DWS/chrony
1
0
Fork 0
mirror of https://gitlab.com/chrony/chrony.git synced 2025-12-03 16:35:06 -05:00
Code Issues Packages Projects Releases Wiki Activity

Add IPv6 support

Browse Source
This commit is contained in:
Miroslav Lichvar
2009-10-09 15:00:59 +02:00
parent 183d56fd40
commit 8265ff2890
32 changed files with 1709 additions and 770 deletions
Download Patch File Download Diff File Expand all files Collapse all files

209
addrfilt.c
View File

@@ -51,23 +51,35 @@ typedef struct _TableNode {
} TableNode;
struct ADF_AuthTableInst {
TableNode base;
TableNode base4; /* IPv4 node */
TableNode base6; /* IPv6 node */
};
/* ================================================== */
inline static unsigned long
get_subnet(unsigned long addr)
static void
split_ip6(IPAddr *ip, uint32_t *dst)
{
return (addr >> (32-NBITS)) & ((1UL<<NBITS) - 1);
int i;
for (i = 0; i < 4; i++)
dst[i] = ip->addr.in6[i * 4 + 0] << 24 |
ip->addr.in6[i * 4 + 1] << 16 |
ip->addr.in6[i * 4 + 2] << 8 |
ip->addr.in6[i * 4 + 3];
}
/* ================================================== */
inline static unsigned long
get_residual(unsigned long addr)
inline static uint32_t
get_subnet(uint32_t *addr, unsigned int where)
{
return (addr << NBITS);
int off;
off = where / 32;
where %= 32;
return (addr[off] >> (32 - NBITS - where)) & ((1UL << NBITS) - 1);
}
/* ================================================== */
@@ -79,8 +91,10 @@ ADF_CreateTable(void)
result = MallocNew(struct ADF_AuthTableInst);
/* Default is that nothing is allowed */
result->base.state = DENY;
result->base.extended = NULL;
result->base4.state = DENY;
result->base4.extended = NULL;
result->base6.state = DENY;
result->base6.extended = NULL;
return result;
}
@@ -135,22 +149,22 @@ open_node(TableNode *node)
static ADF_Status
set_subnet(TableNode *start_node,
unsigned long ip,
uint32_t *ip,
int ip_len,
int subnet_bits,
State new_state,
int delete_children)
{
int bits_to_go;
unsigned long residual;
unsigned long subnet;
int bits_to_go, bits_consumed;
uint32_t subnet;
TableNode *node;
bits_consumed = 0;
bits_to_go = subnet_bits;
residual = ip;
node = start_node;
if ((subnet_bits < 0) ||
(subnet_bits > 32)) {
(subnet_bits > 32 * ip_len)) {
return ADF_BADSUBNET;
@@ -159,13 +173,13 @@ set_subnet(TableNode *start_node,
if ((bits_to_go & (NBITS-1)) == 0) {
while (bits_to_go > 0) {
subnet = get_subnet(residual);
residual = get_residual(residual);
subnet = get_subnet(ip, bits_consumed);
if (!(node->extended)) {
open_node(node);
}
node = &(node->extended[subnet]);
bits_to_go -= NBITS;
bits_consumed += NBITS;
}
if (delete_children) {
@@ -178,18 +192,18 @@ set_subnet(TableNode *start_node,
TableNode *this_node;
while (bits_to_go >= NBITS) {
subnet = get_subnet(residual);
residual = get_residual(residual);
subnet = get_subnet(ip, bits_consumed);
if (!(node->extended)) {
open_node(node);
}
node = &(node->extended[subnet]);
bits_to_go -= NBITS;
bits_consumed += NBITS;
}
/* How many subnet entries to set : 1->8, 2->4, 3->2 */
N = 1 << (NBITS-bits_to_go);
subnet = get_subnet(residual);
subnet = get_subnet(ip, bits_consumed);
if (!(node->extended)) {
open_node(node);
