| | varnish-cache/lib/libvcc/vcc_acl.c |
|---|
| 0 |
|
/*- |
| 1 |
|
* Copyright (c) 2006 Verdens Gang AS |
| 2 |
|
* Copyright (c) 2006-2010 Varnish Software AS |
| 3 |
|
* All rights reserved. |
| 4 |
|
* |
| 5 |
|
* Author: Poul-Henning Kamp <phk@phk.freebsd.dk> |
| 6 |
|
* |
| 7 |
|
* SPDX-License-Identifier: BSD-2-Clause |
| 8 |
|
* |
| 9 |
|
* Redistribution and use in source and binary forms, with or without |
| 10 |
|
* modification, are permitted provided that the following conditions |
| 11 |
|
* are met: |
| 12 |
|
* 1. Redistributions of source code must retain the above copyright |
| 13 |
|
* notice, this list of conditions and the following disclaimer. |
| 14 |
|
* 2. Redistributions in binary form must reproduce the above copyright |
| 15 |
|
* notice, this list of conditions and the following disclaimer in the |
| 16 |
|
* documentation and/or other materials provided with the distribution. |
| 17 |
|
* |
| 18 |
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND |
| 19 |
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 20 |
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
| 21 |
|
* ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE |
| 22 |
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
| 23 |
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
| 24 |
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 25 |
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
| 26 |
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
| 27 |
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| 28 |
|
* SUCH DAMAGE. |
| 29 |
|
*/ |
| 30 |
|
|
| 31 |
|
#include "config.h" |
| 32 |
|
|
| 33 |
|
#include <sys/socket.h> |
| 34 |
|
|
| 35 |
|
#include <netinet/in.h> |
| 36 |
|
|
| 37 |
|
#include <netdb.h> |
| 38 |
|
#include <stdlib.h> |
| 39 |
|
#include <string.h> |
| 40 |
|
|
| 41 |
|
#include "vcc_compile.h" |
| 42 |
|
#include <vtcp.h> |
| 43 |
|
#include <vtree.h> |
| 44 |
|
#include <vsa.h> |
| 45 |
|
|
| 46 |
|
#define ACL_MAXADDR (sizeof(struct in6_addr) + 1) |
| 47 |
|
|
| 48 |
|
VRBT_HEAD(acl_tree, acl_e); |
| 49 |
|
|
| 50 |
|
struct acl { |
| 51 |
|
unsigned magic; |
| 52 |
|
#define VCC_ACL_MAGIC 0xb9fb3cd0 |
| 53 |
|
|
| 54 |
|
int flag_log; |
| 55 |
|
int flag_fold; |
| 56 |
|
int flag_pedantic; |
| 57 |
|
int flag_table; |
| 58 |
|
|
| 59 |
|
struct acl_tree acl_tree; |
| 60 |
|
}; |
| 61 |
|
|
| 62 |
|
struct acl_e { |
| 63 |
|
unsigned magic; |
| 64 |
|
#define VCC_ACL_E_MAGIC 0xcac81e23 |
| 65 |
|
VRBT_ENTRY(acl_e) branch; |
| 66 |
|
unsigned char data[ACL_MAXADDR]; |
| 67 |
|
unsigned mask; |
| 68 |
|
unsigned not; |
| 69 |
|
unsigned para; |
| 70 |
|
unsigned overlapped; |
| 71 |
|
char *addr; |
| 72 |
|
const char *fixed; |
| 73 |
|
struct token *t_addr; |
| 74 |
|
struct token *t_mask; |
| 75 |
|
}; |
| 76 |
|
|
| 77 |
|
enum acl_cmp_e { |
| 78 |
|
ACL_EQ = 0, |
| 79 |
|
ACL_LT = -1, // a < b |
| 80 |
|
ACL_GT = 1, // b > a |
| 81 |
|
ACL_CONTAINED = -2, // b contains a |
| 82 |
|
ACL_CONTAINS = 2, // a contains b |
| 83 |
|
ACL_LEFT = -3, // a + 1 == b |
| 84 |
|
ACL_RIGHT = 3 // a == b + 1 |
| 85 |
|
}; |
| 86 |
|
|
| 87 |
|
static void vcc_acl_insert_entry(struct vcc *, struct acl_e **); |
| 88 |
|
|
| 89 |
|
/* |
| 90 |
|
* Compare two acl rules for relation |
| 91 |
|
*/ |
| 92 |
|
|
| 93 |
|
#define CMP(n, a, b) \ |
| 94 |
|
do { \ |
| 95 |
|
if ((a) < (b)) \ |
| 96 |
|
return (enum acl_cmp_e)(-n); \ |
| 97 |
|
else if ((b) < (a)) \ |
| 98 |
|
return (n); \ |
| 99 |
|
} while (0) |
| 100 |
|
|
| 101 |
|
#define CMPA(a, b) \ |
| 102 |
|
do { \ |
| 103 |
|
if (((a) | 1) == (b)) \ |
| 104 |
|
return (ACL_LEFT); \ |
| 105 |
|
else if (((b) | 1) == (a)) \ |
| 106 |
|
return (ACL_RIGHT); \ |
| 107 |
|
} while (0) |
| 108 |
|
|
| 109 |
|
static void |
| 110 |
6 |
vcl_acl_free(struct acl_e **aep) |
| 111 |
|
{ |
| 112 |
|
struct acl_e *a; |
| 113 |
|
|
| 114 |
6 |
TAKE_OBJ_NOTNULL(a, aep, VCC_ACL_E_MAGIC); |
| 115 |
6 |
free(a->addr); |
| 116 |
6 |
FREE_OBJ(a); |
| 117 |
6 |
} |
| 118 |
|
|
| 119 |
|
static enum acl_cmp_e |
| 120 |
495 |
vcl_acl_cmp(const struct acl_e *ae1, const struct acl_e *ae2) |
| 121 |
|
{ |
| 122 |
|
const unsigned char *p1, *p2; |
| 123 |
|
unsigned m; |
| 124 |
|
unsigned char a1, a2; |
| 125 |
|
|
| 126 |
495 |
CHECK_OBJ_NOTNULL(ae1, VCC_ACL_E_MAGIC); |
| 127 |
495 |
CHECK_OBJ_NOTNULL(ae2, VCC_ACL_E_MAGIC); |
| 128 |
|
|
| 129 |
495 |
p1 = ae1->data; |
| 130 |
495 |
p2 = ae2->data; |
| 131 |
495 |
m = vmin_t(unsigned, ae1->mask, ae2->mask); |
| 132 |
2573 |
for (; m >= 8; m -= 8) { |
| 133 |
2351 |
if (m == 8 && ae1->mask == ae2->mask) |
| 134 |
39 |
CMPA(*p1, *p2); |
| 135 |
4420 |
CMP(ACL_GT, *p1, *p2); |
| 136 |
2078 |
p1++; |
| 137 |
2078 |
p2++; |
| 138 |
2078 |
} |
| 139 |
222 |
if (m) { |
| 140 |
212 |
assert (m < 8); |
| 141 |
212 |
a1 = *p1 >> (8 - m); |
| 142 |
212 |
a2 = *p2 >> (8 - m); |
| 143 |
212 |
if (ae1->mask == ae2->mask) |
| 144 |
68 |
CMPA(a1, a2); |
| 145 |
284 |
CMP(ACL_GT, a1, a2); |
| 146 |
98 |
} else if (ae1->mask == ae2->mask) { |
| 147 |
10 |
CMPA(*p1, *p2); |
| 148 |
5 |
} |
| 149 |
|
/* Long mask is less than short mask */ |
| 150 |
104 |
CMP(ACL_CONTAINS, ae2->mask, ae1->mask); |
| 151 |
|
|
| 152 |
6 |
return (ACL_EQ); |
| 153 |
495 |
} |
| 154 |
|
|
| 155 |
|
static int |
| 156 |
117 |
vcl_acl_disjoint(const struct acl_e *ae1, const struct acl_e *ae2) |
| 157 |
|
{ |
| 158 |
|
const unsigned char *p1, *p2; |
| 159 |
|
unsigned m; |
| 160 |
|
|
| 161 |
117 |
CHECK_OBJ_NOTNULL(ae1, VCC_ACL_E_MAGIC); |
| 162 |
117 |
CHECK_OBJ_NOTNULL(ae2, VCC_ACL_E_MAGIC); |
| 163 |
|
|
| 164 |
117 |
p1 = ae1->data; |
| 165 |
117 |
p2 = ae2->data; |
| 166 |
117 |
m = vmin_t(unsigned, ae1->mask, ae2->mask); |
| 167 |
884 |
for (; m >= 8; m -= 8) { |
| 168 |
1564 |
CMP(ACL_GT, *p1, *p2); |
| 169 |
767 |
p1++; |
| 170 |
767 |
p2++; |
| 171 |
767 |
} |
| 172 |
87 |
if (m) { |
| 173 |
80 |
m = 0xff00 >> m; |
| 174 |
80 |
m &= 0xff; |
| 175 |
151 |
CMP(ACL_GT, *p1 & m, *p2 & m); |
| 176 |
71 |
} |
| 177 |
78 |
return (0); |
| 178 |
117 |
} |
| 179 |
|
|
| 180 |
353 |
VRBT_GENERATE_INSERT_COLOR(acl_tree, acl_e, branch, static) |
| 181 |
173 |
VRBT_GENERATE_INSERT_FINISH(acl_tree, acl_e, branch, static) |
| 182 |
618 |
VRBT_GENERATE_INSERT(acl_tree, acl_e, branch, vcl_acl_cmp, static) |
| 183 |
29 |
VRBT_GENERATE_REMOVE_COLOR(acl_tree, acl_e, branch, static) |
| 184 |
49 |
VRBT_GENERATE_REMOVE(acl_tree, acl_e, branch, static) |
| 185 |
176 |
VRBT_GENERATE_MINMAX(acl_tree, acl_e, branch, static) |
| 186 |
448 |
VRBT_GENERATE_NEXT(acl_tree, acl_e, branch, static) |
| 187 |
279 |
VRBT_GENERATE_PREV(acl_tree, acl_e, branch, static) |
| 188 |
|
|
| 189 |
|
static char * |
| 190 |
170 |
vcc_acl_chk(struct vcc *tl, const struct acl_e *ae, const int l, |
| 191 |
|
unsigned char *p, int fam) |
| 192 |
|
{ |
| 193 |
|
const unsigned char *u; |
| 194 |
|
char h[VTCP_ADDRBUFSIZE]; |
| 195 |
|
char t[VTCP_ADDRBUFSIZE + 10]; |
| 196 |
170 |
char s[vsa_suckaddr_len]; |
| 197 |
170 |
char *r = NULL; |
| 198 |
|
const struct suckaddr *sa; |
| 199 |
|
unsigned m; |
| 200 |
170 |
int ll, ret = 0; |
| 201 |
|
|
| 202 |
170 |
u = p; |
| 203 |
170 |
ll = l; |
| 204 |
170 |
m = ae->mask; |
| 205 |
|
|
| 206 |
170 |
p += m / 8; |
| 207 |
170 |
ll -= m / 8; |
| 208 |
170 |
assert (ll >= 0); |
| 209 |
170 |
m %= 8; |
| 210 |
|
|
| 211 |
170 |
if (m && ((unsigned)*p << m & 0xff) != 0) { |
| 212 |
4 |
ret = 1; |
| 213 |
4 |
m = 0xff00 >> m; |
| 214 |
4 |
*p &= m; |
| 215 |
4 |
} |
| 216 |
170 |
if (m) { |
| 217 |
95 |
p++; |
| 218 |
95 |
ll--; |
| 219 |
95 |
} |
| 220 |
|
|
| 221 |
318 |
for ( ; ll > 0; p++, ll--) { |
| 222 |
148 |
if (*p == 0) |
| 223 |
143 |
continue; |
| 224 |
5 |
ret = 1; |
| 225 |
5 |
*p = 0; |
| 226 |
5 |
} |
| 227 |
170 |
if (ret == 0) |
| 228 |
161 |
return (NULL); |
| 229 |
|
|
| 230 |
9 |
sa = VSA_BuildFAP(s, fam, u, l, NULL, 0); |
| 231 |
9 |
AN(sa); |
| 232 |
9 |
VTCP_name(sa, h, sizeof h, NULL, 0); |
| 233 |
9 |
bprintf(t, "%s/%d", h, ae->mask); |
| 234 |
9 |
if (tl->acl->flag_pedantic != 0) { |
| 235 |
2 |
VSB_cat(tl->sb, "Non-zero bits in masked part, "); |
| 236 |
2 |
VSB_printf(tl->sb, "(maybe use %s ?)\n", t); |
| 237 |
2 |
vcc_ErrWhere(tl, ae->t_addr); |
| 238 |
2 |
} |
| 239 |
9 |
REPLACE(r, t); |
| 240 |
9 |
return (r); |
| 241 |
170 |
} |
| 242 |
|
|
| 243 |
|
static void |
| 244 |
44 |
vcl_acl_fold(struct vcc *tl, struct acl_e **l, struct acl_e **r) |
| 245 |
|
{ |
| 246 |
|
enum acl_cmp_e cmp; |
| 247 |
|
|
| 248 |
44 |
AN(l); |
| 249 |
44 |
AN(r); |
| 250 |
44 |
CHECK_OBJ_NOTNULL(*l, VCC_ACL_E_MAGIC); |
| 251 |
44 |
CHECK_OBJ_NOTNULL(*r, VCC_ACL_E_MAGIC); |
| 252 |
|
|
| 253 |
44 |
if ((*l)->not || (*r)->not) |
| 254 |
0 |
return; |
| 255 |
|
|
| 256 |
44 |
cmp = vcl_acl_cmp(*l, *r); |
| 257 |
|
|
| 258 |
44 |
assert(cmp < 0); |
| 259 |
44 |
if (cmp == ACL_LT) |
| 260 |
29 |
return; |
| 261 |
|
|
| 262 |
15 |
do { |
| 263 |
16 |
switch (cmp) { |
| 264 |
|
case ACL_CONTAINED: |
| 265 |
7 |
VSB_cat(tl->sb, "ACL entry:\n"); |
| 266 |
7 |
vcc_ErrWhere(tl, (*r)->t_addr); |
| 267 |
7 |
VSB_cat(tl->sb, "supersedes / removes:\n"); |
| 268 |
7 |
vcc_ErrWhere(tl, (*l)->t_addr); |
| 269 |
7 |
vcc_Warn(tl); |
| 270 |
7 |
VRBT_REMOVE(acl_tree, &tl->acl->acl_tree, *l); |
| 271 |
7 |
FREE_OBJ(*l); |
| 272 |
7 |
*l = VRBT_PREV(acl_tree, &tl->acl->acl_tree, *r); |
| 273 |
7 |
break; |
| 274 |
|
case ACL_LEFT: |
| 275 |
9 |
(*l)->mask--; |
| 276 |
9 |
(*l)->fixed = "folded"; |
| 277 |
9 |
VSB_cat(tl->sb, "ACL entry:\n"); |
| 278 |
9 |
vcc_ErrWhere(tl, (*l)->t_addr); |
| 279 |
9 |
VSB_cat(tl->sb, "left of:\n"); |
| 280 |
9 |
vcc_ErrWhere(tl, (*r)->t_addr); |
| 281 |
18 |
VSB_printf(tl->sb, "removing the latter and expanding " |
| 282 |
|
"mask of the former by one to /%u\n", |
| 283 |
9 |
(*l)->mask - 8); |
| 284 |
9 |
vcc_Warn(tl); |
| 285 |
9 |
VRBT_REMOVE(acl_tree, &tl->acl->acl_tree, *r); |
| 286 |
9 |
FREE_OBJ(*r); |
| 287 |
9 |
VRBT_REMOVE(acl_tree, &tl->acl->acl_tree, *l); |
| 288 |
9 |
vcc_acl_insert_entry(tl, l); |
| 289 |
9 |
return; |
| 290 |
|
default: |
| 291 |
0 |
INCOMPL(); |
| 292 |
0 |
} |
| 293 |
7 |
if (*l == NULL || *r == NULL) |
| 294 |
1 |
break; |
| 295 |
6 |
cmp = vcl_acl_cmp(*l, *r); |
| 296 |
6 |
} while (cmp != ACL_LT); |
| 297 |
44 |
} |
| 298 |
|
|
| 299 |
|
static void |
| 300 |
179 |
vcc_acl_insert_entry(struct vcc *tl, struct acl_e **aenp) |
| 301 |
|
{ |
| 302 |
|
struct acl_e *ae2, *l, *r; |
| 303 |
|
|
| 304 |
179 |
CHECK_OBJ_NOTNULL(*aenp, VCC_ACL_E_MAGIC); |
| 305 |
179 |
ae2 = VRBT_INSERT(acl_tree, &tl->acl->acl_tree, *aenp); |
| 306 |
179 |
if (ae2 != NULL) { |
| 307 |
6 |
if (ae2->not != (*aenp)->not) { |
| 308 |
1 |
VSB_cat(tl->sb, "Conflicting ACL entries:\n"); |
| 309 |
1 |
vcc_ErrWhere(tl, ae2->t_addr); |
| 310 |
1 |
VSB_cat(tl->sb, "vs:\n"); |
| 311 |
1 |
vcc_ErrWhere(tl, (*aenp)->t_addr); |
| 312 |
1 |
} |
| 313 |
6 |
return; |
| 314 |
|
} |
| 315 |
|
|
| 316 |
173 |
r = *aenp; |
| 317 |
173 |
*aenp = NULL; |
| 318 |
|
|
| 319 |
173 |
if (tl->acl->flag_fold == 0) |
| 320 |
136 |
return; |
| 321 |
|
|
| 322 |
37 |
l = VRBT_PREV(acl_tree, &tl->acl->acl_tree, r); |
| 323 |
37 |
if (l != NULL) { |
| 324 |
35 |
vcl_acl_fold(tl, &l, &r); |
| 325 |
35 |
} |
| 326 |
37 |
if (r == NULL) |
| 327 |
8 |
return; |
| 328 |
29 |
l = r; |
| 329 |
29 |
r = VRBT_NEXT(acl_tree, &tl->acl->acl_tree, l); |
| 330 |
29 |
if (r == NULL) |
| 331 |
20 |
return; |
| 332 |
9 |
vcl_acl_fold(tl, &l, &r); |
| 333 |
179 |
} |
| 334 |
|
|
| 335 |
|
static void |
| 336 |
172 |
vcc_acl_add_entry(struct vcc *tl, const struct acl_e *ae, int l, |
| 337 |
|
unsigned char *u, int fam) |
| 338 |
|
{ |
| 339 |
|
struct acl_e *aen; |
| 340 |
|
|
| 341 |
172 |
if (fam == PF_INET && ae->mask > 32) { |
| 342 |
2 |
VSB_printf(tl->sb, |
| 343 |
1 |
"Too wide mask (/%u) for IPv4 address\n", ae->mask); |
| 344 |
1 |
if (ae->t_mask != NULL) |
| 345 |
1 |
vcc_ErrWhere(tl, ae->t_mask); |
| 346 |
|
else |
| 347 |
0 |
vcc_ErrWhere(tl, ae->t_addr); |
| 348 |
1 |
return; |
| 349 |
|
} |
| 350 |
171 |
if (fam == PF_INET6 && ae->mask > 128) { |
| 351 |
2 |
VSB_printf(tl->sb, |
| 352 |
1 |
"Too wide mask (/%u) for IPv6 address\n", ae->mask); |
| 353 |
1 |
vcc_ErrWhere(tl, ae->t_mask); |
| 354 |
1 |
return; |
| 355 |
|
} |
| 356 |
|
|
| 357 |
|
/* Make a copy from the template */ |
| 358 |
170 |
ALLOC_OBJ(aen, VCC_ACL_E_MAGIC); |
| 359 |
170 |
AN(aen); |
| 360 |
170 |
*aen = *ae; |
| 361 |
170 |
aen->addr = strdup(ae->addr); |
| 362 |
170 |
AN(aen->addr); |
| 363 |
|
|
| 364 |
170 |
aen->fixed = vcc_acl_chk(tl, ae, l, u, fam); |
| 365 |
|
|
| 366 |
|
/* We treat family as part of address, it saves code */ |
| 367 |
170 |
assert(fam <= 0xff); |
| 368 |
170 |
aen->data[0] = fam & 0xff; |
| 369 |
170 |
aen->mask += 8; |
| 370 |
|
|
| 371 |
170 |
assert(l + 1UL <= sizeof aen->data); |
| 372 |
170 |
memcpy(aen->data + 1L, u, l); |
| 373 |
|
|
| 374 |
170 |
vcc_acl_insert_entry(tl, &aen); |
| 375 |
170 |
if (aen != NULL) |
| 376 |
6 |
vcl_acl_free(&aen); |
| 377 |
172 |
} |
| 378 |
|
|
| 379 |
|
static void |
| 380 |
57 |
vcc_acl_try_getaddrinfo(struct vcc *tl, struct acl_e *ae) |
| 381 |
|
{ |
| 382 |
|
struct addrinfo *res0, *res, hint; |
| 383 |
|
struct sockaddr_in *sin4; |
| 384 |
|
struct sockaddr_in6 *sin6; |
| 385 |
|
unsigned char *u, i4, i6; |
| 386 |
|
int error; |
| 387 |
|
|
| 388 |
57 |
CHECK_OBJ_NOTNULL(ae, VCC_ACL_E_MAGIC); |
| 389 |
57 |
memset(&hint, 0, sizeof hint); |
| 390 |
57 |
hint.ai_family = PF_UNSPEC; |
| 391 |
57 |
hint.ai_socktype = SOCK_STREAM; |
| 392 |
57 |
error = getaddrinfo(ae->addr, "0", &hint, &res0); |
| 393 |
57 |
if (error) { |
| 394 |
4 |
if (ae->para) { |
| 395 |
4 |
VSB_printf(tl->sb, |
| 396 |
|
"Warning: %s ignored\n -- %s\n", |
| 397 |
2 |
ae->addr, gai_strerror(error)); |
| 398 |
4 |
Fh(tl, 1, "/* Ignored ACL entry: %s%s", |
| 399 |
2 |
ae->para ? "\"(\" " : "", ae->not ? "\"!\" " : ""); |
| 400 |
2 |
EncToken(tl->fh, ae->t_addr); |
| 401 |
2 |
if (ae->t_mask) |
| 402 |
1 |
Fh(tl, 0, "/%u", ae->mask); |
| 403 |
2 |
Fh(tl, 0, "%s\n", ae->para ? " \")\"" : ""); |
| 404 |
4 |
Fh(tl, 1, " * getaddrinfo: %s */\n", |
| 405 |
2 |
gai_strerror(error)); |
| 406 |
2 |
} else { |
| 407 |
4 |
VSB_printf(tl->sb, |
| 408 |
|
"DNS lookup(%s): %s\n", |
| 409 |
2 |
ae->addr, gai_strerror(error)); |
| 410 |
2 |
vcc_ErrWhere(tl, ae->t_addr); |
| 411 |
|
} |
| 412 |
4 |
return; |
| 413 |
|
} |
| 414 |
|
|
| 415 |
53 |
i4 = i6 = 0; |
| 416 |
108 |
for (res = res0; res != NULL; res = res->ai_next) { |
| 417 |
55 |
switch (res->ai_family) { |
| 418 |
|
case PF_INET: |
| 419 |
2 |
i4++; |
| 420 |
2 |
break; |
| 421 |
|
case PF_INET6: |
| 422 |
53 |
i6++; |
| 423 |
53 |
break; |
| 424 |
|
default: |
| 425 |
0 |
VSB_printf(tl->sb, |
| 426 |
|
"Ignoring unknown protocol family (%d) for %.*s\n", |
| 427 |
0 |
res->ai_family, PF(ae->t_addr)); |
| 428 |
0 |
continue; |
| 429 |
|
} |
| 430 |
55 |
} |
| 431 |
|
|
| 432 |
53 |
if (ae->t_mask != NULL && i4 > 0 && i6 > 0) { |
| 433 |
0 |
VSB_printf(tl->sb, |
