mirror of https://github.com/sipwise/kamailio.git
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1002 lines
29 KiB
1002 lines
29 KiB
permissions Module
|
|
|
|
Miklos Tirpak
|
|
|
|
Edited by
|
|
|
|
Miklos Tirpak
|
|
|
|
Edited by
|
|
|
|
Bogdan-Andrei Iancu
|
|
|
|
Edited by
|
|
|
|
Juha Heinanen
|
|
|
|
Copyright © 2003 Miklos Tirpak
|
|
|
|
Copyright © 2006-2008 Juha Heinanen
|
|
__________________________________________________________________
|
|
|
|
Table of Contents
|
|
|
|
1. Admin Guide
|
|
|
|
1. Overview
|
|
|
|
1.1. Call Routing
|
|
1.2. Registration Permissions
|
|
1.3. URI Permissions
|
|
1.4. Address Permissions
|
|
1.5. Trusted Requests
|
|
|
|
2. Dependencies
|
|
|
|
2.1. Kamailio Modules
|
|
2.2. External Libraries or Applications
|
|
|
|
3. Parameters
|
|
|
|
3.1. default_allow_file (string)
|
|
3.2. default_deny_file (string)
|
|
3.3. check_all_branches (integer)
|
|
3.4. allow_suffix (string)
|
|
3.5. deny_suffix (string)
|
|
3.6. db_url (string)
|
|
3.7. address_table (string)
|
|
3.8. grp_col (string)
|
|
3.9. ip_addr_col (string)
|
|
3.10. mask_col (string)
|
|
3.11. port_col (string)
|
|
3.12. db_mode (integer)
|
|
3.13. trusted_table (string)
|
|
3.14. source_col (string)
|
|
3.15. proto_col (string)
|
|
3.16. from_col (string)
|
|
3.17. tag_col (string)
|
|
3.18. peer_tag_avp (AVP string)
|
|
3.19. peer_tag_mode (integer)
|
|
|
|
4. Functions
|
|
|
|
4.1. allow_routing()
|
|
4.2. allow_routing(basename)
|
|
4.3. allow_routing(allow_file,deny_file)
|
|
4.4. allow_register(basename)
|
|
4.5. allow_register(allow_file, deny_file)
|
|
4.6. allow_uri(basename, pvar)
|
|
4.7. allow_address(group_id, ip_addr_pvar, port_pvar)
|
|
4.8. allow_source_address([group_id])
|
|
4.9. allow_source_address_group()
|
|
4.10. allow_address_group(addr, port)
|
|
4.11. allow_trusted([src_ip_pvar, proto_pvar])
|
|
|
|
5. MI Commands
|
|
|
|
5.1. address_reload
|
|
5.2. address_dump
|
|
5.3. subnet_dump
|
|
5.4. trusted_reload
|
|
5.5. trusted_dump
|
|
5.6. allow_uri
|
|
|
|
6. RPC Commands
|
|
|
|
6.1. addressReload
|
|
6.2. addressDump
|
|
6.3. subnetDump
|
|
6.4. testUri basename uri contact
|
|
6.5. trustedReload
|
|
6.6. trustedDump
|
|
|
|
List of Examples
|
|
|
|
1.1. Set default_allow_file parameter
|
|
1.2. Set default_deny_file parameter
|
|
1.3. Set check_all_branches parameter
|
|
1.4. Set allow_suffix parameter
|
|
1.5. Set deny_suffix parameter
|
|
1.6. Set db_url parameter
|
|
1.7. Set address_table parameter
|
|
1.8. Set grp_col parameter
|
|
1.9. Set ip_addr_col parameter
|
|
1.10. Set mask_col parameter
|
|
1.11. Set port_col parameter
|
|
1.12. Set db_mode parameter
|
|
1.13. Set trusted_table parameter
|
|
1.14. Set source_col parameter
|
|
1.15. Set proto_col parameter
|
|
1.16. Set from_col parameter
|
|
1.17. Set tag_col parameter
|
|
1.18. Set peer_tag_avp parameter
|
|
1.19. Set peer_tag_mode parameter
|
|
1.20. allow_routing usage
|
|
1.21. allow_routing(basename) usage
|
|
1.22. allow_routing(allow_file, deny_file) usage
|
|
1.23. allow_register(basename) usage
|
|
1.24. allow_register(allow_file, deny_file) usage
|
|
1.25. allow_uri(basename, pvar) usage
|
|
1.26. allow_address() usage
|
|
1.27. allow_source_address(group_id) usage
|
|
1.28. allow_source_address_group() usage
|
|
1.29. allow_source_address_group() usage
|
|
1.30. allow_trusted() usage
|
|
|
|
Chapter 1. Admin Guide
|
|
|
|
Table of Contents
|
|
|
|
