added flags for whitelist/blacklist checks in isAddressAccepted()

git-svn-id: http://svn.code.sf.net/p/retroshare/code/trunk@8317 b45a01b8-16f6-495d-af2f-9b41ad6348cc
2024-10-01 02:35:48 -04:00 · 2015-05-30 09:29:43 +00:00 · 2015-05-30 09:29:43 +00:00 · e80c366393
commit e80c366393
parent 20a2d42038
4 changed files with 56 additions and 7 deletions
--- a/libretroshare/src/pqi/pqissl.cc
+++ b/libretroshare/src/pqi/pqissl.cc
@ -1311,9 +1311,11 @@ int 	pqissl::Authorise_SSL_Connection()
    bool res = AuthSSL::getAuthSSL()->CheckCertificate(PeerId(), peercert);
 	bool certCorrect = true; /* WE know it okay already! */

-    if(!rsBanList->isAddressAccepted(remote_addr))
+    uint32_t check_result ;
+
+    if(!rsBanList->isAddressAccepted(remote_addr,RSBANLIST_CHECKING_FLAGS_BLACKLIST,check_result))
    {
-        std::cerr << "(SS) connection attempt from banned IP address. Refusing it. Attack??" << std::endl;
+        std::cerr << "(SS) connection attempt from banned IP address. Refusing it. Reason: " << check_result << ". Attack??" << std::endl;
    reset_locked();
    return 0 ;
    }
@ -1357,9 +1359,12 @@ int	pqissl::accept(SSL *ssl, int fd, const struct sockaddr_storage &foreign_addr

 int	pqissl::accept_locked(SSL *ssl, int fd, const struct sockaddr_storage &foreign_addr) // initiate incoming connection.
 {
-    if(!rsBanList->isAddressAccepted(foreign_addr))
+    uint32_t check_result;
+
+    if(!rsBanList->isAddressAccepted(foreign_addr,RSBANLIST_CHECKING_FLAGS_BLACKLIST,check_result))
    {
-        std::cerr << "(SS) refusing incoming SSL connection from blacklisted foreign address " << sockaddr_storage_iptostring(foreign_addr) << std::endl;
+        std::cerr << "(SS) refusing incoming SSL connection from blacklisted foreign address " << sockaddr_storage_iptostring(foreign_addr)
+              << ". Reason: " << check_result << "." << std::endl;
            reset_locked();
        return -1;
    }
--- a/libretroshare/src/retroshare/rsbanlist.h
+++ b/libretroshare/src/retroshare/rsbanlist.h
@ -40,6 +40,20 @@ extern RsBanList *rsBanList ;
 #define RSBANLIST_REASON_DHT		2
 #define RSBANLIST_REASON_AUTO_RANGE     3

+// These are flags. Can be combined.
+
+#define RSBANLIST_CHECKING_FLAGS_NONE   	0x00
+#define RSBANLIST_CHECKING_FLAGS_BLACKLIST   	0x01
+#define RSBANLIST_CHECKING_FLAGS_WHITELIST   	0x02
+
+// These are not flags. Cannot be combined. Used to give the reson for acceptance/denial of connections.
+
+#define RSBANLIST_CHECK_RESULT_UNKNOWN  	0x00
+#define RSBANLIST_CHECK_RESULT_NOCHECK  	0x01
+#define RSBANLIST_CHECK_RESULT_BLACKLISTED  	0x02
+#define RSBANLIST_CHECK_RESULT_NOT_WHITELISTED  0x03
+#define RSBANLIST_CHECK_RESULT_ACCEPTED     	0x04
+
 class RsTlvBanListEntry ;

 class BanListPeer
@ -68,7 +82,7 @@ public:

    virtual void addIpRange(const struct sockaddr_storage& addr,int masked_bytes,const std::string& comment) =0;

-    virtual bool isAddressAccepted(const struct sockaddr_storage& addr) =0;
+    virtual bool isAddressAccepted(const struct sockaddr_storage& addr,uint32_t checking_flags,uint32_t& check_result) =0;
    virtual void getListOfBannedIps(std::list<BanListPeer>& list) =0;

    virtual bool autoRangeEnabled() =0;
--- a/libretroshare/src/services/p3banlist.cc
+++ b/libretroshare/src/services/p3banlist.cc
@ -33,6 +33,7 @@
 #include "serialiser/rsbanlistitems.h"
 #include "serialiser/rsconfigitems.h"
 #include "retroshare/rsdht.h"
+#include "retroshare/rsbanlist.h"

