Add netmask filter transport configuration + interface allowlist and …

…blocklist (#4241) * Allowlist and blocklist implementation Signed-off-by: Juan Lopez Fernandez <[email protected]> Signed-off-by: EduPonz <[email protected]> * Update XML parser Signed-off-by: Juan Lopez Fernandez <[email protected]> Signed-off-by: EduPonz <[email protected]> * Update versions.md Signed-off-by: Juan Lopez Fernandez <[email protected]> Signed-off-by: EduPonz <[email protected]> * Fix linker errors in security and statistics tests Signed-off-by: Juan Lopez Fernandez <[email protected]> Signed-off-by: EduPonz <[email protected]> * Rename NetmaskFilterKind.h -> NetmaskFilterKind.hpp Signed-off-by: Juan Lopez Fernandez <[email protected]> Signed-off-by: EduPonz <[email protected]> * Add safety check Signed-off-by: Juan Lopez Fernandez <[email protected]> Signed-off-by: EduPonz <[email protected]> * Rebase fix Signed-off-by: Juan Lopez Fernandez <[email protected]> Signed-off-by: EduPonz <[email protected]> * Apply suggestions Signed-off-by: Juan Lopez Fernandez <[email protected]> Signed-off-by: EduPonz <[email protected]> * Minor changes Signed-off-by: Juan Lopez Fernandez <[email protected]> Signed-off-by: EduPonz <[email protected]> * Add IP string attribute to NetworkInterface and move implementation to cpp Signed-off-by: Juan Lopez Fernandez <[email protected]> Signed-off-by: EduPonz <[email protected]> * Windows fixes Signed-off-by: Juan Lopez Fernandez <[email protected]> Signed-off-by: EduPonz <[email protected]> * Uncrustify Signed-off-by: Juan Lopez Fernandez <[email protected]> Signed-off-by: EduPonz <[email protected]> * Add missing change: serialize writer GUID before locators Signed-off-by: Juan Lopez Fernandez <[email protected]> Signed-off-by: EduPonz <[email protected]> * Apply more suggestions Signed-off-by: Juan Lopez Fernandez <[email protected]> Signed-off-by: EduPonz <[email protected]> * One more suggestion Signed-off-by: Juan Lopez Fernandez <[email protected]> Signed-off-by: EduPonz <[email protected]> * Make NetmaskFilterKind optional in allowlist XML parsing Signed-off-by: Juan Lopez Fernandez <[email protected]> Signed-off-by: EduPonz <[email protected]> --------- Signed-off-by: Juan Lopez Fernandez <[email protected]> Signed-off-by: EduPonz <[email protected]>
eProsima · Mar 17, 2024 · 725f1c7 · 725f1c7
1 parent 0c439a0
commit 725f1c7
Show file tree

Hide file tree

Showing 121 changed files with 3,726 additions and 675 deletions.
diff --git a/include/fastdds/dds/core/policy/QosPolicies.hpp b/include/fastdds/dds/core/policy/QosPolicies.hpp
@@ -33,6 +33,8 @@
 #include <fastdds/rtps/common/Types.h>
 #include <fastdds/rtps/flowcontrol/FlowControllerConsts.hpp>
 #include <fastdds/rtps/resources/ResourceManagement.h>
+#include <fastdds/rtps/transport/network/NetmaskFilterKind.hpp>
+
 #include <fastrtps/types/TypeObject.h>
 #include <fastrtps/utils/collections/ResourceLimitedVector.hpp>
 
@@ -2748,6 +2750,7 @@ class TransportConfigQos : public QosPolicy
         , send_socket_buffer_size(0)
         , listen_socket_buffer_size(0)
         , max_msg_size_no_frag(0)
+        , netmask_filter(fastdds::rtps::NetmaskFilterKind::AUTO)
     {
     }
 