1. Overview
|
|
|
|
1.1. Call Routing
|
|
1.2. Registration Permissions
|
|
1.3. URI Permissions
|
|
1.4. Address Permissions
|
|
1.5. Trusted Requests
|
|
|
|
2. Dependencies
|
|
|
|
2.1. Kamailio Modules
|
|
2.2. External Libraries or Applications
|
|
|
|
3. Parameters
|
|
|
|
3.1. default_allow_file (string)
|
|
3.2. default_deny_file (string)
|
|
3.3. check_all_branches (integer)
|
|
3.4. allow_suffix (string)
|
|
3.5. deny_suffix (string)
|
|
3.6. db_url (string)
|
|
3.7. address_table (string)
|
|
3.8. grp_col (string)
|
|
3.9. ip_addr_col (string)
|
|
3.10. mask_col (string)
|
|
3.11. port_col (string)
|
|
3.12. db_mode (integer)
|
|
3.13. trusted_table (string)
|
|
3.14. source_col (string)
|
|
3.15. proto_col (string)
|
|
3.16. from_col (string)
|
|
3.17. tag_col (string)
|
|
3.18. peer_tag_avp (AVP string)
|
|
3.19. peer_tag_mode (integer)
|
|
|
|
4. Functions
|
|
|
|
4.1. allow_routing()
|
|
4.2. allow_routing(basename)
|
|
4.3. allow_routing(allow_file,deny_file)
|
|
4.4. allow_register(basename)
|
|
4.5. allow_register(allow_file, deny_file)
|
|
4.6. allow_uri(basename, pvar)
|
|
4.7. allow_address(group_id, ip_addr_pvar, port_pvar)
|
|
4.8. allow_source_address([group_id])
|
|
4.9. allow_source_address_group()
|
|
4.10. allow_address_group(addr, port)
|
|
4.11. allow_trusted([src_ip_pvar, proto_pvar])
|
|
|
|
5. MI Commands
|
|
|
|
5.1. address_reload
|
|
5.2. address_dump
|
|
5.3. subnet_dump
|
|
5.4. trusted_reload
|
|
5.5. trusted_dump
|
|
5.6. allow_uri
|
|
|
|
6. RPC Commands
|
|
|
|
6.1. addressReload
|
|
6.2. addressDump
|
|
6.3. subnetDump
|
|
6.4. testUri basename uri contact
|
|
6.5. trustedReload
|
|
6.6. trustedDump
|
|
|
|
1. Overview
|
|
|
|
1.1. Call Routing
|
|
1.2. Registration Permissions
|
|
1.3. URI Permissions
|
|
1.4. Address Permissions
|
|
1.5. Trusted Requests
|
|
|
|
1.1. Call Routing
|
|
|
|
The module can be used to determine if a call has appropriate
|
|
permission to be established. Permission rules are stored in plaintext
|
|
configuration files similar to hosts.allow and hosts.deny files used by
|
|
tcpd.
|
|
|
|
When allow_routing function is called it tries to find a rule that
|
|
matches selected fields of the message.
|
|
|
|
Kamailio is a forking proxy and therefore a single message can be sent
|
|
to different destinations simultaneously. When checking permissions all
|
|
the destinations must be checked and if one of them fails, the
|
|
forwarding will fail.
|
|
|
|
The matching algorithm is as follows, first match wins:
|
|
* Create a set of pairs of form (From, R-URI of branch 1), (From,
|
|
R-URI of branch 2), etc.
|
|
* Routing will be allowed when all pairs match an entry in the allow
|
|
file.
|
|
* Otherwise routing will be denied when one of pairs matches an entry
|
|
in the deny file.
|
|
* Otherwise, routing will be allowed.
|
|
|
|
A non-existing permission control file is treated as if it were an
|
|
empty file. Thus, permission control can be turned off by providing no
|
|
permission control files.
|
|
|
|
From header field and Request-URIs are always compared with regular
|
|
expressions! For the syntax see the sample file:
|
|
config/permissions.allow.
|
|
|
|
1.2. Registration Permissions
|
|
|
|
In addition to call routing it is also possible to check REGISTER
|
|
messages and decide--based on the configuration files--whether the
|
|
message should be allowed and the registration accepted or not.
