
Summary: ASTERISK-24890: res_pjsip_acl: patch proposal - endpoint specific ACL
Reporter: Dmitriy Serov (Demon)
Labels: Security
Date Opened: 2015-03-17 02:21:44
Date Closed: 2015-03-26 06:12:56
Priority: Major
Regression?:
Status: Closed/Complete
Components: Resources/res_pjsip_acl
Versions: 13.2.0
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
Description: I continue to migrate from Asterisk 11 to 13.2 and continue to face problems of compatibility.
chan_sip has a very good ability to limit registration for a particular PEER to the specified set of IP addresses. I have not found such an opportunity in res_pjsip.

The ACL offers only a limit on the IP packet or contact, without being tied to a particular endpoint. Because only some of the endpoints require registration restrictions by IP, with version 13.2 all registrations are unprotected, insecure.

I propose to implement an option to specify the endpoint in ACL section.
Comments:

By: Dmitriy Serov (Demon) 2015-03-17 02:52:46.692-0500

Studying the implementation of res_pjsip_acl and chan_sip, I have come to the conclusion that it is much easier to add a new named option "acl" in the endpoint section.

If it references an ACL from acl.conf, it will cost a few lines of code. Using named ACLs from pjsip.conf unchanged is impossible, since they will block the registration of other endpoints.

A workaround to use named ACLs from pjsip.conf may be to have one acl section which allows all traffic. In this way other named ACL sections can be used in the endpoint option "acl".
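
The difference described in the report and comment above, shown as an added configuration example that is not part of the original issue or of the Asterisk project's sample files. Section names and addresses are constructed, and the endpoint-level `acl` line is the option proposed in the comment, not one the page says exists in 13.2.

```ini
; ---- sip.conf (chan_sip): the restriction is bound to one peer ----
[alice]                             ; constructed peer name
type=friend
host=dynamic
deny=0.0.0.0/0.0.0.0                ; refuse every source address ...
permit=192.0.2.10/255.255.255.255   ; ... except this one (documentation range)

[bob]                               ; no permit/deny: may register from anywhere
type=friend
host=dynamic

; ---- pjsip.conf (res_pjsip_acl): the section is not tied to an endpoint ----
[office-only]                       ; constructed section name
type=acl
deny=0.0.0.0/0.0.0.0
permit=192.0.2.10/255.255.255.255
; This rule is evaluated for incoming SIP traffic as a whole, so it also
; blocks "bob" instead of restricting only "alice".

[alice]
type=endpoint                       ; fragment: auth, aor and transport omitted
; acl=office-only                   ; proposed in the comment above (hypothetical
;                                   ; here): apply the ACL to this endpoint only

[bob]
type=endpoint                       ; would stay unrestricted under the proposal
```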

By: Rusty Newton (rnewton) 2015-03-23 08:57:38.021-0500

Feature requests without patches are not accepted through the issue tracker. Feature requests are openly discussed on the mailing lists, forums, and IRC [1]. Please see the Asterisk Issue Guidelines [2] for more information on feature request and patch submission.

[1] http://asterisk.org/community/discuss
[2] https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines



By: Rusty Newton (rnewton) 2015-03-23 09:00:43.369-0500

I can't see much opposition to your idea in general; however, it is a good idea to first propose new features on the development mailing list for discussion: http://lists.digium.com/mailman/listinfo/asterisk-dev





By: Joshua C. Colp (jcolp) 2015-03-26 06:12:56.167-0500

Discussion about this issue has occurred at http://lists.digium.com/pipermail/asterisk-dev/2015-March/073508.html including a manner in which it could be implemented. If anyone would like to implement the functionality, this issue can be reopened at that time.