1 /* $FreeBSD: src/lib/libipsec/policy_parse.y,v 1.1.2.1 2000/07/15 07:24:04 kris Exp $ */
2 /* $KAME: policy_parse.y,v 1.10 2000/05/07 05:25:03 itojun Exp $ */
5 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * IN/OUT bound policy configuration take place such below:
38 * <policy> is one of following:
39 * "discard", "none", "ipsec <requests>", "entrust", "bypass",
41 * The following requests are accepted as <requests>:
43 * protocol/mode/src-dst/level
44 * protocol/mode/src-dst parsed as protocol/mode/src-dst/default
45 * protocol/mode/src-dst/ parsed as protocol/mode/src-dst/default
46 * protocol/transport parsed as protocol/mode/any-any/default
47 * protocol/transport//level parsed as protocol/mode/any-any/level
49 * You can concatenate these requests with either ' '(single space) or '\n'.
53 #include <sys/types.h>
54 #include <sys/param.h>
55 #include <sys/socket.h>
57 #include <netinet/in.h>
58 #include <netinet6/ipsec.h>
65 #include "ipsec_strerror.h"
68 (isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10) ))
70 static caddr_t pbuf = NULL; /* sadb_x_policy buffer */
71 static int tlen = 0; /* total length of pbuf */
72 static int offset = 0; /* offset of pbuf */
73 static int p_dir, p_type, p_protocol, p_mode, p_level, p_reqid;
74 static struct sockaddr *p_src = NULL;
75 static struct sockaddr *p_dst = NULL;
78 extern void yyerror __P((char *msg));
79 static struct sockaddr *parse_sockaddr __P((struct _val *buf));
80 static int rule_check __P((void));
81 static int init_x_policy __P((void));
82 static int set_x_request __P((struct sockaddr *src, struct sockaddr *dst));
83 static int set_sockaddr __P((struct sockaddr *addr));
84 static void policy_parse_request_init __P((void));
85 static caddr_t policy_parse __P((char *msg, int msglen));
87 extern void __policy__strbuffer__init__ __P((char *msg));
88 extern int yyparse __P((void));
89 extern int yylex __P((void));
101 %token DIR ACTION PROTOCOL MODE LEVEL LEVEL_SPECIFY
105 %type <num> DIR ACTION PROTOCOL MODE LEVEL
106 %type <val> IPADDRESS LEVEL_SPECIFY
122 p_type = 0; /* ignored it by kernel */
132 if (rule_check() < 0)
135 if (set_x_request(p_src, p_dst) < 0)
138 policy_parse_request_init();
143 : protocol SLASH mode SLASH addresses SLASH level
144 | protocol SLASH mode SLASH addresses SLASH
145 | protocol SLASH mode SLASH addresses
146 | protocol SLASH mode SLASH
147 | protocol SLASH mode SLASH SLASH level
148 | protocol SLASH mode
150 __ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
154 __ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
160 : PROTOCOL { p_protocol = $1; }
164 : MODE { p_mode = $1; }
173 p_level = IPSEC_LEVEL_UNIQUE;
174 p_reqid = atol($1.buf); /* atol() is good. */
180 p_src = parse_sockaddr(&$1);
186 p_dst = parse_sockaddr(&$4);
191 if (p_dir != IPSEC_DIR_OUTBOUND) {
192 __ipsec_errcode = EIPSEC_INVAL_DIR;
197 if (p_dir != IPSEC_DIR_INBOUND) {
198 __ipsec_errcode = EIPSEC_INVAL_DIR;
213 extern char *__libipsecyytext; /*XXX*/
215 fprintf(stderr, "libipsec: %s while parsing \"%s\"\n",
216 msg, __libipsecyytext);
221 static struct sockaddr *
225 struct addrinfo hints, *res;
