Print this page
OS-7667 IPFilter needs to keep and report state for cloud firewall logging
Portions contributed by: Mike Gerdts <mike.gerdts@joyent.com>
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/cmd/ipf/tools/ippool_y.y
+++ new/usr/src/cmd/ipf/tools/ippool_y.y
1 1 %{
2 2 /*
3 3 * Copyright (C) 2003 by Darren Reed.
4 4 *
5 5 * See the IPFILTER.LICENCE file for details on licencing.
6 6 *
7 7 * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
8 8 * Use is subject to license terms.
9 + * Copyright 2019 Joyent, Inc.
9 10 */
10 11
11 12 #pragma ident "%Z%%M% %I% %E% SMI"
12 13
13 14 #include <sys/types.h>
14 15 #include <sys/time.h>
15 16 #include <sys/param.h>
16 17 #include <sys/socket.h>
17 18 #if defined(BSD) && (BSD >= 199306)
18 19 # include <sys/cdefs.h>
19 20 #endif
20 21 #include <sys/ioctl.h>
21 22
22 23 #include <net/if.h>
23 24 #if __FreeBSD_version >= 300000
24 25 # include <net/if_var.h>
25 26 #endif
26 27 #include <netinet/in.h>
|
↓ open down ↓ |
8 lines elided |
↑ open up ↑ |
27 28
28 29 #include <arpa/inet.h>
29 30
30 31 #include <stdio.h>
31 32 #include <fcntl.h>
32 33 #include <stdlib.h>
33 34 #include <string.h>
34 35 #include <netdb.h>
35 36 #include <ctype.h>
36 37 #include <unistd.h>
38 +#include <uuid/uuid.h>
37 39
38 40 #include "ipf.h"
39 41 #include "netinet/ip_lookup.h"
40 42 #include "netinet/ip_pool.h"
41 43 #include "netinet/ip_htable.h"
42 44 #include "ippool_l.h"
43 45 #include "kmem.h"
44 46
45 47 #define YYDEBUG 1
46 48
47 49 extern int yyparse __P((void));
48 50 extern int yydebug;
49 51 extern FILE *yyin;
50 52
51 53 static iphtable_t ipht;
52 54 static iphtent_t iphte;
53 55 static ip_pool_t iplo;
54 56 static ioctlfunc_t poolioctl = NULL;
55 57 static char poolname[FR_GROUPLEN];
56 58 static int set_ipv6_addr = 0;
57 59
58 60 %}
|
↓ open down ↓ |
12 lines elided |
↑ open up ↑ |
59 61
60 62 %union {
61 63 char *str;
62 64 u_32_t num;
63 65 struct in_addr addr;
64 66 struct alist_s *alist;
65 67 union i6addr adrmsk[2];
66 68 iphtent_t *ipe;
67 69 ip_pool_node_t *ipp;
68 70 union i6addr ip6;
71 + uuid_t uuid;
69 72 }
70 73
71 74 %token <num> YY_NUMBER YY_HEX
72 75 %token <str> YY_STR
73 76 %token YY_COMMENT
74 77 %token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
75 78 %token YY_RANGE_OUT YY_RANGE_IN
76 79 %token <ip6> YY_IPV6
80 +%token <uuid> YY_UUID
77 81
78 82 %token IPT_IPF IPT_NAT IPT_COUNT IPT_AUTH IPT_IN IPT_OUT
79 83 %token IPT_TABLE IPT_GROUPMAP IPT_HASH
80 84 %token IPT_ROLE IPT_TYPE IPT_TREE
81 85 %token IPT_GROUP IPT_SIZE IPT_SEED IPT_NUM IPT_NAME
82 86 %type <num> role table inout
83 87 %type <ipp> ipftree range addrlist
84 88 %type <adrmsk> addrmask
85 89 %type <ipe> ipfgroup ipfhash hashlist hashentry
