Commit 3b09de0

fix(sip): extend identify hostname resolver to additionalHosts, harden trust gate
- m_SipHosts.address now accepts hostnames in addition to IP/CIDR literals; resolution flows through the same WorkerSipDnsResolver + Redis cache as provider.host. IptablesConf::addAdditionalFirewallRules reads the same cache so identify trust and firewall trust stay consistent for hostname rows. getSipHostsBuckets returns {ips,hostnames} split; legacy getSipHosts() kept as flat shape for 3rd-party module compat.
- Reject /0 wildcard CIDR (0.0.0.0/0, ::/0) at all ingress points — the previous string-equality guard was bypassable via /00, /+0, /-0, /0x0 (filter_var did NOT validate the prefix, only the IP half). Switched to IpAddressHelper::normalizeCidr which parses prefix as a strict decimal int and enforces the per-version range.
- IpAddressHelper::isPublicIp now explicitly rejects CGNAT (100.64/10, RFC 6598), multicast (224.0.0.0/4), TEST-NET-{1,2,3} for IPv4; and Benchmarking (2001:2::/48), ORCHIDv1 (2001:10::/28) and ORCHIDv2 (2001:20::/28) for IPv6. PHP filter flags FILTER_FLAG_NO_PRIV_RANGE | NO_RES_RANGE do not cover these.
- Symmetric structural gate (isAcceptableAdditionalHost) applied to provider.host, outbound_proxy and additionalHosts: single-label hostnames, host:port shapes, SRV-prefixed labels, bracketed-IPv6 with garbage all fail at schema validation as HTTP 422 instead of dropping silently in updateAdditionalHosts or throwing HTTP 500 deep inside executeInTransaction.
- maxLength=253 on host and additionalHosts.address (RFC 1035 limit; symmetric with isValidHostname strlen gate).
- OpenAPI pattern for host requires at least one '.' or ':' so single-label hosts surface as schema 422.
- stripIpv6Brackets shared helper normalises copy-paste-from-SIP-URI input ([2001:db8::1] -> 2001:db8::1) consistently across all ingress paths.
- Resolved-IP cache invalidated post-save when a hostname is dropped from provider.host or outbound_proxy (orphan cache prevention) — runs AFTER \$sip->save() so the orphan-check reads committed DB state.
- DNS warmup runs once per save batch with a 3-second wall-clock budget shared across all hostnames (provider.host, outbound_proxy, m_SipHosts). Gated by \$touchedHostFields so PATCHes of unrelated columns skip the cost. warmupShutdownRegistered de-dupes register_shutdown_function so long-running WorkerApiCommands does not accumulate closures linearly with save count.
- DnsResolver::resolveBatch short-circuits when caller passes timeoutSec=0 (shared budget already exhausted) — no proc_open/fork/exec churn.
- m_SipHosts rows that fail validation (stale data from pre-validation DB writes) are logged once-per-process with SIP-IDENT-DROP prefix to surface in syslog without flooding on every regen.

UI tooltip on the Additional Hosts table surfaces the DNS-trust caveat: hostnames are resolved through the configured DNS, so a compromised resolver can inject IPs into the identify whitelist — admin should pin critical providers to IP/CIDR directly. Translation key pr_AdditionalHostsTooltip_trust added in Russian and propagated to all 28 locale files.

Tests: SIPConfTest gains 321 lines covering getSipHostsBuckets, flattenBucketsToLegacyShape, isValidHostname, isAcceptableAdditionalHost (including the /0 wildcard rejection), stripIpv6Brackets, and the hostname-warmup cold-cache degradation path. DnsResolverTest covers the timeoutSec=0 short-circuit.
1 parent 8dee0ab commit 3b09de0

37 files changed

Lines changed: 1526 additions & 209 deletions

sites/admin-cabinet/assets/js/pbx/Providers/provider-sip-tooltip-manager.js

Lines changed: 5 additions & 2 deletions

sites/admin-cabinet/assets/js/src/Providers/provider-sip-tooltip-manager.js

Lines changed: 4 additions & 1 deletion
@@ -385,7 +385,10 @@ class ProviderSipTooltipManager extends ProviderTooltipManager {
385385
globalTranslate.pr_AdditionalHostsTooltip_format_subnet,
386386
globalTranslate.pr_AdditionalHostsTooltip_format_domain
387387
],
388-
note: globalTranslate.pr_AdditionalHostsTooltip_important
388+
note: globalTranslate.pr_AdditionalHostsTooltip_important,
389+
warning: {
390+
text: globalTranslate.pr_AdditionalHostsTooltip_trust
391+
}
389392
};
390393
}
391394
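Review bot: `warning` at new lines 389-391 is an object with a `text` field while the adjacent `note` is a bare string, and nothing in this hunk shows the tooltip builder reading `warning.text`; confirm that the base `ProviderTooltipManager` renders that shape, otherwise the DNS-trust caveat never reaches the admin. The compiled copy under `assets/js/pbx/` is not rendered on this page (5 additions & 2 deletions there against 4 & 1 here), so check that it was regenerated from this source rather than edited by hand.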

src/Common/Messages/az/Providers.php

Lines changed: 1 addition & 0 deletions
@@ -59,6 +59,7 @@
5959
'pr_AdditionalHostsTooltip_formats' => 'Formatlar',
6060
'pr_AdditionalHostsTooltip_header' => 'Provayderin əlavə ünvanları',
6161
'pr_AdditionalHostsTooltip_important' => 'Vacib: yalnız gələn zənglərin identifikasiyası üçün istifadə olunur, gedən balanslaşdırma üçün DEYİL',
62+
'pr_AdditionalHostsTooltip_trust' => 'Domen adları sizin DNS serveriniz vasitəsilə həll edilir; əgər bu DNS təcavüzkarın nəzarəti altındadırsa, onun IP-ləri whitelist-ə düşə bilər. Kritik provayderlər üçün birbaşa IP/şəbəkə göstərin.',
6263
'pr_AdditionalHostsTooltip_purpose_id' => 'Provayderdən gələn zənglərin identifikasiyası',
6364
'pr_AdditionalHostsTooltip_purpose_multi' => 'Çoxlu serveri olan provayderlərin dəstəyi',
6465
'pr_AdditionalHostsTooltip_purpose_security' => 'IP whitelist vasitəsilə təhlükəsizlik',

src/Common/Messages/cs/Providers.php

Lines changed: 1 addition & 0 deletions
@@ -59,6 +59,7 @@
5959
'pr_AdditionalHostsTooltip_formats' => 'Formáty',
6060
'pr_AdditionalHostsTooltip_header' => 'Další adresy poskytovatele',
6161
'pr_AdditionalHostsTooltip_important' => 'Důležité: používají se pouze pro identifikaci příchozích hovorů, NE pro vyvažování odchozích',
62+
'pr_AdditionalHostsTooltip_trust' => 'Doménová jména jsou překládána přes váš DNS server; pokud je tento DNS pod kontrolou útočníka, jeho IP adresy se mohou dostat do whitelistu. U kritických poskytovatelů uvádějte IP/podsíť přímo.',
6263
'pr_AdditionalHostsTooltip_purpose_id' => 'Identifikace příchozích hovorů od poskytovatele',
6364
'pr_AdditionalHostsTooltip_purpose_multi' => 'Podpora poskytovatelů s více servery',
6465
'pr_AdditionalHostsTooltip_purpose_security' => 'Bezpečnost prostřednictvím IP whitelist',

src/Common/Messages/da/Providers.php

Lines changed: 1 addition & 0 deletions
@@ -59,6 +59,7 @@
5959
'pr_AdditionalHostsTooltip_formats' => 'Formater',
6060
'pr_AdditionalHostsTooltip_header' => 'Yderligere udbyderadresser',
6161
'pr_AdditionalHostsTooltip_important' => 'Vigtigt: bruges kun til identifikation af indgående opkald, IKKE til lastbalancering af udgående',
62+
'pr_AdditionalHostsTooltip_trust' => 'Domænenavne opløses via din DNS-server; hvis denne DNS er under en angribers kontrol, kan deres IP\'er ende på whitelisten. For kritiske udbydere skal du angive IP/undernet direkte.',
6263
'pr_AdditionalHostsTooltip_purpose_id' => 'Identifikation af indgående opkald fra udbyder',
6364
'pr_AdditionalHostsTooltip_purpose_multi' => 'Understøttelse af udbydere med flere servere',
6465
'pr_AdditionalHostsTooltip_purpose_security' => 'Sikkerhed gennem IP whitelist',

src/Common/Messages/de/Providers.php

Lines changed: 1 addition & 0 deletions
@@ -59,6 +59,7 @@
5959
'pr_AdditionalHostsTooltip_formats' => 'Formate',
6060
'pr_AdditionalHostsTooltip_header' => 'Zusätzliche Provider-Adressen',
6161
'pr_AdditionalHostsTooltip_important' => 'Wichtig: nur zur Identifizierung eingehender Anrufe verwendet, NICHT für Lastverteilung ausgehender',
62+
'pr_AdditionalHostsTooltip_trust' => 'Domainnamen werden über Ihren DNS-Server aufgelöst; befindet sich dieser DNS unter Kontrolle eines Angreifers, können dessen IPs in die Whitelist gelangen. Geben Sie für kritische Anbieter IP/Subnetz direkt an.',
6263
'pr_AdditionalHostsTooltip_purpose_id' => 'Identifizierung eingehender Anrufe vom Provider',
6364
'pr_AdditionalHostsTooltip_purpose_multi' => 'Unterstützung von Providern mit mehreren Servern',
6465
'pr_AdditionalHostsTooltip_purpose_security' => 'Sicherheit durch IP-Whitelist',
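Review bot: new line 62 says 'Anbieter' where the neighbouring strings in this file say 'Provider' ('Provider-Adressen', 'vom Provider', 'von Providern'); use 'für kritische Provider' so the security warning refers to the same thing as the rest of the tooltip.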

src/Common/Messages/el/Providers.php

Lines changed: 1 addition & 0 deletions
@@ -59,6 +59,7 @@
5959
'pr_AdditionalHostsTooltip_formats' => 'Μορφές',
6060
'pr_AdditionalHostsTooltip_header' => 'Πρόσθετες διευθύνσεις παρόχου',
6161
'pr_AdditionalHostsTooltip_important' => 'Σημαντικό: χρησιμοποιούνται μόνο για αναγνώριση εισερχόμενων κλήσεων, ΟΧΙ για εξισορρόπηση εξερχόμενων',
62+
'pr_AdditionalHostsTooltip_trust' => 'Τα ονόματα τομέα επιλύονται μέσω του DNS διακομιστή σας· αν αυτός ο DNS είναι υπό έλεγχο επιτιθέμενου, οι IP του μπορεί να καταλήξουν στη whitelist. Για κρίσιμους παρόχους ορίστε απευθείας IP/υποδίκτυο.',
6263
'pr_AdditionalHostsTooltip_purpose_id' => 'Αναγνώριση εισερχόμενων κλήσεων από πάροχο',
6364
'pr_AdditionalHostsTooltip_purpose_multi' => 'Υποστήριξη παρόχων με πολλαπλούς διακομιστές',
6465
'pr_AdditionalHostsTooltip_purpose_security' => 'Ασφάλεια μέσω IP whitelist',

src/Common/Messages/en/Providers.php

Lines changed: 1 addition & 0 deletions
@@ -76,6 +76,7 @@
7676
'pr_AdditionalHostsTooltip_formats' => 'Formats',
7777
'pr_AdditionalHostsTooltip_header' => 'Additional provider addresses',
7878
'pr_AdditionalHostsTooltip_important' => 'Important: used only for identifying incoming calls, NOT for outbound load balancing',
79+
'pr_AdditionalHostsTooltip_trust' => 'Domain names are resolved via your DNS server; if this DNS is under attacker control, their IPs may end up in the whitelist. For critical providers specify IP/subnet directly.',
7980
'pr_AdditionalHostsTooltip_purpose_id' => 'Identification of incoming calls from provider',
8081
'pr_AdditionalHostsTooltip_purpose_multi' => 'Support for providers with multiple servers',
8182
'pr_AdditionalHostsTooltip_purpose_security' => 'Security through IP whitelist',
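Review bot: the string at new line 79 names only the whitelist, but the commit message states that `IptablesConf::addAdditionalFirewallRules` reads the same resolved-IP cache, so an address returned by a compromised resolver also ends up in the firewall rules. Consider 'may end up in the whitelist and the firewall rules', and replace 'their IPs' with 'the attacker's IPs' so the antecedent is unambiguous; the other locale strings would need the same change.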

src/Common/Messages/es/Providers.php

Lines changed: 1 addition & 0 deletions
@@ -59,6 +59,7 @@
5959
'pr_AdditionalHostsTooltip_formats' => 'Formatos',
6060
'pr_AdditionalHostsTooltip_header' => 'Direcciones adicionales del proveedor',
6161
'pr_AdditionalHostsTooltip_important' => 'Importante: se usan solo para identificación de llamadas entrantes, NO para balanceo de llamadas salientes',
62+
'pr_AdditionalHostsTooltip_trust' => 'Los nombres de dominio se resuelven mediante su servidor DNS; si dicho DNS está bajo el control de un atacante, sus IPs pueden acabar en la whitelist. Para proveedores críticos indique IP/subred directamente.',
6263
'pr_AdditionalHostsTooltip_purpose_id' => 'Identificación de llamadas entrantes del proveedor',
6364
'pr_AdditionalHostsTooltip_purpose_multi' => 'Soporte de proveedores con múltiples servidores',
6465
'pr_AdditionalHostsTooltip_purpose_security' => 'Seguridad a través de lista blanca de IP',
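Review bot: new line 62 leaves 'whitelist' untranslated while `pr_AdditionalHostsTooltip_purpose_security` three lines below uses 'lista blanca de IP'; use 'lista blanca' in the new string so the warning and the purpose text name the same control.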

src/Common/Messages/fi/Providers.php

Lines changed: 1 addition & 0 deletions
@@ -59,6 +59,7 @@
5959
'pr_AdditionalHostsTooltip_formats' => 'Muodot',
6060
'pr_AdditionalHostsTooltip_header' => 'Palveluntarjoajan lisäosoitteet',
6161
'pr_AdditionalHostsTooltip_important' => 'Tärkeää: käytetään vain saapuvien puhelujen tunnistamiseen, EI lähtevien kuormantasaukseen',
62+
'pr_AdditionalHostsTooltip_trust' => 'Verkkotunnukset resolvoidaan DNS-palvelimesi kautta; jos kyseinen DNS on hyökkääjän hallinnassa, hänen IP-osoitteensa voivat päätyä sallittujen luetteloon. Kriittisille palveluntarjoajille määritä IP/aliverkko suoraan.',
6263
'pr_AdditionalHostsTooltip_purpose_id' => 'Saapuvien puhelujen tunnistus palveluntarjoajalta',
6364
'pr_AdditionalHostsTooltip_purpose_multi' => 'Useita palvelimia omaavien palveluntarjoajien tuki',
6465
'pr_AdditionalHostsTooltip_purpose_security' => 'Turvallisuus IP-valkolistan kautta',
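Review bot: new line 62 calls the list 'sallittujen luetteloon' while `pr_AdditionalHostsTooltip_purpose_security` three lines below calls it 'IP-valkolistan'; pick one term for both strings so an admin reading the tooltip can tell that the warning is about the same list.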