@@ -2765,6 +2768,7 @@ class TransportConfigQos : public QosPolicy
                (this->listen_socket_buffer_size == b.listen_socket_buffer_size) &&
                (this->builtin_transports_reception_threads_ == b.builtin_transports_reception_threads_) &&
                (this->max_msg_size_no_frag == b.max_msg_size_no_frag) &&
+               (this->netmask_filter == b.netmask_filter) &&
                QosPolicy::operator ==(b);
     }
 
@@ -2799,6 +2803,9 @@ class TransportConfigQos : public QosPolicy
      * higher than 65500K.
      */
     uint32_t max_msg_size_no_frag;
+
+    //! Netmask filter configuration
+    fastdds::rtps::NetmaskFilterKind netmask_filter;
 };
 
 //! Qos Policy to configure the endpoint

diff --git a/include/fastdds/rtps/attributes/RTPSParticipantAttributes.h b/include/fastdds/rtps/attributes/RTPSParticipantAttributes.h
@@ -35,6 +35,7 @@
 #include <fastdds/rtps/flowcontrol/FlowControllerDescriptor.hpp>
 #include <fastdds/rtps/flowcontrol/ThroughputControllerDescriptor.h>
 #include <fastdds/rtps/resources/ResourceManagement.h>
+#include <fastdds/rtps/transport/network/NetmaskFilterKind.hpp>
 #include <fastdds/rtps/transport/TransportInterface.h>
 #include <fastrtps/fastrtps_dll.h>
 #include <fastrtps/utils/fixed_size_string.hpp>
@@ -467,6 +468,7 @@ class RTPSParticipantAttributes
                (this->ignore_non_matching_locators == b.ignore_non_matching_locators) &&
                (this->sendSocketBufferSize == b.sendSocketBufferSize) &&
                (this->listenSocketBufferSize == b.listenSocketBufferSize) &&
+               (this->netmaskFilter == b.netmaskFilter) &&
                (this->builtin == b.builtin) &&
                (this->port == b.port) &&
                (this->userData == b.userData) &&
@@ -530,6 +532,9 @@ class RTPSParticipantAttributes
      */
     uint32_t listenSocketBufferSize = 0;
 
+    //! Netmask filter configuration
+    fastdds::rtps::NetmaskFilterKind netmaskFilter = fastdds::rtps::NetmaskFilterKind::AUTO;
+
     //! Optionally allows user to define the GuidPrefix_t
     GuidPrefix_t prefix;
 

diff --git a/include/fastdds/rtps/common/Guid.h b/include/fastdds/rtps/common/Guid.h
@@ -76,7 +76,9 @@ struct RTPS_DllAPI GUID_t
     }
 
     /**
-     * Checks whether this guid is for an entity on the same host as another guid.
+     * Checks whether this guid is from an entity on the same host as another guid.
+     *
+     * @note This method assumes the value of \c other_guid was originally assigned by Fast-DDS vendor.
      *
      * @param other_guid GUID_t to compare to.
      *
@@ -85,20 +87,42 @@ struct RTPS_DllAPI GUID_t
     bool is_on_same_host_as(
             const GUID_t& other_guid) const
     {
-        return memcmp(guidPrefix.value, other_guid.guidPrefix.value, 4) == 0;
+        return guidPrefix.is_on_same_host_as(other_guid.guidPrefix);
+    }
+
+    /**
+     * Checks whether this guid is from a (Fast-DDS) entity created on this host (from where this method is called).
+     *
+     * @return true when this guid is from a (Fast-DDS) entity created on this host, false otherwise.
+     */
+    bool is_from_this_host() const
+    {
+        return guidPrefix.is_from_this_host();
     }
 
     /**
      * Checks whether this guid is for an entity on the same host and process as another guid.
      *
+     * @note This method assumes the value of \c other_guid was originally assigned by Fast-DDS vendor.
+     *
      * @param other_guid GUID_t to compare to.
      *
      * @return true when this guid is on the same host and process, false otherwise.
      */
     bool is_on_same_process_as(
             const GUID_t& other_guid) const
     {
-        return memcmp(guidPrefix.value, other_guid.guidPrefix.value, 8) == 0;
+        return guidPrefix.is_on_same_process_as(other_guid.guidPrefix);
+    }
+
+    /**
+     * Checks whether this guid is from a (Fast-DDS) entity created on this process (from where this method is called).
+     *
+     * @return true when this guid is from a (Fast-DDS) entity created on this process, false otherwise.
+     */
+    bool is_from_this_process() const
+    {
+        return guidPrefix.is_from_this_process();
     }
 
