Various sorts of access control. More...

#include "asterisk.h"
#include "asterisk/network.h"
#include <ifaddrs.h>
#include "asterisk/acl.h"
#include "asterisk/channel.h"
#include "asterisk/utils.h"
#include "asterisk/lock.h"
#include "asterisk/srv.h"
#include "asterisk/cli.h"

Include dependency graph for acl.c:

Go to the source code of this file.

Data Structures
struct	dscp_codepoint

Functions
static int	acl_new (struct ast_acl *pointer, const char name)

static struct ast_ha *	append_ha_core (const char sense, const char stuff, struct ast_ha path, int error, int port_flags)

int	ast_acl_list_is_empty (struct ast_acl_list *acl_list)
	Determines if an ACL is empty or if it contains entries. More...

void	ast_acl_output (int fd, struct ast_acl_list acl_list, const char prefix)
	output an ACL to the provided fd More...

void	ast_append_acl (const char sense, const char stuff, struct ast_acl_list *path, int error, int *named_acl_flag)
	Add a rule to an ACL struct. More...

struct ast_ha *	ast_append_ha (const char sense, const char stuff, struct ast_ha path, int error)
	Add a new rule to a list of HAs. More...

struct ast_ha *	ast_append_ha_with_port (const char sense, const char stuff, struct ast_ha path, int error)
	Add a new rule with optional port to a list of HAs. More...

enum ast_acl_sense	ast_apply_acl (struct ast_acl_list acl_list, const struct ast_sockaddr addr, const char *purpose)
	Apply a set of rules to a given IP address. More...

static enum ast_acl_sense	ast_apply_acl_internal (struct ast_acl_list acl_list, const struct ast_sockaddr addr, const char *log_prefix)

enum ast_acl_sense	ast_apply_acl_nolog (struct ast_acl_list acl_list, const struct ast_sockaddr addr)
	Apply a set of rules to a given IP address, don't log failure. More...

enum ast_acl_sense	ast_apply_ha (const struct ast_ha ha, const struct ast_sockaddr addr)
	Apply a set of rules to a given IP address. More...

void	ast_copy_ha (const struct ast_ha from, struct ast_ha to)
	Copy the contents of one HA to another. More...

struct ast_acl_list *	ast_duplicate_acl_list (struct ast_acl_list *original)
	Duplicates the contests of a list of lists of host access rules. More...

static struct ast_ha *	ast_duplicate_ha (struct ast_ha *original)

struct ast_ha *	ast_duplicate_ha_list (struct ast_ha *original)
	Duplicate the contents of a list of host access rules. More...

int	ast_find_ourip (struct ast_sockaddr ourip, const struct ast_sockaddr bindaddr, int family)
	Find our IP address. More...

struct ast_acl_list *	ast_free_acl_list (struct ast_acl_list *acl_list)
	Free a list of ACLs. More...

void	ast_free_ha (struct ast_ha *ha)
	Free a list of HAs. More...

int	ast_get_ip (struct ast_sockaddr addr, const char hostname)
	Get the IP address given a hostname. More...

int	ast_get_ip_or_srv (struct ast_sockaddr addr, const char hostname, const char *service)
	Get the IP address given a hostname and optional service. More...

void	ast_ha_join (const struct ast_ha ha, struct ast_str *buf)
	Convert HAs to a comma separated string value. More...

void	ast_ha_join_cidr (const struct ast_ha ha, struct ast_str *buf)
	Convert HAs to a comma separated string value using CIDR notation. More...

void	ast_ha_output (int fd, const struct ast_ha ha, const char prefix)
	output an HA to the provided fd More...

int	ast_ouraddrfor (const struct ast_sockaddr them, struct ast_sockaddr us)
	Get our local IP address when contacting a remote host. More...

int	ast_str2cos (const char value, unsigned int cos)
	Convert a string to the appropriate COS value. More...

int	ast_str2tos (const char value, unsigned int tos)
	Convert a string to the appropriate TOS value. More...

const char *	ast_tos2str (unsigned int tos)
	Convert a TOS value into its string representation. More...

static void	debug_ha_sense_appended (struct ast_ha *ha)

static int	get_local_address (struct ast_sockaddr *ourip)

static int	parse_cidr_mask (struct ast_sockaddr addr, int is_v4, const char mask_str)
	Parse a netmask in CIDR notation. More...

static int	resolve_first (struct ast_sockaddr addr, const char name, int flag, int family)

static void	score_address (const struct sockaddr_in sin, struct in_addr best_addr, int *best_score)

Variables
static const struct dscp_codepoint	dscp_pool1 []

Detailed Description

Various sorts of access control.

Author: Mark Spencer marks.nosp@m.ter@.nosp@m.digiu.nosp@m.m.co.nosp@m.m

Definition in file acl.c.

Function Documentation

◆ acl_new()

static int acl_new	(	struct ast_acl **	pointer,
		const char *	name
	)

static

Definition at line 305 of file acl.c.

References ast_acl::acl, ACL_NAME_LENGTH, ast_calloc, ast_copy_string(), and ast_acl::name.

Referenced by ast_append_acl(), and ast_duplicate_acl_list().

  {
  struct ast_acl *acl;
  if (!(acl = ast_calloc(1, sizeof(*acl)))) {
  return 1;
  }
 
  *pointer = acl;
  ast_copy_string(acl->name, name, ACL_NAME_LENGTH);
  return 0;
 }

◆ append_ha_core()

static struct ast_ha* append_ha_core	(	const char *	sense,
		const char *	stuff,
		struct ast_ha *	path,
		int *	error,
		int	port_flags
	)

static

Definition at line 576 of file acl.c.

References ast_ha::addr, ast_calloc, ast_free_ha(), ast_log, AST_SENSE_ALLOW, AST_SENSE_DENY, ast_sockaddr_apply_netmask(), ast_sockaddr_ipv4_mapped(), ast_sockaddr_is_ipv4(), ast_sockaddr_parse(), ast_sockaddr_port, ast_sockaddr_set_port, ast_sockaddr_stringify(), ast_strdupa, DEBUG_ATLEAST, debug_ha_sense_appended(), LOG_NOTICE, LOG_WARNING, ast_ha::netmask, ast_ha::next, NULL, parse_cidr_mask(), PARSE_PORT_FORBID, PARSE_PORT_MASK, ast_ha::sense, strsep(), and tmp().

Referenced by ast_append_ha(), and ast_append_ha_with_port().

 {
  struct ast_ha *ha;
  struct ast_ha *prev = NULL;
  struct ast_ha *ret;
  char *tmp, *list = ast_strdupa(stuff ?: "");
  char *address = NULL, *mask = NULL;
  int addr_is_v4;
  int allowing = strncasecmp(sense, "p", 1) ? AST_SENSE_DENY : AST_SENSE_ALLOW;
 
  ret = path;
  while (path) {
  prev = path;
  path = path->next;
  }
 
  while ((tmp = strsep(&list, ","))) {
  uint16_t save_port;
 
  if (!(ha = ast_calloc(1, sizeof(*ha)))) {
  if (error) {
  *error = 1;
  }
  return ret;
  }
 
  address = strsep(&tmp, "/");
  if (!address) {
  address = tmp;
  } else {
  mask = tmp;
  }
 
  if (*address == '!') {
  ha->sense = (allowing == AST_SENSE_DENY) ? AST_SENSE_ALLOW : AST_SENSE_DENY;
  address++;
  } else {
  ha->sense = allowing;
  }
 
  if (!ast_sockaddr_parse(&ha->addr, address, port_flags)) {
  ast_log(LOG_WARNING, "Invalid IP address: %s\n", address);
  ast_free_ha(ha);
  if (error) {
  *error = 1;
  }
  return ret;
  }
 
  /* Be pedantic and zero out the port if we don't want it */
  if ((port_flags & PARSE_PORT_MASK) == PARSE_PORT_FORBID) {
  ast_sockaddr_set_port(&ha->addr, 0);
  }
 
