From 40c3686041b475727da409e14461bd6242eeac50 Mon Sep 17 00:00:00 2001 From: John Johansen Date: Fri, 16 Nov 2007 09:34:01 +0000 Subject: [PATCH] remove old netdomain syntax --- parser/immunix.h | 12 - parser/parser.h | 17 - parser/parser_interface.c | 49 --- parser/parser_lex.l | 70 ---- parser/parser_merge.c | 16 - parser/parser_misc.c | 142 -------- parser/parser_policy.c | 16 - parser/parser_yacc.y | 312 ------------------ .../{tcp_server_ok1.sd => netdomain_bad_1.sd} | 4 +- .../{tcp_server_ok2.sd => netdomain_bad_2.sd} | 4 +- .../{tcp_server_ok3.sd => netdomain_bad_3.sd} | 3 +- .../{tcp_server_ok4.sd => netdomain_bad_4.sd} | 4 +- .../{tcp_client_ok1.sd => netdomain_bad_5.sd} | 4 +- .../{tcp_client_ok2.sd => netdomain_bad_6.sd} | 4 +- .../{tcp_client_ok3.sd => netdomain_bad_7.sd} | 3 +- .../{tcp_client_ok4.sd => netdomain_bad_8.sd} | 4 +- .../{tcp_client_ok5.sd => netdomain_bad_9.sd} | 4 +- 17 files changed, 18 insertions(+), 650 deletions(-) rename parser/tst/simple_tests/{tcp_server_ok1.sd => netdomain_bad_1.sd} (75%) rename parser/tst/simple_tests/{tcp_server_ok2.sd => netdomain_bad_2.sd} (76%) rename parser/tst/simple_tests/{tcp_server_ok3.sd => netdomain_bad_3.sd} (75%) rename parser/tst/simple_tests/{tcp_server_ok4.sd => netdomain_bad_4.sd} (79%) rename parser/tst/simple_tests/{tcp_client_ok1.sd => netdomain_bad_5.sd} (75%) rename parser/tst/simple_tests/{tcp_client_ok2.sd => netdomain_bad_6.sd} (76%) rename parser/tst/simple_tests/{tcp_client_ok3.sd => netdomain_bad_7.sd} (75%) rename parser/tst/simple_tests/{tcp_client_ok4.sd => netdomain_bad_8.sd} (91%) rename parser/tst/simple_tests/{tcp_client_ok5.sd => netdomain_bad_9.sd} (79%) diff --git a/parser/immunix.h b/parser/immunix.h index 55ece2d37..157a4f492 100644 --- a/parser/immunix.h +++ b/parser/immunix.h 
@@ -52,18 +52,6 @@ #define AA_EXEC_PROFILE_OR_INHERIT (AA_EXEC_MOD_0 | AA_EXEC_MOD_1) -/* Network subdomain extensions. */ -#define AA_TCP_CONNECT (1 << 16) -#define AA_TCP_ACCEPT (1 << 17) -#define AA_TCP_CONNECTED (1 << 18) -#define AA_TCP_ACCEPTED (1 << 19) -#define AA_UDP_SEND (1 << 20) -#define AA_UDP_RECEIVE (1 << 21) - -/* logging only */ -#define AA_LOGTCP_SEND (1 << 22) -#define AA_LOGTCP_RECEIVE (1 << 23) - #define AA_HAT_SIZE 975 /* Maximum size of a subdomain * ident (hat) */ #define AA_IP_TCP 0x0001 diff --git a/parser/parser.h b/parser/parser.h index d6ce61eb9..5593accc9 100644 --- a/parser/parser.h +++ b/parser/parser.h @@ -49,15 +49,6 @@ struct cod_entry { struct cod_entry *next; }; -struct cod_net_entry { - struct in_addr *saddr, *smask; - struct in_addr *daddr, *dmask; - unsigned short src_port[2], dst_port[2]; - char *iface; - int mode; - struct cod_net_entry *next; -}; - /* supported AF protocols */ struct aa_network_entry { unsigned int family; @@ -82,7 +73,6 @@ struct codomain { * indexed by AF_FAMILY */ struct cod_entry *entries; - struct cod_net_entry * net_entries; void *hat_table; //struct codomain *next; @@ -94,7 +84,6 @@ struct codomain { struct cod_global_entry { struct cod_entry *entry; - struct cod_net_entry *net_entry; struct codomain *hats ; unsigned int capabilities; }; @@ -206,9 +195,6 @@ extern int name_to_capability(const char *keyword); extern char *process_var(const char *var); extern int parse_mode(const char *mode); extern struct cod_entry *new_entry(char *namespace, char *id, int mode); -extern struct cod_net_entry *new_network_entry(int action, - struct ipv4_endpoints *addrs, - char *interface); extern struct aa_network_entry *new_network_ent(unsigned int family, unsigned int type, unsigned int protocol); 
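Review bot: Deleting the AA_TCP_xxx, AA_UDP_xxx and AA_LOGTCP_xxx definitions frees bits 16–23 of what appears to be the same mode word the AA_EXEC_* flags above them live in, and the hunk leaves no trace that those bits once carried network permissions handed to the kernel. If a later flag is assigned one of these bit positions, a kernel that still decodes the old netdomain encoding could read it as a TCP/UDP permission, so I would leave a placeholder where the block was: `/* bits 16-23: formerly the netdomain AA_TCP_xxx/AA_UDP_xxx/AA_LOGTCP_xxx permissions; keep reserved while kernels that interpret them are supported */`. Whether any supported kernel still interprets these bits is not visible from this patch, so treat that as a question for the kernel side rather than a confirmed problem.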
@@ -221,8 +207,6 @@ extern void debug_cod_list(struct codomain *list); extern int str_to_boolean(const char* str); extern struct cod_entry *copy_cod_entry(struct cod_entry *cod); extern void free_cod_entries(struct cod_entry *list); -extern void free_net_entries(struct cod_net_entry *list); -extern void free_ipv4_endpoints(struct ipv4_endpoints *addrs); /* parser_symtab.c */ extern int add_boolean_var(const char *var, int boolean); @@ -247,7 +231,6 @@ extern int sd_serialize_profile(sd_serialize *p, struct codomain *cod, extern void add_to_list(struct codomain *codomain); extern void add_hat_to_policy(struct codomain *policy, struct codomain *hat); extern void add_entry_to_policy(struct codomain *policy, struct cod_entry *entry); -extern void add_netrule_to_policy(struct codomain *policy, struct cod_net_entry *net_entry); extern int post_process_policy(void); extern int process_hat_regex(struct codomain *cod); extern int process_hat_variables(struct codomain *cod); diff --git a/parser/parser_interface.c b/parser/parser_interface.c index 9ffafc84e..939ff20cc 100644 --- a/parser/parser_interface.c +++ b/parser/parser_interface.c 
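Review bot: The `free_ipv4_endpoints(struct ipv4_endpoints *addrs)` prototype is removed here, but no hunk in this patch deletes the `struct ipv4_endpoints` / `struct ipv4_desc` definitions or the `MIN_PORT` / `MAX_PORT` constants that the removed grammar actions and `new_network_entry` consumed. If those live in parser.h or immunix.h they are now dead declarations that still advertise IPv4 endpoint handling the parser no longer performs; either remove them in this change or mark them `/* unused since the netdomain syntax was removed; do not build on these */` so nobody re-grows the feature from the leftovers. I cannot see where they are defined from this diff, so this may already be handled outside the shown hunks.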
@@ -430,42 +430,6 @@ inline int sd_write_listend(sd_serialize *p) return 1; } -int -sd_serialize_net_entry(sd_serialize *p, struct cod_net_entry *net_entry) -{ - - if (!sd_write_struct(p, "ne")) - return 0; - if (!sd_write32(p, net_entry->mode)) - return 0; - - if (!sd_write32(p, net_entry->saddr->s_addr)) - return 0; - if (!sd_write32(p, net_entry->smask->s_addr)) - return 0; - if (!sd_write16(p, net_entry->src_port[0])) - return 0; - if (!sd_write16(p, net_entry->src_port[1])) - return 0; - if (!sd_write32(p, net_entry->daddr->s_addr)) - return 0; - if (!sd_write32(p, net_entry->dmask->s_addr)) - return 0; - if (!sd_write16(p, net_entry->dst_port[0])) - return 0; - if (!sd_write16(p, net_entry->dst_port[1])) - return 0; - - if (net_entry->iface) - if (!sd_write_string(p, net_entry->iface, NULL)) - return 0; - - if (!sd_write_structend(p)) - return 0; - - return 1; -} - int sd_serialize_pattern(sd_serialize *p, pcre *pat) { if (!sd_write_struct(p, "pcre")) @@ -565,7 +529,6 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile, int flattened) { struct cod_entry *entry; - struct cod_net_entry *net_entry; if (!sd_write_struct(p, "profile")) return 0; @@ -660,18 +623,6 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile, } } - if (profile->net_entries && (regex_type != AARE_DFA)) { - if (!sd_write_list(p, "net")) - return 0; - list_for_each(profile->net_entries, net_entry) { - if (!sd_serialize_net_entry(p, net_entry)) - return 0; - } - if (!sd_write_listend(p)) - return 0; - - } - if (profile->hat_table && regex_type != AARE_DFA) { if (!sd_write_list(p, "hats")) return 0; diff --git a/parser/parser_lex.l b/parser/parser_lex.l index c29ddc8b5..05b77a37c 100644 --- a/parser/parser_lex.l +++ b/parser/parser_lex.l 
@@ -73,8 +73,6 @@ BOOL_VARIABLE $(\{{VARIABLE_NAME}\}|{VARIABLE_NAME}) PATHNAME (\/|{SET_VARIABLE}{POST_VAR_ID}){ID}* QPATHNAME \"(\/|{SET_VAR_PREFIX})([^\0"]|\\\")*\" -IFACE [[:alnum:]:]+ - FLAGOPEN_PAREN \( FLAGCLOSE_PAREN \) FLAGSEP \, @@ -82,8 +80,6 @@ EQUALS = ADD_ASSIGN \+= %x SUB_NAME -%x IP_MODE -%x IF_MODE %x NETWORK_MODE %x FLAGS_MODE %x ASSIGN_MODE @@ -124,61 +120,6 @@ ADD_ASSIGN \+= } } -{ - {COLON} { - PDEBUG("(ip_mode) Found a colon\n"); - return TOK_COLON; - } - {NUMBER} { - yylval = (YYSTYPE) strtoul(yytext, NULL, 10); - PDEBUG("(ip_mode) Found a number %d\n", yylval); - return TOK_NUM; - } - {IP} { - yylval = (YYSTYPE) strdup(yytext); - PDEBUG("Found ip %s\n", yylval); - return TOK_IP; - } - {SLASH} { - PDEBUG("(ip_mode) Found a slash\n"); - return TOK_SLASH; - } - {RANGE} { - PDEBUG("(ip_mode) Found a slash\n"); - return TOK_RANGE; - } - {WS} { - /* Ignoring whitespace */ - PDEBUG("Ending ip mode\n"); - BEGIN(INITIAL); - } - {END_OF_RULE} { /* Ugh, need this so we don't require a space - before the EoL marker */ - BEGIN(INITIAL); - return TOK_END_OF_RULE; - } - [^\n] { - /* Something we didn't expect */ - yylval = (YYSTYPE) strdup(yytext); - yyerror(_("(ip_mode) Found unexpected character: '%s'"), yylval); - } -} - -{ - {WS}+ { /* Eat whitespace preceding interface */ } - - {IFACE} { - yylval = (YYSTYPE) strdup(yytext); - PDEBUG("Found interface: %s\n", yylval); - BEGIN(INITIAL); - return TOK_IFACE; - } - [^\n] { - /* Something we didn't expect */ - yyerror(_("Unexpected character in interface name: '%s'"), yytext); - } -} - { {FLAGOPEN_PAREN} { PDEBUG("FLag (\n"); @@ -302,14 +243,6 @@ ADD_ASSIGN \+= return TOK_CLOSE; } - -{IP} { - yylval = (YYSTYPE) strdup(yytext); - PDEBUG("Found ip %s\n", yylval); - BEGIN(IP_MODE); - return TOK_IP; - } - {PATHNAME} { yylval = (YYSTYPE) processunquoted(yytext, yyleng); PDEBUG("Found id: \"%s\"\n", yylval); 
@@ -355,9 +288,6 @@ ADD_ASSIGN \+= PDEBUG("Found id: \"%s\"\n", yylval); return TOK_ID; break; - case TOK_VIA: - BEGIN(IF_MODE); /* look for an interface name next */ - break; case TOK_FLAGS: BEGIN(FLAGS_MODE); break; diff --git a/parser/parser_merge.c b/parser/parser_merge.c index 835043b6b..f167fa96c 100644 --- a/parser/parser_merge.c +++ b/parser/parser_merge.c @@ -29,15 +29,6 @@ #include "parser.h" -static inline int count_net_entries(struct codomain *cod) -{ - struct cod_net_entry *list; - int count = 0; - for (list = cod->net_entries; list; list = list->next) - count++; - return count; -} - static int file_comp(const void *c1, const void *c2) { struct cod_entry **e1, **e2; @@ -127,17 +118,10 @@ static int process_file_entries(struct codomain *cod) return 1; } -static int process_net_entries(struct codomain __unused *cod) -{ - return 1; -} - int codomain_merge_rules(struct codomain *cod) { if (!process_file_entries(cod)) goto fail; - if (!process_net_entries(cod)) - goto fail; /* XXX return error from this */ merge_hat_rules(cod); diff --git a/parser/parser_misc.c b/parser/parser_misc.c index fac454a82..587ac89c3 100644 --- a/parser/parser_misc.c +++ b/parser/parser_misc.c @@ -51,15 +51,6 @@ static struct keyword_table keyword_table[] = { /* flags */ {"flags", TOK_FLAGS}, /* network */ - {"via", TOK_VIA}, - {"tcp_connect", TOK_TCP_CONN}, - {"tcp_accept", TOK_TCP_ACPT}, - {"tcp_connected", TOK_TCP_CONN_ESTB}, - {"tcp_accepted", TOK_TCP_ACPT_ESTB}, - {"udp_send", TOK_UDP_SEND}, - {"udp_receive", TOK_UDP_RECV}, - {"to", TOK_TO}, - {"from", TOK_FROM}, {"network", TOK_NETWORK}, /* misc keywords */ {"capability", TOK_CAPABILITY}, 
@@ -564,58 +555,6 @@ reeval: return mode; } -struct cod_net_entry *new_network_entry(int action, - struct ipv4_endpoints *addrs, - char *interface) -{ - struct cod_net_entry *entry = NULL; - - entry = (struct cod_net_entry *) - malloc(sizeof(struct cod_net_entry)); - entry->saddr = (struct in_addr *)malloc(sizeof(struct in_addr)); - entry->smask = (struct in_addr *)malloc(sizeof(struct in_addr)); - entry->daddr = (struct in_addr *)malloc(sizeof(struct in_addr)); - entry->dmask = (struct in_addr *)malloc(sizeof(struct in_addr)); - - if (!addrs || !entry || !entry->saddr || !entry->smask || - !entry->daddr || !entry->dmask) { - yyerror(_("Memory allocation error.")); - return NULL; - } - - entry->next = NULL; - entry->mode = action; - entry->iface = interface ? interface : NULL; - - if (addrs->src) { - PDEBUG("Assigning source\n"); - entry->saddr->s_addr = addrs->src->addr.s_addr & addrs->src->mask; - entry->smask->s_addr = addrs->src->mask; - entry->src_port[0] = addrs->src->port[0]; - entry->src_port[1] = addrs->src->port[1]; - } else { - entry->saddr->s_addr = 0; - entry->smask->s_addr = 0; - entry->src_port[0] = MIN_PORT; - entry->src_port[1] = MAX_PORT; - } - - if (addrs->dest) { - PDEBUG("Assigning source\n"); - entry->daddr->s_addr = addrs->dest->addr.s_addr & addrs->dest->mask; - entry->dmask->s_addr = addrs->dest->mask; - entry->dst_port[0] = addrs->dest->port[0]; - entry->dst_port[1] = addrs->dest->port[1]; - } else { - entry->daddr->s_addr = 0; - entry->dmask->s_addr = 0; - entry->dst_port[0] = MIN_PORT; - entry->dst_port[1] = MAX_PORT; - } - - return entry; -} - struct cod_entry *new_entry(char *namespace, char *id, int mode) { struct cod_entry *entry = NULL; 
@@ -662,17 +601,6 @@ struct cod_entry *copy_cod_entry(struct cod_entry *orig) return entry; } -void free_ipv4_endpoints(struct ipv4_endpoints *addrs) -{ - if (!addrs) - return; - if (addrs->src) - free(addrs->src); - if (addrs->dest) - free(addrs->dest); - free(addrs); -} - void free_cod_entries(struct cod_entry *list) { if (!list) @@ -690,25 +618,6 @@ void free_cod_entries(struct cod_entry *list) free(list); } -void free_net_entries(struct cod_net_entry *list) -{ - if (!list) - return; - if (list->next) - free_net_entries(list->next); - if (list->saddr) - free(list->saddr); - if (list->smask) - free(list->smask); - if (list->daddr) - free(list->daddr); - if (list->dmask) - free(list->dmask); - if (list->iface) - free(list->iface); - free(list); -} - void debug_cod_entries(struct cod_entry *list) { struct cod_entry *item = NULL; 
@@ -763,54 +672,6 @@ void debug_cod_entries(struct cod_entry *list) } } -void debug_cod_net_entries(struct cod_net_entry *list) -{ - struct cod_net_entry *item = NULL; - struct in_addr src_addr, dst_addr; - unsigned long smask; - unsigned long dmask; - - printf("--- NetwerkEntries --- \n"); - - list_for_each(list, item) { - if (!item) - printf("Item is NULL"); - - src_addr.s_addr = item->saddr->s_addr; - dst_addr.s_addr = item->daddr->s_addr; - smask = ntohl(item->smask->s_addr); - dmask = ntohl(item->dmask->s_addr); - - printf("Source IP: %s\n", inet_ntoa(src_addr)); - printf("Source Port: (%hu) - (%hu)\n", item->src_port[0], - item->src_port[1]); - printf("Source netmask: %lx\n", smask); - fflush(stdout); - printf("Destination IP: %s\n", inet_ntoa(dst_addr)); - printf("Destination Port: %hu - %hu\n", item->dst_port[0], - item->dst_port[1]); - printf("Destination netmask: %lx\n", dmask); - fflush(stdout); - printf("Mode:\t"); - if (item->mode & AA_TCP_ACCEPT) - printf("TA"); - if (item->mode & AA_TCP_CONNECT) - printf("TC"); - if (item->mode & AA_TCP_ACCEPTED) - printf("Ta"); - if (item->mode & AA_TCP_CONNECTED) - printf("Tc"); - if (item->mode & AA_UDP_SEND) - printf("US"); - if (item->mode & AA_UDP_RECEIVE) - printf("UR"); - if (item->iface != NULL) - printf("\nInterface: %s\n", item->iface); - - printf("\n"); - } -} - static const char *capnames[] = { "chown", "dac_override", @@ -887,9 +748,6 @@ void debug_cod_list(struct codomain *cod) if (cod->entries) debug_cod_entries(cod->entries); - if (cod->net_entries) - debug_cod_net_entries(cod->net_entries); - printf("\n"); dump_policy_hats(cod); } diff --git a/parser/parser_policy.c b/parser/parser_policy.c index 35d16ce56..b8bca57fa 100644 --- a/parser/parser_policy.c +++ b/parser/parser_policy.c 
@@ -99,12 +99,6 @@ void add_entry_to_policy(struct codomain *cod, struct cod_entry *entry) cod->entries = entry; } -void add_netrule_to_policy(struct codomain *cod, struct cod_net_entry *net_entry) -{ - net_entry->next = cod->net_entries; - cod->net_entries = net_entry; -} - static void __merge_rules(const void *nodep, const VISIT value, const int __unused depth) { @@ -392,7 +386,6 @@ struct codomain *merge_policy(struct codomain *a, struct codomain *b) { struct codomain *ret = a; struct cod_entry *last; - struct cod_net_entry *lastnet; if (!a) { ret = b; goto out; @@ -415,14 +408,6 @@ struct codomain *merge_policy(struct codomain *a, struct codomain *b) } b->entries = NULL; - if (a->net_entries) { - list_last_entry(a->net_entries, lastnet); - lastnet->next = b->net_entries; - } else { - a->net_entries = b->net_entries; - } - b->net_entries = NULL; - a->flags.complain = a->flags.complain || b->flags.complain; a->flags.audit = a->flags.audit || b->flags.audit; @@ -482,7 +467,6 @@ void free_policy(struct codomain *cod) return; free_hat_table(cod->hat_table); free_cod_entries(cod->entries); - free_net_entries(cod->net_entries); if (cod->dfarules) aare_delete_ruleset(cod->dfarules); if (cod->dfa) diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y index 81a519d38..1ec1d2407 100644 --- a/parser/parser_yacc.y +++ b/parser/parser_yacc.y @@ -90,26 +90,7 @@ struct cod_entry *do_file_rule(char *namespace, char *id, int mode); %token TOK_NETWORK %token TOK_HAT %token TOK_UNSAFE - -/* network tokens */ -%token TOK_IP -%token TOK_IFACE -%token TOK_ACTION -%token TOK_PORT -%token TOK_PORT_IDENT -%token TOK_NUM %token TOK_COLON -%token TOK_SLASH -%token TOK_RANGE -%token TOK_VIA -%token TOK_TO -%token TOK_FROM -%token TOK_TCP_CONN -%token TOK_TCP_ACPT -%token TOK_TCP_CONN_ESTB -%token TOK_TCP_ACPT_ESTB -%token TOK_UDP_SEND -%token TOK_UDP_RECV /* capabilities */ %token TOK_CAPABILITY 
@@ -124,23 +105,12 @@ struct cod_entry *do_file_rule(char *namespace, char *id, int mode); %union { char *id; char *flag_id; - char *ip; - char *iface; char *mode; - char *eth; - /* char * action; */ - char *via; - /* char * port; */ - unsigned long int num; struct aa_network_entry *network_entry; struct codomain *cod; struct cod_global_entry *entry; struct cod_net_entry *net_entry; struct cod_entry *user_entry; - struct ipv4_desc *ipv4; - struct ipv4_endpoints *endpoints; - unsigned short (*port)[2]; - int action; struct flagval flags; int fmode; unsigned int cap; @@ -159,20 +129,8 @@ struct cod_entry *do_file_rule(char *namespace, char *id, int mode); %type rules %type hat %type cond_rule -%type netrule %type network_rule %type rule -%type address -%type addresses -%type mask -%type ports -%type TOK_IP -%type TOK_IFACE interface -%type TOK_ACTION -%type TOK_VIA -%type TOK_PORT_IDENT -%type TOK_NUM -%type action %type flags %type flagvals %type flagval @@ -413,17 +371,6 @@ rules: rules rule $$ = $1; }; -rules: rules netrule - { - PDEBUG("Matched: netrules rule\n"); - if (!$2) - yyerror(_("Assert: `netrule' returned NULL.")); - PDEBUG("Assigning %s\n", inet_ntoa(*$2->saddr)); - PDEBUG("Assigning %s\n", inet_ntoa(*$2->daddr)); - add_netrule_to_policy($1, $2); - $$ = $1; - }; - rules: rules network_rule { struct aa_network_entry *entry, *tmp; 
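Review bot: The `%union` still carries `struct cod_net_entry *net_entry;` even though this patch deletes `struct cod_net_entry` from parser.h and the `netrule` nonterminal that was typed with it. It compiles because a pointer to an incomplete struct type is legal in C, but it is a dangling reference to a removed type; drop the line `struct cod_net_entry *net_entry;` from the union alongside `ip`, `iface`, `endpoints` and the other netdomain members removed here. The `%union` block's closing brace lies outside this hunk.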
@@ -647,44 +594,6 @@ network_rule: TOK_NETWORK TOK_ID TOK_ID TOK_END_OF_RULE $$ = entry; } -/* - * The addition of an entirely new grammer set to our (previously) slim - * profile spec is below. It's designed to look quite similar to - * (Free|Open)BSD's ipfw rules: - * - * 'tcp_connect to 10.0.0.40:80 via eth0' for example. - * - * - * mb: - * We need to verify the following rules: - */ - -netrule: action addresses interface TOK_END_OF_RULE - { - struct cod_net_entry *entry; - - entry = NULL; - - if (!$2) - yyerror(_("Assert: `addresses' returned NULL.")); - - PDEBUG("Matched action (%d) via (%s)\n", $1, $3); - entry = new_network_entry($1, $2, $3); - if (!entry) - yyerror(_("Memory allocation error.")); - - free_ipv4_endpoints($2); - $$ = entry; - }; - -action: TOK_TCP_CONN { $$ = AA_TCP_CONNECT; } - | TOK_TCP_ACPT { $$ = AA_TCP_ACCEPT; } - | TOK_TCP_CONN_ESTB { $$ = AA_TCP_CONNECTED; } - | TOK_TCP_ACPT_ESTB { $$ = AA_TCP_ACCEPTED; } - | TOK_UDP_SEND { $$ = AA_UDP_SEND; } - | TOK_UDP_RECV { $$ = AA_UDP_RECEIVE; } - ; - hat_start: TOK_SEP {} | TOK_HAT {} 
@@ -694,227 +603,6 @@ file_mode: TOK_MODE free($1); } -interface: /* nothing, no interface specified */ - { - $$ = NULL; - }; -interface: TOK_VIA TOK_IFACE - { - PDEBUG ("Matched an interface (%s)\n", $2); - $$ = $2; - }; - -addresses: /* Nothing */ - { - struct ipv4_endpoints *addresses; - - addresses = (struct ipv4_endpoints *) - malloc (sizeof (struct ipv4_endpoints)); - if (!addresses) - yyerror(_("Memory allocation error.")); - addresses->src = NULL; - addresses->dest = NULL; - - $$ = addresses; - }; - -addresses: TOK_TO address - { - struct ipv4_endpoints *addresses; - - addresses = (struct ipv4_endpoints *) - malloc(sizeof (struct ipv4_endpoints)); - if (!addresses) - yyerror(_("Memory allocation error.")); - addresses->src = NULL; - addresses->dest = $2; - - $$ = addresses; - }; - -addresses: TOK_FROM address - { - struct ipv4_endpoints *addresses; - - addresses = (struct ipv4_endpoints *) - malloc(sizeof (struct ipv4_endpoints)); - if (!addresses) - yyerror(_("Memory allocation error.")); - addresses->src = $2; - addresses->dest = NULL; - - $$ = addresses; - }; - -addresses: TOK_FROM address TOK_TO address - { - struct ipv4_endpoints *addresses; - - addresses = (struct ipv4_endpoints *) - malloc (sizeof (struct ipv4_endpoints)); - if (!addresses) - yyerror(_("Memory allocation error.")); - addresses->src = $2; - addresses->dest = $4; - - $$ = addresses; - }; - -addresses: TOK_TO address TOK_FROM address - { - struct ipv4_endpoints *addresses; - - addresses = (struct ipv4_endpoints *) - malloc(sizeof (struct ipv4_endpoints)); - if (!addresses) - yyerror(_("Memory allocation error.")); - addresses->src = $4; - addresses->dest = $2; - - $$ = addresses; - }; - -addresses: TOK_TO address TOK_TO - { - /* better error warnings (hopefully) */ - yyerror(_("Network entries can only have one TO address.")); - }; -addresses: TOK_FROM address TOK_FROM - { - /* better error warnings (hopefully) */ - yyerror(_("Network entries can only have one FROM address.")); - }; 
-address: TOK_IP ports - { - /* Bleah, I have to handle address as two rules, because - * if the user provides an ip of 0.0.0.0 and no mask, we - * treat it as 0.0.0.0/0 instead of 0.0.0.0/32. */ - - struct ipv4_desc *address; - - address = (struct ipv4_desc *) - malloc (sizeof (struct ipv4_desc)); - if (!address) - yyerror(_("Memory allocation error.")); - - address->port[0] = (*$2)[0]; - address->port[1] = (*$2)[1]; - if (inet_aton($1, &(address->addr)) == 0) - yyerror(_("`%s' is not a valid ip address."), $1); - if (address->addr.s_addr == 0) { - /* the user specified 0.0.0.0 without giving an - * explicit mask, so treat it as 0.0.0.0/0 */ - address->mask = htonl (0UL); - } else { - /* otherwise, treat it as /32 */ - address->mask = htonl (0xffffffff); - } - PDEBUG("Matched an IP (%s/%d:%d-%d)\n", - inet_ntoa(address->addr), address->mask, - address->port[0], address->port[1]); - - free($1); - free(*$2); - $$ = address; - }; - -address: TOK_IP mask ports - { - struct ipv4_desc *address; - - address = (struct ipv4_desc *) - malloc(sizeof (struct ipv4_desc)); - if (!address) - yyerror(_("Memory allocation error.")); - - address->mask = $2; - address->port[0] = (*$3)[0]; - address->port[1] = (*$3)[1]; - if (inet_aton($1, &(address->addr)) == 0) - yyerror(_("`%s' is not a valid ip address."), $1); - PDEBUG("Matched an IP (%s/%d:%d-%d)\n", - inet_ntoa(address->addr), address->mask, - address->port[0], address->port[1]); - free($1); - free(*$3); - $$ = address; - }; - -mask: TOK_SLASH TOK_NUM - { - PDEBUG("Matched a netmask (%d)\n", $2); - if (($2 < 0) || ($2 > 32)) - yyerror(_("`/%d' is not a valid netmask."), $2); - $$ = htonl(0xffffffff << (32 - $2)); - }; -mask: TOK_SLASH TOK_IP - { - struct in_addr mask; - if (inet_aton($2, &mask) == 0) - yyerror(_("`%s' is not a valid netmask."), $2); - PDEBUG("Matched a netmask (%d)\n", mask.s_addr); - $$ = mask.s_addr; - }; - -ports: { - /* nothing, return all ports */ - unsigned short (*ports)[2]; - - ports = (unsigned short 
(*)[2]) - malloc(sizeof (unsigned short [2])); - if (!ports) - yyerror(_("Memory allocation error.")); - (*ports)[0] = MIN_PORT; - (*ports)[1] = MAX_PORT; - - $$ = ports; - }; -ports: TOK_COLON TOK_NUM - { - unsigned short (*ports)[2]; - - PDEBUG("Matched a single port (%d)\n", $2); - ports = (unsigned short (*)[2]) - malloc(sizeof (unsigned short [2])); - if (($2 < MIN_PORT) || ($2 > MAX_PORT)) - yyerror(_("ports must be between %d and %d"), - MIN_PORT, MAX_PORT); - if (!ports) - yyerror(_("Memory allocation error.")); - (*ports)[0] = $2; - (*ports)[1] = $2; - - $$ = ports; - }; -ports: TOK_COLON TOK_NUM TOK_RANGE TOK_NUM - { - unsigned short (*ports)[2]; - - PDEBUG("Matched a port range (%d,%d)\n", $2, $4); - ports = (unsigned short (*)[2]) - malloc(sizeof (unsigned short [2])); - if (!ports) - yyerror(_("Memory allocation error.")); - if (($2 < MIN_PORT) || ($4 > MAX_PORT) - || ($2 < MIN_PORT) || ($4 > MAX_PORT)) - yyerror(_("ports must be between %d and %d"), - MIN_PORT, MAX_PORT); - (*ports)[0] = $2; - (*ports)[1] = $4; - - if ((*ports)[0] > (*ports)[1]) - { - unsigned short tmp; - pwarn("expected first port number to be less than the second, swapping (%ld,%ld)\n", - $2, $4); - tmp = (*ports)[0]; - (*ports)[0] = (*ports)[1]; - (*ports)[1] = tmp; - } - - $$ = ports; - }; - change_profile: TOK_CHANGE_PROFILE TOK_ID TOK_END_OF_RULE { struct cod_entry *entry; diff --git a/parser/tst/simple_tests/tcp_server_ok1.sd b/parser/tst/simple_tests/netdomain_bad_1.sd similarity index 75% rename from parser/tst/simple_tests/tcp_server_ok1.sd rename to parser/tst/simple_tests/netdomain_bad_1.sd index 60d20f524..408cddb8a 100644 --- a/parser/tst/simple_tests/tcp_server_ok1.sd +++ b/parser/tst/simple_tests/netdomain_bad_1.sd @@ -1,7 +1,7 @@ # -# $Id$ +# $Id: tcp_server_ok1.sd 66 2006-06-01 18:02:28Z steve-beattie $ #=DESCRIPTION netdomain tcp accept simple parse test (from,via) -#=EXRESULT PASS +#=EXRESULT FAIL # /tmp/tcp/tcp_server { tcp_accept from 127.0.0.1, 
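Review bot: The `$Id$` keyword line is replaced by the frozen expansion `$Id: tcp_server_ok1.sd 66 2006-06-01 18:02:28Z steve-beattie $`, which names the file's old name and an old revision, so the renamed test now misidentifies itself; keep it as `# $Id$` (or drop the line) in the rename, and likewise in the other eight `netdomain_bad_*.sd` files in this patch. The flip to `#=EXRESULT FAIL` is the valuable part of the change: it pins that the parser rejects the retired `tcp_accept from ... via ...` syntax outright rather than silently discarding the rule, which would otherwise leave an administrator with a loaded profile that does not say what its source says.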
diff --git a/parser/tst/simple_tests/tcp_server_ok2.sd b/parser/tst/simple_tests/netdomain_bad_2.sd similarity index 76% rename from parser/tst/simple_tests/tcp_server_ok2.sd rename to parser/tst/simple_tests/netdomain_bad_2.sd index c937405d7..b5b2786c2 100644 --- a/parser/tst/simple_tests/tcp_server_ok2.sd +++ b/parser/tst/simple_tests/netdomain_bad_2.sd @@ -1,7 +1,7 @@ # -# $Id$ +# $Id: tcp_server_ok2.sd 66 2006-06-01 18:02:28Z steve-beattie $ #=DESCRIPTION netdomain tcp accept from ip/cidr netmask/port range via -#=EXRESULT PASS +#=EXRESULT FAIL /tmp/tcp/tcp_server { tcp_accept from 10.0.0.17/16:50-100 via eth1, tcp_accept from 127.0.0.1, diff --git a/parser/tst/simple_tests/tcp_server_ok3.sd b/parser/tst/simple_tests/netdomain_bad_3.sd similarity index 75% rename from parser/tst/simple_tests/tcp_server_ok3.sd rename to parser/tst/simple_tests/netdomain_bad_3.sd index 7ac9094da..ea4299131 100644 --- a/parser/tst/simple_tests/tcp_server_ok3.sd +++ b/parser/tst/simple_tests/netdomain_bad_3.sd @@ -1,6 +1,7 @@ # -# $Id$ +# $Id: tcp_server_ok3.sd 66 2006-06-01 18:02:28Z steve-beattie $ #=DESCRIPTION netdomain tcp accept from,to,via +#=EXRESULT FAIL /tmp/tcp/tcp_server { tcp_accept from 10.0.0.17/16:50-100 to 127.0.0.1 via eth1, tcp_accept from 127.0.0.1, diff --git a/parser/tst/simple_tests/tcp_server_ok4.sd b/parser/tst/simple_tests/netdomain_bad_4.sd similarity index 79% rename from parser/tst/simple_tests/tcp_server_ok4.sd rename to parser/tst/simple_tests/netdomain_bad_4.sd index 7181e20eb..e8e51e5e1 100644 --- a/parser/tst/simple_tests/tcp_server_ok4.sd +++ b/parser/tst/simple_tests/netdomain_bad_4.sd @@ -1,7 +1,7 @@ # -# $Id$ +# $Id: tcp_server_ok4.sd 66 2006-06-01 18:02:28Z steve-beattie $ #=DESCRIPTION netdomain accept from port 65535 -#=EXRESULT PASS +#=EXRESULT FAIL # /tmp/tcp/tcp_client { tcp_accept to 10.0.0.17/16:1024-65535 from 127.0.0.1 via eth1, 
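Review bot: In the `netdomain_bad_3.sd` section the `#=EXRESULT FAIL` header is added as a new line rather than changed from PASS, which shows the original `tcp_server_ok3.sd` never declared an expected result at all; `netdomain_bad_7.sd` later in this patch has the same history. Adding the header is correct, but it is worth confirming what the simple_tests runner does with a missing `#=EXRESULT`: if it defaults to PASS, other test files may be passing vacuously, and a `#=DESCRIPTION` without `#=EXRESULT` should arguably be treated as a harness error. I cannot see the runner from this patch, so that is an inference to check rather than a confirmed defect.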
diff --git a/parser/tst/simple_tests/tcp_client_ok1.sd b/parser/tst/simple_tests/netdomain_bad_5.sd similarity index 75% rename from parser/tst/simple_tests/tcp_client_ok1.sd rename to parser/tst/simple_tests/netdomain_bad_5.sd index 7d67abacc..3001bfd29 100644 --- a/parser/tst/simple_tests/tcp_client_ok1.sd +++ b/parser/tst/simple_tests/netdomain_bad_5.sd @@ -1,7 +1,7 @@ # -# $Id$ +# $Id: tcp_client_ok1.sd 66 2006-06-01 18:02:28Z steve-beattie $ #=DESCRIPTION netdomain tcp connect simple parse test (to,via) -#=EXRESULT PASS +#=EXRESULT FAIL # /tmp/tcp/tcp_client { tcp_connect to 127.0.0.1, diff --git a/parser/tst/simple_tests/tcp_client_ok2.sd b/parser/tst/simple_tests/netdomain_bad_6.sd similarity index 76% rename from parser/tst/simple_tests/tcp_client_ok2.sd rename to parser/tst/simple_tests/netdomain_bad_6.sd index 1528d4c18..ac00d4bce 100644 --- a/parser/tst/simple_tests/tcp_client_ok2.sd +++ b/parser/tst/simple_tests/netdomain_bad_6.sd @@ -1,7 +1,7 @@ # -# $Id$ +# $Id: tcp_client_ok2.sd 66 2006-06-01 18:02:28Z steve-beattie $ #=DESCRIPTION netdomain tcp connect to ip/cidr netmask/port range via -#=EXRESULT PASS +#=EXRESULT FAIL /tmp/tcp/tcp_client { tcp_connect to 10.0.0.17/16:50-100 via eth1, tcp_connect to 127.0.0.1, diff --git a/parser/tst/simple_tests/tcp_client_ok3.sd b/parser/tst/simple_tests/netdomain_bad_7.sd similarity index 75% rename from parser/tst/simple_tests/tcp_client_ok3.sd rename to parser/tst/simple_tests/netdomain_bad_7.sd index 08f6ac0ab..8349f4f4c 100644 --- a/parser/tst/simple_tests/tcp_client_ok3.sd +++ b/parser/tst/simple_tests/netdomain_bad_7.sd @@ -1,6 +1,7 @@ # -# $Id$ +# $Id: tcp_client_ok3.sd 66 2006-06-01 18:02:28Z steve-beattie $ #=DESCRIPTION netdomain tcp connect to,from,via +#=EXRESULT FAIL /tmp/tcp/tcp_client { tcp_connect to 10.0.0.17/16:50-100 from 127.0.0.1 via eth1, tcp_connect to 127.0.0.1, 
diff --git a/parser/tst/simple_tests/tcp_client_ok4.sd b/parser/tst/simple_tests/netdomain_bad_8.sd similarity index 91% rename from parser/tst/simple_tests/tcp_client_ok4.sd rename to parser/tst/simple_tests/netdomain_bad_8.sd index 2067cc80b..2692dff4a 100644 --- a/parser/tst/simple_tests/tcp_client_ok4.sd +++ b/parser/tst/simple_tests/netdomain_bad_8.sd @@ -1,7 +1,7 @@ # -# $Id$ +# $Id: tcp_client_ok4.sd 66 2006-06-01 18:02:28Z steve-beattie $ #=DESCRIPTION netdomain tcp (accept,connect), udp (send,receive) conglomerate test -#=EXRESULT PASS +#=EXRESULT FAIL # /tmp/tcp/tcp_client { tcp_connect to 10.0.0.17/16:50-100 from 0.0.0.0:50-100 via eth1, diff --git a/parser/tst/simple_tests/tcp_client_ok5.sd b/parser/tst/simple_tests/netdomain_bad_9.sd similarity index 79% rename from parser/tst/simple_tests/tcp_client_ok5.sd rename to parser/tst/simple_tests/netdomain_bad_9.sd index a10decf14..c07fe0bc8 100644 --- a/parser/tst/simple_tests/tcp_client_ok5.sd +++ b/parser/tst/simple_tests/netdomain_bad_9.sd @@ -1,7 +1,7 @@ # -# $Id$ +# $Id: tcp_client_ok5.sd 66 2006-06-01 18:02:28Z steve-beattie $ #=DESCRIPTION netdomain connect to port 65535 -#=EXRESULT PASS +#=EXRESULT FAIL # /tmp/tcp/tcp_client { tcp_connect to 10.0.0.17/16:1024-65535 from 127.0.0.1 via eth1,