
Re: [reSIProcate-users] disable domain check


I tried modifying the code, to allow 0:

            if (mask != 0 && (mask < 8 || mask > 32))
            {
               return false;
            }

This allowed me to add the ACL, but it didn't work; it was still saying the source address wasn't trusted.

I added in a single /8, which worked, but I'd rather not have to add 255 ACLs, so now I'm looking at modifying the check code to just assume everything is trusted, and perhaps may even reverse the behaviour, so added ACLs will make the traffic untrusted/blocked.

Thanks for your help.
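As an added illustration, not code from this thread or from reSIProcate itself, here is a simplified version of the two checks discussed above: the prefix-length validation that rejects a /0 entry, and the bit-mask comparison that decides whether a source address matches an ACL. The function names parseIpv4Acl, isEqualWithMask and aclTrusts and the 203.0.113.x addresses are assumptions and constructed samples, not the project's own.

```cpp
#include <cstdint>
#include <string>
#include <sstream>

// Parse "a.b.c.d/mask" into a host-order address and a prefix length.
// allowZeroMask=false mirrors the original check (mask < 8 || mask > 32 rejects /0);
// true mirrors the relaxed check that additionally lets mask == 0 through.
bool parseIpv4Acl(const std::string& acl, bool allowZeroMask, uint32_t& addr, unsigned& mask)
{
    std::string::size_type slash = acl.find('/');
    if (slash == std::string::npos) return false;
    unsigned o[4];
    char d1, d2, d3;
    std::istringstream ip(acl.substr(0, slash));
    if (!(ip >> o[0] >> d1 >> o[1] >> d2 >> o[2] >> d3 >> o[3]) ||
        d1 != '.' || d2 != '.' || d3 != '.') return false;
    for (unsigned v : o) if (v > 255) return false;
    std::istringstream m(acl.substr(slash + 1));
    if (!(m >> mask)) return false;
    if (mask > 32 || (mask < 8 && !(allowZeroMask && mask == 0))) return false;
    addr = (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3];
    return true;
}

// Compare the first `mask` bits of two addresses. mask == 0 (match everything) is
// handled explicitly: shifting a 32-bit value by 32 is undefined behaviour in C++,
// so a catch-all entry needs its own branch rather than the generic shift below.
bool isEqualWithMask(uint32_t a, uint32_t b, unsigned mask)
{
    if (mask == 0) return true;
    if (mask > 32) return false;
    uint32_t m = 0xffffffffu << (32 - mask);
    return (a & m) == (b & m);
}

// Would a request from `source` (dotted quad) be treated as trusted by `acl`?
// Returns false when the ACL itself fails validation, as with 0.0.0.0/0 under the
// original check.
bool aclTrusts(const std::string& acl, const std::string& source, bool allowZeroMask)
{
    uint32_t aclAddr, srcAddr;
    unsigned aclMask, srcMask;
    if (!parseIpv4Acl(acl, allowZeroMask, aclAddr, aclMask)) return false;
    if (!parseIpv4Acl(source + "/32", true, srcAddr, srcMask)) return false;
    return isEqualWithMask(aclAddr, srcAddr, aclMask);
}
```

With this, 0.0.0.0/8 only matches sources in 0.x.x.x (which is why it still produced 403s), while 0.0.0.0/0 matches every source once the validator lets it through.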


On Tue, Oct 8, 2013 at 5:14 PM, Scott Godin <sgodin@xxxxxxxxxxxxxxx> wrote:
Just thought of something.  It's a bit ugly but you could add an ACL for each top level address, i.e.:
....

It won't be very efficient to check through 255 ACLs, but it might serve your purpose.

Scott


On Tue, Oct 8, 2013 at 4:46 PM, Scott Godin <sgodin@xxxxxxxxxxxxxxx> wrote:
I had never tried that, it was only a theory.  : )  You could try changing the code to allow 0 and see if that works, or just hardcode it to stamp all requests as trusted - not sure what else you could try without code modifications.

Scott


On Tue, Oct 8, 2013 at 4:22 PM, Simon Quigley <squigley@xxxxxxxxxxxxx> wrote:
Hi Scott,

Thanks for the quick reply. I tried adding 0.0.0.0/0 first, but when I try to add it, I get "Error parsing: 0.0.0.0/0".

I suspect this is from line 221 in http://svn.resiprocate.org/dox/repro/_acl_store_8cxx_source.html

219  if (ipv4)
220  {
221     if (mask < 8 || mask > 32)
222     {
223        return false;
224     }
225  }

So I can't specify a netmask of 0, and that's why I was specifying 8, but of course (now) I see how that wouldn't match.

Any suggestions?



On Tue, Oct 8, 2013 at 4:08 PM, Scott Godin <sgodin@xxxxxxxxxxxxxxx> wrote:
The slash in the ACLs is how many bits of the IP address should be matched - so 0.0.0.0/0 should be what you want.  (see Tuple::isEqualWithMask)

You are correct about the restart - it will close all TCP connections.

Scott


On Tue, Oct 8, 2013 at 3:48 PM, Simon Quigley <squigley@xxxxxxxxxxxxx> wrote:
Hi Scott,

Thanks for the reply. I had started reading the PDF, but only made it to page 10 :-)

I figured since I'm using it in a fairly unusual way, with authentication and registrar disabled, it might not cover what I'm trying to do.

I do see your point on adding an ACL, and scripting the updates, which I should be able to get working.

However, I can't seem to work out the format of the ACL to act as a catch all. I've added things like 0.0.0.0/8, but it's still failing with a 403.

It seems that ACL isn't correct for matching the IP, as I tried specifying that with the exact port number the request comes in from, but I still see it saying " AclStore.cxx:532 | AclStore - source address NOT trusted".

I looked through the source of the file, http://svn.resiprocate.org/dox/repro/_acl_store_8cxx_source.html but I don't see how to create wildcard addresses or a catch all record.

For the alternate option, of adding domains, I'm worried about having to do a restart to pick up the changes, even though it shows the registrations don't drop. The reason for my worry is that, because we're not using it to do registrations, just to translate TCP to UDP in a passthrough mode, the restart will close all the TCP connections, and then devices registered via the passthrough will either not realise, and be offline until they reregister, or will all try to reregister at the same time.

Can you provide some more information on the catch all acl?

Thanks,
Simon


On Tue, Oct 8, 2013 at 9:02 AM, Scott Godin <sgodin@xxxxxxxxxxxxxxx> wrote:
Hi Simon,

You could try adding a catch all ACL via the web interface to basically treat all addresses as "trusted"; this should allow relaying to/from unknown domains and avoid the 403's.

Also you can use the web interface or modify the config file to add domains, then use an HTTP command (or reprocmd) to restart the proxy leaving registrations intact.  See "Repro Command Interface" and "Scripting Database Updates" sections in https://www.resiprocate.org/images/f/f0/Repro_1.8_Overview.pdf for more info.

Scott


On Mon, Oct 7, 2013 at 6:05 PM, Simon Quigley <squigley@xxxxxxxxxxxxx> wrote:
Hello,

I'm using reSIProcate as a TCP to UDP relay, in front of a switch which has a single DNS hostname, but accepts registration for many domains.

Auth and registration are disabled in the config file for resipro, but it still requires the domain to be specified.

Is it possible to have reSIProcate accept/route requests for any/all domains, rather than having to specify them in the domain list/config file?

(I've tried obvious things like omitting the domain list, and also attempting to specify wildcards, but that results in it returning 403s for every registration attempt).

Alternatively, if it isn't possible to allow all domains, is it possible to have the running repro process reread the domain list/config file, without having to do a full restart? (in which case I could have some sort of wrapper script which would append the additional domains to the list, and then cause it to be reread).

I've searched through the site and the list archives, but I couldn't find these subjects being discussed. I apologise if they have been and I failed to find the posts, and am repeating questions.

Thanks,
Simon

--
Simon Quigley, Systems Engineer
Versature Corp.  |  877-498-3772 x128

Follow us on Twitter - http://twitter.com/Versature
Check out the Versature Blog - http://inside.versature.com

_______________________________________________
resiprocate-users mailing list
resiprocate-users@xxxxxxxxxxxxxxx
List Archive: http://list.resiprocate.org/archive/resiprocate-users/












