nat: Change the order of the DENY/ALLOW rule for the BSC.

Currently it is not is not easily possible to disable everyone and then only allow certain SIMs. By changing the order we can do: access-list imsi-deny only-something ^[0-9]*$ access-list imsi-allow only-something ^123[0-9]*$ and still keep the usecase of only forbidding certain SIMs on certain LACs. Adjust test case, test that the other cases are still functional.
2010-10-19 20:55:33 +02:00 · 2010-10-19 20:55:33 +02:00 · 1fd60631f7
parent a25d579ab9
commit 1fd60631f7
2 changed files with 25 additions and 7 deletions
--- a/openbsc/src/nat/bsc_nat_utils.c
+++ b/openbsc/src/nat/bsc_nat_utils.c
@ -320,8 +320,8 @@ static int auth_imsi(struct bsc_connection *bsc, const char *mi_string)
 {
 	/*
 	 * Now apply blacklist/whitelist of the BSC and the NAT.
-	 * 1.) Reject if the IMSI is not allowed at the BSC
-	 * 2.) Allow directly if the IMSI is allowed at the BSC
+	 * 1.) Allow directly if the IMSI is allowed at the BSC
+	 * 2.) Reject if the IMSI is not allowed at the BSC
 	 * 3.) Reject if the IMSI not allowed at the global level.
 	 * 4.) Allow directly if the IMSI is allowed at the global level
 	 */
@ -333,7 +333,11 @@ static int auth_imsi(struct bsc_connection *bsc, const char *mi_string)


 	if (bsc_lst) {
-		/* 1. BSC deny */
+		/* 1. BSC allow */
+		if (lst_check_allow(bsc_lst, mi_string) == 0)
+			return 1;
+
+		/* 2. BSC deny */
 		if (lst_check_deny(bsc_lst, mi_string) == 0) {
 			LOGP(DNAT, LOGL_ERROR,
 			     "Filtering %s by imsi_deny on bsc nr: %d.\n", mi_string, bsc->cfg->nr);
@ -341,9 +345,6 @@ static int auth_imsi(struct bsc_connection *bsc, const char *mi_string)
 			return -2;
 		}

-		/* 2. BSC allow */
-		if (lst_check_allow(bsc_lst, mi_string) == 0)
-			return 1;
 	}

 	/* 3. NAT deny */
--- a/openbsc/tests/bsc-nat/bsc_nat_test.c
+++ b/openbsc/tests/bsc-nat/bsc_nat_test.c
@ -657,12 +657,29 @@ static struct cr_filter cr_filter[] = {
 		/* filter as deny is first */
 		.data = bss_lu,
 		.length = sizeof(bss_lu),
-		.result = -2,
+		.result = 1,
 		.bsc_imsi_deny = "[0-9]*",
 		.bsc_imsi_allow = "[0-9]*",
 		.nat_imsi_deny = "[0-9]*",
 		.contype = NAT_CON_TYPE_LU,
 	},
+	{
+		/* deny by nat rule */
+		.data = bss_lu,
+		.length = sizeof(bss_lu),
+		.result = -3,
+		.bsc_imsi_deny = "000[0-9]*",
+		.nat_imsi_deny = "[0-9]*",
+		.contype = NAT_CON_TYPE_LU,
+	},
+	{
+		/* deny by bsc rule */
+		.data = bss_lu,
+		.length = sizeof(bss_lu),
+		.result = -2,
+		.bsc_imsi_deny = "[0-9]*",
+		.contype = NAT_CON_TYPE_LU,
+	},

 };