Hi Fernando!

You're almost there!
The permissions module has the parameters default_allow_file
and default_deny_file, where you specify the file path for each of the allow
and deny files.
In each file you specify:
groupid as integer
address as string
netmask as optional integer
port as optional integer. If 0, then any port
tag as optional string

Ex.:

100 10.200.0.0 24 5060 all_the_range

If you set the above line in the allow file, it means that Kamailio will
accept SIP messages from any node in the 10.200.0.0/24 range.
If it is in the deny file, Kamailio will deny the same IP range.

As for the code, I usually do:

#!ifdef WITH_ACL
        # look up the source IP ($si) and source port ($sp) in the address groups
        $var(GROUPID) = allow_address_group($si, $sp);

        if ( $var(GROUPID) == 100 || !$var(GROUPID) ) {
                xlog("L_WARN", "INIT - $si:$sp is not in the allowed ACL Group ID !\n");
                # uncomment below if you wish to return SIP 401 error to non-allowed clients
                #sl_send_reply("401", "Address not allowed");
                exit;
        }

        if (is_method("OPTIONS") && $sht(evapistatus=>state) > 0 )
        {
            // reply to OPTIONS only if Kamailio has an EVAPI connection active
            sl_send_reply("200","OK");
            exit;
        }
#!endif

Where group ID 100 is a DENY group.
I use DB because it is way more flexible when you have 300 Kamailio
nodes... Also, the permissions module doesn't query the DB on every request;
in fact it loads the DB Permissions Table data into memory and refreshes it
every "reload_delta" parameter value. Having the data in DB is much easier,
IMHO.

Hope this helps!

Atenciosamente / Kind Regards / Cordialement / Un saludo,


*Sérgio Charrua*

*www.kahea.ai <http://www.kahea.ai> / www.voip.pt <http://www.voip.pt>*

*OpenTelecom* - Consulting for Telecoms, Lda

On Thu, Oct 23, 2025 at 6:59 PM Fernando Lopes via sr-users <
[email protected]> wrote:

> Hello everyone,
>
> I have a question: is there a way to whitelist and blacklist IP addresses
> without using a database table?
>
> I’m currently using the permissions module to block some traffic, but I’d
> also like to ban specific IPs. Ideally, I’d prefer not to use a database —
> I’d rather use a file-based approach, something like a permissions.allow
> file.
>
> Thank you.
> __________________________________________________________
> Kamailio - Users Mailing List - Non Commercial Discussions --
> [email protected]
> To unsubscribe send an email to [email protected]
> Important: keep the mailing list in the recipients, do not reply only to
> the sender!
>
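
An added example, not part of the original message and not Kamailio code: a Python linter and matcher for the file layout described in the reply above (groupid, address, optional netmask, port and tag), useful for checking an ACL file before it is deployed. The single-host default when the netmask is missing, `#` comments, first-match lookup, `None` for "no match" and rejecting host bits set outside the mask are assumptions of this example, not documented Kamailio behaviour.

```python
import ipaddress
from collections import namedtuple
from typing import Optional

DENY_GROUP = 100  # the reply above treats group ID 100 as the DENY group
# Constructed sample; the first line is the example line from the reply.
SAMPLE = "100 10.200.0.0 24 5060 all_the_range\n1 192.0.2.10 32 0 trusted_peer\n"

Entry = namedtuple("Entry", "group network port tag")  # port 0 means any port


def parse_acl(text: str) -> list:
    """Parse 'groupid address [netmask [port [tag]]]' lines, raising on bad ones."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # '#' comments are an assumption
        if not fields:
            continue
        try:
            if not 2 <= len(fields) <= 5:
                raise ValueError(f"expected 2-5 fields, got {len(fields)}")
            group = int(fields[0])
            # No netmask: assume one host. strict=True flags stray host bits.
            cidr = fields[1] + (f"/{int(fields[2])}" if len(fields) > 2 else "")
            network = ipaddress.ip_network(cidr, strict=True)
            port = int(fields[3]) if len(fields) > 3 else 0
            if not 0 <= port <= 65535:
                raise ValueError(f"port {port} out of range")
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        entries.append(Entry(group, network, port, fields[4] if len(fields) > 4 else ""))
    return entries


def lookup_group(entries, src_ip: str, src_port: int) -> Optional[int]:
    """Group ID of the first entry matching src_ip:src_port, or None (assumption)."""
    ip = ipaddress.ip_address(src_ip)
    for e in entries:
        if ip in e.network and e.port in (0, src_port):
            return e.group
    return None


def is_rejected(entries, src_ip: str, src_port: int) -> bool:
    """Reject when the source is in the DENY group or in no group at all."""
    return lookup_group(entries, src_ip, src_port) in (None, DENY_GROUP)
```

With the sample entries, a source in 10.200.0.0/24 on port 5061 matches no group because the entry is pinned to port 5060, so a port-specific line does not cover the rest of that host's ports.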