experimental and untested reimplementation of sql based IP pool
[strongswan.git] / src / charon / plugins / sql / pool.c
1 /*
2 * Copyright (C) 2008 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 *
15 * $Id$
16 */
17
18 #define _GNU_SOURCE
19 #include <getopt.h>
20 #include <unistd.h>
21 #include <stdio.h>
22 #include <time.h>
23
24 #include <debug.h>
25 #include <library.h>
26 #include <utils/host.h>
27
28 /**
29 * global database handle
30 */
31 database_t *db;
32
33 /**
34 * --start/--end addresses of various subcommands
35 */
36 host_t *start = NULL, *end = NULL;
37
38 /**
39 * create a host from a blob
40 */
41 static host_t *host_create_from_blob(chunk_t blob)
42 {
43 return host_create_from_chunk(blob.len == 4 ? AF_INET : AF_INET6, blob, 0);
44 }
45
46 /**
47 * calculate the size of a pool using start and end address chunk
48 */
49 static u_int get_pool_size(chunk_t start, chunk_t end)
50 {
51 u_int *start_ptr, *end_ptr;
52
53 if (start.len < sizeof(u_int) || end.len < sizeof(u_int))
54 {
55 return 0;
56 }
57 start_ptr = (u_int*)(start.ptr + start.len - sizeof(u_int));
58 end_ptr = (u_int*)(end.ptr + end.len - sizeof(u_int));
59 return ntohl(*end_ptr) - ntohl(*start_ptr) + 1;
60 }
61
62 /**
63 * print usage info
64 */
65 static void usage(void)
66 {
67 printf("\
68 Usage:\n\
69 ipsec pool --status|--add|--del|--resize|--purge [options]\n\
70 \n\
71 ipsec pool --status\n\
72 Show a list of installed pools with statistics.\n\
73 \n\
74 ipsec pool --add <name> --start <start> --end <end> [--timeout <timeout>]\n\
75 Add a new pool to the database.\n\
76 name: Name of the pool, as used in ipsec.conf rightsourceip=%%name\n\
77 start: Start address of the pool\n\
78 end: End address of the pool\n\
79 timeout: Lease time in hours, 0 for static leases\n\
80 \n\
81 ipsec pool --del <name>\n\
82 Delete a pool from the database.\n\
83 name: Name of the pool to delete\n\
84 \n\
85 ipsec pool --resize <name> --end <end>\n\
86 Grow or shrink an existing pool.\n\
87 name: Name of the pool to resize\n\
88 end: New end address for the pool\n\
89 \n\
90 ipsec pool --leases <name> [--filter <filter>] [--utc]\n\
91 Show lease information using filters:\n\
92 name: Name of the pool to show leases from\n\
93 filter: Filter string containing comma separated key=value filters,\n\
94 e.g. id=alice@strongswan.org,addr=1.1.1.1\n\
95 pool: name of the pool\n\
96 id: assigned identity of the lease\n\
97 addr: lease IP address\n\
98 tstamp: UNIX timestamp when lease was valid, as integer\n\
99 status: status of the lease: online|valid|expired\n\
100 utc: Show times in UTC instead of local time\n\
101 \n\
102 ipsec pool --purge <name>\n\
103 Delete lease history of a pool:\n\
104 name: Name of the pool to purge\n\
105 \n");
106 exit(0);
107 }
108
109 /**
110 * ipsec pool --status - show pool overview
111 */
112 static void status(void)
113 {
114 enumerator_t *pool, *lease;
115 bool found = FALSE;
116
117 pool = db->query(db, "SELECT id, name, start, end, timeout FROM pools",
118 DB_INT, DB_TEXT, DB_BLOB, DB_BLOB, DB_UINT);
119 if (pool)
120 {
121 char *name;
122 chunk_t start_chunk, end_chunk;
