Mon Jun 27 16:50:57 2011

Asterisk developer's documentation


acl.h File Reference

Access Control of various sorts. More...

#include "asterisk/network.h"
#include "asterisk/netsock2.h"
#include "asterisk/io.h"

Go to the source code of this file.

Data Structures

struct  ast_ha
 internal representation of acl entries In principle user applications would have no need for this, but there is sometimes a need to extract individual items, e.g. to print them, and rather than defining iterators to navigate the list, and an externally visible 'struct ast_ha_entry', at least in the short term it is more convenient to make the whole thing public and let users play with them. More...

Defines

#define AST_SENSE_ALLOW   1
#define AST_SENSE_DENY   0

Functions

ast_haast_append_ha (const char *sense, const char *stuff, struct ast_ha *path, int *error)
 Add a new rule to a list of HAs.
int ast_apply_ha (const struct ast_ha *ha, const struct ast_sockaddr *addr)
 Apply a set of rules to a given IP address.
void ast_copy_ha (const struct ast_ha *from, struct ast_ha *to)
 Copy the contents of one HA to another.
ast_haast_duplicate_ha_list (struct ast_ha *original)
 Duplicate the contents of a list of host access rules.
int ast_find_ourip (struct ast_sockaddr *ourip, const struct ast_sockaddr *bindaddr, int family)
 Find our IP address.
void ast_free_ha (struct ast_ha *ha)
 Free a list of HAs.
int ast_get_ip (struct ast_sockaddr *addr, const char *value)
 Get the IP address given a hostname.
int ast_get_ip_or_srv (struct ast_sockaddr *addr, const char *value, const char *service)
 Get the IP address given a hostname and optional service.
int ast_lookup_iface (char *iface, struct ast_sockaddr *address)
 Find an IP address associated with a specific interface.
int ast_ouraddrfor (const struct ast_sockaddr *them, struct ast_sockaddr *us)
 Get our local IP address when contacting a remote host.
int ast_str2cos (const char *value, unsigned int *cos)
 Convert a string to the appropriate COS value.
int ast_str2tos (const char *value, unsigned int *tos)
 Convert a string to the appropriate TOS value.
const char * ast_tos2str (unsigned int tos)
 Convert a TOS value into its string representation.


Detailed Description

Access Control of various sorts.

Definition in file acl.h.


Define Documentation

#define AST_SENSE_ALLOW   1

Definition at line 36 of file acl.h.

Referenced by apply_directmedia_ha(), ast_append_ha(), ast_apply_ha(), ast_sip_ouraddrfor(), and parse_register_contact().

#define AST_SENSE_DENY   0

Definition at line 35 of file acl.h.

Referenced by apply_directmedia_ha(), and ast_append_ha().


Function Documentation

struct ast_ha* ast_append_ha ( const char *  sense,
const char *  stuff,
struct ast_ha path,
int *  error 
)

Add a new rule to a list of HAs.

This adds the new host access rule to the end of the list whose head is specified by the path parameter. Rules are evaluated in a way such that if multiple rules apply to a single IP address/subnet mask, then the rule latest in the list will be used.

Parameters:
sense Either "permit" or "deny" (Actually any 'p' word will result in permission, and any other word will result in denial)
stuff The IP address and subnet mask, separated with a '/'. The subnet mask can either be in dotted-decimal format or in CIDR notation (i.e. 0-32).
path The head of the HA list to which we wish to append our new rule. If NULL is passed, then the new rule will become the head of the list
[out] error The integer error points to will be set non-zero if an error occurs
Returns:
The head of the HA list

Definition at line 395 of file acl.c.

References ast_ha::addr, apply_netmask(), ast_calloc, ast_debug, ast_free_ha(), ast_log(), AST_SENSE_ALLOW, AST_SENSE_DENY, ast_sockaddr_ipv4_mapped(), ast_sockaddr_is_ipv4(), ast_sockaddr_parse(), ast_sockaddr_stringify(), ast_strdupa, LOG_NOTICE, LOG_WARNING, ast_ha::next, parse_cidr_mask(), PARSE_PORT_FORBID, ast_ha::sense, and strsep().

Referenced by add_calltoken_ignore(), build_callno_limits(), build_device(), build_peer(), build_user(), and config_parse_variables().

