-converting regular expressions of vpn/pt to non-binary format and adding proper policy parsing

author: Christian Grothoff <christian@grothoff.org> 2013-10-26 14:34:39 +0000
committer: Christian Grothoff <christian@grothoff.org> 2013-10-26 14:34:39 +0000
commit: 0c9ca79b2eb820c3266e9117f3ba9179cbdc2ff1 (patch)
tree: 434cab0d8aa45a4edc2cf9bd91c89bf3f2d5061b /src/tun
parent: aeb922926c639ffdd992f96cd125e47bb0e2c301 (diff)
download: gnunet-0c9ca79b2eb820c3266e9117f3ba9179cbdc2ff1.tar.gz
gnunet-0c9ca79b2eb820c3266e9117f3ba9179cbdc2ff1.zip
2 files changed, 444 insertions, 117 deletions
diff --git a/src/tun/regex.c b/src/tun/regex.c
index 87e75b511..3d3ebd8ba 100644
--- a/src/tun/regex.c
+++ b/src/tun/regex.c
@@ -21,6 +21,7 @@
 * @file src/tun/regex.c
 * @brief functions to convert IP networks to regexes
 * @author Maximilian Szengel
+ * @author Christian Grothoff
 */
 #include "platform.h"
 #include "gnunet_util_lib.h"
@@ -28,114 +29,311 @@
 /**
- * Create a string with binary IP notation for the given 'addr' in 'str'.
+ * Create a regex in @a rxstr from the given @a ip and @a netmask.
 *
- * @param af address family of the given 'addr'.
+ * @param ip IPv4 representation.
- * @param addr address that should be converted to a string.
+ * @param port destination port
- *             struct in_addr * for IPv4 and struct in6_addr * for IPv6.
+ * @param rxstr generated regex, must be at least #GNUNET_TUN_IPV4_REGEXLEN
- * @param str string that will contain binary notation of 'addr'. Expected
+ *              bytes long.
- *            to be at least 33 bytes long for IPv4 and 129 bytes long for IPv6.
+ */
+void
+GNUNET_TUN_ipv4toregexsearch (const struct in_addr *ip,
+                              uint16_t port,
+                              char *rxstr)
+{
+  GNUNET_snprintf (rxstr,
+                   GNUNET_TUN_IPV4_REGEXLEN,
+                   "4-%04X-%08X",
+                   (unsigned int) port,
+                   ntohl (ip->s_addr));
+}
+/**
+ * Create a regex in @a rxstr from the given @a ipv6 and @a prefixlen.
+ *
+ * @param ipv6 IPv6 representation.
+ * @param port destination port
+ * @param rxstr generated regex, must be at least #GNUNET_TUN_IPV6_REGEXLEN
+ *              bytes long.
+ */
+void
+GNUNET_TUN_ipv6toregexsearch (const struct in6_addr *ipv6,
+                              uint16_t port,
+                              char *rxstr)
+{
+  const uint32_t *addr;
+  addr = (const uint32_t *) ipv6;
+  GNUNET_snprintf (rxstr,
+                   GNUNET_TUN_IPV6_REGEXLEN,
+                   "6-%04X-%08X%08X%08X%08X",
+                   (unsigned int) port,
+                   ntohl (addr[0]),
+                   ntohl (addr[1]),
+                   ntohl (addr[2]),
+                   ntohl (addr[3]));
+}
+/**
+ * Convert the given 4-bit (!) number to a regex.
+ *
+ * @param value the value, only the lowest 4 bits will be looked at
+ * @param mask which bits in value are wildcards (any value)?
 */
-static void
+static char *
-iptobinstr (const int af, const void *addr, char *str)
+nibble_to_regex (uint8_t value,
+                 uint8_t mask)
 {
-  int i;
+  char *ret;
-  switch (af)
+  value &= mask;
+  switch (mask)
  {
-    case AF_INET:
+  case 0:
-    {
+    return GNUNET_strdup ("."); /* wildcard */
-      uint32_t b = htonl (((struct in_addr *) addr)->s_addr);
+  case 8:
+    GNUNET_asprintf (&ret,
-      str[32] = '\0';
+                     "(%X|%X|%X|%X|%X|%X|%X|%X)",
-          str += 31;
+                     value,
-          for (i = 31; i >= 0; i--)
+                     value + 1,
-          {
+                     value + 2,
-            *str = (b & 1) + '0';
+                     value + 3,
-            str--;
+                     value + 4,
-            b >>= 1;
+                     value + 5,
-          }
+                     value + 6,
-              break;
+                     value + 7);
-    }
+    return ret;
-    case AF_INET6:
+  case 12:
+    GNUNET_asprintf (&ret,
+                     "(%X|%X|%X|%X)",
+                     value,
+                     value + 1,
+                     value + 2,
+                     value + 3);
+    return ret;
+  case 14:
+    GNUNET_asprintf (&ret,
+                     "(%X|%X)",
+                     value,
+                     value + 1);
+    return ret;
+  case 15:
+    GNUNET_asprintf (&ret,
+                     "%X",
+                     value);
+    return ret;
+  default:
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                "Bad mask: %d\n",
+                mask);
+    GNUNET_break (0);
+    return NULL;
+  }
+}
+/**
+ * Convert the given 16-bit number to a regex.
+ *
+ * @param value the value
+ * @param mask which bits in value are wildcards (any value)?
