20 Nov
2009
20 Nov
'09
9:15 p.m.
[please keep the list CC-d because others may also be interested in the
solution or may know the answer better.]
On 11/20/2009 07:06 PM, Andres Moya wrote:
Can i ask one more question here. It is complicated, i
am using
uac_replace_from and uac_auth.
I am using failure route to process authentication if necessary and
redirect on next carrier.
If i authenticated with one provider, then fot let say 415 ( i set only
speex in UAC to get it ;) ). Ok SER send request to second provider, i use
uac_replace_from once again in my LOAD_AUTH route
then uac_auth again.
Ok. now i see from ngrep that uac_replace_from did nothing in from field
and use user@domain for first provider, authentication failed :(
Which authentication fails? The first or the second one?
The first should work, at least the from header should be rewritten by
the function.
The second authentication will not work this way (if it requires a
different from header) because the proxy "remembers" for the header
changes done before the first t_relay() function call and applies the
same header modifications also for any other branch added from failure
route. Hence, the outgoing SIP request to the second provider will
contain the same from HF as the request to the first provider.
The easiest way is to apply the header modifications in branch route if
you do not need to reuse them later from failure route. Modifications
done in branch routes are valid only within that branch.
I moved uac_replace_from to my failure route to call once again before
uac_auth, but got config error as i can't use uac_replace_from in
failure_route.
I think you already use this function from failure route because it is
in a route block that is included from failure route. The only
difference is that the syntax checker does not recognize the issue. I am
not familiar with uac_replace_from() but after having a quick look at
the function I think it is safe to use it from here.
Ok i will use textops to rewrite, but it is ugly?
The main difference is that uac_replace_from() restores the original
From HF when the response if forwarded. If you use textops module then
you need to restore the header manually.
no. Maybe i should
call uac_replace_from in branch route?
I would suggest this way. Both for the first and for the second provider.
Miklos
Thanks
20 Nov
20 Nov
11:07 p.m.
New subject: [sr-dev] recursive calls to failure_route strange behavior
Hmmm...
Thank you very much for support
I use
subst('/^From:(.*)sip:[^@]*@[a-zA-Z0-9\.]+(.*)$/From:\1sip:$avp(i:21)@$avp(i:24)\2/i');
now replace work strange i can see first time it said correct to:
From: <sip:andres.moya4@sipdiscount.com;transport=UDP>;tag=19790648.
for both - first INVITE and second with auth header
Second time i am sending to provider:
From:
<sip:andres.moya4@sipdiscount.com;transport=UDP>;tag=19790648.From:
<sip:21100036838@terrasip.net;transport=UDP>;tag=19790648.
and then with auth header:
From: <sip:andres.moya4@sipdiscount.com;transport=UDP>;tag=19790648.
something is wrong again :(
You can see i used flags to split first subst call from second one.
Second time it is not doing substitution, it is adding to From header
:) But then looks like uac_auth removes one :)
I don't care to restore From field, i need it just work.
uac_replace_from do nothing then caller in failure_route via sub route
second time. maybe it set From for first branch?
I want it go on list of providers and authenticate then asked.
I have branch_route, i tried to arm t_on_branch , but xlog in this route
never write anything in log. I don't know how to use branches. I just
know that if i want to call t_relay(), i should always say -
append_branch() ;) Any one can explain briefly how branches supposed to
work? Especially how to use branch_route. I feel i am nearly there. I
guess author of auc module can maybe be interested to add loading of
authentication data from database.
my number is sip:andres.moya@riki.ru (not email), anyone welcome to
call... testing
ok my logic is
if (number PSTN) {
route (PSTN_RELAY);
}
route[PSTN_RELAY]{
do first stage cr_route.....
route(LOAD_AUTH);
t_relay();
}
##### LOAD_AUTH ##########
# loading authentication information from carrierauth table
# set From field according to carrierauth information
# arguments:
# $rd - request uri doamin, sip provider carrier
# returns:
# avp(i:20) - rewrited host = $rd
# avp(i:21) - auth user
# avp(i:22) - auth pass
# avp(i:23) - auth realm
# avp(i:24) - auth domain
route[LOAD_AUTH]{
xlog ("L_INFO","LOAD_AUTH: searching authentication for host host:
$rd");
$avp(i:20)=$rd;
if ( avp_db_query(
"SELECT username, password, realm, domain FROM carrierauth WHERE
hostname='$rd'",
"$avp(i:21);$avp(i:22);$avp(i:23);$avp(i:24)") > 0 ) {
xlog ("L_INFO","LOAD_AUTH: for $rd loaded data user: $avp(i:21)
pass: $avp(i:22) realm: $avp(i:23) domain: $avp(i:24)");
# replace from_user@from_domain
xlog("L_INFO","LOAD_AUTH: changing From: ->
sip:$avp(i:21)@$avp(i:24)");
#uac_replace_from("sip:$avp(i:21)@$avp(i:24)");
#uac_replace_from doesnt work in failure route.
