diff --git a/libknet/links_acl.c b/libknet/links_acl.c index a941dde0..0b1fcd04 100644 --- a/libknet/links_acl.c +++ b/libknet/links_acl.c @@ -1,65 +1,65 @@ /* * Copyright (C) 2016-2019 Red Hat, Inc. All rights reserved. * * Author: Christine Caulfield * * This software licensed under GPL-2.0+, LGPL-2.0+ */ #include "config.h" #include #include #include #include #include "internals.h" #include "logging.h" #include "transports.h" #include "transport_common.h" #include "links_acl.h" #include "links_acl_ip.h" #include "links_acl_loopback.h" static check_ops_t proto_check_modules_cmds[] = { { TRANSPORT_PROTO_LOOPBACK, loopbackcheck_validate, loopbackcheck_add, loopbackcheck_rm, loopbackcheck_rmall }, { TRANSPORT_PROTO_IP_PROTO, ipcheck_validate, ipcheck_addip, ipcheck_rmip, ipcheck_rmall } }; /* * all those functions will return errno from the * protocol specific functions */ int check_add(knet_handle_t knet_h, int sock, uint8_t transport, - struct sockaddr_storage *ip1, struct sockaddr_storage *ip2, + struct sockaddr_storage *ss1, struct sockaddr_storage *ss2, check_type_t type, check_acceptreject_t acceptreject) { return proto_check_modules_cmds[transport_get_proto(knet_h, transport)].protocheck_add( &knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head, - ip1, ip2, type, acceptreject); + ss1, ss2, type, acceptreject); } int check_rm(knet_handle_t knet_h, int sock, uint8_t transport, - struct sockaddr_storage *ip1, struct sockaddr_storage *ip2, + struct sockaddr_storage *ss1, struct sockaddr_storage *ss2, check_type_t type, check_acceptreject_t acceptreject) { return proto_check_modules_cmds[transport_get_proto(knet_h, transport)].protocheck_rm( &knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head, - ip1, ip2, type, acceptreject); + ss1, ss2, type, acceptreject); } void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport) { proto_check_modules_cmds[transport_get_proto(knet_h, transport)].protocheck_rmall( &knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head); } /* * return 0 to reject and 1 to accept a packet */ int check_validate(knet_handle_t knet_h, int sock, uint8_t transport, struct sockaddr_storage *checkip) { return proto_check_modules_cmds[transport_get_proto(knet_h, transport)].protocheck_validate( &knet_h->knet_transport_fd_tracker[sock].access_list_match_entry_head, checkip); } diff --git a/libknet/links_acl.h b/libknet/links_acl.h index cc4fdaf5..a64faa1d 100644 --- a/libknet/links_acl.h +++ b/libknet/links_acl.h @@ -1,50 +1,50 @@ /* * Copyright (C) 2016-2019 Red Hat, Inc. All rights reserved. * * Author: Christine Caulfield * * This software licensed under GPL-2.0+, LGPL-2.0+ */ #ifndef __KNET_LINKS_ACL_H__ #define __KNET_LINKS_ACL_H__ #include "internals.h" typedef enum { CHECK_TYPE_ADDRESS, CHECK_TYPE_MASK, CHECK_TYPE_RANGE } check_type_t; typedef enum { CHECK_ACCEPT, CHECK_REJECT } check_acceptreject_t; typedef struct { uint8_t transport_proto; int (*protocheck_validate) (void *fd_tracker_match_entry_head, struct sockaddr_storage *checkip); int (*protocheck_add) (void *fd_tracker_match_entry_head, - struct sockaddr_storage *ip1, struct sockaddr_storage *ip2, + struct sockaddr_storage *ss1, struct sockaddr_storage *ss2, check_type_t type, check_acceptreject_t acceptreject); int (*protocheck_rm) (void *fd_tracker_match_entry_head, - struct sockaddr_storage *ip1, struct sockaddr_storage *ip2, + struct sockaddr_storage *ss1, struct sockaddr_storage *ss2, check_type_t type, check_acceptreject_t acceptreject); void (*protocheck_rmall) (void *fd_tracker_match_entry_head); } check_ops_t; int check_add(knet_handle_t knet_h, int sock, uint8_t transport, - struct sockaddr_storage *ip1, struct sockaddr_storage *ip2, + struct sockaddr_storage *ss1, struct sockaddr_storage *ss2, check_type_t type, check_acceptreject_t acceptreject); int check_rm(knet_handle_t knet_h, int sock, uint8_t transport, - struct sockaddr_storage *ip1, struct sockaddr_storage *ip2, + struct sockaddr_storage *ss1, struct sockaddr_storage *ss2, check_type_t type, check_acceptreject_t acceptreject); void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport); int check_validate(knet_handle_t knet_h, int sock, uint8_t transport, struct sockaddr_storage *checkip); #endif diff --git a/libknet/links_acl_ip.c b/libknet/links_acl_ip.c index e72a382f..2682a709 100644 --- a/libknet/links_acl_ip.c +++ b/libknet/links_acl_ip.c @@ -1,300 +1,300 @@ /* * Copyright (C) 2016-2018 Red Hat, Inc. All rights reserved. * * Author: Christine Caulfield * * This software licensed under GPL-2.0+, LGPL-2.0+ */ #include "config.h" #include #include #include #include #include #include #include "internals.h" #include "logging.h" #include "transports.h" #include "links_acl.h" #include "links_acl_ip.h" struct ip_acl_match_entry { check_type_t type; check_acceptreject_t acceptreject; struct sockaddr_storage addr1; /* Actual IP address, mask top or low IP */ struct sockaddr_storage addr2; /* high IP address or address bitmask */ struct ip_acl_match_entry *next; }; /* * s6_addr32 is not defined in BSD userland, only kernel. * definition is the same as linux and it works fine for * what we need. */ #ifndef s6_addr32 #define s6_addr32 __u6_addr.__u6_addr32 #endif /* * IPv4 See if the address we have matches the current match entry */ static int ip_matches_v4(struct sockaddr_storage *checkip, struct ip_acl_match_entry *match_entry) { struct sockaddr_in *ip_to_check; struct sockaddr_in *match1; struct sockaddr_in *match2; ip_to_check = (struct sockaddr_in *)checkip; match1 = (struct sockaddr_in *)&match_entry->addr1; match2 = (struct sockaddr_in *)&match_entry->addr2; switch(match_entry->type) { case CHECK_TYPE_ADDRESS: if (ip_to_check->sin_addr.s_addr == match1->sin_addr.s_addr) return 1; break; case CHECK_TYPE_MASK: if ((ip_to_check->sin_addr.s_addr & match2->sin_addr.s_addr) == match1->sin_addr.s_addr) return 1; break; case CHECK_TYPE_RANGE: if ((ntohl(ip_to_check->sin_addr.s_addr) >= ntohl(match1->sin_addr.s_addr)) && (ntohl(ip_to_check->sin_addr.s_addr) <= ntohl(match2->sin_addr.s_addr))) return 1; break; } return 0; } /* * Compare two IPv6 addresses */ static int ip6addr_cmp(struct in6_addr *a, struct in6_addr *b) { uint64_t a_high, a_low; uint64_t b_high, b_low; a_high = ((uint64_t)htonl(a->s6_addr32[0]) << 32) | (uint64_t)htonl(a->s6_addr32[1]); a_low = ((uint64_t)htonl(a->s6_addr32[2]) << 32) | (uint64_t)htonl(a->s6_addr32[3]); b_high = ((uint64_t)htonl(b->s6_addr32[0]) << 32) | (uint64_t)htonl(b->s6_addr32[1]); b_low = ((uint64_t)htonl(b->s6_addr32[2]) << 32) | (uint64_t)htonl(b->s6_addr32[3]); if (a_high > b_high) return 1; if (a_high < b_high) return -1; if (a_low > b_low) return 1; if (a_low < b_low) return -1; return 0; } /* * IPv6 See if the address we have matches the current match entry */ static int ip_matches_v6(struct sockaddr_storage *checkip, struct ip_acl_match_entry *match_entry) { struct sockaddr_in6 *ip_to_check; struct sockaddr_in6 *match1; struct sockaddr_in6 *match2; int i; ip_to_check = (struct sockaddr_in6 *)checkip; match1 = (struct sockaddr_in6 *)&match_entry->addr1; match2 = (struct sockaddr_in6 *)&match_entry->addr2; switch(match_entry->type) { case CHECK_TYPE_ADDRESS: if (!memcmp(ip_to_check->sin6_addr.s6_addr32, match1->sin6_addr.s6_addr32, sizeof(struct in6_addr))) return 1; break; case CHECK_TYPE_MASK: /* * Note that this little loop will quit early if there is a non-match so the * comparison might look backwards compared to the IPv4 one */ for (i=sizeof(struct in6_addr)/4-1; i>=0; i--) { if ((ip_to_check->sin6_addr.s6_addr32[i] & match2->sin6_addr.s6_addr32[i]) != match1->sin6_addr.s6_addr32[i]) return 0; } return 1; case CHECK_TYPE_RANGE: if ((ip6addr_cmp(&ip_to_check->sin6_addr, &match1->sin6_addr) >= 0) && (ip6addr_cmp(&ip_to_check->sin6_addr, &match2->sin6_addr) <= 0)) return 1; break; } return 0; } int ipcheck_validate(void *fd_tracker_match_entry_head, struct sockaddr_storage *checkip) { struct ip_acl_match_entry **match_entry_head = (struct ip_acl_match_entry **)fd_tracker_match_entry_head; struct ip_acl_match_entry *match_entry = *match_entry_head; int (*match_fn)(struct sockaddr_storage *checkip, struct ip_acl_match_entry *match_entry); if (checkip->ss_family == AF_INET){ match_fn = ip_matches_v4; } else { match_fn = ip_matches_v6; } while (match_entry) { if (match_fn(checkip, match_entry)) { if (match_entry->acceptreject == CHECK_ACCEPT) return 1; else return 0; } match_entry = match_entry->next; } return 0; /* Default reject */ } /* * Routines to manuipulate access lists */ void ipcheck_rmall(void *fd_tracker_match_entry_head) { struct ip_acl_match_entry **match_entry_head = (struct ip_acl_match_entry **)fd_tracker_match_entry_head; struct ip_acl_match_entry *next_match_entry; struct ip_acl_match_entry *match_entry = *match_entry_head; while (match_entry) { next_match_entry = match_entry->next; free(match_entry); match_entry = next_match_entry; } *match_entry_head = NULL; } static struct ip_acl_match_entry *ipcheck_findmatch(struct ip_acl_match_entry **match_entry_head, - struct sockaddr_storage *ip1, struct sockaddr_storage *ip2, + struct sockaddr_storage *ss1, struct sockaddr_storage *ss2, check_type_t type, check_acceptreject_t acceptreject) { struct ip_acl_match_entry *match_entry = *match_entry_head; while (match_entry) { - if ((!memcmp(&match_entry->addr1, ip1, sizeof(struct sockaddr_storage))) && - (!memcmp(&match_entry->addr2, ip2, sizeof(struct sockaddr_storage))) && + if ((!memcmp(&match_entry->addr1, ss1, sizeof(struct sockaddr_storage))) && + (!memcmp(&match_entry->addr2, ss2, sizeof(struct sockaddr_storage))) && (match_entry->type == type) && (match_entry->acceptreject == acceptreject)) { return match_entry; } match_entry = match_entry->next; } return NULL; } int ipcheck_rmip(void *fd_tracker_match_entry_head, - struct sockaddr_storage *ip1, struct sockaddr_storage *ip2, + struct sockaddr_storage *ss1, struct sockaddr_storage *ss2, check_type_t type, check_acceptreject_t acceptreject) { struct ip_acl_match_entry **match_entry_head = (struct ip_acl_match_entry **)fd_tracker_match_entry_head; struct ip_acl_match_entry *next_match_entry = NULL; struct ip_acl_match_entry *rm_match_entry; struct ip_acl_match_entry *match_entry = *match_entry_head; - rm_match_entry = ipcheck_findmatch(match_entry_head, ip1, ip2, type, acceptreject); + rm_match_entry = ipcheck_findmatch(match_entry_head, ss1, ss2, type, acceptreject); if (!rm_match_entry) { errno = ENOENT; return -1; } while (match_entry) { next_match_entry = match_entry->next; /* * we are removing the list head, be careful */ if (rm_match_entry == match_entry) { *match_entry_head = next_match_entry; free(match_entry); break; } /* * the next one is the one we need to remove */ if (rm_match_entry == next_match_entry) { match_entry->next = next_match_entry->next; free(next_match_entry); break; } match_entry = next_match_entry; } return 0; } int ipcheck_addip(void *fd_tracker_match_entry_head, - struct sockaddr_storage *ip1, struct sockaddr_storage *ip2, + struct sockaddr_storage *ss1, struct sockaddr_storage *ss2, check_type_t type, check_acceptreject_t acceptreject) { struct ip_acl_match_entry **match_entry_head = (struct ip_acl_match_entry **)fd_tracker_match_entry_head; struct ip_acl_match_entry *new_match_entry; struct ip_acl_match_entry *match_entry = *match_entry_head; - if (!ip1) { + if (!ss1) { errno = EINVAL; return -1; } - if ((type != CHECK_TYPE_ADDRESS) && (!ip2)) { + if ((type != CHECK_TYPE_ADDRESS) && (!ss2)) { errno = EINVAL; return -1; } if (type == CHECK_TYPE_RANGE && - (ip1->ss_family != ip2->ss_family)) { + (ss1->ss_family != ss2->ss_family)) { errno = EINVAL; return -1; } - if (ipcheck_findmatch(match_entry_head, ip1, ip2, type, acceptreject) != NULL) { + if (ipcheck_findmatch(match_entry_head, ss1, ss2, type, acceptreject) != NULL) { errno = EEXIST; return -1; } new_match_entry = malloc(sizeof(struct ip_acl_match_entry)); if (!new_match_entry) { return -1; } - memmove(&new_match_entry->addr1, ip1, sizeof(struct