Mercurial > hg > freeDiameter
view libfdcore/fdd.y @ 1396:188c82b6690b
Add ProcessingPeersPattern and ProcessingPeersMinimum parameters.
If this is configured, the process will accept all connections from
peers matching ProcessingPeersPattern, but will NOT accept connections
from other peers until ProcessingPeersMinimum peers of the first
type are connected.
This allows relays to only go online if there are enough worker
peers connected behind them.
| author | Thomas Klausner <tk@giga.or.at> |
|---|---|
| date | Fri, 15 Nov 2019 11:38:30 +0100 |
| parents | afe0ecdb0692 |
| children | 239ba25870d8 |
line wrap: on
line source
/********************************************************************************************************* * Software License Agreement (BSD License) * * Author: Sebastien Decugis <sdecugis@freediameter.net> * * * * Copyright (c) 2015, WIDE Project and NICT * * All rights reserved. * * * * Redistribution and use of this software in source and binary forms, with or without modification, are * * permitted provided that the following conditions are met: * * * * * Redistributions of source code must retain the above * * copyright notice, this list of conditions and the * * following disclaimer. * * * * * Redistributions in binary form must reproduce the above * * copyright notice, this list of conditions and the * * following disclaimer in the documentation and/or other * * materials provided with the distribution. * * * * * Neither the name of the WIDE Project or NICT nor the * * names of its contributors may be used to endorse or * * promote products derived from this software without * * specific prior written permission of WIDE Project and * * NICT. * * * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED * * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR * * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR * * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * *********************************************************************************************************/ /* Yacc configuration parser. * * This file defines the grammar of the configuration file. * Note that each extension has a separate independant configuration file. * * Note : This module is NOT thread-safe. All processing must be done from one thread only. */ /* For development only : */ %debug %error-verbose %parse-param {struct fd_config * conf} /* Keep track of location */ %locations %pure-parser %{ #include "fdcore-internal.h" #include "fdd.tab.h" /* bug : bison does not define the YYLTYPE before including this bloc, so... */ /* The Lex parser prototype */ int fddlex(YYSTYPE *lvalp, YYLTYPE *llocp); /* Function to report error */ void yyerror (YYLTYPE *ploc, struct fd_config * conf, char const *s) { if (ploc->first_line != ploc->last_line) { TRACE_ERROR("%s:%d.%d-%d.%d : %s", conf->cnf_file, ploc->first_line, ploc->first_column, ploc->last_line, ploc->last_column, s); } else if (ploc->first_column != ploc->last_column) { TRACE_ERROR("%s:%d.