Various sorts of access control. More...
#include "asterisk.h"
#include "asterisk/network.h"
#include <ifaddrs.h>
#include "asterisk/acl.h"
#include "asterisk/channel.h"
#include "asterisk/utils.h"
#include "asterisk/lock.h"
#include "asterisk/srv.h"
Go to the source code of this file.
Data Structures | |
struct | dscp_codepoint |
Macros | |
#define | V6_WORD(sin6, index) ((uint32_t *)&((sin6)->sin6_addr))[(index)] |
Isolate a 32-bit section of an IPv6 address. More... | |
Functions | |
static int | apply_netmask (const struct ast_sockaddr *addr, const struct ast_sockaddr *netmask, struct ast_sockaddr *result) |
Apply a netmask to an address and store the result in a separate structure. More... | |
struct ast_ha * | ast_append_ha (const char *sense, const char *stuff, struct ast_ha *path, int *error) |
Add a new rule to a list of HAs. More... | |
int | ast_apply_ha (const struct ast_ha *ha, const struct ast_sockaddr *addr) |
Apply a set of rules to a given IP address. More... | |
void | ast_copy_ha (const struct ast_ha *from, struct ast_ha *to) |
Copy the contents of one HA to another. More... | |
static struct ast_ha * | ast_duplicate_ha (struct ast_ha *original) |
struct ast_ha * | ast_duplicate_ha_list (struct ast_ha *original) |
Duplicate the contents of a list of host access rules. More... | |
int | ast_find_ourip (struct ast_sockaddr *ourip, const struct ast_sockaddr *bindaddr, int family) |
Find our IP address. More... | |
void | ast_free_ha (struct ast_ha *ha) |
Free a list of HAs. More... | |
int | ast_get_ip (struct ast_sockaddr *addr, const char *hostname) |
Get the IP address given a hostname. More... | |
int | ast_get_ip_or_srv (struct ast_sockaddr *addr, const char *hostname, const char *service) |
Get the IP address given a hostname and optional service. More... | |
int | ast_ouraddrfor (const struct ast_sockaddr *them, struct ast_sockaddr *us) |
Get our local IP address when contacting a remote host. More... | |
int | ast_str2cos (const char *value, unsigned int *cos) |
Convert a string to the appropriate COS value. More... | |
int | ast_str2tos (const char *value, unsigned int *tos) |
Convert a string to the appropriate TOS value. More... | |
const char * | ast_tos2str (unsigned int tos) |
Convert a TOS value into its string representation. More... | |
static int | get_local_address (struct ast_sockaddr *ourip) |
static int | parse_cidr_mask (struct ast_sockaddr *addr, int is_v4, const char *mask_str) |
Parse a netmask in CIDR notation. More... | |
static int | resolve_first (struct ast_sockaddr *addr, const char *name, int flag, int family) |
static void | score_address (const struct sockaddr_in *sin, struct in_addr *best_addr, int *best_score) |
Variables | |
static struct dscp_codepoint | dscp_pool1 [] |
Various sorts of access control.
Definition in file acl.c.
#define V6_WORD | ( | sin6, | |
index | |||
) | ((uint32_t *)&((sin6)->sin6_addr))[(index)] |
Isolate a 32-bit section of an IPv6 address.
An IPv6 address can be divided into 4 32-bit chunks. This gives easy access to one of these chunks.
sin6 | A pointer to a struct sockaddr_in6 |
index | Which 32-bit chunk to operate on. Must be in the range 0-3. |
Definition at line 288 of file acl.c.
Referenced by apply_netmask(), and parse_cidr_mask().
|
static |
Apply a netmask to an address and store the result in a separate structure.
When dealing with IPv6 addresses, one cannot apply a netmask with a simple logical and operation. Furthermore, the incoming address may be an IPv4 address and need to be mapped properly before attempting to apply a rule.
addr | The IP address to apply the mask to. |
netmask | The netmask configured in the host access rule. |
result | The resultant address after applying the netmask to the given address |
0 | Successfully applied netmask -1 Failed to apply netmask |
Definition at line 304 of file acl.c.
References ast_sockaddr_from_sin, ast_sockaddr_is_ipv4(), ast_sockaddr_is_ipv6(), ast_sockaddr::len, ast_sockaddr::ss, and V6_WORD.
Referenced by ast_append_ha(), and ast_apply_ha().
struct ast_ha* ast_append_ha | ( | const char * | sense, |
const char * | stuff, | ||
struct ast_ha * | path, | ||
int * | error | ||
) |
Add a new rule to a list of HAs.
This adds the new host access rule to the end of the list whose head is specified by the path parameter. Rules are evaluated in a way such that if multiple rules apply to a single IP address/subnet mask, then the rule latest in the list will be used.
sense | Either "permit" or "deny" (Actually any 'p' word will result in permission, and any other word will result in denial) | |
stuff | The IP address and subnet mask, separated with a '/'. The subnet mask can either be in dotted-decimal format or in CIDR notation (i.e. 0-32). | |
path | The head of the HA list to which we wish to append our new rule. If NULL is passed, then the new rule will become the head of the list | |
[out] | error | The integer error points to will be set non-zero if an error occurs |
Definition at line 399 of file acl.c.
