Hello everyone,
I have a question: is there a way to whitelist and blacklist IP addresses without using a database table?
I’m currently using the permissions module to block some traffic, but I’d also like to ban specific IPs. Ideally, I’d prefer not to use a database — I’d rather use a file-based approach, something like a permissions.allow file.
Thank you.
Hi Fernando!
You're almost there! The permissions module has the parameters default_allow_file and default_deny_file, where you specify the file path for each of the allow and deny files. In each file you specify:
- groupid as integer
- address as string
- netmask as optional integer
- port as optional integer. If 0 then any port
- tag as optional string
Ex.:
100 10.200.0.0 24 5060 all_the_range
If you set the above line in the allow file, it means that Kamailio will accept SIP messages from any node in the 10.200.0.0/24 range. If in the deny file, Kamailio will deny the same IP range.
As for the code, I usually do:
    #!ifdef WITH_ACL
    $var(GROUPID) = allow_address_group($si, $sp);

    if ( $var(GROUPID) == 100 || !$var(GROUPID) ) {
        xlog("L_WARN", "INIT - $si:$sp is not in the allowed ACL Group ID !\n");
        # uncomment below if you wish to return SIP 401 error to non-allowed clients
        #sl_reply("401", "Address not allowed");
        exit;
    }

    if (is_method("OPTIONS") && $sht(evapistatus=>state) > 0 ) {
        // reply to OPTIONS only if Kamailio has an EVAPI connection active
        sl_send_reply("200","OK");
        exit;
    }
    #!endif
Where group ID 100 is a DENY group. I use DB because it is way more flexible when you have 300 Kamailio nodes... Also, the permissions module doesn't query the DB on every request; in fact it loads the DB Permissions Table data into memory and refreshes every "reload_delta" parameter value. Having the data in DB is much easier, IMHO.
Hope this helps!
Atenciosamente / Kind Regards / Cordialement / Un saludo,
*Sérgio Charrua*
*www.kahea.ai / www.voip.pt*
*OpenTelecom* - Consulting for Telecoms, Lda Tel.: +351 91 631 11 44
Email: *sergio.charrua@voip.pt*
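A pre-deployment check for the line format described in the reply above (group id, address, optional netmask, optional port with 0 meaning any, optional tag), added here as an illustration and not code from the thread or from Kamailio. The `#` comment handling, the host-mask default for a missing netmask, first-match lookup and the -1 result for no match are assumptions of this sketch, and the sample lines are constructed.

```python
import ipaddress

def parse_acl(text):
    """Parse 'groupid address [netmask] [port] [tag]' lines; return (rules, errors)."""
    rules, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # assumption: '#' starts a comment
            continue
        f = line.split()
        try:
            if not 2 <= len(f) <= 5:
                raise ValueError("expected 2 to 5 fields")
            addr = ipaddress.ip_address(f[1])
            # assumption: a missing netmask means a single host
            mask = int(f[2]) if len(f) > 2 else addr.max_prefixlen
            port = int(f[3]) if len(f) > 3 else 0  # 0 = any port
            if not 0 <= port <= 65535:
                raise ValueError("port out of range")
            # strict=True rejects host bits set outside the mask (10.200.0.7/24)
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=True)
            rules.append({"group": int(f[0]), "net": net, "port": port,
                          "tag": f[4] if len(f) > 4 else ""})
        except ValueError as exc:
            errors.append((n, str(exc)))
    return rules, errors

def match_group(rules, src_ip, src_port):
    """Return the group id of the first rule covering src_ip:src_port, else -1."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if ip in r["net"] and r["port"] in (0, src_port):
            return r["group"]
    return -1

# Constructed sample: the thread's example line plus three made-up ones.
SAMPLE = """\
# group address netmask port tag
100 10.200.0.0 24 5060 all_the_range
200 192.0.2.10
300 10.200.0.7 24 0 host_bits_set
400 198.51.100.0 33
"""

if __name__ == "__main__":
    rules, errors = parse_acl(SAMPLE)
    for lineno, msg in errors:
        print(f"line {lineno}: {msg}")
    print(match_group(rules, "10.200.0.55", 5060))
```

Running the check on an edited file before loading it catches lines such as a network address with host bits set or an out-of-range netmask, which would otherwise cover a different range than the one intended.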
Permissions does seem a good way to go, but really stop and ask yourself WHY you don't want to use a database, as "writing data to a file" is still a form of a database (it's not an RDBMS, but given the usage, it's a database). So, it's under this guise that I ask: What's wrong with SQLite?
Regards, Kaufman
On Oct 23, 2025, at 2:53 PM, Ben Kaufman via sr-users sr-users@lists.kamailio.org wrote:
Permissions does seem a good way to go, but really stop and ask yourself WHY you don't want to use a database, as "writing data to a file" is still a form of a database (it's not an RDBMS, but given the usage, it's a database). So, it's under this guise that I ask: What's wrong with SQLite?
+1 to this view.
--
Alex Balashov
Principal Consultant
Evariste Systems LLC
Web: https://evaristesys.com, https://www.csrpswitch.com
Tel: +1-706-510-6800
To add to this, I think you need to clearly define your requirement. Is it speed? Is it flexibility? Do you need to support CIDR kinds of lookups? Are you going to constantly be changing it?
I agree with others.. a text file is a kind of base of data :) it's just a little more of a pain to work with in some cases.
The first thing that comes to mind is the regex module. It can reload files during runtime using "kamcmd regex.reload" and provides regex groups to use for different purposes.
https://kamailio.org/docs/modules/stable/modules/regex.html
Just make sure to escape dots and anchor the first and last, like "^1\.2\.3\.4$$", so you don't get unintended matches. The double dollar is mentioned here: https://kamailio.org/docs/modules/stable/modules/regex.html#idm144
If you will have a lot of groups or very big groups, don't forget to tune the number of groups and the size of each group:
https://kamailio.org/docs/modules/stable/modules/regex.html#regex.p.max_grou... https://kamailio.org/docs/modules/stable/modules/regex.html#regex.p.group_ma...
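What the escaping and anchoring advice in the message above prevents, shown as an added example that is not part of the original post. It uses Python's `re` as a stand-in for PCRE, writes the end anchor as a single `$` (leaving aside the `$$` form the post mentions), and runs against constructed addresses; the helper names are hypothetical.

```python
import re

# Python's re stands in for PCRE here; '.', '^' and '$' behave the same way.
UNESCAPED_DOT = re.compile(r"(?<!\\)\.")   # a dot not preceded by a backslash

def to_strict(ip):
    """Turn a literal IPv4 address into an escaped, fully anchored pattern."""
    return "^" + re.escape(ip) + "$"

def lint(pattern):
    """List the reasons a pattern may match more than the one address."""
    problems = []
    if not pattern.startswith("^"):
        problems.append("missing ^ anchor")
    if not pattern.endswith("$") or pattern.endswith("\\$"):
        problems.append("missing $ anchor")
    if UNESCAPED_DOT.search(pattern):
        problems.append("unescaped dot")
    return problems

def hits(pattern, addresses):
    """Return the addresses the pattern matches anywhere (search semantics)."""
    rx = re.compile(pattern)
    return [a for a in addresses if rx.search(a)]

# Constructed source addresses, not taken from the thread.
CANDIDATES = ["1.2.3.4", "1.2.3.40", "21.2.3.4", "10.112.3.4", "1.2.3.5"]

if __name__ == "__main__":
    for pat in ("1.2.3.4", r"1\.2\.3\.4", to_strict("1.2.3.4")):
        print(f"{pat!r:18} lint={lint(pat)} hits={hits(pat, CANDIDATES)}")
```

The unescaped, unanchored pattern also matches 10.112.3.4, because each `.` accepts any character and the match may start in the middle of the string; escaping alone still lets 1.2.3.40 and 21.2.3.4 through until both anchors are added.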