Diffstat (limited to 'src/Cedar')
-rw-r--r--src/Cedar/Cedar.h16
-rw-r--r--src/Cedar/Hub.c110
-rw-r--r--src/Cedar/IPsec_IPC.c12
-rw-r--r--src/Cedar/Logging.c14
-rw-r--r--src/Cedar/Session.c2
-rw-r--r--src/Cedar/Session.h6
-rw-r--r--src/Cedar/Virtual.c2
7 files changed, 148 insertions, 14 deletions
diff --git a/src/Cedar/Cedar.h b/src/Cedar/Cedar.h
index c3892d16..688e76ae 100644
--- a/src/Cedar/Cedar.h
+++ b/src/Cedar/Cedar.h
@@ -126,10 +126,10 @@
// Version number
-#define CEDAR_VER 431
+#define CEDAR_VER 432
// Build Number
-#define CEDAR_BUILD 9727
+#define CEDAR_BUILD 9731
// Beta number
//#define BETA_NUMBER 3
@@ -148,12 +148,12 @@
#endif // BUILD_PLACE
// Specifies the build date
-#define BUILD_DATE_Y 2019
-#define BUILD_DATE_M 11
-#define BUILD_DATE_D 18
-#define BUILD_DATE_HO 10
-#define BUILD_DATE_MI 55
-#define BUILD_DATE_SE 38
+#define BUILD_DATE_Y 2020
+#define BUILD_DATE_M 1
+#define BUILD_DATE_D 1
+#define BUILD_DATE_HO 17
+#define BUILD_DATE_MI 54
+#define BUILD_DATE_SE 10
// Tolerable time difference
#define ALLOW_TIMESTAMP_DIFF (UINT64)(3 * 24 * 60 * 60 * 1000)
diff --git a/src/Cedar/Hub.c b/src/Cedar/Hub.c
index da339c2a..9bddd08e 100644
--- a/src/Cedar/Hub.c
+++ b/src/Cedar/Hub.c
@@ -1660,13 +1660,15 @@ void HubWatchDogThread(THREAD *t, void *param)
o2 = NewListFast(NULL);
// Send an ARP packet
- LockList(hub->IpTable);
+ LockHashList(hub->MacHashTable);
{
num = LIST_NUM(hub->IpTable);
for (i = 0;i < LIST_NUM(hub->IpTable);i++)
{
IP_TABLE_ENTRY *e = LIST_DATA(hub->IpTable, i);
+ if (e == NULL) continue;
+
if ((e->UpdatedTime + (UINT64)(IP_TABLE_EXPIRE_TIME)) > Tick64())
{
if (e->MacAddress[0] != 0xff || e->MacAddress[1] != 0xff || e->MacAddress[2] != 0xff ||
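Review bot: Iterating `hub->IpTable` under `LockHashList(hub->MacHashTable)` instead of `LockList(hub->IpTable)` is only safe if every writer of IpTable also holds the MacHashTable lock; the `Insert(hub->IpTable, e)` sites in this commit appear to run inside that lock, but any remaining `LockList(hub->IpTable)`-only writer elsewhere would now race with this loop. The invariant deserves a comment above the lock, e.g. `// IpTable is protected by MacHashTable's lock; all writers must hold it`. The added `if (e == NULL) continue;` implies LIST_DATA can hand back NULL entries here, which the old code did not expect — worth confirming whether that guard is masking a real insertion of NULL. The matching `UnlockHashList` is in the next hunk, and HubWatchDogThread's body continues outside both.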
@@ -1742,7 +1744,7 @@ void HubWatchDogThread(THREAD *t, void *param)
}
}
}
- UnlockList(hub->IpTable);
+ UnlockHashList(hub->MacHashTable);
if ((LIST_NUM(o) + LIST_NUM(o2)) != 0)
{
@@ -4120,6 +4122,17 @@ void StorePacket(HUB *hub, SESSION *s, PKT *packet)
}
}
+ if (s != NULL)
+ {
+ if (s->EnableLightRecvFilter)
+ {
+ if (IsValidUnicastMacAddress(packet->MacAddressSrc))
+ {
+ s->LightRecvFilterMac = READ_UINT(packet->MacAddressSrc + 2);
+ }
+ }
+ }
+
// Lock the entire MAC address table
LockHashList(hub->MacHashTable);
{
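Review bot: `s->LightRecvFilterMac` keeps only the low 32 bits of the source MAC (`READ_UINT(packet->MacAddressSrc + 2)`), so the later compare against `bcast_mac_dst` treats any two MACs sharing their last four bytes as equal, and every new unicast source frame overwrites the value, so a session that sends from more than one MAC keeps only the last one and frames for its other MACs are discarded. If that is the intended trade-off of a "light" filter, say so at the assignment: `// Light filter: low 32 bits of the last unicast source MAC only; multi-MAC clients are not supported`. The three nested ifs collapse to `if (s != NULL && s->EnableLightRecvFilter && IsValidUnicastMacAddress(packet->MacAddressSrc))`. The write happens before `LockHashList(hub->MacHashTable)`, while readers in the flooding path may run under it; whether that is a benign race for a UINT depends on the session locking, which this hunk does not show. StorePacket continues outside the hunk.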
@@ -4789,6 +4802,18 @@ UPDATE_FDB:
Insert(hub->IpTable, e);
+ if (s->EnableLightRecvFilter)
+ {
+ if (s->LightRecvFilterIPv4_1 == 0)
+ {
+ s->LightRecvFilterIPv4_1 = uint_ip;
+ }
+ else
+ {
+ s->LightRecvFilterIPv4_2 = uint_ip;
+ }
+ }
+
if (0)
{
char ip_address[64];
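Review bot: The two-slot update after `Insert(hub->IpTable, e)` writes `uint_ip` into `LightRecvFilterIPv4_2` on every learned address once slot 1 is taken, even when `uint_ip` already equals slot 1, so slot 1 never changes after the first address and slot 2 churns; a client that renews to a different DHCP lease keeps a stale slot 1, and a `uint_ip` of 0 would clear slot 2. The same block is repeated verbatim later in Hub.c, in the hunk following `Copy(&t.Ip, &ip, sizeof(IP));`, so both copies will drift together. A small helper that ignores already-recorded or zero addresses and fills the free slot removes the duplication; a sketch is below, to be called from both sites. This hunk sits in StorePacket's UPDATE_FDB section, whose start and end are outside the hunk.
```c
// Record a learned IPv4 address for the session's light receive filter.
// Two slots are kept: a zero or already-recorded address is a no-op,
// otherwise slot 1 is filled first and slot 2 is overwritten thereafter.
static void SetLightRecvFilterIPv4(SESSION *s, UINT ip)
{
	if (s == NULL || s->EnableLightRecvFilter == false || ip == 0)
	{
		return;
	}
	if (s->LightRecvFilterIPv4_1 == ip || s->LightRecvFilterIPv4_2 == ip)
	{
		return;
	}
	if (s->LightRecvFilterIPv4_1 == 0)
	{
		s->LightRecvFilterIPv4_1 = ip;
	}
	else
	{
		s->LightRecvFilterIPv4_2 = ip;
	}
}

/* … at the call site, replacing the nested ifs … */
Insert(hub->IpTable, e);
SetLightRecvFilterIPv4(s, uint_ip);
```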
@@ -5036,6 +5061,7 @@ DISCARD_UNICAST_PACKET:
{
// Flooding as a broadcast packet
UINT current_tcp_queue_size = 0;
+ UINT bcast_mac_dst = READ_UINT(packet->MacAddressDest + 2);
// Take a packet log
if (s != NULL)
@@ -5061,9 +5087,60 @@ DISCARD_UNICAST_PACKET:
{
bool delete_default_router_in_ra = false;
+ if (dest_session->Policy != NULL && dest_session->Policy->DHCPNoServer)
+ {
+ if (packet->TypeL3 == L3_IPV4 &&
+ packet->TypeL4 == L4_UDP &&
+ packet->TypeL7 == L7_DHCPV4 &&
+ (packet->DhcpOpCode == DHCP_DISCOVER || packet->DhcpOpCode == DHCP_REQUEST || packet->DhcpOpCode == DHCP_RELEASE || packet->DhcpOpCode == DHCP_INFORM))
+ {
+ discard = true;
+ goto L_SKIP_TO_DISCARD;
+ }
+ }
+
+ if (dest_session->EnableLightRecvFilter)
+ {
+ if (packet->BroadcastPacket == false &&
+ dest_session->LightRecvFilterMac != 0 &&
+ dest_session->LightRecvFilterMac != bcast_mac_dst)
+ {
+ discard = true;
+ goto L_SKIP_TO_DISCARD;
+ }
+
+ if (packet->BroadcastPacket &&
+ packet->TypeL3 == L3_ARPV4 &&
+ packet->L3.ARPv4Header->HardwareSize == 6 &&
+ Endian16(packet->L3.ARPv4Header->HardwareType) == ARP_HARDWARE_TYPE_ETHERNET &&
+ packet->L3.ARPv4Header->ProtocolSize == 4 &&
+ Endian16(packet->L3.ARPv4Header->ProtocolType) == MAC_PROTO_IPV4)
+ {
+ if (Endian16(packet->L3.ARPv4Header->Operation) == ARP_OPERATION_REQUEST)
+ {
+ bool ok = false;
+
+ if (dest_session->LightRecvFilterIPv4_1 != 0)
+ if (dest_session->LightRecvFilterIPv4_1 == packet->L3.ARPv4Header->TargetIP)
+ ok = true;
+
+ if (dest_session->LightRecvFilterIPv4_2 != 0)
+ if (dest_session->LightRecvFilterIPv4_2 == packet->L3.ARPv4Header->TargetIP)
+ ok = true;
+
+ if (ok == false)
+ {
+ discard = true;
+ goto L_SKIP_TO_DISCARD;
+ }
+ }
+ }
+ }
+
if (dest_session->IsMonitorMode)
{
discard = true;
+ goto L_SKIP_TO_DISCARD;
}
if (dest_session->NormalClient)
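Review bot: The light filter's non-broadcast branch (`packet->BroadcastPacket == false && dest_session->LightRecvFilterMac != bcast_mac_dst`) discards every frame whose destination MAC differs from the single learned source MAC; if `BroadcastPacket` is set only for ff:ff:ff:ff:ff:ff, multicast frames (IPv6 neighbor discovery, mDNS) reach this branch and are dropped for filtered sessions. Worth confirming how `BroadcastPacket` is derived and stating the intended scope in a comment at the top of the `EnableLightRecvFilter` block. The two brace-less nested `if`s that set `ok` read as one expression: `ok = (dest_session->LightRecvFilterIPv4_1 != 0 && dest_session->LightRecvFilterIPv4_1 == packet->L3.ARPv4Header->TargetIP) || (dest_session->LightRecvFilterIPv4_2 != 0 && dest_session->LightRecvFilterIPv4_2 == packet->L3.ARPv4Header->TargetIP);`. `TargetIP` is compared directly with values stored from `uint_ip`, so both must share a byte order, which this hunk cannot confirm. The flooding loop this sits in begins and ends outside the hunk.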
@@ -5075,6 +5152,7 @@ DISCARD_UNICAST_PACKET:
{
// This is dormant session
discard = true;
+ goto L_SKIP_TO_DISCARD;
}
}
}
@@ -5090,6 +5168,7 @@ DISCARD_UNICAST_PACKET:
dest_session->Connection->Protocol == CONNECTION_TCP)
{
discard = true;
+ goto L_SKIP_TO_DISCARD;
}
if (dest_session->LinkModeServer)
@@ -5097,6 +5176,7 @@ DISCARD_UNICAST_PACKET:
LINK *k = dest_session->Link;
discard = true;
+ goto L_SKIP_TO_DISCARD;
}
}
}
@@ -5105,6 +5185,7 @@ DISCARD_UNICAST_PACKET:
packet->VlanId != dest_session->VLanId)
{
discard = true;
+ goto L_SKIP_TO_DISCARD;
}
if (dest_session->Policy->NoIPv6DefaultRouterInRA ||
@@ -5128,6 +5209,7 @@ DISCARD_UNICAST_PACKET:
packet->ICMPv6HeaderPacketInfo.Type == ICMPV6_TYPE_ROUTER_ADVERTISEMENT))
{
discard = true;
+ goto L_SKIP_TO_DISCARD;
}
}
@@ -5138,6 +5220,7 @@ DISCARD_UNICAST_PACKET:
packet->TypeL7 == L7_DHCPV4)
{
discard = true;
+ goto L_SKIP_TO_DISCARD;
}
}
@@ -5148,6 +5231,7 @@ DISCARD_UNICAST_PACKET:
(Endian16(packet->L4.UDPHeader->DstPort) == 546 || Endian16(packet->L4.UDPHeader->DstPort) == 547))
{
discard = true;
+ goto L_SKIP_TO_DISCARD;
}
}
@@ -5191,6 +5275,7 @@ DISCARD_UNICAST_PACKET:
if (packet->TypeL3 == L3_IPV4 || packet->TypeL3 == L3_ARPV4)
{
discard = true;
+ goto L_SKIP_TO_DISCARD;
}
}
if (dest_session->Policy->FilterIPv6)
@@ -5198,6 +5283,7 @@ DISCARD_UNICAST_PACKET:
if (packet->TypeL3 == L3_IPV6)
{
discard = true;
+ goto L_SKIP_TO_DISCARD;
}
}
if (dest_session->Policy->FilterNonIP)
@@ -5205,6 +5291,7 @@ DISCARD_UNICAST_PACKET:
if (packet->TypeL3 != L3_IPV4 && packet->TypeL3 != L3_ARPV4 && packet->TypeL3 != L3_IPV6)
{
discard = true;
+ goto L_SKIP_TO_DISCARD;
}
}
@@ -5218,6 +5305,7 @@ DISCARD_UNICAST_PACKET:
if (drop_arp_packet_privacy || packet->TypeL3 != L3_ARPV4)
{
discard = true;
+ goto L_SKIP_TO_DISCARD;
}
}
@@ -5227,9 +5315,12 @@ DISCARD_UNICAST_PACKET:
memcmp(packet->MacAddressDest, s->Hub->HubMacAddr, 6) == 0)
{
discard = true;
+ goto L_SKIP_TO_DISCARD;
}
}
+L_SKIP_TO_DISCARD:
+
if (discard == false && dest_pa != NULL)
{
if (s == NULL ||
@@ -5899,6 +5990,21 @@ bool StorePacketFilterByPolicy(SESSION *s, PKT *p)
UINTToIP(&ip, ip_uint);
Copy(&t.Ip, &ip, sizeof(IP));
+ if (mac_table->Session != NULL)
+ {
+ if (mac_table->Session->EnableLightRecvFilter)
+ {
+ if (mac_table->Session->LightRecvFilterIPv4_1 == 0)
+ {
+ mac_table->Session->LightRecvFilterIPv4_1 = ip_uint;
+ }
+ else
+ {
+ mac_table->Session->LightRecvFilterIPv4_2 = ip_uint;
+ }
+ }
+ }
+
e = Search(hub->IpTable, &t);
if (e == NULL)
{
diff --git a/src/Cedar/IPsec_IPC.c b/src/Cedar/IPsec_IPC.c
index 82831784..fb127018 100644
--- a/src/Cedar/IPsec_IPC.c
+++ b/src/Cedar/IPsec_IPC.c
@@ -179,6 +179,12 @@ IPC_ASYNC *NewIPCAsync(CEDAR *cedar, IPC_PARAM *param, SOCK_EVENT *sock_event)
Copy(&a->Param, param, sizeof(IPC_PARAM));
+ if (param->ClientCertificate != NULL)
+ {
+ // Client certificate must be copied for async processing
+ a->Param.ClientCertificate = CloneX(param->ClientCertificate);
+ }
+
if (sock_event != NULL)
{
a->SockEvent = sock_event;
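Review bot: The result of `CloneX(param->ClientCertificate)` is stored unchecked; if CloneX can return NULL on allocation failure, the async IPC proceeds with `a->Param.ClientCertificate == NULL`, i.e. it silently continues without the certificate rather than reporting the failure. If downstream code treats NULL as "no certificate supplied" and that is acceptable, say so here: `// If CloneX fails the field stays NULL and the IPC runs without a client certificate`; otherwise the failure should propagate to the caller. The matching `FreeX` in FreeIPCAsync keeps ownership balanced. NewIPCAsync continues outside the hunk.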
@@ -297,6 +303,12 @@ void FreeIPCAsync(IPC_ASYNC *a)
ReleaseCedar(a->Cedar);
ReleaseTube(a->TubeForDisconnect);
+
+ if (a->Param.ClientCertificate != NULL)
+ {
+ FreeX(a->Param.ClientCertificate);
+ }
+
Free(a);
}
diff --git a/src/Cedar/Logging.c b/src/Cedar/Logging.c
index 38510bc0..5aaae6d5 100644
--- a/src/Cedar/Logging.c
+++ b/src/Cedar/Logging.c
@@ -1478,12 +1478,19 @@ void AddLogBufToStr(BUF *b, char *name, char *value)
void MakeSafeLogStr(char *str)
{
UINT i, len;
+ bool is_http = false;
// Validate arguments
if (str == NULL)
{
return;
}
+ if (str[0] == 'h' && str[1] == 't' && str[2] == 't' && str[3] == 'p' &&
+ ((str[4] == 's' && str[5] == ':') || (str[4] == ':')))
+ {
+ is_http = true;
+ }
+
EnPrintableAsciiStr(str, '?');
len = StrLen(str);
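Review bot: Exempting strings that start with `http:`/`https:` from the space-to-underscore rewrite lets a URL value carry literal spaces into the log line; if the surrounding log format is whitespace-delimited, such a value splits into extra fields, which is the class of log-injection MakeSafeLogStr exists to prevent (EnPrintableAsciiStr still replaces non-printables, so line breaks are unaffected). The prefix test is case-sensitive, so `HTTP://...` is still rewritten, which looks unintended. The reason for the exemption should be recorded at the `is_http` assignment, e.g. `// URL values keep their spaces; only non-printable characters are rewritten for them — TODO state why`. The replacement loop continues in the next hunk.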
@@ -1495,7 +1502,10 @@ void MakeSafeLogStr(char *str)
}
else if (str[i] == ' ')
{
- str[i] = '_';
+ if (is_http == false)
+ {
+ str[i] = '_';
+ }
}
}
}
@@ -2242,8 +2252,6 @@ void ReplaceForCsv(char *str)
return;
}
- // If there are blanks, trim it
- Trim(str);
len = StrLen(str);
for (i = 0;i < len;i++)
diff --git a/src/Cedar/Session.c b/src/Cedar/Session.c
index 6a44a1ab..c0374ed8 100644
--- a/src/Cedar/Session.c
+++ b/src/Cedar/Session.c
@@ -1399,6 +1399,7 @@ void CleanupSession(SESSION *s)
ReleaseSharedBuffer(s->IpcSessionSharedBuffer);
+
Free(s);
}
@@ -2361,6 +2362,7 @@ SESSION *NewServerSessionEx(CEDAR *cedar, CONNECTION *c, HUB *h, char *username,
}
}
+
return s;
}
diff --git a/src/Cedar/Session.h b/src/Cedar/Session.h
index d2704994..5fca38ee 100644
--- a/src/Cedar/Session.h
+++ b/src/Cedar/Session.h
@@ -326,6 +326,12 @@ struct SESSION
SHARED_BUFFER *IpcSessionSharedBuffer; // A shared buffer between IPC and Session
IPC_SESSION_SHARED_BUFFER_DATA *IpcSessionShared; // A shared data between IPC and Session
+
+
+ bool EnableLightRecvFilter; // Enable light receive filter
+ UINT LightRecvFilterMac; // Light receive filter MAC address
+ UINT LightRecvFilterIPv4_1; // Light receive filter IPv4 address #1
+ UINT LightRecvFilterIPv4_2; // Light receive filter IPv4 address #2
};
// Password dialog
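Review bot: The comment on `LightRecvFilterMac` says "MAC address", but the field is a UINT and Hub.c fills it with `READ_UINT(packet->MacAddressSrc + 2)`, i.e. only the low 32 bits of the MAC, with 0 meaning not yet learned; the comment should say so: `UINT LightRecvFilterMac; // Low 32 bits of the session's last unicast source MAC (0 = not learned)`. The two IPv4 fields hold learned addresses used to decide which ARP requests the session receives, with 0 marking an empty slot; `// Learned IPv4 address #1 for ARP filtering (0 = empty)` would be more useful than the current text. Nothing in this commit sets `EnableLightRecvFilter` to true or resets the three values, so they presumably rely on zero-initialized SESSION allocation and on a caller outside this diff enabling the filter — naming that caller in the comment would help.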
diff --git a/src/Cedar/Virtual.c b/src/Cedar/Virtual.c
index ff1fa536..cfa8ae87 100644
--- a/src/Cedar/Virtual.c
+++ b/src/Cedar/Virtual.c
@@ -1543,7 +1543,7 @@ void NnTcpRecvForInternet(VH *v, UINT src_ip, UINT src_port, UINT dest_ip, UINT
// Create a new session because there is no existing one
UINT public_port;
- if (old_tcp->Flag != TCP_SYN)
+ if (((old_tcp->Flag & TCP_SYN) && ((old_tcp->Flag & TCP_ACK) == 0)) == false)
{
// If there is no existing session, pass through only for SYN packet
return;
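Review bot: The new condition is a double negative (`(...) == false` over a compound boolean) that reads more clearly as a mask compare with the same truth table: `if ((old_tcp->Flag & (TCP_SYN | TCP_ACK)) != TCP_SYN)`. Unlike the old exact equality, the new test also lets SYN segments with FIN or RST bits set create a session, since only the ACK bit is excluded; if that is not intended, add those flag bits to the mask. The comment on the next line ("pass through only for SYN packet") should now say "SYN without ACK". NnTcpRecvForInternet continues outside the hunk.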