From f9457a2cab4ddc54b724c554bfdcdf12e8186dd2 Mon Sep 17 00:00:00 2001
From: sunguosong <sunguosong@cmhi.chinamobile.com>
Date: Sat, 12 Oct 2019 09:22:04 +0800
Subject: [PATCH] =?UTF-8?q?Mod=20=20aaa-12=20=E4=BF=AE=E6=94=B9nat?=
 =?UTF-8?q?=E6=A8=A1=E5=9D=97=E9=85=8D=E7=BD=AE=E4=BF=9D=E5=AD=98=E6=81=A2?=
 =?UTF-8?q?=E5=A4=8D=E5=8F=8A=E6=AD=A3=E5=88=99=E6=A3=80=E6=9F=A5=20RCA?=
 =?UTF-8?q?=EF=BC=9A=20SOL=EF=BC=9A=20=E4=BF=AE=E6=94=B9=E4=BA=BA=EF=BC=9A?=
 =?UTF-8?q?sunguosong=20=E6=A3=80=E8=A7=86=E4=BA=BA=EF=BC=9A?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: sunguosong <sunguosong@cmhi.chinamobile.com>
---
 .../configm/config-server/include/configm.h   |   2 +-
 .../configm/config-server/nat_config/config.c | 103 ++++++++++++++++--
 .../configm/config-server/nat_config/config.h |   6 +-
 .../config-server/nat_config/natconfig.c      |  21 +++-
 4 files changed, 119 insertions(+), 13 deletions(-)

diff --git a/Platform/user/configm/config-server/include/configm.h b/Platform/user/configm/config-server/include/configm.h
index fb9538fa5..b98f06250 100755
--- a/Platform/user/configm/config-server/include/configm.h
+++ b/Platform/user/configm/config-server/include/configm.h
@@ -210,7 +210,7 @@
     {\
         NAT4_CONFIG,            \
         CONFIG_FROM_WEB,            \
-        FALSE,                      \
+        TRUE,                      \
         nat_config_chk,        \
         nat_config_proc,       \
         nat_config_get,           \
diff --git a/Platform/user/configm/config-server/nat_config/config.c b/Platform/user/configm/config-server/nat_config/config.c
index 7eb3d6cc8..68301d09e 100644
--- a/Platform/user/configm/config-server/nat_config/config.c
+++ b/Platform/user/configm/config-server/nat_config/config.c
@@ -157,6 +157,15 @@ static const char *__json = "{ \"config_type\":3, \"content\":[ \
     } \
 } while (0)
 
+// 宏: 字段正则检查
+#define _REG_CHK(reg, E) do { \
+    int status = __regex_match(reg, conf->E); \
+    if(status != 0) { \
+        __error_report(msg, current_id, "\"%s: %s\" is not vaild!", #E, conf->E); \
+        return FAIL; \
+    } \
+} while (0)
+
 // 宏: int拼接到字符串，并防止拼接越界
 #define strcat_int_free_count(des, src) do { \
     char s[21]; \
@@ -224,6 +233,23 @@ static int free_space = MAX_ERR_MSG;
 // 当前执行的命令id
 static int current_id = -1;
 
+static char *_ip_regex = "^(((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})\
+(\\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3}(/([0-9]|\\.){1,15}){0,1}){0,1}$";
+
+static char *_id_regex = "^([0-9]{0,5})$";
+static char *_port_regex = "^([0-9]{0,5})$";
+static char *_prot_regex = "^([0-9a-zA-Z]|-){0,15}$";
+static char *_device_regex = "^([0-9a-zA-Z]|-){0,15}$";
+
+static char *_addr_regex = "^((((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})\
+(\\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3})(-\
+(((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})\
+(\\.((2(5[0-5]|[0-4][0-9]))|[0-1]?[0-9]{1,2})){3})){0,1}\
+(:[0-9]{0,5}(-[0-9]{0,5}){0,1}){0,1}){0,1}$";
+
+static char *_match_regex = "^(mark){0,1}$";
+static char *_match_info_regex = "^[0-9]{0,4}$";
+
 typedef void *(*jsonfunc)(cJSON *json_arr, int *output_len, ret_code *ret, char **msg);
 
 // iptables 命令参数拼接前缀
@@ -316,6 +342,8 @@ ret_code __nf_conntrack_parse(const char *conn, nf_conntrack *conf);
 char *__error_report(char** msg, int id, char *fmt, ...) 
                     __attribute__((format(printf, 3, 4)));
 
