diff options
Diffstat (limited to 'openbsc')
-rw-r--r-- | openbsc/include/openbsc/bsc_nat.h | 8 | ||||
-rw-r--r-- | openbsc/src/nat/bsc_filter.c | 29 | ||||
-rw-r--r-- | openbsc/src/nat/bsc_nat.c | 4 | ||||
-rw-r--r-- | openbsc/tests/bsc-nat/bsc_nat_test.c | 27 |
4 files changed, 45 insertions, 23 deletions
diff --git a/openbsc/include/openbsc/bsc_nat.h b/openbsc/include/openbsc/bsc_nat.h index b8a533fff..8293a4b5c 100644 --- a/openbsc/include/openbsc/bsc_nat.h +++ b/openbsc/include/openbsc/bsc_nat.h @@ -26,10 +26,8 @@ #include <sccp/sccp_types.h> #include "msgb.h" -#define FILTER_NONE 0 -#define FILTER_TO_BSC 1 -#define FILTER_TO_MSC 2 -#define FILTER_TO_BOTH 3 +#define DIR_BSC 1 +#define DIR_MSC 2 /* * For the NAT we will need to analyze and later patch @@ -72,6 +70,6 @@ struct bsc_nat_parsed *bsc_nat_parse(struct msgb *msg); /** * filter based on IP Access header in both directions */ -int bsc_nat_filter_ipa(struct msgb *msg, struct bsc_nat_parsed *parsed); +int bsc_nat_filter_ipa(int direction, struct msgb *msg, struct bsc_nat_parsed *parsed); #endif diff --git a/openbsc/src/nat/bsc_filter.c b/openbsc/src/nat/bsc_filter.c index 0727b33e6..ad2f6138f 100644 --- a/openbsc/src/nat/bsc_filter.c +++ b/openbsc/src/nat/bsc_filter.c @@ -39,6 +39,11 @@ #define ALLOW_ANY -1 +#define FILTER_TO_BSC 1 +#define FILTER_TO_MSC 2 +#define FILTER_TO_BOTH 3 + + struct bsc_pkt_filter { int ipa_proto; int dest_ssn; @@ -60,7 +65,7 @@ static struct bsc_pkt_filter black_list[] = { static struct bsc_pkt_filter white_list[] = { /* allow IPAC_PROTO_SCCP messages to both sides */ - { IPAC_PROTO_SCCP, ALLOW_ANY, ALLOW_ANY, ALLOW_ANY, FILTER_NONE }, + { IPAC_PROTO_SCCP, ALLOW_ANY, ALLOW_ANY, ALLOW_ANY, FILTER_TO_BOTH }, }; struct bsc_nat_parsed* bsc_nat_parse(struct msgb *msg) @@ -117,12 +122,17 @@ struct bsc_nat_parsed* bsc_nat_parse(struct msgb *msg) return parsed; } -int bsc_nat_filter_ipa(struct msgb *msg, struct bsc_nat_parsed *parsed) +int bsc_nat_filter_ipa(int dir, struct msgb *msg, struct bsc_nat_parsed *parsed) { int i; /* go through the blacklist now */ for (i = 0; i < ARRAY_SIZE(black_list); ++i) { + /* ignore the rule? */ + if (black_list[i].filter_dir != FILTER_TO_BOTH + && black_list[i].filter_dir != dir) + continue; + /* the proto is not blacklisted */ if (black_list[i].ipa_proto != ALLOW_ANY && black_list[i].ipa_proto != parsed->ipa_proto) @@ -146,16 +156,21 @@ int bsc_nat_filter_ipa(struct msgb *msg, struct bsc_nat_parsed *parsed) /* blacklisted */ LOGP(DNAT, LOGL_NOTICE, "Blacklisted with rule %d\n", i); - return black_list[i].filter_dir; + return 1; } else { /* blacklisted, we have no content sniffing yet */ LOGP(DNAT, LOGL_NOTICE, "Blacklisted with rule %d\n", i); - return black_list[i].filter_dir; + return 1; } } /* go through the whitelust now */ for (i = 0; i < ARRAY_SIZE(white_list); ++i) { + /* ignore the rule? */ + if (white_list[i].filter_dir != FILTER_TO_BOTH + && white_list[i].filter_dir != dir) + continue; + /* the proto is not whitelisted */ if (white_list[i].ipa_proto != ALLOW_ANY && white_list[i].ipa_proto != parsed->ipa_proto) @@ -179,12 +194,12 @@ int bsc_nat_filter_ipa(struct msgb *msg, struct bsc_nat_parsed *parsed) /* whitelisted */ LOGP(DNAT, LOGL_NOTICE, "Whitelisted with rule %d\n", i); - return FILTER_NONE; + return 0; } else { /* whitelisted */ - return FILTER_NONE; + return 0; } } - return FILTER_TO_BOTH; + return 1; } diff --git a/openbsc/src/nat/bsc_nat.c b/openbsc/src/nat/bsc_nat.c index 609a17d96..7a44d1783 100644 --- a/openbsc/src/nat/bsc_nat.c +++ b/openbsc/src/nat/bsc_nat.c @@ -112,7 +112,7 @@ static void forward_sccp_to_bts(struct msgb *msg) return; } - if (bsc_nat_filter_ipa(msg, parsed)) + if (bsc_nat_filter_ipa(DIR_BSC, msg, parsed)) goto exit; /* currently send this to every BSC connected */ @@ -189,7 +189,7 @@ static int forward_sccp_to_msc(struct msgb *msg) return -1; } - if (bsc_nat_filter_ipa(msg, parsed)) + if (bsc_nat_filter_ipa(DIR_MSC, msg, parsed)) goto exit; /* send the non-filtered but maybe modified msg */ diff --git a/openbsc/tests/bsc-nat/bsc_nat_test.c b/openbsc/tests/bsc-nat/bsc_nat_test.c index 282f2515b..8d1bd9b88 100644 --- a/openbsc/tests/bsc-nat/bsc_nat_test.c +++ b/openbsc/tests/bsc-nat/bsc_nat_test.c @@ -90,6 +90,7 @@ static const u_int8_t bssmap_release_complete[] = { struct filter_result { const u_int8_t *data; const u_int16_t length; + const int dir; const int result; }; @@ -97,42 +98,50 @@ static const struct filter_result results[] = { { .data = ipa_id, .length = ARRAY_SIZE(ipa_id), - .result = FILTER_TO_MSC, + .dir = DIR_MSC, + .result = 1, }, { .data = gsm_reset, .length = ARRAY_SIZE(gsm_reset), - .result = FILTER_TO_MSC, + .dir = DIR_MSC, + .result = 1, }, { .data = gsm_reset_ack, .length = ARRAY_SIZE(gsm_reset_ack), - .result = FILTER_TO_BSC, + .dir = DIR_BSC, + .result = 1, }, { .data = gsm_paging, .length = ARRAY_SIZE(gsm_paging), - .result = FILTER_NONE, + .dir = DIR_BSC, + .result = 0, }, { .data = bssmap_cr, .length = ARRAY_SIZE(bssmap_cr), - .result = FILTER_NONE, + .dir = DIR_MSC, + .result = 0, }, { .data = bssmap_cc, .length = ARRAY_SIZE(bssmap_cc), - .result = FILTER_NONE, + .dir = DIR_BSC, + .result = 0, }, { .data = bssmap_released, .length = ARRAY_SIZE(bssmap_released), - .result = FILTER_NONE, + .dir = DIR_MSC, + .result = 0, }, { .data = bssmap_release_complete, .length = ARRAY_SIZE(bssmap_release_complete), - .result = FILTER_NONE, + .dir = DIR_BSC, + .result = 0, }, }; @@ -157,7 +166,7 @@ int main(int argc, char **argv) continue; } - result = bsc_nat_filter_ipa(msg, parsed); + result = bsc_nat_filter_ipa(results[i].dir, msg, parsed); if (result != results[i].result) { fprintf(stderr, "FAIL: Not the expected result got: %d wanted: %d\n", result, results[i].result); |