The FreeRADIUS server  $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
network.c
Go to the documentation of this file.
1 /*
2  * This program is is free software; you can redistribute it and/or modify
3  * it under the terms of the GNU General Public License as published by
4  * the Free Software Foundation; either version 2 of the License, or (at
5  * your option) any later version.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15  */
16 
17 /**
18  * $Id: 706c10c109be7e1a9b9568c193153b72559c6278 $
19  * @file lib/bio/network.c
20  * @brief BIO patricia trie filtering handlers
21  *
22  * @copyright 2024 Network RADIUS SAS (legal@networkradius.com)
23  */
24 
25 #include <freeradius-devel/util/value.h>
26 #include <freeradius-devel/util/trie.h>
27 
28 #include <freeradius-devel/bio/bio_priv.h>
29 #include <freeradius-devel/bio/fd_priv.h>
30 
31 #include <freeradius-devel/bio/network.h>
32 
33 /** The network filtering bio
34  */
35 typedef struct {
36  FR_BIO_COMMON;
37 
38  fr_bio_read_t discard; //!< callback to run when discarding a packet due to filtering
39 
40  size_t offset; //!< where #fr_bio_fd_packet_ctx_t is stored
41 
42  fr_trie_t const *trie; //!< patricia trie for filtering
43 } fr_bio_network_t;
44 
45 /** Read a UDP packet, and only return packets from allowed sources.
46  *
47  */
48 static ssize_t fr_bio_network_read(fr_bio_t *bio, void *packet_ctx, void *buffer, size_t size)
49 {
50  ssize_t rcode;
51  bool *value;
52  fr_bio_network_t *my = talloc_get_type_abort(bio, fr_bio_network_t);
53  fr_bio_fd_packet_ctx_t *addr;
54  fr_bio_t *next;
55 
56  next = fr_bio_next(&my->bio);
57  fr_assert(next != NULL);
58 
59  rcode = next->read(next, packet_ctx, buffer, size);
60  if (rcode <= 0) return rcode;
61 
62  if (!packet_ctx) return rcode;
63 
64  addr = fr_bio_fd_packet_ctx(my, packet_ctx);
65 
66  /*
67  * Look up this particular source. If it's not found, then we suppress this packet.
68  */
69  value = fr_trie_lookup_by_key(my->trie,
70  &addr->socket.inet.src_ipaddr.addr, addr->socket.inet.src_ipaddr.prefix);
71  if (value != FR_BIO_NETWORK_ALLOW) {
72  if (my->discard) return my->discard(bio, packet_ctx, buffer, rcode);
73  return 0;
74  }
75 
76  return rcode;
77 }
78 
79 
80 /** Allocate a bio for filtering IP addresses
81  *
82  * This is used for unconnected UDP bios, where we filter packets based on source IP address.
83  *
84  * It is also used for accept bios, where we filter new connections based on source IP address. The caller
85  * should chain this bio to the next FD bio, and then fr_bio_read() from the top-level bio. The result will
86  * be filtered or "clean" FDs.
87  *
88  * A patricia trie (but not the bio) could also be used in an haproxy "activate" callback, where the callback
89  * gets the haproxy socket info, and then checks if the source is allowed. However, that patricia trie is a
90  * property of the main "accept" bio, and should be managed by the activate() callback for the haproxy bio.
91  */
92 fr_bio_t *fr_bio_network_alloc(TALLOC_CTX *ctx, fr_ipaddr_t const *allow, fr_ipaddr_t const *deny,
93  fr_bio_read_t discard, fr_bio_t *next)
94 {
95  fr_bio_network_t *my;
96  fr_bio_t *fd;
97  fr_bio_fd_info_t const *info;
98 
99  /*
100  * We are only usable for FD bios. We need to get "offset" into the packet_ctx, and we don't
101  * want to have an API which allows for two different "offset" values to be passed to two
102  * different bios.
103  */
104  fd = NULL;
105 
106  /*
107  * @todo - add an internal "type" to the bio?