if (!isflagset(30)) {
subst('/^From:(.*)sip:[^@]*@[a-zA-Z0-9\.]+(.*)$/From:\1sip:$avp(i:21)@$avp(i:24)\2/i');
} else {
subst('/^From:(.*)sip:[^@]*@[a-zA-Z0-9\.]+(.*)$/From:\1sip:$avp(i:21)@$avp(i:24)\2/i');
}
setflag(30);
}
# we are not relaying authentications :)
remove_hf("Authorization"); # remove client authentication
# reset flag to mark no authentication yet performed
resetflag(10); # let's use 10 to know uac authentication was not
sent yet
xlog("L_INFO","LOAD_AUTH: flag 10 reset and Authorization header
clered. returning\n");
return(1);
}
failure_route[FAIL_ONE] {
xlog("L_INFO","entering failure route with code: $T_reply_code \n");
#if (t_grep_status("415")) xlog("L_INFO","415! \n");
if ( t_check_status("401|407") ) # Unathorised reply
{ xlog("L_INFO","Authentication required \n");
# have we already tried to authenticate? do we have auth
information loaded?
if (isflagset(10) || $avp(i:21)==$null ) # auth was already sent
or we don't have auth info
{
xlog("Authentication to $avp(i:20) provider as
$avp(i:21)@$avp(i:24) failed\n");
t_reply("503","Authentication failed");
avp_delete("$avp(i:20)");
avp_delete("$avp(i:21)");
avp_delete("$avp(i:22)");
avp_delete("$avp(i:23)");
avp_delete("$avp(i:24)");
exit(); # :(
}
# if call from here LOAD_AUTH will look for original uri, not
rewriten before
if( !is_avp_set("$avp(i:20)") || $avp(i:20)=='') { # if
LAOD_AUTH was not done yet
route (LOAD_AUTH); # loads auth avps and rewrite 'from' field
}
# this avps loaded before by LOAD_AUTH
# avp(i:20) - rewrited host
# avp(i:21) - auth user
# avp(i:22) - auth pass
# avp(i:23) - auth realm
# avp(i:24) - auth domain
xlog ("L_INFO","for $rd using: $avp(i:21) pass: $avp(i:22) realm:
$avp(i:23) domain: $avp(i:24)");
remove_hf("Authorization"); # remove client authentication
if (uac_auth()) # adding auth header
{xlog ("\nMessage:\n$mb\n\n");
xlog("L_INFO","Authorization header set, sending...\n");
# mark that auth was performed
setflag(10);
# next time i want t_check_status look at some other errstatus
t_drop_replies();
t_on_failure("FAIL_ONE");
# repeat the request with auth response this time
append_branch(); # ???
t_relay();
exit;
}
}
# In case of failure on PSTN provider, send it to an alternative route:
# if ( t_check_status("415|480|408|5[0-9][0-9]")) {
if ( isflagset(11) && t_check_status("415|480|408|5[0-9][0-9]")) {
# next time i want t_check_status look at some other errstatus
t_drop_replies();
xlog("L_INFO", "FAIL_ONE: got code $T_reply_code will try next
carrier domain\n");
revert_uri();
if (!cr_next_domain("$avp(s:carrier)", "$avp(s:domain)",
"$avp(s:rc_pstn_num)",
"$avp(s:rc_host)", "$T_reply_code",
"$avp(s:domain)")) {
xlog("L_ERR", "cr_next_domain failed\n");
exit;
}
if (!cr_route("$avp(s:carrier)", "$avp(s:domain)",
"$avp(s:rc_pstn_num)", "$avp(s:rc_pstn_num)",
"call_id")) {
xlog("L_ERR", "cr_route failed\n");
exit;
}
route(LOAD_AUTH);
xlog("L_INFO", "FAIL_ONE: done LOAD_AUTH, relaying to next
provider: $rd\n");
t_on_failure("FAIL_ONE");
append_branch();
if (!t_relay()) {
xlog("L_ERR", "t_relay to $rd failed\n");
exit;
}
exit;
}
#!ifdef WITH_NAT
if (is_method("INVITE")
&& (isbflagset("6") || isflagset(5))) {
unforce_rtp_proxy();
}
#!endif
if (t_is_canceled()) {
exit;
}
t_reply("404","Not found");
}
Miklos Tirpak wrote:
[please keep the list CC-d because others may also be
interested in
the solution or may know the answer better.]
