Asterisk - The Open Source Telephony Project  GIT-master-e8cda4b
acl.c
Go to the documentation of this file.
1 /*
2  * Asterisk -- An open source telephony toolkit.
3  *
4  * Copyright (C) 1999 - 2012, Digium, Inc.
5  *
6  * Mark Spencer <markster@digium.com>
7  *
8  * See http://www.asterisk.org for more information about
9  * the Asterisk project. Please do not directly contact
10  * any of the maintainers of this project for assistance;
11  * the project provides a web site, mailing lists and IRC
12  * channels for your use.
13  *
14  * This program is free software, distributed under the terms of
15  * the GNU General Public License Version 2. See the LICENSE file
16  * at the top of the source tree.
17  */
18 
19 /*! \file
20  *
21  * \brief Various sorts of access control
22  *
23  * \author Mark Spencer <markster@digium.com>
24  */
25 
26 /*** MODULEINFO
27  <support_level>core</support_level>
28  ***/
29 
30 #include "asterisk.h"
31 
32 #include "asterisk/network.h"
33 
34 #if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__) || defined(__Darwin__)
35 #include <fcntl.h>
36 #include <net/route.h>
37 #endif
38 
39 #if defined(SOLARIS)
40 #include <sys/sockio.h>
41 #include <net/if.h>
42 #elif defined(HAVE_GETIFADDRS)
43 #include <ifaddrs.h>
44 #endif
45 
46 #include "asterisk/acl.h"
47 #include "asterisk/channel.h"
48 #include "asterisk/utils.h"
49 #include "asterisk/lock.h"
50 #include "asterisk/srv.h"
51 #include "asterisk/cli.h"
52 
53 #if (!defined(SOLARIS) && !defined(HAVE_GETIFADDRS))
54 static int get_local_address(struct ast_sockaddr *ourip)
55 {
56  return -1;
57 }
58 #else
59 static void score_address(const struct sockaddr_in *sin, struct in_addr *best_addr, int *best_score)
60 {
61  const char *address;
62  int score;
63 
64  address = ast_inet_ntoa(sin->sin_addr);
65 
66  /* RFC 1700 alias for the local network */
67  if (address[0] == '0') {
68  score = -25;
69  /* RFC 1700 localnet */
70  } else if (strncmp(address, "127", 3) == 0) {
71  score = -20;
72  /* RFC 1918 non-public address space */
73  } else if (strncmp(address, "10.", 3) == 0) {
74  score = -5;
75  /* RFC 1918 non-public address space */
76  } else if (strncmp(address, "172", 3) == 0) {
77  /* 172.16.0.0 - 172.19.255.255, but not 172.160.0.0 - 172.169.255.255 */
78  if (address[4] == '1' && address[5] >= '6' && address[6] == '.') {
79  score = -5;
80  /* 172.20.0.0 - 172.29.255.255, but not 172.200.0.0 - 172.255.255.255 nor 172.2.0.0 - 172.2.255.255 */
81  } else if (address[4] == '2' && address[6] == '.') {
82  score = -5;
83  /* 172.30.0.0 - 172.31.255.255, but not 172.3.0.0 - 172.3.255.255 */
84  } else if (address[4] == '3' && (address[5] == '0' || address[5] == '1')) {
85  score = -5;
86  /* All other 172 addresses are public */
87  } else {
88  score = 0;
89  }
90  /* RFC 2544 Benchmark test range (198.18.0.0 - 198.19.255.255, but not 198.180.0.0 - 198.199.255.255) */
91  } else if (strncmp(address, "198.1", 5) == 0 && address[5] >= '8' && address[6] == '.') {
92  score = -10;
93  /* RFC 1918 non-public address space */
94  } else if (strncmp(address, "192.168", 7) == 0) {
95  score = -5;
96  /* RFC 3330 Zeroconf network */
97  } else if (strncmp(address, "169.254", 7) == 0) {
98  /*!\note Better score than a test network, but not quite as good as RFC 1918
99  * address space. The reason is that some Linux distributions automatically
100  * configure a Zeroconf address before trying DHCP, so we want to prefer a
101  * DHCP lease to a Zeroconf address.
102  */
103  score = -10;
104  /* RFC 3330 Test network */
105  } else if (strncmp(address, "192.0.2.", 8) == 0) {
106  score = -15;
107  /* Every other address should be publically routable */
108  } else {
109  score = 0;
110  }
111 
112  if (score > *best_score) {
113  *best_score = score;
114  memcpy(best_addr, &sin->sin_addr, sizeof(*best_addr));
115  }
116 }
117 
118 static int get_local_address(struct ast_sockaddr *ourip)
119 {
120  int s, res = -1;
121 #ifdef SOLARIS
122  struct lifreq *ifr = NULL;
123  struct lifnum ifn;
124  struct lifconf ifc;
125  struct sockaddr_in *sa;
126  char *buf = NULL;
127  int bufsz, x;
128 #endif /* SOLARIS */
129 #if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__) || defined(__Darwin__) || defined(__GLIBC__)
130  struct ifaddrs *ifap, *ifaphead;
131  int rtnerr;
132  const struct sockaddr_in *sin;
133 #endif /* BSD_OR_LINUX */
134  struct in_addr best_addr;
135  int best_score = -100;
136  memset(&best_addr, 0, sizeof(best_addr));
137 
138 #if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__) || defined(__Darwin__) || defined(__GLIBC__)
139  rtnerr = getifaddrs(&ifaphead);
140  if (rtnerr) {
141  perror(NULL);
142  return -1;
143  }
144 #endif /* BSD_OR_LINUX */
145 
146  s = socket(AF_INET, SOCK_STREAM, 0);
147 
148  if (s > 0) {
149 #if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__) || defined(__Darwin__) || defined(__GLIBC__)
150  for (ifap = ifaphead; ifap; ifap = ifap->ifa_next) {
151 
152  if (ifap->ifa_addr && ifap->ifa_addr->sa_family == AF_INET) {
153  sin = (const struct sockaddr_in *) ifap->ifa_addr;
154  score_address(sin, &best_addr, &best_score);
155  res = 0;
156 
157  if (best_score == 0) {
158  break;
159  }
160  }
161  }
162 #endif /* BSD_OR_LINUX */
163 
164  /* There is no reason whatsoever that this shouldn't work on Linux or BSD also. */
165 #ifdef SOLARIS
166  /* Get a count of interfaces on the machine */
167  ifn.lifn_family = AF_INET;
168  ifn.lifn_flags = 0;
169  ifn.lifn_count = 0;