  /* If someone specifies an IPv4-mapped IPv6 address,
  * we just convert this to an IPv4 ACL
  */
  if (ast_sockaddr_ipv4_mapped(&ha->addr, &ha->addr)) {
  ast_log(LOG_NOTICE, "IPv4-mapped ACL network address specified. "
  "Converting to an IPv4 ACL network address.\n");
  }
 
  addr_is_v4 = ast_sockaddr_is_ipv4(&ha->addr);
 
  if (!mask) {
  parse_cidr_mask(&ha->netmask, addr_is_v4, addr_is_v4 ? "32" : "128");
  } else if (strchr(mask, ':') || strchr(mask, '.')) {
  int mask_is_v4;
  /* Mask is of x.x.x.x or x:x:x:x:x:x:x:x variety */
  if (!ast_sockaddr_parse(&ha->netmask, mask, PARSE_PORT_FORBID)) {
  ast_log(LOG_WARNING, "Invalid netmask: %s\n", mask);
  ast_free_ha(ha);
  if (error) {
  *error = 1;
  }
  return ret;
  }
  /* If someone specifies an IPv4-mapped IPv6 netmask,
  * we just convert this to an IPv4 ACL
  */
  if (ast_sockaddr_ipv4_mapped(&ha->netmask, &ha->netmask)) {
  ast_log(LOG_NOTICE, "IPv4-mapped ACL netmask specified. "
  "Converting to an IPv4 ACL netmask.\n");
  }
  mask_is_v4 = ast_sockaddr_is_ipv4(&ha->netmask);
  if (addr_is_v4 ^ mask_is_v4) {
  ast_log(LOG_WARNING, "Address and mask are not using same address scheme.\n");
  ast_free_ha(ha);
  if (error) {
  *error = 1;
  }
  return ret;
  }
  } else if (parse_cidr_mask(&ha->netmask, addr_is_v4, mask)) {
  ast_log(LOG_WARNING, "Invalid CIDR netmask: %s\n", mask);
  ast_free_ha(ha);
  if (error) {
  *error = 1;
  }
  return ret;
  }
 
  /* ast_sockaddr_apply_netmask() does not preserve the port, so we need to save and
  * restore it */
  save_port = ast_sockaddr_port(&ha->addr);
 
  if (ast_sockaddr_apply_netmask(&ha->addr, &ha->netmask, &ha->addr)) {
  /* This shouldn't happen because ast_sockaddr_parse would
  * have failed much earlier on an unsupported address scheme
  */
  char *failmask = ast_strdupa(ast_sockaddr_stringify(&ha->netmask));
  char *failaddr = ast_strdupa(ast_sockaddr_stringify(&ha->addr));
  ast_log(LOG_WARNING, "Unable to apply netmask %s to address %s\n", failmask, failaddr);
  ast_free_ha(ha);
  if (error) {
  *error = 1;
  }
  return ret;
  }
 
  ast_sockaddr_set_port(&ha->addr, save_port);
 
  if (prev) {
  prev->next = ha;
  } else {
  ret = ha;
  }
  prev = ha;
 
  if (DEBUG_ATLEAST(3)) {
  debug_ha_sense_appended(ha);
  }
  }
 
  return ret;
 }

◆ ast_acl_list_is_empty()

int ast_acl_list_is_empty ( struct ast_acl_list * acl_list )

Determines if an ACL is empty or if it contains entries.

Parameters

acl_list The ACL list being checked

Return values

0	- the list is not empty
1	- the list is empty

Definition at line 541 of file acl.c.

References AST_LIST_FIRST, AST_LIST_LOCK, and AST_LIST_UNLOCK.

Referenced by _sip_show_peer(), _sip_show_peers_one(), acl_to_str(), apply_acl(), apply_contact_acl(), apply_endpoint_acl(), apply_endpoint_contact_acl(), contact_acl_to_str(), handle_cli_iax2_show_peer(), handle_cli_iax2_show_users(), handle_showmanager(), sip_show_user(), and sip_show_users().

 {
  struct ast_acl *head;
 
  if (!acl_list) {
  return 1;
  }
 
  AST_LIST_LOCK(acl_list);
  head = AST_LIST_FIRST(acl_list);
  AST_LIST_UNLOCK(acl_list);
 
  if (head) {
  return 0;
  }
 
  return 1;
 }

◆ ast_acl_output()

void ast_acl_output	(	int	fd,
		struct ast_acl_list *	acl,
		const char *	prefix
	)

output an ACL to the provided fd

This function can be used centrally to output HAs as used in ACLs from other modules. It follows the format as originally used for named ACLs in named_acl.c.

Parameters

fd	The file-descriptor to which to output the ACL.
acl	The ACL to output.
prefix	If you need a specific prefix output on each line, give it here, may be NULL.

Since: 13.33.0, 16.10.0, 17.4.0

Definition at line 1099 of file acl.c.

References ast_acl::acl, ast_cli(), ast_ha_output(), AST_LIST_LOCK, AST_LIST_TRAVERSE, AST_LIST_UNLOCK, ast_strlen_zero, ast_acl::is_realtime, ast_acl::list, and ast_acl::name.

Referenced by handle_showmanager().

 {
  struct ast_acl *acl;
 
  AST_LIST_LOCK(acl_list);
  AST_LIST_TRAVERSE(acl_list, acl, list) {
  ast_cli(fd, "%sACL: %s%s\n---------------------------------------------\n",
  prefix ?: "", ast_strlen_zero(acl->name) ? "(unnamed)" : acl->name,
  acl->is_realtime ? " (realtime)" : "");
 
  ast_ha_output(fd, acl->acl, prefix);
  }
  AST_LIST_UNLOCK(acl_list);
 
 }

◆ ast_append_acl()

void ast_append_acl	(	const char *	sense,
		const char *	stuff,
		struct ast_acl_list **	path,
		int *	error,
		int *	named_acl_flag
	)

Add a rule to an ACL struct.

This adds a named ACL or an ACL rule to an ast_acl container. It works in a similar way to ast_append_ha.

Parameters

	sense	Can be any among "permit", "deny", or "acl" this controls whether the rule being added will simply modify the unnamed ACL at the head of the list or if a new named ACL will be added to that ast_acl.
	stuff	If sense is 'permit'/'deny', this is the ip address and subnet mask separated with a '/' like in ast_append ha. If it sense is 'acl', then this will be the name of the ACL being appended to the container.
	path	Address of the ACL list being appended
[out]	error	The int that error points to will be set to 1 if an error occurs.
[out]	named_acl_flag	This will raise a flag under certain conditions to indicate that a named ACL has been added by this operation. This may be used to indicate that an event subscription should be made against the named ACL subsystem. Note: This flag may be raised by this function, but it will never be lowered by it.

Definition at line 430 of file acl.c.

References ast_acl::acl, acl_new(), ast_append_ha(), ast_calloc, AST_LIST_FIRST, AST_LIST_HEAD_INIT, AST_LIST_INSERT_HEAD, AST_LIST_INSERT_TAIL, AST_LIST_LOCK, AST_LIST_TRAVERSE, AST_LIST_UNLOCK, ast_log, ast_named_acl_find(), ast_skip_blanks(), ast_strdupa, ast_strlen_zero, ast_acl::is_invalid, ast_acl::is_realtime, LOG_ERROR, ast_acl::name, NULL, strsep(), and tmp().

Referenced by __init_manager(), acl_handler(), build_peer(), build_user(), endpoint_acl_handler(), reload_config(), and rtp_reload().