%d-%d : %s", conf->cnf_file, ploc->first_line, ploc->first_column, ploc->last_column, s); } else { TRACE_ERROR("%s:%d.%d : %s", conf->cnf_file, ploc->first_line, ploc->first_column, s); } } int got_peer_noip = 0; int got_peer_noipv6 = 0; int got_peer_notcp = 0; int got_peer_nosctp = 0; struct peer_info fddpi; %} /* Values returned by lex for token */ %union { char *string; /* The string is allocated by strdup in lex.*/ int integer; /* Store integer values */ } /* In case of error in the lexical analysis */ %token LEX_ERROR %token <string> QSTRING %token <integer> INTEGER %type <string> extconf %token IDENTITY %token REALM %token PORT %token SECPORT %token SEC3436 %token NOIP %token NOIP6 %token NOTCP %token NOSCTP %token PREFERTCP %token OLDTLS %token NOTLS %token SCTPSTREAMS %token APPSERVTHREADS %token LISTENON %token THRPERSRV %token PROCESSINGPEERSPATTERN %token PROCESSINGPEERSMINIMUM %token TCTIMER %token TWTIMER %token NORELAY %token LOADEXT %token CONNPEER %token CONNTO %token TLS_CRED %token TLS_CA %token TLS_CRL %token TLS_PRIO %token TLS_DH_BITS %token TLS_DH_FILE %token RR_IN_ANSWERS %token ALWAYS %token NEVER /* -------------------------------------- */ %% /* The grammar definition - Sections blocs. */ conffile: /* Empty is OK -- for simplicity here, we reject in daemon later */ | conffile identity | conffile realm | conffile tctimer | conffile twtimer | conffile port | conffile secport | conffile sec3436 | conffile sctpstreams | conffile listenon | conffile thrpersrv | conffile processingpeerspattern | conffile processingpeersminimum | conffile norelay | conffile appservthreads | conffile noip | conffile noip6 | conffile notcp | conffile nosctp | conffile prefertcp | conffile oldtls | conffile loadext | conffile connpeer | conffile tls_cred | conffile tls_ca | conffile tls_crl | conffile tls_prio | conffile tls_dh | conffile rr_in_answers | conffile errors { yyerror(&yylloc, conf, "An error occurred while parsing the configuration file"); return EINVAL; } ; /* Lexical or syntax error */ errors: LEX_ERROR | error ; identity: IDENTITY '=' QSTRING ';' { conf->cnf_diamid = $3; } ; realm: REALM '=' QSTRING ';' { conf->cnf_diamrlm = $3; } ; tctimer: TCTIMER '=' INTEGER ';' { CHECK_PARAMS_DO( ($3 > 0), { yyerror (&yylloc, conf, "Invalid value"); YYERROR; } ); conf->cnf_timer_tc = (unsigned int)$3; } ; twtimer: TWTIMER '=' INTEGER ';' { CHECK_PARAMS_DO( ($3 > 5), { yyerror (&yylloc, conf, "Invalid value"); YYERROR; } ); conf->cnf_timer_tw = (unsigned int)$3; } ; port: PORT '=' INTEGER ';' { CHECK_PARAMS_DO( ($3 >= 0) && ($3 < 1<<16), { yyerror (&yylloc, conf, "Invalid value"); YYERROR; } ); conf->cnf_port = (uint16_t)$3; } ; secport: SECPORT '=' INTEGER ';' { CHECK_PARAMS_DO( ($3 >= 0) && ($3 < 1<<16), { yyerror (&yylloc, conf, "Invalid value"); YYERROR; } ); conf->cnf_port_tls = (uint16_t)$3; } ; sec3436: SEC3436 '=' INTEGER ';' { CHECK_PARAMS_DO( ($3 >= 0) && ($3 < 1<<16), { yyerror (&yylloc, conf, "Invalid