+ */
+static char *
+num_to_regex (uint16_t value,
+              uint16_t mask)
+{
+  const uint8_t *v = (const uint8_t *) &value;
+  const uint8_t *m = (const uint8_t *) &mask;
+  char *a;
+  char *b;
+  char *c;
+  char *d;
+  char *ret;
+  a = nibble_to_regex (v[0] >> 4, m[0] >> 4);
+  b = nibble_to_regex (v[0] & 15, m[0] & 15);
+  c = nibble_to_regex (v[1] >> 4, m[1] >> 4);
+  d = nibble_to_regex (v[1] & 15, m[1] & 15);
+  ret = NULL;
+  if ( (NULL != a) &&
+       (NULL != b) &&
+       (NULL != c) &&
+       (NULL != d) )
+    GNUNET_asprintf (&ret,
+                     "%s%s%s%s",
+                     a, b, c, d);
+  GNUNET_free_non_null (a);
+  GNUNET_free_non_null (b);
+  GNUNET_free_non_null (c);
+  GNUNET_free_non_null (d);
+  return ret;
+}
+/**
+ * Convert a port policy to a regular expression.  Note: this is a
+ * very simplistic implementation, we might want to consider doing
+ * something more sophisiticated (resulting in smaller regular
+ * expressions) at a later time.
+ *
+ * @param pp port policy to convert
+ * @return NULL on error
+ */
+static char *
+port_to_regex (const struct GNUNET_STRINGS_PortPolicy *pp)
+{
+  char *reg;
+  char *ret;
+  char *tmp;
+  unsigned int i;
+  if ( (0 == pp->start_port) ||
+       ( (1 == pp->start_port) &&
+         (0xFFFF == pp->end_port) &&
+         (GNUNET_NO == pp->negate_portrange)) )
+    return GNUNET_strdup ("....");
+  if ( (pp->start_port == pp->end_port) &&
+       (GNUNET_NO == pp->negate_portrange))
+  {
+    GNUNET_asprintf (&ret,
+                     "%04X",
+                     pp->start_port);
+    return ret;
+  }
+  reg = NULL;
+  for (i=1;i<=0xFFFF;i++)
+  {
+    if ( ( (i >= pp->start_port) && (i <= pp->end_port) ) ^
+         (GNUNET_YES == pp->negate_portrange) )
    {
-      struct in6_addr b = *(const struct in6_addr *) addr;
+      if (NULL == reg)
+      {
-      str[128] = '\0';
+        GNUNET_asprintf (&tmp,
-            str += 127;
+                         "%04X",
-            for (i = 127; i >= 0; i--)
+                         i);
-            {
+      }
-              *str = (b.s6_addr[i / 8] & 1) + '0';
+      else
-            str--;
+      {
-            b.s6_addr[i / 8] >>= 1;
+        GNUNET_asprintf (&tmp,
-            }
+                         "%s|%04X",
-                break;
+                         reg,
+                         i);
+        GNUNET_free (reg);
+      }
+      reg = tmp;
    }
  }
+  GNUNET_asprintf (&ret,
+                   "(%s)",
+                   reg);
+  GNUNET_free (reg);
+  return ret;
 }
 /**
- * Get the ipv4 network prefix from the given 'netmask'.
+ * Convert an address (IPv4 or IPv6) to a regex.
 *
- * @param netmask netmask for which to get the prefix len.
+ * @param addr address
- *
+ * @param mask network mask
- * @return length of ipv4 prefix for 'netmask'.
+ * @param len number of bytes in @a addr and @a mask
+ * @return NULL on error, otherwise regex for the address
 */
-static unsigned int
+static char *
-ipv4netmasktoprefixlen (const char *netmask)
+address_to_regex (const void *addr,
+                  const void *mask,
+                  size_t len)
 {
-  struct in_addr a;
+  const uint16_t *a = addr;
-  unsigned int len;
+  const uint16_t *m = mask;
-  uint32_t t;
+  char *ret;
+  char *tmp;
-  if (1 != inet_pton (AF_INET, netmask, &a))
+  char *reg;
-    return 0;
+  unsigned int i;
-  len = 32;
-  for (t = htonl (~a.s_addr); 0 != t; t >>= 1)
+  ret = NULL;
-    len--;
+  GNUNET_assert (1 != (len % 2));
-  return len;
+  for (i=0;i<len / 2;i++)
+  {
+    reg = num_to_regex (a[i], m[i]);
+    if (NULL == reg)
+    {
+      GNUNET_free_non_null (ret);
+      return NULL;
+    }
+    if (NULL == ret)
+    {
+      ret = reg;
+    }
+    else
+    {
+      GNUNET_asprintf (&tmp,
+                       "%s%s",
+                       ret, reg);
+      GNUNET_free (ret);
+      GNUNET_free (reg);
+      ret = tmp;
+    }
+  }
+  return ret;
 }
 /**
- * Create a regex in 'rxstr' from the given 'ip' and 'netmask'.
+ * Convert a single line of an IPv4 policy to a regular expression.
 *
- * @param ip IPv4 representation.
+ * @param v4 line to convert
- * @param netmask netmask for the ip.
+ * @return NULL on error
- * @param rxstr generated regex, must be at least GNUNET_REGEX_IPV4_REGEXLEN
- *              bytes long.
 */
-void
+static char *
-GNUNET_TUN_ipv4toregexsearch (const struct in_addr *ip, const char *netmask,
+ipv4_to_regex (const struct GNUNET_STRINGS_IPv4NetworkPolicy *v4)
-                        char *rxstr)
 {
-  unsigned int pfxlen;
+  char *reg;
+  char *pp;
+  char *ret;
-  pfxlen = ipv4netmasktoprefixlen (netmask);
+  reg = address_to_regex (&v4->network,
-  iptobinstr (AF_INET, ip, rxstr);
+                          &v4->netmask,
-  rxstr[pfxlen] = '\0';
+                          sizeof (struct in_addr));
-            if (pfxlen < 32)
+  if (NULL == reg)
-              strcat (rxstr, "(0|1)+");
+    return NULL;
+  pp = port_to_regex (&v4->pp);
+  GNUNET_asprintf (&ret,
+                   "4-%s-%s",
+                   pp, reg);
+  GNUNET_free (pp);
+  GNUNET_free (reg);
+  return ret;
 }
 /**
- * Create a regex in 'rxstr' from the given 'ipv6' and 'prefixlen'.