170  if (ioctl(s, SIOCGLIFNUM, &ifn) < 0) {
171  close(s);
172  return -1;
173  }
174 
175  bufsz = ifn.lifn_count * sizeof(struct lifreq);
176  if (!(buf = ast_malloc(bufsz))) {
177  close(s);
178  return -1;
179  }
180  memset(buf, 0, bufsz);
181 
182  /* Get a list of interfaces on the machine */
183  ifc.lifc_len = bufsz;
184  ifc.lifc_buf = buf;
185  ifc.lifc_family = AF_INET;
186  ifc.lifc_flags = 0;
187  if (ioctl(s, SIOCGLIFCONF, &ifc) < 0) {
188  close(s);
189  ast_free(buf);
190  return -1;
191  }
192 
193  for (ifr = ifc.lifc_req, x = 0; x < ifn.lifn_count; ifr++, x++) {
194  sa = (struct sockaddr_in *)&(ifr->lifr_addr);
195  score_address(sa, &best_addr, &best_score);
196  res = 0;
197 
198  if (best_score == 0) {
199  break;
200  }
201  }
202 
203  ast_free(buf);
204 #endif /* SOLARIS */
205 
206  close(s);
207  }
208 #if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__) || defined(__Darwin__)
209  freeifaddrs(ifaphead);
210 #endif /* BSD_OR_LINUX */
211 
212  if (res == 0 && ourip) {
213  ast_sockaddr_setnull(ourip);
214  ourip->ss.ss_family = AF_INET;
215  ((struct sockaddr_in *)&ourip->ss)->sin_addr = best_addr;
216  }
217  return res;
218 }
219 #endif /* HAVE_GETIFADDRS */
220 
221 /* Free HA structure */
222 void ast_free_ha(struct ast_ha *ha)
223 {
224  struct ast_ha *hal;
225  while (ha) {
226  hal = ha;
227  ha = ha->next;
228  ast_free(hal);
229  }
230 }
231 
232 /* Free ACL list structure */
233 struct ast_acl_list *ast_free_acl_list(struct ast_acl_list *acl_list)
234 {
235  struct ast_acl *current;
236 
237  if (!acl_list) {
238  return NULL;
239  }
240 
241  AST_LIST_LOCK(acl_list);
242  while ((current = AST_LIST_REMOVE_HEAD(acl_list, list))) {
243  ast_free_ha(current->acl);
244  ast_free(current);
245  }
246  AST_LIST_UNLOCK(acl_list);
247 
248  AST_LIST_HEAD_DESTROY(acl_list);
249  ast_free(acl_list);
250 
251  return NULL;
252 }
253 
254 /* Copy HA structure */
255 void ast_copy_ha(const struct ast_ha *from, struct ast_ha *to)
256 {
257  ast_sockaddr_copy(&to->addr, &from->addr);
258  ast_sockaddr_copy(&to->netmask, &from->netmask);
259  to->sense = from->sense;
260 }
261 
262 /* Create duplicate of ha structure */
263 static struct ast_ha *ast_duplicate_ha(struct ast_ha *original)
264 {
265  struct ast_ha *new_ha;
266 
267  if ((new_ha = ast_calloc(1, sizeof(*new_ha)))) {
268  /* Copy from original to new object */
269  ast_copy_ha(original, new_ha);
270  }
271 
272  return new_ha;
273 }
274 
275 /* Create duplicate HA link list */
276 /* Used in chan_sip2 templates */
277 struct ast_ha *ast_duplicate_ha_list(struct ast_ha *original)
278 {
279  struct ast_ha *start = original;
280  struct ast_ha *ret = NULL;
281  struct ast_ha *current, *prev = NULL;
282 
283  while (start) {
284  current = ast_duplicate_ha(start); /* Create copy of this object */
285  if (!current) {
286  ast_free_ha(ret);
287 
288  return NULL;
289  }
290 
291  if (prev) {
292  prev->next = current; /* Link previous to this object */
293  }
294 
295  if (!ret) {
296  ret = current; /* Save starting point */
297  }
298 
299  start = start->next; /* Go to next object */
300  prev = current; /* Save pointer to this object */
301  }
302  return ret; /* Return start of list */
303 }
304 
305 static int acl_new(struct ast_acl **pointer, const char *name) {
306  struct ast_acl *acl;
307  if (!(acl = ast_calloc(1, sizeof(*acl)))) {
308  return 1;
309  }
310 
311  *pointer = acl;
312  ast_copy_string(acl->name, name, ACL_NAME_LENGTH);
313  return 0;
314 }
315 
317 {
318  struct ast_acl_list *clone;
319  struct ast_acl *current_cursor;
320  struct ast_acl *current_clone;
321 
322  /* Early return if we receive a duplication request for a NULL original. */
323  if (!original) {
324  return NULL;
325  }
326 
327  if (!(clone = ast_calloc(1, sizeof(*clone)))) {
328  ast_log(LOG_ERROR, "Failed to allocate ast_acl_list struct while cloning an ACL\n");
329  return NULL;
330  }
331  AST_LIST_HEAD_INIT(clone);
332 
333  AST_LIST_LOCK(original);
334 
335  AST_LIST_TRAVERSE(original, current_cursor, list) {
336  if ((acl_new(&current_clone, current_cursor->name))) {
337  ast_log(LOG_ERROR, "Failed to allocate ast_acl struct while cloning an ACL.\n");
338  ast_free_acl_list(clone);
339  clone = NULL;
340  break;
341  }
342 
343  /* Copy data from original ACL to clone ACL */
344  current_clone->acl = ast_duplicate_ha_list(current_cursor->acl);
345 
346  current_clone->is_invalid = current_cursor->is_invalid;
347  current_clone->is_realtime = current_cursor->is_realtime;
348 
349  AST_LIST_INSERT_TAIL(clone, current_clone, list);
350 
351  if (current_cursor->acl && !current_clone->acl) {
352  /* Deal with failure after adding to clone so we don't have to free
353  * current_clone separately. */
354  ast_log(LOG_ERROR, "Failed to duplicate HA list while cloning ACL.\n");
355  ast_free_acl_list(clone);
356  clone = NULL;
357  break;
358  }
359  }
360 
361  AST_LIST_UNLOCK(original);
362 
363  return clone;
364 }
365 
366 /*!
367  * \brief
368  * Parse a netmask in CIDR notation
369  *
370  * \details
371  * For a mask of an IPv4 address, this should be a number between 0 and 32. For
372  * a mask of an IPv6 address, this should be a number between 0 and 128. This
373  * function creates an IPv6 ast_sockaddr from the given netmask. For masks of
374  * IPv4 addresses, this is accomplished by adding 96 to the original netmask.
375  *
376  * \param[out] addr The ast_sockaddr produced from the CIDR netmask
377  * \param is_v4 Tells if the address we are masking is IPv4.
