3 * Policy parsing and implementation
5 * (c) 2012 Straylight/Edgeware
8 /*----- Licensing notice --------------------------------------------------*
10 * This file is part of Yet Another Ident Daemon (YAID).
12 * YAID is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 2 of the License, or
15 * (at your option) any later version.
17 * YAID is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with YAID; if not, write to the Free Software Foundation,
24 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
27 /*----- Header files ------------------------------------------------------*/
31 /*----- Data structures ---------------------------------------------------*/
33 /*----- Static variables --------------------------------------------------*/
35 /*----- Main code ---------------------------------------------------------*/
37 /* syntax: addrpat portpat addrpar portpat policy
39 * local address/port first, then remote
40 * addrpat ::= addr [/ len]
41 * portpat ::= num | num - num | *
42 * policy ::= user policy* | token | name | deny | hide |
45 void init_policy(struct policy
*p
) { p
->act
.act
= A_LIMIT
; }
47 static void free_action(struct action
*a
)
57 void free_policy(struct policy
*p
)
58 { free_action(&p
->act
); }
60 static void print_addrpat(int af
, const struct addrpat
*ap
)
64 if (ap
->len
== 0) putchar('*');
65 else printf("%s/%u", inet_ntop(af
, &ap
->addr
, buf
, sizeof(buf
)), ap
->len
);
68 static void print_portpat(const struct portpat
*pp
)
70 if (pp
->lo
== 0 && pp
->hi
== 65535) putchar('*');
71 else if (pp
->lo
== pp
->hi
) printf("%u", pp
->lo
);
72 else printf("%u-%u", pp
->lo
, pp
->hi
);
75 static void print_sockpat(int af
, const struct sockpat
*sp
)
76 { print_addrpat(af
, &sp
->addr
); putchar(' '); print_portpat(&sp
->port
); }
78 static const char *const acttab
[] = {
79 #define DEFACT(tag, name) name,
85 static void print_action(const struct action
*act
)
87 assert(act
->act
< A_LIMIT
);
88 printf("%s", acttab
[act
->act
]);
93 for (i
= 0, m
= 1; i
< A_LIMIT
; i
++, m
<<= 1)
94 if (act
->u
.user
& m
) printf(" %s", acttab
[i
]);
97 printf(" %s", act
->u
.lie
);
102 void print_policy(const struct policy
*p
)
104 print_sockpat(p
->af
, &p
->sp
[L
]); putchar(' ');
105 print_sockpat(p
->af
, &p
->sp
[R
]); putchar(' ');
106 print_action(&p
->act
); putchar('\n');
109 static int match_addrpat(int af
, const struct addrpat
*ap
,
116 unsigned mask
= htonl((MASK32
<< (32 - ap
->len
)) & MASK32
);
117 return (((ap
->addr
.ipv4
.s_addr
^ a
->ipv4
.s_addr
) & mask
) == 0);
120 unsigned i
, m
, n
= ap
->len
;
121 for (i
= 0; n
>= 8; i
++, n
-= 8) {
122 if (ap
->addr
.ipv6
.s6_addr
[i
] != a
->ipv6
.s6_addr
[i
])
126 m
= (MASK8
<< (8 - n
)) & MASK8
;
127 return (((ap
->addr
.ipv6
.s6_addr
[i
] ^ a
->ipv6
.s6_addr
[i
]) & m
) == 0);
133 static int match_portpat(const struct portpat
*pp
, unsigned port
)
134 { return (pp
->lo
<= port
&& port
<= pp
->hi
); }
136 static int match_sockpat(int af
, const struct sockpat
*sp
,
137 const struct socket
*s
)
139 return (match_addrpat(af
, &sp
->addr
, &s
->addr
) &&
140 match_portpat(&sp
->port
, s
->port
));
143 int match_policy(const struct policy
*p
, const struct query
