authorJonathan Rose <jrose@digium.com>2012-07-11 18:33:36 +0000
committerJonathan Rose <jrose@digium.com>2012-07-11 18:33:36 +0000
commit10afdf3a2abd7e45d5c1841b29744de5b852d722 (patch)
treeefd6960cc2e8a9f2642d8ac950904ba6c51371e9 /configs
parent6190ae4430f2bdfb02d2ce8f4941cd9b4e65f5a0 (diff)
Named ACLs: Introduces a system for creating and sharing ACLs
This patch adds Named ACL functionality to Asterisk. This allows system administrators to define an ACL and refer to it by a unique name. Configurable items can then refer to that name when specifying access control lists. It also includes updates to all core supported consumers of ACLs. That includes manager, chan_sip, and chan_iax2. This feature is based on the deluxepine-trunk by Olle E. Johansson and provides a subset of the Named ACL functionality implemented in that branch. For more information on this feature, see acl.conf and/or the Asterisk wiki. Review: https://reviewboard.asterisk.org/r/1978/ git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@369959 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat (limited to 'configs')
-rw-r--r--configs/acl.conf.sample86
-rw-r--r--configs/extconfig.conf.sample6
-rw-r--r--configs/iax.conf.sample11
-rw-r--r--configs/manager.conf.sample1
-rw-r--r--configs/sip.conf.sample10
5 files changed, 106 insertions, 8 deletions
diff --git a/configs/acl.conf.sample b/configs/acl.conf.sample
new file mode 100644
index 000000000..ca6906d4b
--- /dev/null
+++ b/configs/acl.conf.sample
@@ -0,0 +1,86 @@
+;
+; Named Access Control Lists (ACLs)
+;
+; A convenient way to share acl definitions
+;
+; This configuration file is read on startup
+;
+; CLI Commands
+; -----------------------------------------------------------
+; acl show Show all named ACLs configured
+; acl show <name> Show contents of a particular named ACL
+; reload acl Reload configuration file
+;
+;[general]
+;systemname=asterisksystem1 ; If a system name is specified, realtime
+; ; ACLs will only be retrieved if they have
+; ; a systemname field that matches this value.
+; ; If it's less blank, the field is ignored.
+;
+; Any configuration that uses ACLs which has been made to be able to use named
+; ACLs will specify a named ACL with the 'acl' option in its configuration in
+; a similar fashion to the usual 'permit' and 'deny' options. Example:
+; acl=my_named_acl
+;
+; Multiple named ACLs can be applied by either comma separating the arguments or
+; just by adding additional ACL lines. Example:
+; acl=my_named_acl
+; acl=my_named_acl2
+;
+; or
+;
+; acl=my_named_acl,my_named_acl2
+;
+; ACLs specified by name are evaluated independently from the ACL specified via
+; permit/deny. In order for an address to pass a given ACL, it must pass both
+; the ACL specified by permit/deny for a given item as well as any named ACLs
+; that were specified.
+;
+;[example_named_acl1]
+;deny=0.0.0.0/0.0.0.0
+;permit=209.16.236.0
+;permit=209.16.236.1
+;
+;[example_named_acl2]
+;permit=0.0.0.0/0.0.0.0
+;deny=10.24.20.171
+;deny=10.24.20.103
+;deny=209.16.236.1
+;
+; example_named_acl1 above shows an example of whitelisting. When whitelisting, the
+; named ACLs should follow a deny that blocks everything (like deny=0.0.0.0/0.0.0.0)
+; The following example explains how combining the ACLs works:
+; <in another configuration>
+; [example_item_with_acl]
+; acl=example_named_acl1
+; acl=example_named_acl2
+;
+; Suppose 209.16.236.0 tries to communicate and the ACL for that example is applied to it...
+; First, example_named_acl1 is evaluated. The address is allowed by that ACL.
+; Next, example_named_acl2 is evaluated. The address isn't blocked by example_named_acl2
+; either, so it passes.
+;
+; Suppose instead 209.16.236.1 tries to communicate and the same ACL is applied.
+; First, example_named_acl1 is evaluated and the address is allowed.
+; However, it is blocked by example_named_acl2, so the address is blocked from the combined
+; ACL.
+;
+; Similarly, the permits/denies in specific configurations that make up an ACL definition
+; are also treated as a separate ACL for evaluation. So if we change the example above to:
+; <in another configuration>
+; [example_item_with_acl]
+; acl=example_named_acl1
+; acl=example_named_acl2
+; deny=209.16.236.0
+;
+; Then 209.16.236.0 will be rejected by the non-named component of the combined ACL even
+; though it passes the two named components.
+;
+;
+; Named ACLs can use ipv6 addresses just like normal ACLs.
+;[ipv6_example_1]
+;deny = ::
+;permit = ::1/128
+;
+;[ipv6_example_2]
+;permit = fe80::21d:bad:fad:2323
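Review bot: The file never says what happens when a configuration references a name that acl.conf does not define (a typo in an `acl=` line is the common case), so an operator cannot tell from this documentation whether such a reference fails closed or silently permits; the extconfig.conf.sample hunk in this commit states that an unavailable realtime ACL becomes an invalid ACL that rejects all addresses, and the same guarantee, or whatever actually holds for a static name, belongs next to the `acl=my_named_acl` explanation at the top of this file. If that is the implemented behaviour, a line such as `; A reference to a named ACL that is not defined is treated as an invalid ACL and rejects all addresses.` would do. Separately, the systemname comment reads `If it's less blank, the field is ignored.` — presumably `If it's left blank, the field is ignored.`.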
diff --git a/configs/extconfig.conf.sample b/configs/extconfig.conf.sample
index 1d67fa536..a83fa2c12 100644
--- a/configs/extconfig.conf.sample
+++ b/configs/extconfig.conf.sample
@@ -32,6 +32,11 @@
; cdr.conf
; rtp.conf
;
+; Named ACLs specified in realtime also can not be used
+; from manager.conf unless the storage driver is preloaded.
+; Attempting to use a realtime stored named ACL before the
+; driver is loaded will result in an invalid ACL which
+; rejects all addresses.
;
; Realtime configuration engine
;
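Review bot: `can not` in the first added line should be `cannot`; as written it can be read as "are also allowed not to be used" rather than "cannot be used". The rest of the note is valuable and should stay: it records that the failure mode is fail-closed (an invalid ACL that rejects everything), which is what an administrator needs to know when manager logins stop working after a restart. The hunk does not explain how a driver is "preloaded"; if the lines above this hunk do not already cover it, name the mechanism here.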
@@ -74,6 +79,7 @@
;meetme => mysql,general
;queues => odbc,asterisk
;queue_members => odbc,asterisk
+;acls => odbc,asterisk
;musiconhold => mysql,general
;queue_log => mysql,general
;
diff --git a/configs/iax.conf.sample b/configs/iax.conf.sample
index 19f2a9b17..9b5d4bc78 100644
--- a/configs/iax.conf.sample
+++ b/configs/iax.conf.sample
@@ -518,11 +518,11 @@ inkeys=freeworlddialup
;
; Further user sections may be added, specifying a context and a secret used
; for connections with that given authentication name. Limited IP based
-; access control is allowed by use of "permit" and "deny" keywords. Multiple
-; rules are permitted. Multiple permitted contexts may be specified, in
-; which case the first will be the default. You can also override Caller*ID
-; so that when you receive a call you set the Caller*ID to be what you want
-; instead of trusting what the remote user provides
+; access control is allowed by use of "permit", "deny", and "acl" keywords.
+; Multiple rules are permitted. Multiple permitted contexts may be specified,
+; in which case the first will be the default. You can also override
+; Caller*ID so that when you receive a call you set the Caller*ID to be what
+; you want instead of trusting what the remote user provides
;
; There are three authentication methods that are supported: md5, plaintext,
; and rsa. The least secure is "plaintext", which sends passwords cleartext
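Review bot: The reworded paragraph now names the "acl" keyword but gives no hint of where named ACLs are defined or how they combine with "permit"/"deny", so a reader of iax.conf alone has to guess. Suggest appending one line after the sentence, e.g. `; Named ACLs referenced with "acl" are defined in acl.conf; see that file for how they combine with "permit"/"deny".` The remainder of the hunk is a pure rewrap of the existing text.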
@@ -639,6 +639,7 @@ description=Demo System At Digium ; Description of this peer, as listed by
;secret=shazbot ; only the last specified secret will be used.
;context=default
;permit=0.0.0.0/0.0.0.0
+;acl=example_named_acl
;
; With immediate=yes, an IAX2 phone or a phone on an IAXy acts as a hot-line
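Review bot: The sample value `example_named_acl` is not defined in the acl.conf.sample added by this commit, which defines `example_named_acl1` and `example_named_acl2`; the other consumers use yet other names (`named_acl_example` in manager.conf.sample and twice in sip.conf.sample, `acl_example` for directmediaacl in sip.conf.sample). Anyone who uncomments one of these lines as-is references an undefined ACL, and a name mismatch in an access-control setting is exactly the kind of error that is hard to spot later. Pick one name that acl.conf.sample actually defines and use it in all five places, e.g. `;acl=example_named_acl1` here.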
diff --git a/configs/manager.conf.sample b/configs/manager.conf.sample
index 5e99cf80d..31c182007 100644
--- a/configs/manager.conf.sample
+++ b/configs/manager.conf.sample
@@ -85,6 +85,7 @@ bindaddr = 0.0.0.0
;secret = mysecret
;deny=0.0.0.0/0.0.0.0
;permit=209.16.236.73/255.255.255.0
+;acl=named_acl_example ; use a named ACL from acl.conf
;
;eventfilter=Event: Newchannel
;eventfilter=!Channel: DAHDI*
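Review bot: The extconfig.conf.sample hunk in this commit warns that a realtime-stored named ACL referenced from manager.conf is an invalid ACL (rejects all addresses) unless the storage driver is preloaded, but this example carries no trace of that caveat, and manager.conf is the file an administrator will be reading when AMI logins start failing. Add a full-line comment above the new line, e.g. `; Named ACLs stored in realtime need the storage driver preloaded; see extconfig.conf.` The trailing `; use a named ACL from acl.conf` matches the inline-comment style of the surrounding lines and can stay.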
diff --git a/configs/sip.conf.sample b/configs/sip.conf.sample
index e92bba9fe..dcf88aa73 100644
--- a/configs/sip.conf.sample
+++ b/configs/sip.conf.sample
@@ -10,8 +10,8 @@
;
; Especially note the following settings:
; - allowguest (default enabled)
-; - permit/deny - IP address filters
-; - contactpermit/contactdeny - IP address filters for registrations
+; - permit/deny/acl - IP address filters
+; - contactpermit/contactdeny/contactacl - IP address filters for registrations
; - context - Which set of services you offer various users
;
; SIP dial strings
@@ -454,6 +454,7 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls
;contactdeny=0.0.0.0/0.0.0.0 ; Use contactpermit and contactdeny to
;contactpermit=172.16.0.0/255.255.0.0 ; restrict at what IPs your users may
; register their phones.
+;contactacl=named_acl_example ; Use named ACLs defined in acl.conf
;engine=asterisk ; RTP engine to use when communicating with the device
@@ -956,6 +957,7 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls
; Use this if some of your phones are on IP addresses that
; can not reach each other directly. This way you can force
; RTP to always flow through asterisk in such cases.
+;directmediaacl=acl_example ; Use named ACLs defined in acl.conf
;ignoresdpversion=yes ; By default, Asterisk will honor the session version
; number in SDP packets and will only modify the SDP
@@ -1211,10 +1213,11 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls
; t38pt_usertpsource
; contactpermit ; Limit what a host may register as (a neat trick
; contactdeny ; is to register at the same IP as a SIP provider,
-; ; then call oneself, and get redirected to that
+; contactacl ; then call oneself, and get redirected to that
; ; same location).
; directmediapermit
; directmediadeny
+; directmediaacl
; unsolicited_mailbox
; use_q850_reason
; maxforwards
@@ -1419,6 +1422,7 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls
;permit=2001:db8::/32 ; IPv6 ACLs can be specified if desired. IPv6 ACLs
; apply only to IPv6 addresses, and IPv4 ACLs apply
; only to IPv4 addresses.
+;acl=named_acl_example ; Use named ACLs defined in acl.conf
;[cisco1]
;type=friend