 {
  struct ast_acl *acl = NULL;
  struct ast_acl *current;
  struct ast_acl_list *working_list;
 
  char *tmp, *list;
 
  /* If the ACL list is currently uninitialized, it must be initialized. */
  if (*path == NULL) {
  struct ast_acl_list *list;
  list = ast_calloc(1, sizeof(*list));
  if (!list) {
  /* Allocation Error */
  if (error) {
  *error = 1;
  }
  return;
  }
 
  AST_LIST_HEAD_INIT(list);
  *path = list;
  }
 
  working_list = *path;
 
  AST_LIST_LOCK(working_list);
 
  /* First we need to determine if we will need to add a new ACL node or if we can use an existing one. */
  if (strncasecmp(sense, "a", 1)) {
  /* The first element in the path should be the unnamed, base ACL. If that's the case, we use it. If not,
  * we have to make one and link it up appropriately. */
  current = AST_LIST_FIRST(working_list);
 
  if (!current || !ast_strlen_zero(current->name)) {
  if (acl_new(&acl, "")) {
  if (error) {
  *error = 1;
  }
  AST_LIST_UNLOCK(working_list);
  return;
  }
  // Need to INSERT the ACL at the head here.
  AST_LIST_INSERT_HEAD(working_list, acl, list);
  } else {
  /* If the first element was already the unnamed base ACL, we just use that one. */
  acl = current;
  }
 
  /* With the proper ACL set for modification, we can just pass this off to the ast_ha append function. */
  acl->acl = ast_append_ha(sense, stuff, acl->acl, error);
 
  AST_LIST_UNLOCK(working_list);
  return;
  }
 
  /* We are in ACL append mode, so we know we'll be adding one or more named ACLs. */
  list = ast_strdupa(stuff);
 
  while ((tmp = strsep(&list, ","))) {
  struct ast_ha *named_ha;
  int already_included = 0;
 
  /* Remove leading whitespace from the string in case the user put spaces between items */
  tmp = ast_skip_blanks(tmp);
 
  /* The first step is to check for a duplicate */
  AST_LIST_TRAVERSE(working_list, current, list) {
  if (!strcasecmp(current->name, tmp)) { /* ACL= */
  /* Inclusion of the same ACL multiple times isn't a catastrophic error, but it will raise the error flag and skip the entry. */
  ast_log(LOG_ERROR, "Named ACL '%s' occurs multiple times in ACL definition. "
  "Please update your ACL configuration.\n", tmp);
  if (error) {
  *error = 1;
  }
  already_included = 1;
  break;
  }
  }
 
  if (already_included) {
  continue;
  }
 
  if (acl_new(&acl, tmp)) {
  /* This is a catastrophic allocation error and we'll return immediately if this happens. */
  if (error) {
  *error = 1;
  }
  AST_LIST_UNLOCK(working_list);
  return;
  }
 
  /* Attempt to grab the Named ACL we are looking for. */
  named_ha = ast_named_acl_find(tmp, &acl->is_realtime, &acl->is_invalid);
 
  /* Set the ACL's ast_ha to the duplicated named ACL retrieved above. */
  acl->acl = named_ha;
 
  /* Raise the named_acl_flag since we are adding a named ACL to the ACL container. */
  if (named_acl_flag) {
  *named_acl_flag = 1;
  }
 
  /* Now insert the new ACL at the end of the list. */
  AST_LIST_INSERT_TAIL(working_list, acl, list);
  }
 
  AST_LIST_UNLOCK(working_list);
 }

◆ ast_append_ha()

struct ast_ha* ast_append_ha	(	const char *	sense,
		const char *	stuff,
		struct ast_ha *	path,
		int *	error
	)

Add a new rule to a list of HAs.

This adds the new host access rule to the end of the list whose head is specified by the path parameter. Rules are evaluated in a way such that if multiple rules apply to a single IP address/subnet mask, then the rule latest in the list will be used.

Parameters

	sense	Either "permit" or "deny" (Actually any 'p' word will result in permission, and any other word will result in denial)
	stuff	The IP address and subnet mask, separated with a '/'. The subnet mask can either be in dotted-decimal format or in CIDR notation (i.e. 0-32).
	path	The head of the HA list to which we wish to append our new rule. If NULL is passed, then the new rule will become the head of the list
[out]	error	The integer error points to will be set non-zero if an error occurs

Returns: The head of the HA list

Definition at line 713 of file acl.c.

References append_ha_core(), and PARSE_PORT_FORBID.

Referenced by acl_handler_fn(), add_calltoken_ignore(), ast_append_acl(), AST_TEST_DEFINE(), build_callno_limits(), build_device(), build_gateway(), build_ha(), config_parse_variables(), named_acl_find_realtime(), reload_config(), and transport_localnet_handler().

 {
  return append_ha_core(sense, stuff, path, error, PARSE_PORT_FORBID);
 }

◆ ast_append_ha_with_port()

struct ast_ha* ast_append_ha_with_port	(	const char *	sense,
		const char *	stuff,
		struct ast_ha *	path,
		int *	error
	)

Add a new rule with optional port to a list of HAs.

Since: 13.31.0, 16.8.0, 17.2.0

This adds the new host access rule to the end of the list whose head is specified by the path parameter. Rules are evaluated in a way such that if multiple rules apply to a single IP address/subnet mask, then the rule latest in the list will be used.

Parameters

	sense	Either "permit" or "deny" (Actually any 'p' word will result in permission, and any other word will result in denial)
	stuff	The IP address and subnet mask, separated with a '/'. The subnet mask can either be in dotted-decimal format or in CIDR notation (i.e. 0-32). A port can be provided by placing it after the IP address, separated with a ':'.
	path	The head of the HA list to which we wish to append our new rule. If NULL is passed, then the new rule will become the head of the list
[out]	error	The integer error points to will be set non-zero if an error occurs

Returns: The head of the HA list

Definition at line 718 of file acl.c.

References append_ha_core().

Referenced by ip_identify_match_handler(), ip_identify_match_host_lookup(), and pjsip_enable_logger_host().

 {
  return append_ha_core(sense, stuff, path, error, 0);
 }

◆ ast_apply_acl()

enum ast_acl_sense ast_apply_acl	(	struct ast_acl_list *	acl_list,
		const struct ast_sockaddr *	addr,
		const char *	purpose
	)

Apply a set of rules to a given IP address.

Similar to the above, only uses an acl container, which is a whole slew of ast_ha lists. It runs ast_apply_ha on each of the ast_ha structs contained in the acl container. It will deny if any of the ast_ha lists fail, and it will pass only if all of the rules pass.

Parameters

acl_list	The head of the list of ACLs to evaluate
addr	An ast_sockaddr whose address is considered when matching rules
purpose	Context for which the ACL is being applied - Establishes purpose of a notice when rejected

Return values

AST_SENSE_ALLOW	The IP address passes our ACLs
AST_SENSE_DENY	The IP address fails our ACLs

Definition at line 800 of file acl.c.

References ast_apply_acl_internal().

Referenced by apply_acl(), apply_contact_acl(), apply_endpoint_acl(), apply_endpoint_contact_acl(), auth_http_callback(), authenticate(), check_access(), check_peer_ok(), parse_register_contact(), register_verify(), and sip_allow_anyrtp_remote().

  {
  return ast_apply_acl_internal(acl_list, addr, purpose ?: "");
 }

◆ ast_apply_acl_internal()

static enum ast_acl_sense ast_apply_acl_internal	(	struct ast_acl_list *	acl_list,
		const struct ast_sockaddr *	addr,
		const char *	log_prefix
	)

static

Definition at line 758 of file acl.c.

References ast_acl::acl, ast_apply_ha(), AST_LIST_LOCK, AST_LIST_TRAVERSE, AST_LIST_UNLOCK, ast_log, AST_SENSE_ALLOW, AST_SENSE_DENY, ast_sockaddr_stringify_addr(), ast_strlen_zero, ast_acl::is_invalid, ast_acl::list, LOG_NOTICE, LOG_WARNING, and ast_acl::name.

Referenced by ast_apply_acl(), and ast_apply_acl_nolog().

