authorNeels Hofmeyr <neels@hofmeyr.de>2020-05-15 01:41:35 +0200
committerNeels Hofmeyr <neels@hofmeyr.de>2020-05-27 01:56:06 +0200
commit5cda1d01b442ba03b86ea9001f62a6d830adfb35 (patch)
tree8dfa63d205cfde539a82a3ff2092090566d99566
parent2d0ac1c90aa02865577b752cefec29041e5dfa6e (diff)
drop IMSI filter and libfilter completely
Filtering by IMSI in osmo-bsc is a legacy use case with questionable usefulness. Remove. Do not keep deprecated VTY commands: those could be dangerous, since (presumably non-existing) users might assume that the filtering would still be in place. Rather fail to start osmo-bsc for config with an IMSI ACL. The IMSI filtering did, if present, provide the logging with an IMSI to print for the bsc_subscriber. TMSIs should have ended up in logging likewise, which has never been implemented. The proper way to learn the IMSI would be by the Common Id message from the MSC. Furthermore, the upcoming MSC pooling feature will extract the mobile identity again, and will hence make sure that both IMSI and TMSI identities, as available, end up in the bsc_subscriber and will be logged again. So long, IMSI ACL, and thanks for all the fish. Change-Id: I89727af5387e8360362e995fdee959883c37d89a
-rw-r--r--configure.ac1
-rw-r--r--include/osmocom/bsc/Makefile.am1
-rw-r--r--include/osmocom/bsc/bsc_msc_data.h4
-rw-r--r--include/osmocom/bsc/bsc_msg_filter.h103
-rw-r--r--include/osmocom/bsc/gsm_04_08_rr.h2
-rw-r--r--include/osmocom/bsc/gsm_data.h4
-rw-r--r--include/osmocom/bsc/osmo_bsc.h3
-rw-r--r--src/Makefile.am1
-rw-r--r--src/libfilter/Makefile.am27
-rw-r--r--src/libfilter/bsc_msg_acc.c136
-rw-r--r--src/libfilter/bsc_msg_filter.c339
-rw-r--r--src/libfilter/bsc_msg_vty.c149
-rw-r--r--src/osmo-bsc/Makefile.am1
-rw-r--r--src/osmo-bsc/gsm_08_08.c107
-rw-r--r--src/osmo-bsc/osmo_bsc_main.c7
-rw-r--r--src/osmo-bsc/osmo_bsc_vty.c66
-rw-r--r--tests/handover/Makefile.am2
17 files changed, 2 insertions, 951 deletions
diff --git a/configure.ac b/configure.ac
index d96dfb261..6555f875d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -236,7 +236,6 @@ AC_OUTPUT(
include/osmocom/Makefile
include/osmocom/bsc/Makefile
src/Makefile
- src/libfilter/Makefile
src/osmo-bsc/Makefile
src/ipaccess/Makefile
src/utils/Makefile
diff --git a/include/osmocom/bsc/Makefile.am b/include/osmocom/bsc/Makefile.am
index 396604eb1..509df9a64 100644
--- a/include/osmocom/bsc/Makefile.am
+++ b/include/osmocom/bsc/Makefile.am
@@ -6,7 +6,6 @@ noinst_HEADERS = \
acc_ramp.h \
arfcn_range_encode.h \
assignment_fsm.h \
- bsc_msg_filter.h \
bsc_rll.h \
bsc_subscriber.h \
bsc_subscr_conn_fsm.h \
diff --git a/include/osmocom/bsc/bsc_msc_data.h b/include/osmocom/bsc/bsc_msc_data.h
index a97616f8a..c77c562c4 100644
--- a/include/osmocom/bsc/bsc_msc_data.h
+++ b/include/osmocom/bsc/bsc_msc_data.h
@@ -150,8 +150,6 @@ struct bsc_msc_data {
/* ussd text when MSC has entered the grace period */
char *ussd_grace_txt;
- char *acc_lst_name;
-
/* structures for keeping rate counters and gauge stats */
struct rate_ctr_group *msc_ctrs;
struct osmo_stat_item_group *msc_statg;
@@ -224,8 +222,6 @@ struct osmo_bsc_data {
/* ussd text when there is no MSC available */
char *ussd_no_msc_txt;
- char *acc_lst_name;
-
struct bsc_cbc_link *cbc;
};
diff --git a/include/osmocom/bsc/bsc_msg_filter.h b/include/osmocom/bsc/bsc_msg_filter.h
deleted file mode 100644
index fe8748526..000000000
--- a/include/osmocom/bsc/bsc_msg_filter.h
+++ /dev/null
@@ -1,103 +0,0 @@
-#pragma once
-
-#include <osmocom/core/msgb.h>
-#include <osmocom/core/msgfile.h>
-#include <osmocom/core/linuxrbtree.h>
-#include <osmocom/core/linuxlist.h>
-
-#include <regex.h>
-
-struct vty;
-struct gsm48_hdr;
-
-struct bsc_filter_reject_cause {
- int lu_reject_cause;
- int cm_reject_cause;
-};
-
-struct bsc_filter_barr_entry {
- struct rb_node node;
-
- char *imsi;
- int cm_reject_cause;
- int lu_reject_cause;
-};
-
-enum bsc_filter_acc_ctr {
- ACC_LIST_LOCAL_FILTER,
- ACC_LIST_GLOBAL_FILTER,
-};
-
-struct bsc_msg_acc_lst {
- struct llist_head list;
-
- /* counter */
- struct rate_ctr_group *stats;
-
- /* the name of the list */
- const char *name;
- struct llist_head fltr_list;
-};
-
-struct bsc_msg_acc_lst_entry {
- struct llist_head list;
-
- /* the filter */
- char *imsi_allow;
- regex_t imsi_allow_re;
- char *imsi_deny;
- regex_t imsi_deny_re;
-
- /* reject reasons for the access lists */
- int cm_reject_cause;
- int lu_reject_cause;
-};
-
-enum {
- FLT_CON_TYPE_NONE,
- FLT_CON_TYPE_LU,
- FLT_CON_TYPE_CM_SERV_REQ,
- FLT_CON_TYPE_PAG_RESP,
- FLT_CON_TYPE_SSA,
- FLT_CON_TYPE_LOCAL_REJECT,
- FLT_CON_TYPE_OTHER,
-};
-
-
-struct bsc_filter_state {
- char *imsi;
- int imsi_checked;
- int con_type;
-};
-
-struct bsc_filter_request {
- void *ctx;
- struct rb_root *black_list;
- struct llist_head *access_lists;
- const char *local_lst_name;
- const char *global_lst_name;
- int bsc_nr;
-};
-
-/**
- * Content filtering.
- */
-int bsc_msg_filter_initial(struct gsm48_hdr *hdr, size_t size,
- struct bsc_filter_request *req,
- int *con_type, char **imsi,
- struct bsc_filter_reject_cause *cause);
-int bsc_msg_filter_data(struct gsm48_hdr *hdr, size_t size,
- struct bsc_filter_request *req,
- struct bsc_filter_state *state,
- struct bsc_filter_reject_cause *cause);
-
-/* IMSI allow/deny handling */
-struct bsc_msg_acc_lst *bsc_msg_acc_lst_find(struct llist_head *lst, const char *name);
-struct bsc_msg_acc_lst *bsc_msg_acc_lst_get(void *ctx, struct llist_head *lst, const char *name);
-void bsc_msg_acc_lst_delete(struct bsc_msg_acc_lst *lst);
-
-struct bsc_msg_acc_lst_entry *bsc_msg_acc_lst_entry_create(struct bsc_msg_acc_lst *);
-int bsc_msg_acc_lst_check_allow(struct bsc_msg_acc_lst *lst, const char *imsi);
-
-void bsc_msg_acc_lst_vty_init(void *ctx, struct llist_head *lst, int node);
-void bsc_msg_acc_lst_write(struct vty *vty);
diff --git a/include/osmocom/bsc/gsm_04_08_rr.h b/include/osmocom/bsc/gsm_04_08_rr.h
index f0c0f4223..06cefa9de 100644
--- a/include/osmocom/bsc/gsm_04_08_rr.h
+++ b/include/osmocom/bsc/gsm_04_08_rr.h
@@ -1,6 +1,7 @@
#pragma once
#include <stdint.h>
+#include <osmocom/core/msgb.h>
struct amr_mode;
struct amr_multirate_conf;
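Review bot: The added `#include <osmocom/core/msgb.h>` looks like a stand-in for the include that used to arrive transitively through bsc_msg_filter.h, which this commit drops from gsm_data.h. It does not look like something this header needs itself, since the next hunk shows the header only forward-declared `struct msgb;` until now. osmo_bsc.h in the same commit goes the other way and adds `struct msgb;`, so the two headers now treat the same type inconsistently. If the prototypes here only take `struct msgb *` (the rest of the header is outside the hunk), I would keep `struct msgb;` and add the include to the .c files that call msgb accessors. Otherwise a one-line comment such as `/* full msgb definition needed by includers */` next to the include would record why it is here.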
@@ -11,7 +12,6 @@ struct gsm_lchan;
struct gsm_meas_rep;
struct gsm_network;
struct gsm_subscriber_connection;
-struct msgb;
void gsm_net_update_ctype(struct gsm_network *network);
enum gsm_chan_t get_ctype_by_chreq(struct gsm_network *network, uint8_t ra);
diff --git a/include/osmocom/bsc/gsm_data.h b/include/osmocom/bsc/gsm_data.h
index a2e103d2e..e6a7708b0 100644
--- a/include/osmocom/bsc/gsm_data.h
+++ b/include/osmocom/bsc/gsm_data.h
@@ -31,7 +31,6 @@
#include <osmocom/gsm/protocol/gsm_12_21.h>
#include <osmocom/abis/e1_input.h>
#include <osmocom/bsc/meas_rep.h>
-#include <osmocom/bsc/bsc_msg_filter.h>
#include <osmocom/bsc/acc_ramp.h>
#include <osmocom/bsc/neighbor_ident.h>
#include <osmocom/bsc/osmux.h>
@@ -265,9 +264,6 @@ struct gsm_subscriber_connection {
/* state related to welcome USSD */
uint8_t new_subscriber;
- /* state related to osmo_bsc_filter.c */
- struct bsc_filter_state filter_state;
-
/* SCCP connection associatd with this subscriber_connection */
struct {
/* for advanced ping/pong */
diff --git a/include/osmocom/bsc/osmo_bsc.h b/include/osmocom/bsc/osmo_bsc.h
index 163e49456..8999a2e80 100644
--- a/include/osmocom/bsc/osmo_bsc.h
+++ b/include/osmocom/bsc/osmo_bsc.h
@@ -2,8 +2,6 @@
#include <osmocom/gsm/protocol/gsm_04_08.h>
-#include <osmocom/bsc/bsc_msg_filter.h>
-
#define BSS_SEND_USSD 1
enum bsc_con {
@@ -13,6 +11,7 @@ enum bsc_con {
BSC_CON_NO_MEM,
};
+struct msgb;
struct bsc_msc_data;
struct gsm0808_channel_type;
struct gsm0808_speech_codec_list;
diff --git a/src/Makefile.am b/src/Makefile.am
index 62ae4dde8..43b00b284 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -20,7 +20,6 @@ AM_LDFLAGS = \
$(NULL)
SUBDIRS = \
- libfilter \
osmo-bsc \
utils \
$(NULL)
diff --git a/src/libfilter/Makefile.am b/src/libfilter/Makefile.am
deleted file mode 100644
index 8b0597bc6..000000000
--- a/src/libfilter/Makefile.am
+++ /dev/null
@@ -1,27 +0,0 @@
-AM_CPPFLAGS = \
- $(all_includes) \
- -I$(top_srcdir)/include \
- -I$(top_builddir) \
- $(NULL)
-
-AM_CFLAGS = \
- -Wall \
- $(LIBOSMOCORE_CFLAGS) \
- $(LIBOSMOGSM_CFLAGS) \
- $(LIBOSMOVTY_CFLAGS) \
- $(LIBOSMOABIS_CFLAGS) \
- $(LIBOSMOSIGTRAN_CFLAGS) \
- $(LIBOSMOLEGACYMGCP_CFLAGS) \
- $(COVERAGE_CFLAGS) \
- $(NULL)
-
-noinst_LIBRARIES = \
- libfilter.a \
- $(NULL)
-
-libfilter_a_SOURCES = \
- bsc_msg_filter.c \
- bsc_msg_acc.c \
- bsc_msg_vty.c \
- $(NULL)
-
diff --git a/src/libfilter/bsc_msg_acc.c b/src/libfilter/bsc_msg_acc.c
deleted file mode 100644
index 8853dbb5c..000000000
--- a/src/libfilter/bsc_msg_acc.c
+++ /dev/null
@@ -1,136 +0,0 @@
-/*
- * (C) 2010-2015 by Holger Hans Peter Freyther <zecke@selfish.org>
- * (C) 2010-2011 by On-Waves
- * All Rights Reserved
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-#include <osmocom/bsc/bsc_msg_filter.h>
-#include <osmocom/bsc/debug.h>
-
-#include <osmocom/gsm/protocol/gsm_04_08.h>
-
-#include <osmocom/core/rate_ctr.h>
-#include <osmocom/core/stats.h>
-
-#include <string.h>
-
-static const struct rate_ctr_desc acc_list_ctr_description[] = {
- [ACC_LIST_LOCAL_FILTER] = { "access-list:local-filter", "Rejected by rule for local"},
- [ACC_LIST_GLOBAL_FILTER]= { "access-list:global-filter", "Rejected by rule for global"},
-};
-
-static const struct rate_ctr_group_desc bsc_cfg_acc_list_desc = {
- .group_name_prefix = "nat:filter",
- .group_description = "NAT Access-List Statistics",
- .num_ctr = ARRAY_SIZE(acc_list_ctr_description),
- .ctr_desc = acc_list_ctr_description,
- .class_id = OSMO_STATS_CLASS_GLOBAL,
-};
-
-/*! Find an unused index for this rate counter group.
- * \param[in] head List of allocated ctr groups of the same type
- * \returns the largest used index number + 1, or 0 if none exist yet. */
-static unsigned int rate_ctr_get_unused_idx(struct llist_head *head)
-{
- unsigned int idx = 0;
- struct bsc_msg_acc_lst *lst;
-
- llist_for_each_entry(lst, head, list) {
- if (idx <= lst->stats->idx)
- idx = lst->stats->idx + 1;
- }
- return idx;
-}
-
-
-int bsc_msg_acc_lst_check_allow(struct bsc_msg_acc_lst *lst, const char *mi_string)
-{
- struct bsc_msg_acc_lst_entry *entry;
-
- llist_for_each_entry(entry, &lst->fltr_list, list) {
- if (!entry->imsi_allow)
- continue;
- if (regexec(&entry->imsi_allow_re, mi_string, 0, NULL, 0) == 0)
- return 0;
- }
-
- return 1;
-}
-
-struct bsc_msg_acc_lst *bsc_msg_acc_lst_find(struct llist_head *head, const char *name)
-{
- struct bsc_msg_acc_lst *lst;
-
- if (!name)
- return NULL;
-
- llist_for_each_entry(lst, head, list)
- if (strcmp(lst->name, name) == 0)
- return lst;
-
- return NULL;
-}
-
-struct bsc_msg_acc_lst *bsc_msg_acc_lst_get(void *ctx, struct llist_head *head, const char *name)
-{
- struct bsc_msg_acc_lst *lst;
- unsigned int new_idx;
-
- lst = bsc_msg_acc_lst_find(head, name);
- if (lst)
- return lst;
-
- lst = talloc_zero(ctx, struct bsc_msg_acc_lst);
- if (!lst) {
- LOGP(DFILTER, LOGL_ERROR, "Failed to allocate access list\n");
- return NULL;
- }
-
- new_idx = rate_ctr_get_unused_idx(head);
- lst->stats = rate_ctr_group_alloc(lst, &bsc_cfg_acc_list_desc, new_idx);
- if (!lst->stats) {
- talloc_free(lst);
- return NULL;
- }
-
- INIT_LLIST_HEAD(&lst->fltr_list);
- lst->name = talloc_strdup(lst, name);
- llist_add_tail(&lst->list, head);
- return lst;
-}
-
-void bsc_msg_acc_lst_delete(struct bsc_msg_acc_lst *lst)
-{
- llist_del(&lst->list);
- rate_ctr_group_free(lst->stats);
- talloc_free(lst);
-}
-
-struct bsc_msg_acc_lst_entry *bsc_msg_acc_lst_entry_create(struct bsc_msg_acc_lst *lst)
-{
- struct bsc_msg_acc_lst_entry *entry;
-
- entry = talloc_zero(lst, struct bsc_msg_acc_lst_entry);
- if (!entry)
- return NULL;
-
- entry->cm_reject_cause = GSM48_REJECT_PLMN_NOT_ALLOWED;
- entry->lu_reject_cause = GSM48_REJECT_PLMN_NOT_ALLOWED;
- llist_add_tail(&entry->list, &lst->fltr_list);
- return entry;
-}
-
diff --git a/src/libfilter/bsc_msg_filter.c b/src/libfilter/bsc_msg_filter.c
deleted file mode 100644
index 1318689fa..000000000
--- a/src/libfilter/bsc_msg_filter.c
+++ /dev/null
@@ -1,339 +0,0 @@
-/*
- * Access filtering
- */
-/*
- * (C) 2010-2015 by Holger Hans Peter Freyther <zecke@selfish.org>
- * (C) 2010-2012 by On-Waves
- * All Rights Reserved
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-#include <osmocom/bsc/bsc_msg_filter.h>
-
-#include <osmocom/bsc/gsm_data.h>
-#include <osmocom/bsc/debug.h>
-#include <osmocom/bsc/ipaccess.h>
-#include <osmocom/bsc/gsm_04_08_rr.h>
-
-#include <osmocom/core/talloc.h>
-#include <osmocom/gsm/gsm0808.h>
-
-#include <osmocom/gsm/protocol/gsm_08_08.h>
-#include <osmocom/gsm/protocol/gsm_04_11.h>
-#include <osmocom/gsm/gsm48.h>
-
-static int bsc_filter_barr_find(struct rb_root *root, const char *imsi, int *cm, int *lu)
-{
- struct bsc_filter_barr_entry *n;
- n = rb_entry(root->rb_node, struct bsc_filter_barr_entry, node);
-
- while (n) {
- int rc = strcmp(imsi, n->imsi);
- if (rc == 0) {
- *cm = n->cm_reject_cause;
- *lu = n->lu_reject_cause;
- return 1;
- }
-
- n = rb_entry(
- (rc < 0) ? n->node.rb_left : n->node.rb_right,
- struct bsc_filter_barr_entry, node);
- };
-
- return 0;
-}
-
-
-static int lst_check_deny(struct bsc_msg_acc_lst *lst, const char *mi_string,
- int *cm_cause, int *lu_cause)
-{
- struct bsc_msg_acc_lst_entry *entry;
-
- llist_for_each_entry(entry, &lst->fltr_list, list) {
- if (!entry->imsi_deny)
- continue;
- if (regexec(&entry->imsi_deny_re, mi_string, 0, NULL, 0) == 0) {
- *cm_cause = entry->cm_reject_cause;
- *lu_cause = entry->lu_reject_cause;
- return 0;
- }
- }
-
- return 1;
-}
-
-/* apply white/black list */
-static int auth_imsi(struct bsc_filter_request *req,
- const char *imsi,
- struct bsc_filter_reject_cause *cause)
-{
- /*
- * Now apply blacklist/whitelist of the BSC and the NAT.
- * 1.) Check the global IMSI barr list
- * 2.) Allow directly if the IMSI is allowed at the BSC
- * 3.) Reject if the IMSI is not allowed at the BSC
- * 4.) Allow directly if the IMSI is allowed at the global level
- * 5.) Reject if the IMSI not allowed at the global level.
- */
- int cm, lu;
- struct bsc_msg_acc_lst *nat_lst = NULL;
- struct bsc_msg_acc_lst *bsc_lst = NULL;
-
- /* 1. global check for barred imsis */
- if (req->black_list && bsc_filter_barr_find(req->black_list, imsi, &cm, &lu)) {
- cause->cm_reject_cause = cm;
- cause->lu_reject_cause = lu;
- LOGP(DFILTER, LOGL_DEBUG,
- "Blocking subscriber IMSI %s with CM: %d LU: %d\n",
- imsi, cm, lu);
- return -4;
- }
-
-
- bsc_lst = bsc_msg_acc_lst_find(req->access_lists, req->local_lst_name);
- nat_lst = bsc_msg_acc_lst_find(req->access_lists, req->global_lst_name);
-
-
- if (bsc_lst) {
- /* 2. BSC allow */
- if (bsc_msg_acc_lst_check_allow(bsc_lst, imsi) == 0)
- return 1;
-
- /* 3. BSC deny */
- if (lst_check_deny(bsc_lst, imsi, &cm, &lu) == 0) {
- LOGP(DFILTER, LOGL_ERROR,
- "Filtering %s by imsi_deny on config nr: %d.\n", imsi, req->bsc_nr);
- rate_ctr_inc(&bsc_lst->stats->ctr[ACC_LIST_LOCAL_FILTER]);
- cause->cm_reject_cause = cm;
- cause->lu_reject_cause = lu;
- return -2;
- }
-
- }
-
- if (nat_lst) {
- /* 4. global allow */
- if (bsc_msg_acc_lst_check_allow(nat_lst, imsi) == 0)
- return 1;
-
- /* 5. global deny */
- if (lst_check_deny(nat_lst, imsi, &cm, &lu) == 0) {
- LOGP(DFILTER, LOGL_ERROR,
- "Filtering %s global imsi_deny on bsc nr: %d.\n", imsi, req->bsc_nr);
- rate_ctr_inc(&nat_lst->stats->ctr[ACC_LIST_GLOBAL_FILTER]);
- cause->cm_reject_cause = cm;
- cause->lu_reject_cause = lu;
- return -3;
- }
- }
-
- return 1;
-}
-
-static int _cr_check_loc_upd(void *ctx,
- uint8_t *data, unsigned int length,
- char **imsi)
-{
- uint8_t mi_type;
- struct gsm48_loc_upd_req *lu;
- char mi_string[GSM48_MI_SIZE];
-
- if (length < sizeof(*lu)) {
- LOGP(DFILTER, LOGL_ERROR,
- "LU does not fit. Length is %d \n", length);
- return -1;
- }
-
- lu = (struct gsm48_loc_upd_req *) data;
- mi_type = lu->mi[0] & GSM_MI_TYPE_MASK;
-
- /*
- * We can only deal with the IMSI. This will fail for a phone that
- * will send the TMSI of a previous network to us.
- */
- if (mi_type != GSM_MI_TYPE_IMSI)
- return 0;
-
- gsm48_mi_to_string(mi_string, sizeof(mi_string), lu->mi, lu->mi_len);
- *imsi = talloc_strdup(ctx, mi_string);
- return 1;
-}
-
-static int _cr_check_cm_serv_req(void *ctx,
- uint8_t *data, unsigned int length,
- int *con_type, char **imsi)
-{
- static const uint32_t classmark_offset =
- offsetof(struct gsm48_service_request, classmark);
-
- char mi_string[GSM48_MI_SIZE];
- uint8_t mi_type;
- int rc;
- struct gsm48_service_request *req;
-
- /* unfortunately in Phase1 the classmark2 length is variable */
-
- if (length < sizeof(*req)) {
- LOGP(DFILTER, LOGL_ERROR,
- "CM Serv Req does not fit. Length is %d\n", length);
- return -1;
- }
-
- req = (struct gsm48_service_request *) data;
- if (req->cm_service_type == 0x8)
- *con_type = FLT_CON_TYPE_SSA;
- rc = gsm48_extract_mi((uint8_t *) &req->classmark,
- length - classmark_offset, mi_string, &mi_type);
- if (rc < 0) {
- LOGP(DFILTER, LOGL_ERROR, "Failed to parse the classmark2/mi. error: %d\n", rc);
- return -1;
- }
-
- /* we have to let the TMSI or such pass */
- if (mi_type != GSM_MI_TYPE_IMSI)
- return 0;
-
- *imsi = talloc_strdup(ctx, mi_string);
- return 1;
-}
-
-static int _cr_check_pag_resp(void *ctx,
- uint8_t *data, unsigned int length, char **imsi)
-{
- struct gsm48_pag_resp *resp;
- char mi_string[GSM48_MI_SIZE];
- uint8_t mi_type;
-
- if (length < sizeof(*resp)) {
- LOGP(DFILTER, LOGL_ERROR, "PAG RESP does not fit. Length was %d.\n", length);
- return -1;
- }
-
- resp = (struct gsm48_pag_resp *) data;
- if (gsm48_paging_extract_mi(resp, length, mi_string, &mi_type) < 0) {
- LOGP(DFILTER, LOGL_ERROR, "Failed to extract the MI.\n");
- return -1;
- }
-
- /* we need to let it pass for now */
- if (mi_type != GSM_MI_TYPE_IMSI)
- return 0;
-
- *imsi = talloc_strdup(ctx, mi_string);
- return 1;
-}
-
-static int _dt_check_id_resp(struct bsc_filter_request *req,
- uint8_t *data, unsigned int length,
- struct bsc_filter_state *state,
- struct bsc_filter_reject_cause *cause)
-{
- char mi_string[GSM48_MI_SIZE];
- uint8_t mi_type;
-
- if (length < 2) {
- LOGP(DFILTER, LOGL_ERROR, "mi does not fit.\n");
- return -1;
- }
-
- if (data[0] < length - 1) {
- LOGP(DFILTER, LOGL_ERROR, "mi length too big.\n");
- return -2;
- }
-
- mi_type = data[1] & GSM_MI_TYPE_MASK;
- gsm48_mi_to_string(mi_string, sizeof(mi_string), &data[1], data[0]);
-
- if (mi_type != GSM_MI_TYPE_IMSI)
- return 0;
-
- state->imsi_checked = 1;
- state->imsi = talloc_strdup(req->ctx, mi_string);
- return auth_imsi(req, mi_string, cause);
-}
-
-
-/* Filter out CR data... */
-int bsc_msg_filter_initial(struct gsm48_hdr *hdr48, size_t hdr48_len,
- struct bsc_filter_request *req,
- int *con_type,
- char **imsi, struct bsc_filter_reject_cause *cause)
-{
- int ret = 0;
- uint8_t msg_type, proto;
-
- *con_type = FLT_CON_TYPE_NONE;
- cause->cm_reject_cause = GSM48_REJECT_PLMN_NOT_ALLOWED;
- cause->lu_reject_cause = GSM48_REJECT_PLMN_NOT_ALLOWED;
- *imsi = NULL;
-
- proto = gsm48_hdr_pdisc(hdr48);
- msg_type = gsm48_hdr_msg_type(hdr48);
- if (proto == GSM48_PDISC_MM &&
- msg_type == GSM48_MT_MM_LOC_UPD_REQUEST) {
- *con_type = FLT_CON_TYPE_LU;
- ret = _cr_check_loc_upd(req->ctx, &hdr48->data[0],
- hdr48_len - sizeof(*hdr48), imsi);
- } else if (proto == GSM48_PDISC_MM &&
- msg_type == GSM48_MT_MM_CM_SERV_REQ) {
- *con_type = FLT_CON_TYPE_CM_SERV_REQ;
- ret = _cr_check_cm_serv_req(req->ctx, &hdr48->data[0],
- hdr48_len - sizeof(*hdr48),
- con_type, imsi);
- } else if (proto == GSM48_PDISC_RR &&
- msg_type == GSM48_MT_RR_PAG_RESP) {
- *con_type = FLT_CON_TYPE_PAG_RESP;
- ret = _cr_check_pag_resp(req->ctx, &hdr48->data[0],
- hdr48_len - sizeof(*hdr48), imsi);
- } else {
- /* We only want to filter the above, let other things pass */
- *con_type = FLT_CON_TYPE_OTHER;
- return 0;
- }
-
- /* check if we are done */
- if (ret != 1)
- return ret;
-
- /* the memory allocation failed */
- if (!*imsi)
- return -1;
-
- /* now check the imsi */
- return auth_imsi(req, *imsi, cause);
-}
-
-int bsc_msg_filter_data(struct gsm48_hdr *hdr48, size_t len,
- struct bsc_filter_request *req,
- struct bsc_filter_state *state,
- struct bsc_filter_reject_cause *cause)
-{
- uint8_t msg_type, proto;
-
- cause->cm_reject_cause = GSM48_REJECT_PLMN_NOT_ALLOWED;
- cause->lu_reject_cause = GSM48_REJECT_PLMN_NOT_ALLOWED;
-
- if (state->imsi_checked)
- return 0;
-
- proto = gsm48_hdr_pdisc(hdr48);
- msg_type = gsm48_hdr_msg_type(hdr48);
- if (proto != GSM48_PDISC_MM || msg_type != GSM48_MT_MM_ID_RESP)
- return 0;
-
- return _dt_check_id_resp(req, &hdr48->data[0],
- len - sizeof(*hdr48), state, cause);
-}
diff --git a/src/libfilter/bsc_msg_vty.c b/src/libfilter/bsc_msg_vty.c
deleted file mode 100644
index b26f4f1a6..000000000
--- a/src/libfilter/bsc_msg_vty.c
+++ /dev/null
@@ -1,149 +0,0 @@
-/* (C) 2010-2015 by Holger Hans Peter Freyther
- * (C) 2010-2013 by On-Waves
- * All Rights Reserved
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-#include <osmocom/bsc/bsc_msg_filter.h>
-#include <osmocom/bsc/gsm_data.h>
-#include <osmocom/bsc/vty.h>
-
-#include <osmocom/vty/misc.h>
-
-static struct llist_head *_acc_lst;
-static void *_ctx;
-
-static void bsc_msg_acc_lst_write_one(struct vty *vty, struct bsc_msg_acc_lst *lst)
-{
- struct bsc_msg_acc_lst_entry *entry;
-
- llist_for_each_entry(entry, &lst->fltr_list, list) {
- if (entry->imsi_allow)
- vty_out(vty, " access-list %s imsi-allow %s%s",
- lst->name, entry->imsi_allow, VTY_NEWLINE);
- if (entry->imsi_deny)
- vty_out(vty, " access-list %s imsi-deny %s %d %d%s",
- lst->name, entry->imsi_deny,
- entry->cm_reject_cause, entry->lu_reject_cause,
- VTY_NEWLINE);
- }
-}
-
-DEFUN(cfg_lst_no,
- cfg_lst_no_cmd,
- "no access-list NAME",
- NO_STR "Remove an access-list by name\n"
- "The access-list to remove\n")
-{
- struct bsc_msg_acc_lst *acc;
- acc = bsc_msg_acc_lst_find(_acc_lst, argv[0]);
- if (!acc)
- return CMD_WARNING;
-
- bsc_msg_acc_lst_delete(acc);
- return CMD_SUCCESS;
-}
-
-DEFUN(show_acc_lst,
- show_acc_lst_cmd,
- "show access-list NAME",
- SHOW_STR "IMSI access list\n" "Name of the access list\n")
-{
- struct bsc_msg_acc_lst *acc;
- acc = bsc_msg_acc_lst_find(_acc_lst, argv[0]);
- if (!acc)
- return CMD_WARNING;
-
- vty_out(vty, "access-list %s%s", acc->name, VTY_NEWLINE);
- bsc_msg_acc_lst_write_one(vty, acc);
- vty_out_rate_ctr_group(vty, " ", acc->stats);
-
- return CMD_SUCCESS;
-}
-
-DEFUN(cfg_lst_imsi_allow,
- cfg_lst_imsi_allow_cmd,
- "access-list NAME imsi-allow [REGEXP]",
- "Access list commands\n"
- "Name of the access list\n"
- "Add allowed IMSI to the list\n"
- "Regexp for IMSIs\n")
-{
- struct bsc_msg_acc_lst *acc;
- struct bsc_msg_acc_lst_entry *entry;
-
- acc = bsc_msg_acc_lst_get(_ctx, _acc_lst, argv[0]);
- if (!acc)
- return CMD_WARNING;
-
- entry = bsc_msg_acc_lst_entry_create(acc);
- if (!entry)
- return CMD_WARNING;
-
- if (gsm_parse_reg(acc, &entry->imsi_allow_re, &entry->imsi_allow, argc - 1, &argv[1]) != 0)
- return CMD_WARNING;
- return CMD_SUCCESS;
-}
-
-DEFUN(cfg_lst_imsi_deny,
- cfg_lst_imsi_deny_cmd,
- "access-list NAME imsi-deny [REGEXP] (<0-256>) (<0-256>)",
- "Access list commands\n"
- "Name of the access list\n"
- "Add denied IMSI to the list\n"
- "Regexp for IMSIs\n"
- "CM Service Reject reason\n"
- "LU Reject reason\n")
-{
- struct bsc_msg_acc_lst *acc;
- struct bsc_msg_acc_lst_entry *entry;
-
- acc = bsc_msg_acc_lst_get(_ctx, _acc_lst, argv[0]);
- if (!acc)
- return CMD_WARNING;
-
- entry = bsc_msg_acc_lst_entry_create(acc);
- if (!entry)
- return CMD_WARNING;
-
- if (gsm_parse_reg(acc, &entry->imsi_deny_re, &entry->imsi_deny, argc - 1, &argv[1]) != 0)
- return CMD_WARNING;
- if (argc >= 3)
- entry->cm_reject_cause = atoi(argv[2]);
- if (argc >= 4)
- entry->lu_reject_cause = atoi(argv[3]);
- return CMD_SUCCESS;
-}
-
-void bsc_msg_acc_lst_write(struct vty *vty)
-{
- struct bsc_msg_acc_lst *lst;
- llist_for_each_entry(lst, _acc_lst, list) {
- bsc_msg_acc_lst_write_one(vty, lst);
- }
-}
-
-void bsc_msg_acc_lst_vty_init(void *ctx, struct llist_head *lst, int node)
-{
- _ctx = ctx;
- _acc_lst = lst;
- install_element_ve(&show_acc_lst_cmd);
-
- /* access-list */
- install_element(node, &cfg_lst_imsi_allow_cmd);
- install_element(node, &cfg_lst_imsi_deny_cmd);
- install_element(node, &cfg_lst_no_cmd);
-}
diff --git a/src/osmo-bsc/Makefile.am b/src/osmo-bsc/Makefile.am
index 51d887579..6009e1d44 100644
--- a/src/osmo-bsc/Makefile.am
+++ b/src/osmo-bsc/Makefile.am
@@ -94,7 +94,6 @@ osmo_bsc_SOURCES = \
$(NULL)
osmo_bsc_LDADD = \
- $(top_builddir)/src/libfilter/libfilter.a \
$(LIBOSMOCORE_LIBS) \
$(LIBOSMOGSM_LIBS) \
$(LIBOSMOVTY_LIBS) \
diff --git a/src/osmo-bsc/gsm_08_08.c b/src/osmo-bsc/gsm_08_08.c
index 8a4b1c5fe..030808b06 100644
--- a/src/osmo-bsc/gsm_08_08.c
+++ b/src/osmo-bsc/gsm_08_08.c
@@ -58,70 +58,6 @@ static bool msc_connected(struct gsm_subscriber_connection *conn)
static bool complete_layer3(struct gsm_subscriber_connection *conn,
struct msgb *msg, struct bsc_msc_data *msc);
-static void bsc_maybe_lu_reject(struct gsm_subscriber_connection *conn, int con_type, int cause)
-{
- struct msgb *msg;
-
- /* ignore cm service request or such */
- if (con_type != FLT_CON_TYPE_LU)
- return;
-
- msg = gsm48_create_loc_upd_rej(cause);
- if (!msg) {
- LOGP(DMM, LOGL_ERROR, "Failed to create msg for LOCATION UPDATING REJECT.\n");
- return;
- }
-
- msg->lchan = conn->lchan;
- gscon_submit_rsl_dtap(conn, msg, 0, 0);
-}
-
-static int bsc_filter_initial(struct osmo_bsc_data *bsc,
- struct bsc_msc_data *msc,
- struct gsm_subscriber_connection *conn,
- struct msgb *msg, char **imsi, int *con_type,
- int *lu_cause)
-{
- struct bsc_filter_request req;
- struct bsc_filter_reject_cause cause;
- struct gsm48_hdr *gh = msgb_l3(msg);
- int rc;
-
- req.ctx = conn;
- req.black_list = NULL;
- req.access_lists = bsc_access_lists();
- req.local_lst_name = msc->acc_lst_name;
- req.global_lst_name = conn_get_bts(conn)->network->bsc_data->acc_lst_name;
- req.bsc_nr = 0;
-
- rc = bsc_msg_filter_initial(gh, msgb_l3len(msg), &req,
- con_type, imsi, &cause);
- *lu_cause = cause.lu_reject_cause;
- return rc;
-}
-
-static int bsc_filter_data(struct gsm_subscriber_connection *conn,
- struct msgb *msg, int *lu_cause)
-{
- struct bsc_filter_request req;
- struct gsm48_hdr *gh = msgb_l3(msg);
- struct bsc_filter_reject_cause cause;
- int rc;
-
- req.ctx = conn;
- req.black_list = NULL;
- req.access_lists = bsc_access_lists();
- req.local_lst_name = conn->sccp.msc->acc_lst_name;
- req.global_lst_name = conn_get_bts(conn)->network->bsc_data->acc_lst_name;
- req.bsc_nr = 0;
-
- rc = bsc_msg_filter_data(gh, msgb_l3len(msg), &req,
- &conn->filter_state,
- &cause);
- *lu_cause = cause.lu_reject_cause;
- return rc;
-}
-
/*! BTS->MSC: tell MSC a SAPI was not established. */
void bsc_sapi_n_reject(struct gsm_subscriber_connection *conn, int dlci)
{
@@ -489,22 +425,12 @@ int bsc_scan_bts_msg(struct gsm_subscriber_connection *conn, struct msgb *msg)
static bool complete_layer3(struct gsm_subscriber_connection *conn,
struct msgb *msg, struct bsc_msc_data *msc)
{
- int con_type, rc, lu_cause;
- char *imsi = NULL;
struct msgb *resp;
enum bsc_con ret;
struct gsm0808_speech_codec_list scl;
log_set_context(LOG_CTX_BSC_SUBSCR, conn->bsub);
- /* Check the filter */
- rc = bsc_filter_initial(msc->network->bsc_data, msc, conn, msg,
- &imsi, &con_type, &lu_cause);
- if (rc < 0) {
- bsc_maybe_lu_reject(conn, con_type, lu_cause);
- goto early_fail;
- }
-
/* allocate resource for a new connection */
ret = osmo_bsc_sigtran_new_conn(conn, msc);
@@ -517,28 +443,6 @@ static bool complete_layer3(struct gsm_subscriber_connection *conn,
goto early_fail;
}
- /* TODO: also extract TMSI. We get an IMSI only when an initial L3 Complete comes in that
- * contains an IMSI. We filter by IMSI. A TMSI identity is never returned here, see e.g.
- * _cr_check_loc_upd() and other similar functions called from bsc_msg_filter_initial(). */
- if (imsi) {
- conn->filter_state.imsi = talloc_steal(conn, imsi);
- if (conn->bsub) {
- log_set_context(LOG_CTX_BSC_SUBSCR, conn->bsub);
- /* Already a subscriber on L3 Complete? Should never happen... */
- if (conn->bsub->imsi[0]
- && strcmp(conn->bsub->imsi, imsi))
- LOGP(DMSC, LOGL_ERROR, "Subscriber's IMSI changes from %s to %s\n",
- conn->bsub->imsi, imsi);
- bsc_subscr_set_imsi(conn->bsub, imsi);
- } else {
- conn->bsub = bsc_subscr_find_or_create_by_imsi(msc->network->bsc_subscribers,
- imsi);
- log_set_context(LOG_CTX_BSC_SUBSCR, conn->bsub);
- }
- gscon_update_id(conn);
- }
- conn->filter_state.con_type = con_type;
-
/* check return value, if failed check msg for and send USSD */
bsc_scan_bts_msg(conn, msg);
@@ -664,8 +568,6 @@ static int handle_cc_setup(struct gsm_subscriber_connection *conn,
/*! MS->BSC/MSC: Um L3 message. */
void bsc_dtap(struct gsm_subscriber_connection *conn, uint8_t link_id, struct msgb *msg)
{
- int lu_cause;
-
log_set_context(LOG_CTX_BSC_SUBSCR, conn->bsub);
if (!msc_connected(conn))
@@ -680,15 +582,6 @@ void bsc_dtap(struct gsm_subscriber_connection *conn, uint8_t link_id, struct ms
if (handle_cc_setup(conn, msg) >= 1)
goto done;
- /* Check the filter */
- if (bsc_filter_data(conn, msg, &lu_cause) < 0) {
- bsc_maybe_lu_reject(conn,
- conn->filter_state.con_type,
- lu_cause);
- bsc_clear_request(conn, 0);
- goto done;
- }
-
bsc_scan_bts_msg(conn, msg);
/* Store link_id in msg->cb */
diff --git a/src/osmo-bsc/osmo_bsc_main.c b/src/osmo-bsc/osmo_bsc_main.c
index ad5a3a9da..42d05b1a2 100644
--- a/src/osmo-bsc/osmo_bsc_main.c
+++ b/src/osmo-bsc/osmo_bsc_main.c
@@ -84,12 +84,6 @@ struct gsm_network *bsc_gsmnet = 0;
static const char *config_file = "osmo-bsc.cfg";
static const char *rf_ctrl = NULL;
static int daemonize = 0;
-static LLIST_HEAD(access_lists);
-
-struct llist_head *bsc_access_lists(void)
-{
- return &access_lists;
-}
static void print_usage()
{
@@ -841,7 +835,6 @@ int main(int argc, char **argv)
/* This needs to precede handle_options() */
vty_init(&vty_info);
bsc_vty_init(bsc_gsmnet);
- bsc_msg_acc_lst_vty_init(tall_bsc_ctx, &access_lists, BSC_NODE);
ctrl_vty_init(tall_bsc_ctx);
logging_vty_add_deprecated_subsys(tall_bsc_ctx, "cc");
logging_vty_add_deprecated_subsys(tall_bsc_ctx, "mgcp");
diff --git a/src/osmo-bsc/osmo_bsc_vty.c b/src/osmo-bsc/osmo_bsc_vty.c
index 7174de1be..cf995cc2d 100644
--- a/src/osmo-bsc/osmo_bsc_vty.c
+++ b/src/osmo-bsc/osmo_bsc_vty.c
@@ -25,7 +25,6 @@
#include <osmocom/bsc/vty.h>
#include <osmocom/bsc/bsc_subscriber.h>
#include <osmocom/bsc/debug.h>
-#include <osmocom/bsc/bsc_msg_filter.h>
#include <osmocom/bsc/osmux.h>
#include <osmocom/core/talloc.h>
@@ -161,9 +160,6 @@ static void write_msc(struct vty *vty, struct bsc_msc_data *msc)
if (msc->local_pref)
vty_out(vty, " local-prefix %s%s", msc->local_pref, VTY_NEWLINE);
- if (msc->acc_lst_name)
- vty_out(vty, " access-list-name %s%s", msc->acc_lst_name, VTY_NEWLINE);
-
/* write amr options */
write_msc_amr_options(vty, msc);
@@ -232,10 +228,6 @@ static int config_write_bsc(struct vty *vty)
vty_out(vty, " missing-msc-text %s%s", bsc->ussd_no_msc_txt, VTY_NEWLINE);
else
vty_out(vty, " no missing-msc-text%s", VTY_NEWLINE);
- if (bsc->acc_lst_name)
- vty_out(vty, " access-list-name %s%s", bsc->acc_lst_name, VTY_NEWLINE);
-
- bsc_msg_acc_lst_write(vty);
return CMD_SUCCESS;
}
@@ -528,33 +520,6 @@ AMR_COMMAND(5_90)
AMR_COMMAND(5_15)
AMR_COMMAND(4_75)
-DEFUN(cfg_msc_acc_lst_name,
- cfg_msc_acc_lst_name_cmd,
- "access-list-name NAME",
- "Set the name of the access list to use.\n"
- "The name of the to be used access list.\n")
-{
- struct bsc_msc_data *msc = bsc_msc_data(vty);
-
- osmo_talloc_replace_string(msc, &msc->acc_lst_name, argv[0]);
- return CMD_SUCCESS;
-}
-
-DEFUN(cfg_msc_no_acc_lst_name,
- cfg_msc_no_acc_lst_name_cmd,
- "no access-list-name",
- NO_STR "Remove the access list from the NAT.\n")
-{
- struct bsc_msc_data *msc = bsc_msc_data(vty);
-
- if (msc->acc_lst_name) {
- talloc_free(msc->acc_lst_name);
- msc->acc_lst_name = NULL;
- }
-
- return CMD_SUCCESS;
-}
-
/* Make sure only standard SSN numbers are used. If no ssn number is
* configured, silently apply the default SSN */
static void enforce_standard_ssn(struct vty *vty, struct osmo_sccp_addr *addr)
@@ -781,33 +746,6 @@ DEFUN(cfg_net_no_rf_off_time,
return CMD_SUCCESS;
}
-DEFUN(cfg_bsc_acc_lst_name,
- cfg_bsc_acc_lst_name_cmd,
- "access-list-name NAME",
- "Set the name of the access list to use.\n"
- "The name of the to be used access list.\n")
-{
- struct osmo_bsc_data *bsc = osmo_bsc_data(vty);
-
- osmo_talloc_replace_string(bsc, &bsc->acc_lst_name, argv[0]);
- return CMD_SUCCESS;
-}
-
-DEFUN(cfg_bsc_no_acc_lst_name,
- cfg_bsc_no_acc_lst_name_cmd,
- "no access-list-name",
- NO_STR "Remove the access list from the BSC\n")
-{
- struct osmo_bsc_data *bsc = osmo_bsc_data(vty);
-
- if (bsc->acc_lst_name) {
- talloc_free(bsc->acc_lst_name);
- bsc->acc_lst_name = NULL;
- }
-
- return CMD_SUCCESS;
-}
-
DEFUN(show_statistics,
show_statistics_cmd,
"show statistics",
@@ -1005,8 +943,6 @@ int bsc_vty_init_extra(void)
install_element(BSC_NODE, &cfg_net_no_rf_off_time_cmd);
install_element(BSC_NODE, &cfg_net_bsc_missing_msc_ussd_cmd);
install_element(BSC_NODE, &cfg_net_bsc_no_missing_msc_text_cmd);
- install_element(BSC_NODE, &cfg_bsc_acc_lst_name_cmd);
- install_element(BSC_NODE, &cfg_bsc_no_acc_lst_name_cmd);
install_node(&msc_node, config_write_msc);
install_element(MSC_NODE, &cfg_net_bsc_ncc_cmd);
@@ -1037,8 +973,6 @@ int bsc_vty_init_extra(void)
install_element(MSC_NODE, &cfg_net_msc_amr_octet_align_cmd);
install_element(MSC_NODE, &cfg_net_msc_lcls_mode_cmd);
install_element(MSC_NODE, &cfg_net_msc_lcls_mismtch_cmd);
- install_element(MSC_NODE, &cfg_msc_acc_lst_name_cmd);
- install_element(MSC_NODE, &cfg_msc_no_acc_lst_name_cmd);
install_element(MSC_NODE, &cfg_msc_cs7_bsc_addr_cmd);
install_element(MSC_NODE, &cfg_msc_cs7_msc_addr_cmd);
install_element(MSC_NODE, &cfg_msc_cs7_asp_proto_cmd);
diff --git a/tests/handover/Makefile.am b/tests/handover/Makefile.am
index 8bd001259..901d5231e 100644
--- a/tests/handover/Makefile.am
+++ b/tests/handover/Makefile.am
@@ -41,8 +41,6 @@ handover_test_LDFLAGS = \
$(NULL)
handover_test_LDADD = \
- $(top_builddir)/src/libfilter/bsc_msg_acc.o \
- $(top_builddir)/src/libfilter/bsc_msg_vty.o \
$(top_builddir)/src/osmo-bsc/a_reset.o \
$(top_builddir)/src/osmo-bsc/abis_nm.o \
$(top_builddir)/src/osmo-bsc/abis_nm_vty.o \