// Copyright (c) 2002 FireBrick (Andrews & Arnold Ltd / Watchfront Ltd) - GPL licenced
// vim: sw=8 ts=8
-char const *cvs_id_l2tpns = "$Id: l2tpns.c,v 1.56 2004/11/25 02:49:18 bodea Exp $";
+char const *cvs_id_l2tpns = "$Id: l2tpns.c,v 1.59 2004/11/28 20:10:04 bodea Exp $";
#include <arpa/inet.h>
#include <assert.h>
#endif /* BGP */
// Globals
-struct configt *config = NULL; // all configuration
+configt *config = NULL; // all configuration
int tunfd = -1; // tun interface file handle. (network device)
int udpfd = -1; // UDP file handle
int controlfd = -1; // Control signal handle
linked_list *plugins[MAX_PLUGIN_TYPES];
#define membersize(STRUCT, MEMBER) sizeof(((STRUCT *)0)->MEMBER)
-#define CONFIG(NAME, MEMBER, TYPE) { NAME, offsetof(struct configt, MEMBER), membersize(struct configt, MEMBER), TYPE }
+#define CONFIG(NAME, MEMBER, TYPE) { NAME, offsetof(configt, MEMBER), membersize(configt, MEMBER), TYPE }
-struct config_descriptt config_values[] = {
+config_descriptt config_values[] = {
CONFIG("debug", debug, INT),
CONFIG("log_file", log_filename, STRING),
CONFIG("pid_file", pid_file, STRING),
sessioncountt *sess_count = NULL; // Array of partial per-session traffic counters.
radiust *radius = NULL; // Array of radius structures.
ippoolt *ip_address_pool = NULL; // Array of dynamic IP addresses.
+ip_filtert *ip_filters = NULL; // Array of named filters.
static controlt *controlfree = 0;
struct Tstats *_statistics = NULL;
#ifdef RINGBUFFER
t = session[s].tunnel;
sp = &session[s];
+ // run access-list if any
+ if (session[s].filter_out && !ip_filter(buf, len, session[s].filter_out - 1))
+ return;
+
if (sp->tbf_out)
{
// Are we throttling this session?
tunnel[t].controle->next = c;
else
tunnel[t].controls = c;
+
tunnel[t].controle = c;
tunnel[t].controlc++;
+
// send now if space in window
if (tunnel[t].controlc <= tunnel[t].window)
{
}
}
+// add/remove filters from session (-1 = no change)
+void filter_session(sessionidt s, int filter_in, int filter_out)
+{
+ if (!session[s].tunnel)
+ return; // No-one home.
+
+ if (!*session[s].user)
+ return; // User not logged in
+
+ // paranoia
+ if (filter_in > MAXFILTER) filter_in = -1;
+ if (filter_out > MAXFILTER) filter_out = -1;
+ if (session[s].filter_in > MAXFILTER) session[s].filter_in = 0;
+ if (session[s].filter_out > MAXFILTER) session[s].filter_out = 0;
+
+ if (filter_in >= 0)
+ {
+ if (session[s].filter_in)
+ ip_filters[session[s].filter_in - 1].used--;
+
+ if (filter_in > 0)
+ ip_filters[filter_in - 1].used++;
+
+ session[s].filter_in = filter_in;
+ }
+
+ if (filter_out >= 0)
+ {
+ if (session[s].filter_out)
+ ip_filters[session[s].filter_out - 1].used--;
+
+ if (filter_out > 0)
+ ip_filters[filter_out - 1].used++;
+
+ session[s].filter_out = filter_out;
+ }
+}
+
// start tidy shutdown of session
void sessionshutdown(sessionidt s, char *reason)
{
if (!session[s].die)
session[s].die = now() + 150; // Clean up in 15 seconds
+ // update filter refcounts
+ if (session[s].filter_in) ip_filters[session[s].filter_in - 1].used--;
+ if (session[s].filter_out) ip_filters[session[s].filter_out - 1].used--;
+
cluster_send_session(s);
}
STAT(tunnel_rx_errors);
return;
}
- LOG(3, ntohl(addr->sin_addr.s_addr), s, t, "Control message (%d bytes): (unacked %d) l-ns %d l-nr %d r-ns %d r-nr %d\n",
- l, tunnel[t].controlc, tunnel[t].ns, tunnel[t].nr, ns, nr);
- // if no tunnel specified, assign one
- if (!t)
+
+ // check for duplicate tunnel open message
+ if (!t && ns == 0)
{
int i;
tunnel[i].port != ntohs(addr->sin_port) )
continue;
t = i;
+ LOG(3, ntohl(addr->sin_addr.s_addr), s, t, "Duplicate SCCRQ?\n");
break;
}
}
+ LOG(3, ntohl(addr->sin_addr.s_addr), s, t, "Control message (%d bytes): (unacked %d) l-ns %d l-nr %d r-ns %d r-nr %d\n",
+ l, tunnel[t].controlc, tunnel[t].ns, tunnel[t].nr, ns, nr);
+
+ // if no tunnel specified, assign one
if (!t)
{
if (!(t = new_tunnel()))
tunnel[t].ip = ntohl(*(ipt *) & addr->sin_addr);
tunnel[t].port = ntohs(addr->sin_port);
tunnel[t].window = 4; // default window
- LOG(1, ntohl(addr->sin_addr.s_addr), 0, t, " New tunnel from %u.%u.%u.%u/%u ID %d\n", tunnel[t].ip >> 24, tunnel[t].ip >> 16 & 255, tunnel[t].ip >> 8 & 255, tunnel[t].ip & 255, tunnel[t].port, t);
STAT(tunnel_created);
+ LOG(1, ntohl(addr->sin_addr.s_addr), 0, t, " New tunnel from %u.%u.%u.%u/%u ID %d\n",
+ tunnel[t].ip >> 24, tunnel[t].ip >> 16 & 255,
+ tunnel[t].ip >> 8 & 255, tunnel[t].ip & 255, tunnel[t].port, t);
+ }
+
+ // If the 'ns' just received is not the 'nr' we're
+ // expecting, just send an ack and drop it.
