[access lists] add access lists support to sctp

Signed-off-by: Fabio M. Di Nitto <fdinitto@redhat.com>
kronosnet · May 9, 2019 · d2333aa · d2333aa
1 parent 862446d
commit d2333aa
Showing 1 changed file with 33 additions and 0 deletions.
diff --git a/libknet/transport_sctp.c b/libknet/transport_sctp.c
@@ -19,6 +19,7 @@
 #include "compat.h"
 #include "host.h"
 #include "links.h"
+#include "links_acl.h"
 #include "logging.h"
 #include "common.h"
 #include "transport_common.h"
@@ -728,6 +729,15 @@ static void _handle_incoming_sctp(knet_handle_t knet_h, int listen_sock)
 
 	log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Incoming: received connection from: %s port: %s",
 						addr_str, port_str);
+	if (knet_h->use_access_lists) {
+		if (!ipcheck_validate(&knet_h->knet_transport_fd_tracker[listen_sock].match_entry, &ss)) {
+			savederrno = EINVAL;
+			err = -1;
+			log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Connection rejected from %s/%s", addr_str, port_str);
+			close(new_fd);
+			goto exit_error;
+		}
+	}
 
 	/*
 	 * Keep a track of all accepted FDs
@@ -936,6 +946,11 @@ static sctp_listen_link_info_t *sctp_link_listener_start(knet_handle_t knet_h, s
 	 */
 	knet_list_for_each_entry(info, &handle_info->listen_links_list, list) {
 		if (memcmp(&info->src_address, &kn_link->src_addr, sizeof(struct sockaddr_storage)) == 0) {
+			err = ipcheck_addip(&knet_h->knet_transport_fd_tracker[info->listen_sock].match_entry,
+					    &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
+			if (err) {
+				return NULL;
+			}
 			return info;
 		}
 	}
@@ -990,6 +1005,15 @@ static sctp_listen_link_info_t *sctp_link_listener_start(knet_handle_t knet_h, s
 		goto exit_error;
 	}
 
+	if (ipcheck_addip(&knet_h->knet_transport_fd_tracker[listen_sock].match_entry,
+			  &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) {
+		savederrno = errno;
+		err = -1;
+		log_err(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to configure default access lists: %s",
+			strerror(savederrno));
+		goto exit_error;
+	}
+
 	memset(&ev, 0, sizeof(struct epoll_event));
 	ev.events = EPOLLIN;
 	ev.data.fd = listen_sock;
@@ -1012,6 +1036,8 @@ static sctp_listen_link_info_t *sctp_link_listener_start(knet_handle_t knet_h, s
 		if (info->on_listener_epoll) {
 			epoll_ctl(handle_info->listen_epollfd, EPOLL_CTL_DEL, listen_sock, &ev);
 		}
+		ipcheck_rmip(&knet_h->knet_transport_fd_tracker[listen_sock].match_entry,
+			     &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT);
 		if (listen_sock >= 0) {
 			close(listen_sock);
 		}
@@ -1050,6 +1076,11 @@ static int sctp_link_listener_stop(knet_handle_t knet_h, struct knet_link *kn_li
 		}
 	}
 
+	if (ipcheck_rmip(&knet_h->knet_transport_fd_tracker[info->listen_sock].match_entry,
+			 &kn_link->dst_addr, &kn_link->dst_addr, CHECK_TYPE_ADDRESS, CHECK_ACCEPT)) {
+		log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "Unable to remove default access lists for %d", info->listen_sock);
+	}
+
 	if (found) {
 		this_link_info->listener = NULL;
 		log_debug(knet_h, KNET_SUB_TRANSP_SCTP, "SCTP listener socket %d still in use", info->listen_sock);
@@ -1080,6 +1111,8 @@ static int sctp_link_listener_stop(knet_handle_t knet_h, struct knet_link *kn_li
 		goto exit_error;
 	}
 
+	check_rmall(&knet_h->knet_transport_fd_tracker[info->listen_sock].match_entry);
+
 	close(info->listen_sock);
 
 	for (i=0; i< MAX_ACCEPTED_SOCKS; i++) {