pf/pfs/parse.y

1.4    andvar /* $NetBSD: parse.y,v 1.4 2023/03/17 17:12:54 andvar Exp $ */
1.1  degroote
1.1  degroote /*-
1.1  degroote  * Copyright (c) 2010 The NetBSD Foundation, Inc.
1.1  degroote  * All rights reserved.
1.1  degroote  *
1.1  degroote  * Redistribution and use in source and binary forms, with or without
1.1  degroote  * modification, are permitted provided that the following conditions
1.1  degroote  * are met:
1.1  degroote  * 1. Redistributions of source code must retain the above copyright
1.1  degroote  *    notice, this list of conditions and the following disclaimer.
1.1  degroote  * 2. Redistributions in binary form must reproduce the above copyright
1.1  degroote  *    notice, this list of conditions and the following disclaimer in the
1.1  degroote  *    documentation and/or other materials provided with the distribution.
1.1  degroote  *
1.1  degroote  * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
1.1  degroote  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
1.1  degroote  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
1.1  degroote  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
1.1  degroote  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
1.1  degroote  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
1.1  degroote  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
1.1  degroote  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
1.1  degroote  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
1.1  degroote  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
1.1  degroote  * POSSIBILITY OF SUCH DAMAGE.
1.1  degroote  */
1.1  degroote
1.1  degroote %{
1.1  degroote #include <sys/cdefs.h>
1.1  degroote
1.1  degroote #ifndef lint
1.4    andvar __RCSID("$NetBSD: parse.y,v 1.4 2023/03/17 17:12:54 andvar Exp $");
1.1  degroote #endif
1.1  degroote
1.1  degroote #include <stdio.h>
1.1  degroote #include <stdlib.h>
1.1  degroote #include <string.h>
1.1  degroote #include <stdint.h>
1.1  degroote #include <stdbool.h>
1.1  degroote #include <inttypes.h>
1.1  degroote #include <errno.h>
1.1  degroote
1.1  degroote #include <net/if.h>
1.1  degroote #include <netinet/in.h>
1.1  degroote #include <net/pfvar.h>
1.1  degroote #include <arpa/inet.h>
1.1  degroote #include <netdb.h>
1.1  degroote #include <netinet/tcp_fsm.h>
1.1  degroote
1.1  degroote #include "parser.h"
1.1  degroote
1.3     joerg int lineno;
1.3     joerg
1.3     joerg struct pfioc_states* states;
1.3     joerg size_t allocated;
1.3     joerg
1.1  degroote // XXX it is really correct ?
1.1  degroote extern const char * const tcpstates[];
1.1  degroote
1.1  degroote
1.1  degroote struct pfsync_state global_state;
1.1  degroote struct pfsync_state_peer *src_peer, *dst_peer;
1.1  degroote struct pfsync_state_peer current_peer;
1.1  degroote
1.1  degroote static void parse_init(void);
1.1  degroote static void add_state(void);
1.1  degroote static bool get_pfsync_host(const char*, struct pfsync_state_host*, sa_family_t*);
1.1  degroote static uint8_t retrieve_peer_state(const char*, int);
1.1  degroote static bool retrieve_seq(const char*, struct pfsync_state_peer*);
1.1  degroote static bool strtou32(const char*, uint32_t*);
1.1  degroote
1.1  degroote %}
1.1  degroote
1.1  degroote %union {
1.1  degroote 	uintmax_t num;
1.1  degroote 	char* str;
1.1  degroote }
1.1  degroote
1.1  degroote %token STATE
1.1  degroote %token IN OUT
1.1  degroote %token ON PROTO
