[fwd] / acl.c

/* -*-c-*-
 *
 * Access control list handling
 *
 * (c) 1999 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------* 
 *
 * This file is part of the `fw' port forwarder.
 *
 * `fw' is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 * 
 * `fw' is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 * 
 * You should have received a copy of the GNU General Public License
 * along with `fw'; if not, write to the Free Software Foundation,
 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 */

/*----- Header files ------------------------------------------------------*/

#include "config.h"

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <sys/types.h>
#include <unistd.h>

#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#include <mLib/sub.h>

#include "acl.h"

/*----- Main code ---------------------------------------------------------*/

/* --- @acl_addhost@ --- *
 *
 * Arguments:	@acl_entry ***a@ = address of pointer to list tail
 *		@unsigned act@ = what to do with matching addresses
 *		@struct in_addr addr, mask@ = address and mask to match
 *
 * Returns:	---
 *
 * Use:		Adds a host-authentication entry to the end of an access
 *		control list.
 */

static int acl_checkhost(void *aa, struct in_addr addr, unsigned port)
{
  acl_host *a = aa;
  return ((addr.s_addr & a->mask.s_addr) == a->addr.s_addr);
}

static void acl_dumphost(void *aa, FILE *fp)
{
  acl_host *a = aa;
  
  fputs("from ", fp);
  fputs(inet_ntoa(a->addr), fp);
  fputc('/', fp);
  fputs(inet_ntoa(a->mask), fp);
}

static void acl_freehost(void *aa)
{
  acl_host *a = aa;
  DESTROY(a);
}

static const acl_ops acl_hostops = {
  acl_checkhost, acl_dumphost, acl_freehost
};

void acl_addhost(acl_entry ***a, unsigned act,
		 struct in_addr addr, struct in_addr mask)
{
  acl_host *aa = CREATE(acl_host);
  aa->a.next = 0;
  aa->a.ops = &acl_hostops;
  aa->a.act = act;
  aa->addr.s_addr = addr.s_addr & mask.s_addr;
  aa->mask = mask;
  **a = &aa->a;
  *a = &aa->a.next;
}

/* --- @acl_addpriv@ --- *
 *
 * Arguments:	@acl_entry ***a@ = address of pointer to list tail
 *		@unsigned act@ = what to do with matching addresses
 *
 * Returns:	---
 *
 * Use:		Adds a privileged-port check to the end of an access control
 *		list.
 */

static int acl_checkpriv(void *aa, struct in_addr addr, unsigned port)
{
  return (port < 1024);
}

static void acl_dumppriv(void *aa, FILE *fp)
{
  fputs("from privileged ports", fp);
}

static void acl_freepriv(void *aa)
{
  acl_entry *a = aa;
  DESTROY(a);
}

static const acl_ops acl_privops = {
  acl_checkpriv, acl_dumppriv, acl_freepriv
};

void acl_addpriv(acl_entry ***a, unsigned act)
{
  acl_entry *aa = CREATE(acl_entry);
  aa->next = 0;
  aa->ops = &acl_privops;
  aa->act = act;
  **a = aa;
  *a = &aa->next;
}

/* --- @acl_check@ --- *
 *
 * Arguments:	@acl_entry *a@ = pointer to ACL to check against
 *		@struct in_addr addr@ = address to check
 *		@unsigned port@ = port number to check
 *		@int *act@ = verdict (should initially be @ACT_ALLOW@)
 *
 * Returns:	Zero if undecided, nonzero if a rule matched.
 *
 * Use:		Checks an address against an ACL.
 */

int acl_check(acl_entry *a, struct in_addr addr, unsigned port, int *act)
{
  for (; a; a = a->next) {
    if (a->ops->check(a, addr, port)) {
      *act = a->act & ACL_PERM;
      return (1);
    }
    *act = (a->act & ACL_PERM) ^ 1;
  }
  return (0);
}

