<div dir="ltr">Hello all!<div><br></div><div>I have a scenario here where I need to put more than two companies into the same Kamailio server and to accomplish this I'm using a multi-domain configuration.</div><div><br></div><div>For now, I am able to create users in different domains and register all of them. The users are able to place and receive internal calls (as I am using this just to get internal communications working), so I am ok with this part of my configuration.</div><div><br></div><div>The problem that I'm facing now is that users from domain "A" are able to place calls to users from domain "B". I need to deny calls between different domains, and I don't know the best way to achieve this.</div><div><br></div><div>Here are my domains create (output from "kamctl domain show"):</div><div><br></div><div><div>domain:: <a href="http://enterprise.com">enterprise.com</a></div><div><span class="" style="white-space:pre"> </span>did:: <a href="http://enterprise.com">enterprise.com</a></div><div>domain:: <a href="http://enterprise2.com">enterprise2.com</a></div><div><span class="" style="white-space:pre"> </span>did:: <a href="http://enterprise2.com">enterprise2.com</a></div></div><div><br></div><div><br></div><div>And here are my users created:</div><div><br></div><div>username: bob<br></div><div>domain: <a href="http://enterprise.com">enterprise.com</a></div><div><br></div><div>username: alice</div><div>domain: <a href="http://enterprise2.com">enterprise2.com</a></div><div><br></div><div><br></div><div>So, can you please help me to get this?</div><div><br></div><div><br></div><div>Here is my .cfg file:</div><div><br></div><div><br></div><div><div>#!KAMAILIO</div><div>#!define WITH_PGSQL</div><div>#!define WITH_AUTH</div><div>#!define WITH_USRLOCDB</div><div>##!define WITH_NAT</div><div>##!define WITH_DEBUG</div><div>#!define WITH_MULTIDOMAIN</div><div>##!define WITH_SIPTRACE</div><div>#!define WITH_SQLOPS</div><div>#!define WITH_XMLRPC</div><div>##!define WITH_603</div><div>#!define WITH_TLS</div><div>#</div><div><br></div><div><br></div><div>#!substdef "!MY_WS_PORT!80!g"</div><div>#!substdef "!MY_WSS_PORT!81!g"</div><div>#!substdef "!MY_WS_ADDR!eth1:MY_WS_PORT!g"</div><div>#!substdef "!MY_WSS_ADDR!tls:eth1:MY_WSS_PORT!g"</div><div><br></div><div>#!define WITH_WEBSOCKETS</div><div><br></div><div><br></div><div>#!ifdef ACCDB_COMMENT</div><div> ALTER TABLE acc ADD COLUMN src_user VARCHAR(64) NOT NULL DEFAULT '';</div><div> ALTER TABLE acc ADD COLUMN src_domain VARCHAR(128) NOT NULL DEFAULT '';</div><div> ALTER TABLE acc ADD COLUMN src_ip varchar(64) NOT NULL default '';</div><div> ALTER TABLE acc ADD COLUMN dst_ouser VARCHAR(64) NOT NULL DEFAULT '';</div><div> ALTER TABLE acc ADD COLUMN dst_user VARCHAR(64) NOT NULL DEFAULT '';</div><div> ALTER TABLE acc ADD COLUMN dst_domain VARCHAR(128) NOT NULL DEFAULT '';</div><div> ALTER TABLE missed_calls ADD COLUMN src_user VARCHAR(64) NOT NULL DEFAULT '';</div><div> ALTER TABLE missed_calls ADD COLUMN src_domain VARCHAR(128) NOT NULL DEFAULT '';</div><div> ALTER TABLE missed_calls ADD COLUMN src_ip varchar(64) NOT NULL default '';</div><div> ALTER TABLE missed_calls ADD COLUMN dst_ouser VARCHAR(64) NOT NULL DEFAULT '';</div><div> ALTER TABLE missed_calls ADD COLUMN dst_user VARCHAR(64) NOT NULL DEFAULT '';</div><div> ALTER TABLE missed_calls ADD COLUMN dst_domain VARCHAR(128) NOT NULL DEFAULT '';</div><div>#!endif</div><div><br></div><div>####### Include Local Config If Exists #########</div><div>import_file "kamailio-local.cfg"</div><div><br></div><div>####### Defined Values #########</div><div><br></div><div># *** Value defines - IDs used later in config</div><div>#!ifdef WITH_PGSQL</div><div># - database URL - used to connect to database server by modules such</div><div># as: auth_db, acc, usrloc, a.s.o.