<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hello Anthony,<br>
<br>
Actually we only use the domains acl (I am not even sure what a
'real acl' is; we only use it in correlation with the users' cidr fields),
automatically generated by scanning the user directory (we are in
a multi-homed environment).<br>
Here is an example (taken from the logs):<br>
<blockquote>switch_utils.c:324 Adding XXX.XXX.XXX.XXX/32 (allow)
[account@test] to list domains<br>
</blockquote>
With 'apply-inbound-acl=domains' and 'apply-register-acl=domains',
when XXX.XXX.XXX.XXX tries to register with a random login@domain
(e.g. alice@alice, an account which doesn't exist at all, assuming we
only have 'account@test') on our platform, it goes OK.<br>
If we do a 'sofia_contact alice@alice', it returns the register
from the db.<br>
<br>
Now:<br>
* if we start a call, it will be authenticated as 'account@test'
(which is OK)<br>
* if we receive a call, we won't be able to get the contact for
'account@test' because the record in db is (to_user=)alice and
(reg_host=)alice <br>
So in the last case we have to do static routing. We want to avoid
it as much as possible.<br>
<br>
<br>
I am not sure whether I am clear...<br>
Regards,<br>
Florent<br>
<br>
<br>
On 12/03/2014 15:42, Anthony Minessale wrote:<br>
</div>
<blockquote
cite="mid:CAKbxfG9hdvcJGCdepYs+ktrvC17t8AappK_dvUzdFp0kiN8ASg@mail.gmail.com"
type="cite">
<div dir="ltr">apply-register-acl is specifically designed to be
used with the "domains" acl, which is automatically generated by
scanning the user directory and building a list using the cidr
field and tokenizing the user to match the range of each acl
entry. It's not really useful with normal ACLs.
<div class="gmail_extra">
<br>
<br>
<div class="gmail_quote">On Wed, Mar 12, 2014 at 8:23 AM,
Florent Krieg <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:fkrieg@sewan.eu" target="_blank">fkrieg@sewan.eu</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>I forgot the part of sofia.c that does switch user,
please find it inlined below.<br>
<br>
On 12/03/2014 14:03, Florent Krieg wrote:<br>
</div>
<div>
<div class="h5">
<blockquote type="cite"> Hello all,<br>
<br>
While checking and tuning our FreeSWITCH
configuration, I found out that there is a big
difference in behaviour between the
apply-inbound-acl and apply-register-acl sofia sip
profile parameters.<br>
=> in the case of 'apply-inbound-acl', requests
coming from an IP present in the acl profile list
will be authenticated as the matching account,
which is OK.<br>
=> in the case of 'apply-register-acl',
register requests coming from an IP present in the
acl profile list will be authorized (which is OK),
while being 'authenticated' as the user specified
in the SIP request. I would have imagined that
register requests would be identified as the
matching account as well. We end up getting
crazy registrations (devices registered as users
not existing in the directory, for instance), when
customers' hardware is not permissive enough to
allow customisation of the From (user@domain) field
(while outgoing calls are perfectly working).<br>
<br>
Is that behaviour wanted by the community?<br>
<br>
I checked the source code which I reckon I am not
familiar with at all, and I found that:<br>
* apply-inbound-acl (sofia.c):<br>
<blockquote><pre>if (profile->acl_count) {
    uint32_t x = 0;
    int ok = 1;
    char *last_acl = NULL;
    const char *token = NULL;

    /* the first acl containing network_ip wins; its token (user@domain) is kept */
    for (x = 0; x &lt; profile->acl_count; x++) {
        last_acl = profile->acl[x];
        if ((ok = switch_check_network_list_ip_token(network_ip, last_acl, &amp;token))) {

            if (profile->acl_pass_context[x]) {
                acl_context = profile->acl_pass_context[x];
            }

            break;
        }

        if (profile->acl_fail_context[x]) {
            acl_context = profile->acl_fail_context[x];
        } else {
            acl_context = NULL;
        }
    }

    if (ok) {
        if (token) {
            switch_set_string(acl_token, token);
        }
        if (sofia_test_pflag(profile, PFLAG_AUTH_CALLS)) {
            switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "IP %s Approved by acl \"%s[%s]\". Access Granted.\n",
                              network_ip, switch_str_nil(last_acl), acl_token);
            switch_set_string(sip_acl_authed_by, last_acl);
            switch_set_string(sip_acl_token, acl_token);
            is_auth = 1;
        }
</pre></blockquote>
</blockquote>
</div>
</div>
<blockquote><pre>[...]

    if (*acl_token) {
        switch_channel_set_variable(channel, "acl_token", acl_token);
        /* a token of the form user@domain switches the session to that user */
        if (strchr(acl_token, '@')) {
            if (switch_ivr_set_user(session, acl_token) == SWITCH_STATUS_SUCCESS) {
                switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(session), SWITCH_LOG_DEBUG, "Authenticating user %s\n", acl_token);
            } else {
                switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(session), SWITCH_LOG_WARNING, "Error Authenticating user %s\n", acl_token);
            }
        }
    }
</pre></blockquote>
<br>
<blockquote type="cite">
<div class="">
* apply-register-acl (sofia_reg.c):<br>
<blockquote><pre>if (profile->reg_acl_count) {
    uint32_t x = 0;
    int ok = 1;
    char *last_acl = NULL;

    /* only the IP is checked here: no token, so no user@domain is derived */
    for (x = 0; x &lt; profile->reg_acl_count; x++) {
        last_acl = profile->reg_acl[x];
        if (!(ok = switch_check_network_list_ip(network_ip, last_acl))) {
            break;
        }
    }

    if (ok &amp;&amp; !sofia_test_pflag(profile, PFLAG_BLIND_REG)) {
        type = REG_AUTO_REGISTER;
</pre></blockquote>
<br>
Is what I expect (similar behaviour in both cases)
crazy to you? Or does it sound right? <br>
<br>
In the latter case, should I open a JIRA case for
somebody to push a fix? <br>
I could try to 'fix' it myself (in case you consider
it as a bug as I do) but I am not really familiar
with C development as well.<br>
<br>
Thanks for your points of view!<br>
Regards<br>
Florent<br>
<br>
<br>
</div>
<pre>_________________________________________________________________________
Professional FreeSWITCH Consulting Services:
<a moz-do-not-send="true" href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a>
<a moz-do-not-send="true" href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server
<a moz-do-not-send="true" href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a>
Official FreeSWITCH Sites
<a moz-do-not-send="true" href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a>
<a moz-do-not-send="true" href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a>
<a moz-do-not-send="true" href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a>
FreeSWITCH-dev mailing list
<a moz-do-not-send="true" href="mailto:FreeSWITCH-dev@lists.freeswitch.org" target="_blank">FreeSWITCH-dev@lists.freeswitch.org</a>
<a moz-do-not-send="true" href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-dev" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-dev</a>
UNSUBSCRIBE:<a moz-do-not-send="true" href="http://lists.freeswitch.org/mailman/options/freeswitch-dev" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-dev</a>
<a moz-do-not-send="true" href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a>
</pre>
</blockquote>
<br>
</div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div dir="ltr">Anthony Minessale II ♬ @anthmfs ♬
@FreeSWITCH ♬
<div><br>
<div>☞ <a moz-do-not-send="true"
href="http://freeswitch.org/" target="_blank">http://freeswitch.org/</a>
☞ <a moz-do-not-send="true" href="http://cluecon.com/"
target="_blank">http://cluecon.com/</a> ☞ <a
moz-do-not-send="true"
href="http://twitter.com/FreeSWITCH" target="_blank">http://twitter.com/FreeSWITCH</a></div>
<div>
<div>☞ <a moz-do-not-send="true"
href="http://irc.freenode.net" target="_blank">irc.freenode.net</a>
#freeswitch ☞ <u><a moz-do-not-send="true"
href="http://freeswitch.org/g+" target="_blank">http://freeswitch.org/g+</a></u><br>
<br>
</div>
<div>ClueCon Weekly Development Call <br>
</div>
<div>☎ <a moz-do-not-send="true"
href="mailto:sip%3A888@conference.freeswitch.org"
target="_blank">sip:888@conference.freeswitch.org</a>
☎ +19193869900 </div>
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
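<p>The two ACL paths compared in this thread, modelled in C as an added example (not FreeSWITCH code and not written by any of the posters): the "domains" entries, the IP addresses and the <code>register_identity_proposed</code> check are constructed assumptions, the last one standing in for the behaviour Florent asks for.</p>

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* "domains" ACL entries (constructed sample values): a CIDR plus the user@domain it came from. */
struct acl_entry { const char *cidr; const char *token; };
static const struct acl_entry domains[] = {
    { "203.0.113.10/32", "account@test" },
    { "198.51.100.0/24", "trunk@test" },
};
/* Is dotted-quad ip inside cidr?  Malformed input never matches. */
static int cidr_match(const char *ip, const char *cidr)
{
    char net[32]; unsigned bits; struct in_addr a, n;
    if (sscanf(cidr, "%31[^/]/%u", net, &bits) != 2 || bits > 32) return 0;
    if (inet_pton(AF_INET, ip, &a) != 1 || inet_pton(AF_INET, net, &n) != 1) return 0;
    in_addr_t mask = bits ? htonl(~0u << (32 - bits)) : 0;
    return (a.s_addr & mask) == (n.s_addr & mask);
}

/* Stand-in for switch_check_network_list_ip_token(): the first containing entry wins and its token is returned. */
static int check_ip_token(const char *ip, const char **token)
{
    for (size_t i = 0; i < sizeof domains / sizeof domains[0]; i++)
        if (cidr_match(ip, domains[i].cidr)) { *token = domains[i].token; return 1; }
    return 0;
}

/* apply-inbound-acl: identity is the ACL token; the From user@domain is ignored. */
const char *inbound_identity(const char *ip, const char *from_aor)
{
    const char *token = NULL; (void)from_aor;
    return check_ip_token(ip, &token) ? token : NULL;
}

/* apply-register-acl as quoted from sofia_reg.c: only the IP is checked, so
 * whatever AOR the REGISTER carries is what gets stored. */
const char *register_identity_current(const char *ip, const char *reg_aor)
{
    const char *token = NULL;
    return check_ip_token(ip, &token) ? reg_aor : NULL;
}

/* Florent's proposal (hypothetical, not FreeSWITCH code): accept the REGISTER
 * only when its AOR equals the account the matching ACL entry maps to. */
const char *register_identity_proposed(const char *ip, const char *reg_aor)
{
    const char *token = NULL;
    return (check_ip_token(ip, &token) && strcmp(token, reg_aor) == 0) ? token : NULL;
}
```

With the same allow-listed address, the inbound path yields <code>account@test</code> whatever the request claims, the register path as quoted stores <code>alice@alice</code>, and the proposed check stores nothing for that AOR.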
<br>
</body>
</html>