3 * Policy parsing and implementation
5 * (c) 2012 Straylight/Edgeware
8 /*----- Licensing notice --------------------------------------------------*
10 * This file is part of Yet Another Ident Daemon (YAID).
12 * YAID is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 2 of the License, or
15 * (at your option) any later version.
17 * YAID is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with YAID; if not, write to the Free Software Foundation,
24 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
27 /*----- Header files ------------------------------------------------------*/
31 /*----- Memory management -------------------------------------------------*/
33 /* Initialize a policy structure. In this state, it doesn't actually have
34 * any resources allocated (so can be simply discarded) but it's safe to free
35 * (using `free_policy').
37 void init_policy(struct policy
*p
) { p
->act
.act
= A_LIMIT
; }
39 /* Free an action structure, resetting it to a safe state. This function is
42 static void free_action(struct action
*a
)
52 /* Free a policy structure, resetting it to its freshly-initialized state.
53 * This function is idempotent.
55 void free_policy(struct policy
*p
)
56 { free_action(&p
->act
); }
58 /*----- Diagnostics -------------------------------------------------------*/
60 static void print_addrpat(const struct addrops
*ao
, const struct addrpat
*ap
)
68 inet_ntop(ao
->af
, &ap
->addr
, buf
, sizeof(buf
)),
73 static void print_portpat(const struct portpat
*pp
)
75 if (pp
->lo
== 0 && pp
->hi
== 65535) putchar('*');
76 else if (pp
->lo
== pp
->hi
) printf("%u", pp
->lo
);
77 else printf("%u-%u", pp
->lo
, pp
->hi
);
80 static void print_sockpat(const struct addrops
*ao
, const struct sockpat
*sp
)
81 { print_addrpat(ao
, &sp
->addr
); putchar(' '); print_portpat(&sp
->port
); }
83 static const char *const acttab
[] = {
84 #define DEFACT(tag, name) name,
90 static void print_action(const struct action
*act
)
92 assert(act
->act
< A_LIMIT
);
93 printf("%s", acttab
[act
->act
]);
98 for (i
= 0, m
= 1; i
< A_LIMIT
; i
++, m
<<= 1)
99 if (act
->u
.user
& m
) printf(" %s", acttab
[i
]);
102 printf(" %s", act
->u
.lie
);
107 /* Print a policy rule to standard output. */
108 void print_policy(const struct policy
*p
)
110 print_sockpat(p
->ao
, &p
->sp
[L
]); putchar(' ');
111 print_sockpat(p
->ao
, &p
->sp
[R
]); putchar(' ');
112 print_action(&p
->act
); putchar('\n');
115 /*----- Matching ----------------------------------------------------------*/
117 /* Return true if the port matches the pattern. */
118 static int match_portpat(const struct portpat
*pp
, unsigned port
)
119 { return (pp
->lo
<= port
&& port
<= pp
->hi
); }
121 /* Return true if the socket matches the pattern. */
122 static int match_sockpat(const struct addrops
*ao
,
123 const struct sockpat
*sp
, const struct socket
*s
)
125 return (ao
->match_addrpat(&sp
->addr
, &s
->addr
) &&
126 match_portpat(&sp
->port
, s
->port
));
129 /* Return true if the query matches the patterns in the policy rule. */
130 int match_policy(const struct policy
*p
, const struct query
*q
)
132 return ((!p
->ao
|| p
->ao
== q
->ao
) &&
133 match_sockpat(q
->ao
, &p
->sp
[L
], &q
->s
[L
]) &&
134 match_sockpat(q
->ao
, &p
->sp
[R
], &q
->s
[R
]));
137 /*----- Parsing -----------------------------------------------------------*/
139 /* Advance FP to the next line. */
140 static void nextline(FILE *fp
)
144 if (ch
== '\n' || ch
== EOF
) break;
148 /* Scan a whitespace-separated token from FP, writing it to BUF. The token
149 * must fit in a buffer of size SZ, including a terminating null. Return
150 * an appropriate T_* error code.
152 static int scan(FILE *fp
, char *buf
, size_t sz
)
157 /* Before we start grabbing a token proper, find out what's in store. */
163 /* Found a newline. Leave it where it is and report it. */
169 /* Found end-of-file, or an I/O error. Return an appropriate code. */
170 return (ferror(fp
) ? T_ERROR
: T_EOF
);
173 /* Found a comment. Consume it, and continue appropriately: it must
174 * be terminated either by a newline or end-of-file.
178 if (ch
== '\n') goto newline
;
179 else if (ch
== EOF
) goto eof
;
183 /* Whitespace means we just continue around. Anything else and we
186 if (isspace(ch
)) goto skip_ws
;
192 /* If there's buffer space left, store the character. */
193 if (sz
) { *buf
++ = ch
; sz
--; }
195 /* Get a new one, and find out what to do about it. */
204 if (isspace(ch
)) goto done
;
210 /* If there's no space for a terminating null then report an error. */
211 if (!sz
) return (T_ERROR
);
218 /* Parse an action name, storing the code in *ACT. Return an appropriate T_*
221 static int parse_actname(FILE *fp
, unsigned *act
)
225 const char *const *p
;
227 if ((t
= scan(fp
, buf
, sizeof(buf
))) != 0) return (t
);
228 for (p
= acttab
; *p
; p
++)
229 if (strcmp(buf
, *p
) == 0) { *act
= p
- acttab
; return (0); }
233 /* Parse an action, returning a T_* code. */
234 static int parse_action(FILE *fp
, struct action
*act
)
241 /* Collect the action name. */
242 if ((t
= parse_actname(fp
, &a
)) != 0) return (t
);
244 /* Parse parameters, if there are any. */
248 /* `user ACTION ACTION ...': store permitted actions in a bitmask. */
251 if ((t
= parse_actname(fp
, &a
)) != 0) break;
252 if (a
== A_USER
) return (T_ERROR
);
255 if (t
!= T_EOL
&& t
!= T_EOF
) return (t
);
264 /* Dull actions which don't accept parameters. */
269 /* `lie NAME': store the string we're to report. */
270 if ((t
= scan(fp
, buf
, sizeof(buf
))) != 0) return (t
);
272 act
->u
.lie
= xstrdup(buf
);
276 /* Make sure we've reached the end of the line. */
277 t
= scan(fp
, buf
, sizeof(buf
));
278 if (t
!= T_EOF
&& t
!= T_EOL
) {
287 /* Parse an address pattern, writing it to AP. If the pattern has an
288 * identifiable address family, update *AOP to point to its operations table;
289 * if *AOP is already set to something different then report an error.
291 static int parse_addrpat(FILE *fp
, const struct addrops
**aop
,
296 const struct addrops
*ao
;
300 /* Scan a token for the address pattern. */
301 if ((t
= scan(fp
, buf
, sizeof(buf
))) != 0) return (t
);
303 /* If this is a wildcard, then leave everything as it is. */
304 if (strcmp(buf
, "*") == 0) {
309 /* Decide what kind of address this must be. A bit grim, sorry. */
310 if (strchr(buf
, ':'))
311 ao
= &addroptab
[ADDR_IPV6
];
313 ao
= &addroptab
[ADDR_IPV4
];
315 /* Update the caller's idea of the address family in use. */
316 if (!*aop
) *aop
= ao
;
317 else if (*aop
!= ao
) return (T_ERROR
);
319 /* See whether there's a prefix length. If so, clobber it. */
320 delim
= strchr(buf
, '/');
321 if (delim
) *delim
++ = 0;
323 /* Parse the address. */
324 if (!inet_pton(ao
->af
, buf
, &ap
->addr
)) return (T_ERROR
);
326 /* Parse the prefix length, or use the maximum one. */
327 if (!delim
) n
= ao
->len
;
328 else n
= strtol(delim
, 0, 10);
329 if (n
< 0 || n
> ao
->len
) return (T_ERROR
);
336 static int parse_portpat(FILE *fp
, struct portpat
*pp
)
343 /* Parse a token for the pattern. */
344 if ((t
= scan(fp
, buf
, sizeof(buf
))) != 0) return (T_ERROR
);
346 /* If this is a wildcard, then we're done. */
347 if (strcmp(buf
, "*") == 0) {
353 /* Find a range delimiter. */
354 delim
= strchr(buf
, '-');
355 if (delim
) *delim
++ = 0;
357 /* Parse the only or low end of the range. */
358 n
= strtol(buf
, 0, 0);
359 if (n
< 0 || n
> 65535) return (T_ERROR
);
362 /* If there's no delimiter, then the high end is equal to the low end;
363 * otherwise, parse the high end.
368 n
= strtol(delim
, 0, 0);
369 if (n
< pp
->lo
|| n
> 65535) return (T_ERROR
);
377 /* Parse a socket pattern, writing it to SP. */
378 static int parse_sockpat(FILE *fp
, const struct addrops
**aop
,
383 if ((t
= parse_addrpat(fp
, aop
, &sp
->addr
)) != 0) return (t
);
384 if ((t
= parse_portpat(fp
, &sp
->port
)) != 0) return (T_ERROR
);
388 /* Parse a policy rule line, writing it to P. */
389 static int parse_policy(FILE *fp
, struct policy
*p
)
396 if ((t
= parse_sockpat(fp
, &p
->ao
, &p
->sp
[L
])) != 0) goto fail
;
397 if ((t
= parse_sockpat(fp
, &p
->ao
, &p
->sp
[R
])) != 0) goto err
;
398 if ((t
= parse_action(fp
, &p
->act
)) != 0) goto err
;
408 /* Open a policy file by NAME. The description WHAT and query Q are used for
409 * formatting error messages for the log.
411 int open_policy_file(struct policy_file
*pf
, const char *name
,
412 const char *what
, const struct query
*q
)
414 if ((pf
->fp
= fopen(name
, "r")) == 0) {
415 logmsg(q
, LOG_ERR
, "failed to open %s `%s': %s",
416 what
, name
, strerror(errno
));
429 /* Read a policy rule from the file, storing it in PF->p. Return one of the
432 int read_policy_file(struct policy_file
*pf
)
438 t
= parse_policy(pf
->fp
, &pf
->p
);
444 logmsg(pf
->q
, LOG_ERR
, "%s:%d: parse error in %s",
445 pf
->name
, pf
->lno
, pf
->what
);
449 if (ferror(pf
->fp
)) {
450 logmsg(pf
->q
, LOG_ERR
, "failed to read %s `%s': %s",
451 pf
->what
, pf
->name
, strerror(errno
));
463 /* Close a policy file. It doesn't matter whether the file was completely
466 void close_policy_file(struct policy_file
*pf
)
472 /* Load a policy file, writing a vector of records into PV. If the policy
473 * file has errors, then leave PV unchanged and return nonzero.
475 int load_policy_file(const char *file
, policy_v
*pv
)
477 struct policy_file pf
;
478 policy_v v
= DA_INIT
;
480 if (open_policy_file(&pf
, file
, "policy file", 0))
482 while (!read_policy_file(&pf
)) {
486 close_policy_file(&pf
);
497 /*----- That's all, folks -------------------------------------------------*/