added flags for whitelist/blacklist checks in isAddressAccepted()

git-svn-id: http://svn.code.sf.net/p/retroshare/code/trunk@8317 b45a01b8-16f6-495d-af2f-9b41ad6348cc
csoler 2015-05-30 09:29:43 +00:00
parent 20a2d42038
commit e80c366393
4 changed files with 56 additions and 7 deletions


@ -1311,9 +1311,11 @@ int pqissl::Authorise_SSL_Connection()
bool res = AuthSSL::getAuthSSL()->CheckCertificate(PeerId(), peercert); bool res = AuthSSL::getAuthSSL()->CheckCertificate(PeerId(), peercert);
bool certCorrect = true; /* WE know it okay already! */ bool certCorrect = true; /* WE know it okay already! */
if(!rsBanList->isAddressAccepted(remote_addr)) uint32_t check_result ;
if(!rsBanList->isAddressAccepted(remote_addr,RSBANLIST_CHECKING_FLAGS_BLACKLIST,check_result))
{ {
std::cerr << "(SS) connection attempt from banned IP address. Refusing it. Attack??" << std::endl; std::cerr << "(SS) connection attempt from banned IP address. Refusing it. Reason: " << check_result << ". Attack??" << std::endl;
reset_locked(); reset_locked();
return 0 ; return 0 ;
} }
@ -1357,9 +1359,12 @@ int pqissl::accept(SSL *ssl, int fd, const struct sockaddr_storage &foreign_addr
int pqissl::accept_locked(SSL *ssl, int fd, const struct sockaddr_storage &foreign_addr) // initiate incoming connection. int pqissl::accept_locked(SSL *ssl, int fd, const struct sockaddr_storage &foreign_addr) // initiate incoming connection.
{ {
if(!rsBanList->isAddressAccepted(foreign_addr)) uint32_t check_result;
if(!rsBanList->isAddressAccepted(foreign_addr,RSBANLIST_CHECKING_FLAGS_BLACKLIST,check_result))
{ {
std::cerr << "(SS) refusing incoming SSL connection from blacklisted foreign address " << sockaddr_storage_iptostring(foreign_addr) << std::endl; std::cerr << "(SS) refusing incoming SSL connection from blacklisted foreign address " << sockaddr_storage_iptostring(foreign_addr)
<< ". Reason: " << check_result << "." << std::endl;
reset_locked(); reset_locked();
return -1; return -1;
} }
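Review bot: The new log lines in both hunks print `check_result` as a bare integer (`"Reason: " << check_result`), so an operator reading the connection log sees "Reason: 2" and has to look up the RSBANLIST_CHECK_RESULT_* macros in rsbanlist.h to know whether the peer was blacklisted or merely not whitelisted. Since these refusals are the only place the reason code surfaces, a small stringifier in the ban-list API (or a local `switch` over the four defined values) would make the log self-explaining; a placeholder such as `<< ". Reason: " << banCheckResultToString(check_result)` names the intent. Both call sites also pass only RSBANLIST_CHECKING_FLAGS_BLACKLIST, so the whitelist flag introduced in this commit is not yet exercised by any connection path visible here — worth a `// TODO: whitelist checking not enabled yet` at one of them so the unused mode is not mistaken for an active control. Both Authorise_SSL_Connection() and accept_locked() continue outside these hunks.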


@ -40,6 +40,20 @@ extern RsBanList *rsBanList ;
#define RSBANLIST_REASON_DHT 2 #define RSBANLIST_REASON_DHT 2
#define RSBANLIST_REASON_AUTO_RANGE 3 #define RSBANLIST_REASON_AUTO_RANGE 3
// These are flags. Can be combined.
#define RSBANLIST_CHECKING_FLAGS_NONE 0x00
#define RSBANLIST_CHECKING_FLAGS_BLACKLIST 0x01
#define RSBANLIST_CHECKING_FLAGS_WHITELIST 0x02
// These are not flags. Cannot be combined. Used to give the reson for acceptance/denial of connections.
#define RSBANLIST_CHECK_RESULT_UNKNOWN 0x00
#define RSBANLIST_CHECK_RESULT_NOCHECK 0x01
#define RSBANLIST_CHECK_RESULT_BLACKLISTED 0x02
#define RSBANLIST_CHECK_RESULT_NOT_WHITELISTED 0x03
#define RSBANLIST_CHECK_RESULT_ACCEPTED 0x04
class RsTlvBanListEntry ; class RsTlvBanListEntry ;
class BanListPeer class BanListPeer
@ -68,7 +82,7 @@ public:
virtual void addIpRange(const struct sockaddr_storage& addr,int masked_bytes,const std::string& comment) =0; virtual void addIpRange(const struct sockaddr_storage& addr,int masked_bytes,const std::string& comment) =0;
virtual bool isAddressAccepted(const struct sockaddr_storage& addr) =0; virtual bool isAddressAccepted(const struct sockaddr_storage& addr,uint32_t checking_flags,uint32_t& check_result) =0;
virtual void getListOfBannedIps(std::list<BanListPeer>& list) =0; virtual void getListOfBannedIps(std::list<BanListPeer>& list) =0;
virtual bool autoRangeEnabled() =0; virtual bool autoRangeEnabled() =0;
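Review bot: The new `isAddressAccepted(addr, checking_flags, check_result)` signature documents neither which RSBANLIST_CHECKING_FLAGS_* values are accepted nor what `check_result` holds on each return path, and the two macro groups above are visually easy to mix up because both are small hex values. A doc comment on the pure virtual would close that gap, e.g. `// checking_flags: OR of RSBANLIST_CHECKING_FLAGS_*; check_result receives one RSBANLIST_CHECK_RESULT_* value (NOCHECK when filtering is disabled or no flag is set) and is always written before returning.` The two groups would also be harder to confuse as `enum`s with distinct names than as parallel `#define` lists, which the compiler cannot tell apart when a caller passes a result constant where a flag is expected.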


@ -33,6 +33,7 @@
#include "serialiser/rsbanlistitems.h" #include "serialiser/rsbanlistitems.h"
#include "serialiser/rsconfigitems.h" #include "serialiser/rsconfigitems.h"
#include "retroshare/rsdht.h" #include "retroshare/rsdht.h"
#include "retroshare/rsbanlist.h"
#include <sys/time.h> #include <sys/time.h>
@ -230,8 +231,10 @@ void p3BanList::autoFigureOutBanRanges()
condenseBanSources_locked() ; condenseBanSources_locked() ;
} }
bool p3BanList::isAddressAccepted(const sockaddr_storage &addr) bool p3BanList::isAddressAccepted(const sockaddr_storage &addr, uint32_t checking_flags,uint32_t& check_result)
{ {
check_result = RSBANLIST_CHECK_RESULT_NOCHECK ;
if(!mIPFilteringEnabled) if(!mIPFilteringEnabled)
return true ; return true ;
@ -240,9 +243,31 @@ bool p3BanList::isAddressAccepted(const sockaddr_storage &addr)
sockaddr_storage addr_24 = makeBitsRange(addr,1) ; sockaddr_storage addr_24 = makeBitsRange(addr,1) ;
sockaddr_storage addr_16 = makeBitsRange(addr,2) ; sockaddr_storage addr_16 = makeBitsRange(addr,2) ;
if(checking_flags & RSBANLIST_CHECKING_FLAGS_WHITELIST)
{
bool found = false ;
found = found || (mWhiteListedRanges.find(addr ) != mWhiteListedRanges.end()) ;
found = found || (mWhiteListedRanges.find(addr_16) != mWhiteListedRanges.end()) ;
found = found || (mWhiteListedRanges.find(addr_24) != mWhiteListedRanges.end()) ;
if(found)
{
check_result = RSBANLIST_CHECK_RESULT_ACCEPTED ;
return true ;
}
else
{
check_result = RSBANLIST_CHECK_RESULT_NOT_WHITELISTED ;
return false ;
}
}
#ifdef DEBUG_BANLIST #ifdef DEBUG_BANLIST
std::cerr << "p3BanList::isAddressAccepted() testing " << sockaddr_storage_iptostring(addr) << " and range " << sockaddr_storage_iptostring(addr_24) ; std::cerr << "p3BanList::isAddressAccepted() testing " << sockaddr_storage_iptostring(addr) << " and range " << sockaddr_storage_iptostring(addr_24) ;
#endif #endif
if(!(checking_flags & RSBANLIST_CHECKING_FLAGS_BLACKLIST))
return true;
std::map<sockaddr_storage,BanListPeer>::iterator it ; std::map<sockaddr_storage,BanListPeer>::iterator it ;
@ -252,6 +277,7 @@ bool p3BanList::isAddressAccepted(const sockaddr_storage &addr)
#ifdef DEBUG_BANLIST #ifdef DEBUG_BANLIST
std::cerr << " returning false. attempts=" << it->second.connect_attempts << std::endl; std::cerr << " returning false. attempts=" << it->second.connect_attempts << std::endl;
#endif #endif
check_result = RSBANLIST_CHECK_RESULT_BLACKLISTED ;
return false ; return false ;
} }
@ -261,6 +287,7 @@ bool p3BanList::isAddressAccepted(const sockaddr_storage &addr)
#ifdef DEBUG_BANLIST #ifdef DEBUG_BANLIST
std::cerr << " returning false. attempts=" << it->second.connect_attempts << std::endl; std::cerr << " returning false. attempts=" << it->second.connect_attempts << std::endl;
#endif #endif
check_result = RSBANLIST_CHECK_RESULT_BLACKLISTED ;
return false ; return false ;
} }
@ -270,12 +297,14 @@ bool p3BanList::isAddressAccepted(const sockaddr_storage &addr)
#ifdef DEBUG_BANLIST #ifdef DEBUG_BANLIST
std::cerr << " returning false. attempts=" << it->second.connect_attempts << std::endl; std::cerr << " returning false. attempts=" << it->second.connect_attempts << std::endl;
#endif #endif
check_result = RSBANLIST_CHECK_RESULT_BLACKLISTED ;
return false ; return false ;
} }
#ifdef DEBUG_BANLIST #ifdef DEBUG_BANLIST
std::cerr << " returning true " << std::endl; std::cerr << " returning true " << std::endl;
#endif #endif
check_result = RSBANLIST_CHECK_RESULT_ACCEPTED ;
return true ; return true ;
} }
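Review bot: In the whitelist block added to isAddressAccepted(), a whitelist hit returns `true` with RSBANLIST_CHECK_RESULT_ACCEPTED before any of the blacklist lookups run, so when a caller combines both flags — which the header comment says is allowed — a whitelisted range silently overrides a blacklist entry, and the attempt counter on the matching BanListPeer is never updated. If that override is intended it should be stated in the header; if not, the early return should only apply when the blacklist is not also requested, e.g. change `if(found)` to `if(found && !(checking_flags & RSBANLIST_CHECKING_FLAGS_BLACKLIST))` and `else` to `else if(!found)`, so a whitelisted-and-requested address still falls through to the blacklist checks. Separately, nothing in this commit inserts into `mWhiteListedRanges`, so any caller that sets the WHITELIST flag today will be rejected with RSBANLIST_CHECK_RESULT_NOT_WHITELISTED; a `// TODO: mWhiteListedRanges is not yet populated/persisted` above the lookup would keep that from surprising the next caller. The three `found = found || (...)` lines could also be one boolean expression. The function body extends before and after the visible hunks.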


@ -61,7 +61,7 @@ public:
/***** overloaded from RsBanList *****/ /***** overloaded from RsBanList *****/
virtual bool isAddressAccepted(const struct sockaddr_storage& addr) ; virtual bool isAddressAccepted(const struct sockaddr_storage& addr, uint32_t checking_flags,uint32_t& check_result) ;
virtual void getListOfBannedIps(std::list<BanListPeer>& list) ; virtual void getListOfBannedIps(std::list<BanListPeer>& list) ;
virtual void addIpRange(const struct sockaddr_storage& addr,int masked_bytes,const std::string& comment) ; virtual void addIpRange(const struct sockaddr_storage& addr,int masked_bytes,const std::string& comment) ;
@ -139,6 +139,7 @@ private:
std::map<RsPeerId, BanList> mBanSources; std::map<RsPeerId, BanList> mBanSources;
std::map<struct sockaddr_storage, BanListPeer> mBanSet; std::map<struct sockaddr_storage, BanListPeer> mBanSet;
std::map<struct sockaddr_storage, BanListPeer> mBanRanges; std::map<struct sockaddr_storage, BanListPeer> mBanRanges;
std::map<struct sockaddr_storage, BanListPeer> mWhiteListedRanges;
p3ServiceControl *mServiceCtrl; p3ServiceControl *mServiceCtrl;
p3NetMgr *mNetMgr; p3NetMgr *mNetMgr;
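Review bot: `mWhiteListedRanges` is added next to `mBanSet` and `mBanRanges` without a comment saying what it holds or how it is keyed, even though isAddressAccepted() in p3banlist.cc looks it up with the raw address and with the /16 and /24 masked forms. A one-line comment such as `// addresses and masked ranges consulted when RSBANLIST_CHECKING_FLAGS_WHITELIST is set; keyed like mBanRanges` would tell the next maintainer which mask forms must be inserted for a lookup to succeed. Whether it should be saved and loaded alongside the other ban state is not visible in this commit and is worth noting as open.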