nat: Change the order of the DENY/ALLOW rule for the BSC.
Currently it is not easily possible to disable everyone and then only allow certain SIMs. By changing the order we can do: access-list imsi-deny only-something ^[0-9]*$ access-list imsi-allow only-something ^123[0-9]*$ and still keep the use case of only forbidding certain SIMs on certain LACs. Adjust test case, test that the other cases are still functional.
parent
a25d579ab9
commit
1fd60631f7
|
@ -320,8 +320,8 @@ static int auth_imsi(struct bsc_connection *bsc, const char *mi_string)
|
|||
{
|
||||
/*
|
||||
* Now apply blacklist/whitelist of the BSC and the NAT.
|
||||
* 1.) Reject if the IMSI is not allowed at the BSC
|
||||
* 2.) Allow directly if the IMSI is allowed at the BSC
|
||||
* 1.) Allow directly if the IMSI is allowed at the BSC
|
||||
* 2.) Reject if the IMSI is not allowed at the BSC
|
||||
* 3.) Reject if the IMSI not allowed at the global level.
|
||||
* 4.) Allow directly if the IMSI is allowed at the global level
|
||||
*/
|
||||
|
@ -333,7 +333,11 @@ static int auth_imsi(struct bsc_connection *bsc, const char *mi_string)
|
|||
|
||||
|
||||
if (bsc_lst) {
|
||||
/* 1. BSC deny */
|
||||
/* 1. BSC allow */
|
||||
if (lst_check_allow(bsc_lst, mi_string) == 0)
|
||||
return 1;
|
||||
|
||||
/* 2. BSC deny */
|
||||
if (lst_check_deny(bsc_lst, mi_string) == 0) {
|
||||
LOGP(DNAT, LOGL_ERROR,
|
||||
"Filtering %s by imsi_deny on bsc nr: %d.\n", mi_string, bsc->cfg->nr);
|
||||
|
@ -341,9 +345,6 @@ static int auth_imsi(struct bsc_connection *bsc, const char *mi_string)
|
|||
return -2;
|
||||
}
|
||||
|
||||
/* 2. BSC allow */
|
||||
if (lst_check_allow(bsc_lst, mi_string) == 0)
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* 3. NAT deny */
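Review bot: With the allow check moved ahead of the deny check, a match on the BSC allow list now returns 1 before either the BSC deny list or the NAT-level deny (step 3) is consulted, so the allow pattern alone decides whether a SIM is admitted. The commit message anchors its examples with `^…$`, while the test patterns are unanchored `[0-9]*`; if lst_check_allow performs an unanchored regex search (not visible here), a loosely written allow pattern could match a substring of an IMSI and override every deny rule. I would state the precedence in the comment block, e.g. ` * 1.) Allow directly if the IMSI matches the BSC allow list (this overrides the BSC and NAT deny lists)` and ` * 2.) Reject if the IMSI matches the BSC deny list`, and note in the access-list documentation that allow patterns should be anchored. The body of auth_imsi starts and ends outside these hunks.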
|
||||
|
|
|
@ -657,12 +657,29 @@ static struct cr_filter cr_filter[] = {
|
|||
/* filter as deny is first */
|
||||
.data = bss_lu,
|
||||
.length = sizeof(bss_lu),
|
||||
.result = -2,
|
||||
.result = 1,
|
||||
.bsc_imsi_deny = "[0-9]*",
|
||||
.bsc_imsi_allow = "[0-9]*",
|
||||
.nat_imsi_deny = "[0-9]*",
|
||||
.contype = NAT_CON_TYPE_LU,
|
||||
},
|
||||
{
|
||||
/* deny by nat rule */
|
||||
.data = bss_lu,
|
||||
.length = sizeof(bss_lu),
|
||||
.result = -3,
|
||||
.bsc_imsi_deny = "000[0-9]*",
|
||||
.nat_imsi_deny = "[0-9]*",
|
||||
.contype = NAT_CON_TYPE_LU,
|
||||
},
|
||||
{
|
||||
/* deny by bsc rule */
|
||||
.data = bss_lu,
|
||||
.length = sizeof(bss_lu),
|
||||
.result = -2,
|
||||
.bsc_imsi_deny = "[0-9]*",
|
||||
.contype = NAT_CON_TYPE_LU,
|
||||
},
|
||||
|
||||
};
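Review bot: The comment `/* filter as deny is first */` on the first entry in this hunk is now stale, since that entry's expected result appears to change from -2 to 1 precisely because the allow list is checked first; something like `/* allowed: BSC allow is checked before BSC deny */` would match the new behaviour. The entries visible here cover an allow that matches and deny-only configurations, but none pairs a catch-all `.bsc_imsi_deny` with a `.bsc_imsi_allow` that does not match the test IMSI. That is the deny-everyone-except case the commit message describes, and the one where a regression would admit SIMs that should be filtered, so an entry of that shape expecting -2 would pin it. The cr_filter[] initializer begins outside the hunk.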
|
||||
|
||||
|
|