From 9fad3ecb9215a0034bf407f192926b04cb5efaed Mon Sep 17 00:00:00 2001 From: danieldg Date: Sat, 24 Oct 2009 20:04:05 +0000 Subject: Create irc::sockets::cidr_mask git-svn-id: http://svn.inspircd.org/repository/trunk/inspircd@11968 e03df62e-2008-0410-955e-edbf42e46eb7 --- src/cidr.cpp | 95 +------------------ src/modules/m_clones.cpp | 2 +- src/modules/m_connectban.cpp | 8 +- src/modules/m_spanningtree/utils.cpp | 31 ++----- src/socket.cpp | 175 +++++++++++++++++++++++++---------- src/usermanager.cpp | 2 - src/users.cpp | 4 +- 7 files changed, 148 insertions(+), 169 deletions(-) (limited to 'src') diff --git a/src/cidr.cpp b/src/cidr.cpp index d38056b02..31101836c 100644 --- a/src/cidr.cpp +++ b/src/cidr.cpp @@ -31,32 +31,6 @@ const unsigned char inverted_bits[8] = { 0x00, /* 00000000 - 0 bits - never actu }; -/* Match raw bytes using CIDR bit matching, used by higher level MatchCIDR() */ -bool irc::sockets::MatchCIDRBits(const unsigned char* address, const unsigned char* mask, unsigned int mask_bits) -{ - unsigned int divisor = mask_bits / 8; /* Number of whole bytes in the mask */ - unsigned int modulus = mask_bits % 8; /* Remaining bits in the mask after whole bytes are dealt with */ - - /* First (this is faster) compare the odd bits with logic ops */ - if (modulus) - if ((address[divisor] & inverted_bits[modulus]) != (mask[divisor] & inverted_bits[modulus])) - /* If they dont match, return false */ - return false; - - /* Secondly (this is slower) compare the whole bytes */ - if (memcmp(address, mask, divisor)) - return false; - - /* The address matches the mask, to mask_bits bits of mask */ - return true; -} - -/* Match CIDR, but dont attempt to match() against leading *!*@ sections */ -bool irc::sockets::MatchCIDR(const std::string &address, const std::string &cidr_mask) -{ - return MatchCIDR(address, cidr_mask, false); -} - /* Match CIDR strings, e.g. 127.0.0.1 to 127.0.0.0/8 or 3ffe:1:5:6::8 to 3ffe:1::0/32 * If you have a lot of hosts to match, youre probably better off building your mask once * and then using the lower level MatchCIDRBits directly. @@ -66,10 +40,6 @@ bool irc::sockets::MatchCIDR(const std::string &address, const std::string &cidr */ bool irc::sockets::MatchCIDR(const std::string &address, const std::string &cidr_mask, bool match_with_username) { - unsigned char addr_raw[16]; - unsigned char mask_raw[16]; - unsigned int bits = 0; - std::string address_copy; std::string cidr_copy; @@ -105,69 +75,14 @@ bool irc::sockets::MatchCIDR(const std::string &address, const std::string &cidr cidr_copy.assign(cidr_mask); } - in_addr address_in4; - in_addr mask_in4; - - std::string::size_type bits_chars = cidr_copy.rfind('/'); - - if (bits_chars != std::string::npos) - { - bits = atoi(cidr_copy.substr(bits_chars + 1).c_str()); - cidr_copy.erase(bits_chars, cidr_copy.length() - bits_chars); - } - else - { - /* No 'number of bits' field! */ - return false; - } - - in6_addr address_in6; - in6_addr mask_in6; - - if (inet_pton(AF_INET6, address_copy.c_str(), &address_in6) > 0) - { - if (inet_pton(AF_INET6, cidr_copy.c_str(), &mask_in6) > 0) - { - memcpy(&addr_raw, &address_in6.s6_addr, 16); - memcpy(&mask_raw, &mask_in6.s6_addr, 16); + irc::sockets::sockaddrs addr; + irc::sockets::aptosa(address_copy, 0, addr); - if (bits > 128) - bits = 128; - } - else - { - /* The address was valid ipv6, but the mask - * that goes with it wasnt. - */ - return false; - } - } - else if (inet_pton(AF_INET, address_copy.c_str(), &address_in4) > 0) - { - if (inet_pton(AF_INET, cidr_copy.c_str(), &mask_in4) > 0) - { - memcpy(&addr_raw, &address_in4.s_addr, 4); - memcpy(&mask_raw, &mask_in4.s_addr, 4); + irc::sockets::cidr_mask mask(cidr_copy); + irc::sockets::cidr_mask mask2(addr, mask.length); - if (bits > 32) - bits = 32; - } - else - { - /* The address was valid ipv4, - * but the mask that went with it wasnt. - */ - return false; - } - } - else - { - /* The address was neither ipv4 or ipv6 */ - return false; - } + return mask == mask2; - /* Low-level-match the bits in the raw data */ - return MatchCIDRBits(addr_raw, mask_raw, bits); } diff --git a/src/modules/m_clones.cpp b/src/modules/m_clones.cpp index fac64f356..09aa1043b 100644 --- a/src/modules/m_clones.cpp +++ b/src/modules/m_clones.cpp @@ -46,7 +46,7 @@ class CommandClones : public Command for (clonemap::iterator x = ServerInstance->Users->global_clones.begin(); x != ServerInstance->Users->global_clones.end(); x++) { if (x->second >= limit) - user->WriteServ(clonesstr + " "+ ConvToStr(x->second) + " " + assign(x->first)); + user->WriteServ(clonesstr + " "+ ConvToStr(x->second) + " " + x->first.str()); } user->WriteServ(clonesstr + " END"); diff --git a/src/modules/m_connectban.cpp b/src/modules/m_connectban.cpp index 735f3da99..276962b2d 100644 --- a/src/modules/m_connectban.cpp +++ b/src/modules/m_connectban.cpp @@ -81,7 +81,7 @@ class ModuleConnectBan : public Module break; } - irc::string mask = assign(irc::sockets::mask(u->client_sa, range)); + irc::sockets::cidr_mask mask(u->client_sa, range); i = connects.find(mask); if (i != connects.end()) @@ -91,15 +91,15 @@ class ModuleConnectBan : public Module if (i->second >= threshold) { // Create zline for set duration. - ZLine* zl = new ZLine(ServerInstance->Time(), banduration, ServerInstance->Config->ServerName.c_str(), "Connect flooding", mask.c_str()); + ZLine* zl = new ZLine(ServerInstance->Time(), banduration, ServerInstance->Config->ServerName.c_str(), "Connect flooding", mask.str().c_str()); if (ServerInstance->XLines->AddLine(zl,NULL)) ServerInstance->XLines->ApplyLines(); else delete zl; ServerInstance->SNO->WriteGlobalSno('x',"Module m_connectban added Z:line on *@%s to expire on %s: Connect flooding", - mask.c_str(), ServerInstance->TimeString(zl->expiry).c_str()); - ServerInstance->SNO->WriteGlobalSno('a', "Connect flooding from IP range %s (%d)", mask.c_str(), threshold); + mask.str().c_str(), ServerInstance->TimeString(zl->expiry).c_str()); + ServerInstance->SNO->WriteGlobalSno('a', "Connect flooding from IP range %s (%d)", mask.str().c_str(), threshold); connects.erase(i); } } diff --git a/src/modules/m_spanningtree/utils.cpp b/src/modules/m_spanningtree/utils.cpp index 723ff9352..da3417de9 100644 --- a/src/modules/m_spanningtree/utils.cpp +++ b/src/modules/m_spanningtree/utils.cpp @@ -29,34 +29,19 @@ ModResult ModuleSpanningTree::OnAcceptConnection(int newsock, ListenSocket* from if (from->bind_tag->getString("type") != "servers") return MOD_RES_PASSTHRU; - bool found = false; - int port; - std::string incomingip; - irc::sockets::satoap(*client, incomingip, port); + std::string incomingip = client->addr(); - found = (std::find(Utils->ValidIPs.begin(), Utils->ValidIPs.end(), incomingip) != Utils->ValidIPs.end()); - if (!found) + for (std::vector::iterator i = Utils->ValidIPs.begin(); i != Utils->ValidIPs.end(); i++) { - for (std::vector::iterator i = Utils->ValidIPs.begin(); i != Utils->ValidIPs.end(); i++) + if (*i == "*" || *i == incomingip || irc::sockets::cidr_mask(*i).match(*client)) { - if (*i == "*" || irc::sockets::MatchCIDR(incomingip, *i)) - { - found = true; - break; - } - } - - if (!found) - { - ServerInstance->SNO->WriteToSnoMask('l', "Server connection from %s denied (no link blocks with that IP address)", incomingip.c_str()); - return MOD_RES_DENY; + /* we don't need to do anything with the pointer, creating it stores it in the necessary places */ + new TreeSocket(Utils, newsock, from, client, server); + return MOD_RES_ALLOW; } } - - /* we don't