#include "asterisk/network.h"
#include "asterisk/netsock2.h"
#include "asterisk/io.h"
Go to the source code of this file.
Data Structures | |
struct | ast_ha |
internal representation of acl entries In principle user applications would have no need for this, but there is sometimes a need to extract individual items, e.g. to print them, and rather than defining iterators to navigate the list, and an externally visible 'struct ast_ha_entry', at least in the short term it is more convenient to make the whole thing public and let users play with them. More... | |
Defines | |
#define | AST_SENSE_ALLOW 1 |
#define | AST_SENSE_DENY 0 |
Functions | |
ast_ha * | ast_append_ha (const char *sense, const char *stuff, struct ast_ha *path, int *error) |
Add a new rule to a list of HAs. | |
int | ast_apply_ha (const struct ast_ha *ha, const struct ast_sockaddr *addr) |
Apply a set of rules to a given IP address. | |
void | ast_copy_ha (const struct ast_ha *from, struct ast_ha *to) |
Copy the contents of one HA to another. | |
ast_ha * | ast_duplicate_ha_list (struct ast_ha *original) |
Duplicate the contents of a list of host access rules. | |
int | ast_find_ourip (struct ast_sockaddr *ourip, const struct ast_sockaddr *bindaddr, int family) |
Find our IP address. | |
void | ast_free_ha (struct ast_ha *ha) |
Free a list of HAs. | |
int | ast_get_ip (struct ast_sockaddr *addr, const char *value) |
Get the IP address given a hostname. | |
int | ast_get_ip_or_srv (struct ast_sockaddr *addr, const char *value, const char *service) |
Get the IP address given a hostname and optional service. | |
int | ast_lookup_iface (char *iface, struct ast_sockaddr *address) |
Find an IP address associated with a specific interface. | |
int | ast_ouraddrfor (const struct ast_sockaddr *them, struct ast_sockaddr *us) |
Get our local IP address when contacting a remote host. | |
int | ast_str2cos (const char *value, unsigned int *cos) |
Convert a string to the appropriate COS value. | |
int | ast_str2tos (const char *value, unsigned int *tos) |
Convert a string to the appropriate TOS value. | |
const char * | ast_tos2str (unsigned int tos) |
Convert a TOS value into its string representation. |
Definition in file acl.h.
#define AST_SENSE_ALLOW 1 |
Definition at line 36 of file acl.h.
Referenced by apply_directmedia_ha(), ast_append_ha(), ast_apply_ha(), ast_sip_ouraddrfor(), and parse_register_contact().
#define AST_SENSE_DENY 0 |
struct ast_ha* ast_append_ha | ( | const char * | sense, | |
const char * | stuff, | |||
struct ast_ha * | path, | |||
int * | error | |||
) |
Add a new rule to a list of HAs.
This adds the new host access rule to the end of the list whose head is specified by the path parameter. Rules are evaluated in a way such that if multiple rules apply to a single IP address/subnet mask, then the rule latest in the list will be used.
sense | Either "permit" or "deny" (Actually any 'p' word will result in permission, and any other word will result in denial) | |
stuff | The IP address and subnet mask, separated with a '/'. The subnet mask can either be in dotted-decimal format or in CIDR notation (i.e. 0-32). | |
path | The head of the HA list to which we wish to append our new rule. If NULL is passed, then the new rule will become the head of the list | |
[out] | error | The integer error points to will be set non-zero if an error occurs |
Definition at line 395 of file acl.c.
References ast_ha::addr, apply_netmask(), ast_calloc, ast_debug, ast_free_ha(), ast_log(), AST_SENSE_ALLOW, AST_SENSE_DENY, ast_sockaddr_ipv4_mapped(), ast_sockaddr_is_ipv4(), ast_sockaddr_parse(), ast_sockaddr_stringify(), ast_strdupa, LOG_NOTICE, LOG_WARNING, ast_ha::next, parse_cidr_mask(), PARSE_PORT_FORBID, ast_ha::sense, and strsep().
Referenced by add_calltoken_ignore(), build_callno_limits(), build_device(), build_peer(), build_user(), and config_parse_variables().