| 434 |
|
"Mask (/%u) specified, but string resolves to" |
| 435 |
0 |
" both IPv4 and IPv6 addresses.\n", ae->mask); |
| 436 |
0 |
vcc_ErrWhere(tl, ae->t_mask); |
| 437 |
0 |
freeaddrinfo(res0); |
| 438 |
0 |
return; |
| 439 |
|
} |
| 440 |
|
|
| 441 |
106 |
for (res = res0; res != NULL; res = res->ai_next) { |
| 442 |
55 |
switch (res->ai_family) { |
| 443 |
|
case PF_INET: |
| 444 |
2 |
assert(PF_INET < 256); |
| 445 |
2 |
sin4 = (void*)res->ai_addr; |
| 446 |
2 |
assert(sizeof(sin4->sin_addr) == 4); |
| 447 |
2 |
u = (void*)&sin4->sin_addr; |
| 448 |
2 |
if (ae->t_mask == NULL) |
| 449 |
2 |
ae->mask = 32; |
| 450 |
2 |
vcc_acl_add_entry(tl, ae, 4, u, res->ai_family); |
| 451 |
2 |
break; |
| 452 |
|
case PF_INET6: |
| 453 |
53 |
assert(PF_INET6 < 256); |
| 454 |
53 |
sin6 = (void*)res->ai_addr; |
| 455 |
53 |
assert(sizeof(sin6->sin6_addr) == 16); |
| 456 |
53 |
u = (void*)&sin6->sin6_addr; |
| 457 |
53 |
if (ae->t_mask == NULL) |
| 458 |
8 |
ae->mask = 128; |
| 459 |
53 |
vcc_acl_add_entry(tl, ae, 16, u, res->ai_family); |
| 460 |
53 |
break; |
| 461 |
|
default: |
| 462 |
0 |
continue; |
| 463 |
|
} |
| 464 |
55 |
if (tl->err) |
| 465 |
2 |
freeaddrinfo(res0); |
| 466 |
55 |
ERRCHK(tl); |
| 467 |
53 |
} |
| 468 |
51 |
freeaddrinfo(res0); |
| 469 |
|
|
| 470 |
57 |
} |
| 471 |
|
|
| 472 |
|
/*-------------------------------------------------------------------- |
| 473 |
|
* Ancient stupidity on the part of X/Open and other standards orgs |
| 474 |
|
* dictate that "192.168" be translated to 192.0.0.168. Ever since |
| 475 |
|
* CIDR happened, "192.168/16" notation has been used, but apparently |
| 476 |
|
* no API supports parsing this, so roll our own. |
| 477 |
|
*/ |
| 478 |
|
|
| 479 |
|
static int |
| 480 |
174 |
vcc_acl_try_netnotation(struct vcc *tl, struct acl_e *ae) |
| 481 |
|
{ |
| 482 |
|
unsigned char b[4]; |
| 483 |
|
int i, j, k; |
| 484 |
|
unsigned u; |
| 485 |
|
const char *p; |
| 486 |
|
|
| 487 |
174 |
CHECK_OBJ_NOTNULL(ae, VCC_ACL_E_MAGIC); |
| 488 |
174 |
memset(b, 0, sizeof b); |
| 489 |
174 |
p = ae->addr; |
| 490 |
506 |
for (i = 0; i < 4; i++) { |
| 491 |
506 |
j = sscanf(p, "%u%n", &u, &k); |
| 492 |
506 |
if (j != 1) |
| 493 |
52 |
return (0); |
| 494 |
454 |
if (u & ~0xff) |
| 495 |
2 |
return (0); |
| 496 |
452 |
b[i] = (unsigned char)u; |
| 497 |
452 |
if (p[k] == '\0') |
| 498 |
117 |
break; |
| 499 |
335 |
if (p[k] != '.') |
| 500 |
3 |
return (0); |
| 501 |
332 |
p += k + 1; |
| 502 |
332 |
} |
| 503 |
117 |
if (ae->t_mask == NULL) |
| 504 |
28 |
ae->mask = 8 + 8 * i; |
| 505 |
117 |
vcc_acl_add_entry(tl, ae, 4, b, AF_INET); |
| 506 |
117 |
return (1); |
| 507 |
174 |
} |
| 508 |
|
|
| 509 |
|
static void |
| 510 |
178 |
vcc_acl_entry(struct vcc *tl) |
| 511 |
|
{ |
| 512 |
|
struct acl_e ae[1]; |
| 513 |
|
char *sl, *e; |
| 514 |
|
|
| 515 |
178 |
INIT_OBJ(ae, VCC_ACL_E_MAGIC); |
| 516 |
|
|
| 517 |
178 |
if (tl->t->tok == '!') { |
| 518 |
40 |
ae->not = 1; |
| 519 |
40 |
vcc_NextToken(tl); |
| 520 |
40 |
} |
| 521 |
|
|
| 522 |
178 |
if (tl->t->tok == '(') { |
| 523 |
3 |
ae->para = 1; |
| 524 |
3 |
vcc_NextToken(tl); |
| 525 |
3 |
} |
| 526 |
|
|
| 527 |
178 |
if (!ae->not && tl->t->tok == '!') { |
| 528 |
1 |
ae->not = 1; |
| 529 |
1 |
vcc_NextToken(tl); |
| 530 |
1 |
} |
| 531 |
|
|
| 532 |
178 |
ExpectErr(tl, CSTR); |
| 533 |
178 |
ae->t_addr = tl->t; |
| 534 |
178 |
ae->addr = ae->t_addr->dec; |
| 535 |
178 |
vcc_NextToken(tl); |
| 536 |
|
|
| 537 |
178 |
if (strchr(ae->t_addr->dec, '/') != NULL) { |
| 538 |
3 |
sl = strchr(ae->addr, '/'); |
| 539 |
3 |
AN(sl); |
| 540 |
3 |
*sl++ = '\0'; |
| 541 |
3 |
e = NULL; |
| 542 |
3 |
ae->mask = strtoul(sl, &e, 10); |
| 543 |
3 |
if (*e != '\0') { |
| 544 |
2 |
VSB_cat(tl->sb, ".../mask is not numeric.\n"); |
| 545 |
2 |
vcc_ErrWhere(tl, ae->t_addr); |
| 546 |
2 |
return; |
| 547 |
|
} |
| 548 |
1 |
ae->t_mask = ae->t_addr; |
| 549 |
1 |
if (tl->t->tok == '/') { |
| 550 |
1 |
VSB_cat(tl->sb, "/mask only allowed once.\n"); |
| 551 |
1 |
vcc_ErrWhere(tl, tl->t); |
| 552 |
1 |
return; |
| 553 |
|
} |
| 554 |
175 |
} else if (tl->t->tok == '/') { |
| 555 |
135 |
vcc_NextToken(tl); |
| 556 |
135 |
ae->t_mask = tl->t; |
| 557 |
135 |
ExpectErr(tl, CNUM); |
| 558 |
135 |
ae->mask = vcc_UintVal(tl); |
| 559 |
135 |
} |
| 560 |
|
|
| 561 |
175 |
if (ae->para) |
| 562 |
3 |
SkipToken(tl, ')'); |
| 563 |
|
|
| 564 |
174 |
if (!vcc_acl_try_netnotation(tl, ae)) { |
| 565 |
57 |
ERRCHK(tl); |
| 566 |
57 |
vcc_acl_try_getaddrinfo(tl, ae); |
| 567 |
57 |
} |
| 568 |
174 |
ERRCHK(tl); |
| 569 |
178 |
} |
| 570 |
|
|
| 571 |
|
/********************************************************************* |
| 572 |
|
* Emit the tokens making up an entry as C-strings |
| 573 |
|
*/ |
| 574 |
|
|
| 575 |
|
static void |
| 576 |
51 |
vcc_acl_emit_tokens(const struct vcc *tl, const struct acl_e *ae) |
| 577 |
|
{ |
| 578 |
|
struct token *t; |
| 579 |
51 |
const char *sep = ""; |
| 580 |
|
|
| 581 |
51 |
CHECK_OBJ_NOTNULL(ae, VCC_ACL_E_MAGIC); |
| 582 |
51 |
t = ae->t_addr; |
| 583 |
51 |
do { |
| 584 |
149 |
if (t->tok == CSTR) { |
| 585 |
51 |
Fh(tl, 0, "%s\"\\\"\" ", sep); |
| 586 |
51 |
EncToken(tl->fh, t); |
| 587 |
51 |
Fh(tl, 0, " \"\\\"\""); |
| 588 |
149 |
} else if (t == ae->t_mask) { |
| 589 |
49 |
Fh(tl, 0, " \"%u\"", ae->mask - 8); |
| 590 |
49 |
} else { |
| 591 |
49 |
Fh(tl, 0, "%s\"%.*s\"", sep, PF(t)); |
| 592 |
|
} |
| 593 |
149 |
if (t == ae->t_mask) |
| 594 |
49 |
break; |
| 595 |
100 |
t = vcc_PeekTokenFrom(tl, t); |
| 596 |
100 |
AN(t); |
| 597 |
100 |
sep = " "; |
| 598 |
100 |
} while (ae->t_mask != NULL); |
| 599 |
51 |
if (ae->fixed) |
| 600 |
10 |
Fh(tl, 0, "\" fixed: %s\"", ae->fixed); |
| 601 |
51 |
} |
| 602 |
|
|
| 603 |
|
/********************************************************************* |
| 604 |
|
* Emit ACL on table format |
| 605 |
|
*/ |
| 606 |
|
|
| 607 |
|
static unsigned |
| 608 |
2 |
vcc_acl_emit_tables(const struct vcc *tl, unsigned n, const char *name) |
| 609 |
|
{ |
| 610 |
|
struct acl_e *ae; |
| 611 |
2 |
unsigned rv = sizeof(ae->data) + 3; |
| 612 |
2 |
unsigned nn = 0; |
| 613 |
|
size_t sz; |
| 614 |
|
|
| 615 |
4 |
Fh(tl, 0, "\nstatic unsigned char acl_tbl_%s[%u*%u] = {\n", |
| 616 |
2 |
name, n, rv); |
| 617 |
50 |
VRBT_FOREACH(ae, acl_tree, &tl->acl->acl_tree) { |
| 618 |
48 |
if (ae->overlapped) |
| 619 |
40 |
continue; |
| 620 |
8 |
Fh(tl, 0, "\t0x%02x,", ae->not ? 0 : 1); |
| 621 |
8 |
Fh(tl, 0, "0x%02x,", (ae->mask >> 3) - 1); |
| 622 |
8 |
Fh(tl, 0, "0x%02x,", (0xff00 >> (ae->mask & 7)) & 0xff); |
| 623 |
144 |
for (sz = 0; sz < sizeof(ae->data); sz++) |
| 624 |
136 |
Fh(tl, 0, "0x%02x,", ae->data[sz]); |
| 625 |
8 |
for (; sz < rv - 3; sz++) |
| 626 |
0 |
Fh(tl, 0, "0,"); |
| 627 |
8 |
Fh(tl, 0, "\n"); |
| 628 |
8 |
nn++; |
| 629 |
8 |
} |
| 630 |
2 |
assert(n == nn); |
| 631 |
2 |
Fh(tl, 0, "};\n"); |
| 632 |
2 |
if (tl->acl->flag_log) { |
| 633 |
2 |
Fh(tl, 0, "\nstatic const char *acl_str_%s[%d] = {\n", |
| 634 |
1 |
name, n); |
| 635 |
25 |
VRBT_FOREACH(ae, acl_tree, &tl->acl->acl_tree) { |
| 636 |
24 |
if (ae->overlapped) |
| 637 |
20 |
continue; |
| 638 |
4 |
Fh(tl, 0, "\t"); |
| 639 |
8 |
Fh(tl, 0, "\"%sMATCH %s \" ", |
| 640 |
4 |
ae->not ? "NEG_" : "", name); |
| 641 |
4 |
vcc_acl_emit_tokens(tl, ae); |
| 642 |
4 |
Fh(tl, 0, ",\n"); |
| 643 |
4 |
} |
| 644 |
1 |
Fh(tl, 0, "};\n"); |
| 645 |
1 |
} |
| 646 |
2 |
return (rv); |
| 647 |
|
} |
| 648 |
|
|
| 649 |
|
/********************************************************************* |
