blob: 0a654b2c28105d001654d0975fb61a94a02b3d66 [file] [log] [blame] [raw]
/*
* Copyright (C) 1993-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id$
*/
#include <ctype.h>
#include "ipf.h"
#include "opts.h"
static frentry_t *fp = NULL;
/* parse()
*
* parse a line read from the input filter rule file
*/
struct frentry *parse(line, linenum)
char *line;
int linenum;
{
static fripf_t fip;
char *cps[31], **cpp, *endptr, *proto = NULL, *s;
struct protoent *p = NULL;
int i, cnt = 1, j;
u_int k;
if (fp == NULL) {
fp = malloc(sizeof(*fp));
if (fp == NULL)
return NULL;
}
while (*line && ISSPACE(*line))
line++;
if (!*line)
return NULL;
bzero((char *)fp, sizeof(*fp));
bzero((char *)&fip, sizeof(fip));
fp->fr_v = use_inet6 ? 6 : 4;
fp->fr_ipf = &fip;
fp->fr_dsize = sizeof(fip);
fp->fr_ip.fi_v = fp->fr_v;
fp->fr_mip.fi_v = 0xf;
fp->fr_type = FR_T_NONE;
fp->fr_loglevel = 0xffff;
fp->fr_isc = (void *)-1;
fp->fr_tag = FR_NOTAG;
/*
* break line up into max of 20 segments
*/
if (opts & OPT_DEBUG)
fprintf(stderr, "parse [%s]\n", line);
for (i = 0, *cps = strtok(line, " \b\t\r\n"); cps[i] && i < 30; cnt++)
cps[++i] = strtok(NULL, " \b\t\r\n");
cps[i] = NULL;
if (cnt < 3) {
fprintf(stderr, "%d: not enough segments in line\n", linenum);
return NULL;
}
cpp = cps;
/*
* The presence of an '@' followed by a number gives the position in
* the current rule list to insert this one.
*/
if (**cpp == '@')
fp->fr_hits = (U_QUAD_T)atoi(*cpp++ + 1) + 1;
/*
* Check the first keyword in the rule and any options that are
* expected to follow it.
*/
if (!strcasecmp("block", *cpp)) {
fp->fr_flags |= FR_BLOCK;
if (!strncasecmp(*(cpp+1), "return-icmp-as-dest", 19) &&
(i = 19))
fp->fr_flags |= FR_FAKEICMP;
else if (!strncasecmp(*(cpp+1), "return-icmp", 11) && (i = 11))
fp->fr_flags |= FR_RETICMP;
if (fp->fr_flags & FR_RETICMP) {
cpp++;
if (strlen(*cpp) == i) {
if (*(cpp + 1) && **(cpp +1) == '(') {
cpp++;
i = 0;
} else
i = -1;
}
/*
* The ICMP code is not required to follow in ()'s
*/
if ((i >= 0) && (*(*cpp + i) == '(')) {
i++;
j = icmpcode(*cpp + i);
if (j == -1) {
fprintf(stderr,
"%d: unrecognised icmp code %s\n",
linenum, *cpp + 20);
return NULL;
}
fp->fr_icode = j;
}
} else if (!strncasecmp(*(cpp+1), "return-rst", 10)) {
fp->fr_flags |= FR_RETRST;
cpp++;
}
} else if (!strcasecmp("count", *cpp)) {
fp->fr_flags |= FR_ACCOUNT;
} else if (!strcasecmp("pass", *cpp)) {
fp->fr_flags |= FR_PASS;
} else if (!strcasecmp("auth", *cpp)) {
fp->fr_flags |= FR_AUTH;
} else if (fp->fr_arg != 0) {
printf("skip %u", fp->fr_arg);
