1c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh/* $NetBSD: policy_parse.y,v 1.9.6.2 2009/02/16 18:38:26 tteras Exp $ */ 20a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 30a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang/* $KAME: policy_parse.y,v 1.21 2003/12/12 08:01:26 itojun Exp $ */ 40a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 50a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang/* 60a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. 70a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * All rights reserved. 80a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * 90a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * Redistribution and use in source and binary forms, with or without 100a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * modification, are permitted provided that the following conditions 110a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * are met: 120a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * 1. Redistributions of source code must retain the above copyright 130a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * notice, this list of conditions and the following disclaimer. 140a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * 2. Redistributions in binary form must reproduce the above copyright 150a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * notice, this list of conditions and the following disclaimer in the 160a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * documentation and/or other materials provided with the distribution. 170a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * 3. Neither the name of the project nor the names of its contributors 180a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * may be used to endorse or promote products derived from this software 190a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * without specific prior written permission. 
200a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * 210a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 220a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 230a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 240a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 250a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 260a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 270a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 280a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 290a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 300a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 310a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * SUCH DAMAGE. 
 */

/*
 * IN/OUT bound policy configuration takes place as shown below:
 *	in <priority> <policy>
 *	out <priority> <policy>
 *
 * <priority> is one of the following:
 * priority <signed int> where the integer is an offset from the default
 *                       priority, where negative numbers indicate lower
 *                       priority (towards end of list) and positive numbers
 *                       indicate higher priority (towards beginning of list)
 *
 * priority {low,def,high} {+,-} <unsigned int>  where low and high are
 *                                               constants which are closer
 *                                               to the end of the list and
 *                                               beginning of the list,
 *                                               respectively
 *
 * <policy> is one of the following:
 *	"discard", "none", "ipsec <requests>", "entrust", "bypass",
 *
 * The following requests are
accepted as <requests>: 550a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * 560a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * protocol/mode/src-dst/level 570a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * protocol/mode/src-dst parsed as protocol/mode/src-dst/default 580a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * protocol/mode/src-dst/ parsed as protocol/mode/src-dst/default 590a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * protocol/transport parsed as protocol/mode/any-any/default 600a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * protocol/transport//level parsed as protocol/mode/any-any/level 610a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * 620a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang * You can concatenate these requests with either ' '(single space) or '\n'. 630a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang */ 640a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 650a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang%{ 660a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef HAVE_CONFIG_H 670a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include "config.h" 680a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 690a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 700a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include <sys/types.h> 710a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include <sys/param.h> 720a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include <sys/socket.h> 730a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 740a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include <netinet/in.h> 750a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include PATH_IPSEC_H 760a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 770a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include <stdlib.h> 780a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#include <stdio.h> 
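#include <string.h>
#include <netdb.h>

#include <errno.h>

#include "config.h"

#include "ipsec_strerror.h"
#include "libpfkey.h"

/*
 * Fallbacks for headers that do not provide the C99 limits.  INT32_MAX is
 * the largest signed 32-bit value, 0x7fffffff.  The grammar below compares
 * parsed priority offsets against INT32_MAX/INT32_MIN, so an oversized
 * fallback (the previous 0xffffffff, which is UINT32_MAX) would let
 * out-of-range offsets pass the check and also made INT32_MIN wrong.
 */
#ifndef INT32_MAX
#define INT32_MAX (0x7fffffff)
#endif

#ifndef INT32_MIN
#define INT32_MIN (-INT32_MAX-1)
#endif

/*
 * Value of one hex digit character.  The argument is evaluated more than
 * once, so pass a side-effect-free expression; arguments are parenthesized
 * and cast to unsigned char so the <ctype.h> calls are defined for any
 * char value.
 * NOTE(review): <ctype.h> is not included in this file; confirm it arrives
 * via PATH_IPSEC_H or another header before ATOX is used.
 */
#define ATOX(c) \
	(isdigit((unsigned char)(c)) ? ((c) - '0') : \
	    (isupper((unsigned char)(c)) ? ((c) - 'A' + 10) : ((c) - 'a' + 10)))

static u_int8_t *pbuf = NULL;	/* sadb_x_policy buffer */
static int tlen = 0;	/* total length of pbuf */
static int offset = 0;	/* offset of pbuf */
/* per-policy state written by the grammar actions and read by rule_check() */
static int p_dir, p_type, p_protocol, p_mode, p_level, p_reqid;
static u_int32_t p_priority = 0;
static long p_priority_offset = 0;	/* signed offset before it is applied */
static struct sockaddr *p_src = NULL;	/* heap buffers from parse_sockaddr() */
static struct sockaddr *p_dst = NULL;

struct _val;
extern void yyerror __P((char *msg));
static struct sockaddr *parse_sockaddr __P((struct _val *addrbuf,
    struct _val *portbuf));
static int rule_check __P((void));
static int init_x_policy __P((void));
static int set_x_request __P((struct sockaddr *, struct sockaddr *));
static int set_sockaddr __P((struct sockaddr *));
static void policy_parse_request_init __P((void));
static void *policy_parse __P((const char *, int));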
/* Input buffer hooks and parser entry points defined outside this file. */
extern void __policy__strbuffer__init__ __P((const char *));
extern void __policy__strbuffer__free__ __P((void));
extern int yyparse __P((void));
extern int yylex __P((void));

/* Text being parsed; yyerror() echoes it in its diagnostic. */
extern char *__libipsectext;	/*XXX*/

%}

%union {
	u_int num;		/* DIR, PRIORITY, ACTION, PROTOCOL, MODE, LEVEL */
	u_int32_t num32;	/* PRIO_BASE */
	/*
	 * Length-counted token text (IPADDRESS, PORT, LEVEL_SPECIFY,
	 * PRIO_OFFSET).
	 * NOTE(review): the actions call atol() directly on buf while
	 * parse_sockaddr() copies only len bytes and terminates the copy
	 * itself; confirm the lexer hands over NUL-terminated text.
	 */
	struct _val {
		int len;
		char *buf;
	} val;
}

/* direction keyword (in/out) */
%token DIR
/* priority clause: "priority" keyword and the '+' sign */
%token PRIORITY PLUS
/* priority base constant ({low,def,high}) and numeric offset text */
%token <num32> PRIO_BASE
%token <val> PRIO_OFFSET
%token ACTION PROTOCOL MODE LEVEL LEVEL_SPECIFY IPADDRESS PORT
%token ME ANY
%token SLASH HYPHEN
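%type <num> DIR PRIORITY ACTION PROTOCOL MODE LEVEL
%type <val> IPADDRESS LEVEL_SPECIFY PORT

%%
/*
 * policy_spec: one "<dir> [priority ...] <action> [requests]" policy.
 * Each alternative records direction, type and priority in the p_*
 * globals and calls init_x_policy() to start the sadb_x_policy buffer
 * before the request rules are appended.  A priority offset that fails
 * its range check sets __ipsec_errcode and aborts the parse with -1.
 *
 * NOTE(review): ISO C does not require atol() to set errno on overflow,
 * so the errno tests below are only as good as the platform's atol();
 * strtol() would make them portable.
 */
policy_spec
	:	DIR ACTION
		{
			p_dir = $1;
			p_type = $2;

#ifdef HAVE_PFKEY_POLICY_PRIORITY
			p_priority = PRIORITY_DEFAULT;
#else
			p_priority = 0;
#endif

			if (init_x_policy())
				return -1;
		}
		rules
	|	DIR PRIORITY PRIO_OFFSET ACTION
		{
			p_dir = $1;
			p_type = $4;

			/*
			 * errno is cleared before the conversion, as in the other
			 * alternatives; clearing it afterwards left the errno test
			 * below always false.
			 */
			errno = 0;
			p_priority_offset = -atol($3.buf);

			if (errno != 0 || p_priority_offset < INT32_MIN)
			{
				__ipsec_errcode = EIPSEC_INVAL_PRIORITY_OFFSET;
				return -1;
			}

			/* a positive input means higher priority, i.e. a lower
			   actual value: the negated offset, cast to u_int32_t,
			   subtracts from the default modulo 2^32 */
			p_priority = PRIORITY_DEFAULT + (u_int32_t) p_priority_offset;

			if (init_x_policy())
				return -1;
		}
		rules
	|	DIR PRIORITY HYPHEN PRIO_OFFSET ACTION
		{
			p_dir = $1;
			p_type = $5;

			errno = 0;
			p_priority_offset = atol($4.buf);

			if (errno != 0 || p_priority_offset > INT32_MAX)
			{
				__ipsec_errcode = EIPSEC_INVAL_PRIORITY_OFFSET;
				return -1;
			}

			/* negative input value means lower priority, therefore higher
			   actual value so that is closer to the end of the list */
			p_priority = PRIORITY_DEFAULT + (u_int32_t) p_priority_offset;

			if (init_x_policy())
				return -1;
		}
		rules
	|	DIR PRIORITY PRIO_BASE ACTION
		{
			p_dir = $1;
			p_type = $4;

			p_priority = $3;

			if (init_x_policy())
				return -1;
		}
		rules
	|	DIR PRIORITY PRIO_BASE PLUS PRIO_OFFSET ACTION
		{
			p_dir = $1;
			p_type = $6;

			errno = 0;
			p_priority_offset = atol($5.buf);

			if (errno != 0 || p_priority_offset > PRIORITY_OFFSET_NEGATIVE_MAX)
			{
				__ipsec_errcode = EIPSEC_INVAL_PRIORITY_BASE_OFFSET;
				return -1;
			}

			/* adding value means higher priority, therefore lower
			   actual value so that is closer to the beginning of the list */
			p_priority = $3 - (u_int32_t) p_priority_offset;

			if (init_x_policy())
				return -1;
		}
		rules
	|	DIR PRIORITY PRIO_BASE HYPHEN PRIO_OFFSET ACTION
		{
			p_dir = $1;
			p_type = $6;

			errno = 0;
			p_priority_offset = atol($5.buf);

			if (errno != 0 || p_priority_offset > PRIORITY_OFFSET_POSITIVE_MAX)
			{
				__ipsec_errcode = EIPSEC_INVAL_PRIORITY_BASE_OFFSET;
				return -1;
			}

			/* subtracting value means lower priority, therefore higher
			   actual value so that is closer to the end of the list */
			p_priority = $3 + (u_int32_t) p_priority_offset;

			if (init_x_policy())
				return -1;
		}
		rules
	|	DIR
		{
			p_dir = $1;
			p_type = 0;	/* ignored by the kernel */

			p_priority = 0;

			if (init_x_policy())
				return -1;
		}
	;

/*
 * rules: zero or more requests.  Each request is validated by
 * rule_check() and appended to the policy buffer by set_x_request();
 * either failure aborts the parse.  policy_parse_request_init() runs
 * before the next request is read.
 */
rules
	:	/*NOTHING*/
	|	rules rule {
			if (rule_check() < 0)
				return -1;

			if (set_x_request(p_src, p_dst) < 0)
				return -1;

			policy_parse_request_init();
		}
	;

/*
 * rule: protocol/mode[/[addresses][/level]].  A request that stops after
 * the protocol (with or without the trailing slash) is rejected with
 * EIPSEC_FEW_ARGUMENTS.
 */
rule
	:	protocol SLASH mode SLASH addresses SLASH level
	|	protocol SLASH mode SLASH addresses SLASH
	|	protocol SLASH mode SLASH addresses
	|	protocol SLASH mode SLASH
	|	protocol SLASH mode SLASH SLASH level
	|	protocol SLASH mode
	|	protocol SLASH {
			__ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
			return -1;
		}
	|	protocol {
			__ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
			return -1;
		}
	;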
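protocol
	:	PROTOCOL { p_protocol = $1; }
	;

mode
	:	MODE { p_mode = $1; }
	;

/*
 * level: a bare LEVEL keyword clears the request id; LEVEL_SPECIFY
 * carries a numeric id and forces IPSEC_LEVEL_UNIQUE.
 */
level
	:	LEVEL {
			p_level = $1;
			p_reqid = 0;
		}
	|	LEVEL_SPECIFY {
			p_level = IPSEC_LEVEL_UNIQUE;
			/* NOTE(review): long narrowed to int with no range
			   check; confirm the lexer bounds the digit string */
			p_reqid = atol($1.buf);	/* atol() is good. */
		}
	;

/*
 * addresses: "src-dst" endpoints, each optionally followed by a PORT
 * token.  p_src/p_dst receive heap buffers from parse_sockaddr(); a
 * failed conversion aborts the parse.  me-any is accepted only for
 * outbound policies and any-me only for inbound ones.
 */
addresses
	:	IPADDRESS {
			p_src = parse_sockaddr(&$1, NULL);
			if (p_src == NULL)
				return -1;
		}
		HYPHEN
		IPADDRESS {
			p_dst = parse_sockaddr(&$4, NULL);
			if (p_dst == NULL)
				return -1;
		}
	|	IPADDRESS PORT {
			p_src = parse_sockaddr(&$1, &$2);
			if (p_src == NULL)
				return -1;
		}
		HYPHEN
		IPADDRESS PORT {
			p_dst = parse_sockaddr(&$5, &$6);
			if (p_dst == NULL)
				return -1;
		}
	|	ME HYPHEN ANY {
			if (p_dir != IPSEC_DIR_OUTBOUND) {
				__ipsec_errcode = EIPSEC_INVAL_DIR;
				return -1;
			}
		}
	|	ANY HYPHEN ME {
			if (p_dir != IPSEC_DIR_INBOUND) {
				__ipsec_errcode = EIPSEC_INVAL_DIR;
				return -1;
			}
		}
		/*
	|	ME HYPHEN ME
		*/
	;

%%

/*
 * Parser error callback: report the message together with the text
 * being parsed on stderr.
 */
void
yyerror(msg)
	char *msg;
{
	fprintf(stderr, "libipsec: %s while parsing \"%s\"\n",
		msg, __libipsectext);

	return;
}

/*
 * Convert a length-counted numeric address (and optional port) from the
 * token stream into a freshly malloc()ed struct sockaddr.  Only numeric
 * hosts are accepted (AI_NUMERICHOST), so no name resolution happens.
 * Returns NULL after recording the error through __ipsec_set_strerror()
 * or __ipsec_errcode; on success the caller owns the returned buffer.
 */
static struct sockaddr *
parse_sockaddr(addrbuf, portbuf)
	struct _val *addrbuf;
	struct _val *portbuf;
{
	struct addrinfo hints, *res;
	char *addr;
	char *serv = NULL;
	int error;
	int saved_errno;
	struct sockaddr *newaddr = NULL;

	if ((addr = malloc(addrbuf->len + 1)) == NULL) {
		/* yyerror() writes to stderr, which may overwrite errno */
		saved_errno = errno;
		yyerror("malloc failed");
		__ipsec_set_strerror(strerror(saved_errno));
		return NULL;
	}

	if (portbuf && ((serv = malloc(portbuf->len + 1)) == NULL)) {
		saved_errno = errno;
		free(addr);
		yyerror("malloc failed");
		__ipsec_set_strerror(strerror(saved_errno));
		return NULL;
	}

	/* token text is length-counted; the terminator is written explicitly */
	strncpy(addr, addrbuf->buf, addrbuf->len);
	addr[addrbuf->len] = '\0';

	if (portbuf) {
		strncpy(serv, portbuf->buf, portbuf->len);
		serv[portbuf->len] = '\0';
	}

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = PF_UNSPEC;
	hints.ai_flags = AI_NUMERICHOST;
	hints.ai_socktype = SOCK_DGRAM;
	error = getaddrinfo(addr, serv, &hints, &res);
	free(addr);
	free(serv);
	if (error != 0) {
		yyerror("invalid IP address");
		__ipsec_set_strerror(gai_strerror(error));
		return NULL;
	}

	if (res->ai_addr == NULL) {
		/*
		 * getaddrinfo() succeeded, so error is 0 here and
		 * gai_strerror() describes success rather than the failure
		 * (NOTE(review): a more specific message would help callers).
		 * The result list was previously leaked on this path.
		 */
		yyerror("invalid IP address");
		__ipsec_set_strerror(gai_strerror(error));
		freeaddrinfo(res);
		return NULL;
	}

	newaddr = malloc(res->ai_addrlen);
	if (newaddr == NULL) {
		__ipsec_errcode = EIPSEC_NO_BUFS;
		freeaddrinfo(res);
		return NULL;
	}
	memcpy(newaddr, res->ai_addr, res->ai_addrlen);

	freeaddrinfo(res);

	__ipsec_errcode = EIPSEC_NO_ERROR;
	return newaddr;
}

/*
 * Validate the request collected in the p_* globals before it is added
 * to the policy.  Only IPSEC_POLICY_IPSEC requests are checked: they need
 * a protocol, a transport or tunnel mode, and either no addresses (in
 * transport mode) or a src/dst pair of the same family.  Sets
 * __ipsec_errcode and returns -1 on failure, 0 otherwise.
 */
static int
rule_check()
{
	if (p_type == IPSEC_POLICY_IPSEC) {
		if (p_protocol == IPPROTO_IP) {
			__ipsec_errcode = EIPSEC_NO_PROTO;
			return -1;
		}

		if (p_mode != IPSEC_MODE_TRANSPORT
		 && p_mode != IPSEC_MODE_TUNNEL) {
			__ipsec_errcode = EIPSEC_INVAL_MODE;
			return -1;
		}

		if (p_src == NULL && p_dst == NULL) {
			if (p_mode != IPSEC_MODE_TRANSPORT) {
				__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
				return -1;
			}
		}
		else if (p_src == NULL || p_dst == NULL) {
			/* the addresses rule sets both or neither; guard the
			   family comparison below against a lone endpoint */
			__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
			return -1;
		}
		else if (p_src->sa_family != p_dst->sa_family) {
			__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
			return -1;
		}
	}

	__ipsec_errcode = EIPSEC_NO_ERROR;
	return 0;
}

static int
init_x_policy()
{
	struct sadb_x_policy *p;

	if (pbuf) {
		free(pbuf);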
4780a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang tlen = 0; 4790a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 4800a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang pbuf = malloc(sizeof(struct sadb_x_policy)); 4810a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (pbuf == NULL) { 4820a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang __ipsec_errcode = EIPSEC_NO_BUFS; 4830a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang return -1; 4840a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 4850a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang tlen = sizeof(struct sadb_x_policy); 4860a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 4870a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang memset(pbuf, 0, tlen); 4880a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang p = (struct sadb_x_policy *)pbuf; 4890a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang p->sadb_x_policy_len = 0; /* must update later */ 4900a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang p->sadb_x_policy_exttype = SADB_X_EXT_POLICY; 4910a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang p->sadb_x_policy_type = p_type; 4920a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang p->sadb_x_policy_dir = p_dir; 4930a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang p->sadb_x_policy_id = 0; 4940a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#ifdef HAVE_PFKEY_POLICY_PRIORITY 4950a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang p->sadb_x_policy_priority = p_priority; 4960a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#else 4970a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* fail if given a priority and libipsec was not compiled with 4980a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang priority support */ 4990a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (p_priority != 0) 5000a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang { 5010a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang __ipsec_errcode = 
EIPSEC_PRIORITY_NOT_COMPILED; 5020a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang return -1; 5030a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 5040a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang#endif 5050a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5060a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang offset = tlen; 5070a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5080a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang __ipsec_errcode = EIPSEC_NO_ERROR; 5090a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang return 0; 5100a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang} 5110a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5120a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wangstatic int 5130a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wangset_x_request(src, dst) 5140a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang struct sockaddr *src, *dst; 5150a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang{ 5160a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang struct sadb_x_ipsecrequest *p; 5170a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang int reqlen; 5180a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang u_int8_t *n; 5190a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5200a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang reqlen = sizeof(*p) 5210a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang + (src ? sysdep_sa_len(src) : 0) 5220a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang + (dst ? 
sysdep_sa_len(dst) : 0); 5230a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang tlen += reqlen; /* increment to total length */ 5240a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5250a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang n = realloc(pbuf, tlen); 5260a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (n == NULL) { 5270a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang __ipsec_errcode = EIPSEC_NO_BUFS; 5280a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang return -1; 5290a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 5300a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang pbuf = n; 5310a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5320a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang p = (struct sadb_x_ipsecrequest *)&pbuf[offset]; 5330a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang p->sadb_x_ipsecrequest_len = reqlen; 5340a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang p->sadb_x_ipsecrequest_proto = p_protocol; 5350a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang p->sadb_x_ipsecrequest_mode = p_mode; 5360a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang p->sadb_x_ipsecrequest_level = p_level; 5370a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang p->sadb_x_ipsecrequest_reqid = p_reqid; 5380a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang offset += sizeof(*p); 5390a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5400a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (set_sockaddr(src) || set_sockaddr(dst)) 5410a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang return -1; 5420a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5430a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang __ipsec_errcode = EIPSEC_NO_ERROR; 5440a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang return 0; 5450a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang} 5460a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5470a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wangstatic 
int 5480a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wangset_sockaddr(addr) 5490a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang struct sockaddr *addr; 5500a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang{ 5510a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (addr == NULL) { 5520a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang __ipsec_errcode = EIPSEC_NO_ERROR; 5530a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang return 0; 5540a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 5550a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5560a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* tlen has already incremented */ 5570a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5580a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang memcpy(&pbuf[offset], addr, sysdep_sa_len(addr)); 5590a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5600a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang offset += sysdep_sa_len(addr); 5610a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5620a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang __ipsec_errcode = EIPSEC_NO_ERROR; 5630a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang return 0; 5640a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang} 5650a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5660a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wangstatic void 5670a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wangpolicy_parse_request_init() 5680a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang{ 5690a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang p_protocol = IPPROTO_IP; 5700a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang p_mode = IPSEC_MODE_ANY; 5710a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang p_level = IPSEC_LEVEL_DEFAULT; 5720a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang p_reqid = 0; 5730a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (p_src != NULL) { 5740a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 
free(p_src); 5750a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang p_src = NULL; 5760a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 5770a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (p_dst != NULL) { 5780a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang free(p_dst); 5790a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang p_dst = NULL; 5800a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 5810a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5820a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang return; 5830a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang} 5840a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5850a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wangstatic void * 5860a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wangpolicy_parse(msg, msglen) 5870a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang const char *msg; 5880a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang int msglen; 5890a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang{ 5900a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang int error; 5910a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5920a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang pbuf = NULL; 5930a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang tlen = 0; 5940a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 5950a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* initialize */ 5960a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang p_dir = IPSEC_DIR_INVALID; 5970a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang p_type = IPSEC_POLICY_DISCARD; 5980a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang policy_parse_request_init(); 5990a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang __policy__strbuffer__init__(msg); 6000a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 6010a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang error = yyparse(); /* it must be set errcode. 
*/ 6020a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang __policy__strbuffer__free__(); 6030a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 6040a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (error) { 6050a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (pbuf != NULL) 6060a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang free(pbuf); 6070a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang return NULL; 6080a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 6090a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 6100a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang /* update total length */ 6110a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang ((struct sadb_x_policy *)pbuf)->sadb_x_policy_len = PFKEY_UNIT64(tlen); 6120a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 6130a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang __ipsec_errcode = EIPSEC_NO_ERROR; 6140a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 6150a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang return pbuf; 6160a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang} 6170a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 6180a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wangipsec_policy_t 6190a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wangipsec_set_policy(msg, msglen) 6200a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang __ipsec_const char *msg; 6210a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang int msglen; 6220a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang{ 6230a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang caddr_t policy; 6240a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 6250a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang policy = policy_parse(msg, msglen); 6260a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (policy == NULL) { 6270a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang if (__ipsec_errcode == EIPSEC_NO_ERROR) 6280a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 
__ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 6290a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang return NULL; 6300a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang } 6310a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang 6320a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang __ipsec_errcode = EIPSEC_NO_ERROR; 6330a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang return policy; 6340a1907d434839af6a9cb6329bbde60b237bf53dcChung-yih Wang} 635