varnish-cache/lib/libvcc/vcc_acl.c
0 
/*-
1 
 * Copyright (c) 2006 Verdens Gang AS
2 
 * Copyright (c) 2006-2010 Varnish Software AS
3 
 * All rights reserved.
4 
 *
5 
 * Author: Poul-Henning Kamp <phk@phk.freebsd.dk>
6 
 *
7 
 * SPDX-License-Identifier: BSD-2-Clause
8 
 *
9 
 * Redistribution and use in source and binary forms, with or without
10 
 * modification, are permitted provided that the following conditions
11 
 * are met:
12 
 * 1. Redistributions of source code must retain the above copyright
13 
 *    notice, this list of conditions and the following disclaimer.
14 
 * 2. Redistributions in binary form must reproduce the above copyright
15 
 *    notice, this list of conditions and the following disclaimer in the
16 
 *    documentation and/or other materials provided with the distribution.
17 
 *
18 
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19 
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 
 * ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
22 
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 
 * SUCH DAMAGE.
29 
 */
30 





31
  
  
#include "config.h"





32
  
  





33
  
  
#include <sys/socket.h>





34
  
  





35
  
  
#include <netinet/in.h>





36
  
  





37
  
  
#include <netdb.h>





38
  
  
#include <stdlib.h>





39
  
  
#include <string.h>





40
  
  





41
  
  
#include "vcc_compile.h"





42
  
  
#include <vtcp.h>





43
  
  
#include <vtree.h>





44
  
  
#include <vsa.h>





45
  
  





46
  
  
#define ACL_MAXADDR     (sizeof(struct in6_addr) + 1)





47
  
  





48
  
  
VRBT_HEAD(acl_tree, acl_e);





49
  
  





50
  
  
struct acl {





51
  
  
        unsigned                magic;





52
  
  
#define VCC_ACL_MAGIC           0xb9fb3cd0





53
  
  





54
  
  
        int                     flag_log;





55
  
  
        int                     flag_fold;





56
  
  
        int                     flag_pedantic;





57
  
  
        int                     flag_table;





58
  
  





59
  
  
        struct acl_tree         acl_tree;





60
  
  
};





61
  
  





62
  
  
struct acl_e {





63
  
  
        unsigned                magic;





64
  
  
#define VCC_ACL_E_MAGIC 0xcac81e23





65
  
  
        VRBT_ENTRY(acl_e)       branch;





66
  
  
        unsigned char           data[ACL_MAXADDR];





67
  
  
        unsigned                mask;





68
  
  
        unsigned                not;





69
  
  
        unsigned                para;





70
  
  
        unsigned                overlapped;





71
  
  
        char                    *addr;





72
  
  
        const char              *fixed;





73
  
  
        struct token            *t_addr;





74
  
  
        struct token            *t_mask;





75
  
  
};





76
  
  





77
  
  
enum acl_cmp_e {





78
  
  
        ACL_EQ = 0,





79
  
  
        ACL_LT = -1,            // a < b





80
  
  
        ACL_GT = 1,             // b > a





81
  
  
        ACL_CONTAINED = -2,     // b contains a





82
  
  
        ACL_CONTAINS = 2,       // a contains b





83
  
  
        ACL_LEFT = -3,          // a + 1 == b





84
  
  
        ACL_RIGHT = 3           // a == b + 1





85
  
  
};





86
  
  





87
  
  
static void vcc_acl_insert_entry(struct vcc *, struct acl_e **);





88
  
  





89
  
  
/*





90
  
  
 * Compare two acl rules for relation





91
  
  
 */





92
  
  





93
  
  
#define CMP(n, a, b)                                                    \





94
  
  
        do {                                                            \





95
  
  
                if ((a) < (b))                                          \





96
  
  
                        return (enum acl_cmp_e)(-n);                    \





97
  
  
                else if ((b) < (a))                                     \





98
  
  
                        return (n);                                     \





99
  
  
        } while (0)





100
  
  





101
  
  
#define CMPA(a, b)                                                      \





102
  
  
        do {                                                            \





103
  
  
                if (((a) | 1) == (b))                                   \





104
  
  
                        return (ACL_LEFT);                              \





105
  
  
                else if (((b) | 1) == (a))                              \





106
  
  
                        return (ACL_RIGHT);                             \





107
  
  
        } while (0)





108
  
  





109
  
  
static void





110
  234
  
vcl_acl_free(struct acl_e **aep)





111
  
  
{





112
  
  
        struct acl_e *a;





113
  
  





114
  234
  
        TAKE_OBJ_NOTNULL(a, aep, VCC_ACL_E_MAGIC);





115
  234
  
        free(a->addr);





116
  234
  
        FREE_OBJ(a);





117
  234
  
}





118
  
  





119
  
  
static enum acl_cmp_e





120
  21450
  
vcl_acl_cmp(const struct acl_e *ae1, const struct acl_e *ae2)





121
  
  
{





122
  
  
        const unsigned char *p1, *p2;





123
  
  
        unsigned m;





124
  
  
        unsigned char a1, a2;





125
  
  





126
  21450
  
        CHECK_OBJ_NOTNULL(ae1, VCC_ACL_E_MAGIC);





127
  21450
  
        CHECK_OBJ_NOTNULL(ae2, VCC_ACL_E_MAGIC);





128
  
  





129
  21450
  
        p1 = ae1->data;





130
  21450
  
        p2 = ae2->data;





131
  21450
  
        m = vmin_t(unsigned, ae1->mask, ae2->mask);





132
  110838
  
        for (; m >= 8; m -= 8) {





133
  101556
  
                if (m == 8 && ae1->mask == ae2->mask)





