On 24 Mar 2010, at 16:48, Karl Fife wrote:

>>> Steve Edwards wrote:
>>>
>>>> It may not be as intended, but from a "user" standpoint, it seems
>>>> logical and convenient to establish "policy" in [general] and make
>>>> exceptions in the entities as needed.
>>>
>>> Right... for when you have one policy. When you have two policies, each
>>> that apply to a dozen or more entries in the config file, then it really
>>> doesn't help, it harms. Templates solve that problem completely, because
>>> each policy can be its own (named!) template, and they can be combined.
>>> Since templates are also very easy to use for the single policy case,
>>> they are a better solution to teach people (and they're also easier to
>>> implement in the configuration code of the module).
>>>
>>> In other modules created since chan_sip, we've intentionally avoided
>>> this problem, and you'll note that in nearly every other module, the
>>> [general] section is exactly that; general settings for the module, and
>>> not defaults.
>>
>> In my NACL work, I implemented a channel-wide NACL for blacklist purposes.
>
> Can you talk more about this? Were your Named ACLs something other than
> templates?
>
> What was/were the specific 'pain point/s' you were trying to assuage? For
> example did you need something not currently offered in the existing
> frameworks, for example DNS-resolved hostnames for permitting/restricting
> registration/connection? Or were you just doing a
> clever/elaborate/well-implemented setup of the existing frameworks?
>
> I for one would love to hear your 10,000 foot concepts and any details you'd
> be willing to share.

Well, I've written several mails and blog entries about this. Many discussions about security in Asterisk have ended with the need for a new concept for ACLs, something that can be manipulated by Asterisk using the C API, by using manager and the CLI.

So currently, it's a framework. You can create a named ACL that is used by multiple devices or SIP trunks.
In the future, we have the API to build all kinds of blacklist/whitelist functions. And I'm open for input on what's needed here. Now we have the framework to build on.

http://www.voip-forum.com/asterisk/2010-01/manageable-access-control-lists-asterisk-nacls/
http://svnview.digium.com/svn/asterisk/team/oej/deluxepine-1.4/README.nacl

It's something I'm working on just for fun, so it moves slowly forward.

/O
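
The template approach argued for in the quoted reply above, shown as an added example that is not part of the original thread: two named ACL policies and a codec policy defined as chan_sip templates and combined per device, with [general] left for module-wide settings. All section names, addresses (documentation ranges) and secrets are constructed placeholders.

```ini
; sip.conf (chan_sip) - constructed example, not taken from the thread

[general]
; Module-wide settings only; no per-device "policy" lives here.
bindport=5060
allowguest=no

; Policy 1: devices that may only connect from the office LAN.
; The "(!)" marks the section as a template, so no device is created from it.
[office-acl](!)
deny=0.0.0.0/0.0.0.0
permit=192.0.2.0/255.255.255.0

; Policy 2: devices that may only connect from the remote site.
[remote-acl](!)
deny=0.0.0.0/0.0.0.0
permit=198.51.100.0/255.255.255.0

; A separate, independent policy for codecs.
[g711-only](!)
disallow=all
allow=ulaw
allow=alaw

; Settings common to every phone.
[phone-base](!)
type=friend
host=dynamic
qualify=yes

; Each device names the policies that apply to it; templates are combined
; in the order listed.
[1001](phone-base,office-acl,g711-only)
secret=CHANGE_ME_1001

[1002](phone-base,remote-acl,g711-only)
secret=CHANGE_ME_1002

; A per-device exception stays local to the device section.
[1003](phone-base,office-acl,g711-only)
secret=CHANGE_ME_1003
permit=203.0.113.10/255.255.255.255
```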
