Merge branch 'release-4.6-updates' of github.com:dhubler/sipxecs into…

… release-4.6-updates

mak/build.mk.in

@@ -59,7 +59,8 @@ help.{1|2|6}.dist = Build archive, typically compressed tar
 
 %.dist : %.autoreconf %.configure %.dist_;
 %.dist_ :;$(MAKE) -C $(PROJ) dist
-%.dist-by-dep :
+.SECONDEXPANSION:
+%.dist-by-dep : $$(addsuffix .dist-by-dep,$$($$*_DEPS))
 	@if test -f $($(PROJ)_TAR) ; then \
 	  x=`find $(SRC)/$(PROJ)/ -type f \( \
 	       -not -name configure \
@@ -69,6 +70,17 @@ help.{1|2|6}.dist = Build archive, typically compressed tar
 	    rm $($(PROJ)_TAR); \
 	  fi; \
 	fi
+	@if test -f $($(PROJ)_TAR) ; then \
+	  if [ -n "$($(PROJ)_DEPS)" ]; then \
+	    for t in $(foreach P,$($(PROJ)_DEPS),$($(P)_TAR)) ; do \
+	      if test -f $($(PROJ)_TAR); then \
+	        if [ $$t -nt $($(PROJ)_TAR) ]; then \
+	          rm $($(PROJ)_TAR); \
+	        fi \
+	      fi \
+	    done \
+	  fi \
+	fi
 	@if ! test -f $($(PROJ)_TAR) ; then \
 	  $(MAKE) $(PROJ).dist; \
 	fi

mak/mock/centos-6-i386.cfg.in

@@ -58,7 +58,7 @@ enabled=@PULL_MISSING_RPMS@
 
 [build]
 name=build
-baseurl=http://localhost:40100/CentOS_6/i386/
+baseurl=http://localhost:@REPO_PORT@/CentOS_6/i386/
 """
 
 

mak/mock/centos-6-x86_64.cfg.in

@@ -59,7 +59,7 @@ enabled=@PULL_MISSING_RPMS@
 
 [build]
 name=build
-baseurl=http://localhost:40100/CentOS_6/x86_64/
+baseurl=http://localhost:@REPO_PORT@/CentOS_6/x86_64/
 
 """
 

mak/mock/fedora-16-i386.cfg.in

@@ -41,7 +41,7 @@ enabled=@PULL_MISSING_RPMS@
 
 [build]
 name=build
-baseurl=http://localhost:40100/Fedora_16/i386/
+baseurl=http://localhost:@REPO_PORT@/Fedora_16/i386/
 
 """
 

mak/mock/fedora-16-x86_64.cfg.in

@@ -45,7 +45,7 @@ enabled=@PULL_MISSING_RPMS@
 
 [build]
 name=build
-baseurl=http://localhost:40100/Fedora_16/x86_64/
+baseurl=http://localhost:@REPO_PORT@/Fedora_16/x86_64/
 """
 
 

mak/mock/fedora-17-i386.cfg.in

@@ -58,5 +58,5 @@ enabled=@PULL_MISSING_RPMS@
 
 [build]
 name=build
-baseurl=http://localhost:40100/Fedora_17/i386/
+baseurl=http://localhost:@REPO_PORT@/Fedora_17/i386/
 """

mak/mock/fedora-17-x86_64.cfg.in

@@ -58,5 +58,5 @@ enabled=@PULL_MISSING_RPMS@
 
 [build]
 name=build
-baseurl=http://localhost:40100/Fedora_17/x86_64/
+baseurl=http://localhost:@REPO_PORT@/Fedora_17/x86_64/
 """