+ * Convert a single line of an IPv4 policy to a regular expression.
 *
- * @param ipv6 IPv6 representation.
+ * @param v6 line to convert
- * @param prefixlen length of the ipv6 prefix.
+ * @return NULL on error
- * @param rxstr generated regex, must be at least GNUNET_REGEX_IPV6_REGEXLEN
- *              bytes long.
 */
-void
+static char *
-GNUNET_TUN_ipv6toregexsearch (const struct in6_addr *ipv6, unsigned int prefixlen,
+ipv6_to_regex (const struct GNUNET_STRINGS_IPv6NetworkPolicy *v6)
-                        char *rxstr)
 {
-  iptobinstr (AF_INET6, ipv6, rxstr);
+  char *reg;
-  rxstr[prefixlen] = '\0';
+  char *pp;
-    if (prefixlen < 128)
+  char *ret;
-      strcat (rxstr, "(0|1)+");
+  reg = address_to_regex (&v6->network,
+                          &v6->netmask,
+                          sizeof (struct in6_addr));
+  if (NULL == reg)
+    return NULL;
+  pp = port_to_regex (&v6->pp);
+  GNUNET_asprintf (&ret,
+                   "6-%s-%s",
+                   pp, reg);
+  GNUNET_free (pp);
+  GNUNET_free (reg);
+  return ret;
 }
@@ -151,8 +349,39 @@ GNUNET_TUN_ipv6toregexsearch (const struct in6_addr *ipv6, unsigned int prefixle
 char *
 GNUNET_TUN_ipv4policy2regex (const char *policy)
 {
-  // FIXME: do actual policy parsing here, see #2919
+  struct GNUNET_STRINGS_IPv4NetworkPolicy *np;
-  return GNUNET_strdup (policy);
+  char *reg;
+  char *tmp;
+  char *line;
+  unsigned int i;
+  np = GNUNET_STRINGS_parse_ipv4_policy (policy);
+  if (NULL == np)
+    return NULL;
+  reg = NULL;
+  for (i=0; 0 != np[i].network.s_addr; i++)
+  {
+    line = ipv4_to_regex (&np[i]);
+    if (NULL == line)
+    {
+      GNUNET_free_non_null (reg);
+      return NULL;
+    }
+    if (NULL == reg)
+    {
+      reg = line;
+    }
+    else
+    {
+      GNUNET_asprintf (&tmp,
+                       "%s|(%s)",
+                       reg, line);
+      GNUNET_free (reg);
+      GNUNET_free (line);
+      reg = tmp;
+    }
+  }
+  return reg;
 }
@@ -160,7 +389,7 @@ GNUNET_TUN_ipv4policy2regex (const char *policy)
 * Convert an exit policy to a regular expression.  The exit policy
 * specifies a set of subnets this peer is willing to serve as an
 * exit for; the resulting regular expression will match the
- * IPv4 address strings as returned by 'GNUNET_TUN_ipv4toregexsearch'.
+ * IPv6 address strings as returned by 'GNUNET_TUN_ipv6toregexsearch'.
 *
 * @param policy exit policy specification
 * @return regular expression, NULL on error
@@ -168,8 +397,41 @@ GNUNET_TUN_ipv4policy2regex (const char *policy)
 char *
 GNUNET_TUN_ipv6policy2regex (const char *policy)
 {
-  // FIXME: do actual policy parsing here, see #2919
+  struct in6_addr zero;
-  return GNUNET_strdup (policy);
+  struct GNUNET_STRINGS_IPv6NetworkPolicy *np;
+  char *reg;
+  char *tmp;
+  char *line;
+  unsigned int i;
+  np = GNUNET_STRINGS_parse_ipv6_policy (policy);
+  if (NULL == np)
+    return NULL;
+  reg = NULL;
+  memset (&zero, 0, sizeof (struct in6_addr));
+  for (i=0; 0 != memcmp (&zero, &np[i].network, sizeof (struct in6_addr)); i++)
+  {
+    line = ipv6_to_regex (&np[i]);
+    if (NULL == line)
+    {
+      GNUNET_free_non_null (reg);
+      return NULL;
+    }
+    if (NULL == reg)
+    {
+      reg = line;
+    }
+    else
+    {
+      GNUNET_asprintf (&tmp,
+                       "%s|(%s)",
+                       reg, line);
+      GNUNET_free (reg);
+      GNUNET_free (line);
+      reg = tmp;
+    }
+  }
+  return reg;
 }
diff --git a/src/tun/test_regex.c b/src/tun/test_regex.c
index a0c3e99fd..341d8b9a0 100644
--- a/src/tun/test_regex.c
+++ b/src/tun/test_regex.c
@@ -27,8 +27,11 @@
 static int
-test_iptoregex (const char *ipv4, const char *netmask, const char *expectedv4,
+test_iptoregex (const char *ipv4,
-                const char *ipv6, unsigned int prefixlen,
+                uint16_t port,
+                const char *expectedv4,
+                const char *ipv6,
+                uint16_t port6,
                const char *expectedv6)
 {
  int error = 0;
@@ -39,29 +42,82 @@ test_iptoregex (const char *ipv4, const char *netmask, const char *expectedv4,
  char rxv6[GNUNET_TUN_IPV6_REGEXLEN];
  GNUNET_assert (1 == inet_pton (AF_INET, ipv4, &a));
-  GNUNET_TUN_ipv4toregexsearch (&a, netmask, rxv4);
+  GNUNET_TUN_ipv4toregexsearch (&a, port, rxv4);
  if (0 != strcmp (rxv4, expectedv4))
  {
-    GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Expected: %s but got: %s\n",
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
-                expectedv4, rxv4);
+                "Expected: %s but got: %s\n",
+                expectedv4,
+                rxv4);
    error++;
  }
  GNUNET_assert (1 == inet_pton (AF_INET6, ipv6, &b));
-  GNUNET_TUN_ipv6toregexsearch (&b, prefixlen, rxv6);
+  GNUNET_TUN_ipv6toregexsearch (&b, port6, rxv6);
  if (0 != strcmp (rxv6, expectedv6))
  {
-    GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Expected: %s but got: %s\n",
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Expected: %s but got: %s\n",
