res/res_pjsip: Standardize/fix localnet checks across pjsip.

In 2dee95cc (ASTERISK-27024) and 776ffd77 (ASTERISK-26879) there was
confusion about whether the transport_state->localnet ACL has ALLOW or
DENY semantics.

For the record: the localnet has DENY semantics, meaning that "not in
the list" means ALLOW, and the local nets are in the list.

Therefore, checks like this look wrong, but are right:

    /* See if where we are sending this request is local or not, and if
       not that we can get a Contact URI to modify */
    if (ast_apply_ha(transport_state->localnet, &addr) != AST_SENSE_ALLOW) {
        ast_debug(5, "Request is being sent to local address, "
                     "skipping NAT manipulation\n");

(In the list == localnet == DENY == skip NAT manipulation.)

And conversely, other checks that looked right, were wrong.

This change adds two macro's to reduce the confusion and uses those
instead:

    ast_sip_transport_is_nonlocal(transport_state, addr)
    ast_sip_transport_is_local(transport_state, addr)

ASTERISK-27248 #close

Change-Id: Ie7767519eb5a822c4848e531a53c0fd054fae934

diff --git a/include/asterisk/res_pjsip.h b/include/asterisk/res_pjsip.h
index efc0cd0193ce245be09e30926941dad9785ff0f2..18661dffe987ad93359fd5bd92a993e25b2bdba4 100644 (file)
--- a/include/asterisk/res_pjsip.h
+++ b/include/asterisk/res_pjsip.h
@@ -98,7 +98,10 @@ struct ast_sip_transport_state {
         */
        pj_ssl_cipher ciphers[SIP_TLS_MAX_CIPHERS];
        /*!
-        * Optional local network information, used for NAT purposes
+        * Optional local network information, used for NAT purposes.
+        * "deny" (set) means that it's in the local network. Use the
+        * ast_sip_transport_is_nonlocal and ast_sip_transport_is_local
+        * macro's.
         * \since 13.8.0
         */
        struct ast_ha *localnet;
@@ -124,6 +127,12 @@ struct ast_sip_transport_state {
        struct ast_sockaddr external_media_address;
 };
 
+#define ast_sip_transport_is_nonlocal(transport_state, addr) \
+       (!transport_state->localnet || ast_apply_ha(transport_state->localnet, addr) == AST_SENSE_ALLOW)
+
+#define ast_sip_transport_is_local(transport_state, addr) \
+       (transport_state->localnet && ast_apply_ha(transport_state->localnet, addr) != AST_SENSE_ALLOW)
+
 /*
  * \brief Transport to bind to
  */

diff --git a/main/acl.c b/main/acl.c
index 6aeff403f77f013371f1208f57934ead193f5b1f..237d77d59fb7a389feb07001d65b0ecef87bb9f4 100644 (file)
--- a/main/acl.c
+++ b/main/acl.c
@@ -739,8 +739,8 @@ enum ast_acl_sense ast_apply_ha(const struct ast_ha *ha, const struct ast_sockad
                char iabuf[INET_ADDRSTRLEN];
                char iabuf2[INET_ADDRSTRLEN];
                /* DEBUG */
-               ast_copy_string(iabuf, ast_inet_ntoa(sin->sin_addr), sizeof(iabuf));
-               ast_copy_string(iabuf2, ast_inet_ntoa(ha->netaddr), sizeof(iabuf2));
+               ast_copy_string(iabuf, ast_sockaddr_stringify(addr), sizeof(iabuf));
+               ast_copy_string(iabuf2, ast_sockaddr_stringify(&current_ha->addr), sizeof(iabuf2));
                ast_debug(1, "##### Testing %s with %s\n", iabuf, iabuf2);
 #endif
                if (ast_sockaddr_is_ipv4(&current_ha->addr)) {

diff --git a/res/res_pjsip/config_transport.c b/res/res_pjsip/config_transport.c
index 5f7eafa1c4deed04111e7449a71e310d5ce2cc33..0c804b82a49f1a9f4f54c24c5b573c738e08e110 100644 (file)
--- a/res/res_pjsip/config_transport.c
+++ b/res/res_pjsip/config_transport.c
@@ -1127,7 +1127,9 @@ static int transport_localnet_handler(const struct aco_option *opt, struct ast_v
                return 0;
        }
 
