Thu Apr 28 2011 17:15:26

Asterisk developer's documentation


acl.h File Reference

Access Control of various sorts. More...

#include "asterisk/network.h"
#include "asterisk/io.h"
Include dependency graph for acl.h:
This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Data Structures

struct  ast_ha
 internal representation of acl entries In principle user applications would have no need for this, but there is sometimes a need to extract individual items, e.g. to print them, and rather than defining iterators to navigate the list, and an externally visible 'struct ast_ha_entry', at least in the short term it is more convenient to make the whole thing public and let users play with them. More...

Defines

#define AST_SENSE_ALLOW   1
#define AST_SENSE_DENY   0

Functions

struct ast_haast_append_ha (const char *sense, const char *stuff, struct ast_ha *path, int *error)
 Add a new rule to a list of HAs.
int ast_apply_ha (struct ast_ha *ha, struct sockaddr_in *sin)
 Apply a set of rules to a given IP address.
void ast_copy_ha (const struct ast_ha *from, struct ast_ha *to)
 Copy the contents of one HA to another.
struct ast_haast_duplicate_ha_list (struct ast_ha *original)
 Duplicate the contents of a list of host access rules.
int ast_find_ourip (struct in_addr *ourip, struct sockaddr_in bindaddr)
 Find our IP address.
void ast_free_ha (struct ast_ha *ha)
 Free a list of HAs.
int ast_get_ip (struct sockaddr_in *sin, const char *value)
 Get the IP address given a hostname.
int ast_get_ip_or_srv (struct sockaddr_in *sin, const char *value, const char *service)
 Get the IP address given a hostname and optional service.
int ast_lookup_iface (char *iface, struct in_addr *address)
 Find an IP address associated with a specific interface.
int ast_ouraddrfor (struct in_addr *them, struct in_addr *us)
 Get our local IP address when contacting a remote host.
int ast_str2cos (const char *value, unsigned int *cos)
 Convert a string to the appropriate COS value.
int ast_str2tos (const char *value, unsigned int *tos)
 Convert a string to the appropriate TOS value.
const char * ast_tos2str (unsigned int tos)
 Convert a TOS value into its string representation.

Detailed Description

Access Control of various sorts.

Definition in file acl.h.


Define Documentation

#define AST_SENSE_ALLOW   1

Definition at line 35 of file acl.h.

Referenced by ast_append_ha(), ast_apply_ha(), ast_sip_ouraddrfor(), and parse_register_contact().

#define AST_SENSE_DENY   0

Definition at line 34 of file acl.h.

Referenced by ast_append_ha().


Function Documentation

struct ast_ha* ast_append_ha ( const char *  sense,
const char *  stuff,
struct ast_ha path,
int *  error 
) [read]

Add a new rule to a list of HAs.

This adds the new host access rule to the end of the list whose head is specified by the path parameter. Rules are evaluated in a way such that if multiple rules apply to a single IP address/subnet mask, then the rule latest in the list will be used.

Parameters:
senseEither "permit" or "deny" (Actually any 'p' word will result in permission, and any other word will result in denial)
stuffThe IP address and subnet mask, separated with a '/'. The subnet mask can either be in dotted-decimal format or in CIDR notation (i.e. 0-32).
pathThe head of the HA list to which we wish to append our new rule. If NULL is passed, then the new rule will become the head of the list
[out]errorThe integer error points to will be set non-zero if an error occurs
Returns:
The head of the HA list

Definition at line 272 of file acl.c.

References ast_debug, ast_free, ast_inet_ntoa(), ast_log(), ast_malloc, AST_SENSE_ALLOW, AST_SENSE_DENY, ast_strdupa, inet_aton(), LOG_WARNING, ast_ha::netaddr, ast_ha::netmask, ast_ha::next, and ast_ha::sense.

Referenced by __init_manager(), add_calltoken_ignore(), build_callno_limits(), build_device(), build_gateway(), build_peer(), build_user(), config_parse_variables(), and reload_config().

{
   struct ast_ha *ha;
   char *nm;
   struct ast_ha *prev = NULL;
   struct ast_ha *ret;
   int x;
   char *tmp = ast_strdupa(stuff);

   ret = path;
   while (path) {
      prev = path;
      path = path->next;
   }

   if (!(ha = ast_malloc(sizeof(*ha)))) {
      return ret;
   }

   if (!(nm = strchr(tmp, '/'))) {
      /* assume /32. Yes, htonl does not do anything for this particular mask
         but we better use it to show we remember about byte order */
      ha->netmask.s_addr = htonl(0xFFFFFFFF);
   } else {
      *nm = '\0';
      nm++;

      if (!strchr(nm, '.')) {
         if ((sscanf(nm, "%30d", &x) == 1) && (x >= 0) && (x <= 32)) {
            if (x == 0) {
               /* This is special-cased to prevent unpredictable
                * behavior of shifting left 32 bits
                */
               ha->netmask.s_addr = 0;
            } else {
               ha->netmask.s_addr = htonl(0xFFFFFFFF << (32 - x));
            }
         } else {
            ast_log(LOG_WARNING, "Invalid CIDR in %s\n", stuff);
            ast_free(ha);
            if (error) {
               *error = 1;
            }
            return ret;
         }
      } else if (!inet_aton(nm, &ha->netmask)) {
         ast_log(LOG_WARNING, "Invalid mask in %s\n", stuff);
         ast_free(ha);
         if (error) {
            *error = 1;
         }
         return ret;
      }
   }

   if (!inet_aton(tmp, &ha->netaddr)) {
      ast_log(LOG_WARNING, "Invalid IP address in %s\n", stuff);
      ast_free(ha);
      if (error) {
         *error = 1;
      }
      return ret;
   }

   ha->netaddr.s_addr &= ha->netmask.s_addr;

   ha->sense = strncasecmp(sense, "p", 1) ? AST_SENSE_DENY : AST_SENSE_ALLOW;

   ha->next = NULL;
   if (prev) {
      prev->next = ha;
   } else {
      ret = ha;
   }

   ast_debug(1, "%s/%s sense %d appended to acl for peer\n", ast_strdupa(ast_inet_ntoa(ha->netaddr)), ast_strdupa(ast_inet_ntoa(ha->netmask)), ha->sense);

   return ret;
}
int ast_apply_ha ( struct ast_ha ha,
struct sockaddr_in *  sin 
)

Apply a set of rules to a given IP address.

The list of host access rules is traversed, beginning with the input rule. If the IP address given matches a rule, the "sense" of that rule is used as the return value. Note that if an IP address matches multiple rules that the last one matched will be the one whose sense will be returned.

Parameters:
haThe head of the list of host access rules to follow
sinA sockaddr_in whose address is considered when matching rules
Return values:
AST_SENSE_ALLOWThe IP address passes our ACL
AST_SENSE_DENYThe IP address fails our ACL

Definition at line 352 of file acl.c.

References ast_copy_string(), ast_debug, ast_inet_ntoa(), AST_SENSE_ALLOW, ast_ha::netaddr, ast_ha::netmask, ast_ha::next, and ast_ha::sense.

Referenced by ast_sip_ouraddrfor(), authenticate(), check_access(), check_peer_ok(), parse_register_contact(), register_verify(), and skinny_register().

{
   /* Start optimistic */
   int res = AST_SENSE_ALLOW;
   while (ha) {
#if 0 /* debugging code */
      char iabuf[INET_ADDRSTRLEN];
      char iabuf2[INET_ADDRSTRLEN];
      /* DEBUG */
      ast_copy_string(iabuf, ast_inet_ntoa(sin->sin_addr), sizeof(iabuf));
      ast_copy_string(iabuf2, ast_inet_ntoa(ha->netaddr), sizeof(iabuf2));
      ast_debug(1, "##### Testing %s with %s\n", iabuf, iabuf2);
#endif
      /* For each rule, if this address and the netmask = the net address
         apply the current rule */
      if ((sin->sin_addr.s_addr & ha->netmask.s_addr) == ha->netaddr.s_addr) {
         res = ha->sense;
      }
      ha = ha->next;
   }
   return res;
}
void ast_copy_ha ( const struct ast_ha from,
struct ast_ha to 
)

Copy the contents of one HA to another.

This copies the internals of the 'from' HA to the 'to' HA. It is important that the 'to' HA has been allocated prior to calling this function

Parameters:
fromSource HA to copy
toDestination HA to copy to
Return values:
void

Definition at line 228 of file acl.c.

References ast_ha::netaddr, ast_ha::netmask, and ast_ha::sense.

Referenced by add_calltoken_ignore(), ast_duplicate_ha(), and build_callno_limits().

{
   memcpy(&to->netaddr, &from->netaddr, sizeof(from->netaddr));
   memcpy(&to->netmask, &from->netmask, sizeof(from->netmask));
   to->sense = from->sense;
}
struct ast_ha* ast_duplicate_ha_list ( struct ast_ha original) [read]

Duplicate the contents of a list of host access rules.

A deep copy of all ast_has in the list is made. The returned value is allocated on the heap and must be freed independently of the input parameter when finished.

Note:
This function is not actually used anywhere.
Parameters:
originalThe ast_ha to copy
Return values:
Thehead of the list of duplicated ast_has

Definition at line 250 of file acl.c.

References ast_duplicate_ha(), and ast_ha::next.

{
   struct ast_ha *start = original;
   struct ast_ha *ret = NULL;
   struct ast_ha *current, *prev = NULL;

   while (start) {
      current = ast_duplicate_ha(start);  /* Create copy of this object */
      if (prev) {
         prev->next = current;           /* Link previous to this object */
      }

      if (!ret) {
         ret = current;                  /* Save starting point */
      }

      start = start->next;                /* Go to next object */
      prev = current;                     /* Save pointer to this object */
   }
   return ret;                             /* Return start of list */
}
int ast_find_ourip ( struct in_addr *  ourip,
struct sockaddr_in  bindaddr 
)

Find our IP address.

This function goes through many iterations in an attempt to find our IP address. If any step along the way should fail, we move to the next item in the list. Here are the steps taken:

  • If bindaddr has a non-zero IP address, that is copied into ourip
  • We use a combination of gethostname and ast_gethostbyname to find our IP address.
  • We use ast_ouraddrfor with 198.41.0.4 as the destination IP address
  • We try some platform-specific socket operations to find the IP address
Parameters:
[out]ouripOur IP address is written here when it is found
bindaddrA hint used for finding our IP. See the steps above for more details
Return values:
0Success
-1Failure

Definition at line 512 of file acl.c.

References ast_debug, ast_gethostbyname(), ast_log(), ast_ouraddrfor(), get_local_address(), hp, inet_aton(), LOG_WARNING, MAXHOSTNAMELEN, and ourhost.

Referenced by __oh323_rtp_create(), gtalk_create_candidates(), jingle_create_candidates(), load_module(), and reload_config().

{
   char ourhost[MAXHOSTNAMELEN] = "";
   struct ast_hostent ahp;
   struct hostent *hp;
   struct in_addr saddr;

   /* just use the bind address if it is nonzero */
   if (ntohl(bindaddr.sin_addr.s_addr)) {
      memcpy(ourip, &bindaddr.sin_addr, sizeof(*ourip));
      ast_debug(3, "Attached to given IP address\n");
      return 0;
   }
   /* try to use our hostname */
   if (gethostname(ourhost, sizeof(ourhost) - 1)) {
      ast_log(LOG_WARNING, "Unable to get hostname\n");
   } else {
      if ((hp = ast_gethostbyname(ourhost, &ahp))) {
         memcpy(ourip, hp->h_addr, sizeof(*ourip));
         ast_debug(3, "Found one IP address based on local hostname %s.\n", ourhost);
         return 0;
      }
   }
   ast_debug(3, "Trying to check A.ROOT-SERVERS.NET and get our IP address for that connection\n");
   /* A.ROOT-SERVERS.NET. */
   if (inet_aton("198.41.0.4", &saddr) && !ast_ouraddrfor(&saddr, ourip)) {
      return 0;
   }
   return get_local_address(ourip);
}
void ast_free_ha ( struct ast_ha ha)

Free a list of HAs.

Given the head of a list of HAs, it and all appended HAs are freed

Parameters:
haThe head of the list of HAs to free
Return values:
void

Definition at line 217 of file acl.c.

References ast_free, and ast_ha::next.

Referenced by __init_manager(), add_calltoken_ignore(), build_callno_limits(), build_peer(), build_user(), destroy_gateway(), oh323_destroy_peer(), oh323_destroy_user(), peer_destructor(), reload_config(), sip_destroy_peer(), unload_module(), and user_destructor().

{
   struct ast_ha *hal;
   while (ha) {
      hal = ha;
      ha = ha->next;
      ast_free(hal);
   }
}
int ast_get_ip ( struct sockaddr_in *  sin,
const char *  value 
)

Get the IP address given a hostname.

Similar in nature to ast_gethostbyname, except that instead of getting an entire hostent structure, you instead are given only the IP address inserted into a sockaddr_in structure.

Parameters:
[out]sinThe IP address is written into sin->sin_addr
valueThe hostname to look up
Return values:
0Success
-1Failure

Definition at line 477 of file acl.c.

References ast_get_ip_or_srv().

Referenced by build_gateway(), build_peer(), build_user(), config_parse_variables(), and peer_set_srcaddr().

{
   return ast_get_ip_or_srv(sin, value, NULL);
}
int ast_get_ip_or_srv ( struct sockaddr_in *  sin,
const char *  value,
const char *  service 
)

Get the IP address given a hostname and optional service.

If the service parameter is non-NULL, then an SRV lookup will be made by prepending the service to the value parameter, separated by a '.' For example, if value is "example.com" and service is "_sip._udp" then an SRV lookup will be done for "_sip._udp.example.com". If service is NULL, then this function acts exactly like a call to ast_get_ip.

Parameters:
[out]sinThe IP address is written into sin->sin_addr
valueThe hostname to look up
serviceA specific service provided by the host. A NULL service results in an A-record lookup instead of an SRV lookup
Return values:
0Success
-1Failure

Definition at line 375 of file acl.c.

References ast_get_srv(), ast_gethostbyname(), ast_log(), hp, and LOG_WARNING.

Referenced by ast_dnsmgr_lookup(), ast_get_ip(), create_addr(), dnsmgr_refresh(), and proxy_update().

{
   struct hostent *hp;
   struct ast_hostent ahp;
   char srv[256];
   char host[256];
   int tportno = ntohs(sin->sin_port);
   if (service) {
      snprintf(srv, sizeof(srv), "%s.%s", service, value);
      if (ast_get_srv(NULL, host, sizeof(host), &tportno, srv) > 0) {
         sin->sin_port = htons(tportno);
         value = host;
      }
   }
   if ((hp = ast_gethostbyname(value, &ahp))) {
      sin->sin_family = hp->h_addrtype;
      memcpy(&sin->sin_addr, hp->h_addr, sizeof(sin->sin_addr));
   } else {
      ast_log(LOG_WARNING, "Unable to lookup '%s'\n", value);
      return -1;
   }
   return 0;
}
int ast_lookup_iface ( char *  iface,
struct in_addr *  address 
)

Find an IP address associated with a specific interface.

Given an interface such as "eth0" we find the primary IP address associated with it using the SIOCGIFADDR ioctl. If the ioctl call should fail, we populate address with 0s.

Note:
This function is not actually used anywhere
Parameters:
ifaceThe interface name whose IP address we wish to find
[out]addressThe interface's IP address is placed into this param
Return values:
-1Failure. address is filled with 0s
0Success
int ast_ouraddrfor ( struct in_addr *  them,
struct in_addr *  us 
)

Get our local IP address when contacting a remote host.

This function will attempt to connect(2) to them over UDP using a source port of 5060. If the connect(2) call is successful, then we inspect the sockaddr_in output parameter of connect(2) to determine the IP address used to connect to them. This IP address is then copied into us.

Parameters:
themThe IP address to which we wish to attempt to connect
[out]usThe source IP address used to connect to them
Return values:
-1Failure
0Success

Definition at line 482 of file acl.c.

References ast_debug, ast_log(), LOG_ERROR, LOG_WARNING, and s.

Referenced by ast_find_ourip(), ast_sip_ouraddrfor(), build_gateway(), and find_subchannel_and_lock().

{
   int s;
   struct sockaddr_in sin;
   socklen_t slen;

   if ((s = socket(PF_INET, SOCK_DGRAM, 0)) < 0) {
      ast_log(LOG_ERROR, "Cannot create socket\n");
      return -1;
   }
   sin.sin_family = AF_INET;
   sin.sin_port = htons(5060);
   sin.sin_addr = *them;
   if (connect(s, (struct sockaddr *)&sin, sizeof(sin))) {
      ast_log(LOG_WARNING, "Cannot connect\n");
      close(s);
      return -1;
   }
   slen = sizeof(sin);
   if (getsockname(s, (struct sockaddr *)&sin, &slen)) {
      ast_log(LOG_WARNING, "Cannot get socket name\n");
      close(s);
      return -1;
   }
   close(s);
   ast_debug(3, "Found IP address for this socket\n");
   *us = sin.sin_addr;
   return 0;
}
int ast_str2cos ( const char *  value,
unsigned int *  cos 
)

Convert a string to the appropriate COS value.

Parameters:
valueThe COS string to convert
[out]cosThe integer representation of that COS value
Return values:
-1Failure
0Success

Definition at line 430 of file acl.c.

Referenced by config_parse_variables(), reload_config(), and set_config().

{
   int fval;

   if (sscanf(value, "%30d", &fval) == 1) {
      if (fval < 8) {
          *cos = fval;
          return 0;
      }
   }

   return -1;
}
int ast_str2tos ( const char *  value,
unsigned int *  tos 
)

Convert a string to the appropriate TOS value.

Parameters:
valueThe TOS string to convert
[out]tosThe integer representation of that TOS value
Return values:
-1Failure
0Success

Definition at line 444 of file acl.c.

References ARRAY_LEN, name, and dscp_codepoint::space.

Referenced by config_parse_variables(), iax_template_parse(), reload_config(), and set_config().

{
   int fval;
   unsigned int x;

   if (sscanf(value, "%30i", &fval) == 1) {
      *tos = fval & 0xFF;
      return 0;
   }

   for (x = 0; x < ARRAY_LEN(dscp_pool1); x++) {
      if (!strcasecmp(value, dscp_pool1[x].name)) {
         *tos = dscp_pool1[x].space << 2;
         return 0;
      }
   }

   return -1;
}
const char* ast_tos2str ( unsigned int  tos)

Convert a TOS value into its string representation.

Parameters:
tosThe TOS value to look up
Returns:
The string equivalent of the TOS value

Definition at line 464 of file acl.c.

References ARRAY_LEN, dscp_codepoint::name, and dscp_codepoint::space.

Referenced by sip_show_settings().

{
   unsigned int x;

   for (x = 0; x < ARRAY_LEN(dscp_pool1); x++) {
      if (dscp_pool1[x].space == (tos >> 2)) {
         return dscp_pool1[x].name;
      }
   }

   return "unknown";
}