[OpenSER-Users] How to check if $rd lies in an IP range

Daniel-Constantin Mierla miconda at gmail.com
Fri Mar 28 15:28:53 CET 2008


Hello,

On 03/27/08 19:37, Josh Mahonin wrote:
> Hi,
>
> I got the solution you recommended working, Daniel. 
great.


>  I'll look into
> cfgutils when I get some free time.  Here is a snippet for doing range
> checking in-script for anyone who is interested.  This checks if the IP
> lies in 172.20.62.0 / 24
>
> ---
> # Calculate decimal representation of our test range
> $var(tO1) = 172 * 16777216;  # 256^3
> $var(tO2) = 20 * 65536;           # 256^2
> $var(tO3) = 62 * 256;
> $var(tO4) = 0;
> $var(range1) = $var(tO1) + $var(tO2) + $var(tO3) + $var(tO4);
>
> # Create the net mask
> $var(net_mask1) = 255 * 16777216;
> $var(net_mask2) = 255 * 65536;
> $var(net_mask3) = 255 * 256;
> $var(net_mask) = $var(net_mask1) + $var(net_mask2) + $var(net_mask3);
>
> # Calculate the decimal value of each octet in $rd
> $var(cO1) = $(rd{s.select,0,.}{s.int}) * 16777216;
> $var(cO2) = $(rd{s.select,1,.}{s.int}) * 65536;
> $var(cO3) = $(rd{s.select,2,.}{s.int}) * 256;
> $var(cO4) = $(rd{s.select,3,.}{s.int});
>
> $var(remoteIP) =  $var(cO1) + $var(cO2) + $var(cO3) + $var(cO4);
>
> # Calculate the network address of $rd by bitwise ANDing the remote IP
> and the net mask
> $var(net_addr) = $var(remoteIP) & $var(net_mask);
>
> $var(check1) = $var(net_addr) == $var(range1);
> ---
>
> A word to the wise, if you want to optimize this code and use
> precomputed values for range1 and netmask, don't do what I did and just
> use your calculator, then assign a variable to that value.  If you
> assign a variable to a value greater than 2^32/2 (MAXINT), it will just
> be set to MAXINT, it will not rollover into the negatives and you will
> spend hours pulling your hair out wondering what's going on.   You will
> actually need to log what value SER calculates and use that instead. 
> (range1 = -1407959552 and netmask = -256 in my case).
>   
right. It is a signed int in openser configuration file. Your solution 
to log the value is a way to add some optimization.

