[OpenSIPS-Users] Issue with permission module in opensip 1.6
Irina Stanescu
istanescu at opensips.org
Fri Dec 11 10:46:46 CET 2009
Hi Jai,
As you suggested, i added the id of the entry to the debug info for
ignored entries .
Also, i committed a fix for the other problem you had with
check_source_address. Please update from SVN and let me know if you find
any other issues.
Regards,
Irina Stanescu
Jai Rangi wrote:
> Excellent, I owe you one.
>
> As always users always want more and more ;)
> I got this in the logs when I try to
> Dec 10 13:55:02 [11176] DBG:permissions:reload_address_table: invalid
> ip field in address table, ignoring entry 0
> Dec 10 13:55:02 [11176] DBG:permissions:reload_address_table: invalid
> ip field in address table, ignoring entry 1
>
> Here ID or IPAddress will be more useful for debugging purpose.
>
> Here is the trace for the failing call form same IP.
>
> Dec 10 14:03:09 [11772] DBG:core:parse_via: end of header reached, state=5
> Dec 10 14:03:09 [11772] DBG:core:parse_headers: via found, flags=200
> Dec 10 14:03:09 [11772] DBG:core:get_hdr_field: content_length=235
> Dec 10 14:03:09 [11772] DBG:core:get_hdr_field: found end of header
> Dec 10 14:03:09 [11772] DBG:rr:find_first_route: No Route headers found
> Dec 10 14:03:09 [11772] DBG:rr:loose_route: There is no Route HF
> source ip is 65.211.120.237 and protocol is udp avp is <null>
> Dec 10 14:03:09 [11772] DBG:permissions:check_src_addr_3: Looking for
> : <0, 65.211.120.237, 5060, 1> in tables
> Dec 10 14:03:09 [11772] DBG:permissions:hash_match: no match in the
> hash table
> Dec 10 14:03:09 [11772] DBG:permissions:match_subnet_table: subnet
> table is empty
> Monitor Request not from trusted source from
> sip:+19496794816 at 199.173.94.144:5060;user=phone to
> sip:+19493334879 at 209.216.2.213:5060;user=phone;transport=UDP from IP
> 65.211.120.237 Dec 10 14:03:09 [11772] DBG:core:parse_headers:
> flags=ffffffffffffffff
> Dec 10 14:03:09 [11772] DBG:core:parse_headers: flags=ffffffffffffffff
> Dec 10 14:03:09 [11772] DBG:core:check_ip_address: params
> 65.211.120.237, 65.211.120.237, 0
> Dec 10 14:03:09 [11772] DBG:core:destroy_avp_list: destroying list (nil)
> Dec 10 14:03:09 [11772] DBG:core:receive_msg: cleaning up
> Dec 10 14:03:09 [11771] DBG:core:parse_msg: SIP Request:
>
> Dump from address cache
> ../../sbin/opensipsctl fifo address_dump | grep "65.211.120.237"
> 12 <65.211.120.237,0, 0, 0, ^sip:.*$, NULL>
>
> Code in cfg file
> xlog(" source ip is $si and protocol is $proto avp is $avp(i:9)");
> if (check_source_address("0","$avp(i:9)")) {
>
> Same Call from other IP works juts IP
>
> Dec 10 14:08:16 [11776] DBG:rr:loose_route: There is no Route HF
> source ip is 65.217.40.210 and protocol is udp avp is <null>
> Dec 10 14:08:16 [11776] DBG:permissions:check_src_addr_3: Looking for
> : <0, 65.217.40.210, 5060, 1> in tables
> Dec 10 14:08:16 [11776] DBG:permissions:hash_match: match found in the
> hash table
>
> ../../sbin/opensipsctl fifo address_dump | grep "65.217.40.210"
> 9 <65.217.40.210,0, 0, 0, ^sip:.*$, NULL>
>
> Best,
>
> -Jai
>
> On Thu, Dec 10, 2009 at 8:19 AM, Irina Stanescu
> <istanescu at opensips.org <mailto:istanescu at opensips.org>> wrote:
>
> Hi Jai,
>
> I modified the permissions module so that now any invalid db entry
> from
> the address table is skipped.