378  * \param mask_str The CIDR mask to convert
379  * \retval -1 Failure
380  * \retval 0 Success
381  */
382 static int parse_cidr_mask(struct ast_sockaddr *addr, int is_v4, const char *mask_str)
383 {
384  int mask;
385 
386  if (sscanf(mask_str, "%30d", &mask) != 1) {
387  return -1;
388  }
389 
390  if (is_v4) {
391  struct sockaddr_in sin;
392  if (mask < 0 || mask > 32) {
393  return -1;
394  }
395  memset(&sin, 0, sizeof(sin));
396  sin.sin_family = AF_INET;
397  /* If mask is 0, then we already have the
398  * appropriate all 0s address in sin from
399  * the above memset.
400  */
401  if (mask != 0) {
402  sin.sin_addr.s_addr = htonl(0xFFFFFFFF << (32 - mask));
403  }
404  ast_sockaddr_from_sin(addr, &sin);
405  } else {
406  struct sockaddr_in6 sin6;
407  int i;
408  if (mask < 0 || mask > 128) {
409  return -1;
410  }
411  memset(&sin6, 0, sizeof(sin6));
412  sin6.sin6_family = AF_INET6;
413  for (i = 0; i < 4; ++i) {
414  /* Once mask reaches 0, we don't have
415  * to explicitly set anything anymore
416  * since sin6 was zeroed out already
417  */
418  if (mask > 0) {
419  V6_WORD(&sin6, i) = htonl(0xFFFFFFFF << (mask < 32 ? (32 - mask) : 0));
420  mask -= mask < 32 ? mask : 32;
421  }
422  }
423  memcpy(&addr->ss, &sin6, sizeof(sin6));
424  addr->len = sizeof(sin6);
425  }
426 
427  return 0;
428 }
429 
430 void ast_append_acl(const char *sense, const char *stuff, struct ast_acl_list **path, int *error, int *named_acl_flag)
431 {
432  struct ast_acl *acl = NULL;
433  struct ast_acl *current;
434  struct ast_acl_list *working_list;
435 
436  char *tmp, *list;
437 
438  /* If the ACL list is currently uninitialized, it must be initialized. */
439  if (*path == NULL) {
440  struct ast_acl_list *list;
441  list = ast_calloc(1, sizeof(*list));
442  if (!list) {
443  /* Allocation Error */
444  if (error) {
445  *error = 1;
446  }
447  return;
448  }
449 
450  AST_LIST_HEAD_INIT(list);
451  *path = list;
452  }
453 
454  working_list = *path;
455 
456  AST_LIST_LOCK(working_list);
457 
458  /* First we need to determine if we will need to add a new ACL node or if we can use an existing one. */
459  if (strncasecmp(sense, "a", 1)) {
460  /* The first element in the path should be the unnamed, base ACL. If that's the case, we use it. If not,
461  * we have to make one and link it up appropriately. */
462  current = AST_LIST_FIRST(working_list);
463 
464  if (!current || !ast_strlen_zero(current->name)) {
465  if (acl_new(&acl, "")) {
466  if (error) {
467  *error = 1;
468  }
469  AST_LIST_UNLOCK(working_list);
470  return;
471  }
472  // Need to INSERT the ACL at the head here.
473  AST_LIST_INSERT_HEAD(working_list, acl, list);
474  } else {
475  /* If the first element was already the unnamed base ACL, we just use that one. */
476  acl = current;
477  }
478 
479  /* With the proper ACL set for modification, we can just pass this off to the ast_ha append function. */
480  acl->acl = ast_append_ha(sense, stuff, acl->acl, error);
481 
482  AST_LIST_UNLOCK(working_list);
483  return;
484  }
485 
486  /* We are in ACL append mode, so we know we'll be adding one or more named ACLs. */
487  list = ast_strdupa(stuff);
488 
489  while ((tmp = strsep(&list, ","))) {
490  struct ast_ha *named_ha;
491  int already_included = 0;
492 
493  /* Remove leading whitespace from the string in case the user put spaces between items */
494  tmp = ast_skip_blanks(tmp);
495 
496  /* The first step is to check for a duplicate */
497  AST_LIST_TRAVERSE(working_list, current, list) {
498  if (!strcasecmp(current->name, tmp)) { /* ACL= */
499  /* Inclusion of the same ACL multiple times isn't a catastrophic error, but it will raise the error flag and skip the entry. */
500  ast_log(LOG_ERROR, "Named ACL '%s' occurs multiple times in ACL definition. "
501  "Please update your ACL configuration.\n", tmp);
502  if (error) {
503  *error = 1;
504  }
505  already_included = 1;
506  break;
507  }
508  }
509 
510  if (already_included) {
511  continue;
512  }
513 
514  if (acl_new(&acl, tmp)) {
515  /* This is a catastrophic allocation error and we'll return immediately if this happens. */
516  if (error) {
517  *error = 1;
518  }
519  AST_LIST_UNLOCK(working_list);
520  return;
521  }
522 
523  /* Attempt to grab the Named ACL we are looking for. */
524  named_ha = ast_named_acl_find(tmp, &acl->is_realtime, &acl->is_invalid);
525 
526  /* Set the ACL's ast_ha to the duplicated named ACL retrieved above. */
527  acl->acl = named_ha;
528 
529  /* Raise the named_acl_flag since we are adding a named ACL to the ACL container. */
530  if (named_acl_flag) {
531  *named_acl_flag = 1;
532  }
533 
534  /* Now insert the new ACL at the end of the list. */
535  AST_LIST_INSERT_TAIL(working_list, acl, list);
536  }
537 
538  AST_LIST_UNLOCK(working_list);
539 }
540 
541 int ast_acl_list_is_empty(struct ast_acl_list *acl_list)
542 {
543  struct ast_acl *head;
544 
545  if (!acl_list) {
546  return 1;
547  }
548 
549  AST_LIST_LOCK(acl_list);
550  head = AST_LIST_FIRST(acl_list);
551  AST_LIST_UNLOCK(acl_list);
552 
553  if (head) {
554  return 0;
555  }
556 
557  return 1;
558 }
559 
560 /*!
561  * \internal
562  * \brief Used by ast_append_ha to avoid ast_strdupa in a loop.
563  *
564  * \note This function is only called at debug level 3 and higher.