00396 {
00397    struct ast_ha *ha;
00398    struct ast_ha *prev = NULL;
00399    struct ast_ha *ret;
00400    char *tmp = ast_strdupa(stuff);
00401    char *address = NULL, *mask = NULL;
00402    int addr_is_v4;
00403 
00404    ret = path;
00405    while (path) {
00406       prev = path;
00407       path = path->next;
00408    }
00409 
00410    if (!(ha = ast_calloc(1, sizeof(*ha)))) {
00411       return ret;
00412    }
00413 
00414    address = strsep(&tmp, "/");
00415    if (!address) {
00416       address = tmp;
00417    } else {
00418       mask = tmp;
00419    }
00420 
00421    if (!ast_sockaddr_parse(&ha->addr, address, PARSE_PORT_FORBID)) {
00422       ast_log(LOG_WARNING, "Invalid IP address: %s\n", address);
00423       ast_free_ha(ha);
00424       if (error) {
00425          *error = 1;
00426       }
00427       return ret;
00428    }
00429 
00430    /* If someone specifies an IPv4-mapped IPv6 address,
00431     * we just convert this to an IPv4 ACL
00432     */
00433    if (ast_sockaddr_ipv4_mapped(&ha->addr, &ha->addr)) {
00434       ast_log(LOG_NOTICE, "IPv4-mapped ACL network address specified. "
00435             "Converting to an IPv4 ACL network address.\n");
00436    }
00437 
00438    addr_is_v4 = ast_sockaddr_is_ipv4(&ha->addr);
00439 
00440    if (!mask) {
00441       parse_cidr_mask(&ha->netmask, addr_is_v4, addr_is_v4 ? "32" : "128");
00442    } else if (strchr(mask, ':') || strchr(mask, '.')) {
00443       int mask_is_v4;
00444       /* Mask is of x.x.x.x or x:x:x:x:x:x:x:x variety */
00445       if (!ast_sockaddr_parse(&ha->netmask, mask, PARSE_PORT_FORBID)) {
00446          ast_log(LOG_WARNING, "Invalid netmask: %s\n", mask);
00447          ast_free_ha(ha);
00448          if (error) {
00449             *error = 1;
00450          }
00451          return ret;
00452       }
00453       /* If someone specifies an IPv4-mapped IPv6 netmask,
00454        * we just convert this to an IPv4 ACL
00455        */
00456       if (ast_sockaddr_ipv4_mapped(&ha->netmask, &ha->netmask)) {
00457          ast_log(LOG_NOTICE, "IPv4-mapped ACL netmask specified. "
00458                "Converting to an IPv4 ACL netmask.\n");
00459       }
00460       mask_is_v4 = ast_sockaddr_is_ipv4(&ha->netmask);
00461       if (addr_is_v4 ^ mask_is_v4) {
00462          ast_log(LOG_WARNING, "Address and mask are not using same address scheme.\n");
00463          ast_free_ha(ha);
00464          if (error) {
00465             *error = 1;
00466          }
00467          return ret;
00468       }
00469    } else if (parse_cidr_mask(&ha->netmask, addr_is_v4, mask)) {
00470       ast_log(LOG_WARNING, "Invalid CIDR netmask: %s\n", mask);
00471       ast_free_ha(ha);
00472       if (error) {
00473          *error = 1;
00474       }
00475       return ret;
00476    }
00477 
00478    if (apply_netmask(&ha->addr, &ha->netmask, &ha->addr)) {
00479       /* This shouldn't happen because ast_sockaddr_parse would
00480        * have failed much earlier on an unsupported address scheme
00481        */
00482       char *failmask = ast_strdupa(ast_sockaddr_stringify(&ha->netmask));
00483       char *failaddr = ast_strdupa(ast_sockaddr_stringify(&ha->addr));
00484       ast_log(LOG_WARNING, "Unable to apply netmask %s to address %s\n", failmask, failaddr);
00485       ast_free_ha(ha);
00486       if (error) {
00487          *error = 1;
00488       }
00489       return ret;
00490    }
00491 
00492    ha->sense = strncasecmp(sense, "p", 1) ? AST_SENSE_DENY : AST_SENSE_ALLOW;
00493 
00494    ha->next = NULL;
00495    if (prev) {
00496       prev->next = ha;
00497    } else {
00498       ret = ha;
00499    }
00500 
00501    {
00502       const char *addr = ast_strdupa(ast_sockaddr_stringify(&ha->addr));
00503       const char *mask = ast_strdupa(ast_sockaddr_stringify(&ha->netmask));
00504 
00505       ast_debug(1, "%s/%s sense %d appended to acl for peer\n", addr, mask, ha->sense);
00506    }
00507 
00508    return ret;
00509 }