+int __regex_match(char* pattern, char* buf);
+
 // 字符串指针（char**）释放函数
 void __free_dptr_char(char ***ptr, int len);
 
@@ -352,12 +380,27 @@ char* __error_report (char **msg, int id, char *fmt, ...) {
     }
     
     strcat_str_free_count(*msg, _msg_head);
-    printf("%s\n", *msg);
+    //printf("%s\n", *msg);
     
 err:
     return NULL;
 }
 
+int __regex_match(char* pattern, char* buf) {
+  int status,i;
+  regmatch_t pmatch[1];
+  const size_t nmatch=1;
+  regex_t  reg;
+
+  //编译正则模式
+  regcomp(&reg, pattern, REG_EXTENDED|REG_NEWLINE);
+  //执行正则表达式和缓存的比较
+  status=regexec(&reg,  buf, nmatch, pmatch, 0);
+
+  regfree(&reg);
+  return status;
+}
+
 
 /*
  * 将int整数转化成char*字符串
@@ -602,10 +645,10 @@ char **split(const char * const targetString, const char * const delimiter,
      
     *length = 0;
     char ** resultString = NULL;
-    char inputString[strlen(targetString)];
+    char inputString[strlen(targetString) + 1];
     strcpy(inputString,targetString);
 
-    char inputDelimiter[strlen(delimiter)];
+    char inputDelimiter[strlen(delimiter) + 1];
     strcpy(inputDelimiter,delimiter);
      
     char * splitedString = strtok(inputString, inputDelimiter);
@@ -699,7 +742,11 @@ ret_code __ipt_conf_parse(const iptables_rule rule, const struct ipt_config *con
     *match = SUCCESS;
     while(option = __extract_parm(&_optind, _argc, _argv)) {
         if (_optind >= _argc) break;
-        switch(option) {            
+        switch(option) {    
+            case '!':
+                // to do
+                break;
+
             case 'A':
                 CMP_IPT_OPTION(chain);
                 FILL_IPT_OPTION(chain, MAX_CHAIN);
@@ -1073,11 +1120,27 @@ boolean __iptconfig_chk(struct ipt_config *conf, char **msg) {
 
     switch (option = __parse_action(conf)) {
         case DELETE:
-            
+            if (!isempty_str(conf->id)) {
+                _REG_CHK(_id_regex, id);
+            }
+            else {              
+                goto setmode;
+            }
             break;
 
-        case SET: 
-            
+        case SET:
+            _REG_CHK(_id_regex, id); 
+        setmode:
+            _REG_CHK(_ip_regex, source);
+            _REG_CHK(_ip_regex, destination);
+            _REG_CHK(_port_regex, sport);
+            _REG_CHK(_port_regex, dport);
+            _REG_CHK(_prot_regex, prot);
+            _REG_CHK(_device_regex, i_device);
+            _REG_CHK(_device_regex, o_device);
+            _REG_CHK(_match_regex, match);
+            _REG_CHK(_match_info_regex, match_info);
+            _REG_CHK(_addr_regex, to);
             break;
 
         case SAVE:
@@ -1107,7 +1170,7 @@ ret_code set_iptables_config(const char *json, char **msg) {
     struct ipt_config *conf = NULL, *conf_start = NULL;
 
     free_space = MAX_ERR_MSG;
-    __chk_malloc((*msg), char*, sizeof(char) * free_space, ret, msg);
+    __chk_malloc((*msg), char*, sizeof(char) * free_space, ret, NULL);
     memset(*msg, 0, sizeof(char) * free_space);
 
     conf = (struct ipt_config*)__jsontxt_to_struct(json, &len, 
@@ -1140,6 +1203,8 @@ ret_code set_iptables_config(const char *json, char **msg) {
         }
     }
 
+    ret = run_command("sudo iptables-save -t nat > ./iptables-conf.txt 2>&1", msg);
+
 MEMerr:    
 err:
     xfree(rule);
@@ -1201,7 +1266,7 @@ ret_code get_iptables_config(const char *json, const char * __restrict__ __filen
     boolean match = FAIL;
     ret_code ret = RET_OK;
 
-    __chk_malloc((*msg), char*, sizeof(char) * free_space, ret, msg);
+    __chk_malloc((*msg), char*, sizeof(char) * free_space, ret, NULL);
     memset(*msg, 0, sizeof(char)*free_space);
     
     ret = run_command("sudo iptables-save -t nat > ./iptables-conf.txt 2>&1", msg);
@@ -1220,6 +1285,8 @@ ret_code get_iptables_config(const char *json, const char * __restrict__ __filen
     rules = __read_iptables_conf(__filename, &len, 0, -1, &ret, msg);
     rules_start = rules;
     if (!__iptconfig_chk(&(rwconf->conf), msg)) goto err;
+
+    rwconf->begin -= 1;
     if (rwconf->begin < 0) rwconf->begin = 0;
     if (rwconf->offset < 0) rwconf->offset = len;
 
