<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Thanks for this suggestion.<br>
<br>
I ended up replacing permissions module <code class="function">allow_source_address()
with sql queries. </code>Not sure how well it will scale but
seems to work ok on a test system. <br>
<code>In order to use allow_source_address() I would need to save
all returned IP addresses in the database. The problem with that
is it will not automatically update if DNS changes</code><code
class="function">. I still have not ruled out doing that if this
ends up bogging down when the server gets busy.<br>
<br>
Excessive DNS queries/delays do not appear to be a problem with
this because it is cached in Kamailio DNS resolver. It renews
every 120 seconds by default unless configured otherwise.<br>
<br>
You can view the contents of the dns resolver by running "kamcmd
dns.view". <br>
<br>
Here is the replaced IPAUTH section I created for anyone who may
be interested.<br>
<br>
modparam("sqlops", "sqlcon",
"kamailio=>unixodbc:///kamailio-connector")<br>
.<br>
.<br>
.<br>
#!ifdef WITH_IPAUTH<br>
if((!is_method("REGISTER")) && $au == "")<br>
{<br>
sql_query("kamailio", "SELECT ip_addr FROM address",
"ka");<br>
if($dbr(ka=>rows)>0)<br>
{<br>
$var(dnsname) = $null;<br>
$var(i) = 0;<br>
while($var(i)<$dbr(ka=>rows))<br>
{<br>
$var(dnsname) = $dbr(ka=>[$var(i),0]);<br>
if (dns_int_match_ip("$var(dnsname)", "$si"))<br>
{ <br>
# source IP allowed, leave the 'while'
parent loop.<br>
$var(i) = $dbr(ka=>rows);<br>
return;<br>
}<br>
$var(i) = $var(i) + 1;<br>
}<br>
return;<br>
}<br>
sql_result_free("ka"); <br>
return;<br>
} </code><br>
<br>
<br>
<div class="moz-cite-prefix">On 3/9/2015 4:27 AM, Daniel-Constantin
Mierla wrote:<br>
</div>
<blockquote cite="mid:54FD8395.6050505@gmail.com" type="cite">
<pre wrap="">Hello,
On 08/03/15 21:38, canuck15 wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Here is is the relevant section of kamailio.cfg
$var(tempfU) = $fU;
#!ifdef WITH_IPAUTH
if((!is_method("REGISTER")) && allow_source_address() && $au == "")
{
# Loading $fU from database using IP
sql_pvquery("elxpbx", "SELECT name FROM sip WHERE host = '$si'
AND sippasswd IS NULL", "$var(tempfU)");
# source IP allowed
return;
}
The problem is that when host= somefqdn.com the above will fail since
$si will always be an IP address as far as I can tell. More often
than not host= is a fqdn and requiring it to always be an IP address
is not an option. Converting it to IP before storing it in the DB is
also not an option because it needs to be able to work of the IP
address changes.
So how can the above be done to accomodate the possibility that host=
somefqdn.com or an IP address. Preferably in such a way that it can
scale to hundreds/thousands of rows in the database without slowing
things down or crashing.
</pre>
</blockquote>
<pre wrap="">
as first remark, note that permissions module can work with hostanmes in
the address table.
On the other hand, having what you want might not work. If you want to
test if a request comes from xyz.com, doing a dns query on xyz.com can
return a different IP than what was used for sending. If xyz.com has
many IP addresses associated with and they do load balancing, they are
usually returning just a subset of their IP addresses, not all of them.
In this case, the best is to discover the subnet addresses used by
xyz.com and store them in the address table, then use permissions in the
config.
Otherwise, you can try by doing a query and extract all hostnames from
the database with sqlops and then loop through them and test with the
functions from ipops module. You must have a fast dns server in order to
not slow down the processing in the case you have lots of hostnames.
Cheers,
Daniel
</pre>
</blockquote>
<br>
</body>
</html>