} else if (!strcasecmp("preauth", *cpp)) {
fp->fr_flags |= FR_PREAUTH;
} else if (!strcasecmp("nomatch", *cpp)) {
fp->fr_flags |= FR_NOMATCH;
} else if (!strcasecmp("skip", *cpp)) {
cpp++;
if (ratoui(*cpp, &k, 0, UINT_MAX))
fp->fr_arg = k;
else {
fprintf(stderr, "%d: integer must follow skip\n",
linenum);
return NULL;
}
} else if (!strcasecmp("log", *cpp)) {
fp->fr_flags |= FR_LOG;
if (!strcasecmp(*(cpp+1), "body")) {
fp->fr_flags |= FR_LOGBODY;
cpp++;
}
if (!strcasecmp(*(cpp+1), "first")) {
fp->fr_flags |= FR_LOGFIRST;
cpp++;
}
if (*cpp && !strcasecmp(*(cpp+1), "or-block")) {
fp->fr_flags |= FR_LOGORBLOCK;
cpp++;
}
if (!strcasecmp(*(cpp+1), "level")) {
cpp++;
if (loglevel(cpp, &fp->fr_loglevel, linenum) == -1)
return NULL;
cpp++;
}
} else {
/*
* Doesn't start with one of the action words
*/
fprintf(stderr, "%d: unknown keyword (%s)\n", linenum, *cpp);
return NULL;
}
if (!*++cpp) {
fprintf(stderr, "%d: missing 'in'/'out' keyword\n", linenum);
return NULL;
}
/*
* Get the direction for filtering. Impose restrictions on direction
* if blocking with returning ICMP or an RST has been requested.
*/
if (!strcasecmp("in", *cpp))
fp->fr_flags |= FR_INQUE;
else if (!strcasecmp("out", *cpp)) {
fp->fr_flags |= FR_OUTQUE;
if (fp->fr_flags & FR_RETICMP) {
fprintf(stderr,
"%d: Can only use return-icmp with 'in'\n",
linenum);
return NULL;
} else if (fp->fr_flags & FR_RETRST) {
fprintf(stderr,
"%d: Can only use return-rst with 'in'\n",
linenum);
return NULL;
}
}
if (!*++cpp) {
fprintf(stderr, "%d: missing source specification\n", linenum);
return NULL;
}
if (!strcasecmp("log", *cpp)) {
if (!*++cpp) {
fprintf(stderr, "%d: missing source specification\n",
linenum);
return NULL;
}
if (FR_ISPASS(fp->fr_flags))
fp->fr_flags |= FR_LOGP;
else if (FR_ISBLOCK(fp->fr_flags))
fp->fr_flags |= FR_LOGB;
if (*cpp && !strcasecmp(*cpp, "body")) {
fp->fr_flags |= FR_LOGBODY;
cpp++;
}
if (*cpp && !strcasecmp(*cpp, "first")) {
fp->fr_flags |= FR_LOGFIRST;
cpp++;
}
if (*cpp && !strcasecmp(*cpp, "or-block")) {
if (!FR_ISPASS(fp->fr_flags)) {
fprintf(stderr,
"%d: or-block must be used with pass\n",
linenum);
return NULL;
}
fp->fr_flags |= FR_LOGORBLOCK;
cpp++;
}
if (*cpp && !strcasecmp(*cpp, "level")) {
if (loglevel(cpp, &fp->fr_loglevel, linenum) == -1)
return NULL;
cpp++;
cpp++;
}
}
if (*cpp && !strcasecmp("quick", *cpp)) {
if (fp->fr_arg != 0) {
fprintf(stderr, "%d: cannot use skip with quick\n",
linenum);
return NULL;
}
cpp++;
fp->fr_flags |= FR_QUICK;
}
/*
* Parse rule options that are available if a rule is tied to an
* interface.
*/
*fp->fr_ifname = '\0';
*fp->fr_oifname = '\0';
if (*cpp && !strcasecmp(*cpp, "on")) {
if (!*++cpp) {
fprintf(stderr, "%d: interface name missing\n",
linenum);
return NULL;
}
(void)strncpy(fp->fr_ifname, *cpp, IFNAMSIZ-1);
fp->fr_ifname[IFNAMSIZ-1] = '\0';
cpp++;
if (!*cpp) {
if ((fp->fr_flags & FR_RETMASK) == FR_RETRST) {
fprintf(stderr,
"%d: %s can only be used with TCP\n",
linenum, "return-rst");
return NULL;
}
return fp;
}
if (!strcasecmp(*cpp, "out-via")) {
if (fp->fr_flags & FR_OUTQUE) {
fprintf(stderr,
"out-via must be used with in\n");
return NULL;
}
cpp++;
(void)strncpy(fp->fr_oifname, *cpp, IFNAMSIZ-1);
fp->fr_oifname[IFNAMSIZ-1] = '\0';
cpp++;
} else if (!strcasecmp(*cpp, "in-via")) {
if (fp->fr_flags & FR_INQUE) {
fprintf(stderr,
"in-via must be used with out\n");
return NULL;
}
cpp++;
(void)strncpy(fp->fr_oifname, *cpp, IFNAMSIZ-1);
fp->fr_oifname[IFNAMSIZ-1] = '\0';
cpp++;
}
if (!strcasecmp(*cpp, "dup-to") && *(cpp + 1)) {
cpp++;
if (to_interface(&fp->fr_dif, *cpp, linenum))
return NULL;
cpp++;
}
if (*cpp && !strcasecmp(*cpp, "to") && *(cpp + 1)) {
cpp++;
if (to_interface(&fp->fr_tif, *cpp, linenum))
return NULL;
cpp++;
} else if (*cpp && !strcasecmp(*cpp, "fastroute")) {
if (!(fp->fr_flags & FR_INQUE)) {
fprintf(stderr,
"can only use %s with 'in'\n",
"fastroute");
return NULL;
}
fp->fr_flags |= FR_FASTROUTE;
cpp++;
}
/*
* Set the "other" interface name. Lets you specify both
* inbound and outbound interfaces for state rules. Do not
* prevent both interfaces from being the same.
*/
strcpy(fp->fr_ifnames[3], "*");
if ((*cpp != NULL) && (*(cpp + 1) != NULL) &&
((((fp->fr_flags & FR_INQUE) != 0) &&
(strcasecmp(*cpp, "out-via") == 0)) ||
(((fp->fr_flags & FR_OUTQUE) != 0) &&
(strcasecmp(*cpp, "in-via") == 0)))) {
cpp++;
s = strchr(*cpp, ',');
if (s != NULL) {
*s++ = '\0';
(void)strncpy(fp->fr_ifnames[3], s,
IFNAMSIZ - 1);
fp->fr_ifnames[3][IFNAMSIZ - 1] = '\0';
}
(void)strncpy(fp->fr_ifnames[2], *cpp, IFNAMSIZ - 1);
fp->fr_ifnames[2][IFNAMSIZ - 1] = '\0';
cpp++;
} else
strcpy(fp->fr_ifnames[2], "*");
}
if (*cpp && !strcasecmp(*cpp, "tos")) {
if (!*++cpp) {
fprintf(stderr, "%d: tos missing value\n", linenum);
return NULL;
}
fp->fr_tos = strtol(*cpp, NULL, 0);
fp->fr_mip.fi_tos = 0xff;
cpp++;
}
if (*cpp && !strcasecmp(*cpp, "ttl")) {
if (!*++cpp) {
fprintf(stderr, "%d: ttl missing hopcount value\n",
linenum);
return NULL;
}
if (ratoi(*cpp, &i, 0, 255))
fp->fr_ttl = i;
else {
fprintf(stderr, "%d: invalid ttl (%s)\n",
linenum, *cpp);
return NULL;
}
fp->fr_mip.fi_ttl = 0xff;
cpp++;
}
/*
* check for "proto <protoname>" only decode udp/tcp/icmp as protoname
*/
if (*cpp && !strcasecmp(*cpp, "proto")) {
