aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHolger Hans Peter Freyther <zecke@selfish.org>2010-10-19 20:55:33 +0200
committerHolger Hans Peter Freyther <zecke@selfish.org>2010-10-19 20:55:33 +0200
commit1fd60631f7ef329cc18df07dab0171f2ae23b677 (patch)
tree3e665cd5efc7d6995bfb45cf58101aa50668448d
parenta25d579ab90305e6742e96b715ffd2e7fea0ef39 (diff)
nat: Change the order of the DENY/ALLOW rule for the BSC.
Currently it is not is not easily possible to disable everyone and then only allow certain SIMs. By changing the order we can do: access-list imsi-deny only-something ^[0-9]*$ access-list imsi-allow only-something ^123[0-9]*$ and still keep the usecase of only forbidding certain SIMs on certain LACs. Adjust test case, test that the other cases are still functional.
-rw-r--r--openbsc/src/nat/bsc_nat_utils.c13
-rw-r--r--openbsc/tests/bsc-nat/bsc_nat_test.c19
2 files changed, 25 insertions, 7 deletions
diff --git a/openbsc/src/nat/bsc_nat_utils.c b/openbsc/src/nat/bsc_nat_utils.c
index b295f3512..c1e3c9828 100644
--- a/openbsc/src/nat/bsc_nat_utils.c
+++ b/openbsc/src/nat/bsc_nat_utils.c
@@ -320,8 +320,8 @@ static int auth_imsi(struct bsc_connection *bsc, const char *mi_string)
{
/*
* Now apply blacklist/whitelist of the BSC and the NAT.
- * 1.) Reject if the IMSI is not allowed at the BSC
- * 2.) Allow directly if the IMSI is allowed at the BSC
+ * 1.) Allow directly if the IMSI is allowed at the BSC
+ * 2.) Reject if the IMSI is not allowed at the BSC
* 3.) Reject if the IMSI not allowed at the global level.
* 4.) Allow directly if the IMSI is allowed at the global level
*/
@@ -333,7 +333,11 @@ static int auth_imsi(struct bsc_connection *bsc, const char *mi_string)
if (bsc_lst) {
- /* 1. BSC deny */
+ /* 1. BSC allow */
+ if (lst_check_allow(bsc_lst, mi_string) == 0)
+ return 1;
+
+ /* 2. BSC deny */
if (lst_check_deny(bsc_lst, mi_string) == 0) {
LOGP(DNAT, LOGL_ERROR,
"Filtering %s by imsi_deny on bsc nr: %d.\n", mi_string, bsc->cfg->nr);
@@ -341,9 +345,6 @@ static int auth_imsi(struct bsc_connection *bsc, const char *mi_string)
return -2;
}
- /* 2. BSC allow */
- if (lst_check_allow(bsc_lst, mi_string) == 0)
- return 1;
}
/* 3. NAT deny */
diff --git a/openbsc/tests/bsc-nat/bsc_nat_test.c b/openbsc/tests/bsc-nat/bsc_nat_test.c
index f82b4db5f..75bd80384 100644
--- a/openbsc/tests/bsc-nat/bsc_nat_test.c
+++ b/openbsc/tests/bsc-nat/bsc_nat_test.c
@@ -657,12 +657,29 @@ static struct cr_filter cr_filter[] = {
/* filter as deny is first */
.data = bss_lu,
.length = sizeof(bss_lu),
- .result = -2,
+ .result = 1,
.bsc_imsi_deny = "[0-9]*",
.bsc_imsi_allow = "[0-9]*",
.nat_imsi_deny = "[0-9]*",
.contype = NAT_CON_TYPE_LU,
},
+ {
+ /* deny by nat rule */
+ .data = bss_lu,
+ .length = sizeof(bss_lu),
+ .result = -3,
+ .bsc_imsi_deny = "000[0-9]*",
+ .nat_imsi_deny = "[0-9]*",
+ .contype = NAT_CON_TYPE_LU,
+ },
+ {
+ /* deny by bsc rule */
+ .data = bss_lu,
+ .length = sizeof(bss_lu),
+ .result = -2,
+ .bsc_imsi_deny = "[0-9]*",
+ .contype = NAT_CON_TYPE_LU,
+ },
};