108  */
109  do {
110  if (strcmp(talloc_get_name(next), "fr_bio_fd_t") == 0) {
111  fd = next;
112  break;
113  }
114  } while ((next = fr_bio_next(next)) != NULL);
115 
116  if (!fd) return NULL;
117 
118  info = fr_bio_fd_info(fd);
119  fr_assert(info != NULL);
120 
121  /*
122  * We can only filter connections for IP address families.
123  *
124  * Unix domain sockets have to use a different method for filtering input connections.
125  */
126  if (!((info->socket.af == AF_INET) || (info->socket.af == AF_INET6))) return NULL;
127 
128  /*
129  * We can only be used for accept() sockets, or unconnected UDP sockets.
130  */
131  switch (info->type) {
132  case FR_BIO_FD_UNCONNECTED:
133  break;
134 
135  case FR_BIO_FD_CONNECTED:
136  case FR_BIO_FD_ACCEPTED:
137  return NULL;
138 
139  case FR_BIO_FD_LISTEN:
140  break;
141  }
142 
143  my = talloc_zero(ctx, fr_bio_network_t);
144  if (!my) return NULL;
145 
146  my->offset = ((fr_bio_fd_t *) fd)->offset;
147  my->discard = discard;
148 
149  my->bio.write = fr_bio_next_write;
150  my->bio.read = fr_bio_network_read;
151 
152  my->trie = fr_bio_network_trie_alloc(my, info->socket.af, allow, deny);
153  if (!my->trie) {
154  talloc_free(my);
155  return NULL;
156  }
157 
158  fr_bio_chain(&my->bio, next);
159 
160  return (fr_bio_t *) my;
161 }
162 
163 /** Create a patricia trie for doing network filtering.
164  *
165  */
166 fr_trie_t *fr_bio_network_trie_alloc(TALLOC_CTX *ctx, int af, fr_ipaddr_t const *allow, fr_ipaddr_t const *deny)
167 {
168  size_t i, num;
169  fr_trie_t *trie;
170 
171  trie = fr_trie_alloc(ctx, NULL, NULL);
172  if (!trie) return NULL;
173 
174  num = talloc_array_length(allow);
175  fr_assert(num > 0);
176 
177  for (i = 0; i < num; i++) {
178  bool *value;
179 
180  /*
181  * Can't add v4 networks to a v6 socket, or vice versa.
182  */
183  if (allow[i].af != af) {
184  fr_strerror_printf("Address family in entry %zd - 'allow = %pV' "
185  "does not match 'ipaddr'", i + 1, fr_box_ipaddr(allow[i]));
186  fail:
187  talloc_free(trie);
188  return NULL;
189  }
190 
191  /*
192  * Duplicates are bad.
193  */
194  value = fr_trie_match_by_key(trie, &allow[i].addr, allow[i].prefix);
195  if (value) {
196  fr_strerror_printf("Cannot add duplicate entry 'allow = %pV'",
197  fr_box_ipaddr(allow[i]));
198  goto fail;
199  }
200 
201 #if 0
202  /*
203  * Look for overlapping entries. i.e. the networks MUST be disjoint.
204  *
205  * Note that this catches 192.168.1/24 followed by 192.168/16, but NOT the other way
206  * around. The best fix is likely to add a flag to fr_trie_alloc() saying "we can only
207  * have terminal fr_trie_user_t nodes"
208  */
209  value = fr_trie_lookup_by_key(trie, &allow[i].addr, allow[i].prefix);
210  if (network && (network->prefix <= allow[i].prefix)) {
211  fr_strerror_printf("Cannot add overlapping entry 'allow = %pV'", fr_box_ipaddr(allow[i]));
212  fr_strerror_const("Entry is completely enclosed inside of a previously defined network.");
213  goto fail;
214  }
215 #endif
216 
217  /*
218  * Insert the network into the trie. Lookups will return a bool ptr of allow / deny.
219  */
220  if (fr_trie_insert_by_key(trie, &allow[i].addr, allow[i].prefix, FR_BIO_NETWORK_ALLOW) < 0) {
221  fr_strerror_printf("Failed adding 'allow = %pV' to filtering rules", fr_box_ipaddr(allow[i]));
222  return NULL;
223  }
224  }
225 
226  /*
227  * And now check denied networks.