86 90 %type <ipe> groupentry setgrouplist grouplist
87 91 %type <ip6> ipaddr mask ipv4
88 92 %type <str> number setgroup
89 93
90 94 %%
91 95 file: line
92 96 | assign
93 97 | file line
94 98 | file assign
95 99 ;
96 100
97 101 line: table role ipftree eol { iplo.ipo_unit = $2;
98 102 iplo.ipo_list = $3;
99 103 load_pool(&iplo, poolioctl);
100 104 resetlexer();
101 105 }
102 106 | table role ipfhash eol { ipht.iph_unit = $2;
103 107 ipht.iph_type = IPHASH_LOOKUP;
104 108 load_hash(&ipht, $3, poolioctl);
105 109 resetlexer();
106 110 }
107 111 | groupmap role number ipfgroup eol
108 112 { ipht.iph_unit = $2;
109 113 strncpy(ipht.iph_name, $3,
110 114 sizeof(ipht.iph_name));
111 115 ipht.iph_type = IPHASH_GROUPMAP;
112 116 load_hash(&ipht, $4, poolioctl);
113 117 resetlexer();
114 118 }
115 119 | YY_COMMENT
116 120 ;
117 121
118 122 eol: ';'
119 123 ;
120 124
121 125 assign: YY_STR assigning YY_STR ';' { set_variable($1, $3);
122 126 resetlexer();
123 127 free($1);
124 128 free($3);
125 129 }
126 130 ;
127 131
128 132 assigning:
129 133 '=' { yyvarnext = 1; }
130 134 ;
131 135
132 136 table: IPT_TABLE { bzero((char *)&ipht, sizeof(ipht));
133 137 bzero((char *)&iphte, sizeof(iphte));
134 138 bzero((char *)&iplo, sizeof(iplo));
135 139 *ipht.iph_name = '\0';
136 140 iplo.ipo_flags = IPHASH_ANON;
137 141 iplo.ipo_name[0] = '\0';
138 142 }
139 143 ;
140 144
141 145 groupmap:
142 146 IPT_GROUPMAP inout { bzero((char *)&ipht, sizeof(ipht));
143 147 bzero((char *)&iphte, sizeof(iphte));
144 148 *ipht.iph_name = '\0';
145 149 ipht.iph_unit = IPHASH_GROUPMAP;
146 150 ipht.iph_flags = $2;
147 151 }
148 152 ;
149 153
150 154 inout: IPT_IN { $$ = FR_INQUE; }
151 155 | IPT_OUT { $$ = FR_OUTQUE; }
152 156 ;
153 157 role:
154 158 IPT_ROLE '=' IPT_IPF { $$ = IPL_LOGIPF; }
155 159 | IPT_ROLE '=' IPT_NAT { $$ = IPL_LOGNAT; }
156 160 | IPT_ROLE '=' IPT_AUTH { $$ = IPL_LOGAUTH; }
157 161 | IPT_ROLE '=' IPT_COUNT { $$ = IPL_LOGCOUNT; }
158 162 ;
159 163
160 164 ipftree:
161 165 IPT_TYPE '=' IPT_TREE number start addrlist end
162 166 { strncpy(iplo.ipo_name, $4,
163 167 sizeof(iplo.ipo_name));
164 168 $$ = $6;
165 169 }
166 170 ;
167 171
168 172 ipfhash:
169 173 IPT_TYPE '=' IPT_HASH number hashopts start hashlist end
170 174 { strncpy(ipht.iph_name, $4,
171 175 sizeof(ipht.iph_name));
172 176 $$ = $7;
173 177 }
174 178 ;
175 179
176 180 ipfgroup:
177 181 setgroup hashopts start grouplist end
178 182 { iphtent_t *e;
179 183 for (e = $4; e != NULL;
180 184 e = e->ipe_next)
181 185 if (e->ipe_group[0] == '\0')
182 186 strncpy(e->ipe_group,
183 187 $1,
184 188 FR_GROUPLEN);
185 189 $$ = $4;
186 190 }
187 191 | hashopts start setgrouplist end { $$ = $3; }
188 192 ;
189 193