134
  2223
  
                        CMPA(*p1, *p2);





135
  190437
  
                CMP(ACL_GT, *p1, *p2);





136
  89388
  
                p1++;





137
  89388
  
                p2++;





138
  89388
  
        }





139
  9282
  
        if (m) {





140
  8892
  
                assert (m < 8);





141
  8892
  
                a1 = *p1 >> (8 - m);





142
  8892
  
                a2 = *p2 >> (8 - m);





143
  8892
  
                if (ae1->mask == ae2->mask)





144
  2769
  
                        CMPA(a1, a2);





145
  12012
  
                CMP(ACL_GT, a1, a2);





146
  4173
  
        } else if (ae1->mask == ae2->mask) {





147
  390
  
                CMPA(*p1, *p2);





148
  195
  
        }





149
  
  
        /* Long mask is less than short mask */





150
  4407
  
        CMP(ACL_CONTAINS, ae2->mask, ae1->mask);





151
  
  





152
  234
  
        return (ACL_EQ);





153
  21450
  
}





154
  
  





155
  
  
static int





156
  4134
  
vcl_acl_disjoint(const struct acl_e *ae1, const struct acl_e *ae2)





157
  
  
{





158
  
  
        const unsigned char *p1, *p2;





159
  
  
        unsigned m;





160
  
  





161
  4134
  
        CHECK_OBJ_NOTNULL(ae1, VCC_ACL_E_MAGIC);





162
  4134
  
        CHECK_OBJ_NOTNULL(ae2, VCC_ACL_E_MAGIC);





163
  
  





164
  4134
  
        p1 = ae1->data;





165
  4134
  
        p2 = ae2->data;





166
  4134
  
        m = vmin_t(unsigned, ae1->mask, ae2->mask);





167
  29874
  
        for (; m >= 8; m -= 8) {





168
  52689
  
                CMP(ACL_GT, *p1, *p2);





169
  25740
  
                p1++;





170
  25740
  
                p2++;





171
  25740
  
        }





172
  2925
  
        if (m) {





173
  2808
  
                m = 0xff00 >> m;





174
  2808
  
                m &= 0xff;





175
  5226
  
                CMP(ACL_GT, *p1 & m, *p2 & m);





176
  2418
  
        }





177
  2535
  
        return (0);





178
  4134
  
}





179
  
  





180
  14157
  
VRBT_GENERATE_INSERT_COLOR(acl_tree, acl_e, branch, static)





181
  7137
  
VRBT_GENERATE_INSERT_FINISH(acl_tree, acl_e, branch, static)





182
  24297
  
VRBT_GENERATE_INSERT(acl_tree, acl_e, branch, vcl_acl_cmp, static)





183
  1755
  
VRBT_GENERATE_REMOVE_COLOR(acl_tree, acl_e, branch, static)





184
  3159
  
VRBT_GENERATE_REMOVE(acl_tree, acl_e, branch, static)





185
  6903
  
VRBT_GENERATE_MINMAX(acl_tree, acl_e, branch, static)





186
  23478
  
VRBT_GENERATE_NEXT(acl_tree, acl_e, branch, static)





187
  18135
  
VRBT_GENERATE_PREV(acl_tree, acl_e, branch, static)





188
  
  





189
  
  
static char *





190
  6864
  
vcc_acl_chk(struct vcc *tl, const struct acl_e *ae, const int l,





191
  
  
    unsigned char *p, int fam)





192
  
  
{





193
  
  
        const unsigned char *u;





194
  
  
        char h[VTCP_ADDRBUFSIZE];





195
  
  
        char t[VTCP_ADDRBUFSIZE + 10];





196
  6864
  
        char s[vsa_suckaddr_len];





197
  6864
  
        char *r = NULL;





198
  
  
        const struct suckaddr *sa;





199
  
  
        unsigned m;





200
  6864
  
        int ll, ret = 0;





201
  
  





202
  6864
  
        u = p;





203
  6864
  
        ll = l;





204
  6864
  
        m = ae->mask;





205
  
  





206
  6864
  
        p += m / 8;





207
  6864
  
        ll -= m / 8;





208
  6864
  
        assert (ll >= 0);





209
  6864
  
        m %= 8;





210
  
  





211
  6864
  
        if (m && ((unsigned)*p << m & 0xff) != 0) {





212
  156
  
                ret = 1;





213
  156
  
                m = 0xff00 >> m;





214
  156
  
                *p &= m;





215
  156
  
        }





216
  6864
  
        if (m) {





217
  3861
  
                p++;





218
  3861
  
                ll--;





219
  3861
  
        }





220
  
  





221
  12870
  
        for ( ; ll > 0; p++, ll--) {





222
  6006
  
                if (*p == 0)





223
  5811
  
                        continue;





224
  195
  
                ret = 1;





225
  195
  
                *p = 0;





226
  195
  
        }





227
  6864
  
        if (ret == 0)





228
  6513
  
                return (NULL);





229
  
  





230
  351
  
        sa = VSA_BuildFAP(s, fam, u, l, NULL, 0);





231
  351
  
        AN(sa);





232
  351
  
        VTCP_name(sa, h, sizeof h, NULL, 0);





233
  351
  
        bprintf(t, "%s/%d", h, ae->mask);





234
  351
  
        if (tl->acl->flag_pedantic != 0) {





235
  78
  
                VSB_cat(tl->sb, "Non-zero bits in masked part, ");





236
  78
  
                VSB_printf(tl->sb, "(maybe use %s ?)\n", t);





237
  78
  
                vcc_ErrWhere(tl, ae->t_addr);