}
@@ -210,12 +224,41 @@ set_subnet(TableNode *start_node,
/* ================================================== */
static ADF_Status
set_subnet_(ADF_AuthTable table,
IPAddr *ip_addr,
int subnet_bits,
State new_state,
int delete_children)
{
uint32_t ip6[4];
switch (ip_addr->family) {
case IPADDR_INET4:
return set_subnet(&table->base4, &ip_addr->addr.in4, 1, subnet_bits, new_state, delete_children);
case IPADDR_INET6:
split_ip6(ip_addr, ip6);
return set_subnet(&table->base6, ip6, 4, subnet_bits, new_state, delete_children);
case IPADDR_UNSPEC:
/* Apply to both, subnet_bits has to be 0 */
if (subnet_bits != 0)
return ADF_BADSUBNET;
memset(ip6, 0, sizeof (ip6));
if (set_subnet(&table->base4, ip6, 1, 0, new_state, delete_children) == ADF_SUCCESS &&
set_subnet(&table->base6, ip6, 4, 0, new_state, delete_children) == ADF_SUCCESS)
return ADF_SUCCESS;
break;
}
return ADF_BADSUBNET;
}
ADF_Status
ADF_Allow(ADF_AuthTable table,
unsigned long ip,
IPAddr *ip,
int subnet_bits)
{
return set_subnet(&(table->base), ip, subnet_bits, ALLOW, 0);
return set_subnet_(table, ip, subnet_bits, ALLOW, 0);
}
/* ================================================== */
@@ -223,30 +266,30 @@ ADF_Allow(ADF_AuthTable table,
ADF_Status
ADF_AllowAll(ADF_AuthTable table,
unsigned long ip,
IPAddr *ip,
int subnet_bits)
{
return set_subnet(&(table->base), ip, subnet_bits, ALLOW, 1);
return set_subnet_(table, ip, subnet_bits, ALLOW, 1);
}
/* ================================================== */
ADF_Status
ADF_Deny(ADF_AuthTable table,
unsigned long ip,
IPAddr *ip,
int subnet_bits)
{
return set_subnet(&(table->base), ip, subnet_bits, DENY, 0);
return set_subnet_(table, ip, subnet_bits, DENY, 0);
}
/* ================================================== */
ADF_Status
ADF_DenyAll(ADF_AuthTable table,
unsigned long ip,
IPAddr *ip,
int subnet_bits)
{
return set_subnet(&(table->base), ip, subnet_bits, DENY, 1);
return set_subnet_(table, ip, subnet_bits, DENY, 1);
}
/* ================================================== */
@@ -254,32 +297,33 @@ ADF_DenyAll(ADF_AuthTable table,
void
ADF_DestroyTable(ADF_AuthTable table)
{
close_node(&(table->base));
close_node(&table->base4);
close_node(&table->base6);
Free(table);
}
/* ================================================== */
static int
check_ip_in_node(TableNode *start_node, unsigned long ip)
check_ip_in_node(TableNode *start_node, uint32_t *ip)
{
unsigned long residual, subnet;
uint32_t subnet;
int bits_consumed = 0;
int result = 0;
int finished = 0;
TableNode *node;
State state=DENY;
node = start_node;
residual = ip;
do {
if (node->state != AS_PARENT) {
state = node->state;
}
if (node->extended) {
subnet = get_subnet(residual);
residual = get_residual(residual);
subnet = get_subnet(ip, bits_consumed);
node = &(node->extended[subnet]);
bits_consumed += NBITS;
} else {
/* Make decision on this node */
finished = 1;
@@ -306,38 +350,63 @@ check_ip_in_node(TableNode *start_node, unsigned long ip)
int
ADF_IsAllowed(ADF_AuthTable table,
unsigned long ip)
IPAddr *ip_addr)
{
uint32_t ip6[4];
return check_ip_in_node(&(table->base), ip);
switch (ip_addr->family) {
case IPADDR_INET4:
return check_ip_in_node(&table->base4, &ip_addr->addr.in4);
case IPADDR_INET6:
split_ip6(ip_addr, ip6);
return check_ip_in_node(&table->base6, ip6);
}
return 0;
}
/* ================================================== */
#if defined TEST
static void print_node(TableNode *node, unsigned long addr, int shift, int subnet_bits)
static void print_node(TableNode *node, uint32_t *addr, int ip_len, int shift, int subnet_bits)
{
unsigned long new_addr;
uint32_t new_addr[4];
int i;
TableNode *sub_node;
for (i=0; i<subnet_bits; i++) putchar(' ');
printf("%d.%d.%d.%d/%d : %s\n",
((addr >> 24) & 255),
((addr >> 16) & 255),
((addr >> 8) & 255),
((addr ) & 255),
if (ip_len == 1)
printf("%d.%d.%d.%d",
((addr[0] >> 24) & 255),
((addr[0] >> 16) & 255),
((addr[0] >> 8) & 255),
((addr[0] ) & 255));
else {
for (i=0; i<4; i++) {
if (addr[i])
printf("%d.%d.%d.%d",
((addr[i] >> 24) & 255),
((addr[i] >> 16) & 255),
((addr[i] >> 8) & 255),
((addr[i] ) & 255));
putchar(i < 3 ? ':' : '\0');
}
}
printf("/%d : %s\n",
subnet_bits,
(node->state == ALLOW) ? "allow" :
(node->state == DENY) ? "deny" : "as parent");
if (node->extended) {
for (i=0; i<16; i++) {
sub_node = &((*(node->extended))[i]);
new_addr = addr | ((unsigned long) i << shift);
print_node(sub_node, new_addr, shift - 4, subnet_bits + 4);
sub_node = &(node->extended[i]);
new_addr[0] = addr[0];
new_addr[1] = addr[1];
new_addr[2] = addr[2];
new_addr[3] = addr[3];
new_addr[ip_len - 1 - shift / 32] |= ((uint32_t)i << (shift % 32));
print_node(sub_node, new_addr, ip_len, shift - 4, subnet_bits + 4);
}
}
return;
@@ -346,11 +415,15 @@ static void print_node(TableNode *node, unsigned long addr, int shift, int subne
static void print_table(ADF_AuthTable table)
{
unsigned long addr = 0;
int shift = 28;
int subnet_bits = 0;
uint32_t addr[4];
print_node(&table->base, addr, shift, subnet_bits);
memset(addr, 0, sizeof (addr));
printf("IPv4 table:\n");
print_node(&table->base4, addr, 1, 28, 0);
memset(addr, 0, sizeof (addr));
printf("IPv6 table:\n");
print_node(&table->base6, addr, 4, 124, 0);
return;
}
@@ -358,13 +431,41 @@ static void print_table(ADF_AuthTable table)
int main (int argc, char **argv)
{
IPAddr ip;
ADF_AuthTable table;
table = ADF_CreateTable();
ADF_Allow(table, 0x7e800000, 9);
ADF_Deny(table, 0x7ecc0000, 14);
/* ADF_Deny(table, 0x7f000001, 32); */
/* ADF_Allow(table, 0x7f000000, 8); */
ip.family = IPADDR_INET4;
ip.addr.in4 = 0x7e800000;
ADF_Allow(table, &ip, 9);
ip.addr.in4 = 0x7ecc0000;
ADF_Deny(table, &ip, 14);
#if 0
ip.addr.in4 = 0x7f000001;
ADF_Deny(table, &ip, 32);
ip.addr.in4 = 0x7f000000;
ADF_Allow(table, &ip, 8);
#endif
printf("allowed: %d\n", ADF_IsAllowed(table, &ip));
ip.addr.in4 ^= 1;
printf("allowed: %d\n", ADF_IsAllowed(table, &ip));
ip.family = IPADDR_INET6;
memcpy(ip.addr.in6, "abcdefghijklmnop", 16);
ADF_Deny(table, &ip, 66);
ADF_Allow(table, &ip, 59);
memcpy(ip.addr.in6, "xbcdefghijklmnop", 16);
ADF_Deny(table, &ip, 128);
ip.addr.in6[15] ^= 3;
ADF_Allow(table, &ip, 127);
printf("allowed: %d\n", ADF_IsAllowed(table, &ip));
ip.addr.in4 ^= 1;
printf("allowed: %d\n", ADF_IsAllowed(table, &ip));
print_table(table);