diff options
Diffstat (limited to 'src/read_config_yy.y')
-rw-r--r-- | src/read_config_yy.y | 1698 |
1 files changed, 1698 insertions, 0 deletions
diff --git a/src/read_config_yy.y b/src/read_config_yy.y new file mode 100644 index 0000000..b22784c --- /dev/null +++ b/src/read_config_yy.y @@ -0,0 +1,1698 @@ +%{ +/* + * (C) 2006-2009 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + * + * Description: configuration file abstract grammar + */ + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <netdb.h> +#include <errno.h> +#include <stdarg.h> +#include "conntrackd.h" +#include "bitops.h" +#include "cidr.h" +#include <syslog.h> +#include <sched.h> +#include <libnetfilter_conntrack/libnetfilter_conntrack.h> +#include <libnetfilter_conntrack/libnetfilter_conntrack_tcp.h> + +extern char *yytext; +extern int yylineno; + +struct ct_conf conf; + +enum { + CTD_CFG_ERROR = 0, + CTD_CFG_WARN, +}; + +static void print_err(int err, const char *msg, ...); + +static void __kernel_filter_start(void); +static void __kernel_filter_add_state(int value); +static void __max_dedicated_links_reached(void); +%} + +%union { + int val; + char *string; +} + +%token T_IPV4_ADDR T_IPV4_IFACE T_PORT T_HASHSIZE T_HASHLIMIT T_MULTICAST +%token T_PATH T_UNIX T_REFRESH T_IPV6_ADDR T_IPV6_IFACE +%token T_IGNORE_UDP T_IGNORE_ICMP T_IGNORE_TRAFFIC T_BACKLOG T_GROUP +%token T_LOG T_UDP T_ICMP T_IGMP T_VRRP T_TCP T_IGNORE_PROTOCOL +%token T_LOCK T_STRIP_NAT T_BUFFER_SIZE_MAX_GROWN T_EXPIRE T_TIMEOUT +%token T_GENERAL T_SYNC T_STATS T_RELAX_TRANSITIONS T_BUFFER_SIZE T_DELAY +%token T_SYNC_MODE T_LISTEN_TO T_FAMILY T_RESEND_BUFFER_SIZE +%token T_ALARM T_FTFW T_CHECKSUM T_WINDOWSIZE T_ON T_OFF +%token T_REPLICATE T_FOR T_IFACE T_PURGE T_RESEND_QUEUE_SIZE +%token T_ESTABLISHED T_SYN_SENT T_SYN_RECV T_FIN_WAIT +%token T_CLOSE_WAIT T_LAST_ACK T_TIME_WAIT T_CLOSE T_LISTEN +%token T_SYSLOG T_WRITE_THROUGH T_STAT_BUFFER_SIZE T_DESTROY_TIMEOUT +%token T_RCVBUFF T_SNDBUFF T_NOTRACK T_POLL_SECS +%token T_FILTER T_ADDRESS T_PROTOCOL T_STATE T_ACCEPT T_IGNORE +%token T_FROM T_USERSPACE T_KERNELSPACE T_EVENT_ITER_LIMIT T_DEFAULT +%token T_NETLINK_OVERRUN_RESYNC T_NICE T_IPV4_DEST_ADDR T_IPV6_DEST_ADDR +%token T_SCHEDULER T_TYPE T_PRIO T_NETLINK_EVENTS_RELIABLE +%token T_DISABLE_INTERNAL_CACHE T_DISABLE_EXTERNAL_CACHE T_ERROR_QUEUE_LENGTH +%token T_OPTIONS T_TCP_WINDOW_TRACKING T_EXPECT_SYNC + +%token <string> T_IP T_PATH_VAL +%token <val> T_NUMBER +%token <val> T_SIGNED_NUMBER +%token <string> T_STRING + +%% + +configfile : + | lines + ; + +lines : line + | lines line + ; + +line : ignore_protocol + | ignore_traffic + | strip_nat + | general + | sync + | stats + ; + +logfile_bool : T_LOG T_ON +{ + strncpy(conf.logfile, DEFAULT_LOGFILE, FILENAME_MAXLEN); +}; + +logfile_bool : T_LOG T_OFF +{ +}; + +logfile_path : T_LOG T_PATH_VAL +{ + strncpy(conf.logfile, $2, FILENAME_MAXLEN); +}; + +syslog_bool : T_SYSLOG T_ON +{ + conf.syslog_facility = DEFAULT_SYSLOG_FACILITY; +}; + +syslog_bool : T_SYSLOG T_OFF +{ + conf.syslog_facility = -1; +} + +syslog_facility : T_SYSLOG T_STRING +{ + if (!strcmp($2, "daemon")) + conf.syslog_facility = LOG_DAEMON; + else if (!strcmp($2, "local0")) + conf.syslog_facility = LOG_LOCAL0; + else if (!strcmp($2, "local1")) + conf.syslog_facility = LOG_LOCAL1; + else if (!strcmp($2, "local2")) + conf.syslog_facility = LOG_LOCAL2; + else if (!strcmp($2, "local3")) + conf.syslog_facility = LOG_LOCAL3; + else if (!strcmp($2, "local4")) + conf.syslog_facility = LOG_LOCAL4; + else if (!strcmp($2, "local5")) + conf.syslog_facility = LOG_LOCAL5; + else if (!strcmp($2, "local6")) + conf.syslog_facility = LOG_LOCAL6; + else if (!strcmp($2, "local7")) + conf.syslog_facility = LOG_LOCAL7; + else { + print_err(CTD_CFG_WARN, "'%s' is not a known syslog facility, " + "ignoring", $2); + break; + } + + if (conf.stats.syslog_facility != -1 && + conf.syslog_facility != conf.stats.syslog_facility) + print_err(CTD_CFG_WARN, "conflicting Syslog facility " + "values, defaulting to General"); +}; + +lock : T_LOCK T_PATH_VAL +{ + strncpy(conf.lockfile, $2, FILENAME_MAXLEN); +}; + +strip_nat: T_STRIP_NAT +{ + print_err(CTD_CFG_WARN, "`StripNAT' clause is obsolete, ignoring"); +}; + +refreshtime : T_REFRESH T_NUMBER +{ + conf.refresh = $2; +}; + +expiretime: T_EXPIRE T_NUMBER +{ + conf.cache_timeout = $2; +}; + +timeout: T_TIMEOUT T_NUMBER +{ + conf.commit_timeout = $2; +}; + +purge: T_PURGE T_NUMBER +{ + conf.purge_timeout = $2; +}; + +checksum: T_CHECKSUM T_ON +{ + print_err(CTD_CFG_WARN, "the use of `Checksum' outside the " + "`Multicast' clause is ambiguous"); + /* + * XXX: The use of Checksum outside of the Multicast clause is broken + * if we have more than one dedicated links. + */ + conf.channel[0].u.mcast.checksum = 0; +}; + +checksum: T_CHECKSUM T_OFF +{ + print_err(CTD_CFG_WARN, "the use of `Checksum' outside the " + "`Multicast' clause is ambiguous"); + /* + * XXX: The use of Checksum outside of the Multicast