flexnbd-c/src/acl.c

#include <stdlib.h>

#include "util.h"
#include "parse.h"

#include "acl.h"


struct acl * acl_create( int len, char ** lines, int default_deny )
{
	struct acl * acl;

	acl = (struct acl *)xmalloc( sizeof( struct acl ) );
	acl->len = parse_acl( &acl->entries, len, lines );
	acl->default_deny = default_deny;
	return acl;
}


static int testmasks[9] = { 0,128,192,224,240,248,252,254,255 };

/** Test whether AF_INET or AF_INET6 sockaddr is included in the given access
  * control list, returning 1 if it is, and 0 if not.
  */
static int is_included_in_acl(int list_length, struct ip_and_mask (*list)[], union mysockaddr* test)
{
	NULLCHECK( test );

	int i;

	for (i=0; i < list_length; i++) {
		struct ip_and_mask *entry = &(*list)[i];
		int testbits;
		unsigned char *raw_address1, *raw_address2;

		debug("checking acl entry %d (%d/%d)", i, test->generic.sa_family, entry->ip.family);

		if (test->generic.sa_family != entry->ip.family) {
			continue;
		}

		if (test->generic.sa_family == AF_INET) {
			debug("it's an AF_INET");
			raw_address1 = (unsigned char*) &test->v4.sin_addr;
			raw_address2 = (unsigned char*) &entry->ip.v4.sin_addr;
		}
		else if (test->generic.sa_family == AF_INET6) {
			debug("it's an AF_INET6");
			raw_address1 = (unsigned char*) &test->v6.sin6_addr;
			raw_address2 = (unsigned char*) &entry->ip.v6.sin6_addr;
		}
		else {
			fatal( "Can't check an ACL for this address type." );
		}

		debug("testbits=%d", entry->mask);

		for (testbits = entry->mask; testbits > 0; testbits -= 8) {
			debug("testbits=%d, c1=%02x, c2=%02x", testbits, raw_address1[0], raw_address2[0]);
			if (testbits >= 8) {
				if (raw_address1[0] != raw_address2[0]) { goto no_match; }
			}
			else {
				if ((raw_address1[0] & testmasks[testbits%8]) !=
				    (raw_address2[0] & testmasks[testbits%8]) ) {
				    	goto no_match;
				}
			}

			raw_address1++;
			raw_address2++;
		}

		return 1;

		no_match: ;
		debug("no match");
	}

	return 0;
}

int acl_includes( struct acl * acl, union mysockaddr * addr )
{
	NULLCHECK( acl );

	if ( 0 == acl->len ) {
		return !( acl->default_deny );
	}
	else {
		return is_included_in_acl( acl->len, acl->entries, addr );
	}
}

int acl_default_deny( struct acl * acl )
{
	NULLCHECK( acl );
	return acl->default_deny;
}

void acl_destroy( struct acl * acl )
{
	free( acl->entries );
	acl->len = 0;
	acl->entries = NULL;
	free( acl );
}
Pull ACLs into their own struct 2012-06-07 17:47:43 +01:00			`#include <stdlib.h>`

			`#include "util.h"`
			`#include "parse.h"`

			`#include "acl.h"`


			`struct acl * acl_create( int len, char ** lines, int default_deny )`
			`{`
			`struct acl * acl;`

			`acl = (struct acl *)xmalloc( sizeof( struct acl ) );`
			`acl->len = parse_acl( &acl->entries, len, lines );`
			`acl->default_deny = default_deny;`
			`return acl;`
			`}`


			`static int testmasks[9] = { 0,128,192,224,240,248,252,254,255 };`

			`/** Test whether AF_INET or AF_INET6 sockaddr is included in the given access`
			`* control list, returning 1 if it is, and 0 if not.`
			`*/`
			`static int is_included_in_acl(int list_length, struct ip_and_mask (list)[], union mysockaddr test)`
			`{`
			`NULLCHECK( test );`

