Hello.
And sorry for my English :)

https://issues.asterisk.org/jira/browse/ASTERISK-24890

I am continuing to migrate from Asterisk 11 to 13.2 and continue to face compatibility problems. chan_sip has a very good ability to limit registration for a particular PEER to a specified set of IP addresses. I have not found such an option in res_pjsip. ACL offers only limits on the IP packet or contact, without being tied to a particular endpoint. Because only some endpoints require registration restrictions by IP, with version 13.2 all registrations are unprotected, insecure.
I propose to implement an option to specify the endpoint in the ACL section.

Studying the implementation of res_pjsip_acl and chan_sip, I came to the conclusion that it would be much easier to add a new named option "acl" in the endpoint section. But this is prevented by the fact that the res_pjsip module (endpoint) knows nothing about res_pjsip_acl (pjsip ACL). Using ACLs only from acl.conf is a bad idea, because the ACL sections in pjsip.conf were made for a reason :)

So, the only way left: zero to many ENDPOINTs can be associated with an ACL object.
Where should the ACL test code be placed?
- in acl_on_rx_msg (res_pjsip_acl)
- in registrar_on_rx_request (res_pjsip_registrar). Oh, that would be the best place, but nothing is known about the ACL there either.

res_pjsip_acl can parse ACLs and register them with the name format 'endpoint_<endpoint_name>_<acl_name>'. registrar_on_rx_request can then test ACLs with names like 'endpoint_<endpoint_name>_%'. And of course acl_on_rx_msg should ignore ACLs which are bound to endpoints.

What do you think about this implementation? Maybe there is a better approach?

Dmitriy Serov
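
The naming scheme proposed in the message above, modelled as a stand-alone C sketch: this is an added example, not code from the post or from Asterisk. The function names `global_acl_allows` and `registrar_acl_allows`, the IPv4-only rule format, the rule semantics and all sample data are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample data. Assumed semantics of this model: rules run in
 * order, last match wins, default allow; any selected ACL can reject. */
struct rule { int permit; const char *net; int bits; };
struct acl  { const char *name; struct rule rules[2]; int nrules; };
static const struct acl acls[] = {
    { "blocklist",             { { 0, "203.0.113.0", 24 } }, 1 },
    { "endpoint_alice_office", { { 0, "0.0.0.0", 0 }, { 1, "192.0.2.0", 24 } }, 2 },
};
#define NACLS (sizeof(acls) / sizeof(acls[0]))

static int acl_allows(const struct acl *acl, uint32_t ip)
{
    int allow = 1;
    for (int i = 0; i < acl->nrules; i++) {
        const struct rule *r = &acl->rules[i];
        uint32_t mask = r->bits ? 0xFFFFFFFFu << (32 - r->bits) : 0;
        struct in_addr net;
        if (inet_pton(AF_INET, r->net, &net) == 1 &&
            (ip & mask) == (ntohl(net.s_addr) & mask))
            allow = r->permit;
    }
    return allow;
}
/* Apply ACLs whose name starts with prefix (want_bound=1) or does not (0). */
static int check(const char *prefix, int want_bound, const char *src)
{
    struct in_addr a;
    if (inet_pton(AF_INET, src, &a) != 1) return 0; /* unparsable: reject */
    for (size_t i = 0; i < NACLS; i++) {
        int bound = strncmp(acls[i].name, prefix, strlen(prefix)) == 0;
        if (bound == want_bound && !acl_allows(&acls[i], ntohl(a.s_addr)))
            return 0;
    }
    return 1;
}
/* Role of acl_on_rx_msg in the proposal: ignore endpoint-bound ACLs. */
int global_acl_allows(const char *src) { return check("endpoint_", 0, src); }
/* Role of registrar_on_rx_request: only 'endpoint_<endpoint_name>_%' ACLs. */
int registrar_acl_allows(const char *endpoint, const char *src)
{
    char prefix[128];
    int n = snprintf(prefix, sizeof(prefix), "endpoint_%s_", endpoint);
    if (n < 0 || n >= (int)sizeof(prefix)) return 0; /* truncated: fail closed */
    return check(prefix, 1, src);
}
```

Because the lookup is a plain prefix match, `endpoint_alice_` also selects ACLs registered for an endpoint named `alice_2`, so the scheme needs a separator that cannot occur in endpoint names.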
