1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
use crate::config::subnet::IpSubnet;
/// One part of a BitTree
#[derive(Debug, Copy, Clone, Default, PartialEq, Eq)]
struct TreeNode {
// Where in the array the child nodes of this
// node are located. A child node is only
// generated if the symbol cannot be used to
// make a final decision at this level
child_offset: u32,
inset: u16,
outset: u16,
}
#[derive(Debug, Clone, PartialEq, Eq)]
/// BitTree is a Trie on 128 bit integers encoding
/// which integers are part of the set.
///
/// It matches the integer a 4-bit segment at a time
/// recording at each level whether for a given symbol
/// all integers with the prefix extended with that
/// symbol are either in or outside of the set.
struct BitTree {
nodes: Vec<TreeNode>,
}
const fn top_nibble(v: u128) -> u8 {
((v >> 124) & 0xF) as u8
}
/// retain only the top `128 - len` bits
const fn apply_mask(val: u128, len: u8) -> u128 {
match u128::MAX.checked_shl((128 - len) as u32) {
Some(mask) => val & mask,
None => 0,
}
}
impl BitTree {
/// Lookup whether a given value is in the set encoded in this BitTree
/// Complexity is O(log(l)), where l is the length of the longest
/// prefix in the set.
fn lookup(&self, mut val: u128) -> bool {
let mut node = &self.nodes[0];
loop {
// extract the current symbol as bit and see if we know the answer immediately.
// (example: symbol 1 maps to 0x2, symbol 5 maps to 0x10)
let cur = 1 << top_nibble(val);
if node.inset & cur != 0 {
return true;
}
if node.outset & cur != 0 {
return false;
}
// no decision, shift to next symbol
val <<= 4;
// To calculate the child index we need to know how many symbols smaller
// than our symbol are not decided here. We do this by generating the bitmap
// of symbols neither in in or out, then masking out all symbols >=cur
// and finaly counting how many are left.
let next_idx =
node.child_offset + (!(node.inset | node.outset) & (cur - 1)).count_ones();
node = &self.nodes[next_idx as usize];
}
}
/// Create a BitTree from the given prefixes. Complexity is O(n*log(l)),
/// where n is the number of prefixes, and l the length of the longest
/// prefix.
fn create(data: &mut [(u128, u8)]) -> Self {
// Ensure values only have 1s in significant positions
for (val, len) in data.iter_mut() {
*val = apply_mask(*val, *len);
}
// Ensure values are sorted by value and then by length
data.sort();
let mut result = BitTree {
nodes: vec![TreeNode::default()],
};
result.fill_node(data, 0);
result
}
/// Create the substructure for a node, recursively.
/// Max recursion depth is maximum value of data[i].1/4
/// for any i
fn fill_node(&mut self, mut data: &mut [(u128, u8)], node_index: usize) {
// distribute the data into 16 4-bit buckets
let mut counts = [0; 16];
for (val, _) in data.iter() {
counts[top_nibble(*val) as usize] += 1;
}
// Actually split into the relevant subsegments, relies on the input being sorted.
let mut subsegments: [&mut [(u128, u8)]; 16] = Default::default();
for (i, start) in counts.iter().enumerate() {
(subsegments[i], data) = data.split_at_mut(*start);
}
// Fill in node
let child_offset = self.nodes.len();
let node = &mut self.nodes[node_index];
node.child_offset = child_offset as u32;
for (i, segment) in subsegments.iter().enumerate() {
match segment.first().copied() {
// Probably empty, unless covered earlier, but we fix that later
None => node.outset |= 1 << i,
// Definetly covered, mark all that is needed
// Note that due to sorting order, len here
// is guaranteed to be largest amongst all
// parts of the segment
Some((_, len)) if len <= 4 => {
// mark ALL parts of node covered by the segment as in the set.
for j in 0..(1 << (4 - len)) {
node.inset |= 1 << (i + j as usize)
}
}
// May be covered by a the union of all its parts, we need to check
// for that. Otherwise it is undecided
Some(_) => {
let offset = (i as u128) << 124;
let mut last = 0;
for part in segment.iter() {
if part.0 - offset <= last {
last = u128::max(last, part.0 - offset + (1_u128 << (128 - part.1)));
}
}
if last >= (1 << 124) {
// All parts together cover the segment, so mark as in
node.inset |= 1 << i;
}
}
}
}
// the outset should not contain anything that is included in the inset
// (this can happen due to overcoverage)
node.outset &= !node.inset;
// bitmap of subsegments for which we have a decision
let known_bitmap = node.inset | node.outset;
// allocate additional empty nodes
let unknown_count = known_bitmap.count_zeros() as usize;
self.nodes
.extend(std::iter::repeat(TreeNode::default()).take(unknown_count));
// Create children for segments undecided at this level.
