From 434187533bd1357ea8f834b10016499aa423082a Mon Sep 17 00:00:00 2001
From: Neels Hofmeyr
Date: Thu, 9 Nov 2017 05:09:48 +0100
Subject: bsc filter: don't ignore imsi-allow on "global" filter level

First off, there are "global" and "local" IMSI black/whitelist levels:

           "global"   "local"
  VTY      'bsc'      'msc'      for osmo-bsc
  VTY      'nat'      'bsc'      for osmo-bsc_nat

Both in osmo-bsc and osmo-bsc-nat, the "global" IMSI filter so far
completely ignores all 'imsi-allow' rules it may contain. A comment in
imsi_allow() proclaims actions that are missing in the code.

Notably, in our example config osmo-bsc_nat.cfg, there is an imsi-allow on
the 'nat' level, which with the code before this patch cannot have been
effective in any way.

Furthermore, on the "local" level the order is to check imsi-allow first,
and imsi-deny after that. The comment says to do that in reverse order on
the "global" level. There is no apparent reason for reversing.

Add evaluation of imsi-allow directives on the "global" level, i.e. 'bsc'
in osmo-bsc and 'nat' in osmo-bsc-nat, in the same order as on "local"
level, to avoid confusion. Swap the comment to be consistent.

Before this patch, to have effective imsi-allow, this config would be
necessary for osmo-bsc:

  bsc
   access-list acl imsi-allow 999999999999999
   access-list acl imsi-allow 9017.*
   access-list acl imsi-deny .*
  msc 0
   access-list-name acl
   ...
  msc 1
   access-list-name acl
   ...

With this patch, imsi-allow also works on the "global" level:

  bsc
   access-list acl imsi-allow 999999999999999
   access-list acl imsi-allow 9017.*
   access-list acl imsi-deny .*
   access-list-name acl
  msc 0
   ...
  msc 1
   ...

Change-Id: Idb6c8dd62aa90666ba6fcd213f59d79f5498da3f
---
 src/libfilter/bsc_msg_filter.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/libfilter/bsc_msg_filter.c b/src/libfilter/bsc_msg_filter.c
index fc87e88fa..816ed940d 100644
--- a/src/libfilter/bsc_msg_filter.c
+++ b/src/libfilter/bsc_msg_filter.c
@@ -150,8 +150,8 @@ static int auth_imsi(struct bsc_filter_request *req, * 1.) Check the global IMSI barr list * 2.) Allow directly if the IMSI is allowed at the BSC * 3.) Reject if the IMSI is not allowed at the BSC - * 4.) Reject if the IMSI not allowed at the global level. - * 5.) Allow directly if the IMSI is allowed at the global level + * 4.) Allow directly if the IMSI is allowed at the global level + * 5.) Reject if the IMSI not allowed at the global level. */ int cm, lu; struct bsc_msg_acc_lst *nat_lst = NULL; @@ -189,8 +189,12 @@ static int auth_imsi(struct bsc_filter_request *req, } - /* 4. NAT deny */ if (nat_lst) { + /* 4. global allow */ + if (bsc_msg_acc_lst_check_allow(nat_lst, imsi) == 0) + return 1; + + /* 5. global deny */ if (lst_check_deny(nat_lst, imsi, &cm, &lu) == 0) { LOGP(DFILTER, LOGL_ERROR, "Filtering %s global imsi_deny on bsc nr: %d.\n", imsi, req->bsc_nr); -- cgit v1.2.3
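Review bot: the swapped steps 4 and 5 in the auth_imsi() comment now match the code, but the comment still carries two defects worth fixing in the same touch: step 1 reads "Check the global IMSI barr list" (should be "barring list", and it is not obvious how that differs from step 5's global deny, so say explicitly that step 1 is the hard bar list and steps 4/5 are the access-list rules), and the new step 5 keeps the old grammar slip "Reject if the IMSI not allowed at the global level." (missing "is"). Since this comment is the only place the evaluation order is documented, and the commit message's whole point is that the order should be identical on the local and global levels, one extra sentence stating "allow is checked before deny on both levels, so an IMSI matching both is admitted" would save the next reader from re-deriving it.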
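Review bot: the new global-allow path ("4. global allow") returns 1 silently, while the adjacent global-deny path logs "Filtering %s global imsi_deny on bsc nr: %d." at LOGL_ERROR; since this patch turns a rule that previously had no effect into one that admits subscribers, add a matching LOGP(DFILTER, LOGL_DEBUG, ...) before the `return 1` so an operator can see that an IMSI was accepted by the global imsi-allow rather than by falling through the deny check. Also note the short-circuit semantics this introduces: an IMSI that matches both an imsi-allow and an imsi-deny on the same global list is now accepted, which is consistent with the local level per the commit message but was not reachable before, so a regression test for exactly the configuration in the commit message (global "access-list acl imsi-allow 9017.*" followed by "access-list acl imsi-deny .*", checking that a 9017... IMSI passes and another IMSI is rejected) would pin the behaviour down.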