gNFS: Fix multi-homed m/c issue in NFS subdir auth

NFS subdir authentication doesn't correctly handle multi-homed (host with multiple NIC having multiple IP addr) OR multi-protocol (IPv4 and IPv6) network addresses. When user/admin sets HOSTNAME in gluster CLI for NFS subdir auth, mnt3_verify_auth() routine does not iterate over all the resolved n/w addrs returned by getaddrinfo() n/w API. Instead, it just tests with the one returned first. 1. Iterate over all the n/w addrs (linked list) returned by getaddrinfo(). 2. Move the n/w mask calculation part to mnt3_export_fill_hostspec() instead of doing it in mnt3_verify_auth() i.e. calculating for each mount request. It does not change for MOUNT req. 3. Integrate "subnet support code rpc-auth.addr.<volname>.allow" and "NFS subdir auth code" to remove code duplication. Cherry-picked from commit d3f0de90d0c5166e63f5764d2f21703fd29ce976: > Change-Id: I26b0def52c22cda35ca11766afca3df5fd4360bf > BUG: 1102293 > Signed-off-by: Santosh Kumar Pradhan <spradhan@redhat.com> > Reviewed-on: http://review.gluster.org/8048 > Reviewed-by: Rajesh Joseph <rjoseph@redhat.com> > Tested-by: Gluster Build System <jenkins@build.gluster.com> > Reviewed-by: Niels de Vos <ndevos@redhat.com> Change-Id: Ie92a8ac602bec2cd77268acb7b23ad8ba3c52f5f BUG: 1112980 Signed-off-by: Niels de Vos <ndevos@redhat.com> Reviewed-on: http://review.gluster.org/8198 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Santosh Pradhan <spradhan@redhat.com>
author: Niels de Vos <ndevos@redhat.com> 2014-06-29 16:30:30 +0200
committer: Niels de Vos <ndevos@redhat.com> 2014-07-02 00:53:18 -0700
commit: cacc1311626aa8b2dfe9f937cf1b14bb534a8937 (patch)
tree: 63369e3f37d058444f2ce93640684af0f407ecae /xlators/nfs
parent: cf5a5ab1a81bb61bb66982757ccd301d015ac16e (diff)
2 files changed, 105 insertions, 90 deletions
diff --git a/xlators/nfs/server/src/mount3.c b/xlators/nfs/server/src/mount3.c
index b0824bf1029..dd66c44af77 100644
--- a/xlators/nfs/server/src/mount3.c
+++ b/xlators/nfs/server/src/mount3.c
@@ -37,22 +37,6 @@
 #include <sys/uio.h>
 
 
-#define IPv4_ADDR_SIZE  32
-
-/* Macro to typecast the parameter to struct sockaddr_in
- */
-#define SA(addr) ((struct sockaddr_in*)(addr))
-
-/* Macro will mask the ip address with netmask.
- */
-#define MASKED_IP(ipv4addr, netmask)                    \
-                (ntohl(SA(ipv4addr)->sin_addr.s_addr) & (netmask))
-
-/* Macro will compare two IP address after applying the mask
- */
-#define COMPARE_IPv4_ADDRS(ip1, ip2, netmask)           \
-                ((MASKED_IP(ip1, netmask)) == (MASKED_IP(ip2, netmask)))
-
 /* This macro will assist in freeing up entire link list
  * of host_auth_spec structure.
  */
@@ -1017,6 +1001,23 @@ err:
 }
 
 
+static gf_boolean_t
+mnt3_match_subnet_v4 (struct addrinfo *ai, uint32_t saddr, uint32_t mask)
+{
+        for (; ai; ai = ai->ai_next) {
+                struct sockaddr_in *sin = (struct sockaddr_in *)ai->ai_addr;
+
+                if (sin->sin_family != AF_INET)
+                        continue;
+
+                if (mask_match (saddr, sin->sin_addr.s_addr, mask))
+                        return _gf_true;
+        }
+
+        return _gf_false;
+}
+
+
 /**
  * This function will verify if the client is allowed to mount
  * the directory or not. Client's IP address will be compared with
@@ -1026,20 +1027,25 @@ err:
  * @param export - mnt3_export structure. Contains allowed IP list/range.
  *
  * @return 0 - on Success and -EACCES on failure.
+ *
+ * TODO: Support IPv6 subnetwork
  */
 int
 mnt3_verify_auth (rpcsvc_request_t *req, struct mnt3_export *export)
 {
         int                     retvalue = -EACCES;
         int                     ret = 0;
-        int                     shiftbits = 0;
-        uint32_t                ipv4netmask = 0;
-        uint32_t                routingprefix = 0;
         struct host_auth_spec   *host = NULL;
         struct sockaddr_in      *client_addr = NULL;
         struct sockaddr_in      *allowed_addr = NULL;
         struct addrinfo         *allowed_addrinfo = NULL;
 
+        struct addrinfo         hint = {
+                .ai_family      = AF_INET,
+                .ai_protocol    = (int)IPPROTO_TCP,
+                .ai_flags       = AI_CANONNAME,
+        };
+
         /* Sanity check */
         if ((NULL == req) ||
             (NULL == req->trans) ||
@@ -1051,10 +1057,19 @@ mnt3_verify_auth (rpcsvc_request_t *req, struct mnt3_export *export)
 
         host = export->hostspec;
 
-
         /* Client's IP address. */
         client_addr = (struct sockaddr_in *)(&(req->trans->peerinfo.sockaddr));
 
+        /*
+         * Currently IPv4 subnetwork is supported i.e. AF_INET.
+         * TODO: IPv6 subnetwork i.e. AF_INET6.
+         */
+        if (client_addr->sin_family != AF_INET) {
+                gf_log (GF_MNT, GF_LOG_ERROR,
+                        "Only IPv4 is supported for subdir-auth");
+                return retvalue;
+        }
+
         /* Try to see if the client IP matches the allowed IP list.*/
         while (NULL != host){
                 GF_ASSERT (host->host_addr);
@@ -1065,77 +1080,38 @@ mnt3_verify_auth (rpcsvc_request_t *req, struct mnt3_export *export)
                 }
 
                 /* Get the addrinfo for the allowed host (host_addr). */
-                ret = getaddrinfo (host->host_addr,
-                                NULL,
-                                NULL,
-                                &allowed_addrinfo);
+                ret = getaddrinfo (host->host_addr, NULL,
+                                   &hint, &allowed_addrinfo);
                 if (0 != ret){
-                        gf_log (GF_MNT, GF_LOG_ERROR, "getaddrinfo: %s\n",
-                                gai_strerror (ret));
-                        host = host->next;
-
-                        /* Failed to get IP addrinfo. Continue to check other
-                         * allowed IPs in the list.
+                        /*
+                         * getaddrinfo() FAILED for the host IP addr. Continue
+                         * to search other allowed hosts in the  hostspec list.
                          */
+                        gf_log (GF_MNT, GF_LOG_DEBUG,
+                                "getaddrinfo: %s\n", gai_strerror (ret));
+                        host = host->next;
                         continue;
                 }
 
                 allowed_addr = (struct sockaddr_in *)(allowed_addrinfo->ai_addr);
-
                 if (NULL == allowed_addr) {
                         gf_log (GF_MNT, GF_LOG_ERROR, "Invalid structure");
                         break;
                 }
 
-                if (AF_INET == allowed_addr->sin_family){
-                        if (IPv4_ADDR_SIZE < host->routeprefix) {
-                                gf_log (GF_MNT, GF_LOG_ERROR, "invalid IP "
-                                        "configured for export-dir AUTH");
-                                host = host->next;
-                                continue;
-                        }
-
-                        /* -1 means no route prefix is provided. In this case
-                         * the IP should be an exact match. Which is same as
-                         * providing a route prefix of IPv4_ADDR_SIZE.
-                         */
-                        if (-1 == host->routeprefix) {
-                                routingprefix = IPv4_ADDR_SIZE;
-                        } else {
-                                routingprefix = host->routeprefix;
-                        }
-
-                        /* Create a mask from the routing prefix. User provided
-                         * CIDR address is split into IP address (host_addr) and
-                         * routing prefix (routeprefix). This CIDR address may
-                         * denote a single, distinct interface address or the
-                         * beginning address of an entire network.
-                         *
-                         * e.g. the IPv4 block 192.168.100.0/24 represents the
-                         * 256 IPv4 addresses from 192.168.100.0 to
-                         * 192.168.100.255.
-                         * Therefore to check if an IP matches 192.168.100.0/24
-                         * we should mask the IP with FFFFFF00 and compare it
-                         * with host address part of CIDR.
-                         */
-                        shiftbits = IPv4_ADDR_SIZE - routingprefix;
-                        ipv4netmask = 0xFFFFFFFFUL << shiftbits;
-
-                        /* Mask both the IPs and then check if they match
-                         * or not. */
-                        if (COMPARE_IPv4_ADDRS (allowed_addr,
-                                                client_addr,
-                                                ipv4netmask)){
-                                retvalue = 0;
-                                break;
-                        }
+                /* Check if the network addr of both IPv4 socket match */
+                if (mnt3_match_subnet_v4 (allowed_addrinfo,
+                                          client_addr->sin_addr.s_addr,
+                                          host->netmask)) {
+                        retvalue = 0;
+                        break;
                 }
 
-                /* Client IP didn't match the allowed IP.
-                 * Check with the next allowed IP.*/
+                /* No match yet, continue the search */
                host = host->next;
         }
 
+        /* FREE the dynamic memory allocated by getaddrinfo() */
         if (NULL != allowed_addrinfo) {
                freeaddrinfo (allowed_addrinfo);
         }
@@ -2020,15 +1996,21 @@ mount3udp_delete_mountlist (char *hostname, dirpath *expname)
  * @param hostip   - IP address, IP range (CIDR format) or hostname
  *
  * @return 0 - on success and -1 on failure
+ *
+ * NB: This does not support IPv6 currently.
  */
 int
 mnt3_export_fill_hostspec (struct host_auth_spec* hostspec, const char* hostip)
 {
-        char *ipdupstr = NULL;
-        char *savptr = NULL;
-        char *ip = NULL;
-        char *token = NULL;
-        int  ret = -1;
+        char     *ipdupstr = NULL;
+        char     *savptr = NULL;
+        char     *endptr = NULL;
+        char     *ip = NULL;
+        char     *token = NULL;
+        int      ret = -1;
+        long     prefixlen = IPv4_ADDR_SIZE; /* default */
+        uint32_t shiftbits = 0;
+        size_t   length = 0;
 
         /* Create copy of the string so that the source won't change
          */
@@ -2039,25 +2021,58 @@ mnt3_export_fill_hostspec (struct host_auth_spec* hostspec, const char* hostip)
         }
 
         ip = strtok_r (ipdupstr, "/", &savptr);
+        /* Validate the Hostname or IPv4 address
+         * TODO: IPv6 support for subdir auth.
+         */
+        length = strlen (ip);
+        if ((!valid_ipv4_address (ip, (int)length, _gf_false)) &&
+            (!valid_host_name (ip, (int)length))) {
+                gf_log (GF_MNT, GF_LOG_ERROR,
+                        "Invalid hostname or IPv4 address: %s", ip);
+                goto err;
+        }
+
         hostspec->host_addr = gf_strdup (ip);
         if (NULL == hostspec->host_addr) {
                 gf_log (GF_MNT, GF_LOG_ERROR, "Memory allocation failed");
                 goto err;
         }
 
-        /* Check if the IP is in <IP address> / <Range> format.
-         * If yes, then strip the range and store it separately.
+        /**
+         * User provided CIDR address (xx.xx.xx.xx/n format) is split
+         * into HOST (IP addr or hostname) and network prefix(n) from
+         * which netmask would be calculated. This CIDR address may
+         * denote a single, distinct interface address or the beginning
+         * address of an entire network.
+         *
+         * e.g. the IPv4 block 192.168.100.0/24 represents the 256
+         * IPv4 addresses from 192.168.100.0 to 192.168.100.255.
+         * Therefore to check if an IP matches 192.168.100.0/24
+         * we should mask the IP with FFFFFF00 and compare it with
+         * host address part of CIDR.
+         *
+         * Refer: mask_match() in common-utils.c.
          */
         token = strtok_r (NULL, "/", &savptr);
-
-        if (NULL == token) {
-              hostspec->routeprefix = -1;
-        } else {
-              hostspec->routeprefix = atoi (token);
+        if (token != NULL) {
+              prefixlen = strtol (token, &endptr, 10);
+              if ((errno != 0) || (*endptr != '\0') ||
+                  (prefixlen < 0) || (prefixlen > IPv4_ADDR_SIZE)) {
+                      gf_log (THIS->name, GF_LOG_WARNING,
+                              "Invalid IPv4 subnetwork mask");
+                      goto err;
+              }
         }
 
-        // success
-        ret = 0;
+        /*
+         * 1. Calculate the network mask address.
+         * 2. Convert it into Big-Endian format.
+         * 3. Store it in hostspec netmask.
+         */
+        shiftbits = IPv4_ADDR_SIZE - prefixlen;
+        hostspec->netmask = htonl ((uint32_t)~0 << shiftbits);
+
+        ret = 0; /* SUCCESS */
 err:
         if (NULL != ipdupstr) {
                 GF_FREE (ipdupstr);
diff --git a/xlators/nfs/server/src/mount3.h b/xlators/nfs/server/src/mount3.h
index 7fc16ed5790..8474244f191 100644
--- a/xlators/nfs/server/src/mount3.h
+++ b/xlators/nfs/server/src/mount3.h
@@ -68,7 +68,7 @@ struct mountentry {
 /* Structure to hold export-dir AUTH parameter */
 struct host_auth_spec {
         char                    *host_addr;    /* Allowed IP or host name */
-        int                     routeprefix;   /* Routing prefix */
+        uint32_t                netmask;       /* Network mask (Big-Endian) */
         struct host_auth_spec   *next;         /* Pointer to next AUTH struct */
 };
author	Niels de Vos <ndevos@redhat.com>	2014-06-29 16:30:30 +0200
committer	Niels de Vos <ndevos@redhat.com>	2014-07-02 00:53:18 -0700
commit	cacc1311626aa8b2dfe9f937cf1b14bb534a8937 (patch)
tree	63369e3f37d058444f2ce93640684af0f407ecae /xlators/nfs
parent	cf5a5ab1a81bb61bb66982757ccd301d015ac16e (diff)