nat: Change the order of the DENY/ALLOW rule for the BSC.
Currently it is not easily possible to disable
everyone and then only allow certain SIMs. By changing
the order we can do:
access-list imsi-deny only-something ^[0-9]*$
access-list imsi-allow only-something ^123[0-9]*$
and still keep the usecase of only forbidding certain
SIMs on certain LACs. Adjust test case, test that the
other cases are still functional.
diff --git a/openbsc/src/nat/bsc_nat_utils.c b/openbsc/src/nat/bsc_nat_utils.c
index b295f35..c1e3c98 100644
--- a/openbsc/src/nat/bsc_nat_utils.c
+++ b/openbsc/src/nat/bsc_nat_utils.c
@@ -320,8 +320,8 @@
{
/*
* Now apply blacklist/whitelist of the BSC and the NAT.
- * 1.) Reject if the IMSI is not allowed at the BSC
- * 2.) Allow directly if the IMSI is allowed at the BSC
+ * 1.) Allow directly if the IMSI is allowed at the BSC
+ * 2.) Reject if the IMSI is not allowed at the BSC
* 3.) Reject if the IMSI not allowed at the global level.
* 4.) Allow directly if the IMSI is allowed at the global level
*/
@@ -333,7 +333,11 @@
if (bsc_lst) {
- /* 1. BSC deny */
+ /* 1. BSC allow */
+ if (lst_check_allow(bsc_lst, mi_string) == 0)
+ return 1;
+
+ /* 2. BSC deny */
if (lst_check_deny(bsc_lst, mi_string) == 0) {
LOGP(DNAT, LOGL_ERROR,
"Filtering %s by imsi_deny on bsc nr: %d.\n", mi_string, bsc->cfg->nr);
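Review bot: The moved `return 1` on a BSC allow-list match now skips not only the BSC deny list (the intended change) but also steps 3 and 4, so an IMSI matched by the BSC allow regex is never checked against the NAT-wide deny list; that was already true of the allow step before the reorder, but with allow evaluated first the BSC allow list becomes the sole gate for those IMSIs, and neither the `/* 1. BSC allow */` comment here nor the reordered step list in the previous hunk says so. I would make the precedence explicit at the point of the early return, e.g. `/* 1. BSC allow: a match returns immediately, bypassing the BSC and NAT deny lists below */`, and add the same sentence to the numbered comment in the first hunk. The commit message could also state that a BSC-level allow overrides the global deny, since operators writing `imsi-deny` rules at the NAT level will otherwise expect them to apply to every BSC. The enclosing function starts before this hunk and its remaining steps (NAT deny/allow) continue after it.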
@@ -341,9 +345,6 @@
return -2;
}
- /* 2. BSC allow */
- if (lst_check_allow(bsc_lst, mi_string) == 0)
- return 1;
}
/* 3. NAT deny */
diff --git a/openbsc/tests/bsc-nat/bsc_nat_test.c b/openbsc/tests/bsc-nat/bsc_nat_test.c
index f82b4db..75bd803 100644
--- a/openbsc/tests/bsc-nat/bsc_nat_test.c
+++ b/openbsc/tests/bsc-nat/bsc_nat_test.c
@@ -657,12 +657,29 @@
/* filter as deny is first */
.data = bss_lu,
.length = sizeof(bss_lu),
- .result = -2,
+ .result = 1,
.bsc_imsi_deny = "[0-9]*",
.bsc_imsi_allow = "[0-9]*",
.nat_imsi_deny = "[0-9]*",
.contype = NAT_CON_TYPE_LU,
},
+ {
+ /* deny by nat rule */
+ .data = bss_lu,
+ .length = sizeof(bss_lu),
+ .result = -3,
+ .bsc_imsi_deny = "000[0-9]*",
+ .nat_imsi_deny = "[0-9]*",
+ .contype = NAT_CON_TYPE_LU,
+ },
+ {
+ /* deny by bsc rule */
+ .data = bss_lu,
+ .length = sizeof(bss_lu),
+ .result = -2,
+ .bsc_imsi_deny = "[0-9]*",
+ .contype = NAT_CON_TYPE_LU,
+ },
};