#include <tr_comm.h>
#include <tr_apc.h>
#include <tr_rp.h>
-#include <trust_router/tr_name.h>
+#include <tr_name_internal.h>
#include <trp_internal.h>
#include <tr_gss.h>
#include <trp_ptable.h>
void trps_set_ctable(TRPS_INSTANCE *trps, TR_COMM_TABLE *comm)
{
- if (trps->ctable!=NULL)
- tr_comm_table_free(trps->ctable);
trps->ctable=comm;
}
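Review bot: With the `tr_comm_table_free` call removed, `trps_set_ctable` now silently drops its reference to any table already installed, so a caller that still relies on the old replace-and-free semantics leaks the previous table. If ownership of the old table has moved to the caller, state that on the function: `/* Installs comm as the active community table. A previously installed table is NOT freed; the caller owns it. */`. If no caller is ever expected to replace a live table, a `tr_err` on `trps->ctable!=NULL` would make that assumption visible instead of hiding it.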
case TRP_UPDATE:
trp_upd_set_peer(tr_msg_get_trp_upd(*msg), tr_dup_name(conn_peer));
trp_upd_set_next_hop(tr_msg_get_trp_upd(*msg), trp_peer_get_server(peer), 0); /* TODO: 0 should be the configured TID port */
+ /* update provenance if necessary */
+ trp_upd_add_to_provenance(tr_msg_get_trp_upd(*msg), trp_peer_get_label(peer));
break;
case TRP_REQUEST:
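Review bot: The return value of the added `trp_upd_add_to_provenance` call is ignored, so if that call can fail (its signature is not visible here) the update is forwarded without this peer's label, and the `trps_name_in_provenance` loop check in `trps_handle_inforec_comm` would no longer stop the update from coming back around. If it returns a status, check it and at least log, e.g. `if (TRP_SUCCESS!=trp_upd_add_to_provenance(...)) tr_err("trps_handle_msg: unable to record provenance.");`. The comment `update provenance if necessary` does not say what makes it necessary; either state the condition or simplify to `/* record this hop in the update's provenance (used for loop detection) */`. The enclosing switch and function begin and end outside the hunk.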
static struct timespec *trps_compute_expiry(TRPS_INSTANCE *trps, unsigned int interval, struct timespec *ts)
{
const unsigned int small_factor=3; /* how many intervals we wait before expiring */
- if (0!=clock_gettime(CLOCK_REALTIME, ts)) {
+ if (0!=clock_gettime(TRP_CLOCK, ts)) {
tr_err("trps_compute_expiry: could not read realtime clock.");
ts->tv_sec=0;
ts->tv_nsec=0;
}
+ tr_debug("trps_compute_expiry: tv_sec=%u, interval=%u, small_factor*interval=%u", ts->tv_sec, interval, small_factor*interval);
ts->tv_sec += small_factor*interval;
return ts;
}
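Review bot: The new tr_debug prints `ts->tv_sec`, a `time_t`, with `%u`, which is a format/argument mismatch (undefined behaviour, and wrong output wherever time_t is 64-bit); cast it explicitly: `tr_debug("trps_compute_expiry: tv_sec=%lld, interval=%u, small_factor*interval=%u", (long long)ts->tv_sec, interval, small_factor*interval);`. The error text `could not read realtime clock` is now stale because the call reads `TRP_CLOCK`, which may not be CLOCK_REALTIME. On clock failure the expiry is still computed from a zero timestamp, which is not a meaningful deadline on any clock; that is pre-existing but deserves a comment on the fallback.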
}
if (trps_name_in_provenance(our_peer_label, trp_inforec_get_provenance(rec)))
- tr_debug("trps_handle_inforec_comm: rejecting community inforec to avoid loop.");
+ tr_debug("trps_handle_inforec_comm: rejecting community inforec to avoid provenance loop.");
else {
/* no loop occurring, accept the update */
comm=tr_comm_table_find_comm(trps->ctable, comm_id);
return rc;
}
+/**
+ * Apply applicable TRP_INBOUND filters to an inforec. Rejects everything if peer has no filters.
+ *
+ * @param trps Active TRPS instance
+ * @param upd TRP_UPD that contains the inforec to filter
+ * @param rec Inforec to filter
+ * @return 1 if accepted by the filter, 0 otherwise
+ */
+static int trps_filter_inbound_inforec(TRPS_INSTANCE *trps, TRP_UPD *upd, TRP_INFOREC *rec)
+{
+ TRP_PEER *peer=NULL;
+ TR_NAME *peer_name=NULL;
+ TR_FILTER_ACTION action=TR_FILTER_ACTION_REJECT;
+ TR_FILTER_TARGET *target=NULL;
+ int retval=0;
+
+ /* Look up the peer. For inbound messages, the peer is identified by its GSS name */
+ peer_name=trp_upd_get_peer(upd);
+ peer=trps_get_peer_by_gssname(trps, peer_name);
+ if (peer==NULL) {
+ tr_err("trps_filter_inbound_inforec: received inforec from unknown peer (%.*s), rejecting.",
+ peer_name->len,
+ peer_name->buf);
+ return 0;
+ }
+
+ /* tr_filter_apply() and tr_filter_set_get() handle null filter sets/filters by rejecting */
+ target= tr_filter_target_trp_inforec(NULL, upd, rec);
+ if (target==NULL) {
+ /* TODO: signal that filtering failed. Until then, just filter everything and give an error message. */
+ tr_crit("trps_filter_inbound_inforec: Unable to allocate filter target, cannot apply filter!");
+ }
+ if ((target==NULL)
+ || (TR_FILTER_NO_MATCH==tr_filter_apply(target,
+ tr_filter_set_get(peer->filters, TR_FILTER_TYPE_TRP_INBOUND),
+ NULL,
+ &action))
+ || (action!=TR_FILTER_ACTION_ACCEPT)) {
+ /* either the filter did not match or it matched a reject rule or allocating the target failed */
+ retval=0;
+ } else
+ retval=1;
+ if (target!=NULL)
+ tr_filter_target_free(target);
+
+ /* filter matched an accept rule */
+ return retval;
+}
+
+
static TRP_RC trps_handle_update(TRPS_INSTANCE *trps, TRP_UPD *upd)
{
TRP_INFOREC *rec=NULL;
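Review bot: `peer_name` returned by `trp_upd_get_peer(upd)` is dereferenced in the unknown-peer error message without a NULL check; if a TRP_UPD can arrive with no peer set (I cannot tell from here), that path crashes instead of rejecting. Guard it before the lookup: `if (peer_name==NULL) { tr_err("trps_filter_inbound_inforec: inforec has no peer, rejecting."); return 0; }`. The trailing comment `/* filter matched an accept rule */` before `return retval;` is misleading, since retval is 0 on every reject path; drop it or move it into the else branch. Rejecting on unknown peer and on a missing filter set is the right fail-closed default; the doc comment could also say that a failed target allocation is treated as a reject.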
}
for (rec=trp_upd_get_inforec(upd); rec!=NULL; rec=trp_inforec_get_next(rec)) {
+ if (!trps_filter_inbound_inforec(trps, upd, rec)) {
+ tr_debug("trps_handle_update: inforec rejected by filter.");
+ continue; /* just go on to the next record */
+ }
+
switch (trp_inforec_get_type(rec)) {
case TRP_INFOREC_TYPE_ROUTE:
tr_debug("trps_handle_update: handling route inforec.");
tr_debug("trps_handle_update: handling community inforec.");
if (TRP_SUCCESS!=trps_handle_inforec_comm(trps, upd, rec))
tr_notice("trps_handle_update: error handling community inforec.");
+
break;
default:
tr_notice("trps_handle_update: unsupported inforec in TRP update.");
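Review bot: `trps_filter_inbound_inforec` is invoked once per inforec, and each call repeats the peer lookup by GSS name and, for an unknown peer, emits a `tr_err` per record even though the peer is a property of the update, not the record; resolve the peer once before the loop (or short-circuit the whole update when the peer is unknown) rather than per record. Rejected records are logged only as `inforec rejected by filter.` with no sender identity, which makes filter problems hard to trace; include the peer, e.g. `tr_debug("trps_handle_update: inforec from %.*s rejected by filter.", trp_upd_get_peer(upd)->len, trp_upd_get_peer(upd)->buf);`, assuming the peer name is non-NULL at this point. The enclosing function begins and ends outside the hunk.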
size_t ii=0;
/* use a single time for the entire sweep */
- if (0!=clock_gettime(CLOCK_REALTIME, &sweep_time)) {
+ if (0!=clock_gettime(TRP_CLOCK, &sweep_time)) {
tr_err("trps_sweep_routes: could not read realtime clock.");
sweep_time.tv_sec=0;
sweep_time.tv_nsec=0;
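Review bot: The error message still reads `could not read realtime clock` although the call now uses `TRP_CLOCK`, which may no longer be CLOCK_REALTIME; change it to `tr_err("trps_sweep_routes: could not read TRP clock.");` (the same stale wording remains in `trps_sweep_ctable` and `trps_compute_expiry`). Because `trps_compute_expiry` reads the same clock, comparing stored expiries against `sweep_time` stays consistent after this change, but the zero fallback on failure is still compared against real timestamps; that is pre-existing. The enclosing function begins and ends outside the hunk.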
TRP_RC rc=TRP_ERROR;
/* use a single time for the entire sweep */
- if (0!=clock_gettime(CLOCK_REALTIME, &sweep_time)) {
+ if (0!=clock_gettime(TRP_CLOCK, &sweep_time)) {
tr_err("trps_sweep_ctable: could not read realtime clock.");
sweep_time.tv_sec=0;
sweep_time.tv_nsec=0;
/* This is the first expiration. Note this and reset the expiry time. */
tr_comm_memb_expire(memb);
trps_compute_expiry(trps, tr_comm_memb_get_interval(memb), tr_comm_memb_get_expiry(memb));
- tr_debug("trps_sweep_ctable: community membership expired, resetting expiry to %s (%.*s in %.*s, origin %.*s).",
+ tr_debug("trps_sweep_ctable: community membership expired at %s, resetting expiry to %s (%.*s in %.*s, origin %.*s).",
+ timespec_to_str(&sweep_time),
timespec_to_str(tr_comm_memb_get_expiry(memb)),
tr_comm_memb_get_realm_id(memb)->len, tr_comm_memb_get_realm_id(memb)->buf,
tr_comm_get_id(tr_comm_memb_get_comm(memb))->len, tr_comm_get_id(tr_comm_memb_get_comm(memb))->buf,
return rc;
}
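Review bot: The expanded tr_debug calls `timespec_to_str` twice in a single argument list; if it formats into a static buffer (its definition is not in the hunk) both `%s` fields print the same value, and if it allocates, the result of each call leaks. Format the two times into separate locals before the call, or split the message into two tr_debug calls, and confirm the ownership contract of `timespec_to_str` either way. The enclosing function starts outside the hunk.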
+/**
+ * Filter the inforecs in a single update
+ *
+ * @param filt The filter to apply
+ * @param upd The update to filter
+ */
+static void trps_filter_one_outbound_update(TR_FILTER *filt, TRP_UPD *upd)
+{
+ TRP_INFOREC *this=NULL, *next=NULL;
+ TR_FILTER_ACTION action=TR_FILTER_ACTION_REJECT;
+ TR_FILTER_TARGET *target=NULL;
+
+ for(this=trp_upd_get_inforec(upd); this!=NULL; this=next) {
+ next=this->next;
+ target= tr_filter_target_trp_inforec(NULL, upd, this);
+ if (target==NULL) {
+ /* TODO: signal that filtering failed. Until then, just filter everything and give an error message. */
+ tr_crit("trps_filter_one_outbound_update: Unable to allocate filter target, cannot apply filter!");
+ }
+ if ((target==NULL)
+ || (TR_FILTER_NO_MATCH==tr_filter_apply(target, filt, NULL, &action))
+ || (action!=TR_FILTER_ACTION_ACCEPT)) {
+ /* Either no filter matched or one matched and rejected this record.
+ * Also filter out record if we were unable to allocate a target. */
+ trp_upd_remove_inforec(upd, this); /* "this" is now invalid */
+ }
+ if (target!=NULL)
+ tr_filter_target_free(target);
+ }
+}
+
+/**
+ * May shuffle the update list.
+ *
+ * @param filters The filter set for the relevant TRP peer
+ * @param updates GPtrArray of updates to filter
+ */
+static void trps_filter_outbound_updates(TR_FILTER_SET *filters, GPtrArray *updates)
+{
+ TRP_UPD *upd=NULL;
+ guint ii=0;
+
+ /* Walk backward through the array so we can remove elements. Careful about loop
+ * termination - remember that ii is unsigned. */
+ for (ii=updates->len; ii>0; ii--) {
+ upd=g_ptr_array_index(updates, ii-1);
+ trps_filter_one_outbound_update(tr_filter_set_get(filters, TR_FILTER_TYPE_TRP_OUTBOUND), upd);
+ /* see if we removed all the records from this update */
+ if (trp_upd_num_inforecs(upd)==0)
+ g_ptr_array_remove_index_fast(updates, ii-1); /* does not preserve order at index ii or higher */
+ }
+}
/* helper for trps_update_one_peer. Frees the TRP_UPD pointed to by a GPtrArray element */
static void trps_trp_upd_destroy(gpointer data)
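Review bot: `trps_filter_one_outbound_update` reads `this->next` directly while the rest of this file goes through `trp_inforec_get_next()` (as `trps_handle_update` does); use the accessor so the list layout stays private: `next=trp_inforec_get_next(this);`. `trps_filter_outbound_updates` fetches the filter with `tr_filter_set_get` on every iteration; hoist it into a local above the loop. The behaviour for a peer with no outbound filter is fail-closed (every record removed, relying on `tr_filter_apply` rejecting a NULL filter as the inbound comment states) and should be stated in the doc comment, e.g. `Removes every inforec if the peer has no TRP_OUTBOUND filter.` Removing an emptied update with `g_ptr_array_remove_index_fast` only frees it if the array was created with an element free function (presumably `trps_trp_upd_destroy`); worth confirming, since otherwise the emptied TRP_UPD leaks.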
static TRP_RC trps_update_one_peer(TRPS_INSTANCE *trps,
TRP_PEER *peer,
TRP_UPDATE_TYPE update_type,
- TR_NAME *comm,
- TR_NAME *realm)
+ TR_NAME *realm,
+ TR_NAME *comm)
{
TALLOC_CTX *tmp_ctx=talloc_new(NULL);
TR_MSG msg; /* not a pointer! */
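Review bot: Swapping the order of `realm` and `comm`, which share the type `TR_NAME *`, cannot be caught by the compiler, so any caller not updated in this commit will silently pass realm and community transposed; the one call site visible here, in `trps_handle_request`, is updated, but any other caller is outside this view. A safer way to make such a change is to rename the function for the new ordering, or pass the pair in a small struct, so stale callers fail to compile rather than misroute. The function body continues past the hunk.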
if (updates->len<=0)
tr_debug("trps_update_one_peer: no updates for %.*s", peer_label->len, peer_label->buf);
else {
- tr_debug("trps_update_one_peer: sending %d update messages.", updates->len);
- for (ii=0; ii<updates->len; ii++) {
- upd=(TRP_UPD *)g_ptr_array_index(updates, ii);
- /* now encode the update message */
- tr_msg_set_trp_upd(&msg, upd);
- encoded=tr_msg_encode(&msg);
- if (encoded==NULL) {
- tr_err("trps_update_one_peer: error encoding update.");
- rc=TRP_ERROR;
- goto cleanup;
- }
+ /* Apply outbound TRP filters for this peer */
+ trps_filter_outbound_updates(peer->filters, updates);
- tr_debug("trps_update_one_peer: adding message to queue.");
- if (trps_send_msg(trps, peer, encoded) != TRP_SUCCESS)
- tr_err("trps_update_one_peer: error queueing update.");
- else
- tr_debug("trps_update_one_peer: update queued successfully.");
+ if (updates->len<=0)
+ tr_debug("trps_update_one_peer: no updates for %.*s after filtering.", peer_label->len, peer_label->buf);
+ else {
+ tr_debug("trps_update_one_peer: sending %d update messages.", updates->len);
+ for (ii=0; ii<updates->len; ii++) {
+ upd = (TRP_UPD *) g_ptr_array_index(updates, ii);
+ /* now encode the update message */
+ tr_msg_set_trp_upd(&msg, upd);
+ encoded = tr_msg_encode(&msg);
+ if (encoded == NULL) {
+ tr_err("trps_update_one_peer: error encoding update.");
+ rc = TRP_ERROR;
+ goto cleanup;
+ }
- tr_msg_free_encoded(encoded);
- encoded=NULL;
+ tr_debug("trps_update_one_peer: adding message to queue.");
+ if (trps_send_msg(trps, peer, encoded) != TRP_SUCCESS)
+ tr_err("trps_update_one_peer: error queueing update.");
+ else
+ tr_debug("trps_update_one_peer: update queued successfully.");
+
+ tr_msg_free_encoded(encoded);
+ encoded = NULL;
+ }
}
}
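Review bot: The new `tr_debug("trps_update_one_peer: sending %d update messages.", updates->len)` passes a `guint` to `%d`; use `%u`. `if (updates->len<=0)` on an unsigned length is just `==0`, and writing it that way avoids the sign confusion. Outbound filtering now runs before encoding and may drop entries with `g_ptr_array_remove_index_fast`, so emptied updates change the order of the remaining ones; if the receiver depends on update order (I cannot tell from here), that is a behavioural change worth a comment. The enclosing function begins before the hunk.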
return trps_update_one_peer(trps,
trps_get_peer_by_gssname(trps, trp_req_get_peer(req)),
TRP_UPDATE_REQUESTED,
- comm,
- realm);
+ realm,
+ comm);
}