00396 { 00397 struct ast_ha *ha; 00398 struct ast_ha *prev = NULL; 00399 struct ast_ha *ret; 00400 char *tmp = ast_strdupa(stuff); 00401 char *address = NULL, *mask = NULL; 00402 int addr_is_v4; 00403 00404 ret = path; 00405 while (path) { 00406 prev = path; 00407 path = path->next; 00408 } 00409 00410 if (!(ha = ast_calloc(1, sizeof(*ha)))) { 00411 return ret; 00412 } 00413 00414 address = strsep(&tmp, "/"); 00415 if (!address) { 00416 address = tmp; 00417 } else { 00418 mask = tmp; 00419 } 00420 00421 if (!ast_sockaddr_parse(&ha->addr, address, PARSE_PORT_FORBID)) { 00422 ast_log(LOG_WARNING, "Invalid IP address: %s\n", address); 00423 ast_free_ha(ha); 00424 if (error) { 00425 *error = 1; 00426 } 00427 return ret; 00428 } 00429 00430 /* If someone specifies an IPv4-mapped IPv6 address, 00431 * we just convert this to an IPv4 ACL 00432 */ 00433 if (ast_sockaddr_ipv4_mapped(&ha->addr, &ha->addr)) { 00434 ast_log(LOG_NOTICE, "IPv4-mapped ACL network address specified. " 00435 "Converting to an IPv4 ACL network address.\n"); 00436 } 00437 00438 addr_is_v4 = ast_sockaddr_is_ipv4(&ha->addr); 00439 00440 if (!mask) { 00441 parse_cidr_mask(&ha->netmask, addr_is_v4, addr_is_v4 ? "32" : "128"); 00442 } else if (strchr(mask, ':') || strchr(mask, '.')) { 00443 int mask_is_v4; 00444 /* Mask is of x.x.x.x or x:x:x:x:x:x:x:x variety */ 00445 if (!ast_sockaddr_parse(&ha->netmask, mask, PARSE_PORT_FORBID)) { 00446 ast_log(LOG_WARNING, "Invalid netmask: %s\n", mask); 00447 ast_free_ha(ha); 00448 if (error) { 00449 *error = 1; 00450 } 00451 return ret; 00452 } 00453 /* If someone specifies an IPv4-mapped IPv6 netmask, 00454 * we just convert this to an IPv4 ACL 00455 */ 00456 if (ast_sockaddr_ipv4_mapped(&ha->netmask, &ha->netmask)) { 00457 ast_log(LOG_NOTICE, "IPv4-mapped ACL netmask specified. " 00458 "Converting to an IPv4 ACL netmask.\n"); 00459 } 00460 mask_is_v4 = ast_sockaddr_is_ipv4(&ha->netmask); 00461 if (addr_is_v4 ^ mask_is_v4) { 00462 ast_log(LOG_WARNING, "Address and mask are not using same address scheme.\n"); 00463 ast_free_ha(ha); 00464 if (error) { 00465 *error = 1; 00466 } 00467 return ret; 00468 } 00469 } else if (parse_cidr_mask(&ha->netmask, addr_is_v4, mask)) { 00470 ast_log(LOG_WARNING, "Invalid CIDR netmask: %s\n", mask); 00471 ast_free_ha(ha); 00472 if (error) { 00473 *error = 1; 00474 } 00475 return ret; 00476 } 00477 00478 if (apply_netmask(&ha->addr, &ha->netmask, &ha->addr)) { 00479 /* This shouldn't happen because ast_sockaddr_parse would 00480 * have failed much earlier on an unsupported address scheme 00481 */ 00482 char *failmask = ast_strdupa(ast_sockaddr_stringify(&ha->netmask)); 00483 char *failaddr = ast_strdupa(ast_sockaddr_stringify(&ha->addr)); 00484 ast_log(LOG_WARNING, "Unable to apply netmask %s to address %s\n", failmask, failaddr); 00485 ast_free_ha(ha); 00486 if (error) { 00487 *error = 1; 00488 } 00489 return ret; 00490 } 00491 00492 ha->sense = strncasecmp(sense, "p", 1) ? AST_SENSE_DENY : AST_SENSE_ALLOW; 00493 00494 ha->next = NULL; 00495 if (prev) { 00496 prev->next = ha; 00497 } else { 00498 ret = ha; 00499 } 00500 00501 { 00502 const char *addr = ast_strdupa(ast_sockaddr_stringify(&ha->addr)); 00503 const char *mask = ast_strdupa(ast_sockaddr_stringify(&ha->netmask)); 00504 00505 ast_debug(1, "%s/%s sense %d appended to acl for peer\n", addr, mask, ha->sense); 00506 } 00507 00508 return ret; 00509 }
int ast_apply_ha | ( | const struct ast_ha * | ha, | |
const struct ast_sockaddr * | addr | |||
) |
Apply a set of rules to a given IP address.
