Dynamic users (from Curl XML) CIDR not merged to ACL

Kliment Toshkov mail at klimenttoshkov.com
Sat Aug 21 19:05:00 UTC 2021


Hello,

My goal is to have dynamically defined (through CURL XML) users AND gateways; to be able to accept incoming calls from gateways, having those calls authenticated as the user that the gateway belongs to, and to be able to send outgoing calls to those gateways.

Below is a detailed description of my testing setup, which works with static configuration and does not work with dynamic configuration. I am kindly asking for advice!


I have a configuration in which the ACL “domains” is defined as:
acl.conf:
<configuration name="acl.conf" description="Network Lists">
  <network-lists>

    <list name="domains" default="deny">
        <node type="allow" domain="$${domain}"/>
    </list>

  </network-lists>
</configuration>



It is used to allow and accept calls from specific IPs without authentication, with those IPs matched to users. Sofia profile (the important part of it):
<param name="apply-inbound-acl" value="domains"/>
<param name="auth-calls" value="false"/>




Matching is done by the “cidr” parameter in the user definition. According to the documentation, each user's “cidr” is added to the above list.
https://freeswitch.org/confluence/pages/viewpage.action?pageId=3965687
> domain
> Scans the user definitions of the specified domain from the directory, and if your domain's users have cidr attributes, the ACL will be automatically built.
> Example usage:
> <node type="allow" domain="$${domain}"/>


Those gateway IPs are defined using <gateway> configurations and are currently visible in the CLI:
freeswitch@zz-freeswitch-test> sofia status
                     Name	   Type	                                      Data	State
=================================================================================================
            authenticated	profile	         sip:mod_sofia@194.153.118.45:5060	RUNNING (0)
                   trunks	profile	         sip:mod_sofia@194.153.118.45:5070	RUNNING (0)
trunks::1347a7ad-ff67-11eb-9528-9a306e6cb08d_2	gateway	             sip:FreeSWITCH@194.153.118.34	NOREG
trunks::1347a7ad-ff67-11eb-9528-9a306e6cb08d_1	gateway	             sip:FreeSWITCH@194.153.118.28	NOREG
=================================================================================================
2 profiles 0 aliases




When I define users in static XML files, incoming calls are properly authenticated (this is the file that is included in the directory XML files):
User definition:
<include>
    <user id="1347a7ad-ff67-11eb-9528-9a306e6cb08d" cidr="194.153.118.28/32,194.153.118.34/32">
        <params>
            <param name="a1-hash" value="97f2bba16d30623aa245353ff8ae2513"/>
            <param name="auth-acl" value="195.230.3.104/32"/>
        </params>
        <variables>
            <variable name="accountcode" value="1347a7ad-ff67-11eb-9528-9a306e6cb08d"/>
            <variable name="user_context" value="context_1"/>
        </variables>
    </user>
</include>

Inbound accepted call:
2021-08-21 21:23:35.432769 [NOTICE] switch_channel.c:1118 New Channel sofia/trunks/35924373333@194.153.118.28 [0e67c277-00b5-4584-9b31-b9e86f42aace]
2021-08-21 21:23:35.432769 [DEBUG] switch_core_state_machine.c:585 (sofia/trunks/35924373333@194.153.118.28) Running State Change CS_NEW (Cur 1 Tot 1)
2021-08-21 21:23:35.432769 [INFO] sofia.c:10362 sofia/trunks/35924373333@194.153.118.28 receiving invite from 194.153.118.28:5060 version: 1.10.6 -release 64bit call-id: 0faf6dcb69db75f945f753561b0dd6ad@194.153.118.28:5060
2021-08-21 21:23:35.432769 [DEBUG] sofia.c:10456 verifying acl "domains" for ip/port 194.153.118.28:0.
2021-08-21 21:23:35.512752 [DEBUG] sofia.c:10658 Authenticating user 1347a7ad-ff67-11eb-9528-9a306e6cb08d@194.153.118.45




When I define those using CURL XML (returning the same content as the static file; this is the XML response), the user is able to register successfully:
<document type="freeswitch/xml">
    <section name="directory">
        <domain name="194.153.118.45">

            <params>
            </params>

            <groups>
                <group name="contract_1">

                    <users>
                        <user id="1347a7ad-ff67-11eb-9528-9a306e6cb08d" cidr="194.153.118.28/32,194.153.118.34/32">
                            <params>
                                <param name="a1-hash" value="97f2bba16d30623aa245353ff8ae2513"/>
                                <param name="auth-acl" value="195.230.3.104/32"/>
                            </params>
                            <variables>
                                <variable name="accountcode" value="1347a7ad-ff67-11eb-9528-9a306e6cb08d"/>
                                <variable name="user_context" value="context_1"/>
                            </variables>
                        </user>

                    </users>
                </group>
            </groups>

        </domain>
    </section>
</document>


But then incoming calls are not authenticated (please note the “cidr” parameter in the user definition):
2021-08-21 21:36:57.884309 [NOTICE] switch_channel.c:1118 New Channel sofia/trunks/35924373333@194.153.118.28 [dd9bd835-de7a-43e7-9521-bc48b22336b6]
2021-08-21 21:36:57.884309 [DEBUG] switch_core_state_machine.c:585 (sofia/trunks/35924373333@194.153.118.28) Running State Change CS_NEW (Cur 1 Tot 1)
2021-08-21 21:36:57.884309 [INFO] sofia.c:10362 sofia/trunks/35924373333@194.153.118.28 receiving invite from 194.153.118.28:5060 version: 1.10.6 -release 64bit call-id: 665047ab59dcb3576dc5e23f21cb4cff@194.153.118.28:5060
2021-08-21 21:36:57.884309 [DEBUG] sofia.c:10456 verifying acl "domains" for ip/port 194.153.118.28:0.
2021-08-21 21:36:57.884309 [WARNING] sofia.c:10569 IP 194.153.118.28 Rejected by acl "domains"



After digging into this for a few days, I came to the conclusion that the ACL “domains” is not properly updated when a user registers.
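As an added example (not part of Kliment's post or of FreeSWITCH itself), the script below models what the `<node type="allow" domain="$${domain}"/>` entry does: it walks the users of the directory domain, collects every comma-separated `cidr` attribute and tags each network with the user id that an inbound call from it is authenticated as. FreeSWITCH performs that scan when the network lists are loaded (at startup or on `reloadacl`), not when a user registers, so a mod_xml_curl backend is queried for the whole domain at that moment (the request carries `purpose=network-list`) and has to answer with all users; the constructed empty-domain response shows the deny that results when it does not. The XML documents and the lookup helper are constructed for this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed directory response in the shape of the mod_xml_curl document
# in the post (user element trimmed to the attributes the ACL build uses).
DIRECTORY_XML = """<document type="freeswitch/xml">
  <section name="directory">
    <domain name="194.153.118.45">
      <groups><group name="contract_1"><users>
        <user id="1347a7ad-ff67-11eb-9528-9a306e6cb08d"
              cidr="194.153.118.28/32,194.153.118.34/32"/>
      </users></group></groups>
    </domain>
  </section>
</document>"""

# Constructed response with no users: what the ACL loader effectively gets
# when the backend only answers per-user lookups and never lists the domain.
EMPTY_DOMAIN_XML = """<document type="freeswitch/xml">
  <section name="directory"><domain name="194.153.118.45"/></section>
</document>"""


def build_domain_acl(document_xml, domain):
    """Expand a <node type="allow" domain="..."/> entry into (network, user_id)
    pairs: every comma-separated cidr of every user in the domain, whether the
    user sits inside a <group> or directly under <domain>."""
    entries = []
    for dom in ET.fromstring(document_xml).iter("domain"):
        if dom.get("name") != domain:
            continue
        for user in dom.iter("user"):
            for cidr in (user.get("cidr") or "").split(","):
                if cidr.strip():
                    entries.append((ipaddress.ip_network(cidr.strip(), strict=False),
                                    user.get("id")))
    return entries


def acl_lookup(entries, ip, default="deny"):
    """First-match lookup like apply-inbound-acl: ("allow", user_id) on a hit,
    otherwise the list default and no user to authenticate the call as."""
    addr = ipaddress.ip_address(ip)
    for network, user_id in entries:
        if addr in network:
            return "allow", user_id
    return default, None
```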