 {
  struct ast_acl *acl;
 
  /* If the list is NULL, there are no rules, so we'll allow automatically. */
  if (!acl_list) {
  return AST_SENSE_ALLOW;
  }
 
  AST_LIST_LOCK(acl_list);
 
  AST_LIST_TRAVERSE(acl_list, acl, list) {
  if (acl->is_invalid) {
  /* In this case, the baseline ACL shouldn't ever trigger this, but if that somehow happens, it'll still be shown. */
  if (log_prefix) {
  ast_log(LOG_WARNING, "%sRejecting '%s' due to use of an invalid ACL '%s'.\n",
  log_prefix, ast_sockaddr_stringify_addr(addr),
  ast_strlen_zero(acl->name) ? "(BASELINE)" : acl->name);
  }
  AST_LIST_UNLOCK(acl_list);
  return AST_SENSE_DENY;
  }
 
  if (acl->acl) {
  if (ast_apply_ha(acl->acl, addr) == AST_SENSE_DENY) {
  if (log_prefix) {
  ast_log(LOG_NOTICE, "%sRejecting '%s' due to a failure to pass ACL '%s'\n",
  log_prefix, ast_sockaddr_stringify_addr(addr),
  ast_strlen_zero(acl->name) ? "(BASELINE)" : acl->name);
  }
  AST_LIST_UNLOCK(acl_list);
  return AST_SENSE_DENY;
  }
  }
  }
 
  AST_LIST_UNLOCK(acl_list);
 
  return AST_SENSE_ALLOW;
 }

◆ ast_apply_acl_nolog()

enum ast_acl_sense ast_apply_acl_nolog	(	struct ast_acl_list *	acl_list,
		const struct ast_sockaddr *	addr
	)

Apply a set of rules to a given IP address, don't log failure.

Exactly like ast_apply_acl, except that it will never log anything.

Parameters

acl_list	The head of the list of ACLs to evaluate
addr	An ast_sockaddr whose address is considered when matching rules

Return values

AST_SENSE_ALLOW	The IP address passes our ACLs
AST_SENSE_DENY	The IP address fails our ACLs

Definition at line 804 of file acl.c.

References ast_apply_acl_internal(), and NULL.

Referenced by rtp_address_is_ice_blacklisted(), and stun_address_is_blacklisted().

  {
  return ast_apply_acl_internal(acl_list, addr, NULL);
 }

◆ ast_apply_ha()

enum ast_acl_sense ast_apply_ha	(	const struct ast_ha *	ha,
		const struct ast_sockaddr *	addr
	)

Apply a set of rules to a given IP address.

The list of host access rules is traversed, beginning with the input rule. If the IP address given matches a rule, the "sense" of that rule is used as the return value. Note that if an IP address matches multiple rules that the last one matched will be the one whose sense will be returned.

Parameters

ha	The head of the list of host access rules to follow
addr	An ast_sockaddr whose address is considered when matching rules

Return values

AST_SENSE_ALLOW	The IP address passes our ACL
AST_SENSE_DENY	The IP address fails our ACL

Definition at line 808 of file acl.c.

References ast_ha::addr, ast_copy_string(), ast_debug, ast_log, AST_SENSE_ALLOW, ast_sockaddr_apply_netmask(), ast_sockaddr_cmp_addr(), ast_sockaddr_ipv4_mapped(), ast_sockaddr_is_ipv4(), ast_sockaddr_is_ipv4_mapped(), ast_sockaddr_is_ipv6(), ast_sockaddr_port, ast_sockaddr_set_port, ast_sockaddr_stringify(), LOG_ERROR, ast_ha::netmask, ast_ha::next, and ast_ha::sense.

Referenced by ast_apply_acl_internal(), ast_sip_ouraddrfor(), AST_TEST_DEFINE(), ip_identify_match_check(), ip_identify_match_host_lookup(), pjsip_log_test_addr(), and skinny_register().

 {
  /* Start optimistic */
  enum ast_acl_sense res = AST_SENSE_ALLOW;
  const struct ast_ha *current_ha;
 
  for (current_ha = ha; current_ha; current_ha = current_ha->next) {
  struct ast_sockaddr result;
  struct ast_sockaddr mapped_addr;
  const struct ast_sockaddr *addr_to_use;
  uint16_t save_port;
 #if 0 /* debugging code */
  char iabuf[INET_ADDRSTRLEN];
  char iabuf2[INET_ADDRSTRLEN];
  /* DEBUG */
  ast_copy_string(iabuf, ast_sockaddr_stringify(addr), sizeof(iabuf));
  ast_copy_string(iabuf2, ast_sockaddr_stringify(&current_ha->addr), sizeof(iabuf2));
  ast_debug(1, "##### Testing %s with %s\n", iabuf, iabuf2);
 #endif
  if (ast_sockaddr_is_ipv4(&current_ha->addr)) {
  if (ast_sockaddr_is_ipv6(addr)) {
  if (ast_sockaddr_is_ipv4_mapped(addr)) {
  /* IPv4 ACLs apply to IPv4-mapped addresses */
  if (!ast_sockaddr_ipv4_mapped(addr, &mapped_addr)) {
  ast_log(LOG_ERROR, "%s provided to ast_sockaddr_ipv4_mapped could not be converted. That shouldn't be possible.\n",
  ast_sockaddr_stringify(addr));
  continue;
  }
  addr_to_use = &mapped_addr;
  } else {
  /* An IPv4 ACL does not apply to an IPv6 address */
  continue;
  }
  } else {
  /* Address is IPv4 and ACL is IPv4. No biggie */
  addr_to_use = addr;
  }
  } else {
  if (ast_sockaddr_is_ipv6(addr) && !ast_sockaddr_is_ipv4_mapped(addr)) {
  addr_to_use = addr;
  } else {
  /* Address is IPv4 or IPv4 mapped but ACL is IPv6. Skip */
  continue;
  }
  }
 
  /* ast_sockaddr_apply_netmask() does not preserve the port, so we need to save and
  * restore it */
  save_port = ast_sockaddr_port(addr_to_use);
 
  /* For each rule, if this address and the netmask = the net address
  apply the current rule */
  if (ast_sockaddr_apply_netmask(addr_to_use, &current_ha->netmask, &result)) {
  /* Unlikely to happen since we know the address to be IPv4 or IPv6 */
  continue;
  }
 
  ast_sockaddr_set_port(&result, save_port);
 
  if (!ast_sockaddr_cmp_addr(&result, &current_ha->addr)
  && (!ast_sockaddr_port(&current_ha->addr)
  || ast_sockaddr_port(&current_ha->addr) == ast_sockaddr_port(&result))) {
  res = current_ha->sense;
  }
  }
  return res;
 }

◆ ast_copy_ha()

void ast_copy_ha	(	const struct ast_ha *	from,
		struct ast_ha *	to
	)

Copy the contents of one HA to another.

This copies the internals of the 'from' HA to the 'to' HA. It is important that the 'to' HA has been allocated prior to calling this function

Parameters

from	Source HA to copy
to	Destination HA to copy to

Return values

void

Definition at line 255 of file acl.c.

References ast_ha::addr, ast_sockaddr_copy(), ast_ha::netmask, and ast_ha::sense.

Referenced by add_calltoken_ignore(), ast_duplicate_ha(), and build_callno_limits().

 {
  ast_sockaddr_copy(&to->addr, &from->addr);
  ast_sockaddr_copy(&to->netmask, &from->netmask);
  to->sense = from->sense;
 }

◆ ast_duplicate_acl_list()

struct ast_acl_list* ast_duplicate_acl_list ( struct ast_acl_list * original )

Duplicates the contests of a list of lists of host access rules.

A deep copy of an ast_acl list is made (which in turn means a deep copy of each of the ast_ha structs contained within). The returned value is allocated on the heap and must be freed independently of the input paramater when finished.

Parameters

original The ast_acl_list to copy

Return values

The	new duplicated ast_acl_list

Definition at line 316 of file acl.c.

