The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
network.c
Go to the documentation of this file.
1/*
2 * This program is is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or (at
5 * your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: 94ef3b69190c0e63ad58c32121f8db1d982682f3 $
19 * @file lib/bio/network.c
20 * @brief BIO patricia trie filtering handlers
21 *
22 * @copyright 2024 Network RADIUS SAS (legal@networkradius.com)
23 */
24
25#include <freeradius-devel/util/value.h>
26#include <freeradius-devel/util/trie.h>
27
28#include <freeradius-devel/bio/bio_priv.h>
29#include <freeradius-devel/bio/fd_priv.h>
30
31#include <freeradius-devel/bio/network.h>
32
33/** The network filtering bio
34 */
35typedef struct {
36 FR_BIO_COMMON;
37
38 fr_bio_read_t discard; //!< callback to run when discarding a packet due to filtering
39
40 size_t offset; //!< where #fr_bio_fd_packet_ctx_t is stored
41
42 fr_trie_t const *trie; //!< patricia trie for filtering
43} fr_bio_network_t;
44
45/** Read a UDP packet, and only return packets from allowed sources.
46 *
47 */
48static ssize_t fr_bio_network_read(fr_bio_t *bio, void *packet_ctx, void *buffer, size_t size)
49{
50 ssize_t rcode;
51 bool *value;
52 fr_bio_network_t *my = talloc_get_type_abort(bio, fr_bio_network_t);
53 fr_bio_fd_packet_ctx_t *addr;
54 fr_bio_t *next;
55
56 next = fr_bio_next(&my->bio);
57 fr_assert(next != NULL);
58
59 rcode = next->read(next, packet_ctx, buffer, size);
60 if (rcode <= 0) return rcode;
61
62 if (!packet_ctx) return rcode;
63
64 addr = fr_bio_fd_packet_ctx(my, packet_ctx);
65
66 /*
67 * Look up this particular source. If it's not found, then we suppress this packet.
68 */
69 value = fr_trie_lookup_by_key(my->trie,
70 &addr->socket.inet.src_ipaddr.addr, addr->socket.inet.src_ipaddr.prefix);
71 if (value != FR_BIO_NETWORK_ALLOW) {
72 if (my->discard) return my->discard(bio, packet_ctx, buffer, rcode);
73 return 0;
74 }
75
76 return rcode;
77}
78
79
80/** Allocate a bio for filtering IP addresses
81 *
82 * This is used for unconnected UDP bios, where we filter packets based on source IP address.
83 *
84 * It is also used for accept bios, where we filter new connections based on source IP address. The caller
85 * should chain this bio to the next FD bio, and then fr_bio_read() from the top-level bio. The result will
86 * be filtered or "clean" FDs.
87 *
88 * A patricia trie (but not the bio) could also be used in an haproxy "activate" callback, where the callback
89 * gets the haproxy socket info, and then checks if the source is allowed. However, that patricia trie is a
90 * property of the main "accept" bio, and should be managed by the activate() callback for the haproxy bio.
91 */
92fr_bio_t *fr_bio_network_alloc(TALLOC_CTX *ctx, fr_ipaddr_t const *allow, fr_ipaddr_t const *deny,
93 fr_bio_read_t discard, fr_bio_t *next)
94{
95 fr_bio_network_t *my;
96 fr_bio_fd_info_t const *info;
97
98 /*
99 * We are only usable for FD bios. We need to get "offset" into the packet_ctx, and we don't
100 * want to have an API which allows for two different "offset" values to be passed to two
101 * different bios.
102 */
103 if (strcmp(talloc_get_name(next), "fr_bio_fd_t") != 0) {
104 fr_strerror_const("Invalid 'next' BIO - must be an FD one");
105 return NULL;
106 }
107
108 info = fr_bio_fd_info(next);
109 fr_assert(info != NULL);
110
111 /*
112 * We can only filter connections for IP address families.
113 *
114 * Unix domain sockets have to use a different method for filtering input connections.