On 11/20/2009 07:06 PM, Andres Moya wrote:
Can i ask one more question here. It is
complicated, i am using
uac_replace_from and uac_auth.
I am using failure route to process authentication if necessary and
redirect on next carrier.
If i authenticated with one provider, then fot let say 415 ( i set
only speex in UAC to get it ;) ). Ok SER send request to second
provider, i use
uac_replace_from once again in my LOAD_AUTH route
then uac_auth again.
Ok. now i see from ngrep that uac_replace_from did nothing in from
field and use user@domain for first provider, authentication failed :(
Which authentication fails? The first or the second one?
The first should work, at least the from header should be rewritten by
the function.
The second authentication will not work this way (if it requires a
different from header) because the proxy "remembers" for the header
changes done before the first t_relay() function call and applies the
same header modifications also for any other branch added from failure
route. Hence, the outgoing SIP request to the second provider will
contain the same from HF as the request to the first provider.
The easiest way is to apply the header modifications in branch route
if you do not need to reuse them later from failure route.
Modifications done in branch routes are valid only within that branch.
I moved uac_replace_from to my failure route to call once again
before uac_auth, but got config error as i can't use uac_replace_from
in failure_route.
I think you already use this function from failure route because it is
in a route block that is included from failure route. The only
difference is that the syntax checker does not recognize the issue. I
am not familiar with uac_replace_from() but after having a quick look
at the function I think it is safe to use it from here.
Ok i will use textops to rewrite, but it is ugly?
The main difference is that uac_replace_from() restores the original
From HF when the response if forwarded. If you use textops module then
you need to restore the header manually.
no. Maybe i should call uac_replace_from in
branch route?
I would suggest this way. Both for the first and for the second provider.
Miklos
>
> Thanks
11:19 p.m.
New subject: [sr-dev] recursive calls to failure_route strange behavior
Hmmm...
Thank you very much for support
I use
subst('/^From:(.*)sip:[^@]*@[a-zA-Z0-9\.]+(.*)$/From:\1sip:$avp(i:21)@$avp(i:24)\2/i');
now replace work strange i can see first time it said correct to:
From: <sip:andres.moya4@sipdiscount.com;transport=UDP>;tag=19790648.
for both - first INVITE and second with auth header
Second time i am sending to provider:
From:
<sip:andres.moya4@sipdiscount.com;transport=UDP>;tag=19790648.From:
<sip:21100036838@terrasip.net;transport=UDP>;tag=19790648.
and then with auth header:
From: <sip:andres.moya4@sipdiscount.com;transport=UDP>;tag=19790648.
something is wrong again :(
You can see i used flags to split first subst call from second one.
Second time it is not doing substitution, it is adding to From header
:) But then looks like uac_auth removes one :)
I don't care to restore From field, i need it just work.
uac_replace_from do nothing then caller in failure_route via sub route
second time. maybe it set From for first branch?
I want it go on list of providers and authenticate then asked.
I have branch_route, i tried to arm t_on_branch , but xlog in this route
never write anything in log. I don't know how to use branches. I just
know that if i want to call t_relay(), i should always say -
append_branch() ;) Any one can explain briefly how branches supposed to
work? Especially how to use branch_route. I feel i am nearly there. I
guess author of auc module can maybe be interested to add loading of
authentication data from database.
my number is sip:andres.moya@riki.ru (not email), anyone welcome to
call... testing
ok my logic is
if (number PSTN) {
route (PSTN_RELAY);
}
route[PSTN_RELAY]{
do first stage cr_route.....