int ast_apply_ha ( const struct ast_ha ha,
const struct ast_sockaddr addr 
)

Apply a set of rules to a given IP address.

The list of host access rules is traversed, beginning with the input rule. If the IP address given matches a rule, the "sense" of that rule is used as the return value. Note that if an IP address matches multiple rules that the last one matched will be the one whose sense will be returned.

Parameters:
ha The head of the list of host access rules to follow
addr An ast_sockaddr whose address is considered when matching rules
Return values:
AST_SENSE_ALLOW The IP address passes our ACL
AST_SENSE_DENY The IP address fails our ACL

Definition at line 511 of file acl.c.

References ast_ha::addr, apply_netmask(), ast_copy_string(), ast_debug, ast_inet_ntoa(), AST_SENSE_ALLOW, ast_sockaddr_cmp_addr(), ast_sockaddr_ipv4_mapped(), ast_sockaddr_is_ipv4(), ast_sockaddr_is_ipv4_mapped(), ast_sockaddr_is_ipv6(), ast_ha::netmask, ast_ha::next, and ast_ha::sense.

Referenced by apply_directmedia_ha(), ast_sip_ouraddrfor(), authenticate(), check_access(), check_peer_ok(), parse_register_contact(), register_verify(), and skinny_register().

00512 {
00513    /* Start optimistic */
00514    int res = AST_SENSE_ALLOW;
00515    const struct ast_ha *current_ha;
00516 
00517    for (current_ha = ha; current_ha; current_ha = current_ha->next) {
00518       struct ast_sockaddr result;
00519       struct ast_sockaddr mapped_addr;
00520       const struct ast_sockaddr *addr_to_use;
00521 #if 0 /* debugging code */
00522       char iabuf[INET_ADDRSTRLEN];
00523       char iabuf2[INET_ADDRSTRLEN];
00524       /* DEBUG */
00525       ast_copy_string(iabuf, ast_inet_ntoa(sin->sin_addr), sizeof(iabuf));
00526       ast_copy_string(iabuf2, ast_inet_ntoa(ha->netaddr), sizeof(iabuf2));
00527       ast_debug(1, "##### Testing %s with %s\n", iabuf, iabuf2);
00528 #endif
00529       if (ast_sockaddr_is_ipv4(&ha->addr)) {
00530          if (ast_sockaddr_is_ipv6(addr)) {
00531             if (ast_sockaddr_is_ipv4_mapped(addr)) {
00532                /* IPv4 ACLs apply to IPv4-mapped addresses */
00533                ast_sockaddr_ipv4_mapped(addr, &mapped_addr);
00534                addr_to_use = &mapped_addr;
00535             } else {
00536                /* An IPv4 ACL does not apply to an IPv6 address */
00537                continue;
00538             }
00539          } else {
00540             /* Address is IPv4 and ACL is IPv4. No biggie */
00541             addr_to_use = addr;
00542          }
00543       } else {
00544          if (ast_sockaddr_is_ipv6(addr) && !ast_sockaddr_is_ipv4_mapped(addr)) {
00545             addr_to_use = addr;
00546          } else {
00547             /* Address is IPv4 or IPv4 mapped but ACL is IPv6. Skip */
00548             continue;
00549          }
00550       }
00551 
00552       /* For each rule, if this address and the netmask = the net address
00553          apply the current rule */
00554       if (apply_netmask(addr_to_use, &current_ha->netmask, &result)) {
00555          /* Unlikely to happen since we know the address to be IPv4 or IPv6 */
00556          continue;
00557       }
00558       if (!ast_sockaddr_cmp_addr(&result, &current_ha->addr)) {
00559          res = current_ha->sense;
00560       }
00561    }
00562    return res;
00563 }

void ast_copy_ha ( const struct ast_ha from,
struct ast_ha to 
)

Copy the contents of one HA to another.

