Index: channels/chan_sip.c
===================================================================
--- channels/chan_sip.c (revision 140020)
+++ channels/chan_sip.c (working copy)
@@ -574,6 +574,10 @@
 /*! \brief Codecs that we support by default: */
 static int global_capability = AST_FORMAT_ULAW | AST_FORMAT_ALAW | AST_FORMAT_GSM | AST_FORMAT_H263;
+/*! \brief Global list of addresses dynamic peers are not allowed to use */
+static struct ast_ha *global_contact_ha = NULL;
+static int global_dynamic_exclude_static = 0;
+
 /* Object counters */
 static int suserobjs = 0; /*!< Static users */
 static int ruserobjs = 0; /*!< Realtime users */
@@ -1130,6 +1134,7 @@
 struct sockaddr_in defaddr; /*!< Default IP address, used until registration */
 struct ast_ha *ha; /*!< Access control list */
+ struct ast_ha *contactha; /*!< Restrict what IPs are allowed in the Contact header (for registration) */
 struct ast_variable *chanvars; /*!< Variables to set for channel created by user */
 struct sip_pvt *mwipvt; /*!< Subscription for MWI */
 int lastmsg;
@@ -8159,7 +8164,7 @@
 const char *useragent;
 struct hostent *hp;
 struct ast_hostent ahp;
- struct sockaddr_in oldsin;
+ struct sockaddr_in oldsin, testsin;
 ast_copy_string(contact, get_header(req, "Contact"), sizeof(contact));
@@ -8240,13 +8245,26 @@
 } else
 port = STANDARD_SIP_PORT;
 oldsin = peer->addr;
+
+ /* Check that they're allowed to register at this IP */
+ /* XXX This could block for a long time XXX */
+ hp = ast_gethostbyname(n, &ahp);
+ if (!hp) {
+ ast_log(LOG_WARNING, "Invalid host '%s'\n", n);
+ *peer->fullcontact = '\0';
+ ast_string_field_set(pvt, our_contact, "");
+ return PARSE_REGISTER_FAILED;
+ }
+ memcpy(&testsin.sin_addr, hp->h_addr, sizeof(testsin.sin_addr));
+ if ( ast_apply_ha(global_contact_ha, &testsin) != AST_SENSE_ALLOW ||
+ ast_apply_ha(peer->contactha, &testsin) != AST_SENSE_ALLOW) {
+ ast_log(LOG_WARNING, "Host '%s' disallowed by rule\n", n);
+ *peer->fullcontact = '\0';
+ ast_string_field_set(pvt, our_contact, "");
+ return PARSE_REGISTER_FAILED;
+ }
+
 if (!ast_test_flag(&peer->flags[0], SIP_NAT_ROUTE)) {
- /* XXX This could block for a long time XXX */
- hp = ast_gethostbyname(n, &ahp);
- if (!hp) {
- ast_log(LOG_WARNING, "Invalid host '%s'\n", n);
- return PARSE_REGISTER_FAILED;
- }
 peer->addr.sin_family = AF_INET;
 memcpy(&peer->addr.sin_addr, hp->h_addr, sizeof(peer->addr.sin_addr));
 peer->addr.sin_port = htons(port);
@@ -17118,6 +17136,9 @@
 if (!peer->addr.sin_port)
 peer->addr.sin_port = htons(STANDARD_SIP_PORT);
 }
+ if (global_dynamic_exclude_static) {
+ global_contact_ha = ast_append_ha("deny", (char *)ast_inet_ntoa(peer->addr.sin_addr), global_contact_ha);
+ }
 }
 } else if (!strcasecmp(v->name, "defaultip")) {
 if (ast_get_ip(&peer->defaddr, v->value)) {
@@ -17126,6 +17147,8 @@
 }
 } else if (!strcasecmp(v->name, "permit") || !strcasecmp(v->name, "deny")) {
 peer->ha = ast_append_ha(v->name, v->value, peer->ha);
+ } else if (!strcasecmp(v->name, "contactpermit") || !strcasecmp(v->name, "contactdeny")) {
+ peer->contactha = ast_append_ha(v->name + 7, v->value, peer->contactha);
 } else if (!strcasecmp(v->name, "port")) {
 if (!realtime && ast_test_flag(&peer->flags[1], SIP_PAGE2_DYNAMIC))
 peer->defaddr.sin_port = htons(atoi(v->value));
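Review bot: The `ast_gethostbyname(n, &ahp)` call now sits outside the `!ast_test_flag(&peer->flags[0], SIP_NAT_ROUTE)` branch, so every REGISTER performs the lookup that the adjacent comment says can block for a long time, including for NAT-routed peers and for installations with no contact rules at all. A NAT-routed phone whose Contact host does not resolve from the server would now get `PARSE_REGISTER_FAILED`, where the old code never looked the name up. Consider resolving only when the result is needed, for example by guarding the lookup and rule check with `if (global_contact_ha || peer->contactha || !ast_test_flag(&peer->flags[0], SIP_NAT_ROUTE))`. The new local should also be zeroed with `memset(&testsin, 0, sizeof(testsin));`, since only `sin_addr` is filled in before it is handed to `ast_apply_ha`. The enclosing function starts and ends outside the hunk.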
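Review bot: The deny entry added under `global_dynamic_exclude_static` (hunk at -17118) covers only the single address held in `peer->addr` when the configuration is parsed, and nothing in the hunk documents that limit. If a static host is configured by name and that name has several addresses or changes later, the other addresses are presumably not excluded, so the option protects less than its name suggests. I would add a comment above the block such as `/* Excludes only the address resolved at load time; cover multi-address providers with explicit contactdeny rules */` and repeat the caveat beside `dynamic_exclude_static` in sip.conf.sample. The enclosing function extends beyond the hunk.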
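Review bot: `peer->contactha` is only ever appended to in the visible changes (hunk at -17126); no hunk frees it when a peer is destroyed or clears it before the peer's options are read again. Because the field is new, such handling would have to show up as an added line, so unless it lives outside this patch the list leaks. If the peer object is reused across reloads, rules removed from sip.conf would also stay in force and surviving ones would be duplicated. Mirror what is done for `peer->ha`, e.g. `ast_free_ha(peer->contactha); peer->contactha = NULL;` before the option loop and `ast_free_ha(peer->contactha);` in the peer destructor. The enclosing function starts and ends outside the hunk, so this needs confirming against the full file.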
@@ -17293,6 +17316,9 @@
 clear_sip_domains();
 authl = NULL;
+ ast_free_ha(global_contact_ha);
+ global_contact_ha = NULL;
+
 /* First, destroy all outstanding registry calls */
 /* This is needed, since otherwise active registry entries will not be destroyed */
 ASTOBJ_CONTAINER_TRAVERSE(®l, 1, do {
@@ -17443,6 +17469,10 @@
 ast_set2_flag(&global_flags[1], ast_true(v->value), SIP_PAGE2_IGNOREREGEXPIRE);
 } else if (!strcasecmp(v->name, "t1min")) {
 global_t1min = atoi(v->value);
+ } else if (!strcasecmp(v->name, "dynamic_exclude_static") || !strcasecmp(v->name, "dynamic_excludes_static")) {
+ global_dynamic_exclude_static = ast_true(v->value);
+ } else if (!strcasecmp(v->name, "contactpermit") || !strcasecmp(v->name, "contactdeny")) {
+ global_contact_ha = ast_append_ha(v->name + 7, v->value, global_contact_ha);
 } else if (!strcasecmp(v->name, "rtautoclear")) {
 int i = atoi(v->value);
 if (i > 0)
Index: configs/sip.conf.sample
===================================================================
--- configs/sip.conf.sample (revision 140020)
+++ configs/sip.conf.sample (working copy)
@@ -136,6 +136,16 @@
 ; your localnet setting. Unless you have some sort of strange network
 ; setup you will not need to enable this.
+;dynamic_exclude_static = yes ; Disallow all dynamic hosts from registering
+ ; as any IP address used for staticly defined
+ ; hosts. This helps avoid the configuration
+ ; error of allowing your users to register at
+ ; the same address as a SIP provider.
+
+;contactdeny=0.0.0.0/0.0.0.0 ; Use contactpermit and contactdeny to
+;contactpermit=172.16.0.0/255.255.0.0 ; restrict at what IPs your users may
+ ; register their phones.
+
 ;
 ; If regcontext is specified, Asterisk will dynamically create and destroy a
 ; NoOp priority 1 extension for a given peer who registers or unregisters with
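Review bot: The reload path (hunk at -17293) frees and resets `global_contact_ha` but not `global_dynamic_exclude_static`, which the option-parsing hunk assigns only when the option line is present. Removing `dynamic_exclude_static` from sip.conf and reloading would therefore leave the previous value active and keep generating deny entries for static hosts. Add `global_dynamic_exclude_static = 0;` next to `global_contact_ha = NULL;`. It is also worth confirming that the registration path cannot be evaluating the list while `ast_free_ha(global_contact_ha)` runs, since the locking is not visible in this hunk.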
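Review bot: `v->name + 7` (hunk at -17443) relies on the reader noticing that 7 is the length of "contact", and the same idiom appears in the per-peer `contactpermit`/`contactdeny` branch earlier in the patch. A short comment such as `/* skip the "contact" prefix so ast_append_ha sees "permit" or "deny" */`, or writing `v->name + strlen("contact")`, would make the intent explicit and keep the two places from drifting apart. The enclosing option loop continues outside the hunk.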
@@ -501,6 +511,10 @@
 ; outboundproxy
 ; rfc2833compensate
 ; t38pt_usertpsource
+; contactpermit ; Limit what a host may register as (a neat trick
+; contactdeny ; is to register at the same IP as a SIP provider,
+; ; then call oneself, and get redirected to that
+; ; same location).
 ;[sip_proxy]
 ; For incoming calls only. Example: FWD (Free World Dialup)