Exemple #1
0
END_TEST

START_TEST(test_ipv6_memory_size_1)
{
    ip_set_t  set;
    size_t  expected, actual;

    ipset_init(&set);
    ipset_ipv6_add(&set, &IPV6_ADDR_1);

#if GLIB_SIZEOF_VOID_P == 4
    expected = 1548;
#elif GLIB_SIZEOF_VOID_P == 8
    expected = 3096;
#else
#   error "Unknown architecture: not 32-bit or 64-bit"
#endif
    actual = ipset_memory_size(&set);

    fail_unless(expected == actual,
                "Expected set to be %zu bytes, got %zu bytes",
                expected, actual);

    ipset_done(&set);
}
Exemple #2
0
bool
ipset_ip_add(struct ip_set *set, struct cork_ip *addr)
{
    if (addr->version == 4) {
        return ipset_ipv4_add(set, &addr->ip.v4);
    } else {
        return ipset_ipv6_add(set, &addr->ip.v6);
    }
}
Exemple #3
0
END_TEST

START_TEST(test_ipv6_equality_1)
{
    ip_set_t  set1, set2;

    ipset_init(&set1);
    ipset_ipv6_add(&set1, &IPV6_ADDR_1);

    ipset_init(&set2);
    ipset_ipv6_add(&set2, &IPV6_ADDR_1);

    fail_unless(ipset_is_equal(&set1, &set2),
                "Expected {x} == {x}");

    ipset_done(&set1);
    ipset_done(&set2);
}
Exemple #4
0
END_TEST


/*-----------------------------------------------------------------------
 * IPv6 tests
 */

START_TEST(test_ipv6_insert_01)
{
    ip_set_t  set;

    ipset_init(&set);

    fail_if(ipset_ipv6_add(&set, &IPV6_ADDR_1),
            "Element should not be present");

    fail_unless(ipset_ipv6_add(&set, &IPV6_ADDR_1),
                "Element should be present");

    ipset_done(&set);
}
Exemple #5
0
int init_acl(const char *path, int mode)
{
    acl_mode = mode;

    // initialize ipset
    ipset_init_library();
    ipset_init(&acl_ipv4_set);
    ipset_init(&acl_ipv6_set);

    FILE *f = fopen(path, "r");
    if (f == NULL) {
        LOGE("Invalid acl path.");
        return -1;
    }

    char line[256];
    while (!feof(f))
        if (fgets(line, 256, f)) {
            // Trim the newline
            int len = strlen(line);
            if (len > 0 && line[len - 1] == '\n') {
                line[len - 1] = '\0';
            }

            char host[256];
            int cidr;
            parse_addr_cidr(line, host, &cidr);

            struct cork_ip addr;
            int err = cork_ip_init(&addr, host);
            if (!err) {
                if (addr.version == 4) {
                    if (cidr >= 0) {
                        ipset_ipv4_add_network(&acl_ipv4_set, &(addr.ip.v4), cidr);
                    } else {
                        ipset_ipv4_add(&acl_ipv4_set, &(addr.ip.v4));
                    }
                } else if (addr.version == 6) {
                    if (cidr >= 0) {
                        ipset_ipv6_add_network(&acl_ipv6_set, &(addr.ip.v6), cidr);
                    } else {
                        ipset_ipv6_add(&acl_ipv6_set, &(addr.ip.v6));
                    }
                }
            }
        }

    fclose(f);

    return 0;
}
Exemple #6
0
END_TEST

START_TEST(test_ipv6_store_03)
{
    ip_set_t  set;
    ip_set_t  *read_set;

    ipset_init(&set);
    ipset_ipv6_add(&set, &IPV6_ADDR_1);
    ipset_ipv6_add(&set, &IPV6_ADDR_2);
    ipset_ipv6_add_network(&set, &IPV6_ADDR_3, 24);

    GOutputStream  *ostream =
        g_memory_output_stream_new(NULL, 0, g_realloc, g_free);
    GMemoryOutputStream  *mostream =
        G_MEMORY_OUTPUT_STREAM(ostream);

    fail_unless(ipset_save(ostream, &set, NULL),
                "Could not save set");

    GInputStream  *istream =
        g_memory_input_stream_new_from_data
        (g_memory_output_stream_get_data(mostream),
         g_memory_output_stream_get_data_size(mostream),
         NULL);

    read_set = ipset_load(istream, NULL);
    fail_if(read_set == NULL,
            "Could not read set");

    fail_unless(ipset_is_equal(&set, read_set),
                "Set not same after saving/loading");

    g_object_unref(ostream);
    g_object_unref(istream);
    ipset_done(&set);
    ipset_free(read_set);
}
Exemple #7
0
int acl_add_ip(const char *ip)
{
    struct cork_ip addr;
    int err = cork_ip_init(&addr, ip);
    if (err) {
        return -1;
    }

    if (addr.version == 4) {
        ipset_ipv4_add(&acl_ipv4_set, &(addr.ip.v4));
    } else if (addr.version == 6) {
        ipset_ipv6_add(&acl_ipv6_set, &(addr.ip.v6));
    }

    return 0;
}
Exemple #8
0
END_TEST

START_TEST(test_ipv6_insert_02)
{
    ip_set_t  set;

    ipset_init(&set);

    ipset_ip_t  ip;
    ipset_ip_from_string(&ip, "fe80::21e:c2ff:fe9f:e8e1");

    fail_if(ipset_ip_add(&set, &ip),
            "Element should not be present");

    fail_unless(ipset_ipv6_add(&set, &IPV6_ADDR_1),
                "Element should be present");

    ipset_done(&set);
}
Exemple #9
0
int
init_acl(const char *path)
{
    // initialize ipset
    ipset_init_library();

    ipset_init(&white_list_ipv4);
    ipset_init(&white_list_ipv6);
    ipset_init(&black_list_ipv4);
    ipset_init(&black_list_ipv6);
    ipset_init(&outbound_block_list_ipv4);
    ipset_init(&outbound_block_list_ipv6);

    cork_dllist_init(&black_list_rules);
    cork_dllist_init(&white_list_rules);
    cork_dllist_init(&outbound_block_list_rules);

    struct ip_set *list_ipv4  = &black_list_ipv4;
    struct ip_set *list_ipv6  = &black_list_ipv6;
    struct cork_dllist *rules = &black_list_rules;

    FILE *f = fopen(path, "r");
    if (f == NULL) {
        LOGE("Invalid acl path.");
        return -1;
    }

    char buf[257];
    while (!feof(f))
        if (fgets(buf, 256, f)) {
            // Trim the newline
            int len = strlen(buf);
            if (len > 0 && buf[len - 1] == '\n') {
                buf[len - 1] = '\0';
            }

            char *comment = strchr(buf, '#');
            if (comment) {
                *comment = '\0';
            }

            char *line = trimwhitespace(buf);
            if (strlen(line) == 0) {
                continue;
            }

            if (strcmp(line, "[outbound_block_list]") == 0) {
                list_ipv4 = &outbound_block_list_ipv4;
                list_ipv6 = &outbound_block_list_ipv6;
                rules     = &outbound_block_list_rules;
                continue;
            } else if (strcmp(line, "[black_list]") == 0
                       || strcmp(line, "[bypass_list]") == 0) {
                list_ipv4 = &black_list_ipv4;
                list_ipv6 = &black_list_ipv6;
                rules     = &black_list_rules;
                continue;
            } else if (strcmp(line, "[white_list]") == 0
                       || strcmp(line, "[proxy_list]") == 0) {
                list_ipv4 = &white_list_ipv4;
                list_ipv6 = &white_list_ipv6;
                rules     = &white_list_rules;
                continue;
            } else if (strcmp(line, "[reject_all]") == 0
                       || strcmp(line, "[bypass_all]") == 0) {
                acl_mode = WHITE_LIST;
                continue;
            } else if (strcmp(line, "[accept_all]") == 0
                       || strcmp(line, "[proxy_all]") == 0) {
                acl_mode = BLACK_LIST;
                continue;
            } else if (strcmp(line, "[remote_dns]") == 0) {
                continue;
            }

            char host[257];
            int cidr;
            parse_addr_cidr(line, host, &cidr);

            struct cork_ip addr;
            int err = cork_ip_init(&addr, host);
            if (!err) {
                if (addr.version == 4) {
                    if (cidr >= 0) {
                        ipset_ipv4_add_network(list_ipv4, &(addr.ip.v4), cidr);
                    } else {
                        ipset_ipv4_add(list_ipv4, &(addr.ip.v4));
                    }
                } else if (addr.version == 6) {
                    if (cidr >= 0) {
                        ipset_ipv6_add_network(list_ipv6, &(addr.ip.v6), cidr);
                    } else {
                        ipset_ipv6_add(list_ipv6, &(addr.ip.v6));
                    }
                }
            } else {
                rule_t *rule = new_rule();
                accept_rule_arg(rule, line);
                init_rule(rule);
                add_rule(rules, rule);
            }
        }

    fclose(f);

    return 0;
}
Exemple #10
0
int
main(int argc, char **argv)
{
    ipset_init_library();

