Commit 6a2c8ff0 authored by Daniel Salzman's avatar Daniel Salzman

acl: add auto full prefix

parent 5e1e83ce
......@@ -474,7 +474,7 @@ struct sockaddr_storage conf_addr(
struct sockaddr_storage conf_net(
conf_val_t *val,
unsigned *prefix_length)
int *prefix_length)
{
assert(val != NULL && val->item != NULL && prefix_length != NULL);
assert(val->item->type == YP_TNET ||
......@@ -484,18 +484,8 @@ struct sockaddr_storage conf_net(
struct sockaddr_storage out = { AF_UNSPEC };
if (val->code == KNOT_EOK) {
int prefix;
conf_db_val(val);
out = yp_addr(val->data, val->len, &prefix);
if (prefix != -1) {
*prefix_length = prefix;
} else {
if (out.ss_family == AF_INET) {
*prefix_length = IPV4_PREFIXLEN;
} else if (out.ss_family == AF_INET6) {
*prefix_length = IPV6_PREFIXLEN;
}
}
out = yp_addr(val->data, val->len, prefix_length);
} else {
*prefix_length = 0;
}
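Review bot: The new contract of conf_net() is undocumented: `*prefix_length` can now come back negative when the configured value carries no prefix, because the value written by yp_addr() is forwarded as-is instead of being normalised to IPV4_PREFIXLEN or IPV6_PREFIXLEN as the removed lines did. Every caller now has to handle that case, so the doc comment on the prototype (outside the lines shown here) should state it, e.g. `\param prefix_length  Output network prefix length (negative if none was specified).` The error branch still stores 0, the widest possible prefix, which is only harmless while consumers reject the AF_UNSPEC address returned with it. A short comment on `*prefix_length = 0;` saying so would keep that assumption visible. The rest of the function lies outside the hunk.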
......
......@@ -228,7 +228,7 @@ struct sockaddr_storage conf_addr(
struct sockaddr_storage conf_net(
conf_val_t *val,
unsigned *prefix_length
int *prefix_length
);
char* conf_abs_path(
......
......@@ -86,7 +86,7 @@ typedef struct synth_template {
char *zone;
uint32_t ttl;
struct sockaddr_storage addr;
unsigned mask;
int mask;
} synth_template_t;
/*! \brief Substitute all occurences of given character. */
......
......@@ -40,7 +40,7 @@ static const uint8_t* ipv6_addr(const struct sockaddr_storage *ss) {
bool netblock_match(const struct sockaddr_storage *ss1,
const struct sockaddr_storage *ss2,
unsigned prefix)
int prefix)
{
if (ss1 == NULL || ss2 == NULL) {
return false;
......@@ -55,12 +55,20 @@ bool netblock_match(const struct sockaddr_storage *ss1,
case AF_INET:
addr1 = ipv4_addr(ss1);
addr2 = ipv4_addr(ss2);
prefix = prefix > IPV4_PREFIXLEN ? IPV4_PREFIXLEN : prefix;
if (prefix < 0) {
prefix = IPV4_PREFIXLEN;
} else if (prefix > IPV4_PREFIXLEN) {
prefix = IPV4_PREFIXLEN;
}
break;
case AF_INET6:
addr1 = ipv6_addr(ss1);
addr2 = ipv6_addr(ss2);
prefix = prefix > IPV6_PREFIXLEN ? IPV6_PREFIXLEN : prefix;
if (prefix < 0) {
prefix = IPV6_PREFIXLEN;
} else if (prefix > IPV6_PREFIXLEN) {
prefix = IPV6_PREFIXLEN;
}
break;
default:
return false;
......@@ -101,7 +109,7 @@ bool acl_allowed(conf_val_t *acl, acl_action_t action,
/* Check if the address matches the current acl address list. */
val = conf_id_get(conf(), C_ACL, C_ADDR, acl);
while (val.code == KNOT_EOK) {
unsigned prefix;
int prefix;
struct sockaddr_storage ss;
ss = conf_net(&val, &prefix);
if (!netblock_match(addr, &ss, prefix)) {
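Review bot: In netblock_match() both arms of the new `if`/`else if` assign the same constant in the AF_INET and AF_INET6 cases, so each pair can be one test: `if (prefix < 0 || prefix > IPV4_PREFIXLEN) { prefix = IPV4_PREFIXLEN; }`, and the same with IPV6_PREFIXLEN. Because this decides ACL matches, the choice to map the sentinel to the full address length (the narrowest match) deserves a comment beside it, for instance `/* Negative = no prefix configured: compare the whole address, never widen the match. */`, so that a later edit does not turn it into 0. The function body continues outside the hunks.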
......
......@@ -44,11 +44,11 @@ typedef enum {
*
* \param ss1 First address storage.
* \param ss2 Second address storage.
* \param prefix Netblock length.
* \param prefix Netblock length (negative value for maximum prefix length).
*/
bool netblock_match(const struct sockaddr_storage *ss1,
const struct sockaddr_storage *ss2,
unsigned prefix);
int prefix);
/*!
* \brief Checks if the address and/or tsig key matches given ACL list.
......
......@@ -53,6 +53,8 @@ static void test_netblock_match(void)
ret = netblock_match(&ref4, NULL, 32);
ok(ret == false, "match: NULL second parameter");
ret = netblock_match(&ref4, &ref4, -1);
ok(ret == true, "match: ipv4 - identity, auto full prefix");
ret = netblock_match(&ref4, &ref4, 31);
ok(ret == true, "match: ipv4 - identity, subnet");
ret = netblock_match(&ref4, &ref4, 32);
......@@ -60,6 +62,8 @@ static void test_netblock_match(void)
ret = netblock_match(&ref4, &ref4, 33);
ok(ret == true, "match: ipv4 - identity, prefix overflow");
ret = netblock_match(&ref6, &ref6, -1);
ok(ret == true, "match: ipv6 - identity, auto full prefix");
ret = netblock_match(&ref6, &ref6, 127);
ok(ret == true, "match: ipv6 - identity, subnet");
ret = netblock_match(&ref6, &ref6, 128);
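Review bot: The two added `-1` cases compare an address with itself, which succeeds for every prefix length, so they would still pass if a negative prefix were handled as /0 and matched everything. A case that must fail pins the intended behaviour, for example `ret = netblock_match(&ref4, &OTHER4, -1);` followed by `ok(ret == false, "match: ipv4 - different address, auto full prefix");`. OTHER4 is a placeholder for an address that differs from ref4 only in its low bits, and the IPv6 block needs the same kind of case. Whether the test already has such a fixture cannot be seen from these hunks.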
......