238
  78
  
        }





239
  351
  
        REPLACE(r, t);





240
  351
  
        return (r);





241
  6864
  
}





242
  
  





243
  
  
static void





244
  7956
  
vcl_acl_fold(struct vcc *tl, struct acl_e **l, struct acl_e **r)





245
  
  
{





246
  
  
        enum acl_cmp_e cmp;





247
  
  





248
  7956
  
        AN(l);





249
  7956
  
        AN(r);





250
  7956
  
        CHECK_OBJ_NOTNULL(*l, VCC_ACL_E_MAGIC);





251
  7956
  
        CHECK_OBJ_NOTNULL(*r, VCC_ACL_E_MAGIC);





252
  
  





253
  7956
  
        if ((*l)->not || (*r)->not)





254
  3978
  
                return;





255
  
  





256
  3978
  
        cmp = vcl_acl_cmp(*l, *r);





257
  
  





258
  3978
  
        assert(cmp < 0);





259
  3978
  
        if (cmp == ACL_LT)





260
  2769
  
                return;





261
  
  





262
  1209
  
        do {





263
  1248
  
                switch (cmp) {





264
  
  
                case ACL_CONTAINED:





265
  741
  
                        VSB_cat(tl->sb, "ACL entry:\n");





266
  741
  
                        vcc_ErrWhere(tl, (*r)->t_addr);





267
  741
  
                        VSB_cat(tl->sb, "supersedes / removes:\n");





268
  741
  
                        vcc_ErrWhere(tl, (*l)->t_addr);





269
  741
  
                        vcc_Warn(tl);





270
  741
  
                        VRBT_REMOVE(acl_tree, &tl->acl->acl_tree, *l);





271
  741
  
                        FREE_OBJ(*l);





272
  741
  
                        *l = VRBT_PREV(acl_tree, &tl->acl->acl_tree, *r);





273
  741
  
                        break;





274
  
  
                case ACL_LEFT:





275
  507
  
                        (*l)->mask--;





276
  507
  
                        (*l)->fixed = "folded";





277
  507
  
                        VSB_cat(tl->sb, "ACL entry:\n");





278
  507
  
                        vcc_ErrWhere(tl, (*l)->t_addr);





279
  507
  
                        VSB_cat(tl->sb, "left of:\n");





280
  507
  
                        vcc_ErrWhere(tl, (*r)->t_addr);





281
  1014
  
                        VSB_printf(tl->sb, "removing the latter and expanding "





282
  
  
                            "mask of the former by one to /%u\n",





283
  507
  
                            (*l)->mask - 8);





284
  507
  
                        vcc_Warn(tl);





285
  507
  
                        VRBT_REMOVE(acl_tree, &tl->acl->acl_tree, *r);





286
  507
  
                        FREE_OBJ(*r);





287
  507
  
                        VRBT_REMOVE(acl_tree, &tl->acl->acl_tree, *l);





288
  507
  
                        vcc_acl_insert_entry(tl, l);





289
  507
  
                        return;





290
  
  
                default:





291
  0
  
                        INCOMPL();





292
  0
  
                }





293
  741
  
                if (*l == NULL || *r == NULL || (*l)->not || (*r)->not)





294
  429
  
                        break;





295
  312
  
                cmp = vcl_acl_cmp(*l, *r);





296
  312
  
        } while (cmp != ACL_LT);





297
  7956
  
}





298
  
  





299
  
  
static void





300
  7371
  
vcc_acl_insert_entry(struct vcc *tl, struct acl_e **aenp)





301
  
  
{





302
  
  
        struct acl_e *ae2, *l, *r;





303
  
  





304
  7371
  
        CHECK_OBJ_NOTNULL(*aenp, VCC_ACL_E_MAGIC);





305
  7371
  
        ae2 = VRBT_INSERT(acl_tree, &tl->acl->acl_tree, *aenp);





306
  7371
  
        if (ae2 != NULL) {





307
  234
  
                if (ae2->not != (*aenp)->not) {





308
  39
  
                        VSB_cat(tl->sb, "Conflicting ACL entries:\n");





309
  39
  
                        vcc_ErrWhere(tl, ae2->t_addr);





310
  39
  
                        VSB_cat(tl->sb, "vs:\n");





311
  39
  
                        vcc_ErrWhere(tl, (*aenp)->t_addr);





312
  39
  
                }





313
  234
  
                return;





314
  
  
        }





315
  
  





316
  7137
  
        r = *aenp;





317
  7137
  
        *aenp = NULL;





318
  
  





319
  7137
  
        if (tl->acl->flag_fold == 0)





320
  546
  
                return;





321
  
  





322
  6591
  
        l = VRBT_PREV(acl_tree, &tl->acl->acl_tree, r);





323
  6591
  
        if (l != NULL) {





324
  4836
  
                vcl_acl_fold(tl, &l, &r);





325
  4836
  
        }





326
  6591
  
        if (r == NULL)





327
  312
  
                return;





328
  6279
  
        l = r;





329
  6279
  
        r = VRBT_NEXT(acl_tree, &tl->acl->acl_tree, l);





330
  6279
  
        if (r == NULL)





331
  3159
  
                return;





332
  3120
  
        vcl_acl_fold(tl, &l, &r);





333
  7371
  
}





334
  
  





335
  
  
static void





336
  6942
  
vcc_acl_add_entry(struct vcc *tl, const struct acl_e *ae, int l,





337
  
  
    unsigned char *u, int fam)





338
  
  
{





339
  
  
        struct acl_e *aen;





340
  
  