123 host_t *start, *end;
124 u_int id, timeout, online = 0, used = 0, size = 0;
125
126 while (pool->enumerate(pool, &id, &name,
127 &start_chunk, &end_chunk, &timeout))
128 {
129 if (!found)
130 {
131 printf("%8s %15s %15s %8s %6s %11s %11s\n",
132 "name", "start", "end", "timeout", "size", "online", "leases");
133 found = TRUE;
134 }
135
136 start = host_create_from_blob(start_chunk);
137 end = host_create_from_blob(end_chunk);
138 size = get_pool_size(start_chunk, end_chunk);
139 printf("%8s %15H %15H ", name, start, end);
140 if (timeout)
141 {
142 printf("%7dh ", timeout/3600);
143 }
144 else
145 {
146 printf("%8s ", "static");
147 }
148 printf("%6d ", size);
149 /* get number of online hosts */
150 lease = db->query(db, "SELECT COUNT(*) FROM addresses "
151 "WHERE pool = ? AND acquired != 0 AND released = 0",
152 DB_UINT, id, DB_INT);
153 if (lease)
154 {
155 lease->enumerate(lease, &online);
156 lease->destroy(lease);
157 }
158 printf("%5d (%2d%%) ", online, online*100/size);
159 /* get number of online or valid lieases */
160 lease = db->query(db, "SELECT COUNT(*) FROM addresses JOIN pools "
161 "ON addresses.pool = pools.id "
162 "WHERE pools.id = ? AND acquired != 0 "
163 "AND (released = 0 OR released > ? - timeout) ",
164 DB_UINT, id, DB_UINT, time(NULL), DB_UINT);
165 if (lease)
166 {
167 lease->enumerate(lease, &used);
168 lease->destroy(lease);
169 }
170 printf("%5d (%2d%%) ", used, used*100/size);
171
172 printf("\n");
173 DESTROY_IF(start);
174 DESTROY_IF(end);
175 }
176 pool->destroy(pool);
177 }
178 if (!found)
179 {
180 printf("no pools found.\n");
181 }
182 exit(0);
183 }
184
185 /**
186 * increment a chunk, as it would reprensent a network order integer
187 */
188 static void increment_chunk(chunk_t chunk)
189 {
190 int i;
191
192 for (i = chunk.len - 1; i >= 0; i--)
193 {
194 if (++chunk.ptr[i] != 0)
195 {
196 return;
197 }
198 }
199 }
200
201 /**
202 * ipsec pool --add - add a new pool
203 */
204 static void add(char *name, host_t *start, host_t *end, int timeout)
205 {
206 chunk_t start_addr, end_addr, cur_addr;
207 u_int id, count;
208
209 start_addr = start->get_address(start);
210 end_addr = end->get_address(end);
211 cur_addr = chunk_clonea(start_addr);
212 count = get_pool_size(start_addr, end_addr);
213
214 if (start_addr.len != end_addr.len ||
215 memcmp(start_addr.ptr, end_addr.ptr, start_addr.len) > 0)
216 {
217 fprintf(stderr, "invalid start/end pair specified.\n");
218 exit(-1);
219 }
220 if (db->execute(db, &id,
221 "INSERT INTO pools (name, start, end, timeout) "
222 "VALUES (?, ?, ?, ?)",
223 DB_TEXT, name, DB_BLOB, start_addr,
224 DB_BLOB, end_addr, DB_INT, timeout*3600) != 1)
225 {
226 fprintf(stderr, "creating pool failed.\n");
227 exit(-1);
228 }
229 printf("allocating %d addresses... ", count);
230 fflush(stdout);
231 if (db->get_driver(db) == DB_SQLITE)
232 { /* run population in a transaction for sqlite */
233 db->execute(db, NULL, "BEGIN TRANSACTION");
234 }
235 do
236 {
237 db->execute(db, NULL,
238 "INSERT INTO addresses (pool, address, identity, acquired, released) "
239 "VALUES (?, ?, ?, ?, ?)",
240 DB_UINT, id, DB_BLOB, cur_addr, DB_UINT, 0, DB_UINT, 0, DB_UINT, 1);