References ast_acl::acl, acl_new(), ast_calloc, ast_duplicate_ha_list(), ast_free_acl_list(), AST_LIST_HEAD_INIT, AST_LIST_INSERT_TAIL, AST_LIST_LOCK, AST_LIST_TRAVERSE, AST_LIST_UNLOCK, ast_log, ast_acl::is_invalid, ast_acl::is_realtime, ast_acl::list, LOG_ERROR, ast_acl::name, and NULL.

Referenced by create_addr_from_peer(), and sip_allow_anyrtp_remote().

 {
  struct ast_acl_list *clone;
  struct ast_acl *current_cursor;
  struct ast_acl *current_clone;
 
  /* Early return if we receive a duplication request for a NULL original. */
  if (!original) {
  return NULL;
  }
 
  if (!(clone = ast_calloc(1, sizeof(*clone)))) {
  ast_log(LOG_ERROR, "Failed to allocate ast_acl_list struct while cloning an ACL\n");
  return NULL;
  }
  AST_LIST_HEAD_INIT(clone);
 
  AST_LIST_LOCK(original);
 
  AST_LIST_TRAVERSE(original, current_cursor, list) {
  if ((acl_new(&current_clone, current_cursor->name))) {
  ast_log(LOG_ERROR, "Failed to allocate ast_acl struct while cloning an ACL.\n");
  ast_free_acl_list(clone);
  clone = NULL;
  break;
  }
 
  /* Copy data from original ACL to clone ACL */
  current_clone->acl = ast_duplicate_ha_list(current_cursor->acl);
 
  current_clone->is_invalid = current_cursor->is_invalid;
  current_clone->is_realtime = current_cursor->is_realtime;
 
  AST_LIST_INSERT_TAIL(clone, current_clone, list);
 
  if (current_cursor->acl && !current_clone->acl) {
  /* Deal with failure after adding to clone so we don't have to free
  * current_clone separately. */
  ast_log(LOG_ERROR, "Failed to duplicate HA list while cloning ACL.\n");
  ast_free_acl_list(clone);
  clone = NULL;
  break;
  }
  }
 
  AST_LIST_UNLOCK(original);
 
  return clone;
 }

◆ ast_duplicate_ha()

static struct ast_ha* ast_duplicate_ha ( struct ast_ha * original )

static

Definition at line 263 of file acl.c.

References ast_calloc, and ast_copy_ha().

Referenced by ast_duplicate_ha_list().

 {
  struct ast_ha *new_ha;
 
  if ((new_ha = ast_calloc(1, sizeof(*new_ha)))) {
  /* Copy from original to new object */
  ast_copy_ha(original, new_ha);
  }
 
  return new_ha;
 }

◆ ast_duplicate_ha_list()

struct ast_ha* ast_duplicate_ha_list ( struct ast_ha * original )

Duplicate the contents of a list of host access rules.

A deep copy of all ast_has in the list is made. The returned value is allocated on the heap and must be freed independently of the input parameter when finished.

Parameters

original The ast_ha to copy

Return values

The	head of the list of duplicated ast_has

Definition at line 277 of file acl.c.

References ast_duplicate_ha(), ast_free_ha(), ast_ha::next, and NULL.

Referenced by ast_duplicate_acl_list(), and ast_named_acl_find().

 {
  struct ast_ha *start = original;
  struct ast_ha *ret = NULL;
  struct ast_ha *current, *prev = NULL;
 
  while (start) {
  current = ast_duplicate_ha(start); /* Create copy of this object */
  if (!current) {
  ast_free_ha(ret);
 
  return NULL;
  }
 
  if (prev) {
  prev->next = current; /* Link previous to this object */
  }
 
  if (!ret) {
  ret = current; /* Save starting point */
  }
 
  start = start->next; /* Go to next object */
  prev = current; /* Save pointer to this object */
  }
  return ret; /* Return start of list */
 }

◆ ast_find_ourip()

int ast_find_ourip	(	struct ast_sockaddr *	ourip,
		const struct ast_sockaddr *	bindaddr,
		int	family
	)

Find our IP address.

This function goes through many iterations in an attempt to find our IP address. If any step along the way should fail, we move to the next item in the list. Here are the steps taken:

If bindaddr has a non-zero IP address, that is copied into ourip
We use a combination of gethostname and ast_gethostbyname to find our IP address.
We use ast_ouraddrfor with 198.41.0.4 as the destination IP address
We try some platform-specific socket operations to find the IP address

Parameters

[out]	ourip	Our IP address is written here when it is found
	bindaddr	A hint used for finding our IP. See the steps above for more details
	family	Only addresses of the given family will be returned. Use 0 or AST_SOCKADDR_UNSPEC to get addresses of all families.

Return values

0	Success
-1	Failure

Definition at line 1052 of file acl.c.

References ast_debug, ast_log, ast_ouraddrfor(), ast_sockaddr_copy(), ast_sockaddr_is_any(), ast_sockaddr_port, ast_sockaddr_set_port, get_local_address(), LOG_WARNING, MAXHOSTNAMELEN, ourhost, PARSE_PORT_FORBID, and resolve_first().

Referenced by ast_rtp_prop_set(), and reload_config().

 {
  char ourhost[MAXHOSTNAMELEN] = "";
  struct ast_sockaddr root;
  int res, port = ast_sockaddr_port(ourip);
 
  /* just use the bind address if it is nonzero */
  if (!ast_sockaddr_is_any(bindaddr)) {
  ast_sockaddr_copy(ourip, bindaddr);
  ast_debug(3, "Attached to given IP address\n");
  return 0;
  }
  /* try to use our hostname */
  if (gethostname(ourhost, sizeof(ourhost) - 1)) {
  ast_log(LOG_WARNING, "Unable to get hostname\n");
  } else {
  if (resolve_first(ourip, ourhost, PARSE_PORT_FORBID, family) == 0) {
  /* reset port since resolve_first wipes this out */
  ast_sockaddr_set_port(ourip, port);
  return 0;
  }
  }
  ast_debug(3, "Trying to check A.ROOT-SERVERS.NET and get our IP address for that connection\n");
  /* A.ROOT-SERVERS.NET. */
  if (!resolve_first(&root, "A.ROOT-SERVERS.NET", PARSE_PORT_FORBID, 0) &&
  !ast_ouraddrfor(&root, ourip)) {
  /* reset port since resolve_first wipes this out */
  ast_sockaddr_set_port(ourip, port);
  return 0;
  }
  res = get_local_address(ourip);
  ast_sockaddr_set_port(ourip, port);
  return res;
 }

◆ ast_free_acl_list()

struct ast_acl_list* ast_free_acl_list ( struct ast_acl_list * acl )

Free a list of ACLs.

Given the head of a list of ast_acl structs, it and all appended acl structs will be freed. This includes the ast_ha structs within the individual nodes.

Parameters

acl	The list of ACLs to free

Return values

NULL

Definition at line 233 of file acl.c.

References ast_acl::acl, ast_free, ast_free_ha(), AST_LIST_HEAD_DESTROY, AST_LIST_LOCK, AST_LIST_REMOVE_HEAD, AST_LIST_UNLOCK, ast_acl::list, and NULL.

Referenced by __init_manager(), acl_destroy(), ast_duplicate_acl_list(), build_peer(), build_user(), endpoint_destructor(), manager_free_user(), peer_destructor(), reload_config(), rtp_reload(), rtp_unload_acl(), sip_allow_anyrtp_remote(), sip_destroy_peer(), sip_pvt_dtor(), unload_module(), and user_destructor().

 {
  struct ast_acl *current;
 
  if (!acl_list) {
  return NULL;
  }
 
  AST_LIST_LOCK(acl_list);
  while ((current = AST_LIST_REMOVE_HEAD(acl_list, list))) {
  ast_free_ha(current->acl);
  ast_free(current);
  }
  AST_LIST_UNLOCK(acl_list);
 
  AST_LIST_HEAD_DESTROY(acl_list);
  ast_free(acl_list);
 
  return NULL;
 }

◆ ast_free_ha()

void ast_free_ha ( struct ast_ha * ha )

Free a list of HAs.

