2 +----------------------------------------------------------------------+
4 +----------------------------------------------------------------------+
5 | Copyright (c) 2010-present Facebook, Inc. (http://www.facebook.com) |
6 +----------------------------------------------------------------------+
7 | This source file is subject to version 3.01 of the PHP license, |
8 | that is bundled with this package in the file LICENSE, and is |
9 | available through the world-wide-web at the following url: |
10 | http://www.php.net/license/3_01.txt |
11 | If you did not receive a copy of the PHP license and are unable to |
12 | obtain it through the world-wide-web, please send a note to |
13 | license@php.net so we can mail you a copy immediately. |
14 +----------------------------------------------------------------------+
19 #include "hphp/util/hdf.h"
20 #include "hphp/runtime/base/ini-setting.h"
21 #include <folly/portability/Sockets.h>
24 ///////////////////////////////////////////////////////////////////////////////
25 // Blacklisted IP address range support. Loads a set of networks from
26 // configuration, then is used to test candidate addresses to see if they
27 // fall into one of the forbidden networks for a particular request type.
// Reads a textual IPv4 or IPv6 address, possibly including a bit count,
// and turns it into an IPv6 address and a number of significant bits.
// IPv4 addresses are turned into IPv4-mapped IPv6 addresses, so a v4
// range is compared inside the ::ffff:0:0/96 subtree of the same trie.
//
// text             : NUL-terminated address text, optionally followed by a
//                    bit count (the exact textual form is fixed by the
//                    definition, not by this header).
// output           : receives the parsed address, IPv4 mapped into IPv6.
// significant_bits : receives how many leading bits of *output are
//                    meaningful, i.e. the prefix length.
// Returns a bool; presumably false when the text does not parse -- confirm
// in the definition. Code loading configuration should treat a false
// result as a rejected entry rather than inserting whatever was left in
// *output.
static bool ReadIPv6Address(const char *text,
                            struct in6_addr *output,
                            int &significant_bits);
// Builds the block map from the "ini" settings and the "config" Hdf tree.
// Which keys are read, and how a parse failure in a network entry is
// reported, is decided by the definition, not visible in this header.
IpBlockMap(const IniSetting::Map& ini, const Hdf& config);
// Returns true if the textual address "ip" is denied for the request type
// "command". The lookup is read-only (const) and goes through the
// per-location acls and their network tries; the exact matching rules
// live in the definition.
// NOTE(review): "ip" is plain text supplied by the caller. The decision
// is only as trustworthy as the caller's choice of address source (e.g.
// the socket peer address versus something derived from the request);
// this class does not validate where the string came from.
bool isBlocking(const std::string &command, const std::string &ip) const;
42 /////////////////////////////////////////////////////////////////////////////
43 // We put all the network addresses (which are simply strings of bits) in a
44 // trie that we can match against a candidate network address. Each trie
45 // node has a flag to indicate whether matching addresses are allowed or
46 // disallowed. The value at the deepest trie node that matches a prefix of
47 // the candidate address is the value for that address's network.
48 struct BinaryPrefixTrie
{
// Creates a trie node carrying the given allow value (true: allow,
// false: deny). Child initialisation is done by the definition.
explicit BinaryPrefixTrie(bool allow);
// Returns the "allow" value of the longest matching prefix of the
// candidate address "search".
//
// search      : the candidate address as a bit string; an IPv4 candidate
//               is expected in its IPv4-mapped IPv6 form, like the stored
//               prefixes.
// search_bits : number of leading bits of "search" to compare; the default
//               128 is a full IPv6 address.
// NOTE(review): "search" is an untyped buffer and nothing in this header
// bounds the read -- callers must guarantee the buffer holds at least
// search_bits bits (16 bytes for the default).
bool isAllowed(const void *search,
               const int search_bits = 128);
// Overrides this node's allow value (true: allow, false: deny).
void setAllowed(bool allow);
58 // Inserts a new prefix into the trie with an allow value at the leaf node.
59 // Nodes other than the new leaf will inherit the allow setting of the
60 // longest existing prefix.
61 static void InsertNewPrefix(BinaryPrefixTrie
*root
,
// Worker behind isAllowed. "search" and "search_bits" are as for
// isAllowed; "bit_offset" is the position within "search" (in bits) that
// this node corresponds to -- presumably advanced by one per trie level,
// confirm in the definition. Must not read past search_bits.
bool isAllowedImpl(const void *search,
                   const int search_bits,
                   const int bit_offset);
// Subtrees for the next address bit: index 0 for a 0 bit, index 1 for a
// 1 bit. Presumably nullptr where no longer prefix exists -- confirm.
// NOTE(review): these are raw pointers with no destructor or copy-control
// visible in this header; ownership and lifetime should be confirmed in
// the definition (std::unique_ptr would make the ownership explicit).
BinaryPrefixTrie *m_children[2];
// Network prefixes of this acl; the allow value at the longest matching
// prefix decides the address: true => allow, false => deny.
BinaryPrefixTrie m_networks; // prefix => true: allow; false: deny
// Access lists keyed by location (the request type tested by isBlocking).
// Stored as shared_ptr, so the same Acl may be referenced by more than one
// entry -- presumably; confirm in the constructor.
hphp_string_map<std::shared_ptr<Acl>> m_acls; // location => acl
// Constructor helper: loads the networks configured under "name" (looked
// up in "hdf" and "ini") into acl's trie, each with the given allow value.
// Which of the two configuration sources takes precedence, and what
// happens to an entry ReadIPv6Address rejects, is decided by the
// definition.
static void LoadIpList(std::shared_ptr<Acl> acl,
                       const IniSetting::Map& ini,
                       const Hdf& hdf,
                       const std::string& name,
                       bool allow);
86 ///////////////////////////////////////////////////////////////////////////////