</div><div>#!define DBURL "postgres://kamailio:kamailiorw@localhost/kamailio"</div><div>#!endif</div><div>#!ifdef WITH_MULTIDOMAIN</div><div># - the value for 'use_domain' parameters</div><div>#!define MULTIDOMAIN 1</div><div>#!else</div><div>#!define MULTIDOMAIN 0</div><div>#!endif</div><div><br></div><div># - flags</div><div># FLT_ - per transaction (message) flags</div><div># FLB_ - per branch flags</div><div>#!define FLT_ACC 1</div><div>#!define FLT_ACCMISSED 2</div><div>#!define FLT_ACCFAILED 3</div><div>#!define FLT_NATS 5</div><div><br></div><div>#!define FLB_NATB 6</div><div>#!define FLB_NATSIPPING 7</div><div><br></div><div>####### Global Parameters #########</div><div><br></div><div>### LOG Levels: 3=DBG, 2=INFO, 1=NOTICE, 0=WARN, -1=ERR</div><div>#!ifdef WITH_DEBUG</div><div>debug=4</div><div>log_stderror=yes</div><div>#!else</div><div>debug=2</div><div>log_stderror=no</div><div>#!endif</div><div><br></div><div><br></div><div>memdbg=5</div><div>memlog=5</div><div><br></div><div>log_facility=LOG_LOCAL0</div><div><br></div><div>fork=yes</div><div>children=4</div><div><br></div><div>/* uncomment the next line to disable TCP (default on) */</div><div>disable_tcp=no</div><div>tcp_accept_no_cl=yes</div><div><br></div><div>/* uncomment the next line to disable the auto discovery of local aliases</div><div> based on reverse DNS on IPs (default on) */</div><div>#auto_aliases=no</div><div><br></div><div>/* add local domain aliases */</div><div>#alias="<a href="http://sip.mydomain.com">sip.mydomain.com</a>"</div><div><br></div><div>/* uncomment and configure the following line if you want Kamailio to</div><div> bind on a specific interface/port/proto (default bind on all available) */</div><div>#listen=udp:<a href="http://10.0.0.10:5060">10.0.0.10:5060</a></div><div><br></div><div>/* port to listen to</div><div> * - can be specified more than once if needed to listen on many ports */</div><div>port=5060</div><div><br></div><div>#!ifdef WITH_TLS</div><div>enable_tls=yes</div><div>#!endif</div><div><br></div><div># life time of TCP connection when there is no traffic</div><div># - a bit higher than registration expires to cope with UA behind NAT</div><div>tcp_connection_lifetime=3605</div><div>tcp_rd_buf_size=6144</div><div><br></div><div>listen=eth1</div><div>#!ifdef WITH_WEBSOCKETS</div><div>listen=MY_WS_ADDR</div><div>#!ifdef WITH_TLS</div><div>listen=eth1</div><div>#!endif</div><div>#!endif</div><div><br></div><div>####### Custom Parameters #########</div><div><br></div><div># These parameters can be modified runtime via RPC interface</div><div># - see the documentation of 'cfg_rpc' module.</div><div>#</div><div># Format: <a href="http://group.id">group.id</a> = value 'desc' description</div><div># Access: $sel(<a href="http://cfg_get.group.id">cfg_get.group.id</a>) or @<a href="http://cfg_get.group.id">cfg_get.group.id</a></div><div>#</div><div><br></div><div>#!ifdef WITH_PSTN</div><div># PSTN GW Routing</div><div>#</div><div># - pstn.gw_ip: valid IP or hostname as string value, example:</div><div># pstn.gw_ip = "10.0.0.101" desc "My PSTN GW Address"</div><div>#</div><div># - by default is empty to avoid misrouting</div><div>pstn.gw_ip = "" desc "PSTN GW Address"</div><div>pstn.gw_port = "" desc "PSTN GW Port"</div><div>#!endif</div><div><br></div><div>#!ifdef WITH_VOICEMAIL</div><div># VoiceMail Routing on offline, busy or no answer</div><div>#</div><div># - by default Voicemail server IP is empty to avoid misrouting</div><div>voicemail.srv_ip = "" desc "VoiceMail IP Address"</div><div>voicemail.srv_port = "5060" desc "VoiceMail Port"</div><div>#!endif</div><div><br></div><div>####### Modules Section ########</div><div><br></div><div># set paths to location of modules (to sources or installation folders)</div><div>#!ifdef WITH_SRCPATH</div><div>mpath="modules/"</div><div>#!else</div><div>mpath="/usr/lib/x86_64-linux-gnu/kamailio/modules/"</div><div>#!endif</div><div><br></div><div>#!ifdef WITH_PGSQL</div><div>loadmodule "db_postgres.so"</div><div>#!endif</div><div><br></div><div>loadmodule "mi_fifo.so"</div><div>loadmodule "kex.so"</div><div>loadmodule "corex.so"</div><div>loadmodule "tm.so"</div><div>loadmodule "tmx.so"</div><div>loadmodule "sl.so"</div><div>loadmodule "rr.so"</div><div>loadmodule "pv.so"</div><div>loadmodule "maxfwd.so"</div><div>loadmodule "usrloc.so"</div><div>loadmodule "registrar.so"</div><div>loadmodule "textops.so"</div><div>loadmodule "siputils.so"</div><div>loadmodule "xlog.so"</div><div>loadmodule "sanity.so"</div><div>loadmodule "ctl.so"</div><div>loadmodule "cfg_rpc.so"</div><div>loadmodule "mi_rpc.so"</div><div>loadmodule "acc.so"</div><div><br></div><div>#!ifdef WITH_AUTH</div><div>loadmodule "auth.so"</div><div>loadmodule "auth_db.so"</div><div>#!ifdef WITH_IPAUTH</div><div>loadmodule "permissions.so"</div><div>#!endif</div><div>#!endif</div><div><br></div><div>#!ifdef WITH_ALIASDB</div><div>loadmodule "alias_db.so"</div><div>#!endif</div><div><br></div><div>#!ifdef WITH_SPEEDDIAL</div><div>loadmodule "speeddial.so"</div><div>#!endif</div><div><br></div><div>#!ifdef WITH_MULTIDOMAIN</div><div>loadmodule "domain.so"</div><div>#!endif</div><div><br></div><div>#!ifdef WITH_PRESENCE</div><div>loadmodule "presence.so"</div><div>loadmodule "presence_xml.so"</div><div>#!endif</div><div><br></div><div>#!ifdef WITH_NAT</div><div>loadmodule "nathelper.so"</div><div>loadmodule "rtpproxy.so"</div><div>#!endif</div><div><br></div><div>#!ifdef WITH_TLS</div><div>loadmodule "tls.so"</div><div>#!endif</div><div><br></div><div>#!ifdef WITH_ANTIFLOOD</div><div>loadmodule "htable.so"</div><div>loadmodule "pike.so"</div><div>#!endif</div><div><br></div><div>#!ifdef WITH_XMLRPC</div><div>loadmodule "xmlrpc.so"</div><div>#!endif</div><div><br></div><div>#!ifdef WITH_DEBUG</div><div>loadmodule "debugger.so"</div><div>#!endif</div><div><br></div><div>#!ifdef WITH_SIPTRACE</div><div>loadmodule "siptrace.so"</div><div>#!endif</div><div><br></div><div>#!ifdef WITH_SQLOPS</div><div>loadmodule "sqlops.so"</div><div>#!endif</div><div><br></div><div>#!ifdef WITH_WEBSOCKETS</div><div>loadmodule "xhttp.so"</div><div>loadmodule "websocket.so"</div><div>loadmodule "nathelper.so"</div><div>#!endif</div><div><br></div><div># ----------------- setting module-specific parameters ---------------</div><div><br></div><div># ---- sip_trace params ----</div><div>#!ifdef WITH_SIPTRACE</div><div>modparam("siptrace", "db_url", "postgres://kamailio:kamailiorw@localhost/kamailio")</div><div>modparam("siptrace", "trace_on", 1)</div><div>modparam("siptrace", "trace_flag", 22)</div><div>modparam("siptrace", "trace_sl_acks", 0)</div><div>#!endif</div><div><br></div><div># ----- mi_fifo params -----</div><div>modparam("mi_fifo", "fifo_name", "/tmp/kamailio_fifo")</div><div><br></div><div><br></div><div># ----- tm params -----</div><div># auto-discard branches from previous serial forking leg</div><div>modparam("tm", "failure_reply_mode", 3)</div><div># default retransmission timeout: 30sec</div><div>modparam("tm", "fr_timer", 30000)</div><div># default invite retransmission timeout after 1xx: 120sec</div><div>modparam("tm", "fr_inv_timer", 120000)</div><div><br></div><div># add value to ;lr param to cope with most of the UAs</div><div>modparam("rr", "enable_full_lr", 1)</div><div># do not append from tag to the RR (no need for this script)</div><div>modparam("rr", "append_fromtag", 0)</div><div><br></div><div><br></div><div># ----- registrar params -----</div><div>modparam("registrar", "method_filtering", 1)</div><div>/* uncomment the next line to disable parallel forking via location */</div><div># modparam("registrar", "append_branches", 0)</div><div>/* uncomment the next line not to allow more than 10 contacts per AOR */</div><div>#modparam("registrar", "max_contacts", 10)</div><div># max value for expires of registrations</div><div>modparam("registrar", "max_expires", 300)</div><div>modparam("registrar", "min_expires", 30)</div><div># set it to 1 to enable GRUU</div><div>modparam("registrar", "gruu_enabled", 0)</div><div><br></div><div><br></div><div># ----- acc params -----</div><div>/* what special events should be accounted ? */</div><div>modparam("acc", "early_media", 0)</div><div>modparam("acc", "report_ack", 0)</div><div>modparam("acc", "report_cancels", 0)</div><div>/* by default ww do not adjust the direct of the sequential requests.</div><div> if you enable this parameter, be sure the enable "append_fromtag"</div><div> in "rr" module */</div><div>modparam("acc", "detect_direction", 0)</div><div>/* account triggers (flags) */</div><div>modparam("acc", "log_flag", FLT_ACC)</div><div>modparam("acc", "log_missed_flag", FLT_ACCMISSED)</div><div>modparam("acc", "log_extra",</div><div> "src_user=$fU;src_domain=$fd;src_ip=$si;"</div><div> "dst_ouser=$tU;dst_user=$rU;dst_domain=$rd")</div><div>modparam("acc", "failed_transaction_flag", FLT_ACCFAILED)</div><div>/* enhanced DB accounting */</div><div>#!ifdef WITH_ACCDB</div><div>modparam("acc", "db_flag", FLT_ACC)</div><div>modparam("acc", "db_missed_flag", FLT_ACCMISSED)</div><div>modparam("acc", "db_url", DBURL)</div><div>modparam("acc", "db_extra",</div><div> "src_user=$fU;src_domain=$fd;src_ip=$si;"</div><div> "dst_ouser=$tU;dst_user=$rU;dst_domain=$rd")</div><div>#!endif</div><div><br></div><div><br></div><div># ----- usrloc params -----</div><div>/* enable DB persistency for location entries */</div><div>#!ifdef