npf_parse.y revision 1.27 1 /* $NetBSD: npf_parse.y,v 1.27 2013/11/08 00:38:26 rmind Exp $ */
2
3 /*-
4 * Copyright (c) 2011-2013 The NetBSD Foundation, Inc.
5 * All rights reserved.
6 *
7 * This code is derived from software contributed to The NetBSD Foundation
8 * by Martin Husemann, Christos Zoulas and Mindaugas Rasiukevicius.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
20 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
21 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
22 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
23 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE.
30 */
31
32 %{
33
34 #include <stdio.h>
35 #include <err.h>
36 #include <vis.h>
37 #include <netdb.h>
38
39 #include "npfctl.h"
40
#define YYSTACKSIZE 4096	/* depth of the generated parser's stack */

/*
 * What the caller asked us to parse: NPFCTL_PARSE_FILE (a whole
 * configuration) or NPFCTL_PARSE_STRING (one rule).  Checked by the
 * CHECK_PARSER_* macros below.  yyfilename is only read by yyerror()
 * for diagnostics; it is assumed to be set before yyparse() (TODO confirm
 * the string-parsing caller sets it too, fprintf("%s", NULL) is UB).
 */
int yyparsetarget;
const char * yyfilename;

/* Supplied by the lexer: current position and the token reader. */
extern int yylineno, yycolumn;
extern int yylex(void);

/*
 * Variable under construction (bottom up): set by the "def" rule and
 * appended to by each "list_elem" action until the definition is done.
 */
static npfvar_t * cvar;
51
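/*
 * yyerror: report a parse error at the current lexer position and exit.
 *
 * fmt, ...	printf-style message.  Every call site in this file passes
 *		a string literal; keep it that way (the prototype in
 *		npfctl.h is expected to carry __printflike for that).
 *
 * The offending token (yytext) is echoed back through strvisx(), so
 * control characters and other non-printables coming from the
 * configuration file cannot reach the terminal unescaped.  Never returns.
 */
void
yyerror(const char *fmt, ...)
{
	extern int yyleng;
	extern char *yytext;

	/* Copy the offending token before anything else is done. */
	char *msg, *context = estrndup(yytext, yyleng);
	bool eol = (*context == '\n');
	va_list ap;

	va_start(ap, fmt);
	if (vasprintf(&msg, fmt, ap) == -1) {
		/*
		 * Allocation failed: msg is unspecified in that case, so do
		 * not print it.  Fall back to the raw format string rather
		 * than losing the diagnostic entirely.
		 */
		msg = NULL;
	}
	va_end(ap);

	/*
	 * When the lexer stopped on a newline, the error belongs to the
	 * previous line and there is no token worth echoing.
	 */
	fprintf(stderr, "%s:%d:%d: %s", yyfilename,
	    yylineno - (int)eol, yycolumn, msg != NULL ? msg : fmt);
	if (!eol) {
		size_t len = strlen(context);
		/* strvisx() emits at most 4 bytes per input byte, plus NUL. */
		char *dst = ecalloc(1, len * 4 + 1);

		strvisx(dst, context, len, VIS_WHITE|VIS_CSTYLE);
		fprintf(stderr, " near '%s'", dst);
	}
	fprintf(stderr, "\n");
	/* No cleanup: the process ends here, so msg/context/dst are moot. */
	exit(EXIT_FAILURE);
}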
78
/*
 * Guards for the two entry points of the grammar: a whole configuration
 * file (where rules must sit inside a group) versus a single rule handed
 * in as a string.  They are expanded inside a braced mid-rule action
 * ("{ CHECK_PARSER_FILE }") and carry their own trailing semicolon, so
 * they are deliberately not do/while-wrapped.  yyerror() does not return.
 */
#define CHECK_PARSER_FILE \
	if (yyparsetarget != NPFCTL_PARSE_FILE) \
		yyerror("rule must be in the group");

#define CHECK_PARSER_STRING \
	if (yyparsetarget != NPFCTL_PARSE_STRING) \
		yyerror("invalid rule syntax");
86
87 %}
88
89 %token ALG
90 %token ALL
91 %token ANY
92 %token APPLY
93 %token ARROWBOTH
94 %token ARROWLEFT
95 %token ARROWRIGHT
96 %token BLOCK
97 %token CURLY_CLOSE
98 %token CURLY_OPEN
99 %token CODE
100 %token COLON
101 %token COMMA
102 %token DEFAULT
103 %token TDYNAMIC
104 %token TSTATIC
105 %token EQ
106 %token TFILE
107 %token FLAGS
108 %token FROM
109 %token GROUP
110 %token HASH
111 %token ICMPTYPE
112 %token ID
113 %token IFNET
114 %token IN
115 %token INET
116 %token INET6
117 %token INTERFACE
118 %token MAP
119 %token MINUS
120 %token NAME
121 %token ON
122 %token OUT
123 %token PAR_CLOSE
124 %token PAR_OPEN
125 %token PASS
126 %token PCAP_FILTER
127 %token PORT
128 %token PROCEDURE
129 %token PROTO
130 %token FAMILY
131 %token FINAL
132 %token FORW
133 %token RETURN
134 %token RETURNICMP
135 %token RETURNRST
136 %token RULESET
137 %token SEPLINE
138 %token SLASH
139 %token STATEFUL
140 %token TABLE
141 %token TCP
142 %token TO
143 %token TREE
144 %token TYPE
145 %token <num> ICMP
146 %token <num> ICMP6
147
148 %token <num> HEX
149 %token <str> IDENTIFIER
150 %token <str> IPV4ADDR
151 %token <str> IPV6ADDR
152 %token <num> NUM
153 %token <fpnum> FPNUM
154 %token <str> STRING
155 %token <str> TABLE_ID
156 %token <str> VAR_ID
157
158 %type <str> addr, some_name, list_elem, table_store, string
159 %type <str> proc_param_val, opt_apply, ifname, on_ifname
160 %type <num> port, opt_final, number, afamily, opt_family
161 %type <num> block_or_pass, rule_dir, group_dir, block_opts
162 %type <num> opt_stateful, icmp_type, table_type, map_sd, map_type
163 %type <var> ifnet, addr_or_ifnet, port_range, icmp_type_and_code
164 %type <var> filt_addr, addr_and_mask, tcp_flags, tcp_flags_and_mask
165 %type <var> procs, proc_call, proc_param_list, proc_param
166 %type <addrport> mapseg
167 %type <filtopts> filt_opts, all_or_filt_opts
168 %type <optproto> opt_proto
169 %type <rulegroup> group_opts
170
/* Semantic value carried by tokens and nonterminals (see %token/%type). */
%union {
	char *		str;		/* string-valued token or nonterminal */
	unsigned long	num;		/* numbers, and OR-able flag/enum codes */
	double		fpnum;		/* FPNUM token */
	npfvar_t *	var;		/* element list built by npfvar_*() */
	addr_port_t	addrport;	/* address plus port range (mapseg) */
	filt_opts_t	filtopts;	/* "from"/"to" filter options */
	opt_proto_t	optproto;	/* protocol number plus sub-options */
	rule_group_t	rulegroup;	/* group name, attributes, interface */
}
181
182 %%
183
input
	/*
	 * Start symbol.  The mid-rule action verifies that the form being
	 * parsed matches what the caller requested in yyparsetarget.
	 */
	: { CHECK_PARSER_FILE } lines
	| { CHECK_PARSER_STRING } rule
	;
188
lines
	/* One or more lines, separated by SEPLINE (right-recursive). */
	: line SEPLINE lines
	| line
	;
193
line
	/* Top-level statement of a configuration file; may be empty. */
	: def
	| table
	| map
	| group
	| rproc
	| alg
	|
	;
203
def
	/*
	 * Variable definition: "$name = value" or "$name = { list }".
	 * The variable is created and registered before the right-hand
	 * side is parsed; the list_elem actions append to it via cvar,
	 * which is reset once the definition is complete.
	 */
	: VAR_ID
	{
		cvar = npfvar_create($1);
		npfvar_add(cvar);
	}
	EQ definition
	{
		cvar = NULL;
	}
	;
215
definition
	/* Right-hand side of a variable: a single element or a braced list. */
	: list_elem
	| listdef
	;
220
listdef
	/* "{ elem, elem, ... }" */
	: CURLY_OPEN list_elems CURLY_CLOSE
	;
224
list_elems
	/* Comma-separated, non-empty list of elements. */
	: list_elem COMMA list_elems
	| list_elem
	;
229
list_elem
	/*
	 * One element of a variable definition.  Each alternative builds a
	 * temporary npfvar holding a single typed element and merges it into
	 * the variable under construction (cvar).  The element data passed
	 * to npfvar_add_element() must be copied by it: &$1 points into the
	 * parser stack and $1 strings come from the lexer (TODO confirm).
	 */
	: IDENTIFIER
	{
		npfvar_t *vp = npfvar_create(".identifier");
		npfvar_add_element(vp, NPFVAR_IDENTIFIER, $1, strlen($1) + 1);
		npfvar_add_elements(cvar, vp);
	}
	| STRING
	{
		npfvar_t *vp = npfvar_create(".string");
		npfvar_add_element(vp, NPFVAR_STRING, $1, strlen($1) + 1);
		npfvar_add_elements(cvar, vp);
	}
	| number MINUS number
	{
		/* "N-M": stored as a port range. */
		npfvar_t *vp = npfctl_parse_port_range($1, $3);
		npfvar_add_elements(cvar, vp);
	}
	| number
	{
		npfvar_t *vp = npfvar_create(".num");
		npfvar_add_element(vp, NPFVAR_NUM, &$1, sizeof($1));
		npfvar_add_elements(cvar, vp);
	}
	| VAR_ID
	{
		/* Reference to another variable, resolved later by the user. */
		npfvar_t *vp = npfvar_create(".var_id");
		npfvar_add_element(vp, NPFVAR_VAR_ID, $1, strlen($1) + 1);
		npfvar_add_elements(cvar, vp);
	}
	| ifnet
	{
		npfvar_add_elements(cvar, $1);
	}
	| addr_and_mask
	{
		npfvar_add_elements(cvar, $1);
	}
	;
269
table
	/*
	 * "table <id> type hash|tree dynamic|file "path"".
	 * table_store is NULL for a dynamic table, else the file name.
	 */
	: TABLE TABLE_ID TYPE table_type table_store
	{
		npfctl_build_table($2, $4, $5);
	}
	;
276
table_type
	/* Table storage kind. */
	: HASH { $$ = NPF_TABLE_HASH; }
	| TREE { $$ = NPF_TABLE_TREE; }
	;
281
table_store
	/* Where a table is populated from: NULL (dynamic) or a file name. */
	: TDYNAMIC { $$ = NULL; }
	| TFILE STRING { $$ = $2; }
	;
286
map_sd
	/* NAT kind; the empty alternative makes "dynamic" the default. */
	: TSTATIC { $$ = NPFCTL_NAT_STATIC; }
	| TDYNAMIC { $$ = NPFCTL_NAT_DYNAMIC; }
	| { $$ = NPFCTL_NAT_DYNAMIC; }
	;
292
map_type
	/* Translation direction: "<->" both ways, "<-" inbound, "->" outbound. */
	: ARROWBOTH { $$ = NPF_NATIN | NPF_NATOUT; }
	| ARROWLEFT { $$ = NPF_NATIN; }
	| ARROWRIGHT { $$ = NPF_NATOUT; }
	;
298
mapseg
	/* One side of a NAT mapping: address (or interface) plus optional ports. */
	: addr_or_ifnet port_range
	{
		$$.ap_netaddr = $1;
		$$.ap_portrange = $2;
	}
	;
306
map
	/*
	 * NAT policy.  The first two forms describe a translation segment
	 * ("map ifname [static|dynamic] seg <-> seg"), optionally restricted
	 * by "pass <filter options>" (NULL when absent).  The third form
	 * declares a NAT ruleset to be filled in dynamically.
	 */
	: MAP ifname map_sd mapseg map_type mapseg PASS filt_opts
	{
		npfctl_build_natseg($3, $5, $2, &$4, &$6, &$8);
	}
	| MAP ifname map_sd mapseg map_type mapseg
	{
		npfctl_build_natseg($3, $5, $2, &$4, &$6, NULL);
	}
	| MAP RULESET group_opts
	{
		npfctl_build_maprset($3.rg_name, $3.rg_attr, $3.rg_ifname);
	}
	;
321
rproc
	/* "procedure "name" { call: params ; ... }" */
	: PROCEDURE STRING CURLY_OPEN procs CURLY_CLOSE
	{
		npfctl_build_rproc($2, $4);
	}
	;
328
alg
	/* "alg "name"": enable an application-level gateway by name. */
	: ALG STRING
	{
		npfctl_build_alg($2);
	}
	;
335
procs
	/*
	 * Procedure body: calls separated by SEPLINE, concatenated into one
	 * list.  A proc_call may be NULL (empty line); how
	 * npfvar_add_elements() treats NULL operands is not visible here.
	 */
	: proc_call SEPLINE procs
	{
		$$ = npfvar_add_elements($1, $3);
	}
	| proc_call { $$ = $1; }
	;
343
proc_call
	/*
	 * "name: param value, ...".  The proc_call_t is copied by value into
	 * the npfvar; the name is duplicated, the option list is handed over.
	 * An empty line yields NULL.
	 */
	: IDENTIFIER COLON proc_param_list
	{
		proc_call_t pc;

		pc.pc_name = estrdup($1);
		pc.pc_opts = $3;
		$$ = npfvar_create(".proc_call");
		npfvar_add_element($$, NPFVAR_PROC, &pc, sizeof(pc));
	}
	| { $$ = NULL; }
	;
356
proc_param_list
	/* Comma-separated parameters of a procedure call; may be empty (NULL). */
	: proc_param COMMA proc_param_list
	{
		$$ = npfvar_add_elements($1, $3);
	}
	| proc_param { $$ = $1; }
	| { $$ = NULL; }
	;
365
proc_param
	/*
	 * Key and value pair.  Both strings are duplicated so the element
	 * owns its copies; a missing value is stored as NULL.
	 */
	: some_name proc_param_val
	{
		proc_param_t pp;

		pp.pp_param = estrdup($1);
		pp.pp_value = $2 ? estrdup($2) : NULL;
		$$ = npfvar_create(".proc_param");
		npfvar_add_element($$, NPFVAR_PROC_PARAM, &pp, sizeof(pp));
	}
	;
378
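proc_param_val
	/*
	 * Optional value of a procedure parameter, delivered as a string
	 * (NULL when absent).  Numbers are rendered to text here.
	 */
	: some_name { $$ = $1; }
	| number
	{
		/*
		 * 'number' is an unsigned long (see %union), so format it
		 * with %lu; %ld would print large values as negatives.  A
		 * failed asprintf() must not leave $$ unspecified, so treat
		 * it like the e*() allocators do and abort.
		 */
		if (asprintf(&$$, "%lu", $1) == -1)
			err(EXIT_FAILURE, "asprintf");
	}
	| FPNUM
	{
		if (asprintf(&$$, "%lf", $1) == -1)
			err(EXIT_FAILURE, "asprintf");
	}
	| { $$ = NULL; }
	;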
385
group
	/*
	 * "group <opts> { rules }".  The group is opened by the mid-rule
	 * action before its body is parsed, so nested rules attach to it,
	 * and closed once the block is complete.
	 */
	: GROUP group_opts
	{
		/* Build a group. Increases the nesting level. */
		npfctl_build_group($2.rg_name, $2.rg_attr,
		    $2.rg_ifname, $2.rg_default);
	}
	ruleset_block
	{
		/* Decrease the nesting level. */
		npfctl_build_group_end();
	}
	;
399
ruleset
	/*
	 * "ruleset <opts>": a group with no static body, flagged dynamic so
	 * rules can be added at run time.  Opened and closed immediately.
	 */
	: RULESET group_opts
	{
		/* Ruleset is a dynamic group. */
		npfctl_build_group($2.rg_name, $2.rg_attr | NPF_RULE_DYNAMIC,
		    $2.rg_ifname, $2.rg_default);
		npfctl_build_group_end();
	}
	;
409
group_dir
	/* Group direction: "forw" (forwarding) or the rule directions. */
	: FORW { $$ = NPF_RULE_FORW; }
	| rule_dir
	;
414
group_opts
	/*
	 * Either the "default" group or a named one with a direction and an
	 * optional "on <interface>".  The struct is zeroed first so unset
	 * fields are NULL/0/false.  rg_name aliases the STRING token.
	 */
	: DEFAULT
	{
		memset(&$$, 0, sizeof(rule_group_t));
		$$.rg_default = true;
	}
	| STRING group_dir on_ifname
	{
		memset(&$$, 0, sizeof(rule_group_t));
		$$.rg_name = $1;
		$$.rg_attr = $2;
		$$.rg_ifname = $3;
	}
	;
429
ruleset_block
	/* Braced body of a group. */
	: CURLY_OPEN ruleset_def CURLY_CLOSE
	;
433
ruleset_def
	/* Lines inside a group, separated by SEPLINE. */
	: rule_group SEPLINE ruleset_def
	| rule_group
	;
438
rule_group
	/* One line of a group body: a rule, a nested group, a ruleset, or nothing. */
	: rule
	| group
	| ruleset
	|
	;
445
rule
	/*
	 * A single filter rule.  The first four symbols are bit flags that
	 * are OR'ed into the rule attributes: block/pass (plus return
	 * options), stateful, direction and final.  Two forms exist:
	 * structured options (family, proto, from/to) or a pcap-filter
	 * expression passed through verbatim as a string.
	 */
	: block_or_pass opt_stateful rule_dir opt_final on_ifname
	  opt_family opt_proto all_or_filt_opts opt_apply
	{
		npfctl_build_rule($1 | $2 | $3 | $4, $5,
		    $6, &$7, &$8, NULL, $9);
	}
	| block_or_pass opt_stateful rule_dir opt_final on_ifname
	  PCAP_FILTER STRING opt_apply
	{
		/* No family/proto/address options: the filter string decides. */
		npfctl_build_rule($1 | $2 | $3 | $4, $5,
		    AF_UNSPEC, NULL, NULL, $7, $8);
	}
	;
460
block_or_pass
	/* Rule action; "block" may carry return-rst/return-icmp/return flags. */
	: BLOCK block_opts { $$ = $2; }
	| PASS { $$ = NPF_RULE_PASS; }
	;
465
rule_dir
	/* "in", "out", or nothing, which means both directions. */
	: IN { $$ = NPF_RULE_IN; }
	| OUT { $$ = NPF_RULE_OUT; }
	| { $$ = NPF_RULE_IN | NPF_RULE_OUT; }
	;
471
opt_final
	/* Optional "final" flag; 0 when absent. */
	: FINAL { $$ = NPF_RULE_FINAL; }
	| { $$ = 0; }
	;
476
on_ifname
	/* Optional "on <interface>"; NULL when absent. */
	: ON ifname { $$ = $2; }
	| { $$ = NULL; }
	;
481
afamily
	/* Address family keyword mapped to its socket constant. */
	: INET { $$ = AF_INET; }
	| INET6 { $$ = AF_INET6; }
	;
486
opt_family
	/* Optional "family inet|inet6"; AF_UNSPEC when absent. */
	: FAMILY afamily { $$ = $2; }
	| { $$ = AF_UNSPEC; }
	;
491
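opt_proto
	/*
	 * Optional "proto ..." clause.  op_proto is the IP protocol number
	 * (-1 when no clause is given); op_opts carries the TCP flag or
	 * ICMP type/code sub-options and is NULL when there are none.
	 */
	: PROTO TCP tcp_flags_and_mask
	{
		$$.op_proto = IPPROTO_TCP;
		$$.op_opts = $3;
	}
	| PROTO ICMP icmp_type_and_code
	{
		$$.op_proto = IPPROTO_ICMP;
		$$.op_opts = $3;
	}
	| PROTO ICMP6 icmp_type_and_code
	{
		$$.op_proto = IPPROTO_ICMPV6;
		$$.op_opts = $3;
	}
	| PROTO some_name
	{
		/* Symbolic protocol name, resolved by npfctl_protono(). */
		$$.op_proto = npfctl_protono($2);
		$$.op_opts = NULL;
	}
	| PROTO number
	{
		/*
		 * The IP protocol field is 8 bits wide.  Reject larger
		 * numbers here: op_proto is narrower than 'number' (it
		 * holds -1 below), and a silently narrowed value would
		 * produce a rule that matches the wrong protocol or none.
		 */
		if ($2 >= IPPROTO_MAX)
			yyerror("invalid protocol number %lu", $2);
		$$.op_proto = $2;
		$$.op_opts = NULL;
	}
	|
	{
		$$.op_proto = -1;
		$$.op_opts = NULL;
	}
	;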
524
all_or_filt_opts
	/* "all" (no address/port constraints, every field NULL) or from/to options. */
	: ALL
	{
		$$.fo_from.ap_netaddr = NULL;
		$$.fo_from.ap_portrange = NULL;
		$$.fo_to.ap_netaddr = NULL;
		$$.fo_to.ap_portrange = NULL;
	}
	| filt_opts { $$ = $1; }
	;
535
opt_stateful
	/* Optional "stateful" flag; 0 when absent. */
	: STATEFUL { $$ = NPF_RULE_STATEFUL; }
	| { $$ = 0; }
	;
540
opt_apply
	/* Optional "apply "procedure"" reference; NULL when absent. */
	: APPLY STRING { $$ = $2; }
	| { $$ = NULL; }
	;
545
block_opts
	/*
	 * Response sent for a blocked packet: TCP RST, ICMP unreachable,
	 * both ("return"), or none (plain "block", 0).
	 */
	: RETURNRST { $$ = NPF_RULE_RETRST; }
	| RETURNICMP { $$ = NPF_RULE_RETICMP; }
	| RETURN { $$ = NPF_RULE_RETRST | NPF_RULE_RETICMP; }
	| { $$ = 0; }
	;
552
filt_opts
	/*
	 * "from <addr> [port ...]" and/or "to <addr> [port ...]".  At least
	 * one side must be present; the missing side has NULL fields.
	 */
	: FROM filt_addr port_range TO filt_addr port_range
	{
		$$.fo_from.ap_netaddr = $2;
		$$.fo_from.ap_portrange = $3;
		$$.fo_to.ap_netaddr = $5;
		$$.fo_to.ap_portrange = $6;
	}
	| FROM filt_addr port_range
	{
		$$.fo_from.ap_netaddr = $2;
		$$.fo_from.ap_portrange = $3;
		$$.fo_to.ap_netaddr = NULL;
		$$.fo_to.ap_portrange = NULL;
	}
	| TO filt_addr port_range
	{
		$$.fo_from.ap_netaddr = NULL;
		$$.fo_from.ap_portrange = NULL;
		$$.fo_to.ap_netaddr = $2;
		$$.fo_to.ap_portrange = $3;
	}
	;
576
filt_addr
	/* Address operand of from/to: address list, a table reference, or "any" (NULL). */
	: addr_or_ifnet { $$ = $1; }
	| TABLE_ID { $$ = npfctl_parse_table_id($1); }
	| ANY { $$ = NULL; }
	;
582
addr_and_mask
	/*
	 * Address with an optional prefix length ("/N") or netmask
	 * ("/addr").  Validation of the number, mask and family
	 * consistency is left to npfctl_parse_fam_addr_mask().
	 */
	: addr SLASH number
	{
		$$ = npfctl_parse_fam_addr_mask($1, NULL, &$3);
	}
	| addr SLASH addr
	{
		$$ = npfctl_parse_fam_addr_mask($1, $3, NULL);
	}
	| addr
	{
		$$ = npfctl_parse_fam_addr_mask($1, NULL, NULL);
	}
	;
597
addr_or_ifnet
	/*
	 * An address list: a literal address/mask, an interface expression,
	 * or a variable holding either.  Always yields a non-NULL npfvar
	 * of NPFVAR_FAM elements (or exits through yyerror()).
	 */
	: addr_and_mask
	{
		assert($1 != NULL);
		$$ = $1;
	}
	| ifnet
	{
		/* Use the addresses resolved for the interface. */
		ifnet_addr_t *ifna = npfvar_get_data($1, NPFVAR_INTERFACE, 0);
		$$ = ifna->ifna_addrs;
	}
	| VAR_ID
	{
		npfvar_t *vp = npfvar_lookup($1);
		int type = npfvar_get_type(vp, 0);
		ifnet_addr_t *ifna;

		/*
		 * Dispatch on the type of the variable's first element.  A
		 * string/identifier is taken as an interface name, parsed,
		 * and re-dispatched once via 'again' (expected to land in
		 * the NPFVAR_INTERFACE case).  The error cases leave $$
		 * unset, which is fine only because yyerror() exits.
		 */
	again:
		switch (type) {
		case NPFVAR_IDENTIFIER:
		case NPFVAR_STRING:
			vp = npfctl_parse_ifnet(npfvar_expand_string(vp),
			    AF_UNSPEC);
			type = npfvar_get_type(vp, 0);
			goto again;
		case NPFVAR_FAM:
			$$ = vp;
			break;
		case NPFVAR_INTERFACE:
			ifna = npfvar_get_data(vp, type, 0);
			$$ = ifna->ifna_addrs;
			break;
		case -1:
			yyerror("undefined variable '%s'", $1);
			break;
		default:
			yyerror("wrong variable '%s' type '%s' for address "
			    "or interface", $1, npfvar_type(type));
			break;
		}
	}
	;
640
addr
	/* Literal IPv4 or IPv6 address text, as produced by the lexer. */
	: IPV4ADDR { $$ = $1; }
	| IPV6ADDR { $$ = $1; }
	;
645
port_range
	/*
	 * Optional port constraint: a single port (range of one), an
	 * explicit range, or a variable.  NULL when absent.
	 */
	: PORT port /* just port */
	{
		$$ = npfctl_parse_port_range($2, $2);
	}
	| PORT port MINUS port /* port from-to */
	{
		$$ = npfctl_parse_port_range($2, $4);
	}
	| PORT VAR_ID
	{
		$$ = npfctl_parse_port_range_variable($2);
	}
	|
	{
		$$ = NULL;
	}
	;
664
port
	/* Port number, or a service name (bare or quoted) resolved by npfctl_portno(). */
	: number { $$ = $1; }
	| IDENTIFIER { $$ = npfctl_portno($1); }
	| STRING { $$ = npfctl_portno($1); }
	;
670
icmp_type_and_code
	/*
	 * Optional "icmp-type <type> [code <code>]".  $<num>0 reaches below
	 * this nonterminal on the parser stack for the ICMP/ICMP6 token
	 * value from opt_proto, which selects the v4 or v6 name tables;
	 * this only works because opt_proto is the sole user.  NULL when
	 * absent; a missing code is passed as -1.
	 */
	: ICMPTYPE icmp_type
	{
		$$ = npfctl_parse_icmp($<num>0, $2, -1);
	}
	| ICMPTYPE icmp_type CODE number
	{
		$$ = npfctl_parse_icmp($<num>0, $2, $4);
	}
	| ICMPTYPE icmp_type CODE IDENTIFIER
	{
		$$ = npfctl_parse_icmp($<num>0, $2,
		    npfctl_icmpcode($<num>0, $2, $4));
	}
	| ICMPTYPE icmp_type CODE VAR_ID
	{
		/* The variable is expanded to a string and treated as a code name. */
		char *s = npfvar_expand_string(npfvar_lookup($4));
		$$ = npfctl_parse_icmp($<num>0, $2,
		    npfctl_icmpcode($<num>0, $2, s));
	}
	| { $$ = NULL; }
	;
693
tcp_flags_and_mask
	/*
	 * Optional "flags <set>[/<mask>]".  The result is the flags var
	 * with the mask appended as a second element; without an explicit
	 * mask, the flag string is parsed a second time so mask == flags.
	 * NULL when absent.
	 */
	: FLAGS tcp_flags SLASH tcp_flags
	{
		npfvar_add_elements($2, $4);
		$$ = $2;
	}
	| FLAGS tcp_flags
	{
		char *s = npfvar_get_data($2, NPFVAR_TCPFLAG, 0);
		npfvar_add_elements($2, npfctl_parse_tcpflag(s));
		$$ = $2;
	}
	| { $$ = NULL; }
	;
708
tcp_flags
	/* TCP flag letters (e.g. "SA"), parsed by npfctl_parse_tcpflag(). */
	: IDENTIFIER { $$ = npfctl_parse_tcpflag($1); }
	;
712
icmp_type
	/*
	 * ICMP type as a number, a name, or a variable holding a name.
	 * $<num>-1 is the ICMP/ICMP6 token two symbols back on the stack
	 * (ICMPTYPE is $0): valid only because icmp_type is used solely
	 * right after ICMPTYPE in icmp_type_and_code.
	 */
	: number { $$ = $1; }
	| IDENTIFIER { $$ = npfctl_icmptype($<num>-1, $1); }
	| VAR_ID
	{
		char *s = npfvar_expand_string(npfvar_lookup($1));
		$$ = npfctl_icmptype($<num>-1, s);
	}
	;
722
string
	/*
	 * Identifier, or a variable expanding to a string/identifier.
	 * Only used for the interface name inside ifnet(...), inet(...)
	 * and inet6(...), hence the "for interface" wording below.  The
	 * error branches rely on yyerror() not returning.
	 */
	: IDENTIFIER
	{
		$$ = $1;
	}
	| VAR_ID
	{
		npfvar_t *vp = npfvar_lookup($1);
		const int type = npfvar_get_type(vp, 0);

		switch (type) {
		case NPFVAR_STRING:
		case NPFVAR_IDENTIFIER:
			$$ = npfvar_expand_string(vp);
			break;
		case -1:
			yyerror("undefined variable '%s' for interface", $1);
			break;
		default:
			yyerror("wrong variable '%s' type '%s' for string",
			    $1, npfvar_type(type));
			break;
		}
	}
	;
748
ifnet
	/*
	 * Interface expression: "ifnet(name)" for all families, or
	 * "inet(name)"/"inet6(name)" restricted to one family.  Resolves to
	 * an NPFVAR_INTERFACE var holding the name and its addresses.
	 */
	: IFNET PAR_OPEN string PAR_CLOSE
	{
		$$ = npfctl_parse_ifnet($3, AF_UNSPEC);
	}
	| afamily PAR_OPEN string PAR_CLOSE
	{
		$$ = npfctl_parse_ifnet($3, $1);
	}
	;
759
ifname
	/*
	 * Interface name for "on", "map" and group options: a bare or
	 * quoted name, an ifnet(...) expression, or a variable.  Every
	 * form registers the name through npfctl_note_interface().
	 */
	: some_name
	{
		npfctl_note_interface($1);
		$$ = $1;
	}
	| ifnet
	{
		/* Take the name the interface expression resolved to. */
		ifnet_addr_t *ifna = npfvar_get_data($1, NPFVAR_INTERFACE, 0);
		npfctl_note_interface(ifna->ifna_name);
		$$ = ifna->ifna_name;
	}
	| VAR_ID
	{
		npfvar_t *vp = npfvar_lookup($1);
		const int type = npfvar_get_type(vp, 0);
		ifnet_addr_t *ifna;

		/*
		 * Only the first element of the variable is inspected.  The
		 * error branches leave $$ unset before the note call below,
		 * which is safe only because yyerror() exits.
		 */
		switch (type) {
		case NPFVAR_STRING:
		case NPFVAR_IDENTIFIER:
			$$ = npfvar_expand_string(vp);
			break;
		case NPFVAR_INTERFACE:
			ifna = npfvar_get_data(vp, type, 0);
			$$ = ifna->ifna_name;
			break;
		case -1:
			yyerror("undefined variable '%s' for interface", $1);
			break;
		default:
			yyerror("wrong variable '%s' type '%s' for interface",
			    $1, npfvar_type(type));
			break;
		}
		npfctl_note_interface($$);
	}
	;
798
number
	/* Unsigned integer literal, hexadecimal or decimal (value from the lexer). */
	: HEX { $$ = $1; }
	| NUM { $$ = $1; }
	;
803
some_name
	/* A bare identifier or a quoted string, used where a name is expected. */
	: IDENTIFIER { $$ = $1; }
	| STRING { $$ = $1; }
	;
808
809 %%
810