190 194 number: IPT_NUM '=' YY_NUMBER { snprintf(poolname, FR_GROUPLEN, "%u", $3);
191 195 $$ = poolname;
192 196 }
193 197 | IPT_NAME '=' YY_STR { $$ = $3; }
194 198 | { $$ = ""; }
195 199 ;
196 200
197 201 setgroup:
198 202 IPT_GROUP '=' YY_STR { char tmp[FR_GROUPLEN+1];
199 203 strncpy(tmp, $3, FR_GROUPLEN);
200 204 $$ = strdup(tmp);
201 205 }
202 206 | IPT_GROUP '=' YY_NUMBER { char tmp[FR_GROUPLEN+1];
203 207 snprintf(tmp, FR_GROUPLEN, "%u", $3);
204 208 $$ = strdup(tmp);
205 209 }
206 210 ;
207 211
208 212 hashopts:
209 213 | size
210 214 | seed
211 215 | size seed
212 216 ;
213 217
214 218 addrlist:
215 219 ';' { $$ = NULL; }
216 220 | range next addrlist { $1->ipn_next = $3; $$ = $1; }
217 221 | range next { $$ = $1; }
218 222 | range
219 223 ;
220 224
221 225 grouplist:
222 226 ';' { $$ = NULL; }
223 227 | groupentry next grouplist { $$ = $1; $1->ipe_next = $3; }
224 228 | addrmask next grouplist { $$ = calloc(1, sizeof(iphtent_t));
225 229 if ($$ == NULL)
226 230 yyerror("sorry, out of memory");
227 231 if (set_ipv6_addr)
228 232 $$->ipe_family = AF_INET6;
229 233 else
230 234 $$->ipe_family = AF_INET;
231 235 bcopy((char *)&($1[0]),
232 236 (char *)&($$->ipe_addr),
233 237 sizeof($$->ipe_addr));
234 238 bcopy((char *)&($1[1]),
235 239 (char *)&($$->ipe_mask),
236 240 sizeof($$->ipe_mask));
237 241 set_ipv6_addr = 0;
238 242 $$->ipe_next = $3;
239 243 }
240 244 | groupentry next { $$ = $1; }
241 245 | addrmask next { $$ = calloc(1, sizeof(iphtent_t));
242 246 if ($$ == NULL)
243 247 yyerror("sorry, out of memory");
244 248 if (set_ipv6_addr)
245 249 $$->ipe_family = AF_INET6;
246 250 else
247 251 $$->ipe_family = AF_INET;
248 252 bcopy((char *)&($1[0]),
249 253 (char *)&($$->ipe_addr),
250 254 sizeof($$->ipe_addr));
251 255 bcopy((char *)&($1[1]),
252 256 (char *)&($$->ipe_mask),
253 257 sizeof($$->ipe_mask));
254 258 set_ipv6_addr = 0;
255 259 }
256 260 ;
257 261
258 262 setgrouplist:
259 263 ';' { $$ = NULL; }
260 264 | groupentry next { $$ = $1; }
261 265 | groupentry next setgrouplist { $1->ipe_next = $3; $$ = $1; }
262 266 ;
263 267
264 268 groupentry:
265 269 addrmask ',' setgroup { $$ = calloc(1, sizeof(iphtent_t));
266 270 if ($$ == NULL)
267 271 yyerror("sorry, out of memory");
268 272 if (set_ipv6_addr)
269 273 $$->ipe_family = AF_INET6;
270 274 else
271 275 $$->ipe_family = AF_INET;
272 276 bcopy((char *)&($1[0]),
273 277 (char *)&($$->ipe_addr),
274 278 sizeof($$->ipe_addr));
275 279 bcopy((char *)&($1[1]),
276 280 (char *)&($$->ipe_mask),
277 281 sizeof($$->ipe_mask));
278 282 set_ipv6_addr = 0;
279 283 strncpy($$->ipe_group, $3,
280 284 FR_GROUPLEN);
281 285 free($3);
282 286 }
283 287 ;
284 288
285 289 range: addrmask { $$ = calloc(1, sizeof(*$$));