route(LOAD_AUTH);
t_relay();
}
##### LOAD_AUTH ##########
# loading authentication information from carrierauth table
# set From field according to carrierauth information
# arguments:
# $rd - request uri doamin, sip provider carrier
# returns:
# avp(i:20) - rewrited host = $rd
# avp(i:21) - auth user
# avp(i:22) - auth pass
# avp(i:23) - auth realm
# avp(i:24) - auth domain
route[LOAD_AUTH]{
xlog ("L_INFO","LOAD_AUTH: searching authentication for host host:
$rd");
$avp(i:20)=$rd;
if ( avp_db_query(
"SELECT username, password, realm, domain FROM carrierauth WHERE
hostname='$rd'",
"$avp(i:21);$avp(i:22);$avp(i:23);$avp(i:24)") > 0 ) {
xlog ("L_INFO","LOAD_AUTH: for $rd loaded data user: $avp(i:21)
pass: $avp(i:22) realm: $avp(i:23) domain: $avp(i:24)");
# replace from_user@from_domain
xlog("L_INFO","LOAD_AUTH: changing From: ->
sip:$avp(i:21)@$avp(i:24)");
#uac_replace_from("sip:$avp(i:21)@$avp(i:24)");
#uac_replace_from doesnt work in failure route.
if (!isflagset(30)) {
subst('/^From:(.*)sip:[^@]*@[a-zA-Z0-9\.]+(.*)$/From:\1sip:$avp(i:21)@$avp(i:24)\2/i');
} else {
subst('/^From:(.*)sip:[^@]*@[a-zA-Z0-9\.]+(.*)$/From:\1sip:$avp(i:21)@$avp(i:24)\2/i');
}
setflag(30);
}
# we are not relaying authentications :)
remove_hf("Authorization"); # remove client authentication
# reset flag to mark no authentication yet performed
resetflag(10); # let's use 10 to know uac authentication was not sent
yet
xlog("L_INFO","LOAD_AUTH: flag 10 reset and Authorization header
clered. returning\n");
return(1);
}
failure_route[FAIL_ONE] {
xlog("L_INFO","entering failure route with code: $T_reply_code \n");
#if (t_grep_status("415")) xlog("L_INFO","415! \n");
if ( t_check_status("401|407") ) # Unathorised reply
{ xlog("L_INFO","Authentication required \n");
# have we already tried to authenticate? do we have auth
information loaded?
if (isflagset(10) || $avp(i:21)==$null ) # auth was already sent
or we don't have auth info
{
xlog("Authentication to $avp(i:20) provider as
$avp(i:21)@$avp(i:24) failed\n");
t_reply("503","Authentication failed");
avp_delete("$avp(i:20)");
avp_delete("$avp(i:21)");
avp_delete("$avp(i:22)");
avp_delete("$avp(i:23)");
avp_delete("$avp(i:24)");
exit(); # :(
}
# if call from here LOAD_AUTH will look for original uri, not
rewriten before
if( !is_avp_set("$avp(i:20)") || $avp(i:20)=='') { # if LAOD_AUTH
was not done yet
route (LOAD_AUTH); # loads auth avps and rewrite 'from' field
}
# this avps loaded before by LOAD_AUTH
# avp(i:20) - rewrited host
# avp(i:21) - auth user
# avp(i:22) - auth pass
# avp(i:23) - auth realm
# avp(i:24) - auth domain
xlog ("L_INFO","for $rd using: $avp(i:21) pass: $avp(i:22) realm:
$avp(i:23) domain: $avp(i:24)");
remove_hf("Authorization"); # remove client authentication
if (uac_auth()) # adding auth header
{xlog ("\nMessage:\n$mb\n\n");
xlog("L_INFO","Authorization header set, sending...\n");
# mark that auth was performed
setflag(10);
# next time i want t_check_status look at some other errstatus
t_drop_replies();
t_on_failure("FAIL_ONE");
# repeat the request with auth response this time
append_branch(); # ???
t_relay();
exit;
}
}
# In case of failure on PSTN provider, send it to an alternative route:
# if ( t_check_status("415|480|408|5[0-9][0-9]")) {
if ( isflagset(11) && t_check_status("415|480|408|5[0-9][0-9]")) {
# next time i want t_check_status look at some other errstatus
t_drop_replies();
xlog("L_INFO", "FAIL_ONE: got code $T_reply_code will try next
carrier domain\n");
revert_uri();
if (!cr_next_domain("$avp(s:carrier)", "$avp(s:domain)",
"$avp(s:rc_pstn_num)",
"$avp(s:rc_host)", "$T_reply_code",
"$avp(s:domain)")) {
xlog("L_ERR", "cr_next_domain failed\n");
exit;
}
if (!cr_route("$avp(s:carrier)", "$avp(s:domain)",
"$avp(s:rc_pstn_num)", "$avp(s:rc_pstn_num)",
"call_id")) {
xlog("L_ERR", "cr_route failed\n");
exit;
}
route(LOAD_AUTH);
xlog("L_INFO", "FAIL_ONE: done LOAD_AUTH, relaying to next
provider: $rd\n");
t_on_failure("FAIL_ONE");
append_branch();
if (!t_relay()) {
xlog("L_ERR", "t_relay to $rd failed\n");
exit;
}
exit;
}
#!ifdef WITH_NAT
if (is_method("INVITE")
&& (isbflagset("6") || isflagset(5))) {
unforce_rtp_proxy();
}
#!endif
if (t_is_canceled()) {
exit;
}
t_reply("404","Not found");
}
Miklos Tirpak wrote:
[please keep the list CC-d because others may also be
interested in
the solution or may know the answer better.]
