
updates to ensure the ACL is checked in

3.12
Karl Anderson 15 years ago
parent
commit
83b53a890d
2 changed files with 99 additions and 81 deletions
  1. +10
    -10
      autoload_configs/acl.conf.xml
  2. +89
    -71
      opensips/opensips.cfg

+ 10
- 10
autoload_configs/acl.conf.xml

@ -1,16 +1,16 @@
<configuration name="acl.conf" description="Network Lists">
<network-lists>
<list name="trusted" default="deny">
<node type="allow" cidr="173.203.215.241/32"/> <!--proxy2.switchfreedom.com-->
<node type="allow" cidr="72.249.14.242/32"/> <!--gw01-car.dal.us.icall.net-->
<node type="allow" cidr="8.19.97.6/32"/> <!--sbc01-car.dal.us.icall.net-->
<node type="allow" cidr="208.85.184.0/24"/> <!--velocity.net-->
</list>
<node type="allow" cidr="173.203.215.241/32"/> <!--proxy2.switchfreedom.com-->
<node type="allow" cidr="72.249.14.242/32"/> <!--gw01-car.dal.us.icall.net-->
<node type="allow" cidr="8.19.97.6/32"/> <!--sbc01-car.dal.us.icall.net-->
<node type="allow" cidr="208.85.184.0/24"/> <!--velocity.net-->
<node type="allow" cidr="184.106.172.9/32"/> <!--sipproxy001-prod-ord.2600hz.com-->
</list>
<list name="authoritative" default="deny">
<node type="allow" cidr="184.106.172.9/32"/> <!--sipproxy001-prod-ord-->
<node type="allow" cidr="204.232.212.190/32"/> <!--sipproxy002-prod-dfw-->
<node type="allow" cidr="184.106.157.174/32"/> <!--sipproxy001-aa-ord-->
<node type="allow" cidr="209.114.35.233/32"/> <!--sipproxy001-aa-dfw-->
<node type="allow" cidr="184.106.157.174/32"/> <!--sipproxy001-aa-ord.2600hz.com-->
<node type="allow" cidr="209.114.35.233/32"/> <!--sipproxy001-aa-dfw.2600hz.com-->
<node type="allow" cidr="184.106.170.176/32"/> <!--sipproxy001-dev-ord.2600hz.com-->
</list>
</network-lists>
</configuration>
</configuration>
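Review bot: The `authoritative` list now admits 184.106.170.176/32 (commented as sipproxy001-dev-ord.2600hz.com) alongside the production proxies, while 184.106.172.9/32 (sipproxy001-prod-ord) appears to move out of `authoritative` and into `trusted`; with the +/- markers lost in this rendering that reading is inferred from line order, but the commit message ("ensure the ACL is checked in") describes no membership change, so it is worth confirming the dev host and the move are intended rather than a stale working copy. Both lists are `default="deny"`, so every `<node type="allow">` is an explicit trust grant; a one-line comment above each `<list>` stating what it gates (which profile or section references `trusted` versus `authoritative`) would make future additions reviewable, e.g. `<!-- "authoritative": peers allowed to send without digest challenge -->` adjusted to what this deployment actually does. The two `</configuration>` lines are presumably a whitespace-only change that the rendering collapsed.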

+ 89
- 71
opensips/opensips.cfg

@ -105,11 +105,12 @@ disable_tcp=no
######################################################################
## Module Loading
######################################################################
mpath="/usr/local/lib64/opensips/modules/"
mpath="/usr/lib64/opensips/modules/"
loadmodule "memcached.so"
loadmodule "signaling.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "dialog.so"
loadmodule "maxfwd.so"
loadmodule "rr.so"
loadmodule "path.so"
@ -117,6 +118,7 @@ loadmodule "uri.so"
loadmodule "textops.so"
loadmodule "usrloc.so"
loadmodule "nathelper.so"
loadmodule "nat_traversal.so"
loadmodule "dispatcher.so"
loadmodule "mi_fifo.so"
# loadmodule "mi_datagram.so"
@ -149,7 +151,7 @@ modparam("tm", "fr_timer", 5)
# modparam("tm", "fr_inv_timer_avp", "$avp(i:25)")
# modparam("tm", "tw_append",
# "test: ua=$hdr(User-Agent) ;avp=$avp(i:10);$rb;time=$Ts")
# modparam("tm", "pass_provisional_replies", 0)
modparam("tm", "pass_provisional_replies", 1)
# modparam("tm", "syn_branch", 1)
# modparam("tm", "onreply_avp_mode", 0)
# modparam("tm", "disable_6xx_block", 0)
@ -221,17 +223,25 @@ modparam("usrloc", "path_column", "path")
## Nathelper Module Parameters
######################################################################
# modparam("nathelper", "rtpproxy_sock", "udp:127.0.0.1:7890")
modparam("nathelper", "natping_interval", 30)
modparam("nathelper", "ping_nated_only", 1)
# modparam("nathelper", "natping_interval", 30)
# modparam("nathelper", "ping_nated_only", 1)
# modparam("nathelper", "natping_processes", 3)
modparam("nathelper", "sipping_bflag", 7)
modparam("nathelper", "sipping_from", "sip:sipcheck@184.106.172.9 ")
# modparam("nathelper", "sipping_bflag", 7)
# modparam("nathelper", "sipping_from", "sip:sipcheck@184.106.157.174")
# modparam("nathelper", "sipping_method", "INFO")
######################################################################
## NAT Traversal Module Parameters
######################################################################
modparam("nat_traversal", "keepalive_interval", 60)
modparam("nat_traversal", "keepalive_method", "OPTIONS")
modparam("nat_traversal", "keepalive_from", "sip:keepalive@ping.sip.2600hz.com")
modparam("nat_traversal", "keepalive_state_file", "/tmp/opensips_keepalive_state")
######################################################################
## Dispatcher Module Parameters
######################################################################
modparam("dispatcher", "list_file", "/usr/local/etc/opensips/dispatcher.list")
modparam("dispatcher", "list_file", "/etc/opensips/dispatcher.list")
modparam("dispatcher", "flags", 2)
modparam("dispatcher", "use_default", 0)
modparam("dispatcher", "force_dst", 1)
@ -242,7 +252,7 @@ modparam("dispatcher", "cnt_avp", "$avp(i:274)")
modparam("dispatcher", "hash_pvar", "$avp(i:273)")
# modparam("dispatcher", "setid_pvar", "$var(setid)")
modparam("dispatcher", "ds_ping_method", "OPTIONS")
modparam("dispatcher", "ds_ping_from", "sip:sipcheck@184.106.172.9:5060")
modparam("dispatcher", "ds_ping_from", "sip:sipcheck@184.106.157.174:5060")
modparam("dispatcher", "ds_ping_interval", 10)
# modparam("dispatcher", "ds_ping_sock", "udp:10.80.25.168:5080")
modparam("dispatcher", "ds_probing_threshhold", 3)
@ -290,11 +300,18 @@ route
exit;
}
if (src_ip==myself)
{
xlog("L_WARN", "Src IP [$ou] from [$si:$sp]");
exit;
}
xlog("L_INFO", "Received [$rm] [$ou] from [$si:$sp]");
xlog("L_DBG", " From: [$fu]");
xlog("L_DBG", " To: [$tu]");
if (is_method("OPTIONS"))
if (is_method("OPTIONS|SUBSCRIBE"))
{
xlog("L_NOTICE", " Method [$rm] is not supported, sending 503 to [$si:$sp]");
@ -305,39 +322,16 @@ route
t_on_reply("1");
if (nat_uac_test("18"))
{
xlog("L_INFO", " Source port is different from the port in Via, force rport");
force_rport();
fix_nated_contact();
if (has_body("application/sdp"))
{
xlog("L_INFO", " Fixing nated SDP, rewritting media and origin with [$si]");
fix_nated_sdp("10");
}
# If this leads to a sucessfull register then flag 5 will cause nat=yes to be append to the contact
# and (when appropriate) the use of the nat_compensator reply branch
setflag(5);
}
t_on_failure("1");
if (has_totag())
{
if (subst_uri('/(sip:.*);nat=yes/\1/'))
{
xlog("L_INFO", " Set reply branch for NAT compensation on this message in the existing dialog");
t_on_reply("nat_compensator");
}
# sequential request withing a dialog should
# take the path determined by record-routing
if (loose_route())
{
append_hf("P-hint: rr-enforced\r\n");
if (is_method("INVITE"))
{
# even if in most of the cases is useless, do RR for
@ -348,6 +342,13 @@ route
#record_route();
}
if ((ds_is_in_list("$si", "$sp", "1") || ds_is_in_list("$si", "$sp", "2")) && is_method("ACK"))
{
xlog("L_INFO", " Stored [$tU] as belonging to media server [$fd]");
cache_store("memcached_callid_hash", "$tU ", "$fd", 3600);
}
# route it out to whatever destination was set by loose_route()
# in $du (destination URI).
route(1);
@ -430,33 +431,38 @@ route
}
# is not from media servers
if (!ds_is_in_list("$si", "$sp", "1") and !ds_is_in_list("$si", "$sp", "2"))
{
if(cache_fetch("memcached_callid_hash", "$ci", $avp(i:55)))
if (!ds_is_in_list("$si", "$sp", "1") && !ds_is_in_list("$si", "$sp", "2"))
{
if ($ct.fields(uri) && cache_fetch("memcached_callid_hash", "$(ct.fields(uri){uri.user})", $avp(i:55)))
{
$rd = $avp(i:55);
xlog("L_INFO", " Reconized contact [$ct.fields(uri)] as belonging to media server [$rd]");
}
else if (cache_fetch("memcached_callid_hash", "$ci", $avp(i:55)))
{
$rd = $avp(i:55);
xlog("L_INFO", " Reconized call-id [$ci] as belonging to media server [$rd]");
if ($ct.fields(uri) && is_method("INVITE"))
{
xlog("L_INFO", " Stored [$(ct.fields(uri){uri.user})] as belonging to media server [$rd]");
cache_store("memcached_callid_hash", "$(ct.fields(uri){uri.user})", "$rd", 3600);
}
}
else
{
xlog("L_INFO", " Selecting domain from set 1 using round-robin");
ds_select_domain("1", "4");
t_on_failure("1");
}
remove_hf("X-AUTH-IP");
append_hf("X-AUTH-IP: $si\r\n");
if (isflagset(5))
{
xlog("L_INFO", " This contact is behind NAT, appending nat=yes to the Contact header");
# "nat=yes" is added to help with in-dialog re-INVITE, UPDATE, etc.
search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
}
}
}
# record routing
if (!is_method("REGISTER|MESSAGE"))
@ -473,6 +479,8 @@ route
route[1]
{
route("nat_test_and_correct");
if (!t_relay())
{
xlog("L_ERR", " Unable to relay [$rm] [$ru] to [$du], sending 500");
@ -485,40 +493,41 @@ route[1]
exit;
}
onreply_route[1]
route[nat_test_and_correct]
{
if (t_check_status("(407)|(401)"))
if (client_nat_test("3"))
{
cache_store("memcached_callid_hash", "$ci ", "$si", 60);
xlog("L_INFO", " NAT (SIP): Private IP in contact field or via address differs from source");
xlog("L_INFO", " Stored call-id [$ci] as belonging to media server [$si]");
}
}
force_rport();
onreply_route[nat_compensator]
{
xlog("L_INFO ", " Compensating reply from NATed message [$rs] [$rr]");
if ((method=="REGISTER" || method=="SUBSCRIBE" || (method=="INVITE" && !has_totag())))
{
xlog("L_INFO", " NAT (SIP): Activating keep alive pings");
if (t_check_status("(407)|(401)"))
{
cache_store("memcached_callid_hash", "$ci ", "$si", 60);
nat_keepalive();
}
xlog("L_INFO", " Stored call-id [$ci] for NATed reply as belonging to media server [$si]");
fix_contact();
}
if (has_body("application/sdp"))
if (has_body("application/sdp") && nat_uac_test("8"))
{
xlog("L_INFO", " Fixing nated reply SDP, rewritting media and origin with [$si]");
xlog("L_INFO", " NAT (SDP): Private IP in SDP");
fix_nated_sdp("10");
}
}
onreply_route[1]
{
route("nat_test_and_correct");
if (is_present_hf("Contact"))
if (t_check_status("(407)|(401)"))
{
xlog("L_INFO", " Fixing nated reply contact header");
cache_store("memcached_callid_hash", "$ci ", "$si", 60);
fix_nated_contact();
#search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
xlog("L_INFO", " Stored call-id [$ci] as belonging to media server [$si]");
}
}
@ -535,12 +544,20 @@ failure_route[1]
ds_mark_dst("p");
if (ds_next_domain())
# if (ds_next_domain())
if(ds_select_domain("1", "4"))
{
xlog("L_ERR", " Hunting for avaliable media server...");
xlog("L_INFO", " Sent [$rm] [$ru] to [$rd]");
if ($ct.fields(uri) && is_method("INVITE"))
{
xlog("L_INFO", " Stored [$(ct.fields(uri){uri.user})] as belonging to media server [$rd]");
cache_store("memcached_callid_hash", "$(ct.fields(uri){uri.user})", "$rd", 3600);
}
t_relay();
exit;
@ -555,3 +572,4 @@ failure_route[1]
exit;
}
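Review bot: The memcached keys written and read for the same mapping are spelled differently: `cache_store("memcached_callid_hash", "$ci ", "$si", 60)` (in `route[nat_test_and_correct]` and `onreply_route[1]`) and `cache_store("memcached_callid_hash", "$tU ", "$fd", 3600)` carry a trailing space inside the quotes, while the lookups use `"$ci"` and `"$(ct.fields(uri){uri.user})"` with none. Unless OpenSIPS strips trailing whitespace from quoted string arguments, those entries can never be found and every lookup falls through to `ds_select_domain("1", "4")`, silently defeating the media-server stickiness this commit extends; dropping the space (`"$ci"`, `"$tU"`) makes the keys match. Separately, in the nat_traversal hunk `keepalive_state_file` is set to `/tmp/opensips_keepalive_state`, a predictable path in a world-writable directory that another local account could pre-create or symlink before the daemon starts, so a file in a directory writable only by the opensips service user would be safer. The `route` block holding the lookups and the `failure_route[1]` block both start outside the shown hunks, and which of the two `"$ci "` stores in `onreply_route[1]` is old versus new is not recoverable from the rendering.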