clause is broken + * if we have more than one dedicated links. + */ + conf.channel[0].u.mcast.checksum = 1; +}; + +ignore_traffic : T_IGNORE_TRAFFIC '{' ignore_traffic_options '}' +{ + ct_filter_set_logic(STATE(us_filter), + CT_FILTER_ADDRESS, + CT_FILTER_NEGATIVE); + + print_err(CTD_CFG_WARN, "the clause `IgnoreTrafficFor' is obsolete. " + "Use `Filter' instead"); +}; + +ignore_traffic_options : + | ignore_traffic_options ignore_traffic_option; + +ignore_traffic_option : T_IPV4_ADDR T_IP +{ + union inet_address ip; + + memset(&ip, 0, sizeof(union inet_address)); + + if (!inet_aton($2, &ip.ipv4)) { + print_err(CTD_CFG_WARN, "%s is not a valid IPv4, " + "ignoring", $2); + break; + } + + if (!ct_filter_add_ip(STATE(us_filter), &ip, AF_INET)) { + if (errno == EEXIST) + print_err(CTD_CFG_WARN, "IP %s is repeated " + "in the ignore pool", $2); + if (errno == ENOSPC) + print_err(CTD_CFG_WARN, "too many IP in the " + "ignore pool!"); + } +}; + +ignore_traffic_option : T_IPV6_ADDR T_IP +{ + union inet_address ip; + + memset(&ip, 0, sizeof(union inet_address)); + +#ifdef HAVE_INET_PTON_IPV6 + if (inet_pton(AF_INET6, $2, &ip.ipv6) <= 0) { + print_err(CTD_CFG_WARN, "%s is not a valid IPv6, ignoring", $2); + break; + } +#else + print_err(CTD_CFG_WARN, "cannot find inet_pton(), IPv6 unsupported!"); +#endif + + if (!ct_filter_add_ip(STATE(us_filter), &ip, AF_INET6)) { + if (errno == EEXIST) + print_err(CTD_CFG_WARN, "IP %s is repeated " + "in the ignore pool", $2); + if (errno == ENOSPC) + print_err(CTD_CFG_WARN, "too many IP in the " + "ignore pool!"); + } + +}; + +multicast_line : T_MULTICAST '{' multicast_options '}' +{ + if (conf.channel_type_global != CHANNEL_NONE && + conf.channel_type_global != CHANNEL_MCAST) { + print_err(CTD_CFG_ERROR, "cannot use `Multicast' with other " + "dedicated link protocols!"); + exit(EXIT_FAILURE); + } + conf.channel_type_global = CHANNEL_MCAST; + conf.channel[conf.channel_num].channel_type = CHANNEL_MCAST; + conf.channel[conf.channel_num].channel_flags = CHANNEL_F_BUFFERED; + conf.channel_num++; +}; + +multicast_line : T_MULTICAST T_DEFAULT '{' multicast_options '}' +{ + if (conf.channel_type_global != CHANNEL_NONE && + conf.channel_type_global != CHANNEL_MCAST) { + print_err(CTD_CFG_ERROR, "cannot use `Multicast' with other " + "dedicated link protocols!"); + exit(EXIT_FAILURE); + } + conf.channel_type_global = CHANNEL_MCAST; + conf.channel[conf.channel_num].channel_type = CHANNEL_MCAST; + conf.channel[conf.channel_num].channel_flags = CHANNEL_F_DEFAULT | + CHANNEL_F_BUFFERED; + conf.channel_default = conf.channel_num; + conf.channel_num++; +}; + +multicast_options : + | multicast_options multicast_option; + +multicast_option : T_IPV4_ADDR T_IP +{ + __max_dedicated_links_reached(); + + if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) { + print_err(CTD_CFG_WARN, "%s is not a valid IPv4 address", $2); + break; + } + + if (conf.channel[conf.channel_num].u.mcast.ipproto == AF_INET6) { + print_err(CTD_CFG_WARN, "your multicast address is IPv4 but " + "is binded to an IPv6 interface? " + "Surely, this is not what you want"); + break; + } + + conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET; +}; + +multicast_option : T_IPV6_ADDR T_IP +{ + __max_dedicated_links_reached(); + +#ifdef HAVE_INET_PTON_IPV6 + if (inet_pton(AF_INET6, $2, + &conf.channel[conf.channel_num].u.mcast.in) <= 0) { + print_err(CTD_CFG_WARN, "%s is not a valid IPv6 address", $2); + break; + } +#else + print_err(CTD_CFG_WARN, "cannot find inet_pton(), IPv6 unsupported!"); + break; +#endif + + if (conf.channel[conf.channel_num].u.mcast.ipproto == AF_INET) { + print_err(CTD_CFG_WARN, "your multicast address is IPv6 but " + "is binded to an IPv4 interface? " + "Surely this is not what you want"); + break; + } + + conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6; + + if (conf.channel[conf.channel_num].channel_ifname[0] && + !conf.channel[conf.channel_num].u.mcast.ifa.interface_index6) { + unsigned int idx; + + idx = if_nametoindex($2); + if (!idx) { + print_err(CTD_CFG_WARN, + "%s is an invalid interface", $2); + break; + } + + conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx; + conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6; + } +}; + +multicast_option : T_IPV4_IFACE T_IP +{ + __max_dedicated_links_reached(); + + if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.ifa)) { + print_err(CTD_CFG_WARN, "%s is not a valid IPv4 address", $2); + break; + } + + if (conf.channel[conf.channel_num].u.mcast.ipproto == AF_INET6) { + print_err(CTD_CFG_WARN, "your multicast interface is IPv4 but " + "is binded to an IPv6 interface? " + "Surely, this is not what you want"); + break; + } + + conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET; +}; + +multicast_option : T_IPV6_IFACE T_IP +{ + print_err(CTD_CFG_WARN, "`IPv6_interface' not required, ignoring"); +} + +multicast_option : T_IFACE T_STRING +{ + unsigned int