286 290 if ($$ == NULL)
287 291 yyerror("sorry, out of memory");
288 292 $$->ipn_info = 0;
289 293 $$->ipn_addr.adf_len = sizeof($$->ipn_addr);
290 294 $$->ipn_mask.adf_len = sizeof($$->ipn_mask);
291 295 if (set_ipv6_addr) {
292 296 $$->ipn_addr.adf_family = AF_INET6;
293 297 $$->ipn_addr.adf_addr = $1[0];
294 298 $$->ipn_mask.adf_addr = $1[1];
295 299
296 300 } else {
297 301 $$->ipn_addr.adf_family = AF_INET;
298 302 $$->ipn_addr.adf_addr.in4.s_addr = $1[0].in4.s_addr;
299 303 $$->ipn_mask.adf_addr.in4.s_addr = $1[1].in4.s_addr;
300 304 }
301 305 set_ipv6_addr = 0;
302 306 }
303 307 | '!' addrmask { $$ = calloc(1, sizeof(*$$));
304 308 if ($$ == NULL)
305 309 yyerror("sorry, out of memory");
306 310 $$->ipn_info = 1;
307 311 $$->ipn_addr.adf_len = sizeof($$->ipn_addr);
308 312 $$->ipn_mask.adf_len = sizeof($$->ipn_mask);
309 313 if (set_ipv6_addr) {
310 314 $$->ipn_addr.adf_family = AF_INET6;
311 315 $$->ipn_addr.adf_addr = $2[0];
312 316 $$->ipn_mask.adf_addr = $2[1];
313 317 } else {
314 318 $$->ipn_addr.adf_family = AF_INET;
315 319 $$->ipn_addr.adf_addr.in4.s_addr = $2[0].in4.s_addr;
316 320 $$->ipn_mask.adf_addr.in4.s_addr = $2[1].in4.s_addr;
317 321 }
318 322 set_ipv6_addr = 0;
319 323 }
320 324
321 325 hashlist:
322 326 ';' { $$ = NULL; }
323 327 | hashentry next { $$ = $1; }
324 328 | hashentry next hashlist { $1->ipe_next = $3; $$ = $1; }
325 329 ;
326 330
327 331 hashentry:
328 332 addrmask { $$ = calloc(1, sizeof(iphtent_t));
329 333 if ($$ == NULL)
330 334 yyerror("sorry, out of memory");
331 335 if (set_ipv6_addr)
332 336 $$->ipe_family = AF_INET6;
333 337 else
334 338 $$->ipe_family = AF_INET;
335 339 bcopy((char *)&($1[0]),
336 340 (char *)&($$->ipe_addr),
337 341 sizeof($$->ipe_addr));
338 342 bcopy((char *)&($1[1]),
339 343 (char *)&($$->ipe_mask),
340 344 sizeof($$->ipe_mask));
341 345 }
342 346 ;
343 347
344 348 addrmask:
345 349 ipaddr '/' mask { $$[0] = $1; $$[1] = $3;
346 350 yyexpectaddr = 0;
347 351 }
348 352 | ipaddr { $$[0] = $1;
349 353 yyexpectaddr = 0;
350 354 if (set_ipv6_addr)
351 355 fill6bits(128, (u_32_t *)$$[1].in6.s6_addr);
352 356 else
353 357 $$[1].in4.s_addr = 0xffffffff;
354 358 }
355 359 ;
356 360
357 361 ipaddr: ipv4 { $$ = $1; }
358 362 | YY_NUMBER { $$.in4.s_addr = htonl($1); }
359 363 | YY_IPV6 { set_ipv6_addr = 1;
360 364 bcopy(&$1, &$$, sizeof($$));
361 365 yyexpectaddr = 0; }
362 366 | YY_STR { if (gethost($1, &$$, 0) == -1)
363 367 yyerror("Unknown hostname");
364 368 }
365 369 ;
366 370
367 371 mask: YY_NUMBER { if (set_ipv6_addr)
368 372 ntomask(6, $1, (u_32_t *)$$.in6.s6_addr);
369 373 else
370 374 ntomask(4, $1, (u_32_t *)&$$.in4.s_addr); }
371 375 | ipv4 { $$ = $1; }
372 376 ;
373 377
374 378 start: '{' { yyexpectaddr = 1; }
