|
|
|
|
@ -25,6 +25,9 @@
|
|
|
|
|
* LLC. Start here: http://www.zerotier.com/
|
|
|
|
|
*/ |
|
|
|
|
|
|
|
|
|
#include <stdio.h> |
|
|
|
|
#include <stdlib.h> |
|
|
|
|
#include <string.h> |
|
|
|
|
#include <stdint.h> |
|
|
|
|
|
|
|
|
|
#include "RuntimeEnvironment.hpp" |
|
|
|
|
@ -34,21 +37,19 @@
|
|
|
|
|
|
|
|
|
|
namespace ZeroTier { |
|
|
|
|
|
|
|
|
|
const char *const Filter::UNKNOWN_NAME = "(unknown)"; |
|
|
|
|
|
|
|
|
|
bool Filter::Rule::operator()(unsigned int etype,const void *data,unsigned int len) const |
|
|
|
|
throw(std::invalid_argument) |
|
|
|
|
{ |
|
|
|
|
if ((!_etherType)||(_etherType(etype))) { // ethertype is ANY, or matches
|
|
|
|
|
// Ethertype determines meaning of protocol and port
|
|
|
|
|
switch(etype) { |
|
|
|
|
default: |
|
|
|
|
if ((!_protocol)&&(!_port)) |
|
|
|
|
return true; // match other ethertypes if protocol and port are ANY, since we don't know what to do with them
|
|
|
|
|
break; |
|
|
|
|
|
|
|
|
|
case ZT_ETHERTYPE_IPV4: |
|
|
|
|
if (len > 20) { |
|
|
|
|
if ((!_protocol)||(_protocol(((const uint8_t *)data)[9]))) { // IP protocol
|
|
|
|
|
if (!_port) |
|
|
|
|
return true; // protocol matches or is ANY, port is ANY
|
|
|
|
|
if ((!_protocol)||(_protocol(((const uint8_t *)data)[9]))) { // protocol is ANY or match
|
|
|
|
|
if (!_port) // port is ANY
|
|
|
|
|
return true; |
|
|
|
|
|
|
|
|
|
// Don't match on fragments beyond fragment 0. If we've blocked
|
|
|
|
|
// fragment 0, further fragments will fall on deaf ears anyway.
|
|
|
|
|
@ -60,22 +61,27 @@ bool Filter::Rule::operator()(unsigned int etype,const void *data,unsigned int l
|
|
|
|
|
|
|
|
|
|
switch(((const uint8_t *)data)[9]) { // port's meaning depends on IP protocol
|
|
|
|
|
case ZT_IPPROTO_ICMP: |
|
|
|
|
return _port(((const uint8_t *)data)[ihl]); // port = ICMP type
|
|
|
|
|
// For ICMP, port is ICMP type
|
|
|
|
|
return _port(((const uint8_t *)data)[ihl]); |
|
|
|
|
case ZT_IPPROTO_TCP: |
|
|
|
|
case ZT_IPPROTO_UDP: |
|
|
|
|
case ZT_IPPROTO_SCTP: |
|
|
|
|
case ZT_IPPROTO_UDPLITE: |
|
|
|
|
return _port(((const uint16_t *)data)[(ihl / 2) + 1]); // destination port
|
|
|
|
|
// For these, port is destination port. Protocol designers were
|
|
|
|
|
// nice enough to put the field in the same place.