241 increment_chunk(cur_addr);
242 }
243 while (!chunk_equals(cur_addr, end_addr));
244 if (db->get_driver(db) == DB_SQLITE)
245 {
246 db->execute(db, NULL, "END TRANSACTION");
247 }
248 printf("done.\n", count);
249
250 exit(0);
251 }
252
253 /**
254 * ipsec pool --del - delete a pool
255 */
256 static void del(char *name)
257 {
258 enumerator_t *query;
259 u_int id;
260 bool found = FALSE;
261
262 query = db->query(db, "SELECT id FROM pools WHERE name = ?",
263 DB_TEXT, name, DB_UINT);
264 if (!query)
265 {
266 fprintf(stderr, "deleting pool failed.\n");
267 exit(-1);
268 }
269 while (query->enumerate(query, &id))
270 {
271 found = TRUE;
272 if (db->execute(db, NULL,
273 "DELETE FROM leases WHERE address IN ("
274 " SELECT id FROM addresses WHERE pool = ?)", DB_UINT, id) < 0 ||
275 db->execute(db, NULL,
276 "DELETE FROM addresses WHERE pool = ?", DB_UINT, id) < 0 ||
277 db->execute(db, NULL,
278 "DELETE FROM pools WHERE id = ?", DB_UINT, id) < 0)
279 {
280 fprintf(stderr, "deleting pool failed.\n");
281 query->destroy(query);
282 exit(-1);
283 }
284 }
285 query->destroy(query);
286 if (!found)
287 {
288 fprintf(stderr, "pool '%s' not found.\n", name);
289 exit(-1);
290 }
291 exit(0);
292 }
293
294 /**
295 * ipsec pool --resize - resize a pool
296 */
297 static void resize(char *name, host_t *end)
298 {
299 enumerator_t *query;
300 chunk_t old_addr, new_addr, cur_addr;
301 u_int id, count;
302
303 new_addr = end->get_address(end);
304
305 query = db->query(db, "SELECT id, end FROM pools WHERE name = ?",
306 DB_TEXT, name, DB_UINT, DB_BLOB);
307 if (!query || !query->enumerate(query, &id, &old_addr))
308 {
309 DESTROY_IF(query);
310 fprintf(stderr, "resizing pool failed.\n");
311 exit(-1);
312 }
313 if (old_addr.len != new_addr.len ||
314 memcmp(new_addr.ptr, old_addr.ptr, old_addr.len) < 0)
315 {
316 fprintf(stderr, "shrinking of pools not supported.\n");
317 query->destroy(query);
318 exit(-1);
319 }
320 cur_addr = chunk_clonea(old_addr);
321 count = get_pool_size(old_addr, new_addr) - 1;
322 query->destroy(query);
323
324 if (db->execute(db, NULL,
325 "UPDATE pools SET end = ? WHERE name = ?",
326 DB_BLOB, new_addr, DB_TEXT, name) <= 0)
327 {
328 fprintf(stderr, "pool '%s' not found.\n", name);
329 exit(-1);
330 }
331
332 printf("allocating %d new addresses... ", count);
333 fflush(stdout);
334 if (db->get_driver(db) == DB_SQLITE)
335 { /* run population in a transaction for sqlite */
336 db->execute(db, NULL, "BEGIN TRANSACTION");
337 }
338 while (count-- > 0)
339 {
340 increment_chunk(cur_addr);
341 db->execute(db, NULL,
342 "INSERT INTO addresses (pool, address, identity, acquired, released) "
343 "VALUES (?, ?, ?, ?, ?)",
344 DB_UINT, id, DB_BLOB, cur_addr, DB_UINT, 0, DB_UINT, 0, DB_UINT, 1);
345 }
346 if (db->get_driver(db) == DB_SQLITE)
347 {
348 db->execute(db, NULL, "END TRANSACTION");
349 }
350 printf("done.\n", count);
351
352 exit(0);
353 }
354
355 /**
356 * create the lease query using the filter string
357 */
358 static enumerator_t *create_lease_query(char *filter)
359 {
360 enumerator_t *query;
361 identification_t *id = NULL;
