Access Control for DMR

[hacknix]

This request provides Access Control support for DMR destination IDs (including Talkgroups).

This functionality can be enabled and access by four new fields in MMDVM.ini:

DstIDBlackListSlot1=
DstIDBlackListSlot2=
DstIDWhiteListSlot1=
DstIDWhiteListSlot2=

Each entry represents a comma-separated list of desitnation IDs to either allow (whitelist) or deny (blacklist).

The implementation of this is consistent with the existing implementation of the "Blacklist=" configuration option for source IDs.

Added new README.DMR_ACL with the following text:

/start
To use DMR Access Control you can add the following fields to your MMDVM.ini:

Blacklist= <comma separated list of source-id's to block on RF>
DstIdBlackListSlot1=
DstIdBlackListSlot2=
DstIdWhiteListSlot1=
DstIdWhiteListSlot2=

So, for example:

DstIdBlackListSlot1=91 - block the TG91 net.

DstIdWhiteSlot1=9.5057,9990 - allows TG9, APRS SMS Gateway and Echo.

If the whitelist is null or commented out, it is disabled.

The whitelist behaves slightly differently on Slot1 than is does on Slot2.

For Slot1, the whitelist will allow all IDs above 10000 and everything in the whitelist.

For Slot2, the whitelist will allow all IDs between 4000 and 5000, IDs above 10000 and everything in the whitelist.

You can use the blacklist with the whitelist if you want to specifically block IDs within the allowed ranges above.

For example, to block users from disconnecting the reflectors, you could block ID 4000.

To block users connecting to reflector 4400 you could add ID 4400 to the blacklist for that slot.
/end

This code has been tested on GB7FR and also by Peter G7RPG and is working well.

[hacknix]

On 11/06/16 10:01, Jonathan Naylor wrote:

Merged #90 #90.

Thanks Jonathan :-)

[g0wfv]

Hmmmmm :-| As we debated, Simon - All good in practise, but this should be
implemented at the master, not at the repeater where all you will do is
deny the use of the repeater on the slot with the denied traffic without
any good indication to the user.

Some means of informing the master that you don't want the traffic and to
cease the data stream would be better .....

On Sat, Jun 11, 2016 at 10:10 AM hacknix notifications@github.com wrote:

On 11/06/16 10:01, Jonathan Naylor wrote:

Merged #90 #90.

Thanks Jonathan :-)

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
#90 (comment), or mute
the thread
https://github.com/notifications/unsubscribe/AQf_4j-6o6RCkqvlccXa2ZRbYSY69t36ks5qKntrgaJpZM4Izgbq
.

A J Corbett

G0WFV

[hacknix]

Hi Tony,

Thanks for your comments, which I have taken on board.

I agree that doing some or all of this at the master is preferable and
this code is not a complete substitute for that, but being able to do
this locally is still valid. I don't think the argument that it may not
be perfect or may not fulfil everyone's needs is a reason not to include
it. I think it's a choice for the repeater keeper to make. I'm
personally not comfortable with handing over 100% of my ability to
control repeater traffic to the network.

In fact, the slot is not locked up when traffic from the network is
rejected, local RF access still proceeds as normal (I have tested it),
albeit without the benefit of network access. This is preferable to the
slot being busy with an unwanted talk-group and local users not knowing
why. In my particular use-case, on slot 1 we only use TG9 (regionally
linked), private calls, APRS gate, SMS and Echo. Apart from
(temporarily) losing the regional link, everything functions as normal
when slot1 is blocking network traffic. This block should not usually be
invoked, as I have requested that only our regional link, private calls
and SMS are sent down to me from the master, however TG91 keeps creeping
in and locking the slot, so this offers a second line of protection.

The other way around, for example, if a user TXs on TG91, because their
traffic is blocked, our regional link will continue to be transmitted on
slot 1 and the user's inbound RF transmission will be rejected and not
repeated or forwarded to the network, so this actually stops this TG
from disrupting local traffic as much as if we allowed it. It's widely
publicised that GB7FR only accepts traffic on TG9 on both slots, so the
fact that we reject other TGs should not be an issue.

On the RF side, I have been looking for a way to reject the transmission
earlier, so that the input is not held busy, preferably during the
handshake, so that the originating terminal just receives a busy signal,
but at the moment I can't see that this is possible. Anyway, because
traffic on non-supported talkgroups is not repeated, these transmissions
should only ever be short as it's not possible to hold a QSO on an
unsupported talkgroup via the repeater.