if (!*++cpp) {
fprintf(stderr, "%d: protocol name missing\n", linenum);
return NULL;
}
fp->fr_type = FR_T_IPF;
proto = *cpp++;
if (!strcasecmp(proto, "tcp/udp")) {
fp->fr_flx |= FI_TCPUDP;
fp->fr_mflx |= FI_TCPUDP;
} else if (use_inet6 && !strcasecmp(proto, "icmp")) {
fprintf(stderr,
"%d: use proto ipv6-icmp with IPv6 (or use proto 1 if you really mean icmp)\n",
linenum);
return NULL;
} else {
fp->fr_proto = getproto(proto);
fp->fr_mip.fi_p = 0xff;
}
}
if ((fp->fr_proto != IPPROTO_TCP) &&
((fp->fr_flags & FR_RETMASK) == FR_RETRST)) {
fprintf(stderr, "%d: %s can only be used with TCP\n",
linenum, "return-rst");
return NULL;
}
/*
* get the from host and bit mask to use against packets
*/
if (!*cpp) {
fprintf(stderr, "%d: missing source specification\n", linenum);
return NULL;
}
if (!strcasecmp(*cpp, "all")) {
cpp++;
if (!*cpp) {
if (fp->fr_type == FR_T_NONE) {
fp->fr_dsize = 0;
fp->fr_data = NULL;
}
return fp;
}
fp->fr_type = FR_T_IPF;
#ifdef IPFILTER_BPF
} else if (!strcmp(*cpp, "{")) {
struct bpf_program bpf;
struct pcap *p;
char **cp;
u_32_t l;
if (fp->fr_type != FR_T_NONE) {
fprintf(stderr,
"%d: cannot mix BPF/ipf matching\n", linenum);
return NULL;
}
fp->fr_type = FR_T_BPFOPC;
cpp++;
if (!strncmp(*cpp, "0x", 2)) {
fp->fr_data = malloc(4);
for (cp = cpp, i = 0; *cp; cp++, i++) {
if (!strcmp(*cp, "}"))
break;
fp->fr_data = realloc(fp->fr_data,
(i + 1) * 4);
l = strtoul(*cp, NULL, 0);
((u_32_t *)fp->fr_data)[i] = l;
}
if (!*cp) {
fprintf(stderr, "Missing closing '}'\n");
return NULL;
}
fp->fr_dsize = i * sizeof(l);
bpf.bf_insns = fp->fr_data;
bpf.bf_len = fp->fr_dsize / sizeof(struct bpf_insn);
} else {
for (cp = cpp; *cp; cp++) {
if (!strcmp(*cp, "}"))
break;
(*cp)[-1] = ' ';
}
if (!*cp) {
fprintf(stderr, "Missing closing '}'\n");
return NULL;
}
bzero((char *)&bpf, sizeof(bpf));
p = pcap_open_dead(DLT_RAW, 1);
if (!p) {
fprintf(stderr, "pcap_open_dead failed\n");
return NULL;
}
if (pcap_compile(p, &bpf, *cpp, 1, 0xffffffff)) {
pcap_perror(p, "ipf");
pcap_close(p);
fprintf(stderr, "pcap parsing failed\n");
return NULL;
}
pcap_close(p);
fp->fr_dsize = bpf.bf_len * sizeof(struct bpf_insn);
fp->fr_data = bpf.bf_insns;
if (!bpf_validate(fp->fr_data, bpf.bf_len)) {
fprintf(stderr, "BPF validation failed\n");
return NULL;
}
if (opts & OPT_DEBUG)
bpf_dump(&bpf, 0);
}
cpp = cp;
(*cpp)++;
#endif
} else {
fp->fr_type = FR_T_IPF;
if (strcasecmp(*cpp, "from")) {
fprintf(stderr, "%d: unexpected keyword (%s) - from\n",
linenum, *cpp);
return NULL;
}
if (!*++cpp) {
fprintf(stderr, "%d: missing host after from\n",
linenum);
return NULL;
}
if (**cpp == '!') {
fp->fr_flags |= FR_NOTSRCIP;
(*cpp)++;