| 650 |
|
* Emit a function to match the ACL we have collected |
| 651 |
|
*/ |
| 652 |
|
|
| 653 |
|
static void |
| 654 |
28 |
vcc_acl_emit(struct vcc *tl, const struct symbol *sym) |
| 655 |
|
{ |
| 656 |
|
struct acl_e *ae, *ae2; |
| 657 |
|
int depth, l, m, i; |
| 658 |
|
unsigned at[ACL_MAXADDR]; |
| 659 |
28 |
struct inifin *ifp = NULL; |
| 660 |
|
struct vsb *func; |
| 661 |
28 |
unsigned n, no, nw = 0; |
| 662 |
|
|
| 663 |
28 |
func = VSB_new_auto(); |
| 664 |
28 |
AN(func); |
| 665 |
28 |
VSB_cat(func, "match_acl_"); |
| 666 |
28 |
VCC_PrintCName(func, sym->name, NULL); |
| 667 |
28 |
AZ(VSB_finish(func)); |
| 668 |
|
|
| 669 |
28 |
depth = -1; |
| 670 |
28 |
at[0] = 256; |
| 671 |
28 |
ae2 = NULL; |
| 672 |
28 |
n = no = 0; |
| 673 |
172 |
VRBT_FOREACH_REVERSE(ae, acl_tree, &tl->acl->acl_tree) { |
| 674 |
144 |
n++; |
| 675 |
144 |
if (ae2 == NULL) { |
| 676 |
27 |
ae2 = ae; |
| 677 |
144 |
} else if (vcl_acl_disjoint(ae, ae2)) { |
| 678 |
39 |
ae2 = ae; |
| 679 |
39 |
} else { |
| 680 |
78 |
no++; |
| 681 |
78 |
ae->overlapped = 1; |
| 682 |
|
} |
| 683 |
144 |
} |
| 684 |
|
|
| 685 |
28 |
Fh(tl, 0, "/* acl_n_%s n %u no %u */\n", sym->name, n, no); |
| 686 |
28 |
if (n - no < (1<<1)) |
| 687 |
15 |
no = n; |
| 688 |
13 |
else if (!tl->acl->flag_table) |
| 689 |
11 |
no = n; |
| 690 |
|
|
| 691 |
28 |
if (no < n) |
| 692 |
2 |
nw = vcc_acl_emit_tables(tl, n - no, sym->name); |
| 693 |
|
|
| 694 |
|
|
| 695 |
28 |
Fh(tl, 0, "\nstatic int v_matchproto_(acl_match_f)\n"); |
| 696 |
28 |
Fh(tl, 0, "%s(VRT_CTX, const VCL_IP p)\n", VSB_data(func)); |
| 697 |
28 |
Fh(tl, 0, "{\n"); |
| 698 |
28 |
Fh(tl, 0, "\tconst unsigned char *a;\n"); |
| 699 |
28 |
Fh(tl, 0, "\tint fam;\n"); |
| 700 |
28 |
Fh(tl, 0, "\n"); |
| 701 |
28 |
Fh(tl, 0, "\tfam = VRT_VSA_GetPtr(ctx, p, &a);\n"); |
| 702 |
28 |
Fh(tl, 0, "\tif (fam < 0) {\n"); |
| 703 |
28 |
Fh(tl, 0, "\t\tVRT_fail(ctx,"); |
| 704 |
28 |
Fh(tl, 0, " \"ACL %s: no protocol family\");\n", sym->name); |
| 705 |
28 |
Fh(tl, 0, "\t\treturn(0);\n"); |
| 706 |
28 |
Fh(tl, 0, "\t}\n\n"); |
| 707 |
28 |
if (!tl->err_unref) { |
| 708 |
2 |
ifp = New_IniFin(tl); |
| 709 |
4 |
VSB_printf(ifp->ini, |
| 710 |
2 |
"\t(void)%s;\n", VSB_data(func)); |
| 711 |
2 |
} |
| 712 |
|
|
| 713 |
172 |
VRBT_FOREACH(ae, acl_tree, &tl->acl->acl_tree) { |
| 714 |
|
|
| 715 |
144 |
if (no < n && !ae->overlapped) |
| 716 |
8 |
continue; |
| 717 |
|
|
| 718 |
|
/* Find how much common prefix we have */ |
| 719 |
828 |
for (l = 0; l <= depth && l * 8 < (int)ae->mask - 7; l++) { |
| 720 |
740 |
assert(l >= 0); |
| 721 |
740 |
if (ae->data[l] != at[l]) |
| 722 |
48 |
break; |
| 723 |
692 |
} |
| 724 |
|
|
| 725 |
|
/* Back down, if necessary */ |
| 726 |
314 |
while (l <= depth) { |
| 727 |
178 |
Fh(tl, 0, "\t%*s}\n", -depth, ""); |
| 728 |
178 |
depth--; |
| 729 |
|
} |
| 730 |
|
|
| 731 |
136 |
m = (int)ae->mask; |
| 732 |
136 |
assert(m >= l*8); |
| 733 |
136 |
m -= l * 8; |
| 734 |
|
|
| 735 |
|
/* Do whole byte compares */ |
| 736 |
482 |
for (i = l; m >= 8; m -= 8, i++) { |
| 737 |
346 |
if (i == 0) |
| 738 |
78 |
Fh(tl, 0, "\t%*s%sif (fam == %d) {\n", |
| 739 |
39 |
-i, "", "", ae->data[i]); |
| 740 |
|
else |
| 741 |
614 |
Fh(tl, 0, "\t%*s%sif (a[%d] == %d) {\n", |
| 742 |
307 |
-i, "", "", i - 1, ae->data[i]); |
| 743 |
346 |
at[i] = ae->data[i]; |
| 744 |
346 |
depth = i; |
| 745 |
346 |
} |
| 746 |
|
|
| 747 |
136 |
if (m > 0) { |
| 748 |
|
// XXX can remove masking due to fixup |
| 749 |
|
/* Do fractional byte compares */ |
| 750 |
152 |
Fh(tl, 0, "\t%*s%sif ((a[%d] & 0x%x) == %d) {\n", |
| 751 |
76 |
-i, "", "", i - 1, (0xff00 >> m) & 0xff, |
| 752 |
76 |
ae->data[i] & ((0xff00 >> m) & 0xff)); |
| 753 |
76 |
at[i] = 256; |