value"); YYERROR; } ); conf->cnf_port_3436 = (uint16_t)$3; } ; sctpstreams: SCTPSTREAMS '=' INTEGER ';' { CHECK_PARAMS_DO( ($3 > 0) && ($3 < 1<<16), { yyerror (&yylloc, conf, "Invalid value"); YYERROR; } ); conf->cnf_sctp_str = (uint16_t)$3; } ; listenon: LISTENON '=' QSTRING ';' { struct addrinfo hints, *ai; int ret; memset(&hints, 0, sizeof(hints)); hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; ret = getaddrinfo($3, NULL, &hints, &ai); if (ret) { yyerror (&yylloc, conf, gai_strerror(ret)); YYERROR; } CHECK_FCT_DO( fd_ep_add_merge( &conf->cnf_endpoints, ai->ai_addr, ai->ai_addrlen, EP_FL_CONF ), YYERROR ); freeaddrinfo(ai); free($3); } ; thrpersrv: THRPERSRV '=' INTEGER ';' { CHECK_PARAMS_DO( ($3 > 0), { yyerror (&yylloc, conf, "Invalid value"); YYERROR; } ); conf->cnf_thr_srv = $3; } ; processingpeerspattern: PROCESSINGPEERSPATTERN '=' QSTRING ';' { char *pattern = $3; int err; CHECK_FCT_DO( err=regcomp(&conf->cnf_processing_peers_pattern_regex, pattern, REG_EXTENDED | REG_NOSUB), { char * buf; size_t bl; /* Error while compiling the regex */ TRACE_DEBUG(INFO, "error while compiling the regular expression '%s':", pattern); /* Get the error message size */ bl = regerror(err, &conf->cnf_processing_peers_pattern_regex, NULL, 0); /* Alloc the buffer for error message */ CHECK_MALLOC( buf = malloc(bl) ); /* Get the error message content */ regerror(err, &conf->cnf_processing_peers_pattern_regex, buf, bl); TRACE_DEBUG(INFO, "\t%s", buf); /* Free the buffer, return the error */ free(buf); yyerror (&yylloc, conf, "Invalid regular expression in ProcessingPeersPattern"); YYERROR; } ); } ; processingpeersminimum: PROCESSINGPEERSMINIMUM '=' INTEGER ';' { CHECK_PARAMS_DO( ($3 >= 0), { yyerror (&yylloc, conf, "Invalid value"); YYERROR; } ); conf->cnf_processing_peers_minimum = $3; } ; norelay: NORELAY ';' { conf->cnf_flags.no_fwd = 1; } ; appservthreads: APPSERVTHREADS '=' INTEGER ';' { CHECK_PARAMS_DO( ($3 > 0) && ($3 < 256), { yyerror (&yylloc, conf, "Invalid value"); YYERROR; } ); conf->cnf_dispthr = (uint16_t)$3; } ; noip: NOIP ';' { if (got_peer_noipv6) { yyerror (&yylloc, conf, "No_IP conflicts with a ConnectPeer directive No_IPv6."); YYERROR; } conf->cnf_flags.no_ip4 = 1; } ; noip6: NOIP6 ';' { if (got_peer_noip) { yyerror (&yylloc, conf, "No_IP conflicts with a ConnectPeer directive No_IP."); YYERROR; } conf->cnf_flags.no_ip6 = 1; } ; notcp: NOTCP ';' { #ifdef DISABLE_SCTP yyerror (&yylloc, conf, "No_TCP cannot be specified for daemon compiled with DISABLE_SCTP option."); YYERROR; #endif if (conf->cnf_flags.no_sctp) { yyerror (&yylloc, conf, "No_TCP conflicts with No_SCTP directive." ); YYERROR; } if (got_peer_nosctp) { yyerror (&yylloc, conf, "No_TCP conflicts with a ConnectPeer directive No_SCTP."); YYERROR; } conf->cnf_flags.no_tcp = 1; } ; nosctp: NOSCTP ';' { if (conf->cnf_flags.no_tcp) { yyerror (&yylloc, conf, "No_SCTP conflicts with No_TCP directive." ); YYERROR; } if (got_peer_notcp) { yyerror (&yylloc, conf, "No_SCTP conflicts with a ConnectPeer directive No_TCP."); YYERROR; } conf->cnf_flags.no_sctp = 1; } ; prefertcp: PREFERTCP ';' { conf->cnf_flags.pr_tcp = 1; } ; oldtls: OLDTLS ';' { conf->cnf_flags.tls_alg = 1; } ; loadext: LOADEXT '=' QSTRING extconf ';' { char * fname; char * cfname; FILE * fd; /* Try and open the extension file */ fname = $3; fd = fopen(fname, "r"); if ((fd == NULL) && (*fname != '/')) { char * bkp = fname; CHECK_MALLOC_DO( fname = malloc( strlen(bkp) + strlen(DEFAULT_EXTENSIONS_PATH) + 2 ), { yyerror (&yylloc, conf, "Not enough memory"); YYERROR; } ); sprintf(fname, DEFAULT_EXTENSIONS_PATH "/%s", bkp); fd = fopen(fname, "r"); if (fd == NULL) { free(fname); fname = bkp; } else { free(bkp); } } if (fd != NULL) { fclose(fd); } /* otherwise, LD_LIBRARY_PATH will be tested by dl_open. This should not give any security issue, otherwise we can add an "else fail" here. */ /* Try and open the configuration file (optional) */ cfname = $4; if (cfname) { fd = fopen(cfname, "r"); if ((fd == NULL) && (*cfname != '/')) { char * test; CHECK_MALLOC_DO( test = malloc( strlen(cfname) + strlen(DEFAULT_CONF_PATH) + 2 ), { yyerror (&yylloc, conf, "Not enough memory"); YYERROR; } ); sprintf(test, DEFAULT_CONF_PATH "/%s", cfname); fd = fopen(test, "r"); if (fd) { free(cfname); cfname=test; } else { /* This is not an error, we allow an extension to wait for something else than a real conf file. */ free(test); } } if (fd) fclose(fd); } CHECK_FCT_DO( fd_ext_add( fname, cfname ), { yyerror (&yylloc, conf, "Error adding extension"); YYERROR; } ); } ; extconf: /* empty */ { $$ = NULL; } | ':' QSTRING { $$ = $2; } ; connpeer: { memset(&fddpi, 0, sizeof(fddpi)); fddpi.config.pic_flags.persist = PI_PRST_ALWAYS; fd_list_init( &fddpi.pi_endpoints, NULL ); } CONNPEER '=' QSTRING peerinfo ';' { fddpi.pi_diamid = $4; CHECK_FCT_DO( fd_peer_add ( &fddpi, conf->cnf_file, NULL, NULL ), { yyerror (&yylloc, conf, "Error adding ConnectPeer information"); YYERROR; } ); /* Now destroy any content in the structure */ free(fddpi.pi_diamid); free(fddpi.config.pic_realm); free(fddpi.config.pic_priority); while (!FD_IS_LIST_EMPTY(&fddpi.pi_endpoints)) { struct fd_list * li = fddpi.pi_endpoints.next; fd_list_unlink(li); free(li); } } ; peerinfo: /* empty */ | '{' peerparams '}' ; peerparams: /* empty */ | peerparams NOIP ';' { if ((conf->cnf_flags.no_ip6) || (fddpi.config.pic_flags.pro3 == PI_P3_IP)) { yyerror (&yylloc, conf, "No_IP conflicts with a No_IPv6 directive."); YYERROR; } got_peer_noip++; fddpi.config.pic_flags.pro3 = PI_P3_IPv6; } | peerparams NOIP6 ';' { if ((conf->cnf_flags.no_ip4) || (fddpi.config.pic_flags.pro3 == PI_P3_IPv6)) { yyerror (&yylloc, conf, "No_IPv6 conflicts with a No_IP directive."); YYERROR; } got_peer_noipv6++; fddpi.config.pic_flags.pro3 = PI_P3_IP; } | peerparams NOTCP ';' { #ifdef DISABLE_SCTP yyerror (&yylloc, conf, "No_TCP cannot be specified in daemon compiled with DISABLE_SCTP option."); YYERROR; #endif if ((conf->cnf_flags.no_sctp) || (fddpi.config.pic_flags.pro4 == PI_P4_TCP)) { yyerror (&yylloc, conf, "No_TCP conflicts with a No_SCTP directive."); YYERROR; } got_peer_notcp++; fddpi.config.pic_flags.pro4 = PI_P4_SCTP; } | peerparams NOSCTP ';' { if ((conf->cnf_flags.no_tcp) || (fddpi.config.pic_flags.pro4 == PI_P4_SCTP)) { yyerror (&yylloc, conf, "No_SCTP conflicts with a No_TCP directive."); YYERROR; } got_peer_nosctp++; fddpi.config.pic_flags.pro4 = PI_P4_TCP; } | peerparams PREFERTCP ';' { fddpi.config.pic_flags.alg = PI_ALGPREF_TCP; } | peerparams OLDTLS ';' { fddpi.config.pic_flags.sec |= PI_SEC_TLS_OLD; } | peerparams NOTLS ';' { fddpi.config.pic_flags.sec |= PI_SEC_NONE; } | peerparams SEC3436 ';' { fddpi.config.pic_flags.sctpsec |= PI_SCTPSEC_3436; } | peerparams REALM '=' QSTRING ';' { fddpi.config.pic_realm = $4; } | peerparams PORT '=' INTEGER ';' { CHECK_PARAMS_DO( ($4 > 0) && ($4 < 1<<16), { yyerror (&yylloc, conf, "Invalid port value"); YYERROR; } ); fddpi.config.pic_port = (uint16_t)$4; } | peerparams TCTIMER '=' INTEGER ';' { fddpi.config.pic_tctimer = $4; } | peerparams TWTIMER '=' INTEGER ';' { fddpi.config.pic_twtimer = $4; } | peerparams TLS_PRIO '=' QSTRING ';' { fddpi.config.pic_priority = $4; } | peerparams CONNTO '=' QSTRING ';' { struct addrinfo hints, *ai; int ret; int disc = 0; memset(&hints, 0, sizeof(hints)); hints.ai_flags = AI_ADDRCONFIG | AI_NUMERICHOST; ret = getaddrinfo($4, NULL, &hints, &ai); if (ret == EAI_NONAME) { /* The name was maybe not numeric, try again */ disc = EP_FL_DISC; hints.ai_flags &= ~ AI_NUMERICHOST; ret = getaddrinfo($4, NULL, &hints, &ai); } if (ret) { yyerror (&yylloc, conf, gai_strerror(ret)); YYERROR; } CHECK_FCT_DO( fd_ep_add_merge( &fddpi.pi_endpoints, ai->ai_addr, ai->ai_addrlen, EP_FL_CONF | (disc ?: EP_ACCEPTALL) ), YYERROR ); free($4); freeaddrinfo(ai); } ; tls_cred: TLS_CRED '=' QSTRING ',' QSTRING ';' { FILE * fd; fd = fopen($3, "r"); if (fd == NULL) { int ret = errno; TRACE_ERROR("Unable to open certificate file %s for reading: %s", $3, strerror(ret)); yyerror (&yylloc, conf, "Error on file name"); YYERROR; } fclose(fd); fd = fopen($5, "r"); if (fd == NULL) { int ret = errno; TRACE_ERROR("Unable to open private key file %s for reading: %s", $5, strerror(ret)); yyerror (&yylloc, conf, "Error on file name"); YYERROR; } fclose(fd); conf->cnf_sec_data.cert_file = $3; conf->cnf_sec_data.key_file = $5; CHECK_GNUTLS_DO( gnutls_certificate_set_x509_key_file( conf->cnf_sec_data.credentials, conf->cnf_sec_data.cert_file, conf->cnf_sec_data.key_file, GNUTLS_X509_FMT_PEM), { yyerror (&yylloc, conf, "Error opening certificate or private key file."); YYERROR; } ); } ; tls_ca: TLS_CA '=' QSTRING ';' { FILE * fd; fd = fopen($3, "rb"); if (fd == NULL) { int ret = errno; TRACE_ERROR("Unable to open CA file %s for reading: %s", $3, strerror(ret)); yyerror (&yylloc, conf, "Error on file name"); YYERROR; } #ifdef GNUTLS_VERSION_300 { /* We import these CA in the trust list */ gnutls_x509_crt_t * calist; unsigned