[Serusers] Trasting field "To"

Hi serusers! We have an intention to realize some scheme, where the registered client will be able to redirect the received calls to PSTN according to his rights (or belonging to certain group). We suppose the "TO" field to be reliable in case of forced exchanging of "TO" field content with URI for all incoming calls (but not from local IP address). The questions are: 1. Is it possible and how we can do it? if (method=="INVITE") { if (!src_ip==195.234.147.65 && !src_ip==127.0.0.1) { append_hf("P-hint: replace to with url\r\n"); subst('/^To: (.*)$/To: <sip:uri>/ig'); ??? ~~~ }; }; 2. Would it be effective (taking into account the existence of Click-to-dial and other similar applicftions)? /etc/ser/ser.cfg ---------------- fork=yes ##! Uncomment these lines to enter debugging mode ##!debug=9 # debug level (cmd line: -dddddddddd) ##!fork=no ##!log_stderror=yes #!check_via=no # (cmd. line: -v) #!dns=no # (cmd. line: -r) #!rev_dns=no # (cmd. line: -R) children=4 alias=cint.ru listen=195.234.147.65 listen=127.0.0.1 port=5060 user=root group=apache fifo="/tmp/ser_fifo" # ------------------ module loading ---------------------------------- # Uncomment this if you want to use SQL database loadmodule "/usr/lib/ser/modules/mysql.so" loadmodule "/usr/lib/ser/modules/usrloc.so" loadmodule "/usr/lib/ser/modules/sl.so" loadmodule "/usr/lib/ser/modules/registrar.so" loadmodule "/usr/lib/ser/modules/auth.so" loadmodule "/usr/lib/ser/modules/auth_db.so" loadmodule "/usr/lib/ser/modules/group.so" loadmodule "/usr/lib/ser/modules/rr.so" loadmodule "/usr/lib/ser/modules/tm.so" loadmodule "/usr/lib/ser/modules/acc.so" loadmodule "/usr/lib/ser/modules/nathelper.so" loadmodule "/usr/lib/ser/modules/maxfwd.so" loadmodule "/usr/lib/ser/modules/textops.so" loadmodule "/usr/lib/ser/modules/uri.so" ##!loadmodule "/usr/lib/ser/modules/exec.so" ##!loadmodule "/usr/lib/ser/modules/domain.so" #loadmodule "/usr/lib/ser/modules/cpl-c.so" # ----------------- setting module-specific parameters modparam("usrloc", "db_url","") modparam("usrloc", "db_mode", 1) modparam("auth_db", "db_url","") modparam("auth_db", "calculate_ha1", yes) modparam("auth_db", "password_column", "password") modparam("group", "db_url","") modparam("group", "use_domain", 1) modparam("rr", "enable_full_lr", 1) modparam("acc", "db_url","") modparam("acc", "db_flag", 1) modparam("acc", "db_missed_flag", 2) modparam("acc", "log_flag", 3) modparam("acc", "log_missed_flag", 4) modparam("acc", "failed_transactions", 1) modparam("registrar", "nat_flag", 6) modparam("nathelper", "natping_interval", 30) # Ping interval 30 s modparam("nathelper", "ping_nated_only", 1) # Ping only clients behind NAT # ------------------------- request routing logic # main routing logic route{ ##! Uncoment next 1 string for debug setflag(9); # initial sanity checks -- messages with # max_forwards==0, or excessively long requests if (!mf_process_maxfwd_header("10")) { if (isflagset(9)) log (1, "REPLY: 483 - Too Many Hops"); sl_send_reply("483","Too Many Hops"); break; }; if (msg:len >= max_len ) { if (isflagset(9)) log (1, "REPLY: 513 - Message too big"); sl_send_reply("513", "Message too big"); break; }; # !! Nathelper # Special handling for NATed clients; first, NAT test is # executed: it looks for via!