/* -*-c-*-
*
- * $Id: fw.c,v 1.10 2001/02/03 20:30:03 mdw Exp $
+ * $Id: fw.c,v 1.15 2003/11/25 14:46:50 mdw Exp $
*
* Port forwarding thingy
*
/*----- Revision history --------------------------------------------------*
*
* $Log: fw.c,v $
+ * Revision 1.15 2003/11/25 14:46:50 mdw
+ * Update docco for new options.
+ *
+ * Revision 1.14 2003/01/24 20:12:40 mdw
+ * Correctly cast uid and gid sentinel values.
+ *
+ * Revision 1.13 2002/02/22 23:45:20 mdw
+ * Add option to change the listen(2) parameter. Receive `fw'-specific
+ * code from `conf.c'.
+ *
+ * Revision 1.12 2002/01/13 14:49:17 mdw
+ * Track @dstr_vputf@ change.
+ *
+ * Revision 1.11 2001/02/03 20:33:26 mdw
+ * Fix flags to be unsigned.
+ *
* Revision 1.10 2001/02/03 20:30:03 mdw
* Support re-reading config files on SIGHUP.
*
#include "endpt.h"
#include "exec.h"
#include "fattr.h"
+#include "file.h"
#include "fw.h"
#include "scan.h"
+#include "socket.h"
#include "source.h"
/*----- Global variables --------------------------------------------------*/
#define FW_QUIET 2u
#define FW_SET 4u
-/*----- Main code ---------------------------------------------------------*/
+/*----- Configuration parsing ---------------------------------------------*/
+
+/* --- @parse@ --- *
+ *
+ * Arguments: @scanner *sc@ = pointer to scanner definition
+ *
+ * Returns: ---
+ *
+ * Use: Parses a configuration file from the scanner.
+ */
+
+static source_ops *sources[] =
+ { &xsource_ops, &fsource_ops, &ssource_ops, 0 };
+static target_ops *targets[] =
+ { &xtarget_ops, &ftarget_ops, &starget_ops, 0 };
+
+void parse(scanner *sc)
+{
+ token(sc);
+
+ for (;;) {
+ if (sc->t == CTOK_EOF)
+ break;
+ if (sc->t != CTOK_WORD)
+ error(sc, "parse error, keyword expected");
+
+ /* --- Handle a forwarding request --- */
+
+ if (strcmp(sc->d.buf, "forward") == 0 ||
+ strcmp(sc->d.buf, "fw") == 0 ||
+ strcmp(sc->d.buf, "from") == 0) {
+ source *s;
+ target *t;
+
+ token(sc);
+
+ /* --- Read a source description --- */
+
+ {
+ source_ops **sops;
+
+ /* --- Try to find a source type which understands --- */
+
+ s = 0;
+ for (sops = sources; *sops; sops++) {
+ if ((s = (*sops)->read(sc)) != 0)
+ goto found_source;
+ }
+ error(sc, "unknown source name `%s'", sc->d.buf);
+
+ /* --- Read any source-specific options --- */
+
+ found_source:
+ if (sc->t == '{') {
+ token(sc);
+ while (sc->t == CTOK_WORD) {
+ if (!s->ops->option || !s->ops->option(s, sc)) {
+ error(sc, "unknown %s source option `%s'",
+ s->ops->name, sc->d.buf);
+ }
+ if (sc->t == ';')
+ token(sc);
+ }
+ if (sc->t != '}')
+ error(sc, "parse error, missing `}'");
+ token(sc);
+ }
+ }
+
+ /* --- Read a destination description --- */
+
+ if (sc->t == CTOK_WORD && (strcmp(sc->d.buf, "to") == 0 ||
+ strcmp(sc->d.buf, "->") == 0))
+ token(sc);
+
+ {
+ target_ops **tops;
+
+ /* --- Try to find a target which understands --- */
+
+ t = 0;
+ for (tops = targets; *tops; tops++) {
+ if ((t = (*tops)->read(sc)) != 0)
+ goto found_target;
+ }
+ error(sc, "unknown target name `%s'", sc->d.buf);
+
+ /* --- Read any target-specific options --- */
+
+ found_target:
+ if (sc->t == '{') {
+ token(sc);
+ while (sc->t == CTOK_WORD) {
+ if (!t->ops->option || !t->ops->option(t, sc)) {
+ error(sc, "unknown %s target option `%s'",
+ t->ops->name, sc->d.buf);
+ }
+ if (sc->t == ';')
+ token(sc);
+ }
+ if (sc->t != '}')
+ error(sc, "parse error, `}' expected");
+ token(sc);
+ }
+ }
+
+ /* --- Combine the source and target --- */
+
+ s->ops->attach(s, sc, t);
+ }
+
+ /* --- Include configuration from a file --- *
+ *
+ * Slightly tricky. Scan the optional semicolon from the including
+ * stream, not the included one.