1.1  degroote %token FROM TO USING
1.1  degroote %token ID CID EXPIRE TIMEOUT
1.1  degroote %token SRC DST
1.1  degroote %token SEQ  MAX_WIN WSCALE MSS
1.1  degroote %token NOSCRUB SCRUB FLAGS TTL MODE
1.1  degroote %token NUMBER STRING
1.1  degroote
1.1  degroote %type <str> STRING
1.1  degroote %type <num> NUMBER
1.1  degroote %%
1.1  degroote
1.1  degroote states
1.1  degroote 	: /* NOTHING */
1.1  degroote 	| state states  { parse_init(); }
1.1  degroote 	;
1.1  degroote
1.1  degroote state
1.1  degroote 	: STATE direction iface proto addrs id cid expire timeout src_peer dst_peer {
1.1  degroote 			add_state();
1.1  degroote 		}
1.1  degroote 	;
1.1  degroote
1.1  degroote direction
1.1  degroote 	: IN {
1.1  degroote 		   global_state.direction = PF_IN;
1.1  degroote 		   src_peer = &global_state.dst;
1.1  degroote 		   dst_peer = &global_state.src;
1.1  degroote 		}
1.1  degroote 	| OUT {
1.1  degroote 			 global_state.direction = PF_OUT;
1.1  degroote 			 src_peer = &global_state.src;
1.1  degroote 			 dst_peer = &global_state.dst;
1.1  degroote 		}
1.1  degroote 	;
1.1  degroote
1.1  degroote iface
1.1  degroote 	: ON STRING {
1.1  degroote 			strlcpy(global_state.ifname, $2, sizeof(global_state.ifname));
1.1  degroote 			free($2);
1.1  degroote 		}
1.1  degroote 	;
1.1  degroote
1.1  degroote proto
1.1  degroote 	: PROTO STRING {
1.1  degroote 			struct protoent *p;
1.1  degroote 			p = getprotobyname($2);
1.1  degroote 			if (p == NULL)
1.1  degroote 				yyfatal("Invalid protocol name");
1.1  degroote 			global_state.proto = p->p_proto;
1.1  degroote 			free($2);
1.1  degroote 			}
1.1  degroote 	| PROTO NUMBER {
1.1  degroote 			// check that the number may be valid proto ?
1.1  degroote 			global_state.proto = $2;
1.1  degroote 			}
1.1  degroote 	;
1.1  degroote
1.1  degroote addrs
1.1  degroote 	: FROM STRING TO STRING {
1.1  degroote 		get_pfsync_host($2, &global_state.lan, &global_state.af);
1.1  degroote 		get_pfsync_host($4, &global_state.ext, &global_state.af);
1.1  degroote 		memcpy(&global_state.gwy, &global_state.lan, sizeof(struct pfsync_state_host));
1.1  degroote 		free($2);
1.1  degroote 		free($4);
1.1  degroote 		}
1.1  degroote 	| FROM STRING TO STRING USING STRING {
1.1  degroote 		get_pfsync_host($2, &global_state.lan, &global_state.af);
1.1  degroote 		get_pfsync_host($4, &global_state.ext, &global_state.af);
1.1  degroote 		get_pfsync_host($6, &global_state.gwy, &global_state.af);
1.1  degroote 		free($2);
1.1  degroote 		free($4);
1.1  degroote 		free($6);
1.1  degroote 		}
1.1  degroote 	;
1.1  degroote
1.1  degroote id
1.1  degroote 	: ID NUMBER {
1.1  degroote 			if ( $2 > UINT64_MAX)
1.1  degroote 				yyfatal("id is too big");
1.1  degroote 			uint64_t value = (uint64_t)$2;
1.1  degroote 			memcpy(global_state.id, &value, sizeof(global_state.id));
1.1  degroote 		}
1.1  degroote 	;
1.1  degroote
1.1  degroote cid
1.1  degroote 	: CID NUMBER {
1.1  degroote 			if ( $2 > UINT32_MAX)
1.1  degroote 				yyfatal("creator id is too big");
1.1  degroote 			global_state.creatorid = (uint32_t)$2;
1.1  degroote 		}
1.1  degroote 	;
1.1  degroote
1.1  degroote expire
1.1  degroote 	: EXPIRE NUMBER {
1.1  degroote 			if ( $2 > UINT32_MAX)
1.1  degroote 				yyfatal("expire time is too big");
1.1  degroote 			global_state.expire = (uint32_t) $2;
1.1  degroote 		}
1.1  degroote 	;
1.1  degroote
1.1  degroote timeout
1.1  degroote 	: TIMEOUT NUMBER {
1.1  degroote 			if ($2 > UINT8_MAX)
1.1  degroote 				yyfatal("timeout time is too big");
1.1  degroote 			global_state.timeout = (uint8_t) $2;
1.1  degroote 		}
1.1  degroote 	;
1.1  degroote
1.1  degroote src_peer
1.1  degroote 	: SRC peer {
1.1  degroote 			memcpy(src_peer, &current_peer, sizeof(current_peer));
1.1  degroote 		}
1.1  degroote 	;
1.1  degroote
1.1  degroote dst_peer
1.1  degroote 	: DST peer {
1.1  degroote 			memcpy(dst_peer, &current_peer, sizeof(current_peer));
1.1  degroote 		}
1.1  degroote 	;
1.1  degroote
1.1  degroote peer
1.1  degroote 	: peer_state scrub
1.1  degroote 	| peer_state tcp_options scrub
1.1  degroote 	;
1.1  degroote
1.1  degroote peer_state
1.1  degroote 	: STATE STRING {
1.1  degroote 			current_peer.state = retrieve_peer_state($2, global_state.proto);
1.1  degroote 			free($2);
1.1  degroote 		}
1.1  degroote 	| STATE	NUMBER {
1.1  degroote 		if ( $2 > UINT8_MAX)
1.1  degroote 			yyfatal("peer state is too big");
1.1  degroote 		current_peer.state = $2;
1.1  degroote 		}
1.1  degroote 	;
1.1  degroote
1.1  degroote tcp_options
1.1  degroote 	: SEQ seqs MAX_WIN NUMBER WSCALE NUMBER {
1.1  degroote 			if ($4 > UINT16_MAX)
1.1  degroote 				yyfatal("max_win is too big");
1.1  degroote 			current_peer.max_win = $4;
1.1  degroote
1.1  degroote 			if ($6 > UINT8_MAX)
1.1  degroote 				yyfatal("wscale is too big");
1.1  degroote 			current_peer.wscale = $6;
1.1  degroote 		}
1.1  degroote 	| SEQ seqs MAX_WIN NUMBER WSCALE NUMBER MSS NUMBER {
1.1  degroote 			if ($4 > UINT16_MAX)
1.1  degroote 				yyfatal("max_win is too big");
1.1  degroote 			current_peer.max_win = $4;
1.1  degroote
1.1  degroote 			if ($6 > UINT8_MAX)
1.1  degroote 				yyfatal("wscale is too big");
1.1  degroote 			current_peer.wscale = $6;
1.1  degroote
1.1  degroote 			if ($8 > UINT16_MAX)
1.1  degroote 				yyfatal("mss is too big");
1.1  degroote 			current_peer.mss = $8;
1.1  degroote 		}
1.1  degroote 	;
1.1  degroote
1.1  degroote seqs
1.1  degroote 	: STRING {
1.1  degroote 		if (!retrieve_seq($1, &current_peer))
1.1  degroote 			yyfatal("invalid seq number");
1.1  degroote
1.1  degroote 		free($1);
1.1  degroote 		}
1.1  degroote 	;
1.1  degroote
1.1  degroote scrub
1.1  degroote 	: NOSCRUB { current_peer.scrub.scrub_flag= 0;}
1.1  degroote 	| SCRUB FLAGS NUMBER MODE NUMBER TTL NUMBER {
1.1  degroote 			current_peer.scrub.scrub_flag= PFSYNC_SCRUB_FLAG_VALID;
1.1  degroote 			if ($3 > UINT16_MAX)
1.1  degroote 				yyfatal("scrub flags is too big");
1.1  degroote 			current_peer.scrub.pfss_flags = $3;
1.1  degroote
1.1  degroote 			if ($5 > UINT32_MAX)
1.1  degroote 				yyfatal("scrub mode is too big");
1.1  degroote 			current_peer.scrub.pfss_ts_mod = $5;
1.1  degroote
1.1  degroote 			if ($7 > UINT8_MAX)
1.1  degroote 				yyfatal("scrub ttl is too big");
1.1  degroote 			current_peer.scrub.pfss_ttl = $7;
1.1  degroote 		}
1.1  degroote 	;
1.1  degroote
1.1  degroote
1.1  degroote %%
1.1  degroote
1.1  degroote static void
1.1  degroote parse_init(void)
1.1  degroote {
1.1  degroote 	memset(&global_state, 0, sizeof(global_state));
1.1  degroote 	memset(&current_peer, 0, sizeof(current_peer));
1.1  degroote 	src_peer = NULL;
1.1  degroote 	dst_peer = NULL;
1.1  degroote }
1.1  degroote
1.1  degroote static bool
1.1  degroote get_pfsync_host(const char* str, struct pfsync_state_host* host, sa_family_t* af)
1.1  degroote {
1.1  degroote 	size_t count_colon, addr_len, port_len;
1.1  degroote 	const char* p, *last_colon, *first_bracket, *last_bracket;
