
Merge branch 'master' into pepelux/secfilter

Jose Luis Verdeguer authored on 15/08/2022 18:33:13 • GitHub committed on 15/08/2022 18:33:13
Showing 8 changed files
... ...
@@ -1 +1 @@
1
-Subproject commit e722c15be860794179082a05d09e6a90dc77ccf0
1
+Subproject commit 57aac1c50b45275c7a99eca32ad985998b292dc8
... ...
@@ -284,7 +284,7 @@ static int cfg_update_defaults(cfg_group_meta_t	*meta,
284 284
 				meta->array = array;
285 285
 				clone_done = 1;
286 286
 			}
287
-			if(ginst->vars + var->offset) {
287
+			if((unsigned long)ginst->vars + var->offset) {
288 288
 				memcpy(ginst->vars + var->offset, new_val, cfg_var_size(var));
289 289
 			} else {
290 290
 				LM_ERR("invalid variable offset\n");
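Review bot: The new condition `(unsigned long)ginst->vars + var->offset` is not a validity check: the sum is non-zero for any non-null `vars` and any offset short of wrapping, so the `else` branch that logs "invalid variable offset" remains effectively unreachable, exactly as before the cast; the cast presumably only silences the compiler warning that pointer-plus-offset can never be null. If the diagnostic is meant to catch anything, test the pointer itself, `if(ginst->vars != NULL) {`, and bound-check `var->offset` against the group's variable block size where that size is available (not visible in this hunk). If the cast stays, `uintptr_t` is the portable type for a pointer-to-integer conversion rather than `unsigned long`, and a one-line comment such as `/* cast avoids the always-true pointer warning; not a real range check */` would stop the next reader from relying on it. cfg_update_defaults begins and ends outside the hunk.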
... ...
@@ -347,6 +347,9 @@ int ksr_version_control(void *handle, char *path)
347 347
 	char **m_flags;
348 348
 	char* error;
349 349
 
350
+#ifdef __FreeBSD__
351
+    (void) dlerror();
352
+#endif
350 353
 	m_ver=(char **)dlsym(handle, "module_version");
351 354
 	if ((error=(char *)dlerror())!=0) {
352 355
 		LM_ERR("no version info in module <%s>: %s\n", path, error);
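Review bot: Clearing the pending dlerror() state before dlsym() is correct, but restricting it to `#ifdef __FreeBSD__` is hard to justify: on every POSIX platform dlerror() returns the last error since the previous dlerror() call, so a stale error left by an earlier dl* call would make the `if ((error=(char *)dlerror())!=0)` check right below misreport a module that does carry version info. Drop the guard and keep an unconditional `(void) dlerror();`, or add a comment explaining why only FreeBSD needs it. The added lines are also indented with four spaces while the surrounding code uses tabs. ksr_version_control continues outside the hunk.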
... ...
@@ -329,22 +329,45 @@ int udp_init(struct socket_info* sock_info)
329 329
 	}
330 330
 
331 331
 #if defined (__OS_linux) && defined(UDP_ERRORS)
332
+	/* Ask for the ability to recvmsg (...,MSG_ERRQUEUE) for immediate
333
+	 * resend when hitting Path MTU limits. */
332 334
 	optval=1;
333 335
 	/* enable error receiving on unconnected sockets */
334
-	if(setsockopt(sock_info->socket, SOL_IP, IP_RECVERR,
336
+	if (addr->s.sa_family==AF_INET){
337
+		if(setsockopt(sock_info->socket, SOL_IP, IP_RECVERR,
335 338
 					(void*)&optval, sizeof(optval)) ==-1){
336
-		LM_ERR("setsockopt: %s\n", strerror(errno));
337
-		goto error;
339
+			LM_ERR("IPV4 setsockopt: %s\n", strerror(errno));
340
+			goto error;
341
+		}
342
+	} else if (addr->s.sa_family==AF_INET6){
343
+		if(setsockopt(sock_info->socket, SOL_IPV6, IPV6_RECVERR,
344
+					(void*)&optval, sizeof(optval)) ==-1){
345
+			LM_ERR("IPv6 setsockopt: %s\n", strerror(errno));
346
+			goto error;
347
+		}
338 348
 	}
339 349
 #endif
340 350
 #if defined (__OS_linux)
341
-	/* if pmtu_discovery=1 then set DF bit and do Path MTU discovery
342
-	 * disabled by default */
343
-	optval= (pmtu_discovery) ? IP_PMTUDISC_DO : IP_PMTUDISC_DONT;
344
-	if(setsockopt(sock_info->socket, IPPROTO_IP, IP_MTU_DISCOVER,
345
-			(void*)&optval, sizeof(optval)) ==-1){
346
-		LM_ERR("setsockopt: %s\n", strerror(errno));
347
-		goto error;
351
+	if (addr->s.sa_family==AF_INET){
352
+		/* If pmtu_discovery=1 then set DF bit and do Path MTU discovery
353
+		 * disabled by default.  Specific to IPv4. */
354
+		optval= (pmtu_discovery) ? IP_PMTUDISC_DO : IP_PMTUDISC_DONT;
355
+		if(setsockopt(sock_info->socket, IPPROTO_IP, IP_MTU_DISCOVER,
356
+				(void*)&optval, sizeof(optval)) ==-1){
357
+			LM_ERR("IPv4 setsockopt: %s\n", strerror(errno));
358
+			goto error;
359
+		}
360
+	} else if (addr->s.sa_family==AF_INET6){
361
+		/* IPv6 never fragments but sends ICMPv6 Packet too Big,
362
+		 * If pmtu_discovery=1 then set DF bit and do Path MTU discovery
363
+		 * disabled by default.  Specific to IPv6. */
364
+		optval= (pmtu_discovery) ? IPV6_PMTUDISC_DO : IPV6_PMTUDISC_DONT;
365
+		if(setsockopt(sock_info->socket, IPPROTO_IPV6,
366
+				IPV6_MTU_DISCOVER,
367
+				(void*)&optval, sizeof(optval)) ==-1){
368
+			LM_ERR("IPv6 setsockopt: %s\n", strerror(errno));
369
+			goto error;
370
+		}
348 371
 	}
349 372
 #endif
350 373
 
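Review bot: The IPv4 error messages disagree — the IP_RECVERR branch logs `"IPV4 setsockopt: %s\n"` while the IP_MTU_DISCOVER branch logs `"IPv4 setsockopt: %s\n"`; use one spelling, and since the four failure paths now share nearly identical text, naming the option in each message (`"setsockopt(IP_RECVERR): %s\n"`) would make the log line actionable. The comment in the IPv6 PMTU branch says "set DF bit", but IPv6 has no DF bit; IPV6_PMTUDISC_DO asks the kernel not to fragment locally and to rely on ICMPv6 Packet Too Big, so the comment should say that instead. `addr` is not declared in the hunk, so where it comes from and whether it can be null at this point cannot be confirmed from this view; a socket whose family is neither AF_INET nor AF_INET6 now silently skips both options, which is presumably intended but worth a comment. udp_init starts and ends outside the hunk.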
... ...
@@ -663,67 +663,72 @@ d in the user-agent header ($ua)");
663 663
                 ...
664 664
 User-agent
665 665
 ==========
666
-[+] Blacklisted
667
-    -----------
668
-    0001 -> friendly-scanner
669
-    0002 -> pplsip
670
-    0003 -> sipcli
671
-    0004 -> sundayddr
672
-    0005 -> iWar
673
-    0006 -> sipsak
674
-    0007 -> VaxSIPUserAgent
675
-    0008 -> SimpleSIP
676
-    0009 -> SIP Call
677
-    0010 -> Ozeki
678
-    0011 -> VoIPSec
679
-    0012 -> SIPScan
680
-    0013 -> Conaito
681
-    0014 -> UsaAirport
682
-    0015 -> PortSIP VoIP SDK
683
-    0016 -> zxcvfdf11
684
-    0017 -> fdgddfg546df4g8d5f
685
-
686
-[+] Whitelisted
687
-    -----------
688
-    0001 -> my custom ua
666
+{
667
+        User-Agent: {
668
+                Blacklisted: {
669
+                        Value: friendly-scanner
670
+                        Value: pplsip
671
+                        Value: sipcli
672
+                        Value: sundayddr
673
+                        Value: iWar
674
+                        Value: sipsak
675
+                        Value: VaxSIPUserAgent
676
+                        Value: SimpleSIP
677
+                        Value: SIP Call
678
+                        Value: Ozeki
679
+                        Value: VoIPSec
680
+                        Value: SIPScan
681
+                        Value: Conaito
682
+                        Value: UsaAirport
683
+                        Value: PortSIP VoIP SDK
684
+                        Value: zxcvfdf11
685
+                        Value: fdgddfg546df4g8d5f
686
+                        Value: siptest
687
+                        Value: Nmap NSE
688
+                }
689
+                Whitelisted: {
690
+                        Value: my custom ua
691
+                }
692
+        }
693
+}
689 694
                 ...
690 695
 
691 696
 7.2. Statistics
692 697
 
693 698
    Example 1.25. kamcmd secfilter.stats
694 699
                 ...
695
-Blocked messages (blacklist)
696
-============================
697
-[+] By user-agent    : 1256
698
-[+] By country       : 45
699
-[+] By from domain   : 0
700
-[+] By to domain     : 0
701
-[+] By contact domain: 1
702
-[+] By IP address    : 2552
703
-[+] By from name     : 0
704
-[+] By to name       : 0
705
-[+] By contact name  : 0
706
-[+] By from user     : 316
707
-[+] By to user       : 134
708
-[+] By contact user  : 0
709
-
710
-Allowed messages (whitelist)
711
-============================
712
-[+] By user-agent    : 0
713
-[+] By country       : 478
714
-[+] By from domain   : 0
715
-[+] By to domain     : 0
716
-[+] By contact domain: 0
717
-[+] By IP address    : 0
718
-[+] By from name     : 0
719
-[+] By to name       : 0
720
-[+] By contact name  : 0
721
-[+] By from user     : 0
722
-[+] By to user       : 0
723
-[+] By contact user  : 0
724
-
725
-Other blocked messages
726
-======================
727
-[+] Destinations   : 0
728
-[+] SQL injection  : 213
700
+{
701
+        Blacklist: {
702
+                User-Agent: 1256
703
+                Country: 45
704
+                From-Domain: 0
705
+                To-Domain: 0
706
+                Contact-Domain: 1
707
+                IP-Address: 2552
708
+                From-Name: 0
709
+                To-Name: 0
710
+                Contact-Name: 0
711
+                From-User: 316
712
+                To-User: 0134
713
+                Contact-User: 0
714
+        }
715
+        Whitelist: {
716
+                User-Agent: 0
717
+                Country: 478
718
+                From-Domain: 0
719
+                To-Domain: 0
720
+                Contact-Domain: 0
721
+                IP-Address: 0
722
+                From-Name: 0
723
+                To-Name: 0
724
+                Contact-Name: 0
725
+                From-User: 0
726
+                To-User: 0
727
+                Contact-User: 0
728
+        }
729
+        Other: {
730
+                Destination: 0
731
+                SQL-Injection: 213
732
+        }
733
+}
729 734
                 ...
... ...
@@ -23,7 +23,7 @@ $(WOLFSSL_PREFIX)/include/wolfssl/options.h $(WOLFSSL_PREFIX)/lib/libwolfssl.a:
23 23
 		./autogen.sh; \
24 24
 	fi; \
25 25
 	if [ ! -f "Makefile" ]; then \
26
-		env -u DEFS -u CFLAGS -u LDFLAGS -u LIBS EXTRA_CFLAGS="-g -fPIC -Wno-error=array-bounds -Wno-error=stringop-overflow" ./configure \
26
+		env -u DEFS -u CFLAGS -u LDFLAGS -u LIBS EXTRA_CFLAGS="-g -fPIC" ./configure \
27 27
 		--enable-all --enable-pkcs11 --enable-static --enable-aligndata=no \
28 28
 		--disable-shared --disable-examples \
29 29
 		--prefix=$(CURDIR)/$(WOLFSSL_PREFIX) \
... ...
@@ -131,11 +131,15 @@ Chapter 1. Admin Guide
131 131
 
132 132
 3.2. Kamailio Core Settings
133 133
 
134
-   SIP requires a Content-Length header for TCP transport. But most HTTP
135
-   clients do not set the content length for normal GET requests.
136
-   Therefore, the core must be configured to allow incoming requests
137
-   without content length header:
138
-     * tcp_accept_no_cl=yes
134
+   Related core settings:
135
+     * tcp_accept_no_cl=yes - SIP requires the Content-Length header for
136
+       TCP transport. But most HTTP clients do not set the content length
137
+       for normal GET requests. Therefore, the core must be configured to
138
+       allow incoming requests without content length header.
139
+     * http_reply_parse=yes - various Kamailio modules may parse what it
140
+       is sent out (e.g., for replication, topology management). In such
141
+       case errors are printed if the outgoing message is not SIP and this
142
+       parameter is not set.
139 143
 
140 144
 3.3. External Libraries or Applications
141 145
 
... ...
@@ -85,13 +85,23 @@
85 85
 	<section>
86 86
 		<title>&kamailio; Core Settings</title>
87 87
 		<para>
88
-		SIP requires a Content-Length header for TCP transport. But most HTTP clients do not
89
-		set the content length for normal GET requests. Therefore, the core must be configured
90
-		to allow incoming requests without content length header:
88
+		Related core settings:
91 89
 			<itemizedlist>
92 90
 			<listitem>
93 91
 			<para>
94
-				<emphasis>tcp_accept_no_cl=yes</emphasis>
92
+				<emphasis>tcp_accept_no_cl=yes</emphasis> - SIP requires the
93
+				Content-Length header for TCP transport. But most HTTP clients
94
+				do not set the content length for normal GET requests. Therefore,
95
+				the core must be configured to allow incoming requests without
96
+				content length header.
97
+			</para>
98
+			</listitem>
99
+			<listitem>
100
+			<para>
101
+				<emphasis>http_reply_parse=yes</emphasis> - various Kamailio
102
+				modules may parse what it is sent out (e.g., for replication,
103
+				topology management). In such case errors are printed if the
104
+				outgoing message is not SIP and this parameter is not set.
95 105
 			</para>
96 106
 			</listitem>
97 107
 			</itemizedlist>