Filter code, work in progress, wont build yet

2024-12-19 21:17:52 +00:00 · 2013-07-07 19:36:57 -04:00 · 2013-07-07 19:36:57 -04:00 · e2a2d33f8f
commit e2a2d33f8f
parent c68ab6b70f
6 changed files with 469 additions and 42 deletions
--- a/node/EthernetTap.cpp
+++ b/node/EthernetTap.cpp
@ -470,7 +470,7 @@ EthernetTap::EthernetTap(const RuntimeEnvironment *renv,const MAC &mac,unsigned
 		waitpid(cpid,&exitcode,0);
 		if (exitcode) {
 			::close(_fd);
-			throw std::runtime_error("ifconfig failure setting link-layer address and activating tap interface");
+			throw std::runtime_error("ipconfig failure enabling IPv6 link-local addressing");
 		}
 	}

--- a/node/Filter.cpp
+++ b/node/Filter.cpp
@ -0,0 +1,106 @@
+/*
+ * ZeroTier One - Global Peer to Peer Ethernet
+ * Copyright (C) 2012-2013  ZeroTier Networks LLC
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * --
+ *
+ * ZeroTier may be used and distributed under the terms of the GPLv3, which
+ * are available at: http://www.gnu.org/licenses/gpl-3.0.html
+ *
+ * If you would like to embed ZeroTier into a commercial application or
+ * redistribute it in a modified binary form, please contact ZeroTier Networks
+ * LLC. Start here: http://www.zerotier.com/
+ */
+
+#include <stdint.h>
+
+#include "RuntimeEnvironment.hpp"
+#include "Logger.hpp"
+#include "Filter.hpp"
+
+namespace ZeroTier {
+
+bool Filter::Rule::operator()(unsigned int etype,const void *data,unsigned int len) const
+{
+	if ((_etherType >= 0)&&(etype != (unsigned int)_etherType))
+		return false; // ethertype mismatch
+
+	switch(etype) {
+		case ZT_ETHERTYPE_IPV4:
+			if (len < 20)
+				return false; // invalid packets don't match
+			if ((_protocol >= 0)&&(((const uint8_t *)data)[9] != (uint8_t)(_protocol & 0xff)))
+				return false; // IP protocol # mismatch
+
+			switch(((const uint8_t *)data)[9]) {
+			}
+
+			break;
+		case ZT_ETHERTYPE_IPV6
+			break;
+	}
+
+	return false;
+}
+
+Filter::Filter(const RuntimeEnvironment *renv) :
+	_r(renv)
+{
+}
+
+Filter::~Filter()
+{
+}
+
+void Filter::add(const Rule &r,const Action &a)
+{
+	Mutex::Lock _l(_chain_m);
+	for(std::vector<Entry>::iterator i(_chain.begin());i!=_chain.end();++i) {
+		if (i->rule == r) {
+			_chain.erase(i);
+			break;
+		}
+	}
+	_chain.push_back(Entry(r,a));
+}
+
+const char *Filter::etherTypeName(const unsigned int etherType)
+	throw()
+{
+	static char tmp[6];
+	switch(etherType) {
+		case ZT_ETHERTYPE_IPV4:
+			return "IPV4";
+		case ZT_ETHERTYPE_ARP:
+			return "ARP";
+		case ZT_ETHERTYPE_RARP:
+			return "RARP";
+		case ZT_ETHERTYPE_ATALK:
+			return "ATALK";
+		case ZT_ETHERTYPE_AARP:
+			return "AARP";
+		case ZT_ETHERTYPE_IPX_A:
+			return "IPX_A";
+		case ZT_ETHERTYPE_IPX_B:
+			return "IPX_B";
+		case ZT_ETHERTYPE_IPV6:
+			return "IPV6";
+	}
+	sprintf(tmp,"%.4x",etherType);
+	return tmp; // technically not thread safe, but we're only going to see this in debugging if ever
+}
+
+} // namespace ZeroTier
--- a/node/Filter.hpp
+++ b/node/Filter.hpp
@ -0,0 +1,239 @@
+/*
+ * ZeroTier One - Global Peer to Peer Ethernet
+ * Copyright (C) 2012-2013  ZeroTier Networks LLC
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * --
+ *
+ * ZeroTier may be used and distributed under the terms of the GPLv3, which
+ * are available at: http://www.gnu.org/licenses/gpl-3.0.html
+ *
+ * If you would like to embed ZeroTier into a commercial application or
+ * redistribute it in a modified binary form, please contact ZeroTier Networks
+ * LLC. Start here: http://www.zerotier.com/
+ */
+
+#ifndef _ZT_FILTER_HPP
+#define _ZT_FILTER_HPP
+
+#include <stdio.h>
+#include <string.h>
+#include <string>
+#include <vector>
+#include <utility>
+
+#include "Mutex.hpp"
+#include "Range.hpp"
+ 
+/* Ethernet frame types that might be relevant to us */
+#define ZT_ETHERTYPE_IPV4 0x0800
+#define ZT_ETHERTYPE_ARP 0x0806
+#define ZT_ETHERTYPE_RARP 0x8035
+#define ZT_ETHERTYPE_ATALK 0x809b
+#define ZT_ETHERTYPE_AARP 0x80f3
+#define ZT_ETHERTYPE_IPX_A 0x8137
+#define ZT_ETHERTYPE_IPX_B 0x8138
+#define ZT_ETHERTYPE_IPV6 0x86dd
+
+/* IP protocols we might care about */
+#define ZT_IPPROTO_ICMP 0x01
+#define ZT_IPPROTO_IGMP 0x02
+#define ZT_IPPROTO_TCP 0x06
+#define ZT_IPPROTO_UDP 0x11
+#define ZT_IPPROTO_RDP 0x1b
+#define ZT_IPPROTO_GRE 0x2f
+#define ZT_IPPROTO_ESP 0x32
+#define ZT_IPPROTO_AH 0x33
+#define ZT_IPPROTO_ICMPV6 0x3a
+#define ZT_IPPROTO_OSPF 0x59
+#define ZT_IPPROTO_IPIP 0x5e
+#define ZT_IPPROTO_IPCOMP 0x6c
+#define ZT_IPPROTO_L2TP 0x73
+#define ZT_IPPROTO_SCTP 0x84
+#define ZT_IPPROTO_FC 0x85
+#define ZT_IPPROTO_UDPLITE 0x88
+#define ZT_IPPROTO_HIP 0x8b
+
+namespace ZeroTier {
+
+class RuntimeEnvironment;
+
+/**
+ * A simple Ethernet frame level filter supporting basic IP port DENY
+ */
+class Filter
+{
+public:
+	/**
+	 * A filter rule
+	 *
+	 * This behaves as an immutable value object.
+	 */
+	class Rule
+	{
+	public:
+		Rule()
+			throw() :
+			_etherType(-1),
+			_protocol(-1),
+			_port(-1)
+		{
+		}
+
+		/**
+		 * Construct a new rule
+		 *
+		 * @param etype Ethernet type or negative for ANY
+		 * @param prot Protocol or negative for ANY (meaning depends on ethertype, e.g. IP protocol numbers)
+		 * @param prt Port or negative for ANY (only applies to some protocols)
+		 */
+		Rule(int etype,int prot,int prt)
+			throw() :
+			_etherType((etype >= 0) ? etype : -1),
+			_protocol((prot >= 0) ? prot : -1),
+			_port((prt >= 0) ? prt : -1)
+		{
+		}
+
+		inline int etherType() const throw() { return _etherType; }
+		inline int protocol() const throw() { return _protocol; }
+		inline int port() const throw() { return _port; }
+
+		/**
+		 * Test this rule against a frame
+		 *
+		 * @param etype Type of ethernet frame
+		 * @param data Ethernet frame data
+		 * @param len Length of ethernet frame
+		 * @return True if rule matches
+		 */
+		bool operator()(unsigned int etype,const void *data,unsigned int len) const;
+
+		inline bool operator==(const Rule &r) const throw() { return ((_etherType == r._etherType)&&(_protocol == r._protocol)&&(_port == r._port)); }
+		inline bool operator!=(const Rule &r) const throw() { return !(*this == r); }
