Skip to content


Named ACLs introduce a new way to define Access Control Lists (ACLs) in Asterisk. Unlike traditional ACLs defined in specific module configuration files, Named ACLs can be shared across multiple modules. Named ACLs can also be accessed via the Asterisk Realtime Architecture (ARA), allowing for run-time updates of ACL information that can be retrieved by multiple consumers of ACL information.


Static Configuration

Named ACLs can be defined statically in acl.conf. Each context in acl.conf defines a specific Named ACL, where the name of the context is the name of the ACL. The syntax for each context follows the permit/deny nomenclature used in traditional ACLs defined in a consumer module's configuration file.

Option Value Description
deny IP address [/Mask] An IP address to deny, with an optional subnet mask to apply
permit IP address [/Mask] An IP address to allow, with an optional subnet mask to apply

On This Page


; within acl.conf


Multiple rules can be specified in an ACL as well by chaining deny/permit specifiers.


Named ACLs support common modifiers like templates and additions within configuration as well.



Configuring for IPv6

Named ACLs can use ipv6 addresses just like normal ACLs.

deny = ::/0
permit = ::1/128

permit = fe80::21d:bad:fad:2323

ARA Configuration

The ARA supports Named ACLs using the 'acls' keyword in extconfig.conf.

Example Configuration

;in extconfig.conf
acls => odbc,asterisk,acltable


Column Name Type Description
name varchar(80) Name of the ACL
rule_order integer Order to apply the ACL rule. Rules are applied in ascending order. Rule numbers do not have to be sequential
sense varchar(6) Either 'permit' or 'deny'
rule varchar(95) The IP address/Mask pair to apply


Table Creation Script (PostgreSQL)
 "name" character varying(80) NOT NULL,
 rule_order integer NOT NULL,
 sense character varying(6) NOT NULL,
 "rule" character varying(95) NOT NULL,
 CONSTRAINT aclrulekey PRIMARY KEY (name, rule_order, rule, sense)
ALTER TABLE acltable OWNER TO asterisk;
GRANT ALL ON TABLE acltable TO asterisk;
Table Creation Script (SQLite3)
CREATE TABLE acltable (rule TEXT, sense TEXT, rule_order NUMERIC, name TEXT);


These scripts were generated by pgadmin III and SQLite Database Browser. They might not necessarily apply for your own setup.


Since ACLs are obtained by consumer modules when they are loaded, an ACL updated in an ARA backend will not be propagated automatically to consumers using static configuration. Consumer modules also using ARA for their configuration (such as SIP/IAX2 peers) will similarly be up to date if and only if they have built the peer in question since the changes to the realtime ACL have taken place.

Named ACL Consumers

Named ACLs are supported by the following Asterisk components:

  • Manager (IPv4 and IPv6)
  • chan_sip (IPv4 and IPv6)
  • chan_pjsip (IPv4 and IPv6)
  • chan_iax2 (IPv4 and IPv6)


A consumer of Named ACLs can be configured to use a named ACL using the acl option in their ACL access rules. This can be in addition to the ACL rules traditionally defined in those configuration files.

Example 1: referencing a Named ACL

; within sip.conf

acl=name_of_acl_1 ; an ACL included from acl.conf that matches peer1's commented out permits/denies

Multiple named ACLs can be referenced as well by specifying a comma delineated list of Named ACLs to apply.

Example 2: multiple Named ACL references

; within sip.conf


Similarly, a SIP or IAX2 peer defined in ARA can include an 'acl' column and list the Named ACLs to apply in that column.


Named ACLs can also be defined using multiple instances of the acl keyword. This is discouraged, however, as the order in which ACLs are applied can be less obvious then the comma delineated list format.



ACL Rule Application

Each module consumer of ACL information maintains, for each object that uses the information, a list of the defined ACL rule sets that apply to that object. When an address is evaluated for the particular object, the address is evaluated against each rule. For an address to pass the ACL rules, it must pass each ACL rule set that was defined for that object. Failure of any ACL rule set will result in a rejection of the address.

Module Reloads

ACL information is static once a consumer module references that information. Hence, changes in ACL information in an ARA backend will not automatically update consumers of that information. In order for consumers to receive updated ACL information, the Named ACL component must be reloaded.

The Named ACL component supports module reloads, in the same way as other Asterisk components. When the Named ACL component is reloaded, it will issue a request to all consumers of Named ACLs. Those consumer modules will also be automatically reloaded.


This implies that reloading the Named ACL component will force a reload of manager, chan_sip, etc. Only reload the Named ACL component if you want all consumers of that information to be reloaded as well.