[nat] Specify the direction of the message
Do not run into the situation where we need to filter in one
direction but the message should not be filtered.
diff --git a/openbsc/src/nat/bsc_filter.c b/openbsc/src/nat/bsc_filter.c
index 0727b33..ad2f613 100644
--- a/openbsc/src/nat/bsc_filter.c
+++ b/openbsc/src/nat/bsc_filter.c
@@ -39,6 +39,11 @@
#define ALLOW_ANY -1
+#define FILTER_TO_BSC 1
+#define FILTER_TO_MSC 2
+#define FILTER_TO_BOTH 3
+
+
struct bsc_pkt_filter {
int ipa_proto;
int dest_ssn;
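Review bot: `FILTER_TO_BOTH` was already used by the old code in this file (`return FILTER_TO_BOTH;`), so a definition presumably exists outside this diff. The new file-local `#define FILTER_TO_BOTH 3` then either duplicates it or gives the name a different value in this translation unit only. These values are also compared against the `dir` argument that bsc_nat.c supplies as `DIR_BSC`/`DIR_MSC`, so they would be safer in the shared header next to those constants, ideally as one `enum`. At minimum, a comment such as `/* direction a rule applies to; compared against the dir argument of bsc_nat_filter_ipa() */` above the defines would record that coupling. The `struct bsc_pkt_filter` definition continues outside this hunk.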
@@ -60,7 +65,7 @@
static struct bsc_pkt_filter white_list[] = {
/* allow IPAC_PROTO_SCCP messages to both sides */
- { IPAC_PROTO_SCCP, ALLOW_ANY, ALLOW_ANY, ALLOW_ANY, FILTER_NONE },
+ { IPAC_PROTO_SCCP, ALLOW_ANY, ALLOW_ANY, ALLOW_ANY, FILTER_TO_BOTH },
};
struct bsc_nat_parsed* bsc_nat_parse(struct msgb *msg)
@@ -117,12 +122,17 @@
return parsed;
}
-int bsc_nat_filter_ipa(struct msgb *msg, struct bsc_nat_parsed *parsed)
+int bsc_nat_filter_ipa(int dir, struct msgb *msg, struct bsc_nat_parsed *parsed)
{
int i;
/* go through the blacklist now */
for (i = 0; i < ARRAY_SIZE(black_list); ++i) {
+ /* ignore the rule? */
+ if (black_list[i].filter_dir != FILTER_TO_BOTH
+ && black_list[i].filter_dir != dir)
+ continue;
+
/* the proto is not blacklisted */
if (black_list[i].ipa_proto != ALLOW_ANY
&& black_list[i].ipa_proto != parsed->ipa_proto)
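Review bot: The direction test `black_list[i].filter_dir != dir` only works if `dir` is numerically `FILTER_TO_BSC` or `FILTER_TO_MSC`, but the callers in bsc_nat.c pass `DIR_BSC` and `DIR_MSC`, whose values are not visible in this diff. If the two constant sets disagree, every direction-specific blacklist rule is silently skipped, so the filter fails open for blacklisted traffic. Direction-specific whitelist rules are skipped as well, which pushes that traffic to the default drop. Use a single set of constants on both sides, or reject unknown directions at the top of the function with `if (dir != FILTER_TO_BSC && dir != FILTER_TO_MSC) return 1;`. The same check is repeated in the whitelist loop in the next hunk, and the function body continues outside this hunk.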
@@ -146,16 +156,21 @@
/* blacklisted */
LOGP(DNAT, LOGL_NOTICE, "Blacklisted with rule %d\n", i);
- return black_list[i].filter_dir;
+ return 1;
} else {
/* blacklisted, we have no content sniffing yet */
LOGP(DNAT, LOGL_NOTICE, "Blacklisted with rule %d\n", i);
- return black_list[i].filter_dir;
+ return 1;
}
}
/* go through the whitelust now */
for (i = 0; i < ARRAY_SIZE(white_list); ++i) {
+ /* ignore the rule? */
+ if (white_list[i].filter_dir != FILTER_TO_BOTH
+ && white_list[i].filter_dir != dir)
+ continue;
+
/* the proto is not whitelisted */
if (white_list[i].ipa_proto != ALLOW_ANY
&& white_list[i].ipa_proto != parsed->ipa_proto)
@@ -179,12 +194,12 @@
/* whitelisted */
LOGP(DNAT, LOGL_NOTICE, "Whitelisted with rule %d\n", i);
- return FILTER_NONE;
+ return 0;
} else {
/* whitelisted */
- return FILTER_NONE;
+ return 0;
}
}
- return FILTER_TO_BOTH;
+ return 1;
}
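Review bot: The final `return 1;` filters the message without a log line, unlike the blacklist path, so traffic rejected only because no whitelist rule matched its direction leaves no trace. A line such as `LOGP(DNAT, LOGL_NOTICE, "No whitelist rule matched\n");` before it would make those drops visible when debugging or auditing the filter, though the level may need lowering if it proves noisy. The return values also changed from `FILTER_*` constants to bare 0/1, so a comment above the function such as `/* returns 0 to forward the message, non-zero to filter it */` would document what the callers in bsc_nat.c rely on. The function starts outside this hunk.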
diff --git a/openbsc/src/nat/bsc_nat.c b/openbsc/src/nat/bsc_nat.c
index 609a17d..7a44d17 100644
--- a/openbsc/src/nat/bsc_nat.c
+++ b/openbsc/src/nat/bsc_nat.c
@@ -112,7 +112,7 @@
return;
}
- if (bsc_nat_filter_ipa(msg, parsed))
+ if (bsc_nat_filter_ipa(DIR_BSC, msg, parsed))
goto exit;
/* currently send this to every BSC connected */
@@ -189,7 +189,7 @@
return -1;
}
- if (bsc_nat_filter_ipa(msg, parsed))
+ if (bsc_nat_filter_ipa(DIR_MSC, msg, parsed))
goto exit;
/* send the non-filtered but maybe modified msg */