HELP-22885 anti-flood role may block media servers

removed the "sip:" prefix

kamailio/acl-role.cfg

@@ -82,7 +82,7 @@ route[ACL_CHECK] {
         else
             $var(query) = "{'Event-Category': 'acl', 'Event-Name': 'query', 'Entity': '" + $var(realm) + "'}";
         xlog("L_DBG", "$ci|ACL log|Query: $var(query)");
-        sl_send_reply("100", "Attempting Kazoo query");
+        sl_send_reply("100", "Attempting K query");
         if (kazoo_query("frontier", "sbc_config", $var(query), "$var(acl-response)")) {
             xlog("L_DBG", "$ci|ACL log|Response: $var(acl-response)");
 

kamailio/antiflood-role.cfg

@@ -1,11 +1,16 @@
+
 #!trydef ANTIFLOOD_RATE_WINDOW 2
 #!trydef ANTIFLOOD_RATE_DENSITY 50
 #!trydef ANTIFLOOD_RATE_EXPIRE 4
 #!trydef ANTIFLOOD_FAILED_AUTH_WINDOW 300
 #!trydef ANTIFLOOD_FAILED_AUTH_DENSITY 4
 
+#!ifndef ANTIFLOOD_CACHE_PERIOD
+#!substdef "!ANTIFLOOD_CACHE_PERIOD!600!g"
+#!endif
+
 ######## Flood Prevention Hash Tables ########
-modparam("htable", "htable", "failed_auth_hash=>size=16;autoexpire=3600;")
+modparam("htable", "htable", "antiflood=>size=16;autoexpire=ANTIFLOOD_CACHE_PERIOD;initval=0")
 
 ######## Flood Prevention Module ########
 loadmodule "pike.so"
@@ -16,7 +21,9 @@ modparam("pike", "remove_latency", ANTIFLOOD_RATE_EXPIRE)
 
 route[ANTIFLOOD_RATE_LIMIT]
 {
-    if (has_totag() || isflagset(FLAG_TRUSTED_SOURCE)) {
+    if (has_totag()
+        || isflagset(FLAG_TRUSTED_SOURCE)
+        || isflagset(FLAG_INTERNALLY_SOURCED)) {
         return;
     }
 
@@ -30,34 +37,33 @@ route[ANTIFLOOD_RATE_LIMIT]
 
 route[ANITFLOOD_AUTH_LIMIT]
 {
-    if (isflagset(FLAG_TRUSTED_SOURCE)) {
+    if (has_totag()
+        || isflagset(FLAG_TRUSTED_SOURCE)
+        || isflagset(FLAG_INTERNALLY_SOURCED)) {
         return(1);
     }
 
     if ($Au != $null &&
-        $sht(failed_auth_hash=>$Au::count) >= ANTIFLOOD_FAILED_AUTH_DENSITY
+        $sht(antiflood=>$Au::$si::count) >= ANTIFLOOD_FAILED_AUTH_DENSITY
     ) {
-        $var(exp) = $Ts - ANTIFLOOD_FAILED_AUTH_WINDOW;
-        if($sht(failed_auth_hash=>$Au::last) > $var(exp)){
-            xlog("L_NOTICE", "$ci|end|request at authorization failure limit for $Au $si:$sp");
-            append_to_reply("Retry-After: 3600\r\n");
-            sl_send_reply("500", "Retry Later");
-            exit;
-        } else {
-            $sht(failed_auth_hash=>$Au::count) = 0;
-        }
+        xlog("L_NOTICE", "$ci|end|request at authorization failure limit for $Au $si:$sp");
+        $shtex(antiflood=>$Au::$si::count) = ANTIFLOOD_FAILED_AUTH_WINDOW;
+        $sht(antiflood=>$Au::$si::last) = $Ts;
+        append_to_reply("Retry-After: 3600\r\n");
+        send_reply("500", "Retry Later");
+        exit;
     }
 }
 
 route[ANTIFLOOD_SUCCESSFUL_AUTH]
 {
-    if ($Au != $null && $sht(failed_auth_hash=>$Au::count) != $null) {
-        $sht(failed_auth_hash=>$Au::count) = $null;
-    }
+    sht_rm_name_re("antiflood=>$(Au{re.subst,/\\./\\\\./g})::$(si{re.subst,/\\./\\\\./g})::.*");
+}
 
