<div dir="ltr">apply-register acl is specifically designed to be used with the &quot;domains&quot; acl which is automatically generated by scanning the user directory and building a list using the cidr field and tokenizing the user to match the range of each acl entry.  It&#39;s not really useful with normal ACLs.<div class="gmail_extra">
<br><br><div class="gmail_quote">On Wed, Mar 12, 2014 at 8:23 AM, Florent Krieg <span dir="ltr">&lt;<a href="mailto:fkrieg@sewan.eu" target="_blank">fkrieg@sewan.eu</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    <div>I forgot the part of sofia.c that does
      switch user, please find it inlined below.<br>
      <br>
      On 12/03/2014 14:03, Florent Krieg wrote:<br>
    </div><div><div class="h5">
    <blockquote type="cite">
      
      Hello all,<br>
      <br>
      While checking and tuning our FreeSWITCH configuration, I found
      out that there is a big difference in behaviour between the
      apply-inbound-acl and apply-register-acl sofia sip profile
      parameters.<br>
      =&gt; in the case of &#39;apply-inbound-acl&#39;, requests coming from an
      IP present in the acl profile list will be authenticated as the
      matching account, which is OK.<br>
      =&gt; in the case of &#39;apply-register-acl&#39;, register requests
      coming from an IP present in the acl profile list will be
      authorized (which is OK), while being &#39;authenticated&#39; as the user
      specified in the SIP request. I would have imagined that register
      requests would be identified as the matching account as well. We
      end up getting crazy registrations (devices registered as a user
      not existing in the directory, for instance) when customers&#39;
      hardware is not permissive enough to allow from (user@domain)
      field customisation (while outgoing calls are perfectly working).<br>
      <br>
      Is that behaviour wanted by the community?<br>
      <br>
      I checked the source code which I reckon I am not familiar with at
      all, and I found that:<br>
      * apply-inbound-acl (sofia.c):<br>
      <blockquote><small><tt>if (profile-&gt;acl_count) {</tt><tt><br>
          </tt><tt>                uint32_t x = 0;</tt><tt><br>
          </tt><tt>                int ok = 1;</tt><tt><br>
          </tt><tt>                char *last_acl = NULL;</tt><tt><br>
          </tt><tt>                const char *token = NULL;</tt><tt><br>
          </tt><tt><br>
          </tt><tt>                for (x = 0; x &lt;
            profile-&gt;acl_count; x++) {</tt><tt><br>
          </tt><tt>                        last_acl =
            profile-&gt;acl[x];</tt><tt><br>
          </tt><tt>                        if ((ok =
            switch_check_network_list_ip_token(network_ip, last_acl,
            &amp;token))) {</tt><tt><br>
          </tt><tt><br>
          </tt><tt>                                if
            (profile-&gt;acl_pass_context[x]) {</tt><tt><br>
          </tt><tt>                                        acl_context =
            profile-&gt;acl_pass_context[x];</tt><tt><br>
          </tt><tt>                                }</tt><tt><br>
          </tt><tt><br>
          </tt><tt>                                break;</tt><tt><br>
          </tt><tt>                        }</tt><tt><br>
          </tt><tt><br>
          </tt><tt>                        if
            (profile-&gt;acl_fail_context[x]) {</tt><tt><br>
          </tt><tt>                                acl_context =
            profile-&gt;acl_fail_context[x];</tt><tt><br>
          </tt><tt>                        } else {</tt><tt><br>
          </tt><tt>                                acl_context = NULL;</tt><tt><br>
          </tt><tt>                        }</tt><tt><br>
          </tt><tt>                }</tt><tt><br>
          </tt><tt><br>
          </tt><tt>                if (ok) {</tt><tt><br>
          </tt><tt>                        if (token) {</tt><tt><br>
          </tt><tt>                               
            switch_set_string(acl_token, token);</tt><tt><br>
          </tt><tt>                        }</tt><tt><br>
          </tt><tt>                        if (sofia_test_pflag(profile,
            PFLAG_AUTH_CALLS)) {</tt><tt><br>
          </tt><tt>                               
            switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, &quot;IP
            %s Approved by acl \&quot;%s[%s]\&quot;. Access Granted.\n&quot;,</tt><tt><br>
          </tt><tt>                                                                 

            network_ip, switch_str_nil(last_acl), acl_token);</tt><tt><br>
          </tt><tt>                               
            switch_set_string(sip_acl_authed_by, last_acl);</tt><tt><br>
          </tt><tt>                               
            switch_set_string(sip_acl_token, acl_token);</tt><tt><br>
          </tt><tt>                                is_auth = 1;</tt><tt><br>
          </tt><tt>                        }</tt></small><tt><br>
        </tt></blockquote>
    </blockquote>
    </div></div><blockquote><small><tt>[...]</tt></small><br>
      <small><tt> </tt></small><br>
      <small><tt> </tt><tt>if (*acl_token) {</tt></small><br>
      <small><tt> </tt><tt>               
          switch_channel_set_variable(channel, &quot;acl_token&quot;, acl_token);</tt></small><br>
      <small><tt> </tt><tt>                if (strchr(acl_token, &#39;@&#39;))
          {</tt></small><br>
      <small><tt> </tt><tt>                        if
          (switch_ivr_set_user(session, acl_token) ==
          SWITCH_STATUS_SUCCESS) {</tt></small><br>
      <small><tt> </tt><tt>                               
          switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(session),
          SWITCH_LOG_DEBUG, &quot;Authenticating user %s\n&quot;, acl_token);</tt></small><br>
      <small><tt> </tt><tt>                        } else {</tt></small><br>
      <small><tt> </tt><tt>                               
          switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(session),
          SWITCH_LOG_WARNING, &quot;Error Authenticating user %s\n&quot;,
          acl_token);</tt></small><br>
      <small><tt> </tt><tt>                        }</tt></small><br>
      <small><tt> </tt><tt>                }</tt></small><br>
      <small><tt> </tt><tt>        }</tt></small><br>
    </blockquote>
    <br>
    <blockquote type="cite"><div class="">
      <blockquote><tt> </tt></blockquote>
      * apply-register-acl (sofia_reg.c):<br>
      <blockquote><small><tt>if (profile-&gt;reg_acl_count) {</tt><tt><br>
          </tt><tt>                uint32_t x = 0;</tt><tt><br>
          </tt><tt>                int ok = 1;</tt><tt><br>
          </tt><tt>                char *last_acl = NULL;</tt><tt><br>
          </tt><tt><br>
          </tt><tt>                for (x = 0; x &lt;
            profile-&gt;reg_acl_count; x++) {</tt><tt><br>
          </tt><tt>                        last_acl =
            profile-&gt;reg_acl[x];</tt><tt><br>
          </tt><tt>                        if (!(ok =
            switch_check_network_list_ip(network_ip, last_acl))) {</tt><tt><br>
          </tt><tt>                                break;</tt><tt><br>
          </tt><tt>                        }</tt><tt><br>
          </tt><tt>                }</tt><tt><br>
          </tt><tt><br>
          </tt><tt>                if (ok &amp;&amp;
            !sofia_test_pflag(profile, PFLAG_BLIND_REG)) {</tt><tt><br>
          </tt><tt>                        type = REG_AUTO_REGISTER;</tt><tt><br>
          </tt></small></blockquote>
      <br>
      Is what I expect (similar behaviour in both cases) crazy to you?
      Or does it sound right? <br>
      <br>
      In the latter case, should I open a JIRA case for somebody to push
      a fix? <br>
      I could try to &#39;fix&#39; it myself (in case you consider it a bug
      as I do) but I am not really familiar with C development either.<br>
      <br>
      Thanks for your points of view!<br>
      Regards<br>
      Florent<br>
      <br>
      <fieldset></fieldset>
      <br>
      </div><pre>_________________________________________________________________________
Professional FreeSWITCH Consulting Services:
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a>

FreeSWITCH-powered IP PBX: The CudaTel Communication Server
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a>

Official FreeSWITCH Sites
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a>
<a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a>

FreeSWITCH-dev mailing list
<a href="mailto:FreeSWITCH-dev@lists.freeswitch.org" target="_blank">FreeSWITCH-dev@lists.freeswitch.org</a>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-dev" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-dev</a>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-dev" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-dev</a>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a>
</pre>
    </blockquote>
    <br>
  </div>

<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">Anthony Minessale II       ♬ @anthmfs  ♬ @FreeSWITCH  ♬<div><br><div>☞ <a href="http://freeswitch.org/" target="_blank">http://freeswitch.org/</a>  ☞ <a href="http://cluecon.com/" target="_blank">http://cluecon.com/</a>  ☞ <a href="http://twitter.com/FreeSWITCH" target="_blank">http://twitter.com/FreeSWITCH</a></div>
<div><div>☞ <a href="http://irc.freenode.net" target="_blank">irc.freenode.net</a> #freeswitch ☞ <u><a href="http://freeswitch.org/g+" target="_blank">http://freeswitch.org/g+</a></u><br><br></div><div>ClueCon Weekly Development Call <br>
</div><div>☎ <a href="mailto:sip%3A888@conference.freeswitch.org" target="_blank">sip:888@conference.freeswitch.org</a>  ☎ +19193869900 </div><div><br></div></div></div></div>
</div></div>
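Added example, not part of the original thread and not FreeSWITCH code: a simplified C model of the difference discussed above, where the inbound check takes the identity from the matching ACL token while the register check, as the quoted message describes it, only approves the address and keeps the user named in the request. The ACL entries, addresses, user names and all function names are constructed for illustration, and a single ACL list stands in for the profile's list of ACLs.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical ACL entry: CIDR range plus its directory user ("token"). */
struct acl_entry { const char *net; int bits; const char *token; };
static const struct acl_entry domains_acl[] = {   /* constructed sample data */
    { "192.0.2.0",    28, "1001@example.test" },
    { "198.51.100.7", 32, "1002@example.test" },
};

/* Token of the first entry containing ip, or NULL when nothing matches. */
const char *acl_match_token(const char *ip)
{
    struct in_addr a, n;
    if (inet_pton(AF_INET, ip, &a) != 1) return NULL;
    for (size_t i = 0; i < sizeof domains_acl / sizeof *domains_acl; i++) {
        int bits = domains_acl[i].bits;
        uint32_t mask = bits ? htonl(~(uint32_t)0 << (32 - bits)) : 0;
        if (inet_pton(AF_INET, domains_acl[i].net, &n) != 1) continue;
        if ((a.s_addr & mask) == (n.s_addr & mask)) return domains_acl[i].token;
    }
    return NULL;
}

/* Inbound path: the identity is the ACL token, not the user in the request. */
const char *inbound_identity(const char *ip, const char *claimed)
{
    (void)claimed;
    return acl_match_token(ip);
}

/* Register path: yes/no only, so an approved address keeps the claimed user. */
const char *register_identity(const char *ip, const char *claimed)
{
    return acl_match_token(ip) ? claimed : NULL;
}

/* Audit check: approved REGISTER naming a user other than the range's owner. */
int register_identity_mismatch(const char *ip, const char *claimed)
{
    const char *tok = acl_match_token(ip);
    return tok && strcmp(tok, claimed) != 0;
}

int main(void)
{
    printf("%d\n", register_identity_mismatch("192.0.2.5", "9999@example.test"));
}
```

The mismatch check is the kind of test an operator can run over registration records to find devices that were approved by address but registered under a user other than the one their range was generated for.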