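def ksr_route_natmanage(self):
    """Flag NAT-affected traffic and pass its SDP through rtpengine.

    The FLB_NATB branch flag is set for:
      * requests with a To-tag whose Route carries ``nat=yes``;
      * branch-route requests whose destination-URI or request-URI host is
        reported internal by ``self.is_ip_internal``;
      * replies that have a To-tag, or whose body contains ``127.0.0.2``,
        or that pass ``nat_uac_test(9)``.

    If neither FLT_NATS nor FLB_NATB is set the function returns 1 and does
    nothing else.  Otherwise, for messages with a body, BYE/CANCEL requests
    and 3xx replies, ``rtpengine_manage`` is called with an ``internal`` or
    ``external`` direction pair.  On that path the function falls off the end
    and returns None.

    NOTE(review): the block nesting below was rebuilt from a listing whose
    indentation had been lost; confirm it against the deployed file.
    """
    if KSR.siputils.is_request() > 0:
        if (KSR.siputils.has_totag() > 0) and (KSR.rr.check_route_param("nat=yes") > 0):
            KSR.setbflag(self.FLAGS['FLB_NATB'])
        elif KSR.tmx.t_is_branch_route() > 0:
            if KSR.isdsturiset() and self.is_ip_internal(KSR.pv.getw("$dd")):
                KSR.xlog.xnotice("In DURI domain $dd is RFC1918. Mark for NAT")
                KSR.setbflag(self.FLAGS['FLB_NATB'])
            if self.is_ip_internal(KSR.pv.getw("$rd")):
                KSR.xlog.xnotice("In RURI domain $rd is RFC1918. Mark for NAT")
                KSR.setbflag(self.FLAGS['FLB_NATB'])

    if KSR.siputils.is_reply() > 0:
        if KSR.siputils.has_totag() > 0:
            KSR.setbflag(self.FLAGS['FLB_NATB'])
        elif KSR.textops.has_body() > 0:
            if KSR.textops.search_body("127.0.0.2") > 0:
                # Patch 200 replies coming from Asterisk.
                KSR.setbflag(self.FLAGS['FLB_NATB'])
            elif KSR.nathelper.nat_uac_test(9) > 0:
                KSR.setbflag(self.FLAGS['FLB_NATB'])

    # Nothing marked this message as NATed: leave the media untouched.
    if not (KSR.isflagset(self.FLAGS['FLT_NATS']) or KSR.isbflagset(self.FLAGS['FLB_NATB'])):
        return 1

    if (KSR.textops.has_body() > 0) or KSR.is_method("BYE|CANCEL") or (KSR.siputils.is_reply() > 0 and 300 <= KSR.pv.getw("$rs") <= 399):
        rtpengine_lp = "loop-protect "
        if self.GLOBALS['WITH_LOOPPROTECT_PATCH'] and (KSR.siputils.is_reply() > 0) and (KSR.textops.has_body() > 0) and (KSR.textops.search_body("a=rtpengine") > 0):
            KSR.xlog.xnotice("Client return looprotect param. Check SDP for our rtprngine IP " + self.GLOBALS['DEFINE_RTPENGINE_IP'])
            KSR.sdpops.sdp_get_line_startswith("$avp(cline)", "c=")
            KSR.sdpops.sdp_get_line_startswith("$avp(oline)", "o=")
            # The SDP comes from the remote party, so an echoed a=rtpengine
            # attribute is only honoured when the c=/o= lines name our own
            # rtpengine address.
            # NOTE(review): `in` is a substring test, so an address that merely
            # contains ours (for example with one extra trailing digit) also
            # passes - confirm whether an exact address comparison is wanted.
            if not (self.GLOBALS['DEFINE_RTPENGINE_IP'] in KSR.pv.getw("$avp(cline)") or self.GLOBALS['DEFINE_RTPENGINE_IP'] in KSR.pv.getw("$avp(oline)")):
                KSR.xlog.xalert("In c/o param not found our rtprngine IP {}. Try to remove loop protect param for calls".format(self.GLOBALS['DEFINE_RTPENGINE_IP']))
                KSR.sdpops.remove_line_by_prefix("a=rtpengine", "")
                if (KSR.tmx.t_is_request_route() > 0) or (KSR.tmx.t_is_reply_route() > 0):
                    KSR.textopsx.msg_apply_changes()
                # Clear the flag: the addresses are foreign, yet the client
                # echoed back our rtpengine loop-protection attribute.
                rtpengine_lp = ""

        # Check whether the SDP has to go through RTPProxy.
        # 8 - The SDP is searched for occurrence of RFC1918 or RFC6598 addresses
        # 'c' = replace-session-connection
        # 'o' = replace-origin
        # trust-address (flag 'r' in rtpproxy) enabled by default. To disable it need to use
        # SIP-source-address - opposite for trust-address flag
        #
        # NOTE(review): the listing shows the third literal with doubled quotes
        # (""sip_dns""), which does not parse.  It looks like an unrendered
        # template placeholder; replace "sip_dns" with the deployment's value.
        excluded_hosts = ("127.0.0.1", "<null>", "sip_dns", "10.5.26.236")
        # NOTE(review): is_rfc1918() is tested for truthiness and is given the
        # literal "$rd", whereas the other KSR module calls in this function
        # are compared with `> 0`.  If it reports "no" as a negative number,
        # this term is always true - confirm and compare explicitly.
        if KSR.nathelper.is_rfc1918("$rd") and KSR.pv.getw("$rd") not in excluded_hosts and KSR.pv.getw("$tU") != "location":
            KSR.rtpengine.rtpengine_manage(rtpengine_lp + "replace-session-connection external internal replace-origin SIP-source-address to-tag")
        else:
            KSR.rtpengine.rtpengine_manage(rtpengine_lp + "replace-session-connection external external replace-origin SIP-source-address to-tag")
        if KSR.pv.getw("$rc") < 0:
            KSR.xlog.xalert("Calling rtpengine_manage() cause troubles!")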
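def ksr_route_reqinit(self):
    """Run the per-request sanity and abuse checks before routing.

    Returns 1 when the request passed every check.  Returns -255 on every
    path that answers or rejects the request here; what the caller does with
    that value is outside this block.
    """
    # Character set of the injection filter, as a raw string so the regex
    # escapes are not read as (invalid) Python string escapes.
    sqli_chars = r"(\=)|(\-\-)|(')|(\#)|(\%27)|(\%24)"
    reject_text = "There is no money, but you hang in there. Best wishes! Cheers!"

    if KSR.is_INVITE():
        KSR.xlog.xinfo("REQINIT. Check request $ru from $fu:$si")

    if KSR.is_method("PUBLISH|SUBSCRIBE"):
        # Drop unsupported methods
        KSR.sl.sl_send_reply(404, "Pool is closed due to aids.")
        return -255

    if KSR.is_OPTIONS() and re.match("friendly-scanner|sipcli|VaxSIPUserAgent", KSR.pv.getw("$ua")):
        # Known scanner User-Agents are answered with 503.  This is not a
        # silent drop: any reply confirms that a SIP service listens here.
        # Alternative reply left disabled:
        # KSR.sl.sl_send_reply(200, "OK")
        KSR.sl.sl_send_reply(503, reject_text)
        return -255

    if KSR.maxfwd.process_maxfwd(10) < 0:
        KSR.sl.sl_send_reply(483, "Too Many Hops")
        return -255

    if KSR.is_OPTIONS():
        KSR.sl.sl_send_reply(200, "Keepalive")
        return -255

    if (int(KSR.siputils.is_request()) > 0) and (int(KSR.textops.has_body()) < 0) and (int(KSR.hdr.is_present("Content-Length")) < 0):
        KSR.xlog.xwarn("Malformed SIP message from $si:$sp - unpresent Body and no Content-Length header. User agent:$ua - Append hdr")
        KSR.hdr.append("Content-Length: 0\r\n")
        KSR.textopsx.msg_apply_changes()

    # Substring test: any Contact containing the text "null" is rewritten.
    # NOTE(review): the replacement header is built from $fU, $si and $sp
    # before sanity_check() below has run - confirm this ordering is intended.
    if "null" in KSR.pv.getw("$ct"):
        KSR.xlog.xalert("Null in contact:{} Patch it".format(KSR.pv.getw("$ct")))
        KSR.hdr.remove("Contact")
        KSR.hdr.append("Contact: sip:{}@{}:{}\r\n".format(KSR.pv.getw("$fU"), KSR.pv.getw("$si"), KSR.pv.getw("$sp")))
        KSR.textopsx.msg_apply_changes()
        KSR.xlog.xalert("Contact now:{}".format(KSR.pv.getw("$ct")))

    if KSR.sanity.sanity_check(1511, 7) < 0:
        KSR.xlog.xerr("Malformed SIP message from $si:$sp")
        return -255

    # re.search, not re.match: match() only looks at the first character(s),
    # so a username with a quote or comment marker after a normal prefix
    # passed the filter unnoticed.
    if not KSR.pv.is_null("$au") and re.search(sqli_chars, KSR.pv.getw("$au")):
        KSR.xlog.xalert("SQL Injection in authorization username from IP:$si:$sp - $au")
        KSR.sl.sl_send_reply(503, reject_text)
        return -255

    # NOTE(review): re.match anchors at the start of $ru, which begins with
    # the URI scheme, so this filter probably never fires.  It is left as is
    # because an unanchored search over the whole URI would also reject
    # legitimate parameters such as ";transport=udp".  Testing only the user
    # part ($rU) is likely what is wanted - confirm before changing.
    if KSR.is_INVITE() and re.match(sqli_chars, KSR.pv.getw("$ru")):
        KSR.xlog.xalert("SQL Injection in RURI in INVITE from IP:$si:$sp - $ru")
        KSR.sl.sl_send_reply(503, reject_text)
        return -255

    return 1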
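def ksr_request_route(self, msg):
    """Answer REGISTER locally, tag and forward INVITE, reject the rest.

    REGISTER gets a 200 OK.  INVITE gets an ``X-KEMI`` header carrying this
    host's public address as reported by api.ipify.org, has its request-URI
    host set to 10.1.1.1 and is forwarded.  Any other method gets a 500.

    ``msg`` is accepted for interface compatibility and is not used here.
    """
    # Local import: only the INVITE branch needs it.
    import ipaddress

    KSR.dbg("method " + KSR.pv.get("$rm") + " r-uri " + KSR.pv.get("$ru"))
    if KSR.is_method("REGISTER"):
        KSR.sl.send_reply(200, "OK")
    elif KSR.is_method("INVITE"):
        # Lookup our public IP address.
        # The HTTP call is synchronous, so it holds up this request until it
        # returns; the timeout bounds that wait (2 s is a value chosen here,
        # tune it).  Resolving the address once at start-up would avoid the
        # per-INVITE round trip altogether.
        try:
            reply = requests.get('https://api.ipify.org', timeout=2)
            # The response body is external data headed for a SIP header:
            # accept it only if it parses as an IP address, so stray text or
            # line breaks can never reach KSR.hdr.append().
            ip = str(ipaddress.ip_address(reply.text.strip()))
        except Exception:
            # Best effort, as before, but without swallowing SystemExit or
            # KeyboardInterrupt the way a bare `except:` did.
            ip = "Failed to resolve"
        # Add that as a header
        KSR.hdr.append("X-KEMI: I came from KEMI at " + ip + "\r\n")
        # Set host IP to 10.1.1.1
        KSR.sethost("10.1.1.1")
        # Forward the request on
        KSR.forward()
    else:
        KSR.sl.send_reply(500, "Got no idea...")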
def ksr_route_relay(self):
    """Arm the transaction event routes, then relay the request statefully.

    Returns 1 when ``t_relay`` succeeded.  On failure an error is logged, a
    stateless error reply is sent and -255 is returned.
    """
    KSR.nathelper.handle_ruri_alias()

    # Enable additional event routes for forwarded requests
    # (serial forking, RTP relaying handling, and so on).
    hooked_methods = "INVITE|BYE|SUBSCRIBE|UPDATE"
    if KSR.is_method(hooked_methods):
        if KSR.tm.t_is_set("branch_route") < 0:
            KSR.tm.t_on_branch("ksr_branch_manage")

    # The matching on-reply hook is left disabled:
    # if KSR.is_method("INVITE|BYE|SUBSCRIBE|UPDATE") and (KSR.tm.t_is_set("onreply_route") < 0):
    #     KSR.tm.t_on_reply("ksr_onreply_manage")

    if KSR.is_INVITE():
        if KSR.tm.t_is_set("failure_route") < 0:
            KSR.tm.t_on_failure("ksr_failure_manage")

    # Requests flagged as coming from Asterisk lose every header whose name
    # starts with "X-" before they are relayed.
    from_asterisk = KSR.isflagset(self.FLAGS['FLT_FROM_ASTERISK'])
    if from_asterisk:
        KSR.textops.remove_hf_re("^X-")

    relay_rc = KSR.tm.t_relay()
    if relay_rc >= 0:
        return 1

    KSR.xlog.xerr("Cant relay request. Send error.")
    KSR.sl.sl_reply_error()
    return -255