diff --git a/libknet/links_acl.c b/libknet/links_acl.c
index 8592f1f1..cfcc1fd2 100644
--- a/libknet/links_acl.c
+++ b/libknet/links_acl.c
@@ -1,93 +1,95 @@
/*
* Copyright (C) 2016-2019 Red Hat, Inc. All rights reserved.
*
* Author: Christine Caulfield <ccaulfie@redhat.com>
*
* This software licensed under GPL-2.0+, LGPL-2.0+
*/
+#include "config.h"
+
#include <stdint.h>
#include <string.h>
#include <stdlib.h>
#include "internals.h"
#include "logging.h"
#include "transports.h"
#include "transport_common.h"
#include "links_acl.h"
#include "links_acl_ip.h"
int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
check_type_t type, check_acceptreject_t acceptreject)
{
int err = -1;
switch(transport_get_proto(knet_h, transport)) {
case LOOPBACK:
err = 0;
break;
case IP_PROTO:
err = ipcheck_addip((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[sock].match_entry,
ip1, ip2, type, acceptreject);
break;
default:
break;
}
return err;
}
int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
check_type_t type, check_acceptreject_t acceptreject)
{
int err = -1;
switch(transport_get_proto(knet_h, transport)) {
case LOOPBACK:
err = 0;
break;
case IP_PROTO:
err = ipcheck_rmip((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[sock].match_entry,
ip1, ip2, type, acceptreject);
break;
default:
break;
}
return err;
}
void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport)
{
switch(transport_get_proto(knet_h, transport)) {
case LOOPBACK:
return;
break;
case IP_PROTO:
ipcheck_rmall((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[sock].match_entry);
break;
default:
break;
}
}
/*
* return 0 to reject and 1 to accept a packet
*/
int check_validate(knet_handle_t knet_h, int sock, uint8_t transport, struct sockaddr_storage *checkip)
{
switch(transport_get_proto(knet_h, transport)) {
case LOOPBACK:
return 1;
break;
case IP_PROTO:
return ipcheck_validate((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[sock].match_entry, checkip);
break;
default:
break;
}
/*
* reject by default
*/
return 0;
}
diff --git a/libknet/links_acl_ip.c b/libknet/links_acl_ip.c
index 2aef14ba..ffd18a47 100644
--- a/libknet/links_acl_ip.c
+++ b/libknet/links_acl_ip.c
@@ -1,278 +1,280 @@
/*
* Copyright (C) 2016-2018 Red Hat, Inc. All rights reserved.
*
* Author: Christine Caulfield <ccaulfie@redhat.com>
*
* This software licensed under GPL-2.0+, LGPL-2.0+
*/
+#include "config.h"
+
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <stdlib.h>
#include "internals.h"
#include "logging.h"
#include "transports.h"
#include "links_acl.h"
#include "links_acl_ip.h"
/*
* s6_addr32 is not defined in BSD userland, only kernel.
* definition is the same as linux and it works fine for
* what we need.
*/
#ifndef s6_addr32
#define s6_addr32 __u6_addr.__u6_addr32
#endif
/*
* IPv4 See if the address we have matches the current match entry
*/
static int ip_matches_v4(struct sockaddr_storage *checkip, struct acl_match_entry *match_entry)
{
struct sockaddr_in *ip_to_check;
struct sockaddr_in *match1;
struct sockaddr_in *match2;
ip_to_check = (struct sockaddr_in *)checkip;
match1 = (struct sockaddr_in *)&match_entry->addr1;
match2 = (struct sockaddr_in *)&match_entry->addr2;
switch(match_entry->type) {
case CHECK_TYPE_ADDRESS:
if (ip_to_check->sin_addr.s_addr == match1->sin_addr.s_addr)
return 1;
break;
case CHECK_TYPE_MASK:
if ((ip_to_check->sin_addr.s_addr & match2->sin_addr.s_addr) ==
match1->sin_addr.s_addr)
return 1;
break;
case CHECK_TYPE_RANGE:
if ((ntohl(ip_to_check->sin_addr.s_addr) >= ntohl(match1->sin_addr.s_addr)) &&
(ntohl(ip_to_check->sin_addr.s_addr) <= ntohl(match2->sin_addr.s_addr)))
return 1;
break;
}
return 0;
}
/*
* Compare two IPv6 addresses
*/
static int ip6addr_cmp(struct in6_addr *a, struct in6_addr *b)
{
uint64_t a_high, a_low;
uint64_t b_high, b_low;
a_high = ((uint64_t)htonl(a->s6_addr32[0]) << 32) | (uint64_t)htonl(a->s6_addr32[1]);
a_low = ((uint64_t)htonl(a->s6_addr32[2]) << 32) | (uint64_t)htonl(a->s6_addr32[3]);
b_high = ((uint64_t)htonl(b->s6_addr32[0]) << 32) | (uint64_t)htonl(b->s6_addr32[1]);
b_low = ((uint64_t)htonl(b->s6_addr32[2]) << 32) | (uint64_t)htonl(b->s6_addr32[3]);
if (a_high > b_high)
return 1;
if (a_high < b_high)
return -1;
if (a_low > b_low)
return 1;
if (a_low < b_low)
return -1;
return 0;
}
/*
* IPv6 See if the address we have matches the current match entry
*/
static int ip_matches_v6(struct sockaddr_storage *checkip, struct acl_match_entry *match_entry)
{
struct sockaddr_in6 *ip_to_check;
struct sockaddr_in6 *match1;
struct sockaddr_in6 *match2;
int i;
ip_to_check = (struct sockaddr_in6 *)checkip;
match1 = (struct sockaddr_in6 *)&match_entry->addr1;
match2 = (struct sockaddr_in6 *)&match_entry->addr2;
switch(match_entry->type) {
case CHECK_TYPE_ADDRESS:
if (!memcmp(ip_to_check->sin6_addr.s6_addr32, match1->sin6_addr.s6_addr32, sizeof(struct in6_addr)))
return 1;
break;
case CHECK_TYPE_MASK:
/*
* Note that this little loop will quit early if there is a non-match so the
* comparison might look backwards compared to the IPv4 one
*/
for (i=sizeof(struct in6_addr)/4-1; i>=0; i--) {
if ((ip_to_check->sin6_addr.s6_addr32[i] & match2->sin6_addr.s6_addr32[i]) !=
match1->sin6_addr.s6_addr32[i])
return 0;
}
return 1;
case CHECK_TYPE_RANGE:
if ((ip6addr_cmp(&ip_to_check->sin6_addr, &match1->sin6_addr) >= 0) &&
(ip6addr_cmp(&ip_to_check->sin6_addr, &match2->sin6_addr) <= 0))
return 1;
break;
}
return 0;
}
int ipcheck_validate(struct acl_match_entry **match_entry_head, struct sockaddr_storage *checkip)
{
struct acl_match_entry *match_entry = *match_entry_head;
int (*match_fn)(struct sockaddr_storage *checkip, struct acl_match_entry *match_entry);
if (checkip->ss_family == AF_INET){
match_fn = ip_matches_v4;
} else {
match_fn = ip_matches_v6;
}
while (match_entry) {
if (match_fn(checkip, match_entry)) {
if (match_entry->acceptreject == CHECK_ACCEPT)
return 1;
else
return 0;
}
match_entry = match_entry->next;
}
return 0; /* Default reject */
}
/*
* Routines to manuipulate access lists
*/
void ipcheck_rmall(struct acl_match_entry **match_entry_head)
{
struct acl_match_entry *next_match_entry;
struct acl_match_entry *match_entry = *match_entry_head;
while (match_entry) {
next_match_entry = match_entry->next;
free(match_entry);
match_entry = next_match_entry;
}
*match_entry_head = NULL;
}
static struct acl_match_entry *ipcheck_findmatch(struct acl_match_entry **match_entry_head,
struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
check_type_t type, check_acceptreject_t acceptreject)
{
struct acl_match_entry *match_entry = *match_entry_head;
while (match_entry) {
if ((!memcmp(&match_entry->addr1, ip1, sizeof(struct sockaddr_storage))) &&
(!memcmp(&match_entry->addr2, ip2, sizeof(struct sockaddr_storage))) &&
(match_entry->type == type) &&
(match_entry->acceptreject == acceptreject)) {
return match_entry;
}
match_entry = match_entry->next;
}
return NULL;
}
int ipcheck_rmip(struct acl_match_entry **match_entry_head,
struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
check_type_t type, check_acceptreject_t acceptreject)
{
struct acl_match_entry *next_match_entry = NULL;
struct acl_match_entry *rm_match_entry;
struct acl_match_entry *match_entry = *match_entry_head;
rm_match_entry = ipcheck_findmatch(match_entry_head, ip1, ip2, type, acceptreject);
if (!rm_match_entry) {
return -1;
}
while (match_entry) {
next_match_entry = match_entry->next;
/*
* we are removing the list head, be careful
*/
if (rm_match_entry == match_entry) {
