author | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-04-27 15:04:07 +0200 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-05-02 18:31:13 +0200 |
commit | c179ee88d91a84fc75dc4602cca500e8fa72ed66 (patch) | |
tree | b6b149622e02c81265a673145d6b9a260776f799 /src/config-parser.y |
initial commit
This patch bootstraps the new nft-sync software. Basically, this
software aims to support two different setups:
1) Rule-set repository server. The software serves the nft rule-set to
clients that request the ruleset.
Basically from the system that acts as repository, you have to run:
# nft-sync -c ../contrib/nft-sync.conf.server
Then, from the client:
# nft-sync -c ../contrib/nft-sync.conf.client --fetch
Which displays the nft rule-set in the standard output, so you
can inspect the nft rule-set.
Alternatively, the client can also retrieve and apply the nft
rule-set using the pull command instead:
# nft-sync -c ../contrib/nft-sync.conf.client --pull
[ Note that this command above does not work in this bootstrap yet ]
2) Rule-set synchronization: In case of primary-backup and multiprimary
firewall configurations, the software makes sure that the firewall
cluster is deploying the same filtering policy. In this case, you have
to launch the process:
# nft-sync -c ../contrib/nft-sync.conf --sync
[ Note that this command above does not work in this bootstrap yet ]
This bootstrap provides the basic infrastructure as a proof-of-concept.
Many of the necessary features are still lacking:
* Implement --sync and --pull commands.
* Interaction with nft through libnftnl, which allows the software to
retrieve the local nft rule-set, as well as to parse it and apply it.
* SSL support, specifically the repository mode needs it to make sure
nobody can steal your filtering policy from the network.
* IPv6 support.
* Allow to serve different rule-sets in the repository mode.
And many others that will be added progressively.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/config-parser.y')
-rw-r--r-- | src/config-parser.y | 143 |
1 files changed, 143 insertions, 0 deletions
diff --git a/src/config-parser.y b/src/config-parser.y
new file mode 100644
index 0000000..41c37b9
--- /dev/null
+++ b/src/config-parser.y 
@@ -0,0 +1,143 @@
+%{
+/*
+ * (C) 2014 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <errno.h>
+#include <stdarg.h>
+#include <netinet/in.h>
+
+#include "config.h"
+#include "logging.h"
+
+extern char *yytext;
+extern int yylineno;
+
+static int parse_addr(const char *text, struct in_addr *addr,
+ uint16_t *port)
+{
+ char *colon = strchr(text, ':');
+
+ if (colon == NULL) {
+ fprintf(stderr, "missing `:' to indicate port\n");
+ return -1;
+ }
+ *colon = '\0';
+
+ if (inet_pton(AF_INET, text, addr) < 0) {
+ fprintf(stderr, "%s not valid IPv4 address\n", text);
+ return -1;
+ }
+ *port = atoi(colon + 1);
+
+ return 0;
+}
+
+%}
+
+%union {
+ int val;
+ char *string;
+}
+
+%token T_LOCAL_ADDR
+%token T_REMOTE_ADDR
+%token T_ADDR
+%token T_NUMBER
+%token T_LOG
+%token T_MODE
+
+%token <string> T_STRING
+%token <val> T_INTEGER
+
+%%
+
+configfile :
+ | sections
+ ;
+
+sections : section
+ | sections section
+ ;
+
+section : network
+ | log
+ ;
+
+network : local_addr
+ | remote_addr
+ ;
+
+local_addr : T_LOCAL_ADDR T_STRING
+ {
+ nfts_inst.tcp.ipproto = AF_INET;
+ if (parse_addr($2,
+ &nfts_inst.tcp.server.ipv4.inet_addr,
+ &nfts_inst.tcp.port) < 0)
+ break;
+
+ nfts_inst.mode = NFTS_MODE_SERVER;
+ }
+ ;
+
+remote_addr : T_REMOTE_ADDR T_STRING
+ {
+ nfts_inst.tcp.ipproto = AF_INET;
+ if (parse_addr($2, &nfts_inst.tcp.client.inet_addr,
+ &nfts_inst.tcp.port) < 0)
+ break;
+
+ nfts_inst.mode = NFTS_MODE_CLIENT;
+ }
+ ;
+
+log : T_LOG T_STRING
+ {
+ if (strcmp($2, "syslog") == 0) {
+ nfts_inst.log.type = NFTS_LOG_T_SYSLOG;
+ } else if (strcmp($2, "stdout") == 0) {
+ nfts_inst.log.type = NFTS_LOG_T_FILE;
+ nfts_inst.log.color = true;
+ } else {
+ nfts_inst.log.type = NFTS_LOG_T_FILE;
+ strncpy(nfts_inst.log.filename, $2, PATH_MAX);
+ nfts_inst.log.filename[PATH_MAX - 1] = '\0';
+ }
+ }
+ ;
+
+%%
+
+int __attribute__((noreturn)) yyerror(char *msg)
+{
+ fprintf(stderr, "parsing config file in line (%d), symbol '%s': %s\n",
+ yylineno, yytext, msg);
+ exit(EXIT_FAILURE);
+}
+
+int nft_sync_config_parse(const char *filename)
+{
+ FILE *fp;
+
+ fp = fopen(filename, "r");
+ if (!fp) {
+ fprintf(stderr, "Cannot open configuration file %s\n",
+ filename);
+ return -1;
+ }
+
+ yyrestart(fp);
+ yyparse();
+ fclose(fp);
+
+ return 0;
+} |
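Review bot: `parse_addr` accepts malformed addresses, because `inet_pton()` returns 0 (not a negative value) for text that is not a valid IPv4 address — the `< 0` test only catches an unsupported family, so on bad input `*addr` is left unset and the function still returns 0; the port half has the same gap, since `atoi()` silently yields 0 for non-numeric text and values above 65535 are truncated when stored into the `uint16_t`. The check should read `if (inet_pton(AF_INET, text, addr) != 1)` and the port should go through `strtoul` with a range check, as sketched below; note also that `inet_pton()` is declared in `<arpa/inet.h>`, which the include list lacks, and that `*colon = '\0'` writes through the `const char *text` argument. Separately, the `break` in the `local_addr`/`remote_addr` actions appears only to leave the generated action switch, so a failed `parse_addr` prints a message while `nft_sync_config_parse` still returns 0 with `nfts_inst.mode` unset; `YYABORT` there would surface the error to the caller.
```c
	if (inet_pton(AF_INET, text, addr) != 1) {
		fprintf(stderr, "%s not valid IPv4 address\n", text);
		return -1;
	}
	/* port: reject non-numeric text, trailing garbage and out-of-range values */
	errno = 0;
	char *end;
	unsigned long p = strtoul(colon + 1, &end, 10);
	if (end == colon + 1 || *end != '\0' || errno == ERANGE || p > UINT16_MAX) {
		fprintf(stderr, "%s not a valid port\n", colon + 1);
		return -1;
	}
	*port = (uint16_t)p;
	/* … unchanged: return 0 … */
```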