565  */
566 static void debug_ha_sense_appended(struct ast_ha *ha)
567 {
568  const char *parsed_mask = ast_strdupa(ast_sockaddr_stringify(&ha->netmask));
569 
570  ast_log(LOG_DEBUG, "%s/%s sense %u appended to ACL\n",
572  parsed_mask,
573  ha->sense);
574 }
575 
576 static struct ast_ha *append_ha_core(const char *sense, const char *stuff, struct ast_ha *path, int *error, int port_flags)
577 {
578  struct ast_ha *ha;
579  struct ast_ha *prev = NULL;
580  struct ast_ha *ret;
581  char *tmp, *list = ast_strdupa(stuff ?: "");
582  char *address = NULL, *mask = NULL;
583  int addr_is_v4;
584  int allowing = strncasecmp(sense, "p", 1) ? AST_SENSE_DENY : AST_SENSE_ALLOW;
585 
586  ret = path;
587  while (path) {
588  prev = path;
589  path = path->next;
590  }
591 
592  while ((tmp = strsep(&list, ","))) {
593  uint16_t save_port;
594 
595  if (!(ha = ast_calloc(1, sizeof(*ha)))) {
596  if (error) {
597  *error = 1;
598  }
599  return ret;
600  }
601 
602  address = strsep(&tmp, "/");
603  if (!address) {
604  address = tmp;
605  } else {
606  mask = tmp;
607  }
608 
609  if (*address == '!') {
610  ha->sense = (allowing == AST_SENSE_DENY) ? AST_SENSE_ALLOW : AST_SENSE_DENY;
611  address++;
612  } else {
613  ha->sense = allowing;
614  }
615 
616  if (!ast_sockaddr_parse(&ha->addr, address, port_flags)) {
617  ast_log(LOG_WARNING, "Invalid IP address: %s\n", address);
618  ast_free_ha(ha);
619  if (error) {
620  *error = 1;
621  }
622  return ret;
623  }
624 
625  /* Be pedantic and zero out the port if we don't want it */
626  if ((port_flags & PARSE_PORT_MASK) == PARSE_PORT_FORBID) {
627  ast_sockaddr_set_port(&ha->addr, 0);
628  }
629 
630  /* If someone specifies an IPv4-mapped IPv6 address,
631  * we just convert this to an IPv4 ACL
632  */
633  if (ast_sockaddr_ipv4_mapped(&ha->addr, &ha->addr)) {
634  ast_log(LOG_NOTICE, "IPv4-mapped ACL network address specified. "
635  "Converting to an IPv4 ACL network address.\n");
636  }
637 
638  addr_is_v4 = ast_sockaddr_is_ipv4(&ha->addr);
639 
640  if (!mask) {
641  parse_cidr_mask(&ha->netmask, addr_is_v4, addr_is_v4 ? "32" : "128");
642  } else if (strchr(mask, ':') || strchr(mask, '.')) {
643  int mask_is_v4;
644  /* Mask is of x.x.x.x or x:x:x:x:x:x:x:x variety */
645  if (!ast_sockaddr_parse(&ha->netmask, mask, PARSE_PORT_FORBID)) {
646  ast_log(LOG_WARNING, "Invalid netmask: %s\n", mask);
647  ast_free_ha(ha);
648  if (error) {
649  *error = 1;
650  }
651  return ret;
652  }
653  /* If someone specifies an IPv4-mapped IPv6 netmask,
654  * we just convert this to an IPv4 ACL
655  */
656  if (ast_sockaddr_ipv4_mapped(&ha->netmask, &ha->netmask)) {
657  ast_log(LOG_NOTICE, "IPv4-mapped ACL netmask specified. "
658  "Converting to an IPv4 ACL netmask.\n");
659  }
660  mask_is_v4 = ast_sockaddr_is_ipv4(&ha->netmask);
661  if (addr_is_v4 ^ mask_is_v4) {
662  ast_log(LOG_WARNING, "Address and mask are not using same address scheme.\n");
663  ast_free_ha(ha);
664  if (error) {
665  *error = 1;
666  }
667  return ret;
668  }
669  } else if (parse_cidr_mask(&ha->netmask, addr_is_v4, mask)) {
670  ast_log(LOG_WARNING, "Invalid CIDR netmask: %s\n", mask);
671  ast_free_ha(ha);
672  if (error) {
673  *error = 1;
674  }
675  return ret;
676  }
677 
678  /* ast_sockaddr_apply_netmask() does not preserve the port, so we need to save and
679  * restore it */
680  save_port = ast_sockaddr_port(&ha->addr);
681 
682  if (ast_sockaddr_apply_netmask(&ha->addr, &ha->netmask, &ha->addr)) {
683  /* This shouldn't happen because ast_sockaddr_parse would
684  * have failed much earlier on an unsupported address scheme
685  */
686  char *failmask = ast_strdupa(ast_sockaddr_stringify(&ha->netmask));
687  char *failaddr = ast_strdupa(ast_sockaddr_stringify(&ha->addr));
688  ast_log(LOG_WARNING, "Unable to apply netmask %s to address %s\n", failmask, failaddr);
689  ast_free_ha(ha);
690  if (error) {
691  *error = 1;
692  }
693  return ret;
694  }
695 
696  ast_sockaddr_set_port(&ha->addr, save_port);
697 
698  if (prev) {
699  prev->next = ha;
700  } else {
701  ret = ha;
702  }
703  prev = ha;
704 
705  if (DEBUG_ATLEAST(3)) {
707  }
708  }
709 
710  return ret;
711 }
712 
713 struct ast_ha *ast_append_ha(const char *sense, const char *stuff, struct ast_ha *path, int *error)
714 {
715  return append_ha_core(sense, stuff, path, error, PARSE_PORT_FORBID);
716 }
717 
718 struct ast_ha *ast_append_ha_with_port(const char *sense, const char *stuff, struct ast_ha *path, int *error)
719 {
720  return append_ha_core(sense, stuff, path, error, 0);
721 }
722 
723 void ast_ha_join(const struct ast_ha *ha, struct ast_str **buf)
724 {
725  for (; ha; ha = ha->next) {
726  const char *addr;
727 
728  if (ast_sockaddr_port(&ha->addr)) {
729  addr = ast_sockaddr_stringify(&ha->addr);
730  } else {
731  addr = ast_sockaddr_stringify_addr(&ha->addr);
732  }
733 
734  ast_str_append(buf, 0, "%s%s/",
735  ha->sense == AST_SENSE_ALLOW ? "!" : "",
736  addr);
737  /* Separated to avoid duplicating stringified addresses. */
739  if (ha->next) {
740  ast_str_append(buf, 0, ",");
741  }
742  }
743 }
744 
745 void ast_ha_join_cidr(const struct ast_ha *ha, struct ast_str **buf)
746 {
747  for (; ha; ha = ha->next) {
748  const char *addr = ast_sockaddr_stringify_addr(&ha->addr);
749  ast_str_append(buf, 0, "%s%s/%d",
750  ha->sense == AST_SENSE_ALLOW ? "!" : "",
751  addr, ast_sockaddr_cidr_bits(&ha->netmask));
752  if (ha->next) {
753  ast_str_append(buf, 0, ",");
754  }
755  }
756 }
757 
758 static enum ast_acl_sense ast_apply_acl_internal(struct ast_acl_list *acl_list, const struct ast_sockaddr *addr, const char *log_prefix)
759 {
760  struct ast_acl *acl;
761 
762  /* If the list is NULL, there are no rules, so we'll allow automatically. */
763  if (!acl_list) {
764  return AST_SENSE_ALLOW;
765  }
766 
767  AST_LIST_LOCK(acl_list);
768 
769  AST_LIST_TRAVERSE(acl_list, acl, list) {
770  if (acl->is_invalid) {
771  /* In this case, the baseline ACL shouldn't ever trigger this, but if that somehow happens, it'll still be shown. */
772  if (log_prefix) {
773  ast_log(LOG_WARNING, "%sRejecting '%s' due to use of an invalid ACL '%s'.\n",
774  log_prefix, ast_sockaddr_stringify_addr(addr),
775  ast_strlen_zero(acl->name) ? "(BASELINE)" : acl->name);
776  }
777  AST_LIST_UNLOCK(acl_list);