mak/mock/site-defaults.cfg.in

@@ -15,8 +15,8 @@
 #
 # Things that we recommend you set in site-defaults.cfg:
 #
-# config_opts['basedir'] = '/var/lib/mock/'
-# config_opts['cache_topdir'] = '/var/cache/mock'
+config_opts['basedir'] = '@abs_top_builddir@/mock/'
+config_opts['cache_topdir'] = '@abs_top_builddir@/mock-cache'
 #  Note: the path pointed to by basedir and cache_topdir must be owned 
 #        by group 'mock' and must have mode: g+rws
 # config_opts['rpmbuild_timeout'] = 0

mak/rpm.m4

@@ -4,6 +4,14 @@ dnl
 
 AC_ARG_VAR(MIRROR_SITE, [Single place to find CentOS, Redhat and EPEL. Example: http://mirrors.kernel.org])
 
+DEFAULT_REPO_PORT=40100
+dnl Required for getting files to chroot.
+AC_ARG_VAR(REPO_PORT, [Port to host yum repo. Default is $DEFAULT_REPO_PORT])
+if test -z "$REPO_PORT" ; then
+  REPO_PORT=$DEFAULT_REPO_PORT
+fi
+
+
 AC_ARG_WITH(yum-proxy, [--with-yum-proxy send downloads thru caching proxy like squid to speed downloads], [
   AC_SUBST(DOWNLOAD_PROXY,$withval)
   AC_SUBST(DOWNLOAD_PROXY_CONFIG_LINE,"proxy=$withval")

mak/rpm.mk.in

@@ -70,10 +70,9 @@ help.{1|2}.srpm = Called automatically as part of rpm process after srpm target.
 # srpm git revision in tarball may not match HEAD of git repo.  tarball is only rebuilt
 # if project source changed. So we need to extract the rev from the tarball
 DIST_REV = $(shell tar -O -xzf $(PROJ)/$(proj)-$(PACKAGE_VERSION).tar.gz $(proj)-$(PACKAGE_VERSION)/.tarball-revision)
-SRPM = $(proj)-$(PACKAGE_VERSION)-$(DIST_REV).src.rpm
 $(sipx:=.srpm_) $(app:=.srpm_) : %.srpm_ :
 	rpmbuild -ts $(SRPM_DEFS) $($(PROJ)_SRPM_DEFS) --nodeps $($(PROJ)_TAR)
-	cp @RPMBUILD_TOPDIR@/SRPMS/$(SRPM) $(MOCK_SRPM_DIR)
+	cp @RPMBUILD_TOPDIR@/SRPMS/$($(PROJ)_SRPM) $(MOCK_SRPM_DIR)
 
 sipx.rpm : $(sipx:=.rpm-by-dep);
 app.rpm : $(app:=.rpm-by-dep);
@@ -110,14 +109,13 @@ RPM_DEP = $(MOCK_RESULTS_DIR)/.dep.$(PROJ)
 	  $(MAKE) $(PROJ).srpm_ $(PROJ).rpm_; \
 	fi
 
-$(lib:=.rpm_): SRPM=$$($$(PROJ)_SRPM)
 %.rpm_ : repo-webserver
 	mock $(MOCK_OPTS) \
 	  --no-clean \
 	  --no-cleanup-after \
 	  --rebuild \
 	  $($(PROJ)_RPM_DEFS) \
-	  $(MOCK_SRPM_DIR)/$(SRPM)
+	  $(MOCK_SRPM_DIR)/$($(PROJ)_SRPM)
 	touch $(RPM_DEP)
 	find $(MOCK_RESULTS_DIR) -name '*.src.rpm' -exec rm {} \;
 # generate repo AFTER build otherwise it's unusable as a repo to feed to next build or other systems.
@@ -150,9 +148,9 @@ repo-clean :
 # if it has a file time that is newer then the file system. When building rpms from 2 different locations on the sames system
 # this is problematic
 repo-webserver :
-	-killall thttpd
+	-kill -15 $(firstword $(shell ps xo "%p %a" | grep -v grep | egrep 'thttpd -d repo -p @REPO_PORT@'))
 	find $(MOCK_RESULTS_DIR) -type f -not -path '*/.dep.*' -exec touch {} \;
-	/usr/sbin/thttpd -d @RPM_DIST_DIR@ -p 40100 -M 0
+	/usr/sbin/thttpd -d @RPM_DIST_DIR@ -p @REPO_PORT@ -M 0
 