|
|
|
|
|
return _port(((const uint16_t *)data)[(ihl / 2) + 1]); |
|
|
|
|
default: |
|
|
|
|
// port has no meaning for other IP types, so ignore it
|
|
|
|
|
return true; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
return false; // no match on port
|
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
} else throw std::invalid_argument("undersized IPv4 packet"); |
|
|
|
|
break; |
|
|
|
|
|
|
|
|
|
case ZT_ETHERTYPE_IPV6: |
|
|
|
|
if (len > 40) { |
|
|
|
|
// see: http://stackoverflow.com/questions/17518951/is-the-ipv6-header-really-this-nutty
|
|
|
|
|
int nextHeader = ((const uint8_t *)data)[6]; |
|
|
|
|
unsigned int pos = 40; |
|
|
|
|
while ((pos < len)&&(nextHeader >= 0)&&(nextHeader != 59)) { // 59 == no next header
|
|
|
|
|
@ -102,9 +108,11 @@ bool Filter::Rule::operator()(unsigned int etype,const void *data,unsigned int l
|
|
|
|
|
case ZT_IPPROTO_ESP: // ESP
|
|
|
|
|
return _protocol(ZT_IPPROTO_ESP); // true if ESP is matched protocol, otherwise false since packet will be IPsec
|
|
|
|
|
case ZT_IPPROTO_ICMPV6: |
|
|
|
|
if (_protocol(ZT_IPPROTO_ICMPV6)) { // only match ICMPv6 if specified
|
|
|
|
|
// Only match ICMPv6 if we've selected it specifically
|
|
|
|
|
if (_protocol(ZT_IPPROTO_ICMPV6)) { |
|
|
|
|
// Port is interpreted as ICMPv6 type
|
|
|
|
|
if ((!_port)||(_port(((const uint8_t *)data)[pos]))) |
|
|
|
|
return true; // protocol matches, port is ANY or matches ICMP type
|
|
|
|
|
return true; |
|
|
|
|
} |
|
|
|
|
break; |
|
|
|
|
case ZT_IPPROTO_TCP: |
|
|
|
|
@ -118,25 +126,75 @@ bool Filter::Rule::operator()(unsigned int etype,const void *data,unsigned int l
|
|
|
|
|
return true; // protocol matches or is ANY, port is ANY or matches
|
|
|
|
|
} |
|
|
|
|
break; |
|
|
|
|
default: { |
|
|
|
|
char foo[128]; |
|
|
|
|
sprintf(foo,"unrecognized IPv6 header type %d",(int)nextHeader); |
|
|
|
|
throw std::invalid_argument(foo); |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
fprintf(stderr,"[rule] V6: end header parse, next header %.2x, new pos %d\n",nextHeader,pos); |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
} else throw std::invalid_argument("undersized IPv6 packet"); |
|
|
|
|
break; |
|
|
|
|
|
|
|
|
|
default: |
|
|
|
|
// For other ethertypes, protocol and port are ignored. What would they mean?
|
|
|
|
|
return true; |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
return false; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
Filter::Filter(const RuntimeEnvironment *renv) : |
|
|
|
|
_r(renv) |
|
|
|
|
std::string Filter::Rule::toString() const |
|
|
|
|
{ |
|
|
|
|
} |
|
|
|
|
char buf[128]; |
|
|
|
|
std::string s; |
|
|
|
|
|
|
|
|
|
Filter::~Filter() |
|
|
|
|
{ |
|
|
|
|
switch(_etherType.magnitude()) { |
|
|
|
|
case 0: |
|
|
|
|
s.push_back('*'); |
|
|
|
|
break; |
|
|
|
|
case 1: |
|
|
|
|
sprintf(buf,"%u",_etherType.start); |
|
|
|
|
s.append(buf); |
|
|
|
|
break; |
|
|
|
|
default: |
|
|
|
|
sprintf(buf,"%u-%u",_etherType.start,_etherType.end); |
|
|
|
|
s.append(buf); |
|
|
|
|
break; |
|
|
|
|
} |
|
|
|
|
s.push_back('/'); |
|
|
|
|
switch(_protocol.magnitude()) { |
|
|
|
|
case 0: |
|
|
|
|
s.push_back('*'); |
|
|
|
|
break; |
|
|
|
|
case 1: |
|
|
|
|
sprintf(buf,"%u",_protocol.start); |
|
|
|
|
s.append(buf); |
|
|
|
|
break; |
|
|
|
|
default: |
|
|
|
|
sprintf(buf,"%u-%u",_protocol.start,_protocol.end); |
|
|
|
|
s.append(buf); |
|
|
|
|
break; |
|
|
|
|
} |
|
|
|
|
s.push_back('/'); |
|
|
|
|
switch(_port.magnitude()) { |
|
|
|
|
case 0: |
|
|
|
|
s.push_back('*'); |
|
|
|
|
break; |
|
|
|
|
case 1: |
|
|
|
|
sprintf(buf,"%u",_port.start); |
|
|
|
|
s.append(buf); |
|
|
|
|
break; |
|
|
|
|
default: |
|
|
|
|
sprintf(buf,"%u-%u",_port.start,_port.end); |
|
|
|
|
s.append(buf); |
|
|
|
|
break; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
return s; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
void Filter::add(const Rule &r,const Action &a) |
|
|
|
|
@ -153,60 +211,18 @@ void Filter::add(const Rule &r,const Action &a)
|
|
|
|
|
|
|
|
|
|
std::string Filter::toString(const char *sep) const |
|
|
|
|
{ |
|
|
|
|
char buf[256]; |
|
|
|
|
|
|
|
|
|
if (!sep) |
|
|
|
|
sep = ","; |
|
|
|
|
|
|
|
|
|
std::string s; |
|
|
|
|
|
|
|
|
|
bool first = true; |
|
|
|
|
Mutex::Lock _l(_chain_m); |
|
|
|
|
for(std::vector<Entry>::const_iterator i(_chain.begin());i!=_chain.end();++i) { |
|
|
|
|
bool first = (i == _chain.begin()); |
|
|
|
|
|
|
|
|
|
s.push_back('['); |
|
|
|
|
|
|
|
|
|
if (i->rule.etherType()) { |
|
|
|
|
if (i->rule.etherType().magnitude() > 1) |
|
|
|
|
sprintf(buf,"%u-%u",i->rule.etherType().start,i->rule.etherType().end); |
|
|
|
|
else sprintf(buf,"%u",i->rule.etherType().start); |
|
|
|
|
s.append(buf); |
|
|
|
|
} else s.push_back('*'); |
|
|
|
|
|
|
|
|
|
s.push_back(';'); |
|
|
|
|
|
|
|
|
|
if (i->rule.protocol()) { |
|
|
|
|
if (i->rule.protocol().magnitude() > 1) |
|
|
|
|
sprintf(buf,"%u-%u",i->rule.protocol().start,i->rule.protocol().end); |
|
|
|
|
else sprintf(buf,"%u",i->rule.protocol().start); |
|
|
|
|
s.append(buf); |
|
|
|
|
} else s.push_back('*'); |
|
|
|
|
|
|
|
|
|
s.push_back(';'); |
|
|
|
|
|
|
|
|
|
if (i->rule.port()) { |
|
|
|
|
if (i->rule.port().magnitude() > 1) |
|
|
|
|
sprintf(buf,"%u-%u",i->rule.port().start,i->rule.port().end); |
|
|
|
|
else sprintf(buf,"%u",i->rule.port().start); |
|
|
|
|
s.append(buf); |
|
|
|
|
} else s.push_back('*'); |
|
|
|
|
|
|
|
|
|
s.append("]:"); |
|
|
|
|
|
|
|
|
|
switch(i->action) { |
|
|
|
|
case ACTION_DENY: |
|
|
|
|
s.append("DENY"); |
|
|
|
|
break; |
|
|
|
|
case ACTION_ALLOW: |
|
|
|
|
s.append("ALLOW"); |
|
|
|
|
break; |
|
|
|
|
case ACTION_LOG: |
|
|
|
|
s.append("LOG"); |
|
|
|
|
break; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
if (!first) |
|
|
|
|
s.append(sep); |
|
|
|
|
s.append(i->rule.toString()); |
|
|
|
|
if (first) |
|
|
|
|
first = false; |
|
|
|
|
else s.append(sep); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
return s; |
|
|
|
|
@ -215,27 +231,137 @@ std::string Filter::toString(const char *sep) const
|
|
|
|
|
const char *Filter::etherTypeName(const unsigned int etherType) |
|
|
|
|
throw() |
|
|
|
|
{ |
|
|
|
|
static char tmp[6]; |
|
|
|
|
switch(etherType) { |
|
|
|
|
case ZT_ETHERTYPE_IPV4: |
|
|
|
|
return "IPV4"; |
|
|
|
|
case ZT_ETHERTYPE_ARP: |
|
|
|
|
return "ARP"; |
|
|
|
|
case ZT_ETHERTYPE_RARP: |
|
|
|
|
return "RARP"; |
|
|
|
|
case ZT_ETHERTYPE_ATALK: |
|
|
|
|
return "ATALK"; |
|
|
|
|
case ZT_ETHERTYPE_AARP: |
|
|
|
|
return "AARP"; |
|
|
|
|
case ZT_ETHERTYPE_IPX_A: |
|
|
|
|
return "IPX_A"; |
|
|
|
|
case ZT_ETHERTYPE_IPX_B: |
|
|
|
|
return "IPX_B"; |
|
|
|
|
case ZT_ETHERTYPE_IPV6: |
|
|
|
|
return "IPV6"; |
|
|
|
|
case ZT_ETHERTYPE_IPV4: return "ETHERTYPE_IPV4"; |
|
|
|
|
case ZT_ETHERTYPE_ARP: return "ETHERTYPE_ARP"; |
|
|
|
|
case ZT_ETHERTYPE_RARP: return "ETHERTYPE_RARP"; |
|
|
|
|
case ZT_ETHERTYPE_ATALK: return "ETHERTYPE_ATALK"; |
|
|
|
|
case ZT_ETHERTYPE_AARP: return "ETHERTYPE_AARP"; |
|
|
|
|
case ZT_ETHERTYPE_IPX_A: return "ETHERTYPE_IPX_A"; |
|
|
|
|
case ZT_ETHERTYPE_IPX_B: return "ETHERTYPE_IPX_B"; |
|
|
|
|
case ZT_ETHERTYPE_IPV6: return "ETHERTYPE_IPV6"; |
|
|
|
|
} |
|
|
|
|
return UNKNOWN_NAME; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
const char *Filter::ipProtocolName(const unsigned int ipp) |
|
|
|
|
throw() |
|
|
|
|
{ |
|
|
|
|
switch(ipp) { |
|
|
|
|
case ZT_IPPROTO_ICMP: return "IPPROTO_ICMP"; |
|
|
|
|
case ZT_IPPROTO_IGMP: return "IPPROTO_IGMP"; |
|
|
|
|
case ZT_IPPROTO_TCP: return "IPPROTO_TCP"; |
|
|
|
|
case ZT_IPPROTO_UDP: return "IPPROTO_UDP"; |
|
|
|
|
case ZT_IPPROTO_GRE: return "IPPROTO_GRE"; |
|
|
|
|
case ZT_IPPROTO_ESP: return "IPPROTO_ESP"; |
|
|
|
|
case ZT_IPPROTO_AH: return "IPPROTO_AH"; |
|
|
|
|
case ZT_IPPROTO_ICMPV6: return "IPPROTO_ICMPV6"; |
|
|
|
|
case ZT_IPPROTO_OSPF: return "IPPROTO_OSPF"; |
|
|
|
|
case ZT_IPPROTO_IPIP: return "IPPROTO_IPIP"; |
|
|
|
|
case ZT_IPPROTO_IPCOMP: return "IPPROTO_IPCOMP"; |
|
|
|
|
case ZT_IPPROTO_L2TP: return "IPPROTO_L2TP"; |
|
|
|
|
case ZT_IPPROTO_SCTP: return "IPPROTO_SCTP"; |
|
|
|
|
case ZT_IPPROTO_FC: return "IPPROTO_FC"; |
|
|
|
|
case ZT_IPPROTO_UDPLITE: return "IPPROTO_UDPLITE"; |
|
|
|
|
case ZT_IPPROTO_HIP: return "IPPROTO_HIP"; |
|
|
|
|
} |
|
|
|
|
return UNKNOWN_NAME; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
const char *Filter::icmpTypeName(const unsigned int icmpType) |
|
|
|
|
throw() |
|
|
|
|
{ |
|
|
|
|
switch(icmpType) { |
|
|
|
|
case ZT_ICMP_ECHO_REPLY: return "ICMP_ECHO_REPLY"; |
|
|
|
|
