I have seen that in places just the formatting was improved - much appreciated, but
please respect the GNU Coding Style (http://openvas.org/compendium/source-code-style-guide.html). Don't get me wrong, looks fine and tidy compared to what there was, but it would be great if we would have a consistent formatting of the code in the (near) future. Thanks, -- Felix PS: What i was missing: * space before opening bracket * block indentation * return type in own line On Thursday 20 August 2009 11:20:33 scm-com...@wald.intevation.org wrote: > Author: jan > Date: 2009-08-20 11:20:32 +0200 (Thu, 20 Aug 2009) > New Revision: 4634 > > Modified: > trunk/openvas-server/ChangeLog > trunk/openvas-server/openvasd/attack.c > trunk/openvas-server/openvasd/rules.c > trunk/openvas-server/openvasd/rules.h > Log: > Initializing implementation for IPv6 support. > This corresponds to Change Request #27, > http://www.openvas.org/openvas-cr-27.html > Most work done by Srinivasa NL <nl.srini...@gmail.com>. > > * openvasd/rules.h: Added type "inaddrs_t" as union to hold > either IPv6 or IPv4 address. > (struct openvas_rules): Adapted to above and added family. > Adpated protos according to new type. > > * openvasd/rules.c (rules_validateandgetipaddr, rules_ipv6addrmask): New. > (rules_init_aux): Mostly rewritten to support IPv6 addresses. > (rules_dup_aux, rules_dup): Removed. These functions are never used. > (rules_set_client_ip): API changed (family added). Now supports IPv6. > (rules_add): Added support of IPv6. > (rules_dump): Added support of IPv6. > (get_host_rules): Removed recursion decision. Added support of IPv6. > > * openvasd/attack.c (attack_network): Adapt to new API for considerung > also IPv6 addesses when checking for access rules. > > > > Modified: trunk/openvas-server/ChangeLog > =================================================================== > --- trunk/openvas-server/ChangeLog 2009-08-20 09:02:13 UTC (rev 4633) > +++ trunk/openvas-server/ChangeLog 2009-08-20 09:20:32 UTC (rev 4634) > @@ -1,3 +1,30 @@ > +2009-08-20 Jan-Oliver Wagner <jan-oliver.wag...@greenbone.net> > + > + Initializing implementation for IPv6 support. > + This corresponds to Change Request #27, > + http://www.openvas.org/openvas-cr-27.html > + Most work done by Srinivasa NL <nl.srini...@gmail.com>. > + > + * openvasd/rules.h: Added type "inaddrs_t" as union to hold > + either IPv6 or IPv4 address. > + (struct openvas_rules): Adapted to above and added family. > + Adpated protos according to new type. > + > + * openvasd/rules.c (rules_validateandgetipaddr, rules_ipv6addrmask): > New. > + (rules_init_aux): Mostly rewritten to support IPv6 addresses. > + (rules_dup_aux, rules_dup): Removed. These functions are never used. > + (rules_set_client_ip): API changed (family added). Now supports IPv6. > + (rules_add): Added support of IPv6. > + (rules_dump): Added support of IPv6. > + (get_host_rules): Removed recursion decision. Added support of IPv6. > + > + * openvasd/attack.c (attack_network): Adapt to new API for considerung > + also IPv6 addesses when checking for access rules. > + > +2009-08-10 Vlatko Kosturjak <k...@linux.hr> > + > + * cnvts/3com_hub/Makefile, cnvts/3com_hub/3com_hub.c: > + > 2009-08-19 Tim Brown <t...