341
  6942
  
        if (fam == PF_INET && ae->mask > 32) {





342
  78
  
                VSB_printf(tl->sb,





343
  39
  
                    "Too wide mask (/%u) for IPv4 address\n", ae->mask);





344
  39
  
                if (ae->t_mask != NULL)





345
  39
  
                        vcc_ErrWhere(tl, ae->t_mask);





346
  
  
                else





347
  0
  
                        vcc_ErrWhere(tl, ae->t_addr);





348
  39
  
                return;





349
  
  
        }





350
  6903
  
        if (fam == PF_INET6 && ae->mask > 128) {





351
  78
  
                VSB_printf(tl->sb,





352
  39
  
                    "Too wide mask (/%u) for IPv6 address\n", ae->mask);





353
  39
  
                vcc_ErrWhere(tl, ae->t_mask);





354
  39
  
                return;





355
  
  
        }





356
  
  





357
  
  
        /* Make a copy from the template */





358
  6864
  
        ALLOC_OBJ(aen, VCC_ACL_E_MAGIC);





359
  6864
  
        AN(aen);





360
  6864
  
        *aen = *ae;





361
  6864
  
        aen->addr = strdup(ae->addr);





362
  6864
  
        AN(aen->addr);





363
  
  





364
  6864
  
        aen->fixed = vcc_acl_chk(tl, ae, l, u, fam);





365
  
  





366
  
  
        /* We treat family as part of address, it saves code */





367
  6864
  
        assert(fam <= 0xff);





368
  6864
  
        aen->data[0] = fam & 0xff;





369
  6864
  
        aen->mask += 8;





370
  
  





371
  6864
  
        assert(l + 1UL <= sizeof aen->data);





372
  6864
  
        memcpy(aen->data + 1L, u, l);





373
  
  





374
  6864
  
        vcc_acl_insert_entry(tl, &aen);





375
  6864
  
        if (aen != NULL)





376
  234
  
                vcl_acl_free(&aen);





377
  6942
  
}





378
  
  





379
  
  
static void





380
  2223
  
vcc_acl_try_getaddrinfo(struct vcc *tl, struct acl_e *ae)





381
  
  
{





382
  
  
        struct addrinfo *res0, *res, hint;





383
  
  
        struct sockaddr_in *sin4;





384
  
  
        struct sockaddr_in6 *sin6;





385
  
  
        unsigned char *u, i4, i6;





386
  
  
        int error;





387
  
  





388
  2223
  
        CHECK_OBJ_NOTNULL(ae, VCC_ACL_E_MAGIC);





389
  2223
  
        memset(&hint, 0, sizeof hint);





390
  2223
  
        hint.ai_family = PF_UNSPEC;





391
  2223
  
        hint.ai_socktype = SOCK_STREAM;





392
  2223
  
        error = getaddrinfo(ae->addr, "0", &hint, &res0);





393
  2223
  
        if (error) {





394
  156
  
                if (ae->para) {





395
  156
  
                        VSB_printf(tl->sb,





396
  
  
                            "Warning: %s ignored\n  -- %s\n",





397
  78
  
                            ae->addr, gai_strerror(error));





398
  156
  
                        Fh(tl, 1, "/* Ignored ACL entry: %s%s",





399
  78
  
                            ae->para ? "\"(\" " : "", ae->not ? "\"!\" " : "");





400
  78
  
                        EncToken(tl->fh, ae->t_addr);





401
  78
  
                        if (ae->t_mask)





402
  39
  
                                Fh(tl, 0, "/%u", ae->mask);





403
  78
  
                        Fh(tl, 0, "%s\n", ae->para ? " \")\"" : "");





404
  156
  
                        Fh(tl, 1, " * getaddrinfo:  %s */\n",





405
  78
  
                             gai_strerror(error));





406
  78
  
                } else {





407
  156
  
                        VSB_printf(tl->sb,





408
  
  
                            "DNS lookup(%s): %s\n",





409
  78
  
                            ae->addr, gai_strerror(error));





410
  78
  
                        vcc_ErrWhere(tl, ae->t_addr);





411
  
  
                }





412
  156
  
                return;





413
  
  
        }





414
  
  





415
  2067
  
        i4 = i6 = 0;





416
  4212
  
        for (res = res0; res != NULL; res = res->ai_next) {





417
  2145
  
                switch (res->ai_family) {





418
  
  
                case PF_INET:





419
  78
  
                        i4++;





420
  78
  
                        break;





421
  
  
                case PF_INET6:





422
  2067
  
                        i6++;





423
  2067
  
                        break;





424
  
  
                default:





425
  0
  
                        VSB_printf(tl->sb,





426
  
  
                            "Ignoring unknown protocol family (%d) for %.*s\n",





427
  0
  
                                res->ai_family, PF(ae->t_addr));





428
  0
  
                        continue;





429
  
  
                }





430
  2145
  
        }





431
  
  





432
  2067
  
        if (ae->t_mask != NULL && i4 > 0 && i6 > 0) {





433
  0
  
                VSB_printf(tl->sb,





434
  
  
                    "Mask (/%u) specified, but string resolves to"





435
  0
  
                    " both IPv4 and IPv6 addresses.\n", ae->mask);





436
  0
  
                vcc_ErrWhere(tl, ae->t_mask);





437
  0
  
                freeaddrinfo(res0);





438
  0
  
                return;





439
  
  
        }





440
  
  





441
  4134
  
        for (res = res0; res != NULL; res = res->ai_next) {





442
  2145
  
                switch (res->ai_family) {





443
  
  
                case PF_INET:





444
  78
  
                        assert(PF_INET < 256);





445
  78
  
                        sin4 = (void*)res->ai_addr;





446
  78
  
                        assert(sizeof(sin4->sin_addr) == 4);