case ZT_ICMP_DESTINATION_UNREACHABLE: return "ICMP_DESTINATION_UNREACHABLE"; |
|
|
|
|
case ZT_ICMP_SOURCE_QUENCH: return "ICMP_SOURCE_QUENCH"; |
|
|
|
|
case ZT_ICMP_REDIRECT: return "ICMP_REDIRECT"; |
|
|
|
|
case ZT_ICMP_ALTERNATE_HOST_ADDRESS: return "ICMP_ALTERNATE_HOST_ADDRESS"; |
|
|
|
|
case ZT_ICMP_ECHO_REQUEST: return "ICMP_ECHO_REQUEST"; |
|
|
|
|
case ZT_ICMP_ROUTER_ADVERTISEMENT: return "ICMP_ROUTER_ADVERTISEMENT"; |
|
|
|
|
case ZT_ICMP_ROUTER_SOLICITATION: return "ICMP_ROUTER_SOLICITATION"; |
|
|
|
|
case ZT_ICMP_TIME_EXCEEDED: return "ICMP_TIME_EXCEEDED"; |
|
|
|
|
case ZT_ICMP_BAD_IP_HEADER: return "ICMP_BAD_IP_HEADER"; |
|
|
|
|
case ZT_ICMP_TIMESTAMP: return "ICMP_TIMESTAMP"; |
|
|
|
|
case ZT_ICMP_TIMESTAMP_REPLY: return "ICMP_TIMESTAMP_REPLY"; |
|
|
|
|
case ZT_ICMP_INFORMATION_REQUEST: return "ICMP_INFORMATION_REQUEST"; |
|
|
|
|
case ZT_ICMP_INFORMATION_REPLY: return "ICMP_INFORMATION_REPLY"; |
|
|
|
|
case ZT_ICMP_ADDRESS_MASK_REQUEST: return "ICMP_ADDRESS_MASK_REQUEST"; |
|
|
|
|
case ZT_ICMP_ADDRESS_MASK_REPLY: return "ICMP_ADDRESS_MASK_REPLY"; |
|
|
|
|
case ZT_ICMP_TRACEROUTE: return "ICMP_TRACEROUTE"; |
|
|
|
|
case ZT_ICMP_MOBILE_HOST_REDIRECT: return "ICMP_MOBILE_HOST_REDIRECT"; |
|
|
|
|
case ZT_ICMP_MOBILE_REGISTRATION_REQUEST: return "ICMP_MOBILE_REGISTRATION_REQUEST"; |
|
|
|
|
case ZT_ICMP_MOBILE_REGISTRATION_REPLY: return "ICMP_MOBILE_REGISTRATION_REPLY"; |
|
|
|
|
} |
|
|
|
|
return UNKNOWN_NAME; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
const char *Filter::icmp6TypeName(const unsigned int icmp6Type) |
|
|
|
|
throw() |
|
|
|
|
{ |
|
|
|
|
switch(icmp6Type) { |
|
|
|
|
case ZT_ICMP6_DESTINATION_UNREACHABLE: return "ICMP6_DESTINATION_UNREACHABLE"; |
|
|
|
|
case ZT_ICMP6_PACKET_TOO_BIG: return "ICMP6_PACKET_TOO_BIG"; |
|
|
|
|
case ZT_ICMP6_TIME_EXCEEDED: return "ICMP6_TIME_EXCEEDED"; |
|
|
|
|
case ZT_ICMP6_PARAMETER_PROBLEM: return "ICMP6_PARAMETER_PROBLEM"; |
|
|
|
|
case ZT_ICMP6_ECHO_REQUEST: return "ICMP6_ECHO_REQUEST"; |
|
|
|
|
case ZT_ICMP6_ECHO_REPLY: return "ICMP6_ECHO_REPLY"; |
|
|
|
|
case ZT_ICMP6_MULTICAST_LISTENER_QUERY: return "ICMP6_MULTICAST_LISTENER_QUERY"; |
|
|
|
|
case ZT_ICMP6_MULTICAST_LISTENER_REPORT: return "ICMP6_MULTICAST_LISTENER_REPORT"; |
|
|
|
|
case ZT_ICMP6_MULTICAST_LISTENER_DONE: return "ICMP6_MULTICAST_LISTENER_DONE"; |
|
|
|
|
case ZT_ICMP6_ROUTER_SOLICITATION: return "ICMP6_ROUTER_SOLICITATION"; |
|
|
|
|
case ZT_ICMP6_ROUTER_ADVERTISEMENT: return "ICMP6_ROUTER_ADVERTISEMENT"; |
|
|
|
|
case ZT_ICMP6_NEIGHBOR_SOLICITATION: return "ICMP6_NEIGHBOR_SOLICITATION"; |
|
|
|
|
case ZT_ICMP6_NEIGHBOR_ADVERTISEMENT: return "ICMP6_NEIGHBOR_ADVERTISEMENT"; |
|
|
|
|
case ZT_ICMP6_REDIRECT_MESSAGE: return "ICMP6_REDIRECT_MESSAGE"; |
|
|
|
|
case ZT_ICMP6_ROUTER_RENUMBERING: return "ICMP6_ROUTER_RENUMBERING"; |
|
|
|
|