1.1  degroote 	char buf[48];
1.1  degroote 	char buf_port[6];
1.1  degroote
1.1  degroote 	if (str == NULL || *str == '\0')
1.1  degroote 		return false;
1.1  degroote
1.1  degroote 	p = str;
1.1  degroote 	last_colon = NULL;
1.1  degroote 	count_colon = 0;
1.1  degroote
1.1  degroote 	while (*p != '\0') {
1.1  degroote 		if (*p == ':') {
1.1  degroote 			count_colon++;
1.1  degroote 			last_colon = p;
1.1  degroote 		}
1.1  degroote 		p++;
1.1  degroote 	}
1.1  degroote
1.1  degroote 	/*
1.1  degroote 	 * If no colon, it is not an expected addr
1.1  degroote 	 * If there are more than one colon, we guess that af = AF_INET6
1.1  degroote 	 */
1.1  degroote
1.1  degroote 	if (count_colon == 0)
1.1  degroote 		return false;
1.1  degroote
1.1  degroote 	if (count_colon == 1)
1.1  degroote 		*af = AF_INET;
1.1  degroote 	else
1.1  degroote 		*af = AF_INET6;
1.1  degroote
1.1  degroote 	/*
1.1  degroote 	 * First bracket must be next character after last colon
1.1  degroote 	 * Last bracket must be the last character
1.1  degroote 	 * distance between both must be <= 7
1.1  degroote 	 */
1.1  degroote
1.1  degroote 	if (*(last_colon+1) == '[')
1.1  degroote 		first_bracket = last_colon + 1;
1.1  degroote 	else
1.1  degroote 		return false;
1.1  degroote
1.1  degroote 	last_bracket = str + (strlen(str) - 1);
1.1  degroote 	if (*last_bracket != ']')
1.1  degroote 		return false;
1.1  degroote
1.1  degroote 	port_len = last_bracket - first_bracket;
1.1  degroote 	if (last_bracket - first_bracket > 7)
1.1  degroote 		return false;
1.1  degroote
1.1  degroote 	memcpy(buf_port, first_bracket +1, port_len - 1);
1.1  degroote 	buf_port[port_len-1]= '\0';
1.1  degroote
1.1  degroote 	addr_len = last_colon - str;
1.1  degroote 	if (addr_len >= sizeof(buf))
1.1  degroote 		return false;
1.1  degroote 	memcpy(buf, str, addr_len);
1.1  degroote 	buf[addr_len] = '\0';
1.1  degroote
1.1  degroote 	if (inet_pton(*af, buf, &host->addr) != 1)
1.1  degroote 		return false;
1.1  degroote
1.1  degroote 	host->port = htons(atoi(buf_port));
1.1  degroote
1.1  degroote 	return true;
1.1  degroote }
1.1  degroote
1.1  degroote static uint8_t
1.1  degroote retrieve_peer_state(const char* str, int proto)
1.1  degroote {
1.1  degroote 	uint8_t i;
1.1  degroote
1.1  degroote 	if (proto == IPPROTO_TCP) {
1.1  degroote 		i = 0;
1.1  degroote 		while (i < TCP_NSTATES) {
1.1  degroote 			if (strcmp(str, tcpstates[i]) == 0)
1.1  degroote 				return i;
1.1  degroote 			i++;
1.1  degroote 		}
1.1  degroote 		yyfatal("Invalid peer state");
1.1  degroote
1.1  degroote 	} else {
1.1  degroote 		if (proto == IPPROTO_UDP) {
1.1  degroote 			const char* mystates[] = PFUDPS_NAMES;
1.1  degroote 			i = 0;
1.1  degroote
1.1  degroote 			while (i < PFUDPS_NSTATES) {
1.1  degroote 				if (strcmp(str, mystates[i]) == 0)
1.1  degroote 					return i;
1.1  degroote 				i++;
1.1  degroote 			}
1.1  degroote
1.1  degroote 			yyfatal("Invalid peer state");
1.1  degroote 		} else {
1.1  degroote 			const char *mystates[] = PFOTHERS_NAMES;
1.1  degroote 			i = 0;
1.1  degroote
1.1  degroote 			while (i < PFOTHERS_NSTATES) {
1.1  degroote 				if (strcmp(str, mystates[i]) == 0)
1.1  degroote 					return i;
1.1  degroote 				i++;
1.1  degroote 			}
1.1  degroote
1.1  degroote 			yyfatal("Invalid peer state");
1.1  degroote 		}
1.1  degroote 	}
1.1  degroote      /*NOTREACHED*/
1.1  degroote 	return 0;
1.1  degroote }
1.1  degroote