447
  78
  
                        u = (void*)&sin4->sin_addr;





448
  78
  
                        if (ae->t_mask == NULL)





449
  78
  
                                ae->mask = 32;





450
  78
  
                        vcc_acl_add_entry(tl, ae, 4, u, res->ai_family);





451
  78
  
                        break;





452
  
  
                case PF_INET6:





453
  2067
  
                        assert(PF_INET6 < 256);





454
  2067
  
                        sin6 = (void*)res->ai_addr;





455
  2067
  
                        assert(sizeof(sin6->sin6_addr) == 16);





456
  2067
  
                        u = (void*)&sin6->sin6_addr;





457
  2067
  
                        if (ae->t_mask == NULL)





458
  312
  
                                ae->mask = 128;





459
  2067
  
                        vcc_acl_add_entry(tl, ae, 16, u, res->ai_family);





460
  2067
  
                        break;





461
  
  
                default:





462
  0
  
                        continue;





463
  
  
                }





464
  2145
  
                if (tl->err)





465
  78
  
                        freeaddrinfo(res0);





466
  2145
  
                ERRCHK(tl);





467
  2067
  
        }





468
  1989
  
        freeaddrinfo(res0);





469
  
  





470
  2223
  
}





471
  
  





472
  
  
/*--------------------------------------------------------------------





473
  
  
 * Ancient stupidity on the part of X/Open and other standards orgs





474
  
  
 * dictate that "192.168" be translated to 192.0.0.168.  Ever since





475
  
  
 * CIDR happened, "192.168/16" notation has been used, but apparently





476
  
  
 * no API supports parsing this, so roll our own.





477
  
  
 */





478
  
  





479
  
  
static int





480
  7020
  
vcc_acl_try_netnotation(struct vcc *tl, struct acl_e *ae)





481
  
  
{





482
  
  
        unsigned char b[4];





483
  
  
        int i, j, k;





484
  
  
        unsigned u;





485
  
  
        const char *p;





486
  
  





487
  7020
  
        CHECK_OBJ_NOTNULL(ae, VCC_ACL_E_MAGIC);





488
  7020
  
        memset(b, 0, sizeof b);





489
  7020
  
        p = ae->addr;





490
  20670
  
        for (i = 0; i < 4; i++) {





491
  20670
  
                j = sscanf(p, "%u%n", &u, &k);





492
  20670
  
                if (j != 1)





493
  2028
  
                        return (0);





494
  18642
  
                if (u & ~0xff)





495
  78
  
                        return (0);





496
  18564
  
                b[i] = (unsigned char)u;





497
  18564
  
                if (p[k] == '\0')





498
  4797
  
                        break;





499
  13767
  
                if (p[k] != '.')





500
  117
  
                        return (0);





501
  13650
  
                p += k + 1;





502
  13650
  
        }





503
  4797
  
        if (ae->t_mask == NULL)





504
  1092
  
                ae->mask = 8 + 8 * i;





505
  4797
  
        vcc_acl_add_entry(tl, ae, 4, b, AF_INET);





506
  4797
  
        return (1);





507
  7020
  
}





508
  
  





509
  
  
static void





510
  7176
  
vcc_acl_entry(struct vcc *tl)





511
  
  
{





512
  
  
        struct acl_e ae[1];





513
  
  
        char *sl, *e;





514
  
  





515
  7176
  
        INIT_OBJ(ae, VCC_ACL_E_MAGIC);





516
  
  





517
  7176
  
        if (tl->t->tok == '!') {





518
  1638
  
                ae->not = 1;





519
  1638
  
                vcc_NextToken(tl);





520
  1638
  
        }





521
  
  





522
  7176
  
        if (tl->t->tok == '(') {





523
  117
  
                ae->para = 1;





524
  117
  
                vcc_NextToken(tl);





525
  117
  
        }





526
  
  





527
  7176
  
        if (!ae->not && tl->t->tok == '!') {





528
  39
  
                ae->not = 1;





529
  39
  
                vcc_NextToken(tl);





530
  39
  
        }





531
  
  





532
  7176
  
        ExpectErr(tl, CSTR);





533
  7176
  
        ae->t_addr = tl->t;





534
  7176
  
        ae->addr = ae->t_addr->dec;





535
  7176
  
        vcc_NextToken(tl);





536
  
  





537
  7176
  
        if (strchr(ae->t_addr->dec, '/') != NULL) {





538
  117
  
                sl = strchr(ae->addr, '/');





539
  117
  
                AN(sl);





540
  117
  
                *sl++ = '\0';





541
  117
  
                e = NULL;





542
  117
  
                ae->mask = strtoul(sl, &e, 10);





543
  117
  
                if (*e != '\0') {





544
  78
  
                        VSB_cat(tl->sb, ".../mask is not numeric.\n");





545
  78
  
                        vcc_ErrWhere(tl, ae->t_addr);





546
  78
  
                        return;





547
  
  
                }





548
  39
  
                ae->t_mask = ae->t_addr;





549
  39
  
                if (tl->t->tok == '/') {





550
  39
  
                        VSB_cat(tl->sb, "/mask only allowed once.\n");





551
  39
  
                        vcc_ErrWhere(tl, tl->t);





552
  39
  
                        return;





553
  
  
                }





554
  7059
  
        } else if (tl->t->tok == '/') {





555
  5499
  
                vcc_NextToken(tl);





556
  5499
  
                ae->t_mask = tl->t;





557
  5499
  
                ExpectErr(tl, CNUM);





558
  5499
  
                ae->mask = vcc_UintVal(tl);





559
  5499
  
        }





560
  
  





