e82f7154 |
1 | /* -*-c-*- |
2 | * |
e82f7154 |
3 | * Access control list handling |
4 | * |
e5398e09 |
5 | * (c) 1999 Straylight/Edgeware |
e82f7154 |
6 | */ |
7 | |
206212ca |
8 | /*----- Licensing notice --------------------------------------------------* |
e82f7154 |
9 | * |
9155ea97 |
10 | * This file is part of the `fwd' port forwarder. |
e82f7154 |
11 | * |
9155ea97 |
12 | * `fwd' is free software; you can redistribute it and/or modify |
e82f7154 |
13 | * it under the terms of the GNU General Public License as published by |
14 | * the Free Software Foundation; either version 2 of the License, or |
15 | * (at your option) any later version. |
206212ca |
16 | * |
9155ea97 |
17 | * `fwd' is distributed in the hope that it will be useful, |
e82f7154 |
18 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
19 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
20 | * GNU General Public License for more details. |
206212ca |
21 | * |
e82f7154 |
22 | * You should have received a copy of the GNU General Public License |
9155ea97 |
23 | * along with `fwd'; if not, write to the Free Software Foundation, |
e82f7154 |
24 | * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
25 | */ |
26 | |
9155ea97 |
27 | #include "fwd.h" |
e82f7154 |
28 | |
0ac54f22 |
29 | /*----- Main code ---------------------------------------------------------*/ |
30 | |
31 | /* --- @acl_addhost@ --- * |
32 | * |
33 | * Arguments: @acl_entry ***a@ = address of pointer to list tail |
34 | * @unsigned act@ = what to do with matching addresses |
35 | * @struct in_addr addr, mask@ = address and mask to match |
36 | * |
37 | * Returns: --- |
38 | * |
39 | * Use: Adds a host-authentication entry to the end of an access |
40 | * control list. |
41 | */ |
42 | |
43 | static int acl_checkhost(void *aa, struct in_addr addr, unsigned port) |
44 | { |
45 | acl_host *a = aa; |
46 | return ((addr.s_addr & a->mask.s_addr) == a->addr.s_addr); |
47 | } |
e82f7154 |
48 | |
0ac54f22 |
49 | static void acl_dumphost(void *aa, FILE *fp) |
50 | { |
51 | acl_host *a = aa; |
206212ca |
52 | |
0ac54f22 |
53 | fputs("from ", fp); |
54 | fputs(inet_ntoa(a->addr), fp); |
55 | fputc('/', fp); |
56 | fputs(inet_ntoa(a->mask), fp); |
57 | } |
e82f7154 |
58 | |
0ac54f22 |
59 | static void acl_freehost(void *aa) |
60 | { |
61 | acl_host *a = aa; |
62 | DESTROY(a); |
63 | } |
64 | |
65 | static const acl_ops acl_hostops = { |
66 | acl_checkhost, acl_dumphost, acl_freehost |
67 | }; |
68 | |
69 | void acl_addhost(acl_entry ***a, unsigned act, |
70 | struct in_addr addr, struct in_addr mask) |
71 | { |
72 | acl_host *aa = CREATE(acl_host); |
73 | aa->a.next = 0; |
74 | aa->a.ops = &acl_hostops; |
75 | aa->a.act = act; |
76 | aa->addr.s_addr = addr.s_addr & mask.s_addr; |
77 | aa->mask = mask; |
78 | **a = &aa->a; |
79 | *a = &aa->a.next; |
80 | } |
81 | |
82 | /* --- @acl_addpriv@ --- * |
83 | * |
84 | * Arguments: @acl_entry ***a@ = address of pointer to list tail |
85 | * @unsigned act@ = what to do with matching addresses |
86 | * |
87 | * Returns: --- |
88 | * |
89 | * Use: Adds a privileged-port check to the end of an access control |
90 | * list. |
91 | */ |
92 | |
93 | static int acl_checkpriv(void *aa, struct in_addr addr, unsigned port) |
94 | { |
95 | return (port < 1024); |
96 | } |
97 | |
98 | static void acl_dumppriv(void *aa, FILE *fp) |
99 | { |
100 | fputs("from privileged ports", fp); |
101 | } |
102 | |
103 | static void acl_freepriv(void *aa) |
104 | { |
105 | acl_entry *a = aa; |
106 | DESTROY(a); |
107 | } |
108 | |
109 | static const acl_ops acl_privops = { |
110 | acl_checkpriv, acl_dumppriv, acl_freepriv |
111 | }; |
112 | |
113 | void acl_addpriv(acl_entry ***a, unsigned act) |
114 | { |
115 | acl_entry *aa = CREATE(acl_entry); |
116 | aa->next = 0; |
117 | aa->ops = &acl_privops; |
118 | aa->act = act; |
119 | **a = aa; |
120 | *a = &aa->next; |
121 | } |
e82f7154 |
122 | |
123 | /* --- @acl_check@ --- * |
124 | * |
125 | * Arguments: @acl_entry *a@ = pointer to ACL to check against |
126 | * @struct in_addr addr@ = address to check |
0ac54f22 |
127 | * @unsigned port@ = port number to check |
128 | * @int *act@ = verdict (should initially be @ACT_ALLOW@) |
e82f7154 |
129 | * |
0ac54f22 |
130 | * Returns: Zero if undecided, nonzero if a rule matched. |
e82f7154 |
131 | * |
132 | * Use: Checks an address against an ACL. |
133 | */ |
134 | |
0ac54f22 |
135 | int acl_check(acl_entry *a, struct in_addr addr, unsigned port, int *act) |
e82f7154 |
136 | { |
0ac54f22 |
137 | for (; a; a = a->next) { |
138 | if (a->ops->check(a, addr, port)) { |
139 | *act = a->act & ACL_PERM; |
140 | return (1); |
e82f7154 |
141 | } |
0ac54f22 |
142 | *act = (a->act & ACL_PERM) ^ 1; |
e82f7154 |
143 | } |
0ac54f22 |
144 | return (0); |
e82f7154 |
145 | } |
146 | |
147 | /* --- @acl_dump@ --- * |
148 | * |
149 | * Arguments: @acl_entry *a@ = pointer to ACL to dump |
150 | * @FILE *fp@ = pointer to stream to dump on |
151 | * |
152 | * Returns: --- |
153 | * |
154 | * Use: Dumps an access control list to an output stream. |
155 | */ |
156 | |
157 | void acl_dump(acl_entry *a, FILE *fp) |
158 | { |
e82f7154 |
159 | for (; a; a = a->next) { |
0ac54f22 |
160 | fprintf(fp, " %s ", |
e82f7154 |
161 | (a->act & ACL_PERM) == ACL_ALLOW ? "allow" : "deny"); |
0ac54f22 |
162 | a->ops->dump(a, fp); |
e82f7154 |
163 | fputc('\n', fp); |
164 | } |
165 | } |
166 | |
e5398e09 |
167 | /* --- @acl_free@ --- * |
168 | * |
169 | * Arguments: @acl_entry *a@ = pointer to a list of ACLs |
170 | * |
171 | * Returns: --- |
172 | * |
173 | * Use: Frees all of the memory used by an ACL. |
174 | */ |
175 | |
176 | void acl_free(acl_entry *a) |
177 | { |
178 | while (a) { |
179 | acl_entry *aa = a; |
180 | a = a->next; |
0ac54f22 |
181 | aa->ops->free(aa); |
e5398e09 |
182 | } |
183 | } |
184 | |
e82f7154 |
185 | /*----- That's all, folks -------------------------------------------------*/ |