The list of host access rules is traversed, beginning with the input rule. If the IP address given matches a rule, the "sense" of that rule is used as the return value. Note that if an IP address matches multiple rules that the last one matched will be the one whose sense will be returned.
ha | The head of the list of host access rules to follow | |
addr | An ast_sockaddr whose address is considered when matching rules |
AST_SENSE_ALLOW | The IP address passes our ACL | |
AST_SENSE_DENY | The IP address fails our ACL |
Definition at line 511 of file acl.c.
References ast_ha::addr, apply_netmask(), ast_copy_string(), ast_debug, ast_inet_ntoa(), AST_SENSE_ALLOW, ast_sockaddr_cmp_addr(), ast_sockaddr_ipv4_mapped(), ast_sockaddr_is_ipv4(), ast_sockaddr_is_ipv4_mapped(), ast_sockaddr_is_ipv6(), ast_ha::netmask, ast_ha::next, and ast_ha::sense.
Referenced by apply_directmedia_ha(), ast_sip_ouraddrfor(), authenticate(), check_access(), check_peer_ok(), parse_register_contact(), register_verify(), and skinny_register().
00512 { 00513 /* Start optimistic */ 00514 int res = AST_SENSE_ALLOW; 00515 const struct ast_ha *current_ha; 00516 00517 for (current_ha = ha; current_ha; current_ha = current_ha->next) { 00518 struct ast_sockaddr result; 00519 struct ast_sockaddr mapped_addr; 00520 const struct ast_sockaddr *addr_to_use; 00521 #if 0 /* debugging code */ 00522 char iabuf[INET_ADDRSTRLEN]; 00523 char iabuf2[INET_ADDRSTRLEN]; 00524 /* DEBUG */ 00525 ast_copy_string(iabuf, ast_inet_ntoa(sin->sin_addr), sizeof(iabuf)); 00526 ast_copy_string(iabuf2, ast_inet_ntoa(ha->netaddr), sizeof(iabuf2)); 00527 ast_debug(1, "##### Testing %s with %s\n", iabuf, iabuf2); 00528 #endif 00529 if (ast_sockaddr_is_ipv4(&ha->addr)) { 00530 if (ast_sockaddr_is_ipv6(addr)) { 00531 if (ast_sockaddr_is_ipv4_mapped(addr)) { 00532 /* IPv4 ACLs apply to IPv4-mapped addresses */ 00533 ast_sockaddr_ipv4_mapped(addr, &mapped_addr); 00534 addr_to_use = &mapped_addr; 00535 } else { 00536 /* An IPv4 ACL does not apply to an IPv6 address */ 00537 continue; 00538 } 00539 } else { 00540 /* Address is IPv4 and ACL is IPv4. No biggie */ 00541 addr_to_use = addr; 00542 } 00543 } else { 00544 if (ast_sockaddr_is_ipv6(addr) && !ast_sockaddr_is_ipv4_mapped(addr)) { 00545 addr_to_use = addr; 00546 } else { 00547 /* Address is IPv4 or IPv4 mapped but ACL is IPv6. Skip */ 00548 continue; 00549 } 00550 } 00551 00552 /* For each rule, if this address and the netmask = the net address 00553 apply the current rule */ 00554 if (apply_netmask(addr_to_use, ¤t_ha->netmask, &result)) { 00555 /* Unlikely to happen since we know the address to be IPv4 or IPv6 */ 00556 continue; 00557 } 00558 if (!ast_sockaddr_cmp_addr(&result, ¤t_ha->addr)) { 00559 res = current_ha->sense; 00560 } 00561 } 00562 return res; 00563 }
Copy the contents of one HA to another.