@nth-dimension.org.uk> > > * openvas-adduser.in, openvas-rmuser.in: Fixed bashism. > > Modified: trunk/openvas-server/openvasd/attack.c > =================================================================== > --- trunk/openvas-server/openvasd/attack.c 2009-08-20 09:02:13 UTC (rev > 4633) +++ trunk/openvas-server/openvasd/attack.c 2009-08-20 09:20:32 UTC > (rev 4634) @@ -721,6 +721,7 @@ > hargwalk * hw; > char * key; > struct timeval then, now; > + inaddrs_t addrs; > > gettimeofday(&then, NULL); > > @@ -861,8 +862,11 @@ > } > > host_pending = 0 ; > + > + addrs.ip.s_addr = host_ip.s_addr; > + > /* Do we have the right to test this host ? */ > - if(CAN_TEST(get_host_rules(rules, host_ip,32)) == 0) > + if(CAN_TEST(get_host_rules(rules, addrs)) == 0) > { > log_write("user %s : rejected attempt to scan %s", > attack_user_name(globals), hostname); > > Modified: trunk/openvas-server/openvasd/rules.c > =================================================================== > --- trunk/openvas-server/openvasd/rules.c 2009-08-20 09:02:13 UTC (rev > 4633) +++ trunk/openvas-server/openvasd/rules.c 2009-08-20 09:20:32 UTC > (rev 4634) @@ -35,6 +35,86 @@ > #include "rules.h" > #include "log.h" > > +static int rules_validateandgetipaddr(char *ip, int family, struct > sockaddr *sa, int numeric) +{ > + struct addrinfo hints; > + struct addrinfo *ai; > + int retval; > + > + memset(&hints, 0, sizeof(hints)); > + switch(family) > + { > + case AF_INET: > + hints.ai_family = AF_INET; > + break; > + case AF_INET6: > + hints.ai_family = AF_INET6; > + break; > + default: > + return -1; > + } > + if(numeric) > + hints.ai_flags = AI_NUMERICHOST; > + > + retval = getaddrinfo(ip, NULL, &hints, &ai); > + if(!retval) > + { > + if(family == AF_INET) > + { > + memcpy(sa, ai->ai_addr, sizeof(struct sockaddr_in)); > + } > + else > + { > + memcpy(sa, &((struct sockaddr_in6 *)(ai->ai_addr))->sin6_addr, > sizeof(struct sockaddr_in6)); + } > + freeaddrinfo(ai); > + return 0; > + } > + return -1; > +} > + > +static void rules_ipv6addrmask(struct in6_addr *in6addr, int mask) > +{ > + int wordmask; > + int word; > + uint32_t *ptr; > + uint32_t addr; > + > + word = mask / 32; > + wordmask = mask % 32; > + ptr = (uint32_t *)in6addr; > + switch(word) > + { > + case 0: > + ptr[1] = ptr[2] = ptr[3] = 0; > + addr = ptr[0]; > + addr = ntohl(addr) >> (32 - wordmask); > + addr = htonl(addr << (32 - wordmask)); > + ptr[0] = addr; > + break; > + case 1: > + ptr[2] = ptr[3] = 0; > + addr = ptr[1]; > + addr = ntohl(addr) >> (32 - wordmask); > + addr = htonl(addr << (32 - wordmask)); > + ptr[1] = addr; > + break; > + case 2: > + ptr[3] = 0; > + addr = ptr[2]; > + addr = ntohl(addr) >> (32 - wordmask); > + addr = htonl(addr << (32 - wordmask)); > + ptr[2] = addr; > + break; > + case 3: > + addr = ptr[3]; > + addr = ntohl(addr) >> (32 - wordmask); > + addr = htonl(addr << (32 - wordmask)); > + ptr[3] = addr; > + break; > + } > +} > + > /** > * @brief Returns the name of the rules file. > * > @@ -74,99 +154,137 @@ > } > > > -int rules_init_aux(rules,file, buffer, len,def) > - struct openvas_rules * rules; > - FILE * file; > - char * buffer; > - int len; > - int def; > +int rules_init_aux(struct openvas_rules * rules, FILE * file, > + char * buffer, int len, int def) > { > - buffer[0] = buffer[len - 1 ] = '\0'; > - > - if(!(fgets(buffer, len - 1, file))){ > - rules->next = NULL; > - return def; > - } > - else { > - char *t = buffer; > - char *v; > - int t_len; > - if(t[strlen(t)-1]=='\n')t[strlen(t)-1]='\0'; > - while((t[0]==' ')||(t[0]=='\t'))t++; > - if((t[0]=='#')||t[0] == '\0')return rules_init_aux(rules,file, buffer, > len,def); - v = strchr(t, ' '); > - if( v == NULL ){ > - printf("Parse error in the rules file : %s\n", > - buffer); > - return rules_init_aux(rules, file, buffer, len, def); > - } > - else > - { > - if(!strncmp(t, "accept", 6)) > - rules->rule = RULES_ACCEPT; > - else if(!strncmp(t, "default", 7)){ > - if(!strncmp(t+8, "accept", 6))def = RULES_ACCEPT; > - else def = RULES_REJECT; > - return rules_init_aux(rules, file, buffer, len, def); > - } > - else if((!strncmp(t, "reject", 6))|| > - (!strncmp(t, "deny", 4)))rules->rule = RULES_REJECT; > - else { > - printf("Parse error in the rules file : %s\n", > - buffer); > - return rules_init_aux(rules, file, buffer, len,def); > - } > - t = v+sizeof(char); > - v = strchr(t, '/'); > - if(v)v[0]='\0'; > - if(t[0]=='!'){ > - rules->not = 1; > - t++; > - } > - else rules->not = 0; > - t_len = strlen(t); > - while(t[t_len-1]==' ') > - { > - t[t_len-1]='\0'; > - t_len --; > - } > - if(!(inet_aton(t,&rules->ip))) > - { > - if(strcmp(t, "client_ip")) > - { > - printf("Parse error in the rules file : '%s' is not a valid IP\n", > - t); > - return rules_init_aux(rules, file, buffer, len,def); > - } > - else > - { > - rules->ip.s_addr = -1; > - rules->client_ip = 1; > - } > - } > - else rules->client_ip = 0; > - > - if(v)rules->mask = atoi(v+sizeof(char)); > - else rules->mask = 32; > - if(rules->mask < 0 || rules->mask > 32) > - { > - printf("Error in the rules file. %s is not a valid cidr netmask\n", > - v+sizeof(char)); > - EXIT(1); > + struct sockaddr_in saddr; > + struct sockaddr_in6 s6addr; > > - } > - if(rules->mask > 0) > - { > - rules->ip.s_addr = ntohl(rules->ip.s_addr) >> (32 - rules->mask); > - rules->ip.s_addr = htonl(rules->ip.s_addr << (32 - rules->mask)); > - } > - else rules->ip.s_addr = 0; > - rules->next = emalloc(sizeof(*rules)); > - } > - } > - return rules_init_aux(rules->next, file, buffer, len, def); > + while(1) > + { > + buffer[0] = buffer[len - 1 ] = '\0'; > + if(!(fgets(buffer, len - 1, file))) > + { > + rules->next = NULL; > + return def; > + } > + else > + { > + char *t = buffer; > + char *v; > + int t_len; > + if(t[strlen(t)-1]=='\n')t[strlen(t)-1]='\0'; > + while((t[0]==' ')||(t[0]=='\t'))t++; > + if((t[0]=='#')||t[0] == '\0') > + continue; > + v = strchr(t, ' '); > + if( v == NULL ){ > + printf("Parse error in the rules file : %s\n", > + buffer); > + continue; > + } > + else > + { > + if(!strncmp(t, "accept", 6)) > + rules->rule = RULES_ACCEPT; > + else if(!strncmp(t, "default", 7)){ > + if(!strncmp(t+8, "accept", 6))def = RULES_ACCEPT; > + else def = RULES_REJECT; > + continue; > + } > + else if((!strncmp(t, "reject", 6))|| > + (!strncmp(t, "deny", 4)))rules->rule = RULES_REJECT; > + else { > + printf("Parse error in the rules file : %s\n", > + buffer); > + continue; > + } > + t = v+sizeof(char); > + v = strchr(t, '/'); > + if(v)v[0]='\0'; > + if(t[0]=='!'){ > + rules->not = 1; > + t++; > + } > + else rules->not = 0; > + t_len = strlen(t); > + while(t[t_len-1]==' ') > + { > + t[t_len-1]='\0'; > + t_len --; > + } > + > + if(!rules_validateandgetipaddr(t, AF_INET, (struct sockaddr > *)&saddr ,1)) + { > + rules->inaddrs.ip.s_addr = saddr.sin_addr.s_addr; > + rules->family = AF_INET; > + rules->client_ip = 0; > + } > + else if(!rules_validateandgetipaddr(t, AF_INET6, (struct sockaddr > *)&s6addr ,1)) + { > + memcpy(&rules->inaddrs.ip6, &s6addr, sizeof(struct > sockaddr_in6)); + rules->family = AF_INET6; > + rules->client_ip = 0; > + } > + else > + { > + if(strcmp(t, "client_ip")) > + { > + printf("Parse error in the rules file : '%s' is not a valid > IP\n", + t); > + continue; > + } > + else > + { > + rules->client_ip = 1; > + } > + } > + > + if(v) > + rules->mask = atoi(v+sizeof(char)); > + else > + rules->mask = rules->family == AF_INET ? 32 : 128; > + > + if(rules->family == AF_INET) > + { > + if(rules->mask < 0 || rules->mask > 32) > + { > + printf("Error in the rules file. %s is not a valid cidr > netmask\n", + v+sizeof(char)); > + EXIT(1); > + } > + if(rules->mask > 0) > + { > + rules->inaddrs.ip.s_addr = ntohl(rules->inaddrs.ip.s_addr) >> > (32 - rules->mask); + rules->inaddrs.ip.s_addr = > htonl(rules->inaddrs.ip.s_addr << (32 - rules->mask)); > ; + > } > + else > + rules->inaddrs.ip.s_addr = 0; > + } > + else > + { > + if(rules->mask < 0 || rules->mask > 128) > + { > + printf("Error in the rules file. %s is not a valid cidr > netmask\n", + v+sizeof(char)); > + EXIT(1); > + } > + if(rules->mask > 0) > + rules_ipv6addrmask(&rules->inaddrs.ip6, rules->mask); > + else > + { > + rules->inaddrs.ip6.s6_addr32[0] = 0; > + rules->inaddrs.ip6.s6_addr32[1] = 0; > + rules->inaddrs.ip6.s6_addr32[2] = 0; > + rules->inaddrs.ip6.s6_addr32[3] = 0; > + } > + } > + rules->next = emalloc(sizeof(*rules)); > + rules = rules->next; > + } > + } > + } > } > - > > void > rules_init(rules, preferences) > @@ -194,32 +312,6 @@ > } > > struct openvas_rules * > -rules_dup_aux(s, r) > - struct openvas_rules * s, *r; > -{ > - printf("rules_dup called - does not work\n"); > - if(!s->next)return r; > - else > - { > - r->ip.s_addr = s->ip.s_addr; > - r->mask = s->mask; > - r->rule = s->rule; > - r->not = s->not; > - r->def = s->def; > - r->next = emalloc(sizeof(*r)); > - return rules_dup_aux(s->next,r->next); > - } > -} > -struct openvas_rules * > -rules_dup(struct openvas_rules *s) > -{ > - struct openvas_rules * r = emalloc(sizeof(*r)); > - return rules_dup_aux(s, r); > -} > - > - > - > -struct openvas_rules * > rules_cat(struct openvas_rules * a, > struct openvas_rules * b) > { > @@ -239,17 +331,25 @@ > } > > > -void rules_set_client_ip(struct openvas_rules * r, struct in_addr client) > +void rules_set_client_ip(struct openvas_rules * r, inaddrs_t *addrs, int > family) { > - if(!r) > - return; > - else > + while(r) > { > - if(r->client_ip) > - r->ip = client; > - rules_set_client_ip(r->next, client); > + if(r->client_ip) > + { > + if(family == AF_INET) > + { > + r->inaddrs.ip.s_addr = addrs->ip.s_addr; > + } > + else > + { > + memcpy(&r->inaddrs.ip6,&addrs->ip6,sizeof(struct in6_addr)); > + } > + } > + r = r->next; > } > } > + > void rules_set_def(struct openvas_rules * r, int def) > { > if(!r)return; > @@ -291,7 +391,13 @@ > { > if(!username) > { > - accept_rules->ip.s_addr = t->ip.s_addr; > + if(t->family == AF_INET) > + accept_rules->inaddrs.ip.s_addr = t->inaddrs.ip.s_addr; > + else > + { > + memcpy(&accept_rules->inaddrs.ip6, &t->inaddrs.ip6, sizeof(struct > in6_addr)); + } > + accept_rules->family = t->family; > accept_rules->client_ip = t->client_ip; > accept_rules->mask = t->mask; > accept_rules->rule = t->rule; > @@ -302,12 +408,18 @@ > else > { > log_write("user %s : attempted to gain more rights by adding accept > %s/%d", - username, inet_ntoa(t->ip), t->mask); > + username, inet_ntoa(t->inaddrs.ip), t->mask); > } > } > else > { > - reject_rules->ip.s_addr = t->ip.s_addr; > + if(t->family == AF_INET) > + reject_rules->inaddrs.ip.s_addr = t->inaddrs.ip.s_addr; > + else > + { > + memcpy(&reject_rules->inaddrs.ip6, &t->inaddrs.ip6, sizeof(struct > in6_addr)); + } > + reject_rules->family = t->family; > reject_rules->client_ip = t->client_ip; > reject_rules->mask = t->mask; > reject_rules->rule = t->rule; > @@ -327,7 +439,7 @@ > > rules_set_def(*rules, def); > > -#ifdef DEBUG_RULES > +#ifdef DEBUG_RULES > printf("After rules_cat : \n"); > rules_dump(*rules); > #endif > @@ -337,49 +449,106 @@ > void > rules_dump(struct openvas_rules * rules) > { > - if(!rules->next)return; > - printf("%d %c%s/%d (def %d)\n", rules->rule, rules->not?'!':' ', > inet_ntoa(rules->ip), rules->mask, - > rules->def); > - rules_dump(rules->next); > + struct openvas_rules *r; > + char buf[INET6_ADDRSTRLEN]; > + r = rules; > + while(r) > + { > + if(r->family == AF_INET) > + printf("%d %c%s/%d (def %d)\n", r->rule, r->not?'!':' ', > inet_ntop(r->family, &r->inaddrs.ip, buf,sizeof(buf)), r->mask, + > r->def); > + else > + printf("%d %c%s/%d (def %d)\n", r->rule, r->not?'!':' ', > inet_ntop(r->family, &r->inaddrs.ip6, buf,sizeof(buf)), r->mask, + > r->def); > + r = r->next; > + } > } > #endif > > int > -get_host_rules (struct openvas_rules * rules, struct in_addr addr, > - int netmask) > +get_host_rules (struct openvas_rules * rules, inaddrs_t addr) > { > - struct in_addr backup; > + struct in_addr tstaddr; > + struct in6_addr tstaddr6; > > + tstaddr.s_addr = 0; > + > if (!rules) > - { > - fprintf(stderr, "???? no rules - this is likely to be a bug\n"); > - fprintf(stderr, "Please report at bugs.openvas.org\n"); > - return RULES_ACCEPT; > - } > - if (!rules->next) > - return rules->def; > + { > + fprintf(stderr, "???? no rules - this is likely to be a bug\n"); > + fprintf(stderr, "Please report at bugs.openvas.org\n"); > + return RULES_ACCEPT; > + } > > - backup.s_addr = addr.s_addr; > - if (rules->mask > 0) > + while(rules) > + { > + if (!rules->next) > + return rules->def; > + > + if(rules->family == AF_INET) > { > - addr.s_addr = ntohl(addr.s_addr) >> (32 - rules->mask); > - addr.s_addr = htonl(addr.s_addr << (32 - rules->mask)); > - } > - else addr.s_addr = 0; > + tstaddr.s_addr = addr.ip.s_addr; > + if (rules->mask > 0) > + { > + tstaddr.s_addr = ntohl(tstaddr.s_addr) >> (32 - rules->mask); > + tstaddr.s_addr = htonl(tstaddr.s_addr << (32 - rules->mask)); > + } > + else tstaddr.s_addr = 0; > > - if(rules->not) > - { > - if (addr.s_addr != rules->ip.s_addr) > - return(rules->rule); > + if(rules->not) > + { > + if (tstaddr.s_addr != rules->inaddrs.ip.s_addr) > + return(rules->rule); > + } > + else > + { > + if (tstaddr.s_addr == rules->inaddrs.ip.s_addr) > + { > + return(rules->rule); > + } > + } > } > - else > + else > { > - if (addr.s_addr == rules->ip.s_addr) > + /* Check whether ipv6 address can be scanned */ > + memcpy(&tstaddr6, &addr.ip6, sizeof(struct in6_addr)); > + if (rules->mask > 0) > + rules_ipv6addrmask(&tstaddr6, rules->mask); > + else > + { > + tstaddr6.s6_addr32[0] = 0; > + tstaddr6.s6_addr32[1] = 0; > + tstaddr6.s6_addr32[2] = 0; > + tstaddr6.s6_addr32[3] = 0; > + } > + if(rules->not) > + { > + /* If not equal return rules->rule*/ > + if( tstaddr6.s6_addr32[0] != rules->inaddrs.ip6.s6_addr32[0] || \ > + tstaddr6.s6_addr32[1] != rules->inaddrs.ip6.s6_addr32[1] || \ > + tstaddr6.s6_addr32[2] != rules->inaddrs.ip6.s6_addr32[2] || \ > + tstaddr6.s6_addr32[3] != rules->inaddrs.ip6.s6_addr32[3] \ > + ) > + return(rules->rule); > + } > + else > + { > + /* If equal return rules->rule*/ > + if( tstaddr6.s6_addr32[0] == rules->inaddrs.ip6.s6_addr32[0] && \ > + tstaddr6.s6_addr32[1] == rules->inaddrs.ip6.s6_addr32[1] && \ > + tstaddr6.s6_addr32[2] == rules->inaddrs.ip6.s6_addr32[2] && \ > + tstaddr6.s6_addr32[3] == rules->inaddrs.ip6.s6_addr32[3] \ > + ) > + if (tstaddr.s_addr == rules->inaddrs.ip.s_addr) > { > return(rules->rule); > } > + } > } > - return get_host_rules (rules->next, backup, netmask); > + rules = rules->next; > + } > + fprintf(stderr, "Rules check ended: May be bug? Please report\n"); > + return RULES_ACCEPT; > } > > void > @@ -392,4 +561,3 @@ > rules = next; > } > } > - > > Modified: trunk/openvas-server/openvasd/rules.h > =================================================================== > --- trunk/openvas-server/openvasd/rules.h 2009-08-20 09:02:13 UTC (rev > 4633) +++ trunk/openvas-server/openvasd/rules.h 2009-08-20 09:20:32 UTC > (rev 4634) @@ -34,9 +34,16 @@ > /** > * Representation of a chain of rules. > */ > +typedef union inaddrs > +{ > + struct in_addr ip; > + struct in6_addr ip6; > +} inaddrs_t; > + > struct openvas_rules > { > - struct in_addr ip; > + inaddrs_t inaddrs; > + int family; > int client_ip; /**< If set to 1, then 'ip' will be replaced by the > client ip when appropriate. */ > int mask; > @@ -55,7 +62,7 @@ > struct openvas_rules * rules_parse(char * , struct openvas_rules *, int); > struct openvas_rules * rules_dup(struct openvas_rules *); > void rules_set_def(struct openvas_rules *, int); > -void rules_set_client_ip(struct openvas_rules *, struct in_addr); > -int get_host_rules(struct openvas_rules *, struct in_addr, int); > +void rules_set_client_ip(struct openvas_rules *, inaddrs_t *, int family); > +int get_host_rules(struct openvas_rules *, inaddrs_t inaddrs); > > #endif > > _______________________________________________ > Openvas-commits mailing list > openvas-comm...@wald.intevation.org > http://lists.wald.intevation.org/mailman/listinfo/openvas-commits -- Felix Wolfsteller | ++49-541-335 08 3451 | http://www.intevation.de/ PGP Key: 39DE0100 Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner _______________________________________________ Openvas-devel mailing list Openvas-devel@wald.intevation.org http://lists.wald.intevation.org/mailman/listinfo/openvas-devel