-    if ($Au != $null && $sht(failed_auth_hash=>$Au::last) != $null) {
-        $sht(failed_auth_hash=>$Au::last) = $null;
-    }
+route[ANTIFLOOD_RESET_AUTH]
+{
+    $var(user) = $(kzE{kz.json,Username}) + "@" + $(kzE{kz.json,Realm});
+    sht_rm_name_re("antiflood=>$(var(user){re.subst,/\\./\\\\./g})::.*");
 }
 
 route[ANITFLOOD_FAILED_AUTH]
@@ -66,22 +72,23 @@ route[ANITFLOOD_FAILED_AUTH]
         return;
     }
 
-    if($sht(failed_auth_hash=>$Au::count) == $null) {
-        $sht(failed_auth_hash=>$Au::count) = 0;
-    }
+    $var(count) = $shtinc(antiflood=>$Au::$si::count);
+    $sht(antiflood=>$Au::$si::last) = $Ts;
 
-    $sht(failed_auth_hash=>$Au::count) = $sht(failed_auth_hash=>$Au::count) + 1;
-    $sht(failed_auth_hash=>$Au::last) = $Ts;
+    xlog("L_INFO", "$ci|log|$var(count) errounous authorization response for $Au $si:$sp");
 
-    xlog("L_INFO", "$ci|log|$sht(failed_auth_hash=>$Au::count) errounous authorization response for $Au $si:$sp");
-
-   if ($sht(failed_auth_hash=>$Au::count) >= ANTIFLOOD_FAILED_AUTH_DENSITY) { 
+   if ($var(count) >= ANTIFLOOD_FAILED_AUTH_DENSITY) { 
         $var(exp) = $Ts - ANTIFLOOD_FAILED_AUTH_WINDOW;
-        if($sht(failed_auth_hash=>$Au::last) > $var(exp)){
+        if($sht(antiflood=>$Au::$si::last) > $var(exp)){
             xlog("L_NOTICE", "$ci|end|request at authorization failure limit for $Au $si:$sp");
             append_to_reply("Retry-After: 3600\r\n");
-            sl_send_reply("500", "Retry Later");
+            send_reply("500", "Retry Later");
             exit;
         }
   }
 }
+
+event_route[htable:expired:antiflood] 
+{
+    xlog("L_NOTICE", "antiflood expired record $shtrecord(key) => $shtrecord(value)\n");
+}

kamailio/fast-pickup-role.cfg

@@ -35,7 +35,7 @@ route[FAST_PICKUP_ATTEMPT]
        xlog("L_INFO", "$ci|log|replaces call-id $var(replaced_call_id)");
        $var(amqp_payload_request) = '{"Event-Category" : "call_event" , "Event-Name" : "channel_status_req", "Call-ID" : "' + $var(replaced_call_id) + '", "Active-Only" : true }';
        $var(amqp_routing_key) = "call.status_req." + $(var(replaced_call_id){kz.encode});
-       sl_send_reply("100", "Attempting Kazoo query");
+       sl_send_reply("100", "Attempting K query");
        if(kazoo_query("callevt", $var(amqp_routing_key), $var(amqp_payload_request))) {
            $du = $(kzR{kz.json,Switch-URL});
            if($du != $null) {
@@ -85,13 +85,18 @@ route[FAST_PICKUP_INIT]
 {
     $var(AppName) = $(kzE{kz.json,App-Name});
     if($var(AppName) == "park") {
-       $var(Pickup) =  ";kazoo-pickup=true";
+       $var(Pickup) =  ";a-leg=true";
     } else {
+      if($(kzE{kz.json,State}) == "confirmed"){
+        $var(Pickup) =  ";early-only=true";
+      } else {
        $var(Pickup) =  "";
+      }
     }
     $sht(fp=>$(kzE{kz.json,Call-Cookie})::Switch-URI) = $(kzE{kz.json,Switch-URI});
-    $sht(fp=>$(kzE{kz.json,Call-Cookie})::Call-ID) = $(kzE{kz.json,Target-Call-ID});
-    $sht(fp=>$(kzE{kz.json,Call-Cookie})::URI) = "sip:" + $(kzE{kz.json,From-User}) + "@" + $(kzE{kz.json,To-Realm}) + $var(Pickup);
+    $sht(fp=>$(kzE{kz.json,Call-Cookie})::Call-ID) = $(kzE{kz.json,Target-Call-ID}) + $var(Pickup);
+    $sht(fp=>$(kzE{kz.json,Call-Cookie})::URI) = "sip:" + $(kzE{kz.json,From-User}) + "@" + $(kzE{kz.json,To-Realm}) ;    
 }
 
