Commit 46a5881d authored by Jan Včelák's avatar Jan Včelák 🚀 Committed by Daniel Salzman

conf: add function for address range matching

parent e8683384
/* Copyright (C) 2015 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2016 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -677,6 +677,35 @@ struct sockaddr_storage conf_addr_range(
return out;
}
bool conf_addr_range_match(
conf_val_t *range,
const struct sockaddr_storage *addr)
{
if (range == NULL || addr == NULL) {
return false;
}
while (range->code == KNOT_EOK) {
int mask;
struct sockaddr_storage min, max;
min = conf_addr_range(range, &max, &mask);
if (max.ss_family == AF_UNSPEC) {
if (sockaddr_net_match(addr, &min, mask)) {
return true;
}
} else {
if (sockaddr_range_match(addr, &min, &max)) {
return true;
}
}
conf_val_next(range);
}
return false;
}
char* conf_abs_path(
conf_val_t *val,
const char *base_dir)
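Review bot: conf_addr_range_match advances `range` with conf_val_next() on every non-matching entry, so on return the iterator either points at the matching entry or is exhausted (`range->code != KNOT_EOK`), but the prototype in the conf.h hunk documents it as `\param[in] range` with no mention of this; a caller that reuses the iterator afterwards will see an empty list. I would mark the parameter as consumed in the header and add a comment before the loop: `/* Consumes the iterator: on return, range is at the matching entry or exhausted. */`. The branch on `max.ss_family == AF_UNSPEC` also relies on an unstated contract of conf_addr_range() — presumably it leaves `max` unset for a prefix-style network block — which deserves a one-line comment such as `/* conf_addr_range() leaves max as AF_UNSPEC for a network block (prefix match). */`. The same point applies to the conf.h declaration hunk in this commit.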
......
/* Copyright (C) 2015 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2016 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -502,6 +502,19 @@ struct sockaddr_storage conf_addr_range(
int *prefix_len
);
/*!
* Checks the address if matches given address range/network block.
*
* \param[in] range Address range/network block.
* \param[in] addr Address to check.
*
* \return True if matches.
*/
bool conf_addr_range_match(
conf_val_t *range,
const struct sockaddr_storage *addr
);
/*!
* Gets the absolute string value of the item.
*
......
/* Copyright (C) 2015 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2016 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -14,45 +14,19 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <assert.h>
#include "knot/updates/acl.h"
#include "contrib/sockaddr.h"
bool acl_allowed(conf_t *conf, conf_val_t *acl, acl_action_t action,
const struct sockaddr_storage *addr,
knot_tsig_key_t *tsig)
const struct sockaddr_storage *addr, knot_tsig_key_t *tsig)
{
if (acl == NULL || addr == NULL || tsig == NULL) {
return NULL;
}
while (acl->code == KNOT_EOK) {
conf_val_t val;
/* Check if the address matches the current acl address list. */
val = conf_id_get(conf, C_ACL, C_ADDR, acl);
while (val.code == KNOT_EOK) {
struct sockaddr_storage ss, ss_max;
int prefix;
ss = conf_addr_range(&val, &ss_max, &prefix);
if (ss_max.ss_family == AF_UNSPEC) {
if (!netblock_match(addr, &ss, prefix)) {
conf_val_next(&val);
continue;
}
} else {
if (!netrange_match(addr, &ss, &ss_max)) {
conf_val_next(&val);
continue;
}
}
break;
}
/* Check for address match or empty list. */
if (val.code != KNOT_EOK && val.code != KNOT_ENOENT) {
conf_val_t val = conf_id_get(conf, C_ACL, C_ADDR, acl);
if (val.code != KNOT_ENOENT && !conf_addr_range_match(&val, addr)) {
goto next_acl;
}
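Review bot: The new compact condition keeps the previous semantics but hides the security-relevant case: when the ACL has no address item (`val.code == KNOT_ENOENT`) the address check is skipped entirely and the rule applies to any source address, which the removed comment "Check for address match or empty list" at least hinted at. I would restore that intent explicitly, e.g. `/* No address list configured: the rule matches any source address. */` above the `if`. Unrelated to this change but visible in the hunk, `return NULL;` in the NULL-argument guard of a bool function should be `return false;`. acl_allowed continues past the end of this hunk.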
......
/* Copyright (C) 2015 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2016 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -41,19 +41,17 @@ typedef enum {
/*!
* \brief Checks if the address and/or tsig key matches given ACL list.
*
* If a proper ACL rule is found and tsig.name is not empty,
* tsig.secret is filled.
* If a proper ACL rule is found and tsig.name is not empty, tsig.secret is filled.
*
* \param conf Configuration.
* \param acl Pointer to ACL config multivalued identifier.
* \param action ACL action.
* \param addr IP address.
* \param tsig TSIG parameters.
* \param conf Configuration.
* \param acl Pointer to ACL config multivalued identifier.
* \param action ACL action.
* \param addr IP address.
* \param tsig TSIG parameters.
*
* \retval bool if authenticated.
* \retval True if authenticated.
*/
bool acl_allowed(conf_t *conf, conf_val_t *acl, acl_action_t action,
const struct sockaddr_storage *addr,
knot_tsig_key_t *tsig);
const struct sockaddr_storage *addr, knot_tsig_key_t *tsig);
/*! @} */