| 754 |
76 |
depth = i; |
| 755 |
76 |
} |
| 756 |
|
|
| 757 |
136 |
i = ((int)ae->mask + 7) / 8; |
| 758 |
|
|
| 759 |
136 |
if (tl->acl->flag_log) { |
| 760 |
94 |
Fh(tl, 0, "\t%*sVPI_acl_log(ctx, \"%sMATCH %s \" ", |
| 761 |
47 |
-i, "", ae->not ? "NEG_" : "", sym->name); |
| 762 |
47 |
vcc_acl_emit_tokens(tl, ae); |
| 763 |
47 |
Fh(tl, 0, ");\n"); |
| 764 |
47 |
} |
| 765 |
|
|
| 766 |
136 |
Fh(tl, 0, "\t%*sreturn (%d);\n", -i, "", ae->not ? 0 : 1); |
| 767 |
136 |
} |
| 768 |
|
|
| 769 |
|
/* Unwind */ |
| 770 |
272 |
for (; 0 <= depth; depth--) |
| 771 |
244 |
Fh(tl, 0, "\t%*.*s}\n", depth, depth, ""); |
| 772 |
|
|
| 773 |
28 |
if (no < n) { |
| 774 |
2 |
Fh(tl, 0, "\treturn(\n\t VPI_acl_table(ctx,\n"); |
| 775 |
2 |
Fh(tl, 0, "\t\tp,\n"); |
| 776 |
2 |
Fh(tl, 0, "\t\t%u, %u,\n", n - no, nw); |
| 777 |
2 |
Fh(tl, 0, "\t\tacl_tbl_%s,\n", sym->name); |
| 778 |
2 |
if (tl->acl->flag_log) |
| 779 |
1 |
Fh(tl, 0, "\t\tacl_str_%s,\n", sym->name); |
| 780 |
|
else |
| 781 |
1 |
Fh(tl, 0, "\t\tNULL,\n"); |
| 782 |
2 |
Fh(tl, 0, "\t\t\"NO MATCH %s\"\n\t )\n\t);\n", sym->name); |
| 783 |
2 |
} else { |
| 784 |
|
/* Deny by default */ |
| 785 |
26 |
if (tl->acl->flag_log) |
| 786 |
6 |
Fh(tl, 0, "\tVPI_acl_log(ctx, \"NO_MATCH %s\");\n", |
| 787 |
3 |
sym->name); |
| 788 |
26 |
Fh(tl, 0, "\treturn(0);\n"); |
| 789 |
|
} |
| 790 |
28 |
Fh(tl, 0, "}\n"); |
| 791 |
|
|
| 792 |
|
/* Emit the struct that will be referenced */ |
| 793 |
28 |
Fh(tl, 0, "\nstatic const struct vrt_acl %s[] = {{\n", sym->rname); |
| 794 |
28 |
Fh(tl, 0, "\t.magic = VRT_ACL_MAGIC,\n"); |
| 795 |
28 |
Fh(tl, 0, "\t.match = &%s,\n", VSB_data(func)); |
| 796 |
28 |
Fh(tl, 0, "\t.name = \"%s\",\n", sym->name); |
| 797 |
28 |
Fh(tl, 0, "}};\n\n"); |
| 798 |
28 |
if (!tl->err_unref) { |
| 799 |
2 |
AN(ifp); |
| 800 |
2 |
VSB_printf(ifp->ini, "\t(void)%s;", sym->rname); |
| 801 |
2 |
} |
| 802 |
28 |
VSB_destroy(&func); |
| 803 |
28 |
} |
| 804 |
|
|
| 805 |
|
void |
| 806 |
43 |
vcc_ParseAcl(struct vcc *tl) |
| 807 |
|
{ |
| 808 |
|
struct symbol *sym; |
| 809 |
|
int sign; |
| 810 |
|
struct acl acl[1]; |
| 811 |
|
|
| 812 |
43 |
INIT_OBJ(acl, VCC_ACL_MAGIC); |
| 813 |
43 |
tl->acl = acl; |
| 814 |
43 |
acl->flag_pedantic = 1; |
| 815 |
43 |
vcc_NextToken(tl); |
| 816 |
43 |
VRBT_INIT(&acl->acl_tree); |
| 817 |
|
|
| 818 |
43 |
vcc_ExpectVid(tl, "ACL"); |
| 819 |
43 |
ERRCHK(tl); |
| 820 |
42 |
sym = VCC_HandleSymbol(tl, ACL); |
| 821 |
42 |
ERRCHK(tl); |
| 822 |
42 |
AN(sym); |
| 823 |
|
|
| 824 |
57 |
while (1) { |
| 825 |
57 |
sign = vcc_IsFlag(tl); |
| 826 |
57 |
if (tl->err) { |
| 827 |
1 |
VSB_cat(tl->sb, |
| 828 |
|
"Valid ACL flags are `log` and `table`:\n"); |
| 829 |
1 |
return; |
| 830 |
|
} |
| 831 |
56 |
if (sign < 0) |
| 832 |
40 |
break; |
| 833 |
16 |
if (vcc_IdIs(tl->t, "log")) { |
| 834 |
4 |
acl->flag_log = sign; |
| 835 |
4 |
vcc_NextToken(tl); |
| 836 |
16 |
} else if (vcc_IdIs(tl->t, "fold")) { |
| 837 |
1 |
acl->flag_fold = sign; |
| 838 |
1 |
vcc_NextToken(tl); |
| 839 |
12 |
} else if (vcc_IdIs(tl->t, "pedantic")) { |
| 840 |
8 |
acl->flag_pedantic = sign; |
| 841 |
8 |
vcc_NextToken(tl); |
| 842 |
11 |
} else if (vcc_IdIs(tl->t, "table")) { |
| 843 |
2 |
acl->flag_table = sign; |
| 844 |
2 |
vcc_NextToken(tl); |
| 845 |
2 |
} else { |
| 846 |
1 |
VSB_cat(tl->sb, "Unknown ACL flag:\n"); |
| 847 |
1 |
vcc_ErrWhere(tl, tl->t); |
| 848 |
1 |
return; |
| 849 |
|
} |
| 850 |
|
} |
| 851 |
|
|
| 852 |
40 |
SkipToken(tl, '{'); |
| 853 |
|
|
| 854 |
206 |
while (tl->t->tok != '}') { |
| 855 |
178 |
vcc_acl_entry(tl); |
| 856 |
178 |
ERRCHK(tl); |
| 857 |
167 |
SkipToken(tl, ';'); |
| 858 |
|
} |
| 859 |
28 |
SkipToken(tl, '}'); |
| 860 |
|
|
| 861 |
28 |
vcc_acl_emit(tl, sym); |
| 862 |
43 |
} |