core: Add IpAddressPredicate for white-/blacklisting IP address subnets

Change-Id: I9f67c4bcbc55e8a8de0bb70812c5562ba083c948
Refs: #4546
diff --git a/core/network-interface-predicate.cpp b/core/network-interface-predicate.cpp
deleted file mode 100644
index c212ecd..0000000
--- a/core/network-interface-predicate.cpp
+++ /dev/null
@@ -1,138 +0,0 @@
-/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
-/*
- * Copyright (c) 2014-2017,  Regents of the University of California,
- *                           Arizona Board of Regents,
- *                           Colorado State University,
- *                           University Pierre & Marie Curie, Sorbonne University,
- *                           Washington University in St. Louis,
- *                           Beijing Institute of Technology,
- *                           The University of Memphis.
- *
- * This file is part of NFD (Named Data Networking Forwarding Daemon).
- * See AUTHORS.md for complete list of NFD authors and contributors.
- *
- * NFD is free software: you can redistribute it and/or modify it under the terms
- * of the GNU General Public License as published by the Free Software Foundation,
- * either version 3 of the License, or (at your option) any later version.
- *
- * NFD is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
- * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
- * PURPOSE.  See the GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with
- * NFD, e.g., in COPYING.md file.  If not, see <http://www.gnu.org/licenses/>.
- */
-
-#include "network-interface-predicate.hpp"
-
-#include "config-file.hpp"
-#include "network.hpp"
-
-#include <fnmatch.h>
-
-namespace nfd {
-
-NetworkInterfacePredicate::NetworkInterfacePredicate()
-{
-  this->clear();
-}
-
-void
-NetworkInterfacePredicate::clear()
-{
-  m_whitelist = std::set<std::string>{"*"};
-  m_blacklist.clear();
-}
-
-static void
-parseList(std::set<std::string>& set, const boost::property_tree::ptree& list, const std::string& section)
-{
-  set.clear();
-
-  for (const auto& item : list) {
-    if (item.first == "*") {
-      // insert wildcard
-      set.insert(item.first);
-    }
-    else if (item.first == "ifname") {
-      // very basic sanity check for interface names
-      auto name = item.second.get_value<std::string>();
-      if (name.empty()) {
-        BOOST_THROW_EXCEPTION(ConfigFile::Error("Empty interface name in \"" + section + "\" section"));
-      }
-      set.insert(name);
-    }
-    else if (item.first == "ether") {
-      // validate ethernet address
-      auto addr = item.second.get_value<std::string>();
-      if (ndn::ethernet::Address::fromString(addr).isNull()) {
-        BOOST_THROW_EXCEPTION(ConfigFile::Error("Malformed ether address \"" + addr +
-                                                "\" in \"" + section + "\" section"));
-      }
-      set.insert(addr);
-    }
-    else if (item.first == "subnet") {
-      // example subnet: 10.0.0.0/8
-      auto cidr = item.second.get_value<std::string>();
-      if (!Network::isValidCidr(cidr)) {
-        BOOST_THROW_EXCEPTION(ConfigFile::Error("Malformed subnet declaration \"" + cidr +
-                                                "\" in \"" + section + "\" section"));
-      }
-      set.insert(cidr);
-    }
-  }
-}
-
-void
-NetworkInterfacePredicate::parseWhitelist(const boost::property_tree::ptree& list)
-{
-  parseList(m_whitelist, list, "whitelist");
-}
-
-void
-NetworkInterfacePredicate::parseBlacklist(const boost::property_tree::ptree& list)
-{
-  parseList(m_blacklist, list, "blacklist");
-}
-
-static bool
-doesMatchPattern(const std::string& ifname, const std::string& pattern)
-{
-  // use fnmatch(3) to provide unix glob-style matching for interface names
-  // fnmatch returns 0 if there is a match
-  return ::fnmatch(pattern.data(), ifname.data(), 0) == 0;
-}
-
-static bool
-doesMatchRule(const ndn::net::NetworkInterface& netif, const std::string& rule)
-{
-  // if '/' is in rule, this is a subnet, check if IP in subnet
-  if (rule.find('/') != std::string::npos) {
-    Network n = boost::lexical_cast<Network>(rule);
-    for (const auto& addr : netif.getNetworkAddresses()) {
-      if (n.doesContain(addr.getIp())) {
-        return true;
-      }
-    }
-  }
-
-  return rule == "*" ||
-         doesMatchPattern(netif.getName(), rule) ||
-         netif.getEthernetAddress().toString() == rule;
-}
-
-bool
-NetworkInterfacePredicate::operator()(const ndn::net::NetworkInterface& netif) const
-{
-  return std::any_of(m_whitelist.begin(), m_whitelist.end(), bind(&doesMatchRule, cref(netif), _1)) &&
-         std::none_of(m_blacklist.begin(), m_blacklist.end(), bind(&doesMatchRule, cref(netif), _1));
-}
-
-bool
-NetworkInterfacePredicate::operator==(const NetworkInterfacePredicate& other) const
-{
-  return this->m_whitelist == other.m_whitelist &&
-         this->m_blacklist == other.m_blacklist;
-}
-
-} // namespace nfd
diff --git a/core/network-interface-predicate.hpp b/core/network-interface-predicate.hpp
deleted file mode 100644
index 1b2d5a0..0000000
--- a/core/network-interface-predicate.hpp
+++ /dev/null
@@ -1,79 +0,0 @@
-/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
-/*
- * Copyright (c) 2014-2017,  Regents of the University of California,
- *                           Arizona Board of Regents,
- *                           Colorado State University,
- *                           University Pierre & Marie Curie, Sorbonne University,
- *                           Washington University in St. Louis,
- *                           Beijing Institute of Technology,
- *                           The University of Memphis.
- *
- * This file is part of NFD (Named Data Networking Forwarding Daemon).
- * See AUTHORS.md for complete list of NFD authors and contributors.
- *
- * NFD is free software: you can redistribute it and/or modify it under the terms
- * of the GNU General Public License as published by the Free Software Foundation,
- * either version 3 of the License, or (at your option) any later version.
- *
- * NFD is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
- * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
- * PURPOSE.  See the GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with
- * NFD, e.g., in COPYING.md file.  If not, see <http://www.gnu.org/licenses/>.
- */
-
-#ifndef NFD_CORE_NETWORK_INTERFACE_PREDICATE_HPP
-#define NFD_CORE_NETWORK_INTERFACE_PREDICATE_HPP
-
-#include "common.hpp"
-#include <ndn-cxx/net/network-interface.hpp>
-
-namespace nfd {
-
-/**
- * \brief Represents a predicate to accept or reject a NetworkInterfaceInfo.
- *
- * The predicate consists of a whitelist and a blacklist. Whitelist and blacklist can contain,
- * in no particular order, interface names (e.g., ifname eth0), mac addresses
- * (e.g., ether 85:3b:4d:d3:5f:c2), subnets (e.g., subnet 192.0.2.0/24) or a wildcard (*) that matches
- * all interfaces. A NetworkInterfaceInfo is accepted if it matches any entry in the whitelist and none
- * of the entries in the blacklist.
- */
-class NetworkInterfacePredicate
-{
-public:
-  NetworkInterfacePredicate();
-
-  /**
-   * \brief Set the whitelist to "*" and clear the blacklist
-   */
-  void
-  clear();
-
-  void
-  parseWhitelist(const boost::property_tree::ptree& list);
-
-  void
-  parseBlacklist(const boost::property_tree::ptree& list);
-
-  bool
-  operator()(const ndn::net::NetworkInterface& netif) const;
-
-  bool
-  operator==(const NetworkInterfacePredicate& other) const;
-
-  bool
-  operator!=(const NetworkInterfacePredicate& other) const
-  {
-    return !this->operator==(other);
-  }
-
-private:
-  std::set<std::string> m_whitelist;
-  std::set<std::string> m_blacklist;
-};
-
-} // namespace nfd
-
-#endif // NFD_CORE_NETWORK_INTERFACE_PREDICATE_HPP
diff --git a/core/network-predicate.cpp b/core/network-predicate.cpp
new file mode 100644
index 0000000..5755f32
--- /dev/null
+++ b/core/network-predicate.cpp
@@ -0,0 +1,221 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/*
+ * Copyright (c) 2014-2018,  Regents of the University of California,
+ *                           Arizona Board of Regents,
+ *                           Colorado State University,
+ *                           University Pierre & Marie Curie, Sorbonne University,
+ *                           Washington University in St. Louis,
+ *                           Beijing Institute of Technology,
+ *                           The University of Memphis.
+ *
+ * This file is part of NFD (Named Data Networking Forwarding Daemon).
+ * See AUTHORS.md for complete list of NFD authors and contributors.
+ *
+ * NFD is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation,
+ * either version 3 of the License, or (at your option) any later version.
+ *
+ * NFD is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE.  See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * NFD, e.g., in COPYING.md file.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "network-predicate.hpp"
+
+#include "config-file.hpp"
+#include "network.hpp"
+
+#include <fnmatch.h>
+
+namespace nfd {
+
+NetworkPredicateBase::NetworkPredicateBase()
+{
+  this->clear();
+}
+
+NetworkPredicateBase::~NetworkPredicateBase() = default;
+
+void
+NetworkPredicateBase::clear()
+{
+  m_whitelist = std::set<std::string>{"*"};
+  m_blacklist.clear();
+}
+
+void
+NetworkPredicateBase::parseList(std::set<std::string>& set, const boost::property_tree::ptree& list, const std::string& section)
+{
+  set.clear();
+
+  for (const auto& item : list) {
+    if (item.first == "*") {
+      // insert wildcard
+      set.insert(item.first);
+    }
+    else {
+      if (!isRuleSupported(item.first)) {
+        BOOST_THROW_EXCEPTION(ConfigFile::Error("Unrecognized rule \"" + item.first + "\" in \"" + section + "\" section"));
+      }
+
+      auto value = item.second.get_value<std::string>();
+      if (!isRuleValid(item.first, value)) {
+        BOOST_THROW_EXCEPTION(ConfigFile::Error("Malformed " + item.first + " \"" + value + "\" in \"" + section + "\" section"));
+      }
+      set.insert(value);
+    }
+  }
+}
+
+void
+NetworkPredicateBase::parseList(std::set<std::string>& set, std::initializer_list<std::pair<std::string, std::string>> list)
+{
+  set.clear();
+
+  for (const auto& item : list) {
+    if (item.first == "*") {
+      // insert wildcard
+      set.insert(item.first);
+    }
+    else {
+      if (!isRuleSupported(item.first)) {
+        BOOST_THROW_EXCEPTION(std::runtime_error("Unrecognized rule \"" + item.first + "\""));
+      }
+
+      if (!isRuleValid(item.first, item.second)) {
+        BOOST_THROW_EXCEPTION(std::runtime_error("Malformed " + item.first + " \"" + item.second + "\""));
+      }
+      set.insert(item.second);
+    }
+  }
+}
+
+void
+NetworkPredicateBase::parseWhitelist(const boost::property_tree::ptree& list)
+{
+  parseList(m_whitelist, list, "whitelist");
+}
+
+void
+NetworkPredicateBase::parseBlacklist(const boost::property_tree::ptree& list)
+{
+  parseList(m_blacklist, list, "blacklist");
+}
+
+void
+NetworkPredicateBase::assign(std::initializer_list<std::pair<std::string, std::string>> whitelist,
+                             std::initializer_list<std::pair<std::string, std::string>> blacklist)
+{
+  parseList(m_whitelist, whitelist);
+  parseList(m_blacklist, blacklist);
+}
+
+bool
+NetworkInterfacePredicate::isRuleSupported(const std::string& key)
+{
+  return key == "ifname" || key == "ether" || key == "subnet";
+}
+
+bool
+NetworkInterfacePredicate::isRuleValid(const std::string& key, const std::string& value)
+{
+  if (key == "ifname") {
+    // very basic sanity check for interface names
+    return !value.empty();
+  }
+  else if (key == "ether") {
+    // validate ethernet address
+    return !ndn::ethernet::Address::fromString(value).isNull();
+  }
+  else if (key == "subnet") {
+    // example subnet: 10.0.0.0/8
+    return Network::isValidCidr(value);
+  }
+  else {
+    BOOST_THROW_EXCEPTION(std::logic_error("Only supported rules are expected"));
+  }
+}
+
+bool
+IpAddressPredicate::isRuleSupported(const std::string& key)
+{
+  return key == "subnet";
+}
+
+bool
+IpAddressPredicate::isRuleValid(const std::string& key, const std::string& value)
+{
+  if (key == "subnet") {
+    // example subnet: 10.0.0.0/8
+    return Network::isValidCidr(value);
+  }
+  else {
+    BOOST_THROW_EXCEPTION(std::logic_error("Only supported rules are expected"));
+  }
+}
+
+bool
+NetworkPredicateBase::operator==(const NetworkPredicateBase& other) const
+{
+  return this->m_whitelist == other.m_whitelist &&
+         this->m_blacklist == other.m_blacklist;
+}
+
+static bool
+doesMatchPattern(const std::string& ifname, const std::string& pattern)
+{
+  // use fnmatch(3) to provide unix glob-style matching for interface names
+  // fnmatch returns 0 if there is a match
+  return ::fnmatch(pattern.data(), ifname.data(), 0) == 0;
+}
+
+static bool
+doesNetifMatchRule(const ndn::net::NetworkInterface& netif, const std::string& rule)
+{
+  // if '/' is in rule, this is a subnet, check if IP in subnet
+  if (rule.find('/') != std::string::npos) {
+    Network n = boost::lexical_cast<Network>(rule);
+    for (const auto& addr : netif.getNetworkAddresses()) {
+      if (n.doesContain(addr.getIp())) {
+        return true;
+      }
+    }
+  }
+
+  return rule == "*" ||
+         doesMatchPattern(netif.getName(), rule) ||
+         netif.getEthernetAddress().toString() == rule;
+}
+
+bool
+NetworkInterfacePredicate::operator()(const ndn::net::NetworkInterface& netif) const
+{
+  return std::any_of(m_whitelist.begin(), m_whitelist.end(), bind(&doesNetifMatchRule, cref(netif), _1)) &&
+         std::none_of(m_blacklist.begin(), m_blacklist.end(), bind(&doesNetifMatchRule, cref(netif), _1));
+}
+
+static bool
+doesAddressMatchRule(const boost::asio::ip::address& address, const std::string& rule)
+{
+  // if '/' is in rule, this is a subnet, check if IP in subnet
+  if (rule.find('/') != std::string::npos) {
+    Network n = boost::lexical_cast<Network>(rule);
+    if (n.doesContain(address)) {
+      return true;
+    }
+  }
+
+  return rule == "*";
+}
+
+bool
+IpAddressPredicate::operator()(const boost::asio::ip::address& address) const
+{
+  return std::any_of(m_whitelist.begin(), m_whitelist.end(), bind(&doesAddressMatchRule, cref(address), _1)) &&
+         std::none_of(m_blacklist.begin(), m_blacklist.end(), bind(&doesAddressMatchRule, cref(address), _1));
+}
+
+} // namespace nfd
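Review bot: `doesAddressMatchRule` passes the address straight to `Network::doesContain`, so whether an IPv4-mapped IPv6 address (`::ffff:192.0.2.1`, as seen on a dual-stack socket) is matched by a `subnet 192.0.2.0/24` rule depends entirely on `Network::doesContain`, which is not visible in this patch; if it compares families literally, such a peer would slip past a blacklist entry and be refused by a whitelist entry meant to admit it. Either confirm that `Network` handles the mapped form or normalize before matching, e.g. `const auto& a = (address.is_v6() && address.to_v6().is_v4_mapped()) ? boost::asio::ip::address(address.to_v6().to_v4()) : address;` and then `n.doesContain(a)`; whichever way, a one-line comment stating the chosen behaviour would help, since the class doc in the header promises IPv4 and IPv6 subnets without saying how mixed forms are treated. Separately, both `doesNetifMatchRule` and `doesAddressMatchRule` re-run `boost::lexical_cast<Network>(rule)` for every rule on every evaluation even though `isRuleValid` already validated the string at configuration time; for `IpAddressPredicate::operator()`, which is presumably called per peer address, caching the parsed `Network` objects alongside the strings would remove that repeated parse.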
diff --git a/core/network-predicate.hpp b/core/network-predicate.hpp
new file mode 100644
index 0000000..dc86c70
--- /dev/null
+++ b/core/network-predicate.hpp
@@ -0,0 +1,133 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/*
+ * Copyright (c) 2014-2018,  Regents of the University of California,
+ *                           Arizona Board of Regents,
+ *                           Colorado State University,
+ *                           University Pierre & Marie Curie, Sorbonne University,
+ *                           Washington University in St. Louis,
+ *                           Beijing Institute of Technology,
+ *                           The University of Memphis.
+ *
+ * This file is part of NFD (Named Data Networking Forwarding Daemon).
+ * See AUTHORS.md for complete list of NFD authors and contributors.
+ *
+ * NFD is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation,
+ * either version 3 of the License, or (at your option) any later version.
+ *
+ * NFD is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE.  See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * NFD, e.g., in COPYING.md file.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef NFD_CORE_NETWORK_PREDICATE_HPP
+#define NFD_CORE_NETWORK_PREDICATE_HPP
+
+#include "common.hpp"
+#include <ndn-cxx/net/network-interface.hpp>
+
+namespace nfd {
+
+class NetworkPredicateBase
+{
+public:
+  NetworkPredicateBase();
+
+  virtual
+  ~NetworkPredicateBase();
+
+  /**
+   * \brief Set the whitelist to "*" and clear the blacklist
+   */
+  void
+  clear();
+
+  void
+  parseWhitelist(const boost::property_tree::ptree& list);
+
+  void
+  parseBlacklist(const boost::property_tree::ptree& list);
+
+  void
+  assign(std::initializer_list<std::pair<std::string, std::string>> whitelist,
+         std::initializer_list<std::pair<std::string, std::string>> blacklist);
+
+  bool
+  operator==(const NetworkPredicateBase& other) const;
+
+  bool
+  operator!=(const NetworkPredicateBase& other) const
+  {
+    return !this->operator==(other);
+  }
+
+private:
+  virtual bool
+  isRuleSupported(const std::string& key) = 0;
+
+  virtual bool
+  isRuleValid(const std::string& key, const std::string& value) = 0;
+
+  void
+  parseList(std::set<std::string>& set, const boost::property_tree::ptree& list, const std::string& section);
+
+  void
+  parseList(std::set<std::string>& set, std::initializer_list<std::pair<std::string, std::string>> list);
+
+PUBLIC_WITH_TESTS_ELSE_PROTECTED:
+  std::set<std::string> m_whitelist;
+  std::set<std::string> m_blacklist;
+};
+
+/**
+ * \brief Represents a predicate to accept or reject a ndn::net::NetworkInterface.
+ *
+ * The predicate consists of a whitelist and a blacklist. Whitelist and blacklist can contain,
+ * in no particular order, interface names (e.g., `ifname eth0`), MAC addresses (e.g., `ether
+ * 85:3b:4d:d3:5f:c2`), IPv4 and IPv6 subnets (e.g., `subnet 192.0.2.0/24` or `subnet
+ * 2001:db8:2::/64`), or a wildcard (`*`) that matches all interfaces. A
+ * ndn::net::NetworkInterface is accepted if it matches any entry in the whitelist and none of
+ * the entries in the blacklist.
+ */
+class NetworkInterfacePredicate : public NetworkPredicateBase
+{
+public:
+  bool
+  operator()(const ndn::net::NetworkInterface& netif) const;
+
+private:
+  bool
+  isRuleSupported(const std::string& key) final;
+
+  bool
+  isRuleValid(const std::string& key, const std::string& value) final;
+};
+
+/**
+ * \brief Represents a predicate to accept or reject an IP address.
+ *
+ * The predicate consists of a whitelist and a blacklist. Whitelist and blacklist can contain,
+ * in no particular order, IPv4 and IPv6 subnets (e.g., `subnet 192.0.2.0/24` or `subnet
+ * 2001:db8:2::/64`) or a wildcard (`*`) that matches all IP addresses. An IP address is
+ * accepted if it matches any entry in the whitelist and none of the entries in the blacklist.
+ */
+class IpAddressPredicate : public NetworkPredicateBase
+{
+public:
+  bool
+  operator()(const boost::asio::ip::address& address) const;
+
+private:
+  bool
+  isRuleSupported(const std::string& key) final;
+
+  bool
+  isRuleValid(const std::string& key, const std::string& value) final;
+};
+
+} // namespace nfd
+
+#endif // NFD_CORE_NETWORK_PREDICATE_HPP
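Review bot: `NetworkPredicateBase` and its `assign`, `isRuleSupported` and `isRuleValid` members have no documentation, while both derived classes do; a reader cannot tell from the header what a derived class must provide. Propose a class comment such as `/** \brief Base for whitelist/blacklist predicates; a subclass declares the rule keys it accepts in isRuleSupported() and validates each value in isRuleValid(). */`, and on `assign`: `/** \brief Replace both lists from literal (key, value) pairs; throws std::runtime_error on an unsupported or malformed rule. */` (the ptree overloads throw `ConfigFile::Error` instead, which is worth stating on `parseWhitelist`/`parseBlacklist`). One more point of style: `operator==` is defined on the base with a `const NetworkPredicateBase&` parameter, so a `NetworkInterfacePredicate` and an `IpAddressPredicate` with the same strings compare equal; if that is not intended, declaring the comparison on each derived class, or documenting that only the rule sets are compared, would make it explicit.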