From: Fabio M. Di Nitto <fdinitto@redhat.com>
Date: Fri, 15 Feb 2019 09:57:45 +0000 (+0100)
Subject: [access lists] enable access lists for GENERIC_ACL protocols (udp for example)
X-Git-Tag: v1.10^2~57
X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=fe077a47ad551d6dcc9f136a1f29b2b98b718beb;p=mirror_kronosnet.git

[access lists] enable access lists for GENERIC_ACL protocols (udp for example)

Signed-off-by: Fabio M. Di Nitto <fdinitto@redhat.com>
---

diff --git a/libknet/threads_rx.c b/libknet/threads_rx.c
index 8435d13..833938d 100644
--- a/libknet/threads_rx.c
+++ b/libknet/threads_rx.c
@@ -20,6 +20,7 @@
 #include "crypto.h"
 #include "host.h"
 #include "links.h"
+#include "links_acl.h"
 #include "logging.h"
 #include "transports.h"
 #include "transport_common.h"
@@ -720,6 +721,27 @@ out_pmtud:
 	}
 }
 
+/*
+ * return 0 to reject and 1 to accept a packet
+ */
+static int _generic_filter_packet_by_acl(knet_handle_t knet_h, int sockfd, const struct knet_mmsghdr *msg)
+{
+	switch(transport_get_proto(knet_h, knet_h->knet_transport_fd_tracker[sockfd].transport)) {
+		case LOOPBACK:
+			return 1;
+			break;
+		case IP_PROTO:
+			return ipcheck_validate(&knet_h->knet_transport_fd_tracker[sockfd].match_entry, msg->msg_hdr.msg_name);
+			break;
+		default:
+			break;
+	}
+	/*
+	 * reject by default
+	 */
+	return 0;
+}
+
 static void _handle_recv_from_links(knet_handle_t knet_h, int sockfd, struct knet_mmsghdr *msg)
 {
 	int err, savederrno;
@@ -802,6 +824,28 @@ static void _handle_recv_from_links(knet_handle_t knet_h, int sockfd, struct kne
 				goto exit_unlock;
 				break;
 			case 2: /* packet is data and should be parsed as such */
+				/*
+				 * processing incoming packets vs access lists
+				 */
+				if ((knet_h->use_access_lists) &&
+				    (transport_get_acl_type(knet_h, transport) == USE_GENERIC_ACL)) {
+					if (!_generic_filter_packet_by_acl(knet_h, sockfd, &msg[i])) {
+						char src_ipaddr[KNET_MAX_HOST_LEN];
+						char src_port[KNET_MAX_PORT_LEN];
+
+						memset(src_ipaddr, 0, KNET_MAX_HOST_LEN);
+						memset(src_port, 0, KNET_MAX_PORT_LEN);
+						knet_addrtostr(msg->msg_hdr.msg_name, sockaddr_len(msg->msg_hdr.msg_name),
+							       src_ipaddr, KNET_MAX_HOST_LEN,
+							       src_port, KNET_MAX_PORT_LEN);
+
+						log_debug(knet_h, KNET_SUB_RX, "Packet rejected from %s/%s", src_ipaddr, src_port);
+						/*
+						 * continue processing the other packets
+						 */
+						continue;
+					}
+				}
 				_parse_recv_from_links(knet_h, sockfd, &msg[i]);
 				break;
 		}