X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?a=blobdiff_plain;f=ipif%2Fservice.c;h=08b0ed9f61a40859d37f531231940433db77d76c;hb=5f3e811b5415dcff74f82bdd2f26d3af1f73c555;hp=397740cba8e4db12008d46c3e74aa4c40bb272f2;hpb=5124214b2f9f6c40ac43ca9044a6b82eedd48b71;p=userv-utils.git

diff --git a/ipif/service.c b/ipif/service.c
index 397740c..08b0ed9 100644
--- a/ipif/service.c
+++ b/ipif/service.c
@@ -59,7 +59,7 @@
  *      Reads a file which contains lines which are each <config>
  *      items.
  *
- *   <gid>,[=]<prefix>/<len>[,<junk>]
+ *   <gid>,[=][-|+]<prefix>/<len>(-|+<prefix>/<len>...)[,<junk>]
  *
  *      Indicates that <gid> may allocate addresses in the relevant address
  *      range (<junk> is ignored).  <gid> must be numeric.  To specify a
@@ -67,6 +67,13 @@
  *      specified then the specific subrange is only allowed for the local
  *      endpoint address, but not for remote addresses.
  *
+ *      More than one range may be given, with each range prefixed
+ *      by + or -.  In this case each address range in the rule will
+ *      scanned in order, and the first range in the rule that matches
+ *      any desired rule will count: if that first matching range is
+ *      prefixed by `+' (or nothing) then the rule applies, if it
+ *      is prefixed by `-' (or nothing matches), the rule does not.
+ *
  *   *
  *      Means that anything is to be permitted.  This should not appear in
  *      /etc/userv/ipif-networks, as that would permit any user on the
@@ -84,7 +91,8 @@
  * The service program should be run from userv with no-disconnect-hup.
  */
 /*
- * Copyright (C) 1999-2000 Ian Jackson
+ * Copyright (C) 1999-2000,2003 Ian Jackson
+ * This file is part of ipif, part of userv-utils
  *
  * This is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by
@@ -119,7 +127,7 @@
 #include <sys/stat.h>
 
 #define NARGS 4
-#define MAXEXROUTES 5
+#define MAXEXROUTES 50
 #define ATXTLEN 16
 
 static const unsigned long gidmaxval= (unsigned long)((gid_t)-2);
@@ -128,11 +136,12 @@ static const int signals[]= { SIGHUP, SIGINT, SIGTERM, 0 };
 
 static const char *configstr, *proto;
 static unsigned long localaddr, peeraddr, mtu;
+static int localpming, peerpming;
 static int localallow, peerallow, allallow;
 static int nexroutes;
 static struct exroute {
   unsigned long prefix, mask;
-  int allow;
+  int allow, pming;
   char prefixtxt[ATXTLEN], masktxt[ATXTLEN];
 } exroutes[MAXEXROUTES];
 
@@ -290,12 +299,17 @@ static unsigned long eat_number(const char **argp, const char *what,
   return rv;
 }
 
-static void addrnet_mustdiffer(const char *w1, unsigned long p1, unsigned long m1,
-			       const char *w2, unsigned long p2, unsigned long m2) {
+static int addrnet_overlap(unsigned long p1, unsigned long m1,
+			   unsigned long p2, unsigned long m2) {
   unsigned long mask;
 
   mask= m1&m2;
-  if ((p1 & mask) != (p2 & mask)) return;
+  return (p1 & mask) == (p2 & mask);
+}
+
+static void addrnet_mustdiffer(const char *w1, unsigned long p1, unsigned long m1,
+			       const char *w2, unsigned long p2, unsigned long m2) {
+  if (!addrnet_overlap(p1,m1,p2,m2)) return;
   badusage("%s %08lx/%08lx overlaps/clashes with %s %08lx/%08lx",
 	   w1,p1,m1, w2,p2,m2);
 }
@@ -329,7 +343,7 @@ static void eat_prefixmask(const char **argp, const char *what,
   sprintf(whatbuf,"%s length",what);
   len= eat_number(argp,whatbuf, 0,32, endchars,endchar_r);
 
-  mask= (~0UL << (32-len));
+  mask= len ? (~0UL << (32-len)) : 0UL;
   if (prefix & ~mask) badusage("%s prefix %08lx not fully contained in mask %08lx",
 			       what,prefix,mask);
   *prefix_r= prefix;
@@ -341,35 +355,66 @@ static int addrnet_isin(unsigned long prefix, unsigned long mask,
 			unsigned long mprefix, unsigned long mmask) {
   return  !(~mask & mmask)  &&  (prefix & mmask) == mprefix;
 }
+
+/* Totally hideous algorithm for parsing the config file lines.
+ * For each config file line, we first see if its gid applies.  If not
+ * we skip it.  Otherwise, we do
+ *  permit_begin
+ *     which sets <foo>pming to 1
+ * for each range.  <foo>pming may be 0 if we've determined that
+ * this line does not apply to <foo>.
+ *  permit_range
+ *     which calls permit_range_thing for each <foo>
+ *        which checks to see if <foo> is inside the relevant
+ *        range (for +) or overlaps it (for -) and updates
+ *        <foo>allow and <foo>pming.
+ */
+
+static void permit_begin(void) {
+  int i;
   
+  localpming= peerpming= 1;
+  for (i=0; i<nexroutes; i++) exroutes[i].pming= 1;
+}
+
+static void permit_range_thing(unsigned long tprefix, unsigned long tmask,
+			       const char *what, int *tallow, int *tpming,
+			       unsigned long pprefix, unsigned long pmask,
+			       int plus, int *any) {
+  if (plus) {
+    if (!addrnet_isin(tprefix,tmask, pprefix,pmask)) return;
+    if (*tpming) *tallow= 1;
+  } else {
+    if (!addrnet_overlap(tprefix,tmask, pprefix,pmask)) return;
+    *tpming= 0;
+  }
+  if (!proto) printf(" %c%s", plus?'+':'-', what);
+  *any= 1;
+}
 
-static void permit(unsigned long pprefix, unsigned long pmask, int localonly) {
+static void permit_range(unsigned long prefix, unsigned long mask,
+			 int plus, int localonly) {
   int i, any;
+  char idbuf[40];
   
-  assert(!(pprefix & ~pmask));
+  assert(!(prefix & ~mask));
   any= 0;
 
-  if (!proto) fputs(localonly ? "permits-l" : "permits",stdout);
-  if (addrnet_isin(localaddr,~0UL, pprefix,pmask)) {
-    if (!proto) fputs(" local-addr",stdout);
-    any= localallow= 1;
-  }
+  permit_range_thing(localaddr,~0UL,"local", &localallow,&localpming,
+		     prefix,mask, plus,&any);
+
   if (!localonly) {
-    if (addrnet_isin(peeraddr,~0UL, pprefix,pmask)) {
-      if (!proto) fputs(" peer-addr",stdout);
-      any= peerallow= 1;
-    }
+    permit_range_thing(peeraddr,~0UL, "peer-addr", &peerallow,&peerpming,
+		       prefix,mask, plus,&any);
     for (i=0; i<nexroutes; i++) {
-      if (addrnet_isin(exroutes[i].prefix,exroutes[i].mask, pprefix,pmask)) {
-	if (!proto) printf(" route#%d",i);
-	any= exroutes[i].allow= 1;
-      }
+      sprintf(idbuf,"route#%d",i);
+      permit_range_thing(exroutes[i].prefix,exroutes[i].mask, idbuf,
+			 &exroutes[i].allow,&exroutes[i].pming,
+			 prefix,mask, plus,&any);
     }
   }
-  if (!proto) {
+  if (!proto)
     if (!any) fputs(" nothing",stdout);
-    putchar('\n');
-  }
 }
 
 static void pconfig(const char *configstr, int truncated);
@@ -421,14 +466,15 @@ static void pfile(const char *filename) {
 
 static void pconfig(const char *configstr, int truncated) {
   unsigned long fgid, tgid, pprefix, pmask;
-  int plen, localonly;
+  int plen, localonly, plus, rangeix, delim;
   char ptxt[ATXTLEN];
+  char whattxt[100];
   const char *gidlist;
   
   switch (configstr[0]) {
   case '*':
-    if (strcmp(configstr,"*")) badusage("`*' directive must be only thing on line");
-    permit(0UL,0UL,0);
+    permit_begin();
+    permit_range(0UL,0UL,1,0);
     return;
     
   case '#':
@@ -444,28 +490,57 @@ static void pconfig(const char *configstr, int truncated) {
       badusage("unknown configuration directive");
     
     fgid= eat_number(&configstr,"gid", 0,gidmaxval, ",",0);
-    if (configstr[0] == '=') {
-      localonly= 1;
-      configstr++;
-    } else {
-      localonly= 0;
-    }
-    eat_prefixmask(&configstr,"permitted-prefix", ",",0, &pprefix,&pmask,&plen);
-    if (!configstr && truncated) badusage("gid,prefix/len,... spec too long");
 
-    if (!proto) printf(" %5lu,%s/%d: ", fgid, ip2txt(pprefix,ptxt), plen);
+    if (!proto) printf(" %5lu", fgid);
 
     gidlist= getenv("USERV_GID");
     if (!gidlist) fatal("USERV_GID not set");
     for (;;) {
       if (!gidlist) {
-	if (!proto) printf("no matching gid\n");
+	if (!proto) printf(" no matching gid\n");
 	return;
       }
       tgid= eat_number(&gidlist,"userv-gid", 0,gidmaxval, " ",0);
       if (tgid == fgid) break;
     }
-    permit(pprefix,pmask,localonly);
+
+    if (configstr[0] == '=') {
+      localonly= 1;
+      configstr++;
+    } else {
+      localonly= 0;
+    }
+
+    permit_begin();
+
+    rangeix= 0;
+    plus= 1;
+    switch (configstr[0]) {
+    case '-': plus= 0;     /* fall through */
+    case '+': configstr++;
+    default:;
+    }
+
+    for (;;) {
+      sprintf(whattxt, "%s-prefix#%d",
+	      plus ? "permitted" : "notpermitted",
+	      rangeix);
+      eat_prefixmask(&configstr,whattxt, ",+-",&delim,
+		     &pprefix,&pmask,&plen);
+      if (!configstr && truncated)
+	badusage("gid,prefix/len,... spec too long");
+
+      if (!proto)
+	printf("  %c%s/%d:", plus?'+':'-',ip2txt(pprefix,ptxt), plen);
+
+      permit_range(pprefix,pmask,plus,localonly);
+      if (delim==',') break;
+
+      plus= delim=='-' ? 0 : 1;
+      rangeix++;
+    }
+
+    putchar('\n');
     return;
   }
 }