+static int filt;
+static int find_access_list(char const *name)
+{
+ int i;
+
+ for (i = 0; i < MAXFILTER; i++)
+ if (!(*ip_filters[i].name && strcmp(ip_filters[i].name, name)))
+ return i;
+
+ return -1;
+}
+
+static int access_list(struct cli_def *cli, char **argv, int argc, int add)
+{
+ int extended;
+
+ if (CLI_HELP_REQUESTED)
+ {
+ switch (argc)
+ {
+ case 1:
+ return cli_arg_help(cli, 0,
+ "standard", "Standard syntax",
+ "extended", "Extended syntax",
+ NULL);
+
+ case 2:
+ return cli_arg_help(cli, argv[1][1],
+ "NAME", "Access-list name",
+ NULL);
+
+ default:
+ if (argc == 3 && !argv[2][1])
+ return cli_arg_help(cli, 1, NULL);
+
+ return CLI_OK;
+ }
+ }
+
+ if (argc != 2)
+ {
+ cli_error(cli, "Specify access-list type and name");
+ return CLI_OK;
+ }
+
+ if (MATCH("standard", argv[0]))
+ extended = 0;
+ else if (MATCH("extended", argv[0]))
+ extended = 1;
+ else
+ {
+ cli_error(cli, "Invalid access-list type");
+ return CLI_OK;
+ }
+
+ if (strlen(argv[1]) > sizeof(ip_filters[0].name) - 1 ||
+ strspn(argv[1], "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-") != strlen(argv[1]))
+ {
+ cli_error(cli, "Invalid access-list name");
+ return CLI_OK;
+ }
+
+ filt = find_access_list(argv[1]);
+ if (add)
+ {
+ if (filt < 0)
+ {
+ cli_error(cli, "Too many access-lists");
+ return CLI_OK;
+ }
+
+ // racy
+ if (!*ip_filters[filt].name)
+ {
+ memset(&ip_filters[filt], 0, sizeof(ip_filters[filt]));
+ strcpy(ip_filters[filt].name, argv[1]);
+ ip_filters[filt].extended = extended;
+ }
+ else if (ip_filters[filt].extended != extended)
+ {
+ cli_error(cli, "Access-list is %s",
+ ip_filters[filt].extended ? "extended" : "standard");
+
+ return CLI_OK;
+ }
+
+ cli_set_configmode(cli, MODE_CONFIG_NACL, extended ? "ext-nacl" : "std-nacl");
+ return CLI_OK;
+ }
+
+ if (filt < 0 || !*ip_filters[filt].name)
+ {
+ cli_error(cli, "Access-list not defined");
+ return CLI_OK;
+ }
+
+ // racy
+ if (ip_filters[filt].used)
+ {
+ cli_error(cli, "Access-list in use");
+ return CLI_OK;
+ }
+
+ memset(&ip_filters[filt], 0, sizeof(ip_filters[filt]));
+ return CLI_OK;
+}
+
+static int cmd_ip_access_list(struct cli_def *cli, char *command, char **argv, int argc)
+{
+ return access_list(cli, argv, argc, 1);
+}
+
+static int cmd_no_ip_access_list(struct cli_def *cli, char *command, char **argv, int argc)
+{
+ return access_list(cli, argv, argc, 0);
+}
+
+static int show_ip_wild(char *buf, in_addr_t ip, in_addr_t wild)
+{
+ if (ip == INADDR_ANY && wild == INADDR_BROADCAST)
+ return sprintf(buf, " any");
+
+ if (wild == INADDR_ANY)
+ return sprintf(buf, " host %s", fmtaddr(ip, 0));
+
+ return sprintf(buf, " %s %s", fmtaddr(ip, 0), fmtaddr(wild, 1));