778  return AST_SENSE_DENY;
779  }
780 
781  if (acl->acl) {
782  if (ast_apply_ha(acl->acl, addr) == AST_SENSE_DENY) {
783  if (log_prefix) {
784  ast_log(LOG_NOTICE, "%sRejecting '%s' due to a failure to pass ACL '%s'\n",
785  log_prefix, ast_sockaddr_stringify_addr(addr),
786  ast_strlen_zero(acl->name) ? "(BASELINE)" : acl->name);
787  }
788  AST_LIST_UNLOCK(acl_list);
789  return AST_SENSE_DENY;
790  }
791  }
792  }
793 
794  AST_LIST_UNLOCK(acl_list);
795 
796  return AST_SENSE_ALLOW;
797 }
798 
799 
800 enum ast_acl_sense ast_apply_acl(struct ast_acl_list *acl_list, const struct ast_sockaddr *addr, const char *purpose) {
801  return ast_apply_acl_internal(acl_list, addr, purpose ?: "");
802 }
803 
804 enum ast_acl_sense ast_apply_acl_nolog(struct ast_acl_list *acl_list, const struct ast_sockaddr *addr) {
805  return ast_apply_acl_internal(acl_list, addr, NULL);
806 }
807 
808 enum ast_acl_sense ast_apply_ha(const struct ast_ha *ha, const struct ast_sockaddr *addr)
809 {
810  /* Start optimistic */
811  enum ast_acl_sense res = AST_SENSE_ALLOW;
812  const struct ast_ha *current_ha;
813 
814  for (current_ha = ha; current_ha; current_ha = current_ha->next) {
815  struct ast_sockaddr result;
816  struct ast_sockaddr mapped_addr;
817  const struct ast_sockaddr *addr_to_use;
818  uint16_t save_port;
819 #if 0 /* debugging code */
820  char iabuf[INET_ADDRSTRLEN];
821  char iabuf2[INET_ADDRSTRLEN];
822  /* DEBUG */
823  ast_copy_string(iabuf, ast_sockaddr_stringify(addr), sizeof(iabuf));
824  ast_copy_string(iabuf2, ast_sockaddr_stringify(&current_ha->addr), sizeof(iabuf2));
825  ast_debug(1, "##### Testing %s with %s\n", iabuf, iabuf2);
826 #endif
827  if (ast_sockaddr_is_ipv4(&current_ha->addr)) {
828  if (ast_sockaddr_is_ipv6(addr)) {
829  if (ast_sockaddr_is_ipv4_mapped(addr)) {
830  /* IPv4 ACLs apply to IPv4-mapped addresses */
831  if (!ast_sockaddr_ipv4_mapped(addr, &mapped_addr)) {
832  ast_log(LOG_ERROR, "%s provided to ast_sockaddr_ipv4_mapped could not be converted. That shouldn't be possible.\n",
833  ast_sockaddr_stringify(addr));
834  continue;
835  }
836  addr_to_use = &mapped_addr;
837  } else {
838  /* An IPv4 ACL does not apply to an IPv6 address */
839  continue;
840  }
841  } else {
842  /* Address is IPv4 and ACL is IPv4. No biggie */
843  addr_to_use = addr;
844  }
845  } else {
847  addr_to_use = addr;
848  } else {
849  /* Address is IPv4 or IPv4 mapped but ACL is IPv6. Skip */
850  continue;
851  }
852  }
853 
854  /* ast_sockaddr_apply_netmask() does not preserve the port, so we need to save and
855  * restore it */
856  save_port = ast_sockaddr_port(addr_to_use);
857 
858  /* For each rule, if this address and the netmask = the net address
859  apply the current rule */
860  if (ast_sockaddr_apply_netmask(addr_to_use, &current_ha->netmask, &result)) {
861  /* Unlikely to happen since we know the address to be IPv4 or IPv6 */
862  continue;
863  }
864 
865  ast_sockaddr_set_port(&result, save_port);
866 
867  if (!ast_sockaddr_cmp_addr(&result, &current_ha->addr)
868  && (!ast_sockaddr_port(&current_ha->addr)
869  || ast_sockaddr_port(&current_ha->addr) == ast_sockaddr_port(&result))) {
870  res = current_ha->sense;
871  }
872  }
873  return res;
874 }
875 
876 static int resolve_first(struct ast_sockaddr *addr, const char *name, int flag,
877  int family)
878 {
879  struct ast_sockaddr *addrs;
880  int addrs_cnt;
881 
882  addrs_cnt = ast_sockaddr_resolve(&addrs, name, flag, family);
883  if (addrs_cnt > 0) {
884  if (addrs_cnt > 1) {
885  ast_debug(1, "Multiple addresses. Using the first only\n");
886  }
887  ast_sockaddr_copy(addr, &addrs[0]);
888  ast_free(addrs);
889  } else {
890  ast_log(LOG_WARNING, "Unable to lookup '%s'\n", name);
891  return -1;
892  }
893 
894  return 0;
895 }
896 
897 int ast_get_ip_or_srv(struct ast_sockaddr *addr, const char *hostname, const char *service)
898 {
899  char srv[256];
900  char host[256];
901  int srv_ret = 0;
902  int tportno;
903 
904  if (service) {
905  snprintf(srv, sizeof(srv), "%s.%s", service, hostname);
906  if ((srv_ret = ast_get_srv(NULL, host, sizeof(host), &tportno, srv)) > 0) {
907  hostname = host;
908  }
909  }
910 
911  if (resolve_first(addr, hostname, PARSE_PORT_FORBID, addr->ss.ss_family) != 0) {
912  return -1;
913  }
914 
915  if (srv_ret > 0) {
916  ast_sockaddr_set_port(addr, tportno);
917  }
918 
919  return 0;
920 }
921 
923  char *name;
924  unsigned int space;
925 };
926 
927 /* IANA registered DSCP codepoints */
928 
929 static const struct dscp_codepoint dscp_pool1[] = {
930  { "CS0", 0x00 },
931  { "CS1", 0x08 },
932  { "CS2", 0x10 },
933  { "CS3", 0x18 },
934  { "CS4", 0x20 },
935  { "CS5", 0x28 },
936  { "CS6", 0x30 },
937  { "CS7", 0x38 },
938  { "AF11", 0x0A },
939  { "AF12", 0x0C },
940  { "AF13", 0x0E },
941  { "AF21", 0x12 },
942  { "AF22", 0x14 },
943  { "AF23", 0x16 },
944  { "AF31", 0x1A },
945  { "AF32", 0x1C },
946  { "AF33", 0x1E },
947  { "AF41", 0x22 },
948  { "AF42", 0x24 },
949  { "AF43", 0x26 },
950  { "EF", 0x2E },
951 };
952 
953 int ast_str2cos(const char *value, unsigned int *cos)
954 {
955  int fval;
956 
957  if (sscanf(value, "%30d", &fval) == 1) {
958  if (fval < 8) {
959  *cos = fval;
960  return 0;
961  }
962  }
963 
964  return -1;
965 }
966 
967 int ast_str2tos(const char *value, unsigned int *tos)
968 {
969  int fval;
970  unsigned int x;
971 
972  if (sscanf(value, "%30i", &fval) == 1) {
973  *tos = fval & 0xFF;
974  return 0;
975  }
976 
977  for (x = 0; x < ARRAY_LEN(dscp_pool1); x++) {
978  if (!strcasecmp(value, dscp_pool1[x].name)) {
979  *tos = dscp_pool1[x].space << 2;
980  return 0;
981  }
982  }
983 
984  return -1;
985 }
986 
987 const char *ast_tos2str(unsigned int tos)
988 {
989  unsigned int x;
990 
991  for (x = 0; x < ARRAY_LEN(dscp_pool1); x++) {
992  if (dscp_pool1[x].space == (tos >> 2)) {
993  return dscp_pool1[x].name;
994  }
995  }
996 
997  return "unknown";
998 }
999 
1000 int ast_get_ip(struct ast_sockaddr *addr, const char *hostname)
1001 {
1002  return ast_get_ip_or_srv(addr, hostname, NULL);
1003 }
1004 
1005 int ast_ouraddrfor(const struct ast_sockaddr *them, struct ast_sockaddr *us)
1006 {
1007  /*
1008  * We must create the errno string before creating the address
1009  * string because it could wipe out errno on the error return
1010  * paths.
