From 1fd60631f7ef329cc18df07dab0171f2ae23b677 Mon Sep 17 00:00:00 2001
From: Holger Hans Peter Freyther <zecke@selfish.org>
Date: Tue, 19 Oct 2010 20:55:33 +0200
Subject: nat: Change the order of the DENY/ALLOW rule for the BSC.

Currently it is not is not easily possible to disable
everyone and then only allow certain SIMs. By changing
the order we can do:
	access-list imsi-deny  only-something ^[0-9]*$
	access-list imsi-allow only-something ^123[0-9]*$

and still keep the usecase of only forbidding certain
SIMs on certain LACs. Adjust test case, test that the
other cases are still functional.
---
 openbsc/src/nat/bsc_nat_utils.c      | 13 +++++++------
 openbsc/tests/bsc-nat/bsc_nat_test.c | 19 ++++++++++++++++++-
 2 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/openbsc/src/nat/bsc_nat_utils.c b/openbsc/src/nat/bsc_nat_utils.c
index b295f3512..c1e3c9828 100644
--- a/openbsc/src/nat/bsc_nat_utils.c
+++ b/openbsc/src/nat/bsc_nat_utils.c
@@ -320,8 +320,8 @@ static int auth_imsi(struct bsc_connection *bsc, const char *mi_string)
 {
 	/*
 	 * Now apply blacklist/whitelist of the BSC and the NAT.
-	 * 1.) Reject if the IMSI is not allowed at the BSC
-	 * 2.) Allow directly if the IMSI is allowed at the BSC
+	 * 1.) Allow directly if the IMSI is allowed at the BSC
+	 * 2.) Reject if the IMSI is not allowed at the BSC
 	 * 3.) Reject if the IMSI not allowed at the global level.
 	 * 4.) Allow directly if the IMSI is allowed at the global level
 	 */
@@ -333,7 +333,11 @@ static int auth_imsi(struct bsc_connection *bsc, const char *mi_string)
 
 
 	if (bsc_lst) {
-		/* 1. BSC deny */
+		/* 1. BSC allow */
+		if (lst_check_allow(bsc_lst, mi_string) == 0)
+			return 1;
+
+		/* 2. BSC deny */
 		if (lst_check_deny(bsc_lst, mi_string) == 0) {
 			LOGP(DNAT, LOGL_ERROR,
 			     "Filtering %s by imsi_deny on bsc nr: %d.\n", mi_string, bsc->cfg->nr);
@@ -341,9 +345,6 @@ static int auth_imsi(struct bsc_connection *bsc, const char *mi_string)
 			return -2;
 		}
 
-		/* 2. BSC allow */
-		if (lst_check_allow(bsc_lst, mi_string) == 0)
-			return 1;
 	}
 
 	/* 3. NAT deny */
diff --git a/openbsc/tests/bsc-nat/bsc_nat_test.c b/openbsc/tests/bsc-nat/bsc_nat_test.c
index f82b4db5f..75bd80384 100644
--- a/openbsc/tests/bsc-nat/bsc_nat_test.c
+++ b/openbsc/tests/bsc-nat/bsc_nat_test.c
@@ -657,12 +657,29 @@ static struct cr_filter cr_filter[] = {
 		/* filter as deny is first */
 		.data = bss_lu,
 		.length = sizeof(bss_lu),
-		.result = -2,
+		.result = 1,
 		.bsc_imsi_deny = "[0-9]*",
 		.bsc_imsi_allow = "[0-9]*",
 		.nat_imsi_deny = "[0-9]*",
 		.contype = NAT_CON_TYPE_LU,
 	},
+	{
+		/* deny by nat rule */
+		.data = bss_lu,
+		.length = sizeof(bss_lu),
+		.result = -3,
+		.bsc_imsi_deny = "000[0-9]*",
+		.nat_imsi_deny = "[0-9]*",
+		.contype = NAT_CON_TYPE_LU,
+	},
+	{
+		/* deny by bsc rule */
+		.data = bss_lu,
+		.length = sizeof(bss_lu),
+		.result = -2,
+		.bsc_imsi_deny = "[0-9]*",
+		.contype = NAT_CON_TYPE_LU,
+	},
 
 };
 
-- 
cgit v1.2.3