+}
+
+static int show_ports(char *buf, ip_filter_portt *ports)
+{
+ switch (ports->op)
+ {
+ case FILTER_PORT_OP_EQ: return sprintf(buf, " eq %u", ports->port);
+ case FILTER_PORT_OP_NEQ: return sprintf(buf, " neq %u", ports->port);
+ case FILTER_PORT_OP_GT: return sprintf(buf, " gt %u", ports->port);
+ case FILTER_PORT_OP_LT: return sprintf(buf, " lt %u", ports->port);
+ case FILTER_PORT_OP_RANGE: return sprintf(buf, " range %u %u", ports->port, ports->port2);
+ }
+
+ return 0;
+}
+
+static char const *show_access_list_rule(int extended, ip_filter_rulet *rule)
+{
+ static char buf[256];
+ char *p = buf;
+
+ p += sprintf(p, " %s", rule->action == FILTER_ACTION_PERMIT ? "permit" : "deny");
+ if (extended)
+ {
+ struct protoent *proto = getprotobynumber(rule->proto);
+ p += sprintf(p, " %s", proto ? proto->p_name : "ERR");
+ }
+
+ p += show_ip_wild(p, rule->src_ip, rule->src_wild);
+ if (!extended)
+ return buf;
+
+ if (rule->proto == IPPROTO_TCP || rule->proto == IPPROTO_UDP)
+ p += show_ports(p, &rule->src_ports);
+
+ p += show_ip_wild(p, rule->dst_ip, rule->dst_wild);
+ if (rule->proto == IPPROTO_TCP || rule->proto == IPPROTO_UDP)
+ p += show_ports(p, &rule->dst_ports);
+
+ if (rule->proto == IPPROTO_TCP && rule->tcp_flag_op)
+ {
+ switch (rule->tcp_flag_op)
+ {
+ case FILTER_FLAG_OP_EST:
+ p += sprintf(p, " established");
+ break;
+
+ case FILTER_FLAG_OP_ANY:
+ case FILTER_FLAG_OP_ALL:
+ p += sprintf(p, " match-%s", rule->tcp_flag_op == FILTER_FLAG_OP_ALL ? "all" : "any");
+ if (rule->tcp_sflags & TCP_FLAG_FIN) p += sprintf(p, " +fin");
+ if (rule->tcp_cflags & TCP_FLAG_FIN) p += sprintf(p, " -fin");
+ if (rule->tcp_sflags & TCP_FLAG_SYN) p += sprintf(p, " +syn");
+ if (rule->tcp_cflags & TCP_FLAG_SYN) p += sprintf(p, " -syn");
+ if (rule->tcp_sflags & TCP_FLAG_RST) p += sprintf(p, " +rst");
+ if (rule->tcp_cflags & TCP_FLAG_RST) p += sprintf(p, " -rst");
+ if (rule->tcp_sflags & TCP_FLAG_PSH) p += sprintf(p, " +psh");
+ if (rule->tcp_cflags & TCP_FLAG_PSH) p += sprintf(p, " -psh");
+ if (rule->tcp_sflags & TCP_FLAG_ACK) p += sprintf(p, " +ack");
+ if (rule->tcp_cflags & TCP_FLAG_ACK) p += sprintf(p, " -ack");
+ if (rule->tcp_sflags & TCP_FLAG_URG) p += sprintf(p, " +urg");
+ if (rule->tcp_cflags & TCP_FLAG_URG) p += sprintf(p, " -urg");
+ break;
+ }
+ }
+
+ if (rule->frag)
+ p += sprintf(p, " fragments");
+
+ return buf;
+}
+
+static ip_filter_rulet *access_list_rule_ext(struct cli_def *cli, char *command, char **argv, int argc)
+{
+ static ip_filter_rulet rule;
+ struct in_addr addr;
+ int i;
+ int a;
+
+ if (CLI_HELP_REQUESTED)
+ {
+ if (argc == 1)
+ {
+ cli_arg_help(cli, 0,