115 */
116 if (!((info->socket.af == AF_INET) || (info->socket.af == AF_INET6))) return NULL;
117
118 /*
119 * We can only be used for accept() sockets, or unconnected UDP sockets.
120 */
121 switch (info->type) {
122 case FR_BIO_FD_UNCONNECTED:
123 break;
124
125 case FR_BIO_FD_INVALID:
126 case FR_BIO_FD_CONNECTED:
127 fr_strerror_const("Cannot use network BIO with connected FD BIO");
128 return NULL;
129
130 case FR_BIO_FD_LISTEN:
131 break;
132 }
133
134 my = talloc_zero(ctx, fr_bio_network_t);
135 if (!my) return NULL;
136
137 my->offset = ((fr_bio_fd_t *) next)->offset;
138 my->discard = discard;
139
140 my->bio.write = fr_bio_next_write;
141 my->bio.read = fr_bio_network_read;
142
143 my->trie = fr_bio_network_trie_alloc(my, info->socket.af, allow, deny);
144 if (!my->trie) {
145 talloc_free(my);
146 return NULL;
147 }
148
149 fr_bio_chain(&my->bio, next);
150 talloc_set_destructor((fr_bio_t *) my, fr_bio_destructor); /* always use a common destructor */
151
152 return (fr_bio_t *) my;
153}
154
155/** Create a patricia trie for doing network filtering.
156 *
157 */
158fr_trie_t *fr_bio_network_trie_alloc(TALLOC_CTX *ctx, int af, fr_ipaddr_t const *allow, fr_ipaddr_t const *deny)
159{
160 size_t i, num;
161 fr_trie_t *trie;
162
163 trie = fr_trie_alloc(ctx, NULL, NULL);
164 if (!trie) return NULL;
165
166 num = talloc_array_length(allow);
167 fr_assert(num > 0);
168
169 for (i = 0; i < num; i++) {
170 bool *value;
171
172 /*
173 * Can't add v4 networks to a v6 socket, or vice versa.
174 */
175 if (allow[i].af != af) {
176 fr_strerror_printf("Address family in entry %zu - 'allow = %pV' "
177 "does not match 'ipaddr'", i + 1, fr_box_ipaddr(allow[i]));
178 fail:
179 talloc_free(trie);
180 return NULL;
181 }
182
183 /*
184 * Duplicates are bad.
185 */
186 value = fr_trie_match_by_key(trie, &allow[i].addr, allow[i].prefix);
187 if (value) {
188 fr_strerror_printf("Cannot add duplicate entry 'allow = %pV'",
189 fr_box_ipaddr(allow[i]));
190 goto fail;
191 }
192
193#if 0
194 /*
195 * Look for overlapping entries. i.e. the networks MUST be disjoint.
196 *
197 * Note that this catches 192.168.1/24 followed by 192.168/16, but NOT the other way
198 * around. The best fix is likely to add a flag to fr_trie_alloc() saying "we can only
199 * have terminal fr_trie_user_t nodes"
200 */
201 value = fr_trie_lookup_by_key(trie, &allow[i].addr, allow[i].prefix);
202 if (network && (network->prefix <= allow[i].prefix)) {
203 fr_strerror_printf("Cannot add overlapping entry 'allow = %pV'", fr_box_ipaddr(allow[i]));
204 fr_strerror_const("Entry is completely enclosed inside of a previously defined network.");
205 goto fail;
206 }
207#endif
208
209 /*
210 * Insert the network into the trie. Lookups will return a bool ptr of allow / deny.
211 */
212 if (fr_trie_insert_by_key(trie, &allow[i].addr, allow[i].prefix, FR_BIO_NETWORK_ALLOW) < 0) {
213 fr_strerror_printf("Failed adding 'allow = %pV' to filtering rules", fr_box_ipaddr(allow[i]));
214 goto fail;
215 }
216 }
217
218 /*
219 * And now check denied networks.
220 */
221 num = talloc_array_length(deny);
222 if (!num) return trie;
223
224 /*
225 * Since the default is to deny, you can only add a "deny" inside of a previous "allow".