|
|
|
|
Main purpose of the function is to prevent registration of "prohibited"
|
|
IP addresses. One example, when a malicious user registers a contact
|
|
containing IP address of a PSTN gateway, he might be able to bypass
|
|
authorization checks performed by the SIP proxy. That is undesirable
|
|
and therefore attempts to register IP address of a PSTN gateway should
|
|
be rejected. Files config/register.allow and config/register.deny
|
|
contain an example configuration.
|
|
|
|
Function for registration checking is called allow_register and the
|
|
algorithm is very similar to the algorithm described in Section 1.1,
|
|
"Call Routing". The only difference is in the way how pairs are
|
|
created.
|
|
|
|
Instead of From header field the function uses To header field because
|
|
To header field in REGISTER messages contains the URI of the person
|
|
being registered. Instead of the Request-URI of branches the function
|
|
uses Contact header field.
|
|
|
|
Thus, pairs used in matching will look like this: (To, Contact 1), (To,
|
|
Contact 2), (To, Contact 3), and so on..
|
|
|
|
The algorithm of matching is same as described in Section 1.1, "Call
|
|
Routing".
|
|
|
|
1.3. URI Permissions
|
|
|
|
The module can be used to determine if request is allowed to the
|
|
destination specified by an URI stored in a pvar. Permission rules are
|
|
stored in plaintext configuration files similar to hosts.allow and
|
|
hosts.deny used by tcpd.
|
|
|
|
When allow_uri function is called, it tries to find a rule that matches
|
|
selected fields of the message. The matching algorithm is as follows,
|
|
first match wins:
|
|
* Create a pair <From URI, URI stored in pvar>.
|
|
* Request will be allowed when the pair matches an entry in the allow
|
|
file.
|
|
* Otherwise request will be denied when the pair matches an entry in
|
|
the deny file.
|
|
* Otherwise, request will be allowed.
|
|
|
|
A non-existing permission control file is treated as if it were an
|
|
empty file. Thus, permission control can be turned off by providing no
|
|
permission control files.
|
|
|
|
From URI and URI stored in pvar are always compared with regular
|
|
expressions! For the syntax see the sample file:
|
|
config/permissions.allow.
|
|
|
|
1.4. Address Permissions
|
|
|
|
The module can be used to determine if an address (IP address and port)
|
|
matches any of the IP subnets stored in cached Kamailio database table.
|
|
Port 0 in cached database table matches any port. IP address and port
|
|
to be matched can be either taken from the request
|
|
(allow_source_address) or given as pvar arguments (allow_address).
|
|
|
|
Addresses stored in cached database table can be grouped together into
|
|
one or more groups specified by a group identifier (positive integer
|
|
value, i.e., equal or greater than 1). Group identifier is given as
|
|
argument to allow_address and allow_source_address functions.
|
|
|
|
As a side effect of matching the address, non-NULL tag (see tag_col
|
|
module parameter) is added as value to peer_tag AVP if peer_tag_avp
|
|
module parameter has been defined.
|
|
|
|
1.5. Trusted Requests
|
|
|
|
The module can be used to determine if an incoming request can be
|
|
trusted without authentication.
|
|
|
|
When allow_trusted function is called, it tries to find a rule that
|
|
matches the request. Rules contain the following fields: <source
|
|
address, transport protocol, regular expression>.
|
|
|
|
A requests is accepted if there exists a rule, where
|
|
* source address is equal to source address of request or source
|
|
address given in pvar,
|
|
* transport protocol is either "ANY" or equal to transport protocol
|
|
of request or transport protocol given in pvar, and
|
|
* regular expression is either empty (NULL in database) or matches
|
|
From URI of request.
|
|
|
|
Otherwise the request is rejected.
|
|
|
|
As a side effect of accepting the request, peer's non-NULL tag (see
|
|
tag_col module parameter) is added as value to peer_tag AVP if
|
|
peer_tag_avp module parameter has been defined.
|
|
|
|
Rules are stored in a database table specified by module parameters.
|
|
There also exists a module parameter dm_mode that determines if rules
|
|
are cached into memory for faster matching or if database is consulted
|
|
for each invocation of allow_trusted function call.
|
|
|
|
2. Dependencies
|
|
|
|
2.1. Kamailio Modules
|
|
2.2. External Libraries or Applications
|
|
|
|
2.1. Kamailio Modules
|
|
|
|
The following modules must be loaded before this module:
|
|
* No dependencies on other Kamailio modules.
|
|
|
|
2.2. External Libraries or Applications
|
|
|
|
The following libraries or applications must be installed before
|
|
running Kamailio with this module loaded:
|
|
* None.
|
|
|
|
3. Parameters
|
|
|
|
3.1. default_allow_file (string)
|
|
3.2. default_deny_file (string)
|
|
3.3. check_all_branches (integer)
|
|
3.4. allow_suffix (string)
|
|
3.5. deny_suffix (string)
|
|
3.6. db_url (string)
|
|
3.7. address_table (string)
|
|
3.8. grp_col (string)
|
|
3.9. ip_addr_col (string)
|
|
3.10. mask_col (string)
|
|
3.11. port_col (string)
|
|
3.12. db_mode (integer)
|
|
3.13. trusted_table (string)
|
|
3.14. source_col (string)
|
|
3.15. proto_col (string)
|
|
3.16. from_col (string)
|
|
3.17. tag_col (string)
|
|
3.18. peer_tag_avp (AVP string)
|
|
3.19. peer_tag_mode (integer)
|
|
|
|
3.1. default_allow_file (string)
|
|
|
|
Default allow file used by functions without parameters. If you don't
|
|
specify full pathname then the directory in which is the main config
|
|
file is located will be used.
|
|
|
|
Default value is "permissions.allow".
|
|
|
|
Example 1.1. Set default_allow_file parameter
|
|
...
|
|
modparam("permissions", "default_allow_file", "/etc/permissions.allow")
|
|
...
|
|
|
|
3.2. default_deny_file (string)
|
|
|
|
Default file containing deny rules. The file is used by functions
|
|
without parameters. If you don't specify full pathname then the
|
|
directory in which the main config file is located will be used.
|
|
|
|
Default value is "permissions.deny".
|
|
|
|
Example 1.2. Set default_deny_file parameter
|
|
...
|
|
modparam("permissions", "default_deny_file", "/etc/permissions.deny")
|
|
...
|
|
|
|
3.3. check_all_branches (integer)
|
|
|
|
If set then allow_routing functions will check Request-URI of all
|
|
branches (default). If disabled then only Request-URI of the first
|
|
branch will be checked.
|
|
|
|
Warning
|
|
|
|
Do not disable this parameter unless you really know what you are
|
|
doing.
|
|
|
|
Default value is 1.
|
|
|
|
Example 1.3. Set check_all_branches parameter
|
|
...
|
|
modparam("permissions", "check_all_branches", 0)
|
|
...
|
|
|
|
3.4. allow_suffix (string)
|
|
|
|
Suffix to be appended to basename to create filename of the allow file
|
|
when version with one parameter of either allow_routing or
|
|
allow_register is used.
|
|
|
|
Note
|
|
|
|
Including leading dot.
|
|
|
|
Default value is ".allow".
|
|
|
|
Example 1.4. Set allow_suffix parameter
|
|
...
|
|
modparam("permissions", "allow_suffix", ".allow")
|
|
...
|
|
|
|
3.5. deny_suffix (string)
|
|
|
|
Suffix to be appended to basename to create filename of the deny file
|
|
when version with one parameter of either allow_routing or
|
|
allow_register is used.
|
|
|
|
Note
|
|
|
|
Including leading dot.
|
|
|
|
Default value is ".deny".
|
|
|
|
Example 1.5. Set deny_suffix parameter
|
|
...
|
|
modparam("permissions", "deny_suffix", ".deny")
|
|
...
|
|
|
|
3.6. db_url (string)
|
|
|
|
This is URL of the database to be used to store rules used by
|
|
allow_trusted function.
|
|
|
|
Default value is "NULL".
|
|
|
|
Example 1.6. Set db_url parameter
|
|
...
|
|
modparam("permissions", "db_url", "dbdriver://username:password@dbhost/dbname")
|
|
...
|
|
|
|
3.7. address_table (string)
|
|
|
|
Name of database table containing IP subnet information used by
|
|
allow_address and allow_source_address functions.
|
|
|
|
Default value is "address".
|
|
|
|
Example 1.7. Set address_table parameter
|
|
...
|
|
modparam("permissions", "address_table", "addr")
|
|
...
|
|
|
|
3.8. grp_col (string)
|
|
|
|
Name of address table column containing group identifier of the
|
|
address.
|
|
|
|
Default value is "grp".
|
|
|
|
Example 1.8. Set grp_col parameter
|
|
...
|
|
modparam("permissions", "grp_col", "group_id")
|
|
...
|
|
|
|
3.9. ip_addr_col (string)
|
|
|
|
Name of address table column containing IP address part of the address.
