X-Git-Url: http://git.tuebingen.mpg.de/?p=paraslash.git;a=blobdiff_plain;f=acl.c;h=a3e161db3278c3db1e7b82d1836cbaa16e8897ec;hp=3a30bd453306cfc65c0dc0605af9e9015b88f1d6;hb=926c584394c29354752458b06f7226f0da0dd35e;hpb=0f6df2322c12b1cc20dea08bb6c397465d4f5b46 diff --git a/acl.c b/acl.c index 3a30bd45..a3e161db 100644 --- a/acl.c +++ b/acl.c @@ -24,7 +24,6 @@ struct access_info { struct list_head node; }; - /** * Return true if addr_1 matches addr_2 in the first `netmask' bits. */ @@ -37,7 +36,15 @@ static int v4_addr_match(uint32_t addr_1, uint32_t addr_2, uint8_t netmask) return (htonl(addr_1) & mask) == (htonl(addr_2) & mask); } -int host_in_acl(int fd, struct list_head *acl) +/** + * Find out whether the peer name of a given fd belongs to an acl. + * + * \param fd File descriptor. + * \param acl The access control list. + * + * \return One if \a fd belongs to \a acl, zero otherwise. + */ +static int acl_lookup(int fd, struct list_head *acl) { struct access_info *ai, *tmp; struct sockaddr_storage ss; @@ -59,7 +66,14 @@ no_match: return 0; } -void add_acl_entry(struct list_head *acl, struct in_addr addr, +/** + * Add an entry to an access control list. + * + * \param acl The access control list. + * \param addr The address to add. + * \param netmask The netmask to use for this entry. + */ +static void acl_add_entry(struct list_head *acl, struct in_addr addr, int netmask) { struct access_info *ai = para_malloc(sizeof(struct access_info)); @@ -70,8 +84,14 @@ void add_acl_entry(struct list_head *acl, struct in_addr addr, para_list_add(&ai->node, acl); } - -void del_acl_entry(struct list_head *acl, struct in_addr addr, +/** + * Delete an entry from an access control list. + * + * \param acl The access control list. + * \param addr The address to delete. + * \param netmask The netmask of the entry to be removed from the list. + */ +static void acl_del_entry(struct list_head *acl, struct in_addr addr, int netmask) { struct access_info *ai, *tmp; @@ -89,7 +109,15 @@ void del_acl_entry(struct list_head *acl, struct in_addr addr, } } -char *get_acl_contents(struct list_head *acl) +/** + * Compute a string containing the contents of an acl. + * + * \param acl The access control list. + * + * \return A string containing the contents of \a acl, or \p NULL + * if \a acl is empty. + */ +char *acl_get_contents(struct list_head *acl) { struct access_info *ai, *tmp_ai; char *ret = NULL; @@ -103,7 +131,14 @@ char *get_acl_contents(struct list_head *acl) return ret; } -void init_acl(struct list_head *acl, char * const *acl_info, int num) +/** + * Initialize an access control list. + * + * \param acl The list to initialize. + * \param acl_info An array of strings of the form ip/netmask. + * \param num The number of strings in \a acl_info. + */ +void acl_init(struct list_head *acl, char * const *acl_info, int num) { int i; @@ -122,7 +157,7 @@ void init_acl(struct list_head *acl, char * const *acl_info, int num) netmask = atoi(++p); if (netmask < 0 || netmask > 32) goto err; - add_acl_entry(acl, addr, netmask); + acl_add_entry(acl, addr, netmask); goto success; err: PARA_CRIT_LOG("syntax error: %s\n", acl_info[i]); @@ -132,3 +167,51 @@ success: } } +/** + * Check whether the peer name of a given fd is allowed by an acl. + * + * \param fd File descriptor. + * \param acl The access control list. + * \param default_deny Whether \a acl is a whitelist. + * + * \return Positive if the peer of \a fd is permitted by \a acl, \p -E_ACL_PERM + * otherwise. + */ +int acl_check_access(int fd, struct list_head *acl, int default_deny) +{ + int match = acl_lookup(fd, acl); + + return (!match || default_deny) && (match || !default_deny)? + 1 : -E_ACL_PERM; +} + +/** + * Permit access for a range of IP addresses. + * + * \param addr The address to permit. + * \param netmask The netmask of the entry to be permitted. + * \param acl The access control list. + * \param default_deny Whether \a acl is a whitelist. + */ +void acl_allow(struct in_addr addr, int netmask, + struct list_head *acl, int default_deny) +{ + if (default_deny) + acl_add_entry(acl, addr, netmask); + else + acl_del_entry(acl, addr, netmask); +} + +/** + * Deny access for a range of IP addresses. + * + * \param addr The address to permit. + * \param netmask The netmask of the entry to be permitted. + * \param acl The access control list. + * \param default_deny Whether \a acl is a whitelist. + */ +void acl_deny(struct in_addr addr, int netmask, + struct list_head *acl, int default_deny) +{ + acl_allow(addr, netmask, acl, !default_deny); +}