*match_entry_head = next_match_entry;
free(match_entry);
break;
}
/*
* the next one is the one we need to remove
*/
if (rm_match_entry == next_match_entry) {
match_entry->next = next_match_entry->next;
free(next_match_entry);
break;
}
match_entry = next_match_entry;
}
return 0;
}
int ipcheck_addip(struct acl_match_entry **match_entry_head,
struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
check_type_t type, check_acceptreject_t acceptreject)
{
struct acl_match_entry *new_match_entry;
struct acl_match_entry *match_entry = *match_entry_head;
if (!ip1) {
return -1;
}
if ((type != CHECK_TYPE_ADDRESS) && (!ip2)) {
return -1;
}
if (type == CHECK_TYPE_RANGE &&
(ip1->ss_family != ip2->ss_family))
return -1;
if (ipcheck_findmatch(match_entry_head, ip1, ip2, type, acceptreject) != NULL) {
return -1;
}
new_match_entry = malloc(sizeof(struct acl_match_entry));
if (!new_match_entry)
return -1;
memmove(&new_match_entry->addr1, ip1, sizeof(struct sockaddr_storage));
memmove(&new_match_entry->addr2, ip2, sizeof(struct sockaddr_storage));
new_match_entry->type = type;
new_match_entry->acceptreject = acceptreject;
new_match_entry->next = NULL;
if (match_entry) {
/* Find the end of the list */
/* is this OK, or should we use a doubly-linked list or bulk-load API call? */
while (match_entry->next) {
match_entry = match_entry->next;
}
match_entry->next = new_match_entry;
} else {
/*
* first entry in the list
*/
*match_entry_head = new_match_entry;
}
return 0;
}
diff --git a/libknet/tests/Makefile.am b/libknet/tests/Makefile.am
index d46553a5..2f222939 100644
--- a/libknet/tests/Makefile.am
+++ b/libknet/tests/Makefile.am
@@ -1,91 +1,92 @@
#
# Copyright (C) 2016-2019 Red Hat, Inc. All rights reserved.
#
# Authors: Fabio M. Di Nitto <fabbione@kronosnet.org>
#
# This software licensed under GPL-2.0+, LGPL-2.0+
#
MAINTAINERCLEANFILES = Makefile.in
include $(top_srcdir)/build-aux/check.mk
include $(top_srcdir)/libknet/tests/api-check.mk
EXTRA_DIST = \
api-test-coverage \
api-check.mk \
int_links_acl.txt
AM_CPPFLAGS = -I$(top_srcdir)/libknet
AM_CFLAGS += $(PTHREAD_CFLAGS)
LIBS = $(top_builddir)/libknet/libknet.la \
$(PTHREAD_LIBS) $(dl_LIBS)
noinst_HEADERS = \
test-common.h
# the order of those tests is NOT random.
# some functions can only be tested properly after some dependents
# API have been validated upfront.
check_PROGRAMS = \
$(api_checks) \
$(int_checks) \
$(fun_checks)
int_checks = \
int_timediff_test
fun_checks =
benchmarks = \
knet_bench_test
# int_links_acl_test canĀ“t run yet standalone
noinst_PROGRAMS = \
api_knet_handle_new_limit_test \
pckt_test \
int_links_acl_test \
$(benchmarks) \
$(check_PROGRAMS)
noinst_SCRIPTS = \
api-test-coverage
TESTS = $(check_PROGRAMS)
if INSTALL_TESTS
testsuitedir = $(TESTDIR)
testsuite_PROGRAMS = $(noinst_PROGRAMS)
endif
check-local: check-api-test-coverage
check-api-test-coverage:
chmod u+x $(top_srcdir)/libknet/tests/api-test-coverage
$(top_srcdir)/libknet/tests/api-test-coverage $(top_srcdir) $(top_builddir)
pckt_test_SOURCES = pckt_test.c
int_links_acl_test_SOURCES = int_links_acl.c \
../common.c \
+ ../compat.c \
../logging.c \
../netutils.c \
../threads_common.c \
../transports.c \
../transport_common.c \
../transport_loopback.c \
../transport_sctp.c \
../transport_udp.c \
../links_acl.c \
../links_acl_ip.c
int_timediff_test_SOURCES = int_timediff.c
knet_bench_test_SOURCES = knet_bench.c \
test-common.c \
../common.c \
../logging.c \
../compat.c \
../transport_common.c \
../threads_common.c
diff --git a/libknet/tests/int_links_acl.c b/libknet/tests/int_links_acl.c
index 8d9f4e06..05bd829f 100644
--- a/libknet/tests/int_links_acl.c
+++ b/libknet/tests/int_links_acl.c
@@ -1,209 +1,211 @@
/*
* Copyright (C) 2016-2019 Red Hat, Inc. All rights reserved.
