cg_tag_line_parser() : mTagStart(CG_DEFAULT_TAG_START),
mTagEnd(CG_DEFAULT_TAG_END),
mAttributeDelimiter(CG_DEFAULT_ATTRIBUTE_DELIMITER),
mKeyValueSeperator(CG_DEFAULT_KEY_VALUE_SEPERATOR),
mState(CG_TAG_LINE_PARSE_STATE_DECODING_TAG_NAME),
mIsEqual('='),
mIsMinus('-'),
mIsPlus('+'),
mIsSlash('/') {
// Special attribute test list to account for the fact that our embedded base64
// is not withing double quote
mTestAttributeValue.push_back(&mIsInUppercaseRange);
mTestAttributeValue.push_back(&mIsInLowercaseRange);
mTestAttributeValue.push_back(&mIsInDecimalRange);
mTestAttributeValue.push_back(&mIsEqual);
mTestAttributeValue.push_back(&mIsSlash);
mTestAttributeValue.push_back(&mIsPlus);
// HLS TAG Name is alphanumeric values + '-' (Also inclusing lower case eventhough I shouldn't)
mTestTagName.push_back(&mIsInUppercaseRange);
mTestTagName.push_back(&mIsInLowercaseRange);
mTestTagName.push_back(&mIsInDecimalRange);
mTestTagName.push_back(&mIsMinus);
//
create_rule("tag", mIsTagNameRule, &mTestTagName, false, lr_or);
create_rule("attributevalue", mIsAttributeValueRule, &mTestAttributeValue, false, lr_or);
}
widget_move::widget_move(QWidget *parent)
: widget_src_dst(parent),
__creator(0)
{
connect(__add_action, SIGNAL(triggered()), this, SLOT(create_rule()));
connect(__edit_action, SIGNAL(triggered()), this, SLOT(edit_rule()));
connect(__remove_action, SIGNAL(triggered()), this, SLOT(remove_rule()));
}
static void
ipt_rule(const fko_srv_options_t * const opts,
const char * const complete_rule_buf,
const char * const fw_rule_macro,
const char * const srcip, const char * const dstip,
const unsigned int proto, const unsigned int port,
struct fw_chain * const chain,
const unsigned int exp_ts, const time_t now,
const char * const msg, const char * const access_msg)
{
char rule_buf[CMD_BUFSIZE] = {0};
if(complete_rule_buf != NULL && complete_rule_buf[0] != 0x0)
{
strlcpy(rule_buf, complete_rule_buf, CMD_BUFSIZE-1);
}
else
{
memset(rule_buf, 0, CMD_BUFSIZE);
snprintf(rule_buf, CMD_BUFSIZE-1, fw_rule_macro,
chain->table,
proto,
srcip,
dstip,
port,
exp_ts,
chain->target
);
}
/* Check to make sure that the chain and jump rule exists
*/
mk_chain(opts, chain->type);
if(rule_exists(opts, chain, rule_buf,
proto, srcip, dstip, port, exp_ts) == 0)
{
if(create_rule(opts, chain->to_chain, rule_buf))
{
log_msg(LOG_INFO, "Added %s rule to %s for %s -> %s %s, expires at %u",
msg, chain->to_chain, srcip, (dstip == NULL) ? IPT_ANY_IP : dstip,
access_msg, exp_ts
);
chain->active_rules++;
/* Reset the next expected expire time for this chain if it
* is warranted.
*/
if(chain->next_expire < now || exp_ts < chain->next_expire)
chain->next_expire = exp_ts;
}
}
return;
}
static void parse_request(char* req, int len) {
char *start, *end;
char *interceptor_name = NULL, proto_s[4] = { 0 }, addr_s[16] = { 0 },
port_s[6] = { 0 }, ruleid_s[20] = {0};
uint8_t ipproto = 0, filter_by = 0;
uint32_t ruleid;
__be32 daddr = 0, saddr = 0;
__be16 dport = 0, sport = 0;
filter_specs* sp;
switch (req[0]) {
case 'R':
for (start = end = req + 2; *end != ':' && *end != '\0'; end++)
;
if (start == end) {
printk("Unable to parse interceptor name for proc registry.\n");
return;
}
interceptor_name = kmalloc(end - start + 1, GFP_ATOMIC);
if (!interceptor_name) {
printk(
"%s in %s:%d: kmalloc failed. Unnable to create name for interceptor.\n",
__FILE__, __FUNCTION__, __LINE__);
return;
}
memset(interceptor_name, 0, end - start + 1);
memcpy(interceptor_name, start, end - start);
//protocol
for (start = end = end + 1; *end != ':' && *end != '\0'; end++)
;
if (start != end) {
memcpy(proto_s, start, end - start);
ipproto = simple_strtol(proto_s, NULL, 10);
filter_by |= FILTER_BY_L4_PROTO;
}
//destination address
for (start = end = end + 1; *end != ':' && *end != '\0'; end++)
;
if (start != end) {
memcpy(addr_s, start, end - start);
daddr = simple_strtol(addr_s, NULL, 10);
memset(addr_s, 0, 16);
filter_by |= FILTER_BY_DST_ADDR;
}
//source address
for (start = end = end + 1; *end != ':' && *end != '\0'; end++)
;
if (start != end) {
memcpy(addr_s, start, end - start);
saddr = simple_strtol(addr_s, NULL, 10);
filter_by |= FILTER_BY_SRC_ADDR;
}
//destination port
for (start = end = end + 1; *end != ':' && *end != '\0'; end++)
;
if (start != end) {
memcpy(port_s, start, end - start);
dport = simple_strtol(port_s, NULL, 10);
memset(port_s, 0, 7);
filter_by |= FILTER_BY_DST_PORT;
}
//source port
for (start = end = end + 1; *end != ':' && *end != '\0'; end++)
;
if (start != end) {
memcpy(port_s, start, end - start);
sport = simple_strtol(port_s, NULL, 10);
filter_by |= FILTER_BY_SRC_PORT;
}
sp = create_filter_specs(filter_by, daddr, saddr, dport, sport, ipproto);
if (!create_rule(interceptor_name, sp))
printk("Proc registry could not create rule. Create rule failed.\n");
break;
case 'U':
for (start = end = req + 2; *end != ':' && *end != '\0'; end++)
;
if(start == end){
printk("Proc registry could not get rule id.\n");
break;
}
memcpy(ruleid_s, start, end - start);
ruleid = simple_strtol(ruleid_s, NULL, 10);
remove_rule(ruleid);
break;
default:
printk("Unknown request to proc registry.\n");
}
return;
}
/* Rule Processing - Create an access request...
*/
int
process_spa_request(const fko_srv_options_t * const opts,
const acc_stanza_t * const acc, spa_data_t * const spadat)
{
char nat_ip[MAX_IPV4_STR_LEN] = {0};
char snat_target[SNAT_TARGET_BUFSIZE] = {0};
char rule_buf[CMD_BUFSIZE] = {0};
char *ndx;
unsigned int nat_port = 0;
acc_port_list_t *port_list = NULL;
acc_port_list_t *ple = NULL;
unsigned int fst_proto;
unsigned int fst_port;
struct fw_chain * const in_chain = &(opts->fw_config->chain[IPT_INPUT_ACCESS]);
struct fw_chain * const out_chain = &(opts->fw_config->chain[IPT_OUTPUT_ACCESS]);
struct fw_chain * const fwd_chain = &(opts->fw_config->chain[IPT_FORWARD_ACCESS]);
struct fw_chain * const dnat_chain = &(opts->fw_config->chain[IPT_DNAT_ACCESS]);
struct fw_chain *snat_chain; /* We assign this later (if we need to). */
int res = 0, is_err, snat_chain_num = 0;
time_t now;
unsigned int exp_ts;
/* Parse and expand our access message.
*/
if(expand_acc_port_list(&port_list, spadat->spa_message_remain) != 1)
{
/* technically we would already have exited with an error if there were
* any memory allocation errors (see the add_port_list() function), but
* for completeness...
*/
free_acc_port_list(port_list);
return res;
}
/* Start at the top of the proto-port list...
*/
ple = port_list;
/* Remember the first proto/port combo in case we need them
* for NAT access requests.
*/
fst_proto = ple->proto;
fst_port = ple->port;
/* Set our expire time value.
*/
time(&now);
exp_ts = now + spadat->fw_access_timeout;
/* For straight access requests, we currently support multiple proto/port
* request.
*/
if((spadat->message_type == FKO_ACCESS_MSG
|| spadat->message_type == FKO_CLIENT_TIMEOUT_ACCESS_MSG) && !acc->force_nat)
{
/* Check to make sure that the jump rules exist for each
* required chain
*/
if(chain_exists(opts, IPT_INPUT_ACCESS) == 0)
create_chain(opts, IPT_INPUT_ACCESS);
if(jump_rule_exists(opts, IPT_INPUT_ACCESS) == 0)
add_jump_rule(opts, IPT_INPUT_ACCESS);
if(strlen(out_chain->to_chain))
{
if(chain_exists(opts, IPT_OUTPUT_ACCESS) == 0)
create_chain(opts, IPT_OUTPUT_ACCESS);
if(jump_rule_exists(opts, IPT_OUTPUT_ACCESS) == 0)
add_jump_rule(opts, IPT_OUTPUT_ACCESS);
}
/* Create an access command for each proto/port for the source ip.
*/
while(ple != NULL)
{
memset(rule_buf, 0, CMD_BUFSIZE);
snprintf(rule_buf, CMD_BUFSIZE-1, IPT_RULE_ARGS,
in_chain->table,
ple->proto,
spadat->use_src_ip,
ple->port,
exp_ts,
in_chain->target
);
if(rule_exists(opts, in_chain, rule_buf,
ple->proto, spadat->use_src_ip, ple->port, exp_ts) == 0)
{
if(create_rule(opts, in_chain->to_chain, rule_buf))
{
log_msg(LOG_INFO, "Added Rule to %s for %s, %s expires at %u",
in_chain->to_chain, spadat->use_src_ip,
spadat->spa_message_remain, exp_ts
);
in_chain->active_rules++;
/* Reset the next expected expire time for this chain if it
* is warranted.
*/
if(in_chain->next_expire < now || exp_ts < in_chain->next_expire)
in_chain->next_expire = exp_ts;
}
}
/* If we have to make an corresponding OUTPUT rule if out_chain target
* is not NULL.
*/
if(strlen(out_chain->to_chain))
{
memset(rule_buf, 0, CMD_BUFSIZE);
snprintf(rule_buf, CMD_BUFSIZE-1, IPT_OUT_RULE_ARGS,
out_chain->table,
ple->proto,
spadat->use_src_ip,
ple->port,
exp_ts,
out_chain->target
);
if(rule_exists(opts, out_chain, rule_buf,
ple->proto, spadat->use_src_ip, ple->port, exp_ts) == 0)
{
if(create_rule(opts, out_chain->to_chain, rule_buf))
{
log_msg(LOG_INFO, "Added Rule in %s for %s, %s expires at %u",
out_chain->to_chain, spadat->use_src_ip,
spadat->spa_message_remain, exp_ts
);
out_chain->active_rules++;
/* Reset the next expected expire time for this chain if it
* is warranted. */
if(out_chain->next_expire < now || exp_ts < out_chain->next_expire)
out_chain->next_expire = exp_ts;
}
}
}
ple = ple->next;
}
}
/* NAT requests... */
else if(spadat->message_type == FKO_LOCAL_NAT_ACCESS_MSG
|| spadat->message_type == FKO_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MSG
|| spadat->message_type == FKO_NAT_ACCESS_MSG
|| spadat->message_type == FKO_CLIENT_TIMEOUT_NAT_ACCESS_MSG
|| acc->force_nat)
{
/* Parse out the NAT IP and Port components.
*/
if(acc->force_nat)
{
strlcpy(nat_ip, acc->force_nat_ip, sizeof(nat_ip));
nat_port = acc->force_nat_port;
}
else
{
ndx = strchr(spadat->nat_access, ',');
if(ndx != NULL)
{
strlcpy(nat_ip, spadat->nat_access, (ndx-spadat->nat_access)+1);
if (! is_valid_ipv4_addr(nat_ip))
{
log_msg(LOG_INFO, "Invalid NAT IP in SPA message");
free_acc_port_list(port_list);
return res;
}
nat_port = strtol_wrapper(ndx+1, 0, MAX_PORT, NO_EXIT_UPON_ERR, &is_err);
if(is_err != FKO_SUCCESS)
{
log_msg(LOG_INFO, "Invalid NAT port in SPA message");
free_acc_port_list(port_list);
res = is_err;
return res;
}
}
}
if(spadat->message_type == FKO_LOCAL_NAT_ACCESS_MSG)
{
memset(rule_buf, 0, CMD_BUFSIZE);
snprintf(rule_buf, CMD_BUFSIZE-1, IPT_RULE_ARGS,
in_chain->table,
fst_proto,
spadat->use_src_ip,
nat_port,
exp_ts,
in_chain->target
);
/* Check to make sure that the jump rules exist for each
* required chain
*/
if(chain_exists(opts, IPT_INPUT_ACCESS) == 0)
create_chain(opts, IPT_INPUT_ACCESS);
if(jump_rule_exists(opts, IPT_INPUT_ACCESS) == 0)
add_jump_rule(opts, IPT_INPUT_ACCESS);
if(rule_exists(opts, in_chain, rule_buf,
fst_proto, spadat->use_src_ip, nat_port, exp_ts) == 0)
{
if(create_rule(opts, in_chain->to_chain, rule_buf))
{
log_msg(LOG_INFO, "Added Rule to %s for %s, %s expires at %u",
in_chain->to_chain, spadat->use_src_ip,
spadat->spa_message_remain, exp_ts
);
in_chain->active_rules++;
/* Reset the next expected expire time for this chain if it
* is warranted.
*/
if(in_chain->next_expire < now || exp_ts < in_chain->next_expire)
in_chain->next_expire = exp_ts;
}
}
}
else if(strlen(fwd_chain->to_chain))
{
/* Make our FORWARD and NAT rules, and make sure the
* required chain and jump rule exists
*/
if(chain_exists(opts, IPT_FORWARD_ACCESS) == 0)
create_chain(opts, IPT_FORWARD_ACCESS);
if (jump_rule_exists(opts, IPT_FORWARD_ACCESS) == 0)
add_jump_rule(opts, IPT_FORWARD_ACCESS);
memset(rule_buf, 0, CMD_BUFSIZE);
snprintf(rule_buf, CMD_BUFSIZE-1, IPT_FWD_RULE_ARGS,
fwd_chain->table,
fst_proto,
spadat->use_src_ip,
nat_ip,
nat_port,
exp_ts,
fwd_chain->target
);
if(rule_exists(opts, fwd_chain, rule_buf, fst_proto,
spadat->use_src_ip, nat_port, exp_ts) == 0)
{
if(create_rule(opts, fwd_chain->to_chain, rule_buf))
{
log_msg(LOG_INFO, "Added FORWARD Rule to %s for %s, %s expires at %u",
fwd_chain->to_chain, spadat->use_src_ip,
spadat->spa_message_remain, exp_ts
);
fwd_chain->active_rules++;
/* Reset the next expected expire time for this chain if it
* is warranted.
*/
if(fwd_chain->next_expire < now || exp_ts < fwd_chain->next_expire)
fwd_chain->next_expire = exp_ts;
}
}
}
if(strlen(dnat_chain->to_chain))
{
/* Make sure the required chain and jump rule exist
*/
if(chain_exists(opts, IPT_DNAT_ACCESS) == 0)
create_chain(opts, IPT_DNAT_ACCESS);
if (jump_rule_exists(opts, IPT_DNAT_ACCESS) == 0)
add_jump_rule(opts, IPT_DNAT_ACCESS);
memset(rule_buf, 0, CMD_BUFSIZE);
snprintf(rule_buf, CMD_BUFSIZE-1, IPT_DNAT_RULE_ARGS,
dnat_chain->table,
fst_proto,
spadat->use_src_ip,
fst_port,
exp_ts,
dnat_chain->target,
nat_ip,
nat_port
);
if(rule_exists(opts, dnat_chain, rule_buf, fst_proto,
spadat->use_src_ip, fst_port, exp_ts) == 0)
{
if(create_rule(opts, dnat_chain->to_chain, rule_buf))
{
log_msg(LOG_INFO, "Added DNAT Rule to %s for %s, %s expires at %u",
dnat_chain->to_chain, spadat->use_src_ip,
spadat->spa_message_remain, exp_ts
);
dnat_chain->active_rules++;
/* Reset the next expected expire time for this chain if it
* is warranted.
*/
if(dnat_chain->next_expire < now || exp_ts < dnat_chain->next_expire)
dnat_chain->next_expire = exp_ts;
}
}
}
/* If SNAT (or MASQUERADE) is wanted, then we add those rules here as well.
*/
if(acc->force_snat || strncasecmp(opts->config[CONF_ENABLE_IPT_SNAT], "Y", 1) == 0)
{
/* Add SNAT or MASQUERADE rules.
*/
if(acc->force_snat && is_valid_ipv4_addr(acc->force_snat_ip))
{
/* Using static SNAT */
snat_chain = &(opts->fw_config->chain[IPT_SNAT_ACCESS]);
snprintf(snat_target, SNAT_TARGET_BUFSIZE-1,
"--to-source %s:%i", acc->force_snat_ip, fst_port);
snat_chain_num = IPT_SNAT_ACCESS;
}
else if(acc->force_snat && acc->force_masquerade)
{
/* Using MASQUERADE */
snat_chain = &(opts->fw_config->chain[IPT_MASQUERADE_ACCESS]);
snprintf(snat_target, SNAT_TARGET_BUFSIZE-1,
"--to-ports %i", fst_port);
snat_chain_num = IPT_MASQUERADE_ACCESS;
}
else if((opts->config[CONF_SNAT_TRANSLATE_IP] != NULL)
&& is_valid_ipv4_addr(opts->config[CONF_SNAT_TRANSLATE_IP]))
{
/* Using static SNAT */
snat_chain = &(opts->fw_config->chain[IPT_SNAT_ACCESS]);
snprintf(snat_target, SNAT_TARGET_BUFSIZE-1,
"--to-source %s:%i", opts->config[CONF_SNAT_TRANSLATE_IP],
fst_port);
snat_chain_num = IPT_SNAT_ACCESS;
}
else
{
/* Using MASQUERADE */
snat_chain = &(opts->fw_config->chain[IPT_MASQUERADE_ACCESS]);
snprintf(snat_target, SNAT_TARGET_BUFSIZE-1,
"--to-ports %i", fst_port);
snat_chain_num = IPT_MASQUERADE_ACCESS;
}
if(chain_exists(opts, snat_chain_num) == 0)
create_chain(opts, snat_chain_num);
if(jump_rule_exists(opts, snat_chain_num) == 0)
add_jump_rule(opts, snat_chain_num);
memset(rule_buf, 0, CMD_BUFSIZE);
snprintf(rule_buf, CMD_BUFSIZE-1, IPT_SNAT_RULE_ARGS,
snat_chain->table,
fst_proto,
nat_ip,
nat_port,
exp_ts,
snat_chain->target,
snat_target
);
if(rule_exists(opts, snat_chain, rule_buf, fst_proto,
spadat->use_src_ip, nat_port, exp_ts) == 0)
{
if(create_rule(opts, snat_chain->to_chain, rule_buf))
{
log_msg(LOG_INFO, "Added SNAT Rule to %s for %s, %s expires at %u",
snat_chain->to_chain, spadat->use_src_ip,
spadat->spa_message_remain, exp_ts
);
snat_chain->active_rules++;
/* Reset the next expected expire time for this chain if it
* is warranted.
*/
if(snat_chain->next_expire < now || exp_ts < snat_chain->next_expire)
snat_chain->next_expire = exp_ts;
}
}
}
}
/* Done with the port list for access rules.
*/
free_acc_port_list(port_list);
return(res);
}
