From bcd1c26d50fe239ad621491ffcdcd0110cce4eac Mon Sep 17 00:00:00 2001
From: "SIPLABS, LLC"
Date: Tue, 3 Mar 2015 17:23:49 +0700
Subject: [PATCH] check User-Agent header for device

---
 kamailio/acl-role.cfg | 38 ++++++++++++++++++++++++--------------
 1 file changed, 24 insertions(+), 14 deletions(-)

diff --git a/kamailio/acl-role.cfg b/kamailio/acl-role.cfg
index 50234a4..e5a4d7a 100644
--- a/kamailio/acl-role.cfg
+++ b/kamailio/acl-role.cfg
@@ -89,7 +89,6 @@ route[ACL_CHECK] {
 kazoo_json($var(acl-response), "Realm.Order", "$var(acl-realm-order)");
 kazoo_json($var(acl-response), "Realm.CIDR", "$var(acl-realm-cidr)");
 kazoo_json($var(acl-response), "Realm.CIDR.length", "$var(acl-realm-cidr-len)");
- kazoo_json($var(acl-response), "Realm.User-Agent", "$var(acl-realm-ua)");
 kazoo_json($var(acl-response), "Device.Order", "$var(acl-device-order)");
 kazoo_json($var(acl-response), "Device.CIDR", "$var(acl-device-cidr)");
 kazoo_json($var(acl-response), "Device.CIDR.length","$var(acl-device-cidr-len)");
@@ -193,21 +192,23 @@ route[ACL_CHECK_DEVICE] {
 }
 
 route[ACL_CHECK_DEVICE_ALLOW] {
- if (not_empty("$var(acl-device-cidr)")) {
- $var(i) = 0;
- xlog("L_INFO", "$ci |ACL-realm| checking $var(acl-device-cidr-len) record(s)");
- while($var(i) < $var(acl-device-cidr-len)) {
- kazoo_json($var(acl-device-cidr), "[$var(i)]", "$var(record)");
- xlog("L_INFO", "$ci |ACL-realm| checking if $si is in $var(record)");
- if (($var(record) == ACL_IP_ADDR_ANY) || is_in_subnet("$si", $var(record))) {
- $sht(acl=>$var(device)/$si) = 1;
- xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is permitted by ACL for $var(device)\n");
- return;
+ if (!not_empty("$var(acl-device-ua)") || (not_empty("$var(acl-device-ua)") && $ua =~ $var(acl-device-ua))) {
+ if (not_empty("$var(acl-device-cidr)")) {
+ $var(i) = 0;
+ xlog("L_INFO", "$ci |ACL-realm| checking $var(acl-device-cidr-len) record(s)");
+ while($var(i) < $var(acl-device-cidr-len)) {
+ kazoo_json($var(acl-device-cidr), "[$var(i)]", "$var(record)");
+ xlog("L_INFO", "$ci |ACL-realm| checking if $si is in $var(record)");
+ if (($var(record) == ACL_IP_ADDR_ANY) || is_in_subnet("$si", $var(record))) {
+ $sht(acl=>$var(device)/$si) = 1;
+ xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is permitted by ACL for $var(device)\n");
+ return;
+ }
+ $var(i) = $var(i) + 1;
 }
- $var(i) = $var(i) + 1;
+ } else {
+ xlog("L_INFO", "$ci |ACL-realm| undefined CIDR in response for $var(device)");
 }
- } else {
- xlog("L_INFO", "$ci |ACL-realm| undefined CIDR in response for $var(device)");
 }
 # Remember in CACHE and DENY
 $sht(acl=>$var(device)/$si) = 0;
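Review bot: The verdict written to `$sht(acl=>$var(device)/$si)` is keyed on device and source IP only, while the new outer condition makes that verdict depend on `$ua`. A request whose User-Agent does not match skips the CIDR loop and falls through to the `= 0` store after the block, so if the cache is consulted before this route runs (the lookup is outside the hunk), one mismatching request can lock out a legitimate device behind the same address, and a cached `1` would let later requests through whatever UA they send; the new block in ACL_CHECK_DEVICE_DENY stores `0` the same way. Either leave UA-driven denials uncached or make the UA part of what is cached. Since `$ua` is sender-supplied and matched as an unanchored regex, a comment should state that this narrows the CIDR rule and is not an identity check. The condition also reduces to `if (!not_empty("$var(acl-device-ua)") || $ua =~ $var(acl-device-ua)) {`.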
@@ -219,6 +220,15 @@ route[ACL_CHECK_DEVICE_ALLOW] {
 }
 
 route[ACL_CHECK_DEVICE_DENY] {
+ if (not_empty("$var(acl-device-ua)") && !($ua =~ $var(acl-device-ua))) {
+ $sht(acl=>$var(device)/$si) = 0;
+ if (!isflagset(FLAG_IS_REPLY)) {
+ sl_send_reply(ACL_CODE_DENY, ACL_MESSAGE_DENY);
+ }
+ xlog("L_INFO", "$ci |ACL| $var(sip-packet) from $si is rejected by ACL for $var(device)\n");
+ exit;
+ }
+
 if (not_empty("$var(acl-device-cidr)")) {
 $var(i) = 0;
 xlog("L_INFO", "$ci |ACL-device| checking $var(acl-device-cidr-len) record(s)");
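Review bot: Nothing visible in this patch assigns `$var(acl-device-ua)`: the only User-Agent extraction shown, `Realm.User-Agent` into `$var(acl-realm-ua)`, is removed in the first hunk, and all 24 insertions in the diffstat are accounted for by the two route hunks. Unless a `Device.User-Agent` lookup already exists outside the shown context of route[ACL_CHECK], `not_empty` is false here and in ACL_CHECK_DEVICE_ALLOW and the UA restriction is silently skipped. When the pattern is set, a message without a User-Agent header presumably fails `$ua =~ ...` and is rejected; this route also handles replies (`FLAG_IS_REPLY`), which may carry Server instead, so confirm that dropping them is intended. The reject log does not say the User-Agent caused the denial; a distinct line such as `xlog("L_INFO", "$ci |ACL-device| User-Agent mismatch for $var(device)\n");` would let operators tell it apart from a CIDR denial. The route body continues past the end of the hunk.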