3 * $Id: inet.c,v 1.6 2003/11/29 20:36:07 mdw Exp $
5 * Protocol specific definitions for IPv4 sockets
7 * (c) 1999 Straylight/Edgeware
10 /*----- Licensing notice --------------------------------------------------*
12 * This file is part of the `fw' port forwarder.
14 * `fw' is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
16 * the Free Software Foundation; either version 2 of the License, or
17 * (at your option) any later version.
19 * `fw' is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with `fw'; if not, write to the Free Software Foundation,
26 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 /*----- Revision history --------------------------------------------------*
32 * Revision 1.6 2003/11/29 20:36:07 mdw
33 * Privileged outgoing connections.
35 * Revision 1.5 2003/11/25 14:08:23 mdw
36 * Debianization. Socket target options. Internet binding.
38 * Revision 1.4 2002/01/13 14:49:56 mdw
39 * Conditional compilation for @getnetbyname@, since Cygwin doesn't have
42 * Revision 1.3 2000/08/01 17:59:56 mdw
43 * Switch over to using `size_t' for socket address lengths.
45 * Revision 1.2 1999/07/27 18:30:53 mdw
46 * Various minor portability fixes.
48 * Revision 1.1 1999/07/26 23:34:11 mdw
49 * New socket address types.
53 /*----- Header files ------------------------------------------------------*/
63 #include <sys/types.h>
66 #include <sys/socket.h>
67 #include <netinet/in.h>
68 #include <arpa/inet.h>
71 #include <mLib/alloc.h>
72 #include <mLib/dstr.h>
73 #include <mLib/fdflags.h>
74 #include <mLib/report.h>
88 /*----- Data structures ---------------------------------------------------*/
90 typedef struct inet_addrx {
92 struct sockaddr_in sin;
95 typedef struct inet_opts {
100 typedef struct inet_srcopts {
106 typedef struct inet_targopts {
111 #define ADDRF_PRIVCONN 16u
113 static inet_srcopts inet_globalsrc =
114 { { { 0 }, { INADDR_ANY } }, 0, &inet_globalsrc.acl };
115 static inet_targopts inet_globaltarg =
116 { { { 0 }, { INADDR_ANY } } };
118 /*----- Protocol operations -----------------------------------------------*/
122 static addr *inet_read(scanner *sc, unsigned type)
124 inet_addrx *ia = xmalloc(sizeof(*ia));
126 ia->a.ops = &inet_ops;
127 ia->a.sz = sizeof(struct sockaddr_in);
128 memset(&ia->sin, 0, sizeof(ia->sin));
129 ia->sin.sin_family = AF_INET;
131 /* --- Read the host address part --- */
135 if (sc->t == CTOK_WORD && strcmp(sc->d.buf, "port") == 0)
137 ia->sin.sin_addr.s_addr = htonl(INADDR_ANY);
142 conf_name(sc, '.', &d);
143 if ((h = gethostbyname(d.buf)) == 0)
144 error(sc, "couldn't resolve Internet address `%s'", d.buf);
145 memcpy(&ia->sin.sin_addr, h->h_addr, sizeof(struct in_addr));
152 /* --- Read the port number --- */
157 if (sc->t != CTOK_WORD)
158 error(sc, "parse error, TCP port expected");
159 if (isdigit((unsigned char)sc->d.buf[0]))
160 ia->sin.sin_port = htons(atoi(sc->d.buf));
161 else if ((s = getservbyname(sc->d.buf, "tcp")) == 0)
162 error(sc, "unknown tcp service `%s'", sc->d.buf);
164 ia->sin.sin_port = s->s_port;
171 /* --- @destroy@ --- */
173 static void inet_destroy(addr *a)
175 inet_addrx *ia = (inet_addrx *)a;
179 /* --- @print@ --- */
181 static void inet_print(addr *a, unsigned type, dstr *d)
183 inet_addrx *ia = (inet_addrx *)a;
186 dstr_putf(d, "inet:%u", (unsigned)ntohs(ia->sin.sin_port));
189 dstr_putf(d, "inet:%s:%u",
190 inet_ntoa(ia->sin.sin_addr),
191 (unsigned)ntohs(ia->sin.sin_port));
196 /* --- @initopts@ --- */
198 static addr_opts *inet_initsrcopts(void)
200 inet_srcopts *io = CREATE(inet_srcopts);
201 *io = inet_globalsrc;
203 io->acltail = &io->acl;
207 static addr_opts *inet_inittargopts(void)
209 inet_targopts *io = CREATE(inet_targopts);
210 *io = inet_globaltarg;
215 /* --- @option@ --- */
217 static void addropt(scanner *sc, inet_opts *io)
225 if (sc->t == CTOK_WORD && strcmp(sc->d.buf, "any") == 0)
226 io->bind.s_addr = INADDR_ANY;
228 conf_name(sc, '.', &d);
229 if ((h = gethostbyname(d.buf)) == 0)
230 error(sc, "couldn't resolve address `%s'", d.buf);
231 memcpy(&io->bind, h->h_addr, sizeof(struct in_addr));
235 static int srcopt(scanner *sc, addr_opts *ao)
237 inet_srcopts *io = (inet_srcopts *)ao;
240 CONF_BEGIN(sc, "source", "Internet socket source")
242 /* --- Initialization --- */
245 if (!inet_globalsrc.acltail)
246 inet_globalsrc.acltail = &inet_globalsrc.acl;
247 io = &inet_globalsrc;
250 /* --- Source address configuration --- */
252 if (strcmp(sc->d.buf, "addr") == 0) {
253 addropt(sc, &io->io);
257 /* --- Access control limitations --- */
259 if ((strcmp(sc->d.buf, "allow") == 0 && (act = ACL_ALLOW, 1)) ||
260 (strcmp(sc->d.buf, "deny") == 0 && (act = ACL_DENY, 1))) {
266 /* --- Find out what's going on --- */
269 if (sc->t == CTOK_WORD && strcmp(sc->d.buf, "from") == 0)
272 if (sc->t == CTOK_WORD && (strcmp(sc->d.buf, "priv") == 0 ||
273 strcmp(sc->d.buf, "priv-port") == 0)) {
274 acl_addpriv(&io->acltail, act);
277 if (sc->t == CTOK_WORD && strcmp(sc->d.buf, "host") == 0)
280 /* --- Find the host or network address --- */
282 conf_name(sc, '.', &d);
283 #ifdef HAVE_GETNETBYNAME
284 if ((n = getnetbyname(d.buf)) != 0)
285 a.s_addr = htonl(n->n_net);
288 if ((h = gethostbyname(d.buf)) == 0)
289 error(sc, "couldn't resolve address `%s'", d.buf);
291 memcpy(&a, h->h_addr, sizeof(struct in_addr));
293 /* --- Find the netmask, if any --- */
300 conf_name(sc, '.', &d);
301 if (strchr(d.buf, '.') == 0) {
306 m.s_addr = htonl((~0ul << (32 - n)) & 0xffffffff);
308 #ifdef HAVE_INET_ATON
309 if (!inet_aton(d.buf, &m))
310 error(sc, "bad netmask `%s'", d.buf);
312 m.s_addr = inet_addr(d.buf);
318 /* --- Add the access control entry --- */
320 acl_addhost(&io->acltail, act, a, m);
325 /* --- Anything unrecognized --- */
330 static int targopt(scanner *sc, addr_opts *ao)
332 inet_targopts *io = (inet_targopts *)ao;
334 CONF_BEGIN(sc, "dest", "Internet socket target");
335 if (strcmp(sc->d.buf, "addr") == 0) {
336 addropt(sc, &io->io);
339 if (strcmp(sc->d.buf, "priv") == 0 ||
340 strcmp(sc->d.buf, "priv-port") == 0) {
342 if (sc->t == '=') token(sc);
343 if (conf_enum(sc, "no,yes", ENUM_ABBREV, "privileged connection status"))
344 io->io.ao.f |= ADDRF_PRIVCONN;
346 io->io.ao.f &= ~ADDRF_PRIVCONN;
352 static int inet_option(scanner *sc, addr_opts *ao, unsigned type)
354 CONF_BEGIN(sc, "inet", "Internet socket");
355 if (type != ADDR_DEST && srcopt(sc, ao))
357 if (type != ADDR_SRC && targopt(sc, ao))
362 /* --- @confirm@ --- */
364 static void inet_confirm(addr *a, unsigned type, addr_opts *ao)
366 inet_addrx *ia = (inet_addrx *)a;
370 inet_targopts *io = (inet_targopts *)ao;
371 if ((io->io.ao.f & ADDRF_PRIVCONN) &&
372 (io->ipriv = privconn_adddest(ia->sin.sin_addr,
373 ia->sin.sin_port)) < 0)
374 die(1, "couldn't add privileged connection target (too late)");
379 /* --- @freeopts@ --- */
381 static void inet_freesrcopts(addr_opts *ao)
383 inet_srcopts *io = (inet_srcopts *)ao;
388 static void inet_freetargopts(addr_opts *ao)
390 inet_targopts *io = (inet_targopts *)ao;
396 static int inet_bind(addr *a, addr_opts *ao)
398 inet_addrx *ia = (inet_addrx *)a;
399 inet_srcopts *io = (inet_srcopts *)ao;
400 struct sockaddr_in sin;
404 if ((fd = socket(PF_INET, SOCK_STREAM, 0)) < 0)
406 setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt));
407 fdflags(fd, O_NONBLOCK, O_NONBLOCK, FD_CLOEXEC, FD_CLOEXEC);
409 sin.sin_addr = io->io.bind;
410 if (bind(fd, (struct sockaddr *)&sin, sizeof(ia->sin)))
420 /* --- @accept@ --- */
422 static reffd *inet_accept(int fd, addr_opts *ao, const char *desc)
424 inet_srcopts *io = (inet_srcopts *)ao;
427 size_t lsinsz = sizeof(q.lsin), rsinsz = sizeof(q.rsin);
430 /* --- Accept the new connection --- */
432 if ((nfd = accept(fd, (struct sockaddr *)&q.rsin, &rsinsz)) < 0)
434 if (getsockname(nfd, (struct sockaddr *)&q.lsin, &lsinsz)) {
439 q.r = reffd_init(nfd);
441 /* --- Find out whether this connection is allowed --- */
443 if (!acl_check(io->acl, q.rsin.sin_addr, ntohs(q.rsin.sin_port), &act))
444 acl_check(inet_globalsrc.acl, q.rsin.sin_addr,
445 ntohs(q.rsin.sin_port), &act);
446 if (act != ACL_ALLOW) {
448 if (!(io->io.ao.f & ADDRF_NOLOG))
454 /* --- Everything seems to be OK --- */
457 if (!(io->io.ao.f & ADDRF_NOLOG))
462 /* --- @connect@ --- */
464 static int inet_connect(addr *a, addr_opts *ao, conn *c, endpt *e)
466 inet_addrx *ia = (inet_addrx *)a;
467 inet_targopts *io = (inet_targopts *)ao;
470 if (io->ipriv >= 0) {
471 return (privconn_connect(c, sel, io->ipriv, io->io.bind,
472 starget_connected, e));
474 if ((fd = socket(PF_INET, SOCK_STREAM, 0)) < 0)
476 if (io->io.bind.s_addr != INADDR_ANY) {
477 struct sockaddr_in sin;
478 memset(&sin, 0, sizeof(sin));
479 sin.sin_family = AF_INET;
480 sin.sin_addr = io->io.bind;
482 if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)))
485 fdflags(fd, O_NONBLOCK, O_NONBLOCK, FD_CLOEXEC, FD_CLOEXEC);
486 return (conn_init(c, sel, fd, (struct sockaddr *)&ia->sin, sizeof(ia->sin),
487 starget_connected, e));
494 /* --- Ops table --- */
496 addr_ops inet_ops = {
498 inet_read, inet_destroy, inet_print,
499 inet_initsrcopts, inet_option, inet_confirm, inet_freesrcopts,
500 inet_bind, 0, inet_accept,
501 inet_inittargopts, inet_freetargopts,
505 /*----- That's all, folks -------------------------------------------------*/