1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2016 Daniel Mack
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
24 #include "alloc-util.h"
25 #include "bpf-firewall.h"
26 #include "extract-word.h"
27 #include "hostname-util.h"
28 #include "ip-address-access.h"
29 #include "parse-util.h"
30 #include "string-util.h"
32 int config_parse_ip_address_access(
37 unsigned section_line
,
44 IPAddressAccessItem
**list
= data
;
50 if (isempty(rvalue
)) {
51 *list
= ip_address_access_free_all(*list
);
58 _cleanup_free_ IPAddressAccessItem
*a
= NULL
;
59 _cleanup_free_
char *word
= NULL
;
61 r
= extract_first_word(&p
, &word
, NULL
, 0);
67 log_syntax(unit
, LOG_WARNING
, filename
, line
, r
, "Invalid syntax, ignoring: %s", rvalue
);
71 a
= new0(IPAddressAccessItem
, 1);
75 if (streq(word
, "any")) {
76 /* "any" is a shortcut for 0.0.0.0/0 and ::/0 */
79 LIST_APPEND(items
, *list
, a
);
81 a
= new0(IPAddressAccessItem
, 1);
87 } else if (is_localhost(word
)) {
88 /* "localhost" is a shortcut for 127.0.0.0/8 and ::1/128 */
91 a
->address
.in
.s_addr
= htobe32(0x7f000000);
93 LIST_APPEND(items
, *list
, a
);
95 a
= new0(IPAddressAccessItem
, 1);
100 a
->address
.in6
= (struct in6_addr
) IN6ADDR_LOOPBACK_INIT
;
103 } else if (streq(word
, "link-local")) {
105 /* "link-local" is a shortcut for 169.254.0.0/16 and fe80::/64 */
108 a
->address
.in
.s_addr
= htobe32((UINT32_C(169) << 24 | UINT32_C(254) << 16));
110 LIST_APPEND(items
, *list
, a
);
112 a
= new0(IPAddressAccessItem
, 1);
116 a
->family
= AF_INET6
;
117 a
->address
.in6
= (struct in6_addr
) {
118 .s6_addr32
[0] = htobe32(0xfe800000)
122 } else if (streq(word
, "multicast")) {
124 /* "multicast" is a shortcut for 224.0.0.0/4 and ff00::/8 */
127 a
->address
.in
.s_addr
= htobe32((UINT32_C(224) << 24));
129 LIST_APPEND(items
, *list
, a
);
131 a
= new0(IPAddressAccessItem
, 1);
135 a
->family
= AF_INET6
;
136 a
->address
.in6
= (struct in6_addr
) {
137 .s6_addr32
[0] = htobe32(0xff000000)
142 r
= in_addr_prefix_from_string_auto(word
, &a
->family
, &a
->address
, &a
->prefixlen
);
144 log_syntax(unit
, LOG_WARNING
, filename
, line
, r
, "Address prefix is invalid, ignoring assignment: %s", word
);
149 LIST_APPEND(items
, *list
, a
);
153 *list
= ip_address_access_reduce(*list
);
156 r
= bpf_firewall_supported();
159 if (r
== BPF_FIREWALL_UNSUPPORTED
) {
160 static bool warned
= false;
162 log_full(warned
? LOG_DEBUG
: LOG_WARNING
,
163 "File %s:%u configures an IP firewall (%s=%s), but the local system does not support BPF/cgroup based firewalling.\n"
164 "Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)", filename
, line
, lvalue
, rvalue
);
173 IPAddressAccessItem
* ip_address_access_free_all(IPAddressAccessItem
*first
) {
174 IPAddressAccessItem
*next
, *p
= first
;
177 next
= p
->items_next
;
186 IPAddressAccessItem
* ip_address_access_reduce(IPAddressAccessItem
*first
) {
187 IPAddressAccessItem
*a
, *b
, *tmp
;
190 /* Drops all entries from the list that are covered by another entry in full, thus removing all redundant
193 LIST_FOREACH_SAFE(items
, a
, tmp
, first
) {
195 /* Drop irrelevant bits */
196 (void) in_addr_mask(a
->family
, &a
->address
, a
->prefixlen
);
198 LIST_FOREACH(items
, b
, first
) {
203 if (a
->family
!= b
->family
)
206 if (b
->prefixlen
> a
->prefixlen
)
209 r
= in_addr_prefix_covers(b
->family
,
214 /* b covers a fully, then let's drop a */
215 LIST_REMOVE(items
, first
, a
);