This copies the internals of the 'from' HA to the 'to' HA. It is important that the 'to' HA has been allocated prior to calling this function

Parameters:
from Source HA to copy
to Destination HA to copy to
Return values:
void 

Definition at line 230 of file acl.c.

References ast_ha::addr, ast_sockaddr_copy(), ast_ha::netmask, and ast_ha::sense.

Referenced by add_calltoken_ignore(), ast_duplicate_ha(), and build_callno_limits().

00231 {
00232    ast_sockaddr_copy(&to->addr, &from->addr);
00233    ast_sockaddr_copy(&to->netmask, &from->netmask);
00234    to->sense = from->sense;
00235 }

struct ast_ha* ast_duplicate_ha_list ( struct ast_ha original  ) 

Duplicate the contents of a list of host access rules.

A deep copy of all ast_has in the list is made. The returned value is allocated on the heap and must be freed independently of the input parameter when finished.

Note:
This function is not actually used anywhere.
Parameters:
original The ast_ha to copy
Return values:
The head of the list of duplicated ast_has

Definition at line 252 of file acl.c.

References ast_duplicate_ha(), and ast_ha::next.

Referenced by create_addr_from_peer().

00253 {
00254    struct ast_ha *start = original;
00255    struct ast_ha *ret = NULL;
00256    struct ast_ha *current, *prev = NULL;
00257 
00258    while (start) {
00259       current = ast_duplicate_ha(start);  /* Create copy of this object */
00260       if (prev) {
00261          prev->next = current;           /* Link previous to this object */
00262       }
00263 
00264       if (!ret) {
00265          ret = current;                  /* Save starting point */
00266       }
00267 
00268       start = start->next;                /* Go to next object */
00269       prev = current;                     /* Save pointer to this object */
00270    }
00271    return ret;                             /* Return start of list */
00272 }

int ast_find_ourip ( struct ast_sockaddr ourip,
const struct ast_sockaddr bindaddr,
int  family 
)

Find our IP address.

This function goes through many iterations in an attempt to find our IP address. If any step along the way should fail, we move to the next item in the list. Here are the steps taken:

Parameters:
[out] ourip Our IP address is written here when it is found
bindaddr A hint used for finding our IP. See the steps above for more details
family Only addresses of the given family will be returned. Use 0 or AST_SOCKADDR_UNSPEC to get addresses of all families.
Return values:
0 Success
-1 Failure

Definition at line 733 of file acl.c.

References ast_debug, ast_log(), ast_ouraddrfor(), ast_sockaddr_copy(), ast_sockaddr_is_any(), bindaddr, get_local_address(), LOG_WARNING, MAXHOSTNAMELEN, ourhost, PARSE_PORT_FORBID, and resolve_first().

Referenced by __oh323_rtp_create(), gtalk_get_local_ip(), jingle_create_candidates(), and load_module().

00734 {
00735    char ourhost[MAXHOSTNAMELEN] = "";
00736    struct ast_sockaddr root;
00737 
00738    /* just use the bind address if it is nonzero */
00739    if (!ast_sockaddr_is_any(bindaddr)) {
00740       ast_sockaddr_copy(ourip, bindaddr);
00741       ast_debug(3, "Attached to given IP address\n");
00742       return 0;
00743    }
00744    /* try to use our hostname */
00745    if (gethostname(ourhost, sizeof(ourhost) - 1)) {
00746       ast_log(LOG_WARNING, "Unable to get hostname\n");
00747    } else {
00748       if (resolve_first(ourip, ourhost, PARSE_PORT_FORBID, family) == 0) {
00749          return 0;
00750       }
00751    }
00752    ast_debug(3, "Trying to check A.ROOT-SERVERS.NET and get our IP address for that connection\n");
00753    /* A.ROOT-SERVERS.NET. */
00754    if (!resolve_first(&root, "A.ROOT-SERVERS.NET", PARSE_PORT_FORBID, 0) &&
00755        !ast_ouraddrfor(&root, ourip)) {
00756       return 0;
00757    }
00758    return get_local_address(ourip);
00759 }

void ast_free_ha ( struct ast_ha ha  ) 

Free a list of HAs.