> I committed the change on trunk and also on the 1.6 branch.
>
> About the other issue you have found, what does the log say?
>
>
>
> Regards,
> Irina Stanescu
>
>
> Jai Rangi wrote:
> > Bogda,
> > Wow that was quick. Thank you,
> >
> > I found one more issue,
> > I have this entry in address table
> > 944 0 65.211.120.237 32 0 any ^sip:.*$
> /NULL/ 0 some
> > descriptiond
> >
> >
> > Here is a check in my route block
> > if (check_source_address("0","$avp(i:9)")) {
> > t_rely();
> > } else {
> > xlog("Monitor Request not from trusted source from $fu to $ru from
> > IP $si ");
> > sl_send_reply("403", "Forbidden, we dont trust you");
> > }
> >
> > ../../sbin/opensipsctl fifo address_dump | grep "65.211.120.237"
> >
> > 12 <65.211.120.237,0, 0, 0, ^sip:.*$, NULL>
> >
> > I always get 403.
> > Is there a limit in address table.
> >
> > -Jai
> >
> >
> > On Thu, Dec 10, 2009 at 12:24 AM, Bogdan-Andrei Iancu
> > <bogdan at voice-system.ro <mailto:bogdan at voice-system.ro>
> <mailto:bogdan at voice-system.ro <mailto:bogdan at voice-system.ro>>>
> wrote:
> >
> > Hi Jai,
> >
> > I think you are correct - the permission table should also
> be more
> > permissive when comes to the errors and skip bogus entries.
> I will ask
> > the maintainer (Irina) to fix this problem.
> >
> > Thanks for the report,
> > Bogdan
> >
> > Jai Rangi wrote:
> > > Not sure if this this the right place for this post. May
> be I should
> > > post it on developers mailing list. Please suggest.
> > >
> > > Just installed opensip1.6 with Mysql, drouting and permissions
> > module.
> > > Did not take long to get it configure and get it going.
> > Documentations
> > > is wonderful.
> > > While testing I noticed that,
> > >
> > > 1. If there is any invalid entry in dr_routing tables, and
> I reload
> > > the dr_routing it spit the error for the mistyped/wrong
> entry and
> > > loads rest of the valid entries. Same thing with startup.
> > Opensip will
> > > start up just fine even if there are some invalid rules in
> the table
> > > and throws the error with ruleid.
> > >
> > > 2. On the other hand address table does not work that way. If
> > there is
> > > any space (Typo) in the IP address, opensip wont start and
> wont
> > reload
> > > the address table.
> > > I have to put the valid IP address, there is not option
> for dynamic
> > > domain names. (For people who does not have static IP).
> Not only
> > that
> > > it does not even tell which IP has a problem that makes it
> even
> > harder
> > > to debug when you have thousands of IPs in the trusted tables.
> > >
> > > I was wondering if there is a work around for this. I
> would like
> > > opensip to startup (or successful address_reload) with all
> the valid
> > > entries and throw an error for invalid entries. Also
> having the
> > > ability to add an domain would be nice.
> > >
> > > Any thoughts??
> > >
> > > -Jai
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> >
> ------------------------------------------------------------------------
> > >
> > > _______________________________________________
> > > Users mailing list
> > > Users at lists.opensips.org <mailto:Users at lists.opensips.org>
> <mailto:Users at lists.opensips.org <mailto:Users at lists.opensips.org>>
> > > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> > >
> >
> >
> > --
> > Bogdan-Andrei Iancu
> > www.voice-system.ro <http://www.voice-system.ro>
> <http://www.voice-system.ro>
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.opensips.org <mailto:Users at lists.opensips.org>
> <mailto:Users at lists.opensips.org <mailto:Users at lists.opensips.org>>
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >
> >
> >
> ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.opensips.org <mailto:Users at lists.opensips.org>
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org <mailto:Users at lists.opensips.org>
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
More information about the Users
mailing list