[Serusers] prevent INVITE without REGISTERing
Miklos Tirpak
miklos at iptel.org
Thu Jul 13 16:53:13 CEST 2006
İlker Aktuna (Koç.net) wrote:
>
>
> Hi,
>
> Thanks for your answer.
> I see in my logs that both %$registered_host and %si are the same but
> if (!avp_equals_xl("$registered_host", "%si"))
>
> fails !
>
> I also tried :
> if (!avp_equals_xl("%$registered_host", "%si"))
>
> But it also failed.
>
> Any idea why ?
try this one:
if (!avp_equals_xl("registered_host", "%si"))
>
> Could it be that they are different types of variables ? IP address and
> text ?
no, both of them have string values
Miklos
>
> Thanks,
> ilker
>
> -----Original Message-----
> From: Miklos Tirpak [mailto:miklos at iptel.org]
> Sent: Wednesday, July 12, 2006 6:45 PM
> To: İlker Aktuna (Koç.net)
> Cc: serusers at iptel.org
> Subject: Re: [Serusers] prevent INVITE without REGISTERing
>
> İlker Aktuna (Koç.net) wrote:
> >
> >
> >
> > Thanks,
> >
> > That configuration is accepted but now my "registered" client is
> > denied at both following lines:
> >
> > if (!lookup_user("From")) {
>
> check if the From HF is the same in the INVITE as the To HF in the
> REGISTER, and check the uri table in your database
>
> > if ((!avp_equals_xl("$registered_host", "%si") ||
> > !avp_equals_xl("$registered_port", "%sp"))) {
> >
> > How can I print $registered_host to log ?
>
> xlog("L_ERR", "registered_host = %$registered_host \n");
>
> > I can print %si with xlog().
>
> I guess
> xlog("L_ERR", "src ip = %si \n");
>
> Miklos
>
> >
> > Thanks,
> > ilker
> >
> >
> > -----Original Message-----
> > From: Miklos Tirpak [mailto:miklos at iptel.org]
> > Sent: Wednesday, July 12, 2006 4:01 PM
> > To: İlker Aktuna (Koç.net)
> > Cc: serusers at iptel.org
> > Subject: Re: [Serusers] prevent INVITE without REGISTERing
> >
> > İlker Aktuna (Koç.net) wrote:
> > >
> > >
> > > Thanks Miklos,
> > >
> > > I think this is just what I'm looking for.
> > > But I get some errors for this line:
> > > if ((src_ip != @ruri.host) || (src_port != @ruri.port)) {
> >
> > You can access src_ip and src_port via xl_lib:
> >
> > $registered_host = @ruri.host;
> > $registered_port = @ruri.port;
> >
> > if ((!avp_equals_xl("$registered_host", "%si"))
> > || (!avp_equals_xl("$registered_port", "%sp"))) {
> > ...
> >
> > Miklos
> >
> > >
> > > 0(30074) parse error (175,16-17): syntax error
> > > 0(30074) parse error (175,16-17): ip address or hostname expected
> > > 0(30074) parse error (175,16-17): bad command
> > > 0(30074) parse error (175,21-22): bad command
> > > 0(30074) parse error (175,21-22): bad command
> > > 0(30074) parse error (175,26-27): bad command
> > > 0(30074) parse error (175,26-27): bad command
> > > 0(30074) parse error (175,28-30): bad command
> > > 0(30074) parse error (175,31-32): bad command
> > > 0(30074) parse error (175,32-40): bad command
> > > 0(30074) parse error (175,41-43): bad command
> > > 0(30074) parse error (175,44-45): bad command
> > > 0(30074) parse error (175,49-50): bad command
> > > 0(30074) parse error (175,49-50): bad command
> > > 0(30074) parse error (175,54-55): bad command
> > > 0(30074) parse error (175,54-55): bad command
> > > 0(30074) parse error (175,55-56): bad command
> > > 0(30074) parse error (175,57-58): bad command
> > >
> > > Any idea why ?
> > >
> > > Thanks,
> > > ilker
> > >
> > > -----Original Message-----
> > > From: Miklos Tirpak [mailto:miklos at iptel.org]
> > > Sent: Wednesday, July 12, 2006 11:58 AM
> > > To: İlker Aktuna (Koç.net)
> > > Cc: serusers at iptel.org
> > > Subject: Re: [Serusers] prevent INVITE without REGISTERing
> > >
> > > Hi Ilker,
> > >
> > > just my first idea, not tested:
> > >
> > >
> > > 1. lookup the From HF
> > >
> > > if (!lookup_user("From")) {
> > > # reject the INVITE
> > > ...
> > > }
> > >
> > > 2. save original To UID and Request URI
> > >
> > > $orig_to_uid = $tu.uid;
> > > $orig_req_uri = @ruri;
> > >
> > > 3. set To UID -- registrar module will use this in the lookup
> > >
> > > $tu.uid = $fu.uid;
> > >
> > > 4. lookup From HF and compare the source address of the INVITE with
> > > the source address of the REGISTER message
> > >
> > > if (lookup("location")) {
> > >     if ((src_ip != @ruri.host) || (src_port != @ruri.port)) {
> > >         # reject the INVITE
> > >         ...
> > >     }
> > >     # restore original To UID and Request URI
> > >     $tu.uid = $orig_to_uid;
> > >     attr2uri("$orig_req_uri");
> > > } else {
> > >     # reject the INVITE
> > >     ...
> > > }
> > >
> > > Note, that the above solution is a bit ugly, you can get into troubles
> > > when the user registers multiple contact addresses. It is better to
> > > disable branches (see append_branches parameter in registrar module),
> > > but you lose some functionality.
> > >
> > > Regards,
> > > Miklos
> > >
> > > İlker Aktuna (Koç.net) wrote:
> > > >
> > > > Hi everyone,
> > > >
> > > > I am still trying to find a solution to this problem. (but couldn't
> > > > find yet)
> > > > Victor was trying to help me but I think he's not able to reply
> > > > these days.
> > > >
> > > > Is there any idea to achieve what I need.
> > > >
> > > > Thanks,
> > > > ilker
> > > >
> > > >
> > > > ------------------------------------------------------------------------
> > > > *From:* serusers-bounces at lists.iptel.org
> > > > [mailto:serusers-bounces at lists.iptel.org] *On Behalf Of *İlker Aktuna (Koç.net)
> > > > *Sent:* Tuesday, July 11, 2006 1:41 PM
> > > > *To:* Victor Stanescu
> > > > *Cc:* serusers at iptel.org
> > > > *Subject:* RE: [Serusers] prevent INVITE without REGISTERing
> > > >
> > > > Hi,
> > > >
> > > > What if my proxy does not handle authenticating INVITE messages ?
> > > >
> > > > In that case I think the best way is to lookup location table for
> > > > the source URI.
> > > > If the source URI location matches the location in that table then
> > > > we must permit INVITE message.
> > > > How can I configure this ?
> > > >
> > > > Thanks,
> > > > ilker
> > > >
> > > > -----Original Message-----
> > > > From: serusers-bounces at lists.iptel.org
> > > > [mailto:serusers-bounces at lists.iptel.org] On Behalf Of Victor Stanescu
> > > > Sent: Monday, July 10, 2006 1:49 PM
> > > > Cc: serusers at iptel.org
> > > > Subject: Re: [Serusers] prevent INVITE without REGISTERing
> > > >
> > > > Please read "domain" instead of "gtstelecom.ro":
> > > > www_authorize("domain", "subscriber") and
> > > > proxy_authorize("domain", "subscriber"), otherwise the code
> > > > fragment will not be correct. I forgot to replace with a generic name.
> > > >
> > > > Victor Stanescu wrote:
> > > > > I think it is easier to force him to authenticate the INVITE. If
> > > > > he is able to authenticate the INVITE, why do you care if he is
> > > > > registered or not?
> > > > >
> > > > > if (method=="REGISTER") {
> > > > >     if(!src_ip=="other") {
> > > > >         if (!www_authorize("gtstelecom.ro", "subscriber")) {
> > > > >             www_challenge("domain", "0");
> > > > >             break;
> > > > >         };
> > > > >         save("location");
> > > > >         log("Replicating REGISTER\n");
> > > > >         t_replicate("other", "5060");
> > > > >     } else {
> > > > >         save("location");
> > > > >     };
> > > > >     break;
> > > > > } else {
> > > > >     # this is an INVITE
> > > > >     if (!proxy_authorize("gtstelecom.ro", "subscriber")) {
> > > > >         proxy_challenge("domain", "1");
> > > > >         break;
> > > > >     };
> > > > >     # route the call
> > > > >     ...
> > > > > };
> > > > >
> > > > > İlker Aktuna (Koç.net) wrote:
> > > > >>
> > > > >> Hi all,
> > > > >>
> > > > >> Is it possible to prevent any user calling without registering ?
> > > > >> What is the best way to do this ?
> > > > >> I guess I'll have to check if the source URI exists in location
> > > > >> table.
> > > > >> What is the easiest way to do this ?
> > > > >>
> > > > >> If there is a more robust way to do it, please suggest...
> > > > >>
> > > > >> Thanks,
> > > > >> ilker
> > > > >>
> > > > >>
> > > >
> > > >
> > > >
> >
> >
> >
>
>
>
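The check discussed in this thread, modelled in Python as an added example (not code from the thread or from SER): an INVITE is accepted only when its source address matches a binding the caller saved with REGISTER. The `LOCATION` table, the function names and the sample addresses are constructed assumptions; `check_first_contact` models comparing against the single contact left in the Request-URI after the lookup, which is where the multiple-contact trouble mentioned above shows up, and a missing Contact port is treated as the SIP default 5060.

```python
import re

# Constructed sample location table: caller UID -> Contact URIs saved by REGISTER.
LOCATION = {
    "alice": ["sip:alice@192.0.2.10:5060",
              "sip:alice@192.0.2.20:5062;transport=udp"],
    "bob": ["sip:bob@198.51.100.7"],  # no port given: SIP default 5060 applies
}

# sip:[user@]host[:port], stopping before any ;params or ?headers
_URI = re.compile(r"^sip:(?:[^@]+@)?(\[[^\]]+\]|[^:;?]+)(?::(\d+))?")


def contact_hostport(uri):
    """Return (host, port) as strings; the port defaults to "5060"."""
    m = _URI.match(uri.strip())
    if not m:
        raise ValueError("not a sip: URI: %r" % uri)
    return m.group(1).lower(), m.group(2) or "5060"


def check_first_contact(uid, src_ip, src_port):
    """Compare the source with one contact only (assumed: the first binding)."""
    contacts = LOCATION.get(uid)
    if not contacts:
        return False  # caller has no registration: reject the INVITE
    return contact_hostport(contacts[0]) == (src_ip.lower(), str(src_port))


def check_any_contact(uid, src_ip, src_port):
    """Accept when the source matches any registered binding of the caller."""
    src = (src_ip.lower(), str(src_port))
    return any(contact_hostport(c) == src for c in LOCATION.get(uid, []))


if __name__ == "__main__":
    # alice calling from her second registered device
    print(check_first_contact("alice", "192.0.2.20", 5062))  # rejected
    print(check_any_contact("alice", "192.0.2.20", 5062))    # accepted
```

Both sides are compared as strings, as in the `avp_equals_xl` comparison, so the port must be normalised before comparing.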