On 18.05.21 12:29, Romain Untereiner wrote:
Yes it is set in the table: 

group | ip_addr | mask | port | tag
ZZZ | X.X.X.X | 24 | 5060 | NULL

And I can confirm the IP and Port I see in the traces should match X.X.X.X/24 & 5060, and as mentioned before I could see that few ms before (99.99% of the cases), same IP and Port were correctly allowed and the group was found.

Is there some more advanced debugging I could setup to dive into allow_source_address_group() behavior?

The source code is available, so you can edit and add more log messages in the corresponding functions inside the permissions module, then re-compile/re-install, if you want to go that path.

Do you reload records from the address table at runtime via rpc? If yes, do you think it happened at the same time with the matching failure? Trying to see what can be ruled out or not ...

Cheers,
Daniel


Thanks

Romain Untereiner
Co founder at Cantoo
www.cantoo.co
Le 18 mai 2021 à 12:18 +0200, Daniel-Constantin Mierla <miconda@gmail.com>, a écrit :

Hmm, do you have port set for the records in the address table? I notice you print it in the log message...

Cheers,
Daniel

On 18.05.21 11:15, Romain Untereiner wrote:
Hello Daniel,

Thanks for your quick answer! 

I indeed need to identify the group ID too.

Here’s how I handle it (inspired from https://kamailio.org/docs/modules/5.5.x/modules/permissions.html#permissions.f.allow_source_address):

‘''
$var(group) = allow_source_address_group();

if ($var(group) != -1) {
    xlog("L_INFO", "$si : $sp is allowed through group: $var(group)\n");
    [...]
} else {
    xlog("L_INFO", "$si : $sp is not allowed - allow_source_address_group returned -1\n");
    xlog("L_INFO", "Rejecting $ci with 403 'Forbidden'\n");
    sl_send_reply("403", "Forbidden");
    exit;
}
‘''

Best regards,

Romain Untereiner
Co founder at Cantoo
www.cantoo.co
Le 18 mai 2021 à 08:44 +0200, Daniel-Constantin Mierla <miconda@gmail.com>, a écrit :
Hello,

On 17.05.21 12:11, Romain Untereiner wrote:
Hello all,

I am having some trouble with Permissions module of Kamailio,
regarding the allow_source_address_group() function. In 99.9% of the
cases the IP of our partner is allowed as expected, but randomly it
can fail (returning -1 for the same IP address that was allowed for
many other calls in the meantime). 

I can’t understand why it fails and why only « sometimes » - I confirm
this append on the same Kamailio box, with same IP and Port of the
partner.

In my custom logs:
« X.X.X.X:YYYY is allowed through group Z » —> as expected
and sometimes (like 1% of the cases): « X.X.X.X:YYYY is not allowed
-  allow_source_address_group returned -1»

It is maybe to note that in the address table, this range is defined
as /24 and not /32. Until now it never happened on /32 defined address
but I don’t know if it can be correlated.

Would someone have a clue on this?

Versions:
- kamailio 5.5.0 (x86_64/linux) d4c1a1
- debian 9 stretch
- postgresql 11.7

how do you test the return code of the function? Paste here the snippet
of the config where the function is used.

Then, do you really need the goup id of the address or just to match the
address?

Cheers,
Daniel

--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - Online
May 17-20, 2021 (Europe Timezone) - June 7-10, 2021 (America Timezone)
* https://www.asipto.com/sw/kamailio-advanced-training-online/

--  
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - Online
May 17-20, 2021 (Europe Timezone) - June 7-10, 2021 (America Timezone)
  * https://www.asipto.com/sw/kamailio-advanced-training-online/
-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - Online
May 17-20, 2021 (Europe Timezone) - June 7-10, 2021 (America Timezone)
  * https://www.asipto.com/sw/kamailio-advanced-training-online/