1 /*
2  *  Copyright (c) 2016, The OpenThread Authors.
3  *  All rights reserved.
4  *
5  *  Redistribution and use in source and binary forms, with or without
6  *  modification, are permitted provided that the following conditions are met:
7  *  1. Redistributions of source code must retain the above copyright
8  *     notice, this list of conditions and the following disclaimer.
9  *  2. Redistributions in binary form must reproduce the above copyright
10  *     notice, this list of conditions and the following disclaimer in the
11  *     documentation and/or other materials provided with the distribution.
12  *  3. Neither the name of the copyright holder nor the
13  *     names of its contributors may be used to endorse or promote products
14  *     derived from this software without specific prior written permission.
15  *
16  *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
17  *  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18  *  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19  *  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
20  *  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21  *  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22  *  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23  *  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24  *  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25  *  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26  *  POSSIBILITY OF SUCH DAMAGE.
27  */
28 
29 /**
30  * @file
31  *   This file implements IPv6 datagram filtering.
32  */
33 
34 #include "ip6_filter.hpp"
35 
36 #include <stdio.h>
37 
38 #include "common/code_utils.hpp"
39 #include "common/instance.hpp"
40 #include "common/locator_getters.hpp"
41 #include "common/log.hpp"
42 #include "meshcop/meshcop.hpp"
43 #include "net/ip6.hpp"
44 #include "net/tcp6.hpp"
45 #include "net/udp6.hpp"
46 #include "thread/mle.hpp"
47 
48 namespace ot {
49 namespace Ip6 {
50 
// Log module name under which this file's LogInfo() output is tagged.
RegisterLogModule("Ip6Filter");
52 
/**
 * Decides whether a received IPv6 datagram may pass the filter.
 *
 * Datagrams received with link security enabled are always accepted. Unsecured
 * datagrams are accepted only when addressed to a link-local unicast or
 * link-local multicast destination and, once the Thread role is not disabled,
 * only when they are UDP or TCP addressed to the MLE port, to the Border Agent
 * port while native commissioning is permitted by the security policy, or to a
 * port on the unsecure port list.
 *
 * @param[in] aMessage  The received IPv6 datagram.
 *
 * @retval true   The datagram is accepted.
 * @retval false  The datagram is rejected (also when its headers cannot be parsed).
 */
bool Filter::Accept(Message &aMessage) const
{
    Headers headers;

    // Link-secured datagrams bypass every further check.
    if (aMessage.IsLinkSecurityEnabled())
    {
        return true;
    }

    // A datagram whose headers cannot be parsed is never accepted.
    if (headers.ParseFrom(aMessage) != kErrorNone)
    {
        return false;
    }

    const auto &dst = headers.GetDestinationAddress();

    // Unsecured traffic must be link-local (unicast or multicast).
    if (!dst.IsLinkLocal() && !dst.IsLinkLocalMulticast())
    {
        return false;
    }

    // While Thread is disabled, every link-local datagram is accepted.
    if (Get<Mle::MleRouter>().GetRole() == Mle::kRoleDisabled)
    {
        return true;
    }

    const uint16_t dstPort = headers.GetDestinationPort();

    switch (headers.GetIpProto())
    {
    case kProtoUdp:
        // MLE traffic is always let through.
        if (dstPort == Mle::kUdpPort)
        {
            return true;
        }

#if OPENTHREAD_CONFIG_BORDER_AGENT_ENABLE
        // Native commissioner traffic is admitted only while the security
        // policy permits native commissioning.
        if (Get<KeyManager>().GetSecurityPolicy().mNativeCommissioningEnabled &&
            dstPort == Get<MeshCoP::BorderAgent>().GetUdpPort())
        {
            return true;
        }
#endif
        break;

    case kProtoTcp:
        break;

    default:
        // Anything other than UDP or TCP is rejected.
        return false;
    }

    // Remaining UDP/TCP traffic is admitted only to explicitly unsecured ports.
    return mUnsecurePorts.Contains(dstPort);
}
112 
/**
 * Adds a port to, or removes a port from, the unsecure port list.
 *
 * Adding a port that is already listed is a no-op that reports success and
 * logs nothing; a successful add or remove is logged at info level.
 *
 * @param[in] aAction  @p kAdd to add the port; any other action removes it.
 * @param[in] aPort    The UDP/TCP port number (must be non-zero).
 *
 * @retval kErrorNone         The list was updated (or the port was already present on add).
 * @retval kErrorInvalidArgs  @p aPort is zero.
 * @retval kErrorNotFound     The port was not listed when removal was requested.
 * @returns Otherwise, the error returned by the list's PushBack() when the add fails.
 */
Error Filter::UpdateUnsecurePorts(Action aAction, uint16_t aPort)
{
    Error     error    = kErrorNone;
    uint16_t *existing = nullptr;

    // Port 0 is never a legal list entry.
    if (aPort == 0)
    {
        return kErrorInvalidArgs;
    }

    existing = mUnsecurePorts.Find(aPort);

    if (aAction != kAdd)
    {
        // Removing a port that is not listed is reported to the caller.
        if (existing == nullptr)
        {
            return kErrorNotFound;
        }

        mUnsecurePorts.Remove(*existing);
    }
    else
    {
        // Adding an already-listed port changes nothing and is not logged.
        if (existing != nullptr)
        {
            return kErrorNone;
        }

        error = mUnsecurePorts.PushBack(aPort);

        if (error != kErrorNone)
        {
            return error;
        }
    }

    LogInfo("%s unsecure port %d", (aAction == kAdd) ? "Added" : "Removed", aPort);

    return error;
}
138 
139 } // namespace Ip6
140 } // namespace ot
141