+ */
+
+ else if (strcmp(sc->d.buf, "include") == 0) {
+ FILE *fp;
+ dstr d = DSTR_INIT;
+
+ token(sc);
+ conf_name(sc, '/', &d);
+ if ((fp = fopen(d.buf, "r")) == 0)
+ error(sc, "can't include `%s': %s", d.buf, strerror(errno));
+ if (sc->t == ';')
+ token(sc);
+ pushback(sc);
+ scan_push(sc, scan_file(fp, d.buf, 0));
+ token(sc);
+ dstr_destroy(&d);
+ continue; /* Don't parse a trailing `;' */
+ }
+
+ /* --- Other configuration is handled elsewhere --- */
+
+ else {
+
+ /* --- First try among the sources --- */
+
+ {
+ source_ops **sops;
+
+ for (sops = sources; *sops; sops++) {
+ if ((*sops)->option && (*sops)->option(0, sc))
+ goto found_option;
+ }
+ }
+
+ /* --- Then try among the targets --- */
+
+ {
+ target_ops **tops;
+
+ for (tops = targets; *tops; tops++) {
+ if ((*tops)->option && (*tops)->option(0, sc))
+ goto found_option;
+ }
+ }
+
+ /* --- Nobody wants the option --- */
+
+ error(sc, "unknown global option or prefix `%s'", sc->d.buf);
+
+ found_option:;
+ }
+
+ if (sc->t == ';')
+ token(sc);
+ }
+}
+
+/*----- General utility functions -----------------------------------------*/
/* --- @fw_log@ --- *
*
DENSURE(&d, 64);
d.len += strftime(d.buf, d.sz, "%Y-%m-%d %H:%M:%S ", tm);
va_start(ap, fmt);
- dstr_vputf(&d, fmt, ap);
+ dstr_vputf(&d, fmt, &ap);
va_end(ap);
if (flags & FW_SYSLOG)
syslog(LOG_NOTICE, "%s", d.buf);
else
scan_add(&sc, scan_file(fp, cf->name, 0));
}
- conf_parse(&sc);
+ parse(&sc);
fw_log(-1, "... reload completed OK");
}
+/*----- Startup and options parsing ---------------------------------------*/
+
/* --- Standard GNU help options --- */
static void version(FILE *fp)
Grammar summary\n\
\n\
Basic syntax\n\
- file ::= empty | file stmt [`;']\n\
- stmt ::= option-stmt | fw-stmt\n\
- fw-stmt ::= `fw' source options [`to'|`->'] target options\n\
- options ::= `{' option-seq `}'\n\
- option-seq ::= empty | option-stmt [`;'] option-seq\n\
+ FILE ::= EMPTY | FILE STMT [`;']\n\
+ STMT ::= OPTION-STMT | FW-STMT\n\
+ FW-STMT ::= `fw' SOURCE OPTIONS [`to'|`->'] TARGET OPTIONS\n\
+ OPTIONS ::= `{' OPTION-SEQ `}'\n\
+ OPTION-SEQ ::= EMPTY | OPTION-STMT [`;'] OPTION-SEQ\n\
\n\
Option syntax\n\
- option-stmt ::= q-option\n\
- q-option ::= option\n\
- | prefix `.' q-option\n\
- | prefix `{' option-seq `}'\n\
- prefix ::= word\n\
+ OPTION-STMT ::= Q-OPTION\n\
+ Q-OPTION ::= OPTION\n\
+ | PREFIX `.' Q-OPTION\n\
+ | PREFIX `{' OPTION-SEQ `}'\n\
+ PREFIX ::= WORD\n\
\n\
File source and target\n\
- source ::= file\n\
- target ::= file\n\
- file ::= `file' [`.'] fspec [`,' fspec]\n\
- fspec ::= fd-spec | name-spec | null-spec\n\
- fd-spec ::= [[`:']`fd'[`:']] number|`stdin'|`stdout'\n\
- name-spec ::= [[`:']`file'[`:']] file-name\n\
- file-name ::= path-seq | [ path-seq ]\n\
- path-seq ::= path-elt | path-seq path-elt\n\
- path-elt ::= `/' | word\n\
- null-spec ::= [`:']`null'[`:']\n\
+ SOURCE ::= FILE\n\
+ TARGET ::= FILE\n\
+ FILE ::= `file' [`.'] FSPEC [`,' FSPEC]\n\
+ FSPEC ::= FD-SPEC | NAME-SPEC | NULL-SPEC\n\
+ FD-SPEC ::= [[`:']`fd'[`:']] NUMBER|`stdin'|`stdout'\n\
+ NAME-SPEC ::= [[`:']`file'[`:']] FILE-NAME\n\
+ FILE-NAME ::= PATH-SEQ | [ PATH-SEQ ]\n\
+ PATH-SEQ ::= PATH-ELT | PATH-SEQ PATH-ELT\n\
+ PATH-ELT ::= `/' | WORD\n\
+ NULL-SPEC ::= [`:']`null'[`:']\n\
\n\
Exec source and target\n\
- source ::= exec\n\
- target ::= exec\n\
- exec ::= `exec' [`.'] cmd-spec\n\
- cmd-spec ::= shell-cmd | [prog-name] `[' argv0 arg-seq `]'\n\
- arg-seq ::= word | arg-seq word\n\
- shell-cmd ::= word\n\
- argv0 ::= word\n\
+ SOURCE ::= EXEC\n\
+ TARGET ::= EXEC\n\
+ EXEC ::= `exec' [`.'] CMD-SPEC\n\
+ CMD-SPEC ::= SHELL-CMD | [PROG-NAME] `[' ARGV0 ARG-SEQ `]'\n\
+ ARG-SEQ ::= WORD | ARG-SEQ WORD\n\
+ SHELL-CMD ::= WORD\n\
+ ARGV0 ::= WORD\n\
\n\
Socket source and target\n\
- source ::= socket-source\n\
- target ::= socket-target\n\
- socket-source ::= [`socket'[`.']] [[`:']addr-type[`:']] source-addr\n\
- socket-target ::= [`socket'[`.']] [[`:']addr-type[`:']] target-addr\n\
+ SOURCE ::= SOCKET-SOURCE\n\
+ TARGET ::= SOCKET-TARGET\n\
+ SOCKET-SOURCE ::= [`socket'[`.']] [[`:']ADDR-TYPE[`:']] SOURCE-ADDR\n\
+ SOCKET-TARGET ::= [`socket'[`.']] [[`:']ADDR-TYPE[`:']] TARGET-ADDR\n\
\n\
- inet-source-addr ::= [port] port\n\
- inet-target-addr ::= address [`:'] port\n\
- address ::= addr-elt | address addr-elt\n\
- addr-elt ::= `.' | word\n\
+ INET-SOURCE-ADDR ::= [`port'] PORT\n\
+ INET-TARGET-ADDR ::= ADDRESS [`:'] PORT\n\
+ ADDRESS ::= ADDR-ELT | ADDRESS ADDR-ELT\n\
+ ADDR-ELT ::= `.' | WORD\n\
\n\
- unix-source-addr ::= file-name\n\
- unix-target-addr ::= file-name\n\
+ UNIX-SOURCE-ADDR ::= FILE-NAME\n\
+ UNIX-TARGET-ADDR ::= FILE-NAME\n\
");
}
Options summary\n\
\n\
File attributes (`fattr')\n\
- prefix.fattr.mode [=] mode\n\
- prefix.fattr.owner [=] user\n\
- prefix.fattr.group [=] group\n\
+ prefix.FATTR.MODE [=] MODE\n\
+ prefix.FATTR.OWNER [=] USER\n\
+ prefix.FATTR.GROUP [=] GROUP\n\
\n\
File options\n\
file.create [=] yes|no\n\
\n\
Exec options\n\
exec.logging [=] yes|no\n\
- exec.dir [=] file-name\n\
- exec.root [=] file-name\n\
- exec.user [=] user\n\
- exec.group [=] group\n\
- exec.rlimit.limit[.hard|.soft] [=] value\n\
+ exec.dir [=] FILE-NAME\n\
+ exec.root [=] FILE-NAME\n\
+ exec.user [=] USER\n\
+ exec.group [=] GROUP\n\
+ exec.rlimit.LIMIT[.hard|.soft] [=] VALUE\n\
exec.env.clear\n\
- exec.env.unset var\n\
- exec.env.[set] var [=] value\n\
+ exec.env.unset VAR\n\
+ exec.env.[set] VAR [=] VALUE\n\
\n\
Socket options\n\
- socket.conn [=] number|unlimited|one-shot\n\
+ socket.conn [=] NUMBER|unlimited|one-shot\n\
+ socket.listen [=] NUMBER\n\
socket.logging [=] yes|no\n\
- socket.inet.[allow|deny] [from] address [/ address]\n\
+\n\
+ socket.inet.source.[allow|deny] [host] ADDR [/ ADDR]\n\
+ socket.inet.source.[allow|deny] priv-port\n\
+ socket.inet.source.addr [=] any|ADDR\n\
+ socket.inet.dest.addr [=] any|ADDR\n\
+\n\
socket.unix.fattr.*\n\
");
}
conffile *cf, **cff = &conffiles;
#define f_bogus 1u
-#define f_file 2u
-#define f_syslog 4u
-#define f_fork 8u
+#define f_file 2u
+#define f_syslog 4u
+#define f_fork 8u
/* --- Initialize things --- */
/* --- Parse the configuration now gathered --- */
- conf_parse(&sc);
+ parse(&sc);
/* --- Set up some signal handlers --- *
*
/* --- Drop privileges --- */
#ifdef HAVE_SETGROUPS
- if ((dropg != -1 && (setgid(dropg) || setgroups(1, &dropg))) ||
- (drop != -1 && setuid(drop)))
+ if ((dropg != (gid_t)-1 && (setgid(dropg) || setgroups(1, &dropg))) ||
+ (drop != (uid_t)-1 && setuid(drop)))
die(1, "couldn't drop privileges: %s", strerror(errno));
#else
- if ((dropg != -1 && setgid(dropg)) ||
- (drop != -1 && setuid(drop)))
+ if ((dropg != (gid_t)-1 && setgid(dropg)) ||
+ (drop != (uid_t)-1 && setuid(drop)))
die(1, "couldn't drop privileges: %s", strerror(errno));
#endif