Example #1
0
/*
 * Return 0,  if not match.
 * Return 1,  if match black list.
 * Return -1, if match white list.
 */
int
acl_match_host(const char *host)
{
    struct cork_ip addr;
    int ret = 0;
    int err = cork_ip_init(&addr, host);

    if (err) {
        int host_len = strlen(host);
        if (lookup_rule(&black_list_rules, host, host_len) != NULL)
            ret = 1;
        else if (lookup_rule(&white_list_rules, host, host_len) != NULL)
            ret = -1;
        return ret;
    }

    if (addr.version == 4) {
        if (ipset_contains_ipv4(&black_list_ipv4, &(addr.ip.v4)))
            ret = 1;
        else if (ipset_contains_ipv4(&white_list_ipv4, &(addr.ip.v4)))
            ret = -1;
    } else if (addr.version == 6) {
        if (ipset_contains_ipv6(&black_list_ipv6, &(addr.ip.v6)))
            ret = 1;
        else if (ipset_contains_ipv6(&white_list_ipv6, &(addr.ip.v6)))
            ret = -1;
    }

    return ret;
}
Example #2
0
RULE * bindrule( OBJECT * rulename, module_t * m )
{
    RULE * result = lookup_rule( rulename, m, 0 );
    if ( !result )
        result = lookup_rule( rulename, root_module(), 0 );
    /* We have only one caller, 'evaluate_rule', which will complain about
     * calling an undefined rule. We could issue the error here, but we do not
     * have the necessary information, such as frame.
     */
    if ( !result )
        result = enter_rule( rulename, m );
    return result;
}
Example #3
0
RULE * lookup_rule( OBJECT * rulename, module_t * m, int local_only )
{
    RULE       rule;
    RULE     * r = &rule;
    RULE     * result = 0;
    module_t * original_module = m;

    r->name = rulename;

    if ( m->class_module )
        m = m->class_module;

    if ( m->rules && hashcheck( m->rules, (HASHDATA * *)&r ) )
        result = r;
    else if ( !local_only && m->imported_modules )
    {
        /* Try splitting the name into module and rule. */
        char *p = strchr( object_str( r->name ), '.' ) ;
        if ( p )
        {
            string buf[1];
            OBJECT * module_part;
            OBJECT * rule_part;
            string_new( buf );
            string_append_range( buf, object_str( r->name ), p );
            module_part = object_new( buf->value );
            rule_part = object_new( p + 1 );
            r->name = module_part;
            /* Now, r->name keeps the module name, and p+1 keeps the rule name.
             */
            if ( hashcheck( m->imported_modules, (HASHDATA * *)&r ) )
                result = lookup_rule( rule_part, bindmodule( module_part ), 1 );
            object_free( rule_part );
            object_free( module_part );
            string_free( buf );
        }
    }

    if ( result )
    {
        if ( local_only && !result->exported )
            result = 0;
        else
        {
            /* Lookup started in class module. We have found a rule in class
             * module, which is marked for execution in that module, or in some
             * instances. Mark it for execution in the instance where we started
             * the lookup.
             */
            int execute_in_class = ( result->module == m );
            int execute_in_some_instance = ( result->module->class_module &&
                ( result->module->class_module == m ) );
            if ( ( original_module != m ) &&
                ( execute_in_class || execute_in_some_instance ) )
                result->module = original_module;
        }
    }

    return result;
}
Example #4
0
/* Looks for a rule in the specified module, and returns it, if found.
   First checks if the rule is present in the module's rule table.
   Second, if name of the rule is in the form name1.name2 and name1 is in 
   the list of imported modules, look in module 'name1' for rule 'name2'.
*/
RULE *lookup_rule( char *rulename, module_t *m, int local_only )
{
    RULE rule, *r = &rule, *result = 0;
    module_t* original_module = m;
    r->name = rulename;

    if (m->class_module)
        m = m->class_module;

    if (m->rules && hashcheck( m->rules, (HASHDATA **)&r ) )
        result = r;
    else if (!local_only && m->imported_modules) {
        /* Try splitting the name into module and rule. */
        char *p = strchr(r->name, '.') ;
        if (p) {
            *p = '\0';
            /* Now, r->name keeps the module name, and p+1 keeps the rule name. */
            if (hashcheck( m->imported_modules, (HASHDATA **)&r))
            {
                result = lookup_rule(p+1, bindmodule(rulename), 1);
            }
            *p = '.';
        }        
    }

    if (result)
    {
        if (local_only && !result->exported)
            result = 0;
        else
        {
            /* Lookup started in class module. We've found a rule in class module,
               which is marked for execution in that module, or in some instances.
               Mark it for execution in the instance where we've started lookup.
            */
            int execute_in_class = (result->module == m);
            int execute_in_some_instance = 
            (result->module->class_module && result->module->class_module == m);
            if (original_module != m && (execute_in_class || execute_in_some_instance))
                result->module = original_module;            
        }
    }

    return result;
        
}
Example #5
0
int new_rule(RULE_LIST* rules, char* identifier, NAMESPACE* ns, int flags, TAG* tag_list_head, META* meta_list_head, STRING* string_list_head, TERM* precondition, TERM* condition)
{
    RULE* new_rule;
    RULE_LIST_ENTRY* entry;

    unsigned int key;
    int result = ERROR_SUCCESS;

    if (lookup_rule(rules, identifier, ns) == NULL)  /* do not allow rules with the same identifier */
    {
        new_rule = (RULE*) yr_malloc(sizeof(RULE));
    
        if (new_rule != NULL)
        {
            new_rule->identifier = identifier;
			new_rule->ns = ns;
            new_rule->flags = flags;
			new_rule->tag_list_head = tag_list_head;
            new_rule->meta_list_head = meta_list_head;
            new_rule->string_list_head = string_list_head;
            new_rule->precondition = precondition;
            new_rule->condition = condition;
            new_rule->next = NULL;
            
            if (rules->head == NULL && rules->tail == NULL)  /* list is empty */
            {
                rules->head = new_rule;
                rules->tail = new_rule;
            }
            else
            {
                rules->tail->next = new_rule;
                rules->tail = new_rule;
            }			
            
            key = hash(0, identifier, strlen(identifier));
            key = hash(key, ns->name, strlen(ns->name));
            key = key % RULE_LIST_HASH_TABLE_SIZE;
            
            if (rules->hash_table[key].rule == NULL)
            {
                rules->hash_table[key].rule = new_rule;
            }
            else
            {
                entry = (RULE_LIST_ENTRY*) yr_malloc(sizeof(RULE_LIST_ENTRY));
                
                if (entry == NULL)
                    return ERROR_INSUFICIENT_MEMORY;

                entry->rule = new_rule;
                entry->next = rules->hash_table[key].next;
                rules->hash_table[key].next = entry;
            }
        }
        else
        {
            result = ERROR_INSUFICIENT_MEMORY;
        }
    }
    else
    {
        result = ERROR_DUPLICATE_RULE_IDENTIFIER;
    }

    return result;
}