need to do anything with the pointer, creating it stores it in the necessary places */ - - new TreeSocket(Utils, newsock, from, client, server); - return MOD_RES_ALLOW; + ServerInstance->SNO->WriteToSnoMask('l', "Server connection from %s denied (no link blocks with that IP address)", incomingip.c_str()); + return MOD_RES_DENY; } /** Yay for fast searches! diff --git a/src/socket.cpp b/src/socket.cpp index a92343d91..ef81542e1 100644 --- a/src/socket.cpp +++ b/src/socket.cpp @@ -11,8 +11,6 @@ * --------------------------------------------------- */ -/* $Core */ - #include "inspircd.h" #include "socket.h" #include "socketengine.h" @@ -203,59 +201,71 @@ bool irc::sockets::aptosa(const std::string& addr, int port, irc::sockets::socka return false; } -bool irc::sockets::satoap(const irc::sockets::sockaddrs& sa, std::string& addr, int &port) +int irc::sockets::sockaddrs::port() const +{ + if (sa.sa_family == AF_INET) + return ntohs(in4.sin_port); + if (sa.sa_family == AF_INET6) + return ntohs(in6.sin6_port); + return -1; +} + +std::string irc::sockets::sockaddrs::addr() const { char addrv[INET6_ADDRSTRLEN+1]; - if (sa.sa.sa_family == AF_INET) + if (sa.sa_family == AF_INET) { - if (!inet_ntop(AF_INET, &sa.in4.sin_addr, addrv, sizeof(addrv))) - return false; - addr = addrv; - port = ntohs(sa.in4.sin_port); - return true; + if (!inet_ntop(AF_INET, &in4.sin_addr, addrv, sizeof(addrv))) + return ""; + return addrv; } - else if (sa.sa.sa_family == AF_INET6) + else if (sa.sa_family == AF_INET6) { - if (!inet_ntop(AF_INET6, &sa.in6.sin6_addr, addrv, sizeof(addrv))) - return false; - addr = addrv; - port = ntohs(sa.in6.sin6_port); - return true; + if (!inet_ntop(AF_INET6, &in6.sin6_addr, addrv, sizeof(addrv))) + return ""; + return addrv; } - return false; + return ""; +} + +bool irc::sockets::satoap(const irc::sockets::sockaddrs& sa, std::string& addr, int &port) +{ + port = sa.port(); + addr = sa.addr(); + return !addr.empty(); } static const char all_zero[16] = {0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0 }; -std::string irc::sockets::satouser(const irc::sockets::sockaddrs& sa) +std::string irc::sockets::sockaddrs::str() const { char buffer[MAXBUF]; - if (sa.sa.sa_family == AF_INET) + if (sa.sa_family == AF_INET) { - if (sa.in4.sin_addr.s_addr == 0) + if (in4.sin_addr.s_addr == 0) { - sprintf(buffer, "*:%u", ntohs(sa.in4.sin_port)); + sprintf(buffer, "*:%u", ntohs(in4.sin_port)); } else { - const uint8_t* bits = reinterpret_cast(&sa.in4.sin_addr); - sprintf(buffer, "%d.%d.%d.%d:%u", bits[0], bits[1], bits[2], bits[3], ntohs(sa.in4.sin_port)); + const uint8_t* bits = reinterpret_cast(&in4.sin_addr); + sprintf(buffer, "%d.%d.%d.%d:%u", bits[0], bits[1], bits[2], bits[3], ntohs(in4.sin_port)); } } - else if (sa.sa.sa_family == AF_INET6) + else if (sa.sa_family == AF_INET6) { - if (!memcmp(all_zero, &sa.in6.sin6_addr, 16)) + if (!memcmp(all_zero, &in6.sin6_addr, 16)) { - sprintf(buffer, "*:%u", ntohs(sa.in6.sin6_port)); + sprintf(buffer, "*:%u", ntohs(in6.sin6_port)); } else { buffer[0] = '['; - if (!inet_ntop(AF_INET6, &sa.in6.sin6_addr, buffer+1, MAXBUF - 10)) + if (!inet_ntop(AF_INET6, &in6.sin6_addr, buffer+1, MAXBUF - 10)) return ""; // should never happen, buffer is large enough int len = strlen(buffer); // no need for snprintf, buffer has at least 9 chars left, max short len = 5 - sprintf(buffer + len, "]:%u", ntohs(sa.in6.sin6_port)); + sprintf(buffer + len, "]:%u", ntohs(in6.sin6_port)); } } else @@ -263,41 +273,112 @@ std::string irc::sockets::satouser(const irc::sockets::sockaddrs& sa) return std::string(buffer); } -int irc::sockets::sa_size(const irc::sockets::sockaddrs& sa) +int irc::sockets::sockaddrs::sa_size() const { - if (sa.sa.sa_family == AF_INET) - return sizeof(sa.in4); - if (sa.sa.sa_family == AF_INET6) - return sizeof(sa.in6); + if (sa.sa_family == AF_INET) + return sizeof(in4); + if (sa.sa_family == AF_INET6) + return sizeof(in6); return 0; } -std::string irc::sockets::mask(irc::sockets::sockaddrs sa, unsigned int range) +static void sa2cidr(const irc::sockets::sockaddrs& sa, irc::sockets::cidr_mask& cidr, int range) { + const unsigned char* base; + cidr.type = sa.sa.sa_family; + if (cidr.type == AF_INET) + { + base = (unsigned char*)&sa.in4.sin_addr; + if (range > 32) + range = 32; + } + else if (cidr.type == AF_INET6) + { + base = (unsigned char*)&sa.in6.sin6_addr; + if (range > 128) + range = 128; + } + else + { + base = (unsigned char*)""; + range = 0; + } + cidr.length = range; + unsigned int border = range / 8; + unsigned int bitmask = (0xFF00 >> (range & 7)) & 0xFF; + for(unsigned int i=0; i < 16; i++) + { + if (i < border) + cidr.bits[i] = base[i]; + else if (i == border) + cidr.bits[i] = base[i] & bitmask; + else + cidr.bits[i] = 0; + } +} + +irc::sockets::cidr_mask::cidr_mask(const irc::sockets::sockaddrs& sa, int range) +{ + sa2cidr(sa, *this, range); +} + +irc::sockets::cidr_mask::cidr_mask(const std::string& mask) +{ + std::string::size_type bits_chars = mask.rfind('/'); + irc::sockets::sockaddrs sa; + + if (bits_chars == std::string::npos) + { + irc::sockets::aptosa(mask, 0, sa); + sa2cidr(sa, *this, 128); + } + else + { + int range = atoi(mask.substr(bits_chars + 1).c_str()); + irc::sockets::aptosa(mask.substr(0, bits_chars), 0, sa); + sa2cidr(sa, *this, range); + } +} + +std::string irc::sockets::cidr_mask::str() const +{ + irc::sockets::sockaddrs sa; + sa.sa.sa_family = type; unsigned char* base; - unsigned int len; - if (sa.sa.sa_family == AF_INET) + int len; + if (type == AF_INET) { base = (unsigned char*)&sa.in4.sin_addr; len = 4; } - else if (sa.sa.sa_family == AF_INET6) + else if (type == AF_INET6) { base = (unsigned char*)&sa.in6.sin6_addr; len = 16; } else return ""; - if (range > 8*len) - range = 8*len; - unsigned int byte = range / 8; - unsigned int bits = (-1 << (range & 7)); - base[byte++] &= bits; - while (byte < len) - base[byte++] = 0; - int dummy; - std::string rv; - irc::sockets::satoap(sa, rv, dummy); - return rv + "/" + ConvToStr(range); + memcpy(base, bits, len); + return sa.addr() + "/" + ConvToStr(length); +} + +bool irc::sockets::cidr_mask::operator==(const cidr_mask& other) const +{ + return type == other.type && length == other.length && + 0 == memcmp(bits, other.bits, 16); +} + +bool irc::sockets::cidr_mask::operator<(const cidr_mask& other) const +{ + return type < other.type || length < other.length || + memcmp(bits, other.bits, 16) < 0; +} + +bool irc::sockets::cidr_mask::match(const irc::sockets::sockaddrs& addr) const +{ + if (addr.sa.sa_family != type) + return false; + irc::sockets::cidr_mask tmp(addr, length); + return tmp == *this; } diff --git a/src/usermanager.cpp b/src/usermanager.cpp index 577d52f67..06d6ad1cd 100644 --- a/src/usermanager.cpp +++ b/src/usermanager.cpp @@ -11,8 +11,6 @@ * --------------------------------------------------- */ -/* $Core */ - #include "inspircd.h" #include "xline.h" #include "bancache.h" diff --git a/src/users.cpp b/src/users.cpp index 424484b8c..cf2d11a0a 100644 --- a/src/users.cpp +++ b/src/users.cpp @@ -965,7 +965,7 @@ const char* User::GetIPString() return cachedip.c_str(); } -irc::string User::GetCIDRMask() +irc::sockets::cidr_mask User::GetCIDRMask() { int range = 0; switch (client_sa.sa.sa_family) @@ -977,7 +977,7 @@ irc::string User::GetCIDRMask() range = ServerInstance->Config->c_ipv4_range; break; } - return assign(irc::sockets::mask(client_sa, range)); + return irc::sockets::cidr_mask(client_sa, range); } bool User::SetClientIP(const char* sip) -- cgit v1.2.3