/
links_acl.c
137 lines (123 loc) · 3.2 KB
/
links_acl.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
/*
* Copyright (C) 2016-2018 Red Hat, Inc. All rights reserved.
*
* Author: Christine Caulfield <ccaulfie@redhat.com>
*
* This software licensed under GPL-2.0+, LGPL-2.0+
*/
#include <stdint.h>
#include <string.h>
#include <stdlib.h>
#include "internals.h"
#include "logging.h"
#include "transports.h"
#include "transport_common.h"
#include "links_acl.h"
#include "links_acl_ip.h"
int check_add(knet_handle_t knet_h, int sock, uint8_t transport,
struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
check_type_t type, check_acceptreject_t acceptreject)
{
int err = -1;
switch(transport_get_proto(knet_h, transport)) {
case LOOPBACK:
err = 0;
break;
case IP_PROTO:
err = ipcheck_addip((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[sock].match_entry,
ip1, ip2, type, acceptreject);
break;
default:
break;
}
return err;
}
int check_rm(knet_handle_t knet_h, int sock, uint8_t transport,
struct sockaddr_storage *ip1, struct sockaddr_storage *ip2,
check_type_t type, check_acceptreject_t acceptreject)
{
int err = -1;
switch(transport_get_proto(knet_h, transport)) {
case LOOPBACK:
err = 0;
break;
case IP_PROTO:
err = ipcheck_rmip((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[sock].match_entry,
ip1, ip2, type, acceptreject);
break;
default:
break;
}
return err;
}
void check_rmall(knet_handle_t knet_h, int sock, uint8_t transport)
{
switch(transport_get_proto(knet_h, transport)) {
case LOOPBACK:
return;
break;
case IP_PROTO:
ipcheck_rmall((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[sock].match_entry);
break;
default:
break;
}
}
int _link_add_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
{
int err = -1;
switch(transport_get_proto(knet_h, kh_link->transport_type)) {
case LOOPBACK:
/*
* loopback does not require access lists
*/
err = 0;
break;
case IP_PROTO:
err = ipcheck_addip((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[kh_link->outsock].match_entry,
&kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
break;
default:
break;
}
return err;
}
int _link_rm_default_acl(knet_handle_t knet_h, struct knet_link *kh_link)
{
int err = -1;
switch(transport_get_proto(knet_h, kh_link->transport_type)) {
case LOOPBACK:
/*
* loopback does not require access lists
*/
err = 0;
break;
case IP_PROTO:
err = ipcheck_rmip((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[kh_link->outsock].match_entry,
&kh_link->dst_addr, &kh_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
break;
default:
break;
}
return err;
}
/*
* * return 0 to reject and 1 to accept a packet
* */
int _generic_filter_packet_by_acl(knet_handle_t knet_h, int sockfd, struct sockaddr_storage *checkip)
{
switch(transport_get_proto(knet_h, knet_h->knet_transport_fd_tracker[sockfd].transport)) {
case LOOPBACK:
return 1;
break;
case IP_PROTO:
return ipcheck_validate((struct acl_match_entry **)&knet_h->knet_transport_fd_tracker[sockfd].match_entry, checkip);
break;
default:
break;
}
/*
* reject by default
*/
return 0;
}