| 1 | /* -*-c-*- |
| 2 | * |
| 3 | * $Id: inet.c,v 1.3 2000/08/01 17:59:56 mdw Exp $ |
| 4 | * |
| 5 | * Protocol specific definitions for IPv4 sockets |
| 6 | * |
| 7 | * (c) 1999 Straylight/Edgeware |
| 8 | */ |
| 9 | |
| 10 | /*----- Licensing notice --------------------------------------------------* |
| 11 | * |
| 12 | * This file is part of the `fw' port forwarder. |
| 13 | * |
| 14 | * `fw' is free software; you can redistribute it and/or modify |
| 15 | * it under the terms of the GNU General Public License as published by |
| 16 | * the Free Software Foundation; either version 2 of the License, or |
| 17 | * (at your option) any later version. |
| 18 | * |
| 19 | * `fw' is distributed in the hope that it will be useful, |
| 20 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 21 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 22 | * GNU General Public License for more details. |
| 23 | * |
| 24 | * You should have received a copy of the GNU General Public License |
| 25 | * along with `fw'; if not, write to the Free Software Foundation, |
| 26 | * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
| 27 | */ |
| 28 | |
| 29 | /*----- Revision history --------------------------------------------------* |
| 30 | * |
| 31 | * $Log: inet.c,v $ |
| 32 | * Revision 1.3 2000/08/01 17:59:56 mdw |
| 33 | * Switch over to using `size_t' for socket address lengths. |
| 34 | * |
| 35 | * Revision 1.2 1999/07/27 18:30:53 mdw |
| 36 | * Various minor portability fixes. |
| 37 | * |
| 38 | * Revision 1.1 1999/07/26 23:34:11 mdw |
| 39 | * New socket address types. |
| 40 | * |
| 41 | */ |
| 42 | |
| 43 | /*----- Header files ------------------------------------------------------*/ |
| 44 | |
| 45 | #include "config.h" |
| 46 | |
| 47 | #include <ctype.h> |
| 48 | #include <errno.h> |
| 49 | #include <stdio.h> |
| 50 | #include <stdlib.h> |
| 51 | #include <string.h> |
| 52 | |
| 53 | #include <sys/types.h> |
| 54 | #include <unistd.h> |
| 55 | |
| 56 | #include <sys/socket.h> |
| 57 | #include <netinet/in.h> |
| 58 | #include <arpa/inet.h> |
| 59 | #include <netdb.h> |
| 60 | |
| 61 | #include <mLib/alloc.h> |
| 62 | #include <mLib/dstr.h> |
| 63 | #include <mLib/report.h> |
| 64 | #include <mLib/sub.h> |
| 65 | |
| 66 | #include "acl.h" |
| 67 | #include "addr.h" |
| 68 | #include "conf.h" |
| 69 | #include "identify.h" |
| 70 | #include "inet.h" |
| 71 | #include "reffd.h" |
| 72 | #include "scan.h" |
| 73 | |
| 74 | /*----- Data structures ---------------------------------------------------*/ |
| 75 | |
| 76 | typedef struct inet_addrx { |
| 77 | addr a; |
| 78 | struct sockaddr_in sin; |
| 79 | } inet_addrx; |
| 80 | |
| 81 | typedef struct inet_opts { |
| 82 | addr_opts ao; |
| 83 | acl_entry *acl; |
| 84 | acl_entry **acltail; |
| 85 | } inet_opts; |
| 86 | |
| 87 | /*----- Protocol operations -----------------------------------------------*/ |
| 88 | |
| 89 | /* --- @read@ --- */ |
| 90 | |
| 91 | static addr *inet_read(scanner *sc, unsigned type) |
| 92 | { |
| 93 | inet_addrx *ia = xmalloc(sizeof(*ia)); |
| 94 | |
| 95 | ia->a.ops = &inet_ops; |
| 96 | ia->a.sz = sizeof(struct sockaddr_in); |
| 97 | memset(&ia->sin, 0, sizeof(ia->sin)); |
| 98 | ia->sin.sin_family = AF_INET; |
| 99 | |
| 100 | /* --- Read the host address part --- */ |
| 101 | |
| 102 | switch (type) { |
| 103 | case ADDR_SRC: |
| 104 | if (sc->t == CTOK_WORD && strcmp(sc->d.buf, "port") == 0) |
| 105 | token(sc); |
| 106 | ia->sin.sin_addr.s_addr = htonl(INADDR_ANY); |
| 107 | break; |
| 108 | case ADDR_DEST: { |
| 109 | struct hostent *h; |
| 110 | dstr d = DSTR_INIT; |
| 111 | conf_name(sc, '.', &d); |
| 112 | if ((h = gethostbyname(d.buf)) == 0) |
| 113 | error(sc, "couldn't resolve Internet address `%s'", d.buf); |
| 114 | memcpy(&ia->sin.sin_addr, h->h_addr, sizeof(struct in_addr)); |
| 115 | dstr_destroy(&d); |
| 116 | if (sc->t == ':') |
| 117 | token(sc); |
| 118 | } break; |
| 119 | } |
| 120 | |
| 121 | /* --- Read the port number --- */ |
| 122 | |
| 123 | { |
| 124 | struct servent *s; |
| 125 | |
| 126 | if (sc->t != CTOK_WORD) |
| 127 | error(sc, "parse error, TCP port expected"); |
| 128 | if (isdigit((unsigned char)sc->d.buf[0])) |
| 129 | ia->sin.sin_port = htons(atoi(sc->d.buf)); |
| 130 | else if ((s = getservbyname(sc->d.buf, "tcp")) == 0) |
| 131 | error(sc, "unknown tcp service `%s'", sc->d.buf); |
| 132 | else |
| 133 | ia->sin.sin_port = s->s_port; |
| 134 | token(sc); |
| 135 | } |
| 136 | |
| 137 | return (&ia->a); |
| 138 | } |
| 139 | |
| 140 | /* --- @destroy@ --- */ |
| 141 | |
| 142 | static void inet_destroy(addr *a) |
| 143 | { |
| 144 | inet_addrx *ia = (inet_addrx *)a; |
| 145 | DESTROY(ia); |
| 146 | } |
| 147 | |
| 148 | /* --- @print@ --- */ |
| 149 | |
| 150 | static void inet_print(addr *a, unsigned type, dstr *d) |
| 151 | { |
| 152 | inet_addrx *ia = (inet_addrx *)a; |
| 153 | switch (type) { |
| 154 | case ADDR_SRC: |
| 155 | dstr_putf(d, "inet:%u", (unsigned)ntohs(ia->sin.sin_port)); |
| 156 | break; |
| 157 | case ADDR_DEST: |
| 158 | dstr_putf(d, "inet:%s:%u", |
| 159 | inet_ntoa(ia->sin.sin_addr), |
| 160 | (unsigned)ntohs(ia->sin.sin_port)); |
| 161 | break; |
| 162 | } |
| 163 | } |
| 164 | |
| 165 | /* --- @initopts@ --- */ |
| 166 | |
| 167 | static addr_opts *inet_initopts(void) |
| 168 | { |
| 169 | inet_opts *io = CREATE(inet_opts); |
| 170 | io->acl = 0; |
| 171 | io->acltail = &io->acl; |
| 172 | return (&io->ao); |
| 173 | } |
| 174 | |
| 175 | /* --- @option@ --- */ |
| 176 | |
| 177 | static int inet_option(scanner *sc, addr_opts *ao) |
| 178 | { |
| 179 | inet_opts *io = (inet_opts *)ao; |
| 180 | |
| 181 | CONF_BEGIN(sc, "inet", "Internet socket") |
| 182 | |
| 183 | unsigned act; |
| 184 | |
| 185 | /* --- Access control limitations --- */ |
| 186 | |
| 187 | if ((strcmp(sc->d.buf, "allow") == 0 && (act = ACL_ALLOW, 1)) || |
| 188 | (strcmp(sc->d.buf, "deny") == 0 && (act = ACL_DENY, 1))) { |
| 189 | struct hostent *h; |
| 190 | struct netent *n; |
| 191 | struct in_addr a, m; |
| 192 | dstr d = DSTR_INIT; |
| 193 | |
| 194 | /* --- Find the host or network address --- */ |
| 195 | |
| 196 | token(sc); |
| 197 | if (sc->t == CTOK_WORD && strcmp(sc->d.buf, "from") == 0) |
| 198 | token(sc); |
| 199 | conf_name(sc, '.', &d); |
| 200 | if ((n = getnetbyname(d.buf)) != 0) |
| 201 | a.s_addr = htonl(n->n_net); |
| 202 | else if ((h = gethostbyname(d.buf)) == 0) |
| 203 | error(sc, "couldn't resolve address `%s'", d.buf); |
| 204 | else |
| 205 | memcpy(&a, h->h_addr, sizeof(struct in_addr)); |
| 206 | |
| 207 | /* --- Find the netmask, if any --- */ |
| 208 | |
| 209 | if (sc->t != '/') |
| 210 | m.s_addr = ~0ul; |
| 211 | else { |
| 212 | token(sc); |
| 213 | DRESET(&d); |
| 214 | conf_name(sc, '.', &d); |
| 215 | if (strchr(d.buf, '.') == 0) { |
| 216 | int n = atoi(d.buf); |
| 217 | if (n == 0) |
| 218 | m.s_addr = 0; |
| 219 | else |
| 220 | m.s_addr = htonl((~0ul << (32 - n)) & 0xffffffff); |
| 221 | } else { |
| 222 | #ifdef HAVE_INET_ATON |
| 223 | if (!inet_aton(d.buf, &m)) |
| 224 | error(sc, "bad netmask `%s'", d.buf); |
| 225 | #else |
| 226 | m.s_addr = inet_addr(d.buf); |
| 227 | #endif |
| 228 | } |
| 229 | } |
| 230 | dstr_destroy(&d); |
| 231 | |
| 232 | /* --- Add the access control entry --- */ |
| 233 | |
| 234 | acl_add(io ? &io->acltail : 0, act, a, m); |
| 235 | CONF_ACCEPT; |
| 236 | } |
| 237 | |
| 238 | /* --- Anything unrecognized --- */ |
| 239 | |
| 240 | CONF_END; |
| 241 | } |
| 242 | |
| 243 | /* --- @accept@ --- */ |
| 244 | |
| 245 | static reffd *inet_accept(int fd, addr_opts *ao, const char *desc) |
| 246 | { |
| 247 | inet_opts *io = (inet_opts *)ao; |
| 248 | int nfd; |
| 249 | id_req q; |
| 250 | size_t lsinsz = sizeof(q.lsin), rsinsz = sizeof(q.rsin); |
| 251 | |
| 252 | /* --- Accept the new connection --- */ |
| 253 | |
| 254 | if ((nfd = accept(fd, (struct sockaddr *)&q.rsin, &rsinsz)) < 0) |
| 255 | return (0); |
| 256 | if (getsockname(nfd, (struct sockaddr *)&q.lsin, &lsinsz)) { |
| 257 | close(nfd); |
| 258 | return (0); |
| 259 | } |
| 260 | q.desc = desc; |
| 261 | q.r = reffd_init(nfd); |
| 262 | |
| 263 | /* --- Find out whether this connection is allowed --- */ |
| 264 | |
| 265 | if (!acl_check(io->acl, q.rsin.sin_addr)) { |
| 266 | q.act = "refused"; |
| 267 | if (!(io->ao.f & ADDRF_NOLOG)) |
| 268 | identify(&q); |
| 269 | REFFD_DEC(q.r); |
| 270 | return (0); |
| 271 | } |
| 272 | |
| 273 | /* --- Everything seems to be OK --- */ |
| 274 | |
| 275 | q.act = "accepted"; |
| 276 | if (!(io->ao.f & ADDRF_NOLOG)) |
| 277 | identify(&q); |
| 278 | return (q.r); |
| 279 | } |
| 280 | |
| 281 | /* --- @freeopts@ --- */ |
| 282 | |
| 283 | static void inet_freeopts(addr_opts *ao) |
| 284 | { |
| 285 | inet_opts *io = (inet_opts *)ao; |
| 286 | acl_free(io->acl); |
| 287 | DESTROY(ao); |
| 288 | } |
| 289 | |
| 290 | /* --- Ops table --- */ |
| 291 | |
| 292 | addr_ops inet_ops = { |
| 293 | "inet", PF_INET, |
| 294 | inet_read, inet_destroy, inet_print, |
| 295 | inet_initopts, inet_option, inet_accept, inet_freeopts, 0, 0 |
| 296 | }; |
| 297 | |
| 298 | /*----- That's all, folks -------------------------------------------------*/ |