362 host_t *addr = NULL;
363 u_int tstamp = 0;
364 bool online = FALSE, valid = FALSE, expired = FALSE;
365 char *value, *pos, *pool = NULL;
366 enum {
367 FIL_POOL = 0,
368 FIL_ID,
369 FIL_ADDR,
370 FIL_TSTAMP,
371 FIL_STATE,
372 };
373 char *const token[] = {
374 [FIL_POOL] = "pool",
375 [FIL_ID] = "id",
376 [FIL_ADDR] = "addr",
377 [FIL_TSTAMP] = "tstamp",
378 [FIL_STATE] = "status",
379 NULL
380 };
381
382 /* if the filter string contains a distinguished name as a ID, we replace
383 * ", " by "/ " in order to not confuse the getsubopt parser */
384 pos = filter;
385 while ((pos = strchr(pos, ',')))
386 {
387 if (pos[1] == ' ')
388 {
389 pos[0] = '/';
390 }
391 pos++;
392 }
393
394 while (filter && *filter != '\0')
395 {
396 switch (getsubopt(&filter, token, &value))
397 {
398 case FIL_POOL:
399 if (value)
400 {
401 pool = value;
402 }
403 break;
404 case FIL_ID:
405 if (value)
406 {
407 id = identification_create_from_string(value);
408 }
409 if (!id)
410 {
411 fprintf(stderr, "invalid 'id' in filter string.\n");
412 exit(-1);
413 }
414 break;
415 case FIL_ADDR:
416 if (value)
417 {
418 addr = host_create_from_string(value, 0);
419 }
420 if (!addr)
421 {
422 fprintf(stderr, "invalid 'addr' in filter string.\n");
423 exit(-1);
424 }
425 break;
426 case FIL_TSTAMP:
427 if (value)
428 {
429 tstamp = atoi(value);
430 }
431 if (tstamp == 0)
432 {
433 online = TRUE;
434 }
435 break;
436 case FIL_STATE:
437 if (value)
438 {
439 if (streq(value, "online"))
440 {
441 online = TRUE;
442 }
443 else if (streq(value, "valid"))
444 {
445 valid = TRUE;
446 }
447 else if (streq(value, "expired"))
448 {
449 expired = TRUE;
450 }
451 else
452 {
453 fprintf(stderr, "invalid 'state' in filter string.\n");
454 exit(-1);
455 }
456 }
457 break;
458 default:
459 fprintf(stderr, "invalid filter string.\n");
460 exit(-1);
461 break;
462 }
463 }
464 query = db->query(db,
465 "SELECT name, addresses.address, identities.type, "
466 "identities.data, leases.acquired, leases.released, timeout "
467 "FROM leases JOIN addresses ON leases.address = addresses.id "
468 "JOIN pools ON addresses.pool = pools.id "
469 "JOIN identities ON leases.identity = identities.id "
470 "WHERE (? OR name = ?) "
471 "AND (? OR (identities.type = ? AND identities.data = ?)) "
472 "AND (? OR addresses.address = ?) "
473 "AND (? OR (? >= leases.acquired AND (? <= leases.released))) "
474 "AND (? OR leases.released > ? - timeout) "
475 "AND (? OR leases.released < ? - timeout) "
476 "AND ? "
477 "UNION "
478 "SELECT name, address, identities.type, identities.data, "
479 "acquired, released, timeout FROM addresses "
480 "JOIN pools ON addresses.pool = pools.id "
481 "JOIN identities ON addresses.identity = identities.id "
482 "WHERE ? AND released = 0 "
483 "AND (? OR name = ?) "
484 "AND (? OR (identities.type = ? AND identities.data = ?)) "
485 "AND (? OR address = ?)",
486 DB_INT, pool == NULL, DB_TEXT, pool,
487 DB_INT, id == NULL,
488 DB_INT, id ? id->get_type(id) : 0,
489 DB_BLOB, id ? id->get_encoding(id) : chunk_empty,
490 DB_INT, addr == NULL,
491 DB_BLOB, addr ? addr->get_address(addr) : chunk_empty,