WITH_USRLOCDB</div><div>modparam("usrloc", "db_url", DBURL)</div><div>modparam("usrloc", "db_mode", 2)</div><div>modparam("usrloc", "use_domain", MULTIDOMAIN)</div><div>#!endif</div><div><br></div><div><br></div><div># ----- auth_db params -----</div><div>#!ifdef WITH_AUTH</div><div>modparam("auth_db", "db_url", DBURL)</div><div>modparam("auth_db", "calculate_ha1", 0)</div><div>#modparam("auth_db", "password_column", "password")</div><div>modparam("auth_db", "load_credentials", "")</div><div>modparam("auth_db", "use_domain", MULTIDOMAIN)</div><div>#modparam("auth_db", "use_domain", 1)</div><div><br></div><div># ----- permissions params -----</div><div>#!ifdef WITH_IPAUTH</div><div>modparam("permissions", "db_url", DBURL)</div><div>modparam("permissions", "db_mode", 1)</div><div>#!endif</div><div><br></div><div>#!endif</div><div><br></div><div><br></div><div># ----- alias_db params -----</div><div>#!ifdef WITH_ALIASDB</div><div>modparam("alias_db", "db_url", DBURL)</div><div>modparam("alias_db", "use_domain", MULTIDOMAIN)</div><div>#!endif</div><div><br></div><div><br></div><div># ----- speeddial params -----</div><div>#!ifdef WITH_SPEEDDIAL</div><div>modparam("speeddial", "db_url", DBURL)</div><div>modparam("speeddial", "use_domain", MULTIDOMAIN)</div><div>#!endif</div><div><br></div><div><br></div><div># ----- domain params -----</div><div>#!ifdef WITH_MULTIDOMAIN</div><div>modparam("domain", "db_url", DBURL)</div><div># register callback to match myself condition with domains list</div><div>modparam("domain", "register_myself", 1)</div><div>#!endif</div><div><br></div><div><br></div><div>#!ifdef WITH_PRESENCE</div><div># ----- presence params -----</div><div>modparam("presence", "db_url", DBURL)</div><div><br></div><div># ----- presence_xml params -----</div><div>modparam("presence_xml", "db_url", DBURL)</div><div>modparam("presence_xml", "force_active", 1)</div><div>#!endif</div><div><br></div><div><br></div><div>#!ifdef WITH_NAT</div><div># ----- rtpproxy params -----</div><div>modparam("rtpproxy", "rtpproxy_sock", "udp:<a href="http://127.0.0.1:7722">127.0.0.1:7722</a>")</div><div># ----- nathelper params -----</div><div>modparam("nathelper", "natping_interval", 30)</div><div>modparam("nathelper", "ping_nated_only", 1)</div><div>modparam("nathelper", "sipping_bflag", FLB_NATSIPPING)</div><div>modparam("nathelper", "sipping_from", "<a href="mailto:sip%3Apinger@kamailio.org">sip:pinger@kamailio.org</a>")</div><div><br></div><div># params needed for NAT traversal in other modules</div><div>modparam("nathelper|registrar", "received_avp", "$avp(RECEIVED)")</div><div>modparam("usrloc", "nat_bflag", FLB_NATB)</div><div>#!endif</div><div><br></div><div><br></div><div>#!ifdef WITH_TLS</div><div># ----- tls params -----</div><div>modparam("tls", "connection_timeout", 60)</div><div>modparam("tls", "tls_debug", 10)</div><div>modparam("tls", "config", "/usr/local/etc/kamailio/tls.cfg")</div><div>#modparam("tls", "verify_certificate", 1)</div><div>#modparam("tls", "require_certificate", 0)</div><div>#!endif</div><div><br></div><div>#!ifdef WITH_ANTIFLOOD</div><div># ----- pike params -----</div><div>modparam("pike", "sampling_time_unit", 2)</div><div>modparam("pike", "reqs_density_per_unit", 16)</div><div>modparam("pike", "remove_latency", 4)</div><div><br></div><div># ----- htable params -----</div><div># ip ban htable with autoexpire after 5 minutes</div><div>modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")</div><div>#!endif</div><div><br></div><div>#!ifdef WITH_XMLRPC</div><div># ----- xmlrpc params -----</div><div>modparam("xmlrpc", "route", "XMLRPC");</div><div>modparam("xmlrpc", "url_match", "^/RPC")</div><div>#!endif</div><div><br></div><div>#!ifdef WITH_DEBUG</div><div># ----- debugger params -----</div><div>modparam("debugger", "cfgtrace", 1)</div><div>#!endif</div><div><br></div><div><br></div><div>#!ifdef WITH_WEBSOCKETS</div><div># ----- nathelper params -----</div><div>modparam("nathelper|registrar", "received_avp", "$avp(RECEIVED)")</div><div># Note: leaving NAT pings turned off here as nathelper is _only_ being used for</div><div># WebSocket connections. NAT pings are not needed as WebSockets have</div><div># their own keep-alives.</div><div>#!endif</div><div><br></div><div><br></div><div><br></div><div>####### Routing Logic ########</div><div><br></div><div># Main SIP request routing logic</div><div># - processing of any incoming SIP request starts with this route</div><div># - note: this is the same as route { ... }</div><div>request_route {</div><div><br></div><div> route(REQINIT);</div><div><br></div><div><br></div><div> #!ifdef WITH_SIPTRACE</div><div> if($hdr(X-Omnz-SipTrace) !