case ZT_ICMP6_NODE_INFORMATION_QUERY: return "ICMP6_NODE_INFORMATION_QUERY"; |
|
|
|
|
case ZT_ICMP6_NODE_INFORMATION_RESPONSE: return "ICMP6_NODE_INFORMATION_RESPONSE"; |
|
|
|
|
case ZT_ICMP6_INV_NEIGHBOR_SOLICITATION: return "ICMP6_INV_NEIGHBOR_SOLICITATION"; |
|
|
|
|
case ZT_ICMP6_INV_NEIGHBOR_ADVERTISEMENT: return "ICMP6_INV_NEIGHBOR_ADVERTISEMENT"; |
|
|
|
|
case ZT_ICMP6_MLDV2: return "ICMP6_MLDV2"; |
|
|
|
|
case ZT_ICMP6_HOME_AGENT_ADDRESS_DISCOVERY_REQUEST: return "ICMP6_HOME_AGENT_ADDRESS_DISCOVERY_REQUEST"; |
|
|
|
|
case ZT_ICMP6_HOME_AGENT_ADDRESS_DISCOVERY_REPLY: return "ICMP6_HOME_AGENT_ADDRESS_DISCOVERY_REPLY"; |
|
|
|
|
case ZT_ICMP6_MOBILE_PREFIX_SOLICITATION: return "ICMP6_MOBILE_PREFIX_SOLICITATION"; |
|
|
|
|
case ZT_ICMP6_MOBILE_PREFIX_ADVERTISEMENT: return "ICMP6_MOBILE_PREFIX_ADVERTISEMENT"; |
|
|
|
|
case ZT_ICMP6_CERTIFICATION_PATH_SOLICITATION: return "ICMP6_CERTIFICATION_PATH_SOLICITATION"; |
|
|
|
|
case ZT_ICMP6_CERTIFICATION_PATH_ADVERTISEMENT: return "ICMP6_CERTIFICATION_PATH_ADVERTISEMENT"; |
|
|
|
|
case ZT_ICMP6_MULTICAST_ROUTER_ADVERTISEMENT: return "ICMP6_MULTICAST_ROUTER_ADVERTISEMENT"; |
|
|
|
|
case ZT_ICMP6_MULTICAST_ROUTER_SOLICITATION: return "ICMP6_MULTICAST_ROUTER_SOLICITATION"; |
|
|
|
|
case ZT_ICMP6_MULTICAST_ROUTER_TERMINATION: return "ICMP6_MULTICAST_ROUTER_TERMINATION"; |
|
|
|
|
case ZT_ICMP6_RPL_CONTROL_MESSAGE: return "ICMP6_RPL_CONTROL_MESSAGE"; |
|
|
|
|
} |
|
|
|
|
sprintf(tmp,"%.4x",etherType); |
|
|
|
|
return tmp; // technically not thread safe, but we're only going to see this in debugging if ever
|
|
|
|
|
return UNKNOWN_NAME; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
Filter::Action Filter::operator()(const RuntimeEnvironment *_r,unsigned int etherType,const void *frame,unsigned int len) const |
|
|
|
|
{ |
|
|
|
|
Mutex::Lock _l(_chain_m); |
|
|
|
|
|
|
|
|
|
int ruleNo = 0; |
|
|
|
|
for(std::vector<Entry>::const_iterator r(_chain.begin());r!=_chain.end();++r,++ruleNo) { |
|
|
|
|
try { |
|
|
|
|
if (r->rule(etherType,frame,len)) { |
|
|
|
|
switch(r->action) { |
|
|
|
|
case ACTION_ALLOW: |
|
|
|
|
case ACTION_DENY: |
|
|
|
|
return r->action; |
|
|
|
|
case ACTION_LOG: |
|
|
|
|
break; |
|
|
|
|
default: |
|
|
|
|
break; |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
} catch (std::invalid_argument &exc) { |
|
|
|
|
LOG("filter: unable to parse packet on rule %s (%d): %s",r->rule.toString().c_str(),ruleNo,exc.what()); |
|
|
|
|
return ACTION_UNPARSEABLE; |
|
|
|
|
} catch ( ... ) { |
|
|
|
|
LOG("filter: unable to parse packet on rule %s (%d): unknown exception",r->rule.toString().c_str(),ruleNo); |
|
|
|
|
return ACTION_UNPARSEABLE; |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
return ACTION_ALLOW; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
} // namespace ZeroTier
|
|
|
|
|
|
Adam Ierymenko
13 years ago