]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/ip-address-access.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add SPDX license identifiers to source files under the LGPL
[thirdparty/systemd.git] / src / core / ip-address-access.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2 /***
3 This file is part of systemd.
4
5 Copyright 2016 Daniel Mack
6
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
11
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
16
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
19 ***/
20
21 #include <stdio.h>
22 #include <stdlib.h>
23
24 #include "alloc-util.h"
25 #include "bpf-firewall.h"
26 #include "extract-word.h"
27 #include "hostname-util.h"
28 #include "ip-address-access.h"
29 #include "parse-util.h"
30 #include "string-util.h"
31
32 int config_parse_ip_address_access(
33 const char *unit,
34 const char *filename,
35 unsigned line,
36 const char *section,
37 unsigned section_line,
38 const char *lvalue,
39 int ltype,
40 const char *rvalue,
41 void *data,
42 void *userdata) {
43
44 IPAddressAccessItem **list = data;
45 const char *p;
46 int r;
47
48 assert(list);
49
50 if (isempty(rvalue)) {
51 *list = ip_address_access_free_all(*list);
52 return 0;
53 }
54
55 p = rvalue;
56
57 for (;;) {
58 _cleanup_free_ IPAddressAccessItem *a = NULL;
59 _cleanup_free_ char *word = NULL;
60
61 r = extract_first_word(&p, &word, NULL, 0);
62 if (r == 0)
63 break;
64 if (r == -ENOMEM)
65 return log_oom();
66 if (r < 0) {
67 log_syntax(unit, LOG_WARNING, filename, line, r, "Invalid syntax, ignoring: %s", rvalue);
68 break;
69 }
70
71 a = new0(IPAddressAccessItem, 1);
72 if (!a)
73 return log_oom();
74
75 if (streq(word, "any")) {
76 /* "any" is a shortcut for 0.0.0.0/0 and ::/0 */
77
78 a->family = AF_INET;
79 LIST_APPEND(items, *list, a);
80
81 a = new0(IPAddressAccessItem, 1);
82 if (!a)
83 return log_oom();
84
85 a->family = AF_INET6;
86
87 } else if (is_localhost(word)) {
88 /* "localhost" is a shortcut for 127.0.0.0/8 and ::1/128 */
89
90 a->family = AF_INET;
91 a->address.in.s_addr = htobe32(0x7f000000);
92 a->prefixlen = 8;
93 LIST_APPEND(items, *list, a);
94
95 a = new0(IPAddressAccessItem, 1);
96 if (!a)
97 return log_oom();
98
99 a->family = AF_INET6;
100 a->address.in6 = (struct in6_addr) IN6ADDR_LOOPBACK_INIT;
101 a->prefixlen = 128;
102
103 } else if (streq(word, "link-local")) {
104
105 /* "link-local" is a shortcut for 169.254.0.0/16 and fe80::/64 */
106
107 a->family = AF_INET;
108 a->address.in.s_addr = htobe32((UINT32_C(169) << 24 | UINT32_C(254) << 16));
109 a->prefixlen = 16;
110 LIST_APPEND(items, *list, a);
111
112 a = new0(IPAddressAccessItem, 1);
113 if (!a)
114 return log_oom();
115
116 a->family = AF_INET6;
117 a->address.in6 = (struct in6_addr) {
118 .s6_addr32[0] = htobe32(0xfe800000)
119 };
120 a->prefixlen = 64;
121
122 } else if (streq(word, "multicast")) {
123
124 /* "multicast" is a shortcut for 224.0.0.0/4 and ff00::/8 */
125
126 a->family = AF_INET;
127 a->address.in.s_addr = htobe32((UINT32_C(224) << 24));
128 a->prefixlen = 4;
129 LIST_APPEND(items, *list, a);
130
131 a = new0(IPAddressAccessItem, 1);
132 if (!a)
133 return log_oom();
134
135 a->family = AF_INET6;
136 a->address.in6 = (struct in6_addr) {
137 .s6_addr32[0] = htobe32(0xff000000)
138 };
139 a->prefixlen = 8;
140
141 } else {
142 r = in_addr_prefix_from_string_auto(word, &a->family, &a->address, &a->prefixlen);
143 if (r < 0) {
144 log_syntax(unit, LOG_WARNING, filename, line, r, "Address prefix is invalid, ignoring assignment: %s", word);
145 return 0;
146 }
147 }
148
149 LIST_APPEND(items, *list, a);
150 a = NULL;
151 }
152
153 *list = ip_address_access_reduce(*list);
154
155 if (*list) {
156 r = bpf_firewall_supported();
157 if (r < 0)
158 return r;
159 if (r == 0) {
160 static bool warned = false;
161
162 log_full(warned ? LOG_DEBUG : LOG_WARNING,
163 "File %s:%u configures an IP firewall (%s=%s), but the local system does not support BPF/cgroup based firewalling.\n"
164 "Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)", filename, line, lvalue, rvalue);
165
166 warned = true;
167 }
168 }
169
170 return 0;
171 }
172
173 IPAddressAccessItem* ip_address_access_free_all(IPAddressAccessItem *first) {
174 IPAddressAccessItem *next, *p = first;
175
176 while (p) {
177 next = p->items_next;
178 free(p);
179
180 p = next;
181 }
182
183 return NULL;
184 }
185
186 IPAddressAccessItem* ip_address_access_reduce(IPAddressAccessItem *first) {
187 IPAddressAccessItem *a, *b, *tmp;
188 int r;
189
190 /* Drops all entries from the list that are covered by another entry in full, thus removing all redundant
191 * entries. */
192
193 LIST_FOREACH_SAFE(items, a, tmp, first) {
194
195 /* Drop irrelevant bits */
196 (void) in_addr_mask(a->family, &a->address, a->prefixlen);
197
198 LIST_FOREACH(items, b, first) {
199
200 if (a == b)
201 continue;
202
203 if (a->family != b->family)
204 continue;
205
206 if (b->prefixlen > a->prefixlen)
207 continue;
208
209 r = in_addr_prefix_covers(b->family,
210 &b->address,
211 b->prefixlen,
212 &a->address);
213 if (r <= 0)
214 continue;
215
216 /* b covers a fully, then let's drop a */
217
218 LIST_REMOVE(items, first, a);
219 free(a);
220 }
221 }
222
223 return first;
224 }
Unnamed repository; edit this file 'description' to name the repository.