=$null)</div><div> {</div><div> sip_trace();</div><div> setflag(22);</div><div> }</div><div> #!endif</div><div><br></div><div><br></div><div>#!ifdef WITH_WEBSOCKETS</div><div> if (nat_uac_test(64)) {</div><div> # Do NAT traversal stuff for requests from a WebSocket</div><div> # connection - even if it is not behind a NAT!</div><div> # This won't be needed in the future if Kamailio and the</div><div> # WebSocket client support Outbound and Path.</div><div> force_rport();</div><div> if (is_method("REGISTER"))</div><div> fix_nated_register();</div><div> else {</div><div> if (!add_contact_alias()) {</div><div> xlog("L_ERR", "Error aliasing contact <$ct>\n");</div><div> sl_send_reply("400", "Bad Request");</div><div> exit;</div><div> }</div><div> }</div><div> }</div><div>#!endif</div><div><br></div><div><br></div><div> # NAT detection</div><div> route(NATDETECT);</div><div><br></div><div> # CANCEL processing</div><div> if (is_method("CANCEL"))</div><div> {</div><div> if (t_check_trans()) {</div><div> route(RELAY);</div><div> }</div><div> exit;</div><div> }</div><div><br></div><div> # handle requests within SIP dialogs</div><div> route(WITHINDLG);</div><div><br></div><div> ### only initial requests (no To tag)</div><div><br></div><div> t_check_trans();</div><div><br></div><div> # authentication</div><div> route(AUTH);</div><div><br></div><div> # record routing for dialog forming requests (in case they are routed)</div><div> # - remove preloaded route headers</div><div> remove_hf("Route");</div><div> if (is_method("INVITE|SUBSCRIBE"))</div><div> record_route();</div><div><br></div><div> # account only INVITEs</div><div> if (is_method("INVITE"))</div><div> {</div><div> setflag(FLT_ACC); # do accounting</div><div> }</div><div><br></div><div> # dispatch requests to foreign domains</div><div> route(SIPOUT);</div><div><br></div><div> ### requests for my local domains</div><div><br></div><div> # handle presence related requests</div><div> route(PRESENCE);</div><div><br></div><div><br></div><div> # handle registrations</div><div> route(REGISTRAR);</div><div><br></div><div> if ($rU==$null)</div><div> {</div><div> # request with no Username in RURI</div><div> sl_send_reply("484","Address Incomplete");</div><div> exit;</div><div> }</div><div><br></div><div> # dispatch destinations to PSTN</div><div> route(PSTN);</div><div><br></div><div> # user location service</div><div> route(LOCATION);</div><div>}</div><div><br></div><div><br></div><div>route[RELAY] {</div><div><br></div><div> # enable additional event routes for forwarded requests</div><div> # - serial forking, RTP relaying handling, a.s.o.</div><div><br></div><div><br></div><div><span class="" style="white-space:pre"> </span>#!ifdef WITH_603</div><div> <span class="" style="white-space:pre"> </span>if (is_method("INVITE")) {</div><div> <span class="" style="white-space:pre"> </span>if($hdr(X-Omz-int-Id) ==$null)</div><div> {</div><div> # request with no Username in RURI</div><div> sl_send_reply("603","Declined");</div><div> exit;</div><div> } </div><div><span class="" style="white-space:pre"> </span>}</div><div> #!endif</div><div><br></div><div><br></div><div><br></div><div> if (is_method("INVITE|BYE|SUBSCRIBE|UPDATE")) {</div><div> if(!t_is_set("branch_route")) t_on_branch("MANAGE_BRANCH");</div><div> }</div><div> if (is_method("INVITE|SUBSCRIBE|UPDATE")) {</div><div> if(!t_is_set("onreply_route")) t_on_reply("MANAGE_REPLY");</div><div> }</div><div> if (is_method("INVITE")) {</div><div> if(!t_is_set("failure_route")) t_on_failure("MANAGE_FAILURE");</div><div> }</div><div><br></div><div> if (!t_relay()) {</div><div> sl_reply_error();</div><div> }</div><div> exit;</div><div>}</div><div><br></div><div><br></div><div># Per SIP request initial checks</div><div>route[REQINIT] {</div><div>#!ifdef WITH_ANTIFLOOD</div><div> # flood dection from same IP and traffic ban for a while</div><div> # be sure you exclude checking trusted peers, such as pstn gateways</div><div> # - local host excluded (e.g., loop to self)</div><div> if(src_ip!=myself)</div><div> {</div><div> if($sht(ipban=>$si)!