Given the head of a list of HAs, it and all appended HAs are freed

Parameters:
ha The head of the list of HAs to free
Return values:
void 

Definition at line 219 of file acl.c.

References ast_free, and ast_ha::next.

Referenced by __sip_destroy(), add_calltoken_ignore(), ast_append_ha(), build_callno_limits(), build_peer(), build_user(), destroy_gateway(), oh323_destroy_peer(), oh323_destroy_user(), peer_destructor(), reload_config(), sip_destroy_peer(), unload_module(), and user_destructor().

00220 {
00221    struct ast_ha *hal;
00222    while (ha) {
00223       hal = ha;
00224       ha = ha->next;
00225       ast_free(hal);
00226    }
00227 }

int ast_get_ip ( struct ast_sockaddr addr,
const char *  value 
)

Get the IP address given a hostname.

Similar in nature to ast_gethostbyname, except that instead of getting an entire hostent structure, you instead are given only the IP address inserted into a sockaddr_in structure.

Parameters:
[out] addr The IP address is written into sin->sin_addr
value The hostname to look up
Return values:
0 Success
-1 Failure

Definition at line 689 of file acl.c.

References ast_get_ip_or_srv().

Referenced by build_peer(), build_user(), config_parse_variables(), and peer_set_srcaddr().

00690 {
00691    return ast_get_ip_or_srv(addr, value, NULL);
00692 }

int ast_get_ip_or_srv ( struct ast_sockaddr addr,
const char *  value,
const char *  service 
)

Get the IP address given a hostname and optional service.

If the service parameter is non-NULL, then an SRV lookup will be made by prepending the service to the value parameter, separated by a '.' For example, if value is "example.com" and service is "_sip._udp" then an SRV lookup will be done for "_sip._udp.example.com". If service is NULL, then this function acts exactly like a call to ast_get_ip.

Parameters:
addr The IP address found. The address family is used as an input parameter to filter the returned adresses. if it is 0, both IPv4 and IPv6 addresses can be returned.
value The hostname to look up
service A specific service provided by the host. A NULL service results in an A-record lookup instead of an SRV lookup
Return values:
0 Success
-1 Failure

Definition at line 586 of file acl.c.

References ast_get_srv(), ast_sockaddr_set_port, PARSE_PORT_FORBID, resolve_first(), and ast_sockaddr::ss.

Referenced by ast_dnsmgr_lookup(), ast_get_ip(), create_addr(), dnsmgr_refresh(), and proxy_update().

00587 {
00588    char srv[256];
00589    char host[256];
00590    int srv_ret = 0;
00591    int tportno;
00592 
00593    if (service) {
00594       snprintf(srv, sizeof(srv), "%s.%s", service, value);
00595       if ((srv_ret = ast_get_srv(NULL, host, sizeof(host), &tportno, srv)) > 0) {
00596          value = host;
00597       }
00598    }
00599 
00600    if (resolve_first(addr, value, PARSE_PORT_FORBID, addr->ss.ss_family) != 0) {
00601       return -1;
00602    }
00603 
00604    if (srv_ret > 0) {
00605       ast_sockaddr_set_port(addr, tportno);
00606    }
00607 
00608    return 0;
00609 }

int ast_lookup_iface ( char *  iface,
struct ast_sockaddr address 
)

Find an IP address associated with a specific interface.

Given an interface such as "eth0" we find the primary IP address associated with it using the SIOCGIFADDR ioctl. If the ioctl call should fail, we populate address with 0s.

Note:
This function is not actually used anywhere
Parameters:
iface The interface name whose IP address we wish to find
[out] address The interface's IP address is placed into this param
Return values:
-1 Failure. address is filled with 0s
0 Success

int ast_ouraddrfor ( const struct ast_sockaddr them,
struct ast_sockaddr us 
)

Get our local IP address when contacting a remote host.

This function will attempt to connect(2) to them over UDP using a source port of 5060. If the connect(2) call is successful, then we inspect the sockaddr_in output parameter of connect(2) to determine the IP address used to connect to them. This IP address is then copied into us.

Parameters:
them The IP address to which we wish to attempt to connect
[out] us The source IP address used to connect to them
Return values:
-1 Failure
0 Success

Definition at line 694 of file acl.c.

References ast_connect(), ast_debug, ast_getsockname(), ast_log(), ast_sockaddr_is_ipv6(), ast_sockaddr_port, ast_sockaddr_set_port, ast_sockaddr_stringify_addr(), ast_strdupa, LOG_ERROR, and LOG_WARNING.

Referenced by ast_find_ourip(), ast_sip_ouraddrfor(), find_subchannel_and_lock(), and gtalk_get_local_ip().

00695 {
00696    int port;
00697    int s;
00698 
00699    port = ast_sockaddr_port(us);
00700 
00701    if ((s = socket(ast_sockaddr_is_ipv6(them) ? AF_INET6 : AF_INET,
00702          SOCK_DGRAM, 0)) < 0) {
00703       ast_log(LOG_ERROR, "Cannot create socket\n");
00704       return -1;
00705    }
00706 
00707    if (ast_connect(s, them)) {
00708       ast_log(LOG_WARNING, "Cannot connect\n");
00709       close(s);
00710       return -1;
00711    }
00712    if (ast_getsockname(s, us)) {
00713 
00714       ast_log(LOG_WARNING, "Cannot get socket name\n");
00715       close(s);
00716       return -1;
00717    }
00718    close(s);
00719 
00720    {
00721       const char *them_addr = ast_strdupa(ast_sockaddr_stringify_addr(them));
00722       const char *us_addr = ast_strdupa(ast_sockaddr_stringify_addr(us));
00723 
00724       ast_debug(3, "For destination '%s', our source address is '%s'.\n",
00725             them_addr, us_addr);
00726    }
00727 
00728    ast_sockaddr_set_port(us, port);
00729 
00730    return 0;
00731 }

int ast_str2cos ( const char *  value,
unsigned int *  cos 
)

Convert a string to the appropriate COS value.

Parameters:
value The COS string to convert
[out] cos The integer representation of that COS value
Return values:
-1 Failure
0 Success

Definition at line 642 of file acl.c.

Referenced by config_parse_variables(), reload_config(), and set_config().

00643 {
00644    int fval;
00645 
00646    if (sscanf(value, "%30d", &fval) == 1) {
00647       if (fval < 8) {
00648           *cos = fval;
00649           return 0;
00650       }
00651    }
00652 
00653    return -1;
00654 }

int ast_str2tos ( const char *  value,
unsigned int *  tos 
)

Convert a string to the appropriate TOS value.

Parameters:
value The TOS string to convert
[out] tos The integer representation of that TOS value
Return values:
-1 Failure
0 Success

Definition at line 656 of file acl.c.

References ARRAY_LEN, dscp_pool1, name, and dscp_codepoint::space.

Referenced by config_parse_variables(), iax_template_parse(), reload_config(), and set_config().

00657 {
00658    int fval;
00659    unsigned int x;
00660 
00661    if (sscanf(value, "%30i", &fval) == 1) {
00662       *tos = fval & 0xFF;
00663       return 0;
00664    }
00665 
00666    for (x = 0; x < ARRAY_LEN(dscp_pool1); x++) {
00667       if (!strcasecmp(value, dscp_pool1[x].name)) {
00668          *tos = dscp_pool1[x].space << 2;
00669          return 0;
00670       }
00671    }
00672 
00673    return -1;
00674 }

const char* ast_tos2str ( unsigned int  tos  ) 

Convert a TOS value into its string representation.

Parameters:
tos The TOS value to look up
Returns:
The string equivalent of the TOS value

Definition at line 676 of file acl.c.

References ARRAY_LEN, dscp_pool1, dscp_codepoint::name, and dscp_codepoint::space.

Referenced by sip_show_settings().

00677 {
00678    unsigned int x;
00679 
00680    for (x = 0; x < ARRAY_LEN(dscp_pool1); x++) {
00681       if (dscp_pool1[x].space == (tos >> 2)) {
00682          return dscp_pool1[x].name;
00683       }
00684    }
00685 
00686    return "unknown";
00687 }


Generated on Mon Jun 27 16:50:57 2011 for Asterisk - The Open Source Telephony Project by  doxygen 1.4.7