                expectedv6, rxv6);
    error++;
  }
  return error;
 }
+static int
+test_policy4toregex (const char *policy,
+                     const char *regex)
+{
+  char *r;
+  int ret;
+  ret = 0;
+  r = GNUNET_TUN_ipv4policy2regex (policy);
+  if (NULL == r)
+  {
+    GNUNET_break (0);
+    return 1;
+  }
+  if (0 != strcmp (regex, r))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Expected: `%s' but got: `%s'\n",
+                regex, r);
+    ret = 2;
+  }
+  GNUNET_free (r);
+  return ret;
+}
+static int
+test_policy6toregex (const char *policy,
+                     const char *regex)
+{
+  char *r;
+  int ret;
+  ret = 0;
+  r = GNUNET_TUN_ipv6policy2regex (policy);
+  if (NULL == r)
+  {
+    GNUNET_break (0);
+    return 1;
+  }
+  if (0 != strcmp (regex, r))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Expected: `%s' but got: `%s'\n",
+                regex, r);
+    ret = 2;
+  }
+  GNUNET_free (r);
+  return ret;
+}
 int
 main (int argc, char *argv[])
 {
@@ -72,32 +128,41 @@ main (int argc, char *argv[])
  error = 0;
  error +=
-      test_iptoregex ("192.0.0.0", "255.255.255.0",
+    test_iptoregex ("192.1.2.3", 2086,
-                      "110000000000000000000000(0|1)+", "FFFF::0", 16,
+                    "4-0826-C0010203",
-                      "1111111111111111(0|1)+");
+                    "FFFF::1", 8080,
+                    "6-1F90-FFFF0000000000000000000000000001");
  error +=
-      test_iptoregex ("187.238.225.0", "255.255.255.128",
+    test_iptoregex ("187.238.255.0", 80,
-                      "1011101111101110111000010(0|1)+", "E1E1:73F9:51BE::0",
+                    "4-0050-BBEEFF00",
-                      49,
+                    "E1E1:73F9:51BE::0", 49,
-                      "1110000111100001011100111111100101010001101111100(0|1)+");
+                    "6-0031-E1E173F951BE00000000000000000000");
  error +=
-      test_iptoregex ("255.255.255.255", "255.255.255.255",
+    test_policy4toregex ("192.1.2.0/24:80;",
-                      "11111111111111111111111111111111",
+                         "4-0050-C00102..");
-                      "FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF", 128,
-                      "11111111111111111111111111111111"
-                      "11111111111111111111111111111111"
-                      "11111111111111111111111111111111"
-                      "11111111111111111111111111111111");
  error +=
-      test_iptoregex ("0.0.0.0", "255.255.255.255",
+    test_policy4toregex ("192.1.0.0/16;",
-                      "00000000000000000000000000000000", "0::0", 128,
+                         "4-....-C001....");
-                      "00000000000000000000000000000000"
+  error +=
-                      "00000000000000000000000000000000"
+    test_policy4toregex ("192.1.0.0/16:80-81;",
-                      "00000000000000000000000000000000"
+                         "4-(0050|0051)-C001....");
-                      "00000000000000000000000000000000");
+  error +=
+    test_policy4toregex ("192.1.0.0/8:!3-65535;",
+                         "4-(0001|0002)-C0......");
+  error +=
+    test_policy6toregex ("E1E1::1;",
+                         "6-....-E1E10000000000000000000000000001");
+  error +=
+    test_policy6toregex ("E1E1:ABCD::1/120;",
+                         "6-....-E1E1ABCD0000000000000000000000..");
+  error +=
+    test_policy6toregex ("E1E1:ABCD::ABCD/126;",
+                         "6-....-E1E1ABCD00000000000000000000ABC(C|D|E|F)");
+  error +=
+    test_policy6toregex ("E1E1:ABCD::ABCD/127;",
+                         "6-....-E1E1ABCD00000000000000000000ABC(C|D)");
+  error +=
+    test_policy6toregex ("E1E1:ABCD::ABCD/128:80;",
+                         "6-0050-E1E1ABCD00000000000000000000ABCD");
  return error;
 }
author	Christian Grothoff <christian@grothoff.org>	2013-10-26 14:34:39 +0000
committer	Christian Grothoff <christian@grothoff.org>	2013-10-26 14:34:39 +0000
commit	0c9ca79b2eb820c3266e9117f3ba9179cbdc2ff1 (patch)
tree	434cab0d8aa45a4edc2cf9bd91c89bf3f2d5061b /src/tun
parent	aeb922926c639ffdd992f96cd125e47bb0e2c301 (diff)
download	gnunet-0c9ca79b2eb820c3266e9117f3ba9179cbdc2ff1.tar.gz gnunet-0c9ca79b2eb820c3266e9117f3ba9179cbdc2ff1.zip

diff --git a/src/tun/regex.c b/src/tun/regex.c index 87e75b511..3d3ebd8ba 100644 --- a/src/tun/regex.c +++ b/src/tun/regex.c
@@ -21,6 +21,7 @@
21	* @file src/tun/regex.c	21	* @file src/tun/regex.c
22	* @brief functions to convert IP networks to regexes	22	* @brief functions to convert IP networks to regexes
23	* @author Maximilian Szengel	23	* @author Maximilian Szengel
		24	* @author Christian Grothoff
24	*/	25	*/
25	#include "platform.h"	26	#include "platform.h"
26	#include "gnunet_util_lib.h"	27	#include "gnunet_util_lib.h"
@@ -28,114 +29,311 @@
28		29
29		30
30	/**	31	/**
31	* Create a string with binary IP notation for the given 'addr' in 'str'.	32	* Create a regex in @a rxstr from the given @a ip and @a netmask.
32	*	33	*
33	* @param af address family of the given 'addr'.	34	* @param ip IPv4 representation.
34	* @param addr address that should be converted to a string.	35	* @param port destination port
35	* struct in_addr * for IPv4 and struct in6_addr * for IPv6.	36	* @param rxstr generated regex, must be at least #GNUNET_TUN_IPV4_REGEXLEN
36	* @param str string that will contain binary notation of 'addr'. Expected	37	* bytes long.
37	* to be at least 33 bytes long for IPv4 and 129 bytes long for IPv6.	38	*/
		39	void
		40	GNUNET_TUN_ipv4toregexsearch (const struct in_addr *ip,
		41	uint16_t port,
		42	char *rxstr)
		43	{
		44	GNUNET_snprintf (rxstr,
		45	GNUNET_TUN_IPV4_REGEXLEN,
		46	"4-%04X-%08X",
		47	(unsigned int) port,
		48	ntohl (ip->s_addr));
		49	}
		50
		51
		52	/**
		53	* Create a regex in @a rxstr from the given @a ipv6 and @a prefixlen.
		54	*
		55	* @param ipv6 IPv6 representation.
		56	* @param port destination port
		57	* @param rxstr generated regex, must be at least #GNUNET_TUN_IPV6_REGEXLEN
		58	* bytes long.
		59	*/
		60	void
		61	GNUNET_TUN_ipv6toregexsearch (const struct in6_addr *ipv6,
		62	uint16_t port,
		63	char *rxstr)
		64	{
		65	const uint32_t *addr;
		66
		67	addr = (const uint32_t *) ipv6;
		68	GNUNET_snprintf (rxstr,
		69	GNUNET_TUN_IPV6_REGEXLEN,
		70	"6-%04X-%08X%08X%08X%08X",
		71	(unsigned int) port,
		72	ntohl (addr[0]),
		73	ntohl (addr[1]),
		74	ntohl (addr[2]),
		75	ntohl (addr[3]));
		76	}
		77
		78
		79	/**
		80	* Convert the given 4-bit (!) number to a regex.
		81	*
		82	* @param value the value, only the lowest 4 bits will be looked at
		83	* @param mask which bits in value are wildcards (any value)?
38	*/	84	*/
39	static void	85	static char *
40	iptobinstr (const int af, const void addr, char str)	86	nibble_to_regex (uint8_t value,
		87	uint8_t mask)
41	{	88	{
42	int i;	89	char *ret;
43		90
44	switch (af)	91	value &= mask;
		92	switch (mask)
45	{	93	{
46	case AF_INET:	94	case 0:
47	{	95	return GNUNET_strdup ("."); /* wildcard */
48	uint32_t b = htonl (((struct in_addr *) addr)->s_addr);	96	case 8:
49		97	GNUNET_asprintf (&ret,
50	str[32] = '\0';	98	"(%X\|%X\|%X\|%X\|%X\|%X\|%X\|%X)",
51	str += 31;	99	value,
52	for (i = 31; i >= 0; i--)	100	value + 1,
53	{	101	value + 2,
54	*str = (b & 1) + '0';	102	value + 3,
55	str--;	103	value + 4,
56	b >>= 1;	104	value + 5,
57	}	105	value + 6,
58	break;	106	value + 7);
59	}	107	return ret;
60	case AF_INET6:	108	case 12:
		109	GNUNET_asprintf (&ret,
		110	"(%X\|%X\|%X\|%X)",
		111	value,
		112	value + 1,
		113	value + 2,
		114	value + 3);
		115	return ret;
		116	case 14:
		117	GNUNET_asprintf (&ret,
		118	"(%X\|%X)",
		119	value,
		120	value + 1);
		121	return ret;
		122	case 15:
		123	GNUNET_asprintf (&ret,
		124	"%X",
		125	value);
		126	return ret;
		127	default:
		128	GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
		129	"Bad mask: %d\n",
		130	mask);
		131	GNUNET_break (0);
		132	return NULL;
		133	}
		134	}
		135
		136
		137	/**
		138	* Convert the given 16-bit number to a regex.
		139	*
		140	* @param value the value
		141	* @param mask which bits in value are wildcards (any value)?
		142	*/
		143	static char *
		144	num_to_regex (uint16_t value,
		145	uint16_t mask)
		146	{
		147	const uint8_t v = (const uint8_t ) &value;
		148	const uint8_t m = (const uint8_t ) &mask;
		149	char *a;
		150	char *b;
		151	char *c;
		152	char *d;
		153	char *ret;
		154
		155	a = nibble_to_regex (v[0] >> 4, m[0] >> 4);
		156	b = nibble_to_regex (v[0] & 15, m[0] & 15);
		157	c = nibble_to_regex (v[1] >> 4, m[1] >> 4);
		158	d = nibble_to_regex (v[1] & 15, m[1] & 15);
		159	ret = NULL;
		160	if ( (NULL != a) &&
		161	(NULL != b) &&
		162	(NULL != c) &&
		163	(NULL != d) )
		164	GNUNET_asprintf (&ret,
		165	"%s%s%s%s",
		166	a, b, c, d);
		167	GNUNET_free_non_null (a);
		168	GNUNET_free_non_null (b);
		169	GNUNET_free_non_null (c);
		170	GNUNET_free_non_null (d);
		171	return ret;
		172	}
		173
		174
		175	/**
		176	* Convert a port policy to a regular expression. Note: this is a
		177	* very simplistic implementation, we might want to consider doing
		178	* something more sophisiticated (resulting in smaller regular
		179	* expressions) at a later time.
		180	*
		181	* @param pp port policy to convert
		182	* @return NULL on error
		183	*/
		184	static char *
		185	port_to_regex (const struct GNUNET_STRINGS_PortPolicy *pp)
		186	{
		187	char *reg;
		188	char *ret;
		189	char *tmp;
		190	unsigned int i;
		191
		192	if ( (0 == pp->start_port) \|\|
		193	( (1 == pp->start_port) &&
		194	(0xFFFF == pp->end_port) &&
		195	(GNUNET_NO == pp->negate_portrange)) )
		196	return GNUNET_strdup ("....");
		197	if ( (pp->start_port == pp->end_port) &&
		198	(GNUNET_NO == pp->negate_portrange))
		199	{
		200	GNUNET_asprintf (&ret,
		201	"%04X",
		202	pp->start_port);
		203	return ret;
		204	}
		205	reg = NULL;
		206	for (i=1;i<=0xFFFF;i++)
		207	{
		208	if ( ( (i >= pp->start_port) && (i <= pp->end_port) ) ^
		209	(GNUNET_YES == pp->negate_portrange) )
61	{	210	{
62	struct in6_addr b = (const struct in6_addr ) addr;	211	if (NULL == reg)
63		212	{
64	str[128] = '\0';	213	GNUNET_asprintf (&tmp,
65	str += 127;	214	"%04X",
66	for (i = 127; i >= 0; i--)	215	i);
67	{	216	}
68	*str = (b.s6_addr[i / 8] & 1) + '0';	217	else
69	str--;	218	{
70	b.s6_addr[i / 8] >>= 1;	219	GNUNET_asprintf (&tmp,
71	}	220	"%s\|%04X",
72	break;	221	reg,
		222	i);
		223	GNUNET_free (reg);
		224	}
		225	reg = tmp;
73	}	226	}
74	}	227	}
		228	GNUNET_asprintf (&ret,
		229	"(%s)",
		230	reg);
		231	GNUNET_free (reg);
		232	return ret;
75	}	233	}
76		234
77		235
78	/**	236	/**
79	* Get the ipv4 network prefix from the given 'netmask'.	237	* Convert an address (IPv4 or IPv6) to a regex.
80	*	238	*
81	* @param netmask netmask for which to get the prefix len.	239	* @param addr address
82	*	240	* @param mask network mask
83	* @return length of ipv4 prefix for 'netmask'.	241	* @param len number of bytes in @a addr and @a mask
		242	* @return NULL on error, otherwise regex for the address
84	*/	243	*/
85	static unsigned int	244	static char *
86	ipv4netmasktoprefixlen (const char *netmask)	245	address_to_regex (const void *addr,
		246	const void *mask,
		247	size_t len)
87	{	248	{
88	struct in_addr a;	249	const uint16_t *a = addr;
89	unsigned int len;	250	const uint16_t *m = mask;
90	uint32_t t;	251	char *ret;
91		252	char *tmp;
92	if (1 != inet_pton (AF_INET, netmask, &a))	253	char *reg;
93	return 0;	254	unsigned int i;
94	len = 32;	255
95	for (t = htonl (~a.s_addr); 0 != t; t >>= 1)	256	ret = NULL;
96	len--;	257	GNUNET_assert (1 != (len % 2));
97	return len;	258	for (i=0;i<len / 2;i++)
		259	{
		260	reg = num_to_regex (a[i], m[i]);
		261	if (NULL == reg)
		262	{
		263	GNUNET_free_non_null (ret);
		264	return NULL;
		265	}
		266	if (NULL == ret)
		267	{
		268	ret = reg;
		269	}
		270	else
		271	{
		272	GNUNET_asprintf (&tmp,
		273	"%s%s",
		274	ret, reg);
		275	GNUNET_free (ret);
		276	GNUNET_free (reg);
		277	ret = tmp;
		278	}
		279	}
		280	return ret;
98	}	281	}
99		282
100		283
101	/**	284	/**
102	* Create a regex in 'rxstr' from the given 'ip' and 'netmask'.	285	* Convert a single line of an IPv4 policy to a regular expression.
103	*	286	*
104	* @param ip IPv4 representation.	287	* @param v4 line to convert
105	* @param netmask netmask for the ip.	288	* @return NULL on error
106	* @param rxstr generated regex, must be at least GNUNET_REGEX_IPV4_REGEXLEN
107	* bytes long.
108	*/	289	*/
109	void	290	static char *
110	GNUNET_TUN_ipv4toregexsearch (const struct in_addr ip, const char netmask,	291	ipv4_to_regex (const struct GNUNET_STRINGS_IPv4NetworkPolicy *v4)
111	char *rxstr)
112	{	292	{
113	unsigned int pfxlen;	293	char *reg;
		294	char *pp;
		295	char *ret;
114		296
115	pfxlen = ipv4netmasktoprefixlen (netmask);	297	reg = address_to_regex (&v4->network,
116	iptobinstr (AF_INET, ip, rxstr);	298	&v4->netmask,
117	rxstr[pfxlen] = '\0';	299	sizeof (struct in_addr));
118	if (pfxlen < 32)	300	if (NULL == reg)
119	strcat (rxstr, "(0\|1)+");	301	return NULL;
		302	pp = port_to_regex (&v4->pp);
		303	GNUNET_asprintf (&ret,
		304	"4-%s-%s",
		305	pp, reg);
		306	GNUNET_free (pp);
		307	GNUNET_free (reg);
		308	return ret;
120	}	309	}
121		310
122		311
123	/**	312	/**
124	* Create a regex in 'rxstr' from the given 'ipv6' and 'prefixlen'.	313	* Convert a single line of an IPv4 policy to a regular expression.
125	*	314	*
126	* @param ipv6 IPv6 representation.	315	* @param v6 line to convert
127	* @param prefixlen length of the ipv6 prefix.	316	* @return NULL on error
128	* @param rxstr generated regex, must be at least GNUNET_REGEX_IPV6_REGEXLEN
129	* bytes long.
