nat: Change the order of the DENY/ALLOW rule for the BSC.

Currently it is not is not easily possible to disable
everyone and then only allow certain SIMs. By changing
the order we can do:
	access-list imsi-deny  only-something ^[0-9]*$
	access-list imsi-allow only-something ^123[0-9]*$

and still keep the usecase of only forbidding certain
SIMs on certain LACs. Adjust test case, test that the
other cases are still functional.

1 files changed, 7 insertions, 6 deletions

diff --git a/openbsc/src/nat/bsc_nat_utils.c b/openbsc/src/nat/bsc_nat_utils.c
index b295f3512..c1e3c9828 100644
--- a/openbsc/src/nat/bsc_nat_utils.c
+++ b/openbsc/src/nat/bsc_nat_utils.c
@@ -320,8 +320,8 @@ static int auth_imsi(struct bsc_connection *bsc, const char *mi_string)
 {
 	/*
 	 * Now apply blacklist/whitelist of the BSC and the NAT.
-	 * 1.) Reject if the IMSI is not allowed at the BSC
-	 * 2.) Allow directly if the IMSI is allowed at the BSC
+	 * 1.) Allow directly if the IMSI is allowed at the BSC
+	 * 2.) Reject if the IMSI is not allowed at the BSC
 	 * 3.) Reject if the IMSI not allowed at the global level.
 	 * 4.) Allow directly if the IMSI is allowed at the global level
 	 */
@@ -333,7 +333,11 @@ static int auth_imsi(struct bsc_connection *bsc, const char *mi_string)
 
 
 	if (bsc_lst) {
-		/* 1. BSC deny */
+		/* 1. BSC allow */
+		if (lst_check_allow(bsc_lst, mi_string) == 0)
+			return 1;
+
+		/* 2. BSC deny */
 		if (lst_check_deny(bsc_lst, mi_string) == 0) {
 			LOGP(DNAT, LOGL_ERROR,
 			     "Filtering %s by imsi_deny on bsc nr: %d.\n", mi_string, bsc->cfg->nr);
@@ -341,9 +345,6 @@ static int auth_imsi(struct bsc_connection *bsc, const char *mi_string)
 			return -2;
 		}
 
-		/* 2. BSC allow */
-		if (lst_check_allow(bsc_lst, mi_string) == 0)
-			return 1;
 	}
 
 	/* 3. NAT deny */