added flags for whitelist/blacklist checks in isAddressAccepted()
git-svn-id: http://svn.code.sf.net/p/retroshare/code/trunk@8317 b45a01b8-16f6-495d-af2f-9b41ad6348cc
This commit is contained in:
parent
20a2d42038
commit
e80c366393
@ -1311,9 +1311,11 @@ int pqissl::Authorise_SSL_Connection()
|
|||||||
bool res = AuthSSL::getAuthSSL()->CheckCertificate(PeerId(), peercert);
|
bool res = AuthSSL::getAuthSSL()->CheckCertificate(PeerId(), peercert);
|
||||||
bool certCorrect = true; /* WE know it okay already! */
|
bool certCorrect = true; /* WE know it okay already! */
|
||||||
|
|
||||||
if(!rsBanList->isAddressAccepted(remote_addr))
|
uint32_t check_result ;
|
||||||
|
|
||||||
|
if(!rsBanList->isAddressAccepted(remote_addr,RSBANLIST_CHECKING_FLAGS_BLACKLIST,check_result))
|
||||||
{
|
{
|
||||||
std::cerr << "(SS) connection attempt from banned IP address. Refusing it. Attack??" << std::endl;
|
std::cerr << "(SS) connection attempt from banned IP address. Refusing it. Reason: " << check_result << ". Attack??" << std::endl;
|
||||||
reset_locked();
|
reset_locked();
|
||||||
return 0 ;
|
return 0 ;
|
||||||
}
|
}
|
||||||
@ -1357,9 +1359,12 @@ int pqissl::accept(SSL *ssl, int fd, const struct sockaddr_storage &foreign_addr
|
|||||||
|
|
||||||
int pqissl::accept_locked(SSL *ssl, int fd, const struct sockaddr_storage &foreign_addr) // initiate incoming connection.
|
int pqissl::accept_locked(SSL *ssl, int fd, const struct sockaddr_storage &foreign_addr) // initiate incoming connection.
|
||||||
{
|
{
|
||||||
if(!rsBanList->isAddressAccepted(foreign_addr))
|
uint32_t check_result;
|
||||||
|
|
||||||
|
if(!rsBanList->isAddressAccepted(foreign_addr,RSBANLIST_CHECKING_FLAGS_BLACKLIST,check_result))
|
||||||
{
|
{
|
||||||
std::cerr << "(SS) refusing incoming SSL connection from blacklisted foreign address " << sockaddr_storage_iptostring(foreign_addr) << std::endl;
|
std::cerr << "(SS) refusing incoming SSL connection from blacklisted foreign address " << sockaddr_storage_iptostring(foreign_addr)
|
||||||
|
<< ". Reason: " << check_result << "." << std::endl;
|
||||||
reset_locked();
|
reset_locked();
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
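Review bot: Both new call sites, in pqissl::Authorise_SSL_Connection and pqissl::accept_locked, hard-code RSBANLIST_CHECKING_FLAGS_BLACKLIST, so the whitelist this commit introduces is never consulted on the SSL authorise/accept path; whether whitelist enforcement applies should be a p3BanList policy rather than a per-call-site constant, and at minimum the choice deserves a comment such as `// Blacklist-only here: whitelist enforcement, if enabled, is a p3BanList policy, not a per-connection choice`. The refusal messages print `check_result` as a bare integer ("Reason: 2"), which is of little use to an operator reading the log; a small reason-to-string helper shared by both sites would also remove the duplicated lookup-and-log sequence. Both enclosing functions continue outside the visible hunks.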
@ -40,6 +40,20 @@ extern RsBanList *rsBanList ;
|
|||||||
#define RSBANLIST_REASON_DHT 2
|
#define RSBANLIST_REASON_DHT 2
|
||||||
#define RSBANLIST_REASON_AUTO_RANGE 3
|
#define RSBANLIST_REASON_AUTO_RANGE 3
|
||||||
|
|
||||||
|
// These are flags. Can be combined.
|
||||||
|
|
||||||
|
#define RSBANLIST_CHECKING_FLAGS_NONE 0x00
|
||||||
|
#define RSBANLIST_CHECKING_FLAGS_BLACKLIST 0x01
|
||||||
|
#define RSBANLIST_CHECKING_FLAGS_WHITELIST 0x02
|
||||||
|
|
||||||
|
// These are not flags. Cannot be combined. Used to give the reson for acceptance/denial of connections.
|
||||||
|
|
||||||
|
#define RSBANLIST_CHECK_RESULT_UNKNOWN 0x00
|
||||||
|
#define RSBANLIST_CHECK_RESULT_NOCHECK 0x01
|
||||||
|
#define RSBANLIST_CHECK_RESULT_BLACKLISTED 0x02
|
||||||
|
#define RSBANLIST_CHECK_RESULT_NOT_WHITELISTED 0x03
|
||||||
|
#define RSBANLIST_CHECK_RESULT_ACCEPTED 0x04
|
||||||
|
|
||||||
class RsTlvBanListEntry ;
|
class RsTlvBanListEntry ;
|
||||||
|
|
||||||
class BanListPeer
|
class BanListPeer
|
||||||
@ -68,7 +82,7 @@ public:
|
|||||||
|
|
||||||
virtual void addIpRange(const struct sockaddr_storage& addr,int masked_bytes,const std::string& comment) =0;
|
virtual void addIpRange(const struct sockaddr_storage& addr,int masked_bytes,const std::string& comment) =0;
|
||||||
|
|
||||||
virtual bool isAddressAccepted(const struct sockaddr_storage& addr) =0;
|
virtual bool isAddressAccepted(const struct sockaddr_storage& addr,uint32_t checking_flags,uint32_t& check_result) =0;
|
||||||
virtual void getListOfBannedIps(std::list<BanListPeer>& list) =0;
|
virtual void getListOfBannedIps(std::list<BanListPeer>& list) =0;
|
||||||
|
|
||||||
virtual bool autoRangeEnabled() =0;
|
virtual bool autoRangeEnabled() =0;
|
||||||
|
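Review bot: The new pure-virtual `isAddressAccepted(addr, checking_flags, check_result)` carries no documentation of its contract, and the flags and result codes are untyped macros, so nothing stops a caller passing a RSBANLIST_CHECK_RESULT_* where a flag is expected. I would add above the declaration: `// checking_flags: OR of RSBANLIST_CHECKING_FLAGS_*. check_result is always written with one RSBANLIST_CHECK_RESULT_* value; with WHITELIST set, an address that is not whitelisted is refused before the blacklist is consulted.` The CHECK_RESULT values also reuse the numeric range of the unrelated RSBANLIST_REASON_* constants just above (2 and 3 exist in both sets), which an enum would keep apart. The comment introducing the result codes has a typo, `reson` for `reason`.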
@ -33,6 +33,7 @@
|
|||||||
#include "serialiser/rsbanlistitems.h"
|
#include "serialiser/rsbanlistitems.h"
|
||||||
#include "serialiser/rsconfigitems.h"
|
#include "serialiser/rsconfigitems.h"
|
||||||
#include "retroshare/rsdht.h"
|
#include "retroshare/rsdht.h"
|
||||||
|
#include "retroshare/rsbanlist.h"
|
||||||
|
|
||||||
#include <sys/time.h>
|
#include <sys/time.h>
|
||||||
|
|
||||||
@ -230,8 +231,10 @@ void p3BanList::autoFigureOutBanRanges()
|
|||||||
condenseBanSources_locked() ;
|
condenseBanSources_locked() ;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool p3BanList::isAddressAccepted(const sockaddr_storage &addr)
|
bool p3BanList::isAddressAccepted(const sockaddr_storage &addr, uint32_t checking_flags,uint32_t& check_result)
|
||||||
{
|
{
|
||||||
|
check_result = RSBANLIST_CHECK_RESULT_NOCHECK ;
|
||||||
|
|
||||||
if(!mIPFilteringEnabled)
|
if(!mIPFilteringEnabled)
|
||||||
return true ;
|
return true ;
|
||||||
|
|
||||||
@ -240,9 +243,31 @@ bool p3BanList::isAddressAccepted(const sockaddr_storage &addr)
|
|||||||
sockaddr_storage addr_24 = makeBitsRange(addr,1) ;
|
sockaddr_storage addr_24 = makeBitsRange(addr,1) ;
|
||||||
sockaddr_storage addr_16 = makeBitsRange(addr,2) ;
|
sockaddr_storage addr_16 = makeBitsRange(addr,2) ;
|
||||||
|
|
||||||
|
if(checking_flags & RSBANLIST_CHECKING_FLAGS_WHITELIST)
|
||||||
|
{
|
||||||
|
bool found = false ;
|
||||||
|
|
||||||
|
found = found || (mWhiteListedRanges.find(addr ) != mWhiteListedRanges.end()) ;
|
||||||
|
found = found || (mWhiteListedRanges.find(addr_16) != mWhiteListedRanges.end()) ;
|
||||||
|
found = found || (mWhiteListedRanges.find(addr_24) != mWhiteListedRanges.end()) ;
|
||||||
|
|
||||||
|
if(found)
|
||||||
|
{
|
||||||
|
check_result = RSBANLIST_CHECK_RESULT_ACCEPTED ;
|
||||||
|
return true ;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
check_result = RSBANLIST_CHECK_RESULT_NOT_WHITELISTED ;
|
||||||
|
return false ;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#ifdef DEBUG_BANLIST
|
#ifdef DEBUG_BANLIST
|
||||||
std::cerr << "p3BanList::isAddressAccepted() testing " << sockaddr_storage_iptostring(addr) << " and range " << sockaddr_storage_iptostring(addr_24) ;
|
std::cerr << "p3BanList::isAddressAccepted() testing " << sockaddr_storage_iptostring(addr) << " and range " << sockaddr_storage_iptostring(addr_24) ;
|
||||||
#endif
|
#endif
|
||||||
|
if(!(checking_flags & RSBANLIST_CHECKING_FLAGS_BLACKLIST))
|
||||||
|
return true;
|
||||||
|
|
||||||
std::map<sockaddr_storage,BanListPeer>::iterator it ;
|
std::map<sockaddr_storage,BanListPeer>::iterator it ;
|
||||||
|
|
||||||
@ -252,6 +277,7 @@ bool p3BanList::isAddressAccepted(const sockaddr_storage &addr)
|
|||||||
#ifdef DEBUG_BANLIST
|
#ifdef DEBUG_BANLIST
|
||||||
std::cerr << " returning false. attempts=" << it->second.connect_attempts << std::endl;
|
std::cerr << " returning false. attempts=" << it->second.connect_attempts << std::endl;
|
||||||
#endif
|
#endif
|
||||||
|
check_result = RSBANLIST_CHECK_RESULT_BLACKLISTED ;
|
||||||
return false ;
|
return false ;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -261,6 +287,7 @@ bool p3BanList::isAddressAccepted(const sockaddr_storage &addr)
|
|||||||
#ifdef DEBUG_BANLIST
|
#ifdef DEBUG_BANLIST
|
||||||
std::cerr << " returning false. attempts=" << it->second.connect_attempts << std::endl;
|
std::cerr << " returning false. attempts=" << it->second.connect_attempts << std::endl;
|
||||||
#endif
|
#endif
|
||||||
|
check_result = RSBANLIST_CHECK_RESULT_BLACKLISTED ;
|
||||||
return false ;
|
return false ;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -270,12 +297,14 @@ bool p3BanList::isAddressAccepted(const sockaddr_storage &addr)
|
|||||||
#ifdef DEBUG_BANLIST
|
#ifdef DEBUG_BANLIST
|
||||||
std::cerr << " returning false. attempts=" << it->second.connect_attempts << std::endl;
|
std::cerr << " returning false. attempts=" << it->second.connect_attempts << std::endl;
|
||||||
#endif
|
#endif
|
||||||
|
check_result = RSBANLIST_CHECK_RESULT_BLACKLISTED ;
|
||||||
return false ;
|
return false ;
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef DEBUG_BANLIST
|
#ifdef DEBUG_BANLIST
|
||||||
std::cerr << " returning true " << std::endl;
|
std::cerr << " returning true " << std::endl;
|
||||||
#endif
|
#endif
|
||||||
|
check_result = RSBANLIST_CHECK_RESULT_ACCEPTED ;
|
||||||
return true ;
|
return true ;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
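Review bot: When both flags are set, a whitelist hit on addr, addr_16 or addr_24 returns RSBANLIST_CHECK_RESULT_ACCEPTED before the blacklist is ever looked at, so a coarse whitelisted range silently overrides an exact blacklist entry for a host inside it; that precedence is a security policy and should be stated in a comment at the top of the whitelist branch, e.g. `// Whitelist wins: a whitelisted address or range is accepted even if it is also blacklisted.`, or the order swapped if that is not the intent. Nothing in this diff populates mWhiteListedRanges, so as far as the commit shows the WHITELIST flag currently refuses every address. Minor: the DEBUG_BANLIST "testing ... and range" message emits no newline, and the new early return for a missing BLACKLIST flag now leaves that partial line dangling on stderr; moving the flag check above the #ifdef block avoids it. The stretches of the function between the hunks are not visible here.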
@ -61,7 +61,7 @@ public:
|
|||||||
|
|
||||||
/***** overloaded from RsBanList *****/
|
/***** overloaded from RsBanList *****/
|
||||||
|
|
||||||
virtual bool isAddressAccepted(const struct sockaddr_storage& addr) ;
|
virtual bool isAddressAccepted(const struct sockaddr_storage& addr, uint32_t checking_flags,uint32_t& check_result) ;
|
||||||
virtual void getListOfBannedIps(std::list<BanListPeer>& list) ;
|
virtual void getListOfBannedIps(std::list<BanListPeer>& list) ;
|
||||||
|
|
||||||
virtual void addIpRange(const struct sockaddr_storage& addr,int masked_bytes,const std::string& comment) ;
|
virtual void addIpRange(const struct sockaddr_storage& addr,int masked_bytes,const std::string& comment) ;
|
||||||
@ -139,6 +139,7 @@ private:
|
|||||||
std::map<RsPeerId, BanList> mBanSources;
|
std::map<RsPeerId, BanList> mBanSources;
|
||||||
std::map<struct sockaddr_storage, BanListPeer> mBanSet;
|
std::map<struct sockaddr_storage, BanListPeer> mBanSet;
|
||||||
std::map<struct sockaddr_storage, BanListPeer> mBanRanges;
|
std::map<struct sockaddr_storage, BanListPeer> mBanRanges;
|
||||||
|
std::map<struct sockaddr_storage, BanListPeer> mWhiteListedRanges;
|
||||||
|
|
||||||
p3ServiceControl *mServiceCtrl;
|
p3ServiceControl *mServiceCtrl;
|
||||||
p3NetMgr *mNetMgr;
|
p3NetMgr *mNetMgr;
|
||||||
|
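Review bot: `mWhiteListedRanges` is added without a comment on its key format, yet p3BanList::isAddressAccepted() looks it up by the exact sockaddr_storage and by makeBitsRange(addr,1) / makeBitsRange(addr,2), so entries must be stored under those masked forms to ever match. I would annotate the member: `// Whitelisted addresses/ranges, keyed by the exact sockaddr_storage or by a makeBitsRange() mask; consulted by isAddressAccepted() when RSBANLIST_CHECKING_FLAGS_WHITELIST is set.` Nothing in this commit fills, saves or loads the member, so its population and persistence are presumably still to come and worth a TODO next to the declaration.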