nat: Change the order of the DENY/ALLOW rule for the BSC.
Currently it is not easily possible to disable
everyone and then only allow certain SIMs. By changing
the order we can do:
access-list imsi-deny only-something ^[0-9]*$
access-list imsi-allow only-something ^123[0-9]*$
and still keep the usecase of only forbidding certain
SIMs on certain LACs. Adjust test case, test that the
other cases are still functional.
diff --git a/openbsc/src/nat/bsc_nat_utils.c b/openbsc/src/nat/bsc_nat_utils.c
index b295f35..c1e3c98 100644
--- a/openbsc/src/nat/bsc_nat_utils.c
+++ b/openbsc/src/nat/bsc_nat_utils.c
@@ -320,8 +320,8 @@
{
/*
* Now apply blacklist/whitelist of the BSC and the NAT.
- * 1.) Reject if the IMSI is not allowed at the BSC
- * 2.) Allow directly if the IMSI is allowed at the BSC
+ * 1.) Allow directly if the IMSI is allowed at the BSC
+ * 2.) Reject if the IMSI is not allowed at the BSC
* 3.) Reject if the IMSI not allowed at the global level.
* 4.) Allow directly if the IMSI is allowed at the global level
*/
@@ -333,7 +333,11 @@
if (bsc_lst) {
- /* 1. BSC deny */
+ /* 1. BSC allow */
+ if (lst_check_allow(bsc_lst, mi_string) == 0)
+ return 1;
+
+ /* 2. BSC deny */
if (lst_check_deny(bsc_lst, mi_string) == 0) {
LOGP(DNAT, LOGL_ERROR,
"Filtering %s by imsi_deny on bsc nr: %d.\n", mi_string, bsc->cfg->nr);
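Review bot: With the allow check first, an IMSI that matches both imsi-allow and imsi-deny on the same BSC list is now accepted by the early `return 1;`, where the old order rejected it. Existing configurations that pair a broad allow pattern with specific deny entries therefore change meaning without any warning, and the allow path writes no log line, while the deny path logs at LOGL_ERROR. The step list in the comment block also says "Allow directly", so the return presumably bypasses the NAT-level deny in step 3 as well. I would spell this out at the check, e.g. `/* 1. BSC allow: wins over imsi-deny on this list and skips the NAT-level checks below */`, and consider logging the override so operators can audit it. Because a loose allow pattern now overrides every deny entry, the access-list documentation should recommend anchored expressions like the `^...$` ones in the commit message. The enclosing function starts and ends outside this hunk.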
@@ -341,9 +345,6 @@
return -2;
}
- /* 2. BSC allow */
- if (lst_check_allow(bsc_lst, mi_string) == 0)
- return 1;
}
/* 3. NAT deny */