     /**

diff --git a/include/fastdds/rtps/common/GuidPrefix_t.hpp b/include/fastdds/rtps/common/GuidPrefix_t.hpp
@@ -44,6 +44,44 @@ struct RTPS_DllAPI GuidPrefix_t
         memset(value, 0, size);
     }
 
+    /**
+     * Checks whether this guid prefix is from an entity on the same host as another guid prefix.
+     *
+     * @note This method assumes the value of \c other_guid_prefix was originally assigned by Fast-DDS vendor.
+     *
+     * @param other_guid_prefix GuidPrefix_t to compare to.
+     *
+     * @return true when this guid prefix is on the same host, false otherwise.
+     */
+    bool is_on_same_host_as(
+            const GuidPrefix_t& other_guid_prefix) const;
+
+    /**
+     * Checks whether this guid prefix is from a (Fast-DDS) entity created on this host (from where this method is called).
+     *
+     * @return true when this guid prefix is from a (Fast-DDS) entity created on this host, false otherwise.
+     */
+    bool is_from_this_host() const;
+
+    /**
+     * Checks whether this guid prefix is for an entity on the same host and process as another guid prefix.
+     *
+     * @note This method assumes the value of \c other_guid_prefix was originally assigned by Fast-DDS vendor.
+     *
+     * @param other_guid_prefix GuidPrefix_t to compare to.
+     *
+     * @return true when this guid prefix is on the same host and process, false otherwise.
+     */
+    bool is_on_same_process_as(
+            const GuidPrefix_t& other_guid_prefix) const;
+
+    /**
+     * Checks whether this guid prefix is from a (Fast-DDS) entity created on this host and process (from where this method is called).
+     *
+     * @return true when this guid prefix is from a (Fast-DDS) entity created on this host and process, false otherwise.
+     */
+    bool is_from_this_process() const;
+
     static GuidPrefix_t unknown()
     {
         return GuidPrefix_t();

diff --git a/include/fastdds/rtps/common/LocatorWithMask.hpp b/include/fastdds/rtps/common/LocatorWithMask.hpp
@@ -19,6 +19,8 @@
 #ifndef _FASTDDS_RTPS_COMMON_LOCATORWITHMASK_HPP_
 #define _FASTDDS_RTPS_COMMON_LOCATORWITHMASK_HPP_
 
+#include <sstream>
+
 #include <fastrtps/fastrtps_dll.h>
 
 #include <fastdds/rtps/common/Locator.h>
@@ -39,27 +41,39 @@ class RTPS_DllAPI LocatorWithMask : public Locator
      *
      * @return number of significant bits on the address of this locator.
      */
-    uint8_t mask() const
-    {
-        return mask_;
-    }
+    uint8_t mask() const;
 
     /**
      * Set the number of significant bits on the address of this locator.
      *
      * @param mask number of significant bits on the address of this locator.
      */
     void mask(
-            uint8_t mask)
-    {
-        mask_ = mask;
-    }
+            uint8_t mask);
+
+    /**
+     * Check whether the given locator is from the same network as this locator.
+     *
+     * @param loc locator to check if belonging to the same network as this locator.
+     *
+     * @return true if the two locators are from the same network, false otherwise.
+     */
+    bool matches(
+            const Locator& loc) const;
+
+    //! Copy assignment
+    LocatorWithMask& operator =(
+            const Locator& loc);
 
 private:
 
     uint8_t mask_ = 24;
 };
 