Given the head of a list of HAs, it and all appended HAs are freed

Parameters

ha	The head of the list of HAs to free

Return values

void

Definition at line 222 of file acl.c.

References ast_free, and ast_ha::next.

Referenced by add_calltoken_ignore(), append_ha_core(), ast_duplicate_ha_list(), ast_free_acl_list(), AST_TEST_DEFINE(), build_callno_limits(), destroy_gateway(), destroy_named_acl(), destroy_sip_transport_state(), ip_identify_destroy(), named_acl_find_realtime(), pjsip_disable_logger(), pjsip_enable_logger_host(), pjsip_logger_session_destroy(), reload_config(), test_item_destructor(), transport_localnet_handler(), and unload_module().

 {
  struct ast_ha *hal;
  while (ha) {
  hal = ha;
  ha = ha->next;
  ast_free(hal);
  }
 }

◆ ast_get_ip()

int ast_get_ip	(	struct ast_sockaddr *	addr,
		const char *	hostname
	)

Get the IP address given a hostname.

Similar in nature to ast_gethostbyname, except that instead of getting an entire hostent structure, you instead are given only the IP address inserted into a ast_sockaddr structure.

Parameters

addr	The IP address found. The address family is used as an input parameter to filter the returned addresses. If it is AST_AF_UNSPEC, both IPv4 and IPv6 addresses can be returned.
hostname	The hostname to look up

Return values

0	Success
-1	Failure

Definition at line 1000 of file acl.c.

References ast_get_ip_or_srv(), and NULL.

Referenced by build_gateway(), build_peer(), config_parse_variables(), peer_set_srcaddr(), setup_stunaddr(), and stun_monitor_request().

 {
  return ast_get_ip_or_srv(addr, hostname, NULL);
 }

◆ ast_get_ip_or_srv()

int ast_get_ip_or_srv	(	struct ast_sockaddr *	addr,
		const char *	hostname,
		const char *	service
	)

Get the IP address given a hostname and optional service.

If the service parameter is non-NULL, then an SRV lookup will be made by prepending the service to the hostname parameter, separated by a '.' For example, if hostname is "example.com" and service is "_sip._udp" then an SRV lookup will be done for "_sip._udp.example.com". If service is NULL, then this function acts exactly like a call to ast_get_ip.

Parameters

addr	The IP address found. The address family is used as an input parameter to filter the returned addresses. If it is 0, both IPv4 and IPv6 addresses can be returned.
hostname	The hostname to look up
service	A specific service provided by the host. A NULL service results in an A-record lookup instead of an SRV lookup

Return values

0	Success
-1	Failure

Definition at line 897 of file acl.c.

References ast_get_srv(), ast_sockaddr_set_port, host, NULL, PARSE_PORT_FORBID, resolve_first(), and ast_sockaddr::ss.

Referenced by ast_get_ip(), create_addr(), dnsmgr_refresh(), internal_dnsmgr_lookup(), and proxy_update().

 {
  char srv[256];
  char host[256];
  int srv_ret = 0;
  int tportno;
 
  if (service) {
  snprintf(srv, sizeof(srv), "%s.%s", service, hostname);
  if ((srv_ret = ast_get_srv(NULL, host, sizeof(host), &tportno, srv)) > 0) {
  hostname = host;
  }
  }
 
  if (resolve_first(addr, hostname, PARSE_PORT_FORBID, addr->ss.ss_family) != 0) {
  return -1;
  }
 
  if (srv_ret > 0) {
  ast_sockaddr_set_port(addr, tportno);
  }
 
  return 0;
 }

◆ ast_ha_join()

void ast_ha_join	(	const struct ast_ha *	ha,
		struct ast_str **	buf
	)

Convert HAs to a comma separated string value.

Parameters

ha	the starting ha head
buf	string buffer to convert data to

Definition at line 723 of file acl.c.

References ast_ha::addr, AST_SENSE_ALLOW, ast_sockaddr_port, ast_sockaddr_stringify(), ast_sockaddr_stringify_addr(), ast_str_append(), ast_ha::netmask, ast_ha::next, and ast_ha::sense.

Referenced by localnet_to_str(), and match_to_str().

 {
  for (; ha; ha = ha->next) {
  const char *addr;
 
  if (ast_sockaddr_port(&ha->addr)) {
  addr = ast_sockaddr_stringify(&ha->addr);
  } else {
  addr = ast_sockaddr_stringify_addr(&ha->addr);
  }
 
  ast_str_append(buf, 0, "%s%s/",
  ha->sense == AST_SENSE_ALLOW ? "!" : "",
  addr);
  /* Separated to avoid duplicating stringified addresses. */
  ast_str_append(buf, 0, "%s", ast_sockaddr_stringify_addr(&ha->netmask));
  if (ha->next) {
  ast_str_append(buf, 0, ",");
  }
  }
 }

◆ ast_ha_join_cidr()

void ast_ha_join_cidr	(	const struct ast_ha *	ha,
		struct ast_str **	buf
	)

Convert HAs to a comma separated string value using CIDR notation.

Parameters

ha	the starting ha head
buf	string buffer to convert data to

Definition at line 745 of file acl.c.

References ast_ha::addr, AST_SENSE_ALLOW, ast_sockaddr_cidr_bits(), ast_sockaddr_stringify_addr(), ast_str_append(), ast_ha::netmask, ast_ha::next, and ast_ha::sense.

 {
  for (; ha; ha = ha->next) {
  const char *addr = ast_sockaddr_stringify_addr(&ha->addr);
  ast_str_append(buf, 0, "%s%s/%d",
  ha->sense == AST_SENSE_ALLOW ? "!" : "",
  addr, ast_sockaddr_cidr_bits(&ha->netmask));
  if (ha->next) {
  ast_str_append(buf, 0, ",");
  }
  }
 }

◆ ast_ha_output()

void ast_ha_output	(	int	fd,
		const struct ast_ha *	ha,
		const char *	prefix
	)

output an HA to the provided fd

This function can be used centrally to output HAs as used in ACLs from other modules. It follows the format as originally used for named ACLs in named_acl.c.

Parameters

fd	The file-descriptor to which to output the HA.
ha	The HA to output.
prefix	If you need a specific prefix output on each line, give it here, may be NULL.

Since: 13.33.0, 16.10.0, 17.4.0

Definition at line 1087 of file acl.c.

References ast_ha::addr, ast_cli(), AST_SENSE_ALLOW, AST_SOCKADDR_BUFLEN, ast_sockaddr_stringify_addr(), ast_ha::netmask, ast_ha::next, and ast_ha::sense.

Referenced by ast_acl_output(), and cli_display_named_acl().

 {
  char addr[AST_SOCKADDR_BUFLEN];
  char *mask;
  int index = 0;
  for (; ha; ha = ha->next, ++index) {
  strcpy(addr, ast_sockaddr_stringify_addr(&ha->addr));
  mask = ast_sockaddr_stringify_addr(&ha->netmask);
  ast_cli(fd, "%s%3d: %s - %s/%s\n", prefix ?: "", index, ha->sense == AST_SENSE_ALLOW ? "allow" : " deny", addr, mask);
  }
 }

◆ ast_ouraddrfor()

int ast_ouraddrfor	(	const struct ast_sockaddr *	them,
		struct ast_sockaddr *	us
	)

Get our local IP address when contacting a remote host.

This function will attempt to connect(2) to them over UDP using a source port of 5060. If the connect(2) call is successful, then we inspect the sockaddr_in output parameter of connect(2) to determine the IP address used to connect to them. This IP address is then copied into us.

Parameters

	them	The IP address to which we wish to attempt to connect
[out]	us	The source IP address used to connect to them

Return values

-1	Failure
0	Success

Definition at line 1005 of file acl.c.

