author | Jonathan Rose <jrose@digium.com> | 2012-07-11 18:33:36 +0000 |
committer | Jonathan Rose <jrose@digium.com> | 2012-07-11 18:33:36 +0000 |
commit | 10afdf3a2abd7e45d5c1841b29744de5b852d722 (patch) | |
tree | efd6960cc2e8a9f2642d8ac950904ba6c51371e9 /configs | |
parent | 6190ae4430f2bdfb02d2ce8f4941cd9b4e65f5a0 (diff) |
Named ACLs: Introduces a system for creating and sharing ACLs
This patch adds Named ACL functionality to Asterisk. This allows system
administrators to define an ACL and refer to it by a unique name. Configurable
items can then refer to that name when specifying access control lists.
It also includes updates to all core supported consumers of ACLs. That includes
manager, chan_sip, and chan_iax2. This feature is based on the deluxepine-trunk
by Olle E. Johansson and provides a subset of the Named ACL functionality
implemented in that branch. For more information on this feature, see acl.conf
and/or the Asterisk wiki.
Review: https://reviewboard.asterisk.org/r/1978/
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@369959 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat (limited to 'configs')
-rw-r--r-- | configs/acl.conf.sample | 86 | ||||
-rw-r--r-- | configs/extconfig.conf.sample | 6 | ||||
-rw-r--r-- | configs/iax.conf.sample | 11 | ||||
-rw-r--r-- | configs/manager.conf.sample | 1 | ||||
-rw-r--r-- | configs/sip.conf.sample | 10 |
5 files changed, 106 insertions, 8 deletions
diff --git a/configs/acl.conf.sample b/configs/acl.conf.sample
new file mode 100644
index 000000000..ca6906d4b
--- /dev/null
+++ b/configs/acl.conf.sample
@@ -0,0 +1,86 @@
+;
+; Named Access Control Lists (ACLs)
+;
+; A convenient way to share acl definitions
+;
+; This configuration file is read on startup
+;
+; CLI Commands
+; -----------------------------------------------------------
+; acl show Show all named ACLs configured
+; acl show <name> Show contents of a particular named ACL
+; reload acl Reload configuration file
+;
+;[general]
+;systemname=asterisksystem1 ; If a system name is specified, realtime
+; ; ACLs will only be retrieved if they have
+; ; a systemname field that matches this value.
+; ; If it's less blank, the field is ignored.
+;
+; Any configuration that uses ACLs which has been made to be able to use named
+; ACLs will specify a named ACL with the 'acl' option in its configuration in
+; a similar fashion to the usual 'permit' and 'deny' options. Example:
+; acl=my_named_acl
+;
+; Multiple named ACLs can be applied by either comma separating the arguments or
+; just by adding additional ACL lines. Example:
+; acl=my_named_acl
+; acl=my_named_acl2
+;
+; or
+;
+; acl=my_named_acl,my_named_acl2
+;
+; ACLs specified by name are evaluated independently from the ACL specified via
+; permit/deny. In order for an address to pass a given ACL, it must pass both
+; the ACL specified by permit/deny for a given item as well as any named ACLs
+; that were specified.
+;
+;[example_named_acl1]
+;deny=0.0.0.0/0.0.0.0
+;permit=209.16.236.0
+;permit=209.16.236.1
+;
+;[example_named_acl2]
+;permit=0.0.0.0/0.0.0.0
+;deny=10.24.20.171
+;deny=10.24.20.103
+;deny=209.16.236.1
+;
+; example_named_acl1 above shows an example of whitelisting. When whitelisting, the
+; named ACLs should follow a deny that blocks everything (like deny=0.0.0.0/0.0.0.0)
+; The following example explains how combining the ACLs works:
+; <in another configuration>
+; [example_item_with_acl]
+; acl=example_named_acl1
+; acl=example_named_acl2
+;
+; Suppose 209.16.236.0 tries to communicate and the ACL for that example is applied to it...
+; First, example_named_acl1 is evaluated. The address is allowed by that ACL.
+; Next, example_named_acl2 is evaluated. The address isn't blocked by example_named_acl2
+; either, so it passes.
+;
+; Suppose instead 209.16.236.1 tries to communicate and the same ACL is applied.
+; First, example_named_acl1 is evaluated and the address is allowed.
+; However, it is blocked by example_named_acl2, so the address is blocked from the combined
+; ACL.
+;
+; Similarly, the permits/denies in specific configurations that make up an ACL definition
+; are also treated as a separate ACL for evaluation. So if we change the example above to:
+; <in another configuration>
+; [example_item_with_acl]
+; acl=example_named_acl1
+; acl=example_named_acl2
+; deny=209.16.236.0
+;
+; Then 209.16.236.0 will be rejected by the non-named component of the combined ACL even
+; though it passes the two named components.
+;
+;
+; Named ACLs can use ipv6 addresses just like normal ACLs.
+;[ipv6_example_1]
+;deny = ::
+;permit = ::1/128
+;
+;[ipv6_example_2]
+;permit = fe80::21d:bad:fad:2323
diff --git a/configs/extconfig.conf.sample b/configs/extconfig.conf.sample
index 1d67fa536..a83fa2c12 100644
--- a/configs/extconfig.conf.sample
+++ b/configs/extconfig.conf.sample
@@ -32,6 +32,11 @@
 ; cdr.conf
 ; rtp.conf
 ;
+; Named ACLs specified in realtime also can not be used
+; from manager.conf unless the storage driver is preloaded.
+; Attempting to use a realtime stored named ACL before the
+; driver is loaded will result in an invalid ACL which
+; rejects all addresses.
 ;
 ; Realtime configuration engine
 ;
@@ -74,6 +79,7 @@
 ;meetme => mysql,general
 ;queues => odbc,asterisk
 ;queue_members => odbc,asterisk
+;acls => odbc,asterisk
 ;musiconhold => mysql,general
 ;queue_log => mysql,general
 ;
diff --git a/configs/iax.conf.sample b/configs/iax.conf.sample
index 19f2a9b17..9b5d4bc78 100644
--- a/configs/iax.conf.sample
+++ b/configs/iax.conf.sample
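Review bot: `;deny = ::` in ipv6_example_1 is written without a prefix length, unlike the IPv4 deny-all `deny=0.0.0.0/0.0.0.0` used earlier in the same file, so a reader cannot tell whether it matches every IPv6 address or only the unspecified address; if it is meant as the IPv6 deny-all, `;deny = ::/0` says so unambiguously and the example should use it (I have not checked how the parser treats a bare `::`). The whitelisting sentence is also easy to misread: `named ACLs should follow a deny that blocks everything` is really about the permit lines inside the ACL, so `the permit lines should come after a deny that blocks everything (like deny=0.0.0.0/0.0.0.0), since later rules override earlier matches` would be clearer, keeping the last clause only if that is indeed the evaluation order. Finally, `If it's less blank, the field is ignored.` should read `If it's left blank, the field is ignored.`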
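Review bot: The new paragraph in the first extconfig.conf.sample hunk says realtime named ACLs cannot be used from manager.conf `unless the storage driver is preloaded` but does not say where that is configured; a pointer such as `; (preload the driver in modules.conf)` would save the admin a search. Minor wording: `can not` should be `cannot`. The fail-closed outcome stated there (`rejects all addresses`) is the behaviour an operator needs to know about and is worth keeping as the last sentence of the paragraph so it is not missed.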
@@ -518,11 +518,11 @@ inkeys=freeworlddialup
 ;
 ; Further user sections may be added, specifying a context and a secret used
 ; for connections with that given authentication name. Limited IP based
-; access control is allowed by use of "permit" and "deny" keywords. Multiple
-; rules are permitted. Multiple permitted contexts may be specified, in
-; which case the first will be the default. You can also override Caller*ID
-; so that when you receive a call you set the Caller*ID to be what you want
-; instead of trusting what the remote user provides
+; access control is allowed by use of "permit", "deny", and "acl" keywords.
+; Multiple rules are permitted. Multiple permitted contexts may be specified,
+; in which case the first will be the default. You can also override
+; Caller*ID so that when you receive a call you set the Caller*ID to be what
+; you want instead of trusting what the remote user provides
 ;
 ; There are three authentication methods that are supported: md5, plaintext,
 ; and rsa. The least secure is "plaintext", which sends passwords cleartext
@@ -639,6 +639,7 @@ description=Demo System At Digium ; Description of this peer, as listed by
 ;secret=shazbot ; only the last specified secret will be used.
 ;context=default
 ;permit=0.0.0.0/0.0.0.0
+;acl=example_named_acl
 ;
 ; With immediate=yes, an IAX2 phone or a phone on an IAXy acts as a hot-line
diff --git a/configs/manager.conf.sample b/configs/manager.conf.sample
index 5e99cf80d..31c182007 100644
--- a/configs/manager.conf.sample
+++ b/configs/manager.conf.sample
@@ -85,6 +85,7 @@ bindaddr = 0.0.0.0
 ;secret = mysecret
 ;deny=0.0.0.0/0.0.0.0
 ;permit=209.16.236.73/255.255.255.0
+;acl=named_acl_example ; use a named ACL from acl.conf
 ;
 ;eventfilter=Event: Newchannel
 ;eventfilter=!Channel: DAHDI*
diff --git a/configs/sip.conf.sample b/configs/sip.conf.sample
index e92bba9fe..dcf88aa73 100644
--- a/configs/sip.conf.sample
+++ b/configs/sip.conf.sample
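Review bot: The example ACL names in the sample lines do not match what acl.conf.sample defines: the second iax.conf.sample hunk adds `;acl=example_named_acl`, the manager.conf.sample hunk adds `;acl=named_acl_example`, and the sip.conf.sample hunks below use `named_acl_example` and `acl_example`, while acl.conf.sample defines `example_named_acl1` and `example_named_acl2`. An admin who uncomments one of these lines verbatim references an ACL that no sample defines; extconfig.conf.sample says an unresolvable realtime ACL becomes an invalid ACL that rejects all addresses, and if a missing static name behaves the same way the result is a silent lockout (I have not checked the static case). Use one name that acl.conf.sample actually defines everywhere, e.g. `;acl=example_named_acl1 ; use a named ACL from acl.conf` here and the same spelling in the sip.conf.sample hunks.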
@@ -10,8 +10,8 @@
 ;
 ; Especially note the following settings:
 ; - allowguest (default enabled)
-; - permit/deny - IP address filters
-; - contactpermit/contactdeny - IP address filters for registrations
+; - permit/deny/acl - IP address filters
+; - contactpermit/contactdeny/contactacl - IP address filters for registrations
 ; - context - Which set of services you offer various users
 ;
 ; SIP dial strings
@@ -454,6 +454,7 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls
 ;contactdeny=0.0.0.0/0.0.0.0 ; Use contactpermit and contactdeny to
 ;contactpermit=172.16.0.0/255.255.0.0 ; restrict at what IPs your users may
 ; register their phones.
+;contactacl=named_acl_example ; Use named ACLs defined in acl.conf
 ;engine=asterisk ; RTP engine to use when communicating with the device
@@ -956,6 +957,7 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls
 ; Use this if some of your phones are on IP addresses that
 ; can not reach each other directly. This way you can force
 ; RTP to always flow through asterisk in such cases.
+;directmediaacl=acl_example ; Use named ACLs defined in acl.conf
 ;ignoresdpversion=yes ; By default, Asterisk will honor the session version
 ; number in SDP packets and will only modify the SDP
@@ -1211,10 +1213,11 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls
 ; t38pt_usertpsource
 ; contactpermit ; Limit what a host may register as (a neat trick
 ; contactdeny ; is to register at the same IP as a SIP provider,
-; ; then call oneself, and get redirected to that
+; contactacl ; then call oneself, and get redirected to that
 ; ; same location).
 ; directmediapermit
 ; directmediadeny
+; directmediaacl
 ; unsolicited_mailbox
 ; use_q850_reason
 ; maxforwards
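Review bot: `;directmediaacl=acl_example ; Use named ACLs defined in acl.conf` in the third sip.conf.sample hunk says where the ACL comes from but not what it governs; it sits under the direct-media discussion and is listed beside directmediapermit/directmediadeny in the fourth hunk, so it presumably restricts which peers may use direct media, and the comment should say so, e.g. `; Named ACL for direct media, evaluated alongside directmediapermit/directmediadeny`. In the fourth hunk, putting `contactacl` on the line that used to carry the continuation `; then call oneself, and get redirected to that` makes that fragment read as a description of contactacl rather than the tail of the contactdeny note; giving `; contactacl` its own line and leaving the continuation on a blank-key line avoids that. The same note applies to the `;acl=named_acl_example` line in the last hunk of this file, which also only says the ACL is "defined in acl.conf".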
@@ -1419,6 +1422,7 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls
 ;permit=2001:db8::/32 ; IPv6 ACLs can be specified if desired. IPv6 ACLs
 ; apply only to IPv6 addresses, and IPv4 ACLs apply
 ; only to IPv4 addresses.
+;acl=named_acl_example ; Use named ACLs defined in acl.conf
 ;[cisco1]
 ;type=friend |