summaryrefslogtreecommitdiffstats
path: root/modules/view/view.lua
blob: 41157eb8d42be2166d2d8e03c1ba025be0cc6db3 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
local kres = require('kres')
local ffi = require('ffi')
local C = ffi.C

-- Module declaration
local view = {
	key = {}, -- map from :owner() to list of policy rules
	src = {},
	dst = {},
}

-- @function View based on TSIG key name.
function view.tsig(_, tsig, rule)
	if view.key[tsig] == nil then
		view.key[tsig] = { rule }
	else
		table.insert(view.key[tsig], rule)
	end
end

-- @function View based on source IP subnet.
function view.addr(_, subnet, rules, dst)
	local subnet_cd = ffi.new('char[16]')
	local family = C.kr_straddr_family(subnet)
	local bitlen = C.kr_straddr_subnet(subnet_cd, subnet)
	local t = {family, subnet_cd, bitlen, rules}
	table.insert(dst and view.dst or view.src, t)
	return t
end

-- @function Match IP against given subnet
local function match_subnet(family, subnet, bitlen, addr)
	return (family == addr:family()) and (C.kr_bitcmp(subnet, addr:ip(), bitlen) == 0)
end

-- @function Execute a policy callback (may be nil);
-- return boolean: whether to continue trying further rules.
local function execute(state, req, match_cb)
	if match_cb == nil then return false end
	local action = match_cb(req, req:current())
	if action == nil then return false end
	local next_state = action(state, req)
	if next_state then    -- Not a chain rule,
		req.state = next_state
		return true
	else
		return false
	end
end

-- @function Try all the rules in order, until a non-chain rule gets executed.
local function evaluate(state, req)
	-- Try :tsig rules first.
	local client_key = req.qsource.packet.tsig_rr
	local match_cbs = (client_key ~= nil) and view.key[client_key:owner()] or {}
	for _, match_cb in ipairs(match_cbs) do
		if execute(state, req, match_cb) then return end
	end
	-- Then try :addr by the source.
	if req.qsource.addr ~= nil then
		for i = 1, #view.src do
			local pair = view.src[i]
			if match_subnet(pair[1], pair[2], pair[3], req.qsource.addr) then
				local match_cb = pair[4]
				if execute(state, req, match_cb) then return end
			end
		end
	-- Finally try :addr by the destination.
	elseif req.qsource.dst_addr ~= nil then
		for i = 1, #view.dst do
			local pair = view.dst[i]
			if match_subnet(pair[1], pair[2], pair[3], req.qsource.dst_addr) then
				local match_cb = pair[4]
				if execute(state, req, match_cb) then return end
			end
		end
	end
end

-- @function Return policy based on source address
function view.rule_src(action, subnet)
	local subnet_cd = ffi.new('char[16]')
	local family = C.kr_straddr_family(subnet)
	local bitlen = C.kr_straddr_subnet(subnet_cd, subnet)
	return function(req, _)
		local addr = req.qsource.addr
		if addr ~= nil and match_subnet(family, subnet_cd, bitlen, addr) then
			return action
		end
	end
end

-- @function Return policy based on destination address
function view.rule_dst(action, subnet)
	local subnet_cd = ffi.new('char[16]')
	local family = C.kr_straddr_family(subnet)
	local bitlen = C.kr_straddr_subnet(subnet_cd, subnet)
	return function(req, _)
		local addr = req.qsource.dst_addr
		if addr ~= nil and match_subnet(family, subnet_cd, bitlen, addr) then
			return action
		end
	end
end

-- @function Module layers
view.layer = {
	begin = function(state, req)
		-- Don't act on "resolved" cases.
		if bit.band(state, bit.bor(kres.FAIL, kres.DONE)) ~= 0 then return state end

		req = kres.request_t(req)
		evaluate(state, req)
		return req.state
	end
}

return view