I think the short answer is, if it's useful to you, use it, if it's not,
don't :-) It certainly fulfils my needs and that of some others I have
been in correspondence with.

Thanks for the discussion, it's good to discuss these things and work it
through!

Cheers

Simon

On 11/06/16 10:25, Tony Corbett wrote:

Hmmmmm :-| As we debated, Simon - All good in practise, but this should be
implemented at the master, not at the repeater where all you will do is
deny the use of the repeater on the slot with the denied traffic without
any good indication to the user.

Some means of informing the master that you don't want the traffic and to
cease the data stream would be better .....

On Sat, Jun 11, 2016 at 10:10 AM hacknix notifications@github.com wrote:

On 11/06/16 10:01, Jonathan Naylor wrote:

Merged #90 #90.

Thanks Jonathan :-)

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
#90 (comment),
or mute
the thread

https://github.com/notifications/unsubscribe/AQf_4j-6o6RCkqvlccXa2ZRbYSY69t36ks5qKntrgaJpZM4Izgbq
.

A J Corbett

G0WFV

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#90 (comment),
or mute the thread
https://github.com/notifications/unsubscribe/ASS9QWbMD3KvqUsv-SEpA-ZEWI0hxuhHks5qKn8bgaJpZM4Izgbq.

[g0wfv]

Apologies, Simon, but a lot of this first comment may sound antoagonistic, but it's meant purely as Devil's Advocate ...

I'm personally not comfortable with handing over 100% of my ability to control repeater traffic to the network.

If I may, why are you running a networked repeater based on a technology where the routing and a vast amount of configuration is remote from the repeater?

It's widely publicised that GB7FR only accepts traffic on TG9 on both slots, so the fact that we reject other TGs should not be an issue.

This is the bit that should be configured at the master for your repeater to only accept/carry TG9 on both slots. It seems to me you and your users have issues with certain other TGs getting through - ask for them not to be sent by the master! Your repeated use of TG91 as an example only suggests that this is the offending TG; I agree, the net that takes place at certain times is like listening to paint dry!

I can see BM going completely reflector based anyway; there is no need for any other TG than TG9 (or maybe TG10 for pure local in the case where TG9 is a repeater link) on Slot 1 and TG9 on Slot 2; Reflectors are far more flexible than the TG system that we inherited from DMR-MARC et al.

On the RF side, I have been looking for a way to reject the transmission earlier, so that the input is not held busy, preferably during the handshake, so that the originating terminal just receives a busy signal, but at the moment I can't see that this is possible.

This is the only part of this that code I believe has real value - I agree; you should be able to prevent the transmissions at the source - which is why I strongly believe network traffic should be (where possible) prevented at source also!

I'm not up-to-speed on what information is included in which part of a DMR transmission, if it were possible to present a terminal with a busy tone or similar that would be the way to go. Perhaps Jonathan knows a trick or two that may work?

Whilst these changes to the way the repeater software operates will do as you intend; prevent transmission of unwanted traffic, you are bypassing the way the network is intended to be configured and you really need to ask the keeper (sysop?) of the master server to configure network traffic to your repeater as you want it - after all, it's your NOV and licence; I can't see why they'd have grounds to say no where it's in there power to comply with your reasonable request! If the system is incapable of complying, then you have a valid reason to bypass it.

I'm not arguing that the ACL concept is invalid, in fact if anything it's a good idea when used in the right place!

[g0wfv]

On a positive note, I've tested the code, and it works. Perhaps the output of a single log line when a blacklisted TG is attempted rather than the continual scroll for the duration of the transmission??

M: 2016-06-12 09:16:22.886 DMR Slot 2, invalid access attempt to TG 9 (TG blacklisted)
M: 2016-06-12 09:16:22.945 DMR Slot 2, invalid access attempt to TG 9 (TG blacklisted)
M: 2016-06-12 09:16:23.005 DMR Slot 2, invalid access attempt to TG 9 (TG blacklisted)
M: 2016-06-12 09:16:23.306 DMR Slot 2, invalid access attempt to TG 9 (TG blacklisted)
M: 2016-06-12 09:16:23.666 DMR Slot 2, invalid access attempt to TG 9 (TG blacklisted)
M: 2016-06-12 09:16:24.026 DMR Slot 2, invalid access attempt to TG 9 (TG blacklisted)
M: 2016-06-12 09:16:28.833 DMR Slot 2, invalid access attempt to TG 9 (TG blacklisted)
M: 2016-06-12 09:16:28.893 DMR Slot 2, invalid access attempt to TG 9 (TG blacklisted)
M: 2016-06-12 09:16:28.953 DMR Slot 2, invalid access attempt to TG 9 (TG blacklisted)
M: 2016-06-12 09:16:29.253 DMR Slot 2, invalid access attempt to TG 9 (TG blacklisted)
M: 2016-06-12 09:16:29.613 DMR Slot 2, invalid access attempt to TG 9 (TG blacklisted)
M: 2016-06-12 09:16:29.973 DMR Slot 2, invalid access attempt to TG 9 (TG blacklisted)
M: 2016-06-12 09:16:42.764 DMR Slot 2, invalid access attempt to TG 9 (TG blacklisted)
M: 2016-06-12 09:16:42.821 DMR Slot 2, invalid access attempt to TG 9 (TG blacklisted)
M: 2016-06-12 09:16:42.877 DMR Slot 2, invalid access attempt to TG 9 (TG blacklisted)
M: 2016-06-12 09:16:43.176 DMR Slot 2, invalid access attempt to TG 9 (TG blacklisted)
M: 2016-06-12 09:16:43.536 DMR Slot 2, invalid access attempt to TG 9 (TG blacklisted)
M: 2016-06-12 09:16:43.896 DMR Slot 2, invalid access attempt to TG 9 (TG blacklisted)
M: 2016-06-12 09:16:44.256 DMR Slot 2, invalid access attempt to TG 9 (TG blacklisted)
M: 2016-06-12 09:16:44.616 DMR Slot 2, invalid access attempt to TG 9 (TG blacklisted)
M: 2016-06-12 09:16:44.976 DMR Slot 2, invalid access attempt to TG 9 (TG blacklisted)
M: 2016-06-12 09:16:45.338 DMR Slot 2, invalid access attempt to TG 9 (TG blacklisted)
M: 2016-06-12 09:16:45.696 DMR Slot 2, invalid access attempt to TG 9 (TG blacklisted)
M: 2016-06-12 09:16:46.056 DMR Slot 2, invalid access attempt to TG 9 (TG blacklisted)

[g7npw]

On 12/06/2016 10:07, Tony Corbett wrote:

On the RF side, I have been looking for a way to reject the
transmission earlier, so that the input is not held busy,
preferably during the handshake, so that the originating terminal
just receives a busy signal, but at the moment I can't see that
this is possible.

As a crude way I guess the downlink TX could be deactivated but I'm not
sure if the terminal user has already managed to catch the PTT & Gain
Sync he will then be freely transmitting and rendering the input
frequency useless anyway. I guess it would stop his unauthorized traffic
getting repeated and as such give him no audience locally.

Suppose the danger with this would be he could just send his ID out
occasionally over legitimate stations causing the downlink to deactivate.

You will never fully prevent abuse on the RF side.

Dom G7NPW

[hacknix]

Hi Tony,

I think we agree on many points. Perhaps my motivation is not entirely
clear. I will explain inline.

Comments inline.

On 12/06/16 10:07, Tony Corbett wrote:

Apologies, Simon, but a lot of this first comment may sound
antoagonistic, but it's meant purely as Devil's Advocate ...

I'm personally not comfortable with handing over 100% of my
ability to control repeater traffic to the network.

If I may, why are you running a networked repeater based on a
technology where the routing and a vast amount of configuration is
remote from the repeater?

No offence taken Tony. I see it kind of differently. I run a repeater.
The network connection, whilst important, is secondary. The repeater can
and should continue to function even without the network. I accept that
a lot of configuration is done at the network, but that does not mean I
should not have the ability to deal with things locally, particularly,
for example, if an issue arises at an odd time of day or if I cannot get
a timely response from the admin team, given that we are all volunteers.
Also, BrandMeister is not open source. It is a black box and we have no
control over it's behaviour. It's good practice in networking to provide
filtering (firewall) between our network and networks we don't have full
control over. I am applying the same principle to DMR.

It's widely publicised that GB7FR only accepts traffic on TG9 on
both slots, so the fact that we reject other TGs should not be an
issue.

This is the bit that should be configured at the master for your
repeater to only accept/carry TG9 on both slots. It seems to me you
and your users have issues with certain other TGs getting through -
ask for them not to be sent by the master! Your repeated use of TG91
as an example only suggests that this is the offending TG; I agree,
the net that takes place at certain times is like listening to paint dry!

