diff options
Diffstat (limited to 'freebsd/lib/libipsec/policy_parse.y')
-rw-r--r-- | freebsd/lib/libipsec/policy_parse.y | 438 |
1 files changed, 0 insertions, 438 deletions
diff --git a/freebsd/lib/libipsec/policy_parse.y b/freebsd/lib/libipsec/policy_parse.y deleted file mode 100644 index 46e54e55..00000000 --- a/freebsd/lib/libipsec/policy_parse.y +++ /dev/null @@ -1,438 +0,0 @@ -/* $KAME: policy_parse.y,v 1.14 2003/06/27 03:39:20 itojun Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* - * IN/OUT bound policy configuration take place such below: - * in <policy> - * out <policy> - * - * <policy> is one of following: - * "discard", "none", "ipsec <requests>", "entrust", "bypass", - * - * The following requests are accepted as <requests>: - * - * protocol/mode/src-dst/level - * protocol/mode/src-dst parsed as protocol/mode/src-dst/default - * protocol/mode/src-dst/ parsed as protocol/mode/src-dst/default - * protocol/transport parsed as protocol/mode/any-any/default - * protocol/transport//level parsed as protocol/mode/any-any/level - * - * You can concatenate these requests with either ' '(single space) or '\n'. - */ - -%{ -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - -#include <sys/types.h> -#include <sys/param.h> -#include <sys/socket.h> - -#include <netinet/in.h> -#include <netipsec/ipsec.h> - -#include <stdlib.h> -#include <stdio.h> -#include <string.h> -#include <netdb.h> - -#include "ipsec_strerror.h" - -#define ATOX(c) \ - (isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10) )) - -static caddr_t pbuf = NULL; /* sadb_x_policy buffer */ -static int tlen = 0; /* total length of pbuf */ -static int offset = 0; /* offset of pbuf */ -static int p_dir, p_type, p_protocol, p_mode, p_level, p_reqid; -static struct sockaddr *p_src = NULL; -static struct sockaddr *p_dst = NULL; - -struct _val; -extern void yyerror(char *msg); -static struct sockaddr *parse_sockaddr(struct _val *buf); -static int rule_check(void); -static int init_x_policy(void); -static int set_x_request(struct sockaddr *src, struct sockaddr *dst); -static int set_sockaddr(struct sockaddr *addr); -static void policy_parse_request_init(void); -static caddr_t policy_parse(char *msg, int msglen); - -extern void __policy__strbuffer__init__(char *msg); -extern void __policy__strbuffer__free__(void); -extern int yylex(void); - -extern char *__libipsecyytext; /*XXX*/ - -%} - -%union { - u_int num; - struct _val { - int len; - char *buf; - } val; -} - -%token DIR ACTION PROTOCOL MODE LEVEL LEVEL_SPECIFY -%token IPADDRESS -%token ME ANY -%token SLASH HYPHEN -%type <num> DIR ACTION PROTOCOL MODE LEVEL -%type <val> IPADDRESS LEVEL_SPECIFY - -%% -policy_spec - : DIR ACTION - { - p_dir = $1; - p_type = $2; - - if (init_x_policy()) - return -1; - } - rules - | DIR - { - p_dir = $1; - p_type = 0; /* ignored it by kernel */ - - if (init_x_policy()) - return -1; - } - ; - -rules - : /*NOTHING*/ - | rules rule { - if (rule_check() < 0) - return -1; - - if (set_x_request(p_src, p_dst) < 0) - return -1; - - policy_parse_request_init(); - } - ; - -rule - : protocol SLASH mode SLASH addresses SLASH level - | protocol SLASH mode SLASH addresses SLASH - | protocol SLASH mode SLASH addresses - | protocol SLASH mode SLASH - | protocol SLASH mode SLASH SLASH level - | protocol SLASH mode - | protocol SLASH { - __ipsec_errcode = EIPSEC_FEW_ARGUMENTS; - return -1; - } - | protocol { - __ipsec_errcode = EIPSEC_FEW_ARGUMENTS; - return -1; - } - ; - -protocol - : PROTOCOL { p_protocol = $1; } - ; - -mode - : MODE { p_mode = $1; } - ; - -level - : LEVEL { - p_level = $1; - p_reqid = 0; - } - | LEVEL_SPECIFY { - p_level = IPSEC_LEVEL_UNIQUE; - p_reqid = atol($1.buf); /* atol() is good. */ - } - ; - -addresses - : IPADDRESS { - p_src = parse_sockaddr(&$1); - if (p_src == NULL) - return -1; - } - HYPHEN - IPADDRESS { - p_dst = parse_sockaddr(&$4); - if (p_dst == NULL) - return -1; - } - | ME HYPHEN ANY { - if (p_dir != IPSEC_DIR_OUTBOUND) { - __ipsec_errcode = EIPSEC_INVAL_DIR; - return -1; - } - } - | ANY HYPHEN ME { - if (p_dir != IPSEC_DIR_INBOUND) { - __ipsec_errcode = EIPSEC_INVAL_DIR; - return -1; - } - } - /* - | ME HYPHEN ME - */ - ; - -%% - -void -yyerror(msg) - char *msg; -{ - fprintf(stderr, "libipsec: %s while parsing \"%s\"\n", - msg, __libipsecyytext); - - return; -} - -static struct sockaddr * -parse_sockaddr(buf) - struct _val *buf; -{ - struct addrinfo hints, *res; - char *serv = NULL; - int error; - struct sockaddr *newaddr = NULL; - - memset(&hints, 0, sizeof(hints)); - hints.ai_family = PF_UNSPEC; - hints.ai_flags = AI_NUMERICHOST; - error = getaddrinfo(buf->buf, serv, &hints, &res); - if (error != 0) { - yyerror("invalid IP address"); - __ipsec_set_strerror(gai_strerror(error)); - return NULL; - } - - if (res->ai_addr == NULL) { - yyerror("invalid IP address"); - __ipsec_set_strerror(gai_strerror(error)); - return NULL; - } - - newaddr = malloc(res->ai_addr->sa_len); - if (newaddr == NULL) { - __ipsec_errcode = EIPSEC_NO_BUFS; - freeaddrinfo(res); - return NULL; - } - memcpy(newaddr, res->ai_addr, res->ai_addr->sa_len); - - freeaddrinfo(res); - - __ipsec_errcode = EIPSEC_NO_ERROR; - return newaddr; -} - -static int -rule_check() -{ - if (p_type == IPSEC_POLICY_IPSEC) { - if (p_protocol == IPPROTO_IP) { - __ipsec_errcode = EIPSEC_NO_PROTO; - return -1; - } - - if (p_mode != IPSEC_MODE_TRANSPORT - && p_mode != IPSEC_MODE_TUNNEL) { - __ipsec_errcode = EIPSEC_INVAL_MODE; - return -1; - } - - if (p_src == NULL && p_dst == NULL) { - if (p_mode != IPSEC_MODE_TRANSPORT) { - __ipsec_errcode = EIPSEC_INVAL_ADDRESS; - return -1; - } - } - else if (p_src->sa_family != p_dst->sa_family) { - __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; - return -1; - } - } - - __ipsec_errcode = EIPSEC_NO_ERROR; - return 0; -} - -static int -init_x_policy() -{ - struct sadb_x_policy *p; - - tlen = sizeof(struct sadb_x_policy); - - pbuf = malloc(tlen); - if (pbuf == NULL) { - __ipsec_errcode = EIPSEC_NO_BUFS; - return -1; - } - memset(pbuf, 0, tlen); - p = (struct sadb_x_policy *)pbuf; - p->sadb_x_policy_len = 0; /* must update later */ - p->sadb_x_policy_exttype = SADB_X_EXT_POLICY; - p->sadb_x_policy_type = p_type; - p->sadb_x_policy_dir = p_dir; - p->sadb_x_policy_id = 0; - - offset = tlen; - - __ipsec_errcode = EIPSEC_NO_ERROR; - return 0; -} - -static int -set_x_request(src, dst) - struct sockaddr *src, *dst; -{ - struct sadb_x_ipsecrequest *p; - int reqlen; - - reqlen = sizeof(*p) - + (src ? src->sa_len : 0) - + (dst ? dst->sa_len : 0); - tlen += reqlen; /* increment to total length */ - - pbuf = realloc(pbuf, tlen); - if (pbuf == NULL) { - __ipsec_errcode = EIPSEC_NO_BUFS; - return -1; - } - p = (struct sadb_x_ipsecrequest *)&pbuf[offset]; - p->sadb_x_ipsecrequest_len = reqlen; - p->sadb_x_ipsecrequest_proto = p_protocol; - p->sadb_x_ipsecrequest_mode = p_mode; - p->sadb_x_ipsecrequest_level = p_level; - p->sadb_x_ipsecrequest_reqid = p_reqid; - offset += sizeof(*p); - - if (set_sockaddr(src) || set_sockaddr(dst)) - return -1; - - __ipsec_errcode = EIPSEC_NO_ERROR; - return 0; -} - -static int -set_sockaddr(addr) - struct sockaddr *addr; -{ - if (addr == NULL) { - __ipsec_errcode = EIPSEC_NO_ERROR; - return 0; - } - - /* tlen has already incremented */ - - memcpy(&pbuf[offset], addr, addr->sa_len); - - offset += addr->sa_len; - - __ipsec_errcode = EIPSEC_NO_ERROR; - return 0; -} - -static void -policy_parse_request_init() -{ - p_protocol = IPPROTO_IP; - p_mode = IPSEC_MODE_ANY; - p_level = IPSEC_LEVEL_DEFAULT; - p_reqid = 0; - if (p_src != NULL) { - free(p_src); - p_src = NULL; - } - if (p_dst != NULL) { - free(p_dst); - p_dst = NULL; - } - - return; -} - -static caddr_t -policy_parse(msg, msglen) - char *msg; - int msglen; -{ - int error; - pbuf = NULL; - tlen = 0; - - /* initialize */ - p_dir = IPSEC_DIR_INVALID; - p_type = IPSEC_POLICY_DISCARD; - policy_parse_request_init(); - __policy__strbuffer__init__(msg); - - error = yyparse(); /* it must be set errcode. */ - __policy__strbuffer__free__(); - - if (error) { - if (pbuf != NULL) - free(pbuf); - return NULL; - } - - /* update total length */ - ((struct sadb_x_policy *)pbuf)->sadb_x_policy_len = PFKEY_UNIT64(tlen); - - __ipsec_errcode = EIPSEC_NO_ERROR; - - return pbuf; -} - -caddr_t -ipsec_set_policy(msg, msglen) - char *msg; - int msglen; -{ - caddr_t policy; - - policy = policy_parse(msg, msglen); - if (policy == NULL) { - if (__ipsec_errcode == EIPSEC_NO_ERROR) - __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; - return NULL; - } - - __ipsec_errcode = EIPSEC_NO_ERROR; - return policy; -} - |