+ "ip", "Match IP packets",
+ "tcp", "Match TCP packets",
+ "udp", "Match UDP packets",
+ NULL);
+
+ return NULL;
+ }
+
+ // *sigh*, too darned complex
+ cli_arg_help(cli, 0, "RULE", "SOURCE [PORTS] DEST [PORTS] FLAGS", NULL);
+ return NULL;
+ }
+
+ if (argc < 3)
+ {
+ cli_error(cli, "Specify rule details");
+ return NULL;
+ }
+
+ memset(&rule, 0, sizeof(rule));
+ rule.action = (command[0] == 'p')
+ ? FILTER_ACTION_PERMIT
+ : FILTER_ACTION_DENY;
+
+ if (MATCH("ip", argv[0]))
+ rule.proto = IPPROTO_IP;
+ else if (MATCH("udp", argv[0]))
+ rule.proto = IPPROTO_UDP;
+ else if (MATCH("tcp", argv[0]))
+ rule.proto = IPPROTO_TCP;
+ else
+ {
+ cli_error(cli, "Invalid protocol \"%s\"", argv[0]);
+ return NULL;
+ }
+
+ for (a = 1, i = 0; i < 2; i++)
+ {
+ in_addr_t *ip;
+ in_addr_t *wild;
+ ip_filter_portt *port;
+
+ if (i == 0)
+ {
+ ip = &rule.src_ip;
+ wild = &rule.src_wild;
+ port = &rule.src_ports;
+ }
+ else
+ {
+ ip = &rule.dst_ip;
+ wild = &rule.dst_wild;
+ port = &rule.dst_ports;
+ if (a >= argc)
+ {
+ cli_error(cli, "Specify destination");
+ return NULL;
+ }
+ }
+
+ if (MATCH("any", argv[a]))
+ {
+ *ip = INADDR_ANY;
+ *wild = INADDR_BROADCAST;
+ a++;
+ }
+ else if (MATCH("host", argv[a]))
+ {
+ if (++a >= argc)
+ {
+ cli_error(cli, "Specify host ip address");
+ return NULL;
+ }
+
+ if (!inet_aton(argv[a], &addr))
+ {
+ cli_error(cli, "Cannot parse IP \"%s\"", argv[a]);
+ return NULL;
+ }
+
+ *ip = addr.s_addr;
+ *wild = INADDR_ANY;
+ a++;
+ }
+ else
+ {
+ if (a >= argc - 1)
+ {
+ cli_error(cli, "Specify %s ip address and wildcard", i ? "destination" : "source");
+ return NULL;
+ }
+
+ if (!inet_aton(argv[a], &addr))
+ {
+ cli_error(cli, "Cannot parse IP \"%s\"", argv[a]);
+ return NULL;
+ }
+
+ *ip = addr.s_addr;
+
+ if (!inet_aton(argv[++a], &addr))
+ {
+ cli_error(cli, "Cannot parse IP \"%s\"", argv[a]);
+ return NULL;
+ }
+
+ *wild = addr.s_addr;
+ a++;
+ }
+
+ if (rule.proto == IPPROTO_IP || a >= argc)
+ continue;
+
+ port->op = 0;
+ if (MATCH("eq", argv[a]))
+ port->op = FILTER_PORT_OP_EQ;
+ else if (MATCH("neq", argv[a]))
+ port->op = FILTER_PORT_OP_NEQ;
+ else if (MATCH("gt", argv[a]))
+ port->op = FILTER_PORT_OP_GT;
+ else if (MATCH("lt", argv[a]))
+ port->op = FILTER_PORT_OP_LT;
+ else if (MATCH("range", argv[a]))
+ port->op = FILTER_PORT_OP_RANGE;
+
+ if (!port->op)
+ continue;
+
+ if (++a >= argc)
+ {
+ cli_error(cli, "Specify port");
+ return NULL;
+ }
+
+ if (!(port->port = atoi(argv[a])))
+ {
+ cli_error(cli, "Invalid port \"%s\"", argv[a]);
+ return NULL;
+ }
+
+ a++;
+ if (port->op != FILTER_PORT_OP_RANGE)
+ continue;
+
+ if (a >= argc)
+ {
+ cli_error(cli, "Specify port");
+ return NULL;
+ }
+