+RTPS_DllAPI std::ostream& operator <<(
+        std::ostream& output,
+        const LocatorWithMask& loc);
+
 } // namespace rtps
 } // namespace fastdds
 } // namespace eprosima

diff --git a/include/fastdds/rtps/participant/RTPSParticipant.h b/include/fastdds/rtps/participant/RTPSParticipant.h
@@ -299,6 +299,13 @@ class RTPS_DllAPI RTPSParticipant
     bool ignore_reader(
             const GUID_t& reader_guid);
 
+    /**
+     * @brief Returns registered transports' netmask filter information (transport's netmask filter kind and allowlist).
+     *
+     * @return A vector with all registered transports' netmask filter information.
+     */
+    std::vector<fastdds::rtps::TransportNetmaskFilterInfo> get_netmask_filter_info() const;
+
 #if HAVE_SECURITY
 
     /**

diff --git a/include/fastdds/rtps/transport/ChainingTransport.h b/include/fastdds/rtps/transport/ChainingTransport.h
@@ -171,6 +171,15 @@ class ChainingTransport : public TransportInterface
         return low_level_transport_->is_localhost_allowed();
     }
 
+    /*!
+     * Call the low-level transport `netmask_filter_info()`.
+     * Returns netmask filter information (transport's netmask filter kind and allowlist)
+     */
+    RTPS_DllAPI NetmaskFilterInfo netmask_filter_info() const override
+    {
+        return low_level_transport_->netmask_filter_info();
+    }
+
     /*!
      * Call the low-level transport `DoInputLocatorsMatch()`.
      * Must report whether two locators map to the same internal channel.

diff --git a/include/fastdds/rtps/transport/SocketTransportDescriptor.h b/include/fastdds/rtps/transport/SocketTransportDescriptor.h
@@ -19,6 +19,9 @@
 #include <vector>
 #include <string>
 
+#include <fastdds/rtps/transport/network/AllowedNetworkInterface.hpp>
+#include <fastdds/rtps/transport/network/BlockedNetworkInterface.hpp>
+#include <fastdds/rtps/transport/network/NetmaskFilterKind.hpp>
 #include <fastdds/rtps/transport/PortBasedTransportDescriptor.hpp>
 
 namespace eprosima {
@@ -50,6 +53,7 @@ struct SocketTransportDescriptor : public PortBasedTransportDescriptor
         : PortBasedTransportDescriptor(maximumMessageSize, maximumInitialPeersRange)
         , sendBufferSize(0)
         , receiveBufferSize(0)
+        , netmask_filter(NetmaskFilterKind::AUTO)
         , TTL(s_defaultTTL)
     {
     }
@@ -77,6 +81,9 @@ struct SocketTransportDescriptor : public PortBasedTransportDescriptor
         return (this->sendBufferSize == t.min_send_buffer_size() &&
                this->receiveBufferSize == t.receiveBufferSize &&
                this->interfaceWhiteList == t.interfaceWhiteList &&
+               this->netmask_filter == t.netmask_filter &&
+               this->interface_allowlist == t.interface_allowlist &&
+               this->interface_blocklist == t.interface_blocklist &&
                this->TTL == t.TTL &&
                PortBasedTransportDescriptor::operator ==(t));
     }
@@ -85,8 +92,14 @@ struct SocketTransportDescriptor : public PortBasedTransportDescriptor
     uint32_t sendBufferSize;
     //! Length of the receive buffer.
     uint32_t receiveBufferSize;
-    //! Allowed interfaces in an IP string format.
+    //! Allowed interfaces in an IP or device name string format.
     std::vector<std::string> interfaceWhiteList;
+    //! Transport's netmask filter configuration.
+    NetmaskFilterKind netmask_filter;
+    //! Allowed interfaces in an IP or device name string format, each with a specific netmask filter configuration.
+    std::vector<AllowedNetworkInterface> interface_allowlist;
+    //! Blocked interfaces in an IP or device name string format.
+    std::vector<BlockedNetworkInterface> interface_blocklist;
     //! Specified time to live (8bit - 255 max TTL)
     uint8_t TTL;
 };

diff --git a/include/fastdds/rtps/transport/TransportDescriptorInterface.h b/include/fastdds/rtps/transport/TransportDescriptorInterface.h
@@ -16,6 +16,7 @@
 #define _FASTDDS_TRANSPORT_DESCRIPTOR_INTERFACE_H_
 
 #include <cstdint>
+#include <mutex>
 #include <vector>
 
 #include <fastrtps/fastrtps_dll.h>
@@ -51,11 +52,20 @@ struct TransportDescriptorInterface
 
     //! Copy constructor
     RTPS_DllAPI TransportDescriptorInterface(
-            const TransportDescriptorInterface& t) = default;
+            const TransportDescriptorInterface& t)
+        : maxMessageSize(t.maxMessageSize)
+        , maxInitialPeersRange(t.maxInitialPeersRange)
+    {
+    }
 
     //! Copy assignment
     RTPS_DllAPI TransportDescriptorInterface& operator =(
-            const TransportDescriptorInterface& t) = default;
+            const TransportDescriptorInterface& t)
+    {
+        maxMessageSize = t.maxMessageSize;
+        maxInitialPeersRange = t.maxInitialPeersRange;
+        return *this;
+    }
 
     //! Destructor
     virtual RTPS_DllAPI ~TransportDescriptorInterface() = default;
@@ -92,11 +102,27 @@ struct TransportDescriptorInterface
                this->maxInitialPeersRange == t.max_initial_peers_range());
     }
 
+    //! Lock internal mutex (for Fast-DDS internal use)
+    RTPS_DllAPI void lock()
+    {
+        mtx_.lock();
+    }
+
+    //! Unlock internal mutex (for Fast-DDS internal use)
+    RTPS_DllAPI void unlock()
+    {
+        mtx_.unlock();
+    }
+
     //! Maximum size of a single message in the transport
     uint32_t maxMessageSize;
 
     //! Number of channels opened with each initial remote peer.
     uint32_t maxInitialPeersRange;
+
+private:
+
+    mutable std::mutex mtx_;
 };
 
 } // namespace rtps

diff --git a/include/fastdds/rtps/transport/TransportInterface.h b/include/fastdds/rtps/transport/TransportInterface.h
@@ -22,7 +22,10 @@
 #include <fastdds/rtps/common/Locator.h>
 #include <fastdds/rtps/common/LocatorSelector.hpp>
 #include <fastdds/rtps/common/LocatorSelectorEntry.hpp>
+#include <fastdds/rtps/common/LocatorWithMask.hpp>
 #include <fastdds/rtps/common/PortParameters.h>
+#include <fastdds/rtps/transport/network/AllowedNetworkInterface.hpp>
+#include <fastdds/rtps/transport/network/NetmaskFilterKind.hpp>
 #include <fastdds/rtps/transport/SenderResource.h>
 #include <fastdds/rtps/transport/TransportDescriptorInterface.h>
 #include <fastdds/rtps/transport/TransportReceiverInterface.h>
@@ -43,6 +46,8 @@ static const std::string s_IPv4AddressAny = "0.0.0.0";
 static const std::string s_IPv6AddressAny = "::";
 
 using SendResourceList = std::vector<std::unique_ptr<fastrtps::rtps::SenderResource>>;
+using NetmaskFilterInfo = std::pair<NetmaskFilterKind, std::vector<AllowedNetworkInterface>>;
+using TransportNetmaskFilterInfo = std::pair<int32_t, NetmaskFilterInfo>;
 
 /**
  * Interface against which to implement a transport layer, decoupled from FastRTPS internals.
@@ -302,6 +307,12 @@ class RTPS_DllAPI TransportInterface
         return true;
     }
 
+    //! Returns netmask filter information (transport's netmask filter kind and allowlist)
+    virtual NetmaskFilterInfo netmask_filter_info() const
+    {
+        return {NetmaskFilterKind::AUTO, {}};
+    }
+
 protected:
 
     TransportInterface(