|
|
|
|
Default value is "ip_addr".
|
|
|
|
Example 1.9. Set ip_addr_col parameter
|
|
...
|
|
modparam("permissions", "ip_addr_col", "ip_address")
|
|
...
|
|
|
|
3.10. mask_col (string)
|
|
|
|
Name of address table column containing network mask of the address.
|
|
Possible values are 0-32.
|
|
|
|
Default value is "mask".
|
|
|
|
Example 1.10. Set mask_col parameter
|
|
...
|
|
modparam("permissions", "mask_col", "subnet_length")
|
|
...
|
|
|
|
3.11. port_col (string)
|
|
|
|
Name of address table column containing port part of the address.
|
|
|
|
Default value is "port".
|
|
|
|
Example 1.11. Set port_col parameter
|
|
...
|
|
modparam("permissions", "port_col", "prt")
|
|
...
|
|
|
|
3.12. db_mode (integer)
|
|
|
|
Database mode. 0 means non-caching, 1 means caching. Valid only for
|
|
allow_trusted function.
|
|
|
|
Default value is 0 (non-caching).
|
|
|
|
Example 1.12. Set db_mode parameter
|
|
...
|
|
modparam("permissions", "db_mode", 1)
|
|
...
|
|
|
|
3.13. trusted_table (string)
|
|
|
|
Name of database table containing matching rules used by allow_trusted
|
|
function.
|
|
|
|
Default value is "trusted".
|
|
|
|
Example 1.13. Set trusted_table parameter
|
|
...
|
|
modparam("permissions", "trusted_table", "pbx")
|
|
...
|
|
|
|
3.14. source_col (string)
|
|
|
|
Name of trusted table column containing source IP address that is
|
|
matched against source IP address of received request.
|
|
|
|
Default value is "src_ip".
|
|
|
|
Example 1.14. Set source_col parameter
|
|
...
|
|
modparam("permissions", "source_col", "source_ip_address")
|
|
...
|
|
|
|
3.15. proto_col (string)
|
|
|
|
Name of trusted table column containing transport protocol that is
|
|
matched against transport protocol of received request. Possible values
|
|
that can be stored in proto_col are "any", "udp", "tcp", "tls", "sctp",
|
|
and "none". Value "any" matches always and value "none" never.
|
|
|
|
Default value is "proto".
|
|
|
|
Example 1.15. Set proto_col parameter
|
|
...
|
|
modparam("permissions", "proto_col", "transport")
|
|
...
|
|
|
|
3.16. from_col (string)
|
|
|
|
Name of trusted table column containing regular expression that is
|
|
matched against From URI.
|
|
|
|
Default value is "from_pattern".
|
|
|
|
Example 1.16. Set from_col parameter
|
|
...
|
|
modparam("permissions", "from_col", "regexp")
|
|
...
|
|
|
|
3.17. tag_col (string)
|
|
|
|
Name of address or trusted table column containing a string that is
|
|
added as value to peer_tag AVP if peer_tag AVP has been defined and if
|
|
the address or peer matches.
|
|
|
|
Default value is "tag".
|
|
|
|
Example 1.17. Set tag_col parameter
|
|
...
|
|
modparam("permissions", "tag_col", "peer_tag")
|
|
...
|
|
|
|
3.18. peer_tag_avp (AVP string)
|
|
|
|
If defined, the AVP will be set as side effect of allow_trusted() call
|
|
to not NULL tag column value of the matching peer.
|
|
|
|
Default value is "undefined".
|
|
|
|
Example 1.18. Set peer_tag_avp parameter
|
|
...
|
|
modparam("permissions", "peer_tag_avp", "$avp(i:707)")
|
|
...
|
|
|
|
3.19. peer_tag_mode (integer)
|
|
|
|
Tag mode for allow_trusted(). 0 sets only the tag of the first match. 1
|
|
adds the tags of all matches to the avp. In addition the return value
|
|
of allow_trusted() is the number of matches.
|
|
|
|
Default value is "0".
|
|
|
|
Example 1.19. Set peer_tag_mode parameter
|
|
...
|
|
modparam("permissions", "peer_tag_mode", "1")
|
|
...
|
|
|
|
4. Functions
|
|
|
|
4.1. allow_routing()
|
|
4.2. allow_routing(basename)
|
|
4.3. allow_routing(allow_file,deny_file)
|
|
4.4. allow_register(basename)
|
|
4.5. allow_register(allow_file, deny_file)
|
|
4.6. allow_uri(basename, pvar)
|
|
4.7. allow_address(group_id, ip_addr_pvar, port_pvar)
|
|
4.8. allow_source_address([group_id])
|
|
4.9. allow_source_address_group()
|
|
4.10. allow_address_group(addr, port)
|
|
4.11. allow_trusted([src_ip_pvar, proto_pvar])
|
|
|
|
4.1. allow_routing()
|
|
|
|
Returns true if all pairs constructed as described in Section 1.1,
|
|
"Call Routing" have appropriate permissions according to the
|
|
configuration files. This function uses default configuration files
|
|
specified in default_allow_file and default_deny_file.
|
|
|
|
This function can be used from REQUEST_ROUTE, FAILURE_ROUTE.
|
|
|
|
Example 1.20. allow_routing usage
|
|
...
|
|
if (allow_routing()) {
|
|
t_relay();
|
|
};
|
|
...
|
|
|
|
4.2. allow_routing(basename)
|
|
|
|
Returns true if all pairs constructed as described in Section 1.1,
|
|
"Call Routing" have appropriate permissions according to the
|
|
configuration files given as parameters.
|
|
|
|
Meaning of the parameters is as follows:
|
|
* basename - Basename from which allow and deny filenames will be
|
|
created by appending contents of allow_suffix and deny_suffix
|
|
parameters.
|
|
If the parameter doesn't contain full pathname then the function
|
|
expects the file to be located in the same directory as the main
|
|
configuration file of the server.
|
|
|
|
This function can be used from REQUEST_ROUTE, FAILURE_ROUTE.
|
|
|
|
Example 1.21. allow_routing(basename) usage
|
|
...
|
|
if (allow_routing("basename")) {
|
|
t_relay();
|
|
};
|
|
...
|
|
|
|
4.3. allow_routing(allow_file,deny_file)
|
|
|
|
Returns true if all pairs constructed as described in Section 1.1,
|
|
"Call Routing" have appropriate permissions according to the
|
|
configuration files given as parameters.
|
|
|
|
Meaning of the parameters is as follows:
|
|
* allow_file - File containing allow rules.
|
|
If the parameter doesn't contain full pathname then the function
|
|
expects the file to be located in the same directory as the main
|
|
configuration file of the server.
|
|
* deny_file - File containing deny rules.
|
|
If the parameter doesn't contain full pathname then the function
|
|
expects the file to be located in the same directory as the main
|
|
configuration file of the server.
|
|
|
|
This function can be used from REQUEST_ROUTE, FAILURE_ROUTE.
|
|
|
|
Example 1.22. allow_routing(allow_file, deny_file) usage
|
|
...
|
|
if (allow_routing("rules.allow", "rules.deny")) {
|
|
t_relay();
|
|
};
|
|
...
|
|
|
|
4.4. allow_register(basename)
|
|
|
|
The function returns true if all pairs constructed as described in
|
|
Section 1.2, "Registration Permissions" have appropriate permissions
|
|
according to the configuration files given as parameters.
|
|
|
|
Meaning of the parameters is as follows:
|
|
* basename - Basename from which allow and deny filenames will be
|
|
created by appending contents of allow_suffix and deny_suffix
|
|
parameters.
|
|
If the parameter doesn't contain full pathname then the function
|
|
expects the file to be located in the same directory as the main
|
|
configuration file of the server.
|
|
|
|
This function can be used from REQUEST_ROUTE, FAILURE_ROUTE.
|
|
|
|
Example 1.23. allow_register(basename) usage
|
|
...
|
|
if (method=="REGISTER") {
|
|
if (allow_register("register")) {
|
|
save("location");
|
|
exit;
|
|
} else {
|
|
sl_send_reply("403", "Forbidden");
|
|
};
|
|
};
|
|
...
|
|
|
|
4.5. allow_register(allow_file, deny_file)
|
|
|
|
The function returns true if all pairs constructed as described in
|
|
Section 1.2, "Registration Permissions" have appropriate permissions
|
|
according to the configuration files given as parameters.
|
|
|
|
Meaning of the parameters is as follows:
|
|
* allow_file - File containing allow rules.
|
|
If the parameter doesn't contain full pathname then the function
|
|
expects the file to be located in the same directory as the main
|
|
configuration file of the server.
|
|
* deny_file - File containing deny rules.
|
|
If the parameter doesn't contain full pathname then the function
|
|
expects the file to be located in the same directory as the main
|
|
configuration file of the server.
|
|
|
|
This function can be used from REQUEST_ROUTE, FAILURE_ROUTE.
