From e5978f79ca793129cfdc17f308b6a3fe2ade00bb Mon Sep 17 00:00:00 2001
From: Cort Buffington
Date: Wed, 21 Nov 2018 10:24:19 -0600
Subject: [PATCH] Consolidate ACLs into HBlink.py

MAJOR CHANGE: Move ACLs into the main hblink.cfg configuraiton file and process all ingress ACLs in hblink.py itself. This means removing all other ACL processing from other programs, except hb_bridge_all.py which uses the main hblink.py ACLs for egress processing.
---
 acl.py | 104 ----------------
 hb_bridge_all.py | 149 +++++++---------------
 hb_bridge_all_rules_SAMPLE.py | 62 ---------
 hb_confbridge.py | 77 +----------
 hb_config.py | 108 +++++++++++++---
 hb_const.py | 5 +-
 hblink-SAMPLE.cfg | 64 +++++++++-
 hblink.py | 228 ++++++++++++++++++----------------
 reg_acl-SAMPLE.py | 11 --
 sub_acl-SAMPLE.py | 9 --
 10 files changed, 325 insertions(+), 492 deletions(-)
 delete mode 100755 acl.py
 delete mode 100755 hb_bridge_all_rules_SAMPLE.py
 delete mode 100755 reg_acl-SAMPLE.py
 delete mode 100755 sub_acl-SAMPLE.py

diff --git a/acl.py b/acl.py
deleted file mode 100755
index 8eeba5f..0000000
--- a/acl.py
+++ /dev/null
@@ -1,104 +0,0 @@ -############################################################################### -# Copyright (C) 2018 Cortney T. Buffington, N0MJS -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software Foundation, -# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -############################################################################### - -from dmr_utils.utils import int_id - -# Lowest possible Subscirber and/or talkgroup IDs allowed by ETSI standard -ID_MIN = 1 -ID_MAX = 16776415 - - -# Checks the supplied ID against the ID given, and the ACL list, and the action -# Returns True if the ID should be allowed, False if it should not be -def acl_check(_id, _acl): - id = int_id(_id) - for entry in _acl[1]: - if entry[0] <= id <= entry[1]: - return _acl[0] - return not _acl[0] - - -def acl_build(_acl): - if not _acl: - return(True, set((ID_MIN, ID_MAX))) - - acl = set() - sections = _acl.split(':') - - if sections[0] == 'PERMIT': - action = True - else: - action = False - - for entry in sections[1].split(','): - if entry == 'ALL': - acl.add((ID_MIN, ID_MAX)) - break - - elif '-' in entry: - start,end = entry.split('-') - start,end = int(start), int(end) - if (ID_MIN <= start <= ID_MAX) or (ID_MIN <= end <= ID_MAX): - acl.add((start, end)) - else: - pass #logger message here - else: - id = int(entry) - if (ID_MIN <= id <= ID_MAX): - acl.add((id, id)) - else: - pass #logger 
message here - - return (action, acl) - - -if __name__ == '__main__': - from time import time - from pprint import pprint - - ACL = { - 'SUB': { - 'K0USY': { - 1: 'PERMIT:1-5,3120101,3120124', - 2: 'DENY:1-5,3120101,3120124' - } - }, - 'TGID': { - 'GLOBAL': { - 1: 'PERMIT:ALL', - 2: 'DENY:ALL' - }, - 'K0USY': { - 1: 'PERMIT:1-5,3120,31201', - 2: 'DENY:1-5,3120,31201' - } - } - } - - for acl in ACL: - if 'GLOBAL' not in ACL[acl]: - ACL[acl].update({'GLOBAL': {1:'PERMIT:ALL',2:'PERMIT:ALL'}}) - for acltype in ACL[acl]: - for slot in ACL[acl][acltype]: - ACL[acl][acltype][slot] = acl_build(ACL[acl][acltype][slot]) - - pprint(ACL) - print - - print(acl_check('\x00\x00\x01', ACL['TGID']['GLOBAL'][1])) - print(acl_check('\x00\x00\x01', ACL['TGID']['K0USY'][2])) \ No newline at end of file diff --git a/hb_bridge_all.py b/hb_bridge_all.py index c371d0a..29dc967 100755 --- a/hb_bridge_all.py +++ b/hb_bridge_all.py @@ -45,10 +45,9 @@ from twisted.protocols.basic import NetstringReceiver from twisted.internet import reactor, task # Things we import from the main hblink module -from hblink import HBSYSTEM, systems, hblink_handler, reportFactory, REPORT_OPCODES, config_reports, build_reg_acl +from hblink import HBSYSTEM, OPENBRIDGE, systems, hblink_handler, reportFactory, REPORT_OPCODES, config_reports from dmr_utils.utils import hex_str_3, int_id, get_alias from dmr_utils import decode, bptc, const -from acl import acl_check, acl_build import hb_config import hb_log import hb_const 
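Review bot: The rewritten import line drops `acl_check` together with the deleted `from acl import acl_check, acl_build`, yet the egress ACL block added later in this file still calls `acl_check(...)`, and this patch now defines that function in hblink.py, so every ACL evaluation will raise NameError. Add it to the consolidated import: `from hblink import HBSYSTEM, OPENBRIDGE, systems, hblink_handler, reportFactory, REPORT_OPCODES, config_reports, acl_check`. If the caller runs inside Twisted's datagram handler the exception is presumably logged and the packet discarded, so this fails closed by accident rather than by design, and the log will fill on every call once USE_ACL is set.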
@@ -65,19 +64,6 @@ __status__ = 'pre-alpha' # Module gobal varaibles -# Import rules -- at this point, just ACLs -def import_rules(_rules): - try: - rules_file = import_module(_rules) - logger.info('Rules file found and bridges imported') - return rules_file - except ImportError: - logger.info('Rules file not found. Initializing defaults') - rules_file = ModuleType('rules_file') - rules_file.ACL = {'SID':{}, 'TGID':{}} - return rules_file - - class bridgeallSYSTEM(HBSYSTEM): def __init__(self, _name, _config, _logger, _report): 
@@ -140,32 +126,6 @@ class bridgeallSYSTEM(HBSYSTEM): if _call_type == 'group': - # Check for GLOBAL Subscriber ID ACL Match - if acl_check(_rf_src, ACL['SID']['GLOBAL'][_slot]) == False: - if (_stream_id != self.STATUS[_slot]['RX_STREAM_ID']): - self._logger.warning('(%s) Group Voice Call ***REJECTED BY INGRESS GLOBAL ACL*** SID: %s SLOT: %s HBP Peer %s', self._system, int_id(_rf_src), _slot, int_id(_peer_id)) - self.STATUS[_slot]['RX_STREAM_ID'] = _stream_id - return - # Check for SYSTEM Subscriber ID ACL Match - if acl_check(_rf_src, ACL['SID'][self._system][_slot]) == False: - if (_stream_id != self.STATUS[_slot]['RX_STREAM_ID']): - self._logger.warning('(%s) Group Voice Call ***REJECTED BY INGRESS SYSTEM ACL*** SID: %s SLOT: %s HBP Peer %s', self._system, int_id(_rf_src), _slot, int_id(_peer_id)) - self.STATUS[_slot]['RX_STREAM_ID'] = _stream_id - return - - # Check for GLOBAL Talkgroup ID ACL Match - if acl_check(_dst_id, ACL['TGID']['GLOBAL'][_slot]) == False: - if (_stream_id != self.STATUS[_slot]['RX_STREAM_ID']): - self._logger.warning('(%s) Group Voice Call ***REJECTED BY INGRESS GLOBAL ACL*** TGID: %s SLOT: %s HBP Peer %s', self._system, int_id(_dst_id), _slot, int_id(_peer_id)) - self.STATUS[_slot]['RX_STREAM_ID'] = _stream_id - return - # Check for SYSTEM Talkgroup ID ID ACL Match - if acl_check(_dst_id, ACL['TGID'][self._system][_slot]) == False: - if (_stream_id != self.STATUS[_slot]['RX_STREAM_ID']): - self._logger.warning('(%s) Group Voice Call ***REJECTED BY INGRESS SYSTEM ACL*** TGID: %s SLOT: %s HBP Peer %s', self._system, int_id(_dst_id), _slot, int_id(_peer_id)) - self.STATUS[_slot]['RX_STREAM_ID'] = _stream_id - return - # Is this is a new call stream? if (_stream_id != self.STATUS[_slot]['RX_STREAM_ID']): self.STATUS['RX_START'] = pkt_time 
@@ -191,39 +151,45 @@ class bridgeallSYSTEM(HBSYSTEM): _target_status = systems[_target].STATUS _target_system = self._CONFIG['SYSTEMS'][_target] - - # Check for GLOBAL Subscriber ID ACL Match - if acl_check(_rf_src, ACL['SID']['GLOBAL'][_slot]) == False: - if (_stream_id != _target_status[_slot]['TX_STREAM_ID']): - self._logger.warning('(%s) Group Voice Call ***REJECTED BY EGRESS GLOBAL ACL*** SID: %s SLOT: %s HBP Peer %s', _target, int_id(_rf_src), _slot, int_id(_peer_id)) - _target_status[_slot]['TX_STREAM_ID'] = _stream_id - return - # Check for SYSTEM Subscriber ID ACL Match - if acl_check(_rf_src, ACL['SID'][_target][_slot]) == False: - if (_stream_id != _target_status[_slot]['TX_STREAM_ID']): - self._logger.warning('(%s) Group Voice Call ***REJECTED BY EGRESS SYSTEM ACL*** SID: %s SLOT: %s HBP Peer %s', _target, int_id(_rf_src), _slot, int_id(_peer_id)) - _target_status[_slot]['TX_STREAM_ID'] = _stream_id - return - - # Check for GLOBAL Talkgroup ID ACL Match - if acl_check(_dst_id, ACL['TGID']['GLOBAL'][_slot]) == False: - if (_stream_id != _target_status[_slot]['TX_STREAM_ID']): - self._logger.warning('(%s) Group Voice Call ***REJECTED BY EGRESS GLOBAL ACL*** TGID: %s SLOT: %s HBP Peer %s', _target, int_id(_dst_id), _slot, int_id(_peer_id)) - _target_status[_slot]['TX_STREAM_ID'] = _stream_id - return - # Check for SYSTEM Talkgroup ID ID ACL Match - if acl_check(_dst_id, ACL['TGID'][_target][_slot]) == False: - if (_stream_id != _target_status[_slot]['TX_STREAM_ID']): - self._logger.warning('(%s) Group Voice Call ***REJECTED BY EGRESS SYSTEM ACL*** TGID: %s HBP Peer %s', _target, int_id(_dst_id), int_id(_peer_id)) - _target_status[_slot]['TX_STREAM_ID'] = _stream_id - return + _target_status[_slot]['TX_STREAM_ID'] = _stream_id + + # ACL Processing + if self._CONFIG['GLOBAL']['USE_ACL']: + if not acl_check(_rf_src, self._CONFIG['GLOBAL']['SUB_ACL']): + if self._laststrid != _stream_id: + self._logger.debug('(%s) CALL DROPPED ON EGRESS WITH STREAM ID %s FROM 
SUBSCRIBER %s BY GLOBAL ACL', _target_system, int_id(_stream_id), int_id(_rf_src)) + self._laststrid = _stream_id + return + if _slot == 1 and not acl_check(_dst_id, self._CONFIG['GLOBAL']['TG1_ACL']): + if self._laststrid != _stream_id: + self._logger.debug('(%s) CALL DROPPED ON EGRESS WITH STREAM ID %s ON TGID %s BY GLOBAL TS1 ACL', _target_system, int_id(_stream_id), int_id(_dst_id)) + self._laststrid = _stream_id + return + if _slot == 2 and not acl_check(_dst_id, self._CONFIG['GLOBAL']['TG2_ACL']): + if self._laststrid != _stream_id: + self._logger.debug('(%s) CALL DROPPED ON EGRESS WITH STREAM ID %s ON TGID %s BY GLOBAL TS2 ACL', _target_system, int_id(_stream_id), int_id(_dst_id)) + self._laststrid = _stream_id + return + if self._target_system['USE_ACL']: + if not acl_check(_rf_src, _target_system['SUB_ACL']): + if self._laststrid != _stream_id: + self._logger.debug('(%s) CALL DROPPED ON EGRESS WITH STREAM ID %s FROM SUBSCRIBER %s BY SYSTEM ACL', _target_system, int_id(_stream_id), int_id(_rf_src)) + self._laststrid = _stream_id + return + if _slot == 1 and not acl_check(_dst_id, _target_system['TG1_ACL']): + if self._laststrid != _stream_id: + self._logger.debug('(%s) CALL DROPPED ON EGRESS WITH STREAM ID %s ON TGID %s BY SYSTEM TS1 ACL', _target_system, int_id(_stream_id), int_id(_dst_id)) + self._laststrid = _stream_id + return + if _slot == 2 and not acl_check(_dst_id, _target_system['TG2_ACL']): + if self._laststrid != _stream_id: + self._logger.debug('(%s) CALL DROPPED ON EGRESS WITH STREAM ID %s ON TGID %s BY SYSTEM TS2 ACL', _target_system, int_id(_stream_id), int_id(_dst_id)) + self._laststrid = _stream_id + return + self._laststrid = _stream_id systems[_target].send_system(_data) #self._logger.debug('(%s) Packet routed to system: %s', self._system, _target) - - - - #************************************************ 
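Review bot: `if self._target_system['USE_ACL']:` reads an attribute that nothing in view defines; `_target_system` is the local assigned from `self._CONFIG['SYSTEMS'][_target]` at the top of this hunk, so the first packet that clears the global checks raises AttributeError. The same local is also what the six `logger.debug` calls pass for `(%s)`, and for a MASTER target that dict carries `PASSPHRASE` (see the hb_config.py hunks in this patch), so the peer passphrase would be written to the debug log on every ACL drop. Change the guard to `if _target_system['USE_ACL']:` and log `_target` instead of `_target_system` in each message. `self._laststrid` is initialised for OPENBRIDGE in hblink.py in this patch but HBSYSTEM's `__init__` is not in view, so confirm it gets the same attribute. The enclosing dmrd_received method begins before this hunk.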
@@ -269,9 +235,6 @@ if __name__ == '__main__': # Set signal handers so that we can gracefully exit if need be for sig in [signal.SIGTERM, signal.SIGINT]: signal.signal(sig, sig_handler) - - # Build the Access Control List - REG_ACL = build_reg_acl('reg_acl', logger) # ID ALIAS CREATION # Download 
@@ -295,43 +258,21 @@ if __name__ == '__main__': talkgroup_ids = mk_id_dict(CONFIG['ALIASES']['PATH'], CONFIG['ALIASES']['TGID_FILE']) if talkgroup_ids: logger.info('ID ALIAS MAPPER: talkgroup_ids dictionary is available') - - # Import rules file - rules_file = import_rules('hb_bridge_all_rules') - - # Create ACLs - ACL = rules_file.ACL - - for acl_type in ACL: - if acl_type != 'SID' and acl_type != 'TGID': - sys.exit(('TERMINATE: SID or TGID stanzas not in ACL!!! Exiting to save you grief later')) - - if 'GLOBAL' not in ACL[acl_type]: - ACL[acl_type].update({'GLOBAL': {1:'PERMIT:ALL',2:'PERMIT:ALL'}}) - - for system_acl in ACL[acl_type]: - if system_acl not in CONFIG['SYSTEMS'] and system_acl != 'GLOBAL': - sys.exit(('TERMINATE: {} ACL configured for system {} that does not exist!!! Exiting to save you grief later'.format(acl_type, system_acl))) - for slot in ACL[acl_type][system_acl]: - ACL[acl_type][system_acl][slot] = acl_build(ACL[acl_type][system_acl][slot]) - - for system in CONFIG['SYSTEMS']: - for acl_type in ACL: - if system not in ACL[acl_type]: - logger.warning('No %s ACL for system %s - initializing \'PERMIT:ALL\'', acl_type, system) - ACL[acl_type].update({system: {1: acl_build('PERMIT:ALL'), 2: acl_build('PERMIT:ALL')}}) - - # Build the Registration Access Control List - REG_ACL = build_reg_acl('reg_acl', logger) + # INITIALIZE THE REPORTING LOOP report_server = config_reports(CONFIG, logger, reportFactory) + # HBlink instance creation - logger.info('HBlink \'hb_bridge_all.py\' (c) 2016 N0MJS & the K0USY Group - SYSTEM STARTING...') + logger.info('HBlink \'HBlink.py\' (c) 2016-2018 N0MJS & the K0USY Group - SYSTEM STARTING...') for system in CONFIG['SYSTEMS']: if CONFIG['SYSTEMS'][system]['ENABLED']: - systems[system] = bridgeallSYSTEM(system, CONFIG, logger, report_server) + if CONFIG['SYSTEMS'][system]['MODE'] == 'OPENBRIDGE': + logger.critical('%s FATAL: Instance is mode \'OPENBRIDGE\', \n\t\t...Which would be tragic for Bridge All, since it 
carries multiple call\n\t\tstreams simultaneously. hb_bridge_all.py onlyl works with MMDVM-based systems', system) + sys.exit('hb_bridge_all.py cannot function with systems that are not MMDVM devices. System {} is configured as an OPENBRIDGE'.format(system)) + else: + systems[system] = HBSYSTEM(system, CONFIG, logger, report_server) reactor.listenUDP(CONFIG['SYSTEMS'][system]['PORT'], systems[system], interface=CONFIG['SYSTEMS'][system]['IP']) logger.debug('%s instance created: %s, %s', CONFIG['SYSTEMS'][system]['MODE'], system, systems[system]) diff --git a/hb_bridge_all_rules_SAMPLE.py b/hb_bridge_all_rules_SAMPLE.py deleted file mode 100755 index e06039a..0000000 --- a/hb_bridge_all_rules_SAMPLE.py +++ /dev/null 
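Review bot: `systems[system] = HBSYSTEM(system, CONFIG, logger, report_server)` replaces the previous `bridgeallSYSTEM(...)`, so the subclass whose `dmrd_received` does the bridging (and the egress ACL checks added above) is never instantiated and hb_bridge_all would forward nothing. Restore `systems[system] = bridgeallSYSTEM(system, CONFIG, logger, report_server)`. The startup banner now announces `'HBlink.py'` and the fatal message has the typo `onlyl`; both look copied from hblink.py and could be tidied on the same lines.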
@@ -1,62 +0,0 @@ -# ACL Entries -# -# The 'action' May be PERMIT|DENY -# Each entry may be a single radio id, a hypenated range (e.g. 1-2999), or the string 'ALL'. -# if "ALL" is used, you may not include any other ranges or individual IDs. -# Format: -# ACL = 'action:id|start-end|,id|start-end,....' -# -# Sections exist for both TGIDs and Subscriber IDs. -# Sections exist for glboal actions, and per-system actions. -# ***FIRST MATCH EXITS*** - -# SID - Subscriber ID section. -# TGID - Talkgroup ID section. -# -# "GLOBAL" affects ALL systems -# "SYSTEM NAME" affects the system in quetion -# ACLs are applied both ingress AND egress -# If you omit GLOBAL or SYSTEM level ACLs, they will be initilzied -# automatically as "PERMIT:ALL" -# Each system (or global) has two sections 1 and 2, which correspond -# to timeslots 1 and 2 respectively -# -# EXAMPLE: -#ACL = { -# 'SID': { -# 'GLOBAL': { -# 1: 'PERMIT:ALL', -# 2: 'PERMIT:ALL' -# }, -# 'LINK': { -# 1: 'DENY:3120121', -# 2: 'PERMIT:ALL' -# } -# }, -# 'TGID': { -# 'GLOBAL': { -# 1: 'PERMIT:ALL', -# 2: 'PERMIT:ALL' -# }, -# 'LINK': { -# 1: 'DENY:1-5,1616', -# 2: 'PERMIT:3120' -# } -# } -#} - -ACL = { - 'SID': { - 'GLOBAL': { - 1: 'PERMIT:ALL', - 2: 'PERMIT:ALL' - } - }, - 'TGID': { - 'GLOBAL': { - 1: 'PERMIT:ALL', - 2: 'PERMIT:ALL' - } - } -} - diff --git a/hb_confbridge.py b/hb_confbridge.py index ef0007e..a7832ab 100755 --- a/hb_confbridge.py +++ b/hb_confbridge.py @@ -45,7 +45,7 @@ from twisted.protocols.basic import NetstringReceiver from twisted.internet import reactor, task # Things we import from the main hblink module -from hblink import HBSYSTEM, OPENBRIDGE, systems, hblink_handler, reportFactory, REPORT_OPCODES, build_reg_acl +from hblink import HBSYSTEM, OPENBRIDGE, systems, hblink_handler, reportFactory, REPORT_OPCODES from dmr_utils.utils import hex_str_3, int_id, get_alias from dmr_utils import decode, bptc, const import hb_config 
@@ -115,61 +115,8 @@ def make_bridges(_hb_confbridge_bridges): _system['TIMER'] = time() + _system['TIMEOUT'] else: _system['TIMER'] = time() - return bridge_file.BRIDGES - - -# Import subscriber ACL -# ACL may be a single list of subscriber IDs -# Global action is to allow or deny them. Multiple lists with different actions and ranges -# are not yet implemented. -def build_acl(_sub_acl): - ACL = set() - try: - acl_file = import_module(_sub_acl) - logger.info('ACL file found, importing entries. This will take about 1.5 seconds per 1 million IDs') - sections = acl_file.ACL.split(':') - ACL_ACTION = sections[0] - entries_str = sections[1] - - - for entry in entries_str.split(','): - if '-' in entry: - start,end = entry.split('-') - start,end = int(start), int(end) - for id in range(start, end+1): - ACL.add(hex_str_3(id)) - else: - id = int(entry) - ACL.add(hex_str_3(id)) - - logger.info('ACL loaded: action "{}" for {:,} radio IDs'.format(ACL_ACTION, len(ACL))) - - except ImportError: - logger.info('ACL file not found or invalid - all subscriber IDs are valid') - ACL_ACTION = 'NONE' - - # Depending on which type of ACL is used (PERMIT, DENY... or there isn't one) - # define a differnet function to be used to check the ACL - global allow_sub - if ACL_ACTION == 'PERMIT': - def allow_sub(_sub): - if _sub in ACL: - return True - else: - return False - elif ACL_ACTION == 'DENY': - def allow_sub(_sub): - if _sub not in ACL: - return True - else: - return False - else: - def allow_sub(_sub): - return True - - return ACL - + # Run this every minute for rule timer updates def rule_timer_loop(): @@ -250,12 +197,6 @@ class routerOBP(OPENBRIDGE): _bits = int_id(_data[15]) if _call_type == 'group': - - # Check for ACL match, and return if the subscriber is not allowed - if allow_sub(_rf_src) == False: - self._logger.warning('(%s) Group Voice Packet ***REJECTED BY ACL*** 
From: %s, HBP Peer %s, Destination TGID %s', self._system, int_id(_rf_src), int_id(_peer_id), int_id(_dst_id)) - return - # Is this a new call stream? if (_stream_id not in self.STATUS): # This is a new call stream @@ -505,11 +446,6 @@ class routerHBP(HBSYSTEM): if _call_type == 'group': - # Check for ACL match, and return if the subscriber is not allowed - if allow_sub(_rf_src) == False: - self._logger.warning('(%s) Group Voice Packet ***REJECTED BY ACL*** From: %s, HBP Peer %s, Destination TGID %s', self._system, int_id(_rf_src), int_id(_peer_id), int_id(_dst_id)) - return - # Is this a new call stream? if (_stream_id != self.STATUS[_slot]['RX_STREAM_ID']): if (self.STATUS[_slot]['RX_TYPE'] != hb_const.HBPF_SLT_VTERM) and (pkt_time < (self.STATUS[_slot]['RX_TIME'] + hb_const.STREAM_TO)) and (_rf_src != self.STATUS[_slot]['RX_RFS']): @@ -804,9 +740,6 @@ if __name__ == '__main__': for sig in [signal.SIGTERM, signal.SIGINT]: signal.signal(sig, sig_handler) - # Build the Access Control List - REG_ACL = build_reg_acl('reg_acl', logger) - # ID ALIAS CREATION # Download if CONFIG['ALIASES']['TRY_DOWNLOAD'] == True: @@ -833,12 +766,6 @@ if __name__ == '__main__': # Build the routing rules file BRIDGES = make_bridges('hb_confbridge_rules') - # Build the Access Control List - ACL = build_acl('sub_acl') - - # Build the Registration Access Control List - REG_ACL = build_reg_acl('reg_acl', logger) - # INITIALIZE THE REPORTING LOOP report_server = config_reports(CONFIG, logger, confbridgeReportFactory) diff --git a/hb_config.py b/hb_config.py index 5600c99..d7024fc 100755 --- a/hb_config.py +++ b/hb_config.py @@ -28,6 +28,7 @@ change. import ConfigParser import sys +import hb_const as const from socket import gethostbyname 
@@ -39,6 +40,61 @@ __license__ = 'GNU GPLv3' __maintainer__ = 'Cort Buffington, N0MJS' __email__ = 'n0mjs@me.com' +# Processing of ALS goes here. It's separated from the acl_build function because this +# code is hblink config-file format specific, and acl_build is abstracted +def process_acls(_config): + # Global registration ACL + _config['GLOBAL']['REG_ACL'] = acl_build(_config['GLOBAL']['REG_ACL'], const.PEER_MAX) + + # Global subscriber and TGID ACLs + for acl in ['SUB_ACL', 'TG1_ACL', 'TG2_ACL']: + _config['GLOBAL'][acl] = acl_build(_config['GLOBAL'][acl], const.ID_MAX) + + # System level ACLs + for system in _config['SYSTEMS']: + # Registration ACLs (which make no sense for peer systems) + if _config['SYSTEMS'][system]['MODE'] == 'MASTER': + _config['SYSTEMS'][system]['REG_ACL'] = acl_build(_config['SYSTEMS'][system]['REG_ACL'], const.PEER_MAX) + + # Subscriber and TGID ACLs (valid for all system types) + for acl in ['SUB_ACL', 'TG1_ACL', 'TG2_ACL']: + _config['SYSTEMS'][system][acl] = acl_build(_config['SYSTEMS'][system][acl], const.ID_MAX) + +# Create an access control list that is programatically useable from human readable: +# ORIGINAL: 'DENY:1-5,3120101,3120124' +# PROCESSED: (False, set([(1, 5), (3120124, 3120124), (3120101, 3120101)])) +def acl_build(_acl, _max): + if not _acl: + return(True, set((const.ID_MIN, _max))) + + acl = set() + sections = _acl.split(':') + + if sections[0] == 'PERMIT': + action = True + else: + action = False + + for entry in sections[1].split(','): + if entry == 'ALL': + acl.add((const.ID_MIN, _max)) + break + + elif '-' in entry: + start,end = entry.split('-') + start,end = int(start), int(end) + if (const.ID_MIN <= start <= _max) or (const.ID_MIN <= end <= _max): + acl.add((start, end)) + else: + sys.exit('ACL CREATION ERROR, VALUE OUT OF RANGE (} - {})IN RANGE-BASED ENTRY: {}'.format(const.ID_MIN, _max, entry)) + else: + id = int(entry) + if (const.ID_MIN <= id <= _max): + acl.add((id, id)) + else: + sys.exit('ACL 
CREATION ERROR, VALUE OUT OF RANGE ({} - {}) IN SINGLE ID ENTRY: {}'.format(const.ID_MIN, _max, entry)) + + return (action, acl) def build_config(_config_file): config = ConfigParser.ConfigParser() @@ -51,7 +107,6 @@ def build_config(_config_file): CONFIG['REPORTS'] = {} CONFIG['LOGGER'] = {} CONFIG['ALIASES'] = {} - CONFIG['AMBE'] = {} CONFIG['SYSTEMS'] = {} try: @@ -60,7 +115,12 @@ def build_config(_config_file): CONFIG['GLOBAL'].update({ 'PATH': config.get(section, 'PATH'), 'PING_TIME': config.getint(section, 'PING_TIME'), - 'MAX_MISSED': config.getint(section, 'MAX_MISSED') + 'MAX_MISSED': config.getint(section, 'MAX_MISSED'), + 'USE_ACL': config.get(section, 'USE_ACL'), + 'REG_ACL': config.get(section, 'REG_ACL'), + 'SUB_ACL': config.get(section, 'SUB_ACL'), + 'TG1_ACL': config.get(section, 'TGID_TS1_ACL'), + 'TG2_ACL': config.get(section, 'TGID_TS2_ACL') }) elif section == 'REPORTS': @@ -91,12 +151,6 @@ def build_config(_config_file): 'STALE_TIME': config.getint(section, 'STALE_DAYS') * 86400, }) - elif section == 'AMBE': - CONFIG['AMBE'].update({ - 'EXPORT_IP': gethostbyname(config.get(section, 'EXPORT_IP')), - 'EXPORT_PORT': config.getint(section, 'EXPORT_PORT'), - }) - elif config.getboolean(section, 'ENABLED'): if config.get(section, 'MODE') == 'PEER': CONFIG['SYSTEMS'].update({section: { @@ -127,7 +181,11 @@ def build_config(_config_file): 'SOFTWARE_ID': config.get(section, 'SOFTWARE_ID').ljust(40)[:40], 'PACKAGE_ID': config.get(section, 'PACKAGE_ID').ljust(40)[:40], 'GROUP_HANGTIME': config.getint(section, 'GROUP_HANGTIME'), - 'OPTIONS': config.get(section, 'OPTIONS') + 'OPTIONS': config.get(section, 'OPTIONS'), + 'USE_ACL': config.getboolean(section, 'USE_ACL'), + 'SUB_ACL': config.get(section, 'SUB_ACL'), + 'TG1_ACL': config.get(section, 'TGID_TS1_ACL'), + 'TG2_ACL': config.get(section, 'TGID_TS2_ACL') }}) CONFIG['SYSTEMS'][section].update({'STATS': { 'CONNECTION': 'NO', # NO, RTPL_SENT, AUTHENTICATED, CONFIG-SENT, YES 
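Review bot: In `acl_build`, the empty-ACL fallback `set((const.ID_MIN, _max))` builds a set of two ints rather than a set holding one (min, max) tuple, so a blank `SUB_ACL:` value passes configuration and then makes `acl_check` fail with TypeError on `entry[0]` at the first packet; write it as `return (True, set([(const.ID_MIN, _max)]))`. The range test uses `or`, so an entry with one endpoint out of bounds is accepted, and nothing checks `start <= end`, so a reversed DENY range such as `5-1` is stored but can never match — a deny that silently permits; use `if const.ID_MIN <= start <= end <= _max:`. The range-error message contains `(} - {})`, whose lone `}` makes `str.format` raise ValueError before the intended exit message is printed; it should read `({} - {}) IN RANGE-BASED ENTRY: {}`. Any action word other than exactly `PERMIT` is treated as DENY without comment, which at least fails closed but hides typos; a docstring on `acl_build` stating the accepted syntax and that unrecognised actions deny would help operators.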
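Review bot: In the GLOBAL stanza `'USE_ACL': config.get(section, 'USE_ACL')` stores the raw string, whereas the system stanzas in this same patch use `config.getboolean`; both hblink.py and hb_bridge_all.py test `if self._CONFIG['GLOBAL']['USE_ACL']:`, and the string `'False'` is truthy, so the global switch can never be turned off. Change it to `'USE_ACL': config.getboolean(section, 'USE_ACL'),`. This errs toward applying the ACLs rather than bypassing them, but the knob documented in hblink-SAMPLE.cfg does not do what it says.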
@@ -148,7 +206,12 @@ def build_config(_config_file): 'IP': gethostbyname(config.get(section, 'IP')), 'PORT': config.getint(section, 'PORT'), 'PASSPHRASE': config.get(section, 'PASSPHRASE'), - 'GROUP_HANGTIME': config.getint(section, 'GROUP_HANGTIME') + 'GROUP_HANGTIME': config.getint(section, 'GROUP_HANGTIME'), + 'USE_ACL': config.getboolean(section, 'USE_ACL'), + 'REG_ACL': config.get(section, 'REG_ACL'), + 'SUB_ACL': config.get(section, 'SUB_ACL'), + 'TG1_ACL': config.get(section, 'TGID_TS1_ACL'), + 'TG2_ACL': config.get(section, 'TGID_TS2_ACL') }}) CONFIG['SYSTEMS'][section].update({'PEERS': {}}) @@ -163,19 +226,20 @@ def build_config(_config_file): 'TARGET_SOCK': (gethostbyname(config.get(section, 'TARGET_IP')), config.getint(section, 'TARGET_PORT')), 'TARGET_IP': gethostbyname(config.get(section, 'TARGET_IP')), 'TARGET_PORT': config.getint(section, 'TARGET_PORT'), + 'USE_ACL': config.getboolean(section, 'USE_ACL'), + 'SUB_ACL': config.get(section, 'SUB_ACL'), + 'TG1_ACL': config.get(section, 'TGID_ACL'), + 'TG2_ACL': 'PERMIT:ALL' }}) except ConfigParser.Error, err: - print "Cannot parse configuration file. %s" %err - sys.exit('Could not parse configuration file, exiting...') + sys.exit('Error processing configuration file -- {}'.format(err)) + process_acls(CONFIG) + return CONFIG - - - - # Used to run this file direclty and print the config, # which might be useful for debugging if __name__ == '__main__': @@ -183,6 +247,7 @@ if __name__ == '__main__': import os import argparse from pprint import pprint + from dmr_utils.utils import int_id # Change the current directory to the location of the application os.chdir(os.path.dirname(os.path.realpath(sys.argv[0]))) 
@@ -197,5 +262,14 @@ if __name__ == '__main__': if not cli_args.CONFIG_FILE: cli_args.CONFIG_FILE = os.path.dirname(os.path.abspath(__file__))+'/hblink.cfg' + CONFIG = build_config(cli_args.CONFIG_FILE) + pprint(CONFIG) - pprint(build_config(cli_args.CONFIG_FILE)) + def acl_check(_id, _acl): + id = int_id(_id) + for entry in _acl[1]: + if entry[0] <= id <= entry[1]: + return _acl[0] + return not _acl[0] + + print acl_check('\x00\x01\x37', CONFIG['GLOBAL']['TG1_ACL']) \ No newline at end of file diff --git a/hb_const.py b/hb_const.py index 7732b73..578b363 100755 --- a/hb_const.py +++ b/hb_const.py @@ -46,4 +46,7 @@ HBPF_VOICE = 0x0 HBPF_VOICE_SYNC = 0x1 HBPF_DATA_SYNC = 0x2 HBPF_SLT_VHEAD = 0x1 -HBPF_SLT_VTERM = 0x2 \ No newline at end of file +HBPF_SLT_VTERM = 0x2 + +# Higheset peer ID permitted by HBP +PEER_MAX = 4294967295 \ No newline at end of file diff --git a/hblink-SAMPLE.cfg b/hblink-SAMPLE.cfg index af1e833..55b4675 100755 --- a/hblink-SAMPLE.cfg +++ b/hblink-SAMPLE.cfg 
@@ -4,10 +4,47 @@ # - how often the Master maintenance loop runs # MAX_MISSED - how many pings are missed before we give up and re-register # - number of times the master maintenance loop runs before de-registering a peer +# +# ACLs: +# +# Access Control Lists are a very powerful tool for administering your system. +# But they consume packet processing time. Disable them if you are not using them. +# But be aware that, as of now, the confiuration stanzas still need the ACL +# sections configured even if you're not using them. +# +# REGISTRATION ACLS ARE ALWAYS USED, ONLY SUBSCRIBER AND TGID MAY BE DISABLED!!! +# +# The 'action' May be PERMIT|DENY +# Each entry may be a single radio id, or a hypenated range (e.g. 1-2999) +# Format: +# ACL = 'action:id|start-end|,id|start-end,....' +# --for example-- +# SUB_ACL: DENY:1,1000-2000,4500-60000,17 +# +# ACL Types: +# REG_ACL: peer radio IDs for registration (only used on HBP master systems) +# SUB_ACL: subscriber IDs for end-users +# TGID_TS1_ACL: destination talkgroup IDs on Timeslot 1 +# TGID_TS2_ACL: destination talkgroup IDs on Timeslot 2 +# +# ACLs may be repeated for individual systems if needed for granularity +# Global ACLs will be processed BEFORE the system level ACLs +# Packets will be matched against all ACLs, GLOBAL first. If a packet 'passes' +# All elements, processing continues. Packets are discarded at the first +# negative match, or 'reject' from an ACL element. +# +# If you do not wish to use ACLs, set them to 'PERMIT:ALL' +# TGID_TS1_ACL in the global stanza is used for OPENBRIDGE systems, since all +# traffic is passed as TS 1 between OpenBridges [GLOBAL] PATH: ./ PING_TIME: 5 MAX_MISSED: 3 +USE_ACL: True +REG_ACL: PERMIT:ALL +SUB_ACL: DENY:1 +TGID_TS1_ACL: PERMIT:ALL +TGID_TS2_ACL: PERMIT:ALL # NOT YET WORKING: NETWORK REPORTING CONFIGURATION 
@@ -87,7 +124,12 @@ EXPORT_PORT: 1234 # connecting to. NETWORK_ID is a number in the format of a DMR Radio ID that # will be sent to the other server to identify this connection. # other parameters follow the other system types. -[3199] +# +# ACLs: +# OpenBridge does not 'register', so registration ACL is meaningless. +# OpenBridge passes all traffic on TS1, so there is only 1 TGID ACL. +# Otherwise ACLs work as described in the global stanza +[OBP-1] MODE: OPENBRIDGE ENABLED: True IP: @@ -96,6 +138,9 @@ NETWORK_ID: 3129100 PASSPHRASE: password TARGET_IP: 1.2.3.4 TARGET_PORT: 62035 +USE_ACL: True +SUB_ACL: 1 +TGID_ACL: PERMIT:ALL # MASTER INSTANCES - DUPLICATE SECTION FOR MULTIPLE MASTERS # HomeBrew Protocol Master instances go here. @@ -103,6 +148,9 @@ TARGET_PORT: 62035 # Port should be the port you want this master to listen on. It must be unique # and unused by anything else. # Repeat - if True, the master repeats traffic to peers, False, it does nothing. +# +# ACLs: +# See comments in the GLOBAL stanza [MASTER-1] MODE: MASTER ENABLED: True @@ -112,6 +160,11 @@ IP: PORT: 54000 PASSPHRASE: s3cr37w0rd GROUP_HANGTIME: 5 +USE_ACL: True +REG_ACL: DENY:1 +SUB_ACL: DENY:1 +TGID_TS1_ACL: PERMIT:ALL +TGID_TS2_ACL: PERMIT:ALL # PEER INSTANCES - DUPLICATE SECTION FOR MULTIPLE PEERS # There are a LOT of errors in the HB Protocol specifications on this one! @@ -122,6 +175,9 @@ GROUP_HANGTIME: 5 # Height is in meters # Setting Loose to True relaxes the validation on packets received from the master. # This will allow HBlink to connect to a non-compliant system such as XLXD, DMR+ etc. +# +# ACLs: +# See comments in the GLOBAL stanza [REPEATER-1] MODE: PEER ENABLED: True @@ -148,4 +204,8 @@ URL: www.w1abc.org SOFTWARE_ID: 20170620 PACKAGE_ID: MMDVM_HBlink GROUP_HANGTIME: 5 -OPTIONS: +OPTIONS: +USE_ACL: True +SUB_ACL: DENY:1 +TGID_TS1_ACL: PERMIT:ALL +TGID_TS2_ACL: PERMIT:ALL diff --git a/hblink.py b/hblink.py index 6c45eae..65e339b 100755 --- a/hblink.py +++ b/hblink.py 
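Review bot: `SUB_ACL: 1` in the new `[OBP-1]` stanza has no `PERMIT:`/`DENY:` prefix, and `acl_build` in hb_config.py (this patch) indexes `sections[1]` after splitting on `:`, so this sample aborts startup with IndexError rather than a configuration message; write `SUB_ACL: DENY:1` to match the other stanzas. The GLOBAL comment in this patch says the ACL keys are mandatory even when `USE_ACL` is off, but none of the per-stanza comments repeat that, and a user with an older hblink.cfg will only find out from `build_config` exiting; one line such as `# USE_ACL, SUB_ACL and TGID_ACL are required in every stanza` in each stanza's ACL comment would save that round-trip.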
@@ -48,6 +48,7 @@ from twisted.internet import reactor, task
 # Other files we pull from -- this is mostly for readability and segmentation
 import hb_log
 import hb_config
+import hb_const as const
 from dmr_utils.utils import int_id, hex_str_4
 
 # Imports for the reporting server
@@ -93,93 +94,15 @@ def hblink_handler(_signal, _frame, _logger): _logger.info('SHUTDOWN: DE-REGISTER SYSTEM: %s', system) systems[system].dereg() - -# Import subscriber registration ACL -# REG_ACL may be a single list of subscriber IDs -# Global action is to allow or deny them. Multiple lists with different actions and ranges -# are not yet implemented. -def build_reg_acl(_reg_acl, _logger): - REG_ACL = set() - try: - acl_file = import_module(_reg_acl) - _logger.info('Registration ACL file found, importing entries. This will take about 1.5 seconds per 1 million IDs') - sections = acl_file.REG_ACL.split(':') - REG_ACL_ACTION = sections[0] - entries_str = sections[1] - - for entry in entries_str.split(','): - if '-' in entry: - start,end = entry.split('-') - start,end = int(start), int(end) - for id in range(start, end+1): - REG_ACL.add(hex_str_4(id)) - else: - id = int(entry) - REG_ACL.add(hex_str_4(id)) - - _logger.info('Registration ACL loaded: action "{}" for {:,} registration IDs'.format( REG_ACL_ACTION, len(REG_ACL))) +# Check a supplied ID against the ACL provided. Returns action (True|False) based +# on matching and the action specified. +def acl_check(_id, _acl): + id = int_id(_id) + for entry in _acl[1]: + if entry[0] <= id <= entry[1]: + return _acl[0] + return not _acl[0] - except ImportError: - _logger.info('Registration ACL file not found or invalid - all IDs may register with this system') - REG_ACL_ACTION = 'NONE' - - # Depending on which type of REG_ACL is used (PERMIT, DENY... 
or there isn't one) - # define a differnet function to be used to check the ACL - global allow_reg - if REG_ACL_ACTION == 'PERMIT': - def allow_reg(_id): - if _id in REG_ACL: - return True - else: - return False - elif REG_ACL_ACTION == 'DENY': - def allow_reg(_id): - if _id not in REG_ACL: - return True - else: - return False - else: - def allow_reg(_id): - return True - - return REG_ACL - -#************************************************ -# AMBE CLASS: Used to parse out AMBE and send to gateway -#************************************************ - -class AMBE: - def __init__(self, _config, _logger): - self._CONFIG = _config - self._logger = _logger - - self._sock = socket.socket(socket.AF_INET,socket.SOCK_DGRAM) - self._exp_ip = self._CONFIG['AMBE']['EXPORT_IP'] - self._exp_port = self._CONFIG['AMBE']['EXPORT_PORT'] - - def parseAMBE(self, _peer, _data): - _seq = int_id(_data[4:5]) - _srcID = int_id(_data[5:8]) - _dstID = int_id(_data[8:11]) - _rptID = int_id(_data[11:15]) - _bits = int_id(_data[15:16]) # SCDV NNNN (Slot|Call type|Data|Voice|Seq or Data type) - _slot = 2 if _bits & 0x80 else 1 - _callType = 1 if (_bits & 0x40) else 0 - _frameType = (_bits & 0x30) >> 4 - _voiceSeq = (_bits & 0x0f) - _streamID = int_id(_data[16:20]) - self._logger.debug('(%s) seq: %d srcID: %d dstID: %d rptID: %d bits: %0X slot:%d callType: %d frameType: %d voiceSeq: %d streamID: %0X', - _peer, _seq, _srcID, _dstID, _rptID, _bits, _slot, _callType, _frameType, _voiceSeq, _streamID ) - - #logger.debug('Frame 1:(%s)', self.ByteToHex(_data)) - _dmr_frame = BitArray('0x'+ahex(_data[20:])) - _ambe = _dmr_frame[0:108] + _dmr_frame[156:264] - #_sock.sendto(_ambe.tobytes(), ("127.0.0.1", 31000)) - - ambeBytes = _ambe.tobytes() - self._sock.sendto(ambeBytes[0:9], (self._exp_ip, self._exp_port)) - self._sock.sendto(ambeBytes[9:18], (self._exp_ip, self._exp_port)) - self._sock.sendto(ambeBytes[18:27], (self._exp_ip, self._exp_port)) #************************************************ 
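Review bot: `acl_check` has no docstring, and its contract is not obvious from the tuple it takes: `_acl` is the `(action, {(lo, hi), ...})` pair produced by `hb_config.acl_build`, bounds are inclusive, a hit returns the action and a miss returns its negation, so the set's unordered iteration is harmless only because every entry shares one action. A docstring saying exactly that, plus that `_id` is the raw 3- or 4-byte field converted with `int_id`, would keep future ACL shapes (e.g. mixed PERMIT/DENY lists) from being bolted on without revisiting the first-match return. This hunk also deletes `build_reg_acl` and the `allow_reg` closure, but no hunk in view shows the master's registration path calling `acl_check(_peer_id, ...['REG_ACL'])` in their place; the sample config states that registration ACLs are always enforced, so confirm the login handler was updated in a hunk outside this excerpt, otherwise peer registration is now unfiltered.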
@@ -194,6 +117,7 @@ class OPENBRIDGE(DatagramProtocol): self._logger = _logger self._report = _report self._config = self._CONFIG['SYSTEMS'][self._system] + self._laststrid = '' def dereg(self): self._logger.info('(%s) is mode OPENBRIDGE. No De-Registration required, continuing shutdown', self._system) @@ -206,7 +130,7 @@ class OPENBRIDGE(DatagramProtocol): # KEEP THE FOLLOWING COMMENTED OUT UNLESS YOU'RE DEBUGGING DEEPLY!!!! # self._logger.debug('(%s) TX Packet to OpenBridge %s:%s -- %s', self._system, self._config['TARGET_IP'], self._config['TARGET_PORT'], ahex(_packet)) else: - self._logger.error('(%s) OpenBridge system was asked to send non DMRD packet') + self._logger.error('(%s) OpenBridge system was asked to send non DMRD packet', self._system) def dmrd_received(self, _peer_id, _rf_src, _dst_id, _seq, _slot, _call_type, _frame_type, _dtype_vseq, _stream_id, _data): pass 
@@ -233,12 +157,42 @@ class OPENBRIDGE(DatagramProtocol): _dtype_vseq = (_bits & 0xF) # data, 1=voice header, 2=voice terminator; voice, 0=burst A ... 5=burst F _stream_id = _data[16:20] #self._logger.debug('(%s) DMRD - Seqence: %s, RF Source: %s, Destination ID: %s', self._system, int_id(_seq), int_id(_rf_src), int_id(_dst_id)) - + + # Sanity check for OpenBridge -- all calls must be on Slot 1 + if _slot != 1: + self._logger.error('(%s) OpenBridge packet discarded because it was not received on slot 1. SID: %s, TGID %s', self._system, int_id(_rf_src), int_id(_dst_id)) + return + + # ACL Processing + if self._CONFIG['GLOBAL']['USE_ACL']: + if not acl_check(_rf_src, self._CONFIG['GLOBAL']['SUB_ACL']): + if self._laststrid != _stream_id: + self._logger.debug('(%s) CALL DROPPED WITH STREAM ID %s FROM SUBSCRIBER %s BY GLOBAL ACL', self._system, int_id(_stream_id), int_id(_rf_src)) + self._laststrid = _stream_id + return + if _slot == 1 and not acl_check(_dst_id, self._CONFIG['GLOBAL']['TG1_ACL']): + if self._laststrid != _stream_id: + self._logger.info('(%s) CALL DROPPED WITH STREAM ID %s ON TGID %s BY GLOBAL TS1 ACL', self._system, int_id(_stream_id), int_id(_dst_id)) + self._laststrid = _stream_id + return + if self._config['USE_ACL']: + if not acl_check(_rf_src, self._config['SUB_ACL']): + if self._laststrid != _stream_id: + self._logger.debug('(%s) CALL DROPPED WITH STREAM ID %s FROM SUBSCRIBER %s BY SYSTEM ACL', self._system, int_id(_stream_id), int_id(_rf_src)) + self._laststrid = _stream_id + return + if not acl_check(_dst_id, self._config['TG1_ACL']): + if self._laststrid != _stream_id: + self._logger.debug('(%s) CALL DROPPED WITH STREAM ID %s ON TGID %s BY SYSTEM ACL', self._system, int_id(_stream_id), int_id(_dst_id)) + self._laststrid = _stream_id + return + self._laststrid = _stream_id + # Userland actions -- typically this is the function you subclass for an application self.dmrd_received(_peer_id, _rf_src, _dst_id, _seq, _slot, _call_type, _frame_type, 
_dtype_vseq, _stream_id, _data) else: self._logger.info('(%s) OpenBridge HMAC failed, packet discarded - OPCODE: %s DATA: %s HMAC LENGTH: %s HMAC: %s', self._system, _packet[:4], repr(_packet[:53]), len(_packet[53:]), repr(_packet[53:])) - + #************************************************ # HB MASTER CLASS @@ -252,6 +206,7 @@ class HBSYSTEM(DatagramProtocol): self._logger = _logger self._report = _report self._config = self._CONFIG['SYSTEMS'][self._system] + self._laststrid = '' # Define shortcuts and generic function names based on the type of system we are if self._config['MODE'] == 'MASTER': @@ -267,10 +222,6 @@ class HBSYSTEM(DatagramProtocol): self.maintenance_loop = self.peer_maintenance_loop self.datagramReceived = self.peer_datagramReceived self.dereg = self.peer_dereg - - # Configure for AMBE audio export if enabled - if self._config['EXPORT_AMBE']: - self._ambe = AMBE(_config, _logger) def startProtocol(self): # Set up periodic loop for tracking pings from peers. Run every 'PING_TIME' seconds 
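Review bot: The ACL block added here is repeated almost verbatim in the master hunk (`@@ -363,10 +314,41 @@`) and the peer hunk (`@@ -515,10 +500,42 @@`), differing only in the config dict, the slot guard and the log text, so the three copies will drift; a single helper that returns the name of the rejecting ACL (or `None`) lets each `datagramReceived` keep one drop path, as sketched below. In this OpenBridge copy the `_slot == 1 and` guard on the global TG1 check is always true because non-slot-1 packets already returned above it, and the global TS1 drop logs at `info` while every other drop logs at `debug`; ACL rejections are the events an operator most needs to see, so one consistent level (`info`) seems preferable across all three hunks. Setting `self._laststrid = _stream_id` on the allowed path also means that when a denied stream is interleaved with an allowed one (easy on the two-slot master and peer paths) the drop message is emitted for every denied packet rather than once per stream, so a rejected source can flood the log; tracking `_laststrid` only for rejected streams (drop the final `self._laststrid = _stream_id` line) fixes that, unless `_laststrid` is read somewhere outside these hunks.
```python
# module-level helper, next to acl_check
def acl_reject_reason(_global_cfg, _sys_cfg, _rf_src, _dst_id, _slot):
    """Return the scope and ACL that reject this call ('GLOBAL SUB', 'SYSTEM TS2 TG', ...), or None."""
    _tg_key = 'TG1_ACL' if _slot == 1 else 'TG2_ACL'
    for _scope, _cfg in (('GLOBAL', _global_cfg), ('SYSTEM', _sys_cfg)):
        if not _cfg['USE_ACL']:
            continue
        if not acl_check(_rf_src, _cfg['SUB_ACL']):
            return _scope + ' SUB'
        if not acl_check(_dst_id, _cfg[_tg_key]):
            return '%s TS%s TG' % (_scope, _slot)
    return None

# in each datagramReceived, replacing the inline ACL block
# … unchanged: header field parsing and the OpenBridge slot-1 check …
_reason = acl_reject_reason(self._CONFIG['GLOBAL'], self._config, _rf_src, _dst_id, _slot)
if _reason:
    if self._laststrid != _stream_id:
        self._logger.info('(%s) CALL DROPPED WITH STREAM ID %s FROM SUBSCRIBER %s ON TGID %s BY %s ACL', self._system, int_id(_stream_id), int_id(_rf_src), int_id(_dst_id), _reason)
        self._laststrid = _stream_id
    return
# … unchanged: repeat-to-peers and the userland dmrd_received call …
```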
@@ -363,10 +314,41 @@ class HBSYSTEM(DatagramProtocol): _dtype_vseq = (_bits & 0xF) # data, 1=voice header, 2=voice terminator; voice, 0=burst A ... 5=burst F _stream_id = _data[16:20] #self._logger.debug('(%s) DMRD - Seqence: %s, RF Source: %s, Destination ID: %s', self._system, int_id(_seq), int_id(_rf_src), int_id(_dst_id)) - - # If AMBE audio exporting is configured... - if self._config['EXPORT_AMBE']: - self._ambe.parseAMBE(self._system, _data) + + # ACL Processing + if self._CONFIG['GLOBAL']['USE_ACL']: + if not acl_check(_rf_src, self._CONFIG['GLOBAL']['SUB_ACL']): + if self._laststrid != _stream_id: + self._logger.debug('(%s) CALL DROPPED WITH STREAM ID %s FROM SUBSCRIBER %s BY GLOBAL ACL', self._system, int_id(_stream_id), int_id(_rf_src)) + self._laststrid = _stream_id + return + if _slot == 1 and not acl_check(_dst_id, self._CONFIG['GLOBAL']['TG1_ACL']): + if self._laststrid != _stream_id: + self._logger.debug('(%s) CALL DROPPED WITH STREAM ID %s ON TGID %s BY GLOBAL TS1 ACL', self._system, int_id(_stream_id), int_id(_dst_id)) + self._laststrid = _stream_id + return + if _slot == 2 and not acl_check(_dst_id, self._CONFIG['GLOBAL']['TG2_ACL']): + if self._laststrid != _stream_id: + self._logger.debug('(%s) CALL DROPPED WITH STREAM ID %s ON TGID %s BY GLOBAL TS2 ACL', self._system, int_id(_stream_id), int_id(_dst_id)) + self._laststrid = _stream_id + return + if self._config['USE_ACL']: + if not acl_check(_rf_src, self._config['SUB_ACL']): + if self._laststrid != _stream_id: + self._logger.debug('(%s) CALL DROPPED WITH STREAM ID %s FROM SUBSCRIBER %s BY SYSTEM ACL', self._system, int_id(_stream_id), int_id(_rf_src)) + self._laststrid = _stream_id + return + if _slot == 1 and not acl_check(_dst_id, self._config['TG1_ACL']): + if self._laststrid != _stream_id: + self._logger.debug('(%s) CALL DROPPED WITH STREAM ID %s ON TGID %s BY SYSTEM TS1 ACL', self._system, int_id(_stream_id), int_id(_dst_id)) + self._laststrid = _stream_id + return + if _slot == 2 and 
not acl_check(_dst_id, self._config['TG2_ACL']): + if self._laststrid != _stream_id: + self._logger.debug('(%s) CALL DROPPED WITH STREAM ID %s ON TGID %s BY SYSTEM TS2 ACL', self._system, int_id(_stream_id), int_id(_dst_id)) + self._laststrid = _stream_id + return + self._laststrid = _stream_id # The basic purpose of a master is to repeat to the peers if self._config['REPEAT'] == True: @@ -377,13 +359,16 @@ class HBSYSTEM(DatagramProtocol): #self.send_peer(_peer, _data[:11] + self._config['RADIO_ID'] + _data[15:]) #self._logger.debug('(%s) Packet on TS%s from %s (%s) for destination ID %s repeated to peer: %s (%s) [Stream ID: %s]', self._system, _slot, self._peers[_peer_id]['CALLSIGN'], int_id(_peer_id), int_id(_dst_id), self._peers[_peer]['CALLSIGN'], int_id(_peer), int_id(_stream_id)) + # Userland actions -- typically this is the function you subclass for an application self.dmrd_received(_peer_id, _rf_src, _dst_id, _seq, _slot, _call_type, _frame_type, _dtype_vseq, _stream_id, _data) elif _command == 'RPTL': # RPTLogin -- a repeater wants to login _peer_id = _data[4:8] - if allow_reg(_peer_id): # Check for valid Radio ID - self._peers.update({_peer_id: { # Build the configuration data strcuture for the peer + # Check for valid Radio ID + if acl_check(_peer_id, self._CONFIG['REG_ACL']) and acl_check(_peer_id, self._config['REG_ACL']): + # Build the configuration data strcuture for the peer + self._peers.update({_peer_id: { 'CONNECTION': 'RPTL-RECEIVED', 'PINGS_RECEIVED': 0, 'LAST_PING': time(), 
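Review bot: The registration check reads the global ACL as `self._CONFIG['REG_ACL']`, while every other global ACL in this commit is read from `self._CONFIG['GLOBAL'][...]`; unless hb_config.py deliberately stores REG_ACL at the top level, the first RPTL raises KeyError inside datagramReceived and no peer can log in, so the key should be confirmed (or changed to `self._CONFIG['GLOBAL']['REG_ACL']`). The registration gate is also applied unconditionally, whereas the DMRD checks in the hunks above are wrapped in `USE_ACL`; if that asymmetry is intended, a one-line comment such as `# Registration ACLs are enforced regardless of USE_ACL` would stop the next reader from "fixing" it. A rejected RPTL is worth an `info` log with the peer ID, if the else branch, which lies outside the hunk along with the rest of the `self._peers.update` literal, does not already do so.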
@@ -515,10 +500,42 @@ class HBSYSTEM(DatagramProtocol): _dtype_vseq = (_bits & 0xF) # data, 1=voice header, 2=voice terminator; voice, 0=burst A ... 5=burst F _stream_id = _data[16:20] self._logger.debug('(%s) DMRD - Sequence: %s, RF Source: %s, Destination ID: %s', self._system, int_id(_seq), int_id(_rf_src), int_id(_dst_id)) - - # If AMBE audio exporting is configured... - if self._config['EXPORT_AMBE']: - self._ambe.parseAMBE(self._system, _data) + + # ACL Processing + if self._CONFIG['GLOBAL']['USE_ACL']: + if not acl_check(_rf_src, self._CONFIG['GLOBAL']['SUB_ACL']): + if self._laststrid != _stream_id: + self._logger.debug('(%s) CALL DROPPED WITH STREAM ID %s FROM SUBSCRIBER %s BY GLOBAL ACL', self._system, int_id(_stream_id), int_id(_rf_src)) + self._laststrid = _stream_id + return + if _slot == 1 and not acl_check(_dst_id, self._CONFIG['GLOBAL']['TG1_ACL']): + if self._laststrid != _stream_id: + self._logger.debug('(%s) CALL DROPPED WITH STREAM ID %s ON TGID %s BY GLOBAL TS1 ACL', self._system, int_id(_stream_id), int_id(_dst_id)) + self._laststrid = _stream_id + return + if _slot == 2 and not acl_check(_dst_id, self._CONFIG['GLOBAL']['TG2_ACL']): + if self._laststrid != _stream_id: + self._logger.debug('(%s) CALL DROPPED WITH STREAM ID %s ON TGID %s BY GLOBAL TS2 ACL', self._system, int_id(_stream_id), int_id(_dst_id)) + self._laststrid = _stream_id + return + if self._config['USE_ACL']: + if not acl_check(_rf_src, self._config['SUB_ACL']): + if self._laststrid != _stream_id: + self._logger.debug('(%s) CALL DROPPED WITH STREAM ID %s FROM SUBSCRIBER %s BY SYSTEM ACL', self._system, int_id(_stream_id), int_id(_rf_src)) + self._laststrid = _stream_id + return + if _slot == 1 and not acl_check(_dst_id, self._config['TG1_ACL']): + if self._laststrid != _stream_id: + self._logger.debug('(%s) CALL DROPPED WITH STREAM ID %s ON TGID %s BY SYSTEM TS1 ACL', self._system, int_id(_stream_id), int_id(_dst_id)) + self._laststrid = _stream_id + return + if _slot == 2 and 
not acl_check(_dst_id, self._config['TG2_ACL']): + if self._laststrid != _stream_id: + self._logger.debug('(%s) CALL DROPPED WITH STREAM ID %s ON TGID %s BY SYSTEM TS2 ACL', self._system, int_id(_stream_id), int_id(_dst_id)) + self._laststrid = _stream_id + return + self._laststrid = _stream_id + # Userland actions -- typically this is the function you subclass for an application self.dmrd_received(_peer_id, _rf_src, _dst_id, _seq, _slot, _call_type, _frame_type, _dtype_vseq, _stream_id, _data) @@ -701,9 +718,6 @@ if __name__ == '__main__': for sig in [signal.SIGTERM, signal.SIGINT]: signal.signal(sig, sig_handler) - # Build the Registration Access Control List - REG_ACL = build_reg_acl('reg_acl', logger) - # INITIALIZE THE REPORTING LOOP report_server = config_reports(CONFIG, logger, reportFactory) @@ -718,4 +732,4 @@ if __name__ == '__main__': reactor.listenUDP(CONFIG['SYSTEMS'][system]['PORT'], systems[system], interface=CONFIG['SYSTEMS'][system]['IP']) logger.debug('%s instance created: %s, %s', CONFIG['SYSTEMS'][system]['MODE'], system, systems[system]) - reactor.run() + reactor.run() \ No newline at end of file diff --git a/reg_acl-SAMPLE.py b/reg_acl-SAMPLE.py deleted file mode 100755 index 9a9e701..0000000 --- a/reg_acl-SAMPLE.py +++ /dev/null @@ -1,11 +0,0 @@ -# -# Used to limit HomeBrew repeater Protocol registrations. -# -# If this is the SAMPLE file, you'll need to made a copy or start from scratch -# with one called reg_acl.py -# -# The 'action' May be PERMIT|DENY -# Each entry may be a single radio id, or a hypenated range (e.g. 1-2999) -# Format: -# ACL = 'action:id|start-end|,id|start-end,....' -REG_ACL = 'DENY:1' diff --git a/sub_acl-SAMPLE.py b/sub_acl-SAMPLE.py deleted file mode 100755 index c249001..0000000 --- a/sub_acl-SAMPLE.py +++ /dev/null 
@@ -1,9 +0,0 @@ -# -# To use this feature, you'll need to copy this, or create a file called -# sub_acl.py that's like this one, with your local parameters in it. -# -# The 'action' May be PERMIT|DENY -# Each entry may be a single radio id, or a hypenated range (e.g. 1-2999) -# Format: -# ACL = 'action:id|start-end|,id|start-end,....' -ACL = 'DENY:0-2999,4000000-4000999'