I agree totally and I have FR configured by the master admins to only
send down our regional link on TG9 on slot 1. However, there has been a
repeated issue that TG91 has still been sent down the link. This has
annoyed myself and a couple of other keepers, to the extent that I said
I would write some code that would block this from happening (although
this is not my primary reason for writing the ACL - more on that further
down). I have to say that, unfortunately, whilst the admin team has been
very helpful in other matters, any email that I or other local keepers
send about TG91 seem to fall on deaf ears.

I can see BM going completely reflector based anyway; there is no need
for any other TG than TG9 (or maybe TG10 for pure local in the case
where TG9 is a repeater link) on Slot 1 and TG9 on Slot 2; Reflectors
are far more flexible than the TG system that we inherited from
DMR-MARC et al.

I agree here. I see no point in having both lots of talkgroups and
reflectors. This is why FR is configured for regional link on TS1 and
reflectors on TS2, only.

On the RF side, I have been looking for a way to reject the
transmission earlier, so that the input is not held busy,
preferably during the handshake, so that the originating terminal
just receives a busy signal, but at the moment I can't see that
this is possible.

This is the only part of this that code I believe has real value - I
agree; you should be able to prevent the transmissions at the source

• which is why I strongly believe network traffic should be (where
  possible) prevented at source also!

I'm not up-to-speed on what information is included in which part of a
DMR transmission, if it were possible to present a terminal with a
busy tone or similar that would be the way to go. Perhaps Jonathan
knows a trick or two that may work?

This is my primary motivation for the code; to block things from RF not
the network. By blocking transmissions from RF, I can stop unsupported
talk-groups from working and I can also stop local traffic from
activating user-activated groups. This is important for the TG91 case as
one key-up on TG91 activates this TG for the duration of the whole net,
again locking out our regional link and all local traffic on the
repeater and frustrating users on the three linked repeaters. At least
by blocking it, local traffic still works as normal. I am hoping that
the master configuration will stay stable and that the ACL rules will
never be activated from the network. However, if something changes, I
can be sure that at least local traffic still works as intended. Several
keepers have told me they have resorted to pulling out the network cable
entirely for the duration of the net. My ACL code is always going to be
preferable to doing this, in my opinion.

I have been looking at the busy tone issue, but the problem is, as far
as I can tell, the destination ID is not sent in the handshake, so I
can't match on it. Even if I take the TX down, the sending terminal
still happily carries on transmitting because it's not full-duplex and
it has already seen it's handshake. I think it's actually better to
leave the TX up, so if another user keys up, they will get a busy tone
as the colour-code is not free rather than just blindly doubling.

Whilst these changes to the way the repeater software operates will do
as you intend; prevent transmission of unwanted traffic, you are
bypassing the way the network is intended to be configured and you
really need to ask the keeper (sysop?) of the master server to
configure network traffic to your repeater as you want it - after all,
it's your NOV and licence; I can't see why they'd have grounds to say
no where it's in there power to comply with your reasonable request!
If the system is incapable of complying, then you have a valid reason
to bypass it.

I agree and I have. The configuration is as I require at the network and
by whitelisting only IDs 9, 5370 and 9990 and everything over 99999
coming from RF, I can ensure that nothing is activated that is unwanted.
The network simply does not at present offer this level of control.

I'm not arguing that the ACL concept is invalid, in fact if anything
it's a good idea when used in the right place!

I wonder if we could clarify some of this by explaining in more detail
the implications of using this functionality without first trying to get
the master config correct in the readme file. For me this code solves a
specific problem but I accept it's not without it's problems. We should
give keepers all the facts and let them make an informed choice and I
agree, this functionality should be used carefully and sparingly.

73

Simon

[hacknix]

On 12/06/16 10:23, Tony Corbett wrote:

On a positive note, I've tested the code, and it works. Perhaps the
output of a single log line when a blacklisted TG is attempted rather
than the continual scroll for the duration of the transmission??

Thanks for the test.

I agree Tony. I just need to work out how to do this and I will add it!

Simon

[hacknix]

On 12/06/16 10:36, g7npw wrote:

As a crude way I guess the downlink TX could be deactivated but I'm not
sure if the terminal user has already managed to catch the PTT & Gain
Sync he will then be freely transmitting and rendering the input
frequency useless anyway. I guess it would stop his unauthorized traffic
getting repeated and as such give him no audience locally.

Suppose the danger with this would be he could just send his ID out
occasionally over legitimate stations causing the downlink to deactivate.

HI Dom. Agree. I did try this, but it serves no purpose as it's exactly
as you describe; the terminal already has gained channel access.

