This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
Neels Hofmeyr gerrit-no-reply at lists.osmocom.orgReview at https://gerrit.osmocom.org/4750 bsc filter: don't ignore imsi-allow on "global" filter level First off, there are "global" and "local" IMSI black/whitelist levels: "global" "local" VTY 'bsc' 'msc' for osmo-bsc VTY 'nat' 'bsc' for osmo-bsc_nat Both in osmo-bsc and osmo-bsc-nat, the "global" IMSI filter so far completely ignores all 'imsi-allow' rules it may contain. A comment in imsi_allow() proclaims actions that are missing in the code. Notably, in our example config osmo-bsc_nat.cfg, there is an imsi-allow on the 'nat' level, which with the code before this patch cannot have been effective in any way. Furthermore, on the "local" level the order is to check imsi-allow first, and imsi-deny after that. The comment says to do that in reverse order on the "global" level. There is no apparent reason for reversing. Add evaluation of imsi-allow directives on the "global" level, i.e. 'bsc' in osmo-bsc and 'nat' in osmo-bsc-nat, in the same order as on "local" level, to avoid confusion. Swap the comment to be consistent. Before this patch, to have effective imsi-allow, this config would be necessary for osmo-bsc: bsc access-list acl imsi-allow 999999999999999 access-list acl imsi-allow 9017.* access-list acl imsi-deny .* msc 0 access-list-name acl ... msc 1 access-list-name acl ... With this patch, imsi-allow also works on the "global" level: bsc access-list acl imsi-allow 999999999999999 access-list acl imsi-allow 9017.* access-list acl imsi-deny .* access-list-name acl msc 0 ... msc 1 ... Change-Id: Idb6c8dd62aa90666ba6fcd213f59d79f5498da3f --- M src/libfilter/bsc_msg_filter.c 1 file changed, 7 insertions(+), 3 deletions(-) git pull ssh://gerrit.osmocom.org:29418/osmo-bsc refs/changes/50/4750/1 diff --git a/src/libfilter/bsc_msg_filter.c b/src/libfilter/bsc_msg_filter.c index fc87e88..816ed94 100644 --- a/src/libfilter/bsc_msg_filter.c +++ b/src/libfilter/bsc_msg_filter.c @@ -150,8 +150,8 @@ * 1.) Check the global IMSI barr list * 2.) Allow directly if the IMSI is allowed at the BSC * 3.) Reject if the IMSI is not allowed at the BSC - * 4.) Reject if the IMSI not allowed at the global level. - * 5.) Allow directly if the IMSI is allowed at the global level + * 4.) Allow directly if the IMSI is allowed at the global level + * 5.) Reject if the IMSI not allowed at the global level. */ int cm, lu; struct bsc_msg_acc_lst *nat_lst = NULL; @@ -189,8 +189,12 @@ } - /* 4. NAT deny */ if (nat_lst) { + /* 4. global allow */ + if (bsc_msg_acc_lst_check_allow(nat_lst, imsi) == 0) + return 1; + + /* 5. global deny */ if (lst_check_deny(nat_lst, imsi, &cm, &lu) == 0) { LOGP(DFILTER, LOGL_ERROR, "Filtering %s global imsi_deny on bsc nr: %d.\n", imsi, req->bsc_nr); -- To view, visit https://gerrit.osmocom.org/4750 To unsubscribe, visit https://gerrit.osmocom.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Idb6c8dd62aa90666ba6fcd213f59d79f5498da3f Gerrit-PatchSet: 1 Gerrit-Project: osmo-bsc Gerrit-Branch: master Gerrit-Owner: Neels Hofmeyr <nhofmeyr at sysmocom.de>