Hello,
please keep the list in CC.
Let’s look into the two issues one by one:
> 1) I had to explicitly configure the parameter:
> modparam("permissions", "mask_col", "mask")
> Although the documentation suggests "mask" is the default - the JSON output
> from "kamctl address dump" did not output this value on K5.5. (On K5.3 it
> outputted properly)
Do you get an error if you do not specify the mask_col like this, or something
else? From the source code the default should be “mask”.
> When I run the "kamcmd permissions.subnetDump" on Kamailio 5.3, it returns
> everything as expected - including the 0.0.0.0/0 subnets.
> However, when running the same commands on Kamailio 5.5, it only returns a
> small subset (of only 20) subnets/groups - and the selection does not appear to
> follow a logical selection criteria.
> Additionally, it does not return any groups with a 0.0.0.0/0
> subnet either.
It seems that the behaviour has changed regarding the “0” subnet, check out the
docs:
https://kamailio.org/docs/modules/devel/modules/permissions.html#permissions.p.mask_col
It will convert them to 32/128 respectively. Can you see a 0.0.0.0/32 in your
dump?
This was changed in commit f376c82a9f8 during an extension for text files.
Maybe Daniel can comment here if this was done on purpose.
Otherwise, you can open an issue on our tracker about it.
Cheers,
Henning
--
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com
From: Tom Dworakowski <[email protected]>
Sent: Tuesday, September 14, 2021 5:00 PM
To: Henning Westerholt <[email protected]>
Subject: Re: [SR-Users] Empty Subnets in Permissions Module
Hello Henning,
Thank you for looking into this for me.
I made two interesting discoveries this morning:
1) I had to explicitly configure the parameter:
modparam("permissions", "mask_col", "mask")
Although the documentation suggests "mask" is the default - the JSON output
from "kamctl address dump" did not output this value on K5.5. (On K5.3 it
outputted properly)
2)
When I run the "kamcmd permissions.subnetDump" on Kamailio 5.3, it returns
everything as expected - including the 0.0.0.0/0 subnets.
However, when running the same commands on Kamailio 5.5, it only returns a
small subset (of only 20) subnets/groups - and the selection does not appear to
follow a logical selection criteria.
Additionally, it does not return any groups with a 0.0.0.0/0
subnet either.
From my logs - I have noted this:
Sep 14 03:07:25 webrtc kamailio[5407]: 0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4353, 0.0.0.0, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]: 0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <3769, 0.0.0.0, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]: 0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4355, 0.0.0.0, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]: 0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4359, 0.0.0.0, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]: 0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <1955, 84.XX.XX.66, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]: 0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4361, 91.X.X.231, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]: 0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4361, 91.X.X.33, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]: 0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4361, 91.X.X.34, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]: 0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4363, 80.X.X.25, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]: 0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4363, 85.X.X.124, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]: 0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4363, 212.X.X.19, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]: 0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4365, 0.0.0.0, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]: 0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4367, 0.0.0.0, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]: 0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <4371, 0.0.0.0, 0> inserted into address hash table
Sep 14 03:07:25 webrtc kamailio[5407]: 0(5407) DEBUG: permissions [address.c:118]: reload_address_insert(): Tuple <3991, 0.0.0.0, 0> inserted into address hash table
At the moment of querying group id 3983 (where there is only 0.0.0.0/0), the
function returns false:
DEBUG: permissions [address.c:671]: allow_source_address(): looking for <3983, [IPv4 in hex, reversed octet order], 62281>
However, none of those addresses appear in the "kamcmd permissions.subnetDump"
output.
Moreover, if "my" group has the address 0.0.0.0/0 listed as
an approved address - it will fail the test; but if I register
0.0.0.0/1 it will let me through (as my IP is < 128.0.0.0),
kamcmd permissions.subnetDump will display this address.
My thoughts are that there might be another table that is not being populated -
or there is a filter during the import that either drops
0.0.0.0/0 or filters it out completely?
Regards, Tom
On Tue, Sep 14, 2021 at 4:10 AM Henning Westerholt <[email protected]> wrote:
Hello Tom,
I’ve done a quick comparison of the main function and the called function. At
first view they looked identical, but I looked only a few levels deep.
Do you maybe have some means to reproduce this on a test system? Then it would
probably be interesting to look at the DEBUG logging of these cases. Maybe you
can compare if you spot some obvious differences in the logic.
Cheers,
Henning
From: sr-users <[email protected]> On Behalf Of Tom Dworakowski
Sent: Tuesday, September 14, 2021 4:10 AM
To: [email protected]
Subject: [SR-Users] Empty Subnets in Permissions Module
Greetings all!
I have two deployments of Kamailio: one running version 5.3 and one 5.5 with
practically identical configurations, same (MySQL and REDIS) data sources.
We have customers that we assign an ACL "group" to, where the ID of this group
resolves to records in the "address" table in our MySQL database - using the
"grp" field.
On the box running Kamailio 5.5, we have noticed that if a group has
ip_addr=0.0.0.0, mask=0, port=0 - and we try to run the allow_source_address()
- it will return false, thus failing this phase of the authentication process.
However, on Kamailio 5.3 we are not seeing this issue, i.e. if a customer is
assigned a group where the ACL is 0.0.0.0/0 - it will let him
through.
Has something changed that I'm not aware of?
Any suggestions on how to resolve this?
My best, Tom
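The mask handling discussed in this thread, as an added example that is not part of the original messages or of Kamailio's code: it compares the two readings of mask=0 (whole address space versus the 32/128 conversion Henning describes) and lists the ACL rows whose coverage changes. The row layout, the function names and every value except group 3983 are constructed assumptions.

```python
import ipaddress

# Constructed sample rows (grp, ip_addr, mask) shaped like the "address" table
# described in the thread; only group 3983 is taken from the messages.
ROWS = [
    (3983, "0.0.0.0", 0),        # the "allow any" ACL from the thread
    (4000, "0.0.0.0", 1),        # the /1 entry Tom reports as still matching
    (4001, "192.0.2.10", 32),    # ordinary host entry
    (4002, "::", 0),             # IPv6 counterpart of "allow any"
]

def effective_network(ip_addr, mask, zero_is_host):
    """Return the network a row covers under one reading of mask 0."""
    addr = ipaddress.ip_address(ip_addr)
    if mask == 0 and zero_is_host:
        mask = addr.max_prefixlen          # 32 for IPv4, 128 for IPv6
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def allows(rows, grp, src, zero_is_host):
    """True if any row of group grp covers the source address src."""
    src = ipaddress.ip_address(src)
    for row_grp, ip_addr, mask in rows:
        if row_grp != grp:
            continue
        net = effective_network(ip_addr, mask, zero_is_host)
        if src.version == net.version and src in net:
            return True
    return False

def audit(rows):
    """List rows whose covered range differs between the two readings."""
    changed = []
    for grp, ip_addr, mask in rows:
        old = effective_network(ip_addr, mask, zero_is_host=False)
        new = effective_network(ip_addr, mask, zero_is_host=True)
        if old != new:
            changed.append((grp, str(old), str(new)))
    return changed

if __name__ == "__main__":
    for grp, old, new in audit(ROWS):
        print(f"group {grp}: {old} becomes {new}")
```

Running an audit like this over an export of the address table before an upgrade shows which groups would stop matching, so each one can be reviewed rather than discovered through failed authentication.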