summaryrefslogtreecommitdiff
path: root/src/libstrongswan/selectors
diff options
context:
space:
mode:
authorRene Mayrhofer <rene@mayrhofer.eu.org>2010-02-23 10:34:14 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2010-02-23 10:34:14 +0000
commited7d79f96177044949744da10f4431c1d6242241 (patch)
tree3aabaa55ed3b5291daef891cfee9befb5235e2b8 /src/libstrongswan/selectors
parent7410d3c6d6a9a1cd7aa55083c938946af6ff9498 (diff)
downloadvyos-strongswan-ed7d79f96177044949744da10f4431c1d6242241.tar.gz
vyos-strongswan-ed7d79f96177044949744da10f4431c1d6242241.zip
[svn-upgrade] Integrating new upstream version, strongswan (4.3.6)
Diffstat (limited to 'src/libstrongswan/selectors')
-rw-r--r--src/libstrongswan/selectors/traffic_selector.c916
-rw-r--r--src/libstrongswan/selectors/traffic_selector.h315
2 files changed, 1231 insertions, 0 deletions
diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
new file mode 100644
index 000000000..68bbbe2fd
--- /dev/null
+++ b/src/libstrongswan/selectors/traffic_selector.c
@@ -0,0 +1,916 @@
+/*
+ * Copyright (C) 2007-2009 Tobias Brunner
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <arpa/inet.h>
+#include <string.h>
+#include <netdb.h>
+#include <stdio.h>
+
+#include "traffic_selector.h"
+
+#include <utils/linked_list.h>
+#include <utils/identification.h>
+
+#define NON_SUBNET_ADDRESS_RANGE 255
+
+ENUM(ts_type_name, TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE,
+ "TS_IPV4_ADDR_RANGE",
+ "TS_IPV6_ADDR_RANGE",
+);
+
+typedef struct private_traffic_selector_t private_traffic_selector_t;
+
+/**
+ * Private data of an traffic_selector_t object
+ */
+struct private_traffic_selector_t {
+
+ /**
+ * Public part
+ */
+ traffic_selector_t public;
+
+ /**
+ * Type of address
+ */
+ ts_type_t type;
+
+ /**
+ * IP protocol (UDP, TCP, ICMP, ...)
+ */
+ u_int8_t protocol;
+
+ /**
+ * narrow this traffic selector to hosts external ip
+ * if set, from and to have no meaning until set_address() is called
+ */
+ bool dynamic;
+
+ /**
+ * subnet size in CIDR notation, 255 means a non-subnet address range
+ */
+ u_int8_t netbits;
+
+ /**
+ * begin of address range, network order
+ */
+ union {
+ /** dummy char for common address manipulation */
+ char from[0];
+ /** IPv4 address */
+ u_int32_t from4[1];
+ /** IPv6 address */
+ u_int32_t from6[4];
+ };
+
+ /**
+ * end of address range, network order
+ */
+ union {
+ /** dummy char for common address manipulation */
+ char to[0];
+ /** IPv4 address */
+ u_int32_t to4[1];
+ /** IPv6 address */
+ u_int32_t to6[4];
+ };
+
+ /**
+ * begin of port range
+ */
+ u_int16_t from_port;
+
+ /**
+ * end of port range
+ */
+ u_int16_t to_port;
+};
+
+/**
+ * calculate the "to"-address for the "from" address and a subnet size
+ */
+static void calc_range(private_traffic_selector_t *this, u_int8_t netbits)
+{
+ size_t len;
+ int bytes, bits;
+ u_int8_t mask;
+
+ this->netbits = netbits;
+
+ len = (this->type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
+ bytes = (netbits + 7)/8;
+ bits = (bytes * 8) - netbits;
+ mask = bits ? (1 << bits) - 1 : 0;
+
+ memcpy(this->to, this->from, bytes);
+ memset(this->from + bytes, 0x00, len - bytes);
+ memset(this->to + bytes, 0xff, len - bytes);
+ this->from[bytes-1] &= ~mask;
+ this->to[bytes-1] |= mask;
+}
+
+/**
+ * calculate the subnet size from the "to" and "from" addresses
+ */
+static u_int8_t calc_netbits(private_traffic_selector_t *this)
+{
+ int byte, bit;
+ u_int8_t netbits;
+ size_t size = (this->type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
+ bool prefix = TRUE;
+
+ /* a perfect match results in a single address with a /32 or /128 netmask */
+ netbits = (size * 8);
+ this->netbits = netbits;
+
+ /* go through all bits of the addresses, beginning in the front.
