author | Holger Hans Peter Freyther <zecke@selfish.org> | 2010-10-19 20:55:33 +0200 |
---|---|---|
committer | Holger Hans Peter Freyther <zecke@selfish.org> | 2010-10-19 20:55:33 +0200 |
commit | 1fd60631f7ef329cc18df07dab0171f2ae23b677 (patch) | |
tree | 3e665cd5efc7d6995bfb45cf58101aa50668448d /openbsc | |
parent | a25d579ab90305e6742e96b715ffd2e7fea0ef39 (diff) |
nat: Change the order of the DENY/ALLOW rule for the BSC.
Currently it is not easily possible to disable
everyone and then only allow certain SIMs. By changing
the order we can do:
access-list imsi-deny only-something ^[0-9]*$
access-list imsi-allow only-something ^123[0-9]*$
and still keep the usecase of only forbidding certain
SIMs on certain LACs. Adjust test case, test that the
other cases are still functional.
Diffstat (limited to 'openbsc')
-rw-r--r-- | openbsc/src/nat/bsc_nat_utils.c | 13 | ||||
-rw-r--r-- | openbsc/tests/bsc-nat/bsc_nat_test.c | 19 |
2 files changed, 25 insertions, 7 deletions
diff --git a/openbsc/src/nat/bsc_nat_utils.c b/openbsc/src/nat/bsc_nat_utils.c
index b295f3512..c1e3c9828 100644
--- a/openbsc/src/nat/bsc_nat_utils.c
+++ b/openbsc/src/nat/bsc_nat_utils.c
@@ -320,8 +320,8 @@ static int auth_imsi(struct bsc_connection *bsc, const char *mi_string)
 {
 /*
 * Now apply blacklist/whitelist of the BSC and the NAT.
- * 1.) Reject if the IMSI is not allowed at the BSC
- * 2.) Allow directly if the IMSI is allowed at the BSC
+ * 1.) Allow directly if the IMSI is allowed at the BSC
+ * 2.) Reject if the IMSI is not allowed at the BSC
 * 3.) Reject if the IMSI not allowed at the global level.
 * 4.) Allow directly if the IMSI is allowed at the global level
 */
@@ -333,7 +333,11 @@ static int auth_imsi(struct bsc_connection *bsc, const char *mi_string)
 if (bsc_lst) {
- /* 1. BSC deny */
+ /* 1. BSC allow */
+ if (lst_check_allow(bsc_lst, mi_string) == 0)
+ return 1;
+
+ /* 2. BSC deny */
 if (lst_check_deny(bsc_lst, mi_string) == 0) {
 LOGP(DNAT, LOGL_ERROR, "Filtering %s by imsi_deny on bsc nr: %d.\n", mi_string, bsc->cfg->nr);
@@ -341,9 +345,6 @@ static int auth_imsi(struct bsc_connection *bsc, const char *mi_string)
 return -2;
 }
- /* 2. BSC allow */
- if (lst_check_allow(bsc_lst, mi_string) == 0)
- return 1;
 }
 /* 3. NAT deny */
diff --git a/openbsc/tests/bsc-nat/bsc_nat_test.c b/openbsc/tests/bsc-nat/bsc_nat_test.c
index f82b4db5f..75bd80384 100644
--- a/openbsc/tests/bsc-nat/bsc_nat_test.c
+++ b/openbsc/tests/bsc-nat/bsc_nat_test.c
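Review bot: In auth_imsi() in bsc_nat_utils.c, the new `/* 1. BSC allow */` check returns 1 before any deny list is consulted, so a per-BSC allow match now overrides the BSC deny list as well as (as before) the NAT-wide deny in step 3, and it does so without a log line. Existing configurations whose imsi-allow and imsi-deny patterns overlap flip from reject to accept with this commit; the block comment in the first hunk should say so, for example `* NOTE: a BSC allow match returns before both the BSC and the NAT deny rules are evaluated.` Since the allow list is now the deciding check, an over-broad or unanchored allow pattern fails open, so the comment could also recommend the `^...$` anchoring used in the commit message. The function starts and ends outside these hunks and lst_check_allow() is not visible here, so the anchoring remark assumes regex search semantics.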
@@ -657,12 +657,29 @@ static struct cr_filter cr_filter[] = {
 /* filter as deny is first */
 .data = bss_lu,
 .length = sizeof(bss_lu),
- .result = -2,
+ .result = 1,
 .bsc_imsi_deny = "[0-9]*",
 .bsc_imsi_allow = "[0-9]*",
 .nat_imsi_deny = "[0-9]*",
 .contype = NAT_CON_TYPE_LU,
 },
+ {
+ /* deny by nat rule */
+ .data = bss_lu,
+ .length = sizeof(bss_lu),
+ .result = -3,
+ .bsc_imsi_deny = "000[0-9]*",
+ .nat_imsi_deny = "[0-9]*",
+ .contype = NAT_CON_TYPE_LU,
+ },
+ {
+ /* deny by bsc rule */
+ .data = bss_lu,
+ .length = sizeof(bss_lu),
+ .result = -2,
+ .bsc_imsi_deny = "[0-9]*",
+ .contype = NAT_CON_TYPE_LU,
+ },
 }; |
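Review bot: The first entry in this hunk keeps the comment `/* filter as deny is first */` although its expected result changes from -2 to 1, so the comment now contradicts the test; `/* allowed: the BSC allow list is checked before the BSC deny list */` would match the new behaviour. The two added entries cover the deny paths, but none exercises the use case from the commit message: a deny-all pattern plus a narrower allow, where an IMSI that misses the allow must still get -2. Every pattern here is an unanchored `[0-9]*`, which presumably matches any string if the lists use regex search, so these entries cannot show that a narrower allow actually restricts access; an entry using the anchored `^[0-9]*$` / `^123[0-9]*$` pair would pin that. The cr_filter array starts outside the hunk.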