path: root/configure.ac
author Neels Hofmeyr <neels@hofmeyr.de> 2017-11-09 05:09:48 +0100
committer Neels Hofmeyr <nhofmeyr@sysmocom.de> 2017-11-23 13:21:12 +0000
commit 434187533bd1357ea8f834b10016499aa423082a (patch)
tree 01b5f33970576906c71827fede8ff9e65a4ecddf /configure.ac
parent d663097b8adc89d35c19ef83a30f30efa871beef (diff)

bsc filter: don't ignore imsi-allow on "global" filter level

First off, there are "global" and "local" IMSI black/whitelist levels:

                "global"  "local"
  VTY           'bsc'     'msc'     for osmo-bsc
  VTY           'nat'     'bsc'     for osmo-bsc_nat

Both in osmo-bsc and osmo-bsc-nat, the "global" IMSI filter so far completely
ignores all 'imsi-allow' rules it may contain. A comment in imsi_allow()
proclaims actions that are missing in the code.

Notably, in our example config osmo-bsc_nat.cfg, there is an imsi-allow on the
'nat' level, which with the code before this patch cannot have been effective
in any way.

Furthermore, on the "local" level the order is to check imsi-allow first, and
imsi-deny after that. The comment says to do that in reverse order on the
"global" level. There is no apparent reason for reversing.

Add evaluation of imsi-allow directives on the "global" level, i.e. 'bsc' in
osmo-bsc and 'nat' in osmo-bsc-nat, in the same order as on "local" level, to
avoid confusion. Swap the comment to be consistent.

Before this patch, to have effective imsi-allow, this config would be
necessary for osmo-bsc:

  bsc
   access-list acl imsi-allow 999999999999999
   access-list acl imsi-allow 9017.*
   access-list acl imsi-deny .*
  msc 0
   access-list-name acl
   ...
  msc 1
   access-list-name acl
   ...

With this patch, imsi-allow also works on the "global" level:

  bsc
   access-list acl imsi-allow 999999999999999
   access-list acl imsi-allow 9017.*
   access-list acl imsi-deny .*
   access-list-name acl
  msc 0
   ...
  msc 1
   ...

Change-Id: Idb6c8dd62aa90666ba6fcd213f59d79f5498da3f

Diffstat (limited to 'configure.ac')
0 files changed, 0 insertions, 0 deletions
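
The evaluation order described in the commit message, as an added example that is not osmo-bsc code: each level checks imsi-allow first, then imsi-deny, and a flag reproduces the earlier behaviour in which the "global" level skipped imsi-allow. The names `struct acl`, `imsi_permitted` and `global_allow` are hypothetical; evaluating "local" before "global", allowing an IMSI that no rule matches, and unanchored POSIX extended regex matching are assumptions.

```c
#include <regex.h>
#include <stdio.h>

/* One access list: NULL-terminated imsi-allow and imsi-deny regex lists. */
struct acl { const char **allow, **deny; };

/* Return 1 if imsi matches any pattern in the list (unanchored POSIX ERE). */
static int matches(const char **pats, const char *imsi)
{
	for (; pats && *pats; pats++) {
		regex_t re;
		if (regcomp(&re, *pats, REG_EXTENDED | REG_NOSUB) != 0)
			continue; /* invalid pattern: treated as non-matching here */
		int hit = regexec(&re, imsi, 0, NULL, 0) == 0;
		regfree(&re);
		if (hit)
			return 1;
	}
	return 0;
}

/* One level, imsi-allow first: 1 = allowed, 0 = denied, -1 = no rule matched. */
static int check_level(const struct acl *l, const char *imsi, int use_allow)
{
	if (l && use_allow && matches(l->allow, imsi))
		return 1;
	return (l && matches(l->deny, imsi)) ? 0 : -1;
}

/* Assumed order: "local" then "global"; global_allow=0 models the old code. */
int imsi_permitted(const struct acl *local, const struct acl *global,
		   const char *imsi, int global_allow)
{
	int rc = check_level(local, imsi, 1);
	if (rc < 0)
		rc = check_level(global, imsi, global_allow);
	return rc < 0 ? 1 : rc; /* assumption: no matching rule means allowed */
}

/* Constructed sample: the access list "acl" from the commit message. */
static const char *acl_allow[] = { "999999999999999", "9017.*", NULL };
static const char *acl_deny[] = { ".*", NULL };
const struct acl sample_acl = { acl_allow, acl_deny };

int main(void)
{
	printf("global acl, old: %d, new: %d\n",
	       imsi_permitted(NULL, &sample_acl, "999999999999999", 0),
	       imsi_permitted(NULL, &sample_acl, "999999999999999", 1));
	return 0;
}
```

With the list attached only at the "global" level, the old behaviour rejects every IMSI because only `imsi-deny .*` is evaluated, so the misconfiguration fails closed rather than open.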