This copies the internals of the 'from' HA to the 'to' HA. It is important that the 'to' HA has been allocated prior to calling this function
from | Source HA to copy | |
to | Destination HA to copy to |
void |
Definition at line 230 of file acl.c.
References ast_ha::addr, ast_sockaddr_copy(), ast_ha::netmask, and ast_ha::sense.
Referenced by add_calltoken_ignore(), ast_duplicate_ha(), and build_callno_limits().
00231 { 00232 ast_sockaddr_copy(&to->addr, &from->addr); 00233 ast_sockaddr_copy(&to->netmask, &from->netmask); 00234 to->sense = from->sense; 00235 }
Duplicate the contents of a list of host access rules.
A deep copy of all ast_has in the list is made. The returned value is allocated on the heap and must be freed independently of the input parameter when finished.
original | The ast_ha to copy |
The | head of the list of duplicated ast_has |
Definition at line 252 of file acl.c.
References ast_duplicate_ha(), and ast_ha::next.
Referenced by create_addr_from_peer().
00253 { 00254 struct ast_ha *start = original; 00255 struct ast_ha *ret = NULL; 00256 struct ast_ha *current, *prev = NULL; 00257 00258 while (start) { 00259 current = ast_duplicate_ha(start); /* Create copy of this object */ 00260 if (prev) { 00261 prev->next = current; /* Link previous to this object */ 00262 } 00263 00264 if (!ret) { 00265 ret = current; /* Save starting point */ 00266 } 00267 00268 start = start->next; /* Go to next object */ 00269 prev = current; /* Save pointer to this object */ 00270 } 00271 return ret; /* Return start of list */ 00272 }
int ast_find_ourip | ( | struct ast_sockaddr * | ourip, | |
const struct ast_sockaddr * | bindaddr, | |||
int | family | |||
) |
Find our IP address.
This function goes through many iterations in an attempt to find our IP address. If any step along the way should fail, we move to the next item in the list. Here are the steps taken:
[out] | ourip | Our IP address is written here when it is found |
bindaddr | A hint used for finding our IP. See the steps above for more details | |
family | Only addresses of the given family will be returned. Use 0 or AST_SOCKADDR_UNSPEC to get addresses of all families. |
0 | Success | |
-1 | Failure |
Definition at line 733 of file acl.c.
References ast_debug, ast_log(), ast_ouraddrfor(), ast_sockaddr_copy(), ast_sockaddr_is_any(), bindaddr, get_local_address(), LOG_WARNING, MAXHOSTNAMELEN, ourhost, PARSE_PORT_FORBID, and resolve_first().
Referenced by __oh323_rtp_create(), gtalk_get_local_ip(), jingle_create_candidates(), and load_module().
00734 { 00735 char ourhost[MAXHOSTNAMELEN] = ""; 00736 struct ast_sockaddr root; 00737 00738 /* just use the bind address if it is nonzero */ 00739 if (!ast_sockaddr_is_any(bindaddr)) { 00740 ast_sockaddr_copy(ourip, bindaddr); 00741 ast_debug(3, "Attached to given IP address\n"); 00742 return 0; 00743 } 00744 /* try to use our hostname */ 00745 if (gethostname(ourhost, sizeof(ourhost) - 1)) { 00746 ast_log(LOG_WARNING, "Unable to get hostname\n"); 00747 } else { 00748 if (resolve_first(ourip, ourhost, PARSE_PORT_FORBID, family) == 0) { 00749 return 0; 00750 } 00751 } 00752 ast_debug(3, "Trying to check A.ROOT-SERVERS.NET and get our IP address for that connection\n"); 00753 /* A.ROOT-SERVERS.NET. */ 00754 if (!resolve_first(&root, "A.ROOT-SERVERS.NET", PARSE_PORT_FORBID, 0) && 00755 !ast_ouraddrfor(&root, ourip)) { 00756 return 0; 00757 } 00758 return get_local_address(ourip); 00759 }
void ast_free_ha | ( | struct ast_ha * | ha | ) |
Free a list of HAs.