+ * as long as they are equal, the subnet gets larger
+ */
+ for (byte = 0; byte < size; byte++)
+ {
+ for (bit = 7; bit >= 0; bit--)
+ {
+ u_int8_t bitmask = 1 << bit;
+
+ if (prefix)
+ {
+ if ((bitmask & this->from[byte]) != (bitmask & this->to[byte]))
+ {
+ /* store the common prefix which might be a true subnet */
+ netbits = (7 - bit) + (byte * 8);
+ this->netbits = netbits;
+ prefix = FALSE;
+ }
+ }
+ else
+ {
+ if ((bitmask & this->from[byte]) || !(bitmask & this->to[byte]))
+ {
+ this->netbits = NON_SUBNET_ADDRESS_RANGE;
+ return netbits; /* return a pseudo subnet */
+
+ }
+ }
+ }
+ }
+ return netbits; /* return a true subnet */
+}
+
+/**
+ * internal generic constructor
+ */
+static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol, ts_type_t type, u_int16_t from_port, u_int16_t to_port);
+
+/**
+ * Described in header.
+ */
+int traffic_selector_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+ const void *const *args)
+{
+ private_traffic_selector_t *this = *((private_traffic_selector_t**)(args[0]));
+ linked_list_t *list = *((linked_list_t**)(args[0]));
+ iterator_t *iterator;
+ char from_str[INET6_ADDRSTRLEN] = "";
+ char to_str[INET6_ADDRSTRLEN] = "";
+ char *serv_proto = NULL;
+ bool has_proto;
+ bool has_ports;
+ size_t written = 0;
+ u_int32_t from[4], to[4];
+
+ if (this == NULL)
+ {
+ return print_in_hook(dst, len, "(null)");
+ }
+
+ if (spec->hash)
+ {
+ iterator = list->create_iterator(list, TRUE);
+ while (iterator->iterate(iterator, (void**)&this))
+ {
+ /* call recursivly */
+ written += print_in_hook(dst, len, "%R ", this);
+ }
+ iterator->destroy(iterator);
+ return written;
+ }
+
+ memset(from, 0, sizeof(from));
+ memset(to, 0xFF, sizeof(to));
+ if (this->dynamic &&
+ memeq(this->from, from, this->type == TS_IPV4_ADDR_RANGE ? 4 : 16) &&
+ memeq(this->to, to, this->type == TS_IPV4_ADDR_RANGE ? 4 : 16))
+ {
+ written += print_in_hook(dst, len, "dynamic");
+ }
+ else
+ {
+ if (this->type == TS_IPV4_ADDR_RANGE)
+ {
+ inet_ntop(AF_INET, &this->from4, from_str, sizeof(from_str));
+ }
+ else
+ {
+ inet_ntop(AF_INET6, &this->from6, from_str, sizeof(from_str));
+ }
+ if (this->netbits == NON_SUBNET_ADDRESS_RANGE)
+ {
+ if (this->type == TS_IPV4_ADDR_RANGE)
+ {
+ inet_ntop(AF_INET, &this->to4, to_str, sizeof(to_str));
+ }
+ else
+ {
+ inet_ntop(AF_INET6, &this->to6, to_str, sizeof(to_str));
+ }
+ written += print_in_hook(dst, len, "%s..%s", from_str, to_str);
+ }
+ else
+ {
+ written += print_in_hook(dst, len, "%s/%d", from_str, this->netbits);
+ }
+ }
+
+ /* check if we have protocol and/or port selectors */
+ has_proto = this->protocol != 0;
+ has_ports = !(this->from_port == 0 && this->to_port == 0xFFFF);
+
+ if (!has_proto && !has_ports)
+ {
+ return written;
+ }
+
+ written += print_in_hook(dst, len, "[");
+
+ /* build protocol string */
+ if (has_proto)
+ {
+ struct protoent *proto = getprotobynumber(this->protocol);
+
+ if (proto)
+ {
+ written += print_in_hook(dst, len, "%s", proto->p_name);
+ serv_proto = proto->p_name;
+ }
+ else
+ {
+ written += print_in_hook(dst, len, "%d", this->protocol);
+ }
+ }
+
+ if (has_proto && has_ports)
+ {
+ written += print_in_hook(dst, len, "/");
+ }
+
+ /* build port string */
+ if (has_ports)
+ {
+ if (this->from_port == this->to_port)
+ {
+ struct servent *serv = getservbyport(htons(this->from_port), serv_proto);
+
+ if (serv)
+ {
+ written += print_in_hook(dst, len, "%s", serv->s_name);
+ }
+ else
+ {
+ written += print_in_hook(dst, len, "%d", this->from_port);
+ }
+ }
+ else
+ {
+ written += print_in_hook(dst, len, "%d-%d", this->from_port, this->to_port);
+ }
+ }
+
+ written += print_in_hook(dst, len, "]");
+
+ return written;
+}
+
+/**
