void safemode::create_rules()
{
safemode_rules.clear();
//process include/exclude in order of rules, global first, then character specific
add_rules( global_rules );
add_rules( character_rules );
}
StateMachinePtr construct_asm(BindingsPtr bindings, NodePtr root,
const AbstractStateMachineTable& asmt) {
assert(root && root->get_op() == Op::abstract_state_machine);
assert(root->size() == 4 || root->size() == 5);
int argi = 0;
std::string name = root->get_operand(argi++)->get_token().get_text();
std::string base_sm;
if (root->size() == 5) {
base_sm = root->get_operand(argi++)->get_token().get_text();
}
NodePtr vars = root->get_operand(argi++);
NodePtr funcs = root->get_operand(argi++);
NodePtr rules = root->get_operand(argi++);
StateMachinePtr sm = std::make_shared<StateMachine>(bindings, name);
if (base_sm != "") {
AbstractStateMachineTable::const_iterator it = asmt.find(base_sm);
if (it == asmt.end()) {
throw Exception(root->get_operand(1)->get_location(),
"no such abstract state machine");
}
sm->import_asm(it->second);
}
assert(vars->get_op() == Op::sm_vars);
if (vars->size() > 0) {
add_vars(sm, vars->get_operand(0));
}
assert(funcs->get_op() == Op::sm_functions);
if (funcs->size() > 0) {
add_functions(sm, funcs->get_operand(0));
}
add_rules(sm, bindings, rules);
return sm;
}
static void add_rules(StateMachinePtr sm, BindingsPtr bindings, NodePtr root) {
if (root->get_op() == Op::sm_rules) {
add_rules(sm, bindings, root->get_operand(0));
root = root->get_operand(1);
}
assert(root->get_op() == Op::sm_rule);
if (root->size() == 1) {
// handler
root = root->get_operand(0);
assert(root->get_op() == Op::ON);
assert(root->get_operand(0)->get_op() == Op::CLOSE);
root = root->get_operand(1);
assert(root->get_op() == Op::sm_handler);
if (root->size() == 1) {
StateSet states;
sm->add_close_handler(states, root->get_operand(0));
} else {
StateSet states(sm->get_nofstates());
get_states(sm, root->get_operand(0), states);
sm->add_close_handler(states, root->get_operand(1));
}
} else {
// regular rule
NodePtr smcond = root->get_operand(0);
StateMachineRulePtr rule;
NodePtr node_expr;
if (smcond->size() == 2) {
NodePtr tree_expr = smcond->get_operand(0);
NodeTypeSet nodetypes(nof_node_types(bindings));
get_node_expression(bindings, smcond->get_operand(1),
nodetypes, node_expr);
rule = std::make_shared<StateMachineRule>(sm,
tree_expr, nodetypes, bindings->get_rules());
} else {
if (smcond->get_operand(0)->get_op() == Op::cfg_node_expression) {
NodeTypeSet nodetypes(nof_node_types(bindings));
get_node_expression(bindings, smcond->get_operand(0),
nodetypes, node_expr);
rule = std::make_shared<StateMachineRule>(sm,
nodetypes, bindings->get_rules());
} else {
NodePtr tree_expr = smcond->get_operand(0);
rule = std::make_shared<StateMachineRule>(sm,
tree_expr, bindings->get_rules());
}
}
if (node_expr) {
rule->add_node_condition(node_expr);
}
if (root->get_operand(1)->get_op() == Op::sm_block) {
NodePtr smblock = root->get_operand(1);
rule->add_alternative(create_alternative(sm, smblock));
} else {
add_alternatives(sm, rule, bindings, root->get_operand(1));
}
sm->add_rule(rule);
}
}
void
do_add_sa(struct shaft_conn *conn, char * rules)
{
u_int status, id, type;
Buffer msg;
id = conn->msg_id++;
buffer_init(&msg);
buffer_put_char(&msg, SHAFT_ADD_SA);
buffer_put_int(&msg, id);
send_msg(conn->fd_out, &msg);
add_rules(rules);
buffer_clear(&msg);
status = get_status(conn->fd_in, id);
if (status != SHAFT_OK)
fatal("Couldn't add SA");
}
int
acl_init(int is_ipv4)
{
unsigned int i;
struct rte_acl_rule *acl_base_ipv4 = NULL, *acl_base_ipv6 = NULL;
unsigned int acl_num_ipv4 = 0, acl_num_ipv6 = 0;
struct rte_acl_ctx *acl_ctx;
if (check_acl_config() != 0) {
acl_log("Failed to get valid ACL options\n");
return -1;
}
dump_acl_config();
if (is_ipv4) {
/* Load rules from the input file */
if (add_rules(acl_parm_config.rule_ipv4_name, &acl_base_ipv4,
&acl_num_ipv4, sizeof(struct acl4_rule),
&parse_cb_ipv4vlan_rule) < 0) {
acl_log("Failed to add ipv4 rules\n");
return -1;
}
acl_log("IPv4 ACL entries %u:\n", acl_num_ipv4);
dump_ipv4_rules((struct acl4_rule *)acl_base_ipv4, acl_num_ipv4,
1);
for (i = 0; i < NB_SOCKETS; i++) {
if ((acl_ctx = setup_acl(acl_base_ipv4, acl_num_ipv4, 0,
i)) != NULL) {