492 DB_INT, tstamp == 0, DB_UINT, tstamp, DB_UINT, tstamp,
493 DB_INT, !valid, DB_INT, time(NULL),
494 DB_INT, !expired, DB_INT, time(NULL),
495 DB_INT, !online,
496 /* union */
497 DB_INT, !(valid || expired),
498 DB_INT, pool == NULL, DB_TEXT, pool,
499 DB_INT, id == NULL,
500 DB_INT, id ? id->get_type(id) : 0,
501 DB_BLOB, id ? id->get_encoding(id) : chunk_empty,
502 DB_INT, addr == NULL,
503 DB_BLOB, addr ? addr->get_address(addr) : chunk_empty,
504 /* res */
505 DB_TEXT, DB_BLOB, DB_INT, DB_BLOB, DB_UINT, DB_UINT, DB_UINT);
506 /* id and addr leak but we can't destroy them until query is destroyed. */
507 return query;
508 }
509
510 /**
511 * ipsec pool --leases - show lease information of a pool
512 */
513 static void leases(char *filter, bool utc)
514 {
515 enumerator_t *query;
516 chunk_t address_chunk, identity_chunk;
517 int identity_type;
518 char *name;
519 u_int acquired, released, timeout;
520 host_t *address;
521 identification_t *identity;
522 bool found = FALSE;
523
524 query = create_lease_query(filter);
525 if (!query)
526 {
527 fprintf(stderr, "querying leases failed.\n");
528 exit(-1);
529 }
530 while (query->enumerate(query, &name, &address_chunk, &identity_type,
531 &identity_chunk, &acquired, &released, &timeout))
532 {
533 if (!found)
534 {
535 int len = utc ? 25 : 21;
536
537 found = TRUE;
538 printf("%-8s %-15s %-7s %-*s %-*s %s\n",
539 "name", "address", "status", len, "start", len, "end", "identity");
540 }
541 address = host_create_from_blob(address_chunk);
542 identity = identification_create_from_encoding(identity_type, identity_chunk);
543
544 printf("%-8s %-15H ", name, address);
545 if (released == 0)
546 {
547 printf("%-7s ", "online");
548 }
549 else if (timeout == 0)
550 {
551 printf("%-7s ", "static");
552 }
553 else if (released >= time(NULL) - timeout)
554 {
555 printf("%-7s ", "valid");
556 }
557 else
558 {
559 printf("%-7s ", "expired");
560 }
561
562 printf(" %#T ", &acquired, utc);
563 if (released)
564 {
565 printf("%#T ", &released, utc);
566 }
567 else
568 {
569 printf(" ");
570 if (utc)
571 {
572 printf(" ");
573 }
574 }
575 printf("%D\n", identity);
576 DESTROY_IF(address);
577 identity->destroy(identity);
578 }
579 query->destroy(query);
580 if (!found)
581 {
582 fprintf(stderr, "no matching leases found.\n");
583 exit(-1);
584 }
585 exit(0);
586 }
587
588 /**
589 * ipsec pool --purge - delete expired leases
590 */
591 static void purge(char *name)
592 {
593 int purged = 0;
594
595 purged = db->execute(db, NULL,
596 "DELETE FROM leases WHERE address IN ("
597 " SELECT id FROM addresses WHERE pool IN ("
598 " SELECT id FROM pools WHERE name = ?))",
599 DB_TEXT, name);
600 if (purged < 0)
601 {
602 fprintf(stderr, "purging pool '%s' failed.\n", name);
603 exit(-1);
604 }
605 fprintf(stderr, "purged %d leases in pool '%s'.\n", purged, name);
606 exit(0);
607 }
608
609 /**
610 * atexit handler to close db on shutdown
611 */
612 static void cleanup(void)
613 {
614 db->destroy(db);
615 DESTROY_IF(start);
616 DESTROY_IF(end);
617 }
618
619 /**
620 * Logging hook for library logs, using stderr output
621 */
622 static void dbg_stderr(int level, char *fmt, ...)