/* --- @acl_dump@ --- *
 *
 * Arguments:	@acl_entry *a@ = pointer to ACL to dump
 *		@FILE *fp@ = pointer to stream to dump on
 *
 * Returns:	---
 *
 * Use:		Dumps an access control list to an output stream.
 */

void acl_dump(acl_entry *a, FILE *fp)
{
  for (; a; a = a->next) {
    fprintf(fp, "  %s ",
	    (a->act & ACL_PERM) == ACL_ALLOW ? "allow" : "deny");
    a->ops->dump(a, fp);
    fputc('\n', fp);
  }
}

/* --- @acl_free@ --- *
 *
 * Arguments:	@acl_entry *a@ = pointer to a list of ACLs
 *
 * Returns:	---
 *
 * Use:		Frees all of the memory used by an ACL.
 */

void acl_free(acl_entry *a)
{
  while (a) {
    acl_entry *aa = a;
    a = a->next;
    aa->ops->free(aa);
  }
}

/*----- That's all, folks -------------------------------------------------*/
Commit	Line	Data
e82f7154	1	/* --c--
e82f7154	2	*
e82f7154	3	* Access control list handling
e82f7154	4	*
e5398e09	5	* (c) 1999 Straylight/Edgeware
e82f7154	6	*/
	7
	8	/----- Licensing notice --------------------------------------------------
	9	*
	10	* This file is part of the `fw' port forwarder.
	11	*
	12	* `fw' is free software; you can redistribute it and/or modify
	13	* it under the terms of the GNU General Public License as published by
	14	* the Free Software Foundation; either version 2 of the License, or
	15	* (at your option) any later version.
	16	*
	17	* `fw' is distributed in the hope that it will be useful,
	18	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	19	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	20	* GNU General Public License for more details.
	21	*
	22	* You should have received a copy of the GNU General Public License
	23	* along with `fw'; if not, write to the Free Software Foundation,
	24	* Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	25	*/
	26
e82f7154	27	/----- Header files ------------------------------------------------------/
	28
	29	#include "config.h"
	30
	31	#include <errno.h>
	32	#include <stdio.h>
	33	#include <stdlib.h>
	34	#include <string.h>
	35
e0ce9d38	36	#include <sys/types.h>
	37	#include <unistd.h>
	38
e82f7154	39	#include <sys/socket.h>
	40	#include <netinet/in.h>
	41	#include <arpa/inet.h>
	42	#include <netdb.h>
	43
	44	#include <mLib/sub.h>
	45
	46	#include "acl.h"
	47
0ac54f22	48	/----- Main code ---------------------------------------------------------/
	49
	50	/* --- @acl_addhost@ --- *
	51	*
	52	* Arguments: @acl_entry ***a@ = address of pointer to list tail
	53	* @unsigned act@ = what to do with matching addresses
	54	* @struct in_addr addr, mask@ = address and mask to match
	55	*
	56	* Returns: ---
	57	*
	58	* Use: Adds a host-authentication entry to the end of an access
	59	* control list.
	60	*/
	61
	62	static int acl_checkhost(void *aa, struct in_addr addr, unsigned port)
	63	{
	64	acl_host *a = aa;
	65	return ((addr.s_addr & a->mask.s_addr) == a->addr.s_addr);
	66	}
e82f7154	67
0ac54f22	68	static void acl_dumphost(void aa, FILE fp)
	69	{
	70	acl_host *a = aa;
	71
	72	fputs("from ", fp);
	73	fputs(inet_ntoa(a->addr), fp);
	74	fputc('/', fp);
	75	fputs(inet_ntoa(a->mask), fp);
	76	}
e82f7154	77
0ac54f22	78	static void acl_freehost(void *aa)
	79	{
	80	acl_host *a = aa;
