static char
decodeaddrtype(
sockaddr_u *sock
)
{
char ch = '-';
u_int32 dummy;
switch(AF(sock)) {
case AF_INET:
dummy = SRCADR(sock);
ch = (char)(((dummy&0xf0000000)==0xe0000000) ? 'm' :
((dummy&0x000000ff)==0x000000ff) ? 'b' :
((dummy&0xffffffff)==0x7f000001) ? 'l' :
((dummy&0xffffffe0)==0x00000000) ? '-' :
'u');
break;
case AF_INET6:
if (IN6_IS_ADDR_MULTICAST(PSOCK_ADDR6(sock)))
ch = 'm';
else
ch = 'u';
break;
default:
ch = '-';
break;
}
return ch;
}
/*
* Calculate the reference id from the address. If it is an IPv4
* address, use it as is. If it is an IPv6 address, do a md5 on
* it and use the bottom 4 bytes.
* The result is in network byte order.
*/
u_int32
addr2refid(sockaddr_u *addr)
{
u_char digest[20];
u_int32 addr_refid;
EVP_MD_CTX ctx;
u_int len;
if (IS_IPV4(addr))
return (NSRCADR(addr));
INIT_SSL();
#if defined(OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x0090700fL
EVP_MD_CTX_init(&ctx);
#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
/* MD5 is not used as a crypto hash here. */
EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
#endif
if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)) {
msyslog(LOG_ERR,
"MD5 init failed");
exit(1);
}
#else
EVP_DigestInit(&ctx, EVP_md5());
#endif
EVP_DigestUpdate(&ctx, (u_char *)PSOCK_ADDR6(addr),
sizeof(struct in6_addr));
EVP_DigestFinal(&ctx, digest, &len);
memcpy(&addr_refid, digest, sizeof(addr_refid));
return (addr_refid);
}
char *
socktoa(
const sockaddr_u *sock
)
{
register char *buffer;
LIB_GETBUF(buffer);
if (NULL == sock)
strncpy(buffer, "(null)", LIB_BUFLENGTH);
else {
switch(AF(sock)) {
case AF_INET:
case AF_UNSPEC:
inet_ntop(AF_INET, PSOCK_ADDR4(sock), buffer,
LIB_BUFLENGTH);
break;
case AF_INET6:
inet_ntop(AF_INET6, PSOCK_ADDR6(sock), buffer,
LIB_BUFLENGTH);
break;
default:
snprintf(buffer, LIB_BUFLENGTH,
"(socktoa unknown family %d)",
AF(sock));
}
}
return buffer;
}
/*
* restrictions - return restrictions for this host
*/
u_short
restrictions(
sockaddr_u *srcadr
)
{
restrict_u *match;
struct in6_addr *pin6;
u_short flags;
res_calls++;
flags = 0;
/* IPv4 source address */
if (IS_IPV4(srcadr)) {
/*
* Ignore any packets with a multicast source address
* (this should be done early in the receive process,
* not later!)
*/
if (IN_CLASSD(SRCADR(srcadr)))
return (int)RES_IGNORE;
match = match_restrict4_addr(SRCADR(srcadr),
SRCPORT(srcadr));
match->count++;
/*
* res_not_found counts only use of the final default
* entry, not any "restrict default ntpport ...", which
* would be just before the final default.
*/
if (&restrict_def4 == match)
res_not_found++;
else
res_found++;
flags = match->flags;
}
/* IPv6 source address */
if (IS_IPV6(srcadr)) {
pin6 = PSOCK_ADDR6(srcadr);
/*
* Ignore any packets with a multicast source address
* (this should be done early in the receive process,
* not later!)
*/
if (IN6_IS_ADDR_MULTICAST(pin6))
return (int)RES_IGNORE;
match = match_restrict6_addr(pin6, SRCPORT(srcadr));
match->count++;
if (&restrict_def6 == match)
res_not_found++;
else
res_found++;
flags = match->flags;
}
return (flags);
}
/*
* socktoa - return a numeric host name from a sockaddr_storage structure
*/
const char *
socktoa(
const sockaddr_u *sock
)
{
int saved_errno;
char * res;
char * addr;
u_long scope;
saved_errno = errno;
LIB_GETBUF(res);
if (NULL == sock) {
strlcpy(res, "(null)", LIB_BUFLENGTH);
} else {
switch(AF(sock)) {
case AF_INET:
case AF_UNSPEC:
inet_ntop(AF_INET, PSOCK_ADDR4(sock), res,
LIB_BUFLENGTH);
break;
case AF_INET6:
inet_ntop(AF_INET6, PSOCK_ADDR6(sock), res,
LIB_BUFLENGTH);
scope = SCOPE_VAR(sock);
if (0 != scope && !strchr(res, '%')) {
addr = res;
LIB_GETBUF(res);
snprintf(res, LIB_BUFLENGTH, "%s%%%lu",
addr, scope);
res[LIB_BUFLENGTH - 1] = '\0';
}
break;
default:
snprintf(res, LIB_BUFLENGTH,
"(socktoa unknown family %d)",
AF(sock));
}
}
errno = saved_errno;
return res;
}
/*
* Calculate the reference id from the address. If it is an IPv4
* address, use it as is. If it is an IPv6 address, do a md5 on
* it and use the bottom 4 bytes.
* The result is in network byte order.
*/
u_int32
addr2refid(sockaddr_u *addr)
{
u_char digest[20];
u_int32 addr_refid;
EVP_MD_CTX ctx;
u_int len;
if (IS_IPV4(addr))
return (NSRCADR(addr));
INIT_SSL();
EVP_DigestInit(&ctx, EVP_get_digestbynid(NID_md5));
EVP_DigestUpdate(&ctx, (u_char *)PSOCK_ADDR6(addr),
sizeof(struct in6_addr));
EVP_DigestFinal(&ctx, digest, &len);
memcpy(&addr_refid, digest, 4);
return (addr_refid);
}
/*
* hack_restrict - add/subtract/manipulate entries on the restrict list
*/
void
hack_restrict(
int op,
sockaddr_u * resaddr,
sockaddr_u * resmask,
u_short mflags,
u_short flags,
u_long expire
)
{
int v6;
restrict_u match;
restrict_u * res;
restrict_u ** plisthead;
DPRINTF(1, ("restrict: op %d addr %s mask %s mflags %08x flags %08x\n",
op, stoa(resaddr), stoa(resmask), mflags, flags));
if (NULL == resaddr) {
REQUIRE(NULL == resmask);
REQUIRE(RESTRICT_FLAGS == op);
restrict_source_flags = flags;
restrict_source_mflags = mflags;
restrict_source_enabled = 1;
return;
}
ZERO(match);
#if 0
/* silence VC9 potentially uninit warnings */
// HMS: let's use a compiler-specific "enable" for this.
res = NULL;
v6 = 0;
#endif
if (IS_IPV4(resaddr)) {
v6 = 0;
/*
* Get address and mask in host byte order for easy
* comparison as u_int32
*/
match.u.v4.addr = SRCADR(resaddr);
match.u.v4.mask = SRCADR(resmask);
match.u.v4.addr &= match.u.v4.mask;
} else if (IS_IPV6(resaddr)) {
v6 = 1;
/*
* Get address and mask in network byte order for easy
* comparison as byte sequences (e.g. memcmp())
*/
match.u.v6.mask = SOCK_ADDR6(resmask);
MASK_IPV6_ADDR(&match.u.v6.addr, PSOCK_ADDR6(resaddr),
&match.u.v6.mask);
} else /* not IPv4 nor IPv6 */
REQUIRE(0);
match.flags = flags;
match.mflags = mflags;
match.expire = expire;
res = match_restrict_entry(&match, v6);
switch (op) {
case RESTRICT_FLAGS:
/*
* Here we add bits to the flags. If this is a
* new restriction add it.
*/
if (NULL == res) {
if (v6) {
res = alloc_res6();
memcpy(res, &match,
V6_SIZEOF_RESTRICT_U);
plisthead = &restrictlist6;
} else {
res = alloc_res4();
memcpy(res, &match,
V4_SIZEOF_RESTRICT_U);
plisthead = &restrictlist4;
}
LINK_SORT_SLIST(
*plisthead, res,
(v6)
? res_sorts_before6(res, L_S_S_CUR())
: res_sorts_before4(res, L_S_S_CUR()),
link, restrict_u);
restrictcount++;
if (RES_LIMITED & flags)
inc_res_limited();
} else {
if ((RES_LIMITED & flags) &&
!(RES_LIMITED & res->flags))
inc_res_limited();
res->flags |= flags;
}
break;
case RESTRICT_UNFLAG:
/*
* Remove some bits from the flags. If we didn't
* find this one, just return.
*/
if (res != NULL) {
if ((RES_LIMITED & res->flags)
&& (RES_LIMITED & flags))
dec_res_limited();
res->flags &= ~flags;
}
break;
case RESTRICT_REMOVE:
case RESTRICT_REMOVEIF:
/*
* Remove an entry from the table entirely if we
* found one. Don't remove the default entry and
* don't remove an interface entry.
*/
if (res != NULL
&& (RESTRICT_REMOVEIF == op
|| !(RESM_INTERFACE & res->mflags))
&& res != &restrict_def4
&& res != &restrict_def6)
free_res(res, v6);
break;
default: /* unknown op */
INSIST(0);
break;
}
}
/*
* restrictions - return restrictions for this host in *r4a
*/
void
restrictions(
sockaddr_u *srcadr,
r4addr *r4a
)
{
restrict_u *match;
struct in6_addr *pin6;
REQUIRE(NULL != r4a);
res_calls++;
r4a->rflags = RES_IGNORE;
r4a->ippeerlimit = 0;
DPRINTF(1, ("restrictions: looking up %s\n", stoa(srcadr)));
/* IPv4 source address */
if (IS_IPV4(srcadr)) {
/*
* Ignore any packets with a multicast source address
* (this should be done early in the receive process,
* not later!)
*/
if (IN_CLASSD(SRCADR(srcadr))) {
DPRINTF(1, ("restrictions: srcadr %s is multicast\n", stoa(srcadr)));
r4a->ippeerlimit = 2; /* XXX: we should use a better value */
return;
}
match = match_restrict4_addr(SRCADR(srcadr),
SRCPORT(srcadr));
INSIST(match != NULL);
match->count++;
/*
* res_not_found counts only use of the final default
* entry, not any "restrict default ntpport ...", which
* would be just before the final default.
*/
if (&restrict_def4 == match)
res_not_found++;
else
res_found++;
r4a->rflags = match->rflags;
r4a->ippeerlimit = match->ippeerlimit;
}
/* IPv6 source address */
if (IS_IPV6(srcadr)) {
pin6 = PSOCK_ADDR6(srcadr);
/*
* Ignore any packets with a multicast source address
* (this should be done early in the receive process,
* not later!)
*/
if (IN6_IS_ADDR_MULTICAST(pin6))
return;
match = match_restrict6_addr(pin6, SRCPORT(srcadr));
INSIST(match != NULL);
match->count++;
if (&restrict_def6 == match)
res_not_found++;
else
res_found++;
r4a->rflags = match->rflags;
r4a->ippeerlimit = match->ippeerlimit;
}
return;
}
