allow antiflood to be extended and provided by 3rd party script

* use routes instead of ifdef
2600hz · Jun 28, 2023 · 124aace · 124aace
1 parent 3a7ed79
commit 124aace
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 38 deletions.
diff --git a/kamailio/antiflood-role.cfg b/kamailio/antiflood-role.cfg
@@ -28,18 +28,10 @@ kazoo.antiflood_rate_limit_enabled = ANTIFLOOD_RATE_LIMIT_ENABLED descr "antiflo
 kazoo.antiflood_auth_limit_enabled = ANTIFLOOD_AUTH_LIMIT_ENABLED descr "antiflood auth limit enabled"
 kazoo.antiflood_rate_drop = ANTIFLOOD_RATE_DROP descr "should we drop on rate limit"
 
-route[ANTIFLOOD_LIMIT]
-{
- if($sel(cfg_get.kazoo.antiflood_rate_limit_enabled) == 1) {
- route(ANTIFLOOD_RATE_LIMIT);
- }
- if($sel(cfg_get.kazoo.antiflood_auth_limit_enabled) == 1) {
- route(ANTIFLOOD_AUTH_LIMIT);
- }
-}
-
 route[ANTIFLOOD_RATE_LIMIT]
 {
+ if($sel(cfg_get.kazoo.antiflood_rate_limit_enabled) != 1) return;
+
  if (has_totag()
  || isflagset(FLAG_TRUSTED_SOURCE)
  || isflagset(FLAG_INTERNALLY_SOURCED)) {
@@ -59,13 +51,15 @@ route[ANTIFLOOD_RATE_LIMIT]
 
 route[ANTIFLOOD_AUTH_LIMIT]
 {
+ if($sel(cfg_get.kazoo.antiflood_auth_limit_enabled) != 1) return;
+
  if (has_totag()
  || isflagset(FLAG_TRUSTED_SOURCE)
  || isflagset(FLAG_INTERNALLY_SOURCED)) {
- return(1);
+ return;
  }
 
- if (is_method("OPTIONS")) return(1);
+ if (is_method("OPTIONS")) return;
 
  $var(auth_key) = "";
  if($sel(cfg_get.kazoo.antiflood_failed_auth_use_port) == 1) {
@@ -92,7 +86,7 @@ route[ANTIFLOOD_AUTH_LIMIT]
  }
 }
 
-route[ANTIFLOOD_SUCCESSFUL_AUTH]
+route[KZ_AUTHORIZATION_SUCCESS_ANTIFLOOD_ROLE]
 {
  if($sel(cfg_get.kazoo.antiflood_failed_auth_use_port) == 1) {
  sht_rm_name_re("antiflood=>$(Au{re.subst,/\\./\\\\./g})::$(si{re.subst,/\\./\\\\./g})::$sp::.*");
@@ -101,13 +95,13 @@ route[ANTIFLOOD_SUCCESSFUL_AUTH]
  }
 }
 
-route[ANTIFLOOD_RESET_AUTH]
+route[REGISTRAR_REG_FLUSH_ANTIFLOOD_ROLE]
 {
  $var(user) = $(kzE{kz.json,Username}) + "@" + $(kzE{kz.json,Realm});
  sht_rm_name_re("antiflood=>$(var(user){re.subst,/\\./\\\\./g})::.*");
 }
 
-route[ANITFLOOD_FAILED_AUTH]
+route[KZ_AUTHORIZATION_FAILED_AUTH_ANTIFLOOD_ROLE]
 {
  if (isflagset(FLAG_TRUSTED_SOURCE)) {
  return;

diff --git a/kamailio/authorization.cfg b/kamailio/authorization.cfg
@@ -153,9 +153,7 @@ route[KZ_AUTHORIZATION_CHECK_RESPONSE]
  exit;
  break;
  default:
- #!ifdef ANTIFLOOD_ROLE
- route(ANITFLOOD_FAILED_AUTH);
- #!endif
+ routes(KZ_AUTHORIZATION_FAILED_AUTH);
  send_reply("403", "Forbidden");
  exit;
  }

diff --git a/kamailio/default.cfg b/kamailio/default.cfg
@@ -199,9 +199,7 @@ route
 
  route(CHECK_RETRANS);
 