+ * implements traffic_selector_t.get_subset
+ */
+static traffic_selector_t *get_subset(private_traffic_selector_t *this, private_traffic_selector_t *other)
+{
+ if (this->type == other->type && (this->protocol == other->protocol ||
+ this->protocol == 0 || other->protocol == 0))
+ {
+ u_int16_t from_port, to_port;
+ u_char *from, *to;
+ u_int8_t protocol;
+ size_t size;
+ private_traffic_selector_t *new_ts;
+
+ /* calculate the maximum port range allowed for both */
+ from_port = max(this->from_port, other->from_port);
+ to_port = min(this->to_port, other->to_port);
+ if (from_port > to_port)
+ {
+ return NULL;
+ }
+ /* select protocol, which is not zero */
+ protocol = max(this->protocol, other->protocol);
+
+ switch (this->type)
+ {
+ case TS_IPV4_ADDR_RANGE:
+ size = sizeof(this->from4);
+ break;
+ case TS_IPV6_ADDR_RANGE:
+ size = sizeof(this->from6);
+ break;
+ default:
+ return NULL;
+ }
+
+ /* get higher from-address */
+ if (memcmp(this->from, other->from, size) > 0)
+ {
+ from = this->from;
+ }
+ else
+ {
+ from = other->from;
+ }
+ /* get lower to-address */
+ if (memcmp(this->to, other->to, size) > 0)
+ {
+ to = other->to;
+ }
+ else
+ {
+ to = this->to;
+ }
+ /* if "from" > "to", we don't have a match */
+ if (memcmp(from, to, size) > 0)
+ {
+ return NULL;
+ }
+
+ /* we have a match in protocol, port, and address: return it... */
+ new_ts = traffic_selector_create(protocol, this->type, from_port, to_port);
+ new_ts->dynamic = this->dynamic || other->dynamic;
+ memcpy(new_ts->from, from, size);
+ memcpy(new_ts->to, to, size);
+ calc_netbits(new_ts);
+ return &new_ts->public;
+ }
+ return NULL;
+}
+
+/**
+ * implements traffic_selector_t.equals
+ */
+static bool equals(private_traffic_selector_t *this, private_traffic_selector_t *other)
+{
+ if (this->type != other->type)
+ {
+ return FALSE;
+ }
+ if (!(this->from_port == other->from_port &&
+ this->to_port == other->to_port &&
+ this->protocol == other->protocol))
+ {
+ return FALSE;
+ }
+ switch (this->type)
+ {
+ case TS_IPV4_ADDR_RANGE:
+ if (memeq(this->from4, other->from4, sizeof(this->from4)))
+ {
+ return TRUE;
+ }
+ break;
+ case TS_IPV6_ADDR_RANGE:
+ if (memeq(this->from6, other->from6, sizeof(this->from6)))
+ {
+ return TRUE;
+ }
+ break;
+ default:
+ break;
+ }
+ return FALSE;
+}
+
+/**
+ * Implements traffic_selector_t.get_from_address.
+ */
+static chunk_t get_from_address(private_traffic_selector_t *this)
+{
+ switch (this->type)
+ {
+ case TS_IPV4_ADDR_RANGE:
+ return chunk_create(this->from, sizeof(this->from4));
+ case TS_IPV6_ADDR_RANGE:
+ return chunk_create(this->from, sizeof(this->from6));
+ default:
+ return chunk_empty;
+ }
+}
+
+/**
+ * Implements traffic_selector_t.get_to_address.
+ */
+static chunk_t get_to_address(private_traffic_selector_t *this)
+{
+ switch (this->type)
+ {
+ case TS_IPV4_ADDR_RANGE:
+ return chunk_create(this->to, sizeof(this->to4));
+ case TS_IPV6_ADDR_RANGE:
+ return chunk_create(this->to, sizeof(this->to6));
+ default:
+ return chunk_empty;
+ }
+}
+
+/**
+ * Implements traffic_selector_t.get_from_port.
+ */
+static u_int16_t get_from_port(private_traffic_selector_t *this)
+{
+ return this->from_port;
+}
+
+/**
+ * Implements traffic_selector_t.get_to_port.
+ */
+static u_int16_t get_to_port(private_traffic_selector_t *this)
+{
+ return this->to_port;
+}
+
+/**
+ * Implements traffic_selector_t.get_type.
+ */
+static ts_type_t get_type(private_traffic_selector_t *this)
+{
+ return this->type;
+}
+
+/**
+ * Implements traffic_selector_t.get_protocol.
+ */
+static u_int8_t get_protocol(private_traffic_selector_t *this)
+{
+ return this->protocol;
+}
+
+/**
+ * Implements traffic_selector_t.is_host.
+ */
+static bool is_host(private_traffic_selector_t *this, host_t *host)
+{
+ if (host)
+ {
+ chunk_t addr;
+ int family = host->get_family(host);
+
+ if ((family == AF_INET && this->type == TS_IPV4_ADDR_RANGE) ||
+ (family == AF_INET6 && this->type == TS_IPV6_ADDR_RANGE))
+ {
+ addr = host->get_address(host);
+ if (memeq(addr.ptr, this->from, addr.len) &&
+ memeq(addr.ptr, this->to, addr.len))
+ {
+ return TRUE;
+ }
+ }
+ }
+ else
+ {
+ size_t length = (this->type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
+
+ if (this->dynamic)
+ {
+ return TRUE;
+ }
+
+ if (memeq(this->from, this->to, length))
+ {
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
+
+/**
+ * Implementation of traffic_selector_t.is_dynamic
+ */
+static bool is_dynamic(private_traffic_selector_t *this)
+{
+ return this->dynamic;
+}
+
+/**
+ * Implements traffic_selector_t.set_address.
+ */
+static void set_address(private_traffic_selector_t *this, host_t *host)
+{
+ if (this->dynamic)
+ {
+ this->type = host->get_family(host) == AF_INET ?
+ TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE;
+
+ if (host->is_anyaddr(host))
+ {
+ memset(this->from6, 0x00, sizeof(this->from6));
+ memset(this->to6, 0xFF, sizeof(this->to6));
+ this->netbits = 0;
+ }
+ else
+ {
+ chunk_t from = host->get_address(host);
+ memcpy(this->from, from.ptr, from.len);
+ memcpy(this->to, from.ptr, from.len);
+ this->netbits = from.len * 8;
+ }
+ }
+}
+
+/**
+ * Implements traffic_selector_t.is_contained_in.
+ */
+static bool is_contained_in(private_traffic_selector_t *this,
+ private_traffic_selector_t *other)
+{
+ private_traffic_selector_t *subset;
+ bool contained_in = FALSE;
+
+ subset = (private_traffic_selector_t*)get_subset(this, other);
+
+ if (subset)
+ {
+ if (equals(subset, this))
+ {
+ contained_in = TRUE;
+ }
+ free(subset);
+ }
+ return contained_in;
+}
+
+/**
+ * Implements traffic_selector_t.includes.
+ */
+static bool includes(private_traffic_selector_t *this, host_t *host)
+{
+ chunk_t addr;
+ int family = host->get_family(host);
+
+ if ((family == AF_INET && this->type == TS_IPV4_ADDR_RANGE) ||
+ (family == AF_INET6 && this->type == TS_IPV6_ADDR_RANGE))
+ {
+ addr = host->get_address(host);
+
+ return memcmp(this->from, addr.ptr, addr.len) <= 0 &&
+ memcmp(this->to, addr.ptr, addr.len) >= 0;
+ }
+
+ return FALSE;
+}
+
+/**
+ * Implements traffic_selector_t.to_subnet.
+ */
+static void to_subnet(private_traffic_selector_t *this, host_t **net, u_int8_t *mask)
+{
+ /* there is no way to do this cleanly, as the address range may
+ * be anything else but a subnet. We use from_addr as subnet
+ * and try to calculate a usable subnet mask.
+ */
+ int family, byte;
+ u_int16_t port = 0;
+ chunk_t net_chunk;
+
+ *mask = (this->netbits == NON_SUBNET_ADDRESS_RANGE) ? calc_netbits(this)
+ : this->netbits;
+
+ switch (this->type)
+ {
+ case TS_IPV4_ADDR_RANGE:
+ family = AF_INET;
+ net_chunk.len = sizeof(this->from4);
+ break;
+ case TS_IPV6_ADDR_RANGE:
+ family = AF_INET6;
+ net_chunk.len = sizeof(this->from6);
+ break;
+ default:
+ /* unreachable */
+ return;
+ }
+
+ net_chunk.ptr = malloc(net_chunk.len);
+ memcpy(net_chunk.ptr, this->from, net_chunk.len);
+
+ for (byte = net_chunk.len - 1; byte >= (*mask / 8); --byte)
+ {
+ int shift = (byte + 1) * 8 - *mask;
+ net_chunk.ptr[byte] = net_chunk.ptr[byte] & (0xFF << shift);
+ }
+
+ if (this->to_port == this->from_port)
+ {
+ port = this->to_port;
+ }
+
+ *net = host_create_from_chunk(family, net_chunk, port);
+ chunk_free(&net_chunk);
+}
+
+/**
+ * Implements traffic_selector_t.clone.
