xlog("L_WARNING","$ci |ACL-device| Fixup for $var(sip-packet) with IP in from URI: use to-domain"); + xlog("L_WARNING","$ci|ACL-device|Fix for $var(sip-packet) with IP in from URI: use to-domain"); $var(device) = $fU + "@" + $td; } else { $var(device) = $fU + "@" + $fd; 
@@ -65,24 +65,25 @@ route[ACL_CHECK] { if ($var(device-decision) == -1) { # we do not have cached decision $var(acl-device-request) = "true"; } else if ($var(device-decision) == 1 ){ # We have cached decision, let's use it - xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is permitted by ACL for $var(device)\n"); + xlog("L_INFO", "$ci|ACL|$var(sip-packet) from $si is permitted by ACL for $var(device)\n"); } else { if (!isflagset(FLAG_IS_REPLY)) { sl_send_reply(ACL_CODE_DENY, ACL_MESSAGE_DENY); } - xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is rejected by ACL for $var(device)\n"); + xlog("L_INFO", "$ci|ACL|$var(sip-packet) from $si is rejected by ACL for $var(device)\n"); exit; } } + if ($var(acl-realm-request) == "true" || $var(acl-device-request) == "true") { if (not_empty("$fU")) $var(query) = "{'Event-Category': 'acl', 'Event-Name': 'query', 'Entity': '" + $var(device) + "', 'With-Realm': " + $var(acl-realm-request) + "}"; else $var(query) = "{'Event-Category': 'acl', 'Event-Name': 'query', 'Entity': '" + $var(realm) + "'}"; - xlog("L_INFO", "$ci |ACL log| Query: $var(query)"); + xlog("L_DBG", "$ci|ACL log|Query: $var(query)"); if (kazoo_query("frontier", "sbc_config", $var(query), "$var(acl-response)")) { - xlog("L_INFO", "$ci |ACL log| Response: $var(acl-response)"); + xlog("L_DBG", "$ci|ACL log|Response: $var(acl-response)"); kazoo_json($var(acl-response), "Realm.Order", "$var(acl-realm-order)"); kazoo_json($var(acl-response), "Realm.CIDR", "$var(acl-realm-cidr)"); 
@@ -91,18 +92,18 @@ route[ACL_CHECK] { kazoo_json($var(acl-response), "Device.User-Agent", "$var(acl-device-ua)"); } else { - xlog("L_ERROR","$ci |ACL log| DB is unreachable"); + xlog("L_ERROR","$ci|ACL log|DB is unreachable"); $sht(acl=>$var(device)/$si) = 1; - xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is permitted by ACL for $var(device)\n"); + xlog("L_INFO", "$ci|ACL|$var(sip-packet) from $si is permitted by ACL for $var(device)\n"); return; } - } route(ACL_CHECK_REALM); if (not_empty("$fU")) { route(ACL_CHECK_DEVICE); } } + } # Check ORDER setting for REALM @@ -114,9 +115,9 @@ route[ACL_CHECK_REALM] { route(ACL_CHECK_REALM_DENY); } } else { - xlog("L_INFO","$ci |ACL-realm| undefined Order in response for $var(realm)"); + xlog("L_INFO","$ci|ACL-realm|undefined Order in response for $var(realm)"); $sht(acl=>$var(realm)/$si) = 1; - xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is permitted by ACL for $var(realm)\n"); + xlog("L_INFO", "$ci|ACL|$var(sip-packet) from $si is permitted by ACL for $var(realm)\n"); } } 
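Review bot: The `DB is unreachable` branch in `route[ACL_CHECK]` (first hunk) still fails open and, worse, writes `$sht(acl=>$var(device)/$si) = 1`, so a backend outage of a few seconds hands every device/IP pair that asks during it a cached permit for the table's full `autoexpire` (7200 s in the `acl` htable definition earlier in this file). If fail-open is the deliberate availability trade-off, at least do not cache it — drop the `$sht(...) = 1` line and just return, so the next request re-asks — or bound it with a short per-key expiry via `$shtex(acl=>$var(device)/$si) = 30;` right after the assignment; note also that this branch only keys on `$var(device)`, which is unset when `$fU` is empty. This is the one place a security control is bypassed, so the `L_ERROR` is right but the permit line that follows should not read like a normal allow at `L_INFO` — a distinct marker such as `ACL bypassed (backend unreachable)` lets detection rules pick it out. The second hunk's `undefined Order` fallback permits and caches as well; a comment making that deliberate (`# no Order in the response => deny,allow => permit`) would make the default explicit.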
@@ -125,24 +126,24 @@ route[ACL_CHECK_REALM_ALLOW] { $var(i) = 0; kazoo_json($var(acl-response), "Realm.CIDR[$var(i)]", "$var(record)");; while(not_empty("$var(record)")) { - xlog("L_INFO", "$ci |ACL-realm| checking if $si is in $var(record)"); + xlog("L_INFO", "$ci|ACL-realm|checking if $si is in $var(record)"); if (($var(record) == ACL_IP_ADDR_ANY) || is_in_subnet("$si", $var(record))) { $sht(acl=>$var(realm)/$si) = 1; - xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is permitted by ACL for $var(realm)\n"); + xlog("L_INFO", "$ci|ACL|$var(sip-packet) from $si is permitted by ACL for $var(realm)\n"); return; } $var(i) = $var(i) + 1; kazoo_json($var(acl-response), "Realm.CIDR[$var(i)]", "$var(record)");; } } else { - xlog("L_INFO", "$ci |ACL-realm| undefined CIDR in response for $var(realm)"); + xlog("L_INFO", "$ci|ACL-realm|undefined CIDR in response for $var(realm)"); } # Remember in CACHE and DENY $sht(acl=>$var(realm)/$si) = 0; if (!isflagset(FLAG_IS_REPLY)) { sl_send_reply(ACL_CODE_DENY, ACL_MESSAGE_DENY); } - xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is rejected by ACL for $var(realm)\n"); + xlog("L_INFO", "$ci|ACL|$var(sip-packet) from $si is rejected by ACL for $var(realm)\n"); exit; } 
@@ -152,24 +153,24 @@ route[ACL_CHECK_REALM_DENY] { $var(i) = 0; kazoo_json($var(acl-response), "Realm.CIDR[$var(i)]", "$var(record)");; while(not_empty("$var(record)")) { - xlog("L_INFO", "$ci |ACL-realm| checking if $si is in $var(record)"); + xlog("L_INFO", "$ci|ACL-realm|checking if $si is in $var(record)"); if (($var(record) == ACL_IP_ADDR_ANY) || is_in_subnet("$si", $var(record))) { $sht(acl=>$var(realm)/$si) = 0; if (!isflagset(FLAG_IS_REPLY)) { sl_send_reply(ACL_CODE_DENY, ACL_MESSAGE_DENY); } - xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is rejected by ACL for $var(realm)\n"); + xlog("L_INFO", "$ci|ACL|$var(sip-packet) from $si is rejected by ACL for $var(realm)\n"); exit; } $var(i) = $var(i) + 1; kazoo_json($var(acl-response), "Realm.CIDR[$var(i)]", "$var(record)");; } } else { - xlog("L_INFO", "$ci |ACL-realm| undefined CIDR in response for $var(realm)"); + xlog("L_INFO", "$ci|ACL-realm|undefined CIDR in response for $var(realm)"); } # Remember in CACHE and ALLOW $sht(acl=>$var(realm)/$si) = 1; - xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is permitted by ACL for $var(realm)\n"); + xlog("L_INFO", "$ci|ACL|$var(sip-packet) from $si is permitted by ACL for $var(realm)\n"); return; } @@ -182,9 +183,9 @@ route[ACL_CHECK_DEVICE] { route(ACL_CHECK_DEVICE_DENY); } } else { - xlog("L_INFO","$ci |ACL-device| undefined Order in response for $var(device)"); + xlog("L_INFO","$ci|ACL-device|undefined Order in response for $var(device)"); $sht(acl=>$var(device)/$si) = 1; - xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is permitted by ACL for $var(device)\n"); + xlog("L_INFO", "$ci|ACL|$var(sip-packet) from $si is permitted by ACL for $var(device)\n"); } } 
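Review bot: `route[ACL_CHECK_DEVICE]` (second hunk) treats any `Device.Order` value other than the exact string `allow,deny` as deny,allow, so a typo or a capitalized `Allow,Deny` coming from the backend silently selects the permissive mode and the result is cached; the realm route has the same shape. I would add an explicit `else if ($var(acl-device-order) == "deny,allow")` branch and turn the final `else` into an `L_WARN` plus deny, so a malformed policy fails closed instead of open. The missing-Order branch that follows permits and caches, which matches the file's stated default, but it deserves a comment labeling it a policy choice rather than an `undefined ... in response` info line that reads like an error.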
@@ -194,17 +195,17 @@ route[ACL_CHECK_DEVICE_ALLOW] { $var(i) = 0; kazoo_json($var(acl-response), "Device.CIDR[$var(i)]", "$var(record)");; while(not_empty("$var(record)")) { - xlog("L_INFO", "$ci |ACL-realm| checking if $si is in $var(record)"); + xlog("L_INFO", "$ci|ACL-realm|checking if $si is in $var(record)"); if (($var(record) == ACL_IP_ADDR_ANY) || is_in_subnet("$si", $var(record))) { $sht(acl=>$var(device)/$si) = 1; - xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is permitted by ACL for $var(device)\n"); + xlog("L_INFO", "$ci|ACL|$var(sip-packet) from $si is permitted by ACL for $var(device)\n"); return; } $var(i) = $var(i) + 1; kazoo_json($var(acl-response), "Device.CIDR[$var(i)]", "$var(record)");; } } else { - xlog("L_INFO", "$ci |ACL-realm| undefined CIDR in response for $var(device)"); + xlog("L_INFO", "$ci|ACL-realm|undefined CIDR in response for $var(device)"); } } # Remember in CACHE and DENY @@ -212,7 +213,7 @@ route[ACL_CHECK_DEVICE_ALLOW] { if (!isflagset(FLAG_IS_REPLY)) { sl_send_reply(ACL_CODE_DENY, ACL_MESSAGE_DENY); } - xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is rejected by ACL for $var(device)\n"); + xlog("L_INFO", "$ci|ACL|$var(sip-packet) from $si is rejected by ACL for $var(device)\n"); exit; } @@ -222,7 +223,7 @@ route[ACL_CHECK_DEVICE_DENY] { if (!isflagset(FLAG_IS_REPLY)) { sl_send_reply(ACL_CODE_DENY, ACL_MESSAGE_DENY); } - xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is rejected by ACL for $var(device)\n"); + xlog("L_INFO", "$ci|ACL|$var(sip-packet) from $si is rejected by ACL for $var(device)\n"); exit; } 
@@ -230,23 +231,23 @@ route[ACL_CHECK_DEVICE_DENY] { $var(i) = 0; kazoo_json($var(acl-response), "Device.CIDR[$var(i)]", "$var(record)");; while(not_empty("$var(record)")) { - xlog("L_INFO", "$ci |ACL-device| checking if $si is in $var(record)"); + xlog("L_INFO", "$ci|ACL-device|checking if $si is in $var(record)"); if (($var(record) == ACL_IP_ADDR_ANY) || is_in_subnet("$si", $var(record))) { $sht(acl=>$var(device)/$si) = 0; if (!isflagset(FLAG_IS_REPLY)) { sl_send_reply(ACL_CODE_DENY, ACL_MESSAGE_DENY); } - xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is rejected by ACL for $var(device)\n"); + xlog("L_INFO", "$ci|ACL|$var(sip-packet) from $si is rejected by ACL for $var(device)\n"); exit; } $var(i) = $var(i) + 1; kazoo_json($var(acl-response), "Device.CIDR[$var(i)]", "$var(record)");; } } else { - xlog("L_INFO", "$ci |ACL-device| undefined CIDR in response for $var(device)"); + xlog("L_INFO", "$ci|ACL-device|undefined CIDR in response for $var(device)"); } # Remember in CACHE and ALLOW $sht(acl=>$var(device)/$si) = 1; - xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is permitted by ACL for $var(device)\n"); + xlog("L_INFO", "$ci|ACL|$var(sip-packet) from $si is permitted by ACL for $var(device)\n"); return; } From fc3a91d0c9eae2f889f126a0da0246e5f3ad88c6 Mon Sep 17 00:00:00 2001 From: "SIPLABS, LLC" Date: Wed, 8 Apr 2015 15:11:09 +0700 Subject: [PATCH 12/12] Pull request issues --- kamailio/default.cfg | 18 +++++++++--------- kamailio/local.cfg | 4 ++-- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/kamailio/default.cfg b/kamailio/default.cfg index 62ce1b4..e4aaff1 100644 --- a/kamailio/default.cfg +++ b/kamailio/default.cfg 
@@ -196,13 +196,13 @@ include_file "accounting-role.cfg" #!ifdef ANTIFLOOD-ROLE include_file "antiflood-role.cfg" #!endif -#!ifdef TRAFFIC-FILTER-ROLE +#!ifdef TRAFFIC_FILTER-ROLE include_file "traffic-filter-role.cfg" #!endif #!ifdef ACL-ROLE include_file "acl-role.cfg" #!endif -#!ifdef RATE-LIMITER-ROLE +#!ifdef RATE_LIMITER-ROLE include_file "rate-limiter-role.cfg" #endif #!ifdef PUSHER-ROLE @@ -232,7 +232,7 @@ route route(ANITFLOOD_AUTH_LIMIT); #!endif - #!ifdef TRAFFIC-FILTER-ROLE + #!ifdef TRAFFIC_FILTER-ROLE route(TRAFFIC_FILTER); #!endif @@ -240,7 +240,7 @@ route route(ACL_CHECK); #!endif - #!ifdef RATE-LIMITER-ROLE + #!ifdef RATE_LIMITER-ROLE route(DOS_PREVENTION); #!endif @@ -318,7 +318,7 @@ route[HANDLE_OPTIONS] if (isflagset(FLAG_INTERNALLY_SOURCED)) { route(INTERNAL_TO_EXTERNAL_RELAY); } else { - #!ifdef TRAFFIC-FILTER-ROLE + #!ifdef TRAFFIC_FILTER-ROLE route(FILTER_REQUEST_DOMAIN); #!endif @@ -342,7 +342,7 @@ route[HANDLE_NOTIFY] } route(INTERNAL_TO_EXTERNAL_RELAY); } else { - #!ifdef TRAFFIC-FILTER-ROLE + #!ifdef TRAFFIC_FILTER-ROLE route(FILTER_REQUEST_DOMAIN); #!endif @@ -379,7 +379,7 @@ route[HANDLE_MESSAGE] xlog("L_INFO", "$ci|log|routing to $ruid"); } route(INTERNAL_TO_EXTERNAL_RELAY); - #!ifdef TRAFFIC-FILTER-ROLE + #!ifdef TRAFFIC_FILTER-ROLE } else if (!isflagset(FLAG_TRUSTED_SOURCE) && $rd =~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}") { xlog("L_WARN", "$ci|end|dropping MESSAGE request with IP domain"); @@ -590,7 +590,7 @@ onreply_route[EXTERNAL_REPLY] route(ACL_CHECK); #!endif - #!ifdef RATE-LIMITER-ROLE + #!ifdef RATE_LIMITER-ROLE setflag(FLAG_IS_REPLY); route(DOS_PREVENTION); #!endif @@ -611,7 +611,7 @@ onreply_route[INTERNAL_REPLY] route(ACL_CHECK); #!endif - #!ifdef RATE-LIMITER-ROLE + #!ifdef RATE_LIMITER-ROLE setflag(FLAG_IS_REPLY); route(DOS_PREVENTION); #!endif diff --git a/kamailio/local.cfg b/kamailio/local.cfg index 2edf815..61b964d 100644 --- a/kamailio/local.cfg +++ b/kamailio/local.cfg 
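Review bot: Renaming the preprocessor symbols `TRAFFIC-FILTER-ROLE` → `TRAFFIC_FILTER-ROLE` and `RATE-LIMITER-ROLE` → `RATE_LIMITER-ROLE` in `default.cfg` is a silent fail-open for any deployment whose existing `local.cfg` still defines the old names: the `#!ifdef` blocks stop matching, `traffic-filter-role.cfg` and `rate-limiter-role.cfg` are no longer included, and nothing warns, because an undefined role is the normal disabled state. A compatibility shim ahead of the includes would avoid that, e.g. `#!ifdef TRAFFIC-FILTER-ROLE` / `#!define TRAFFIC_FILTER-ROLE` / `#!endif`, plus a line in the commit message; the mixed `_`/`-` style (`ACL-ROLE` and `PUSHER-ROLE` keep hyphens) should also be settled one way. Separately, the context line after `include_file "rate-limiter-role.cfg"` reads `#endif` rather than `#!endif`; if that is really what the file contains and not a transcription slip, the preprocessor sees a plain comment and the `RATE_LIMITER-ROLE` block swallows everything up to the next `#!endif` — worth a `kamailio -c` check on the merged result.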
@@ -13,11 +13,11 @@ debug = L_INFO #!trydef PRESENCE-ROLE ## Disabled Roles - remove all but the last '#' to enable -# # #!trydef TRAFFIC-FILTER-ROLE +# # #!trydef TRAFFIC_FILTER-ROLE # # #!trydef WEBSOCKETS-ROLE # # #!trydef TLS-ROLE # # #!trydef ANTIFLOOD-ROLE -# # #!trydef RATE-LIMITER-ROLE +# # #!trydef RATE_LIMITER-ROLE # # #!trydef ACL-ROLE # # #!trydef MESSAGE-ROLE # # #!trydef PUSHER-ROLE