} else if (!strcmp(*cpp, "!")) {
fp->fr_flags |= FR_NOTSRCIP;
cpp++;
}
s = *cpp;
i = hostmask(&cpp, proto, fp->fr_ifname, (u_32_t *)&fp->fr_src,
(u_32_t *)&fp->fr_smsk, linenum);
if (i == -1)
return NULL;
if (*fp->fr_ifname && !strcasecmp(s, fp->fr_ifname))
fp->fr_satype = FRI_DYNAMIC;
if (i == 1) {
if (fp->fr_v == 6) {
fprintf(stderr,
"can only use pools with ipv4\n");
return NULL;
}
fp->fr_satype = FRI_LOOKUP;
}
if (ports(&cpp, proto, &fp->fr_sport, &fp->fr_scmp,
&fp->fr_stop, linenum))
return NULL;
if (!*cpp) {
fprintf(stderr, "%d: missing to fields\n", linenum);
return NULL;
}
/*
* do the same for the to field (destination host)
*/
if (strcasecmp(*cpp, "to")) {
fprintf(stderr, "%d: unexpected keyword (%s) - to\n",
linenum, *cpp);
return NULL;
}
if (!*++cpp) {
fprintf(stderr, "%d: missing host after to\n", linenum);
return NULL;
}
if (**cpp == '!') {
fp->fr_flags |= FR_NOTDSTIP;
(*cpp)++;
} else if (!strcmp(*cpp, "!")) {
fp->fr_flags |= FR_NOTDSTIP;
cpp++;
}
s = *cpp;
i = hostmask(&cpp, proto, fp->fr_ifname, (u_32_t *)&fp->fr_dst,
(u_32_t *)&fp->fr_dmsk, linenum);
if (i == -1)
return NULL;
if (*fp->fr_ifname && !strcasecmp(s, fp->fr_ifname))
fp->fr_datype = FRI_DYNAMIC;
if (i == 1) {
if (fp->fr_v == 6) {
fprintf(stderr,
"can only use pools with ipv4\n");
return NULL;
}
fp->fr_datype = FRI_LOOKUP;
}
if (ports(&cpp, proto, &fp->fr_dport, &fp->fr_dcmp,
&fp->fr_dtop, linenum))
return NULL;
}
if (fp->fr_type == FR_T_IPF) {
/*
* check some sanity, make sure we don't have icmp checks
* with tcp or udp or visa versa.
*/
if (fp->fr_proto && (fp->fr_dcmp || fp->fr_scmp) &&
fp->fr_proto != IPPROTO_TCP &&
fp->fr_proto != IPPROTO_UDP) {
fprintf(stderr,
"%d: port operation on non tcp/udp\n",linenum);
return NULL;
}
if (fp->fr_icmp && fp->fr_proto != IPPROTO_ICMP) {
fprintf(stderr,
"%d: icmp comparisons on wrong protocol\n",
linenum);
return NULL;
}
if (!*cpp)
return fp;
if (*cpp && (fp->fr_type == FR_T_IPF) &&
!strcasecmp(*cpp, "flags")) {
if (!*++cpp) {
fprintf(stderr, "%d: no flags present\n",
linenum);
return NULL;
}
fp->fr_tcpf = tcp_flags(*cpp, &fp->fr_tcpfm, linenum);
cpp++;
}
/*
* extras...
*/
if ((fp->fr_v == 4) && *cpp && (!strcasecmp(*cpp, "with") ||
!strcasecmp(*cpp, "and")))
if (extras(&cpp, fp, linenum))
return NULL;
/*
* icmp types for use with the icmp protocol
*/
if (*cpp && !strcasecmp(*cpp, "icmp-type")) {
if (fp->fr_proto != IPPROTO_ICMP &&
fp->fr_proto != IPPROTO_ICMPV6) {
fprintf(stderr,
"%d: icmp with wrong protocol (%d)\n",
linenum, fp->fr_proto);
return NULL;
}
if (addicmp(&cpp, fp, linenum))
return NULL;
fp->fr_icmp = htons(fp->fr_icmp);
fp->fr_icmpm = htons(fp->fr_icmpm);
}
}
/*
* Keep something...
*/
while (*cpp && !strcasecmp(*cpp, "keep"))
if (addkeep(&cpp, fp, linenum))
return NULL;
/*
* This is here to enforce the old interface binding behaviour.
* That is, "on X" is equivalent to "<dir> on X <!dir>-via -,X"
*/
if (fp->fr_flags & FR_KEEPSTATE) {
if (*fp->fr_ifnames[0] && !*fp->fr_ifnames[3]) {
bcopy(fp->fr_ifnames[0], fp->fr_ifnames[3],
sizeof(fp->fr_ifnames[3]));
strncpy(fp->fr_ifnames[2], "*",
sizeof(fp->fr_ifnames[3]));
}
}
/*
* head of a new group ?
*/
if (*cpp && !strcasecmp(*cpp, "head")) {
if (fp->fr_arg != 0) {
fprintf(stderr, "%d: cannot use skip with head\n",
linenum);
return NULL;
}
if (!*++cpp) {
fprintf(stderr, "%d: head without group #\n", linenum);
return NULL;
}
if (strlen(*cpp) > FR_GROUPLEN) {
fprintf(stderr, "%d: head name too long #\n", linenum);
return NULL;
}
strncpy(fp->fr_grhead, *cpp, FR_GROUPLEN);
cpp++;
}
/*
* reference to an already existing group ?
*/
if (*cpp && !strcasecmp(*cpp, "group")) {
if (!*++cpp) {
fprintf(stderr, "%d: group without group #\n",
linenum);
return NULL;
}
if (strlen(*cpp) > FR_GROUPLEN) {
fprintf(stderr, "%d: group name too long #\n", linenum);
return NULL;
}
strncpy(fp->fr_group, *cpp, FR_GROUPLEN);
cpp++;
}
if (*cpp && !strcasecmp(*cpp, "tag")) {
if (!*++cpp) {
fprintf(stderr, "%d: tag id missing value\n", linenum);
return NULL;
}
fp->fr_tag = strtol(*cpp, NULL, 0);
cpp++;
}
/*
* pps counter
*/
if (*cpp && !strcasecmp(*cpp, "pps")) {
if (!*++cpp) {
fprintf(stderr, "%d: pps without rate\n", linenum);
return NULL;
}
if (ratoui(*cpp, &k, 0, INT_MAX))
fp->fr_pps = k;
else {
fprintf(stderr, "%d: invalid pps rate (%s)\n",
linenum, *cpp);
return NULL;
}
cpp++;
}
/*
* leftovers...yuck
*/
if (*cpp && **cpp) {
fprintf(stderr, "%d: unknown words at end: [", linenum);
for (; *cpp; cpp++)
fprintf(stderr, "%s ", *cpp);
fprintf(stderr, "]\n");
return NULL;
}
/*
* lazy users...
*/
if (fp->fr_type == FR_T_IPF) {
if ((fp->fr_tcpf || fp->fr_tcpfm) &&
(fp->fr_proto != IPPROTO_TCP)) {
fprintf(stderr,
"%d: TCP protocol not specified\n", linenum);
return NULL;
}
if (!(fp->fr_flx & FI_TCPUDP) &&
(fp->fr_proto != IPPROTO_TCP) &&
(fp->fr_proto != IPPROTO_UDP) &&
(fp->fr_dcmp || fp->fr_scmp)) {
if (!fp->fr_proto) {
fp->fr_flx |= FI_TCPUDP;
fp->fr_mflx |= FI_TCPUDP;
} else {
fprintf(stderr,
"%d: port check for non-TCP/UDP\n",
linenum);
return NULL;
}
}
}
if (*fp->fr_oifname && strcmp(fp->fr_oifname, "*") &&
!(fp->fr_flags & FR_KEEPSTATE)) {
fprintf(stderr, "%d: *-via <if> must be used %s\n",
linenum, "with keep-state");
return NULL;
}
return fp;
}