+ */
+static traffic_selector_t *clone_(private_traffic_selector_t *this)
+{
+ private_traffic_selector_t *clone;
+
+ clone = traffic_selector_create(this->protocol, this->type,
+ this->from_port, this->to_port);
+ clone->netbits = this->netbits;
+ clone->dynamic = this->dynamic;
+
+ switch (clone->type)
+ {
+ case TS_IPV4_ADDR_RANGE:
+ memcpy(clone->from4, this->from4, sizeof(this->from4));
+ memcpy(clone->to4, this->to4, sizeof(this->to4));
+ return &clone->public;
+ case TS_IPV6_ADDR_RANGE:
+ memcpy(clone->from6, this->from6, sizeof(this->from6));
+ memcpy(clone->to6, this->to6, sizeof(this->to6));
+ return &clone->public;
+ default:
+ /* unreachable */
+ return &clone->public;
+ }
+}
+
+/**
+ * Implements traffic_selector_t.destroy.
+ */
+static void destroy(private_traffic_selector_t *this)
+{
+ free(this);
+}
+
+/*
+ * see header
+ */
+traffic_selector_t *traffic_selector_create_from_bytes(u_int8_t protocol,
+ ts_type_t type,
+ chunk_t from, u_int16_t from_port,
+ chunk_t to, u_int16_t to_port)
+{
+ private_traffic_selector_t *this = traffic_selector_create(protocol, type,
+ from_port, to_port);
+
+ switch (type)
+ {
+ case TS_IPV4_ADDR_RANGE:
+ if (from.len != 4 || to.len != 4)
+ {
+ free(this);
+ return NULL;
+ }
+ memcpy(this->from4, from.ptr, from.len);
+ memcpy(this->to4, to.ptr, to.len);
+ break;
+ case TS_IPV6_ADDR_RANGE:
+ if (from.len != 16 || to.len != 16)
+ {
+ free(this);
+ return NULL;
+ }
+ memcpy(this->from6, from.ptr, from.len);
+ memcpy(this->to6, to.ptr, to.len);
+ break;
+ default:
+ free(this);
+ return NULL;
+ }
+ calc_netbits(this);
+ return (&this->public);
+}
+
+/*
+ * see header
+ */
+traffic_selector_t *traffic_selector_create_from_rfc3779_format(ts_type_t type,
+ chunk_t from, chunk_t to)
+{
+ size_t len;
+ private_traffic_selector_t *this = traffic_selector_create(0, type, 0, 65535);
+
+ switch (type)
+ {
+ case TS_IPV4_ADDR_RANGE:
+ len = 4;
+ break;
+ case TS_IPV6_ADDR_RANGE:
+ len = 16;
+ break;
+ default:
+ free(this);
+ return NULL;
+ }
+ memset(this->from, 0x00, len);
+ memset(this->to , 0xff, len);
+
+ if (from.len > 1)
+ {
+ memcpy(this->from, from.ptr+1, from.len-1);
+ }
+ if (to.len > 1)
+ {
+ u_int8_t mask = to.ptr[0] ? (1 << to.ptr[0]) - 1 : 0;
+
+ memcpy(this->to, to.ptr+1, to.len-1);
+ this->to[to.len-2] |= mask;
+ }
+ this->netbits = chunk_equals(from, to) ? (from.len-1)*8 - from.ptr[0]
+ : NON_SUBNET_ADDRESS_RANGE;
+ return (&this->public);
+}
+
+/*
+ * see header
+ */
+traffic_selector_t *traffic_selector_create_from_subnet(host_t *net,
+ u_int8_t netbits, u_int8_t protocol, u_int16_t port)
+{
+ private_traffic_selector_t *this = traffic_selector_create(protocol, 0, 0, 65535);
+
+ switch (net->get_family(net))
+ {
+ case AF_INET:
+ {
+ chunk_t from;
+
+ this->type = TS_IPV4_ADDR_RANGE;
+ from = net->get_address(net);
+ memcpy(this->from, from.ptr, from.len);
+ if (this->from4[0] == 0)
+ {
+ /* use /0 for 0.0.0.0 */
+ this->to4[0] = ~0;
+ this->netbits = 0;
+ }
+ else
+ {
+ calc_range(this, netbits);
+ }
+ break;
+ }
+ case AF_INET6:
+ {
+ chunk_t from;
+
+ this->type = TS_IPV6_ADDR_RANGE;
+ from = net->get_address(net);
+ memcpy(this->from, from.ptr, from.len);
+ if (this->from6[0] == 0 && this->from6[1] == 0 &&
+ this->from6[2] == 0 && this->from6[3] == 0)
+ {
+ /* use /0 for ::0 */
+ this->to6[0] = ~0;
+ this->to6[1] = ~0;
+ this->to6[2] = ~0;
+ this->to6[3] = ~0;
+ this->netbits = 0;
+ }
+ else
+ {
+ calc_range(this, netbits);
+ }
+ break;
+ }
+ default:
+ {
+ net->destroy(net);
+ free(this);
+ return NULL;
+ }
+ }
+ if (port)
+ {
+ this->from_port = port;
+ this->to_port = port;
+ }
+ net->destroy(net);
+ return (&this->public);