+ if (!(port->port2 = atoi(argv[a])) || port->port2 < port->port)
+ {
+ cli_error(cli, "Invalid port \"%s\"", argv[a]);
+ return NULL;
+ }
+
+ a++;
+ }
+
+ if (rule.proto == IPPROTO_TCP && a < argc)
+ {
+ if (MATCH("established", argv[a]))
+ {
+ rule.tcp_flag_op = FILTER_FLAG_OP_EST;
+ a++;
+ }
+ else if (!strcmp(argv[a], "match-any") || !strcmp(argv[a], "match-an") ||
+ !strcmp(argv[a], "match-all") || !strcmp(argv[a], "match-al"))
+ {
+ rule.tcp_flag_op = argv[a][7] == 'n'
+ ? FILTER_FLAG_OP_ANY
+ : FILTER_FLAG_OP_ALL;
+
+ if (++a >= argc)
+ {
+ cli_error(cli, "Specify tcp flags");
+ return NULL;
+ }
+
+ while (a < argc && (argv[a][0] == '+' || argv[a][0] == '-'))
+ {
+ uint8_t *f;
+
+ f = (argv[a][0] == '+') ? &rule.tcp_sflags : &rule.tcp_cflags;
+
+ if (MATCH("fin", &argv[a][1])) *f |= TCP_FLAG_FIN;
+ else if (MATCH("syn", &argv[a][1])) *f |= TCP_FLAG_SYN;
+ else if (MATCH("rst", &argv[a][1])) *f |= TCP_FLAG_RST;
+ else if (MATCH("psh", &argv[a][1])) *f |= TCP_FLAG_PSH;
+ else if (MATCH("ack", &argv[a][1])) *f |= TCP_FLAG_ACK;
+ else if (MATCH("urg", &argv[a][1])) *f |= TCP_FLAG_URG;
+ else
+ {
+ cli_error(cli, "Invalid tcp flag \"%s\"", argv[a]);
+ return NULL;
+ }
+
+ a++;
+ }
+ }
+ }
+
+ if (a < argc && MATCH("fragments", argv[a]))
+ {
+ if (rule.src_ports.op || rule.dst_ports.op || rule.tcp_flag_op)
+ {
+ cli_error(cli, "Can't specify \"fragments\" on rules with layer 4 matches");
+ return NULL;
+ }
+
+ rule.frag = 1;
+ a++;
+ }
+
+ if (a < argc)
+ {
+ cli_error(cli, "Invalid flag \"%s\"", argv[a]);
+ return NULL;
+ }
+
+ return &rule;
+}
+
+static ip_filter_rulet *access_list_rule_std(struct cli_def *cli, char *command, char **argv, int argc)
+{
+ static ip_filter_rulet rule;
+ struct in_addr addr;
+
+ if (CLI_HELP_REQUESTED)
+ {
+ if (argc == 1)
+ {
+ cli_arg_help(cli, argv[0][1],
+ "A.B.C.D", "Source address",
+ "any", "Any source address",
+ "host", "Source host",
+ NULL);
+
+ return NULL;
+ }
+
+ if (MATCH("any", argv[0]))
+ {
+ if (argc == 2 && !argv[1][1])
+ cli_arg_help(cli, 1, NULL);
+ }
+ else if (MATCH("host", argv[0]))
+ {
+ if (argc == 2)
+ {
+ cli_arg_help(cli, argv[1][1],
+ "A.B.C.D", "Host address",
+ NULL);
+ }
+ else if (argc == 3 && !argv[2][1])
+ cli_arg_help(cli, 1, NULL);
+ }
+ else
+ {
+ if (argc == 2)
+ {
+ cli_arg_help(cli, 1,
+ "A.B.C.D", "Wildcard bits",
+ NULL);
+ }
+ else if (argc == 3 && !argv[2][1])
+ cli_arg_help(cli, 1, NULL);
+ }
+
+ return NULL;
+ }
+
+ if (argc < 1)
+ {
+ cli_error(cli, "Specify rule details");
+ return NULL;
+ }
+
+ memset(&rule, 0, sizeof(rule));
+ rule.action = (command[0] == 'p')
+ ? FILTER_ACTION_PERMIT
+ : FILTER_ACTION_DENY;
+
+ rule.proto = IPPROTO_IP;