1.1  degroote static bool
1.1  degroote strtou32(const char* str, uint32_t* res)
1.1  degroote {
1.1  degroote 	uintmax_t u;
1.1  degroote 	errno = 0;
1.1  degroote 	u = strtoumax(str, NULL, 10);
1.1  degroote 	if (errno == ERANGE && u == UINTMAX_MAX)
1.1  degroote 		return false;
1.1  degroote 	if (u > UINT32_MAX)
1.1  degroote 		return false;
1.1  degroote 	*res = (uint32_t) u;
1.1  degroote 	return true;
1.1  degroote }
1.1  degroote
1.1  degroote static bool
1.1  degroote retrieve_seq(const char* str, struct pfsync_state_peer* peer)
1.1  degroote {
1.1  degroote 	const char* p, *p_colon, *p_comma;
1.1  degroote 	char buf[100];
1.1  degroote 	size_t size;
1.1  degroote
1.1  degroote 	if (str == NULL || *str == '\0')
1.1  degroote 		return false;
1.1  degroote
1.1  degroote 	if (*str != '[' || *(str+(strlen(str) -1)) != ']')
1.1  degroote 		return false;
1.1  degroote
1.1  degroote 	p = str;
1.1  degroote 	p_colon = NULL;
1.1  degroote 	p_comma = NULL;
1.1  degroote 	while (*p != '\0') {
1.1  degroote 		if (*p == ':') {
1.1  degroote 			if (p_colon !=NULL)
1.1  degroote 				return false;
1.1  degroote 			else
1.1  degroote 				p_colon = p;
1.1  degroote 		}
1.1  degroote
1.1  degroote 		if (*p == ',') {
1.1  degroote 			if (p_comma != NULL)
1.1  degroote 				return false;
1.1  degroote 			else
1.1  degroote 				p_comma = p;
1.1  degroote 		}
1.1  degroote 		p++;
1.1  degroote 	}
1.1  degroote
1.1  degroote 	size = p_colon - str;
1.1  degroote 	if (size > sizeof(buf))
1.1  degroote 		return false;
1.1  degroote 	memcpy(buf, str+1, size-1);
1.1  degroote 	buf[size-1] = '\0';
1.1  degroote
1.1  degroote 	if (!strtou32(buf, &peer->seqlo))
1.1  degroote 		return false;
1.1  degroote
1.1  degroote
1.1  degroote 	if (p_comma == NULL)
1.1  degroote 		size = str + strlen(str) - 1 - p_colon;
1.1  degroote 	else
1.1  degroote 		size = p_comma - p_colon;
1.1  degroote
1.1  degroote 	if (size > sizeof(buf))
1.1  degroote 		return false;
1.1  degroote 	memcpy(buf, p_colon+1, size -1);
1.1  degroote 	buf[size-1] = '\0';
1.1  degroote
1.1  degroote 	if (!strtou32(buf, &peer->seqhi))
1.1  degroote 		return false;
1.1  degroote
1.1  degroote 	if (p_comma == NULL) {
1.1  degroote 		peer->seqdiff = 0;
1.1  degroote 	} else {
1.1  degroote 		size = str + strlen(str) - 1 - p_comma;
1.1  degroote 		if (size > sizeof(buf))
1.1  degroote 			return false;
1.1  degroote 		memcpy(buf, p_comma +1, size -1);
1.1  degroote 		buf[size-1] = '\0';
1.1  degroote
1.1  degroote 		if (!strtou32(buf, &peer->seqdiff))
1.1  degroote 			return false;
1.1  degroote 	}
1.1  degroote
1.1  degroote 	return true;
1.1  degroote }
1.1  degroote
1.1  degroote static void
1.1  degroote add_state(void)
1.1  degroote {
1.1  degroote
1.1  degroote 	if (allocated == 0) {
1.1  degroote 		allocated = 5;
1.1  degroote 		states->ps_buf = malloc(allocated * sizeof(struct pfsync_state));
1.1  degroote 		if (states->ps_buf == NULL)
1.4    andvar 			yyfatal("Not enough memory");
1.1  degroote 	}
1.1  degroote
1.1  degroote 	if (allocated == (states->ps_len / sizeof(struct pfsync_state))) {
1.1  degroote 		void *buf;
1.1  degroote 		allocated = allocated * 2 + 1;
1.1  degroote 		buf = realloc(states->ps_buf, allocated * sizeof(struct pfsync_state));
1.1  degroote 		if (buf == NULL) {
1.1  degroote 			free(states->ps_buf);
1.4    andvar 			yyfatal("Not enough memory");
1.1  degroote 		}
1.1  degroote 		states->ps_buf = buf;
1.1  degroote 	}
1.1  degroote
1.1  degroote }