@@ -1275,6 +1342,24 @@ MEMerr:
     return ret;
 }
 
+ret_code nat_config_recovery(char **msg) {
+    FILE *fp = NULL;
+    free_space = MAX_ERR_MSG;
+    ret_code ret = RET_OK;
+
+    __chk_malloc((*msg), char*, sizeof(char) * free_space, ret, NULL);
+    memset(*msg, 0, sizeof(char) * free_space);
+    
+    fp = fopen("./iptables-conf.txt", "r");
+    if (fp != NULL) {
+	fclose(fp);
+        ret = run_command("sudo iptables-restore ./iptables-conf.txt 2>&1", msg);
+    }
+
+MEMerr:
+    return ret;
+}
+
 /*
  * 原始调试程序,待修改,暂不可使用
  */
diff --git a/Platform/user/configm/config-server/nat_config/config.h b/Platform/user/configm/config-server/nat_config/config.h
index 854795569..2ad0726da 100644
--- a/Platform/user/configm/config-server/nat_config/config.h
+++ b/Platform/user/configm/config-server/nat_config/config.h
@@ -13,6 +13,8 @@
 #include <string.h>
 #include <stdlib.h>
 #include <stdarg.h>
+#include <regex.h>
+//#include <io.h>
 
 #include <cjson/cJSON.h>
 
@@ -40,7 +42,7 @@ typedef enum ret_code {
 #define MAX_PROT 15
 #define MAX_ADDR 45
 #define MAX_IP 33
-#define MAX_PORT 5
+#define MAX_PORT 6
 #define MAX_DEVICE 15
 #define MAX_MATCH 6
 #define MAX_MATCH_INFO 10 
@@ -111,4 +113,6 @@ ret_code set_iptables_config(const char *json, char **msg);
 // linux系统命令执行函数, 返回shell信息
 ret_code run_command(char *const cmd, char **msg);
 
+ret_code nat_config_recovery(char **msg);
+
 #endif /* config_h */
diff --git a/Platform/user/configm/config-server/nat_config/natconfig.c b/Platform/user/configm/config-server/nat_config/natconfig.c
index 362a440f5..74f7534ac 100644
--- a/Platform/user/configm/config-server/nat_config/natconfig.c
+++ b/Platform/user/configm/config-server/nat_config/natconfig.c
@@ -32,8 +32,17 @@ ret_code nat_config_chk(uint source,uint *config_type,
 
 {
 	int config_len = sizeof(ip_config_t);
+    int code = 0;
     ret_code ret = RET_OK;
 
+    if(source == CONFIG_FROM_RECOVER1) {
+        return RET_OK;
+	}
+
+	if(source == CONFIG_FROM_RECOVER2){
+        return RET_CHKERR;
+    }
+
     get_config_type(input, config_type);
     switch (*config_type)
     {
@@ -68,10 +77,17 @@ ret_code nat_config_proc(uint source, uint config_type,
 {   
     char *errmsg;
     char *jsontxt = (char*)input;
+    int code = 0;
     ret_code ret = RET_OK;
 
+    if(source == CONFIG_FROM_RECOVER1 || source == CONFIG_FROM_RECOVER2) {
+        ret = nat_config_recovery(&errmsg);
+        goto pass;
+	}
+
     ret = set_iptables_config(jsontxt, &errmsg);
-    //rpc_log_info("NAT message: %s \n", errmsg);
+pass:
+    rpc_log_info("NAT message: %s \n", errmsg);
     free(errmsg);
 
     RET_ERR_FORMART(ret, output, *output_len);
@@ -87,10 +103,11 @@ ret_code nat_config_get(uint source,
 {
     char *errmsg;
     char *jsontxt = (char*)input;
+    int code = 0;
     ret_code ret = RET_OK;
 
     ret = get_iptables_config(jsontxt, iptables_save_dir, output, output_len, &errmsg);
-    //rpc_log_info("NAT message:\n %s \n", errmsg);
+    rpc_log_info("NAT message:\n %s \n", errmsg);
     free(errmsg);
 
     RET_ERR_FORMART(ret, output, *output_len);