			`int i;`
Whitespace 2012-06-11 13:05:22 +01:00
Pull ACLs into their own struct 2012-06-07 17:47:43 +01:00			`for (i=0; i < list_length; i++) {`
			`struct ip_and_mask entry = &(list)[i];`
			`int testbits;`
			`unsigned char raw_address1, raw_address2;`
Whitespace 2012-06-11 13:05:22 +01:00
Pull ACLs into their own struct 2012-06-07 17:47:43 +01:00			`debug("checking acl entry %d (%d/%d)", i, test->generic.sa_family, entry->ip.family);`
Whitespace 2012-06-11 13:05:22 +01:00
Pull ACLs into their own struct 2012-06-07 17:47:43 +01:00			`if (test->generic.sa_family != entry->ip.family) {`
			`continue;`
			`}`
Whitespace 2012-06-11 13:05:22 +01:00
Pull ACLs into their own struct 2012-06-07 17:47:43 +01:00			`if (test->generic.sa_family == AF_INET) {`
			`debug("it's an AF_INET");`
			`raw_address1 = (unsigned char*) &test->v4.sin_addr;`
			`raw_address2 = (unsigned char*) &entry->ip.v4.sin_addr;`
			`}`
			`else if (test->generic.sa_family == AF_INET6) {`
			`debug("it's an AF_INET6");`
			`raw_address1 = (unsigned char*) &test->v6.sin6_addr;`
			`raw_address2 = (unsigned char*) &entry->ip.v6.sin6_addr;`
			`}`
Add a 'just in case' error case to acl checking 2012-07-13 10:16:44 +01:00			`else {`
			`fatal( "Can't check an ACL for this address type." );`
			`}`
Whitespace 2012-06-11 13:05:22 +01:00
Pull ACLs into their own struct 2012-06-07 17:47:43 +01:00			`debug("testbits=%d", entry->mask);`
Whitespace 2012-06-11 13:05:22 +01:00
Pull ACLs into their own struct 2012-06-07 17:47:43 +01:00			`for (testbits = entry->mask; testbits > 0; testbits -= 8) {`
			`debug("testbits=%d, c1=%02x, c2=%02x", testbits, raw_address1[0], raw_address2[0]);`
			`if (testbits >= 8) {`
Make sure all ifs are braced 2012-06-11 14:34:17 +01:00			`if (raw_address1[0] != raw_address2[0]) { goto no_match; }`
Pull ACLs into their own struct 2012-06-07 17:47:43 +01:00			`}`
			`else {`
			`if ((raw_address1[0] & testmasks[testbits%8]) !=`
Make sure all ifs are braced 2012-06-11 14:34:17 +01:00			`(raw_address2[0] & testmasks[testbits%8]) ) {`
Pull ACLs into their own struct 2012-06-07 17:47:43 +01:00			`goto no_match;`
Make sure all ifs are braced 2012-06-11 14:34:17 +01:00			`}`
Pull ACLs into their own struct 2012-06-07 17:47:43 +01:00			`}`
Whitespace 2012-06-11 13:05:22 +01:00
Pull ACLs into their own struct 2012-06-07 17:47:43 +01:00			`raw_address1++;`
			`raw_address2++;`
			`}`
Whitespace 2012-06-11 13:05:22 +01:00
Pull ACLs into their own struct 2012-06-07 17:47:43 +01:00			`return 1;`
Whitespace 2012-06-11 13:05:22 +01:00
Pull ACLs into their own struct 2012-06-07 17:47:43 +01:00			`no_match: ;`
			`debug("no match");`
			`}`
Whitespace 2012-06-11 13:05:22 +01:00
Pull ACLs into their own struct 2012-06-07 17:47:43 +01:00			`return 0;`
			`}`

			`int acl_includes( struct acl * acl, union mysockaddr * addr )`
			`{`
			`NULLCHECK( acl );`

			`if ( 0 == acl->len ) {`
			`return !( acl->default_deny );`
Whitespace 2012-06-11 13:05:22 +01:00			`}`
Pull ACLs into their own struct 2012-06-07 17:47:43 +01:00			`else {`
			`return is_included_in_acl( acl->len, acl->entries, addr );`
			`}`
			`}`

Add mboxes 2012-06-27 15:45:33 +01:00			`int acl_default_deny( struct acl * acl )`
			`{`
			`NULLCHECK( acl );`
			`return acl->default_deny;`
			`}`
Pull ACLs into their own struct 2012-06-07 17:47:43 +01:00
			`void acl_destroy( struct acl * acl )`
			`{`
			`free( acl->entries );`
			`acl->len = 0;`
			`acl->entries = NULL;`
			`free( acl );`
			`}`
Whitespace 2012-06-11 13:05:22 +01:00