References ast_ha::addr, apply_netmask(), ast_calloc, ast_debug, ast_free_ha(), ast_log(), AST_SENSE_ALLOW, AST_SENSE_DENY, ast_sockaddr_ipv4_mapped(), ast_sockaddr_is_ipv4(), ast_sockaddr_parse(), ast_sockaddr_stringify(), ast_strdupa, LOG_NOTICE, LOG_WARNING, ast_ha::netmask, ast_ha::next, parse_cidr_mask(), PARSE_PORT_FORBID, ast_ha::sense, and strsep().
Referenced by __init_manager(), add_calltoken_ignore(), build_callno_limits(), build_device(), build_gateway(), build_peer(), build_user(), config_parse_variables(), and reload_config().
int ast_apply_ha | ( | const struct ast_ha * | ha, |
const struct ast_sockaddr * | addr | ||
) |
Apply a set of rules to a given IP address.
The list of host access rules is traversed, beginning with the input rule. If the IP address given matches a rule, the "sense" of that rule is used as the return value. Note that if an IP address matches multiple rules that the last one matched will be the one whose sense will be returned.
ha | The head of the list of host access rules to follow |
addr | An ast_sockaddr whose address is considered when matching rules |
AST_SENSE_ALLOW | The IP address passes our ACL |
AST_SENSE_DENY | The IP address fails our ACL |
Definition at line 518 of file acl.c.
References ast_ha::addr, apply_netmask(), ast_copy_string(), ast_debug, ast_inet_ntoa(), ast_log(), AST_SENSE_ALLOW, ast_sockaddr_cmp_addr(), ast_sockaddr_ipv4_mapped(), ast_sockaddr_is_ipv4(), ast_sockaddr_is_ipv4_mapped(), ast_sockaddr_is_ipv6(), ast_sockaddr_stringify(), LOG_ERROR, ast_ha::netmask, ast_ha::next, and ast_ha::sense.
Referenced by apply_directmedia_ha(), ast_sip_ouraddrfor(), auth_http_callback(), authenticate(), check_access(), check_peer_ok(), parse_register_contact(), register_verify(), and skinny_register().
Copy the contents of one HA to another.
This copies the internals of the 'from' HA to the 'to' HA. It is important that the 'to' HA has been allocated prior to calling this function
from | Source HA to copy |
to | Destination HA to copy to |
void |
Definition at line 234 of file acl.c.
References ast_ha::addr, ast_sockaddr_copy(), ast_ha::netmask, and ast_ha::sense.
Referenced by add_calltoken_ignore(), ast_duplicate_ha(), and build_callno_limits().
Definition at line 242 of file acl.c.
References ast_calloc, and ast_copy_ha().
Referenced by ast_duplicate_ha_list().
Duplicate the contents of a list of host access rules.
A deep copy of all ast_has in the list is made. The returned value is allocated on the heap and must be freed independently of the input parameter when finished.
original | The ast_ha to copy |
The | head of the list of duplicated ast_has |
Definition at line 256 of file acl.c.
References ast_duplicate_ha(), and ast_ha::next.
Referenced by create_addr_from_peer().
int ast_find_ourip | ( | struct ast_sockaddr * | ourip, |
const struct ast_sockaddr * | bindaddr, | ||
int | family | ||
) |
Find our IP address.
This function goes through many iterations in an attempt to find our IP address. If any step along the way should fail, we move to the next item in the list. Here are the steps taken:
[out] | ourip | Our IP address is written here when it is found |
bindaddr | A hint used for finding our IP. See the steps above for more details | |
family | Only addresses of the given family will be returned. Use 0 or AST_SOCKADDR_UNSPEC to get addresses of all families. |
0 | Success |
-1 | Failure |
Definition at line 744 of file acl.c.
References ast_debug, ast_log(), ast_ouraddrfor(), ast_sockaddr_copy(), ast_sockaddr_is_any(), ast_sockaddr_port, ast_sockaddr_set_port, get_local_address(), LOG_WARNING, MAXHOSTNAMELEN, ourhost, PARSE_PORT_FORBID, and resolve_first().
Referenced by __oh323_rtp_create(), gtalk_get_local_ip(), jingle_create_candidates(), load_module(), and reload_config().
void ast_free_ha | ( | struct ast_ha * | ha | ) |
Free a list of HAs.
Given the head of a list of HAs, it and all appended HAs are freed
ha | The head of the list of HAs to free |
void |
Definition at line 223 of file acl.c.
References ast_free, and ast_ha::next.
Referenced by __init_manager(), __sip_destroy(), add_calltoken_ignore(), ast_append_ha(), build_callno_limits(), build_peer(), build_user(), destroy_gateway(), manager_free_user(), oh323_destroy_peer(), oh323_destroy_user(), peer_destructor(), reload_config(), sip_destroy_peer(), unload_module(), and user_destructor().
int ast_get_ip | ( | struct ast_sockaddr * | addr, |
const char * | hostname | ||
) |
Get the IP address given a hostname.
Similar in nature to ast_gethostbyname, except that instead of getting an entire hostent structure, you instead are given only the IP address inserted into a ast_sockaddr structure.
addr | The IP address found. The address family is used as an input parameter to filter the returned addresses. If it is 0, both IPv4 and IPv6 addresses can be returned. |
hostname | The hostname to look up |
0 | Success |
-1 | Failure |
Definition at line 700 of file acl.c.
References ast_get_ip_or_srv().
Referenced by build_gateway(), build_peer(), build_user(), config_parse_variables(), peer_set_srcaddr(), setup_stunaddr(), and stun_monitor_request().
int ast_get_ip_or_srv | ( | struct ast_sockaddr * | addr, |
const char * | hostname, | ||
const char * | service | ||
) |
Get the IP address given a hostname and optional service.
If the service parameter is non-NULL, then an SRV lookup will be made by prepending the service to the hostname parameter, separated by a '.' For example, if hostname is "example.com" and service is "_sip._udp" then an SRV lookup will be done for "_sip._udp.example.com". If service is NULL, then this function acts exactly like a call to ast_get_ip.
addr | The IP address found. The address family is used as an input parameter to filter the returned addresses. If it is 0, both IPv4 and IPv6 addresses can be returned. |
hostname | The hostname to look up |
service | A specific service provided by the host. A NULL service results in an A-record lookup instead of an SRV lookup |
0 | Success |
-1 | Failure |
Definition at line 597 of file acl.c.
References ast_get_srv(), ast_sockaddr_set_port, PARSE_PORT_FORBID, resolve_first(), and ast_sockaddr::ss.
Referenced by ast_get_ip(), create_addr(), dnsmgr_refresh(), internal_dnsmgr_lookup(), and proxy_update().
int ast_ouraddrfor | ( | const struct ast_sockaddr * | them, |
struct ast_sockaddr * | us | ||
) |
Get our local IP address when contacting a remote host.
This function will attempt to connect(2) to them over UDP using a source port of 5060. If the connect(2) call is successful, then we inspect the sockaddr_in output parameter of connect(2) to determine the IP address used to connect to them. This IP address is then copied into us.
them | The IP address to which we wish to attempt to connect | |
[out] | us | The source IP address used to connect to them |
-1 | Failure |
0 | Success |
Definition at line 705 of file acl.c.
References ast_connect(), ast_debug, ast_getsockname(), ast_log(), ast_sockaddr_is_ipv6(), ast_sockaddr_port, ast_sockaddr_set_port, ast_sockaddr_stringify_addr(), ast_strdupa, LOG_ERROR, and LOG_WARNING.
Referenced by ast_find_ourip(), ast_sip_ouraddrfor(), build_gateway(), find_subchannel_and_lock(), gtalk_get_local_ip(), and sip_acf_channel_read().
int ast_str2cos | ( | const char * | value, |
unsigned int * | cos | ||
) |
Convert a string to the appropriate COS value.
value | The COS string to convert | |
[out] | cos | The integer representation of that COS value |
-1 | Failure |
0 | Success |
Definition at line 653 of file acl.c.
Referenced by config_parse_variables(), reload_config(), and set_config().
int ast_str2tos | ( | const char * | value, |
unsigned int * | tos | ||
) |
Convert a string to the appropriate TOS value.
value | The TOS string to convert | |
[out] | tos | The integer representation of that TOS value |
-1 | Failure |
0 | Success |
Definition at line 667 of file acl.c.
References ARRAY_LEN, name, and dscp_codepoint::space.
Referenced by config_parse_variables(), iax_template_parse(), reload_config(), and set_config().
const char* ast_tos2str | ( | unsigned int | tos | ) |
Convert a TOS value into its string representation.
tos | The TOS value to look up |
Definition at line 687 of file acl.c.
References ARRAY_LEN, dscp_codepoint::name, and dscp_codepoint::space.
Referenced by sip_show_settings().
|
static |
Definition at line 119 of file acl.c.
References ast_sockaddr_setnull(), free, malloc, score_address(), and ast_sockaddr::ss.
Referenced by ast_find_ourip().
|
static |
Parse a netmask in CIDR notation.
For a mask of an IPv4 address, this should be a number between 0 and 32. For a mask of an IPv6 address, this should be a number between 0 and 128. This function creates an IPv6 ast_sockaddr from the given netmask. For masks of IPv4 addresses, this is accomplished by adding 96 to the original netmask.
[out] | addr | The ast_sockaddr produced from the CIDR netmask |
is_v4 | Tells if the address we are masking is IPv4. | |
mask_str | The CIDR mask to convert |
-1 | Failure |
0 | Success |
Definition at line 351 of file acl.c.
References ast_sockaddr_from_sin, ast_sockaddr::len, ast_sockaddr::ss, and V6_WORD.
Referenced by ast_append_ha().
|
static |
Definition at line 576 of file acl.c.
References ast_debug, ast_free, ast_log(), ast_sockaddr_copy(), ast_sockaddr_resolve(), and LOG_WARNING.
Referenced by ast_find_ourip(), and ast_get_ip_or_srv().
|
static |
Definition at line 60 of file acl.c.
References ast_inet_ntoa().
Referenced by get_local_address().
|
static |