    /*
     * Parse the command-line options.
     */

    GError  *error = NULL;
    GOptionContext  *context;

    context = g_option_context_new("INPUT FILES");
    g_option_context_add_main_entries(context, entries, NULL);

    if (!g_option_context_parse(context, &argc, &argv, &error))
    {
        fprintf(stderr, "Error parsing command-line options: %s\n",
                error->message);
        exit(1);
    }

    /*
     * Verify that the user specified at least one SiLK file to read.
     */

    if (argc <= 1)
    {
#if GLIB_MINOR_VERSION < 14
        fprintf(stderr, "ERROR: You need to specify at "
                "least one input file.\n");
#else
        fprintf(stderr, "ERROR: You need to specify at "
                "least one input file.\n\n%s",
                g_option_context_get_help(context, TRUE, NULL));
#endif
        exit(1);
    }

    /*
     * Set up logging.
     */

    g_log_set_handler("ipset", G_LOG_LEVEL_DEBUG,
                      ignore_log_message, NULL);

    /*
     * Read in the IP set files specified on the command line.
     */

    ip_set_t  set;
    ipset_init(&set);

    int  i;
    for (i = 1; i < argc; i++)
    {
        const char  *filename = argv[i];
        FILE  *stream;
        gboolean  close_stream;

        /*
         * Create a FILE object for the file.
         */

        if (strcmp(filename, "-") == 0)
        {
            fprintf(stderr, "Opening stdin...\n");
            filename = "stdin";

            stream = stdin;
            close_stream = FALSE;
        }

        else
        {
            fprintf(stderr, "Opening file %s...\n", filename);

            stream = fopen(filename, "rb");
            if (stream == NULL)
            {
                fprintf(stderr, "Cannot open file %s:\n  %s\n",
                        filename, strerror(errno));
                exit(1);
            }

            close_stream = TRUE;
        }

        /*
         * Read in one IP address per line in the file.
         */

        gsize  ip_count = 0;

#define MAX_LINELENGTH  4096

        gchar  line[MAX_LINELENGTH];

        while (fgets(line, MAX_LINELENGTH, stream) != NULL)
        {
            /*
             * Reserve enough space for an IPv6 address.
             */

            guint32  addr[4];
            int  rc;

            /*
             * Try to parse the line as an IPv4 address.  If that
             * works, add it to the set.
             */

            rc = inet_pton(AF_INET, line, addr);
            if (rc == 1)
            {
                ipset_ipv4_add(&set, addr);
                g_free(line);
                continue;
            }

            /*
             * If that didn't work, try IPv6.
             */

            rc = inet_pton(AF_INET6, line, addr);
            if (rc == 1)
            {
                ipset_ipv6_add(&set, addr);
                g_free(line);
                continue;
            }

            /*
             * Otherwise, we've got an error.
             */

            fprintf(stderr, "\"%s\" is not a valid IP address.\n", line);
            exit(1);
        }

        if (ferror(stream))
        {
            /*
             * There was an error reading from the stream.
             */

            fprintf(stderr, "Error reading from %s:\n  %s\n",
                    filename, strerror(errno));
            exit(1);
        }

        fprintf(stderr, "Read %" G_GSIZE_FORMAT " IP addresses from %s.\n",
                ip_count, filename);

        /*
         * Free the streams before opening the next file.
         */

        if (close_stream)
        {
            fclose(stream);
        }
    }

    fprintf(stderr, "Set uses %" G_GSIZE_FORMAT " bytes of memory.\n",
            ipset_memory_size(&set));

    /*
     * Serialize the IP set to the desired output file.
     */

    FILE  *ostream;
    gboolean  close_ostream;

    if ((output_filename == NULL) ||
        (strcmp(output_filename, "-") == 0))
    {
        fprintf(stderr, "Writing to stdout...\n");

        ostream = stdout;
        output_filename = "stdout";
        close_ostream = FALSE;
    }

    else
    {
        fprintf(stderr, "Writing to file %s...\n", output_filename);

        ostream = fopen(output_filename, "wb");
        if (ostream == NULL)
        {
            fprintf(stderr, "Cannot open file %s:\n  %s\n",
                    output_filename, strerror(errno));
            exit(1);
        }

        close_ostream = TRUE;
    }

    if (!ipset_save(ostream, &set, &error))
    {
        fprintf(stderr, "Error saving IP set:\n  %s\n",
                error->message);
        exit(1);
    }

    /*
     * Close the output stream for exiting.
     */

    if (close_ostream)
    {
        fclose(ostream);
    }

    return 0;
}