+ //
+ // if 'ns' is less, then we got a retransmitted packet.
+ // if 'ns' is greater than missed a packet. Either way
+ // we should ignore it.
+ if (ns != tunnel[t].nr)
+ {
+ // is this the sequence we were expecting?
+ STAT(tunnel_rx_errors);
+ LOG(1, ntohl(addr->sin_addr.s_addr), 0, t, " Out of sequence tunnel %d, (%d is not the expected %d)\n",
+ t, ns, tunnel[t].nr);
+
+ if (l) // Is this not a ZLB?
+ controlnull(t);
+ return;
}
// This is used to time out old tunnels
{
int skip = tunnel[t].window; // track how many in-window packets are still in queue
// some to clear maybe?
- while (tunnel[t].controlc && (((tunnel[t].ns - tunnel[t].controlc) - nr) & 0x8000))
+ while (tunnel[t].controlc > 0 && (((tunnel[t].ns - tunnel[t].controlc) - nr) & 0x8000))
{
controlt *c = tunnel[t].controls;
tunnel[t].controls = c->next;
tunnel[t].try = 0; // we have progress
}
- // If the 'ns' just received is not the 'nr' we're
- // expecting, just send an ack and drop it.
- //
- // if 'ns' is less, then we got a retransmitted packet.
- // if 'ns' is greater than missed a packet. Either way
- // we should ignore it.
- if (ns != tunnel[t].nr)
- {
- // is this the sequence we were expecting?
- LOG(1, ntohl(addr->sin_addr.s_addr), 0, t, " Out of sequence tunnel %d, (%d is not the expected %d)\n", t, ns, tunnel[t].nr);
- STAT(tunnel_rx_errors);
-
- if (l) // Is this not a ZLB?
- controlnull(t);
- return;
- }
// receiver advance (do here so quoted correctly in any sends below)
if (l) tunnel[t].nr = (ns + 1);
if (skip < 0) skip = 0;
send++;
}
+ if (a & CLI_SESS_NOFILTER)
+ {
+ LOG(2, 0, s, session[s].tunnel, "Un-filtering session by CLI\n");
+ filter_session(s, 0, 0);
+ send++;
+ }
+ else if (a & CLI_SESS_FILTER)
+ {
+ LOG(2, 0, s, session[s].tunnel, "Filtering session by CLI (in=%d, out=%d)\n",
+ cli_session_actions[s].filter_in,
+ cli_session_actions[s].filter_out);
+
+ filter_session(s, cli_session_actions[s].filter_in, cli_session_actions[s].filter_out);
+ send++;
+ }
+
if (send)
cluster_send_session(s);
LOG(0, 0, 0, 0, "Error doing malloc for _statistics: %s\n", strerror(errno));
exit(1);
}
- if (!(config = shared_malloc(sizeof(struct configt))))
+ if (!(config = shared_malloc(sizeof(configt))))
{
LOG(0, 0, 0, 0, "Error doing malloc for configuration: %s\n", strerror(errno));
exit(1);
}
- memset(config, 0, sizeof(struct configt));
+ memset(config, 0, sizeof(configt));
time(&config->start_time);
strncpy(config->config_file, optconfig, strlen(optconfig));
config->debug = optdebug;
exit(1);
}
+if (!(ip_filters = shared_malloc(sizeof(ip_filtert) * MAXFILTER)))
+{
+ LOG(0, 0, 0, 0, "Error doing malloc for ip_filters: %s\n", strerror(errno));
+ exit(1);
+}
+memset(ip_filters, 0, sizeof(ip_filtert) * MAXFILTER);
+
#ifdef RINGBUFFER
if (!(ringbuffer = shared_malloc(sizeof(struct Tringbuffer))))
{
_statistics->start_time = _statistics->last_reset = time(NULL);
#ifdef BGP
- if (!(bgp_peers = shared_malloc(sizeof(struct bgp_peer) * BGP_NUM_PEERS)))
- {
- LOG(0, 0, 0, 0, "Error doing malloc for bgp: %s\n", strerror(errno));
- exit(1);
- }
+ if (!(bgp_peers = shared_malloc(sizeof(struct bgp_peer) * BGP_NUM_PEERS)))
+ {
+ LOG(0, 0, 0, 0, "Error doing malloc for bgp: %s\n", strerror(errno));
+ exit(1);
+ }
#endif /* BGP */
}
}
}
+ // check filters
+ if (new->filter_in && (new->filter_in > MAXFILTER || !ip_filters[new->filter_in - 1].name[0]))
+ {
+ LOG(2, session[s].ip, s, session[s].tunnel, "Dropping invalid input filter %d\n", (int) new->filter_in);
+ new->filter_in = 0;
+ }
+
+ if (new->filter_out && (new->filter_out > MAXFILTER || !ip_filters[new->filter_out - 1].name[0]))
+ {
+ LOG(2, session[s].ip, s, session[s].tunnel, "Dropping invalid output filter %d\n", (int) new->filter_out);
+ new->filter_out = 0;
+ }
+
+ if (new->filter_in != session[s].filter_in)
+ {
+ if (session[s].filter_in) ip_filters[session[s].filter_in - 1].used--;
+ if (new->filter_in) ip_filters[new->filter_in - 1].used++;
+ }
+
+ if (new->filter_out != session[s].filter_out)
+ {
+ if (session[s].filter_out) ip_filters[session[s].filter_out - 1].used--;
+ if (new->filter_out) ip_filters[new->filter_out - 1].used++;
+ }
+
if (new->tunnel && s > config->cluster_highest_sessionid) // Maintain this in the slave. It's used
// for walking the sessions to forward byte counts to the master.
