
updating Debian specification and adding oob cfg file

Pavel Kasparek 18 years ago
parent
commit
0c1a09fe84

+ 1060 - 0
etc/ser-oob.cfg

@@ -0,0 +1,1060 @@
+#
+# $Id$
+#
+#
+# Applicability of this Configuration File
+# ----------------------------------------
+#
+# This is default SER script as used for example at the iptel.org
+# SIP service; it can deal with NATs, terminate calls to a PSTN
+# gateway, and it implements a couple of basic signaling features
+# (few types of call forwarding). In this scenario you may have
+# multiple SIP proxies sharing one database for accessing provisioned
+# data, which are maintained for example using serweb. The proxy
+# servers also share write-access to user location database (and
+# keeps a full cache of all usrloc entries synchronized using
+# multicast).
+# 
+# If you look for a simpler version with a lot less dependencies
+# please refer to the ser-basic.cfg file in your SER distribution.
+#
+# Requirements: 
+# ---------------
+# running DB, running RTP proxy, one public IP address
+# for SIP service, one private IP address for administrative purposes;
+# optional: IP address of a PSTN gateway
+#
+# HOWTOs:
+# ---------
+# To get this config running you need to execute the following commands
+# with the new serctl (the capital word are just place holders)
+# - ser_ctl domain add DOMAINNAME
+# - ser_ctl user add USERNAME@DOMAINNAME -p PASSWORD
+# If you want to have PID header for your user
+# - ser_attr add uid=UID asserted_id="PID"
+# If you want to have gateway support
+# - ser_db add attr_types name=gw_ip rich_type=string raw_type=2 description="The gateway IP for the default ser.cfg" default_flags=33
+# - ser_attr add global gw_ip=GATEWAY-IP
+#  Alternatively you can use serweb to set all the values above.
+#
+# Users with permission to call PSTN using this script must have
+# the $gw_acl attribute set properly, and shall have $asserted_id
+# set to indicate their caller-id for calls to PSTN. For inbound
+# calls from PSTN, additional aliases may be also set.
+#
+# Warning:
+# -----------
+# Note: if this file is installed on Debian from package 'ser-oob' then some options
+# in this configuration file may be set by post-installation script, according to values
+# entered by user at installation time in debconf configuration.
+# These values are then applied automatically to this file each time the 'ser-oob' package
+# is upgraded or reconfigured by calling 'dpkg-reconfigure ser-oob'.
+# The parts of this configuration file that may be altered by debconf are enclosed
+# between '#DEBCONF-something-START' and '#DEBCONF-something-END' comment marks. Please
+# don't remove them.
+#
+#
+# TODO (Future possible improvements):
+# ---------------------------------------
+# * protocol tuning
+#   - session-timer (port existing textops-based scripts)
+#   - AVP-based diversion for call-forwarding (as opposed to specialized module)
+#   - add Date header in 200s to REGISTERs (to be packaged with NTP!)
+# * more security: 
+#   - pike/rate-limit
+#   - identity
+#   - TLS
+#   - permissions
+# * refined DB use (e.g., flatstore for acc)
+# * miscellanous:
+#  - dialog module for monitoring purposes
+#  - more extensive logging using xlog (controlled by gflags/gAVPs)
+# * leveraging 2.1 features:
+#  - removal of private IP address (it takes a multicast-specific 
+#    command which will allow OS to determine source IP address)
+#  - timer route: 
+#     * don't use exec (it takes domain.reload as script command)
+#     * compare last-stored timestamp with current timestamp (it takes 
+#       assignment of gAVPs)
+#     * check multicast REGISTERs for their TTL (this is a simple and
+#       effective security check to prevent remote multicast messages
+#       to damage our traffic)
+#  - numerous fine-tuning parameters which are only available in 2.1 
+#   (mlock_pages, dns_try_naptr, etc.)
+#  - better support for preloaded routes with domain name
+#
+# Security considerations:
+# ------------------------
+# the script has been tested against security leaks, but it comes
+# under terms of GPL "as is" without any warranties; better check
+# yourself that:
+# - IP based authentication of PSTN gateway and multicast REGISTERs 
+#   is compliant to your network setup and security policy
+# - mutliple gateway IPs can't be provisioned as security checks
+#   are applied only to one
+#
+# Licensing
+# ----------
+# Copyright (C) 2005-2007 iptelorg GmbH
+# This file is part of SER, a free SIP server. It is available under the
+# terms of the  GNU General Public License.
+# Numerous folks have contributed to this file, including but not limited
+# to Andrei, Jan, Jiri, Michal, Miklos, Nils
+#
+#
+# .... that's it, enough of yadiyada, here the real config begin!
+
+
+# ----------- global configuration parameters ------------------------
+
+#debug=3         # debug level (cmd line: -ddd)
+#memdbg=10 # memory debug log level
+#memlog=10 # memory statistics log level
+#log_facility=LOG_LOCAL0 # sets the facility used for logging (see syslog(3))
+
+/* Uncomment these lines to enter debugging mode 
+fork=no
+log_stderror=yes
+*/
+
+check_via=no    # (cmd. line: -v)
+dns=no          # (cmd. line: -r)
+rev_dns=no      # (cmd. line: -R)
+#port=5060
+#children=4
+#user=ser
+#group=ser
+#disable_core=yes #disables core dumping
+open_files_limit=20480 # sets the open file descriptors limit
+#mhomed=yes  # usefull for multihomed hosts, small performance penalty
+# be conservative about enabling TCP -- it can degrade performance a lot
+disable_tcp=no
+#tcp_accept_aliases=yes # accepts the tcp alias via option (see NEWS)
+# ignore user=phone in request-URIs -- otherwise these URIs would be
+# interpreted as equivalent to TEL URIs, and their lookup would fail
+# in URI database
+phone2tel=no
+
+reply_to_via=no
+# public IP address
+#DEBCONF-LISTEN-START
+listen=1.2.3.4
+#DEBCONF-LISTEN-END
+# sip.mcast.net for REGISTER replication
+listen=224.0.1.75
+# administrative interface -- needed for example for multicast source
+# or XML-RPC
+#DEBCONF-LISTEN_ADMIN-START
+listen=udp:192.168.1.1
+#DEBCONF-LISTEN_ADMIN-END
+
+# ------------------- misc params -------------------------------------
+# ser 2.1 only
+# mlock_pages=yes
+# shm_force_alloc=yes
+# real_time=7
+
+
+# ------------------- DNS params -------------------------------------
+# (see doc/dns.txt for more details)
+# minimum timeouts 
+dns_retr_time=1
+dns_retr_no=1
+dns_servers_no=1
+dns_use_search_list=no
+dns_try_ipv6=no
+# dns cache & failover
+use_dns_cache=on
+use_dns_failover=on
+# dns_cache_flags=0
+dns_cache_negative_ttl=300
+dns_cache_min_ttl=60
+dns_cache_max_ttl=86400 # 1 day
+dns_cache_mem=2048 # 2 MB
+dns_cache_gc_interval=60  # garbage collection every minute
+# ser 2.1 specific options
+# dns_try_naptr=yes
+# dns_srv_lb=yes  # srv based load balancing
+# dns_udp_pref=3  # prefer udp (when resolving naptr record)
+# dns_tcp_pref=2  # if no udp availbale accept tcp (for naptr)
+# dns_tls_pref=-1 # ignore / don't accept tls (for naptr)
+# dns_cache_delete_nonexpired=no
+
+# ------------------- blacklist params -------------------------------------
+# (see doc/dst_blacklist.txt for more details)
+
+use_dst_blacklist=on
+dst_blacklist_mem=1024 # 1 MB
+dst_blacklist_expire=300  # blacklist default time
+dst_blacklist_gc_interval=150 # 2.5 min
+# for ser 2.1 to the above add tm blst_503* parameters and/or use the 
+# blst module (see NEWS)
+
+# ------------------- tcp params -------------------------------------
+# (see NEWS for more details)
+tcp_connection_lifetime=3600
+#tcp_max_connections=10240  # default is 2048
+tcp_connect_timeout=1
+
+ 
+# ------------------ module loading ----------------------------------
+
+# load a SQL database for authentication, domains, user AVPs etc.
+loadmodule "/usr/lib/ser/modules/mysql.so"
+
+loadmodule "/usr/lib/ser/modules/sl.so"
+loadmodule "/usr/lib/ser/modules/tm.so"
+loadmodule "/usr/lib/ser/modules/rr.so"
+loadmodule "/usr/lib/ser/modules/maxfwd.so"
+loadmodule "/usr/lib/ser/modules/usrloc.so"
+loadmodule "/usr/lib/ser/modules/registrar.so"
+loadmodule "/usr/lib/ser/modules/xlog.so"
+loadmodule "/usr/lib/ser/modules/textops.so"
+loadmodule "/usr/lib/ser/modules/ctl.so"
+loadmodule "/usr/lib/ser/modules/auth.so"
+loadmodule "/usr/lib/ser/modules/auth_db.so"
+loadmodule "/usr/lib/ser/modules/gflags.so"
+loadmodule "/usr/lib/ser/modules/domain.so"
+loadmodule "/usr/lib/ser/modules/uri_db.so"
+loadmodule "/usr/lib/ser/modules/avp.so"
+loadmodule "/usr/lib/ser/modules/avp_db.so"
+loadmodule "/usr/lib/ser/modules/acc_db.so"
+loadmodule "/usr/lib/ser/modules/xmlrpc.so"
+loadmodule "/usr/lib/ser/modules/options.so"
+loadmodule "/usr/lib/ser/modules/sanity.so"
+loadmodule "/usr/lib/ser/modules/nathelper.so"
+loadmodule "/usr/lib/ser/modules/uri.so"
+loadmodule "/usr/lib/ser/modules/speeddial.so"
+loadmodule "/usr/lib/ser/modules/timer.so"
+loadmodule "/usr/lib/ser/modules/db_ops.so"
+loadmodule "/usr/lib/ser/modules/exec.so"
+
+# ----------------- setting script FLAGS -----------------------------
+flags
+  FLAG_ACC            : 1, # this request will be recorded by ACC
+  FLAG_FAILUREROUTE   : 2, # we are operating from the failure route
+  FLAG_NAT            : 3, # the UAC is behind a NAT
+  FLAG_PEER_REPLICATE : 4, # the request came from a replication peer node
+  FLAG_TOTAG          : 5,
+  FLAG_PSTN_ALLOWED   : 6, # the user is allowed to use the PSTN
+  FLAG_DONT_RM_CRED   : 7, # do not remove the credentials
+  FLAG_AUTH_OK        : 8, # authentication suceeded
+  FLAG_SERWEB_RSVD1   : 9, # bit reserved for use with serweb
+  FLAG_SERWEB_RSVD2   :10; # bit reserved for use with serweb
+
+avpflags
+  dialog_cookie;        # handled by rr module
+
+# ----------------- setting module-specific parameters ---------------
+
+# specify the path to you database here
+#DEBCONF-DBURL-START
+modparam("speeddial|auth_db|usrloc|acc_db|domain|uri_db|gflags|avp_db|db_ops", "db_url", "mysql://ser:[email protected]/ser")
+#DEBCONF-DBURL-END
+
+# -- usrloc params --
+
+# db_mode 0 -- memory cached, 1 -- write thru, 2 -- delayed write
+modparam("usrloc", "db_mode", 2)
+# don't delete expired records from database on a per-contact basis -- that
+# results in bulky DB operations and can lead to synchronization issues
+# in server farm when for a time a server doesn't obtain re-reregistrations
+modparam("usrloc","db_skip_delete",1)
+
+# -- registrar params
+# maximum expires time, forces users to re-register every 10 min.
+modparam("registrar", "max_expires", 600)
+# minimum expires time, even if tried, clients cannot get registered
+# for a shorter time than this
+modparam("registrar", "min_expires", 240)
+
+
+# identify natted contacts using a flag
+modparam("registrar", "load_nat_flag", "FLAG_NAT")
+modparam("registrar", "save_nat_flag", "FLAG_NAT")
+
+
+# -- auth params --
+#modparam("auth_db", "calculate_ha1", yes)
+#modparam("auth_db", "plain_password_column", "password")
+# minimize replay-attack window
+modparam("auth", "nonce_expire", 10)
+# deal with client's who can't do qop properly
+modparam("auth", "qop", "")
+#DEBCONF-AUTHSECRET-START
+modparam("auth", "secret", "aqwedrftredswqwddcft")
+#DEBCONF-AUTHSECRET-END
+
+
+# -- rr params --
+# add value to ;lr param to make some broken UAs happy
+modparam("rr", "enable_full_lr", 1)
+#
+# limit the length of the AVP cookie to only necessary ones
+modparam("rr", "cookie_filter", "(account|uac_nat)")
+#
+# you probably do not want that someone can simply read and change
+# the AVP cookie in your Routes, thus should really change this
+# secret value below
+modparam("rr", "cookie_secret", "sgsatewgdbsnmpoiewh")
+
+# ftag may be used to easily determine if a BYE is coming from
+# caller or callee, but here we prefer shorter messages
+modparam("rr", "append_fromtag", 0)
+
+# -- gflags params --
+# load the global AVPs
+# here we load global AVPs such as PSTN GW IP address; this can
+# be manipulated using ser_attr
+modparam("gflags", "load_global_attrs", 1)
+
+# -- domain params --
+# load the domain AVPs
+modparam("domain", "load_domain_attrs", 1)
+
+# -- ctl params --
+# by default ctl listens on unixs:/tmp/ser_ctl if no other address is
+# specified in modparams; this is also the default for sercmd
+modparam("ctl", "binrpc", "unixs:/tmp/ser_ctl")
+# listen on the "standard" fifo for backward compatibility
+modparam("ctl", "fifo", "fifo:/tmp/ser_fifo")
+# listen on tcp, localhost
+#modparam("ctl", "binrpc", "tcp:localhost:2046")
+
+# -- acc_db params --
+# failed transactions (=negative responses) should be logged to
+modparam("acc_db", "failed_transactions", 1)
+
+# comment the next line if you dont want to have accouting to DB
+modparam("acc_db", "log_flag", "FLAG_ACC")
+
+# if you would like to customize your CDRs, do it here....
+#modparam("acc_db", "attrs", "$f.sop_billing_category,$f.isPrepaidCustomer,$f.sop_cf_orig_uid")
+
+# -- tm params --
+# uncomment the following line if you want to avoid that each new reply
+# restarts the resend timer (see INBOUND route below)
+modparam("tm", "restart_fr_on_each_reply", 0)
+
+# -- xmlrpc params --
+# using a sub-route from the module is a lot safer then relying on the
+# request method to distinguish HTTP from SIP
+#modparam("xmlrpc", "route", "RPC");
+
+# -- nathelper params --
+# RTP-Proxy
+#DEBCONF-RTTPPROXY-START
+modparam("nathelper", "rtpproxy_sock", "udp:192.168.1.1:22222")
+#DEBCONF-RTTPPROXY-END
+# TCP keepalives as simple as CRLF
+# modparam("nathelper", "tcpping_crlf", 0)
+#DEBCONF-NATPING_INTERVAL-START
+modparam("nathelper", "natping_interval", 15)
+#DEBCONF-NATPING_INTERVAL-END
+modparam("nathelper", "ping_nated_only", 1 )
+# if this option is not set, simple 4-bytes ping is sent
+modparam("nathelper", "natping_method", "OPTIONS" )
+#temporary statefull natping test (only in future versions)
+#modparam("nathelper", "natping_stateful", 1)
+
+# -- exec module
+modparam("exec", "time_to_kill", 200);
+modparam("exec", "setvars", 0);
+
+# -- timer module
+modparam("timer", "declare_timer", "ON_1MIN_TIMER,60000,slow,enable");
+
+# -------------------------  request routing logic -------------------
+
+# main routing logic
+
+route{
+
+
+
+	# if you have a PSTN gateway just un-comment the follwoing line and 
+	# specify the IP address of it to route calls to it
+	#$gw_ip = "1.2.3.4"
+	# alternatively (even better, set it as global persistent parameter
+	# using serweb or ser_attrs); also if using a PSTN GW per-subscriber
+	# options must ($gw_acl) or may (asserted_id) be set to enable calls
+	# to PSTN; if email-like addresses are used, having a URI alias for
+	# processing incoming pstn-2-ip requests may be useful too
+	# important: the script is assuming one global pstn-gw for all domains!
+	# failure to allow gw_ip to be a domain-specic attribute would result
+	# in security gaps (onsend_route checks only for one gateway)
+
+
+	# first do some initial sanity checks
+	route(INIT);
+
+	# bypass the rest of the script for CANCELs if possible
+	route(CATCH_CANCEL);
+
+	# check if the request is routed via Route header or
+	# needs a Record-Route header
+	route(RR);
+
+	# check if the request belongs to our proxy
+	route(DOMAIN);
+
+	# answer OPTIONS to our system
+	route(OPTIONS_REPLY);
+
+	# handle REGISTER requests
+	route(REGISTRAR);
+
+	# from here on we want to know who is calling
+	route(AUTHENTICATION);
+
+	# we are finished with all the precaution work -- let's
+	# try to locate the callee; the first route that matches
+	# "wins", if none matches, SER will send a 404
+
+	# check if we should be outbound proxy for a local user
+	route(OUTBOUND);
+
+	# redirect in case user dialed a speed dial entry
+	route(SPEEDDIAL);
+
+	# place various site-specific routes here
+	route(SITE_SPECIFIC);
+
+	# check if the request is for a local user
+	route(INBOUND);
+
+	# here you could for example try to do an ENUM lookup before
+	# the call gets routed to the PSTN
+	#route(ENUM);
+
+	# last resort: if none of the previous route has found
+	# the recepient, try PSTN
+	route(PSTN);
+
+	# nothing matched, reject it finally
+	sl_reply("404", "No route matched");
+}
+
+route[FORWARD]
+{
+	# here you could decide wether this call needs a RTP relay or not
+
+	# if this is called from the failure route we need to open a new branch
+	if (isflagset(FLAG_FAILUREROUTE)) {
+		append_branch();
+	}
+
+	# if this is an initial INVITE (without a To-tag) we might try another
+	# (forwarding or voicemail) target after receiving an error
+	if (method=="INVITE" && [email protected]) {
+		t_on_failure("FAILURE_ROUTE");
+	}
+
+	t_on_reply("REPLY_ROUTE");
+
+	route(RTPPROXY);
+
+
+	# remove credentials to keep requests shorter
+	if (isflagset(FLAG_AUTH_OK) && !isflagset(FLAG_DONT_RM_CRED) ) {
+		consume_credentials();
+	}
+
+	# send it out now; use stateful forwarding as it works reliably
+	# even for UDP2TCP
+	if (!t_relay()) {
+		sl_reply_error();
+	}
+	drop;
+}
+
+route[INIT]
+{
+	# initial sanity checks -- messages with
+	# max_forwards==0, or excessively long requests
+	if (!mf_process_maxfwd_header("10")) {
+		sl_reply("483","Too Many Hops");
+		drop;
+	}
+
+	#if (msg:len >=  max_len ) {
+	if (msg:len >=  4096 ) {
+		sl_reply("513", "Message too big");
+		drop;
+	}
+
+
+	# this flag is need for the onsend route
+	if (@to.tag) {
+		setflag(FLAG_TOTAG);
+	}
+	
+	# check if the UAC is natted and fix the message appropiatly
+	route(NAT_DETECTION);
+
+	# lets account all initial INVITEs
+	# further in-dialog requests are accounted by a RR cookie (see below)
+	if (method=="INVITE" && [email protected]) {
+		setflag(FLAG_ACC);
+	}
+
+	if ($replicate==1) { # if global flag enabled, carry on replication
+		setflag(FLAG_PEER_REPLICATE);
+	}
+}
+
+route[OPTIONS_REPLY]
+{
+	# if it an OPTIONS without a username in the RURI but one
+	# our IPs answer directly statelessly
+	if (method=="OPTIONS" && @ruri.user=="" && (uri==myself||$t.did)) {
+		options_reply();
+		drop;
+	}
+}
+
+route[NAT_DETECTION]
+{
+	# lots of UAs do not send rport in there Via header
+	# so we put it there to remember where to send the reply to
+	force_rport();
+	force_tcp_alias();
+
+	# check if the request contains hints for a NATed UAC
+	# also try to rewrite contacts using maddr; using maddr is a real
+	# dubious technique and we better replace such with transport address;
+	# downside: it fails for clients fronted by another server, in which
+	# case a valid contact we dislike because of maddr will be substituted
+	# inapproprietely; (e.g., WM from other domains will fail); if worried
+	# about that, remove tests for maddr and recompile SER using HONOR_MADDR
+	# also note that possibly rewriting contacts may lead to client
+	# renying subseqent requests to them because they don't recognized
+	# fixed contacts as their own; we haven't encountered such case
+	# yet; a possible solution a la usrloc would be to store the original
+	# information as a contact parameter and restore it on its way back
+	if (nat_uac_test("19") || (@hf_value["contact"] && @contact.uri.params.maddr) ) {
+		setflag(FLAG_NAT);
+		$uac_nat=1;
+		if (method=="REGISTER") {
+			# prepare the Contact so that the registrar module saves the
+			# source as well
+			fix_nated_register();
+		} else {
+			# overwrite the Contact to allow proper in-dialog routing
+			fix_nated_contact();
+		}
+	}
+
+}
+
+route[RTPPROXY]
+{
+	# if no NAT is involved we dont have to do here anything
+	if (!isflagset(FLAG_NAT)) {
+		break;
+	}
+
+	# if the message terminates a dialog turn RTP proxy off
+	if ((method=="BYE" || method=="CANCEL") ||
+		isflagset(FLAG_FAILUREROUTE)) {
+		unforce_rtp_proxy();
+		append_hf("P-RTP-Proxy: UNFORCED\r\n");
+		break;
+	}
+
+	# turn the RTP proxy on for INVITEs
+	if (method=="INVITE") {
+		force_rtp_proxy('r');
+		append_hf("P-RTP-Proxy: YES\r\n");
+	}
+}
+
+route[RR]
+{
+	# subsequent messages withing a dialog should take the
+	# path determined by record-routing
+	if (loose_route()) {
+		# mark routing logic in request
+		append_hf("P-hint: rr-enforced\r\n"); 
+
+		# if the Route contained the accounting AVP cookie we
+		# set the accounting flag for the acc_db module.
+		# this is more for demonstration purpose as this could
+		# also be solved without RR cookies.
+		# Note: this means all in-dialog request will show up in the
+		# accouting tables, so prepare your accounting software for this ;-)
+		if ($account == "yes") {
+			setflag(FLAG_ACC);
+		}
+
+		# restore the NAT flag is is present
+		if ($uac_nat == 1) {
+			setflag(FLAG_NAT);
+		}
+
+		# for broken devices which overwrite their Route's with each
+		# (not present) RR from within dialog requests it is better
+		# to repeat the RRing
+		# and if we call rr after loose_route the AVP cookies are restored
+		# automatically :)
+		# note that here we forward before authentication check is executed;
+		# generally we only authenticate dialog-initiating requests; some
+		# in-dialog requests can't be authenticated at all, see the
+		# call-forwarding example in route[DOMAIN]
+		record_route();
+
+		route(FORWARD);
+	} else if (!method=="REGISTER") {
+		# we record-route all messages -- to make sure that
+		# subsequent messages will go through our proxy; that's
+		# particularly good if upstream and downstream entities
+		# use different transport protocol
+
+		# if the inital INVITE got the ACC flag store this in
+		# an RR AVP cookie. this is more for demonstration purpose
+		if (isflagset(FLAG_ACC)) {
+			$account = "yes";
+			setavpflag($account, "dialog_cookie");
+		}
+
+		record_route();
+	}
+}
+
+route[DOMAIN]
+{
+	# check if the caller is from a local domain
+	lookup_domain("$fd", "@from.uri.host");
+
+	# check if the callee is at a local domain
+	lookup_domain("$td", "@ruri.host");
+
+	# we dont know the domain of the caller and also not
+	# the domain of the callee -> somone uses our proxy as
+	# a relay; however we apply this check only to dialog
+	# initiating requests (no totag) -- in some cases such
+	# as call-forwarding, subsequent requests may not include
+	# served domain neither as origination nor destination
+	# (a@A calls b@B that forwards to c@C; BYE is formed as
+	# BYE a's IP\n f: b@B \n t: a@A; C server doesnt't spot
+	# C domain anywhere despite BYE is legitimate)
+	if (!isflagset(FLAG_TOTAG) && !$t.did && !$f.did) {
+		sl_reply("403", "Relaying Forbidden");
+		drop;
+	}
+}
+
+
+
+route[REGISTRAR]
+{
+	# process only REGISTERs here
+	if (!method=="REGISTER") {
+		break;
+	}
+
+	# if this is a replica (sent to multicast address), trust it to be
+	# secure and store it in usrloc
+	if (dst_ip==224.0.1.75) {
+		if (!isflagset(FLAG_PEER_REPLICATE)) {
+			# multicast replication adminsitratively disabled -- ignore
+			drop;
+		}
+		if (search("^Repl-Marker: nated")) { #: read marker from master
+			setflag(FLAG_NAT);
+			$uac_nat=1;
+		}
+		# assumes URI in form of UID@mydomain; store contacts under
+		# this UID; note it only works if local policy causes UIDs to
+		# have form compliant to RFC3261 URI usernames
+		[email protected];
+		if (!save_mem_nr("location")) {
+			log(1, "SER: Error while processing replicated REGISTER");
+		}
+		drop;
+	}
+
+	# check if the REGISTER if for one of our local domains
+	if (!$t.did) {
+		sl_reply("403", "Register forwarding forbidden");
+		drop;
+	}
+
+	# the REGISTER target is in the To header, so reload the domain
+	if (!lookup_domain("$td", "@to.uri.host")) {
+		sl_reply("404", "Unknown Domain");
+		drop;
+	}
+
+	append_to_reply("Expires: 600\r\n");
+	# useful for clients that ignore expires in 200 -- this is a try
+	# to keep them sticking to our value of 600
+	append_to_reply("Min-Expires: 240\r\n");
+
+	# we want only authenticated users to be registered
+	if (!www_authenticate("$fd.digest_realm", "credentials")) {
+		if ($? == -2) {
+			sl_reply("500", "Internal Server Error");
+		} else if ($? == -3) {
+			sl_reply("400", "Bad Request");
+		} else {
+			if ($digest_challenge) {
+				append_to_reply("%$digest_challenge");
+			}
+			sl_reply("401", "Unauthorized");
+		}
+		drop;
+	}
+
+	# check if the authenticated user is the same as the target user
+	if (!lookup_user("$tu.uid", "@to.uri")) {
+		sl_reply("404", "Unknown user in To");
+		drop;
+	}
+
+	# the authentication ID does not match the ID in the To header
+	if ($f.uid != $t.uid) {
+		sl_reply("403", "Authentication and To-Header mismatch");
+		drop;
+	}
+
+	# check if the authenticated user is the same as the request originator
+	# you may uncomment it if you care, what uri is in From header
+	#if (!lookup_user("$fu.uid", "@from.uri")) {
+	#	sl_reply("404", "Unknown user in From");
+	#	drop;
+	#}
+	#if ($fu.uid != $tu.uid) {
+	#	sl_reply("403", "Authentication and From-Header mismatch");
+	#	drop;
+	#}
+
+	# everyhting is fine so lets store the binding
+	if (!save_contacts("location")) {
+		sl_reply("400", "Invalid REGISTER Request");
+		drop;
+	}
+	if (isflagset(FLAG_PEER_REPLICATE)) {
+		if (isflagset(FLAG_NAT)) {
+			append_hf("Repl-Marker: nated\r\n");
+		}
+		# note: we are multicasting a successful REGISTER
+		# to all proxies on the multicast network for
+		# sake of replication; in case they share the
+		# same IP address (VIP) it is important to set
+		# the sending IP address to an unshared one
+		# (in the future a special mcast module may 
+		# use unbound sockets for sending and leave
+		# the srouce IP address decision up to kernel
+		# routing tables)
+		#DEBCONF-REPL_SEND_ADDR-START
+		force_send_socket(udp:192.168.1.1);
+		#DEBCONF-REPL_SEND_ADDR-END
+		# put UID in request URI so that it doesn't
+		# have to be looked up by all multicast receivers
+		# in database
+		attr2uri("$tu.uid","user");
+		forward_udp(224.0.1.75,5060);
+	}
+	drop;
+}
+
+
+
+# authentication of request originators claiming to belong to our
+# domain
+route[AUTHENTICATION]
+{
+	if (method=="CANCEL" || method=="ACK") {
+		# you are not allowed to challenge these methods
+		break;
+	}
+
+
+	# requests from non-local to local domains should be permitted
+	# remove this if you want a walled garden
+	if (! $f.did) {
+		break;
+	}
+
+	# as gateways are usually not able to authenticate for their
+	# requests you will have trust them base on some other information
+	# like the source IP address. WARNING: if at all this is only safe
+	# in a local network!!!
+	if (@src.ip == $gw_ip) {
+		break;
+	}
+
+	if (!proxy_authenticate("$fd.digest_realm", "credentials")) {
+		if ($? == -2) {
+			sl_reply("500", "Internal Server Error");
+		} else if ($? == -3) {
+			sl_reply("400", "Bad Request");
+		} else {
+			if ($digest_challenge) {
+				append_to_reply("%$digest_challenge");
+			}
+			sl_reply("407", "Proxy Authentication Required");
+		}
+		drop;
+	}
+
+	# check if the UID from the authentication matches the From header
+	$authuid = $uid;
+	if (!lookup_user("$fu.uid", "@from.uri")) {
+		del_attr("$uid");
+	}
+	if ($fu.uid != $fr.authuid) {
+		sl_reply("403", "Fake Identity");
+		drop;
+	}
+	setflag(FLAG_AUTH_OK);
+	# load the user AVPs (preferences) of the caller, e.g. for RPID header
+	load_attrs("$fu", "$f.uid");
+}
+
+route[OUTBOUND]
+{
+	# if a local user calls to a foreign domain we play outbound proxy for him
+	# comment this out if you want a walled garden
+	if ($f.did && ! $t.did) {
+		append_hf("P-hint: outbound\r\n");
+		route(FORWARD);
+	}
+}
+
+route[SPEEDDIAL]
+{
+	# if the caller is local and used only two digits
+	# we redirect the UA to the real target
+	if ($fd.did && uri=~"sip:[0-9][0-9]@") {
+		if (sd_lookup("speed_dial")) {
+			sl_reply("302", "Speed Dial Redirect");
+		} else {
+			sl_reply("404", "Speed Dial Not Found");
+		}
+		drop;
+	}
+	;
+}
+
+route[INBOUND]
+{
+	# lets see if know the callee
+	if (lookup_user("$tu.uid", "@ruri")) {
+
+		# load the preferences of the callee to have his timeout values loaded
+		load_attrs("$tu", "$t.uid");
+
+		# if you want to know if the callee username was an alias
+		# check it like this
+		#if (! $tu.uri_canonical) {
+			# if the alias URI has different AVPs/preferences
+			# you can load them into the URI track like this
+			#load_attrs("$tr", "@ruri");
+		#}
+
+		# check for call forwarding of the callee
+		# Note: the forwarding target has to be full routable URI
+		#       in this example
+		if ($tu.fwd_always_target) {
+			attr2uri("$tu.fwd_always_target");
+
+			# if we are forwarding to ourselves, don't
+			# remove credentials ; otherwise we would be
+			# challenged again
+			# Note: this doesn't apply to failure_route which
+			# may be still problematic -- credentials are already
+			# removed when we forward; consider 3xx!!!
+			lookup_domain("$td", "@ruri.host");
+			if ($t.did) {
+				setflag(FLAG_DONT_RM_CRED);
+			}
+
+			route(FORWARD);
+		}
+
+		# native SIP destinations are handled using our USRLOC DB
+		if (lookup_contacts("location")) {
+			append_hf("P-hint: usrloc applied\r\n");
+
+
+			# we set the TM module timers according to the prefences
+			# of the callee (avoid too long ringing of his phones)
+			# Note1: timer values have to be in ms now!
+			# Note2: this makes even more sense if you switch to a voicemail
+			#        from the FAILURE_ROUTE below
+			if ($t.fr_inv_timer) {
+				if ($t.fr_timer) {
+					t_set_fr("$t.fr_inv_timer", "$t.fr_timer");
+				} else {
+					t_set_fr("$t.fr_inv_timer");
+				}
+			}
+
+			route(FORWARD);
+		} else {
+			sl_reply("480", "User temporarily not available");
+			drop;
+		}
+	}
+}
+
+route[PSTN]
+{
+	# Only if the AVP 'gw_ip' is set and the request URI contains
+	# only a number we consider sending this to the PSTN GW.
+	# Only users from a local domain are permitted to make calls.
+	# Additionally you might want to check the acl AVP to verify
+	# that the user is allowed to make such expensives calls.
+	if (!$f.did) break;
+	if (!$gw_ip) break;
+	if (!uri=~"sips?:\+?[0-9]{3,18}@.*") break;
+	
+	# probably you need to convert the number in the request
+	# URI according to the requirements of your gateway here
+
+	# ....
+
+	# check permissions of the caller here for dialog-initiating requests
+	if (method=="INVITE" && [email protected]) {
+		if (!$f.gw_acl=="1") {
+			sl_reply("403", "pstn not permitted");
+			drop;
+		}
+	}
+
+	# if an optional AVP 'asserted_id' is set we insert an RPID header
+	if ($asserted_id) {
+		xlset_attr("$rpidheader", "<sip:%$asserted_id@%@ruri.host>;screen=yes");
+		replace_attr_hf("Remote-Party-ID", "$rpidheader");
+	}
+
+	# just replace the domain part of the RURI with the
+	# value from the AVP and send it out
+	attr2uri("$gw_ip", "domain");
+	# set the PSTN_ALLOWED flag, checked from onsend_route
+	setflag(FLAG_PSTN_ALLOWED);
+	route(FORWARD);
+}
+
+route[CATCH_CANCEL] {
+	# check whether there is a corresponding INVITE to the CANCEL,
+	# and bypass the rest of the script if possible
+
+	if (method == CANCEL) {
+		# ser 2.1 only
+		#if (!t_relay_cancel()) { # implicit drop if the INVITE was found
+
+			# INVITE was found but some error occurred
+		#	sl_reply("500", "Internal Server Error");
+		#	drop;
+		#}
+		# bad luck, no corresponding INVITE was found,
+		# we have to continue with the script
+		;
+	}
+}
+
+route[SITE_SPECIFIC] {
+	# only if a request is coming for one of our domains...
+	if (!$t.did) break;
+	# check if we do have some site-specific routing policy
+	# such as peering
+	# example:
+	if (uri=~"^sip:000777") {
+		rewritehostport("sems01.iptel.org:5074");
+		route(FORWARD);
+	}
+}
+
+
+failure_route[FAILURE_ROUTE]
+{
+	# mark for the other routes that we are operating from here on from a
+	# failure route
+	setflag(FLAG_FAILUREROUTE);
+
+	if (t_check_status("486|600")) {
+		# if we received a busy and a busy target is set, forward it there
+		# Note: again the forwarding target has to be a routeable URI
+		# We redirect using 3xx to avoid possible issues with credentials
+		# (if we consumed them, they may be missing in a loop, if we don't
+		# consume them, messages are bigger and more vulnerable)
+		if ($tu.fwd_busy_target) {
+			#attr2uri("$tu.fwd_busy_target");
+			#route(FORWARD);
+			attr_destination("$tu.fwd_busy_target");
+			t_reply("302", "Redirect On Busy");
+		}
+		# alternatively you could forward the request to SEMS/voicemail here
+	}
+	else if (t_check_status("408|480")) {
+		# if we received no answer and the noanswer target is set,
+		# forward it there
+		# Note: again the target has to be a routeable URI
+		if ($tu.fwd_noanswer_target) {
+			#attr2uri("$tu.fwd_noanswer_target");
+			#route(FORWARD);
+			attr_destination("$tu.fwd_noanswer_target");
+			t_reply("302", "Redirect On Busy");
+		}
+		# alternatively you could forward the request to SEMS/voicemail here
+	}
+}
+
+onreply_route[REPLY_ROUTE]
+{
+	# fix Contact in reply if it contains a private IP to allow
+	# proper routing of in-dialog messages
+	# do the same if the contact is maddred -- see [NAT_DETECTION]
+	# for additional notes about it
+	if (nat_uac_test("1") || (@hf_value["contact"] && @contact.uri.params.maddr) ) {
+		fix_nated_contact();
+	}
+
+	# if a NAT is involved and this is the final positive reply
+	# which contains a body, start to use the RTP proxy
+	if (isflagset(FLAG_NAT) &&
+		status=~"(18[03])|(2[0-9][0-9])" &&
+		!search("^Content-Length: 0")) {
+		force_rtp_proxy('r');
+	}
+}
+
+
+onsend_route{
+	# bypass check -- eliminate requests to PSTN GW if they have not
+	# passed ACL checks (not marked with FLAG_PSTN_ALLOWED) and are
+	# dialog-initiating requests (no to-tag, no CANCEL, no ACK); this
+	# helps to stop policy bypasses (GW IP uploaded as a forked contact,
+	# or a call-forwarding destination, or a DNS name, or a preloaded
+	# route, or something else possibly)
+
+	if (to_ip==$g.gw_ip && !isflagset(FLAG_PSTN_ALLOWED) &&
+	    !isflagset(FLAG_TOTAG) && method!="ACK" && method!="CANCEL"){
+		log(1, "ALERT: non authorized packet for PSTN, dropping...\n%mb\n");
+		# can't use advanced features from onsend_route
+		#xlog("L_ALERT", "non authorized packet for PSTN, dropping...\n%mb\n");
+		drop;
+	}
+}
+
+route[ON_1MIN_TIMER] {
+	# cleanup expired location records
+	db_query("delete from location where expires<utc_timestamp()");  
+
+	# reload domains if domain table has been changed recently
+	# note: because global attributes are read-only and we can't
+	# easily remember the "last" status, we check for changed
+	# timestamp in 2 minute time-interval
+
+	db_query("select value from global_attrs where name='domain_data_version' and type=0 and cast(value as unsigned int) between unix_timestamp(now())-120 and unix_timestamp(now())", 0);
+
+	if (@db.fetch[0].count=="1") {
+		# domain reload only available as fifo command
+		exec_msg("sercmd domain.reload"); 
+	}
+	db_close(0);
+}
+
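Review bot: The `rr` `cookie_secret` in the module-parameter section is a fixed string with no `#DEBCONF-...-START`/`-END` pair around it, unlike the `auth` `secret` a few lines above it, so every host installed from this file would apparently keep the same value unless the administrator edits it by hand (the post-installation script is not visible here). That cookie carries the `account` and `uac_nat` attributes named in `cookie_filter`, and route[RR] turns them back into FLAG_ACC and FLAG_NAT for in-dialog requests that are forwarded before the authentication route runs, so a publicly known secret weakens the only protection on those values. I would either put the parameter under debconf control like the auth secret, or at least mark the value as a placeholder, e.g. `# PLACEHOLDER -- replace with a random per-installation value before going live`. Separately, the ctl module's `binrpc` and `fifo` endpoints are created under /tmp; a directory writable only by the SER user would be a safer default location for the control interface.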

+ 12 - 0
pkg/debian/changelog

@@ -1,3 +1,15 @@
+ser (2.1.0-0dev12) unstable; urgency=low
+
+  * Updated Debian specification for cvs HEAD version.
+
+ -- Pavel Kasparek <[email protected]>  Wed, 31 Oct 2007 13:35:40 +0100
+
+ser (2.0.0-0rc5.7) unstable; urgency=low
+
+  * Updated Debian specification for upcoming SER 2.0.0 version.
+
+ -- Pavel Kasparek <[email protected]>  Tue, 11 Sep 2007 12:08:05 +0200
+
 ser (0.9.4-0.2) unstable; urgency=low
 
   * minor debian rules clean target fix 

+ 48 - 31
pkg/debian/control

@@ -2,14 +2,14 @@ Source: ser
 Section: net
 Priority: optional
 Maintainer: Andrei Pelinescu-Onciul <[email protected]>
-Build-Depends: debhelper (>= 4), libmysqlclient-dev | libmysqlclient15-dev | libmysqlclient14-dev | libmysqlclient12-dev, libexpat1-dev, libradius-ng-dev | libradiusclient-ng-dev | libradius1-dev, libxml2-dev, libpq-dev | postgresql-dev, libcurl3-dev, libssl-dev
+Build-Depends: debhelper (>= 4), libmysqlclient-dev | libmysqlclient15-dev | libmysqlclient14-dev | libmysqlclient12-dev, libexpat1-dev, libradius-ng-dev | libradiusclient-ng-dev | libradius1-dev, libxml2-dev, libpq-dev | postgresql-dev, libcurl3-dev, libssl-dev, libreadline5-dev
 Standards-Version: 3.5.2
 
 Package: ser
 Architecture: any
 Depends: ${shlibs:Depends}, ${misc:Depends}, adduser
-Suggests: ser-mysql-module, ser-jabber-module, ser-cpl-module, ser-pa-module, ser-radius-modules
-Conflicts: ser-mysql-module (<< ${Source-Version}), ser-jabber-module (<< ${Source-Version}), ser-radius-modules (<< ${Source-Version}), ser-cpl-module (<< ${Source-Version}), ser-pa-module (<< ${Source-Version}), ser-postgres-module (<< ${Source-Version}), ser-acc-db-module (<< ${Source-Version}), ser-acc-radius-module (<< ${Source-Version})
+Suggests: ser-mysql-modules, ser-jabber-module, ser-cpl-module, ser-presence-modules, ser-radius-modules
+Conflicts: ser-mysql-modules (<< ${Source-Version}), ser-jabber-module (<< ${Source-Version}), ser-radius-modules (<< ${Source-Version}), ser-cpl-module (<< ${Source-Version}), ser-presence-modules (<< ${Source-Version}), ser-postgres-module (<< ${Source-Version}), ser-acc-db-module (<< ${Source-Version}), ser-acc-radius-module (<< ${Source-Version})
 Description: Sip Express Router, very fast and configurable SIP proxy
  ser or SIP Express Router is a very fast and flexible SIP (RFC3621)
  proxy server. Written entirely in C, ser can handle thousands calls
@@ -21,35 +21,35 @@ Description: Sip Express Router, very fast and configurable SIP proxy
  Authentication, Record Routing, SMS Gateway, Jabber Gateway, Transaction 
  Module, Registrar and User Location.
 
-Package: ser-mysql-module
+Package: ser-mysql-modules
 Architecture: any
 Depends: ${shlibs:Depends}, ser (= ${Source-Version})
-Description: contains the MySQL database connectivity module
+Description: contains the MySQL database connectivity modules
  This has been split out of the main ser package, so that ser will not
  depend upon libmysqlclient. This module will enable you to use the digest
  authentication module or persistent user location entries.
 
-Package: ser-jabber-module
-Architecture: any
-Depends: ${shlibs:Depends}, ser (= ${Source-Version})
-Description: contains the Jabber module (SIP-Jabber message translation)
- This has been split out of the main ser package, so that ser will not
- depend upon libexpat. This module will enable you to use ser to translate
- SIP messages into Jabber messages.
+#Package: ser-jabber-module
+#Architecture: any
+#Depends: ${shlibs:Depends}, ser (= ${Source-Version})
+#Description: contains the Jabber module (SIP-Jabber message translation)
+# This has been split out of the main ser package, so that ser will not
+# depend upon libexpat. This module will enable you to use ser to translate
+# SIP messages into Jabber messages.
 
-Package: ser-cpl-module
-Architecture: any
-Depends: ${shlibs:Depends}, ser (= ${Source-Version})
-Description: contains the cpl-c module (CPL support)
- This has been split out of the main ser package, so that ser will not
- depend upon libxml2.
+#Package: ser-cpl-module
+#Architecture: any
+#Depends: ${shlibs:Depends}, ser (= ${Source-Version})
+#Description: contains the cpl-c module (CPL support)
+# This has been split out of the main ser package, so that ser will not
+# depend upon libxml2.
 
-Package: ser-presence-module
-Architecture: any
-Depends: ${shlibs:Depends}, ser (= ${Source-Version})
-Description: contains the SIMPLE based presence support (Presence server)
- This module contains modules and libraries needed to implement SIMPLE
- based presence support in SER
+#Package: ser-presence-modules
+#Architecture: any
+#Depends: ${shlibs:Depends}, ser (= ${Source-Version})
+#Description: contains the SIMPLE based presence support (Presence server)
+# This module contains modules and libraries needed to implement SIMPLE
+# based presence support in SER
 
 Package: ser-radius-modules
 Architecture: any
@@ -59,13 +59,13 @@ Description: contains the ser RADIUS modules
  depend upon libradius1. This modules will enable you to authenticate, 
  do group membership checking or check the messages uris using RADIUS.
 
-Package: ser-postgres-module
-Architecture: any
-Depends: ${shlibs:Depends}, ser (= ${Source-Version})
-Description: contains the PostgreSQL database connectivity module
- This has been split out of the main ser package, so that ser will not
- depend upon libpq. This module will enable you to use the digest
- authentication module or persistent user location entries.
+#Package: ser-postgres-module
+#Architecture: any
+#Depends: ${shlibs:Depends}, ser (= ${Source-Version})
+#Description: contains the PostgreSQL database connectivity module
+# This has been split out of the main ser package, so that ser will not
+# depend upon libpq. This module will enable you to use the digest
+# authentication module or persistent user location entries.
 
 Package: ser-xmlrpc-module
 Architecture: any
@@ -75,3 +75,20 @@ Description: contains the XML-RPC based interface to SER
  interface can be used to change various configuration options of
  SER at runtime. Other applications, such as serctl command line
  tools and SERWeb use XML-RPC interface to communicate with SER
+
+Package: ser-oob
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, ser, ser-mysql-modules, ser-xmlrpc-module, serctl
+Suggests: rttpproxy, logrotate, ngrep
+Description: Sip Express Router - package for "out of the box" installation
+ This package conatins advanced configuration file for ser - SIP Express Router
+ and depends on ser and all needed ser modules. It can be used for easy installation 
+ of ser "out of the box".
+
+Package: ser-nth
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, screen, gdb, binutils, gcc, bison, flex, ngrep, tcpdump, iftop, lsof, psmisc, vim, bvi, most, serctl, mc, sipsak
+Description: Sip Express Router - package for "nice to have" installation
+ This is a meta-package for easy installation various useful tools that may be
+ handy on server with SER installed.
+
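Review bot: The ser-nth stanza puts every tool under `Depends:`, so installing it forces gcc, gdb, tcpdump and ngrep onto the SIP server with no way to leave any of them out. Moving the list to `Recommends:` keeps the one-step install while letting a hardened host omit the compiler, debugger and capture tools. In the ser-oob stanza, `Suggests: rttpproxy` looks like a misspelling of `rtpproxy`, so the hint would never resolve to the RTP proxy the oob configuration needs. The `ser` stanza also still lists ser-jabber-module, ser-cpl-module and ser-presence-modules in `Suggests:`/`Conflicts:`, although their package stanzas are now commented out.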

+ 1 - 1
pkg/debian/postinst

@@ -64,7 +64,7 @@ if [ -x "/etc/init.d/ser" ]; then
 	 if ! invoke-rc.d ser restart ; then
 		echo ""
 		echo "ser failed to (re)start. Perhaps your configuration requires "
-		echo "additional modules (e.g. ser-mysql-module, ser-jabber-module "
+		echo "additional modules (e.g. ser-mysql-modules, ser-jabber-module "
 		echo "or ser-radius-modules). Next try to install any additional ser"
 		echo "modules you might need and then (re)start ser by executing "
 		echo "the command '/etc/init.d/ser start|restart'."

+ 82 - 65
pkg/debian/rules

@@ -17,7 +17,12 @@
 #               is not yet part of debian)  (andrei)
 #  2005-06-23  added cpl-c, pa & re-enabled radius (with libradiusclient-ng)
 #                (andrei)
-
+#  2007-09-11  updated for ser 2.0.0 and Debian Etch
+#              presence modules commented out (can't be compiled due to some bug in Makefile)
+#              added /etc/defaults/ser file installation
+#              added ser-oob package
+#                (pavel)
+#  2007-10-31  updated for cvs head (pavel)
 
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
@@ -28,31 +33,35 @@
 #  force no striping (always include debug symbols for now)
 export DEB_BUILD_OPTIONS:="$(DEB_BUILD_OPTIONS) nostrip"
 
-# modules not in the "main" package or unstable 
-EXCLUDED_MODULES=	mysql jabber acc_radius xmlrpc auth_radius group_radius uri_radius \
-					avp_radius pa rls dialog presence_b2b xcap postgres snmp cpl cpl-c ext extcmd 
+# modules not in the "main" ser package
+EXCLUDED_MODULES=	jabber xmlrpc postgres cpl cpl-c
+
+# extra modules to skip, because they are not compilable now
+# - regardless if they go to the main ser package or to some module package,
+# they will be excluded from compile and install of all
+EXTRA_EXCLUDED_MODULES=	cpl-c avpops flatstore pdt db_ops lcr msilo speeddial
 
-# modules depending on mysql
-MYSQL_MODULES=mysql
+### modules depending on mysql
+##MYSQL_MODULES=mysql
 #jabber related modules
 JABBER_MODULES=jabber
-#module depending on radiusclient
-RADIUS_MODULES=acc_radius auth_radius group_radius uri_radius avp_radius
+###module depending on radiusclient
+##RADIUS_MODULES=acc_radius auth_radius group_radius uri_radius avp_radius
 #cpl related modules
 CPL_MODULES=cpl-c
-# pa related modules
-PA_MODULES=pa rls dialog presence_b2b xcap
+### pa related modules
+##PA_MODULES=pa rls dialog presence_b2b xcap
 # postgres modules
 POSTGRES_MODULES=postgres
 # xmlrpc module
 XMLRPC_MODULES=xmlrpc
 
 # the same but with path prepended (needed for modules="...")
-MYSQL_MOD_PATH=$(addprefix modules/, $(MYSQL_MODULES))
+##MYSQL_MOD_PATH=$(addprefix modules/, $(MYSQL_MODULES))
 JABBER_MOD_PATH=$(addprefix modules/, $(JABBER_MODULES))
-RADIUS_MOD_PATH=$(addprefix modules/, $(RADIUS_MODULES))
+##RADIUS_MOD_PATH=$(addprefix modules/, $(RADIUS_MODULES))
 CPL_MOD_PATH=$(addprefix modules/, $(CPL_MODULES))
-PA_MOD_PATH=$(addprefix modules/, $(PA_MODULES))
+##PA_MOD_PATH=$(addprefix modules/, $(PA_MODULES))
 POSTGRES_MOD_PATH=$(addprefix modules/, $(POSTGRES_MODULES))
 XMLRPC_MOD_PATH=$(addprefix modules/, $(XMLRPC_MODULES))
 
@@ -79,18 +88,14 @@ build-stamp: configure-stamp
 	dh_testdir
 
 	# Add here commands to compile the package.
-	$(MAKE) all  skip_modules="$(EXCLUDED_MODULES)" cfg-target=/etc/ser/
-	$(MAKE) modules modules="$(MYSQL_MOD_PATH)" cfg-target=/etc/ser/
-	$(MAKE) modules modules="$(JABBER_MOD_PATH)" cfg-target=/etc/ser/
-	$(MAKE) modules modules="$(RADIUS_MOD_PATH)" cfg-target=/etc/ser/
-	$(MAKE) modules modules="$(CPL_MOD_PATH)" cfg-target=/etc/ser/
-
-	# Compile shared libraries needed for presence modules
-	$(MAKE) -C lib -f Makefile.ser 
-	$(MAKE) modules modules="$(PA_MOD_PATH)" cfg-target=/etc/ser/
-	
-	$(MAKE) modules modules="$(POSTGRES_MOD_PATH)" cfg-target=/etc/ser/
-	$(MAKE) modules modules="$(XMLRPC_MOD_PATH)" cfg-target=/etc/ser/
+	$(MAKE) all group_include="standard" skip_modules="$(EXCLUDED_MODULES) $(EXTRA_EXCLUDED_MODULES)" cfg-target=/etc/ser/ prefix=/usr
+	$(MAKE) modules group_include="mysql" cfg-target=/etc/ser/ prefix=/usr skip_modules="$(EXTRA_EXCLUDED_MODULES)"
+	#$(MAKE) modules modules="$(JABBER_MOD_PATH)" cfg-target=/etc/ser/ prefix=/usr skip_modules="$(EXTRA_EXCLUDED_MODULES)"
+	$(MAKE) modules group_include="radius" cfg-target=/etc/ser/ prefix=/usr skip_modules="$(EXTRA_EXCLUDED_MODULES)"
+	#$(MAKE) modules modules="$(CPL_MOD_PATH)" cfg-target=/etc/ser/ prefix=/usr skip_modules="$(EXTRA_EXCLUDED_MODULES)"
+	#$(MAKE) modules group_include="presence" cfg-target=/etc/ser/ prefix=/usr skip_modules="$(EXTRA_EXCLUDED_MODULES)"
+	#$(MAKE) modules modules="$(POSTGRES_MOD_PATH)" cfg-target=/etc/ser/ prefix=/usr skip_modules="$(EXTRA_EXCLUDED_MODULES)"
+	$(MAKE) modules modules="$(XMLRPC_MOD_PATH)" cfg-target=/etc/ser/ prefix=/usr skip_modules="$(EXTRA_EXCLUDED_MODULES)"
 	#/usr/bin/docbook-to-man debian/ser.sgml > ser.1
 
 	touch build-stamp
@@ -103,9 +108,8 @@ clean:
 	# Add here commands to clean up after the build process.
 	-$(MAKE) -C lib -f Makefile.ser proper
 	-$(MAKE) \
-		include_modules="$(MYSQL_MODULES) $(JABBER_MODULES) $(RADIUS_MODULES)\
-							$(CPL_MODULES) $(PA_MODULES) $(POSTGRES_MODULES) $(XMLRPC_MODULES)"\
-							proper
+		include_modules=" $(JABBER_MODULES) $(CPL_MODULES) \
+		$(POSTGRES_MODULES) $(XMLRPC_MODULES)" proper
 
 	dh_clean
 
@@ -116,63 +120,75 @@ install: build
 	dh_installdirs
 
 	# Add here commands to install the package into debian/ser
-	$(MAKE) install  skip_modules="$(EXCLUDED_MODULES)" \
+	$(MAKE) install group_include="standard" skip_modules="$(EXCLUDED_MODULES) $(EXTRA_EXCLUDED_MODULES)" \
 		basedir=$(CURDIR)/debian/ser \
 		prefix=/usr \
 		cfg-prefix=$(CURDIR)/debian/ser \
 		cfg-target=/etc/ser/
+	# fix etc/ser dir location
+	mv -f $(CURDIR)/debian/ser/usr/etc $(CURDIR)/debian/ser
 	# install only the mysql module
-	$(MAKE) install-modules-all modules="$(MYSQL_MOD_PATH)"  \
-		basedir=$(CURDIR)/debian/ser-mysql-module \
+	$(MAKE) install-modules-all group_include="mysql" \
+		basedir=$(CURDIR)/debian/ser-mysql-modules \
 		prefix=/usr \
-		cfg-prefix=$(CURDIR)/debian/ser-mysql-module \
+		cfg-prefix=$(CURDIR)/debian/ser-mysql-modules \
 		cfg-target=/etc/ser/ \
-		doc-dir=share/doc/ser-mysql-module
+		doc-dir=share/doc/ser-mysql-modules \
+		skip_modules="$(EXTRA_EXCLUDED_MODULES)"
 	#install only the jabber module
-	$(MAKE) install-modules-all modules="$(JABBER_MOD_PATH)"  \
-		basedir=$(CURDIR)/debian/ser-jabber-module \
-		prefix=/usr \
-		cfg-prefix=$(CURDIR)/debian/ser-jabber-module \
-		cfg-target=/etc/ser/ \
-		doc-dir=share/doc/ser-jabber-module
+	#$(MAKE) install-modules-all modules="$(JABBER_MOD_PATH)"  \
+	#	basedir=$(CURDIR)/debian/ser-jabber-module \
+	#	prefix=/usr \
+	#	cfg-prefix=$(CURDIR)/debian/ser-jabber-module \
+	#	cfg-target=/etc/ser/ \
+	#	doc-dir=share/doc/ser-jabber-module \
+	#	skip_modules="$(EXTRA_EXCLUDED_MODULES)"
 	#install only the radius modules
-	$(MAKE) install-modules-all modules="$(RADIUS_MOD_PATH)"  \
+	$(MAKE) install-modules-all group_include="radius"  \
 		basedir=$(CURDIR)/debian/ser-radius-modules \
 		prefix=/usr \
 		cfg-prefix=$(CURDIR)/debian/ser-radius-modules \
 		cfg-target=/etc/ser/ \
-		doc-dir=share/doc/ser-radius-modules
+		doc-dir=share/doc/ser-radius-modules \
+		skip_modules="$(EXTRA_EXCLUDED_MODULES)"
 	#install only the cpl module
-	$(MAKE) install-modules-all modules="$(CPL_MOD_PATH)"  \
-		basedir=$(CURDIR)/debian/ser-cpl-module \
-		prefix=/usr \
-		cfg-prefix=$(CURDIR)/debian/ser-cpl-module \
-		cfg-target=/etc/ser/ \
-		doc-dir=share/doc/ser-cpl-module
-	#install only the pa module
-	$(MAKE) -C lib -f Makefile.ser install \
-	        prefix=$(CURDIR)/debian/ser-presence-module/usr/
-	$(MAKE) install-modules-all modules="$(PA_MOD_PATH)"  \
-		basedir=$(CURDIR)/debian/ser-presence-module \
-		prefix=/usr \
-		cfg-prefix=$(CURDIR)/debian/ser-presence-module \
-		cfg-target=/etc/ser/ \
-		doc-dir=share/doc/ser-presence-module
+	#$(MAKE) install-modules-all modules="$(CPL_MOD_PATH)"  \
+	#	basedir=$(CURDIR)/debian/ser-cpl-module \
+	#	prefix=/usr \
+	#	cfg-prefix=$(CURDIR)/debian/ser-cpl-module \
+	#	cfg-target=/etc/ser/ \
+	#	doc-dir=share/doc/ser-cpl-module \
+	#	skip_modules="$(EXTRA_EXCLUDED_MODULES)"
+	#install only the presence modules
+	#$(MAKE) install-modules-all group_include="presence"  \
+	#	basedir=$(CURDIR)/debian/ser-presence-modules \
+	#	prefix=/usr \
+	#	cfg-prefix=$(CURDIR)/debian/ser-presence-modules \
+	#	cfg-target=/etc/ser/ \
+	#	doc-dir=share/doc/ser-presence-modules \
+	#	skip_modules="$(EXTRA_EXCLUDED_MODULES)"
 	#install only the postgres module
-	$(MAKE) install-modules-all modules="$(POSTGRES_MOD_PATH)"  \
-		basedir=$(CURDIR)/debian/ser-postgres-module \
-		prefix=/usr \
-		cfg-prefix=$(CURDIR)/debian/ser-postgres-module \
-		cfg-target=/etc/ser/ \
-		doc-dir=share/doc/ser-postgres-module
+	#$(MAKE) install-modules-all modules="$(POSTGRES_MOD_PATH)"  \
+	#	basedir=$(CURDIR)/debian/ser-postgres-module \
+	#	prefix=/usr \
+	#	cfg-prefix=$(CURDIR)/debian/ser-postgres-module \
+	#	cfg-target=/etc/ser/ \
+	#	doc-dir=share/doc/ser-postgres-module \
+	#	skip_modules="$(EXTRA_EXCLUDED_MODULES)"
 	#install only the xmlrpc module
 	$(MAKE) install-modules-all modules="$(XMLRPC_MOD_PATH)"  \
 		basedir=$(CURDIR)/debian/ser-xmlrpc-module \
 		prefix=/usr \
 		cfg-prefix=$(CURDIR)/debian/ser-xmlrpc-module \
 		cfg-target=/etc/ser/ \
-		doc-dir=share/doc/ser-xmlrpc-module
-	
+		doc-dir=share/doc/ser-xmlrpc-module \
+		skip_modules="$(EXTRA_EXCLUDED_MODULES)"
+	# install /etc/default/ser file
+	mkdir -p $(CURDIR)/debian/ser/etc/default
+	cp -f debian/ser.default $(CURDIR)/debian/ser/etc/default/ser
+	# install advanced ser config file for ser-oob package
+	mkdir -p $(CURDIR)/debian/ser-oob/etc/ser
+	cp -f etc/ser-oob.cfg $(CURDIR)/debian/ser-oob/etc/ser/
 	#dh_movefiles
 
 
@@ -184,7 +200,7 @@ install: build
 binary-common: 
 	dh_testdir
 	dh_testroot
-#	dh_installdebconf	
+	dh_installdebconf	
 	dh_installdocs
 	dh_installexamples
 	dh_installmenu
@@ -227,3 +243,4 @@ binary-%: build install
 
 binary: binary-indep binary-arch
 .PHONY: build clean binary-indep binary-arch binary install configure
+
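Review bot: The clean target's `include_modules` list no longer names the mysql and radius modules, while the build target now compiles them through `group_include="mysql"` and `group_include="radius"`. Unless the top-level Makefile's `proper` already covers those groups (it is not shown here), their objects survive `debian/rules clean` and can leak into the next package build. Passing the same groups on the `proper` call, for example `group_include="standard mysql radius"` if the Makefile accepts a list, would keep build and clean symmetric. Separately, the added `mv -f $(CURDIR)/debian/ser/usr/etc $(CURDIR)/debian/ser` fails when `debian/ser/etc` already exists and is non-empty, which depends on what dh_installdirs created before it.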

+ 32 - 0
pkg/debian/ser-oob.config

@@ -0,0 +1,32 @@
+#!/bin/sh -e
+
+. /usr/share/debconf/confmodule
+
+# configure ?
+db_input medium ser-oob/config || true
+db_go
+
+db_get ser-oob/config
+
+if [ "$RET" = "false" ]; then
+  exit 0
+fi
+
+db_input medium ser-oob/LISTEN || true
+db_go
+
+db_input medium ser-oob/ADMINADDR || true
+db_go
+
+db_input medium ser-oob/DBURL || true
+db_go
+
+db_input medium ser-oob/AUTHSECRET || true
+db_go
+
+db_input medium ser-oob/RTTPPROXY || true
+db_go
+
+db_input medium ser-oob/NATPING_INTERVAL || true
+db_go
+
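Review bot: Every question, including `ser-oob/AUTHSECRET` and `ser-oob/DBURL`, is asked at `medium` priority, so an install running at debconf's default priority of high never shows them and the template defaults become the answers. ser-oob.postinst then writes every answer that is not `!` into the config file. The templates are not visible here, so it is worth confirming that the AUTHSECRET default is `!` or generated per host rather than one fixed string shared by all installations, and that the template has type `password`. Asking for the secret with `db_input high ser-oob/AUTHSECRET || true` would make sure an administrator actually sees it.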

+ 193 - 0
pkg/debian/ser-oob.postinst

@@ -0,0 +1,193 @@
+#!/bin/sh
+
+set -e
+
+# don't do anything when called with other argument than configure 
+case "$1" in
+  configure)
+  ;;  
+  abort-upgrade|abort-remove|abort-deconfigure)
+    exit 0
+  ;;
+  *)
+    echo "postinst called with unknown argument \$1'" >&2
+    exit 1
+  ;;
+esac
+
+. /usr/share/debconf/confmodule
+
+
+# ser config file that will be altered by this script, based on debconf values
+CONFIGFILE=/etc/ser/ser-oob.cfg 
+# ser defaults file, where config filename is set
+DEFAULTFILE=/etc/default/ser
+
+
+if ! test -e $CONFIGFILE; then
+  echo "Warning: ser-oob postinst script can't find config file $CONFIGFILE. Configuration aborted."
+  exit 0
+fi
+
+if ! test -e $DEFAULTFILE; then
+  echo "Warning: ser-oob postinst script can't find config file $CONFIGFILE. Configuration aborted."
+  exit 0
+else
+  # do not modify the default file more than once
+  if ! cat $DEFAULTFILE | grep -q "#SER-OOB_CONFIGURED" ; then
+    echo "Package ser-oob postinst script: setting ser configuration file to ser-oob.cfg in $DEFAULTFILE"
+    cp -f $DEFAULTFILE ${DEFAULTFILE}.config_bck
+    cat ${DEFAULTFILE}.config_bck | sed -e "s+^SER_CFG_FILE=.*$+SER_CFG_FILE=$CONFIGFILE+" >$DEFAULTFILE
+    echo "#the following line marks that ser config filename was updated by ser-oob postinst script, and will not be modified again" >>$DEFAULTFILE
+    echo "#SER-OOB_CONFIGURED" >>$DEFAULTFILE
+  fi
+fi
+
+
+function fn_config_replace 
+{
+	if test $# -ne 2; then
+	  echo "Error - bad number of input parameters"
+	  echo "usage:"
+	  echo "fn_config_replace config_file CFG_OPTION_something" 
+	  exit 1
+	fi
+
+	FILENAME="$1"
+	ITEM="$2"
+
+	echo "Changing config option $ITEM."
+	OLDFILE="$FILENAME.config_replace_bck"
+	cp -f $FILENAME $OLDFILE
+
+	REPLACEMENT="$FILENAME.repl"
+	TEMPFILE="$FILENAME.temp"
+	TAIL="$FILENAME.tail"
+
+	rm -f $REPLACEMENT
+	touch $REPLACEMENT # needed if the input is empty
+	while read -r LINE
+	do
+	  echo "$LINE" >> $REPLACEMENT
+	done
+
+	STARTPOS=`nl -b a $FILENAME | grep -w "DEBCONF-$ITEM-START" | sed -e "s/^ *\([0-9]*\).*/\1/g"`
+	if [ "$STARTPOS" == "" ]; then
+		echo "WARNING: section $ITEM not found"
+		return
+	fi
+		
+	ENDPOS=`nl -b a $FILENAME | sed -e "1,${STARTPOS}d" | grep "DEBCONF-$ITEM-END" | head -n 1 | sed -e "s/^ *\([0-9]*\).*/\1/g"`
+	if [ "$STARTPOS" == "" ]; then
+		echo "WARNING: end of section $ITEM not found"
+		return
+	fi
+	ENDPOS=$(($ENDPOS-1))
+	STARTPOS=$(($STARTPOS+1))
+
+	cat $FILENAME | sed -e "1,${ENDPOS}d" > $TAIL
+	cat $FILENAME | sed -e "${STARTPOS},\$d" > $TEMPFILE
+	cat $REPLACEMENT >> $TEMPFILE
+	cat $TAIL >> $TEMPFILE
+	rm -f $TAIL
+	mv -f $TEMPFILE $FILENAME
+}
+
+# pads $1 with as many empty rows as needed until $2 lines are complete
+padLines() {
+	output="$1"
+	needed="$2"
+	num=`echo "$output" | wc -l`
+	echo "$output"
+	moreneeded=$(($needed-$num))
+	while (true); do
+	if [ $moreneeded -gt 0 ]
+	then
+		echo ""
+		moreneeded=$(($moreneeded-1))
+	else
+		break
+	fi
+	done
+}
+
+#----------------------------------------------------------------------------
+
+
+db_get ser-oob/config
+if [ "$RET" = "false" ] ; then
+  # do not change config file
+  echo "Package ser-oob postinst script: NOT modifying config file $CONFIGFILE."
+else
+
+BACKUP="$CONFIGFILE.config_bck"
+
+echo "Package ser-oob config script: MODIFYING config file $CONFIGFILE."
+echo "Creating backup copy as $BACKUP"
+cp -f $CONFIGFILE $BACKUP
+
+db_get ser-oob/LISTEN
+if test "$RET" != "!" ; then
+  echo "$RET"|sed 's/,/\n/g'|awk '{print "listen=\"" $1 "\""}' | \
+  fn_config_replace $CONFIGFILE LISTEN
+fi
+
+db_get ser-oob/ADMINADDR
+if test "$RET" != "!" ; then
+  echo "listen=udp:$RET" | fn_config_replace $CONFIGFILE LISTEN_ADMIN
+  fn_config_replace $CONFIGFILE REPL_SEND_ADDR <<+++
+		force_send_socket(udp:$RET);
++++
+fi
+
+db_get ser-oob/DBURL
+if test "$RET" != "!" ; then
+  fn_config_replace $CONFIGFILE DBURL <<+++
+modparam("speeddial|auth_db|usrloc|acc_db|domain|uri_db|gflags|avp_db", "db_url", "$RET")
++++
+fi
+
+db_get ser-oob/AUTHSECRET
+if test "$RET" != "!" ; then
+  fn_config_replace $CONFIGFILE AUTHSECRET <<+++
+modparam("auth", "secret", "$RET")
++++
+fi
+
+db_get ser-oob/RTTPPROXY
+if test "$RET" != "!" ; then
+  fn_config_replace $CONFIGFILE RTTPPROXY <<+++
+modparam("nathelper", "rtpproxy_sock", "$RET")
++++
+fi
+
+db_get ser-oob/NATPING_INTERVAL
+if test "$RET" != "!" ; then
+  fn_config_replace $CONFIGFILE NATPING_INTERVAL <<+++
+modparam("nathelper", "natping_interval", $RET)
++++
+fi
+
+fi # if changing config
+
+echo ""
+echo "***"
+echo "Configuration of ser-oob has finished."
+echo ""
+echo "To restart it when configuration has changed use '/etc/init.d/ser restart'"
+echo ""
+echo "To change it's configuration use 'dpkg-reconfigure ser-oob'"
+echo "***"
+echo ""
+
+if [ -x "/etc/init.d/ser" ]; then
+  if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
+    invoke-rc.d ser restart || exit 0
+  else
+    /etc/init.d/ser restart || exit 0
+  fi
+fi
+                                                                
+
+exit 0
+
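Review bot: The answers to `ser-oob/DBURL` and `ser-oob/AUTHSECRET` end up in `$CONFIGFILE`, in `$CONFIGFILE.config_bck`, and in the `.config_replace_bck` and `.repl` files that fn_config_replace creates and never removes, all with whatever mode the inherited umask gives, so the database credentials and auth secret may be readable by every local user. Running the file handling under `umask 077` and deleting the scratch file, as sketched below, keeps them private; confirm that ser reads its config before dropping to `-u ser`, otherwise give the file the ser group and mode 0640 instead. In fn_config_replace the second emptiness test repeats `$STARTPOS` where `$ENDPOS` is meant, so a missing END marker goes on to the arithmetic and the sed calls. `function fn_config_replace` and `==` inside `[ ]` are bash syntax under `#!/bin/sh`, and a double quote in an answer is copied unescaped into the quoted modparam value.

```shell
# before the first cp of $DEFAULTFILE / $CONFIGFILE
old_umask=`umask`
umask 077	# backups and scratch files will hold the DB URL and auth secret

fn_config_replace()
{
	# … unchanged: argument check, backup copy, stdin read into $REPLACEMENT, STARTPOS lookup …
	# … unchanged: ENDPOS lookup …
	if [ "$ENDPOS" = "" ]; then
		echo "WARNING: end of section $ITEM not found"
		rm -f "$REPLACEMENT"
		return
	fi
	# … unchanged: position arithmetic, assembling $TEMPFILE …
	rm -f "$TAIL" "$REPLACEMENT"
	mv -f "$TEMPFILE" "$FILENAME"
}

# … unchanged: debconf-driven replacements and closing messages …
umask "$old_umask"	# do not hand the tight umask to the restarted daemon
```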

+ 6 - 0
pkg/debian/ser-oob.postrm

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+#DEBHELPER#
+
+
+exit 0
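Review bot: Nothing here undoes what ser-oob.postinst does outside the package manifest, so after removal `/etc/default/ser` still has `SER_CFG_FILE=/etc/ser/ser-oob.cfg`, and after a purge that file is presumably gone and ser would no longer start. The backup and scratch copies the postinst writes also stay on disk with the database URL and auth secret in them. A `purge)` arm in a `case "$1"` could run `rm -f /etc/ser/ser-oob.cfg.config_bck /etc/ser/ser-oob.cfg.config_replace_bck /etc/ser/ser-oob.cfg.repl`, and the remove path could restore `/etc/default/ser.config_bck` or reset `SER_CFG_FILE` and drop the `#SER-OOB_CONFIGURED` marker.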

+ 14 - 0
pkg/debian/ser-oob.prerm

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -e
+
+if test "$1" = "upgrade"; then
+  exit 0
+fi
+
+#DEBHELPER#
+
+
+exit 0
+
+

+ 18 - 0
pkg/debian/ser.default

@@ -0,0 +1,18 @@
+# configuration for ser - Sip Expres Router
+#
+# this file is sourced by ser init script /etc/init.d/ser
+
+# ser configuration file
+SER_CFG_FILE="/etc/ser/ser.cfg"
+
+# user to run ser as
+#SER_USER="ser"
+
+# group to run ser as
+#SER_GROUP="ser"
+
+# ser pidfile
+#SER_PIDFILE="/var/run/ser/ser.pid"
+
+
+

+ 35 - 9
pkg/debian/ser.init

@@ -12,15 +12,40 @@
 #  adapted for ser by Andrei Pelinescu-Onciul <[email protected]>
 # $Id$
 
+# read configuration from /etc/default/ser file
+DEFAULT_FILE="/etc/default/ser"
+
+if test -f "$DEFAULT_FILE" ; then
+  . /etc/default/ser
+fi
+
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin
 DAEMON=/usr/sbin/ser
 NAME=ser
 DESC=ser
-PIDFILE=/var/run/$NAME/$NAME.pid
-PARAMS="-P $PIDFILE -u ser -g ser"
+
+if test "$SER_PIDFILE" = ""; then
+  SER_PIDFILE="/var/run/$NAME/$NAME.pid"
+fi
+
+if test "$SER_USER" = "" ; then
+  SER_USER="ser"
+fi
+if test "$SER_GROUP" = "" ; then
+  SER_GROUP="ser"
+fi
+
+PARAMS="-P $SER_PIDFILE -u $SER_USER -g $SER_GROUP"
 LD_LIBRARY_PATH=/usr/lib/ser
 
+CFGPARAMS=""
+if test "$SER_CFG_FILE" != "" ; then
+  CFGPARAMS="-f $SER_CFG_FILE"
+fi
+
+PARAMS="$PARAMS $CFGPARAMS"
+
 test -f $DAEMON || exit 0
 
 export LD_LIBRARY_PATH
@@ -29,13 +54,13 @@ set -e
 case "$1" in
   start)
 	echo -n "Starting $DESC: $NAME"
-	start-stop-daemon --start --quiet --pidfile $PIDFILE \
+	start-stop-daemon --start --quiet --pidfile $SER_PIDFILE \
 		--exec $DAEMON -- $PARAMS
 	echo "."
 	;;
   stop)
 	echo -n "Stopping $DESC: $NAME"
-	start-stop-daemon --oknodo --stop --quiet --pidfile $PIDFILE \
+	start-stop-daemon --oknodo --stop --quiet --pidfile $SER_PIDFILE \
 		--exec $DAEMON
 	echo "."
 	;;
@@ -49,7 +74,7 @@ case "$1" in
 	#
 	# echo "Reloading $DESC configuration files."
 	# start-stop-daemon --stop --signal 1 --quiet --pidfile \
-	#	$PIDFILE --exec $DAEMON
+	#	$SER_PIDFILE --exec $DAEMON
   #;;
   restart|force-reload)
 	#
@@ -58,19 +83,19 @@ case "$1" in
 	#	just the same as "restart".
 	#
 	# Check if ser configuration is valid before restarting the server
-        (($DAEMON -c 2>&1) | grep "config file ok, exiting") > /dev/null
+        (($DAEMON $CFGPARAMS -c 2>&1) | grep "config file ok, exiting") > /dev/null
 	if [ $? -ne 0 ]; then
-            ($DAEMON -c 2>&1)
+            ($DAEMON $CFGPARAMS -c 2>&1)
 	    echo -e "\nThere are errors in the configuration file. Please fix them first"
 	    echo -e "\n$out\n"
 	    exit 0
 	fi
 	echo -n "Restarting $DESC: $NAME"
 	start-stop-daemon --oknodo --stop --quiet --pidfile \
-		$PIDFILE --exec $DAEMON
+		$SER_PIDFILE --exec $DAEMON
 	sleep 1
 	start-stop-daemon --start --quiet --pidfile \
-		$PIDFILE --exec $DAEMON  -- $PARAMS
+		$SER_PIDFILE --exec $DAEMON  -- $PARAMS
 	echo "."
 	;;
   *)
@@ -82,3 +107,4 @@ case "$1" in
 esac
 
 exit 0
+
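Review bot: The added block defines `DEFAULT_FILE` but then sources the literal path, and the values read from it are expanded unquoted in `--pidfile $SER_PIDFILE`, in `-f $SER_CFG_FILE` inside `PARAMS`, and in `$DAEMON $CFGPARAMS -c`. A value containing whitespace or glob characters is therefore split into extra arguments for start-stop-daemon or for ser itself. Using `. "$DEFAULT_FILE"` and `--pidfile "$SER_PIDFILE"` fixes the first two spots; the `PARAMS` string cannot be quoted as a whole, so a comment in ser.default stating that paths must not contain spaces would at least document the limit. Because the file is sourced by a script that runs as root, it is worth a comment in ser.default that it must stay root-owned and not group- or world-writable.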