sockaddr_storage)); - memmove(&new_match_entry->addr2, ip2, sizeof(struct sockaddr_storage)); + memmove(&new_match_entry->addr1, ss1, sizeof(struct sockaddr_storage)); + memmove(&new_match_entry->addr2, ss2, sizeof(struct sockaddr_storage)); new_match_entry->type = type; new_match_entry->acceptreject = acceptreject; new_match_entry->next = NULL; if (match_entry) { /* Find the end of the list */ /* is this OK, or should we use a doubly-linked list or bulk-load API call? */ while (match_entry->next) { match_entry = match_entry->next; } match_entry->next = new_match_entry; } else { /* * first entry in the list */ *match_entry_head = new_match_entry; } return 0; } diff --git a/libknet/links_acl_ip.h b/libknet/links_acl_ip.h index c475db9c..e069b99d 100644 --- a/libknet/links_acl_ip.h +++ b/libknet/links_acl_ip.h @@ -1,27 +1,27 @@ /* * Copyright (C) 2016-2018 Red Hat, Inc. All rights reserved. * * Author: Christine Caulfield * * This software licensed under GPL-2.0+, LGPL-2.0+ */ #ifndef __KNET_LINKS_ACL_IP_H__ #define __KNET_LINKS_ACL_IP_H__ #include "internals.h" #include "links_acl.h" int ipcheck_validate(void *fd_tracker_match_entry_head, struct sockaddr_storage *checkip); int ipcheck_addip(void *fd_tracker_match_entry_head, - struct sockaddr_storage *ip1, struct sockaddr_storage *ip2, + struct sockaddr_storage *ss1, struct sockaddr_storage *ss2, check_type_t type, check_acceptreject_t acceptreject); int ipcheck_rmip(void *fd_tracker_match_entry_head, - struct sockaddr_storage *ip1, struct sockaddr_storage *ip2, + struct sockaddr_storage *ss1, struct sockaddr_storage *ss2, check_type_t type, check_acceptreject_t acceptreject); void ipcheck_rmall(void *fd_tracker_match_entry_head); #endif diff --git a/libknet/links_acl_loopback.c b/libknet/links_acl_loopback.c index 42559f3f..bb691307 100644 --- a/libknet/links_acl_loopback.c +++ b/libknet/links_acl_loopback.c @@ -1,41 +1,41 @@ /* * Copyright (C) 2016-2018 Red Hat, Inc. All rights reserved. * * Author: Christine Caulfield * * This software licensed under GPL-2.0+, LGPL-2.0+ */ #include "config.h" #include #include "internals.h" #include "logging.h" #include "transports.h" #include "links_acl.h" #include "links_acl_loopback.h" int loopbackcheck_validate(void *fd_tracker_match_entry_head, struct sockaddr_storage *checkip) { return 1; } void loopbackcheck_rmall(void *fd_tracker_match_entry_head) { return; } int loopbackcheck_rm(void *fd_tracker_match_entry_head, - struct sockaddr_storage *ip1, struct sockaddr_storage *ip2, + struct sockaddr_storage *ss1, struct sockaddr_storage *ss2, check_type_t type, check_acceptreject_t acceptreject) { return 0; } int loopbackcheck_add(void *fd_tracker_match_entry_head, - struct sockaddr_storage *ip1, struct sockaddr_storage *ip2, + struct sockaddr_storage *ss1, struct sockaddr_storage *ss2, check_type_t type, check_acceptreject_t acceptreject) { return 0; } diff --git a/libknet/links_acl_loopback.h b/libknet/links_acl_loopback.h index 0f862228..73a97049 100644 --- a/libknet/links_acl_loopback.h +++ b/libknet/links_acl_loopback.h @@ -1,27 +1,27 @@ /* * Copyright (C) 2016-2018 Red Hat, Inc. All rights reserved. * * Author: Christine Caulfield * * This software licensed under GPL-2.0+, LGPL-2.0+ */ #ifndef __KNET_LINKS_ACL_LOOPBACK_H__ #define __KNET_LINKS_ACL_LOOPBACK_H__ #include "internals.h" #include "links_acl.h" int loopbackcheck_validate(void *fd_tracker_match_entry_head, struct sockaddr_storage *checkip); int loopbackcheck_add(void *fd_tracker_match_entry_head, - struct sockaddr_storage *ip1, struct sockaddr_storage *ip2, + struct sockaddr_storage *ss1, struct sockaddr_storage *ss2, check_type_t type, check_acceptreject_t acceptreject); int loopbackcheck_rm(void *fd_tracker_match_entry_head, - struct sockaddr_storage *ip1, struct sockaddr_storage *ip2, + struct sockaddr_storage *ss1, struct sockaddr_storage *ss2, check_type_t type, check_acceptreject_t acceptreject); void loopbackcheck_rmall(void *fd_tracker_match_entry_head); #endif