Simon

[g7npw]

Would this code prevent auto connect to reflector 4400 upon restart? I only compiled and installed this version of MMDVMHost tonight and notice now I'm not automatically connecting to 4400 but it will let me connect manually.

I haven't tried my previous version to confirm yet as it is getting late. Will test more tomorrow.

Just m pay first observation since upgrading.

Dominic

On 11 Jun 2016, at 9:55 am, hacknix notifications@github.com wrote:

This request provides Access Control support for DMR destination IDs (including Talkgroups).

This functionality can be enabled and access by four new fields in MMDVM.ini:

DstIDBlackListSlot1=
DstIDBlackListSlot2=
DstIDWhiteListSlot1=
DstIDWhiteListSlot2=

Each entry represents a comma-separated list of desitnation IDs to either allow (whitelist) or deny (blacklist).

The implementation of this is consistent with the existing implementation of the "Blacklist=" configuration option for source IDs.

Added new README.DMR_ACL with the following text:

/start
To use DMR Access Control you can add the following fields to your MMDVM.ini:

Blacklist=
DstIdBlackListSlot1=
DstIdBlackListSlot2=
DstIdWhiteListSlot1=
DstIdWhiteListSlot2=

So, for example:

DstIdBlackListSlot1=91 - block the TG91 net.

DstIdWhiteSlot1=9.5057,9990 - allows TG9, APRS SMS Gateway and Echo.

If the whitelist is null or commented out, it is disabled.

The whitelist behaves slightly differently on Slot1 than is does on Slot2.

For Slot1, the whitelist will allow all IDs above 10000 and everything in the whitelist.

For Slot2, the whitelist will allow all IDs between 4000 and 5000, IDs above 10000 and everything in the whitelist.

You can use the blacklist with the whitelist if you want to specifically block IDs within the allowed ranges above.

For example, to block users from disconnecting the reflectors, you could block ID 4000.

To block users connecting to reflector 4400 you could add ID 4400 to the blacklist for that slot.

/end

This code has been tested on GB7FR and also by Peter G7RPG and is working well.

You can view, comment on, or merge this pull request online at:

#90

Commit Summary

Added whitelist and blacklist config
Addedd whitelist and blacklist config
Added blacklist and whitelist for TGs
Merge remote-tracking branch 'upstream/master'
Added blacklist and whitelist options (commented out)
fixed end of non-void
Fixed blacklist/whitelist logic
Logging at blacklist and whitelist initiation
Blacklist/whitelist stuff
Blacklist and whitelist traffic from network
blacklist
fixed typo in blacklist/whitelist logging
Improved acl logging (added dataType)
first draft of readme
Merge remote-tracking branch 'upstream/master'
Added check for null whitelist
Include secondary TGs in default block for TS1 TGs
Tided up logging text for acl
more logging tidying for acl
More blacklist tidying
Merge remote-tracking branch 'upstream/master'
Tidyed comments
File Changes

M Conf.cpp (52)
M Conf.h (8)
M DMRControl.cpp (4)
M DMRControl.h (2)
M DMRSlot.cpp (249)
M DMRSlot.h (9)
M MMDVM.ini (6)
M MMDVMHost.cpp (16)
A README.DMR_ACL (28)
Patch Links:

https://github.com/g4klx/MMDVMHost/pull/90.patch
https://github.com/g4klx/MMDVMHost/pull/90.diff
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.

[g0wfv]

No the audio connect is something at the master - I've got the same issue
since some point yesterday evening.

On Tue, 14 Jun 2016, 01:49 g7npw, notifications@github.com wrote:

Would this code prevent auto connect to reflector 4400 upon restart? I
only compiled and installed this version of MMDVMHost tonight and notice
now I'm not automatically connecting to 4400 but it will let me connect
manually.

I haven't tried my previous version to confirm yet as it is getting late.
Will test more tomorrow.

Just m pay first observation since upgrading.

Dominic

On 11 Jun 2016, at 9:55 am, hacknix notifications@github.com wrote:

This request provides Access Control support for DMR destination IDs
(including Talkgroups).

This functionality can be enabled and access by four new fields in
MMDVM.ini:

DstIDBlackListSlot1=
DstIDBlackListSlot2=
DstIDWhiteListSlot1=
DstIDWhiteListSlot2=

Each entry represents a comma-separated list of desitnation IDs to
either allow (whitelist) or deny (blacklist).

The implementation of this is consistent with the existing
implementation of the "Blacklist=" configuration option for source IDs.

Added new README.DMR_ACL with the following text:

/start
To use DMR Access Control you can add the following fields to your
MMDVM.ini:

Blacklist=
DstIdBlackListSlot1=
DstIdBlackListSlot2=
DstIdWhiteListSlot1=
DstIdWhiteListSlot2=

So, for example:

DstIdBlackListSlot1=91 - block the TG91 net.

DstIdWhiteSlot1=9.5057,9990 - allows TG9, APRS SMS Gateway and Echo.

If the whitelist is null or commented out, it is disabled.

The whitelist behaves slightly differently on Slot1 than is does on
Slot2.

For Slot1, the whitelist will allow all IDs above 10000 and everything
in the whitelist.

For Slot2, the whitelist will allow all IDs between 4000 and 5000, IDs
above 10000 and everything in the whitelist.

You can use the blacklist with the whitelist if you want to specifically
block IDs within the allowed ranges above.

For example, to block users from disconnecting the reflectors, you could
block ID 4000.

To block users connecting to reflector 4400 you could add ID 4400 to the
blacklist for that slot.

/end

This code has been tested on GB7FR and also by Peter G7RPG and is
working well.

You can view, comment on, or merge this pull request online at:

#90

Commit Summary

Added whitelist and blacklist config
Addedd whitelist and blacklist config
Added blacklist and whitelist for TGs
Merge remote-tracking branch 'upstream/master'
Added blacklist and whitelist options (commented out)
fixed end of non-void
Fixed blacklist/whitelist logic
Logging at blacklist and whitelist initiation
Blacklist/whitelist stuff
Blacklist and whitelist traffic from network
blacklist
fixed typo in blacklist/whitelist logging
Improved acl logging (added dataType)
first draft of readme
Merge remote-tracking branch 'upstream/master'
Added check for null whitelist
Include secondary TGs in default block for TS1 TGs
Tided up logging text for acl
more logging tidying for acl
More blacklist tidying
Merge remote-tracking branch 'upstream/master'
Tidyed comments
File Changes

M Conf.cpp (52)
M Conf.h (8)
M DMRControl.cpp (4)
M DMRControl.h (2)
M DMRSlot.cpp (249)
M DMRSlot.h (9)
M MMDVM.ini (6)
M MMDVMHost.cpp (16)
A README.DMR_ACL (28)
Patch Links:

https://github.com/g4klx/MMDVMHost/pull/90.patch
https://github.com/g4klx/MMDVMHost/pull/90.diff
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.

—
You are receiving this because you commented.

Reply to this email directly, view it on GitHub
#90 (comment), or mute
the thread
https://github.com/notifications/unsubscribe/AQf_4ix8Ew1e-zMVw3AlaPv3C2j1p0SEks5qLfqPgaJpZM4Izgbq
.

A J Corbett

G0WFV

[g0wfv]

That should of course read "auto" - damn predictive text!

On Tue, 14 Jun 2016, 06:07 Tony Corbett, tonyc.uk@gmail.com wrote:

No the audio connect is something at the master - I've got the same issue
since some point yesterday evening.

On Tue, 14 Jun 2016, 01:49 g7npw, notifications@github.com wrote:

Would this code prevent auto connect to reflector 4400 upon restart? I
only compiled and installed this version of MMDVMHost tonight and notice
now I'm not automatically connecting to 4400 but it will let me connect
manually.

I haven't tried my previous version to confirm yet as it is getting late.
Will test more tomorrow.

Just m pay first observation since upgrading.

Dominic

On 11 Jun 2016, at 9:55 am, hacknix notifications@github.com wrote:

This request provides Access Control support for DMR destination IDs
(including Talkgroups).

This functionality can be enabled and access by four new fields in
MMDVM.ini:

DstIDBlackListSlot1=
DstIDBlackListSlot2=
DstIDWhiteListSlot1=
DstIDWhiteListSlot2=

Each entry represents a comma-separated list of desitnation IDs to
either allow (whitelist) or deny (blacklist).

The implementation of this is consistent with the existing
implementation of the "Blacklist=" configuration option for source IDs.

Added new README.DMR_ACL with the following text:

/start
To use DMR Access Control you can add the following fields to your
MMDVM.ini:

Blacklist=
DstIdBlackListSlot1=
DstIdBlackListSlot2=
DstIdWhiteListSlot1=
DstIdWhiteListSlot2=

So, for example:

DstIdBlackListSlot1=91 - block the TG91 net.

DstIdWhiteSlot1=9.5057,9990 - allows TG9, APRS SMS Gateway and Echo.

If the whitelist is null or commented out, it is disabled.