References ast_connect(), ast_debug, ast_getsockname(), ast_log, ast_sockaddr_is_ipv6(), ast_sockaddr_port, ast_sockaddr_set_port, ast_sockaddr_stringify_addr(), ast_strdupa, errno, LOG_ERROR, and LOG_WARNING.

Referenced by ast_find_ourip(), ast_rtp_remote_address_set(), ast_sip_ouraddrfor(), build_gateway(), find_subchannel_and_lock(), sip_acf_channel_read(), and unicast_rtp_request().

 {
  /*
  * We must create the errno string before creating the address
  * string because it could wipe out errno on the error return
  * paths.
  */
  const char *sock_err;
  int port;
  int s;
 
  /* Preserve our original address port */
  port = ast_sockaddr_port(us);
 
  s = socket(ast_sockaddr_is_ipv6(them) ? AF_INET6 : AF_INET, SOCK_DGRAM, 0);
  if (s < 0) {
  sock_err = ast_strdupa(strerror(errno));
  ast_log(LOG_ERROR, "Cannot create socket to %s: %s\n",
  ast_sockaddr_stringify_addr(them), sock_err);
  return -1;
  }
 
  if (ast_connect(s, them)) {
  sock_err = ast_strdupa(strerror(errno));
  ast_log(LOG_WARNING, "Cannot connect to %s: %s\n",
  ast_sockaddr_stringify_addr(them), sock_err);
  close(s);
  return -1;
  }
  if (ast_getsockname(s, us)) {
  sock_err = ast_strdupa(strerror(errno));
  ast_log(LOG_WARNING, "Cannot get socket name for connection to %s: %s\n",
  ast_sockaddr_stringify_addr(them), sock_err);
  close(s);
  return -1;
  }
  close(s);
 
  ast_sockaddr_set_port(us, port);
 
  ast_debug(3, "For destination '%s', our source address is '%s'.\n",
  ast_strdupa(ast_sockaddr_stringify_addr(them)),
  ast_strdupa(ast_sockaddr_stringify_addr(us)));
 
  return 0;
 }

◆ ast_str2cos()

int ast_str2cos	(	const char *	value,
		unsigned int *	cos
	)

Convert a string to the appropriate COS value.

Parameters

	value	The COS string to convert
[out]	cos	The integer representation of that COS value

Return values

-1	Failure
0	Success

Definition at line 953 of file acl.c.

Referenced by config_parse_variables(), reload_config(), and set_config().

 {
  int fval;
 
  if (sscanf(value, "%30d", &fval) == 1) {
  if (fval < 8) {
  *cos = fval;
  return 0;
  }
  }
 
  return -1;
 }

◆ ast_str2tos()

int ast_str2tos	(	const char *	value,
		unsigned int *	tos
	)

Convert a string to the appropriate TOS value.

Parameters

	value	The TOS string to convert
[out]	tos	The integer representation of that TOS value

Return values

-1	Failure
0	Success

Definition at line 967 of file acl.c.

References ARRAY_LEN, dscp_codepoint::name, and dscp_codepoint::space.

Referenced by config_parse_variables(), iax_template_parse(), reload_config(), set_config(), tos_handler(), and transport_tos_handler().

 {
  int fval;
  unsigned int x;
 
  if (sscanf(value, "%30i", &fval) == 1) {
  *tos = fval & 0xFF;
  return 0;
  }
 
  for (x = 0; x < ARRAY_LEN(dscp_pool1); x++) {
  if (!strcasecmp(value, dscp_pool1[x].name)) {
  *tos = dscp_pool1[x].space << 2;
  return 0;
  }
  }
 
  return -1;
 }

◆ ast_tos2str()

const char* ast_tos2str ( unsigned int tos )

Convert a TOS value into its string representation.

Parameters

tos	The TOS value to look up

Returns: The string equivalent of the TOS value

Definition at line 987 of file acl.c.

References ARRAY_LEN, dscp_codepoint::name, and dscp_codepoint::space.

Referenced by sip_show_settings().

 {
  unsigned int x;
 
  for (x = 0; x < ARRAY_LEN(dscp_pool1); x++) {
  if (dscp_pool1[x].space == (tos >> 2)) {
  return dscp_pool1[x].name;
  }
  }
 
  return "unknown";
 }

◆ debug_ha_sense_appended()

static void debug_ha_sense_appended ( struct ast_ha * ha )

static

Definition at line 566 of file acl.c.

References ast_ha::addr, ast_log, ast_sockaddr_stringify(), ast_strdupa, LOG_DEBUG, ast_ha::netmask, and ast_ha::sense.

Referenced by append_ha_core().

 {
  const char *parsed_mask = ast_strdupa(ast_sockaddr_stringify(&ha->netmask));
 
  ast_log(LOG_DEBUG, "%s/%s sense %u appended to ACL\n",
  ast_sockaddr_stringify(&ha->addr),
  parsed_mask,
  ha->sense);
 }

◆ get_local_address()

static int get_local_address ( struct ast_sockaddr * ourip )

static

Definition at line 118 of file acl.c.

References ast_free, ast_malloc, ast_sockaddr_setnull(), buf, NULL, score_address(), and ast_sockaddr::ss.

Referenced by ast_find_ourip().

 {
  int s, res = -1;
 #ifdef SOLARIS
  struct lifreq *ifr = NULL;
  struct lifnum ifn;
  struct lifconf ifc;
  struct sockaddr_in *sa;
  char *buf = NULL;
  int bufsz, x;
 #endif /* SOLARIS */
 #if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__) || defined(__Darwin__) || defined(__GLIBC__)
  struct ifaddrs *ifap, *ifaphead;
  int rtnerr;
  const struct sockaddr_in *sin;
 #endif /* BSD_OR_LINUX */
  struct in_addr best_addr;
  int best_score = -100;
  memset(&best_addr, 0, sizeof(best_addr));
 
 #if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__) || defined(__Darwin__) || defined(__GLIBC__)
  rtnerr = getifaddrs(&ifaphead);
  if (rtnerr) {
  perror(NULL);
  return -1;
  }
 #endif /* BSD_OR_LINUX */
 
  s = socket(AF_INET, SOCK_STREAM, 0);
 
  if (s > 0) {
 #if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__) || defined(__Darwin__) || defined(__GLIBC__)
  for (ifap = ifaphead; ifap; ifap = ifap->ifa_next) {
 
  if (ifap->ifa_addr && ifap->ifa_addr->sa_family == AF_INET) {
  sin = (const struct sockaddr_in *) ifap->ifa_addr;
  score_address(sin, &best_addr, &best_score);
  res = 0;
 
  if (best_score == 0) {
  break;
  }
  }
  }
 #endif /* BSD_OR_LINUX */
 
  /* There is no reason whatsoever that this shouldn't work on Linux or BSD also. */
 #ifdef SOLARIS
  /* Get a count of interfaces on the machine */
  ifn.lifn_family = AF_INET;
  ifn.lifn_flags = 0;
  ifn.lifn_count = 0;
  if (ioctl(s, SIOCGLIFNUM, &ifn) < 0) {
  close(s);
  return -1;
  }
 
  bufsz = ifn.lifn_count * sizeof(struct lifreq);
  if (!(buf = ast_malloc(bufsz))) {
  close(s);
  return -1;
  }
  memset(buf, 0, bufsz);
 
  /* Get a list of interfaces on the machine */
  ifc.lifc_len = bufsz;
  ifc.lifc_buf = buf;
  ifc.lifc_family = AF_INET;
  ifc.lifc_flags = 0;
  if (ioctl(s, SIOCGLIFCONF, &ifc) < 0) {
  close(s);
  ast_free(buf);
  return -1;
  }
 
  for (ifr = ifc.lifc_req, x = 0; x < ifn.lifn_count; ifr++, x++) {
  sa = (struct sockaddr_in *)&(ifr->lifr_addr);
  score_address(sa, &best_addr, &best_score);
  res = 0;
 
  if (best_score == 0) {
  break;
  }
  }
 
  ast_free(buf);
 #endif /* SOLARIS */
 
  close(s);
  }
 #if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__) || defined(__Darwin__)
  freeifaddrs(ifaphead);
 #endif /* BSD_OR_LINUX */
 
  if (res == 0 && ourip) {
  ast_sockaddr_setnull(ourip);
  ourip->ss.ss_family = AF_INET;
  ((struct sockaddr_in *)&ourip->ss)->sin_addr = best_addr;
  }
  return res;
 }

◆ parse_cidr_mask()

static int parse_cidr_mask	(	struct ast_sockaddr *	addr,
		int	is_v4,
		const char *	mask_str
	)

static

Parse a netmask in CIDR notation.