+}
+
+/*
+ * see header
+ */
+traffic_selector_t *traffic_selector_create_from_string(
+ u_int8_t protocol, ts_type_t type,
+ char *from_addr, u_int16_t from_port,
+ char *to_addr, u_int16_t to_port)
+{
+ private_traffic_selector_t *this = traffic_selector_create(protocol, type,
+ from_port, to_port);
+
+ switch (type)
+ {
+ case TS_IPV4_ADDR_RANGE:
+ if (inet_pton(AF_INET, from_addr, (struct in_addr*)this->from4) < 0)
+ {
+ free(this);
+ return NULL;
+ }
+ if (inet_pton(AF_INET, to_addr, (struct in_addr*)this->to4) < 0)
+ {
+ free(this);
+ return NULL;
+ }
+ break;
+ case TS_IPV6_ADDR_RANGE:
+ if (inet_pton(AF_INET6, from_addr, (struct in6_addr*)this->from6) < 0)
+ {
+ free(this);
+ return NULL;
+ }
+ if (inet_pton(AF_INET6, to_addr, (struct in6_addr*)this->to6) < 0)
+ {
+ free(this);
+ return NULL;
+ }
+ break;
+ }
+ calc_netbits(this);
+ return (&this->public);
+}
+
+/*
+ * see header
+ */
+traffic_selector_t *traffic_selector_create_dynamic(u_int8_t protocol,
+ u_int16_t from_port, u_int16_t to_port)
+{
+ private_traffic_selector_t *this = traffic_selector_create(
+ protocol, TS_IPV4_ADDR_RANGE, from_port, to_port);
+
+ memset(this->from6, 0, sizeof(this->from6));
+ memset(this->to6, 0xFF, sizeof(this->to6));
+ this->netbits = 0;
+ this->dynamic = TRUE;
+
+ return &this->public;
+}
+
+/*
+ * see declaration
+ */
+static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol,
+ ts_type_t type, u_int16_t from_port, u_int16_t to_port)
+{
+ private_traffic_selector_t *this = malloc_thing(private_traffic_selector_t);
+
+ /* public functions */
+ this->public.get_subset = (traffic_selector_t*(*)(traffic_selector_t*,traffic_selector_t*))get_subset;
+ this->public.equals = (bool(*)(traffic_selector_t*,traffic_selector_t*))equals;
+ this->public.get_from_address = (chunk_t(*)(traffic_selector_t*))get_from_address;
+ this->public.get_to_address = (chunk_t(*)(traffic_selector_t*))get_to_address;
+ this->public.get_from_port = (u_int16_t(*)(traffic_selector_t*))get_from_port;
+ this->public.get_to_port = (u_int16_t(*)(traffic_selector_t*))get_to_port;
+ this->public.get_type = (ts_type_t(*)(traffic_selector_t*))get_type;
+ this->public.get_protocol = (u_int8_t(*)(traffic_selector_t*))get_protocol;
+ this->public.is_host = (bool(*)(traffic_selector_t*,host_t*))is_host;
+ this->public.is_dynamic = (bool(*)(traffic_selector_t*))is_dynamic;
+ this->public.is_contained_in = (bool(*)(traffic_selector_t*,traffic_selector_t*))is_contained_in;
+ this->public.includes = (bool(*)(traffic_selector_t*,host_t*))includes;
+ this->public.set_address = (void(*)(traffic_selector_t*,host_t*))set_address;
+ this->public.to_subnet = (void(*)(traffic_selector_t*,host_t**,u_int8_t*))to_subnet;
+ this->public.clone = (traffic_selector_t*(*)(traffic_selector_t*))clone_;
+ this->public.destroy = (void(*)(traffic_selector_t*))destroy;
+
+ this->from_port = from_port;
+ this->to_port = to_port;
+ this->protocol = protocol;
+ this->type = type;
+ this->dynamic = FALSE;
+
+ return this;
+}
+
diff --git a/src/libstrongswan/selectors/traffic_selector.h b/src/libstrongswan/selectors/traffic_selector.h
new file mode 100644
index 000000000..b5964b541
--- /dev/null
+++ b/src/libstrongswan/selectors/traffic_selector.h
@@ -0,0 +1,315 @@
+/*
+ * Copyright (C) 2007 Tobias Brunner
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup traffic_selector traffic_selector
+ * @{ @ingroup config
+ */
+
+#ifndef TRAFFIC_SELECTOR_H_
+#define TRAFFIC_SELECTOR_H_
+
+typedef enum ts_type_t ts_type_t;
+typedef struct traffic_selector_t traffic_selector_t;
+
+#include <library.h>
+#include <utils/host.h>
+
+/**
+ * Traffic selector types.
