2 +----------------------------------------------------------------------+
4 +----------------------------------------------------------------------+
5 | Copyright (c) 2010-present Facebook, Inc. (http://www.facebook.com) |
6 +----------------------------------------------------------------------+
7 | This source file is subject to version 3.01 of the PHP license, |
8 | that is bundled with this package in the file LICENSE, and is |
9 | available through the world-wide-web at the following url: |
10 | http://www.php.net/license/3_01.txt |
11 | If you did not receive a copy of the PHP license and are unable to |
12 | obtain it through the world-wide-web, please send a note to |
13 | license@php.net so we can mail you a copy immediately. |
14 +----------------------------------------------------------------------+
17 #ifndef incl_HPHP_IP_BLOCK_MAP_H_
18 #define incl_HPHP_IP_BLOCK_MAP_H_
20 #include "hphp/util/hdf.h"
21 #include "hphp/runtime/base/ini-setting.h"
22 #include <folly/portability/Sockets.h>
25 ///////////////////////////////////////////////////////////////////////////////
26 // Blacklisted IP address range support. Loads a set of networks from
27 // configuration, then is used to test candidate addresses to see if they
28 // fall into one of the forbidden networks for a particular request type.
31 // Reads a textual IPv4 or IPv6 address, possibly including a bit count,
32 // and turns it into an IPv6 address and a number of significant bits.
33 // IPv4 addresses are turned into mapped IPv6 addresses.
34 static bool ReadIPv6Address(const char *text
,
35 struct in6_addr
*output
,
36 int &significant_bits
);
39 IpBlockMap(const IniSetting::Map
& ini
, const Hdf
& config
);
41 bool isBlocking(const std::string
&command
, const std::string
&ip
) const;
43 /////////////////////////////////////////////////////////////////////////////
44 // We put all the network addresses (which are simply strings of bits) in a
45 // trie that we can match against a candidate network address. Each trie
46 // node has a flag to indicate whether matching addresses are allowed or
47 // disallowed. The value at the deepest trie node that matches a prefix of
48 // the candidate address is the value for that address's network.
49 struct BinaryPrefixTrie
{
50 explicit BinaryPrefixTrie(bool allow
);
52 // Returns the "allow" value of the longest matching prefix of the
54 bool isAllowed(const void *search
,
55 const int search_bits
= 128);
57 void setAllowed(bool allow
);
59 // Inserts a new prefix into the trie with an allow value at the leaf node.
60 // Nodes other than the new leaf will inherit the allow setting of the
61 // longest existing prefix.
62 static void InsertNewPrefix(BinaryPrefixTrie
*root
,
68 bool isAllowedImpl(const void *search
,
69 const int search_bits
,
70 const int bit_offset
);
72 BinaryPrefixTrie
*m_children
[2];
79 BinaryPrefixTrie m_networks
; // prefix => true: allow; false: deny
81 hphp_string_map
<std::shared_ptr
<Acl
>> m_acls
; // location => acl
83 static void LoadIpList(std::shared_ptr
<Acl
> acl
, const IniSetting::Map
& ini
,
84 const Hdf
& hdf
, const std::string
& name
, bool allow
);
87 ///////////////////////////////////////////////////////////////////////////////
90 #endif // incl_HPHP_IP_BLOCK_MAP_H_