+ if (MATCH("any", argv[0]))
+ {
+ rule.src_ip = INADDR_ANY;
+ rule.src_wild = INADDR_BROADCAST;
+ }
+ else if (MATCH("host", argv[0]))
+ {
+ if (argc != 2)
+ {
+ cli_error(cli, "Specify host ip address");
+ return NULL;
+ }
+
+ if (!inet_aton(argv[1], &addr))
+ {
+ cli_error(cli, "Cannot parse IP \"%s\"", argv[1]);
+ return NULL;
+ }
+
+ rule.src_ip = addr.s_addr;
+ rule.src_wild = INADDR_ANY;
+ }
+ else
+ {
+ if (argc > 2)
+ {
+ cli_error(cli, "Specify source ip address and wildcard");
+ return NULL;
+ }
+
+ if (!inet_aton(argv[0], &addr))
+ {
+ cli_error(cli, "Cannot parse IP \"%s\"", argv[0]);
+ return NULL;
+ }
+
+ rule.src_ip = addr.s_addr;
+
+ if (argc > 1)
+ {
+ if (!inet_aton(argv[1], &addr))
+ {
+ cli_error(cli, "Cannot parse IP \"%s\"", argv[1]);
+ return NULL;
+ }
+
+ rule.src_wild = addr.s_addr;
+ }
+ else
+ rule.src_wild = INADDR_ANY;
+ }
+
+ return &rule;
+}
+
+static int cmd_ip_access_list_rule(struct cli_def *cli, char *command, char **argv, int argc)
+{
+ int i;
+ ip_filter_rulet *rule = ip_filters[filt].extended
+ ? access_list_rule_ext(cli, command, argv, argc)
+ : access_list_rule_std(cli, command, argv, argc);
+
+ if (!rule)
+ return CLI_OK;
+
+ for (i = 0; i < MAXFILTER_RULES - 1; i++) // -1: list always terminated by empty rule
+ {
+ if (!ip_filters[filt].rules[i].action)
+ {
+ memcpy(&ip_filters[filt].rules[i], rule, sizeof(*rule));
+ return CLI_OK;
+ }
+
+ if (!memcmp(&ip_filters[filt].rules[i], rule, sizeof(*rule)))
+ return CLI_OK;
+ }
+
+ cli_error(cli, "Too many rules");
+ return CLI_OK;
+}
+
+static int cmd_filter(struct cli_def *cli, char *command, char **argv, int argc)
+{
+ sessionidt s;
+ int i;
+
+ /* filter USER {in|out} FILTER ... */
+ if (CLI_HELP_REQUESTED)
+ {
+ switch (argc)
+ {
+ case 1:
+ return cli_arg_help(cli, 0,
+ "USER", "Username of session to filter", NULL);
+
+ case 2:
+ case 4:
+ return cli_arg_help(cli, 0,
+ "in", "Set incoming filter",
+ "out", "Set outgoing filter", NULL);
+
+ case 3:
+ case 5:
+ return cli_arg_help(cli, argc == 5 && argv[4][1],
+ "NAME", "Filter name", NULL);
+
+ default:
+ return cli_arg_help(cli, argc > 1, NULL);
+ }
+ }
+
+ if (!config->cluster_iam_master)
+ {
+ cli_error(cli, "Can't do this on a slave. Do it on %s",
+ fmtaddr(config->cluster_master_address, 0));
+
+ return CLI_OK;
+ }
+
+ if (argc != 3 && argc != 5)
+ {
+ cli_error(cli, "Specify a user and filters");
+ return CLI_OK;
+ }
+
+ if (!(s = sessionbyuser(argv[0])))
+ {
+ cli_error(cli, "User %s is not connected", argv[0]);
+ return CLI_OK;
+ }
+
+ cli_session_actions[s].filter_in = cli_session_actions[s].filter_out = -1;
+ for (i = 1; i < argc; i += 2)
+ {
+ int *f = 0;