228  */
229  num = talloc_array_length(deny);
230  if (!num) return trie;
231 
232  /*
233  * Since the default is to deny, you can only add a "deny" inside of a previous "allow".
234  */
235  for (i = 0; i < num; i++) {
236  bool *value;
237 
238  /*
239  * Can't add v4 networks to a v6 socket, or vice versa.
240  */
241  if (deny[i].af != af) {
242  fr_strerror_printf("Address family in entry %zd - 'deny = %pV' "
243  "does not match 'ipaddr'", i + 1, fr_box_ipaddr(deny[i]));
244  goto fail;
245  }
246 
247  /*
248  * Exact duplicates are forbidden.
249  */
250  value = fr_trie_match_by_key(trie, &deny[i].addr, deny[i].prefix);
251  if (value) {
252  fr_strerror_printf("Cannot add duplicate entry 'deny = %pV'", fr_box_ipaddr(deny[i]));
253  goto fail;
254  }
255 
256  /*
257  * A "deny" can only be within a previous "allow".
258  */
259  value = fr_trie_lookup_by_key(trie, &deny[i].addr, deny[i].prefix);
260  if (!value) {
261  fr_strerror_printf("The network in entry %zd - 'deny = %pV' is not "
262  "contained within a previous 'allow'", i + 1, fr_box_ipaddr(deny[i]));
263  goto fail;
264  }
265 
266  /*
267  * A "deny" cannot be within a previous "deny".
268  */
269  if (value == FR_BIO_NETWORK_DENY) {
270  fr_strerror_printf("The network in entry %zd - 'deny = %pV' is overlaps "
271  "with another 'deny' rule", i + 1, fr_box_ipaddr(deny[i]));
272  goto fail;
273  }
274 
275  /*
276  * Insert the rule into the trie.
277  */
278  if (fr_trie_insert_by_key(trie, &deny[i].addr, deny[i].prefix, FR_BIO_NETWORK_DENY) < 0) {
279  fr_strerror_printf("Failed adding 'deny = %pV' to filtering rules", fr_box_ipaddr(deny[i]));
280  return NULL;
281  }
282  }
283 
284  return trie;
285 }
buffer
static int const char char buffer[256]
Definition: acutest.h:574
fr_bio_read_t
ssize_t(* fr_bio_read_t)(fr_bio_t *bio, void *packet_ctx, void *buffer, size_t size)
Do a raw read from a socket, or other data source.
Definition: base.h:80
fr_bio_next
static fr_bio_t * fr_bio_next(fr_bio_t *bio)
Definition: base.h:130
fr_bio_s
Definition: base.h:112
fr_bio_network_t::offset
size_t offset
where fr_bio_fd_packet_ctx_t is stored
Definition: network.c:40
fr_bio_network_trie_alloc
fr_trie_t * fr_bio_network_trie_alloc(TALLOC_CTX *ctx, int af, fr_ipaddr_t const *allow, fr_ipaddr_t const *deny)
Create a patricia trie for doing network filtering.
Definition: network.c:166
fr_bio_network_t::discard
fr_bio_read_t discard
callback to run when discarding a packet due to filtering
Definition: network.c:38
fr_bio_network_alloc
fr_bio_t * fr_bio_network_alloc(TALLOC_CTX *ctx, fr_ipaddr_t const *allow, fr_ipaddr_t const *deny, fr_bio_read_t discard, fr_bio_t *next)
Allocate a bio for filtering IP addresses.
Definition: network.c:92
fr_bio_network_read
static ssize_t fr_bio_network_read(fr_bio_t *bio, void *packet_ctx, void *buffer, size_t size)
Read a UDP packet, and only return packets from allowed sources.
Definition: network.c:48
fr_bio_network_t::trie
fr_trie_t const * trie
patricia trie for filtering
Definition: network.c:42
fr_bio_network_t
The network filtering bio.
