is the peer_tag_avp used on allow_source_address_group?
Kelvin Chua
then the documentation has to be changed:
1.4. Address Permissions
The module can be used to determine if an address (IP address and port) matches any of the IP subnets stored in cached Kamailio database table. Port 0 in cached database table matches any port. IP address and port to be matched can be either taken from the request (allow_source_address) or given as pvar arguments (allow_address).
Addresses stored in cached database table can be grouped together into one or more groups specified by a group identifier (positive integer value, i.e., equal or greater than 1). Group identifier is given as argument to allow_address and allow_source_address functions.
As a side effect of matching the address, non-NULL tag (see tag_col module parameter) is added as value to peer_tag AVP if peer_tag_avp module parameter has been defined.
Kelvin Chua
On Sun, Jan 5, 2014 at 4:47 AM, Juha Heinanen jh@tutpro.com wrote:
Kelvin Chua writes:
is the peer_tag_avp used on allow_source_address_group?
based on fast scan of permissions module source, it appears that peer_tag_avp is set only by allow_trusted function.
-- juha
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
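The matching rules in the documentation text quoted above (port 0 as a wildcard, group identifiers, the tag reported as a side effect of a match), as an added C example that is not part of this thread or of Kamailio's code; it goes slightly further by covering subnet rows as well as single addresses. The struct, the function names and the sample rows are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of one cached address row (not the module's own struct). */
struct addr_entry {
    unsigned int grp;   /* group identifier, >= 1 */
    uint32_t net;       /* IPv4 address or network, host byte order */
    unsigned int mask;  /* prefix length, 32 = single address */
    unsigned int port;  /* 0 matches any port */
    const char *tag;    /* NULL when the row carries no tag */
};

static const struct addr_entry sample_table[] = { /* constructed rows */
    { 1, 0xC0000205u, 32, 5060, "carrier-a" }, /* 192.0.2.5:5060 */
    { 2, 0xC6336400u, 24, 0, "branch" },       /* 198.51.100.0/24, any port */
    { 3, 0xCB007107u, 32, 0, NULL },           /* 203.0.113.7, no tag */
};
#define SAMPLE_COUNT (sizeof(sample_table) / sizeof(sample_table[0]))

static int entry_matches(const struct addr_entry *e, uint32_t ip, unsigned int port)
{
    uint32_t m = (e->mask == 0) ? 0 : (0xFFFFFFFFu << (32 - e->mask));
    return (e->port == 0 || e->port == port) && ((ip & m) == (e->net & m));
}

/* Group lookup: group of the first matching row, or -1. The tag is reported
 * only when a tag AVP is configured (tag_enabled) and the row has a tag. */
int find_group(const struct addr_entry *t, size_t n, uint32_t ip,
               unsigned int port, int tag_enabled, const char **tag_out)
{
    *tag_out = NULL;
    for (size_t i = 0; i < n; i++) {
        if (!entry_matches(&t[i], ip, port))
            continue;
        if (tag_enabled && t[i].tag != NULL)
            *tag_out = t[i].tag;
        return (int)t[i].grp;
    }
    return -1;
}

/* Group check: 1 if the address matches a row of the given group, else -1. */
int match_in_group(const struct addr_entry *t, size_t n, unsigned int group,
                   uint32_t ip, unsigned int port)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].grp == group && entry_matches(&t[i], ip, port))
            return 1;
    return -1;
}

int main(void)
{
    const char *tag;
    int grp = find_group(sample_table, SAMPLE_COUNT, 0xC633644Du, 40000, 1, &tag);
    printf("group=%d tag=%s\n", grp, tag ? tag : "(none)");
}
```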
here is a patch against 4.0.5 to make this work with the address table
--- kamailio-4.0.5/modules/permissions/hash.c 2013-12-20 11:42:46.000000000 -0500 +++ kamailio-4.0.5/modules/permissions/hash.c 2014-01-06 05:48:54.000000000 -0500 @@ -486,13 +486,24 @@ { struct addr_list *np; str addr_str; + int_str avp_val;
addr_str.s = (char*)addr->u.addr; addr_str.len = 4;
+ get_tag_avp(&tag_avp, &tag_avp_type); + for (np = table[perm_hash(addr_str)]; np != NULL; np = np->next) { if (((np->port == 0) || (np->port == port)) && ip_addr_cmp(&np->addr, addr)) { + if ( np->tag.s != NULL ) { + avp_val.s.s = (char *)np->tag.s; + avp_val.s.len = strlen(avp_val.s.s); + if (add_avp(tag_avp_type|AVP_VAL_STR, tag_avp, avp_val) != 0) { + LM_ERR("failed to set of tag_avp failed\n"); + return -1; + } + } return np->grp; } }
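Review bot: avp_val.s.len = strlen(avp_val.s.s) in the match branch recomputes the tag length with strlen, which is only correct if np->tag.s is NUL-terminated, and nothing in this hunk shows that. match_addr_hash_table(), quoted later in this thread, assigns the tag as a counted string with val.s = np->tag; doing the same here (avp_val.s = np->tag;) uses the stored length and drops the (char *) cast.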
Kelvin Chua
On Mon, Jan 6, 2014 at 1:09 PM, Kelvin Chua kelchy@gmail.com wrote:
then the documentation has to be changed:
1.4. Address Permissions
The module can be used to determine if an address (IP address and port) matches any of the IP subnets stored in cached Kamailio database table. Port 0 in cached database table matches any port. IP address and port to be matched can be either taken from the request (allow_source_address) or given as pvar arguments (allow_address).
Addresses stored in cached database table can be grouped together into one or more groups specified by a group identifier (positive integer value, i.e., equal or greater than 1). Group identifier is given as argument to allow_address and allow_source_address functions.
As a side effect of matching the address, non-NULL tag (see tag_col module parameter) is added as value to peer_tag AVP if peer_tag_avp module parameter has been defined.
Kelvin Chua
On Sun, Jan 5, 2014 at 4:47 AM, Juha Heinanen jh@tutpro.com wrote:
Kelvin Chua writes:
is the peer_tag_avp used on allow_source_address_group?
based on fast scan of permissions module source, it appears that peer_tag_avp is set only by allow_trusted function.
-- juha
Hello,
can you make the patch for master branch? It has to be added there.
Cheers, Daniel
On 06/01/14 11:54, Kelvin Chua wrote:
here is a patch against 4.0.5 to make this work with the address table
--- kamailio-4.0.5/modules/permissions/hash.c2013-12-20 11:42:46.000000000 -0500 +++ kamailio-4.0.5/modules/permissions/hash.c2014-01-06 05:48:54.000000000 -0500 @@ -486,13 +486,24 @@ { struct addr_list *np; str addr_str;
int_str avp_val;
addr_str.s = (char*)addr->u.addr; addr_str.len = 4;
get_tag_avp(&tag_avp, &tag_avp_type);
for (np = table[perm_hash(addr_str)]; np != NULL; np = np->next) { if (((np->port == 0) || (np->port == port)) && ip_addr_cmp(&np->addr, addr)) { +if ( np->tag.s != NULL ) { +avp_val.s.s = (char *)np->tag.s; +avp_val.s.len = strlen(avp_val.s.s); +if (add_avp(tag_avp_type|AVP_VAL_STR, tag_avp, avp_val) != 0) { +LM_ERR("failed to set of tag_avp failed\n"); +return -1; +} +} return np->grp; } }
Kelvin Chua
Hello,
On 04/01/14 21:47, Juha Heinanen wrote:
Kelvin Chua writes:
is the peer_tag_avp used on allow_source_address_group?
based on fast scan of permissions module source, it appears that peer_tag_avp is set only by allow_trusted function.
the peer tag avp should be set also for allow_address() and allow_source_address(). I don't think it is set for allow_source_address_group().
Cheers, Daniel
checking the source code, looks like, it's not being set at all on any of those functions
Kelvin Chua
On Mon, Jan 6, 2014 at 7:37 PM, Daniel-Constantin Mierla miconda@gmail.com wrote:
Hello,
On 04/01/14 21:47, Juha Heinanen wrote:
Kelvin Chua writes:
is the peer_tag_avp used on allow_source_address_group?
based on fast scan of permissions module source, it appears that peer_tag_avp is set only by allow_trusted function.
the peer tag avp should be set also for allow_address() and allow_source_address(). I don't think it is set for allow_source_address_group().
Cheers, Daniel
-- Daniel-Constantin Mierla - http://www.asipto.com http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
sorry my bad, it is available on the other address functions, just not on the allow_source_address_group. anyway, here is the patch to master
diff --git a/modules/permissions/hash.c b/modules/permissions/hash.c index 3a16581..c80a3f2 100644 --- a/modules/permissions/hash.c +++ b/modules/permissions/hash.c @@ -486,13 +486,23 @@ int find_group_in_addr_hash_table(struct addr_list** table, { struct addr_list *np; str addr_str; + int_str avp_val;
addr_str.s = (char*)addr->u.addr; addr_str.len = 4;
+ get_tag_avp(&tag_avp, &tag_avp_type); for (np = table[perm_hash(addr_str)]; np != NULL; np = np->next) { if (((np->port == 0) || (np->port == port)) && ip_addr_cmp(&np->addr, addr)) { + if ( np->tag.s != NULL ) { + avp_val.s.s = (char *)np->tag.s; + avp_val.s.len = strlen(avp_val.s.s); + if (add_avp(tag_avp_type|AVP_VAL_STR, tag_avp, avp_val) != 0) { + LM_ERR("failed to set of tag_avp failed\n"); + return -1; + } + } return np->grp; } }
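Review bot: the block added inside the match branch calls add_avp() whenever np->tag.s != NULL, with no check that a tag AVP is configured. match_addr_hash_table(), quoted later in this thread, guards the same step with if (tag_avp.n && np->tag.s); use that condition here so a lookup with no peer_tag_avp defined does not try to add an AVP. The log text "failed to set of tag_avp failed" is also garbled; "setting of tag_avp failed" would match the wording used in the other lookup functions shown in this thread.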
Kelvin Chua
On Mon, Jan 6, 2014 at 7:59 PM, Kelvin Chua kelchy@gmail.com wrote:
checking the source code, looks like, it's not being set at all on any of those functions
Kelvin Chua
On Mon, Jan 6, 2014 at 7:37 PM, Daniel-Constantin Mierla <miconda@gmail.com> wrote:
Hello,
On 04/01/14 21:47, Juha Heinanen wrote:
Kelvin Chua writes:
is the peer_tag_avp used on allow_source_address_group?
based on fast scan of permissions module source, it appears that peer_tag_avp is set only by allow_trusted function.
the peer tag avp should be set also for allow_address() and allow_source_address(). I don't think it is set for allow_source_address_group().
Cheers, Daniel
Your patch seemed to be only for matching against individual IP addresses, I added also for subnet matching. Can you try with the patch from next commit?
- http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=0c67042f...
Cheers, Daniel
On 06/01/14 13:09, Kelvin Chua wrote:
sorry my bad, it is available on the other address functions, just not on the allow_source_address_group. anyway, here is the patch to master
diff --git a/modules/permissions/hash.c b/modules/permissions/hash.c index 3a16581..c80a3f2 100644 --- a/modules/permissions/hash.c +++ b/modules/permissions/hash.c @@ -486,13 +486,23 @@ int find_group_in_addr_hash_table(struct addr_list** table, { struct addr_list *np; str addr_str;
int_str avp_val; addr_str.s = (char*)addr->u.addr; addr_str.len = 4;
get_tag_avp(&tag_avp, &tag_avp_type); for (np = table[perm_hash(addr_str)]; np != NULL; np = np->next) { if (((np->port == 0) || (np->port == port)) && ip_addr_cmp(&np->addr, addr)) {
if ( np->tag.s != NULL ) {
avp_val.s.s = (char *)np->tag.s;
avp_val.s.len = strlen(avp_val.s.s);
if (add_avp(tag_avp_type|AVP_VAL_STR,
tag_avp, avp_val) != 0) {
LM_ERR("failed to set of
tag_avp failed\n");
return -1;
}
} return np->grp; } }
Kelvin Chua
np is undefined in find_group_in_subnet_table() it should be:
@@ -717,7 +728,16 @@ int find_group_in_subnet_table(struct subnet* table, while (i < count) { if ( ((table[i].port == port) || (table[i].port == 0)) && (ip_addr_match_net(addr, &table[i].subnet, table[i].mask)==0)) + { + if (tag_avp.n && table[i].tag.s) { + val.s = table[i].tag; + if (add_avp(tag_avp_type|AVP_VAL_STR, tag_avp, val) != 0) { + LM_ERR("setting of tag_avp failed\n"); + return -1; + } + } return table[i].grp; + } i++; }
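Review bot: val is assigned in val.s = table[i].tag; but no declaration of val appears in this hunk, so find_group_in_subnet_table() needs avp_value_t val; among its locals (as match_addr_hash_table(), quoted later in this thread, has) or it will not compile. Separately, return -1 on add_avp() failure sits inside the match branch, so the caller gets an error for an address that did match; say so in the function's comment so callers do not read it as "no group found".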
Kelvin Chua
On Tue, Jan 7, 2014 at 5:33 AM, Daniel-Constantin Mierla miconda@gmail.com wrote:
Your patch seemed to be only for matching against individual IP addresses, I added also for subnet matching. Can you try with the patch from next commit?
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=0c67042f...
Cheers, Daniel
On 06/01/14 13:09, Kelvin Chua wrote:
sorry my bad, it is available on the other address functions, just not on the allow_source_address_group. anyway, here is the patch to master
diff --git a/modules/permissions/hash.c b/modules/permissions/hash.c index 3a16581..c80a3f2 100644 --- a/modules/permissions/hash.c +++ b/modules/permissions/hash.c @@ -486,13 +486,23 @@ int find_group_in_addr_hash_table(struct addr_list** table, { struct addr_list *np; str addr_str;
int_str avp_val; addr_str.s = (char*)addr->u.addr; addr_str.len = 4;
get_tag_avp(&tag_avp, &tag_avp_type); for (np = table[perm_hash(addr_str)]; np != NULL; np = np->next) { if (((np->port == 0) || (np->port == port)) && ip_addr_cmp(&np->addr, addr)) {
if ( np->tag.s != NULL ) {
avp_val.s.s = (char *)np->tag.s;
avp_val.s.len = strlen(avp_val.s.s);
if (add_avp(tag_avp_type|AVP_VAL_STR,
tag_avp, avp_val) != 0) {
LM_ERR("failed to set of tag_avp
failed\n");
return -1;
}
} return np->grp; } }
Kelvin Chua
On Mon, Jan 6, 2014 at 7:59 PM, Kelvin Chua kelchy@gmail.com wrote:
checking the source code, looks like, it's not being set at all on any of those functions
Kelvin Chua
On Mon, Jan 6, 2014 at 7:37 PM, Daniel-Constantin Mierla <miconda@gmail.com> wrote:
Hello,
On 04/01/14 21:47, Juha Heinanen wrote:
Kelvin Chua writes:
is the peer_tag_avp used on allow_source_address_group?
based on fast scan of permissions module source, it appears that peer_tag_avp is set only by allow_trusted function.
the peer tag avp should be set also for allow_address() and allow_source_address(). I don't think it is set for allow_source_address_group().
Cheers, Daniel
Thanks for spotting it. Should be fixed in master branch now.
Daniel
On 07/01/14 05:00, Kelvin Chua wrote:
np is undefined in find_group_in_subnet_table() it should be:
@@ -717,7 +728,16 @@ int find_group_in_subnet_table(struct subnet* table, while (i < count) { if ( ((table[i].port == port) || (table[i].port == 0)) && (ip_addr_match_net(addr, &table[i].subnet, table[i].mask)==0))
{
if (tag_avp.n && table[i].tag.s) {
val.s = table[i].tag;
if (add_avp(tag_avp_type|AVP_VAL_STR,
tag_avp, val) != 0) {
LM_ERR("setting of tag_avp
failed\n");
return -1;
}
} return table[i].grp;
} i++; }
Kelvin Chua
On Tue, Jan 7, 2014 at 5:33 AM, Daniel-Constantin Mierla <miconda@gmail.com> wrote:
Your patch seemed to be only for matching against individual IP addresses, I added also for subnet matching. Can you try with the patch from next commit?
- http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=0c67042fa629ee4744cfc31a15e571b7340b0881
Cheers, Daniel
for example, allow_source_address() executes next function:
int match_addr_hash_table(struct addr_list** table, unsigned int group,
                          ip_addr_t *addr, unsigned int port)
{
    struct addr_list *np;
    str addr_str;
    avp_value_t val;

    addr_str.s = (char*)addr->u.addr;
    addr_str.len = 4;

    for (np = table[perm_hash(addr_str)]; np != NULL; np = np->next) {
        if ( (np->grp == group) &&
             ((np->port == 0) || (np->port == port)) &&
             ip_addr_cmp(&np->addr, addr)) {

            if (tag_avp.n && np->tag.s) {
                val.s = np->tag;
                if (add_avp(tag_avp_type|AVP_VAL_STR, tag_avp, val) != 0) {
                    LM_ERR("setting of tag_avp failed\n");
                    return -1;
                }
            }

            return 1;
        }
    }

    return -1;
}
... and I see an avp being added over the tag_avp. Is it another one?
Daniel
On 06/01/14 12:59, Kelvin Chua wrote:
checking the source code, looks like, it's not being set at all on any of those functions
Kelvin Chua