Given the head of a list of HAs, it and all appended HAs are freed
ha | The head of the list of HAs to free |
void |
Definition at line 219 of file acl.c.
References ast_free, and ast_ha::next.
Referenced by __sip_destroy(), add_calltoken_ignore(), ast_append_ha(), build_callno_limits(), build_peer(), build_user(), destroy_gateway(), oh323_destroy_peer(), oh323_destroy_user(), peer_destructor(), reload_config(), sip_destroy_peer(), unload_module(), and user_destructor().
00220 { 00221 struct ast_ha *hal; 00222 while (ha) { 00223 hal = ha; 00224 ha = ha->next; 00225 ast_free(hal); 00226 } 00227 }
int ast_get_ip | ( | struct ast_sockaddr * | addr, | |
const char * | value | |||
) |
Get the IP address given a hostname.
Similar in nature to ast_gethostbyname, except that instead of getting an entire hostent structure, you instead are given only the IP address inserted into a sockaddr_in structure.
[out] | addr | The IP address is written into sin->sin_addr |
value | The hostname to look up |
0 | Success | |
-1 | Failure |
Definition at line 689 of file acl.c.
References ast_get_ip_or_srv().
Referenced by build_peer(), build_user(), config_parse_variables(), and peer_set_srcaddr().
00690 { 00691 return ast_get_ip_or_srv(addr, value, NULL); 00692 }
int ast_get_ip_or_srv | ( | struct ast_sockaddr * | addr, | |
const char * | value, | |||
const char * | service | |||
) |
Get the IP address given a hostname and optional service.
If the service parameter is non-NULL, then an SRV lookup will be made by prepending the service to the value parameter, separated by a '.' For example, if value is "example.com" and service is "_sip._udp" then an SRV lookup will be done for "_sip._udp.example.com". If service is NULL, then this function acts exactly like a call to ast_get_ip.
addr | The IP address found. The address family is used as an input parameter to filter the returned adresses. if it is 0, both IPv4 and IPv6 addresses can be returned. | |
value | The hostname to look up | |
service | A specific service provided by the host. A NULL service results in an A-record lookup instead of an SRV lookup |
0 | Success | |
-1 | Failure |
Definition at line 586 of file acl.c.
References ast_get_srv(), ast_sockaddr_set_port, PARSE_PORT_FORBID, resolve_first(), and ast_sockaddr::ss.
Referenced by ast_dnsmgr_lookup(), ast_get_ip(), create_addr(), dnsmgr_refresh(), and proxy_update().
00587 { 00588 char srv[256]; 00589 char host[256]; 00590 int srv_ret = 0; 00591 int tportno; 00592 00593 if (service) { 00594 snprintf(srv, sizeof(srv), "%s.%s", service, value); 00595 if ((srv_ret = ast_get_srv(NULL, host, sizeof(host), &tportno, srv)) > 0) { 00596 value = host; 00597 } 00598 } 00599 00600 if (resolve_first(addr, value, PARSE_PORT_FORBID, addr->ss.ss_family) != 0) { 00601 return -1; 00602 } 00603 00604 if (srv_ret > 0) { 00605 ast_sockaddr_set_port(addr, tportno); 00606 } 00607 00608 return 0; 00609 }
int ast_lookup_iface | ( | char * | iface, | |
struct ast_sockaddr * | address | |||
) |
Find an IP address associated with a specific interface.
Given an interface such as "eth0" we find the primary IP address associated with it using the SIOCGIFADDR ioctl. If the ioctl call should fail, we populate address with 0s.
iface | The interface name whose IP address we wish to find | |
[out] | address | The interface's IP address is placed into this param |
-1 | Failure. address is filled with 0s | |
0 | Success |
int ast_ouraddrfor | ( | const struct ast_sockaddr * | them, | |
struct ast_sockaddr * | us | |||
) |
Get our local IP address when contacting a remote host.
This function will attempt to connect(2) to them over UDP using a source port of 5060. If the connect(2) call is successful, then we inspect the sockaddr_in output parameter of connect(2) to determine the IP address used to connect to them. This IP address is then copied into us.
them | The IP address to which we wish to attempt to connect | |
[out] | us | The source IP address used to connect to them |
-1 | Failure | |
0 | Success |
Definition at line 694 of file acl.c.
References ast_connect(), ast_debug, ast_getsockname(), ast_log(), ast_sockaddr_is_ipv6(), ast_sockaddr_port, ast_sockaddr_set_port, ast_sockaddr_stringify_addr(), ast_strdupa, LOG_ERROR, and LOG_WARNING.
Referenced by ast_find_ourip(), ast_sip_ouraddrfor(), find_subchannel_and_lock(), and gtalk_get_local_ip().
00695 { 00696 int port; 00697 int s; 00698 00699 port = ast_sockaddr_port(us); 00700 00701 if ((s = socket(ast_sockaddr_is_ipv6(them) ? AF_INET6 : AF_INET, 00702 SOCK_DGRAM, 0)) < 0) { 00703 ast_log(LOG_ERROR, "Cannot create socket\n"); 00704 return -1; 00705 } 00706 00707 if (ast_connect(s, them)) { 00708 ast_log(LOG_WARNING, "Cannot connect\n"); 00709 close(s); 00710 return -1; 00711 } 00712 if (ast_getsockname(s, us)) { 00713 00714 ast_log(LOG_WARNING, "Cannot get socket name\n"); 00715 close(s); 00716 return -1; 00717 } 00718 close(s); 00719 00720 { 00721 const char *them_addr = ast_strdupa(ast_sockaddr_stringify_addr(them)); 00722 const char *us_addr = ast_strdupa(ast_sockaddr_stringify_addr(us)); 00723 00724 ast_debug(3, "For destination '%s', our source address is '%s'.\n", 00725 them_addr, us_addr); 00726 } 00727 00728 ast_sockaddr_set_port(us, port); 00729 00730 return 0; 00731 }
int ast_str2cos | ( | const char * | value, | |
unsigned int * | cos | |||
) |
Convert a string to the appropriate COS value.
value | The COS string to convert | |
[out] | cos | The integer representation of that COS value |
-1 | Failure | |
0 | Success |
Definition at line 642 of file acl.c.
Referenced by config_parse_variables(), reload_config(), and set_config().
00643 { 00644 int fval; 00645 00646 if (sscanf(value, "%30d", &fval) == 1) { 00647 if (fval < 8) { 00648 *cos = fval; 00649 return 0; 00650 } 00651 } 00652 00653 return -1; 00654 }
int ast_str2tos | ( | const char * | value, | |
unsigned int * | tos | |||
) |
Convert a string to the appropriate TOS value.
value | The TOS string to convert | |
[out] | tos | The integer representation of that TOS value |
-1 | Failure | |
0 | Success |
Definition at line 656 of file acl.c.
References ARRAY_LEN, dscp_pool1, name, and dscp_codepoint::space.
Referenced by config_parse_variables(), iax_template_parse(), reload_config(), and set_config().
00657 { 00658 int fval; 00659 unsigned int x; 00660 00661 if (sscanf(value, "%30i", &fval) == 1) { 00662 *tos = fval & 0xFF; 00663 return 0; 00664 } 00665 00666 for (x = 0; x < ARRAY_LEN(dscp_pool1); x++) { 00667 if (!strcasecmp(value, dscp_pool1[x].name)) { 00668 *tos = dscp_pool1[x].space << 2; 00669 return 0; 00670 } 00671 } 00672 00673 return -1; 00674 }
const char* ast_tos2str | ( | unsigned int | tos | ) |
Convert a TOS value into its string representation.
tos | The TOS value to look up |
Definition at line 676 of file acl.c.
References ARRAY_LEN, dscp_pool1, dscp_codepoint::name, and dscp_codepoint::space.
Referenced by sip_show_settings().
00677 { 00678 unsigned int x; 00679 00680 for (x = 0; x < ARRAY_LEN(dscp_pool1); x++) { 00681 if (dscp_pool1[x].space == (tos >> 2)) { 00682 return dscp_pool1[x].name; 00683 } 00684 } 00685 00686 return "unknown"; 00687 }