Build filter framework for incoming mdp packets
This commit is contained in:
parent
b56f4c27d3
commit
b4a48e4cc8
@ -234,5 +234,11 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||
// should there be a types.h to hold this?
|
||||
typedef char bool_t;
|
||||
|
||||
#define RULE_ALLOW 0
|
||||
#define RULE_DROP (1<<0)
|
||||
#define RULE_SOURCE (1<<1)
|
||||
#define RULE_DESTINATION (1<<2)
|
||||
#define RULE_SRC_PORT (1<<3)
|
||||
#define RULE_DST_PORT (1<<4)
|
||||
|
||||
#endif // __SERVAL_DNA__CONSTANTS_H
|
||||
|
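--- /dev/null
+++ b/mdp_filter.c
@@ -0,0 +1,102 @@
+
+#include "serval.h"
+#include "overlay_address.h"
+#include "overlay_packet.h"
+#include "constants.h"
+#include "conf.h"
+
+#define RULE_ALLOW 0
+#define RULE_DROP (1<<0)
+#define RULE_SOURCE (1<<1)
+#define RULE_DESTINATION (1<<2)
+#define RULE_SRC_PORT (1<<3)
+#define RULE_DST_PORT (1<<4)
+
+struct packet_rule{
+struct subscriber *source;
+struct subscriber *destination;
+mdp_port_t src_start;
+mdp_port_t src_end;
+mdp_port_t dst_start;
+mdp_port_t dst_end;
+uint8_t flags;
+struct packet_rule *next;
+};
+struct packet_rule *global_rules = NULL;
+
+static int match_rule(struct internal_mdp_header *header, struct packet_rule *rule)
+{
+if ((rule->flags & RULE_SOURCE) && header->source != rule->source)
+return 0;
+if ((rule->flags & RULE_DESTINATION) && header->destination != rule->destination)
+return 0;
+if ((rule->flags & RULE_SRC_PORT) &&
+(header->source_port < rule->src_start||header->source_port > rule->src_end))
+return 0;
+if ((rule->flags & RULE_DST_PORT) &&
+(header->destination_port < rule->dst_start||header->destination_port > rule->dst_end))
+return 0;
+if (config.debug.mdprequests)
+DEBUGF("Packet matches %s rule, flags:%s%s%s%s",
+rule->flags & RULE_DROP ? "DROP" : "ALLOW",
+rule->flags & RULE_SOURCE ? " SOURCE" : "",
+rule->flags & RULE_DESTINATION ? " DESTINATION" : "",
+rule->flags & RULE_SRC_PORT? " SOURCE_PORT" : "",
+rule->flags & RULE_DST_PORT ? " DESTINATION_PORT" : "");
+return 1;
+}
+
+int allow_incoming_packet(struct internal_mdp_header *header)
+{
+struct packet_rule *rule = header->source->source_rules;
+while(rule){
+if (match_rule(header, rule))
+return rule->flags & RULE_DROP;
+rule = rule->next;
+}
+rule = global_rules;
+while(rule){
+if (match_rule(header, rule))
+return rule->flags & RULE_DROP;
+rule = rule->next;
+}
+return RULE_ALLOW;
+}
+
+static void free_rule_list(struct packet_rule *rule)
+{
+while(rule){
+struct packet_rule *t = rule;
+rule = rule->next;
+free(t);
+}
+}
+
+static int drop_rule(struct subscriber *subscriber, void *UNUSED(context))
+{
+free_rule_list(subscriber->source_rules);
+subscriber->source_rules=NULL;
+return 0;
+}
+
+void load_mdp_packet_rules(const char *UNUSED(filename))
+{
+// drop all existing rules
+free_rule_list(global_rules);
+global_rules=NULL;
+enum_subscribers(NULL, drop_rule, NULL);
+
+// TODO parse config [file]?
+
+/*
+* Rule format?
+* one line per rule, name value pairs for parameters?
+* eg;
+*
+* DROP,source=FF...,destination_port=00[-99]
+* DROP,destination=broadcast
+* ALLOW
+*
+* */
+}
+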
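Review bot: `global_rules` at `struct packet_rule *global_rules = NULL;` has external linkage although serval.h declares only `allow_incoming_packet` and `load_mdp_packet_rules`, so it should read `static struct packet_rule *global_rules = NULL;` to keep the rule list private to this file. The six RULE_* macros are also defined here even though the file includes constants.h, which this commit extends with the same six definitions; dropping the local copies removes the chance that the two sets drift apart and silently change which packets a DROP rule matches. In allow_incoming_packet the per-subscriber list is consulted before global_rules, the first matching rule decides, and RULE_ALLOW is returned when nothing matches; that ordering and the fail-open default deserve a comment on the function since they define the filter's behaviour when no rule applies. load_mdp_packet_rules currently ignores filename and only clears every rule, which its header comment should state until the parser sketched in the trailing comment exists.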
@ -45,6 +45,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||
|
||||
#define BROADCAST_LEN 8
|
||||
|
||||
struct packet_rule;
|
||||
|
||||
// This structure supports both our own routing protocol which can store calculation details in *node
|
||||
// or IP4 addresses reachable via any other kind of normal layer3 routing protocol, eg olsr
|
||||
@ -84,6 +85,8 @@ struct subscriber{
|
||||
|
||||
// private keys for local identities
|
||||
struct keyring_identity *identity;
|
||||
|
||||
struct packet_rule *source_rules;
|
||||
};
|
||||
|
||||
struct broadcast{
|
||||
|
@ -541,7 +541,8 @@ static int overlay_saw_mdp_frame(
|
||||
alloca_tohex_sid_t_trunc(header->source->sid, 14),
|
||||
header->source_port, header->destination_port);
|
||||
|
||||
// TODO filter by sid src (& dst?) port
|
||||
if (allow_incoming_packet(header) == RULE_DROP)
|
||||
return 0;
|
||||
|
||||
for(i=0;i<MDP_MAX_BINDINGS;i++)
|
||||
{
|
||||
|
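Review bot: The comment `// TODO filter by sid src (& dst?) port` directly above the new `allow_incoming_packet(header)` call is now stale, because that call is the filter the TODO asked for; replace it with `// Apply MDP packet rules; a matching DROP rule discards the frame before any binding sees it`. The enclosing function overlay_saw_mdp_frame starts and ends outside the hunk, so it cannot be checked here whether the debug output above the check is the only thing that observes a dropped frame.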
2
serval.h
2
serval.h
@ -371,6 +371,8 @@ int mdp_bind_internal(struct subscriber *subscriber, mdp_port_t port,
|
||||
int mdp_unbind_internal(struct subscriber *subscriber, mdp_port_t port,
|
||||
int (*internal)(struct internal_mdp_header *header, struct overlay_buffer *payload));
|
||||
|
||||
int allow_incoming_packet(struct internal_mdp_header *header);
|
||||
void load_mdp_packet_rules(const char *filename);
|
||||
|
||||
struct vomp_call_state;
|
||||
|
||||
|
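Review bot: The two new prototypes carry no comment, and their contract is not obvious from the names: allow_incoming_packet returns RULE_DROP when a rule rejects the frame and RULE_ALLOW otherwise, and load_mdp_packet_rules in this commit only discards all loaded rules without reading filename. A one-line comment above each, e.g. `// Returns RULE_DROP if a packet rule rejects header, RULE_ALLOW otherwise.`, would keep callers from treating the return value as a boolean success flag.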
@ -47,6 +47,7 @@ SERVAL_SOURCES = \
|
||||
$(SERVAL_BASE)overlay_queue.c \
|
||||
$(SERVAL_BASE)overlay_mdp.c \
|
||||
$(SERVAL_BASE)overlay_mdp_services.c \
|
||||
$(SERVAL_BASE)mdp_filter.c \
|
||||
$(SERVAL_BASE)overlay_olsr.c \
|
||||
$(SERVAL_BASE)overlay_packetformats.c \
|
||||
$(SERVAL_BASE)overlay_payload.c \
|
||||
|