idx; + + __max_dedicated_links_reached(); + + strncpy(conf.channel[conf.channel_num].channel_ifname, $2, IFNAMSIZ); + + idx = if_nametoindex($2); + if (!idx) { + print_err(CTD_CFG_WARN, "%s is an invalid interface", $2); + break; + } + + if (conf.channel[conf.channel_num].u.mcast.ipproto == AF_INET6) { + conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx; + conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6; + } +}; + +multicast_option : T_BACKLOG T_NUMBER +{ + print_err(CTD_CFG_WARN, "`Backlog' option inside Multicast clause is " + "obsolete. Please, remove it from " + "conntrackd.conf"); +}; + +multicast_option : T_GROUP T_NUMBER +{ + __max_dedicated_links_reached(); + conf.channel[conf.channel_num].u.mcast.port = $2; +}; + +multicast_option: T_SNDBUFF T_NUMBER +{ + __max_dedicated_links_reached(); + conf.channel[conf.channel_num].u.mcast.sndbuf = $2; +}; + +multicast_option: T_RCVBUFF T_NUMBER +{ + __max_dedicated_links_reached(); + conf.channel[conf.channel_num].u.mcast.rcvbuf = $2; +}; + +multicast_option: T_CHECKSUM T_ON +{ + __max_dedicated_links_reached(); + conf.channel[conf.channel_num].u.mcast.checksum = 0; +}; + +multicast_option: T_CHECKSUM T_OFF +{ + __max_dedicated_links_reached(); + conf.channel[conf.channel_num].u.mcast.checksum = 1; +}; + +udp_line : T_UDP '{' udp_options '}' +{ + if (conf.channel_type_global != CHANNEL_NONE && + conf.channel_type_global != CHANNEL_UDP) { + print_err(CTD_CFG_ERROR, "cannot use `UDP' with other " + "dedicated link protocols!"); + exit(EXIT_FAILURE); + } + conf.channel_type_global = CHANNEL_UDP; + conf.channel[conf.channel_num].channel_type = CHANNEL_UDP; + conf.channel[conf.channel_num].channel_flags = CHANNEL_F_BUFFERED; + conf.channel_num++; +}; + +udp_line : T_UDP T_DEFAULT '{' udp_options '}' +{ + if (conf.channel_type_global != CHANNEL_NONE && + conf.channel_type_global != CHANNEL_UDP) { + print_err(CTD_CFG_ERROR, "cannot use `UDP' with other " + "dedicated link protocols!"); + exit(EXIT_FAILURE); + } + conf.channel_type_global = CHANNEL_UDP; + conf.channel[conf.channel_num].channel_type = CHANNEL_UDP; + conf.channel[conf.channel_num].channel_flags = CHANNEL_F_DEFAULT | + CHANNEL_F_BUFFERED; + conf.channel_default = conf.channel_num; + conf.channel_num++; +}; + +udp_options : + | udp_options udp_option; + +udp_option : T_IPV4_ADDR T_IP +{ + __max_dedicated_links_reached(); + + if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.server.ipv4)) { + print_err(CTD_CFG_WARN, "%s is not a valid IPv4 address", $2); + break; + } + conf.channel[conf.channel_num].u.udp.ipproto = AF_INET; +}; + +udp_option : T_IPV6_ADDR T_IP +{ + __max_dedicated_links_reached(); + +#ifdef HAVE_INET_PTON_IPV6 + if (inet_pton(AF_INET6, $2, + &conf.channel[conf.channel_num].u.udp.server.ipv6) <= 0) { + print_err(CTD_CFG_WARN, "%s is not a valid IPv6 address", $2); + break; + } +#else + print_err(CTD_CFG_WARN, "cannot find inet_pton(), IPv6 unsupported!"); + break; +#endif + conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6; +}; + +udp_option : T_IPV4_DEST_ADDR T_IP +{ + __max_dedicated_links_reached(); + + if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.client)) { + print_err(CTD_CFG_WARN, "%s is not a valid IPv4 address", $2); + break; + } + conf.channel[conf.channel_num].u.udp.ipproto = AF_INET; +}; + +udp_option : T_IPV6_DEST_ADDR T_IP +{ + __max_dedicated_links_reached(); + +#ifdef HAVE_INET_PTON_IPV6 + if (inet_pton(AF_INET6, $2, + &conf.channel[conf.channel_num].u.udp.client) <= 0) { + print_err(CTD_CFG_WARN, "%s is not a valid IPv6 address", $2); + break; + } +#else + print_err(CTD_CFG_WARN, "cannot find inet_pton(), IPv6 unsupported!"); + break; +#endif + conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6; +}; + +udp_option : T_IFACE T_STRING +{ + int idx; + + __max_dedicated_links_reached(); + strncpy(conf.channel[conf.channel_num].channel_ifname, $2, IFNAMSIZ); + + idx = if_nametoindex($2); + if (!idx) { + print_err(CTD_CFG_WARN, "%s is an invalid interface", $2); + break; + } + conf.channel[conf.channel_num].u.udp.server.ipv6.scope_id = idx; +}; + +udp_option : T_PORT T_NUMBER +{ + __max_dedicated_links_reached(); + conf.channel[conf.channel_num].u.udp.port = $2; +}; + +udp_option: T_SNDBUFF T_NUMBER +{ + __max_dedicated_links_reached(); + conf.channel[conf.channel_num].u.udp.sndbuf = $2; +}; + +udp_option: T_RCVBUFF T_NUMBER +{ + __max_dedicated_links_reached(); + conf.channel[conf.channel_num].u.udp.rcvbuf = $2; +}; + +udp_option: T_CHECKSUM T_ON +{ + __max_dedicated_links_reached(); + conf.channel[conf.channel_num].u.udp.checksum = 0; +}; + +udp_option: T_CHECKSUM T_OFF +{ + __max_dedicated_links_reached(); + conf.channel[conf.channel_num].u.udp.checksum = 1; +}; + +tcp_line : T_TCP '{' tcp_options '}' +{ + if (conf.channel_type_global != CHANNEL_NONE && + conf.channel_type_global != CHANNEL_TCP) { + print_err(CTD_CFG_ERROR, "cannot use `TCP' with other " + "dedicated link protocols!"); + exit(EXIT_FAILURE); + } + conf.channel_type_global = CHANNEL_TCP; + conf.channel[conf.channel_num].channel_type = CHANNEL_TCP; + conf.channel[conf.channel_num].channel_flags = CHANNEL_F_BUFFERED | + CHANNEL_F_STREAM | + CHANNEL_F_ERRORS; + conf.channel_num++; +}; + +tcp_line : T_TCP T_DEFAULT '{' tcp_options '}' +{ + if (conf.channel_type_global != CHANNEL_NONE && + conf.channel_type_global != CHANNEL_TCP) { + print_err(CTD_CFG_ERROR, "cannot use `TCP' with other " + "dedicated link protocols!"); + exit(EXIT_FAILURE); + } + conf.channel_type_global = CHANNEL_TCP; + conf.channel[conf.channel_num].channel_type = CHANNEL_TCP; + conf.channel[conf.channel_num].channel_flags = CHANNEL_F_DEFAULT | + CHANNEL_F_BUFFERED | + CHANNEL_F_STREAM | + CHANNEL_F_ERRORS; + conf.channel_default = conf.channel_num; + conf.channel_num++; +}; + +tcp_options : + | tcp_options tcp_option; + +tcp_option : T_IPV4_ADDR T_IP +{ + __max_dedicated_links_reached(); + + if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.server.ipv4)) { + print_err(CTD_CFG_WARN, "%s is not a valid IPv4 address", $2); + break; + } + conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET; +}; + +tcp_option : T_IPV6_ADDR T_IP +{ + __max_dedicated_links_reached(); + +#ifdef HAVE_INET_PTON_IPV6 + if (inet_pton(AF_INET6, $2, + &conf.channel[conf.channel_num].u.tcp.server.ipv6) <= 0) { + print_err(CTD_CFG_WARN, "%s is not a valid IPv6 address", $2); + break; + } +#else + print_err(CTD_CFG_WARN, "cannot find inet_pton(), IPv6 unsupported!"); + break; +#endif + conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6; +}; + +tcp_option : T_IPV4_DEST_ADDR T_IP +{ + __max_dedicated_links_reached(); + + if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.client)) { + print_err(CTD_CFG_WARN, "%s is not a valid IPv4 address", $2); + break; + } + conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET; +}; + +tcp_option : T_IPV6_DEST_ADDR T_IP +{ + __max_dedicated_links_reached(); + +#ifdef HAVE_INET_PTON_IPV6 + if (inet_pton(AF_INET6, $2, + &conf.channel[conf.channel_num].u.tcp.client) <= 0) { + print_err(CTD_CFG_WARN, "%s is not a valid IPv6 address", $2); + break; + } +#else + print_err(CTD_CFG_WARN, "cannot find inet_pton(), IPv6 unsupported!"); + break; +#endif + conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6; +}; + +tcp_option : T_IFACE T_STRING +{ + int idx; + + __max_dedicated_links_reached(); + strncpy(conf.channel[conf.channel_num].channel_ifname, $2, IFNAMSIZ); + + idx = if_nametoindex($2); + if (!idx) { + print_err(CTD_CFG_WARN, "%s is an invalid interface", $2); + break; + } + conf.channel[conf.channel_num].u.tcp.server.ipv6.scope_id = idx; +}; + +tcp_option : T_PORT T_NUMBER +{ + __max_dedicated_links_reached(); + conf.channel[conf.channel_num].u.tcp.port = $2; +}; + +tcp_option: T_SNDBUFF T_NUMBER +{ + __max_dedicated_links_reached(); + conf.channel[conf.channel_num].u.tcp.sndbuf = $2; +}; + +tcp_option: T_RCVBUFF T_NUMBER +{ + __max_dedicated_links_reached(); + conf.channel[conf.channel_num].u.tcp.rcvbuf = $2; +}; + +tcp_option: T_CHECKSUM T_ON +{ + __max_dedicated_links_reached(); + conf.channel[conf.channel_num].u.tcp.checksum = 0; +}; + +tcp_option: T_CHECKSUM T_OFF +{ + __max_dedicated_links_reached(); + conf.channel[conf.channel_num].u.tcp.checksum = 1; +}; + +tcp_option: T_ERROR_QUEUE_LENGTH T_NUMBER +{ + __max_dedicated_links_reached(); + CONFIG(channelc).error_queue_length = $2; +}; + +hashsize : T_HASHSIZE T_NUMBER +{ + conf.hashsize = $2; +}; + +hashlimit: T_HASHLIMIT T_NUMBER +{ + conf.limit = $2; +}; + +unix_line: T_UNIX '{' unix_options '}'; + +unix_options: + | unix_options unix_option + ; + +unix_option : T_PATH T_PATH_VAL +{ + strcpy(conf.local.path, $2); +}; + +unix_option : T_BACKLOG T_NUMBER +{ + conf.local.backlog = $2; +}; + +ignore_protocol: T_IGNORE_PROTOCOL '{' ignore_proto_list '}' +{ + ct_filter_set_logic(STATE(us_filter), + CT_FILTER_L4PROTO, + CT_FILTER_NEGATIVE); + + print_err(CTD_CFG_WARN, "the clause `IgnoreProtocol' is " + "obsolete. Use `Filter' instead"); +}; + +ignore_proto_list: + | ignore_proto_list ignore_proto + ; + +ignore_proto: T_NUMBER +{ + if ($1 < IPPROTO_MAX) + ct_filter_add_proto(STATE(us_filter), $1); + else + print_err(CTD_CFG_WARN, "protocol number `%d' is freak", $1); +}; + +ignore_proto: T_STRING +{ + struct protoent *pent; + + pent = getprotobyname($1); + if (pent == NULL) { + print_err(CTD_CFG_WARN, "getprotobyname() cannot find " + "protocol `%s' in /etc/protocols", $1); + break; + } + ct_filter_add_proto(STATE(us_filter), pent->p_proto); +}; + +sync: T_SYNC '{' sync_list '}' +{ + if (conf.flags & CTD_STATS_MODE) { + print_err(CTD_CFG_ERROR, "cannot use both `Stats' and `Sync' " + "clauses in conntrackd.conf"); + exit(EXIT_FAILURE); + } + conf.flags |= CTD_SYNC_MODE; +}; + +sync_list: + | sync_list sync_line; + +sync_line: refreshtime + | expiretime + | timeout + | purge + | checksum + | multicast_line + | udp_line + | tcp_line + | relax_transitions + | delay_destroy_msgs + | sync_mode_alarm + | sync_mode_ftfw + | sync_mode_notrack + | listen_to + | state_replication + | cache_writethrough + | destroy_timeout + | option_line + ; + +option_line: T_OPTIONS '{' options '}'; + +options: + | options option + ; + +option: T_TCP_WINDOW_TRACKING T_ON +{ + CONFIG(sync).tcp_window_tracking = 1; +}; + +option: T_TCP_WINDOW_TRACKING T_OFF +{ + CONFIG(sync).tcp_window_tracking = 0; +}; + +option: T_EXPECT_SYNC T_ON +{ + CONFIG(flags) |= CTD_EXPECT; + CONFIG(netlink).subsys_id = NFNL_SUBSYS_NONE; + CONFIG(netlink).groups = NF_NETLINK_CONNTRACK_NEW | + NF_NETLINK_CONNTRACK_UPDATE | + NF_NETLINK_CONNTRACK_DESTROY | + NF_NETLINK_CONNTRACK_EXP_NEW | + NF_NETLINK_CONNTRACK_EXP_UPDATE | + NF_NETLINK_CONNTRACK_EXP_DESTROY; +}; + +option: T_EXPECT_SYNC T_OFF +{ + CONFIG(netlink).subsys_id = NFNL_SUBSYS_CTNETLINK; + CONFIG(netlink).groups = NF_NETLINK_CONNTRACK_NEW | + NF_NETLINK_CONNTRACK_UPDATE | + NF_NETLINK_CONNTRACK_DESTROY; +}; + +option: T_EXPECT_SYNC '{' expect_list '}' +{ + CONFIG(flags) |= CTD_EXPECT; + CONFIG(netlink).subsys_id = NFNL_SUBSYS_NONE; + CONFIG(netlink).groups = NF_NETLINK_CONNTRACK_NEW | + NF_NETLINK_CONNTRACK_UPDATE | + NF_NETLINK_CONNTRACK_DESTROY | + NF_NETLINK_CONNTRACK_EXP_NEW | + NF_NETLINK_CONNTRACK_EXP_UPDATE | + NF_NETLINK_CONNTRACK_EXP_DESTROY; +}; + +expect_list: + | expect_list expect_item ; + +expect_item: T_STRING +{ + exp_filter_add(STATE(exp_filter), $1); +} + +sync_mode_alarm: T_SYNC_MODE T_ALARM '{' sync_mode_alarm_list '}' +{ + conf.flags |= CTD_SYNC_ALARM; +}; + +sync_mode_ftfw: T_SYNC_MODE T_FTFW '{' sync_mode_ftfw_list '}' +{ + conf.flags |= CTD_SYNC_FTFW; +}; + +sync_mode_notrack: T_SYNC_MODE T_NOTRACK '{' sync_mode_notrack_list '}' +{ + conf.flags |= CTD_SYNC_NOTRACK; +}; + +sync_mode_alarm_list: + | sync_mode_alarm_list sync_mode_alarm_line; + +sync_mode_alarm_line: refreshtime + | expiretime + | timeout + | purge + | relax_transitions + | delay_destroy_msgs + ; + +sync_mode_ftfw_list: + | sync_mode_ftfw_list sync_mode_ftfw_line; + +sync_mode_ftfw_line: resend_queue_size + | resend_buffer_size + | timeout + | purge + | window_size + | disable_external_cache + ; + +sync_mode_notrack_list: + | sync_mode_notrack_list sync_mode_notrack_line; + +sync_mode_notrack_line: timeout + | purge + | disable_internal_cache + | disable_external_cache + ; + +disable_internal_cache: T_DISABLE_INTERNAL_CACHE T_ON +{ + conf.sync.internal_cache_disable = 1; +}; + +disable_internal_cache: T_DISABLE_INTERNAL_CACHE T_OFF +{ + conf.sync.internal_cache_disable = 0; +}; + +disable_external_cache: T_DISABLE_EXTERNAL_CACHE T_ON +{ + conf.sync.external_cache_disable = 1; +}; + +disable_external_cache: T_DISABLE_EXTERNAL_CACHE T_OFF +{ + conf.sync.external_cache_disable = 0; +}; + +resend_buffer_size: T_RESEND_BUFFER_SIZE T_NUMBER +{ + print_err(CTD_CFG_WARN, "`ResendBufferSize' is deprecated. " + "Use `ResendQueueSize' instead"); +}; + +resend_queue_size: T_RESEND_QUEUE_SIZE T_NUMBER +{ + conf.resend_queue_size = $2; +}; + +window_size: T_WINDOWSIZE T_NUMBER +{ + conf.window_size = $2; +}; + +destroy_timeout: T_DESTROY_TIMEOUT T_NUMBER +{ + print_err(CTD_CFG_WARN, "`DestroyTimeout' is deprecated. Remove it"); +}; + +relax_transitions: T_RELAX_TRANSITIONS +{ + print_err(CTD_CFG_WARN, "`RelaxTransitions' clause is obsolete. " + "Please, remove it from conntrackd.conf"); +}; + +delay_destroy_msgs: T_DELAY +{ + print_err(CTD_CFG_WARN, "`DelayDestroyMessages' clause is obsolete. " + "Please, remove it from conntrackd.conf"); +}; + +listen_to: T_LISTEN_TO T_IP +{ + print_err(CTD_CFG_WARN, "the clause `ListenTo' is obsolete, ignoring"); +}; + +state_replication: T_REPLICATE states T_FOR state_proto +{ + ct_filter_set_logic(STATE(us_filter), + CT_FILTER_STATE, + CT_FILTER_POSITIVE); + + print_err(CTD_CFG_WARN, "the clause `Replicate' is obsolete. " + "Use `Filter' instead"); +}; + +states: + | states state; + +state_proto: T_STRING +{ + if (strncmp($1, "TCP", strlen("TCP")) != 0) { + print_err(CTD_CFG_WARN, "unsupported protocol `%s' in line %d", + $1, yylineno); + } +}; +state: tcp_state; + +tcp_states: + | tcp_states tcp_state; + +tcp_state: T_SYN_SENT +{ + ct_filter_add_state(STATE(us_filter), + IPPROTO_TCP, + TCP_CONNTRACK_SYN_SENT); + + __kernel_filter_add_state(TCP_CONNTRACK_SYN_SENT); +}; +tcp_state: T_SYN_RECV +{ + ct_filter_add_state(STATE(us_filter), + IPPROTO_TCP, + TCP_CONNTRACK_SYN_RECV); + + __kernel_filter_add_state(TCP_CONNTRACK_SYN_RECV); +}; +tcp_state: T_ESTABLISHED +{ + ct_filter_add_state(STATE(us_filter), + IPPROTO_TCP, + TCP_CONNTRACK_ESTABLISHED); + + __kernel_filter_add_state(TCP_CONNTRACK_ESTABLISHED); +}; +tcp_state: T_FIN_WAIT +{ + ct_filter_add_state(STATE(us_filter), + IPPROTO_TCP, + TCP_CONNTRACK_FIN_WAIT); + + __kernel_filter_add_state(TCP_CONNTRACK_FIN_WAIT); +}; +tcp_state: T_CLOSE_WAIT +{ + ct_filter_add_state(STATE(us_filter), + IPPROTO_TCP, + TCP_CONNTRACK_CLOSE_WAIT); + + __kernel_filter_add_state(TCP_CONNTRACK_CLOSE_WAIT); +}; +tcp_state: T_LAST_ACK +{ + ct_filter_add_state(STATE(us_filter), + IPPROTO_TCP, + TCP_CONNTRACK_LAST_ACK); + + __kernel_filter_add_state(TCP_CONNTRACK_LAST_ACK); +}; +tcp_state: T_TIME_WAIT +{ + ct_filter_add_state(STATE(us_filter), + IPPROTO_TCP, + TCP_CONNTRACK_TIME_WAIT); + + __kernel_filter_add_state(TCP_CONNTRACK_TIME_WAIT); +}; +tcp_state: T_CLOSE +{ + ct_filter_add_state(STATE(us_filter), + IPPROTO_TCP, + TCP_CONNTRACK_CLOSE); + + __kernel_filter_add_state(TCP_CONNTRACK_CLOSE); +}; +tcp_state: T_LISTEN +{ + ct_filter_add_state(STATE(us_filter), + IPPROTO_TCP, + TCP_CONNTRACK_LISTEN); + + __kernel_filter_add_state(TCP_CONNTRACK_LISTEN); +}; + +cache_writethrough: T_WRITE_THROUGH T_ON +{ + print_err(CTD_CFG_WARN, "`CacheWriteThrough' clause is obsolete, " + "ignoring"); +}; + +cache_writethrough: T_WRITE_THROUGH T_OFF +{ + print_err(CTD_CFG_WARN, "`CacheWriteThrough' clause is obsolete, " + "ignoring"); +}; + +general: T_GENERAL '{' general_list '}'; + +general_list: + | general_list general_line + ; + +general_line: hashsize + | hashlimit + | logfile_bool + | logfile_path + | syslog_facility + | syslog_bool + | lock + | unix_line + | netlink_buffer_size + | netlink_buffer_size_max_grown + | family + | event_iterations_limit + | poll_secs + | filter + | netlink_overrun_resync + | netlink_events_reliable + | nice + | scheduler + ; + +netlink_buffer_size: T_BUFFER_SIZE T_NUMBER +{ + conf.netlink_buffer_size = $2; +}; + +netlink_buffer_size_max_grown : T_BUFFER_SIZE_MAX_GROWN T_NUMBER +{ + conf.netlink_buffer_size_max_grown = $2; +}; + +netlink_overrun_resync : T_NETLINK_OVERRUN_RESYNC T_ON +{ + conf.nl_overrun_resync = 30; +}; + +netlink_overrun_resync : T_NETLINK_OVERRUN_RESYNC T_OFF +{ + conf.nl_overrun_resync = -1; +}; + +netlink_overrun_resync : T_NETLINK_OVERRUN_RESYNC T_NUMBER +{ + conf.nl_overrun_resync = $2; +}; + +netlink_events_reliable : T_NETLINK_EVENTS_RELIABLE T_ON +{ + conf.netlink.events_reliable = 1; +}; + +netlink_events_reliable : T_NETLINK_EVENTS_RELIABLE T_OFF +{ + conf.netlink.events_reliable = 0; +}; + +nice : T_NICE T_SIGNED_NUMBER +{ + conf.nice = $2; +}; + +scheduler : T_SCHEDULER '{' scheduler_options '}'; + +scheduler_options : + | scheduler_options scheduler_line + ; + +scheduler_line : T_TYPE T_STRING +{ + if (strcasecmp($2, "rr") == 0) { + conf.sched.type = SCHED_RR; + } else if (strcasecmp($2, "fifo") == 0) { + conf.sched.type = SCHED_FIFO; + } else { + print_err(CTD_CFG_ERROR, "unknown scheduler `%s'", $2); + exit(EXIT_FAILURE); + } +}; + +scheduler_line : T_PRIO T_NUMBER +{ + conf.sched.prio = $2; + if (conf.sched.prio < 0 || conf.sched.prio > 99) { + print_err(CTD_CFG_ERROR, "`Priority' must be [0, 99]\n", $2); + exit(EXIT_FAILURE); + } +}; + +family : T_FAMILY T_STRING +{ + if (strncmp($2, "IPv6", strlen("IPv6")) == 0) + conf.family = AF_INET6; + else + conf.family = AF_INET; +}; + +event_iterations_limit : T_EVENT_ITER_LIMIT T_NUMBER +{ + CONFIG(event_iterations_limit) = $2; +}; + +poll_secs: T_POLL_SECS T_NUMBER +{ + conf.flags |= CTD_POLL; + conf.poll_kernel_secs = $2; + if (conf.poll_kernel_secs == 0) { + print_err(CTD_CFG_ERROR, "`PollSecs' clause must be > 0"); + exit(EXIT_FAILURE); + } +}; + +filter : T_FILTER '{' filter_list '}' +{ + CONFIG(filter_from_kernelspace) = 0; +}; + +filter : T_FILTER T_FROM T_USERSPACE '{' filter_list '}' +{ + CONFIG(filter_from_kernelspace) = 0; +}; + +filter : T_FILTER T_FROM T_KERNELSPACE '{' filter_list '}' +{ + CONFIG(filter_from_kernelspace) = 1; +}; + +filter_list : + | filter_list filter_item; + +filter_item : T_PROTOCOL T_ACCEPT '{' filter_protocol_list '}' +{ + ct_filter_set_logic(STATE(us_filter), + CT_FILTER_L4PROTO, + CT_FILTER_POSITIVE); + + __kernel_filter_start(); +}; + +filter_item : T_PROTOCOL T_IGNORE '{' filter_protocol_list '}' +{ + ct_filter_set_logic(STATE(us_filter), + CT_FILTER_L4PROTO, + CT_FILTER_NEGATIVE); + + __kernel_filter_start(); + + nfct_filter_set_logic(STATE(filter), + NFCT_FILTER_L4PROTO, + NFCT_FILTER_LOGIC_NEGATIVE); +}; + +filter_protocol_list : + | filter_protocol_list filter_protocol_item; + +filter_protocol_item : T_STRING +{ + struct protoent *pent; + + pent = getprotobyname($1); + if (pent == NULL) { + print_err(CTD_CFG_WARN, "getprotobyname() cannot find " + "protocol `%s' in /etc/protocols", $1); + break; + } + ct_filter_add_proto(STATE(us_filter), pent->p_proto); + + __kernel_filter_start(); + + nfct_filter_add_attr_u32(STATE(filter), + NFCT_FILTER_L4PROTO, + pent->p_proto); +}; + +filter_protocol_item : T_TCP +{ + struct protoent *pent; + + pent = getprotobyname("tcp"); + if (pent == NULL) { + print_err(CTD_CFG_WARN, "getprotobyname() cannot find " + "protocol `tcp' in /etc/protocols"); + break; + } + ct_filter_add_proto(STATE(us_filter), pent->p_proto); + + __kernel_filter_start(); + + nfct_filter_add_attr_u32(STATE(filter), + NFCT_FILTER_L4PROTO, + pent->p_proto); +}; + +filter_protocol_item : T_UDP +{ + struct protoent *pent; + + pent = getprotobyname("udp"); + if (pent == NULL) { + print_err(CTD_CFG_WARN, "getprotobyname() cannot find " + "protocol `udp' in /etc/protocols"); + break; + } + ct_filter_add_proto(STATE(us_filter), pent->p_proto); + + __kernel_filter_start(); + + nfct_filter_add_attr_u32(STATE(filter), + NFCT_FILTER_L4PROTO, + pent->p_proto); +}; + +filter_item : T_ADDRESS T_ACCEPT '{' filter_address_list '}' +{ + ct_filter_set_logic(STATE(us_filter), + CT_FILTER_ADDRESS, + CT_FILTER_POSITIVE); + + __kernel_filter_start(); +}; + +filter_item : T_ADDRESS T_IGNORE '{' filter_address_list '}' +{ + ct_filter_set_logic(STATE(us_filter), + CT_FILTER_ADDRESS, + CT_FILTER_NEGATIVE); + + __kernel_filter_start(); + + nfct_filter_set_logic(STATE(filter), + NFCT_FILTER_SRC_IPV4, + NFCT_FILTER_LOGIC_NEGATIVE); + nfct_filter_set_logic(STATE(filter), + NFCT_FILTER_DST_IPV4, + NFCT_FILTER_LOGIC_NEGATIVE); + nfct_filter_set_logic(STATE(filter), + NFCT_FILTER_SRC_IPV6, + NFCT_FILTER_LOGIC_NEGATIVE); + nfct_filter_set_logic(STATE(filter), + NFCT_FILTER_DST_IPV6, + NFCT_FILTER_LOGIC_NEGATIVE); +}; + +filter_address_list : + | filter_address_list filter_address_item; + +filter_address_item : T_IPV4_ADDR T_IP +{ + union inet_address ip; + char *slash; + unsigned int cidr = 32; + + memset(&ip, 0, sizeof(union inet_address)); + + slash = strchr($2, '/'); + if (slash) { + *slash = '\0'; + cidr = atoi(slash+1); + if (cidr > 32) { + print_err(CTD_CFG_WARN, "%s/%d is not a valid network, " + "ignoring", $2, cidr); + break; + } + } + + if (!inet_aton($2, &ip.ipv4)) { + print_err(CTD_CFG_WARN, "%s is not a valid IPv4, ignoring", $2); + break; + } + + if (slash && cidr < 32) { + /* network byte order */ + struct ct_filter_netmask_ipv4 tmp = { + .ip = ip.ipv4, + .mask = ipv4_cidr2mask_net(cidr) + }; + + if (!ct_filter_add_netmask(STATE(us_filter), &tmp, AF_INET)) { + if (errno == EEXIST) + print_err(CTD_CFG_WARN, "netmask %s is " + "repeated in the " + "ignore pool", $2); + } + } else { + if (!ct_filter_add_ip(STATE(us_filter), &ip, AF_INET)) { + if (errno == EEXIST) + print_err(CTD_CFG_WARN, "IP %s is repeated in " + "the ignore pool", $2); + if (errno == ENOSPC) + print_err(CTD_CFG_WARN, "too many IP in the " + "ignore pool!"); + } + } + __kernel_filter_start(); + + /* host byte order */ + struct nfct_filter_ipv4 filter_ipv4 = { + .addr = ntohl(ip.ipv4), + .mask = ipv4_cidr2mask_host(cidr), + }; + + nfct_filter_add_attr(STATE(filter), NFCT_FILTER_SRC_IPV4, &filter_ipv4); + nfct_filter_add_attr(STATE(filter), NFCT_FILTER_DST_IPV4, &filter_ipv4); +}; + +filter_address_item : T_IPV6_ADDR T_IP +{ + union inet_address ip; + char *slash; + int cidr = 128; + struct nfct_filter_ipv6 filter_ipv6; + + memset(&ip, 0, sizeof(union inet_address)); + + slash = strchr($2, '/'); + if (slash) { + *slash = '\0'; + cidr = atoi(slash+1); + if (cidr > 128) { + print_err(CTD_CFG_WARN, "%s/%d is not a valid network, " + "ignoring", $2, cidr); + break; + } + } + +#ifdef HAVE_INET_PTON_IPV6 + if (inet_pton(AF_INET6, $2, &ip.ipv6) <= 0) { + print_err(CTD_CFG_WARN, "%s is not a valid IPv6, ignoring", $2); + break; + } +#else + print_err(CTD_CFG_WARN, "cannot find inet_pton(), IPv6 unsupported!"); + break; +#endif + if (slash && cidr < 128) { + struct ct_filter_netmask_ipv6 tmp; + + memcpy(tmp.ip, ip.ipv6, sizeof(uint32_t)*4); + ipv6_cidr2mask_net(cidr, tmp.mask); + if (!ct_filter_add_netmask(STATE(us_filter), &tmp, AF_INET6)) { + if (errno == EEXIST) + print_err(CTD_CFG_WARN, "netmask %s is " + "repeated in the " + "ignore pool", $2); + } + } else { + if (!ct_filter_add_ip(STATE(us_filter), &ip, AF_INET6)) { + if (errno == EEXIST) + print_err(CTD_CFG_WARN, "IP %s is repeated in " + "the ignore pool", $2); + if (errno == ENOSPC) + print_err(CTD_CFG_WARN, "too many IP in the " + "ignore pool!"); + } + } + __kernel_filter_start(); + + /* host byte order */ + ipv6_addr2addr_host(ip.ipv6, filter_ipv6.addr); + ipv6_cidr2mask_host(cidr, filter_ipv6.mask); + + nfct_filter_add_attr(STATE(filter), NFCT_FILTER_SRC_IPV6, &filter_ipv6); + nfct_filter_add_attr(STATE(filter), NFCT_FILTER_DST_IPV6, &filter_ipv6); +}; + +filter_item : T_STATE T_ACCEPT '{' filter_state_list '}' +{ + ct_filter_set_logic(STATE(us_filter), + CT_FILTER_STATE, + CT_FILTER_POSITIVE); + + __kernel_filter_start(); +}; + +filter_item : T_STATE T_IGNORE '{' filter_state_list '}' +{ + ct_filter_set_logic(STATE(us_filter), + CT_FILTER_STATE, + CT_FILTER_NEGATIVE); + + + __kernel_filter_start(); + + nfct_filter_set_logic(STATE(filter), + NFCT_FILTER_L4PROTO_STATE, + NFCT_FILTER_LOGIC_NEGATIVE); +}; + +filter_state_list : + | filter_state_list filter_state_item; + +filter_state_item : tcp_states T_FOR T_TCP; + +stats: T_STATS '{' stats_list '}' +{ + if (conf.flags & CTD_SYNC_MODE) { + print_err(CTD_CFG_ERROR, "cannot use both `Stats' and `Sync' " + "clauses in conntrackd.conf"); + exit(EXIT_FAILURE); + } + conf.flags |= CTD_STATS_MODE; +}; + +stats_list: + | stats_list stat_line + ; + +stat_line: stat_logfile_bool + | stat_logfile_path + | stat_syslog_bool + | stat_syslog_facility + | buffer_size + ; + +stat_logfile_bool : T_LOG T_ON +{ + strncpy(conf.stats.logfile, DEFAULT_STATS_LOGFILE, FILENAME_MAXLEN); +}; + +stat_logfile_bool : T_LOG T_OFF +{ +}; + +stat_logfile_path : T_LOG T_PATH_VAL +{ + strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN); +}; + +stat_syslog_bool : T_SYSLOG T_ON +{ + conf.stats.syslog_facility = DEFAULT_SYSLOG_FACILITY; +}; + +stat_syslog_bool : T_SYSLOG T_OFF +{ + conf.stats.syslog_facility = -1; +} + +stat_syslog_facility : T_SYSLOG T_STRING +{ + if (!strcmp($2, "daemon")) + conf.stats.syslog_facility = LOG_DAEMON; + else if (!strcmp($2, "local0")) + conf.stats.syslog_facility = LOG_LOCAL0; + else if (!strcmp($2, "local1")) + conf.stats.syslog_facility = LOG_LOCAL1; + else if (!strcmp($2, "local2")) + conf.stats.syslog_facility = LOG_LOCAL2; + else if (!strcmp($2, "local3")) + conf.stats.syslog_facility = LOG_LOCAL3; + else if (!strcmp($2, "local4")) + conf.stats.syslog_facility = LOG_LOCAL4; + else if (!strcmp($2, "local5")) + conf.stats.syslog_facility = LOG_LOCAL5; + else if (!strcmp($2, "local6")) + conf.stats.syslog_facility = LOG_LOCAL6; + else if (!strcmp($2, "local7")) + conf.stats.syslog_facility = LOG_LOCAL7; + else { + print_err(CTD_CFG_WARN, "'%s' is not a known syslog facility, " + "ignoring.", $2); + break; + } + + if (conf.syslog_facility != -1 && + conf.stats.syslog_facility != conf.syslog_facility) + print_err(CTD_CFG_WARN, "conflicting Syslog facility " + "values, defaulting to General"); +}; + +buffer_size: T_STAT_BUFFER_SIZE T_NUMBER +{ + print_err(CTD_CFG_WARN, "`LogFileBufferSize' is deprecated"); +}; + +%% + +int __attribute__((noreturn)) +yyerror(char *msg) +{ + print_err(CTD_CFG_ERROR, "parsing config file in " + "line (%d), symbol '%s': %s", + yylineno, yytext, msg); + exit(EXIT_FAILURE); +} + +static void print_err(int type, const char *msg, ...) +{ + va_list args; + + va_start(args, msg); + switch(type) { + case CTD_CFG_ERROR: + fprintf(stderr, "ERROR: "); + break; + case CTD_CFG_WARN: + fprintf(stderr, "WARNING: "); + break; + default: + fprintf(stderr, "?: "); + } + vfprintf(stderr, msg, args); + va_end(args); + fprintf(stderr,"\n"); +} + +static void __kernel_filter_start(void) +{ + if (!STATE(filter)) { + STATE(filter) = nfct_filter_create(); + if (!STATE(filter)) { + print_err(CTD_CFG_ERROR, "cannot create ignore pool!"); + exit(EXIT_FAILURE); + } + } +} + +static void __kernel_filter_add_state(int value) +{ + __kernel_filter_start(); + + struct nfct_filter_proto filter_proto = { + .proto = IPPROTO_TCP, + .state = value + }; + nfct_filter_add_attr(STATE(filter), + NFCT_FILTER_L4PROTO_STATE, + &filter_proto); +} + +static void __max_dedicated_links_reached(void) +{ + if (conf.channel_num >= MULTICHANNEL_MAX) { + print_err(CTD_CFG_ERROR, "too many dedicated links in " + "the configuration file " + "(Maximum: %d)", MULTICHANNEL_MAX); + exit(EXIT_FAILURE); + } +} + +int +init_config(char *filename) +{ + FILE *fp; + + fp = fopen(filename, "r"); + if (!fp) + return -1; + + /* Zero may be a valid facility */ + CONFIG(syslog_facility) = -1; + CONFIG(stats).syslog_facility = -1; + CONFIG(netlink).subsys_id = -1; + + yyrestart(fp); + yyparse(); + fclose(fp); + + /* default to IPv4 */ + if (CONFIG(family) == 0) + CONFIG(family) = AF_INET; + + /* set to default is not specified */ + if (strcmp(CONFIG(lockfile), "") == 0) + strncpy(CONFIG(lockfile), DEFAULT_LOCKFILE, FILENAME_MAXLEN); + + /* default to 180 seconds of expiration time: cache entries */ + if (CONFIG(cache_timeout) == 0) + CONFIG(cache_timeout) = 180; + + /* default to 60 seconds: purge kernel entries */ + if (CONFIG(purge_timeout) == 0) + CONFIG(purge_timeout) = 60; + + /* default to 60 seconds of refresh time */ + if (CONFIG(refresh) == 0) + CONFIG(refresh) = 60; + + if (CONFIG(resend_queue_size) == 0) + CONFIG(resend_queue_size) = 131072; + + /* default to a window size of 300 packets */ + if (CONFIG(window_size) == 0) + CONFIG(window_size) = 300; + + if (CONFIG(event_iterations_limit) == 0) + CONFIG(event_iterations_limit) = 100; + + /* default number of bucket of the hashtable that are committed in + one run loop. XXX: no option available to tune this value yet. */ + if (CONFIG(general).commit_steps == 0) + CONFIG(general).commit_steps = 8192; + + /* if overrun, automatically resync with kernel after 30 seconds */ + if (CONFIG(nl_overrun_resync) == 0) + CONFIG(nl_overrun_resync) = 30; + + /* default to 128 elements in the channel error queue */ + if (CONFIG(channelc).error_queue_length == 0) + CONFIG(channelc).error_queue_length = 128; + + if (CONFIG(netlink).subsys_id == -1) { + CONFIG(netlink).subsys_id = NFNL_SUBSYS_CTNETLINK; + CONFIG(netlink).groups = NF_NETLINK_CONNTRACK_NEW | + NF_NETLINK_CONNTRACK_UPDATE | + NF_NETLINK_CONNTRACK_DESTROY; + } + + return 0; +} |