1011  */
1012  const char *sock_err;
1013  int port;
1014  int s;
1015 
1016  /* Preserve our original address port */
1017  port = ast_sockaddr_port(us);
1018 
1019  s = socket(ast_sockaddr_is_ipv6(them) ? AF_INET6 : AF_INET, SOCK_DGRAM, 0);
1020  if (s < 0) {
1021  sock_err = ast_strdupa(strerror(errno));
1022  ast_log(LOG_ERROR, "Cannot create socket to %s: %s\n",
1023  ast_sockaddr_stringify_addr(them), sock_err);
1024  return -1;
1025  }
1026 
1027  if (ast_connect(s, them)) {
1028  sock_err = ast_strdupa(strerror(errno));
1029  ast_log(LOG_WARNING, "Cannot connect to %s: %s\n",
1030  ast_sockaddr_stringify_addr(them), sock_err);
1031  close(s);
1032  return -1;
1033  }
1034  if (ast_getsockname(s, us)) {
1035  sock_err = ast_strdupa(strerror(errno));
1036  ast_log(LOG_WARNING, "Cannot get socket name for connection to %s: %s\n",
1037  ast_sockaddr_stringify_addr(them), sock_err);
1038  close(s);
1039  return -1;
1040  }
1041  close(s);
1042 
1043  ast_sockaddr_set_port(us, port);
1044 
1045  ast_debug(3, "For destination '%s', our source address is '%s'.\n",
1048 
1049  return 0;
1050 }
1051 
1052 int ast_find_ourip(struct ast_sockaddr *ourip, const struct ast_sockaddr *bindaddr, int family)
1053 {
1054  char ourhost[MAXHOSTNAMELEN] = "";
1055  struct ast_sockaddr root;
1056  int res, port = ast_sockaddr_port(ourip);
1057 
1058  /* just use the bind address if it is nonzero */
1059  if (!ast_sockaddr_is_any(bindaddr)) {
1060  ast_sockaddr_copy(ourip, bindaddr);
1061  ast_debug(3, "Attached to given IP address\n");
1062  return 0;
1063  }
1064  /* try to use our hostname */
1065  if (gethostname(ourhost, sizeof(ourhost) - 1)) {
1066  ast_log(LOG_WARNING, "Unable to get hostname\n");
1067  } else {
1068  if (resolve_first(ourip, ourhost, PARSE_PORT_FORBID, family) == 0) {
1069  /* reset port since resolve_first wipes this out */
1070  ast_sockaddr_set_port(ourip, port);
1071  return 0;
1072  }
1073  }
1074  ast_debug(3, "Trying to check A.ROOT-SERVERS.NET and get our IP address for that connection\n");
1075  /* A.ROOT-SERVERS.NET. */
1076  if (!resolve_first(&root, "A.ROOT-SERVERS.NET", PARSE_PORT_FORBID, 0) &&
1077  !ast_ouraddrfor(&root, ourip)) {
1078  /* reset port since resolve_first wipes this out */
1079  ast_sockaddr_set_port(ourip, port);
1080  return 0;
1081  }
1082  res = get_local_address(ourip);
1083  ast_sockaddr_set_port(ourip, port);
1084  return res;
1085 }
1086 
1087 void ast_ha_output(int fd, const struct ast_ha *ha, const char *prefix)
1088 {
1089  char addr[AST_SOCKADDR_BUFLEN];
1090  char *mask;
1091  int index = 0;
1092  for (; ha; ha = ha->next, ++index) {
1093  strcpy(addr, ast_sockaddr_stringify_addr(&ha->addr));
1094  mask = ast_sockaddr_stringify_addr(&ha->netmask);
1095  ast_cli(fd, "%s%3d: %s - %s/%s\n", prefix ?: "", index, ha->sense == AST_SENSE_ALLOW ? "allow" : " deny", addr, mask);
1096  }
1097 }
1098 
1099 void ast_acl_output(int fd, struct ast_acl_list *acl_list, const char *prefix)
1100 {
1101  struct ast_acl *acl;
1102 
1103  AST_LIST_LOCK(acl_list);
1104  AST_LIST_TRAVERSE(acl_list, acl, list) {
1105  ast_cli(fd, "%sACL: %s%s\n---------------------------------------------\n",
1106  prefix ?: "", ast_strlen_zero(acl->name) ? "(unnamed)" : acl->name,
1107  acl->is_realtime ? " (realtime)" : "");
1108 
1109  ast_ha_output(fd, acl->acl, prefix);
1110  }
1111  AST_LIST_UNLOCK(acl_list);
1112 
1113 }
static char * ast_sockaddr_stringify_addr(const struct ast_sockaddr *addr)
Wrapper around ast_sockaddr_stringify_fmt() to return an address only.
Definition: netsock2.h:290
struct ast_ha * next
Definition: acl.h:56
struct ast_acl_list * ast_duplicate_acl_list(struct ast_acl_list *original)
Duplicates the contests of a list of lists of host access rules.
Definition: acl.c:316
struct sockaddr_storage ss
Definition: netsock2.h:98
#define AST_SOCKADDR_BUFLEN
Definition: netsock2.h:46
void ast_acl_output(int fd, struct ast_acl_list *acl_list, const char *prefix)
output an ACL to the provided fd
Definition: acl.c:1099
unsigned int cos
Definition: chan_iax2.c:352
#define AST_LIST_LOCK(head)
Locks a list.
Definition: linkedlists.h:39
Asterisk locking-related definitions:
int ast_get_ip(struct ast_sockaddr *addr, const char *hostname)
Get the IP address given a hostname.
Definition: acl.c:1000
Asterisk main include file. File version handling, generic pbx functions.
#define AST_LIST_FIRST(head)
Returns the first entry contained in a list.
Definition: linkedlists.h:420
#define ARRAY_LEN(a)
Definition: isdn_lib.c:42
static const struct dscp_codepoint dscp_pool1[]
Definition: acl.c:929
char * name
Definition: acl.c:923
void ast_ha_join(const struct ast_ha *ha, struct ast_str **buf)
Convert HAs to a comma separated string value.
Definition: acl.c:723
int ast_sockaddr_parse(struct ast_sockaddr *addr, const char *str, int flags)
Parse an IPv4 or IPv6 address string.
Definition: netsock2.c:230
enum ast_acl_sense ast_apply_acl(struct ast_acl_list *acl_list, const struct ast_sockaddr *addr, const char *purpose)
Apply a set of rules to a given IP address.
Definition: acl.c:800
struct ast_sockaddr addr
Definition: acl.h:53
static void ast_sockaddr_copy(struct ast_sockaddr *dst, const struct ast_sockaddr *src)
Copies the data from one ast_sockaddr to another.
Definition: netsock2.h:171
char * address
Definition: f2c.h:59
char buf[BUFSIZE]
Definition: eagi_proxy.c:66
static struct ast_ha * append_ha_core(const char *sense, const char *stuff, struct ast_ha *path, int *error, int port_flags)
Definition: acl.c:576
int ast_get_ip_or_srv(struct ast_sockaddr *addr, const char *hostname, const char *service)
Get the IP address given a hostname and optional service.
Definition: acl.c:897
#define LOG_WARNING
Definition: logger.h:274
#define AST_LIST_UNLOCK(head)
Attempts to unlock a list.
Definition: linkedlists.h:139
Support for DNS SRV records, used in to locate SIP services.
int ast_sockaddr_ipv4_mapped(const struct ast_sockaddr *addr, struct ast_sockaddr *ast_mapped)
Convert an IPv4-mapped IPv6 address into an IPv4 address.
Definition: netsock2.c:37
static int tmp()
Definition: bt_open.c:389
char name[ACL_NAME_LENGTH]
Definition: acl.h:71
struct ast_ha * ast_append_ha_with_port(const char *sense, const char *stuff, struct ast_ha *path, int *error)
Add a new rule with optional port to a list of HAs.
Definition: acl.c:718
socklen_t len
Definition: netsock2.h:99
struct ast_acl_list * ast_free_acl_list(struct ast_acl_list *acl_list)
Free a list of ACLs.
Definition: acl.c:233
void ast_append_acl(const char *sense, const char *stuff, struct ast_acl_list **path, int *error, int *named_acl_flag)
Add a rule to an ACL struct.
Definition: acl.c:430
static char ourhost[MAXHOSTNAMELEN]
Definition: chan_mgcp.c:238
enum ast_cc_service_type service
Definition: chan_sip.c:950
int ast_str_append(struct ast_str **buf, ssize_t max_len, const char *fmt,...)
Append to a thread local dynamic string.
Definition: strings.h:1091
enum ast_acl_sense sense
Definition: acl.h:55
struct ast_ha * ast_append_ha(const char *sense, const char *stuff, struct ast_ha *path, int *error)
Add a new rule to a list of HAs.
Definition: acl.c:713
Wrapper for an ast_acl linked list.
Definition: acl.h:76
#define MAXHOSTNAMELEN
Definition: network.h:69
#define NULL
Definition: resample.c:96
static int parse_cidr_mask(struct ast_sockaddr *addr, int is_v4, const char *mask_str)
Parse a netmask in CIDR notation.
Definition: acl.c:382
int value
Definition: syslog.c:37
void ast_cli(int fd, const char *fmt,...)
Definition: clicompat.c:6
#define LOG_DEBUG
Definition: logger.h:241
Socket address structure.
Definition: netsock2.h:97
int ast_sockaddr_cmp_addr(const struct ast_sockaddr *a, const struct ast_sockaddr *b)
Compares the addresses of two ast_sockaddr structures.
Definition: netsock2.c:413
static int resolve_first(struct ast_sockaddr *addr, const char *name, int flag, int family)
Definition: acl.c:876
void ast_free_ha(struct ast_ha *ha)
Free a list of HAs.
Definition: acl.c:222
Utility functions.
static void ast_sockaddr_setnull(struct ast_sockaddr *addr)
Sets address addr to null.
Definition: netsock2.h:140
unsigned int tos
Definition: chan_iax2.c:351
#define AST_LIST_HEAD_DESTROY(head)
Destroys a list head structure.
Definition: linkedlists.h:652
#define ast_sockaddr_port(addr)
Get the port number of a socket address.
Definition: netsock2.h:521
internal representation of ACL entries In principle user applications would have no need for this...
Definition: acl.h:51
void ast_copy_ha(const struct ast_ha *from, struct ast_ha *to)
Copy the contents of one HA to another.
Definition: acl.c:255
int is_realtime
Definition: acl.h:69
#define ast_debug(level,...)
Log a DEBUG message.
Definition: logger.h:444
#define ast_log
Definition: astobj2.c:42
int ast_sockaddr_is_any(const struct ast_sockaddr *addr)
Determine if the address type is unspecified, or "any" address.
Definition: netsock2.c:534
int ast_get_srv(struct ast_channel *chan, char *host, int hostlen, int *port, const char *service)
Lookup entry in SRV records Returns 1 if found, 0 if not found, -1 on hangup.
Definition: srv.c:260
static char host[256]
Definition: muted.c:77
General Asterisk PBX channel definitions.
#define ast_sockaddr_from_sin(addr, sin)
Converts a struct sockaddr_in to a struct ast_sockaddr.
Definition: netsock2.h:782
struct ast_sockaddr netmask
Definition: acl.h:54
ast_acl_sense
Definition: acl.h:36
Access Control of various sorts.
int ast_str2cos(const char *value, unsigned int *cos)
Convert a string to the appropriate COS value.
Definition: acl.c:953
static void score_address(const struct sockaddr_in *sin, struct in_addr *best_addr, int *best_score)
Definition: acl.c:59
int is_invalid
Definition: acl.h:70
#define ast_strdupa(s)
duplicate a string in memory from the stack
Definition: astmm.h:300
void ast_ha_join_cidr(const struct ast_ha *ha, struct ast_str **buf)
Convert HAs to a comma separated string value using CIDR notation.
Definition: acl.c:745
struct ast_ha * acl
Definition: acl.h:68
#define ast_malloc(len)
A wrapper for malloc()
Definition: astmm.h:193
an ast_acl is a linked list node of ast_ha structs which may have names.
Definition: acl.h:67
#define AST_LIST_REMOVE_HEAD(head, field)
Removes and returns the head entry from a list.
Definition: linkedlists.h:832
const char * ast_tos2str(unsigned int tos)
Convert a TOS value into its string representation.
Definition: acl.c:987
int ast_sockaddr_apply_netmask(const struct ast_sockaddr *addr, const struct ast_sockaddr *netmask, struct ast_sockaddr *result)
Apply a netmask to an address and store the result in a separate structure.
Definition: netsock2.c:357
Wrapper for network related headers, masking differences between various operating systems...
struct ast_acl::@212 list
#define LOG_ERROR
Definition: logger.h:285
#define AST_LIST_INSERT_TAIL(head, elm, field)
Appends a list entry to the tail of a list.
Definition: linkedlists.h:730
The descriptor of a dynamic string XXX storage will be optimized later if needed We use the ts field ...
Definition: strings.h:584
void ast_ha_output(int fd, const struct ast_ha *ha, const char *prefix)
output an HA to the provided fd
Definition: acl.c:1087
#define ast_sockaddr_set_port(addr, port)
Sets the port number of a socket address.
Definition: netsock2.h:537
#define ACL_NAME_LENGTH
Definition: acl.h:59
int errno
static char * ast_sockaddr_stringify(const struct ast_sockaddr *addr)
Wrapper around ast_sockaddr_stringify_fmt() with default format.
Definition: netsock2.h:260
int ast_ouraddrfor(const struct ast_sockaddr *them, struct ast_sockaddr *us)
Get our local IP address when contacting a remote host.
Definition: acl.c:1005
char * ast_skip_blanks(const char *str)
Gets a pointer to the first non-whitespace character in a string.
Definition: strings.h:157
#define LOG_NOTICE
Definition: logger.h:263
#define AST_LIST_TRAVERSE(head, var, field)
Loops over (traverses) the entries in a list.
Definition: linkedlists.h:490
long int flag
Definition: f2c.h:83
#define ast_strlen_zero(a)
Definition: muted.c:73
#define AST_LIST_INSERT_HEAD(head, elm, field)
Inserts a list entry at the head of a list.
Definition: linkedlists.h:710
Definition: test_acl.c:111
const char * ast_inet_ntoa(struct in_addr ia)
thread-safe replacement for inet_ntoa().
Definition: main/utils.c:782
static const char name[]
Definition: cdr_mysql.c:74
#define AST_LIST_HEAD_INIT(head)
Initializes a list head structure.
Definition: linkedlists.h:625
#define ast_free(a)
Definition: astmm.h:182
#define ast_calloc(num, len)
A wrapper for calloc()
Definition: astmm.h:204
static int get_local_address(struct ast_sockaddr *ourip)
Definition: acl.c:118
int ast_str2tos(const char *value, unsigned int *tos)
Convert a string to the appropriate TOS value.
Definition: acl.c:967
int ast_find_ourip(struct ast_sockaddr *ourip, const struct ast_sockaddr *bindaddr, int family)
Find our IP address.
Definition: acl.c:1052
int ast_sockaddr_is_ipv4_mapped(const struct ast_sockaddr *addr)
Determine if this is an IPv4-mapped IPv6 address.
Definition: netsock2.c:507
unsigned int space
Definition: acl.c:924
int ast_sockaddr_cidr_bits(const struct ast_sockaddr *sa)
Count the 1 bits in a netmask.
Definition: netsock2.c:130
struct ast_ha * ast_named_acl_find(const char *name, int *is_realtime, int *is_undefined)
Retrieve a named ACL.
Definition: named_acl.c:293
int ast_acl_list_is_empty(struct ast_acl_list *acl_list)
Determines if an ACL is empty or if it contains entries.
Definition: acl.c:541
char * strsep(char **str, const char *delims)
struct ast_ha * ast_duplicate_ha_list(struct ast_ha *original)
Duplicate the contents of a list of host access rules.
Definition: acl.c:277
Standard Command Line Interface.
void ast_copy_string(char *dst, const char *src, size_t size)
Size-limited null-terminating string copy.
Definition: strings.h:401
enum ast_acl_sense ast_apply_ha(const struct ast_ha *ha, const struct ast_sockaddr *addr)
Apply a set of rules to a given IP address.
Definition: acl.c:808
int ast_sockaddr_is_ipv4(const struct ast_sockaddr *addr)
Determine if the address is an IPv4 address.
Definition: netsock2.c:497
static struct ast_str * hostname
Definition: cdr_mysql.c:77
int error(const char *format,...)
Definition: utils/frame.c:999
static enum ast_acl_sense ast_apply_acl_internal(struct ast_acl_list *acl_list, const struct ast_sockaddr *addr, const char *log_prefix)
Definition: acl.c:758
static int acl_new(struct ast_acl **pointer, const char *name)
Definition: acl.c:305
static void debug_ha_sense_appended(struct ast_ha *ha)
Definition: acl.c:566
int ast_getsockname(int sockfd, struct ast_sockaddr *addr)
Wrapper around getsockname(2) that uses struct ast_sockaddr.
Definition: netsock2.c:600
static struct ast_ha * ast_duplicate_ha(struct ast_ha *original)
Definition: acl.c:263
enum ast_acl_sense ast_apply_acl_nolog(struct ast_acl_list *acl_list, const struct ast_sockaddr *addr)
Apply a set of rules to a given IP address, don&#39;t log failure.
Definition: acl.c:804
#define DEBUG_ATLEAST(level)
Definition: logger.h:433
int ast_sockaddr_is_ipv6(const struct ast_sockaddr *addr)
Determine if this is an IPv6 address.
Definition: netsock2.c:524
int ast_connect(int sockfd, const struct ast_sockaddr *addr)
Wrapper around connect(2) that uses struct ast_sockaddr.
Definition: netsock2.c:595
struct ast_sockaddr bindaddr
Definition: chan_ooh323.c:353
#define V6_WORD(sin6, index)
Isolate a 32-bit section of an IPv6 address.
Definition: netsock2.h:77
int ast_sockaddr_resolve(struct ast_sockaddr **addrs, const char *str, int flags, int family)
Parses a string with an IPv4 or IPv6 address and place results into an array.
Definition: netsock2.c:280
static char prefix[MAX_PREFIX]
Definition: http.c:141