
working on per-realm white/black lists

mom040267 11 years ago
parent
commit
5b300733dc

+ 1 - 1
src/apps/relay/dbdrivers/dbd_mongo.c

@@ -1001,7 +1001,7 @@ static int mongo_get_ip_list(const char *kind, ip_range_list_t * list) {
     while(mongoc_cursor_next(cursor, &item)) {
     	if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "ip_range") && BSON_ITER_HOLDS_UTF8(&iter)) {
         value = bson_iter_utf8(&iter, &length);
-		add_ip_list_range(value, list);
+		add_ip_list_range(value, NULL, list);
       }
     }
     mongoc_cursor_destroy(cursor);

+ 1 - 1
src/apps/relay/dbdrivers/dbd_mysql.c

@@ -913,7 +913,7 @@ static int mysql_get_ip_list(const char *kind, ip_range_list_t * list) {
 								char kval[TURN_LONG_STRING_SIZE];
 								ns_bcopy(row[0],kval,sz);
 								kval[sz]=0;
-								add_ip_list_range(kval,list);
+								add_ip_list_range(kval,NULL,list);
 							}
 						}
 					}

+ 1 - 1
src/apps/relay/dbdrivers/dbd_pgsql.c

@@ -658,7 +658,7 @@ static int pgsql_get_ip_list(const char *kind, ip_range_list_t * list) {
 			for(i=0;i<PQntuples(res);i++) {
 				char *kval = PQgetvalue(res,i,0);
 				if(kval) {
-					add_ip_list_range(kval,list);
+					add_ip_list_range(kval,NULL,list);
 				}
 			}
       ret = 0;

+ 1 - 1
src/apps/relay/dbdrivers/dbd_redis.c

@@ -1130,7 +1130,7 @@ static int redis_get_ip_list(const char *kind, ip_range_list_t * list) {
 						if (rget->type != REDIS_REPLY_NIL)
 							TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Unexpected type: %d\n", rget->type);
 					} else {
-						add_ip_list_range(rget->str,list);
+						add_ip_list_range(rget->str,NULL,list);
 					}
 					turnFreeRedisReply(rget);
 				}

+ 3 - 3
src/apps/relay/mainrelay.c

@@ -77,7 +77,7 @@ DEFAULT_STUN_PORT,DEFAULT_STUN_TLS_PORT,0,0,1,
 {
   NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,0,0,NULL,NULL,NULL
 },
-{NULL, NULL, 0},{NULL, NULL, 0},
+{NULL, 0},{NULL, 0},
 NEV_UNKNOWN, 
 { "Unknown", "UDP listening socket per session", "UDP thread per network endpoint", "UDP thread per CPU core" },
 //////////////// Relay servers //////////////////////////////////
@@ -1230,10 +1230,10 @@ static void set_option(int c, char *value)
 		add_tls_alternate_server(value);
 		break;
 	case ALLOWED_PEER_IPS:
-		if (add_ip_list_range(value, &turn_params.ip_whitelist) == 0) TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "White listing: %s\n", value);
+		if (add_ip_list_range(value, NULL, &turn_params.ip_whitelist) == 0) TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "White listing: %s\n", value);
 		break;
 	case DENIED_PEER_IPS:
-		if (add_ip_list_range(value, &turn_params.ip_blacklist) == 0) TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "Black listing: %s\n", value);
+		if (add_ip_list_range(value, NULL, &turn_params.ip_blacklist) == 0) TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "Black listing: %s\n", value);
 		break;
 	case CIPHER_LIST_OPT:
 		STRCPY(turn_params.cipher_list,value);

+ 10 - 3
src/apps/relay/turncli.c

@@ -312,7 +312,7 @@ static void cli_print_str_array(struct cli_session* cs, char **value, size_t sz,
 
 static void cli_print_ip_range_list(struct cli_session* cs, ip_range_list_t *value, const char* name, int changeable)
 {
-	if(cs && cs->ts && name && value && value->ranges_number && value->ranges) {
+	if(cs && cs->ts && name && value && value->ranges_number && value->rs) {
 		const char *sc="";
 		if(changeable==1)
 			sc=" (*)";
@@ -320,8 +320,15 @@ static void cli_print_ip_range_list(struct cli_session* cs, ip_range_list_t *val
 			sc=" (**)";
 		size_t i;
 		for(i=0;i<value->ranges_number;++i) {
-			if(value->ranges[i])
-				myprintf(cs,"  %s: %s%s\n",name,value->ranges[i],sc);
+			if(value->rs[i].realm[0]) {
+				if(cs->realm[0] && strcmp(cs->realm,value->rs[i].realm)) {
+					continue;
+				} else {
+					myprintf(cs,"  common %s: %s (%s)%s\n",name,value->rs[i].str,value->rs[i].realm,sc);
+				}
+			} else {
+				myprintf(cs,"  common %s: %s%s\n",name,value->rs[i].str,sc);
+			}
 		}
 	}
 }
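Review bot: Both new branches label the entry `common`, so a realm-scoped range on L110 is printed as "common name: range (realm)", which reads as if it applied to every realm even though the surrounding `continue` on L108 filters it by realm. Only the no-realm branch on L113 is the common case; L110 would be clearer as `myprintf(cs,"  %s: %s (%s)%s\n",name,value->rs[i].str,value->rs[i].realm,sc);` or with a distinct label such as `realm-specific`. The `continue`/`else` pairing on L107–L111 can also be flattened: `if(cs->realm[0] && strcmp(cs->realm,value->rs[i].realm)) continue;` followed by the unconditional print. cli_print_ip_range_list is fully visible across the two hunks, but the lines between them are not.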

+ 11 - 19
src/apps/relay/userdb.c

@@ -1393,17 +1393,8 @@ static ip_range_list_t* get_ip_list(const char *kind)
 static void ip_list_free(ip_range_list_t *l)
 {
 	if(l) {
-		size_t i;
-		for(i=0;i<l->ranges_number;++i) {
-			if(l->ranges && l->ranges[i])
-			  turn_free(l->ranges[i],0);
-			if(l->encaddrsranges && l->encaddrsranges[i])
-			  turn_free(l->encaddrsranges[i],0);
-		}
-		if(l->ranges)
-		  turn_free(l->ranges,0);
-		if(l->encaddrsranges)
-		  turn_free(l->encaddrsranges,0);
+		if(l->rs)
+		  turn_free(l->rs,l->ranges_number * sizeof(ip_range_t));
 		turn_free(l,sizeof(ip_range_list_t));
 	}
 }
@@ -1432,7 +1423,7 @@ void update_white_and_black_lists(void)
 
 /////////////// add ACL record ///////////////////
 
-int add_ip_list_range(const char * range0, ip_range_list_t * list)
+int add_ip_list_range(const char * range0, const char * realm, ip_range_list_t * list)
 {
 	char *range = turn_strdup(range0);
 
@@ -1465,13 +1456,14 @@ int add_ip_list_range(const char * range0, ip_range_list_t * list)
 		*separator = '-';
 
 	++(list->ranges_number);
-	list->ranges = (char**) turn_realloc(list->ranges, 0, sizeof(char*) * list->ranges_number);
-	list->ranges[list->ranges_number - 1] = range;
-	list->encaddrsranges = (ioa_addr_range**) turn_realloc(list->encaddrsranges, 0, sizeof(ioa_addr_range*) * list->ranges_number);
-
-	list->encaddrsranges[list->ranges_number - 1] = (ioa_addr_range*) turn_malloc(sizeof(ioa_addr_range));
-
-	ioa_addr_range_set(list->encaddrsranges[list->ranges_number - 1], &min, &max);
+	list->rs = (ip_range_t*) turn_realloc(list->rs, 0, sizeof(ip_range_t) * list->ranges_number);
+	STRCPY(list->rs[list->ranges_number - 1].str,range);
+	if(realm)
+		STRCPY(list->rs[list->ranges_number - 1].realm,realm);
+	else
+		list->rs[list->ranges_number - 1].realm[0]=0;
+	turn_free(range,0);
+	ioa_addr_range_set(&(list->rs[list->ranges_number - 1].enc), &min, &max);
 
 	return 0;
 }
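Review bot: The turn_realloc result on L162 is assigned straight into `list->rs` and dereferenced on L163 with no NULL check, and because the old pointer is overwritten a failed growth would also orphan the existing entries; with each entry now a full ip_range_t (two fixed buffers plus `enc`) rather than a pointer, the request is considerably larger than before. If turn_realloc can return NULL rather than aborting, the growth should go through a temporary: `ip_range_t *nrs = (ip_range_t*) turn_realloc(list->rs, 0, sizeof(ip_range_t) * list->ranges_number); if(!nrs) { --(list->ranges_number); turn_free(range,0); return -1; } list->rs = nrs;`. Note also that STRCPY on L163 and L165 presumably bounds the copy by the destination size, so an over-long `range0` would be stored truncated in `str` while `enc` still holds the fully parsed range — worth a one-line comment at the struct or here, since `str` is what later appears in the deny log message. The beginning of add_ip_list_range, including its earlier error returns, lies outside this hunk.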

+ 1 - 1
src/apps/relay/userdb.h

@@ -208,7 +208,7 @@ void reread_realms(void);
 int add_user_account(char *user, int dynamic);
 int adminuser(u08bits *user, u08bits *realm, u08bits *pwd, u08bits *secret, u08bits *origin, TURNADMIN_COMMAND_TYPE ct, int is_st, perf_options_t* po);
 
-int add_ip_list_range(const char* range, ip_range_list_t * list);
+int add_ip_list_range(const char* range, const char* realm, ip_range_list_t * list);
 
 ///////////// Redis //////////////////////
 

+ 9 - 2
src/server/ns_turn_ioalib.h

@@ -137,9 +137,16 @@ typedef struct _realm_options_t realm_options_t;
 
 //////// IP White/black listing ///////////
 
+struct _ip_range {
+	char str[257];
+	char realm[513];
+	ioa_addr_range enc;
+};
+
+typedef struct _ip_range ip_range_t;
+
 struct _ip_range_list {
-	char **ranges;
-	ioa_addr_range **encaddrsranges;
+	ip_range_t *rs;
 	size_t ranges_number;
 };
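Review bot: The buffer sizes on L195 and L196 are bare magic numbers, and nothing in the header says what an empty `realm` means even though the code in userdb.c and ns_turn_server.c relies on `realm[0] == 0` marking a range that applies to every realm. Naming the bounds, e.g. a constructed `enum { IP_RANGE_STR_SIZE = 257, IP_RANGE_REALM_SIZE = 513 };` (or reusing whatever realm-length constant the project already defines), would document the limit the STRCPY copies depend on and keep it aligned with the realm buffers used elsewhere. A comment on the field such as `/* empty string: the range applies to all realms */` would make the contract explicit for the next reader.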
 

+ 19 - 11
src/server/ns_turn_server.c

@@ -250,8 +250,10 @@ static int send_turn_message_to(turn_turnserver *server, ioa_network_buffer_hand
 
 /////////////////// Peer addr check /////////////////////////////
 
-static int good_peer_addr(turn_turnserver *server, ioa_addr *peer_addr)
+static int good_peer_addr(turn_turnserver *server, const char* realm, ioa_addr *peer_addr)
 {
+#define CHECK_REALM(r) if((r)[0] && realm && realm[0] && strcmp((r),realm)) continue
+
 	if(server && peer_addr) {
 		if(*(server->no_multicast_peers) && ioa_addr_is_multicast(peer_addr))
 			return 0;
@@ -264,7 +266,8 @@ static int good_peer_addr(turn_turnserver *server, ioa_addr *peer_addr)
 			if(server->ip_whitelist) {
 				// White listing of addr ranges
 				for (i = server->ip_whitelist->ranges_number - 1; i >= 0; --i) {
-					if (ioa_addr_in_range(server->ip_whitelist->encaddrsranges[i], peer_addr))
+					CHECK_REALM(server->ip_whitelist->rs[i].realm);
+					if (ioa_addr_in_range(&(server->ip_whitelist->rs[i].enc), peer_addr))
 						return 1;
 				}
 			}
@@ -276,7 +279,8 @@ static int good_peer_addr(turn_turnserver *server, ioa_addr *peer_addr)
 				if(wl) {
 					// White listing of addr ranges
 					for (i = wl->ranges_number - 1; i >= 0; --i) {
-						if (ioa_addr_in_range(wl->encaddrsranges[i], peer_addr)) {
+						CHECK_REALM(wl->rs[i].realm);
+						if (ioa_addr_in_range(&(wl->rs[i].enc), peer_addr)) {
 							ioa_unlock_whitelist(server->e);
 							return 1;
 						}
@@ -289,10 +293,11 @@ static int good_peer_addr(turn_turnserver *server, ioa_addr *peer_addr)
 			if(server->ip_blacklist) {
 				// Black listing of addr ranges
 				for (i = server->ip_blacklist->ranges_number - 1; i >= 0; --i) {
-					if (ioa_addr_in_range(server->ip_blacklist->encaddrsranges[i], peer_addr)) {
+					CHECK_REALM(server->ip_blacklist->rs[i].realm);
+					if (ioa_addr_in_range(&(server->ip_blacklist->rs[i].enc), peer_addr)) {
 						char saddr[129];
 						addr_to_string_no_port(peer_addr,(u08bits*)saddr);
-						TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "A peer IP %s denied in the range: %s\n",saddr,server->ip_blacklist->ranges[i]);
+						TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "A peer IP %s denied in the range: %s\n",saddr,server->ip_blacklist->rs[i].str);
 						return 0;
 					}
 				}
@@ -305,11 +310,12 @@ static int good_peer_addr(turn_turnserver *server, ioa_addr *peer_addr)
 				if(bl) {
 					// Black listing of addr ranges
 					for (i = bl->ranges_number - 1; i >= 0; --i) {
-						if (ioa_addr_in_range(bl->encaddrsranges[i], peer_addr)) {
+						CHECK_REALM(bl->rs[i].realm);
+						if (ioa_addr_in_range(&(bl->rs[i].enc), peer_addr)) {
 							ioa_unlock_blacklist(server->e);
 							char saddr[129];
 							addr_to_string_no_port(peer_addr,(u08bits*)saddr);
-							TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "A peer IP %s denied in the range: %s\n",saddr,bl->ranges[i]);
+							TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "A peer IP %s denied in the range: %s\n",saddr,bl->rs[i].str);
 							return 0;
 						}
 					}
@@ -320,6 +326,8 @@ static int good_peer_addr(turn_turnserver *server, ioa_addr *peer_addr)
 		}
 	}
 
+#undef CHECK_REALM
+
 	return 1;
 }
 
@@ -2076,7 +2084,7 @@ static void tcp_peer_accept_connection(ioa_socket_handle s, void *arg)
 			return;
 		}
 
-		if(!good_peer_addr(server, peer_addr)) {
+		if(!good_peer_addr(server, ss->realm_options.name, peer_addr)) {
 			u08bits saddr[256];
 			addr_to_string(peer_addr, saddr);
 			TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: an attempt to connect from a peer with forbidden address: %s\n", __FUNCTION__,saddr);
@@ -2226,7 +2234,7 @@ static int handle_turn_connect(turn_turnserver *server,
 			*reason = (const u08bits *)"Where is Peer Address ?";
 
 		} else {
-			if(!good_peer_addr(server,&peer_addr)) {
+			if(!good_peer_addr(server,ss->realm_options.name,&peer_addr)) {
 				*err_code = 403;
 				*reason = (const u08bits *) "Forbidden IP";
 			} else {
@@ -2588,7 +2596,7 @@ static int handle_turn_channel_bind(turn_turnserver *server,
 					*err_code = 400;
 					*reason = (const u08bits *)"You cannot use the same peer with different channel number";
 				} else {
-					if(!good_peer_addr(server,&peer_addr)) {
+					if(!good_peer_addr(server,ss->realm_options.name,&peer_addr)) {
 						*err_code = 403;
 						*reason = (const u08bits *) "Forbidden IP";
 					} else {
@@ -3015,7 +3023,7 @@ static int handle_turn_create_permission(turn_turnserver *server,
 					if(!get_relay_socket(a,peer_addr.ss.sa_family)) {
 						*err_code = 443;
 						*reason = (const u08bits *)"Peer Address Family Mismatch";
-					} else if(!good_peer_addr(server, &peer_addr)) {
+					} else if(!good_peer_addr(server, ss->realm_options.name, &peer_addr)) {
 						*err_code = 403;
 						*reason = (const u08bits *) "Forbidden IP";
 					} else {
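Review bot: CHECK_REALM on L220 only skips a realm-scoped entry when the session realm is known and differs, so for a session with a NULL or empty `realm` every realm-scoped whitelist entry (L230, L240) is applied and can admit a peer that no realm has actually whitelisted for that session, while for the blacklist loops (L250, L264) the same rule is the conservative choice. If an unknown realm is reachable at these call sites, the whitelist loops should fail closed, e.g. `if((r)[0] && (!realm || !realm[0] || strcmp((r),realm))) continue`, with the blacklist loops keeping the current permissive form. Separately, a function-like macro that expands to a bare `continue` and captures the local `realm` hides control flow; a `static inline int realm_matches(const char *r, const char *realm)` used in an explicit `if (...) continue;` reads the same at each site without the `#define`/`#undef` pair. good_peer_addr spans several hunks here, so the lines between them are not visible in this review.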