-       if (!(state->localnet = ast_append_ha("d", var->value, state->localnet, &error))) {
+       /* We use only the ast_apply_ha() which defaults to ALLOW
+        * ("permit"), so we add DENY rules. */
+       if (!(state->localnet = ast_append_ha("deny", var->value, state->localnet, &error))) {
                return -1;
        }
 

diff --git a/res/res_pjsip_nat.c b/res/res_pjsip_nat.c
index 45b0d7ce6b6f3c0d4c0ffb08542ce3343cacb502..e1d56e6af8cbf323111111c93258c28abb0cbf0d 100644 (file)
--- a/res/res_pjsip_nat.c
+++ b/res/res_pjsip_nat.c
@@ -267,7 +267,7 @@ static pj_status_t nat_on_tx_message(pjsip_tx_data *tdata)
                ast_sockaddr_set_port(&addr, tdata->tp_info.dst_port);
 
                /* See if where we are sending this request is local or not, and if not that we can get a Contact URI to modify */
-               if (ast_apply_ha(transport_state->localnet, &addr) != AST_SENSE_ALLOW) {
+               if (ast_sip_transport_is_local(transport_state, &addr)) {
                        ast_debug(5, "Request is being sent to local address, skipping NAT manipulation\n");
                        return PJ_SUCCESS;
                }

diff --git a/res/res_pjsip_sdp_rtp.c b/res/res_pjsip_sdp_rtp.c
index 850d04d9c098718017d41dc04c0f54046f4d5a49..b77994bff915101bfbe1fb8eebd30ca5d73a0942 100644 (file)
--- a/res/res_pjsip_sdp_rtp.c
+++ b/res/res_pjsip_sdp_rtp.c
@@ -1535,8 +1535,7 @@ static void change_outgoing_sdp_stream_media_address(pjsip_tx_data *tdata, struc
        ast_sockaddr_parse(&addr, host, PARSE_PORT_FORBID);
 
        /* Is the address within the SDP inside the same network? */
-       if (transport_state->localnet
-               && ast_apply_ha(transport_state->localnet, &addr) == AST_SENSE_ALLOW) {
+       if (ast_sip_transport_is_local(transport_state, &addr)) {
                return;
        }
        ast_debug(5, "Setting media address to %s\n", ast_sockaddr_stringify_host(&transport_state->external_media_address));

diff --git a/res/res_pjsip_session.c b/res/res_pjsip_session.c
index 42d37fe0c0590ee47fbb433699e802e038b0c46c..e7ee055389724ec7c2d7b0b6a7996ff4b7ce80a5 100644 (file)
--- a/res/res_pjsip_session.c
+++ b/res/res_pjsip_session.c
@@ -3227,8 +3227,7 @@ static void session_outgoing_nat_hook(pjsip_tx_data *tdata, struct ast_sip_trans
                ast_copy_pj_str(host, &sdp->conn->addr, sizeof(host));
                ast_sockaddr_parse(&addr, host, PARSE_PORT_FORBID);
 
-               if (!transport_state->localnet
-                       || ast_apply_ha(transport_state->localnet, &addr) != AST_SENSE_ALLOW) {
+               if (ast_sip_transport_is_nonlocal(transport_state, &addr)) {
                        ast_debug(5, "Setting external media address to %s\n", ast_sockaddr_stringify_host(&transport_state->external_media_address));
                        pj_strdup2(tdata->pool, &sdp->conn->addr, ast_sockaddr_stringify_host(&transport_state->external_media_address));
                }

diff --git a/res/res_pjsip_t38.c b/res/res_pjsip_t38.c
index 9f6ae0c2fe1a0ef3798f82752d609acc31b5441f..ac75cafbb5bc173e3ee7e3e92a1b393d66ac8cce 100644 (file)
--- a/res/res_pjsip_t38.c
+++ b/res/res_pjsip_t38.c
@@ -881,8 +881,7 @@ static void change_outgoing_sdp_stream_media_address(pjsip_tx_data *tdata, struc
        ast_sockaddr_parse(&addr, host, PARSE_PORT_FORBID);
 
        /* Is the address within the SDP inside the same network? */
-       if (transport_state->localnet
-               && ast_apply_ha(transport_state->localnet, &addr) == AST_SENSE_ALLOW) {
+       if (ast_sip_transport_is_local(transport_state, &addr)) {
                return;
        }
        ast_debug(5, "Setting media address to %s\n", ast_sockaddr_stringify_host(&transport_state->external_media_address));