Named ACLs introduce a new way to define Access Control Lists (ACLs) in Asterisk. Unlike traditional ACLs defined in specific module configuration files, Named ACLs can be shared across multiple modules. Named ACLs can also be accessed via the Asterisk Realtime Architecture (ARA), allowing for run-time updates of ACL information that can be retrieved by multiple consumers of ACL information.
Named ACLs can be defined statically in acl.conf. Each context in acl.conf defines a specific Named ACL, where the name of the context is the name of the ACL. The syntax for each context follows the permit/deny nomenclature used in traditional ACLs defined in a consumer module's configuration file.
IP address [/Mask]
An IP address to deny, with an optional subnet mask to apply
IP address [/Mask]
An IP address to allow, with an optional subnet mask to apply
Multiple rules can be specified in an ACL as well by chaining deny/permit specifiers.
Named ACLs support common modifiers like templates and additions within configuration as well.
Configuring for IPv6
Named ACLs can use ipv6 addresses just like normal ACLs.
The ARA supports Named ACLs using the 'acls' keyword in extconfig.conf.
Name of the ACL
Order to apply the ACL rule. Rules are applied in ascending order. Rule numbers do not have to be sequential
Either 'permit' or 'deny'
The IP address/Mask pair to apply
Table Creation Script (PostgreSQL)
Table Creation Script (SQLite3)
Named ACL Consumers
Named ACLs are supported by the following Asterisk components:
- Manager (IPv4 and IPv6)
- chan_sip (IPv4 and IPv6)
- chan_pjsip (IPv4 and IPv6)
- chan_iax2 (IPv4 and IPv6)
A consumer of Named ACLs can be configured to use a named ACL using the acl option in their ACL access rules. This can be in addition to the ACL rules traditionally defined in those configuration files.
Multiple named ACLs can be referenced as well by specifying a comma delineated list of Named ACLs to apply.
Similarly, a SIP or IAX2 peer defined in ARA can include an 'acl' column and list the Named ACLs to apply in that column.
ACL Rule Application
Each module consumer of ACL information maintains, for each object that uses the information, a list of the defined ACL rule sets that apply to that object. When an address is evaluated for the particular object, the address is evaluated against each rule. For an address to pass the ACL rules, it must pass each ACL rule set that was defined for that object. Failure of any ACL rule set will result in a rejection of the address.
ACL information is static once a consumer module references that information. Hence, changes in ACL information in an ARA backend will not automatically update consumers of that information. In order for consumers to receive updated ACL information, the Named ACL component must be reloaded.
The Named ACL component supports module reloads, in the same way as other Asterisk components. When the Named ACL component is reloaded, it will issue a request to all consumers of Named ACLs. Those consumer modules will also be automatically reloaded.