130	*/	317	*/
131	void	318	static char *
132	GNUNET_TUN_ipv6toregexsearch (const struct in6_addr *ipv6, unsigned int prefixlen,	319	ipv6_to_regex (const struct GNUNET_STRINGS_IPv6NetworkPolicy *v6)
133	char *rxstr)
134	{	320	{
135	iptobinstr (AF_INET6, ipv6, rxstr);	321	char *reg;
136	rxstr[prefixlen] = '\0';	322	char *pp;
137	if (prefixlen < 128)	323	char *ret;
138	strcat (rxstr, "(0\|1)+");	324
		325	reg = address_to_regex (&v6->network,
		326	&v6->netmask,
		327	sizeof (struct in6_addr));
		328	if (NULL == reg)
		329	return NULL;
		330	pp = port_to_regex (&v6->pp);
		331	GNUNET_asprintf (&ret,
		332	"6-%s-%s",
		333	pp, reg);
		334	GNUNET_free (pp);
		335	GNUNET_free (reg);
		336	return ret;
139	}	337	}
140		338
141		339
@@ -151,8 +349,39 @@ GNUNET_TUN_ipv6toregexsearch (const struct in6_addr *ipv6, unsigned int prefixle
151	char *	349	char *
152	GNUNET_TUN_ipv4policy2regex (const char *policy)	350	GNUNET_TUN_ipv4policy2regex (const char *policy)
153	{	351	{
154	// FIXME: do actual policy parsing here, see #2919	352	struct GNUNET_STRINGS_IPv4NetworkPolicy *np;
155	return GNUNET_strdup (policy);	353	char *reg;
		354	char *tmp;
		355	char *line;
		356	unsigned int i;
		357
		358	np = GNUNET_STRINGS_parse_ipv4_policy (policy);
		359	if (NULL == np)
		360	return NULL;
		361	reg = NULL;
		362	for (i=0; 0 != np[i].network.s_addr; i++)
		363	{
		364	line = ipv4_to_regex (&np[i]);
		365	if (NULL == line)
		366	{
		367	GNUNET_free_non_null (reg);
		368	return NULL;
		369	}
		370	if (NULL == reg)
		371	{
		372	reg = line;
		373	}
		374	else
		375	{
		376	GNUNET_asprintf (&tmp,
		377	"%s\|(%s)",
		378	reg, line);
		379	GNUNET_free (reg);
		380	GNUNET_free (line);
		381	reg = tmp;
		382	}
		383	}
		384	return reg;
156	}	385	}
157		386
158		387
@@ -160,7 +389,7 @@ GNUNET_TUN_ipv4policy2regex (const char *policy)
160	* Convert an exit policy to a regular expression. The exit policy	389	* Convert an exit policy to a regular expression. The exit policy
161	* specifies a set of subnets this peer is willing to serve as an	390	* specifies a set of subnets this peer is willing to serve as an
162	* exit for; the resulting regular expression will match the	391	* exit for; the resulting regular expression will match the
163	* IPv4 address strings as returned by 'GNUNET_TUN_ipv4toregexsearch'.	392	* IPv6 address strings as returned by 'GNUNET_TUN_ipv6toregexsearch'.
164	*	393	*
165	* @param policy exit policy specification	394	* @param policy exit policy specification
166	* @return regular expression, NULL on error	395	* @return regular expression, NULL on error
@@ -168,8 +397,41 @@ GNUNET_TUN_ipv4policy2regex (const char *policy)
168	char *	397	char *
169	GNUNET_TUN_ipv6policy2regex (const char *policy)	398	GNUNET_TUN_ipv6policy2regex (const char *policy)
170	{	399	{
171	// FIXME: do actual policy parsing here, see #2919	400	struct in6_addr zero;
172	return GNUNET_strdup (policy);	401	struct GNUNET_STRINGS_IPv6NetworkPolicy *np;
		402	char *reg;
		403	char *tmp;
		404	char *line;
		405	unsigned int i;
		406
		407	np = GNUNET_STRINGS_parse_ipv6_policy (policy);
		408	if (NULL == np)
		409	return NULL;
		410	reg = NULL;
		411	memset (&zero, 0, sizeof (struct in6_addr));
		412	for (i=0; 0 != memcmp (&zero, &np[i].network, sizeof (struct in6_addr)); i++)
		413	{
		414	line = ipv6_to_regex (&np[i]);
		415	if (NULL == line)
		416	{
		417	GNUNET_free_non_null (reg);
		418	return NULL;
		419	}
		420	if (NULL == reg)
		421	{
		422	reg = line;
		423	}
		424	else
		425	{
		426	GNUNET_asprintf (&tmp,
		427	"%s\|(%s)",
		428	reg, line);
		429	GNUNET_free (reg);
		430	GNUNET_free (line);
		431	reg = tmp;
		432	}
		433	}
		434	return reg;
173	}	435	}
174		436
175		437


diff --git a/src/tun/test_regex.c b/src/tun/test_regex.c index a0c3e99fd..341d8b9a0 100644 --- a/src/tun/test_regex.c +++ b/src/tun/test_regex.c
@@ -27,8 +27,11 @@
27		27
28		28
29	static int	29	static int
30	test_iptoregex (const char ipv4, const char netmask, const char *expectedv4,	30	test_iptoregex (const char *ipv4,
31	const char *ipv6, unsigned int prefixlen,	31	uint16_t port,
		32	const char *expectedv4,
		33	const char *ipv6,
		34	uint16_t port6,
32	const char *expectedv6)	35	const char *expectedv6)
33	{	36	{
34	int error = 0;	37	int error = 0;
@@ -39,29 +42,82 @@ test_iptoregex (const char ipv4, const char netmask, const char *expectedv4,
39	char rxv6[GNUNET_TUN_IPV6_REGEXLEN];	42	char rxv6[GNUNET_TUN_IPV6_REGEXLEN];
40		43
41	GNUNET_assert (1 == inet_pton (AF_INET, ipv4, &a));	44	GNUNET_assert (1 == inet_pton (AF_INET, ipv4, &a));
