source-git / iptables

Clone
Source Code
GIT

Files

  1.   dd8e2bd7014ff0d97d7851c2ac646f58a69c1677
  2.   bootstrap_ver
  3.   iptables
  4.   xtables-config-parser.y
Blob Blame History Raw 
%{
/*
 * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This software has been sponsored by Sophos Astaro <http://www.sophos.com>
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>
#include <stdarg.h>
#include <libiptc/linux_list.h>
#include <libnftnl/table.h>
#include <libnftnl/chain.h>

#include <netinet/in.h>
#include <linux/netfilter.h>

extern char *yytext;
extern int yylineno;

static LIST_HEAD(xtables_stack);

struct stack_elem {
	struct list_head	head;
	int			token;
	size_t			size;
	char			data[];
};

static void *stack_push(int token, size_t size)
{
	struct stack_elem *e;

	e = calloc(1, sizeof(struct stack_elem) + size);

	e->token = token;
	e->size = size;

	list_add(&e->head, &xtables_stack);

	return e->data;
}

static struct stack_elem *stack_pop(void)
{
	struct stack_elem *e;

	e = list_entry(xtables_stack.next, struct stack_elem, head);

	if (&e->head == &xtables_stack)
		return NULL;

	list_del(&e->head);
	return e;
}

static inline void stack_put_i32(void *data, int value)
{
	memcpy(data, &value, sizeof(int));
}

static inline void stack_put_str(void *data, const char *str)
{
	memcpy(data, str, strlen(str));
}

static void stack_free(struct stack_elem *e)
{
	free(e);
}

%}

%union {
	int	val;
	char	*string;
}

%token T_FAMILY
%token T_TABLE
%token T_CHAIN
%token T_HOOK
%token T_PRIO

%token <string> T_STRING
%token <val>	T_INTEGER

%%

configfile	:
		| lines
		;

lines		: line
		| lines line
		;

line		: family
		;

family		: T_FAMILY T_STRING '{' tables '}'
		{
			void *data = stack_push(T_FAMILY, strlen($2)+1);
			stack_put_str(data, $2);
		}
		;

tables		: table
		| tables table
		;

table		: T_TABLE T_STRING '{' chains '}'
		{
			/* added in reverse order to pop it in order */
			void *data = stack_push(T_TABLE, strlen($2)+1);
			stack_put_str(data, $2);
		}
		;

chains		: chain
		| chains chain
		;

chain		: T_CHAIN T_STRING T_HOOK T_STRING T_PRIO T_INTEGER
		{
			/* added in reverse order to pop it in order */
			void *data = stack_push(T_PRIO, sizeof(int32_t));
			stack_put_i32(data, $6);
			data = stack_push(T_HOOK, strlen($4)+1);
			stack_put_str(data, $4);
			data = stack_push(T_CHAIN, strlen($2)+1);
			stack_put_str(data, $2);
		}
		;

%%

int __attribute__((noreturn))
yyerror(char *msg)
{
	fprintf(stderr, "parsing config file in line (%d), symbol '%s': %s\n",
			 yylineno, yytext, msg);
	exit(EXIT_FAILURE);
}

static int hooknametonum(const char *hookname)
{
	if (strcmp(hookname, "NF_INET_LOCAL_IN") == 0)
		return NF_INET_LOCAL_IN;
	else if (strcmp(hookname, "NF_INET_FORWARD") == 0)
		return NF_INET_FORWARD;
	else if (strcmp(hookname, "NF_INET_LOCAL_OUT") == 0)
		return NF_INET_LOCAL_OUT;
	else if (strcmp(hookname, "NF_INET_PRE_ROUTING") == 0)
		return NF_INET_PRE_ROUTING;
	else if (strcmp(hookname, "NF_INET_POST_ROUTING") == 0)
		return NF_INET_POST_ROUTING;

	return -1;
}

static int32_t familytonumber(const char *family)
{
	if (strcmp(family, "ipv4") == 0)
		return AF_INET;
	else if (strcmp(family, "ipv6") == 0)
		return AF_INET6;

	return -1;
}

int xtables_config_parse(char *filename, struct nftnl_table_list *table_list,
			 struct nftnl_chain_list *chain_list)
{
	FILE *fp;
	struct stack_elem *e;
	struct nftnl_table *table = NULL;
	struct nftnl_chain *chain = NULL;
	int prio = 0;
	int32_t family = 0;

	fp = fopen(filename, "r");
	if (!fp)
		return -1;

	yyrestart(fp);
	yyparse();
	fclose(fp);

	for (e = stack_pop(); e != NULL; e = stack_pop()) {
		switch(e->token) {
		case T_FAMILY:
			family = familytonumber(e->data);
			if (family == -1)
				return -1;
			break;
		case T_TABLE:
			table = nftnl_table_alloc();
			if (table == NULL)
				return -1;

			nftnl_table_set_u32(table, NFTNL_TABLE_FAMILY, family);
			nftnl_table_set(table, NFTNL_TABLE_NAME, e->data);
			/* This is intentionally prepending, instead of
			 * appending, since the elements in the stack are in
			 * the reverse order that chains appear in the
			 * configuration file.
			 */
			nftnl_table_list_add(table, table_list);
			break;
		case T_PRIO:
			memcpy(&prio, e->data, sizeof(int32_t));
			break;
		case T_CHAIN:
			chain = nftnl_chain_alloc();
			if (chain == NULL)
				return -1;

			nftnl_chain_set(chain, NFTNL_CHAIN_TABLE,
				(char *)nftnl_table_get(table, NFTNL_TABLE_NAME));
			nftnl_chain_set_u32(chain, NFTNL_CHAIN_FAMILY,
				nftnl_table_get_u32(table, NFTNL_TABLE_FAMILY));
			nftnl_chain_set_s32(chain, NFTNL_CHAIN_PRIO, prio);
			nftnl_chain_set(chain, NFTNL_CHAIN_NAME, e->data);
			/* Intentionally prepending, instead of appending */
			nftnl_chain_list_add(chain, chain_list);
			break;
		case T_HOOK:
			nftnl_chain_set_u32(chain, NFTNL_CHAIN_HOOKNUM,
						hooknametonum(e->data));
			break;
		default:
			printf("unknown token type %d\n", e->token);
			break;
		}
		stack_free(e);
	}

	return 0;
}

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation