Review at  https://gerrit.osmocom.org/4750

bsc filter: don't ignore imsi-allow on "global" filter level

First off, there are "global" and "local" IMSI black/whitelist levels:

     "global"  "local"
 VTY 'bsc'     'msc'   for osmo-bsc
 VTY 'nat'     'bsc'   for osmo-bsc_nat

Both in osmo-bsc and osmo-bsc-nat, the "global" IMSI filter so far completely
ignores all 'imsi-allow' rules it may contain. A comment in imsi_allow()
proclaims actions that are missing in the code. Notably, in our example config
osmo-bsc_nat.cfg, there is an imsi-allow on the 'nat' level, which with the
code before this patch cannot have been effective in any way.

Furthermore, on the "local" level the order is to check imsi-allow first, and
imsi-deny after that. The comment says to do that in reverse order on the
"global" level. There is no apparent reason for reversing.

Add evaluation of imsi-allow directives on the "global" level, i.e. 'bsc' in
osmo-bsc and 'nat' in osmo-bsc-nat, in the same order as on "local" level, to
avoid confusion. Swap the comment to be consistent.

Before this patch, to have effective imsi-allow, this config would be necessary
for osmo-bsc:

    bsc
     access-list acl imsi-allow 999999999999999
     access-list acl imsi-allow 9017.*
     access-list acl imsi-deny .*
    msc 0
     access-list-name acl
     ...
    msc 1
     access-list-name acl
     ...

With this patch, imsi-allow also works on the "global" level:

    bsc
     access-list acl imsi-allow 999999999999999
     access-list acl imsi-allow 9017.*
     access-list acl imsi-deny .*
     access-list-name acl
    msc 0
     ...
    msc 1
     ...

Change-Id: Idb6c8dd62aa90666ba6fcd213f59d79f5498da3f
---
M src/libfilter/bsc_msg_filter.c
1 file changed, 7 insertions(+), 3 deletions(-)


  git pull ssh://gerrit.osmocom.org:29418/osmo-bsc refs/changes/50/4750/1

diff --git a/src/libfilter/bsc_msg_filter.c b/src/libfilter/bsc_msg_filter.c
index fc87e88..816ed94 100644
--- a/src/libfilter/bsc_msg_filter.c
+++ b/src/libfilter/bsc_msg_filter.c
@@ -150,8 +150,8 @@
         * 1.) Check the global IMSI barr list
         * 2.) Allow directly if the IMSI is allowed at the BSC
         * 3.) Reject if the IMSI is not allowed at the BSC
-        * 4.) Reject if the IMSI not allowed at the global level.
-        * 5.) Allow directly if the IMSI is allowed at the global level
+        * 4.) Allow directly if the IMSI is allowed at the global level
+        * 5.) Reject if the IMSI not allowed at the global level.
         */
        int cm, lu;
        struct bsc_msg_acc_lst *nat_lst = NULL;
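Review bot: Step 5 of the comment ("Reject if the IMSI not allowed at the global level") reads like a default-deny, but the code it documents in the next hunk rejects on a deny-list match (lst_check_deny on nat_lst). Consider wording steps 3 and 5 as "Reject if the IMSI matches an imsi-deny rule at ..." so the comment states what is actually evaluated. The comment also now says "global" while the variable declared right below it is still nat_lst; one term used throughout would be easier to follow.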
@@ -189,8 +189,12 @@
 
        }
 
-       /* 4. NAT deny */
        if (nat_lst) {
+               /* 4. global allow */
+               if (bsc_msg_acc_lst_check_allow(nat_lst, imsi) == 0)
+                       return 1;
+
+               /* 5. global deny */
                if (lst_check_deny(nat_lst, imsi, &cm, &lu) == 0) {
                        LOGP(DFILTER, LOGL_ERROR,
                             "Filtering %s global imsi_deny on bsc nr: %d.\n", 
imsi, req->bsc_nr);
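Review bot: The new early return under "4. global allow" (`return 1;`) skips the global deny check that follows it. Global imsi-allow entries that were inert before this patch now take precedence over a global imsi-deny. That is a behaviour change for existing configs, such as the example osmo-bsc_nat.cfg the commit message mentions, and it deserves a note in the documentation or changelog. The allow path is also silent while the deny path logs through LOGP(DFILTER, ...); a debug-level log line on the allow match would make accept decisions traceable. A test using the allow-then-deny-all config from the commit message would pin the evaluation order down.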

-- 
To view, visit https://gerrit.osmocom.org/4750
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Idb6c8dd62aa90666ba6fcd213f59d79f5498da3f
Gerrit-PatchSet: 1
Gerrit-Project: osmo-bsc
Gerrit-Branch: master
Gerrit-Owner: Neels Hofmeyr <nhofm...@sysmocom.de>