Cheers,
Daniel

> Regards,
>
> Josh
>
> Daniel-Constantin Mierla wrote:
>   
>> Hello,
>>
>> On 03/25/08 16:06, Josh Mahonin wrote:
>>     
>>> Hi,
>>>
>>> I tried responding over the weekend, but I think my mail server ate the
>>> message, apologies if you receive duplicates.
>>>
>>> Thank you both Sergio and Daniel-Constantin, I was hoping someone else
>>> had encountered a similar problem!  I like the idea of transforming and
>>> netmasking - I'm new to OpenSER, but don't mind contributing back to the
>>> community - if I was to create some sort of check_netmask /
>>> check_iprange function, is there a particular module, or core source
>>> file that this function would fit well in?
>>>   
>>>       
>> for going in a module, cfgutils can be a candidate.
>>
>> Cheers,
>> Daniel
>>
>>     
>>> Regards,
>>>
>>> Josh
>>>
>>> Daniel-Constantin Mierla wrote:
>>>  
>>>       
>>>> Hello,
>>>>
>>>> it is another way, a bit more complex in the config file, but does not
>>>> require to execute external scripts.
>>>>
>>>> All you need is to play with transformations and arithmetic operations
>>>> in the config file. The idea is to convert to integer the IP addresses
>>>> apply bitmask and compare. Transformations that help:
>>>> - http://www.openser.org/dokuwiki/doku.php/transformations:devel#s.int
>>>> -
>>>> http://www.openser.org/dokuwiki/doku.php/transformations:devel#s.select_index_separator
>>>>
>>>>
>>>>
>>>> For example:
>>>> $rd = 23.34.56.78
>>>>
>>>> To get second number (34) as integer $(rd{s.select,1,.}{s.int})
>>>>
>>>> You transform the four parts in numbers, multiply each with the proper
>>>> value, make the sum and apply the bitwise 'and' operation with the
>>>> mask.
>>>>
>>>> Should get what you need.
>>>>
>>>> Cheers,
>>>> Daniel
>>>>
>>>>
>>>> On 03/21/08 03:41, Sergio Gutierrez wrote:
>>>>    
>>>>         
>>>>> Hi Josh.
>>>>>
>>>>> An approach we used is execute an external script through function
>>>>> exec_msg; the script receives as argument the source ip address, and
>>>>> by external means, it checks whether it belongs to a particular
>>>>> subnet, defined on a table in database or a file; we used PHP and a
>>>>> table in MySQL with the reference subnets.
>>>>>
>>>>> The script should return 0 or 1; when returns 0, exec_msg returns
>>>>> true, and when it returns 1; exec_msg returns false, so you can check
>>>>> it into an if statement.
>>>>>
>>>>> Hope it helps.
>>>>>
>>>>> Best regards.
>>>>>
>>>>> Sergio Gutiérrez.
>>>>>
>>>>> On Thu, Mar 20, 2008 at 4:34 PM, Josh Mahonin <jmahonin at cbnco.com
>>>>> <mailto:jmahonin at cbnco.com>> wrote:
>>>>>
>>>>>     Hi folks,
>>>>>
>>>>>     In my setup, I've got two disjoint subnets (call then A and B)
>>>>> that
>>>>>     cannot communicate directly to each other, but devices on each can
>>>>>     both
>>>>>     communicate to my OpenSER server and Asterisk box (both on
>>>>> their own
>>>>>     subnet, C).  There is no NAT involved, so I only want to use
>>>>> rtpproxy
>>>>>     when it's the case that device from subnet A attempts to call a
>>>>> device
>>>>>     on subnet B, or vice-versa.
>>>>>
>>>>>     I would ideally not like to use rtp proxy for communication
>>>>>     between A-C
>>>>>     and A-B (this will enable RTP media between both subnets, but that
>>>>>     solution will not scale very well...)
>>>>>
>>>>>     I'm attempting do something like this:
>>>>>
>>>>>     if (src_ip == a.b.c.d/24 && dst_ip == w.x.y.z/24)
>>>>>        use rtp proxy
>>>>>
>>>>>     But unfortunately, on an INVITE, after a lookup, dst_ip is set to
>>>>> the
>>>>>     OpenSER server.  The pseudovariable $rd is set to the value I'd
>>>>>     like to
>>>>>     check against, but it complains loudly when I attempt to
>>>>> substitute
>>>>>     dst_ip for $rd.
>>>>>
>>>>>     Is there any way to use avp_check() or the like to verify that the
>>>>>     value
>>>>>     in $rd lies in a given subnet?  I don't want to match just one IP,
>>>>>     but a
>>>>>     whole range.  I found a similar question on the SER mailing list
>>>>> asked
>>>>>     several years ago, with no response.
>>>>>
>>>>>     Thanks,
>>>>>
>>>>>     Josh
>>>>>
>>>>>
>>>>>     _______________________________________________
>>>>>     Users mailing list
>>>>>     Users at lists.openser.org <mailto:Users at lists.openser.org>
>>>>>     http://lists.openser.org/cgi-bin/mailman/listinfo/users
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at lists.openser.org
>>>>> http://lists.openser.org/cgi-bin/mailman/listinfo/users
>>>>>         
>>>>>           
>>>   
>>>       
>
>   




More information about the Users mailing list