+		inline bool operator<(const Rule &r) const
+			throw()
+		{
+			if (_etherType < r._etherType)
+				return true;
+			else if (_etherType == r._etherType) {
+				if (_protocol < r._protocol)
+					return true;
+				else if (_protocol == r._protocol) {
+					if (_port < r._port)
+						return true;
+				}
+			}
+			return false;
+		}
+		inline bool operator>(const Rule &r) const throw() { return (r < *this); }
+		inline bool operator<=(const Rule &r) const throw() { return !(r < *this); }
+		inline bool operator>=(const Rule &r) const throw() { return !(*this < r); }
+
+	private:
+		int _etherType;
+		int _protocol;
+		int _port;
+	};
+
+	/**
+	 * Action if a rule matches
+	 */
+	enum Action
+	{
+		ACTION_DENY = 0,
+		ACTION_ALLOW = 1,
+		ACTION_LOG = 2
+	};
+
+	/**
+	 * Entry in filter chain
+	 */
+	struct Entry
+	{
+		Entry() {}
+		Entry(const Rule &r,const Action &a) :
+			rule(r),
+			action(a)
+		{
+		}
+
+		Rule rule;
+		Action action;
+	};
+
+	Filter(const RuntimeEnvironment *renv);
+	~Filter();
+
+	/**
+	 * Remove all filter entries
+	 */
+	inline void clear()
+	{
+		Mutex::Lock _l(_chain_m);
+		_chain.clear();
+	}
+
+	/**
+	 * Append a rule/action pair to this chain
+	 *
+	 * If an identical rule already exists it is removed and a new entry is
+	 * added to the end with the new action. (Two identical rules with the
+	 * same action wouldn't make sense.)
+	 *
+	 * @param r Rule to add
+	 * @param a Action if rule matches
+	 */
+	void add(const Rule &r,const Action &a);
+
+	/**
+	 * @return Number of rules in filter chain
+	 */
+	inline unsigned int length() const
+		throw()
+	{
+		Mutex::Lock _l(_chain_m);
+		return _chain.length();
+	}
+
+	/**
+	 * @return Entry in filter chain or null entry if out of bounds
+	 */
+	inline Entry operator[](const unsigned int i) const
+		throw()
+	{
+		Mutex::Lock _l(_chain_m);
+		if (i < _chain.length())
+			return _chain[i];
+		return Entry();
+	}
+
+	/**
+	 * @param etherType Ethernet type ID
+	 * @return Name of Ethernet protocol (e.g. ARP, IPV4)
+	 */
+	static const char *etherTypeName(const unsigned int etherType)
+		throw();
+
+private:
+	const RuntimeEnvironment *_r;
+
+	std::vector<Entry> _chain;
+	Mutex _chain_m;
+};
+
+} // namespace ZeroTier
+
+#endif
--- a/node/Range.hpp
+++ b/node/Range.hpp
@ -0,0 +1,123 @@
+/*
+ * ZeroTier One - Global Peer to Peer Ethernet
+ * Copyright (C) 2012-2013  ZeroTier Networks LLC
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * --
+ *
+ * ZeroTier may be used and distributed under the terms of the GPLv3, which
+ * are available at: http://www.gnu.org/licenses/gpl-3.0.html
+ *
+ * If you would like to embed ZeroTier into a commercial application or
+ * redistribute it in a modified binary form, please contact ZeroTier Networks
+ * LLC. Start here: http://www.zerotier.com/
+ */
+
+#ifndef _ZT_RANGE_HPP
+#define _ZT_RANGE_HPP
+
+namespace ZeroTier {
+
+/**
+ * A range of numeric values
+ *
+ * @tparam T Type, can be any numeric value (int, float, double, etc.)
+ */
+template<typename T>
+class Range
+{
+public:
+	/**
+	 * Construct an empty range
+	 */
+	Range()
+		throw() :
+		start(0),
+		end(0)
+	{
+	}
+
+	/**
+	 * @param s Starting value (inclusive)
+	 * @param e Ending value (exclusive)
+	 */
+	Range(T s,T e)
+		throw() :
+		start(s),
+		end(e)
+	{
+	}
+
+	/**
+	 * Construct a range containing from n to n+1 (thus only n for integers)
+	 *
+	 * @param n Number to contain
+	 */
+	Range(T n)
+		throw() :
+		start(n),
+		end(n+1)
+	{
+	}
+
+	/**
+	 * @return end - start
+	 */
+	inline T magnitude() const
+		throw()
+	{
+		return (end - start);
+	}
+
+	/**
+	 * @return True if range contains something (magnitude is nonzero)
+	 */
+	inline operator bool() const
+		throw()
+	{
+		return (end > start);
+	}
+
+	/**
+	 * @param v Value to test
+	 * @return True if value is between start (inclusive) and end (exclusive)
+	 */
+	inline bool operator()(const T &v) const
+		throw()
+	{
+		return ((v >= start)&&(v < end));
+	}
+
+	inline bool operator==(const Range &r) const throw() { return ((start == r.start)&&(end == r.end)); }
+	inline bool operator!=(const Range &r) const throw() { return (!(*this == r)); }
+	inline bool operator<(const Range &r) const throw() { return ((start < r.start) ? true : ((start == r.start) ? (end < r.end) : false)); }
+	inline bool operator>(const Range &r) const throw() { return (r < *this); }
+	inline bool operator<=(const Range &r) const throw() { return !(r < *this); }
+	inline bool operator>=(const Range &r) const throw() { return !(*this < r); }
+
+	/**
+	 * Start of range (may be modified directly)
+	 */
+	T start;
+
+	/**
+	 * End of range (may be modified directly)
+	 */
+	T end;
+};
+
+} // namespace ZeroTier
+
+#endif
--- a/node/Utils.cpp
+++ b/node/Utils.cpp
@ -283,31 +283,6 @@ std::string Utils::base64Decode(const char *data,unsigned int len)
 	return out.substr(0,outLen);
 }

-const char *Utils::etherTypeName(const unsigned int etherType)
-{
-	static char tmp[6];
-	switch(etherType) {
-		case ZT_ETHERTYPE_IPV4:
-			return "IPV4";
-		case ZT_ETHERTYPE_ARP:
-			return "ARP";
-		case ZT_ETHERTYPE_RARP:
-			return "RARP";
-		case ZT_ETHERTYPE_ATALK:
-			return "ATALK";
-		case ZT_ETHERTYPE_AARP:
-			return "AARP";
-		case ZT_ETHERTYPE_IPX_A:
-			return "IPX_A";
-		case ZT_ETHERTYPE_IPX_B:
-			return "IPX_B";
-		case ZT_ETHERTYPE_IPV6:
-			return "IPV6";
-	}
-	sprintf(tmp,"%.4x",etherType);
-	return tmp; // technically not thread safe, but we're only going to see this in debugging if ever
-}
-
 std::string Utils::hex(const void *data,unsigned int len)
 {
 	std::string r;
--- a/node/Utils.hpp
+++ b/node/Utils.hpp
@ -44,16 +44,6 @@

 #include "Constants.hpp"

-/* Ethernet frame types that might be relevant to us */
-#define ZT_ETHERTYPE_IPV4 0x0800
-#define ZT_ETHERTYPE_ARP 0x0806
-#define ZT_ETHERTYPE_RARP 0x8035
-#define ZT_ETHERTYPE_ATALK 0x809b
-#define ZT_ETHERTYPE_AARP 0x80f3
-#define ZT_ETHERTYPE_IPX_A 0x8137
-#define ZT_ETHERTYPE_IPX_B 0x8138
-#define ZT_ETHERTYPE_IPV6 0x86dd
-
 /**
 * Maximum compression/decompression block size (do not change)
 */
@ -67,12 +57,6 @@ namespace ZeroTier {
 class Utils
 {
 public:
-	/**
-	 * @param etherType Ethernet type ID
-	 * @return Name of Ethernet protocol (e.g. ARP, IPV4)
-	 */
-	static const char *etherTypeName(const unsigned int etherType);
-
 	/**
 	 * @param data Data to convert to hex
 	 * @param len Length of data