|
|
|
|
Example 1.24. allow_register(allow_file, deny_file) usage
|
|
...
|
|
if (method=="REGISTER") {
|
|
if (allow_register("register.allow", "register.deny")) {
|
|
save("location");
|
|
exit;
|
|
} else {
|
|
sl_send_reply("403", "Forbidden");
|
|
};
|
|
};
|
|
...
|
|
|
|
4.6. allow_uri(basename, pvar)
|
|
|
|
Returns true if the pair constructed as described in Section 1.3, "URI
|
|
Permissions" have appropriate permissions according to the
|
|
configuration files specified by the parameter.
|
|
|
|
Meaning of the parameter is as follows:
|
|
* basename - Basename from which allow and deny filenames will be
|
|
created by appending contents of allow_suffix and deny_suffix
|
|
parameters.
|
|
If the parameter doesn't contain full pathname then the function
|
|
expects the file to be located in the same directory as the main
|
|
configuration file of the server.
|
|
* pvar - Any pseudo-variable defined in Kamailio.
|
|
|
|
This function can be used from REQUEST_ROUTE, FAILURE_ROUTE.
|
|
|
|
Example 1.25. allow_uri(basename, pvar) usage
|
|
...
|
|
if (allow_uri("basename", "$rt")) { // Check Refer-To URI
|
|
t_relay();
|
|
};
|
|
if (allow_uri("basename", "$avp(i:705)") { // Check URI stored in $avp(i:705)
|
|
t_relay();
|
|
};
|
|
...
|
|
|
|
4.7. allow_address(group_id, ip_addr_pvar, port_pvar)
|
|
|
|
Returns true if IP address and port given as values of pvar arguments
|
|
belonging to a group given as group_id argument matches an IP subnet
|
|
found in cached address table. Cached address table entry containing
|
|
port value 0 matches any port. group_id argument can be an integer
|
|
string or a pseudo variable.
|
|
|
|
This function can be used from REQUEST_ROUTE, FAILURE_ROUTE.
|
|
|
|
Example 1.26. allow_address() usage
|
|
...
|
|
|
|
// Check if source address/port is in group 1
|
|
if (!allow_address("1", "$si", "$sp")) {
|
|
sl_send_reply("403", "Forbidden");
|
|
};
|
|
// Check IP address/port stored in AVPs i:704/i:705 is in group 2
|
|
if (!allow_address("2", "$avp(i:704)", "$avp(i:705)") {
|
|
sl_send_reply("403", "Forbidden");
|
|
};
|
|
...
|
|
|
|
4.8. allow_source_address([group_id])
|
|
|
|
Equal to allow_address(group_id, "$si", "$sp"). If 'group_id' is
|
|
missing, the function is equal to allow_address("1", "$si", "$sp").
|
|
|
|
This function can be used from REQUEST_ROUTE, FAILURE_ROUTE.
|
|
|
|
Example 1.27. allow_source_address(group_id) usage
|
|
...
|
|
|
|
// Check source address/port of request
|
|
if (!allow_source_address("1")) {
|
|
sl_send_reply("403", "Forbidden");
|
|
};
|
|
...
|
|
|
|
4.9. allow_source_address_group()
|
|
|
|
Checks if source address/port is found in cached address or subnet
|
|
table in any group. If yes, returns that group. If not returns -1. Port
|
|
value 0 in cached address and group table matches any port.
|
|
|
|
This function can be used from REQUEST_ROUTE, FAILURE_ROUTE.
|
|
|
|
Example 1.28. allow_source_address_group() usage
|
|
...
|
|
|
|
$var(group) = allow_source_address_group();
|
|
if ($var(group) != -1) {
|
|
# do something with $var(group)
|
|
};
|
|
...
|
|
|
|
4.10. allow_address_group(addr, port)
|
|
|
|
Checks if address/port is found in cached address or subnet table in
|
|
any group. If yes, returns that group. If not returns -1. Port value 0
|
|
in cached address and group table matches any port. The parameters can
|
|
be pseudo-variables.
|
|
|
|
This function can be used from ANY_ROUTE.
|
|
|
|
Example 1.29. allow_source_address_group() usage
|
|
...
|
|
|
|
$var(group) = allow_address_group("1.2.3.4", "5060");
|
|
if ($var(group) != -1) {
|
|
# do something with $var(group)
|
|
};
|
|
...
|
|
|
|
4.11. allow_trusted([src_ip_pvar, proto_pvar])
|
|
|
|
Checks based either on request's source address and transport protocol
|
|
or source address and transport protocol given in pvar arguments, and
|
|
From URI of request if request can be trusted without authentication.
|
|
Returns 1 if a match is found as described in Section 1.5, "Trusted
|
|
Requests" and -1 otherwise. If a match is found and peer_tag_avp has
|
|
been defined, adds a non-NULL tag column value of the matching peer to
|
|
AVP peer_tag_avp.
|
|
|
|
Source address and transport protocol given in pvar arguments must be
|
|
in string format. Valid transport protocol values are (ignoring case)
|
|
"any", "udp, "tcp", "tls", and "sctp".
|
|
|
|
This function can be used from REQUEST_ROUTE, FAILURE_ROUTE.
|
|
|
|
Example 1.30. allow_trusted() usage
|
|
...
|
|
if (allow_trusted()) {
|
|
t_relay();
|
|
};
|
|
...
|
|
if (allow_trusted("$si", "$proto")) {
|
|
t_relay();
|
|
};
|
|
...
|
|
|
|
5. MI Commands
|
|
|
|
5.1. address_reload
|
|
5.2. address_dump
|
|
5.3. subnet_dump
|
|
5.4. trusted_reload
|
|
5.5. trusted_dump
|
|
5.6. allow_uri
|
|
|
|
5.1. address_reload
|
|
|
|
Causes permissions module to re-read the contents of address database
|
|
table into cache memory. In cache memory the entries are for
|
|
performance reasons stored in two different tables: address table and
|
|
subnet table depending on the value of the mask field (32 or smaller).
|
|
|
|
Parameters: none
|
|
|
|
5.2. address_dump
|
|
|
|
Causes permissions module to dump contents of cache memory address
|
|
table.
|
|
|
|
Parameters: none
|
|
|
|
5.3. subnet_dump
|
|
|
|
Causes permissions module to dump contents of cache memory subnet
|
|
table.
|
|
|
|
Parameters: none
|
|
|
|
5.4. trusted_reload
|
|
|
|
Causes permissions module to re-read the contents of trusted table into
|
|
cache memory.
|
|
|
|
Parameters: none
|
|
|
|
5.5. trusted_dump
|
|
|
|
Causes permissions module to dump contents of trusted table from cache
|
|
memory.
|
|
|
|
Parameters: none
|
|
|
|
5.6. allow_uri
|
|
|
|
Tests if (URI, Contact) pair is allowed according to allow/deny files.
|
|
The files must already have been loaded by Kamailio.
|
|
|
|
Parameters:
|
|
* basename - Basename from which allow and deny filenames will be
|
|
created by appending contents of allow_suffix and deny_suffix
|
|
parameters.
|
|
* URI - URI to be tested
|
|
* Contact - Contact to be tested
|
|
|
|
6. RPC Commands
|
|
|
|
6.1. addressReload
|
|
6.2. addressDump
|
|
6.3. subnetDump
|
|
6.4. testUri basename uri contact
|
|
6.5. trustedReload
|
|
6.6. trustedDump
|
|
|
|
6.1. addressReload
|
|
|
|
Causes permissions module to re-read the contents of address database
|
|
table into cache memory. In cache memory the entries are for
|
|
performance reasons stored in two different tables: address table and
|
|
subnet table depending on the value of the mask field (32 or smaller).
|
|
|
|
Parameters: none
|
|
|
|
6.2. addressDump
|
|
|
|
Causes permissions module to dump contents of cache memory address
|
|
table. (Not the subnet table).
|
|
|
|
Parameters: none
|
|
|
|
6.3. subnetDump
|
|
|
|
Causes permissions module to dump contents of cache memory subnet
|
|
table.
|
|
|
|
Parameters: none
|
|
|
|
6.4. testUri basename uri contact
|
|
|
|
Tests if (URI, Contact) pair is allowed according to allow/deny files.
|
|
The files must already have been loaded by Kamailio.
|
|
|
|
Parameters:
|
|
* basename - Basename from which allow and deny filenames will be
|
|
created by appending contents of allow_suffix and deny_suffix
|
|
parameters.
|
|
* URI - URI to be tested
|
|
* Contact - Contact to be tested
|
|
|
|
6.5. trustedReload
|
|
|
|
Causes permissions module to re-read the contents of trusted table into
|
|
cache memory.
|
|
|
|
Parameters: none
|
|
|
|
6.6. trustedDump
|
|
|
|
Causes permissions module to dump contents of trusted table from cache
|
|
memory.
|
|
|
|
Parameters: none
|