=received and RFC1918 addresses # in Contact (may fail if line-folding is used); also, # the received test should, if completed, should check all # vias for rpesence of received if (nat_uac_test("3")) { # Allow RR-ed requests, as these mayindicate that # a NAT-enabled proxy takes care ofit; unless it is # a REGISTER if (method == "REGISTER" || ! search("^Record-Route:")) { ##!log("LOG: Someone trying to register from private IP, rewriting\n"); # This will work only for user agents that support symmetric # communication. We tested quite many of them and majority is # smart enough to be symmetric. In some phones it takes a configuration # option. With Cisco 7960, it is called NAT_Enable=Yes, with kphone it is # called "symmetric media" and "symmetric signalling". fix_nated_contact(); # Rewrite contact with source IP of signalling if (method == "INVITE") { fix_nated_sdp("1"); # Add direction=active to SDP }; force_rport(); # Add rport parameter to topmost Via setflag(6); # Mark as NATed }; }; # anti-spam -- if somene claims to belong to our domain in From, # challenge him (skip REGISTERs -- we will chalenge them later) ##! if (search("(From|F):.*@cint.ru")) { if (search("(From|F):.*@cint.ru") || search("(From|F):.*@sip.cint.ru")) { # invites forwarded to other domains, like FWD may cause subsequent # request to come from there but have iptel in From -> verify # only INVITEs (ignore FIFO/UAC's requests, i.e. src_ip==fox) if (method == "INVITE" || method == "SUBSCRIBE") { if (proxy_authorize("cint.ru", "subscriber")) { if (isflagset(9)) log(1, "LOG: PROXY AUTHORIZE - OK\n") } else { if (isflagset(9)) log(1, "LOG: PROXY AUTHORIZE - ERROR, SEND CHALLANGE\n") proxy_challenge("cint.ru", "0"); break; }; # to maintain outside credibility of our proxy, we enforce # username in From to equal digest username; user with # "john.doe" id could advertise "bill.gates" in From otherwise; if (!check_from()) { if (isflagset(9)) log(1, "REPLY: 403 - Insufficient From and digest\n"); sl_send_reply("403", "Insufficient From and digest"); break; }; # we better don't consume credentials -- some requests may be # spiraled through our server (sfo at iptel->7141 at iptel) and the # subsequent iteration may challenge too, for example because of # iptel claim in From; UACs then give up because they # already submitted credentials for the given realm #consume_credentials(); }; # non-REGISTER from other domain } else if ((method == "INVITE" || method == "SUBSCRIBE" || method=="REGISTER" ) && !(uri == myself)) { # and we serve our gateway too (we RR requests to it, so that # its address may show up in subsequent requests after loose_route if (isflagset(9)) log (1, "REPLY: 403 - No relaying"); sl_send_reply("403", "No relaying"); break; }; # we record-route all messages -- to make sure that # subsequent messages will go through our proxy; that's # particularly good if upstream and downstream entities # use different transport protocol if (!method=="REGISTER") record_route(); if (isflagset(9) && method=="INVITE") log(1, "LOG: INVITE\n"); if (isflagset(9) && method=="MESSAGE") log(1, "LOG: MESSAGE\n"); if (isflagset(9) && method=="BYE") log(1, "LOG: BYE\n"); if (isflagset(9) && method=="CANCEL" ) log(1, "LOG: CANCEL\n"); if ( method == "REGISTER" || method=="INVITE" || method=="BYE" || method == "CANCEL" ) { # save messages in mysqlfor CDRTool ##!exec_msg("/usr/local/etc/ser/sertrace.py; exit 1"); setflag(1); setflag(2); /* set for accounting (the same value as in log_flag!) */ if (isflagset(9)) { setflag(3); setflag(4); }; /* Temporay (for debug) */ }; #end of cdrtool # subsequent messages withing a dialog should take the # path determined by record-routing if (loose_route()) { # mark routing logic in request append_hf("P-hint: rr-enforced\r\n"); route(1); break; }; if (!uri==myself) { # mark routing logic in request append_hf("P-hint: outbound\r\n"); route(1); break; }; if (method=="INVITE") { if (!src_ip==195.234.147.65 && !src_ip==127.0.0.1) { append_hf("P-hint: replace to with url\r\n"); #subst('/^To: (.*)$/To: <sip:uri>/ig'); #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ }; }; if (uri==myself) { if (method=="REGISTER") { if (www_authorize("cint.ru", "subscriber")) { if (isflagset(9)) if (isflagset(6)) log(1, "LOG: REGISTER WWW (NAT) - OK\n") else log(1, "LOG: REGISTER WWW - OK\n"); } else { if (isflagset(9)) if (isflagset(6)) log(1, "LOG: REGISTER WWW (NAT) - ERROR, SEND CHALLENGE\n") else log(1, "LOG: REGISTER WWW - ERROR, SEND CHALLENGE\n"); www_challenge("cint.ru", "0"); break; }; if (!check_to()) { if (isflagset(9)) log(1, "REPLY: 403 - Insufficient To and digest\n"); sl_send_reply("403", "Insufficient To and digest"); break; }; save("location"); break; }; if (method=="INVITE") { if (src_ip==195.234.147.120) {strip(4);}; }; lookup("aliases"); if (!uri==myself) { append_hf("P-hint: outbound alias\r\n"); route(1); break; }; # native SIP destinations are handled using our USRLOC DB if (!lookup("location")) { #if (uri=~"^sip:8644") {route(9); break;}; #if (uri=~"^sip:5027663") {route(9); break;}; if (uri=~"^sip:8644") {route(4); break;}; if (uri=~"^sip:810") {route(2); break;}; #int if (uri=~"^sip:8[1-9]") {route(3); break;}; #ld if (uri=~"^sip:[0-79]") {route(4); break;}; #local if (isflagset(9)) log (1, "REPLY: 404 - Not Found"); sl_send_reply("404", "Not Found"); break; }; }; append_hf("P-hint: usrloc applied\r\n"); route(1); } route[1] { if (method=="INVITE" && isflagset(9)) log(1, "ROUTE: VOIP\n"); # !! Nathelper if (uri=~"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)" && !search("^Route:")) { if (isflagset(9)) log (1, "REPLY: 479 - We don't forward to private IP addresses"); sl_send_reply("479", "We don't forward to private IP addresses"); break; }; # if client or server know to be behind a NAT, enable relay if (isflagset(6)) { force_rtp_proxy(); }; # NAT processing of replies; apply to allt ransactions (for example, # re-INVITEs from public to private UA are hard to identify as # NATed at the moment of request processing); look at replies t_on_reply("1"); # send it out now; use stateful forwarding as it works reliably # even for UDP2TCP if (!t_relay()) { sl_reply_error(); }; } # !! Nathelper onreply_route[1] { # NATed transaction ? if (isflagset(6) && status =~ "(183)|2[0-9][0-9]") { fix_nated_contact(); force_rtp_proxy(); # otherwise, is it a transaction behind a NAT and we did not # know at time of request processing ? (RFC1918contacts) } else if (nat_uac_test("1")) { fix_nated_contact(); }; } route[2] { if (method=="INVITE" && isflagset(9)) log(1, "ROUTE: INT\n"); if (!is_user_in("To", "ld")) { if (!is_user_in("From", "int")) { if (isflagset(9)) log(1, "REPLY: No Permission To Make International Call.\n"); sl_send_reply("403", "No Permission To Make International Call"); break; }; }; route(9); } route[3] { if (method=="INVITE" && isflagset(9)) log(1, "ROUTE: LD\n"); if (!is_user_in("To", "ld")) { if (!is_user_in("From", "ld")) { if (isflagset(9)) log(1, "REPLY: No Permission To Make Long Distance Call.\n"); sl_send_reply("403", "No Permission To Make Long Distance Call"); break; }; }; route(9); } route[4] { if (method=="INVITE" && isflagset(9)) log(1, "ROUTE: LOCAL\n"); if (!is_user_in("To", "local")) { if (!is_user_in("From", "local")) { if (isflagset(9)) log(1, "REPLY: No Permission To Make Local Call.\n"); sl_send_reply("403", "No Permission To Make Local Call"); break; }; }; route(9); break; } route[9] { if (method=="INVITE" && isflagset(9)) log(1, "ROUTE: PSTN\n"); prefix("0550"); rewritehostport("195.234.147.120:5060"); t_relay_to_udp("195.234.147.120","5060"); }