42	GNUNET_TUN_ipv4toregexsearch (&a, netmask, rxv4);	45	GNUNET_TUN_ipv4toregexsearch (&a, port, rxv4);
43
44		46
45	if (0 != strcmp (rxv4, expectedv4))	47	if (0 != strcmp (rxv4, expectedv4))
46	{	48	{
47	GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Expected: %s but got: %s\n",	49	GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
48	expectedv4, rxv4);	50	"Expected: %s but got: %s\n",
		51	expectedv4,
		52	rxv4);
49	error++;	53	error++;
50	}	54	}
51		55
52	GNUNET_assert (1 == inet_pton (AF_INET6, ipv6, &b));	56	GNUNET_assert (1 == inet_pton (AF_INET6, ipv6, &b));
53	GNUNET_TUN_ipv6toregexsearch (&b, prefixlen, rxv6);	57	GNUNET_TUN_ipv6toregexsearch (&b, port6, rxv6);
54
55	if (0 != strcmp (rxv6, expectedv6))	58	if (0 != strcmp (rxv6, expectedv6))
56	{	59	{
57	GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Expected: %s but got: %s\n",	60	GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
		61	"Expected: %s but got: %s\n",
58	expectedv6, rxv6);	62	expectedv6, rxv6);
59	error++;	63	error++;
60	}	64	}
61
62	return error;	65	return error;
63	}	66	}
64		67
		68
		69	static int
		70	test_policy4toregex (const char *policy,
		71	const char *regex)
		72	{
		73	char *r;
		74	int ret;
		75
		76	ret = 0;
		77	r = GNUNET_TUN_ipv4policy2regex (policy);
		78	if (NULL == r)
		79	{
		80	GNUNET_break (0);
		81	return 1;
		82	}
		83	if (0 != strcmp (regex, r))
		84	{
		85	GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
		86	"Expected: `%s' but got: `%s'\n",
		87	regex, r);
		88	ret = 2;
		89	}
		90	GNUNET_free (r);
		91	return ret;
		92	}
		93
		94
		95	static int
		96	test_policy6toregex (const char *policy,
		97	const char *regex)
		98	{
		99	char *r;
		100	int ret;
		101
		102	ret = 0;
		103	r = GNUNET_TUN_ipv6policy2regex (policy);
		104	if (NULL == r)
		105	{
		106	GNUNET_break (0);
		107	return 1;
		108	}
		109	if (0 != strcmp (regex, r))
		110	{
		111	GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
		112	"Expected: `%s' but got: `%s'\n",
		113	regex, r);
		114	ret = 2;
		115	}
		116	GNUNET_free (r);
		117	return ret;
		118	}
		119
		120
65	int	121	int
66	main (int argc, char *argv[])	122	main (int argc, char *argv[])
67	{	123	{
@@ -72,32 +128,41 @@ main (int argc, char *argv[])
72	error = 0;	128	error = 0;
73		129
74	error +=	130	error +=
75	test_iptoregex ("192.0.0.0", "255.255.255.0",	131	test_iptoregex ("192.1.2.3", 2086,
76	"110000000000000000000000(0\|1)+", "FFFF::0", 16,	132	"4-0826-C0010203",
77	"1111111111111111(0\|1)+");	133	"FFFF::1", 8080,
78		134	"6-1F90-FFFF0000000000000000000000000001");
79	error +=	135	error +=
80	test_iptoregex ("187.238.225.0", "255.255.255.128",	136	test_iptoregex ("187.238.255.0", 80,
81	"1011101111101110111000010(0\|1)+", "E1E1:73F9:51BE::0",	137	"4-0050-BBEEFF00",
82	49,	138	"E1E1:73F9:51BE::0", 49,
83	"1110000111100001011100111111100101010001101111100(0\|1)+");	139	"6-0031-E1E173F951BE00000000000000000000");
84
85	error +=	140	error +=
86	test_iptoregex ("255.255.255.255", "255.255.255.255",	141	test_policy4toregex ("192.1.2.0/24:80;",
87	"11111111111111111111111111111111",	142	"4-0050-C00102..");
88	"FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF", 128,
89	"11111111111111111111111111111111"
90	"11111111111111111111111111111111"
91	"11111111111111111111111111111111"
92	"11111111111111111111111111111111");
93
94	error +=	143	error +=
95	test_iptoregex ("0.0.0.0", "255.255.255.255",	144	test_policy4toregex ("192.1.0.0/16;",
96	"00000000000000000000000000000000", "0::0", 128,	145	"4-....-C001....");
97	"00000000000000000000000000000000"	146	error +=
98	"00000000000000000000000000000000"	147	test_policy4toregex ("192.1.0.0/16:80-81;",
99	"00000000000000000000000000000000"	148	"4-(0050\|0051)-C001....");
100	"00000000000000000000000000000000");	149	error +=
101		150	test_policy4toregex ("192.1.0.0/8:!3-65535;",
		151	"4-(0001\|0002)-C0......");
		152	error +=
		153	test_policy6toregex ("E1E1::1;",
		154	"6-....-E1E10000000000000000000000000001");
		155	error +=
		156	test_policy6toregex ("E1E1:ABCD::1/120;",
		157	"6-....-E1E1ABCD0000000000000000000000..");
		158	error +=
		159	test_policy6toregex ("E1E1:ABCD::ABCD/126;",
		160	"6-....-E1E1ABCD00000000000000000000ABC(C\|D\|E\|F)");
		161	error +=
		162	test_policy6toregex ("E1E1:ABCD::ABCD/127;",
		163	"6-....-E1E1ABCD00000000000000000000ABC(C\|D)");
		164	error +=
		165	test_policy6toregex ("E1E1:ABCD::ABCD/128:80;",
		166	"6-0050-E1E1ABCD00000000000000000000ABCD");
102	return error;	167	return error;
103	}	168	}