This section gives a few examples of how entries in the route permission file are mapped into the internal route table, and how routes are then checked against that table.
| Field | Meaning | Possible values |
|---|---|---|
| t | type | P = permitted; D = denied; T = SNC target |
| s | SNC | X = secure network communication required |
| n | native | X = native protocols permitted |
| shs | previous SAProuter hops | number |
| dsh | following SAProuter hops | number |
| s-add | source address | |
| s-msk | source address mask (a set bit is a don't-care bit; ff.ff.ff.ff = any address) | |
| d-add | destination address | |
| d-msk | destination address mask (a set bit is a don't-care bit; ff.ff.ff.ff = any address) | |
| a | all destination ports | X = no port specified |
| d-p-l | destination port min (low) | 16-bit integer |
| d-p-h | destination port max (high) | 16-bit integer |
| pwd | password | string |
| snc-n | SNC name | string |
The route table file

```
D 10.1.0.0 * *
P0,* 10.1.*.* * *
S*,0 * 10.2.00001xxx.* *
P*,1 * 10.2.*.* *
P 10.3.0.0 10.4.*.* 7
P 10.3.0.1 10.4.0.1 * test
P 10.3.0.2 localhost *
P 10.3.0.3 localhost * info
S 10.3.0.4
KT "p:CN=s0" 10.5.0.0 *
KD "p:CN=s1" 10.5.0.1 *
KP "p:CN=s1" * *
KS * 10.5.0.* *
D * * *
```

is mapped into the following internal route table:
| t | s | n | shs | dsh | s-add | s-msk | d-add | d-msk | a | d-p-l | d-p-h | pwd | snc-n | Entry |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| D | | ~ | ~ | ~ | a.1.0.0 | 00.00.00.00 | 0.0.0.0 | ff.ff.ff.ff | X | ~ | ~ | * | ~ | a |
| P | | X | 0 | 255 | a.1.0.0 | 00.00.ff.ff | 0.0.0.0 | ff.ff.ff.ff | X | ~ | ~ | * | ~ | b |
| P | | | 255 | 0 | 0.0.0.0 | ff.ff.ff.ff | a.2.8.0 | 00.00.07.ff | X | ~ | ~ | * | ~ | c |
| P | | X | 255 | 1 | 0.0.0.0 | ff.ff.ff.ff | a.2.0.0 | 00.00.ff.ff | X | ~ | ~ | * | ~ | d |
| P | | X | 255 | 255 | a.3.0.0 | 00.00.00.00 | a.4.0.0 | 00.00.ff.ff | | 7 | 7 | * | ~ | e |
| P | | X | 255 | 255 | a.3.0.1 | 00.00.00.00 | a.4.0.1 | 00.00.00.00 | X | ~ | ~ | test | ~ | f |
| P | | X | 255 | 255 | a.3.0.2 | 00.00.00.00 | 7f.0.0.1 | 00.00.00.00 | X | ~ | ~ | * | ~ | g |
| P | | X | 255 | 255 | a.3.0.3 | 00.00.00.00 | 7f.0.0.1 | 00.00.00.00 | X | ~ | ~ | info | ~ | h |
| P | | | 255 | 255 | a.3.0.4 | 00.00.00.00 | 0.0.0.0 | ff.ff.ff.ff | X | ~ | ~ | * | ~ | i |
| T | X | ~ | 255 | 255 | 0.0.0.0 | ff.ff.ff.ff | a.5.0.0 | 00.00.00.00 | X | ~ | ~ | * | p:CN=s0 | j |
| D | X | ~ | ~ | ~ | 0.0.0.0 | ff.ff.ff.ff | a.5.0.1 | 00.00.00.00 | X | ~ | ~ | * | p:CN=s1 | k |
| P | X | X | 255 | 255 | 0.0.0.0 | ff.ff.ff.ff | 0.0.0.0 | ff.ff.ff.ff | X | ~ | ~ | * | p:CN=s1 | l |
| P | X | | 255 | 255 | 0.0.0.0 | ff.ff.ff.ff | a.5.0.0 | 00.00.00.ff | X | ~ | ~ | * | * | m |
| D | | ~ | ~ | ~ | 0.0.0.0 | ff.ff.ff.ff | 0.0.0.0 | ff.ff.ff.ff | X | ~ | ~ | * | ~ | n |
Addresses and masks are shown as hexadecimal octets. A '~' marks a field that is not initialized or not used for that entry; an empty field is a flag that is not set. Note that an S entry in the file (SAP protocol only) becomes a P row without the native flag, and a K entry becomes a row with the SNC flag set and the SNC name filled in.
Permission examples using the permission table above

The current SAProuter is running on host "this" on port 3299. A '*' in the Client or Route column indicates a parameter that has no effect on the result; a client of '*' means the connection arrives from the previous SAProuter named in the route.
For an entry to match, the destination port of the route must satisfy one of the following conditions (the numbers in parentheses in the Reason column refer to this list):
1. The entry specifies a destination port (d-p-l/d-p-h) and it equals the destination port of the route.
2. The connection is not native (the 'native' column of the route is not set) and the entry has 'all destination ports' set, i.e. the entry specifies no destination port.
3. The entry type is not 'permitted' and 'all destination ports' is set.
4. The route has further destination nodes after the destination and 'all destination ports' is set.
Once an entry matches, it decides the result: a denied entry, a native connection on an entry without 'native', a hop count above the entry's limit, or a missing password all lead to D.
| Client | native | Route | Entry | P/D | Reason |
|---|---|---|---|---|---|
| 10.1.0.0 | | /H/this/H/*/S/3299/W/test | a | D | All connections from host 10.1.0.0 are denied. |
| * | | /H/10.1.0.0/H/this/H/* | a | D | All connections from host 10.1.0.0 are denied. |
| 10.1.0.1 | X | /H/this/H/10.2.9.0/S/* | n | D | Entry b doesn't match because the connection is native and the route has no further destinations (none of 1. to 4. holds); the same applies to d, so the catch-all entry n denies. |
| 10.1.0.1 | X | /H/this/H/10.2.9.0/H/*/S/* | b | P | b matches as the route has further destinations (4.) |
| * | X | /H/10.1.0.1/H/this/H/10.2.9.0/S/* | n | D | No match with b (native, no further destinations), c (native) or d (native, no further destinations); n denies. |
| * | X | /H/10.1.0.1/H/this/H/10.2.9.0/H/*/S/* | b | D | Matches b (4.), but the route has one previous hop and b permits none, so denied. |
| 10.9.0.0 | | /H/this/H/10.2.9.0/S/* | c | P | Matches c (2.) |
| 10.9.0.0 | X | /H/this/H/10.2.9.0/S/* | n | D | Does not match c (native, no further destinations); n denies. |
| 10.9.0.0 | X | /H/this/H/10.2.9.0/H/*/S/* | c | D | Matches c (4.), is denied because the connection is native and c (type S) does not permit native protocols. |
| 10.9.0.0 | | /H/this/H/10.2.9.0/H/*/S/* | c | D | Matches c (2.), is denied because c allows no following hop. |
| 10.9.0.0 | | /H/this/H/10.2.7.0/H/*/S/* | d | P | Doesn't match c because of the IP address (10.2.7.0 is outside 10.2.8.0 to 10.2.15.255); matches d (2.) |
| 10.3.0.0 | X | /H/this/H/10.4.0.0/S/7 | e | P | Matches e (1.) |
| 10.3.0.0 | | /H/this/H/10.4.0.0/S/7 | e | P | Matches e (1.) |
| 10.3.0.0 | X | /H/this/H/10.4.0.0/H/*/S/7 | n | D | Doesn't match e because port 7 must be used on host 10.4.0.0 itself (see 1.); here 10.4.0.0 is given without a port. n denies. |
| 10.3.0.1 | | /H/this/H/10.4.0.1/H/* | f | D | Matches f (2.), is denied because the password "test" is missing from the route. |
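The mapping and matching rules above, carried through as an added worked example in Python. This is not SAP code: it reads the route table file from this page into the fields of the internal table, renders the address columns the way the internal table prints them, and decides the example routes using the four port conditions followed by the type, native, hop and password checks. Where the page is silent the code assumes that hop counts are upper bounds with 255 meaning unlimited, that a route hop without /S/ has an unspecified port, and that K* entries apply only to SNC connections (none of the page's examples use SNC); all names (`Entry`, `check`, `internal_row`, `TABLE`) are this example's own.

```python
"""Model of the SAProuter route permission table and the matching rules on this page.
Added example, not SAP's code.  Assumptions the page does not state: hop counts are
upper bounds (255 / '*' = unlimited); a route hop without /S/ has an unspecified port;
K* entries apply to SNC connections only, which none of the page's examples use."""
import re
from collections import namedtuple

ANY = 255
Entry = namedtuple("Entry", "name t snc native shs dsh src dst all_ports p_low p_high pwd snc_name")

def octet(tok):
    """One octet of a host pattern -> (value, don't-care mask)."""
    if tok == "*":
        return 0, 0xff
    if re.fullmatch(r"[01x]{8}", tok):  # binary pattern such as 00001xxx -> (8, 7)
        return int(tok.replace("x", "0"), 2), int("".join("01"[c == "x"] for c in tok), 2)
    return int(tok), 0

def addr(spec):
    """Host spec -> (values, masks): the s-add/s-msk or d-add/d-msk columns."""
    spec = {"*": "*.*.*.*", "localhost": "127.0.0.1"}.get(spec, spec)
    return tuple(zip(*(octet(t) for t in spec.split("."))))

def addr_match(host, pattern):
    if host == "*":  # a route hop of '*' has no effect (see the examples table)
        return True
    return all((int(o) & ~m & 0xff) == v for o, (v, m) in zip(host.split("."), zip(*pattern)))

def parse_entry(line, name):
    """One saprouttab line -> Entry, i.e. the internal table row for that line."""
    toks = line.split()
    key = toks.pop(0)
    snc, kind, hops = key.startswith("K"), key.lstrip("K")[0], key.lstrip("K")[1:]
    shs, dsh = (ANY, ANY) if not hops else (ANY if x == "*" else int(x) for x in hops.split(","))
    snc_name = toks.pop(0).strip('"') if snc else "~"  # K entries name the SNC partner, not a source
    src = "*" if snc else toks.pop(0)
    dst, port, pwd = (toks + ["*"] * 3)[:3]  # missing destination / port / password default to '*'
    lo = hi = 0 if port == "*" else int(port)
    return Entry(name, "P" if kind == "S" else kind, snc, kind == "P", shs, dsh,
                 addr(src), addr(dst), port == "*", lo, hi, pwd, snc_name)

def load_table(text):
    lines = [l for l in text.splitlines() if l.strip()]
    return [parse_entry(l, chr(ord("a") + i)) for i, l in enumerate(lines)]

def internal_row(e):
    """Address columns of an Entry as the internal route table prints them (hex octets)."""
    dot = lambda octs, w: ".".join(f"{o:0{w}x}" for o in octs)
    return dot(e.src[0], 1), dot(e.src[1], 2), dot(e.dst[0], 1), dot(e.dst[1], 2)

def parse_route(route):
    """'/H/host/S/port/W/pwd/...' -> list of hops {host, port, pwd}."""
    hops, parts = [], route.strip("/").split("/")
    for tag, val in zip(parts[::2], parts[1::2]):
        if tag == "H":
            hops.append({"host": val, "port": None, "pwd": None})
        else:
            hops[-1]["port" if tag == "S" else "pwd"] = val
    return hops

def check(table, client, native, route, here="this"):
    """Decide a route at SAProuter `here` -> (entry name, 'P'/'D'); client '*' = previous SAProuter."""
    hops = parse_route(route)
    idx = [h["host"] for h in hops].index(here)
    prev, dest, further = hops[:idx], hops[idx + 1], hops[idx + 2:]
    source = client if client != "*" else prev[-1]["host"]
    port = None if dest["port"] in (None, "*") else int(dest["port"])
    for e in table:
        if e.snc or not (addr_match(source, e.src) and addr_match(dest["host"], e.dst)):
            continue
        if not ((not e.all_ports and port is not None and e.p_low <= port <= e.p_high)  # 1.
                or (e.all_ports and not native)                                         # 2.
                or (e.all_ports and e.t != "P")                                         # 3.
                or (e.all_ports and further)):                                          # 4.
            continue  # entry does not match; try the next one
        if e.t != "P" or (native and not e.native):      # denied, or native not permitted
            return e.name, "D"
        if len(prev) > e.shs or len(further) > e.dsh:     # previous / following hop limits
            return e.name, "D"
        if e.pwd != "*" and dest["pwd"] != e.pwd:         # password carried in /W/
            return e.name, "D"
        return e.name, "P"
    return None, "D"                                      # no entry matched: implicit deny

SAPROUTTAB = """\
D 10.1.0.0 * *
P0,* 10.1.*.* * *
S*,0 * 10.2.00001xxx.* *
P*,1 * 10.2.*.* *
P 10.3.0.0 10.4.*.* 7
P 10.3.0.1 10.4.0.1 * test
P 10.3.0.2 localhost *
P 10.3.0.3 localhost * info
S 10.3.0.4
KT "p:CN=s0" 10.5.0.0 *
KD "p:CN=s1" 10.5.0.1 *
KP "p:CN=s1" * *
KS * 10.5.0.* *
D * * *
"""
TABLE = load_table(SAPROUTTAB)  # entries a .. n, as on this page
```

`check(TABLE, "10.3.0.1", False, "/H/this/H/10.4.0.1/H/*")` returns `("f", "D")`, the last row of the examples table, and `internal_row(TABLE[2])` yields `a.2.8.0` with mask `00.00.07.ff` for the `10.2.00001xxx.*` pattern of entry c. The entry order matters: the first matching entry decides, which is why the catch-all `D * * *` must stay last and why an S entry that does not match a native connection falls through to it.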