examples/pstn.cfg
 #
 # $Id$
 #
 # example: ser configured as PSTN gateway guard; PSTN gateway is located
 # at 192.168.0.10
 #
 
 # ------------------ module loading ----------------------------------
 
 loadmodule "modules/sl/sl.so"
 loadmodule "modules/tm/tm.so"
 loadmodule "modules/acc/acc.so"
 loadmodule "modules/rr/rr.so"
 loadmodule "modules/maxfwd/maxfwd.so"
 loadmodule "modules/mysql/mysql.so"
 loadmodule "modules/auth/auth.so"
 loadmodule "modules/auth_db/auth_db.so"
 loadmodule "modules/group/group.so"
 loadmodule "modules/uri/uri.so"
 
 # ----------------- setting module-specific parameters ---------------
 
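 # Database the auth_db module reads subscriber credentials from.
 # NOTE(review): the URL embeds the example account "ser" and its password in
 # clear text; use site-specific credentials and keep this file readable only
 # by the account that runs ser.
 modparam("auth_db", "db_url","mysql://ser:heslo@localhost/ser")
 # calculate_ha1=yes makes auth_db compute the digest HA1 from the value in
 # password_column, so that column has to hold plaintext passwords.
 # NOTE(review): where the subscriber table can hold precomputed HA1 values,
 # turn this off so that a database leak does not expose the passwords
 # themselves.
 modparam("auth_db", "calculate_ha1", yes)
 modparam("auth_db", "password_column", "password")
 
 # -- acc params --
 modparam("acc", "log_level", 1)
 # log_flag is the flag number for which transactions are accounted; the
 # routing script has to set the same flag (see setflag(1) in route{})
 modparam("acc", "log_flag", 1 )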
 
 # -------------------------  request routing logic -------------------
 
 # main routing logic
 
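 route{
 
 	/* ********* ROUTINE CHECKS  ********************************** */
 
 	# filter too old messages
 	if (!mf_process_maxfwd_header("10")) {
 		log("LOG: Too many hops\n");
 		sl_send_reply("483","Too Many Hops");
 		break;
 	};
 	# reject oversized requests before any further processing
 	if (len_gt( max_len )) {
 		sl_send_reply("513", "Wow -- Message too large");
 		break;
 	};
 
 	/* ********* RR ********************************** */
 
 	/* grant Route routing if route headers present */
 	# NOTE(review): a request that carries Route headers is relayed here,
 	# ahead of the destination filter and the authorization checks below;
 	# confirm that this early exit is only reachable by requests that
 	# belong to an established dialog.
 	if (loose_route()) { t_relay(); break; };
 	
 	/* record-route INVITEs -- all subsequent requests must visit us */
 	if (method=="INVITE") {
 		record_route();
 	};
 
 	# now check if it really is a PSTN destination which should be handled
 	# by our gateway; if not, and the request is an invitation, drop it --
 	# we cannot terminate it in PSTN; relay non-INVITE requests -- it may
 	# be for example BYEs sent by gateway to call originator
 	#
 	# Every Request-URI pattern in this script is anchored with ^ so that it
 	# is tested against the start of the URI. An unanchored pattern is also
 	# satisfied by matching text elsewhere in the URI (a parameter, for
 	# instance), so the dialled number in the user part would not be the
 	# thing that gets classified.
 	if (!uri=~"^sip:\+?[0-9]+@.*") {
 		if (method=="INVITE") {
 			sl_send_reply("403", "Call cannot be served here");
 		} else {
 			forward(uri:host, uri:port);
 		};
 		break;
 	}; 
 
 	# account completed transactions via syslog
 	setflag(1);
 
 	# free call destinations ... no authentication needed
 	# NOTE(review): the last pattern has no "@" after the digits, so it
 	# accepts any number that begins with 98 plus four digits; confirm that
 	# a prefix match is intended for a class that skips authentication.
 	if ( is_user_in("Request-URI", "free-pstn")  /* free destinations */
 			|  uri=~"^sip:[79][0-9][0-9][0-9]@.*"  /* local PBX */
 			| uri=~"^sip:98[0-9][0-9][0-9][0-9]") {
 		log("free call");
 	} else if (src_ip==192.168.0.10) {
 		# our gateway doesn't support digest authentication;
 		# verify that a request is coming from it by source
 		# address
 		# NOTE(review): this trusts the packet's source address alone, so
 		# it is only as strong as the network's filtering of forged
 		# 192.168.0.10 sources -- confirm that such filtering is in place.
 		log("gateway-originated request");
 	} else {
 		# in all other cases, we need to check the request against
 		# access control lists; first of all, verify request
 		# originator's identity
 
 		if (!proxy_authorize(	"gateway" /* realm */,
 				"subscriber" /* table name */))  {
 			proxy_challenge( "gateway" /* realm */, "0" /* no qop */ );
 			break;
 		};
 
 		# authorize only for INVITEs -- RR/Contact may result in weird
 		# things showing up in d-uri that would break our logic; our
 		# major concern is INVITE which causes PSTN costs 
 
 		if (method=="INVITE") {
 
 			# does the authenticated user have a permission for local
 			# calls (destinations beginning with a single zero)? 
 			# (i.e., is he in the "local" group?)
 			if (uri=~"^sip:0[1-9][0-9]+@.*") {
 				if (!is_user_in("credentials", "local")) {
 					sl_send_reply("403", "No permission for local calls"); 
 					break;
 				};
 			# the same for long-distance (destinations begin with two zeros)
 			} else if (uri=~"^sip:00[1-9][0-9]+@.*") {
 				if (!is_user_in("credentials", "ld")) {
 					sl_send_reply("403", " no permission for LD ");
 					break;
 				};
 			# the same for international calls (three zeros)
 			} else if (uri=~"^sip:000[1-9][0-9]+@.*") {
 				if (!is_user_in("credentials", "int")) {
 					sl_send_reply("403", "International permissions needed");
 					break;
 				};
 			# everything else (e.g., interplanetary calls) is denied
 			} else {
 				sl_send_reply("403", "Forbidden");
 				break;
 			};
 
 		}; # INVITE to authorized PSTN
 
 	}; # authorized PSTN
 
 	# if you have passed through all the checks, let your call go to GW!
 
 	rewritehostport("192.168.0.10:5060");
 
 	# forward the request now
 	if (!t_relay()) {
 		sl_reply_error(); 
 		break; 
 	};
 
 }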