+
 # vim: tabstop=4 softtabstop=4 shiftwidth=4 expandtab

kamailio/presence-role.cfg

@@ -105,8 +105,8 @@ event_route[kazoo:consumer-event-presence-update]
 {
     $var(call-id) = $(kzE{kz.json,Call-ID});
     if( $(kzE{kz.json,Event-Package}) == "dialog") {   
-        if($sht(p=>$var(call-id)) != $(kzE{kz.json,State})) {
-             xlog("L_INFO", "$var(call-id)|log|received $(kzE{kz.json,Event-Package}) update for $(kzE{kz.json,From}) state $(kzE{kz.json,State})");
+        if($sht(p=>$var(call-id)) != $(kzE{kz.json,State}) || $(kzE{kz.json,Flush-Level}) != $null) {
+             xlog("L_INFO", "$(kzE{kz.json,Target-Call-ID})|log|received $(kzE{kz.json,Event-Package}) update for $(kzE{kz.json,From}) state $(kzE{kz.json,State})");
              $sht(p=>$(kzE{kz.json,Call-ID})) = $(kzE{kz.json,State});
              #!ifdef FAST_PICKUP-ROLE
              route(FAST_PICKUP_INIT);

kamailio/pusher-role.cfg

@@ -15,7 +15,7 @@ route[INTERNAL_TO_EXTERNAL_PUSH]
 			$var(RoutingKey) = "notification.push." + $var(TokenType) + "." + $var(TokenID);
 			$var(exchange) = "pushes";
 			$avp(kz_timeout) = 20000;
-			sl_send_reply("100", "Attempting Kazoo query");
+			sl_send_reply("100", "Attempting K query");
 			kazoo_query($var(exchange), $var(RoutingKey), $var(Payload));
 		}
 

kamailio/rate-limiter-role.cfg

@@ -105,7 +105,7 @@ route[DOS_PREVENTION] {
 
         avp_printf("$avp(s:query-request)", "{\"Entity\" : \"$var(entity)\", \"$var(method-key)\" : $var(method-value), \"Event-Category\" : \"rate_limit\", \"Event-Name\" : \"query\", \"With-Realm\" : $var(with-realm-request)}");
         xlog("L_INFO", "$ci|RL log| Query: $avp(s:query-request)");
-        sl_send_reply("100", "Attempting Kazoo query");
+        sl_send_reply("100", "Attempting K query");
         if (kazoo_query("frontier", "sbc_config", $avp(s:query-request), "$var(amqp_result)")) {
             xlog("L_INFO", "$ci|RL log| Response: $var(amqp_result)");
 

kamailio/registrar-role.cfg

@@ -82,7 +82,7 @@ route[ATTEMPT_AUTHORIZATION]
     } else {
         $var(amqp_payload_request) = "{'Event-Category' : 'directory' , 'Event-Name' : 'authn_req', 'Method' : 'REGISTER', 'Auth-Realm' : '" + $fd + "', 'Auth-User' : '" + $fU + "', 'From' : '" + $fu + "', 'To' : '" + $tu +"' }";
         $var(amqp_routing_key) = "authn.req." + $(fd{kz.encode});
-        sl_send_reply("100", "Attempting Kazoo query");
+        sl_send_reply("100", "Attempting K query");
         if(kazoo_query("callmgr", $var(amqp_routing_key), $var(amqp_payload_request))) {
             $var(password) = $(kzR{kz.json,Auth-Password});
             $xavp(ulattrs=>custom_channel_vars) = $(kzR{kz.json,Custom-Channel-Vars});
@@ -205,6 +205,11 @@ event_route[kazoo:consumer-event-directory-reg-flush]
         xlog("L_INFO", "log|removing SIP credentials cache for $var(user)");
         $sht(auth_cache=>$var(user)) = $null;
     }
+
+    #!ifdef ANTIFLOOD-ROLE
+    route(ANTIFLOOD_RESET_AUTH);
+    #!endif
+
 }
 
 # vim: tabstop=4 softtabstop=4 shiftwidth=4 expandtab