+ */
+enum ts_type_t {
+
+ /**
+ * A range of IPv4 addresses, represented by two four (4) octet
+ * values. The first value is the beginning IPv4 address
+ * (inclusive) and the second value is the ending IPv4 address
+ * (inclusive). All addresses falling between the two specified
+ * addresses are considered to be within the list.
+ */
+ TS_IPV4_ADDR_RANGE = 7,
+
+ /**
+ * A range of IPv6 addresses, represented by two sixteen (16)
+ * octet values. The first value is the beginning IPv6 address
+ * (inclusive) and the second value is the ending IPv6 address
+ * (inclusive). All addresses falling between the two specified
+ * addresses are considered to be within the list.
+ */
+ TS_IPV6_ADDR_RANGE = 8
+};
+
+/**
+ * enum names for ts_type_t
+ */
+extern enum_name_t *ts_type_name;
+
+/**
+ * Object representing a traffic selector entry.
+ *
+ * A traffic selector defines an range of addresses
+ * and a range of ports. IPv6 is not fully supported yet.
+ */
+struct traffic_selector_t {
+
+ /**
+ * Compare two traffic selectors, and create a new one
+ * which is the largest subset of both (subnet & port).
+ *
+ * Resulting traffic_selector is newly created and must be destroyed.
+ *
+ * @param other traffic selector to compare
+ * @return
+ * - created subset of them
+ * - or NULL if no match between this and other
+ */
+ traffic_selector_t *(*get_subset) (traffic_selector_t *this,
+ traffic_selector_t *other);
+
+ /**
+ * Clone a traffic selector.
+ *
+ * @return clone of it
+ */
+ traffic_selector_t *(*clone) (traffic_selector_t *this);
+
+ /**
+ * Get starting address of this ts as a chunk.
+ *
+ * Chunk is in network order and points to internal data.
+ *
+ * @return chunk containing the address
+ */
+ chunk_t (*get_from_address) (traffic_selector_t *this);
+
+ /**
+ * Get ending address of this ts as a chunk.
+ *
+ * Chunk is in network order and points to internal data.
+ *
+ * @return chunk containing the address
+ */
+ chunk_t (*get_to_address) (traffic_selector_t *this);
+
+ /**
+ * Get starting port of this ts.
+ *
+ * Port is in host order, since the parser converts it.
+ * Size depends on protocol.
+ *
+ * @return port
+ */
+ u_int16_t (*get_from_port) (traffic_selector_t *this);
+
+ /**
+ * Get ending port of this ts.
+ *
+ * Port is in host order, since the parser converts it.
+ * Size depends on protocol.
+ *
+ * @return port
+ */
+ u_int16_t (*get_to_port) (traffic_selector_t *this);
+
+ /**
+ * Get the type of the traffic selector.
+ *
+ * @return ts_type_t specifying the type
+ */
+ ts_type_t (*get_type) (traffic_selector_t *this);
+
+ /**
+ * Get the protocol id of this ts.
+ *
+ * @return protocol id
+ */
+ u_int8_t (*get_protocol) (traffic_selector_t *this);
+
+ /**
+ * Check if the traffic selector is for a single host.
+ *
+ * Traffic selector may describe the end of *-to-host tunnel. In this
+ * case, the address range is a single address equal to the hosts
+ * peer address.
+ * If host is NULL, the traffic selector is checked if it is a single host,
+ * but not a specific one.
+ *
+ * @param host host_t specifying the address range
+ */
+ bool (*is_host) (traffic_selector_t *this, host_t* host);
+
+ /**
+ * Check if a traffic selector has been created by create_dynamic().
+ *
+ * @return TRUE if TS is dynamic
+ */
+ bool (*is_dynamic)(traffic_selector_t *this);
+
+ /**
+ * Update the address of a traffic selector.
+ *
+ * Update the address range of a traffic selector, if it is
+ * constructed with the traffic_selector_create_dynamic().
+ *
+ * @param host host_t specifying the address
+ */
+ void (*set_address) (traffic_selector_t *this, host_t* host);
+
+ /**
+ * Compare two traffic selectors for equality.
+ *
+ * @param other ts to compare with this
+ * @return TRUE if equal, FALSE otherwise
+ */
+ bool (*equals) (traffic_selector_t *this, traffic_selector_t *other);
+
+ /**
+ * Check if a traffic selector is contained completly in another.
+ *
+ * contains() allows to check if multiple traffic selectors are redundant.