On 11/20/2009 07:06 PM, Andres Moya wrote:
Can i ask one more question here. It is
complicated, i am using
uac_replace_from and uac_auth.
I am using failure route to process authentication if necessary and
redirect on next carrier.
If i authenticated with one provider, then fot let say 415 ( i set
only speex in UAC to get it ;) ). Ok SER send request to second
provider, i use
uac_replace_from once again in my LOAD_AUTH route
then uac_auth again.
Ok. now i see from ngrep that uac_replace_from did nothing in from
field and use user@domain for first provider, authentication failed :(
Which authentication fails? The first or the second one?
The first should work, at least the from header should be rewritten by
the function.
The second authentication will not work this way (if it requires a
different from header) because the proxy "remembers" for the header
changes done before the first t_relay() function call and applies the
same header modifications also for any other branch added from failure
route. Hence, the outgoing SIP request to the second provider will
contain the same from HF as the request to the first provider.
The easiest way is to apply the header modifications in branch route
if you do not need to reuse them later from failure route.
Modifications done in branch routes are valid only within that branch.
I moved uac_replace_from to my failure route to call once again
before uac_auth, but got config error as i can't use uac_replace_from
in failure_route.
I think you already use this function from failure route because it is
in a route block that is included from failure route. The only
difference is that the syntax checker does not recognize the issue. I
am not familiar with uac_replace_from() but after having a quick look
at the function I think it is safe to use it from here.
Ok i will use textops to rewrite, but it is ugly?
The main difference is that uac_replace_from() restores the original
From HF when the response if forwarded. If you use textops module then
you need to restore the header manually.
no. Maybe i should call uac_replace_from in
branch route?
I would suggest this way. Both for the first and for the second provider.
Miklos
>
> Thanks
21 Nov
21 Nov
2:56 a.m.
New subject: [sr-dev] recursive calls to failure_route strange behavior
Hi,
I made branch route and changing From there, i decided not to restore from.
ok, i doing calls two times and getting:
first time it set ok:
From: <sip:andres.moya4@sipdiscount.com>;tag=572ac509.
second time i am getting
From:
<sip:andres.moya4@sipdiscount.comsip:21100036838@terrasip.net>;tag=572ac509.
ok
trying
subst('/^From:(.*)sip:[^@]*@[a-zA-Z0-9\.]+(.*)$/From:\1sip:$avp(i:21)@$avp(i:24)\2/i');
first time it substitute ok, on next branch i got result:
From:
<sip:andres.moya4@sipdiscount.com;transport=UDP>;tag=ee12f132.sip:andres.moya4@sipdiscount.com
Looks like both methods are broken.
ok, uac_replace is here:
LM_DBG("uri to replace [%.*s]\n",from->uri.len, from->uri.s);
LM_DBG("replacement uri is [%.*s]\n",from_uri->len, from_uri->s);
>>Nov 21 01:22:35 v
/usr/local/sbin/kamailio[32582]: DEBUG: uac
[from.c:305]: uri to replace
[sip:mangust@riki.ru;transport=UDP]
>>Nov 21 01:22:35 v
/usr/local/sbin/kamailio[32582]: DEBUG: uac
[from.c:306]: replacement uri is
[sip:andres.moya4@sipdiscount.com]
sip:mangust@riki.ru is original from. It is same all sequence of calls.
This is actually second call, before sending authenticated INVITE.
Actually i am calling two times uac_replace_from, for first INVITE and
for second authenticated. If doing only on first invite is ok with first
authentiation, but crashes with results described in the beginning of a
mail on second one sip provider. In any case second replace always problem.
