Codebase list filtergen / HEAD gen.c
HEAD

Tree @HEAD (Download .tar.gz)

gen.c @HEADraw · history · blame 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
/* filter compilation routines
 *
 * Copyright (c) 2002 Matthew Kirkwood
 * Copyright (c) 2003,2004 Jamie Wilkinson <jaq@spacepants.org>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "filter.h"

void applydefaults(struct filterent *e, long flags) {
  if (!e->rtype) {
    if (flags & FF_LOCAL)
      e->rtype = LOCALONLY;
    else if (flags & FF_ROUTE)
      e->rtype = ROUTEDONLY;
  }
}

int checkmatch(const struct filterent *e) {
  int r = 0;
#define MUST(t)                                                                \
  do                                                                           \
    if (!(e->t)) {                                                             \
      fprintf(stderr, "%s missing from filter\n", #t);                         \
      r++;                                                                     \
    }                                                                          \
  while (0)
  if (!e->subgroup)
    MUST(target);
  if (!e->groupname) {
    MUST(direction);
    MUST(iface);
  }
#undef MUST

  if ((e->u.ports.src.minstr || e->u.ports.dst.minstr) &&
      (e->proto.num != IPPROTO_TCP) && (e->proto.num != IPPROTO_UDP)) {
    fprintf(stderr, "can only use ports with tcp or udp\n");
    r++;
  }

  if (e->u.icmp && (e->proto.num != IPPROTO_ICMP)) {
    fprintf(stderr, "icmptype can only be used with icmp\n");
    r++;
  }

  if ((e->rtype == LOCALONLY) && (e->target == MASQ)) {
    fprintf(stderr, "\"local\" and masquerading are incompatible\n");
    r++;
  }

  return r;
}

int __fg_apply(struct filterent *e, const struct filter *f, fg_callback *cb,
               struct fg_misc *misc);

int __fg_applylist(struct filterent *e, const struct filter *f, fg_callback *cb,
                   struct fg_misc *misc) {
  /* This is the interesting one.  The filters are
   * unrolled by now, so there's only one way to
   * follow it */
  int c = 0;
  for (; f; f = f->next) {
    int _c = __fg_apply(e, f, cb, misc);
    if (_c < 0)
      return _c;
    c += _c;
  }
  return c;
}

int __fg_applyone(struct filterent *e, const struct filter *f, fg_callback *cb,
                  struct fg_misc *misc) {
#define _NA(t, f)                                                              \
  if (f) {                                                                     \
    fprintf(stderr, "filter has already defined a %s\n", t);                   \
    return -1;                                                                 \
  }
#define NA(t) _NA(#t, e->t)

#define NC(type, str)                                                          \
  case F_##type:                                                               \
    _NA(str, ESET(e, type));                                                   \
    e->whats_set |= (1 << F_##type);

  switch (f->type) {
    NC(TARGET, "target")
    e->target = f->u.target;
    break;

    NC(SUBGROUP, "subgroup") {
      struct filterent fe;
      int r;

      if (e->subgroup) {
        fprintf(stderr, "cannot compose subgroups\n");
        return -1;
      }
      if (!cb->group) {
        fprintf(
            stderr,
            "backend doesn't support grouping, but hasn't removed groups\n");
        return -1;
      }
      e->target = f->type;
      e->subgroup = f->u.sub.name;

      memset(&fe, 0, sizeof(fe));
      fe.groupname = f->u.sub.name;
      /* direction is special -- we need to save it */
      fe.direction = e->direction;
      cb->group(fe.groupname);
      if ((r = __fg_applylist(&fe, f->u.sub.list, cb, misc)) < 0)
        return r;

      break;
    }

    NC(DIRECTION, "direction and interface")
    NA(iface);
    e->direction = f->u.ifinfo.direction;
    e->iface = f->u.ifinfo.iface;
    break;

  case F_LOG:
    e->whats_set |= (1 << F_LOG);
    e->logmsg = f->u.logmsg;
    break;

#define _DV(tag, str, test, targ, source)                                      \
  case F_##tag:                                                                \
    _NA(str, e->test);                                                         \
    e->targ = f->u.source;                                                     \
    break
#define DV(tag, targ, source) _DV(tag, #targ, targ, targ, source)

    _DV(PROTO, "protocol", proto.name, proto, proto);
    _DV(SOURCE, "source address", srcaddr.addrstr, srcaddr, addrs);
    _DV(DEST, "destination address", dstaddr.addrstr, dstaddr, addrs);
    _DV(SPORT, "source port", u.ports.src.minstr, u.ports.src, ports);
    _DV(DPORT, "destination port", u.ports.src.maxstr, u.ports.dst, ports);
    DV(ICMPTYPE, u.icmp, icmp);
    DV(RTYPE, rtype, rtype);

  case F_ONEWAY:
    e->oneway = 1;
    break;

  case F_SIBLIST:
    return __fg_applylist(e, f->u.sib, cb, misc);

  default:
    fprintf(stderr, "invalid filter type %d\n", f->type);
    return -1;
  }

  if (f->negate)
    e->whats_negated |= (1 << f->type);

  return 0;
}

int __fg_apply(struct filterent *_e, const struct filter *f, fg_callback *cb,
               struct fg_misc *misc) {
  struct filterent e = *_e;

  /* Looks like we're all done */
  if (!f) {
    applydefaults(&e, misc->flags);
    if (checkmatch(&e)) {
      fprintf(stderr, "filter definition incomplete\n");
      return -1;
    }
    return cb->rule(&e, misc);
  }

  return __fg_applyone(&e, f, cb, misc) ? __fg_applyone(&e, f, cb, misc)
                                        : __fg_apply(&e, f->child, cb, misc);
}

int filtergen_cprod(struct filter *filter, fg_callback *cb,
                    struct fg_misc *misc) {
  struct filterent e;
  memset(&e, 0, sizeof(e));
  return __fg_applylist(&e, filter, cb, misc);
}