*q
)
145 return ((!p
->af
|| p
->af
== q
->af
) &&
146 match_sockpat(p
->af
, &p
->sp
[L
], &q
->s
[L
]) &&
147 match_sockpat(p
->af
, &p
->sp
[R
], &q
->s
[R
]));
150 static void nextline(FILE *fp
)
154 if (ch
== '\n' || ch
== EOF
) break;
158 static int scan(FILE *fp
, char *buf
, size_t sz
)
171 return (ferror(fp
) ? T_ERROR
: T_EOF
);
175 if (ch
== '\n') goto newline
;
176 else if (ch
== EOF
) goto eof
;
179 if (isspace(ch
)) goto skip_ws
;
184 if (sz
) { *buf
++ = ch
; sz
--; }
193 if (isspace(ch
)) goto done
;
207 static int parse_actname(FILE *fp
, unsigned *act
)
211 const char *const *p
;
213 if ((t
= scan(fp
, buf
, sizeof(buf
))) != 0) return (t
);
214 for (p
= acttab
; *p
; p
++)
215 if (strcmp(buf
, *p
) == 0) { *act
= p
- acttab
; return (0); }
219 static int parse_action(FILE *fp
, struct action
*act
)
226 if ((t
= parse_actname(fp
, &a
)) != 0) return (t
);
231 if ((t
= parse_actname(fp
, &a
)) != 0) break;
234 if (t
!= T_EOL
&& t
!= T_EOF
) return (t
);
245 if ((t
= scan(fp
, buf
, sizeof(buf
))) != 0) return (t
);
247 act
->u
.lie
= xstrdup(buf
);
250 t
= scan(fp
, buf
, sizeof(buf
));
251 if (t
!= T_EOF
&& t
!= T_EOL
) {
258 static int parse_sockpat(FILE *fp
, int *afp
, struct sockpat
*sp
)
267 if ((t
= scan(fp
, buf
, sizeof(buf
))) != 0) return (t
);
268 if (strcmp(buf
, "*") == 0)
271 if (strchr(buf
, ':')) {
278 if (!*afp
) *afp
= af
;
279 else if (*afp
!= af
) return (T_ERROR
);
280 delim
= strchr(buf
, '/');
281 if (delim
) *delim
++ = 0;
282 if (!inet_pton(af
, buf
, &sp
->addr
.addr
)) return (T_ERROR
);
283 if (!delim
) n
= alen
;
284 else n
= strtol(delim
, 0, 10);
285 if (n
< 0 || n
> alen
) return (T_ERROR
);
289 if ((t
= scan(fp
, buf
, sizeof(buf
))) != 0) return (T_ERROR
);
290 if (strcmp(buf
, "*") == 0) {
294 delim
= strchr(buf
, '-');
295 if (delim
) *delim
++ = 0;
296 n
= strtol(buf
, 0, 0);
297 if (n
< 0 || n
> 65535) return (T_ERROR
);
302 n
= strtol(delim
, 0, 0);
303 if (n
< 0 || n
> 65535) return (T_ERROR
);
310 int parse_policy(FILE *fp
, struct policy
*p
)
317 if ((t
= parse_sockpat(fp
, &p
->af
, &p
->sp
[L
])) != 0) goto fail
;
318 if ((t
= parse_sockpat(fp
, &p
->af
, &p
->sp
[R
])) != 0) goto err
;
319 if ((t
= parse_action(fp
, &p
->act
)) != 0) goto err
;
329 int open_policy_file(struct policy_file
*pf
, const char *name
,
330 const char *what
, const struct query
*q
)
332 if ((pf
->fp
= fopen(name
, "r")) == 0) {
333 logmsg(q
, LOG_ERR
, "failed to open %s `%s': %s",
334 what
, name
, strerror(errno
));
347 int read_policy_file(struct policy_file
*pf
)
353 t
= parse_policy(pf
->fp
, &pf
->p
);
359 logmsg(pf
->q
, LOG_ERR
, "%s:%d: parse error in %s",
360 pf
->name
, pf
->lno
, pf
->what
);
364 if (ferror(pf
->fp
)) {
365 logmsg(pf
->q
, LOG_ERR
, "failed to read %s `%s': %s",
366 pf
->what
, pf
->name
, strerror(errno
));
378 void close_policy_file(struct policy_file
*pf
)
384 int load_policy_file(const char *file
, policy_v
*pv
)
386 struct policy_file pf
;
387 policy_v v
= DA_INIT
;
389 if (open_policy_file(&pf
, file
, "policy file", 0))
391 while (!read_policy_file(&pf
)) {
395 close_policy_file(&pf
);
406 /*----- That's all, folks -------------------------------------------------*/