track total size of static array and Unit/Class/Func
[hiphop-php.git] / hphp / runtime / server / ip-block-map.h
1 /*
2 +----------------------------------------------------------------------+
3 | HipHop for PHP |
4 +----------------------------------------------------------------------+
5 | Copyright (c) 2010-present Facebook, Inc. (http://www.facebook.com) |
6 +----------------------------------------------------------------------+
7 | This source file is subject to version 3.01 of the PHP license, |
8 | that is bundled with this package in the file LICENSE, and is |
9 | available through the world-wide-web at the following url: |
10 | http://www.php.net/license/3_01.txt |
11 | If you did not receive a copy of the PHP license and are unable to |
12 | obtain it through the world-wide-web, please send a note to |
13 | license@php.net so we can mail you a copy immediately. |
14 +----------------------------------------------------------------------+
17 #ifndef incl_HPHP_IP_BLOCK_MAP_H_
18 #define incl_HPHP_IP_BLOCK_MAP_H_
20 #include "hphp/util/hdf.h"
21 #include "hphp/runtime/base/ini-setting.h"
22 #include <folly/portability/Sockets.h>
24 namespace HPHP {
25 ///////////////////////////////////////////////////////////////////////////////
26 // Blacklisted IP address range support. Loads a set of networks from
27 // configuration, then is used to test candidate addresses to see if they
28 // fall into one of the forbidden networks for a particular request type.
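// NOTE: the page rendering of this listing carried gutter line numbers and
// had lost the lines holding only a closing "};" (BinaryPrefixTrie, Acl and
// IpBlockMap itself). They are restored here so the declaration parses; no
// member, signature or member order has been changed.
struct IpBlockMap {
  // Parses a textual IPv4 or IPv6 address, optionally carrying a bit count,
  // into an IPv6 address plus a number of significant (prefix) bits.
  // IPv4 input is converted to an IPv4-mapped IPv6 address.
  //
  //   text             - the address text to parse
  //   output           - receives the resulting IPv6 address
  //   significant_bits - receives the number of significant bits
  //
  // Returns a bool; presumably true on success -- confirm in the .cpp.
  // NOTE(review): if false does mean "could not parse", callers must check
  // the result before using `output` / `significant_bits`, since nothing in
  // this header says what those hold after a failed parse.
  //
  // Declared ahead of the `public:` label below, but this is a struct, so
  // it is public as well.
  static bool ReadIPv6Address(const char *text,
                              struct in6_addr *output,
                              int &significant_bits);

public:
  // Builds the block map from configuration (ini settings and Hdf config).
  IpBlockMap(const IniSetting::Map& ini, const Hdf& config);

  // Tests whether `ip` falls into a forbidden network for `command`.
  // `command` is presumably matched against the "location" keys of m_acls
  // -- verify against the implementation.
  // NOTE(review): this header does not state the result for an `ip` string
  // that fails to parse, or for a `command` with no configured ACL. For an
  // access-control check, confirm that the implementation's choice for
  // those cases (block vs. not block) is the intended one.
  bool isBlocking(const std::string &command, const std::string &ip) const;

  /////////////////////////////////////////////////////////////////////////////
  // All network addresses (which are simply strings of bits) are stored in a
  // trie that a candidate address is matched against. Each trie node carries
  // a flag saying whether matching addresses are allowed or disallowed. The
  // value at the deepest node that matches a prefix of the candidate address
  // is the value for that address's network (longest-prefix match).
  struct BinaryPrefixTrie {
    // Creates a node holding the given allow flag.
    explicit BinaryPrefixTrie(bool allow);

    // Returns the "allow" value of the longest matching prefix of the
    // search value.
    //
    //   search      - untyped pointer to the bits to look up
    //   search_bits - number of bits to consider; the default of 128 is the
    //                 width of an IPv6 address
    //
    // Because `search` is a void pointer, nothing in this interface checks
    // that the buffer really holds `search_bits` bits; the caller is
    // responsible for that (e.g. a full in6_addr for the default).
    bool isAllowed(const void *search,
                   const int search_bits = 128);

    // Overwrites this node's allow flag.
    void setAllowed(bool allow);

    // Inserts a new prefix into the trie with an allow value at the leaf
    // node. Nodes other than the new leaf inherit the allow setting of the
    // longest existing prefix.
    //
    //   root     - trie to insert into
    //   value    - untyped pointer to the prefix bits
    //   num_bits - length of the prefix in bits; as with isAllowed(), the
    //              caller must guarantee `value` covers that many bits
    //   allow    - flag stored at the new leaf
    static void InsertNewPrefix(BinaryPrefixTrie *root,
                                const void *value,
                                const int num_bits,
                                const bool allow);

  private:
    // Helper behind isAllowed(); `bit_offset` is presumably the position of
    // the bit currently being examined -- confirm in the .cpp.
    bool isAllowedImpl(const void *search,
                       const int search_bits,
                       const int bit_offset);

    // Two child slots, presumably one per value (0/1) of the next bit.
    // NOTE(review): these are raw pointers and no destructor or copy
    // control is declared in this header, so ownership of child nodes is
    // not visible here. A copy of a trie would share its children with the
    // original -- confirm how nodes are allocated and released.
    BinaryPrefixTrie *m_children[2];
    bool m_allow;
  };

private:
  // One access-control list: a prefix trie of networks.
  struct Acl {
    Acl();
    BinaryPrefixTrie m_networks; // prefix => true: allow; false: deny
  };
  hphp_string_map<std::shared_ptr<Acl>> m_acls; // location => acl

  // Loads an IP list into `acl` from the given ini/Hdf configuration.
  // `name` presumably selects the configuration entry to read and `allow`
  // the flag recorded for each loaded network -- confirm in the .cpp.
  static void LoadIpList(std::shared_ptr<Acl> acl, const IniSetting::Map& ini,
                         const Hdf& hdf, const std::string& name, bool allow);
};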
87 ///////////////////////////////////////////////////////////////////////////////
90 #endif // incl_HPHP_IP_BLOCK_MAP_H_