- #!ifdef ANTIFLOOD_ROLE
- route(ANTIFLOOD_LIMIT);
- #!endif
+ routes(ANTIFLOOD);
 
  #!ifdef TRAFFIC_FILTER_ROLE
  route(FILTER_REQUEST);

diff --git a/kamailio/registrar-role.cfg b/kamailio/registrar-role.cfg
@@ -222,9 +222,7 @@ route[HANDLE_REGISTER]
  if($sht(auth_cache=>$avp(auth-uri)) == "authn_perm_err") {
  xlog("L_INFO", "end - issuing auth challenge to cached permanent failed registration attempt for $avp(auth-uri) from IP $si:$sp\n");
  update_stat("registrar:authn_perm_err", "+1");
- #!ifdef ANTIFLOOD_ROLE
- route(ANITFLOOD_FAILED_AUTH);
- #!endif
+ routes(KZ_AUTHORIZATION_FAILED_AUTH);
  update_stat("registrar:challenge", "+1");
  auth_challenge("$avp(auth-domain)", "4");
  exit;
@@ -318,9 +316,7 @@ onreply_route[KZ_AUTHORIZATION_REPLY]
  $sht(auth_cache=>$avp(auth-uri)) = "authn_perm_err";
  }
  update_stat("registrar:authn_err", "+1");
- #!ifdef ANTIFLOOD_ROLE
- route(ANITFLOOD_FAILED_AUTH);
- #!endif
+ routes(KZ_AUTHORIZATION_FAILED_AUTH);
  update_stat("registrar:challenge", "+1");
  auth_challenge("$avp(auth-domain)", "4");
  xlog("L_INFO", "end - challenging $Au ($avp(auth-uri)) $si:$sp via $(kzR{kz.json,App-Name})-$(kzR{kz.json,App-Version}) response\n");
@@ -344,19 +340,15 @@ onreply_route[KZ_AUTHORIZATION_REPLY]
 route[CHECK_AUTHORIZATION]
 {
  if (!pv_auth_check("$avp(auth-domain)", "$vn(password)", "0", "0")) {
- #!ifdef ANTIFLOOD_ROLE
- route(ANITFLOOD_FAILED_AUTH);
- #!endif
+ routes(KZ_AUTHORIZATION_FAILED_AUTH);
 
  xlog("L_WARNING", "end - issuing auth challenge to failed registration attempt for $avp(auth-uri) from IP $si:$sp\n");
  update_stat("registrar:challenge", "+1");
  auth_challenge("$avp(auth-domain)", "5");
  exit;
  }
 
- #!ifdef ANTIFLOOD_ROLE
- route(ANTIFLOOD_SUCCESSFUL_AUTH);
- #!endif
+ routes(KZ_AUTHORIZATION_SUCCESS);
 
  route(SUCCESS_AUTHORIZATION);
 }
@@ -581,6 +573,7 @@ event_route[kazoo:consumer-event-directory-reg-flush]
  xlog("L_INFO", "received directory flush for device $(kzE{kz.json,Username})@$(kzE{kz.json,Realm})\n");
  }
 
+ routes(REGISTRAR_REG_FLUSH);
  route(REGISTRAR_FLUSH);
 
  if ($(kzE{kz.json,Username}) == "") {
@@ -590,11 +583,6 @@ event_route[kazoo:consumer-event-directory-reg-flush]
  xlog("L_INFO", "flushed $var(count) entries for realm $(kzE{kz.json,Realm})\n");
  }
  }
-
- #!ifdef ANTIFLOOD_ROLE
- route(ANTIFLOOD_RESET_AUTH);
- #!endif
-
 }
 
 event_route[kazoo:consumer-event-directory-reg-success]