228 struct sockaddr *newaddr = NULL;
230 memset(&hints, 0, sizeof(hints));
231 hints.ai_family = PF_UNSPEC;
232 hints.ai_flags = AI_NUMERICHOST;
233 error = getaddrinfo(buf->buf, serv, &hints, &res);
235 yyerror("invalid IP address");
236 __ipsec_set_strerror(gai_strerror(error));
240 if (res->ai_addr == NULL) {
241 yyerror("invalid IP address");
242 __ipsec_set_strerror(gai_strerror(error));
246 newaddr = malloc(res->ai_addr->sa_len);
247 if (newaddr == NULL) {
248 __ipsec_errcode = EIPSEC_NO_BUFS;
252 memcpy(newaddr, res->ai_addr, res->ai_addr->sa_len);
256 __ipsec_errcode = EIPSEC_NO_ERROR;
263 if (p_type == IPSEC_POLICY_IPSEC) {
264 if (p_protocol == IPPROTO_IP) {
265 __ipsec_errcode = EIPSEC_NO_PROTO;
269 if (p_mode != IPSEC_MODE_TRANSPORT
270 && p_mode != IPSEC_MODE_TUNNEL) {
271 __ipsec_errcode = EIPSEC_INVAL_MODE;
275 if (p_src == NULL && p_dst == NULL) {
276 if (p_mode != IPSEC_MODE_TRANSPORT) {
277 __ipsec_errcode = EIPSEC_INVAL_ADDRESS;
281 else if (p_src->sa_family != p_dst->sa_family) {
282 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
287 __ipsec_errcode = EIPSEC_NO_ERROR;
294 struct sadb_x_policy *p;
296 tlen = sizeof(struct sadb_x_policy);
300 __ipsec_errcode = EIPSEC_NO_BUFS;
303 p = (struct sadb_x_policy *)pbuf;
304 p->sadb_x_policy_len = 0; /* must update later */
305 p->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
306 p->sadb_x_policy_type = p_type;
307 p->sadb_x_policy_dir = p_dir;
308 p->sadb_x_policy_reserved = 0;
311 __ipsec_errcode = EIPSEC_NO_ERROR;
316 set_x_request(src, dst)
317 struct sockaddr *src, *dst;
319 struct sadb_x_ipsecrequest *p;
323 + (src ? src->sa_len : 0)
324 + (dst ? dst->sa_len : 0);
325 tlen += reqlen; /* increment to total length */
327 pbuf = realloc(pbuf, tlen);
329 __ipsec_errcode = EIPSEC_NO_BUFS;
332 p = (struct sadb_x_ipsecrequest *)&pbuf[offset];
333 p->sadb_x_ipsecrequest_len = reqlen;
334 p->sadb_x_ipsecrequest_proto = p_protocol;
335 p->sadb_x_ipsecrequest_mode = p_mode;
336 p->sadb_x_ipsecrequest_level = p_level;
337 p->sadb_x_ipsecrequest_reqid = p_reqid;
338 offset += sizeof(*p);
340 if (set_sockaddr(src) || set_sockaddr(dst))
343 __ipsec_errcode = EIPSEC_NO_ERROR;
349 struct sockaddr *addr;
352 __ipsec_errcode = EIPSEC_NO_ERROR;
356 /* tlen has already incremented */
358 memcpy(&pbuf[offset], addr, addr->sa_len);
360 offset += addr->sa_len;
362 __ipsec_errcode = EIPSEC_NO_ERROR;
367 policy_parse_request_init()
369 p_protocol = IPPROTO_IP;
370 p_mode = IPSEC_MODE_ANY;
371 p_level = IPSEC_LEVEL_DEFAULT;
386 policy_parse(msg, msglen)
395 p_dir = IPSEC_DIR_INVALID;
396 p_type = IPSEC_POLICY_DISCARD;
397 policy_parse_request_init();
398 __policy__strbuffer__init__(msg);
400 error = yyparse(); /* it must be set errcode. */
407 /* update total length */
408 ((struct sadb_x_policy *)pbuf)->sadb_x_policy_len = PFKEY_UNIT64(tlen);
410 __ipsec_errcode = EIPSEC_NO_ERROR;
416 ipsec_set_policy(msg, msglen)
422 policy = policy_parse(msg, msglen);
423 if (policy == NULL) {
424 if (__ipsec_errcode == EIPSEC_NO_ERROR)
425 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
429 __ipsec_errcode = EIPSEC_NO_ERROR;
projects / dragonfly.git / blob