|
|||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: INNER | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Object | +--edu.uiuc.cs.net.DPRPManager.ServerPortMgr
The Server Port Manager - handles the management of leases and restrictions in the Server. This class has a lot of code because of it's dual nature -- it must track leases, as well as the server's security (client restrictions). When the server starts, it will instantiate a 'ServerPortManager', and then query it as requests are processed.
ABOUT THE LINUX PORT ALLOCATION CODE:
If an appropriate Linux-based machine with netfilter support is detected,
the server will enable "linux mode" in the server port manager. In
this mode, the allocFreeExternalPort() method will
place a reservation rule for the client in the "destination NAT"
netfilter chain. This will enable actual packets, sourced externally,
to pass through the gateway (through the port specified) to the internal
client host. This reservation is setup via the iptables
command, which is prepared and exec'd by this code. The commands
executed conform to the following template:
/usr/sbin/iptables -v -t nat -A PREROUTING -i eth0 -j DNAT \ -p <protocol> --destination <external IP> \ --dport <allocPort> --to <clientIP>:<allocPort>The following table details each parameter, and it's intended function:
Parameter: | Description: |
---|---|
-v |
Enables verbosity, which is only useful for debugging. |
-t nat |
Selects the "nat" table. |
-A PREROUTING |
Selects the "PREROUTING" chain of the nat table. This means that the packets will be mangled before being passed to the IP routing code. |
-i eth0 |
Specifies that the inbound interface for packets matching this
rule should be eth0 . NOTE: This should
not be hard-coded, and will be parameterized in a future
release. |
-j DNAT |
Causes the packet match to jump to the "destination nat" builtin target. |
-p <protocol> |
Sets the protocol (tcp or udp) type that packets must be in order to match. |
--destination <external IP> |
Ensures that the packets are bound for the external address of the gateway before they are mangled. |
--dport <allocPort> |
This is the actual port that we have reserved -- if the packet is bound for the external IP address, and matches this port, then it will be NAT'd and routed into our client. |
--to <clientIP>:<allocPort> |
The ultimate destination for these packets -- an IP address and port on the client that made this reservation, and wants to eat these packets for lunch. |
The final caveat to mention about this port allocation code is that I needed to devise some way in order to avoid conflicts between ports reserved by DPRP clients, and ports reserved in the gateway during the normal course of source NAT routing. Since the 'iptables' command doesn't emit an error in the case of such a conflict, I decided to make this an administrative issue. The range of ports allowable for use with SNAT needs to be restricted, and the left-overs given to the DPRP code.
ABOUT THE CLIENT RESTRICTION CODE:
The most code-intensive part of the client restrictions aspect is actually
reading the restrictions in from disk. This involves a lot of text parsing,
and the like, and is quite a pain. Nevertheless, here is the format
for the restriction entries that the server can read in from disk:
host[renewAllowed = true | false] default = true [numRetries = <#>] default = 0 (unlimited) [portRange = <#> - <#>] default = 0 - 65536 [minDuration = <#>] default = 500 [maxDuration = <#>] default = 2147483647 [deny = true | false] default = false At least one option must be specified for each host block. Comments can be inserted anywhere, so long as they begin wtih a '#' character.