Definition: network.c:35
FR_BIO_NETWORK_DENY
#define FR_BIO_NETWORK_DENY
Definition: network.h:44
FR_BIO_NETWORK_ALLOW
#define FR_BIO_NETWORK_ALLOW
Definition: network.h:43
fr_bio_chain
static void fr_bio_chain(fr_bio_t *first, fr_bio_t *second)
Chain one bio after another.
Definition: bio_priv.h:69
next
next
Definition: dcursor.h:178
value
Test enumeration values.
Definition: dict_test.h:92
fr_bio_fd_info
fr_bio_fd_info_t const * fr_bio_fd_info(fr_bio_t *bio)
Returns a pointer to the bio-specific information.
Definition: fd.c:1323
fr_bio_fd_info_t::socket
fr_socket_t socket
as connected socket
Definition: fd.h:111
FR_BIO_FD_ACCEPTED
@ FR_BIO_FD_ACCEPTED
temporarily until it's connected.
Definition: fd.h:68
FR_BIO_FD_CONNECTED
@ FR_BIO_FD_CONNECTED
connected client sockets (UDP or TCP)
Definition: fd.h:65
FR_BIO_FD_UNCONNECTED
@ FR_BIO_FD_UNCONNECTED
unconnected UDP / datagram only
Definition: fd.h:62
FR_BIO_FD_LISTEN
@ FR_BIO_FD_LISTEN
returns new fd in buffer on fr_bio_read() or fr_bio_fd_accept()
Definition: fd.h:66
fr_bio_fd_info_t::type
fr_bio_fd_type_t type
type of the socket
Definition: fd.h:113
fr_bio_fd_packet_ctx_t::socket
fr_socket_t socket
socket information, including FD.
Definition: fd.h:50
fr_bio_fd_info_t
Run-time status of the socket.
Definition: fd.h:110
fr_bio_fd_packet_ctx_t
Per-packet context.
Definition: fd.h:49
my
fr_bio_shutdown & my
Definition: fd_errno.h:59
fr_bio_fd_packet_ctx
#define fr_bio_fd_packet_ctx(_my, _packet_ctx)
Definition: fd_priv.h:59
fr_bio_fd_s
Our FD bio structure.
Definition: fd_priv.h:35
fr_ipaddr_t::prefix
uint8_t prefix
Prefix length - Between 0-32 for IPv4 and 0-128 for IPv6.
Definition: inet.h:69
fr_ipaddr_t
IPv4/6 prefix.
Definition: merged_model.c:272
fr_bio_next_write
ssize_t fr_bio_next_write(fr_bio_t *bio, void *packet_ctx, void const *buffer, size_t size)
Internal bio function which just writes to the "next" bio.
Definition: base.c:74
talloc_free
talloc_free(reap)
ssize_t
long int ssize_t
Definition: merged_model.c:24
fr_assert
fr_assert(0)
fr_trie_alloc
fr_trie_t * fr_trie_alloc(TALLOC_CTX *ctx, fr_trie_key_t get_key, fr_free_t free_data)
Allocate a trie.
Definition: trie.c:741
fr_trie_match_by_key
void * fr_trie_match_by_key(fr_trie_t const *ft, void const *key, size_t keylen)
Match a key and length in a trie and return user ctx, if any.
Definition: trie.c:1286
fr_trie_insert_by_key
int fr_trie_insert_by_key(fr_trie_t *ft, void const *key, size_t keylen, void const *data)
Insert a key and user ctx into a trie.
Definition: trie.c:1875
fr_trie_lookup_by_key
void * fr_trie_lookup_by_key(fr_trie_t const *ft, void const *key, size_t keylen)
Lookup a key in a trie and return user ctx, if any.
Definition: trie.c:1262
fr_trie_s
Definition: trie.c:484
fr_socket_t::af
int af
AF_INET, AF_INET6, or AF_UNIX.
Definition: socket.h:78
fr_strerror_printf
#define fr_strerror_printf(_fmt,...)
Log to thread local error buffer.
Definition: strerror.h:64
fr_strerror_const
#define fr_strerror_const(_msg)
Definition: strerror.h:223
fr_box_ipaddr
#define fr_box_ipaddr(_val)
Definition: value.h:294
Generated by   doxygen 1.9.1