+ int v;
+
+ if (MATCH("in", argv[i]))
+ {
+ if (session[s].filter_in)
+ {
+ cli_error(cli, "Input already filtered");
+ return CLI_OK;
+ }
+ f = &cli_session_actions[s].filter_in;
+ }
+ else if (MATCH("out", argv[i]))
+ {
+ if (session[s].filter_out)
+ {
+ cli_error(cli, "Output already filtered");
+ return CLI_OK;
+ }
+ f = &cli_session_actions[s].filter_out;
+ }
+ else
+ {
+ cli_error(cli, "Invalid filter specification");
+ return CLI_OK;
+ }
+
+ v = find_access_list(argv[i+1]);
+ if (v < 0 || !*ip_filters[v].name)
+ {
+ cli_error(cli, "Access-list %s not defined", argv[i+1]);
+ return CLI_OK;
+ }
+
+ *f = v + 1;
+ }
+
+ cli_print(cli, "Filtering user %s", argv[0]);
+ cli_session_actions[s].action |= CLI_SESS_FILTER;
+
+ return CLI_OK;
+}
+
+static int cmd_no_filter(struct cli_def *cli, char *command, char **argv, int argc)
+{
+ int i;
+ sessionidt s;
+
+ if (CLI_HELP_REQUESTED)
+ return cli_arg_help(cli, argc > 1,
+ "USER", "Username of session to remove filters from", NULL);
+
+ if (!config->cluster_iam_master)
+ {
+ cli_error(cli, "Can't do this on a slave. Do it on %s",
+ fmtaddr(config->cluster_master_address, 0));
+
+ return CLI_OK;
+ }
+
+ if (!argc)
+ {
+ cli_error(cli, "Specify a user to remove filters from");
+ return CLI_OK;
+ }
+
+ for (i = 0; i < argc; i++)
+ {
+ if (!(s = sessionbyuser(argv[i])))
+ {
+ cli_error(cli, "User %s is not connected", argv[i]);
+ continue;
+ }
+
+ if (session[s].filter_in || session[s].filter_out)
+ {
+ cli_print(cli, "Removing filters from user %s", argv[i]);
+ cli_session_actions[s].action |= CLI_SESS_NOFILTER;
+ }
+ else
+ {
+ cli_error(cli, "User %s not filtered", argv[i]);
+ }
+ }
+
+ return CLI_OK;
+}
+
+static int cmd_show_access_list(struct cli_def *cli, char *command, char **argv, int argc)
+{
+ int i;
+
+ if (CLI_HELP_REQUESTED)
+ return cli_arg_help(cli, argc > 1, "NAME", "Filter name", NULL);
+
+ if (argc < 1)
+ {
+ cli_error(cli, "Specify a filter name");
+ return CLI_OK;
+ }
+
+ for (i = 0; i < argc; i++)
+ {
+ int f = find_access_list(argv[i]);
+ ip_filter_rulet *rules;
+
+ if (f < 0 || !*ip_filters[f].name)
+ {
+ cli_error(cli, "Access-list %s not defined", argv[i]);
+ return CLI_OK;
+ }
+
+ if (i)
+ cli_print(cli, "");
+
+ cli_print(cli, "%s IP access list %s",
+ ip_filters[f].extended ? "Extended" : "Standard",
+ ip_filters[f].name);
+
+ for (rules = ip_filters[f].rules; rules->action; rules++)
+ {
+ char const *r = show_access_list_rule(ip_filters[f].extended, rules);
+ if (rules->counter)
+ cli_print(cli, "%s (%d match%s)", r,
+ rules->counter, rules->counter > 1 ? "es" : "");
+ else
+ cli_print(cli, "%s", r);
+ }
+ }
+
+ return CLI_OK;
+}
+