 #include <sys/time.h>

@ -230,8 +231,10 @@ void p3BanList::autoFigureOutBanRanges()
    condenseBanSources_locked() ;
 }

-bool p3BanList::isAddressAccepted(const sockaddr_storage &addr)
+bool p3BanList::isAddressAccepted(const sockaddr_storage &addr, uint32_t checking_flags,uint32_t& check_result)
 {
+    check_result = RSBANLIST_CHECK_RESULT_NOCHECK ;
+
    if(!mIPFilteringEnabled)
        return true ;

@ -240,9 +243,31 @@ bool p3BanList::isAddressAccepted(const sockaddr_storage &addr)
    sockaddr_storage addr_24 = makeBitsRange(addr,1) ;
    sockaddr_storage addr_16 = makeBitsRange(addr,2) ;

+    if(checking_flags & RSBANLIST_CHECKING_FLAGS_WHITELIST)
+    {
+        bool found = false ;
+
+        found = found || (mWhiteListedRanges.find(addr   ) != mWhiteListedRanges.end()) ;
+        found = found || (mWhiteListedRanges.find(addr_16) != mWhiteListedRanges.end()) ;
+        found = found || (mWhiteListedRanges.find(addr_24) != mWhiteListedRanges.end()) ;
+
+        if(found)
+        {
+            check_result = RSBANLIST_CHECK_RESULT_ACCEPTED ;
+            return true ;
+        }
+        else
+        {
+            check_result = RSBANLIST_CHECK_RESULT_NOT_WHITELISTED ;
+            return false ;
+        }
+    }
+
 #ifdef DEBUG_BANLIST
    std::cerr << "p3BanList::isAddressAccepted() testing " << sockaddr_storage_iptostring(addr) << " and range " << sockaddr_storage_iptostring(addr_24) ;
 #endif
+    if(!(checking_flags & RSBANLIST_CHECKING_FLAGS_BLACKLIST))
+        return true;

    std::map<sockaddr_storage,BanListPeer>::iterator it ;

@ -252,6 +277,7 @@ bool p3BanList::isAddressAccepted(const sockaddr_storage &addr)
 #ifdef DEBUG_BANLIST
        std::cerr << " returning false. attempts=" << it->second.connect_attempts << std::endl;
 #endif
+    check_result = RSBANLIST_CHECK_RESULT_BLACKLISTED ;
        return false ;
    }

@ -261,6 +287,7 @@ bool p3BanList::isAddressAccepted(const sockaddr_storage &addr)
 #ifdef DEBUG_BANLIST
        std::cerr << " returning false. attempts=" << it->second.connect_attempts << std::endl;
 #endif
+    check_result = RSBANLIST_CHECK_RESULT_BLACKLISTED ;
        return false ;
    }

@ -270,12 +297,14 @@ bool p3BanList::isAddressAccepted(const sockaddr_storage &addr)
 #ifdef DEBUG_BANLIST
        std::cerr << " returning false. attempts=" << it->second.connect_attempts << std::endl;
 #endif
+    check_result = RSBANLIST_CHECK_RESULT_BLACKLISTED ;
        return false ;
    }

 #ifdef DEBUG_BANLIST
    std::cerr << " returning true " << std::endl;
 #endif
+    check_result = RSBANLIST_CHECK_RESULT_ACCEPTED ;
    return true ;
 }

--- a/libretroshare/src/services/p3banlist.h
+++ b/libretroshare/src/services/p3banlist.h
@ -61,7 +61,7 @@ public:

    /***** overloaded from RsBanList *****/

-    virtual bool isAddressAccepted(const struct sockaddr_storage& addr) ;
+    virtual bool isAddressAccepted(const struct sockaddr_storage& addr, uint32_t checking_flags,uint32_t& check_result) ;
    virtual void getListOfBannedIps(std::list<BanListPeer>& list) ;

    virtual void addIpRange(const struct sockaddr_storage& addr,int masked_bytes,const std::string& comment) ;
@ -139,6 +139,7 @@ private:
    std::map<RsPeerId, BanList> mBanSources;
    std::map<struct sockaddr_storage, BanListPeer> mBanSet;
    std::map<struct sockaddr_storage, BanListPeer> mBanRanges;
+    std::map<struct sockaddr_storage, BanListPeer> mWhiteListedRanges;

    p3ServiceControl *mServiceCtrl;
    p3NetMgr *mNetMgr;