/* build del/add lumps */
if ((l=del_lump( msg, from->uri.s-msg->buf, from->uri.len, 0))==0)
{
LM_ERR("del lump failed\n");
goto error;
}
p = pkg_malloc( from_uri->len);
if (p==0)
{
LM_ERR("no more pkg mem\n");
goto error;
}
memcpy( p, from_uri->s, from_uri->len);
if (insert_new_lump_after( l, p, from_uri->len, 0)==0)
{
LM_ERR("insert new lump failed\n");
pkg_free(p);
goto error;
}
if (from_restore_mode==FROM_NO_RESTORE)
return 0;
Result is:
From:
<sip:andres.moya4@sipdiscount.comsip:andres.moya4@sipdiscount.com>;tag=1307d94b.
if repeat with next step, try to insert sip:21100036838@terrasip.net, we
get:
From:
<sip:andres.moya4@sipdiscount.comsip:21100036838@terrasip.net>;tag=87272c59.
I am sure i am doing something wrong, but Kamailio doing strange things
too ...
Miklos Tirpak wrote:
[please keep the list CC-d because others may also be
interested in
the solution or may know the answer better.]
On 11/20/2009 07:06 PM, Andres Moya wrote:
Can i ask one more question here. It is
complicated, i am using
uac_replace_from and uac_auth.
I am using failure route to process authentication if necessary and
redirect on next carrier.
If i authenticated with one provider, then fot let say 415 ( i set
only speex in UAC to get it ;) ). Ok SER send request to second
provider, i use
uac_replace_from once again in my LOAD_AUTH route
then uac_auth again.
Ok. now i see from ngrep that uac_replace_from did nothing in from
field and use user@domain for first provider, authentication failed :(
Which authentication fails? The first or the second one?
The first should work, at least the from header should be rewritten by
the function.
The second authentication will not work this way (if it requires a
different from header) because the proxy "remembers" for the header
changes done before the first t_relay() function call and applies the
same header modifications also for any other branch added from failure
route. Hence, the outgoing SIP request to the second provider will
contain the same from HF as the request to the first provider.
The easiest way is to apply the header modifications in branch route
if you do not need to reuse them later from failure route.
Modifications done in branch routes are valid only within that branch.
I moved uac_replace_from to my failure route to call once again
before uac_auth, but got config error as i can't use uac_replace_from
in failure_route.
I think you already use this function from failure route because it is
in a route block that is included from failure route. The only
difference is that the syntax checker does not recognize the issue. I
am not familiar with uac_replace_from() but after having a quick look
at the function I think it is safe to use it from here.
Ok i will use textops to rewrite, but it is ugly?
The main difference is that uac_replace_from() restores the original
From HF when the response if forwarded. If you use textops module then
you need to restore the header manually.
no. Maybe i should call uac_replace_from in
branch route?
I would suggest this way. Both for the first and for the second provider.
Miklos
>
> Thanks
23 Nov
23 Nov
12:41 p.m.
New subject: [sr-dev] recursive calls to failure_route strange behavior
Hi,
I quickly tried to replace the From HF and add the auth header and it
works for two providers. Please check the attached config and rewrite it
as you need.
Miklos
On 11/21/2009 02:56 AM, Andres Moya wrote:
Hi,
I made branch route and changing From there, i decided not to restore from.
ok, i doing calls two times and getting:
first time it set ok:
From: <sip:andres.moya4@sipdiscount.com>;tag=572ac509.
second time i am getting
From:
<sip:andres.moya4@sipdiscount.comsip:21100036838@terrasip.net>;tag=572ac509.
ok
trying
subst('/^From:(.*)sip:[^@]*@[a-zA-Z0-9\.]+(.*)$/From:\1sip:$avp(i:21)@$avp(i:24)\2/i');
first time it substitute ok, on next branch i got result:
From:
<sip:andres.moya4@sipdiscount.com;transport=UDP>;tag=ee12f132.sip:andres.moya4@sipdiscount.com
Looks like both methods are broken.