The whitelist behaves slightly differently on Slot1 than is does on
Slot2.

For Slot1, the whitelist will allow all IDs above 10000 and everything
in the whitelist.

For Slot2, the whitelist will allow all IDs between 4000 and 5000, IDs
above 10000 and everything in the whitelist.

You can use the blacklist with the whitelist if you want to
specifically block IDs within the allowed ranges above.

For example, to block users from disconnecting the reflectors, you
could block ID 4000.

To block users connecting to reflector 4400 you could add ID 4400 to
the blacklist for that slot.

/end

This code has been tested on GB7FR and also by Peter G7RPG and is
working well.

You can view, comment on, or merge this pull request online at:

#90

Commit Summary

Added whitelist and blacklist config
Addedd whitelist and blacklist config
Added blacklist and whitelist for TGs
Merge remote-tracking branch 'upstream/master'
Added blacklist and whitelist options (commented out)
fixed end of non-void
Fixed blacklist/whitelist logic
Logging at blacklist and whitelist initiation
Blacklist/whitelist stuff
Blacklist and whitelist traffic from network
blacklist
fixed typo in blacklist/whitelist logging
Improved acl logging (added dataType)
first draft of readme
Merge remote-tracking branch 'upstream/master'
Added check for null whitelist
Include secondary TGs in default block for TS1 TGs
Tided up logging text for acl
more logging tidying for acl
More blacklist tidying
Merge remote-tracking branch 'upstream/master'
Tidyed comments
File Changes

M Conf.cpp (52)
M Conf.h (8)
M DMRControl.cpp (4)
M DMRControl.h (2)
M DMRSlot.cpp (249)
M DMRSlot.h (9)
M MMDVM.ini (6)
M MMDVMHost.cpp (16)
A README.DMR_ACL (28)
Patch Links:

https://github.com/g4klx/MMDVMHost/pull/90.patch
https://github.com/g4klx/MMDVMHost/pull/90.diff
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.

—
You are receiving this because you commented.

Reply to this email directly, view it on GitHub
#90 (comment), or mute
the thread
https://github.com/notifications/unsubscribe/AQf_4ix8Ew1e-zMVw3AlaPv3C2j1p0SEks5qLfqPgaJpZM4Izgbq
.

A J Corbett

G0WFV

A J Corbett

G0WFV

[g7npw]

Thanks Tony.

I thought it could be a Brandmeister issue but as I'd just updated was worried it could be a bug.

Dominic

On 14 Jun 2016, at 6:08 am, Tony Corbett notifications@github.com wrote:

No the audio connect is something at the master - I've got the same issue
since some point yesterday evening.

On Tue, 14 Jun 2016, 01:49 g7npw, notifications@github.com wrote:

Would this code prevent auto connect to reflector 4400 upon restart? I
only compiled and installed this version of MMDVMHost tonight and notice
now I'm not automatically connecting to 4400 but it will let me connect
manually.

I haven't tried my previous version to confirm yet as it is getting late.
Will test more tomorrow.

Just m pay first observation since upgrading.

Dominic

On 11 Jun 2016, at 9:55 am, hacknix notifications@github.com wrote:

This request provides Access Control support for DMR destination IDs
(including Talkgroups).

This functionality can be enabled and access by four new fields in
MMDVM.ini:

DstIDBlackListSlot1=
DstIDBlackListSlot2=
DstIDWhiteListSlot1=
DstIDWhiteListSlot2=

Each entry represents a comma-separated list of desitnation IDs to
either allow (whitelist) or deny (blacklist).

The implementation of this is consistent with the existing
implementation of the "Blacklist=" configuration option for source IDs.

Added new README.DMR_ACL with the following text:

/start
To use DMR Access Control you can add the following fields to your
MMDVM.ini:

Blacklist=
DstIdBlackListSlot1=
DstIdBlackListSlot2=
DstIdWhiteListSlot1=
DstIdWhiteListSlot2=

So, for example:

DstIdBlackListSlot1=91 - block the TG91 net.

DstIdWhiteSlot1=9.5057,9990 - allows TG9, APRS SMS Gateway and Echo.

If the whitelist is null or commented out, it is disabled.

The whitelist behaves slightly differently on Slot1 than is does on
Slot2.

For Slot1, the whitelist will allow all IDs above 10000 and everything
in the whitelist.

For Slot2, the whitelist will allow all IDs between 4000 and 5000, IDs
above 10000 and everything in the whitelist.

You can use the blacklist with the whitelist if you want to specifically
block IDs within the allowed ranges above.

For example, to block users from disconnecting the reflectors, you could
block ID 4000.

To block users connecting to reflector 4400 you could add ID 4400 to the
blacklist for that slot.

/end

This code has been tested on GB7FR and also by Peter G7RPG and is
working well.

You can view, comment on, or merge this pull request online at:

#90

Commit Summary

Added whitelist and blacklist config
Addedd whitelist and blacklist config
Added blacklist and whitelist for TGs
Merge remote-tracking branch 'upstream/master'
Added blacklist and whitelist options (commented out)
fixed end of non-void
Fixed blacklist/whitelist logic
Logging at blacklist and whitelist initiation
Blacklist/whitelist stuff
Blacklist and whitelist traffic from network
blacklist
fixed typo in blacklist/whitelist logging
Improved acl logging (added dataType)
first draft of readme
Merge remote-tracking branch 'upstream/master'
Added check for null whitelist
Include secondary TGs in default block for TS1 TGs
Tided up logging text for acl
more logging tidying for acl
More blacklist tidying
Merge remote-tracking branch 'upstream/master'
Tidyed comments
File Changes

M Conf.cpp (52)
M Conf.h (8)
M DMRControl.cpp (4)
M DMRControl.h (2)
M DMRSlot.cpp (249)
M DMRSlot.h (9)
M MMDVM.ini (6)
M MMDVMHost.cpp (16)
A README.DMR_ACL (28)
Patch Links:

https://github.com/g4klx/MMDVMHost/pull/90.patch
https://github.com/g4klx/MMDVMHost/pull/90.diff
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.

—
You are receiving this because you commented.

Reply to this email directly, view it on GitHub
#90 (comment), or mute
the thread
https://github.com/notifications/unsubscribe/AQf_4ix8Ew1e-zMVw3AlaPv3C2j1p0SEks5qLfqPgaJpZM4Izgbq
.

A J Corbett

G0WFV
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.

[g7npw]

On 14/06/2016 06:08, Tony Corbett wrote:

No the audio connect is something at the master - I've got the same issue
since some point yesterday evening.

Quick update. Mentioned issue to Jon @ UK BM Master Server in
conversation and he has restored the auto connect. I think he applied an
update in the last day that had disabled it.

Can your code be used to ensure a talk group remains local on the
repeater only? I briefly tried last night but it seemed to prevent TG RF
to RF for me? I only did brief rush test.

Cheers Dom G7NPW

[hacknix]

On 14/06/16 12:11, g7npw wrote:

Can your code be used to ensure a talk group remains local on the
repeater only? I briefly tried last night but it seemed to prevent TG RF
to RF for me? I only did brief rush test.

Hi,

Not in it's current state it will not, but it could be expanded to do
so. Could you expand on your use-case and I will look at it.

73

Simon

[g7npw]

On 14/06/2016 12:26, hacknix wrote:

On 14/06/16 12:11, g7npw wrote:

Can your code be used to ensure a talk group remains local on the
repeater only? I briefly tried last night but it seemed to prevent TG RF
to RF for me? I only did brief rush test.

Hi,

Not in it's current state it will not, but it could be expanded to do
so. Could you expand on your use-case and I will look at it.

73

Simon

I didn't have a specific application at present for it just wondered. I
was going to add TG10 to Slot1 if it did as that is a purely local RF TG
on my system and you just never do know if the network is likely to come
in do you!

I was told TG91 was user activated one day but low and behold the next
week it came on in again so was just going to lock down my specific
requirements.

Cheers Dom G7NPW

[hacknix]

That's precisely the reason I wrote the ACL in the first place. Let me look into it.

On 14 June 2016 13:41:44 BST, g7npw notifications@github.com wrote:

On 14/06/2016 12:26, hacknix wrote:

On 14/06/16 12:11, g7npw wrote:

Can your code be used to ensure a talk group remains local on the
repeater only? I briefly tried last night but it seemed to prevent
TG RF
to RF for me? I only did brief rush test.

Hi,

Not in it's current state it will not, but it could be expanded to do
so. Could you expand on your use-case and I will look at it.

73

Simon

I didn't have a specific application at present for it just wondered. I

was going to add TG10 to Slot1 if it did as that is a purely local RF
TG
on my system and you just never do know if the network is likely to
come
in do you!

I was told TG91 was user activated one day but low and behold the next
week it came on in again so was just going to lock down my specific
requirements.

Cheers Dom G7NPW

---

You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub:
#90 (comment)

Sent from my Android device with K-9 Mail. Please excuse my brevity.