For a mask of an IPv4 address, this should be a number between 0 and 32. For a mask of an IPv6 address, this should be a number between 0 and 128. This function creates an IPv6 ast_sockaddr from the given netmask. For masks of IPv4 addresses, this is accomplished by adding 96 to the original netmask.

Parameters

[out]	addr	The ast_sockaddr produced from the CIDR netmask
	is_v4	Tells if the address we are masking is IPv4.
	mask_str	The CIDR mask to convert

Return values

-1	Failure
0	Success

Definition at line 382 of file acl.c.

References ast_sockaddr_from_sin, ast_sockaddr::len, ast_sockaddr::ss, and V6_WORD.

Referenced by append_ha_core().

 {
  int mask;
 
  if (sscanf(mask_str, "%30d", &mask) != 1) {
  return -1;
  }
 
  if (is_v4) {
  struct sockaddr_in sin;
  if (mask < 0 || mask > 32) {
  return -1;
  }
  memset(&sin, 0, sizeof(sin));
  sin.sin_family = AF_INET;
  /* If mask is 0, then we already have the
  * appropriate all 0s address in sin from
  * the above memset.
  */
  if (mask != 0) {
  sin.sin_addr.s_addr = htonl(0xFFFFFFFF << (32 - mask));
  }
  ast_sockaddr_from_sin(addr, &sin);
  } else {
  struct sockaddr_in6 sin6;
  int i;
  if (mask < 0 || mask > 128) {
  return -1;
  }
  memset(&sin6, 0, sizeof(sin6));
  sin6.sin6_family = AF_INET6;
  for (i = 0; i < 4; ++i) {
  /* Once mask reaches 0, we don't have
  * to explicitly set anything anymore
  * since sin6 was zeroed out already
  */
  if (mask > 0) {
  V6_WORD(&sin6, i) = htonl(0xFFFFFFFF << (mask < 32 ? (32 - mask) : 0));
  mask -= mask < 32 ? mask : 32;
  }
  }
  memcpy(&addr->ss, &sin6, sizeof(sin6));
  addr->len = sizeof(sin6);
  }
 
  return 0;
 }

◆ resolve_first()

static int resolve_first	(	struct ast_sockaddr *	addr,
		const char *	name,
		int	flag,
		int	family
	)

static

Definition at line 876 of file acl.c.

References ast_debug, ast_free, ast_log, ast_sockaddr_copy(), ast_sockaddr_resolve(), and LOG_WARNING.

Referenced by ast_find_ourip(), and ast_get_ip_or_srv().

 {
  struct ast_sockaddr *addrs;
  int addrs_cnt;
 
  addrs_cnt = ast_sockaddr_resolve(&addrs, name, flag, family);
  if (addrs_cnt > 0) {
  if (addrs_cnt > 1) {
  ast_debug(1, "Multiple addresses. Using the first only\n");
  }
  ast_sockaddr_copy(addr, &addrs[0]);
  ast_free(addrs);
  } else {
  ast_log(LOG_WARNING, "Unable to lookup '%s'\n", name);
  return -1;
  }
 
  return 0;
 }

◆ score_address()

static void score_address	(	const struct sockaddr_in *	sin,
		struct in_addr *	best_addr,
		int *	best_score
	)

static

Note: Better score than a test network, but not quite as good as RFC 1918 address space. The reason is that some Linux distributions automatically configure a Zeroconf address before trying DHCP, so we want to prefer a DHCP lease to a Zeroconf address.

Definition at line 59 of file acl.c.

References ast_inet_ntoa().

Referenced by get_local_address().

 {
  const char *address;
  int score;
 
  address = ast_inet_ntoa(sin->sin_addr);
 
  /* RFC 1700 alias for the local network */
  if (address[0] == '0') {
  score = -25;
  /* RFC 1700 localnet */
  } else if (strncmp(address, "127", 3) == 0) {
  score = -20;
  /* RFC 1918 non-public address space */
  } else if (strncmp(address, "10.", 3) == 0) {
  score = -5;
  /* RFC 1918 non-public address space */
  } else if (strncmp(address, "172", 3) == 0) {
  /* 172.16.0.0 - 172.19.255.255, but not 172.160.0.0 - 172.169.255.255 */
  if (address[4] == '1' && address[5] >= '6' && address[6] == '.') {
  score = -5;
  /* 172.20.0.0 - 172.29.255.255, but not 172.200.0.0 - 172.255.255.255 nor 172.2.0.0 - 172.2.255.255 */
  } else if (address[4] == '2' && address[6] == '.') {
  score = -5;
  /* 172.30.0.0 - 172.31.255.255, but not 172.3.0.0 - 172.3.255.255 */
  } else if (address[4] == '3' && (address[5] == '0' || address[5] == '1')) {
  score = -5;
  /* All other 172 addresses are public */
  } else {
  score = 0;
  }
  /* RFC 2544 Benchmark test range (198.18.0.0 - 198.19.255.255, but not 198.180.0.0 - 198.199.255.255) */
  } else if (strncmp(address, "198.1", 5) == 0 && address[5] >= '8' && address[6] == '.') {
  score = -10;
  /* RFC 1918 non-public address space */
  } else if (strncmp(address, "192.168", 7) == 0) {
  score = -5;
  /* RFC 3330 Zeroconf network */
  } else if (strncmp(address, "169.254", 7) == 0) {
  /*!\note Better score than a test network, but not quite as good as RFC 1918
  * address space. The reason is that some Linux distributions automatically
  * configure a Zeroconf address before trying DHCP, so we want to prefer a
  * DHCP lease to a Zeroconf address.
  */
  score = -10;
  /* RFC 3330 Test network */
  } else if (strncmp(address, "192.0.2.", 8) == 0) {
  score = -15;
  /* Every other address should be publically routable */
  } else {
  score = 0;
  }
 
  if (score > *best_score) {
  *best_score = score;
  memcpy(best_addr, &sin->sin_addr, sizeof(*best_addr));
  }
 }

Variable Documentation

◆ dscp_pool1

const struct dscp_codepoint dscp_pool1[]

static

Definition at line 929 of file acl.c.

Data Structures

Functions

Variables

Detailed Description

Function Documentation

◆ acl_new()

◆ append_ha_core()

◆ ast_acl_list_is_empty()

◆ ast_acl_output()

◆ ast_append_acl()

◆ ast_append_ha()

◆ ast_append_ha_with_port()

◆ ast_apply_acl()

◆ ast_apply_acl_internal()

◆ ast_apply_acl_nolog()

◆ ast_apply_ha()

◆ ast_copy_ha()

◆ ast_duplicate_acl_list()

◆ ast_duplicate_ha()

◆ ast_duplicate_ha_list()

◆ ast_find_ourip()

◆ ast_free_acl_list()

◆ ast_free_ha()

◆ ast_get_ip()

◆ ast_get_ip_or_srv()

◆ ast_ha_join()

◆ ast_ha_join_cidr()

◆ ast_ha_output()

◆ ast_ouraddrfor()

◆ ast_str2cos()

◆ ast_str2tos()

◆ ast_tos2str()

◆ debug_ha_sense_appended()

◆ get_local_address()

◆ parse_cidr_mask()

◆ resolve_first()

◆ score_address()

Variable Documentation

◆ dscp_pool1