561
  7059
  
        if (ae->para)





562
  117
  
                SkipToken(tl, ')');





563
  
  





564
  7020
  
        if (!vcc_acl_try_netnotation(tl, ae)) {





565
  2223
  
                ERRCHK(tl);





566
  2223
  
                vcc_acl_try_getaddrinfo(tl, ae);





567
  2223
  
        }





568
  7020
  
        ERRCHK(tl);





569
  7176
  
}





570
  
  





571
  
  
/*********************************************************************





572
  
  
 * Emit the tokens making up an entry as C-strings





573
  
  
 */





574
  
  





575
  
  
static void





576
  2067
  
vcc_acl_emit_tokens(const struct vcc *tl, const struct acl_e *ae)





577
  
  
{





578
  
  
        struct token *t;





579
  2067
  
        const char *sep = "";





580
  
  





581
  2067
  
        CHECK_OBJ_NOTNULL(ae, VCC_ACL_E_MAGIC);





582
  2067
  
        t = ae->t_addr;





583
  2067
  
        do {





584
  6045
  
                if (t->tok == CSTR) {





585
  2067
  
                        Fh(tl, 0, "%s\"\\\"\" ", sep);





586
  2067
  
                        EncToken(tl->fh, t);





587
  2067
  
                        Fh(tl, 0, " \"\\\"\"");





588
  6045
  
                } else if (t == ae->t_mask) {





589
  1989
  
                        Fh(tl, 0, " \"%u\"", ae->mask - 8);





590
  1989
  
                } else {





591
  1989
  
                        Fh(tl, 0, "%s\"%.*s\"", sep, PF(t));





592
  
  
                }





593
  6045
  
                if (t == ae->t_mask)





594
  1989
  
                        break;





595
  4056
  
                t = vcc_PeekTokenFrom(tl, t);





596
  4056
  
                AN(t);





597
  4056
  
                sep = " ";





598
  4056
  
        } while (ae->t_mask != NULL);





599
  2067
  
        if (ae->fixed)





600
  390
  
                Fh(tl, 0, "\" fixed: %s\"", ae->fixed);





601
  2067
  
}





602
  
  





603
  
  
/*********************************************************************





604
  
  
 * Emit ACL on table format





605
  
  
 */





606
  
  





607
  
  
static unsigned





608
  78
  
vcc_acl_emit_tables(const struct vcc *tl, unsigned n, const char *name)





609
  
  
{





610
  
  
        struct acl_e *ae;





611
  78
  
        unsigned rv = sizeof(ae->data) + 3;





612
  78
  
        unsigned nn = 0;





613
  
  
        size_t sz;





614
  
  





615
  156
  
        Fh(tl, 0, "\nstatic unsigned char acl_tbl_%s[%u*%u] = {\n",





616
  78
  
            name, n, rv);





617
  1794
  
        VRBT_FOREACH(ae, acl_tree, &tl->acl->acl_tree) {





618
  1716
  
                if (ae->overlapped)





619
  1404
  
                        continue;





620
  312
  
                Fh(tl, 0, "\t0x%02x,", ae->not ? 0 : 1);





621
  312
  
                Fh(tl, 0, "0x%02x,", (ae->mask >> 3) - 1);





622
  312
  
                Fh(tl, 0, "0x%02x,", (0xff00 >> (ae->mask & 7)) & 0xff);





623
  5616
  
                for (sz = 0; sz < sizeof(ae->data); sz++)





624
  5304
  
                        Fh(tl, 0, "0x%02x,", ae->data[sz]);





625
  312
  
                for (; sz < rv - 3; sz++)





626
  0
  
                        Fh(tl, 0, "0,");





627
  312
  
                Fh(tl, 0, "\n");





628
  312
  
                nn++;





629
  312
  
        }





630
  78
  
        assert(n == nn);





631
  78
  
        Fh(tl, 0, "};\n");





632
  78
  
        if (tl->acl->flag_log) {





633
  78
  
                Fh(tl, 0, "\nstatic const char *acl_str_%s[%d] = {\n",





634
  39
  
                    name, n);





635
  897
  
                VRBT_FOREACH(ae, acl_tree, &tl->acl->acl_tree) {





636
  858
  
                        if (ae->overlapped)





637
  702
  
                                continue;





638
  156
  
                        Fh(tl, 0, "\t");





639
  312
  
                        Fh(tl, 0, "\"%sMATCH %s \" ",





640
  156
  
                            ae->not ? "NEG_" : "", name);





641
  156
  
                        vcc_acl_emit_tokens(tl, ae);





642
  156
  
                        Fh(tl, 0, ",\n");





643
  156
  
                }





644
  39
  
                Fh(tl, 0, "};\n");





645
  39
  
        }





646
  78
  
        return (rv);





647
  
  
}





648
  
  





649
  
  
/*********************************************************************





650
  
  
 * Emit a function to match the ACL we have collected





651
  
  
 */





652
  
  





653
  
  
static void





654
  1131
  
vcc_acl_emit(struct vcc *tl, const struct symbol *sym)





655
  
  
{





656
  
  
        struct acl_e *ae, *ae2;





657
  
  
        int depth, l, m, i;





658
  
  
        unsigned at[ACL_MAXADDR];





659
  1131
  
        struct inifin *ifp = NULL;





660
  
  
        struct vsb *func;





661
  1131
  
        unsigned n, no, nw = 0;





662
  
  





663
  1131
  
        func = VSB_new_auto();





664
  1131
  
        AN(func);





665
  1131
  
        VSB_cat(func, "match_acl_");





666
  1131
  
        VCC_PrintCName(func, sym->name, NULL);





667
  1131
  
        AZ(VSB_finish(func));





668
  
  





669
  1131
  
        depth = -1;





670
  1131
  
        at[0] = 256;





671
  1131
  
        ae2 = NULL;





672
  1131
  
        n = no = 0;





673
  6357
  
        VRBT_FOREACH_REVERSE(ae, acl_tree, &tl->acl->acl_tree) {





674
  5226
  
                n++;





675
  5226
  
                if (ae2 == NULL) {





676
  1092
  
                        ae2 = ae;





677
  5226
  
                } else if (vcl_acl_disjoint(ae, ae2)) {





678
  1599
  
                        ae2 = ae;





679
  1599
  
                } else {





680
  2535
  
                        no++;





681
  2535
  
                        ae->overlapped = 1;





682
  
  
                }





683
  5226
  
        }





684
  
  





685
  1131
  
        Fh(tl, 0, "/* acl_n_%s n %u no %u */\n", sym->name, n, no);





686
  1131
  
        if (n - no < (1<<1))





687
  585
  
                no = n;





688
  546
  
        else if (!tl->acl->flag_table)





689
  468
  
                no = n;





690
  
  





691
  1131
  
        if (no < n)





692
  78
  
                nw = vcc_acl_emit_tables(tl, n - no, sym->name);





693
  
  





694
  
  





695
  1131
  
        Fh(tl, 0, "\nstatic int v_matchproto_(acl_match_f)\n");





696
  1131
  
        Fh(tl, 0, "%s(VRT_CTX, const VCL_IP p)\n", VSB_data(func));





697
  1131
  
        Fh(tl, 0, "{\n");





698
  1131
  
        Fh(tl, 0, "\tconst unsigned char *a;\n");





699
  1131
  
        Fh(tl, 0, "\tint fam;\n");





700
  1131
  
        Fh(tl, 0, "\n");





701
  1131
  
        Fh(tl, 0, "\tfam = VRT_VSA_GetPtr(ctx, p, &a);\n");





702
  1131
  
        Fh(tl, 0, "\tif (fam < 0) {\n");





703
  1131
  
        Fh(tl, 0, "\t\tVRT_fail(ctx,");





704
  1131
  
        Fh(tl, 0, " \"ACL %s: no protocol family\");\n", sym->name);





705
  1131
  
        Fh(tl, 0, "\t\treturn(0);\n");





706
  1131
  
        Fh(tl, 0, "\t}\n\n");





707
  1131
  
        if (!tl->err_unref) {





708
  78
  
                ifp = New_IniFin(tl);





709
  156
  
                VSB_printf(ifp->ini,





710
  78
  
                        "\t(void)%s;\n", VSB_data(func));





711
  78
  
        }





712
  
  





713
  6357
  
        VRBT_FOREACH(ae, acl_tree, &tl->acl->acl_tree) {





714
  
  





715
  5226
  
                if (no < n && !ae->overlapped)





716
  312
  
                        continue;





717
  
  





718
  
  
                /* Find how much common prefix we have */





719
  27729
  
                for (l = 0; l <= depth && l * 8 < (int)ae->mask - 7; l++) {





720
  24726
  
                        assert(l >= 0);





721
  24726
  
                        if (ae->data[l] != at[l])





722
  1911
  
                                break;





723
  22815
  
                }





724
  
  





725
  
  
                /* Back down, if necessary */





726
  11544
  
                while (l <= depth) {





727
  6630
  
                        Fh(tl, 0, "\t%*s}\n", -depth, "");





728
  6630
  
                        depth--;





729
  
  
                }





730
  
  





731
  4914
  
                m = (int)ae->mask;





732
  4914
  
                assert(m >= l*8);





733
  4914
  
                m -= l * 8;





734
  
  





735
  
  
                /* Do whole byte compares */





736
  18252
  
                for (i = l; m >= 8; m -= 8, i++) {





737
  13338
  
                        if (i == 0)





738
  3120
  
                                Fh(tl, 0, "\t%*s%sif (fam == %d) {\n",





739
  1560
  
                                    -i, "", "", ae->data[i]);





740
  
  
                        else





741
  23556
  
                                Fh(tl, 0, "\t%*s%sif (a[%d] == %d) {\n",





742
  11778
  
                                    -i, "", "", i - 1, ae->data[i]);





743
  13338
  
                        at[i] = ae->data[i];





744
  13338
  
                        depth = i;





745
  13338
  
                }





746
  
  





747
  4914
  
                if (m > 0) {





748
  
  
                        // XXX can remove masking due to fixup





749
  
  
                        /* Do fractional byte compares */





750
  5928
  
                        Fh(tl, 0, "\t%*s%sif ((a[%d] & 0x%x) == %d) {\n",





751
  2964
  
                            -i, "", "", i - 1, (0xff00 >> m) & 0xff,





752
  2964
  
                            ae->data[i] & ((0xff00 >> m) & 0xff));





753
  2964
  
                        at[i] = 256;





754
  2964
  
                        depth = i;





755
  2964
  
                }





756
  
  





757
  4914
  
                i = ((int)ae->mask + 7) / 8;





758
  
  





759
  4914
  
                if (tl->acl->flag_log) {





760
  3822
  
                        Fh(tl, 0, "\t%*sVPI_acl_log(ctx, \"%sMATCH %s \" ",





761
  1911
  
                            -i, "", ae->not ? "NEG_" : "", sym->name);





762
  1911
  
                        vcc_acl_emit_tokens(tl, ae);





763
  1911
  
                        Fh(tl, 0, ");\n");





764
  1911
  
                }





765
  
  





