<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Anthony, all,<br>
<br>
I wrote a fix this afternoon based on a git master pull (which
compiles and works like a charm after some tests).<br>
As I haven't done C programming in ages, I'd be very grateful
if one of you could tell me whether the patch is very unstable, could
cause a lot of trouble, and so on.<br>
<br>
Here it is:<br>
<blockquote><tt><small>[user@vm ~]# diff
/root/freeswitch/src/mod/endpoints/mod_sofia/mod_sofia.h
/root/freeswitch_git_test/freeswitch/src/mod/endpoints/mod_sofia/mod_sofia.h</small></tt><tt><br>
</tt><tt><small>952c952</small></tt><tt><br>
</tt><tt><small>< uint8_t sofia_reg_handle_register_sw(nua_t
*nua, sofia_profile_t *profile, nua_handle_t *nh, sip_t
const *sip,</small></tt><tt><br>
</tt><tt><small>---</small></tt><tt><br>
</tt><tt><small>> uint8_t sofia_reg_handle_register(nua_t
*nua, sofia_profile_t *profile, nua_handle_t *nh, sip_t
const *sip,</small></tt><tt><br>
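Review bot: this diff is reversed: the `&lt;` side is the patched tree (it carries sofia_reg_handle_register_sw and sw_acl_token) and the `&gt;` side is the pristine git checkout, so `patch` applied to master would remove the change rather than add it. Regenerate it as `git diff` from the modified checkout (or `diff -u` with the original file first) so it applies with `patch -p1` and carries context lines. The rename of sofia_reg_handle_register to sofia_reg_handle_register_sw is also avoidable: add the new parameter to the existing function and update its callers instead.<br>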
</tt><tt><small>955,956c955</small></tt><tt><br>
</tt><tt><small><
uint32_t keylen, switch_event_t **v_event, const char
*is_nat, sofia_private_t **sofia_private_p, switch_xml_t
*user_xml, char *sw_acl_token);</small></tt><tt><br>
</tt><tt><small>< #define sofia_reg_handle_register(_nua_,
_profile_, _nh_, _sip_, _de_, _regtype_, _key_, _keylen_,
_v_event_, _is_nat_, _sofia_private_p_, _user_xml_)
sofia_reg_handle_register_sw(_nua_, _profile_, _nh_, _sip_,
_de_, _regtype_, _key_, _keylen_, _v_event_, _is_nat_,
_sofia_private_p_, _user_xml_, NULL)</small></tt><tt><br>
</tt><tt><small>---</small></tt><tt><br>
</tt><tt><small>>
uint32_t keylen, switch_event_t **v_event, const char
*is_nat, sofia_private_t **sofia_private_p, switch_xml_t
*user_xml);</small></tt><tt><br>
<br>
<br>
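Review bot: the #define sofia_reg_handle_register(_nua_, ...) shim that forwards twelve positional arguments to sofia_reg_handle_register_sw(..., NULL) is the fragile part of this header change: a function-like macro drops the compiler's type checking at every existing call site and breaks on any argument that contains a comma. Prefer adding the parameter to the real function and passing NULL explicitly at callers that have no token, or, if a wrapper is really wanted, a static inline function with the old signature. A one-line comment above the prototype saying what sw_acl_token is (the "user@domain" token of the ACL entry that matched the source IP, or NULL) is also missing.<br>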
</tt><tt><small>[user@vm ~]# diff
/root/freeswitch/src/mod/endpoints/mod_sofia/sofia_reg.c
/root/freeswitch_git_test/freeswitch/src/mod/endpoints/mod_sofia/sofia_reg.c</small></tt><tt><br>
</tt><tt><small>1119c1119</small></tt><tt><br>
</tt><tt><small>< uint8_t sofia_reg_handle_register_sw(nua_t
*nua, sofia_profile_t *profile, nua_handle_t *nh, sip_t
const *sip,</small></tt><tt><br>
</tt><tt><small>---</small></tt><tt><br>
</tt><tt><small>> uint8_t sofia_reg_handle_register(nua_t
*nua, sofia_profile_t *profile, nua_handle_t *nh, sip_t
const *sip,</small></tt><tt><br>
</tt><tt><small>1121c1121</small></tt><tt><br>
</tt><tt><small><
uint32_t keylen, switch_event_t **v_event, const char
*is_nat, sofia_private_t **sofia_private_p, switch_xml_t
*user_xml, char *sw_acl_token)</small></tt><tt><br>
</tt><tt><small>---</small></tt><tt><br>
</tt><tt><small>>
uint32_t keylen, switch_event_t **v_event, const char
*is_nat, sofia_private_t **sofia_private_p, switch_xml_t
*user_xml)</small></tt><tt><br>
</tt><tt><small>1176,1179d1175</small></tt><tt><br>
</tt><tt><small>< // FK</small></tt><tt><br>
</tt><tt><small>< char *sw_to_user;</small></tt><tt><br>
</tt><tt><small>< char *sw_reg_host;</small></tt><tt><br>
</tt><tt><small><</small></tt><tt><br>
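Review bot: sw_to_user and sw_reg_host are declared at function scope without an initialiser and are only assigned inside the later `if (sw_acl_token)` block; initialise both to NULL at the declaration so their state is obvious to the next reader, and drop the `// FK` marker comments here and in the following hunks before proposing the patch.<br>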
</tt><tt><small>1405,1410d1400</small></tt><tt><br>
</tt><tt><small>< // FK</small></tt><tt><br>
</tt><tt><small>< if (sw_acl_token) {</small></tt><tt><br>
</tt><tt><small><
switch_split_user_domain(sw_acl_token, &sw_to_user,
&sw_reg_host);</small></tt><tt><br>
</tt><tt><small>< to_user = sw_to_user;</small></tt><tt><br>
</tt><tt><small>< reg_host =
sw_reg_host;</small></tt><tt><br>
</tt><tt><small>< }</small></tt><tt><br>
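Review bot: the return value of switch_split_user_domain is ignored and sw_reg_host is copied into reg_host without a NULL check, so a token with no '@' (or an empty one) leaves reg_host NULL and to_user pointing at the bare token for the rest of the registration handling. Guard the override the way the inbound path in sofia.c does for calls (it tests `*acl_token` and then `strchr(acl_token, '@')`), e.g. `if (!zstr(sw_acl_token) &amp;&amp; strchr(sw_acl_token, '@'))`, assign to_user and reg_host only when both halves are present, and log at DEBUG which ACL token rebound the registration so it shows up in a trace. Also worth checking that nothing earlier in this function has already used the To-header to_user/reg_host for this request before the override takes effect.<br>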
</tt><tt><small>2080,2081d2069</small></tt><tt><br>
</tt><tt><small>< // FK</small></tt><tt><br>
</tt><tt><small>< char acl_token[512] = "";</small></tt><tt><br>
</tt><tt><small>2159,2160d2146</small></tt><tt><br>
</tt><tt><small>< // FK</small></tt><tt><br>
</tt><tt><small>< const char *token_sw = NULL;</small></tt><tt><br>
</tt><tt><small>2164c2150</small></tt><tt><br>
</tt><tt><small>< if (!(ok =
switch_check_network_list_ip_token(network_ip, last_acl,
&token_sw))) {</small></tt><tt><br>
</tt><tt><small>---</small></tt><tt><br>
</tt><tt><small>> if (!(ok =
switch_check_network_list_ip(network_ip, last_acl))) {</small></tt><tt><br>
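Review bot: token_sw ends up holding the token of whichever reg_acl list the loop evaluated last, not necessarily the list that identified the device: this loop only breaks on a failing list (every list must pass), so with more than one ACL in apply-register-acl a token returned by an earlier 'domains' list can be overwritten by a later list whose matching entry carries no token. The inbound-acl loop in sofia.c breaks on the first passing list, which is why the same pattern is safe there. Use a per-iteration `const char *t = NULL;` and keep it with `if (t) token_sw = t;`, and say in a comment which list wins when several return a token.<br>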
</tt><tt><small>2171,2173d2156</small></tt><tt><br>
</tt><tt><small>< if (token_sw) {</small></tt><tt><br>
</tt><tt><small><
switch_set_string(acl_token, token_sw);</small></tt><tt><br>
</tt><tt><small>< }</small></tt><tt><br>
</tt><tt><small>2194c2177</small></tt><tt><br>
</tt><tt><small>< sofia_reg_handle_register_sw(nua,
profile, nh, sip, de, type, key, sizeof(key), &v_event,
is_nat, sofia_private_p, NULL, acl_token);</small></tt><tt><br>
</tt><tt><small>---</small></tt><tt><br>
</tt><tt><small>> sofia_reg_handle_register(nua,
profile, nh, sip, de, type, key, sizeof(key), &v_event,
is_nat, sofia_private_p, NULL);</small></tt><br>
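Review bot: acl_token is passed unconditionally, and since it is a stack array initialised to "" (hunk 2080,2081) the `if (sw_acl_token)` test in sofia_reg_handle_register_sw is always true, including for a REGISTER that matched no ACL, was not of type REG_AUTO_REGISTER, or whose matching entry carried no token. The callee then splits an empty string and overrides to_user and reg_host with an empty user and a NULL host. Pass `*acl_token ? acl_token : NULL` here, or test `zstr(sw_acl_token)` in the callee, mirroring the `if (*acl_token)` guard sofia.c uses before switch_ivr_set_user.<br>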
</blockquote>
<br>
I don't mean it to be integrated into FS core, if you don't want
it to be. <br>
I am just willing to use it for our platform and would like your
advice because I am not very confident about the development I did.<br>
<br>
Thanks all in advance!<br>
Florent<br>
<br>
<br>
On 12/03/2014 17:11, Florent Krieg wrote:<br>
</div>
<blockquote cite="mid:5320873B.8000601@sewan.eu" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">Hello Anthony,<br>
<br>
Actually we only use the domains acl (I am not even sure what a
'real acl' is; we only use it in correlation with the users' cidr
fields), automatically generated by scanning the user directory
(we are in a multi-homed environment).<br>
Here is an example (taken from the logs):<br>
<blockquote>switch_utils.c:324 Adding XXX.XXX.XXX.XXX/32 (allow)
[account@test] to list domains<br>
</blockquote>
With 'apply-inbound-acl=domains' and
'apply-register-acl=domains', when XXX.XXX.XXX.XXX tries to
register with a random login@domain (e.g. alice@alice, an account
which doesn't exist at all, assuming we only have
'account@test') on our platform, it goes OK.<br>
If we do a 'sofia_contact alice@alice', it returns the register
from the db.<br>
<br>
Now:<br>
* if we start a call, it will be authenticated as 'account@test'
(which is OK)<br>
* if we receive a call, we won't be able to get the contact for
'account@test' because the record in the db is (to_user=)alice and
(reg_host=)alice <br>
So in the last case we have to do static routing. We want to
avoid it as much as possible.<br>
<br>
<br>
I am not sure whether I am clear...<br>
Regards,<br>
Florent<br>
<br>
<br>
On 12/03/2014 15:42, Anthony Minessale wrote:<br>
</div>
<blockquote
cite="mid:CAKbxfG9hdvcJGCdepYs+ktrvC17t8AappK_dvUzdFp0kiN8ASg@mail.gmail.com"
type="cite">
<div dir="ltr">apply-register-acl is specifically designed to be
used with the "domains" acl which is automatically generated
by scanning the user directory and building a list using the
cidr field and tokenizing the user to match the range of each
acl entry. It's not really useful with normal ACLs.
<div class="gmail_extra"> <br>
<br>
<div class="gmail_quote">On Wed, Mar 12, 2014 at 8:23 AM,
Florent Krieg <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:fkrieg@sewan.eu"
target="_blank">fkrieg@sewan.eu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>I forgot the part of sofia.c that switches the
user; please find it inlined below.<br>
<br>
On 12/03/2014 14:03, Florent Krieg wrote:<br>
</div>
<div>
<div class="h5">
<blockquote type="cite"> Hello all,<br>
<br>
While checking and tuning our FreeSWITCH
configuration, I found out that there is a big
difference in behaviour between the
apply-inbound-acl and apply-register-acl sofia
sip profile parameters.<br>
=> in the case of 'apply-inbound-acl',
requests coming from an IP present in the acl
profile list will be authenticated as the
matching account, which is OK.<br>
=> in the case of 'apply-register-acl',
register requests coming from an IP present in
the acl profile list will be authorized (which
is OK), while being 'authenticated' as the user
specified in the SIP request. I would have
imagined that register requests would be
identified as the matching account as well. We
end up getting crazy registrations (devices
registered as users that do not exist in the directory,
for instance) when customers' hardware is not
permissive enough to allow customisation of the from
(user@domain) field (while outgoing calls are
working perfectly).<br>
<br>
Is that behaviour wanted by the community?<br>
<br>
I checked the source code, which I reckon I am
not familiar with at all, and I found that:<br>
* apply-inbound-acl (sofia.c):<br>
<blockquote><pre>if (profile-&gt;acl_count) {
    uint32_t x = 0;
    int ok = 1;
    char *last_acl = NULL;
    const char *token = NULL;

    for (x = 0; x &lt; profile-&gt;acl_count; x++) {
        last_acl = profile-&gt;acl[x];
        if ((ok = switch_check_network_list_ip_token(network_ip, last_acl, &amp;token))) {

            if (profile-&gt;acl_pass_context[x]) {
                acl_context = profile-&gt;acl_pass_context[x];
            }

            break;
        }

        if (profile-&gt;acl_fail_context[x]) {
            acl_context = profile-&gt;acl_fail_context[x];
        } else {
            acl_context = NULL;
        }
    }

    if (ok) {
        if (token) {
            switch_set_string(acl_token, token);
        }
        if (sofia_test_pflag(profile, PFLAG_AUTH_CALLS)) {
            switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "IP %s Approved by acl \"%s[%s]\". Access Granted.\n",
                              network_ip, switch_str_nil(last_acl), acl_token);
            switch_set_string(sip_acl_authed_by, last_acl);
            switch_set_string(sip_acl_token, acl_token);
            is_auth = 1;
        }
</pre></blockquote>
</blockquote>
</div>
</div>
<blockquote><pre>[...]

if (*acl_token) {
    switch_channel_set_variable(channel, "acl_token", acl_token);
    if (strchr(acl_token, '@')) {
        if (switch_ivr_set_user(session, acl_token) == SWITCH_STATUS_SUCCESS) {
            switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(session), SWITCH_LOG_DEBUG, "Authenticating user %s\n", acl_token);
        } else {
            switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(session), SWITCH_LOG_WARNING, "Error Authenticating user %s\n", acl_token);
        }
    }
}
</pre></blockquote>
<br>
<blockquote type="cite">
<div class="">
* apply-register-acl (sofia_reg.c):<br>
<blockquote><pre>if (profile-&gt;reg_acl_count) {
    uint32_t x = 0;
    int ok = 1;
    char *last_acl = NULL;

    for (x = 0; x &lt; profile-&gt;reg_acl_count; x++) {
        last_acl = profile-&gt;reg_acl[x];
        if (!(ok = switch_check_network_list_ip(network_ip, last_acl))) {
            break;
        }
    }

    if (ok &amp;&amp; !sofia_test_pflag(profile, PFLAG_BLIND_REG)) {
        type = REG_AUTO_REGISTER;
</pre></blockquote>
<br>
Is what I expect (similar behaviour in both cases)
crazy to you? Or does it sound right? <br>
<br>
In the latter case, should I open a JIRA case for
somebody to push a fix? <br>
I could try to 'fix' it myself (in case you
consider it a bug, as I do), but I am not really
familiar with C development either.<br>
<br>
Thanks for your points of view!<br>
Regards<br>
Florent<br>
<br>
<fieldset></fieldset>
<br>
</div>
<pre>_________________________________________________________________________
Professional FreeSWITCH Consulting Services:
<a moz-do-not-send="true" href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a>
<a moz-do-not-send="true" href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server
<a moz-do-not-send="true" href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a>
Official FreeSWITCH Sites
<a moz-do-not-send="true" href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a>
<a moz-do-not-send="true" href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a>
<a moz-do-not-send="true" href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a>
FreeSWITCH-dev mailing list
<a moz-do-not-send="true" href="mailto:FreeSWITCH-dev@lists.freeswitch.org" target="_blank">FreeSWITCH-dev@lists.freeswitch.org</a>
<a moz-do-not-send="true" href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-dev" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-dev</a>
UNSUBSCRIBE:<a moz-do-not-send="true" href="http://lists.freeswitch.org/mailman/options/freeswitch-dev" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-dev</a>
<a moz-do-not-send="true" href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a>
</pre>
</blockquote>
<br>
</div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div dir="ltr">Anthony Minessale II ♬ @anthmfs ♬
@FreeSWITCH ♬
<div><br>
<div>☞ <a moz-do-not-send="true"
href="http://freeswitch.org/" target="_blank">http://freeswitch.org/</a>
☞ <a moz-do-not-send="true"
href="http://cluecon.com/" target="_blank">http://cluecon.com/</a>
☞ <a moz-do-not-send="true"
href="http://twitter.com/FreeSWITCH" target="_blank">http://twitter.com/FreeSWITCH</a></div>
<div>
<div>☞ <a moz-do-not-send="true"
href="http://irc.freenode.net" target="_blank">irc.freenode.net</a>
#freeswitch ☞ <u><a moz-do-not-send="true"
href="http://freeswitch.org/g+" target="_blank">http://freeswitch.org/g+</a></u><br>
<br>
</div>
<div>ClueCon Weekly Development Call <br>
</div>
<div>☎ <a moz-do-not-send="true"
href="mailto:sip%3A888@conference.freeswitch.org"
target="_blank">sip:888@conference.freeswitch.org</a>
☎ +19193869900 </div>
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
</blockquote>
<br>
<br>
</blockquote>
<br>
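<div>As an added example (my own code, not FreeSWITCH's and not the patch above), here is the register-identity binding this thread argues for, written as a stand-alone C program: an ACL list whose entries carry the "user@domain" token that the "domains" list derives from each user's cidr field, a lookup that returns the winning entry's token, and a resolver that stores the registration under that token when it is a usable user@domain and otherwise under the identity the REGISTER claims. The struct and function names (acl_entry_t, check_list_ip_token, resolve_register_identity) are hypothetical, the longest-prefix, default-deny evaluation is an assumption rather than a copy of switch_utils.c, and the sample list and addresses are constructed.</div>

```c
/* Added example, not FreeSWITCH code: bind a REGISTER to the identity token of the
 * ACL entry that admitted its source IP, as the patch in this thread intends, and
 * fall back safely when the token is empty or has no '@'. Names are hypothetical;
 * the sample list and addresses are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    const char *cidr;   /* "a.b.c.d/n"; a bare address means /32 */
    int allow;          /* 1 = allow, 0 = deny */
    const char *token;  /* "user@domain" from the directory cidr field, or NULL */
} acl_entry_t;

typedef enum { REG_DENIED = 0, REG_IDENT_SIP = 1, REG_IDENT_ACL = 2 } reg_ident_t;

/* Dotted-quad IPv4 -> host-order integer; 0 on malformed input. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d; char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* "a.b.c.d/n" -> network, mask, prefix length; 0 on malformed input. */
static int parse_cidr(const char *cidr, uint32_t *net, uint32_t *mask, int *bits)
{
    char buf[64], *slash, *end = NULL; long n = 32;
    if (strlen(cidr) >= sizeof(buf)) return 0;
    strcpy(buf, cidr);
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash = '\0';
        n = strtol(slash + 1, &end, 10);
        if (*end != '\0' || n < 0 || n > 32) return 0;
    }
    if (!parse_ipv4(buf, net)) return 0;
    *mask = (n == 0) ? 0 : 0xFFFFFFFFu << (32 - n);
    *net &= *mask; *bits = (int)n;
    return 1;
}

/* Longest-prefix match, default deny (an assumption, not a copy of switch_utils.c).
 * On allow, *token is the winning entry's token (may be NULL). 1 = allow, 0 = deny. */
static int check_list_ip_token(const char *ip, const acl_entry_t *list, size_t n, const char **token)
{
    uint32_t addr, net, mask; int bits, best = -1, ok = 0; size_t i;
    *token = NULL;
    if (!parse_ipv4(ip, &addr)) return 0;
    for (i = 0; i < n; i++) {
        if (!parse_cidr(list[i].cidr, &net, &mask, &bits)) continue;
        if ((addr & mask) == net && bits > best) {
            best = bits; ok = list[i].allow;
            *token = ok ? list[i].token : NULL;
        }
    }
    return ok;
}

/* Identity a REGISTER from network_ip is stored under. sip_user/sip_host are what the
 * To header claims. Only a non-empty "user@domain" token overrides them; an empty or
 * '@'-less token would otherwise leave an empty user and a NULL host, so those keep
 * the SIP identity. A token too long for the output buffers fails closed. */
static reg_ident_t resolve_register_identity(const char *network_ip, const char *sip_user,
        const char *sip_host, const acl_entry_t *list, size_t n,
        char *out_user, size_t user_len, char *out_host, size_t host_len)
{
    const char *token, *at;
    if (!check_list_ip_token(network_ip, list, n, &token)) return REG_DENIED;
    if (token && *token && (at = strchr(token, '@')) != NULL && at != token && at[1]) {
        size_t ulen = (size_t)(at - token), hlen = strlen(at + 1);
        if (ulen >= user_len || hlen >= host_len) return REG_DENIED;
        memcpy(out_user, token, ulen); out_user[ulen] = '\0';
        memcpy(out_host, at + 1, hlen + 1);
        return REG_IDENT_ACL;
    }
    if (strlen(sip_user) >= user_len || strlen(sip_host) >= host_len) return REG_DENIED;
    strcpy(out_user, sip_user);
    strcpy(out_host, sip_host);
    return REG_IDENT_SIP;
}

/* Constructed sample: a "domains"-style list plus an IP-only range and two bad tokens. */
static const acl_entry_t sample_acl[] = {
    { "203.0.113.0/24",  1, "office@test" },
    { "203.0.113.7/32",  1, "account@test" },  /* more specific, wins for .7 */
    { "203.0.113.8/32",  1, "" },              /* empty token */
    { "203.0.113.9/32",  1, "noatsign" },      /* token without '@' */
    { "198.51.100.0/24", 1, NULL },            /* IP-only entry, no identity */
};
static const size_t sample_acl_len = sizeof(sample_acl) / sizeof(sample_acl[0]);

int main(void)
{   /* every device claims alice@alice in its REGISTER, as in the thread */
    const char *ips[] = { "203.0.113.7", "203.0.113.50", "203.0.113.8", "203.0.113.9", "198.51.100.20", "192.0.2.1" };
    char user[64], host[64]; size_t i;
    for (i = 0; i < 6; i++) {
        reg_ident_t r = resolve_register_identity(ips[i], "alice", "alice", sample_acl, sample_acl_len, user, sizeof user, host, sizeof host);
        if (r == REG_DENIED) printf("%-14s denied\n", ips[i]);
        else printf("%-14s stored as %s@%s (%s)\n", ips[i], user, host, r == REG_IDENT_ACL ? "bound to ACL token" : "as claimed in SIP");
    }
    return 0;
}
```

<div>Build with <tt>cc -Wall -o acl_bind acl_bind.c</tt> and run it: 203.0.113.7 is stored as account@test regardless of what the phone put in its To header, 198.51.100.20 (an entry with no token) is admitted but stored as alice@alice, which is exactly the registration Florent describes, and the empty and '@'-less tokens fall back to the SIP identity instead of producing an empty user and a NULL host.</div>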
</body>
</html>