[Spce-user] Possible bug in ROUTE_DOS_ATTACK_CHECK
Jon Bonilla (Manwe)
manwe at sipdoc.net
Tue Mar 31 11:25:45 EDT 2015
El Tue, 31 Mar 2015 14:13:24 +0200
Andrew Pogrebennyk <apogrebennyk at sipwise.com> escribió:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hi Jon,
>
> On 03/31/2015 02:35 AM, Jon Bonilla (Manwe) wrote:
> > Happened in 2.8:
> >
> > If presence and pike check are disabled ROUTE_DOS_ATTACK_CHECK is
> > empty and kamailio-lb fails to start. It needs an unconditional
> > return at then end to avoid it.
> >
> > It is present in version 3.7.X
>
> do you have a customtt there by any chance?
I do but I've just checked the vanilla version 2.8.23 and this is how it looks
like:
route[ROUTE_DOS_ATTACK_CHECK]
{
#!ifdef ENABLE_PIKECHECK
if($sht(ipban=>$si) != $null)
{
# ip is already blocked - keep the node warm
pike_check_req();
exit;
}
#!endif
#!ifdef ENABLE_PRESENCE
# special case for jitsi: pass all remote control in-dialog NOTIFY now
# remove it if Jitsi changed to use Psudo-TCP for remote control in the
future if (is_method("NOTIFY") && has_totag()) {
return;
}
#!endif
#!ifdef ENABLE_PIKECHECK
if(!pike_check_req())
{
append_hf("P-NGCP-CheckBan: 1\r\n");
xlog("L_INFO", "Mark request for pike trust check - [% logreq
-%]\n"); # NGCP proxy will return "P-NGCP-Ban: <ip>" in reply if it's not from
# a trusted peer, which is checked below and added to ban list.
return;
}
#!endif
}
It should have a return after the last endif and before the }.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: Firma digital OpenPGP
URL: <http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/attachments/20150331/14aa60cd/attachment-0001.sig>
More information about the Spce-user
mailing list