766
  4914
  
                Fh(tl, 0, "\t%*sreturn (%d);\n", -i, "", ae->not ? 0 : 1);





767
  4914
  
        }





768
  
  





769
  
  
        /* Unwind */





770
  10803
  
        for (; 0 <= depth; depth--)





771
  9672
  
                Fh(tl, 0, "\t%*.*s}\n", depth, depth, "");





772
  
  





773
  1131
  
        if (no < n) {





774
  78
  
                Fh(tl, 0, "\treturn(\n\t    VPI_acl_table(ctx,\n");





775
  78
  
                Fh(tl, 0, "\t\tp,\n");





776
  78
  
                Fh(tl, 0, "\t\t%u, %u,\n", n - no, nw);





777
  78
  
                Fh(tl, 0, "\t\tacl_tbl_%s,\n", sym->name);





778
  78
  
                if (tl->acl->flag_log)





779
  39
  
                        Fh(tl, 0, "\t\tacl_str_%s,\n", sym->name);





780
  
  
                else





781
  39
  
                        Fh(tl, 0, "\t\tNULL,\n");





782
  78
  
                Fh(tl, 0, "\t\t\"NO MATCH %s\"\n\t    )\n\t);\n", sym->name);





783
  78
  
        } else {





784
  
  
                /* Deny by default */





785
  1053
  
                if (tl->acl->flag_log)





786
  312
  
                        Fh(tl, 0, "\tVPI_acl_log(ctx, \"NO_MATCH %s\");\n",





787
  156
  
                            sym->name);





788
  1053
  
                Fh(tl, 0, "\treturn(0);\n");





789
  
  
        }





790
  1131
  
        Fh(tl, 0, "}\n");





791
  
  





792
  
  
        /* Emit the struct that will be referenced */





793
  1131
  
        Fh(tl, 0, "\nstatic const struct vrt_acl %s[] = {{\n", sym->rname);





794
  1131
  
        Fh(tl, 0, "\t.magic = VRT_ACL_MAGIC,\n");





795
  1131
  
        Fh(tl, 0, "\t.match = &%s,\n", VSB_data(func));





796
  1131
  
        Fh(tl, 0, "\t.name = \"%s\",\n", sym->name);





797
  1131
  
        Fh(tl, 0, "}};\n\n");





798
  1131
  
        if (!tl->err_unref) {





799
  78
  
                AN(ifp);





800
  78
  
                VSB_printf(ifp->ini, "\t(void)%s;", sym->rname);





801
  78
  
        }





802
  1131
  
        VSB_destroy(&func);





803
  1131
  
}





804
  
  





805
  
  
void





806
  1716
  
vcc_ParseAcl(struct vcc *tl)





807
  
  
{





808
  
  
        struct symbol *sym;





809
  
  
        int sign;





810
  
  
        struct acl acl[1];





811
  
  





812
  1716
  
        INIT_OBJ(acl, VCC_ACL_MAGIC);





813
  1716
  
        tl->acl = acl;





814
  1716
  
        acl->flag_pedantic = 1;





815
  1716
  
        acl->flag_fold = 1;





816
  1716
  
        vcc_NextToken(tl);





817
  1716
  
        VRBT_INIT(&acl->acl_tree);





818
  
  





819
  1716
  
        vcc_ExpectVid(tl, "ACL");





820
  1716
  
        ERRCHK(tl);





821
  1677
  
        sym = VCC_HandleSymbol(tl, ACL);





822
  1677
  
        ERRCHK(tl);





823
  1677
  
        AN(sym);





824
  
  





825
  
  
#define FLAGS_MSG "Valid ACL flags are `log`, `fold`, `pedantic` and `table`:\n"





826
  
  





827
  2340
  
        while (1) {





828
  2340
  
                sign = vcc_IsFlag(tl);





829
  2340
  
                if (tl->err) {





830
  39
  
                        VSB_cat(tl->sb, FLAGS_MSG);





831
  39
  
                        return;





832
  
  
                }





833
  2301
  
                if (sign < 0)





834
  1599
  
                        break;





835
  702
  
                if (vcc_IdIs(tl->t, "log")) {





836
  195
  
                        acl->flag_log = sign;





837
  195
  
                        vcc_NextToken(tl);





838
  702
  
                } else if (vcc_IdIs(tl->t, "fold")) {





839
  78
  
                        acl->flag_fold = sign;





840
  78
  
                        vcc_NextToken(tl);





841
  507
  
                } else if (vcc_IdIs(tl->t, "pedantic")) {





842
  312
  
                        acl->flag_pedantic = sign;





843
  312
  
                        vcc_NextToken(tl);





844
  429
  
                } else if (vcc_IdIs(tl->t, "table")) {





845
  78
  
                        acl->flag_table = sign;





846
  78
  
                        vcc_NextToken(tl);





847
  78
  
                } else {





848
  39
  
                        VSB_cat(tl->sb, "Unknown ACL flag. " FLAGS_MSG);





849
  39
  
                        vcc_ErrWhere(tl, tl->t);





850
  39
  
                        return;





851
  
  
                }





852
  
  
        }





853
  
  





854
  
  
#undef FLAGS_MSG





855
  
  





856
  1599
  
        SkipToken(tl, '{');





857
  
  





858
  8307
  
        while (tl->t->tok != '}') {





859
  7176
  
                vcc_acl_entry(tl);





860
  7176
  
                ERRCHK(tl);





861
  6747
  
                SkipToken(tl, ';');





862
  
  
        }





863
  1131
  
        SkipToken(tl, '}');





864
  
  





865
  1131
  
        vcc_acl_emit(tl, sym);





866
  1716
  
}