	81	DESTROY(a);
	82	}
	83
	84	static const acl_ops acl_hostops = {
	85	acl_checkhost, acl_dumphost, acl_freehost
	86	};
	87
	88	void acl_addhost(acl_entry ***a, unsigned act,
	89	struct in_addr addr, struct in_addr mask)
	90	{
	91	acl_host *aa = CREATE(acl_host);
	92	aa->a.next = 0;
	93	aa->a.ops = &acl_hostops;
	94	aa->a.act = act;
	95	aa->addr.s_addr = addr.s_addr & mask.s_addr;
	96	aa->mask = mask;
	97	**a = &aa->a;
	98	*a = &aa->a.next;
	99	}
	100
	101	/* --- @acl_addpriv@ --- *
	102	*
	103	* Arguments: @acl_entry ***a@ = address of pointer to list tail
	104	* @unsigned act@ = what to do with matching addresses
	105	*
	106	* Returns: ---
	107	*
	108	* Use: Adds a privileged-port check to the end of an access control
	109	* list.
	110	*/
	111
	112	static int acl_checkpriv(void *aa, struct in_addr addr, unsigned port)
	113	{
	114	return (port < 1024);
	115	}
	116
	117	static void acl_dumppriv(void aa, FILE fp)
	118	{
	119	fputs("from privileged ports", fp);
	120	}
	121
	122	static void acl_freepriv(void *aa)
	123	{
	124	acl_entry *a = aa;
	125	DESTROY(a);
	126	}
	127
	128	static const acl_ops acl_privops = {
	129	acl_checkpriv, acl_dumppriv, acl_freepriv
	130	};
	131
	132	void acl_addpriv(acl_entry ***a, unsigned act)
	133	{
	134	acl_entry *aa = CREATE(acl_entry);
	135	aa->next = 0;
	136	aa->ops = &acl_privops;
	137	aa->act = act;
	138	**a = aa;
	139	*a = &aa->next;
	140	}
e82f7154	141
	142	/* --- @acl_check@ --- *
	143	*
	144	* Arguments: @acl_entry *a@ = pointer to ACL to check against
	145	* @struct in_addr addr@ = address to check
0ac54f22	146	* @unsigned port@ = port number to check
0ac54f22	147	* @int *act@ = verdict (should initially be @ACT_ALLOW@)
e82f7154	148	*
0ac54f22	149	* Returns: Zero if undecided, nonzero if a rule matched.
e82f7154	150	*
	151	* Use: Checks an address against an ACL.
	152	*/
	153
0ac54f22	154	int acl_check(acl_entry a, struct in_addr addr, unsigned port, int act)
e82f7154	155	{
0ac54f22	156	for (; a; a = a->next) {
	157	if (a->ops->check(a, addr, port)) {
	158	*act = a->act & ACL_PERM;
	159	return (1);
e82f7154	160	}
0ac54f22	161	*act = (a->act & ACL_PERM) ^ 1;
e82f7154	162	}
0ac54f22	163	return (0);
e82f7154	164	}
	165
	166	/* --- @acl_dump@ --- *
	167	*
	168	* Arguments: @acl_entry *a@ = pointer to ACL to dump
	169	* @FILE *fp@ = pointer to stream to dump on
	170	*
	171	* Returns: ---
	172	*
	173	* Use: Dumps an access control list to an output stream.
	174	*/
	175
	176	void acl_dump(acl_entry a, FILE fp)
	177	{
e82f7154	178	for (; a; a = a->next) {
0ac54f22	179	fprintf(fp, " %s ",
e82f7154	180	(a->act & ACL_PERM) == ACL_ALLOW ? "allow" : "deny");
0ac54f22	181	a->ops->dump(a, fp);
e82f7154	182	fputc('\n', fp);
	183	}
	184	}
	185
e5398e09	186	/* --- @acl_free@ --- *
	187	*
	188	* Arguments: @acl_entry *a@ = pointer to a list of ACLs
	189	*
	190	* Returns: ---
	191	*
	192	* Use: Frees all of the memory used by an ACL.
	193	*/
	194
	195	void acl_free(acl_entry *a)
	196	{
	197	while (a) {
	198	acl_entry *aa = a;
	199	a = a->next;
0ac54f22	200	aa->ops->free(aa);
e5398e09	201	}
	202	}
	203
e82f7154	204	/----- That's all, folks -------------------------------------------------/