ACL: ast_apply_acl_nolog - identical to ast_apply_acl but without logging.

Due to use in res_rtp_asterisk there is a need to be able to apply an ACL without logging any invalid/denies. It's probably sensible to at least validate the ACL once directly after load and report invalid ACLs. Change-Id: I256169229d945ca7c1bbf228fc492d91df345843 Signed-off-by: Jaco Kroon <jaco@uls.co.za>
2019-12-04 10:35:52 +02:00 · 2019-12-04 10:35:52 +02:00 · 77941efad9
parent 4631e77078
commit 77941efad9
2 changed files with 34 additions and 5 deletions
--- a/include/asterisk/acl.h
+++ b/include/asterisk/acl.h
@ -212,6 +212,20 @@ enum ast_acl_sense ast_apply_ha(const struct ast_ha *ha, const struct ast_sockad
 */
 enum ast_acl_sense ast_apply_acl(struct ast_acl_list *acl_list, const struct ast_sockaddr *addr, const char *purpose);

+/*!
+ * \brief Apply a set of rules to a given IP address, don't log failure.
+ *
+ * \details
+ * Exactly like ast_apply_acl, except that it will never log anything.
+ *
+ * \param acl_list The head of the list of ACLs to evaluate
+ * \param addr An ast_sockaddr whose address is considered when matching rules
+ *
+ * \retval AST_SENSE_ALLOW The IP address passes our ACLs
+ * \retval AST_SENSE_DENY The IP address fails our ACLs
+ */
+enum ast_acl_sense ast_apply_acl_nolog(struct ast_acl_list *acl_list, const struct ast_sockaddr *addr);
+
 /*!
 * \brief Get the IP address given a hostname
 *
--- a/main/acl.c
+++ b/main/acl.c
@ -723,7 +723,7 @@ void ast_ha_join_cidr(const struct ast_ha *ha, struct ast_str **buf)
 	}
 }

-enum ast_acl_sense ast_apply_acl(struct ast_acl_list *acl_list, const struct ast_sockaddr *addr, const char *purpose)
+static enum ast_acl_sense ast_apply_acl_internal(struct ast_acl_list *acl_list, const struct ast_sockaddr *addr, const char *log_prefix)
 {
 	struct ast_acl *acl;

@ -737,16 +737,22 @@ enum ast_acl_sense ast_apply_acl(struct ast_acl_list *acl_list, const struct ast
 	AST_LIST_TRAVERSE(acl_list, acl, list) {
 		if (acl->is_invalid) {
 			/* In this case, the baseline ACL shouldn't ever trigger this, but if that somehow happens, it'll still be shown. */
-			ast_log(LOG_WARNING, "%sRejecting '%s' due to use of an invalid ACL '%s'.\n", purpose ? purpose : "", ast_sockaddr_stringify_addr(addr),
-					ast_strlen_zero(acl->name) ? "(BASELINE)" : acl->name);
+			if (log_prefix) {
+				ast_log(LOG_WARNING, "%sRejecting '%s' due to use of an invalid ACL '%s'.\n",
+						log_prefix, ast_sockaddr_stringify_addr(addr),
+						ast_strlen_zero(acl->name) ? "(BASELINE)" : acl->name);
+			}
 			AST_LIST_UNLOCK(acl_list);
 			return AST_SENSE_DENY;
 		}

 		if (acl->acl) {
 			if (ast_apply_ha(acl->acl, addr) == AST_SENSE_DENY) {
-				ast_log(LOG_NOTICE, "%sRejecting '%s' due to a failure to pass ACL '%s'\n", purpose ? purpose : "", ast_sockaddr_stringify_addr(addr),
-						ast_strlen_zero(acl->name) ? "(BASELINE)" : acl->name);
+				if (log_prefix) {
+					ast_log(LOG_NOTICE, "%sRejecting '%s' due to a failure to pass ACL '%s'\n",
+							log_prefix, ast_sockaddr_stringify_addr(addr),
+							ast_strlen_zero(acl->name) ? "(BASELINE)" : acl->name);
+				}
 				AST_LIST_UNLOCK(acl_list);
 				return AST_SENSE_DENY;
 			}
@ -758,6 +764,15 @@ enum ast_acl_sense ast_apply_acl(struct ast_acl_list *acl_list, const struct ast
 	return AST_SENSE_ALLOW;
 }

+
+enum ast_acl_sense ast_apply_acl(struct ast_acl_list *acl_list, const struct ast_sockaddr *addr, const char *purpose) {
+	return ast_apply_acl_internal(acl_list, addr, purpose ?: "");
+}
+
+enum ast_acl_sense ast_apply_acl_nolog(struct ast_acl_list *acl_list, const struct ast_sockaddr *addr) {
+	return ast_apply_acl_internal(acl_list, addr, NULL);
+}
+
 enum ast_acl_sense ast_apply_ha(const struct ast_ha *ha, const struct ast_sockaddr *addr)
 {
 	/* Start optimistic */