375 379 ;
376 380
377 381 end: '}' { yyexpectaddr = 0; }
378 382 ;
379 383
380 384 next: ',' { yyexpectaddr = 1; }
381 385 | ';' { yyexpectaddr = 1; }
382 386 ;
383 387
384 388 size: IPT_SIZE '=' YY_NUMBER { ipht.iph_size = $3; }
385 389 ;
386 390
387 391 seed: IPT_SEED '=' YY_NUMBER { ipht.iph_seed = $3; }
388 392 ;
389 393
390 394 ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER
391 395 { if ($1 > 255 || $3 > 255 || $5 > 255 || $7 > 255) {
392 396 yyerror("Invalid octet string for IP address");
393 397 return 0;
394 398 }
395 399 $$.in4.s_addr = ($1 << 24) | ($3 << 16) | ($5 << 8) | $7;
396 400 $$.in4.s_addr = htonl($$.in4.s_addr);
397 401 }
398 402 ;
399 403 %%
400 404 static wordtab_t yywords[] = {
401 405 { "auth", IPT_AUTH },
402 406 { "count", IPT_COUNT },
403 407 { "group", IPT_GROUP },
404 408 { "group-map", IPT_GROUPMAP },
405 409 { "hash", IPT_HASH },
406 410 { "in", IPT_IN },
407 411 { "ipf", IPT_IPF },
408 412 { "name", IPT_NAME },
409 413 { "nat", IPT_NAT },
410 414 { "number", IPT_NUM },
411 415 { "out", IPT_OUT },
412 416 { "role", IPT_ROLE },
413 417 { "seed", IPT_SEED },
414 418 { "size", IPT_SIZE },
415 419 { "table", IPT_TABLE },
416 420 { "tree", IPT_TREE },
417 421 { "type", IPT_TYPE },
418 422 { NULL, 0 }
419 423 };
420 424
421 425
422 426 int ippool_parsefile(fd, filename, iocfunc)
423 427 int fd;
424 428 char *filename;
425 429 ioctlfunc_t iocfunc;
426 430 {
427 431 FILE *fp = NULL;
428 432 char *s;
429 433
430 434 yylineNum = 1;
431 435 (void) yysettab(yywords);
432 436
433 437 s = getenv("YYDEBUG");
434 438 if (s)
435 439 yydebug = atoi(s);
436 440 else
437 441 yydebug = 0;
438 442
439 443 if (strcmp(filename, "-")) {
440 444 fp = fopen(filename, "r");
441 445 if (!fp) {
442 446 fprintf(stderr, "fopen(%s) failed: %s\n", filename,
443 447 STRERROR(errno));
444 448 return -1;
445 449 }
446 450 } else
447 451 fp = stdin;
448 452
449 453 while (ippool_parsesome(fd, fp, iocfunc) == 1)
450 454 ;
451 455 if (fp != NULL)
452 456 fclose(fp);
453 457 return 0;
454 458 }
455 459
456 460
457 461 int ippool_parsesome(fd, fp, iocfunc)
458 462 int fd;
459 463 FILE *fp;
460 464 ioctlfunc_t iocfunc;
461 465 {
462 466 char *s;
463 467 int i;
464 468
465 469 poolioctl = iocfunc;
466 470
467 471 if (feof(fp))
468 472 return 0;
469 473 i = fgetc(fp);
470 474 if (i == EOF)
471 475 return 0;
472 476 if (ungetc(i, fp) == EOF)
473 477 return 0;
474 478 if (feof(fp))
475 479 return 0;
476 480 s = getenv("YYDEBUG");
477 481 if (s)
478 482 yydebug = atoi(s);
479 483 else
480 484 yydebug = 0;
481 485
482 486 yyin = fp;
483 487 yyparse();
484 488 return 1;
485 489 }
|
↓ open down ↓ |
399 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX