Issue #9726 - rlister - Better logging for ACL denials

While at it, also added better logging and handling of peers that are not supposed to register.

My patch, stole the issue report from Russell. My apologies, Russell :-)

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.2@64514 65c4cc65-6c06-0410-ace0-fbb531ad65f3

diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index 85981ee4601cb7e4b9f9a77f1962e31de2e211cd..453f0a42e38e775b4474f1e35e4c44370405517a 100644 (file)
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -6642,10 +6642,12 @@ static int register_verify(struct sip_pvt *p, struct sockaddr_in *sin, struct si
                if (peer)
                        ASTOBJ_UNREF(peer,sip_destroy_peer);
                peer = NULL;
+               res = -4;
        }
        if (peer) {
                if (!ast_test_flag(&peer->flags_page2, SIP_PAGE2_DYNAMIC)) {
                        ast_log(LOG_ERROR, "Peer '%s' is trying to register, but not configured as host=dynamic\n", peer->name);
+                       res = -5;
                } else {
                        ast_copy_flags(p, peer, SIP_NAT);
                        transmit_response(p, "100 Trying", req);
@@ -6719,22 +6721,20 @@ static int register_verify(struct sip_pvt *p, struct sockaddr_in *sin, struct si
                           proper authentication by digest auth name */
                        transmit_response(p, "403 Authentication user name does not match account name", &p->initreq);
                        break;
-               case -3:
+               case -3:        /* Unknown domain */
+               case -4:        /* ACL error */
+               case -5:        /* Peer is not supposed to register with us at all */
                        if (global_alwaysauthreject) {
                                transmit_fake_auth_response(p, &p->initreq, p->randdata, sizeof(p->randdata), 1);
                        } else {
                                /* URI not found */
-                               transmit_response(p, "404 Not found", &p->initreq);
+                               if (res == -5)
+                                       transmit_response(p, "403 Forbidden", &p->initreq);
+                               else
+                                       transmit_response(p, "404 Not found", &p->initreq);
                        }
-                       /* Set res back to -2 because we don't want to return an invalid domain message. That check already happened up above. */
-                       res = -2;
                        break;
                }
-               if (option_debug > 1) {
-                       ast_log(LOG_DEBUG, "SIP REGISTER attempt failed for %s : %s\n",
-                               peer->name,
-                               (res == -1) ? "Bad password" : ((res == -2 ) ? "Bad digest user" : "Peer not found"));
-               }
        }
        if (peer)
                ASTOBJ_UNREF(peer,sip_destroy_peer);
@@ -11244,8 +11244,24 @@ static int handle_request_register(struct sip_pvt *p, struct sip_request *req, i
                ast_verbose("Using latest REGISTER request as basis request\n");
        copy_request(&p->initreq, req);
        check_via(p, req);
-       if ((res = register_verify(p, sin, req, e, ignore)) < 0) 
-               ast_log(LOG_NOTICE, "Registration from '%s' failed for '%s' - %s\n", get_header(req, "To"), ast_inet_ntoa(iabuf, sizeof(iabuf), sin->sin_addr), (res == -1) ? "Wrong password" : (res == -2 ? "Username/auth name mismatch" : "Not a local SIP domain"));
+       if ((res = register_verify(p, sin, req, e, ignore)) < 0)  {
+               const char *error;
+               switch (res) {
+               case -1:        error = "Wrong password";
+                       break;
+               case -2:        error = "Username/auth name mismatch";
+                       break;
+               case -3:        error = "Not a local SIP domain";
+                       break;
+               case -4:        error = "ACL error (permit/deny)";
+                       break;
+               case -5:        error = "Peer is not supposed to register";
+                       break;
+               default:        error = "Unknown error";
+                       break;
+               }
+               ast_log(LOG_NOTICE, "Registration from '%s' failed for '%s' - %s\n", get_header(req, "To"), ast_inet_ntoa(iabuf, sizeof(iabuf), sin->sin_addr), error);
+       }
        if (res < 1) {
                /* Destroy the session, but keep us around for just a bit in case they don't
                   get our 200 OK */