int cacount; gnutls_datum_t cafile; CHECK_FCT_DO( fd_conf_stream_to_gnutls_datum(fd, &cafile), { yyerror (&yylloc, conf, "Error reading CA file."); YYERROR; } ); CHECK_GNUTLS_DO( gnutls_x509_crt_list_import2(&calist, &cacount, &cafile, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED), { yyerror (&yylloc, conf, "Error importing CA file."); YYERROR; } ); free(cafile.data); CHECK_GNUTLS_DO( gnutls_x509_trust_list_add_cas (fd_g_config->cnf_sec_data.trustlist, calist, cacount, 0), { yyerror (&yylloc, conf, "Error saving CA in trust list."); YYERROR; } ); } #endif /* GNUTLS_VERSION_300 */ fclose(fd); conf->cnf_sec_data.ca_file = $3; CHECK_GNUTLS_DO( conf->cnf_sec_data.ca_file_nr += gnutls_certificate_set_x509_trust_file( conf->cnf_sec_data.credentials, conf->cnf_sec_data.ca_file, GNUTLS_X509_FMT_PEM), { yyerror (&yylloc, conf, "Error setting CA parameters."); YYERROR; } ); } ; tls_crl: TLS_CRL '=' QSTRING ';' { FILE * fd; fd = fopen($3, "rb"); if (fd == NULL) { int ret = errno; TRACE_ERROR("Unable to open CRL file %s for reading: %s", $3, strerror(ret)); yyerror (&yylloc, conf, "Error on file name"); YYERROR; } #ifdef GNUTLS_VERSION_300 { /* We import these CRL in the trust list */ gnutls_x509_crl_t * crllist; unsigned int crlcount; gnutls_datum_t crlfile; CHECK_FCT_DO( fd_conf_stream_to_gnutls_datum(fd, &crlfile), { yyerror (&yylloc, conf, "Error reading CRL file."); YYERROR; } ); CHECK_GNUTLS_DO( gnutls_x509_crl_list_import2(&crllist, &crlcount, &crlfile, GNUTLS_X509_FMT_PEM, 0), { yyerror (&yylloc, conf, "Error importing CRL file."); YYERROR; } ); free(crlfile.data); CHECK_GNUTLS_DO( gnutls_x509_trust_list_add_crls (fd_g_config->cnf_sec_data.trustlist, crllist, crlcount, GNUTLS_TL_VERIFY_CRL, 0), { yyerror (&yylloc, conf, "Error importing CRL in trust list."); YYERROR; } ); } #endif /* GNUTLS_VERSION_300 */ fclose(fd); conf->cnf_sec_data.crl_file = $3; CHECK_GNUTLS_DO( gnutls_certificate_set_x509_crl_file( conf->cnf_sec_data.credentials, conf->cnf_sec_data.crl_file, GNUTLS_X509_FMT_PEM), { yyerror (&yylloc, conf, "Error setting CRL parameters."); YYERROR; } ); } ; tls_prio: TLS_PRIO '=' QSTRING ';' { const char * err_pos = NULL; conf->cnf_sec_data.prio_string = $3; CHECK_GNUTLS_DO( gnutls_priority_init( &conf->cnf_sec_data.prio_cache, conf->cnf_sec_data.prio_string, &err_pos), { yyerror (&yylloc, conf, "Error setting Priority parameter."); TRACE_ERROR("Error at position : %s", err_pos); YYERROR; } ); } ; tls_dh: TLS_DH_BITS '=' INTEGER ';' { conf->cnf_sec_data.dh_bits = $3; } | TLS_DH_FILE '=' QSTRING ';' { FILE * fd; free(conf->cnf_sec_data.dh_file); conf->cnf_sec_data.dh_file = $3; fd = fopen($3, "r"); if (fd == NULL) { int ret = errno; TRACE_ERROR("Unable to open DH file %s for reading: %s", $3, strerror(ret)); yyerror (&yylloc, conf, "Error on file name"); YYERROR; } fclose(fd); } ; rr_values: ALWAYS { conf->cnf_rr_in_answers = 1; } | NEVER { conf->cnf_rr_in_answers = 0; } ; rr_in_answers: RR_IN_ANSWERS '=' rr_values ';' ;