let mut child_offset = child_offset;
for (i, segment) in subsegments.iter_mut().enumerate() {
if known_bitmap & (1 << i) != 0 {
continue; // no child needed
}
// we've taken care of the top nibble,
// so shift everything over and do a recursive call
for (val, len) in segment.iter_mut() {
*val <<= 4;
*len -= 4;
}
self.fill_node(segment, child_offset);
child_offset += 1;
}
}
}
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct IpFilter {
ipv4_filter: BitTree,
ipv6_filter: BitTree,
}
impl IpFilter {
/// Create a filter from a list of subnets
/// Complexity: O(n) with n length of list
pub fn new(subnets: &[IpSubnet]) -> Self {
let mut ipv4list = Vec::new();
let mut ipv6list = Vec::new();
for subnet in subnets {
match subnet.addr {
IpAddr::V4(addr) => ipv4list.push((
(u32::from_be_bytes(addr.octets()) as u128) << 96,
subnet.mask,
)),
IpAddr::V6(addr) => {
ipv6list.push((u128::from_be_bytes(addr.octets()), subnet.mask))
}
}
}
IpFilter {
ipv4_filter: BitTree::create(ipv4list.as_mut_slice()),
ipv6_filter: BitTree::create(ipv6list.as_mut_slice()),
}
}
pub fn all() -> Self {
let mut temp_v4 = [(0, 0)];
let mut temp_v6 = [(0, 0)];
IpFilter {
ipv4_filter: BitTree::create(&mut temp_v4),
ipv6_filter: BitTree::create(&mut temp_v6),
}
}
pub fn none() -> Self {
let mut temp_v4 = [];
let mut temp_v6 = [];
IpFilter {
ipv4_filter: BitTree::create(&mut temp_v4),
ipv6_filter: BitTree::create(&mut temp_v6),
}
}
/// Check whether a given ip address is contained in the filter.
/// Complexity: O(1)
pub fn is_in(&self, addr: &IpAddr) -> bool {
match addr {
IpAddr::V4(addr) => self.is_in4(addr),
IpAddr::V6(addr) => self.is_in6(addr),
}
}
fn is_in4(&self, addr: &Ipv4Addr) -> bool {
self.ipv4_filter
.lookup((u32::from_be_bytes(addr.octets()) as u128) << 96)
}
fn is_in6(&self, addr: &Ipv6Addr) -> bool {
self.ipv6_filter.lookup(u128::from_be_bytes(addr.octets()))
}
}
//#[cfg(fuzz)]
pub mod fuzz {
use super::*;
fn contains(subnet: &IpSubnet, addr: &IpAddr) -> bool {
match (subnet.addr, addr) {
(IpAddr::V4(net), IpAddr::V4(addr)) => {
let net = u32::from_be_bytes(net.octets());
let addr = u32::from_be_bytes(addr.octets());
let mask = 0xFFFFFFFF_u32
.checked_shl((32 - subnet.mask) as u32)
.unwrap_or(0);
(net & mask) == (addr & mask)
}
(IpAddr::V6(net), IpAddr::V6(addr)) => {
let net = u128::from_be_bytes(net.octets());
let addr = u128::from_be_bytes(addr.octets());
let mask = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF_u128
.checked_shl((128 - subnet.mask) as u32)
.unwrap_or(0);
(net & mask) == (addr & mask)
}
_ => false,
}
}
fn any_contains(subnets: &[IpSubnet], addr: &IpAddr) -> bool {
for net in subnets {
if contains(net, addr) {
return true;
}
}
false
}
pub fn fuzz_ipfilter(nets: &[IpSubnet], addr: &[IpAddr]) {
let filter = IpFilter::new(nets);
for addr in addr {
assert_eq!(filter.is_in(addr), any_contains(nets, addr));
}
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_bittree() {
let mut data = [
(0x10 << 120, 4),
(0x20 << 120, 3),
(0x43 << 120, 8),
(0x82 << 120, 7),
];
let tree = BitTree::create(&mut data);
assert!(tree.lookup(0x11 << 120));
assert!(!tree.lookup(0x40 << 120));
assert!(tree.lookup(0x30 << 120));
assert!(tree.lookup(0x43 << 120));
assert!(!tree.lookup(0xC4 << 120));
assert!(tree.lookup(0x82 << 120));
assert!(tree.lookup(0x83 << 120));
assert!(!tree.lookup(0x81 << 120));
}
#[test]
fn test_filter() {
let filter = IpFilter::new(&[
"127.0.0.0/24".parse().unwrap(),
"::FFFF:0000:0000/96".parse().unwrap(),
]);
assert!(filter.is_in(&"127.0.0.1".parse().unwrap()));
assert!(!filter.is_in(&"192.168.1.1".parse().unwrap()));
assert!(filter.is_in(&"::FFFF:ABCD:0123".parse().unwrap()));
assert!(!filter.is_in(&"::FEEF:ABCD:0123".parse().unwrap()));
}
#[test]
fn test_subnet_edgecases() {
let filter = IpFilter::new(&["0.0.0.0/0".parse().unwrap(), "::/0".parse().unwrap()]);
assert!(filter.is_in(&"0.0.0.0".parse().unwrap()));
assert!(filter.is_in(&"255.255.255.255".parse().unwrap()));
assert!(filter.is_in(&"::".parse().unwrap()));
assert!(filter.is_in(&"FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF".parse().unwrap()));
let filter = IpFilter::new(&[
"1.2.3.4/32".parse().unwrap(),
"10:32:54:76:98:BA:DC:FE/128".parse().unwrap(),
]);
assert!(filter.is_in(&"1.2.3.4".parse().unwrap()));
assert!(!filter.is_in(&"1.2.3.5".parse().unwrap()));
assert!(filter.is_in(&"10:32:54:76:98:BA:DC:FE".parse().unwrap()));
assert!(!filter.is_in(&"10:32:54:76:98:BA:DC:FF".parse().unwrap()));
}
}