226 */
227 for (i = 0; i < num; i++) {
228 bool *value;
229
230 /*
231 * Can't add v4 networks to a v6 socket, or vice versa.
232 */
233 if (deny[i].af != af) {
234 fr_strerror_printf("Address family in entry %zu - 'deny = %pV' "
235 "does not match 'ipaddr'", i + 1, fr_box_ipaddr(deny[i]));
236 goto fail;
237 }
238
239 /*
240 * Exact duplicates are forbidden.
241 */
242 value = fr_trie_match_by_key(trie, &deny[i].addr, deny[i].prefix);
243 if (value) {
244 fr_strerror_printf("Cannot add duplicate entry 'deny = %pV'", fr_box_ipaddr(deny[i]));
245 goto fail;
246 }
247
248 /*
249 * A "deny" can only be within a previous "allow".
250 */
251 value = fr_trie_lookup_by_key(trie, &deny[i].addr, deny[i].prefix);
252 if (!value) {
253 fr_strerror_printf("The network in entry %zu - 'deny = %pV' is not "
254 "contained within a previous 'allow'", i + 1, fr_box_ipaddr(deny[i]));
255 goto fail;
256 }
257
258 /*
259 * A "deny" cannot be within a previous "deny".
260 */
261 if (value == FR_BIO_NETWORK_DENY) {
262 fr_strerror_printf("The network in entry %zu - 'deny = %pV' is overlaps "
263 "with another 'deny' rule", i + 1, fr_box_ipaddr(deny[i]));
264 goto fail;
265 }
266
267 /*
268 * Insert the rule into the trie.
269 */
270 if (fr_trie_insert_by_key(trie, &deny[i].addr, deny[i].prefix, FR_BIO_NETWORK_DENY) < 0) {
271 fr_strerror_printf("Failed adding 'deny = %pV' to filtering rules", fr_box_ipaddr(deny[i]));
272 goto fail;
273 }
274 }
275
276 return trie;
277}
buffer
static int const char char buffer[256]
Definition acutest.h:578
fr_bio_s::read
fr_bio_read_t _CONST read
read from the underlying bio
Definition base.h:116
fr_bio_read_t
ssize_t(* fr_bio_read_t)(fr_bio_t *bio, void *packet_ctx, void *buffer, size_t size)
Do a raw read from a socket, or other data source.
Definition base.h:81
fr_bio_next
static fr_bio_t * fr_bio_next(fr_bio_t *bio)
Definition base.h:131
fr_bio_s
Definition base.h:113
fr_bio_network_t::offset
size_t offset
where fr_bio_fd_packet_ctx_t is stored
Definition network.c:40
fr_bio_network_trie_alloc
fr_trie_t * fr_bio_network_trie_alloc(TALLOC_CTX *ctx, int af, fr_ipaddr_t const *allow, fr_ipaddr_t const *deny)
Create a patricia trie for doing network filtering.
Definition network.c:158
fr_bio_network_alloc
fr_bio_t * fr_bio_network_alloc(TALLOC_CTX *ctx, fr_ipaddr_t const *allow, fr_ipaddr_t const *deny, fr_bio_read_t discard, fr_bio_t *next)
Allocate a bio for filtering IP addresses.
Definition network.c:92
fr_bio_network_t::discard
fr_bio_read_t discard
callback to run when discarding a packet due to filtering
Definition network.c:38
fr_bio_network_read
static ssize_t fr_bio_network_read(fr_bio_t *bio, void *packet_ctx, void *buffer, size_t size)
Read a UDP packet, and only return packets from allowed sources.
Definition network.c:48
fr_bio_network_t::trie
fr_trie_t const * trie
patricia trie for filtering
Definition network.c:42
fr_bio_network_t
The network filtering bio.
Definition network.c:35
FR_BIO_NETWORK_DENY
#define FR_BIO_NETWORK_DENY
Definition network.h:44
FR_BIO_NETWORK_ALLOW
#define FR_BIO_NETWORK_ALLOW
Definition network.h:43
fr_bio_chain
static void fr_bio_chain(fr_bio_t *first, fr_bio_t *second)
Chain one bio after another.
Definition bio_priv.h:84
value
Test enumeration values.
Definition dict_test.h:92
fr_bio_fd_info
fr_bio_fd_info_t const * fr_bio_fd_info(fr_bio_t *bio)
Returns a pointer to the bio-specific information.
Definition fd.c:1281
fr_bio_fd_info_t::socket
fr_socket_t socket
as connected socket
Definition fd.h:132
FR_BIO_FD_CONNECTED
@ FR_BIO_FD_CONNECTED
connected client sockets (UDP or TCP)
Definition fd.h:68
FR_BIO_FD_INVALID
@ FR_BIO_FD_INVALID
not set
Definition fd.h:64
FR_BIO_FD_UNCONNECTED
@ FR_BIO_FD_UNCONNECTED
unconnected UDP / datagram only
Definition fd.h:65
FR_BIO_FD_LISTEN
@ FR_BIO_FD_LISTEN
returns new fd in buffer on fr_bio_read() or fr_bio_fd_accept()
Definition fd.h:69
fr_bio_fd_info_t::type
fr_bio_fd_type_t type
type of the socket
Definition fd.h:134
fr_bio_fd_packet_ctx_t::socket
fr_socket_t socket
socket information, including FD.
Definition fd.h:52
fr_bio_fd_info_t
Run-time status of the socket.
Definition fd.h:131
fr_bio_fd_packet_ctx_t
Per-packet context.
Definition fd.h:51
my
void fr_bio_shutdown & my
Definition fd_errno.h:70
fr_bio_fd_packet_ctx
#define fr_bio_fd_packet_ctx(_my, _packet_ctx)
Definition fd_priv.h:62
fr_bio_fd_s
Our FD bio structure.
Definition fd_priv.h:35
talloc_free
talloc_free(hp)
fr_ipaddr_t::prefix
uint8_t prefix
Prefix length - Between 0-32 for IPv4 and 0-128 for IPv6.
Definition inet.h:69
fr_ipaddr_t
IPv4/6 prefix.
Definition merged_model.c:266
fr_bio_destructor
int fr_bio_destructor(fr_bio_t *bio)
Free this bio.
Definition base.c:35
fr_bio_next_write
ssize_t fr_bio_next_write(fr_bio_t *bio, void *packet_ctx, void const *buffer, size_t size)
Internal bio function which just writes to the "next" bio.
Definition base.c:64
ssize_t
long int ssize_t
Definition merged_model.c:24
fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:38
fr_trie_alloc
fr_trie_t * fr_trie_alloc(TALLOC_CTX *ctx, fr_trie_key_t get_key, fr_free_t free_data)
Allocate a trie.
Definition trie.c:741
fr_trie_lookup_by_key
void * fr_trie_lookup_by_key(fr_trie_t const *ft, void const *key, size_t keylen)
Lookup a key in a trie and return user ctx, if any.
Definition trie.c:1265
fr_trie_match_by_key
void * fr_trie_match_by_key(fr_trie_t const *ft, void const *key, size_t keylen)
Match a key and length in a trie and return user ctx, if any.
Definition trie.c:1289
fr_trie_insert_by_key
int fr_trie_insert_by_key(fr_trie_t *ft, void const *key, size_t keylen, void const *data)
Insert a key and user ctx into a trie.
Definition trie.c:1878
fr_trie_s
Definition trie.c:484
fr_socket_t::af
int af
AF_INET, AF_INET6, or AF_UNIX.
Definition socket.h:78
fr_strerror_printf
#define fr_strerror_printf(_fmt,...)
Log to thread local error buffer.
Definition strerror.h:64
fr_strerror_const
#define fr_strerror_const(_msg)
Definition strerror.h:223
fr_box_ipaddr
#define fr_box_ipaddr(_val)
Definition value.h:317
Generated by   doxygen 1.9.8