=$null)</div><div> {</div><div> # ip is already blocked</div><div> xdbg("request from blocked IP - $rm from $fu (IP:$si:$sp)\n");</div><div> exit;</div><div> }</div><div> if (!pike_check_req())</div><div> {</div><div> xlog("L_ALERT","ALERT: pike blocking $rm from $fu (IP:$si:$sp)\n");</div><div> $sht(ipban=>$si) = 1;</div><div> exit;</div><div> }</div><div> }</div><div>#!endif</div><div><br></div><div> if (!mf_process_maxfwd_header("10")) {</div><div> sl_send_reply("483","Too Many Hops");</div><div> exit;</div><div> }</div><div><br></div><div> if(!sanity_check("1511", "7"))</div><div> {</div><div> xlog("Malformed SIP message from $si:$sp\n");</div><div> exit;</div><div> }</div><div>}</div><div><br></div><div><br></div><div># Handle requests within SIP dialogs</div><div>route[WITHINDLG] {</div><div> if (has_totag()) {</div><div> # sequential request withing a dialog should</div><div> # take the path determined by record-routing</div><div> if (loose_route()) {</div><div><br></div><div><br></div><div>#!ifdef WITH_WEBSOCKETS</div><div> if ($du == "") {</div><div> if (!handle_ruri_alias()) {</div><div> xlog("L_ERR", "Bad alias <$ru>\n");</div><div> sl_send_reply("400", "Bad Request");</div><div> exit;</div><div> }</div><div> }</div><div>#!endif</div><div><br></div><div><br></div><div><br></div><div> route(DLGURI);</div><div> if (is_method("BYE")) {</div><div> setflag(FLT_ACC); # do accounting ...</div><div> setflag(FLT_ACCFAILED); # ... even if the transaction fails</div><div> }</div><div> else if ( is_method("ACK") ) {</div><div> # ACK is forwarded statelessy</div><div> route(NATMANAGE);</div><div> }</div><div> else if ( is_method("NOTIFY") ) {</div><div> # Add Record-Route for in-dialog NOTIFY as per RFC 6665.</div><div> record_route();</div><div> }</div><div> route(RELAY);</div><div> } else {</div><div> if (is_method("SUBSCRIBE") && uri == myself) {</div><div> # in-dialog subscribe requests</div><div> route(PRESENCE);</div><div> exit;</div><div> }</div><div> if ( is_method("ACK") ) {</div><div> if ( t_check_trans() ) {</div><div> # no loose-route, but stateful ACK;</div><div> # must be an ACK after a 487</div><div> # or e.g. 404 from upstream server</div><div> route(RELAY);</div><div> exit;</div><div> } else {</div><div> # ACK without matching transaction ... ignore and discard</div><div> exit;</div><div> }</div><div> }</div><div> sl_send_reply("404","Not here");</div><div> }</div><div> exit;</div><div> }</div><div>}</div><div><br></div><div># Handle SIP registrations</div><div>route[REGISTRAR] {</div><div> if (is_method("REGISTER"))</div><div> {</div><div> if(isflagset(FLT_NATS))</div><div> {</div><div> setbflag(FLB_NATB);</div><div> # uncomment next line to do SIP NAT pinging </div><div> ## setbflag(FLB_NATSIPPING);</div><div> }</div><div> if (!save("location"))</div><div> sl_reply_error();</div><div><br></div><div> exit;</div><div> }</div><div>}</div><div><br></div><div># USER location service</div><div>route[LOCATION] {</div><div><br></div><div>#!ifdef WITH_SPEEDDIAL</div><div> # search for short dialing - 2-digit extension</div><div> if($rU=~"^[0-9][0-9]$")</div><div> if(sd_lookup("speed_dial"))</div><div> route(SIPOUT);</div><div>#!endif</div><div><br></div><div>#!ifdef WITH_ALIASDB</div><div> # search in DB-based aliases</div><div> if(alias_db_lookup("dbaliases"))</div><div> route(SIPOUT);</div><div>#!endif</div><div><br></div><div> $avp(oexten) = $rU;</div><div> if (!lookup("location")) {</div><div> $var(rc) = $rc;</div><div> route(TOVOICEMAIL);</div><div> t_newtran();</div><div> switch ($var(rc)) {</div><div> case -1:</div><div> case -3:</div><div> send_reply("404", "Not Found");</div><div> exit;</div><div> case -2:</div><div> send_reply("405", "Method Not Allowed");</div><div> exit;</div><div> }</div><div> }</div><div><br></div><div> # when routing via usrloc, log the missed calls also</div><div> if (is_method("INVITE"))</div><div> {</div><div> setflag(FLT_ACCMISSED);</div><div> }</div><div><br></div><div> route(RELAY);</div><div> exit;</div><div>}</div><div><br></div><div># Presence server route</div><div>route[PRESENCE] {</div><div> if(!is_method("PUBLISH|SUBSCRIBE"))</div><div> return;</div><div><br></div><div>#!ifdef WITH_PRESENCE</div><div> if (!t_newtran())</div><div> {</div><div> sl_reply_error();</div><div> exit;</div><div> };</div><div><br></div><div> if(is_method("PUBLISH"))</div><div> {</div><div> handle_publish();</div><div> t_release();</div><div> }</div><div> else</div><div> if( is_method("SUBSCRIBE"))</div><div> {</div><div> handle_subscribe();</div><div> t_release();</div><div> }</div><div> exit;</div><div>#!endif</div><div><br></div><div> # if