Field Summary | |
private java.util.HashMap |
clientRestrictions
Map that stores all of the client restrictions. |
private int |
curPort
The current port to be allocated in the external range. |
private static int |
DEFAULT_MAX_PORT
The default maximum external port in the range. |
private static int |
DEFAULT_MIN_PORT
The default minimum external port in the range. |
private java.net.InetAddress |
externalIP
The external IP address upon which we are allocating ports (lame). |
private boolean |
hostIsLinux
Set to true if server is running on a compliant Linux/netfilter box. |
private java.lang.String |
leaseFileName
The name of the on-disk lease database. |
private int |
maxExtPort
The maximum external port of those which we are allowed to allocate. |
private int |
minExtPort
The minimum allocatable external port, as configured. |
private java.util.HashMap |
portResv
Map that stores all of the ports that have been reserved. |
private boolean[] |
resvdPorts
A bit field, marking the ports in range that are reserved or not. |
Constructor Summary | |
ServerPortMgr()
Creates a new ServerPortManager instance. |
Method Summary | |
void |
addReservation(DPRPLease lea,
boolean wf)
Adds a lease to the Map, and optionally synchronizes the Map with disk. |
int |
allocExternalPort(java.net.InetAddress clientIP,
int allocPort,
byte prot)
Reserves a specific external port in netfilter. |
int |
allocFreeExternalPort(java.net.InetAddress clientIP,
byte prot)
|
int |
allocLinuxPort(java.net.InetAddress clientIP,
int allocPort,
byte prot)
Builds the iptables command that creates a DNAT hole
on the gateway. |
boolean |
checkDenied(java.net.InetAddress cli)
Check to see if a client is denied access to the DPRP service. |
boolean |
checkDuration(DPRPLease lea)
Checks to see that the specified duration is in-range, with respect to client restrictions. |
boolean |
checkPort(DPRPLease lea)
Checks to see if the external port in a given lease is okay. |
boolean |
checkRetries(DPRPLease lea)
Examines the number of times a lease has been renewed. |
void |
delReservation(DPRPLease lea,
boolean wf)
Deletes a reservation (nee Lease) from the Map. |
private void |
execCmd(java.lang.String[] cmdAry)
Actually makes the Runtime.exec() call, for the pre-setup
command-array. |
int |
getMaxAllowedDuration(DPRPLease lea)
Returns the maximum allowed duration for a given client. |
int |
getMaxExtPort()
Returns the maximum external port in range. |
int |
getMinExtPort()
Returns the minimum external port in range. |
DPRPLease |
getReservation(DPRPMessage inMessage)
Retrieves a lease from the Map that corresponds to the given message. |
boolean |
isLinux()
Returns true if Linux flag has been set, false otherwise. |
void |
markAsLinux()
Sets the Linux flag. |
private DPRPRestriction |
parseAllHostOptions(java.net.InetAddress cliIP,
java.lang.String curLine,
java.io.LineNumberReader lnr)
Parses out all of the options inside of a given host block. |
private boolean |
parseBoolean(java.util.StringTokenizer tok,
int lineNum)
Parses out a boolean value from the host security configuration file. |
int |
parseConfigFile(java.lang.String filename)
Parses a "Host Security Configuration File" in order to build a map of 'DPRPRestriction' objects. |
private int |
parseInteger(java.util.StringTokenizer tok,
java.lang.String sep,
int lineNum)
Parses out an integer value from the host security configuration file. |
void |
printConfigFormat()
Prints the format of the configuration file to stderr. |
int |
readLeaseFile(java.lang.String fname)
Sucks in the on-disk lease database, and reconstructs the lease map in memory. |
boolean |
renewOK(java.net.InetAddress cli)
Checks to see if a specific client is allowed to negotiate for a lease renewal. |
void |
setExternalIP(java.net.InetAddress ia)
Sets the external IP address. |
boolean |
setExtPortRange(int sm,
int lm)
|
boolean |
unallocExternalPort(java.net.InetAddress clientIP,
int allocPort,
byte prot)
Removes a port allocation from the system. |
private boolean |
unallocLinuxPort(java.net.InetAddress clientIP,
int allocPort,
byte prot)
Prepares the iptables command for unallocating a reservation. |
void |
updateReservation(DPRPLease lea)
Updates the object stored at the primary key with a new lease object. |
private int |
writeLeaseFile()
Writes all of the leases in the Map out to disk, and also purges dead leases along the way. |
Methods inherited from class java.lang.Object |
|
Field Detail |
private java.util.HashMap portResv
HashMap
is
not thread-safe, and thus all accesses to it must be protected
by a semaphore.private java.util.HashMap clientRestrictions
HashMap
is not thread-safe,
and thus all accesses to it must be protected by a semaphore.private java.lang.String leaseFileName
private static final int DEFAULT_MIN_PORT
private static final int DEFAULT_MAX_PORT
private int minExtPort
private int maxExtPort
private boolean hostIsLinux
private int curPort
private boolean[] resvdPorts
private java.net.InetAddress externalIP
Constructor Detail |
public ServerPortMgr()
Method Detail |
public boolean checkPort(DPRPLease lea)
lea
- A DPRPLease, whose external port is
to be checked.public boolean checkDuration(DPRPLease lea)
lea
- A lease, specifying a client IP address and a duration.public boolean renewOK(java.net.InetAddress cli)
cli
- A client IP address to be looked up.public boolean checkRetries(DPRPLease lea)
lea
- A lease, containing a client IP address and the
number of times the lease has been renewed.public boolean checkDenied(java.net.InetAddress cli)
cli
- A client IP address to be looked up in the
restriction database.public int getMaxAllowedDuration(DPRPLease lea)
lea
- A lease, containing a client IP address.public boolean setExtPortRange(int sm, int lm)
public int getMinExtPort()
public int getMaxExtPort()
public void setExternalIP(java.net.InetAddress ia)
public void markAsLinux()
public boolean isLinux()
public int allocFreeExternalPort(java.net.InetAddress clientIP, byte prot) throws DPRPAllocatePortException
public int allocExternalPort(java.net.InetAddress clientIP, int allocPort, byte prot) throws DPRPAllocatePortException
clientIP
- The clients IP address for this reservation.allocPort
- The external port to be reserved for the client.prot
- The IP protocol for this reservation.DPRPAllocatePortException
- If an error occurs down in
allocLinuxPort, or if clientIP
is null.public int allocLinuxPort(java.net.InetAddress clientIP, int allocPort, byte prot) throws DPRPAllocatePortException
iptables
command that creates a DNAT hole
on the gateway. I really wish that this method was marked as
private. Also, I need to configure the internal and external
interface names into the SPM.clientIP
- The clients IP address for this reservation.allocPort
- The external port to be reserved for the client.prot
- The IP protocol for this reservation.DPRPAllocatePortException
- If an error occurs down in
execCmd.public boolean unallocExternalPort(java.net.InetAddress clientIP, int allocPort, byte prot)
resvdPorts
array
as false, and then exec'ing the proper iptables
command, via the unallocLinuxPort method.clientIP
- The clients IP address for this reservation.allocPort
- The external port reserved for the client.prot
- The IP protocol for this reservation.exec()
goes okay, false otherwise.(InetAddress clientIP, int allocPort, byte prot)
private boolean unallocLinuxPort(java.net.InetAddress clientIP, int allocPort, byte prot)
clientIP
- The clients IP address for this reservation.allocPort
- The external port reserved for the client.prot
- The IP protocol for this reservation.exec()
goes okay, false otherwise.private void execCmd(java.lang.String[] cmdAry) throws DPRPAllocatePortException
Runtime.exec()
call, for the pre-setup
command-array. The command array format is such that the command
itself (with full path name, just to be safe) is in slot 0. Each
parameter (that would normally be space-separated if invoking from
a shell) are in the ajoining array slots. If no exception is
thrown, then it is presumed that the command completed successfully.cmdAry
- A properly-formatted command array, for the command to
be executed.DPRPAllocatePortException
- If something goes arwy.public void addReservation(DPRPLease lea, boolean wf)
lea
- The lease object to be added.wf
- If true, writes the leases out to disk.public void delReservation(DPRPLease lea, boolean wf)
lea
- The lease object to be deleted.wf
- Controls wether-or-not the leases should be flushed to disk.
As an optimization in some cases, the writing of the leases to disk
can be handled by the callee.public void updateReservation(DPRPLease lea)
lea
- The new lease object that replaces a prior object.public DPRPLease getReservation(DPRPMessage inMessage)
inMessage
- A valid DPRPMessage, which will be used to
locate a lease.private int writeLeaseFile()
public int readLeaseFile(java.lang.String fname) throws java.io.IOException
fname
- The name of the file to open.java.io.IOException
- If an error occurs dealing with the file
(usually, indicates that the given file doesn't exist).public int parseConfigFile(java.lang.String filename) throws DPRPConfigException, java.io.IOException
filename
- The name of the file to be parsed.DPRPConfigException
- If some sort of parsing error is
encountered within the configuration file.java.io.IOException
- If an IO error occurs.private DPRPRestriction parseAllHostOptions(java.net.InetAddress cliIP, java.lang.String curLine, java.io.LineNumberReader lnr) throws DPRPConfigException, java.io.IOException
cliIP
- The client IP address that we're currently parsing
options for.curLine
- The current line in the configuration file.lnr
- The buffer that we get new lines from.DPRPConfigException
- If one of the options was invalid.java.io.IOException
- If there was a problem reading from the file.private int parseInteger(java.util.StringTokenizer tok, java.lang.String sep, int lineNum) throws DPRPConfigException
tok
- A string tokenizer, from which we can extract tokens.sep
- A string representing the separator, what we should
look for first. This gives this method a degree of flexability.lineNum
- The current line number that we're on, used to
make pretty error messages.DPRPConfigException
- If we don't find valid input.private boolean parseBoolean(java.util.StringTokenizer tok, int lineNum) throws DPRPConfigException
tok
- A string tokenizer, from which we can extract tokens.lineNum
- The current line number that we're on, used to
make pretty error messages.DPRPConfigException
- If we don't find valid input.public void printConfigFormat()
|
|||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: INNER | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |