//=============================================================================================
/*
文件: CheckAcl.cpp
说明:
---------------------------------------------------
控管规则访问控制,通过控管规则的检查认证,确定
Socket 连接是否允许通过。
---------------------------------------------------
工程: Xfilter 个人防火墙
作者: 朱雁辉,朱雁冰
创建日期: 2001/08/21
网址: http://www.xfilt.com
电子邮件: xstudio@xfilt.com
版权所有 (c) 2001-2002 X 工作室
警告:
---------------------------------------------------
本电脑程序受著作权法的保护。未经授权,不能使用
和修改本软件全部或部分源代码。凡擅自复制、盗用或散
布此程序或部分程序或者有其它任何越权行为,将遭到民
事赔偿及刑事的处罚,并将依法以最高刑罚进行追诉。
凡通过合法途径购买本软件源代码的用户被默认授权
可以在自己的程序中使用本软件的部分代码,但作者不对
代码产生的任何后果负责。
使用了本软件代码的程序只能以可执行文件形式发布,
未经特别许可,不能将含有本软件源代码的源程序以任何
形式发布。
---------------------------------------------------
*/
//=============================================================================================
#include "stdafx.h"
#include "CheckAcl.h"
#include "ProtocolInfo.h"
#include "TcpIpDog.h"
//=============================================================================================
// shared data
#pragma data_seg(".inidata")
// Initialised statics placed in a named data section. NOTE(review): the
// section name suggests it is meant to be shared between every process that
// loads this DLL — confirm it is marked SHARED in the .def/linker options.
int CCheckAcl::m_iWorkMode = XF_PASS_ALL;   // current mode; XF_PASS_ALL makes GetAccessFromWorkMode() answer XF_PASS (fail-open default)
BOOL CCheckAcl::m_bAclIsChange = FALSE;     // TRUE while SetAcl() is replacing the rule set
HWND CCheckAcl::m_GuiHwnd = NULL;           // presumably the GUI window handle; not used in this file
BOOL CCheckAcl::m_bIsWin9x = FALSE;         // set by SetWindowsVersion(); selects the trusted system-process path
#pragma data_seg()
#pragma bss_seg(".uinidata")
// Zero-initialised statics in a separate named section.
XACL_FILE CCheckAcl::m_AclFile;                      // loaded rule set, replaced wholesale by SetAcl()
SESSION CCheckAcl::m_SessionBuf[MAX_SESSION_BUFFER]; // session storage; not referenced in the part of the file visible here
TCHAR CCheckAcl::m_sGuiPathName[MAX_PATH];           // path of the GUI process; a process with this name bypasses all rules
TCHAR CCheckAcl::m_sSystemPath[MAX_PATH];            // result of GetSystemDirectory()
TCHAR CCheckAcl::m_sWin9xSys1[MAX_PATH];             // <system>\icsmgr.exe   (trusted on Win9x)
TCHAR CCheckAcl::m_sWin2kSys1[MAX_PATH];             // <system>\services.exe (trusted on NT)
#pragma bss_seg()
//=============================================================================================
// external global variables
// Lock taken by the CCheckAcl methods below around writes to the shared
// statics; defined elsewhere in the DLL (not visible here).
extern CRITICAL_SECTION gCriticalSection;
// Name of the process whose socket is currently being checked. It is compared
// against rule application names and against the trusted system-process paths
// below; its writer is not visible in this file.
extern TCHAR m_sProcessName[MAX_PATH];
//=============================================================================================
// class constructor and destructor.
// Start with an empty session table.
// NOTE(review): m_Session itself is not initialised here although the
// destructor free()s it — confirm it is set before any instance is destroyed.
CCheckAcl::CCheckAcl()
    : m_SessionCount(0)
{
}
CCheckAcl::~CCheckAcl()
{
    // Tear the session table down before releasing its storage.
    FinallySession();
    // NOTE(review): presumably m_Session was malloc()'d by another method (not
    // visible here); the constructor leaves it unset — confirm it can never be
    // freed uninitialised.
    free(m_Session);
}
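// File-local: write dir + name into dst (cch TCHARs). Leaves dst empty and
// returns FALSE when dir is empty or the result would not fit, so a truncated
// path can never be used as a trusted system-process name.
static BOOL BuildSystemProcessPath(TCHAR *dst, size_t cch, const TCHAR *dir, const TCHAR *name)
{
    const size_t need = _tcslen(dir) + _tcslen(name) + 1;
    if (dir[0] == _T('\0') || need > cch)
    {
        dst[0] = _T('\0');
        return FALSE;
    }
    _tcscpy(dst, dir);
    _tcscat(dst, name);
    return TRUE;
}

// Detect the Windows flavour and precompute the paths of the OS networking
// process that IsLocalIP() treats as trusted.
// Sets m_bIsWin9x (left unchanged for NT versions other than 4 and 5),
// m_sSystemPath, m_sWin9xSys1 (<system>\icsmgr.exe) and
// m_sWin2kSys1 (<system>\services.exe).
// @return TRUE when every value was obtained; FALSE when GetVersionEx or
//         GetSystemDirectory failed or a path did not fit in MAX_PATH (the
//         affected buffers are then empty, never partially filled).
BOOL CCheckAcl::SetWindowsVersion()
{
    BOOL bOk = TRUE;
    EnterCriticalSection(&gCriticalSection);
    {
        OSVERSIONINFO VerInfo;
        ZeroMemory(&VerInfo, sizeof(VerInfo));
        VerInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
        // Only trust dwPlatformId when the call succeeded; on failure the
        // structure holds nothing meaningful.
        if (GetVersionEx(&VerInfo))
        {
            if (VerInfo.dwPlatformId == VER_PLATFORM_WIN32_WINDOWS)
                m_bIsWin9x = TRUE;
            else if (VerInfo.dwPlatformId == VER_PLATFORM_WIN32_NT
                     && (VerInfo.dwMajorVersion == 4 || VerInfo.dwMajorVersion == 5))
                m_bIsWin9x = FALSE;
        }
        else
            bOk = FALSE;

        // GetSystemDirectory returns 0 on failure and the required size
        // (>= buffer) when truncated; treat both as "no usable path".
        const UINT uLen = GetSystemDirectory(m_sSystemPath, MAX_PATH);
        if (uLen == 0 || uLen >= MAX_PATH)
        {
            m_sSystemPath[0] = _T('\0');
            bOk = FALSE;
        }
        // Bounded concatenation instead of _tcscpy/_tcscat into MAX_PATH buffers.
        if (!BuildSystemProcessPath(m_sWin9xSys1, MAX_PATH, m_sSystemPath, _T("\\icsmgr.exe")))
            bOk = FALSE;
        if (!BuildSystemProcessPath(m_sWin2kSys1, MAX_PATH, m_sSystemPath, _T("\\services.exe")))
            bOk = FALSE;
    }
    LeaveCriticalSection(&gCriticalSection);
    return bOk;
}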
//=============================================================================================
// Static functions used by XFILTER.EXE to change the work mode and the ACL
// information; they are driven through XfIoControl.
// Replace the global filtering mode under the shared lock.
// @param iWorkMode  one of the XF_*_ALL modes consulted by GetAccessFromWorkMode().
// @return always XERR_SUCCESS.
int CCheckAcl::SetWorkMode(int iWorkMode)
{
    EnterCriticalSection(&gCriticalSection);
    CCheckAcl::m_iWorkMode = iWorkMode;
    LeaveCriticalSection(&gCriticalSection);
    return XERR_SUCCESS;
}
// Install a new rule set (passed by value, so the whole XACL_FILE is copied)
// and adopt the work mode carried in its header.
// @param AclFile  the rule set to install.
// @return always XERR_SUCCESS.
int CCheckAcl::SetAcl(XACL_FILE AclFile)
{
    EnterCriticalSection(&gCriticalSection);
    // Keep the change flag raised for the duration of the swap so that
    // GetAccessFromWorkMode() answers XF_UNKNOWN instead of consulting a
    // half-replaced rule set.
    m_bAclIsChange = TRUE;
    // Work mode travels in the header: 2 bits starting at bit 4 of bSet
    // (per the GetBit arguments) — presumably one of the XF_*_ALL values.
    const int iHeaderMode = CAclFile::GetBit(AclFile.mAclHeader.bSet, 4, 2);
    CCheckAcl::m_iWorkMode = iHeaderMode;
    CCheckAcl::m_AclFile = AclFile;
    m_bAclIsChange = FALSE;
    LeaveCriticalSection(&gCriticalSection);
    return XERR_SUCCESS;
}
// Raise or clear the "ACL is being replaced" flag from outside SetAcl().
// While the flag is TRUE, GetAccessFromWorkMode() returns XF_UNKNOWN.
// @param IsChange  new flag value.
// @return always TRUE.
BOOL CCheckAcl::SetAclToChangedMode(BOOL IsChange)
{
    EnterCriticalSection(&gCriticalSection);
    m_bAclIsChange = IsChange;
    LeaveCriticalSection(&gCriticalSection);
    return TRUE;
}
//=============================================================================================
// Rule-check operations: they return the access decision derived from the ACL.
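// Decide whether a connection counts as "local" and therefore bypasses the
// rule set: the remote address is unspecified or loopback, or the calling
// process is the OS networking service for this platform. That second match is
// by executable path name only, so the exemption is only as strong as the name.
// @param ip  pointer to the remote address (DWORD, read as 4 octets).
// @return TRUE when the connection is exempt from ACL checks.
BOOL CCheckAcl::IsLocalIP(DWORD *ip)
{
    BYTE octets[4];
    memcpy(octets, ip, sizeof(DWORD));
    // NOTE(review): octets[3] is the most-significant byte on a little-endian
    // host, so this loopback test assumes *ip is in host byte order (which is
    // also what the range compares in FindIP() need) — confirm with the caller.
    if (*ip == 0 || octets[3] == 127)
        return TRUE;
    ODS(m_sWin9xSys1);
    ODS(m_sWin2kSys1);
    // Read the trusted-process path on every call rather than caching it in a
    // function-local static: SetWindowsVersion() may run after the first call
    // here, and a static would pin whatever (possibly empty) value it saw first.
    const CString sSysProc(m_bIsWin9x ? m_sWin9xSys1 : m_sWin2kSys1);
    // An empty path (SetWindowsVersion() not run, or failed) must never match.
    const BOOL bIsSysProc = !sSysProc.IsEmpty()
                            && sSysProc.CompareNoCase(m_sProcessName) == 0;
    if (m_bIsWin9x)
    {
        if (bIsSysProc)
            return TRUE;
    }
    else if (bIsSysProc)
    {
        ODS(_T("Is Win2000 System Process ..."));
        return TRUE;
    }
    ODS(_T("Not Is Win2000 System Process ..."));
    return FALSE;
}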
// Evaluate a session against the ACL and record the verdict in the session.
// Anything other than XF_PASS (including XF_QUERY and XF_UNKNOWN) is recorded
// as ACL_ACTION_DENY, so the stored action is fail-closed.
// @param session  the connection being checked; bAction is updated in place.
// @return the raw XF_* result of GetAccessFromAcl().
int CCheckAcl::GetAccessInfo(SESSION *session)
{
    const int iAccess = GetAccessFromAcl(session);
    EnterCriticalSection(&gCriticalSection);
    session->bAction = (iAccess == XF_PASS) ? ACL_ACTION_PASS : ACL_ACTION_DENY;
    LeaveCriticalSection(&gCriticalSection);
    return iAccess;
}
// Map the global work mode to an access result.
// @return XF_UNKNOWN while the ACL is being replaced or for an unrecognised
//         mode, XF_PASS / XF_DENY for the blanket modes, and XF_FILTER when
//         the caller should consult the rules (XF_QUERY_ALL).
int CCheckAcl::GetAccessFromWorkMode()
{
    if (m_bAclIsChange)
        return XF_UNKNOWN;
    switch (CCheckAcl::m_iWorkMode)
    {
    case XF_PASS_ALL:
        return XF_PASS;
    case XF_DENY_ALL:
        return XF_DENY;
    case XF_QUERY_ALL:
        return XF_FILTER;
    default:
        return XF_UNKNOWN;
    }
}
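// Evaluate a session against the loaded rule set.
// @param mSession  the connection being checked (process name comes from the
//                  global m_sProcessName).
// @return XF_PASS / XF_DENY when a decision could be made, XF_QUERY when the
//         user must be asked (NT), or whatever GetAccessFromWorkMode() returned
//         when the mode is not XF_QUERY_ALL.
int CCheckAcl::GetAccessFromAcl(SESSION *mSession)
{
    // Unconditional exemptions. NOTE(review): each of these bypasses every rule
    // below — an ACL whose signature equals XF_INVALID_PROCESS (presumably "no
    // valid ACL loaded", i.e. fail-open), the GUI process itself (matched by
    // path name only), and local / trusted-system-process traffic.
    if (_tcscmp(m_AclFile.mAclHeader.sSignature, XF_INVALID_PROCESS) == 0
        || _tcscmp(m_sGuiPathName, m_sProcessName) == 0
        || IsLocalIP(&mSession->ulRemoteIP))
        return XF_PASS;

    // The work mode decides on its own unless it asks for rule filtering.
    const int iMode = GetAccessFromWorkMode();
    if (iMode != XF_FILTER)
        return iMode;

    // NOTE(review): m_AclFile is read here without gCriticalSection; the
    // m_bAclIsChange flag checked above is the only guard against a concurrent
    // SetAcl() — confirm this is acceptable.
    const DWORD ulCount = m_AclFile.mAclHeader.ulAclCount;
    DWORD iIndex = FindAcl(m_sProcessName, 0);
    if (iIndex >= ulCount)
    {
        // No rule mentions this process at all: ask the user — synchronously
        // via QueryAccess() on Win9x, via the XF_QUERY result on NT.
        if (m_bIsWin9x)
            return QueryAccess() ? XF_PASS : XF_DENY;
        return XF_QUERY;
    }

    // Walk every rule for this process; the first one whose direction,
    // protocol, time window, remote net type and port all match decides.
    // (Structured loop replacing the former goto-based COMPARE loop; the
    // evaluation order of the five criteria is unchanged.)
    BYTE bLastAction = ACL_ACTION_PASS;
    while (iIndex < ulCount)
    {
        bLastAction = m_AclFile.mpAcl[iIndex].bAction;
        const BOOL bMatch =
               (m_AclFile.mpAcl[iIndex].bDirection == ACL_DIRECTION_IN_OUT
                || mSession->bDirection == m_AclFile.mpAcl[iIndex].bDirection)
            && (m_AclFile.mpAcl[iIndex].bServiceType == ACL_SERVICE_TYPE_ALL
                || mSession->bProtocol == m_AclFile.mpAcl[iIndex].bServiceType)
            && (m_AclFile.mpAcl[iIndex].bAccessTimeType == ACL_TIME_TYPE_ALL
                || FindTime(mSession->tStartTime) == m_AclFile.mpAcl[iIndex].bAccessTimeType)
            && (m_AclFile.mpAcl[iIndex].bRemoteNetType == ACL_NET_TYPE_ALL
                || FindIP(mSession->ulRemoteIP) == m_AclFile.mpAcl[iIndex].bRemoteNetType)
            && (m_AclFile.mpAcl[iIndex].uiServicePort == ACL_SERVICE_PORT_ALL
                || mSession->uiPort == m_AclFile.mpAcl[iIndex].uiServicePort);
        if (bMatch)
            return (bLastAction == ACL_ACTION_DENY) ? XF_DENY : XF_PASS;
        // iIndex < ulCount here, so iIndex + 1 cannot wrap.
        iIndex = FindAcl(m_sProcessName, iIndex + 1);
    }
    // Rules exist for this process but none matched: the verdict is the
    // opposite of the last rule examined (a trailing "deny X" rule implies
    // "pass everything else", and vice versa).
    return (bLastAction == ACL_ACTION_DENY) ? XF_PASS : XF_DENY;
}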
// Locate the next rule whose application name equals sApplication
// (case-insensitive), scanning from iStart.
// @param sApplication  executable name/path to look for.
// @param iStart        first rule index to examine.
// @return the index of the first match at or after iStart, or
//         mAclHeader.ulAclCount (or iStart, if already past the end) when none.
DWORD CCheckAcl::FindAcl(CString sApplication, DWORD iStart)
{
    const DWORD ulCount = m_AclFile.mAclHeader.ulAclCount;
    DWORD i = iStart;
    while (i < ulCount
           && sApplication.CompareNoCase(m_AclFile.mpAcl[i].sApplication) != 0)
        ++i;
    return i;
}
// Classify a moment against the ACL's time windows.
// @param time  the session start time to classify.
// @return 1-based index of the first matching window (the value rule field
//         bAccessTimeType is compared against in GetAccessFromAcl()), or
//         ACL_TIME_TYPE_ALL when no window matches.
int CCheckAcl::FindTime(CTime time)
{
    for(DWORD i = 0; i < m_AclFile.mAclHeader.ulTimeCount; i ++)
    {
        // Week-day mask indexed by GetDayOfWeek() - 1, i.e. bit 0 = Sunday
        // (CTime numbers Sunday as 1).
        if(CAclFile::GetBit(m_AclFile.mAclTime[i].bWeekDay,time.GetDayOfWeek() - 1) != 1)
            continue;
        // Equal start and end means "the whole day".
        if(m_AclFile.mAclTime[i].tStartTime == m_AclFile.mAclTime[i].tEndTime)
            return i + 1;
        // Seconds since midnight, wrapped in a CTime so it compares with the
        // window bounds. NOTE(review): this assumes tStartTime / tEndTime also
        // hold seconds-of-day rather than absolute times — confirm in CheckAcl.h.
        CTime t = time.GetHour() * 3600 + time.GetMinute() * 60 + time.GetSecond();
        if(m_AclFile.mAclTime[i].tStartTime < m_AclFile.mAclTime[i].tEndTime)
        {
            // Window within one day: inclusive at both ends.
            if(t >= m_AclFile.mAclTime[i].tStartTime && t <= m_AclFile.mAclTime[i].tEndTime)
                return i + 1;
        }
        else
        {
            // Window spans midnight (start > end): match either side of it.
            if(t >= m_AclFile.mAclTime[i].tStartTime || t <= m_AclFile.mAclTime[i].tEndTime)
                return i + 1;
        }
    }
    return ACL_TIME_TYPE_ALL;
}
// File-local: inclusive [lo, hi] range test on addresses (assumed to be in the
// same byte order as the stored ranges).
static BOOL IpInRange(DWORD ip, DWORD lo, DWORD hi)
{
    return (ip >= lo && ip <= hi) ? TRUE : FALSE;
}

// Classify a remote address by the ACL's address ranges. Precedence when ranges
// overlap: intranet, then distrusted, then trusted, then custom.
// @param IP  the remote address.
// @return one of the ACL_NET_TYPE_* values, ACL_NET_TYPE_ALL when unclassified.
int CCheckAcl::FindIP(DWORD IP)
{
    DWORD i;
    if (IpInRange(IP, m_AclFile.mAclIntranetIP.ulStartIP, m_AclFile.mAclIntranetIP.ulEndIP))
        return ACL_NET_TYPE_INTRANET;
    const DWORD ulDistrust = m_AclFile.mAclHeader.ulDistrustIPCount;
    for (i = 0; i < ulDistrust; ++i)
    {
        if (IpInRange(IP, m_AclFile.mpAclDistrustIP[i].ulStartIP, m_AclFile.mpAclDistrustIP[i].ulEndIP))
            return ACL_NET_TYPE_DISTRUST;
    }
    const DWORD ulTrust = m_AclFile.mAclHeader.ulTrustIPCount;
    for (i = 0; i < ulTrust; ++i)
    {
        if (IpInRange(IP, m_AclFile.mpAclTrustIP[i].ulStartIP, m_AclFile.mpAclTrustIP[i].ulEndIP))
            return ACL_NET_TYPE_TRUST;
    }
    const DWORD ulCustom = m_AclFile.mAclHeader.ulCustomIPCount;
    for (i = 0; i < ulCustom; ++i)
    {
        if (IpInRange(IP, m_AclFile.mpAclCustomIP[i].ulStartIP, m_AclFile.mpAclCustomIP[i].ulEndIP))
            return ACL_NET_TYPE_CUSTOM;
    }
    return ACL_NET_TYPE_ALL;
}
//=============================================================================================
// Session operations. A session holds the socket connection information.
// Reset the listed fields of a session record to their "nothing known yet"
// values (other fields of SESSION, such as the socket, are left untouched).
// @param session  the record to reset; must be non-null.
// @return always TRUE.
BOOL CCheckAcl::InitializeSession(SESSION* session)
{
    ODS(_T("Initialize Session ..."));
    EnterCriticalSection(&gCriticalSection);
    // Rule-matching fields: wildcards plus a default verdict of "pass".
    session->bDirection = ACL_DIRECTION_IN_OUT;
    session->bProtocol  = ACL_SERVICE_TYPE_ALL;
    session->bAction    = ACL_ACTION_PASS;
    session->tStartTime = 0;
    // Endpoint fields.
    session->ulRemoteIP  = 0;
    session->uiPort      = 0;
    session->ulLocalIP   = 0;
    session->uiLocalPort = 0;
    // Counters (presumably bytes sent / received) and the free-text memo.
    session->ulSendData = 0;
    session->ulRecvData = 0;
    session->sMemo[0]   = '\0';
    LeaveCriticalSection(&gCriticalSection);
    return TRUE;
}
int CCheckAcl::CreateSession(SOCKET s, int nProtocol)
{
ODS("XFILTER.DLL: Create Session...");
EnterCriticalSection(&gCriticalSection);
{
for(int i = 0; i < m_SessionCount; i++)
{
if(m_Session[i].s == s)
{
LeaveCriticalSection(&gCriticalSection);
return XERR_SESSION_ALREDAY_EXISTS;
}