ok, uac_replace is here:
LM_DBG("uri to replace [%.*s]\n",from->uri.len, from->uri.s);
LM_DBG("replacement uri is [%.*s]\n",from_uri->len, from_uri->s);
# ----------- global configuration parameters ------------------------
debug=2
memdbg=3
fork=yes
log_stderror=yes
children=1
disable_tcp=1
disable_tls=1
disable_sctp=1
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
port=5070
listen=udp:10.38.2.177:5070
flags
AUTH_ADDED;
# ------------------ module loading ----------------------------------
loadpath "/home/mtirpak/SER/git/sip-router/"
loadmodule "modules_k/sl/sl.so"
loadmodule "modules/tm/tm.so"
loadmodule "modules_k/rr/rr.so"
loadmodule "modules_k/uac/uac.so"
loadmodule "modules_k/pv/pv.so"
modparam("uac","credential","username:domain:password")
modparam("uac","auth_realm_avp","$avp(s:realm)")
modparam("uac","auth_username_avp","$avp(s:user)")
modparam("uac","auth_password_avp","$avp(s:password)")
# ------------- routing logic --------------------------------------
route {
route("first-provider");
}
route["first-provider"] {
log(0, "FIRST PROVIDER #1\n");
$avp(s:realm) = "foo.com";
$avp(s:user) = "Alice";
$avp(s:password) = "1234";
rewritehostport("10.38.2.177:5080");
resetflag(AUTH_ADDED);
t_on_failure("first-provider-failure");
t_on_branch("first-provider-prepare");
t_relay();
}
# rewrite the From header from branch route so that it is done
# separately for each branch
branch_route["first-provider-prepare"] {
uac_replace_from("sip:Alice@foo.com");
}
failure_route["first-provider-failure"] {
if (!isflagset(AUTH_ADDED) && t_check_status("401|407")) {
log(0, "FIRST PROVIDER #2\n");
t_on_failure("first-provider-failure");
t_on_branch("first-provider-prepare");
if (!uac_auth()) {
route("second-provider");
return;
}
setflag(AUTH_ADDED);
append_branch();
t_drop_replies();
if (!t_relay()) {
route("second-provider");
return;
}
} else {
# Either the authentication did not work
# or there was another failure
log(0, "FIRST PROVIDER FAILED\n");
t_drop_replies();
route("second-provider");
}
}
route["second-provider"] {
log(0, "SECOND PROVIDER #1\n");
$avp(s:realm) = "bar.com";
$avp(s:user) = "Bob";
$avp(s:password) = "5678";
rewritehostport("10.38.2.177:5090");
resetflag(AUTH_ADDED);
t_on_failure("second-provider-failure");
t_on_branch("second-provider-prepare");
append_branch();
t_relay();
}
branch_route["second-provider-prepare"] {
uac_replace_from("sip:Bob@bar.com");
}
failure_route["second-provider-failure"] {
if (!isflagset(AUTH_ADDED) && t_check_status("401|407")) {
log(0, "SECOND PROVIDER #2\n");
t_on_failure("second-provider-failure");
t_on_branch("second-provider-prepare");
if (!uac_auth()) {
route("auth-error");
return;
}
setflag(AUTH_ADDED);
append_branch();
t_drop_replies();
if (!t_relay()) {
route("auth-error");
return;
}
} else {
log(0, "SECOND PROVIDER FAILED\n");
if (t_check_status("401|407")) {
# Does not let the 401/407 forwarded.
route("auth-error");
}
}
}
route["auth-error"] {
t_reply("500", "failed to authenticate");
drop;
}
>>Nov 21 01:22:35 v
/usr/local/sbin/kamailio[32582]: DEBUG: uac
[from.c:305]: uri to replace
[sip:mangust@riki.ru;transport=UDP]
>>Nov 21 01:22:35 v
/usr/local/sbin/kamailio[32582]: DEBUG: uac
[from.c:306]: replacement uri is
[sip:andres.moya4@sipdiscount.com]
sip:mangust@riki.ru is original from. It is same all sequence of calls.
This is actually second call, before sending authenticated INVITE.
Actually i am calling two times uac_replace_from, for first INVITE and
for second authenticated. If doing only on first invite is ok with first
authentiation, but crashes with results described in the beginning of a
mail on second one sip provider. In any case second replace always
problem.
/* build del/add lumps */
if ((l=del_lump( msg, from->uri.s-msg->buf, from->uri.len, 0))==0)
{
LM_ERR("del lump failed\n");
goto error;
}
p = pkg_malloc( from_uri->len);
if (p==0)
{
LM_ERR("no more pkg mem\n");
goto error;
}
memcpy( p, from_uri->s, from_uri->len);
if (insert_new_lump_after( l, p, from_uri->len, 0)==0)
{
LM_ERR("insert new lump failed\n");
pkg_free(p);
goto error;
}
if (from_restore_mode==FROM_NO_RESTORE)
return 0;
Result is:
From:
<sip:andres.moya4@sipdiscount.comsip:andres.moya4@sipdiscount.com>;tag=1307d94b.
if repeat with next step, try to insert sip:21100036838@terrasip.net, we
get:
From:
<sip:andres.moya4@sipdiscount.comsip:21100036838@terrasip.net>;tag=87272c59.
