
Summary: ASTERISK-24874: Asterisk 11/13 Named ACL misconfiguration produces misleading errors - lacking commands to debug or troubleshoot
Reporter: Michael Keuter (mkeuter)
Labels:
Date Opened: 2015-03-13 10:39:08
Date Closed:
Priority: Major
Regression?:
Status: Open/New
Components: Core/ACL
Versions: 11.16.0 13.2.0
Frequency of Occurrence: Constant
Related Issues: is related to ASTERISK-24969 Named ACL's do not handle config errors.
Environment: AstLinux 1.2.2, Linux 3.2
Attachments: ( 0) full_log
Description: When I use this ACL configuration:

acl.conf:
{noformat}
[lan_acl]
deny=0.0.0.0/0.0.0.0
permit=192.168.0.0/255.255.255.0

[vpn_acl]
deny=0.0.0.0/0.0.0.0
permit=192.168.0.0/255.255.255.0
permit=10.8.0.0/255.255.255.0
{noformat}

sip.conf:
{noformat}
[phones](!)
;deny=0.0.0.0/0.0.0.0
;permit=192.168.0.0/255.255.255.0
acl=lan_acl
{noformat}

I get these error messages:
{noformat}
Mar 13 13:46:51 localhost local0.err asterisk[1722]: ERROR[1761]: acl.c:541 in ast_append_acl: Named ACL 'lan_acl' is already included in the ast_acl container.
Mar 13 13:46:51 localhost local0.err asterisk[1722]: ERROR[1761]: chan_sip.c:30923 in build_peer: Bad ACL entry in configuration line 761 : lan_acl
{noformat}
It gets worse when I try to include one named ACL into another as mentioned in the examples; in this case acl.conf is not loaded at all:
{noformat}
[vpn_acl]
acl=lan_acl
permit=10.8.0.0/255.255.255.0
{noformat}
I get these errors:
{noformat}
Mar 13 13:49:06 localhost local0.err asterisk[29624]: ERROR[29624]: config_options.c:589 in aco_process_var: Could not find option suitable for category 'vpn_acl' named 'acl' at line 87 of
Mar 13 13:49:06 localhost local0.err asterisk[29624]: ERROR[29624]: config_options.c:402 in process_category: In acl.conf: Processing options for vpn_acl failed
Mar 13 13:49:06 localhost local0.err asterisk[29624]: ERROR[29624]: named_acl.c:328 in ast_named_acl_find: Attempted to find named ACL 'vpn_acl', but the ACL configuration isn't available.
Mar 13 13:49:06 localhost local0.err asterisk[29624]: ERROR[29624]: acl.c:541 in ast_append_acl: Named ACL 'vpn_acl' is already included in the ast_acl container.
Mar 13 13:49:06 localhost local0.err asterisk[29624]: ERROR[29624]: chan_sip.c:30923 in build_peer: Bad ACL entry in configuration line 15 : vpn_acl
{noformat}
Comments:

By: Michael Keuter (mkeuter) 2015-03-13 11:52:57.191-0500

Thanks Richard, I overlooked the 'noformat' tag in the help.

By: Corey Farrell (coreyfarrell) 2015-04-05 16:55:00.994-0500

I was able to start Asterisk with the configurations you've provided, the proper ACL was applied to some test peers I created.  I was only able to reproduce the issue by adding 'preload=chan_sip.so' to modules.conf.  This cannot work since acl.conf is loaded after preload modules.

By: Michael Keuter (mkeuter) 2015-04-06 03:08:17.550-0500

Hi Corey, thanks for trying.

I never used 'preload=chan_sip.so'. Here is my modules.conf:

{noformat}
[modules]
autoload=yes
;
; Any modules that need to be loaded before the Asterisk core has been
; initialized (just after the logger has been initialized) can be loaded
; using 'preload'. This will frequently be needed if you wish to map all
; module configuration files into Realtime storage, since the Realtime
; driver will need to be loaded before the modules using those configuration
; files are initialized.
;
; An example of loading ODBC support would be:
;preload => res_odbc.so
;preload => res_config_odbc.so
;
; Uncomment the following if you wish to use the Speech Recognition API
;preload => res_speech.so
;
; If you want, load the GTK console right away.  
;
noload => pbx_gtkconsole.so
;load => pbx_gtkconsole.so
;
load => res_musiconhold.so
;
; Load either OSS or ALSA, not both
; By default, load OSS only (automatically) and do not load ALSA
;
noload => chan_alsa.so
noload => chan_oss.so
;
noload => app_voicemail_imap.so
;
noload => pbx_ael.so
noload => pbx_dundi.so
noload => chan_dahdi.so
noload => chan_iax2.so
noload => chan_mgcp.so
noload => chan_misdn.so
noload => chan_phone.so
noload => chan_skinny.so
noload => chan_unistim.so
noload => codec_dahdi.so

noload => app_minivm.so
noload => func_realtime.so
noload => pbx_lua.so
noload => pbx_realtime.so
noload => res_calendar_caldav.so
noload => res_calendar_exchange.so
noload => res_calendar_ews.so
noload => res_config_curl.so
noload => res_config_mysql.so
noload => res_fax_digium.so
noload => res_phoneprov.so
noload => res_realtime.so
{noformat}

BTW: You need to RESTART Asterisk to see those errors after making changes, reload is not enough!

By: Corey Farrell (coreyfarrell) 2015-04-10 17:19:38.972-0500

Please uncomment {{full => notice,warning,error,debug,verbose,dtmf,fax}} in logger.conf.  Please also set {{verbose = 6}} and {{debug = 6}} in asterisk.conf.  Reproduce the issue and upload the full log as an attachment.  It can normally be found at /var/log/asterisk/full.

Once you've reproduced the issue and collected the log file you should undo the changes to asterisk.conf and logger.conf, otherwise your log files will get huge.

By: Michael Keuter (mkeuter) 2015-04-11 06:30:30.100-0500

Hi Corey, I added a full log with verb 6 + debug 6. Please search for "lan_acl" to find the error.

In this log the IP values are 192.168.22.0 for LAN and 10.8.22.0 for VPN.

By: Corey Farrell (coreyfarrell) 2015-04-14 14:57:51.016-0500

I've done some additional testing; I think you must be somehow including 'lan_acl' onto the same peer more than once.  Though this reports an error, it doesn't actually prevent the config from loading, and the ACL is applied to the peer.  Really the following should probably be warnings, not errors.
{noformat}
[2015-04-11 13:02:03] ERROR[12818] acl.c: Named ACL 'lan_acl' is already included in the ast_acl container.
[2015-04-11 13:02:03] ERROR[12818] chan_sip.c: Bad ACL entry in configuration line 1653 : lan_acl
{noformat}

I was able to reproduce this with the following in sip.conf:
{noformat}
[phones](!)
acl=lan_acl

[test1](phones)
type=friend
acl=lan_acl

[test2](phones,phones)
type=friend
{noformat}

So either including the same template twice, or including the template to a peer then adding the same ACL.  In this example config both peers (test1 and test2) effectively include acl=lan_acl twice.

By: Michael Keuter (mkeuter) 2015-04-15 03:08:05.921-0500

Hi Corey, thanks for your further testing.
I checked it again, and you are perfectly right. I included "(phones)" for a single phone again to overwrite the default settings.
But Named_ACLs behave completely differently in this case than the normal ACLs, which don't have an issue with this.
BTW: Is there a way to verify/debug which ACLs are actually present for a specific SIP peer? "sip show peer xyz" only shows "ACL=Yes".

By: Michael Keuter (mkeuter) 2015-04-15 03:39:57.516-0500

Have you also tried the other case from above: to include one Named_ACL into the other? That doesn't work at all for me:

acl.conf:
{noformat}
[lan_acl]
deny=0.0.0.0/0.0.0.0
permit=192.168.0.0/255.255.255.0

[vpn_acl]
acl=lan_acl
permit=10.8.0.0/255.255.255.0
{noformat}
By: Rusty Newton (rnewton) 2015-04-16 13:03:41.951-0500

Changing security status and linking to ASTERISK-24969.

By: Corey Farrell (coreyfarrell) 2015-04-16 13:12:45.933-0500

'acl=' is not a valid option in acl.conf - only permit and deny.  This error is preventing acl.conf from loading.  The correct way for acl.conf to include one acl from another is:
{noformat}
[lan_acl]
deny=0.0.0.0/0.0.0.0
permit=192.168.0.0/255.255.255.0

[vpn_acl](lan_acl)
permit=10.8.0.0/255.255.255.0
{noformat}

In my opinion an invalid acl.conf at Asterisk startup should cause Asterisk to exit (it's a critical error).  This is being treated as a separate issue, ASTERISK-24969.  Note that when you do {{module reload acl}}, it's not actually succeeding, it's silently skipping the reload (due to the file being unchanged).

For the issue of using the same ACL twice from a single peer, the issue is that pointless / misleading error messages are produced.  Really it should be a warning, if that.  I think it would be fine if this condition were silently ignored.

I'm not aware of a way to debug the actual ACL's applied to sip peers, this would be a nice improvement.  Feel like giving it a try?  Normally improvements/features would go to master (trunk) only, but I feel this would be justified for all supported branches.
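Both of Corey's diagnoses above (a peer that ends up with acl=lan_acl twice through template expansion, and acl= being rejected inside acl.conf where [vpn_acl](lan_acl) inheritance is the supported form) can be checked mechanically before restarting Asterisk. The script below is an added example, not Asterisk's own code and not something posted by anyone on this issue: it reimplements a simplified version of Asterisk's config parser (categories, "(!)" templates and "(parent,parent2)" inheritance only), and it assumes Asterisk evaluates an ACL as default-allow with the last matching rule deciding. The sample acl.conf / sip.conf contents and addresses are constructed to mirror the report.

```python
"""Added lint helper for Asterisk named-ACL configs (example code, not Asterisk's
own): parses acl.conf/sip.conf categories with templates "[n](!)" and inheritance
"[n](parent,parent2)", flags non permit/deny options in acl.conf, flags peers that
reference one named ACL twice, and evaluates addresses against an ACL assuming
Asterisk's "default allow, last matching rule wins" order."""
import ipaddress
import re
from collections import OrderedDict

HEADER_RE = re.compile(r"^\[(?P<name>[^\]]+)\](?:\((?P<inh>[^)]*)\))?$")
ACL_OPTIONS = {"permit", "deny"}

def parse_config(text):
    """name -> {"template": bool, "vars": [(key, value), ...]}; inherited vars are
    copied in order once per listed parent, so [p](t,t) copies t's vars twice."""
    cats, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            inh = [p.strip() for p in (m.group("inh") or "").split(",") if p.strip()]
            current = {"template": "!" in inh, "vars": []}
            for parent in (p for p in inh if p != "!"):
                if parent not in cats:
                    raise ValueError(f"[{m.group('name')}] inherits unknown '{parent}'")
                current["vars"].extend(cats[parent]["vars"])
            cats[m.group("name")] = current
            continue
        if current is None:
            raise ValueError(f"variable outside any category: {line}")
        key, _, value = line.partition("=")
        if value.startswith(">"):  # accept the "key => value" spelling too
            value = value[1:]
        current["vars"].append((key.strip(), value.strip()))
    return cats

def lint_acl_conf(acl_cats):
    """Options acl.conf does not accept (e.g. acl=lan_acl); in Asterisk 11/13 one
    such line stops the whole file from loading."""
    problems = []
    for name, cat in acl_cats.items():
        for key, value in cat["vars"]:
            if key not in ACL_OPTIONS:
                problems.append(f"[{name}]: '{key}={value}' is not permit/deny; "
                                f"write [{name}](other_acl) to include an ACL")
    return problems

def duplicate_acl_refs(sip_cats):
    """Non-template categories whose expanded vars list the same acl= value twice,
    e.g. [peer](tmpl,tmpl) or a template acl= plus the same explicit acl=."""
    dups = {}
    for name, cat in sip_cats.items():
        refs = [v for k, v in cat["vars"] if k == "acl"]
        repeated = sorted({r for r in refs if refs.count(r) > 1})
        if repeated and not cat["template"]:
            dups[name] = repeated
    return dups

def build_acl(acl_cats, name):
    """Flatten a named ACL to an ordered list of (sense, network)."""
    return [(k, ipaddress.ip_network(v, strict=False))
            for k, v in acl_cats[name]["vars"] if k in ACL_OPTIONS]

def acl_allows(rules, address):
    """Default allow; the last rule whose network contains the address decides
    (assumed to be Asterisk's evaluation order)."""
    addr, verdict = ipaddress.ip_address(address), "permit"
    for sense, net in rules:
        if addr in net:
            verdict = sense
    return verdict == "permit"

# Constructed sample configs mirroring the report (example networks only).
ACL_CONF = """\
[lan_acl]
deny=0.0.0.0/0.0.0.0
permit=192.168.0.0/255.255.255.0

[vpn_acl](lan_acl)
permit=10.8.0.0/255.255.255.0
"""
BAD_ACL_CONF = ACL_CONF.replace("[vpn_acl](lan_acl)", "[vpn_acl]\nacl=lan_acl")
SIP_CONF = """\
[phones](!)
acl=lan_acl

[test1](phones)
type=friend
acl=lan_acl

[test2](phones,phones)
type=friend
"""

if __name__ == "__main__":
    acl = parse_config(ACL_CONF)
    print("acl.conf problems:", lint_acl_conf(parse_config(BAD_ACL_CONF)))
    print("duplicate acl= refs:", duplicate_acl_refs(parse_config(SIP_CONF)))
    for addr in ("192.168.0.7", "10.8.0.5", "10.9.0.1"):
        print(addr, "allowed by vpn_acl:", acl_allows(build_acl(acl, "vpn_acl"), addr))
```

Run against the real files (`parse_config(open("/etc/asterisk/sip.conf").read())`) it answers the question raised earlier in the thread that "sip show peer" does not: which named ACLs a peer actually carries after template expansion, and whether a given source address would pass them. The parser deliberately copies a parent's variables once per listing, because that is exactly how `[test2](phones,phones)` produces the duplicate `acl=` that triggers the "already included" error.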

By: Michael Keuter (mkeuter) 2015-04-16 15:49:40.154-0500

Hi Corey, for the inclusion: I think I misinterpreted the "[example_item_with_acl]" example in acl.conf as an ACL definition :-(.

Yes, it would be good if using the same ACL twice in a definition would just be ignored.

Regarding the debug feature: I am not a C programmer, but maybe it is just a nice idea.

By: Rusty Newton (rnewton) 2015-05-17 15:07:23.852-0500

[~coreyfarrell] does [~mmichelson]'s fix on ASTERISK-24969 satisfy this issue? At least the misleading errors side?

I don't think it adds debug commands, or at least I didn't see that mentioned in the gerrit review. Perhaps we should close this issue out and create a new issue for the improvement side of things?

By: Corey Farrell (coreyfarrell) 2015-06-03 21:35:58.166-0500

[~rnewton]: the fix on ASTERISK-24969 has been applied to master only.  I'm still not sure what an appropriate fix for 11/13 is, but I think something is needed.

By: Rusty Newton (rnewton) 2015-06-05 17:13:31.221-0500

Alright, for the moment I'm going to leave this assigned to you.