+ *
+ * @param other ts that contains this
+ * @return TRUE if other contains this completly, FALSE otherwise
+ */
+ bool (*is_contained_in) (traffic_selector_t *this, traffic_selector_t *other);
+
+ /**
+ * Check if a specific host is included in the address range of
+ * this traffic selector.
+ *
+ * @param host the host to check
+ */
+ bool (*includes) (traffic_selector_t *this, host_t *host);
+
+ /**
+ * Convert a traffic selector address range to a subnet
+ * and its net mask.
+ * If from and to ports of this traffic selector are equal,
+ * the port of the returned host_t is set to that port.
+ *
+ * @param net converted subnet (has to be freed)
+ * @param mask converted net mask
+ */
+ void (*to_subnet) (traffic_selector_t *this, host_t **net, u_int8_t *mask);
+
+ /**
+ * Destroys the ts object
+ */
+ void (*destroy) (traffic_selector_t *this);
+};
+
+/**
+ * Create a new traffic selector using human readable params.
+ *
+ * @param protocol protocol for this ts, such as TCP or UDP
+ * @param type type of following addresses, such as TS_IPV4_ADDR_RANGE
+ * @param from_addr start of address range as string
+ * @param from_port port number in host order
+ * @param to_addr end of address range as string
+ * @param to_port port number in host order
+ * @return
+ * - traffic_selector_t object
+ * - NULL if invalid address strings/protocol
+ */
+traffic_selector_t *traffic_selector_create_from_string(
+ u_int8_t protocol, ts_type_t type,
+ char *from_addr, u_int16_t from_port,
+ char *to_addr, u_int16_t to_port);
+
+/**
+ * Create a new traffic selector using data read from the net.
+ *
+ * There exists a mix of network and host order in the params.
+ * But the parser gives us this data in this format, so we
+ * don't have to convert twice.
+ *
+ * @param protocol protocol for this ts, such as TCP or UDP
+ * @param type type of following addresses, such as TS_IPV4_ADDR_RANGE
+ * @param from_addr start of address range, network order
+ * @param from_port port number, host order
+ * @param to_addr end of address range, network order
+ * @param to_port port number, host order
+ * @return traffic_selector_t object
+ */
+traffic_selector_t *traffic_selector_create_from_bytes(
+ u_int8_t protocol, ts_type_t type,
+ chunk_t from_address, u_int16_t from_port,
+ chunk_t to_address, u_int16_t to_port);
+
+/**
+ * Create a new traffic selector using the RFC 3779 ASN.1 min/max address format
+ *
+ * @param type type of following addresses, such as TS_IPV4_ADDR_RANGE
+ * @param from_addr start of address range in RFC 3779 ASN.1 BIT STRING format
+ * @param to_addr end of address range in RFC 3779 ASN.1 BIT STRING format
+ * @return traffic_selector_t object
+ */
+traffic_selector_t *traffic_selector_create_from_rfc3779_format(ts_type_t type,
+ chunk_t from_addr, chunk_t to_addr);
+
+/**
+ * Create a new traffic selector defining a whole subnet.
+ *
+ * In most cases, definition of a traffic selector for full subnets
+ * is sufficient. This constructor creates a traffic selector for
+ * all protocols, all ports and the address range specified by the
+ * subnet.
+ * Additionally, a protocol and a port may be specified. Port ranges
+ * are not supported via this constructor.
+ *
+ * @param net subnet to use
+ * @param netbits size of the subnet, as used in e.g. 192.168.0.0/24 notation
+ * @param protocol protocol for this ts, such as TCP or UDP
+ * @param port port number, host order
+ * @return
+ * - traffic_selector_t object
+ * - NULL if address family of net not supported
+ */
+traffic_selector_t *traffic_selector_create_from_subnet(
+ host_t *net, u_int8_t netbits,
+ u_int8_t protocol, u_int16_t port);
+
+/**
+ * Create a traffic selector for host-to-host cases.
+ *
+ * For host2host or virtual IP setups, the traffic selectors gets
+ * created at runtime using the external/virtual IP. Using this constructor,
+ * a call to set_address() sets this traffic selector to the supplied host.
+ *
+ *
+ * @param protocol upper layer protocl to allow
+ * @param from_port start of allowed port range
+ * @param to_port end of range
+ * @return
+ * - traffic_selector_t object
+ * - NULL if type not supported
+ */
+traffic_selector_t *traffic_selector_create_dynamic(u_int8_t protocol,
+ u_int16_t from_port, u_int16_t to_port);
+
+/**
+ * printf hook function for traffic_selector_t.
+ *
+ * Arguments are:
+ * traffic_selector_t *ts
+ * With the #-specifier, arguments are:
+ * linked_list_t *list containing traffic_selector_t*
+ */
+int traffic_selector_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
+ const void *const *args);
+
+#endif /** TRAFFIC_SELECTOR_H_ @}*/