config->cluster_highest_sessionid = s;
return hidden_length + 6;
}
+static int ip_filter_port(ip_filter_portt *p, portt port)
+{
+ switch (p->op)
+ {
+ case FILTER_PORT_OP_EQ: return port == p->port;
+ case FILTER_PORT_OP_NEQ: return port != p->port;
+ case FILTER_PORT_OP_GT: return port > p->port;
+ case FILTER_PORT_OP_LT: return port < p->port;
+ case FILTER_PORT_OP_RANGE: return port >= p->port && port <= p->port2;
+ }
+
+ return 0;
+}
+
+static int ip_filter_flag(u8 op, u8 sflags, u8 cflags, u8 flags)
+{
+ switch (op)
+ {
+ /*
+ * NOTE: "match-any +A +B -C -D" is interpreted as "match if
+ * either A or B is set *and* C or D is clear". While "or" is
+ * possibly more correct, the way "established" is currently
+ * implemented depends on this behaviour.
+ */
+ case FILTER_FLAG_OP_ANY:
+ return (flags & sflags) && !(flags & cflags);
+
+ case FILTER_FLAG_OP_ALL:
+ return (flags & sflags) == sflags && (~flags & cflags) == cflags;
+ }
+
+ return 0;
+}
+
+int ip_filter(u8 *buf, int len, u8 filter)
+{
+ u8 proto;
+ ipt src_ip;
+ ipt dst_ip;
+ portt src_port = 0;
+ portt dst_port = 0;
+ u8 flags = 0;
+ ip_filter_rulet *rule;
+
+ if (len < 20) // up to end of destination address
+ return 0;
+
+ if (*buf >> 4) // IPv4
+ return 0;
+
+ proto = buf[9];
+ src_ip = *(u32 *) (buf + 12);
+ dst_ip = *(u32 *) (buf + 16);
+
+ if (proto == IPPROTO_TCP || proto == IPPROTO_UDP)
+ {
+ int l = buf[0] & 0xf;
+ if (len < l + 4) // ports
+ return 0;
+
+ src_port = ntohs(*(u16 *) (buf + l));
+ dst_port = ntohs(*(u16 *) (buf + l + 2));
+ if (proto == IPPROTO_TCP)
+ {
+ if (len < l + 15) // flags
+ return 0;
+
+ flags = buf[l + 14] & 0x3f;
+ }
+ }
+
+ for (rule = ip_filters[filter].rules; rule->action; rule++)
+ {
+ if (proto && proto != rule->proto)
+ continue;
+
+ if (rule->src_wild != INADDR_BROADCAST &&
+ (src_ip & ~rule->src_wild) != (rule->src_ip & ~rule->src_wild))
+ continue;
+
+ if (rule->dst_wild != INADDR_BROADCAST &&
+ (dst_ip & ~rule->dst_wild) != (rule->dst_ip & ~rule->dst_wild))
+ continue;
+
+ if (proto == IPPROTO_TCP || proto == IPPROTO_UDP)
+ {
+ if (rule->src_ports.op && !ip_filter_port(&rule->src_ports, src_port))
+ continue;
+
+ if (rule->dst_ports.op && !ip_filter_port(&rule->dst_ports, dst_port))
+ continue;
+
+ if (proto == IPPROTO_TCP && rule->tcp_flag_op &&
+ !ip_filter_flag(rule->tcp_flag_op, rule->tcp_sflags, rule->tcp_cflags, flags))
+ continue;
+ }
+
+ // matched
+ return rule->action == FILTER_ACTION_PERMIT;
+ }
+
+ // default deny
+ return 0;
+}
projects / l2tpns.git / blobdiff