I am sure i am doing something wrong, but Kamailio doing strange things
too ...
Miklos Tirpak wrote:
> [please keep the list CC-d because others may also be interested in
> the solution or may know the answer better.]
>
> On 11/20/2009 07:06 PM, Andres Moya wrote:
>> Can i ask one more question here. It is complicated, i am using
>> uac_replace_from and uac_auth.
>> I am using failure route to process authentication if necessary and
>> redirect on next carrier.
>>
>> If i authenticated with one provider, then fot let say 415 ( i set
>> only speex in UAC to get it ;) ). Ok SER send request to second
>> provider, i use
>> uac_replace_from once again in my LOAD_AUTH route
>> then uac_auth again.
>>
>> Ok. now i see from ngrep that uac_replace_from did nothing in from
>> field and use user@domain for first provider, authentication failed :(
>
> Which authentication fails? The first or the second one?
> The first should work, at least the from header should be rewritten by
> the function.
>
> The second authentication will not work this way (if it requires a
> different from header) because the proxy "remembers" for the header
> changes done before the first t_relay() function call and applies the
> same header modifications also for any other branch added from failure
> route. Hence, the outgoing SIP request to the second provider will
> contain the same from HF as the request to the first provider.
>
> The easiest way is to apply the header modifications in branch route
> if you do not need to reuse them later from failure route.
> Modifications done in branch routes are valid only within that branch.
>
>>
>> I moved uac_replace_from to my failure route to call once again
>> before uac_auth, but got config error as i can't use uac_replace_from
>> in failure_route.
>
> I think you already use this function from failure route because it is
> in a route block that is included from failure route. The only
> difference is that the syntax checker does not recognize the issue. I
> am not familiar with uac_replace_from() but after having a quick look
> at the function I think it is safe to use it from here.
>
>> Ok i will use textops to rewrite, but it is ugly?
>
> The main difference is that uac_replace_from() restores the original
> From HF when the response if forwarded. If you use textops module then
> you need to restore the header manually.
>
>> no. Maybe i should call uac_replace_from in branch route?
>
> I would suggest this way. Both for the first and for the second provider.
>
> Miklos
>
>>
>> Thanks
2:25 p.m.
New subject: [sr-dev] recursive calls to failure_route strange behavior
Thank you. Looks like it is ok now. My mistake was to use uac_repace_from in
request route first time. Then i rewrite script to call replace only
from branch route everything become fine. But anyway uac_repace_from
works strange way, should maybe write something in logs.
so result is: if we need to use uac_repace_from more then once in a
transaction it should be called from branch_route only. not from request
route.
i also noted that my clients send proxy auth info on all ACK and BYE,
so i cut them in the beginning of a route:
# we now not authenticating ACKs and BYE, just to prevent relay # of
auth data to external providers
if ( is_method("ACK|BYE") &&
is_present_hf("Proxy-Authorization"))
remove_hf("Proxy-Authorization");
consume_credentials doesn't help here
Maybe i should use normal (not proxy) authentication on their INVITE?
4:51 p.m.
New subject: [sr-dev] recursive calls to failure_route strange behavior
Andres Moya schrieb:
Thank you. Looks like it is ok now. My mistake was to
use uac_repace_from in
request route first time. Then i rewrite script to call replace only
from branch route everything become fine. But anyway uac_repace_from
works strange way, should maybe write something in logs.
so result is: if we need to use uac_repace_from more then once in a
transaction it should be called from branch_route only. not from request
route.
i also noted that my clients send proxy auth info on all ACK and BYE,
so i cut them in the beginning of a route:
that's a good idea
# we now not authenticating ACKs and BYE, just to prevent relay # of
auth data to external providers
if ( is_method("ACK|BYE") &&
is_present_hf("Proxy-Authorization"))
remove_hf("Proxy-Authorization");
consume_credentials doesn't help here
consume_credentials does only work after calling one of the
authentication function.
I would add also (to be on the safe side):
remove_hf("Authorization");
Maybe i should use normal (not proxy) authentication on their INVITE?
Proxy-auth is the correct thing.
regards
klaus
5526
days inactive
5529
days old
6 comments
3 participants
participants (3)
-
Andres Moya -
Klaus Darilion -
Miklos Tirpak