From e9b472dc9e31def5c8559c6d007fdf770d99d308 Mon Sep 17 00:00:00 2001
From: Matthias Schiffer
Date: Fri, 4 Sep 2015 20:57:33 +0200
Subject: config: allow moving the 'on verify' clause into a peer group

---
 src/config.y | 23 ++++++++++++-----------
 src/fastd.h | 1 +
 src/options.c | 1 +
 src/protocols/ec25519_fhmqvc/handshake.c | 8 +++++++-
 4 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/src/config.y b/src/config.y
index 196f862..8ab7b7b 100644
--- a/src/config.y
+++ b/src/config.y
@@ -201,7 +201,6 @@ statement: peer_group_statement
 | TOK_ON TOK_CONNECT on_connect ';'
 | TOK_ON TOK_ESTABLISH on_establish ';'
 | TOK_ON TOK_DISESTABLISH on_disestablish ';'
- | TOK_ON TOK_VERIFY on_verify ';'
 | TOK_STATUS TOK_SOCKET status_socket ';'
 | TOK_FORWARD forward ';'
 ;
@@ -211,6 +210,7 @@ peer_group_statement:
 | TOK_PEER TOK_GROUP peer_group '{' peer_group_config '}' peer_group_after
 | TOK_PEER TOK_LIMIT peer_limit ';'
 | TOK_METHOD method ';'
+ | TOK_ON TOK_VERIFY on_verify ';'
 | TOK_INCLUDE include ';'
 ;
 
@@ -437,16 +437,6 @@ on_disestablish: sync TOK_STRING {
 }
 ;
 
-on_verify: sync TOK_STRING {
-#ifdef WITH_DYNAMIC_PEERS
- fastd_shell_command_set(&conf.on_verify, $2->str, $1);
-#else
- fastd_config_error(&@$, state, "`on verify' is not supported by this version of fastd");
- YYERROR;
-#endif
- }
- ;
-
 status_socket: TOK_STRING {
 #ifdef WITH_STATUS_SOCKET
 free(conf.status_socket); conf.status_socket = fastd_strdup($1->str);
@@ -594,6 +584,17 @@ method: TOK_STRING {
 }
 ;
 
+on_verify: sync TOK_STRING {
+#ifdef WITH_DYNAMIC_PEERS
+ fastd_shell_command_set(&conf.on_verify, $2->str, $1);
+ conf.on_verify_group = state->peer_group;
+#else
+ fastd_config_error(&@$, state, "`on verify' is not supported by this version of fastd");
+ YYERROR;
+#endif
+ }
+ ;
+
 forward: boolean {
 conf.forward = $1;
 }
 ;
diff --git a/src/fastd.h b/src/fastd.h
index 3531219..cc638cb 100644
--- a/src/fastd.h
+++ b/src/fastd.h
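Review bot: Now that `on verify` is a peer_group_statement, a second clause in another (or nested) group silently overwrites both conf.on_verify and conf.on_verify_group in the new on_verify action, so only the last group's limits and constraints ever apply to dynamic peers while the earlier clause is accepted without complaint; --on-verify in src/options.c, which binds the group to conf.peer_group, takes part in the same last-wins race. Consider rejecting the repeat before the fastd_shell_command_set call, e.g. `if (conf.on_verify_group) { fastd_config_error(&@$, state, "`on verify' may only be specified once"); YYERROR; }`, or, if the command-line and config-file forms are meant to override each other, at least warning and stating the last-wins rule in the grammar comment. This hunk's YYERROR path stays unchanged for builds without WITH_DYNAMIC_PEERS, which is fine.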
@@ -257,6 +257,7 @@ struct fastd_config {
 fastd_shell_command_t on_disestablish; /**< The command to execute when a connection has been disestablished */
 #ifdef WITH_DYNAMIC_PEERS
 fastd_shell_command_t on_verify; /**< The command to execute to check if a connection from an unknown peer should be allowed */
+ fastd_peer_group_t *on_verify_group; /**< The peer group to put dynamic peers into */
 #endif
 
 #ifdef WITH_STATUS_SOCKET
diff --git a/src/options.c b/src/options.c
index a84830b..811adef 100644
--- a/src/options.c
+++ b/src/options.c
@@ -379,6 +379,7 @@ static void option_on_disestablish(const char *arg) {
 /** Handles the --on-verify option */
 static void option_on_verify(const char *arg) {
 fastd_shell_command_set(&conf.on_verify, arg, false);
+ conf.on_verify_group = conf.peer_group;
 }
 
 #endif
diff --git a/src/protocols/ec25519_fhmqvc/handshake.c b/src/protocols/ec25519_fhmqvc/handshake.c
index bef4385..0cbe15a 100644
--- a/src/protocols/ec25519_fhmqvc/handshake.c
+++ b/src/protocols/ec25519_fhmqvc/handshake.c
@@ -565,12 +565,18 @@ static fastd_peer_t * add_dynamic(fastd_socket_t *sock, const fastd_peer_address
 }
 
 fastd_peer_t *peer = fastd_new0(fastd_peer_t);
- peer->group = conf.peer_group;
+ peer->group = conf.on_verify_group;
 peer->config_state = CONFIG_DYNAMIC;
 peer->key = fastd_new(fastd_protocol_key_t);
 *peer->key = peer_key;
 
+ if (!fastd_peer_may_connect(peer)) {
+ pr_debug("not adding dynamic peer %P[%I] because of local constraints", peer, addr);
+ fastd_peer_free(peer);
+ return NULL;
+ }
+
 if (!fastd_peer_add(peer))
 exit_bug("failed to add dynamic peer");
-- 
cgit v1.2.3
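Review bot: The doc comment on the new on_verify_group field does not say where the value comes from or what it holds when no `on verify` was configured, which is exactly what a reader of add_dynamic() needs to know before trusting peer->group. Suggest `/**< The peer group dynamic peers are added to: the group enclosing the `on verify' clause, or conf.peer_group when set via --on-verify; unset if no verify command is configured */`. Whether "unset" means NULL depends on how conf is initialised, which is outside this hunk — confirm before wording it that way.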
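Review bot: The new early-return path calls fastd_peer_free() on a peer that was never passed to fastd_peer_add(), two lines after peer->key was allocated with fastd_new(); it should be confirmed that fastd_peer_free() releases peer->key on a not-yet-added peer, otherwise every dynamic peer rejected by local constraints leaks a key allocation, which a remote party can trigger at handshake rate. Separately, peer->group now comes from conf.on_verify_group rather than conf.peer_group; if add_dynamic() can be reached while no `on verify` is configured (that guard, if any, is outside this hunk), the group is NULL and fastd_peer_may_connect() would be evaluating a peer with no group. Making the assumption explicit, e.g. `if (!peer->group) exit_bug("dynamic peer without on_verify_group");` right after the assignment, costs nothing and turns a silent misconfiguration into a diagnosable one. Rejecting constrained peers before they are added (and before the verify command runs) is the right order. add_dynamic() starts before this hunk and continues after it.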