 help.repo-src = Assemble source rpms into @RPM_DIST_DIR@/$(DISTRO_RESULTS_DIR)/source
 repo-src : repo-comps

sipXconfig/etc/sipxpbx/firewall/firewall.properties

@@ -1,14 +1,50 @@
-sysctl.label=Settings
+sysctl.label=
 sysctl.icmp_echo_ignore_broadcasts.label=Disable response to broadcasts
 sysctl.icmp_echo_ignore_broadcasts.description=Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
 sysctl.tcp_syncookies.label=Denial of Service (DOS) attacks
 sysctl.tcp_syncookies.description=Enable syn cookies (prevent against the common 'syn flood attack')
 sysctl.log_martians.label=Log spoofed, source routed and redirect packets
 sysctl.log_martians.description=Log packets with impossible addresses to kernel log
-dos.label=
+dos.label=Security
+dos.white_list.label=White List
+dos.white_list.description=List of trusted IPs (comma separated values of IP addresses or subnet). All packets from these IPs will be accepted.
 dos.black_list.label=Black List
 dos.black_list.description=List of untrusted IPs (comma separated values of IP addresses or subnet) considered DoS Attackers.
+dos.friendly-scanner.label=Deny Friendly Scanner
+dos.friendly-scanner.description=Drop all SIP packets matching "friendly-scanner" user agent.
+dos.sipvicious.label=Deny Sipvicious
+dos.sipvicious.description=Drop all SIP packets matching "sipvicious" user agent.
+dos.sundayddr.label=Deny Sundayddr
+dos.sundayddr.description=Drop all SIP packets matching "sundayddr" user agent.
+dos.iwar.label=Deny iWar
+dos.iwar.description=Drop all SIP packets matching "iWar" user agent.
+dos.sip-scan.label=Deny SipScan
+dos.sip-scan.description=Drop all SIP packets matching "sip-scan" user agent.
+dos.sipsak.label=Deny Sipsak
+dos.sipsak.description=Drop all SIP packets matching "sipsak" user agent.
+dos.drop-uas.label=Deny packets matching
+dos.drop-uas.description=Comma separated values of user agents to match and deny. E.g. add "Foo" in the list if you want to drop all SIP packets from "User-Agent: Foo".
 sys.unmanaged.label=Unmanaged Firewall service
 sys.unmanaged.description=Enable this option if you don't want firewall service to be managed by unified communication system \
 (for e.g. generating configuration, automatic restart of services).
 sys.label=Configuration Control
+logging.label=Logging
+logging.enable-drop.label=Log dropped packets
+logging.enable-drop.description=If enabled dropped packets will be logged in firewall-drop.log file
+logging.enable-dos.label=Log SIP DoS packets
+logging.enable-dos.description=If enabled all packets matching denied UAs will be logged in firewall-sipdos.log file before dropping.
+logging.sip.label=
+logging.sip.enable-register.label=Log SIP REGISTERs
+logging.sip.enable-register.description=If enabled all SIP REGISTERs will be logged in firewall-sip.log file.
+logging.sip.enable-invite.label=Log SIP INVITEs
+logging.sip.enable-invite.description=If enabled all SIP INVITEs will be logged in firewall-sip.log file.
+logging.sip.enable-ack.label=Log SIP ACKs
+logging.sip.enable-ack.description=If enabled all SIP ACKs will be logged in firewall-sip.log file.
+logging.sip.enable-options.label=Log SIP OPTIONS
+logging.sip.enable-options.description=If enabled all SIP OPTIONS will be logged in firewall-sip.log file.
+logging.sip.enable-subscribe.label=Log SIP SUBSCRIBEs
+logging.sip.enable-subscribe.description=If enabled all SIP SUBSCRIBEs will be logged in firewall-sip.log file.
+logging.limit-drop-no.label=Max entries
+logging.limit-drop-no.description=Maximum number of similar dropped packets to be logged (max entries in time limit unit). Should be greater or equal with 2. If -1 then no limit will be applied.
+logging.limit-drop-time.label=Time limit unit
+logging.limit-drop-time.description=Time limit unit to consider for matching similar packets.

sipXconfig/etc/sipxpbx/firewall/firewall.xml

@@ -9,26 +9,117 @@
     </boolean>
   </type>
   <group name="dos">
+    <setting name="white_list">
+      <type>
+        <string multiLine="yes" maxLen="1000"/>
+      </type>
+    </setting>
     <setting name="black_list">
       <type>
         <string multiLine="yes" maxLen="1000"/>
       </type>
     </setting>
+    <setting name="friendly-scanner" advanced="yes">
+      <type refid="true-false"/>
+      <value>1</value>
+    </setting>
+    <setting name="sipvicious" advanced="yes">
+      <type refid="true-false"/>
+      <value>1</value>
+    </setting>
+    <setting name="sundayddr" advanced="yes">
+      <type refid="true-false"/>
+      <value>0</value>
+    </setting>
+    <setting name="iwar" advanced="yes">
+      <type refid="true-false"/>
+      <value>0</value>
+    </setting>
+    <setting name="sip-scan" advanced="yes">
+      <type refid="true-false"/>
+      <value>0</value>
+    </setting>
+    <setting name="sipsak" advanced="yes">
+      <type refid="true-false"/>
+      <value>0</value>
+    </setting>
+    <setting name="drop-uas" advanced="yes">
+      <type>
+        <string multiLine="yes" maxLen="1000"/>
+      </type>
+    </setting>
   </group>
   <group name="sysctl">
-    <setting name="icmp_echo_ignore_broadcasts" >
+    <setting name="icmp_echo_ignore_broadcasts" advanced="yes">
       <type refid="true-false"/>
       <value>1</value>
     </setting>
-    <setting name="tcp_syncookies" >
+    <setting name="tcp_syncookies" advanced="yes">
       <type refid="true-false"/>
       <value>1</value>
     </setting>
-    <setting name="log_martians" >
+    <setting name="log_martians" advanced="yes">
       <type refid="true-false"/>
       <value>1</value>
     </setting>
-   </group>
+  </group>
+  <group name="logging">
+    <setting name="enable-drop">
+      <type refid="true-false"/>
+      <value>0</value>
+    </setting>
+    <setting name="enable-dos">
+      <type refid="true-false"/>
+      <value>0</value>
+    </setting>
+    <group name="sip">
+      <setting name="enable-register">
+        <type refid="true-false"/>
+        <value>0</value>
+      </setting>
+      <setting name="enable-invite">
+        <type refid="true-false"/>
+        <value>0</value>
+      </setting>
+      <setting name="enable-ack">
+        <type refid="true-false"/>
+        <value>0</value>
+      </setting>
+      <setting name="enable-options">
+        <type refid="true-false"/>
+        <value>0</value>
+      </setting>
+      <setting name="enable-subscribe">
+        <type refid="true-false"/>
+        <value>0</value>
+      </setting>
+    </group>
+    <setting name="limit-drop-no">
+      <type>
+        <integer min="-1"/>
+      </type>
+      <value>-1</value>
+    </setting>
+    <setting name="limit-drop-time">
+      <type>
+        <enum>
+          <option>
+            <value>second</value>
+          </option>
+          <option>
+            <value>minute</value>
+          </option>
+          <option>
+            <value>hour</value>
+          </option>
+          <option>
+            <value>day</value>
+          </option>
+        </enum>
+      </type>
+      <value>hour</value>
+    </setting>
+  </group>
   <group name="sys">
     <setting name="unmanaged">
       <type refid="true-false"/>

sipXconfig/neoconf/src/org/sipfoundry/sipxconfig/address/AddressType.java

@@ -17,10 +17,12 @@
 package org.sipfoundry.sipxconfig.address;
 
 public class AddressType {
+    private static final String SIP_FORMAT = "sip:%s:%d";
     private String m_id;
     private String m_format;
     private Protocol m_protocol = Protocol.tcp;
     private int m_canonicalPort;
+    private boolean m_externalSip;
 
     /**
      * There are a lot more types (see /etc/protocol) but these are the only imaginable ones
@@ -51,6 +53,12 @@ public AddressType(String uniqueId, String format, Protocol protocol) {
         m_protocol = protocol;
     }
 
+    public AddressType(String uniqueId, String format, Protocol protocol, boolean externalSip) {
+        this(uniqueId, format);
+        m_protocol = protocol;
+        m_externalSip = externalSip;
+    }
+
     public AddressType(String uniqueId, String format, int canonicalPort) {
         this(uniqueId, format);
         m_canonicalPort = canonicalPort;
@@ -78,22 +86,42 @@ public static AddressType sipTcp(String uniqueId) {
         return sip(uniqueId, Protocol.tcp);
     }
 
+    public static AddressType externalSipTcp(String uniqueId) {
+        return externalsip(uniqueId, Protocol.tcp);
+    }
+
     public static AddressType sipUdp(String uniqueId) {
         return sip(uniqueId, Protocol.udp);
     }
 
+    public static AddressType externalSipUdp(String uniqueId) {
+        return externalsip(uniqueId, Protocol.udp);
+    }
+
     public static AddressType sipTls(String uniqueId) {
         return sip(uniqueId, Protocol.tlsp);
     }
 
+    public static AddressType externalSipTls(String uniqueId) {
+        return externalsip(uniqueId, Protocol.tlsp);
+    }
+
     public static AddressType sip(String uniqueId, Protocol protocol) {
-        return new AddressType(uniqueId, "sip:%s:%d", protocol);
+        return new AddressType(uniqueId, SIP_FORMAT, protocol);
+    }
+
+    public static AddressType externalsip(String uniqueId, Protocol protocol) {
+        return new AddressType(uniqueId, SIP_FORMAT, protocol, true);
     }
 
     public String getId() {
         return m_id;
     }
 
+    public boolean isExternalSip() {
+        return m_externalSip;
+    }
+
     public String format(Address address) {
         if (m_format != null) {
             return String.format(m_format, address.getAddress(), address.getPort());

sipXconfig/neoconf/src/org/sipfoundry/sipxconfig/bridge/BridgeSbcContext.java

@@ -46,8 +46,8 @@ public class BridgeSbcContext implements FeatureProvider, AddressProvider, Firew
     public static final AddressType XMLRPC_ADDRESS = new AddressType("sbcBridgeXmlRpc", "http://%s:%d");
     public static final AddressType INTERNAL_SIP_ADDRESS = AddressType.sipTcp("sbcBridgeSip");
     public static final AddressType INTERNAL_TLS_ADDRESS = AddressType.sipTcp("sbcBridgeTls");
-    public static final AddressType EXTERNAL_SIP_ADDRESS = AddressType.sipTcp("sbcBridgeSipExternal");
-    public static final AddressType EXTERNAL_TLS_ADDRESS = AddressType.sipTcp("sbcBridgeTlsExternal");
+    public static final AddressType EXTERNAL_SIP_ADDRESS = AddressType.externalSipTcp("sbcBridgeSipExternal");
+    public static final AddressType EXTERNAL_TLS_ADDRESS = AddressType.externalSipTcp("sbcBridgeTlsExternal");
     private SbcDeviceManager m_sbcDeviceManager;
 
     @Override