623 {
624 va_list args;
625
626 if (level <= 1)
627 {
628 va_start(args, fmt);
629 vfprintf(stderr, fmt, args);
630 fprintf(stderr, "\n");
631 va_end(args);
632 }
633 }
634
635 int main(int argc, char *argv[])
636 {
637 char *uri, *name = "", *filter = "";
638 int timeout = 0;
639 bool utc = FALSE;
640 enum {
641 OP_USAGE,
642 OP_STATUS,
643 OP_ADD,
644 OP_DEL,
645 OP_RESIZE,
646 OP_LEASES,
647 OP_PURGE,
648 } operation = OP_USAGE;
649
650 dbg = dbg_stderr;
651 library_init(STRONGSWAN_CONF);
652 atexit(library_deinit);
653 lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
654 lib->settings->get_str(lib->settings, "pool.load", PLUGINS));
655
656 uri = lib->settings->get_str(lib->settings, "charon.plugins.sql.database", NULL);
657 if (!uri)
658 {
659 fprintf(stderr, "database URI charon.plugins.sql.database not set.\n");
660 exit(-1);
661 }
662 db = lib->db->create(lib->db, uri);
663 if (!db)
664 {
665 fprintf(stderr, "opening database failed.\n");
666 exit(-1);
667 }
668 atexit(cleanup);
669
670 while (TRUE)
671 {
672 int c;
673
674 struct option long_opts[] = {
675 { "help", no_argument, NULL, 'h' },
676
677 { "utc", no_argument, NULL, 'u' },
678 { "status", no_argument, NULL, 'w' },
679 { "add", required_argument, NULL, 'a' },
680 { "del", required_argument, NULL, 'd' },
681 { "resize", required_argument, NULL, 'r' },
682 { "leases", no_argument, NULL, 'l' },
683 { "purge", required_argument, NULL, 'p' },
684
685 { "start", required_argument, NULL, 's' },
686 { "end", required_argument, NULL, 'e' },
687 { "timeout", required_argument, NULL, 't' },
688 { "filter", required_argument, NULL, 'f' },
689 { 0,0,0,0 }
690 };
691
692 c = getopt_long(argc, argv, "", long_opts, NULL);
693 switch (c)
694 {
695 case EOF:
696 break;
697 case 'h':
698 break;
699 case 'w':
700 operation = OP_STATUS;
701 break;
702 case 'u':
703 utc = TRUE;
704 continue;
705 case 'a':
706 operation = OP_ADD;
707 name = optarg;
708 continue;
709 case 'd':
710 operation = OP_DEL;
711 name = optarg;
712 continue;
713 case 'r':
714 operation = OP_RESIZE;
715 name = optarg;
716 continue;
717 case 'l':
718 operation = OP_LEASES;
719 continue;
720 case 'p':
721 operation = OP_PURGE;
722 name = optarg;
723 continue;
724 case 's':
725 start = host_create_from_string(optarg, 0);
726 if (start == NULL)
727 {
728 fprintf(stderr, "invalid start address: '%s'.\n", optarg);
729 operation = OP_USAGE;
730 break;
731 }
732 continue;
733 case 'e':
734 end = host_create_from_string(optarg, 0);
735 if (end == NULL)
736 {
737 fprintf(stderr, "invalid end address: '%s'.\n", optarg);
738 operation = OP_USAGE;
739 break;
740 }
741 continue;
742 case 't':
743 timeout = atoi(optarg);
744 if (timeout == 0 && strcmp(optarg, "0") != 0)
745 {
746 fprintf(stderr, "invalid timeout '%s'.\n", optarg);
747 operation = OP_USAGE;
748 break;
749 }
750 continue;
751 case 'f':
752 filter = optarg;
753 continue;
754 default:
755 operation = OP_USAGE;
756 break;
757 }
758 break;
759 }
760
761 switch (operation)
762 {
763 case OP_USAGE:
764 usage();
765 break;
766 case OP_STATUS:
767 status();
768 break;
769 case OP_ADD:
770 if (start == NULL || end == NULL)
771 {
772 fprintf(stderr, "missing arguments.\n");
773 usage();
774 }
775 add(name, start, end, timeout);
776 break;
777 case OP_DEL:
778 del(name);
779 break;
780 case OP_RESIZE:
781 if (end == NULL)
782 {
783 fprintf(stderr, "missing arguments.\n");
784 usage();
785 }
786 resize(name, end);
787 break;
788 case OP_LEASES:
789 leases(filter, utc);
790 break;
791 case OP_PURGE:
792 purge(name);
793 break;
794 }
795 exit(0);
796 }
797