*
* Author: Christine Caulfield <ccaulfie@redhat.com>
*
* This software licensed under GPL-2.0+, LGPL-2.0+
*/
+#include "config.h"
+
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include "internals.h"
#include "links_acl.h"
#include "links_acl_ip.h"
static struct acl_match_entry *match_entry_v4;
static struct acl_match_entry *match_entry_v6;
/* This is a test program .. remember! */
#define BUFLEN 1024
static int get_ipaddress(char *buf, struct sockaddr_storage *addr)
{
struct addrinfo *info;
struct addrinfo hints;
int res;
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_UNSPEC;
res = getaddrinfo(buf, NULL, &hints, &info);
if (!res) {
memmove(addr, info->ai_addr, info->ai_addrlen);
freeaddrinfo(info);
}
return res;
}
static int read_address(char *buf, struct sockaddr_storage *addr)
{
return get_ipaddress(buf, addr);
}
static int read_mask(char *buf, struct sockaddr_storage *addr, struct sockaddr_storage *addr2)
{
char tmpbuf[BUFLEN];
char *slash;
int ret;
slash = strchr(buf, '/');
if (!slash)
return 1;
strncpy(tmpbuf, buf, slash-buf);
tmpbuf[slash-buf] = '\0';
ret = get_ipaddress(tmpbuf, addr);
if (ret)
return ret;
ret = get_ipaddress(slash+1, addr2);
if (ret)
return ret;
return 0;
}
static int read_range(char *buf, struct sockaddr_storage *addr1, struct sockaddr_storage *addr2)
{
char tmpbuf[BUFLEN];
char *hyphen;
int ret;
hyphen = strchr(buf, '-');
if (!hyphen)
return 1;
strncpy(tmpbuf, buf, hyphen-buf);
tmpbuf[hyphen-buf] = '\0';
ret = get_ipaddress(tmpbuf, addr1);
if (ret)
return ret;
ret = get_ipaddress(hyphen+1, addr2);
if (ret)
return ret;
return 0;
}
static int load_file(void)
{
FILE *filterfile;
char filebuf[BUFLEN];
int line = 0;
int ret;
check_type_t type;
check_acceptreject_t acceptreject;
struct sockaddr_storage addr1;
struct sockaddr_storage addr2;
ipcheck_rmall(&match_entry_v4);
ipcheck_rmall(&match_entry_v6);
filterfile = fopen("int_links_acl.txt", "r");
if (!filterfile) {
fprintf(stderr, "Cannot open int_links_acl.txt\n");
return 1;
}
while (fgets(filebuf, sizeof(filebuf), filterfile)) {
filebuf[strlen(filebuf)-1] = '\0'; /* remove trailing LF */
line++;
/*
* First char is A (accept) or R (Reject)
*/
switch(filebuf[0] & 0x5F) {
case 'A':
acceptreject = CHECK_ACCEPT;
break;
case 'R':
acceptreject = CHECK_REJECT;
break;
default:
fprintf(stderr, "Unknown record type on line %d: %s\n", line, filebuf);
goto next_record;
}
/*
* Second char is the filter type:
* A Address
* M Mask
* R Range
*/
switch(filebuf[1] & 0x5F) {
case 'A':
type = CHECK_TYPE_ADDRESS;
ret = read_address(filebuf+2, &addr1);
break;
case 'M':
type = CHECK_TYPE_MASK;
ret = read_mask(filebuf+2, &addr1, &addr2);
break;
case 'R':
type = CHECK_TYPE_RANGE;
ret = read_range(filebuf+2, &addr1, &addr2);
break;
default:
fprintf(stderr, "Unknown filter type on line %d: %s\n", line, filebuf);
goto next_record;
break;
}
if (ret) {
fprintf(stderr, "Failed to parse address on line %d: %s\n", line, filebuf);
}
else {
if (addr1.ss_family == AF_INET) {
ipcheck_addip(&match_entry_v4, &addr1, &addr2, type, acceptreject);
} else {
ipcheck_addip(&match_entry_v6, &addr1, &addr2, type, acceptreject);
}
}
next_record: {} /* empty statement to mollify the compiler */
}
fclose(filterfile);
return 0;
}
int main(int argc, char *argv[])
{
struct sockaddr_storage saddr;
struct acl_match_entry *match_entry;
int ret;
int i;
if (load_file())
return 1;
for (i=1; i<argc; i++) {
ret = get_ipaddress(argv[i], &saddr);
if (ret) {
fprintf(stderr, "Cannot parse address %s\n", argv[i]);
} else {
if (saddr.ss_family == AF_INET) {
match_entry = match_entry_v4;
} else {
match_entry = match_entry_v6;
}
if (ipcheck_validate(&match_entry, &saddr)) {
printf("%s is VALID\n", argv[i]);
} else {
printf("%s is not allowed\n", argv[i]);
}
}
}
ipcheck_rmall(&match_entry_v4);
ipcheck_rmall(&match_entry_v6);
return 0;
}