presence enabled, this part will not be executed</div><div> if (is_method("PUBLISH") || $rU==$null)</div><div> {</div><div> sl_send_reply("404", "Not here");</div><div> exit;</div><div> }</div><div> return;</div><div>}</div><div><br></div><div># Authentication route</div><div>route[AUTH] {</div><div>#!ifdef WITH_AUTH</div><div><br></div><div>#!ifdef WITH_IPAUTH</div><div> if((!is_method("REGISTER")) && allow_source_address())</div><div> {</div><div> # source IP allowed</div><div> return;</div><div> }</div><div>#!endif</div><div><br></div><div> if (is_method("REGISTER") || from_uri==myself)</div><div> {</div><div> # authenticate requests</div><div> if (!auth_check("$fd", "subscriber", "1")) {</div><div> auth_challenge("$fd", "0");</div><div> exit;</div><div> }</div><div> # user authenticated - remove auth header</div><div> if(!is_method("REGISTER|PUBLISH"))</div><div> consume_credentials();</div><div> }</div><div> # if caller is not local subscriber, then check if it calls</div><div> # a local destination, otherwise deny, not an open relay here</div><div> if (from_uri!=myself && uri!=myself)</div><div> {</div><div> sl_send_reply("403","Not relaying");</div><div> exit;</div><div> }</div><div><br></div><div>#!endif</div><div> return;</div><div>}</div><div><br></div><div># Caller NAT detection route</div><div>route[NATDETECT] {</div><div>#!ifdef WITH_NAT</div><div> force_rport();</div><div> if (nat_uac_test("19")) {</div><div> if (is_method("REGISTER")) {</div><div> fix_nated_register();</div><div> } else {</div><div> add_contact_alias();</div><div> }</div><div> setflag(FLT_NATS);</div><div> }</div><div>#!endif</div><div> return;</div><div>}</div><div><br></div><div># RTPProxy control</div><div>route[NATMANAGE] {</div><div>#!ifdef WITH_NAT</div><div> if (is_request()) {</div><div> if(has_totag()) {</div><div> if(check_route_param("nat=yes")) {</div><div> setbflag(FLB_NATB);</div><div> }</div><div> }</div><div> }</div><div> if (!(isflagset(FLT_NATS) || isbflagset(FLB_NATB)))</div><div> return;</div><div><br></div><div> rtpproxy_manage("co");</div><div><br></div><div> if (is_request()) {</div><div> if (!has_totag()) {</div><div> if(t_is_branch_route()) {</div><div> add_rr_param(";nat=yes");</div><div> }</div><div> }</div><div> }</div><div> if (is_reply()) {</div><div> if(isbflagset(FLB_NATB)) {</div><div> add_contact_alias();</div><div> }</div><div> }</div><div>#!endif</div><div> return;</div><div>}</div><div><br></div><div># URI update for dialog requests</div><div>route[DLGURI] {</div><div>#!ifdef WITH_NAT</div><div> if(!isdsturiset()) {</div><div> handle_ruri_alias();</div><div> }</div><div>#!endif</div><div> return;</div><div>}</div><div><br></div><div># Routing to foreign domains</div><div>route[SIPOUT] {</div><div> if (!uri==myself)</div><div> {</div><div> append_hf("P-hint: outbound\r\n");</div><div> route(RELAY);</div><div> }</div><div>}</div><div><br></div><div># PSTN GW routing</div><div>route[PSTN] {</div><div>#!ifdef WITH_PSTN</div><div> # check if PSTN GW IP is defined</div><div> if (strempty($sel(cfg_get.pstn.gw_ip))) {</div><div> xlog("SCRIPT: PSTN rotuing enabled but pstn.gw_ip not defined\n");</div><div> return;</div><div> }</div><div><br></div><div> # route to PSTN dialed numbers starting with '+' or '00'</div><div> # (international format)</div><div> # - update the condition to match your dialing rules for PSTN routing</div><div> if(!($rU=~"^(\+|00)[1-9][0-9]{3,20}$"))</div><div> return;</div><div><br></div><div> # only local users allowed to call</div><div> if(from_uri!=myself) {</div><div> sl_send_reply("403", "Not Allowed");</div><div> exit;</div><div> }</div><div><br></div><div> if (strempty($sel(cfg_get.pstn.gw_port))) {</div><div> $ru = "sip:" + $rU + "@" + $sel(cfg_get.pstn.gw_ip);</div><div> } else {</div><div> $ru = "sip:" + $rU + "@" + $sel(cfg_get.pstn.gw_ip) + ":"</div><div> + $sel(cfg_get.pstn.gw_port);</div><div> }</div><div><br></div><div> route(RELAY);</div><div> exit;</div><div>#!endif</div><div><br></div><div> return;</div><div>}</div><div><br></div><div># XMLRPC routing</div><div>#!ifdef WITH_XMLRPC</div><div>route[XMLRPC] {</div><div> # allow XMLRPC from localhost</div><div> if ((method=="POST" || method=="GET")</div><div> && (src_ip==127.0.0.1)) {</div><div> # close connection only for xmlrpclib user agents (there is a bug in</div><div> # xmlrpclib: it waits for EOF before interpreting the response).</div><div> if ($hdr(User-Agent) =~ "xmlrpclib")</div><div> set_reply_close();</div><div> set_reply_no_connect();</div><div> dispatch_rpc();</div><div> exit;</div><div> }</div><div> send_reply("403", "Forbidden");</div><div> exit;</div><div>}</div><div>#!endif</div><div><br></div><div># route to voicemail server</div><div>route[TOVOICEMAIL] {</div><div>#!ifdef WITH_VOICEMAIL</div><div> if(!is_method("INVITE"))</div><div> return;</div><div><br></div><div> # check if VoiceMail server IP is defined</div><div> if (strempty($sel(cfg_get.voicemail.srv_ip))) {</div><div> xlog("SCRIPT: VoiceMail rotuing enabled but IP not defined\n");</div><div> return;</div><div> }</div><div> if($avp(oexten)==$null)</div><div> return;</div><div><br></div><div> $ru = "sip:" + $avp(oexten) + "@" + $sel(cfg_get.voicemail.srv_ip)</div><div> + ":" + $sel(cfg_get.voicemail.srv_port);</div><div> route(RELAY);</div><div> exit;</div><div>#!endif</div><div><br></div><div> return;</div><div>}</div><div><br></div><div># manage outgoing branches</div><div>branch_route[MANAGE_BRANCH] {</div><div> xdbg("new branch [$T_branch_idx] to $ru\n");</div><div> route(NATMANAGE);</div><div>}</div><div><br></div><div># manage incoming replies</div><div>onreply_route[MANAGE_REPLY] {</div><div> xdbg("incoming reply\n");</div><div> if(status=~"[12][0-9][0-9]")</div><div> route(NATMANAGE);</div><div>}</div><div><br></div><div># manage failure routing cases</div><div>failure_route[MANAGE_FAILURE] {</div><div> route(NATMANAGE);</div><div><br></div><div> if (t_is_canceled()) {</div><div> exit;</div><div> }</div><div><br></div><div>#!ifdef WITH_BLOCK3XX</div><div> # block call redirect based on 3xx replies.</div><div> if (t_check_status("3[0-9][0-9]")) {</div><div> t_reply("404","Not found");</div><div> exit;</div><div> }</div><div>#!endif</div><div><br></div><div>#!ifdef WITH_VOICEMAIL</div><div> # serial forking</div><div> # - route to voicemail on busy or no answer (timeout)</div><div> if (t_check_status("486|408")) {</div><div> $du = $null;</div><div> route(TOVOICEMAIL);</div><div> exit;</div><div> }</div><div>#!endif</div><div>}</div><div><br></div><div><br></div><div>#!ifdef WITH_WEBSOCKETS</div><div>onreply_route {</div><div> if (nat_uac_test(64)) {</div><div> # Do NAT traversal stuff for replies to a WebSocket connection</div><div> # - even if it is not behind a NAT!</div><div> # This won't be needed in the future if Kamailio and the</div><div> # WebSocket client support Outbound and Path.</div><div> add_contact_alias();</div><div> }</div><div>}</div><div><br></div><div>event_route[xhttp:request] {</div><div> set_reply_close();</div><div> set_reply_no_connect();</div><div><br></div><div> if ($Rp != MY_WS_PORT </div><div> </div><div> #!ifdef WITH_TLS</div><div> && $Rp != MY_WSS_PORT</div><div> #!endif</div><div> </div><div> ) {</div><div> xlog("L_WARN", "HTTP request received on $Rp\n");</div><div> xhttp_reply("403", "Forbidden", "", "");</div><div> exit;</div><div> }</div><div><br></div><div> xlog("L_DBG", "HTTP Request Received\n");</div><div><br></div><div> if ($hdr(Upgrade)=~"websocket"</div><div> && $hdr(Connection)=~"Upgrade"</div><div> && $rm=~"GET") {</div><div> xlog("L_DBG", "WebSocket\n");</div><div> xlog("L_DBG", " Host: $hdr(Host)\n");</div><div> xlog("L_DBG", " Origin: $hdr(Origin)\n");</div><div><br></div><div> if ($hdr(Host) == $null ) {</div><div> xlog("L_WARN", "Bad host $hdr(Host)\n");</div><div> xhttp_reply("403", "Forbidden", "", "");</div><div> exit;</div><div> }</div><div><br></div><div> # Optional... validate Origin</div><div> # Optional... perform HTTP authentication</div><div><br></div><div> # ws_handle_handshake() exits (no further configuration file</div><div> # processing of the request) when complete.</div><div> if (ws_handle_handshake())</div><div> {</div><div> # Optional... cache some information abou the</div><div> # successful connection</div><div> exit;</div><div> }</div><div> }</div><div><br></div><div> xhttp_reply("404", "Not found", "", "");</div><div>}</div><div><br></div><div>event_route[websocket:closed] {</div><div> xlog("L_INFO", "WebSocket connection from $si:$sp has closed\n");</div><div>}</div><div>#!endif</div></div><div><br></div><div><br></div><div><br></div><div><div><div class="gmail_signature"><div dir="ltr"><div></div></div></div></div>
</div></div>