ipv4_acx[i] = acl_ctx;
} else if (acl_num_ipv4 == 0) {
ipv4_acx[i] = NULL;
} else {
acl_log("setup_acl failed for ipv4 with "
"socketid %d, keeping previous rules "
"for that socket\n",
i);
}
}
#ifdef L3FWDACL_DEBUG
if (acl_base_ipv4) {
acl_config.rule_ipv4 =
(struct acl4_rule *)acl_base_ipv4;
}
#else
free(acl_base_ipv4);
#endif
} else {
if (add_rules(acl_parm_config.rule_ipv6_name, &acl_base_ipv6,
&acl_num_ipv6, sizeof(struct acl6_rule),
&parse_cb_ipv6_rule) < 0) {
acl_log("Failed to add ipv6 rules\n");
return -1;
}
acl_log("IPv6 ACL entries %u:\n", acl_num_ipv6);
dump_ipv6_rules((struct acl6_rule *)acl_base_ipv6, acl_num_ipv6,
1);
for (i = 0; i < NB_SOCKETS; i++) {
if ((acl_ctx = setup_acl(acl_base_ipv6, acl_num_ipv6, 1,
i)) != NULL) {
ipv6_acx[i] = acl_ctx;
} else if (acl_num_ipv6 == 0) {
ipv6_acx[i] = NULL;
} else {
acl_log("setup_acl failed for ipv6 with "
"socketid %d, keeping previous rules "
"for that socket\n",
i);
}
}
#ifdef L3FWDACL_DEBUG
if (acl_base_ipv6) {
acl_config.rule_ipv6 =
(struct acl6_rule *)acl_base_ipv6;
}
#else
free(acl_base_ipv6);
#endif
}
int socketid, lcore_id;
for (lcore_id = 0; lcore_id < RTE_MAX_LCORE; lcore_id++) {
if (rte_lcore_is_enabled(lcore_id) == 0)
continue;
if (numa_on)
socketid = rte_lcore_to_socket_id(lcore_id);
else
socketid = 0;
rte_atomic64_cmpset(
(uintptr_t *)&lcore_conf[lcore_id].new_acx_ipv4,
(uintptr_t)lcore_conf[lcore_id].new_acx_ipv4,
(uintptr_t)ipv4_acx[socketid]);
rte_atomic64_cmpset(
(uintptr_t *)&lcore_conf[lcore_id].new_acx_ipv6,
(uintptr_t)lcore_conf[lcore_id].new_acx_ipv6,
(uintptr_t)ipv6_acx[socketid]);
}
return 0;
}
//
// init_rules
// create the rule table
//
void init_rules(char rules[255][20]) {
int i,j;
for (i = 0; i < 256; ++i)
for (j = 0; j < 20; ++j)
rules[i][j] = 0;
add_rules(rules,0b00000000,""); // 0
add_rules(rules,0b11111111,""); // ~0
add_rules(rules,0b00000001,"eda"); // 1
add_rules(rules,0b11111110,"ade"); // ~1
add_rules(rules,0b00000011,"fed dbf"); // 2
add_rules(rules,0b11111100,"def fbd"); // ~2
add_rules(rules,0b00100001,"eda jif"); // 3
add_rules(rules,0b11011110,"ade fij"); // ~3
add_rules(rules,0b10000001,"eda gkj"); // 4
add_rules(rules,0b01111110,"ade jkg"); // ~4
add_rules(rules,0b00001110,"fhg fdh fad"); // 5
add_rules(rules,0b11110001,"ghf hdf daf"); // ~5
add_rules(rules,0b10000011,"fed fdb gkj"); // 6
add_rules(rules,0b01111100,"def bdf jkg"); // ~6
add_rules(rules,0b10010010,"bfa ile gkj"); // 7
add_rules(rules,0b01101101,"afb eli jkg"); // ~7
add_rules(rules,0b00001111,"ehg feg"); // 8
add_rules(rules,0b11110000,"ghe gef"); // ~8
add_rules(rules,0b01001101,"elk eka akg agb"); // 9
add_rules(rules,0b10110010,"kle ake gka bga"); // ~9
add_rules(rules,0b10011001,"ild ida ckj cjb"); // 10
add_rules(rules,0b01100110,"dli adi jkc bjc"); // ~10
add_rules(rules,0b10001101,"hkj hja hae ajb"); // 11
add_rules(rules,0b01110010,"jkh ajh eah bja"); // ~11
add_rules(rules,0b00011110,"ile hgf hfd dfa"); // 12
add_rules(rules,0b11100001,"eli fgh dfh afd"); // ~12
add_rules(rules,0b01101001,"eda bcg lkh jif"); // 13
add_rules(rules,0b10010110,"ade gcb hkl fij"); // ~13
add_rules(rules,0b01001110,"lkg lga lad agf"); // 14
add_rules(rules,0b10110001,"gkl agl dal fga"); // ~14
}
BOOL
add_rules_name(const char *main_name, const char *config, int chain)
{
char buf[1024], *p, *p2, *section = NULL;
BOOL result = FALSE;
DWORD n;
section = (char *)malloc(MAX_SECTION_SIZE);
if (section == NULL) {
liberr("malloc");
goto done;
}
/* 1. get ruleset string */
GetPrivateProfileString("_main_", main_name, "", buf, sizeof(buf), config);
if (*buf == '\0')
goto done; // no rules
// reset all rules for chain
if (!DeviceIoControl(g_device, IOCTL_CMD_CLEARCHAIN, &chain, sizeof(chain),
NULL, 0, &n, NULL)) {
winerr("DeviceIoControl");
goto done;
}
if (chain != 0) {
// set chain name
int len = sizeof(int) + MAX_PATH;
char *data = (char *)malloc(len);
if (data == NULL) {
liberr("malloc");
goto done;
}
*(int *)data = chain;
// try to extract environment variables from p to main_name
ExpandEnvironmentStrings(main_name, data + sizeof(int), MAX_PATH);
len = sizeof(int) + strlen(data + sizeof(int)) + 1;
if (!DeviceIoControl(g_device, IOCTL_CMD_SETCHAINPNAME, data, len,
NULL, 0, &n, NULL)) {
winerr("DeviceIoControl");
free(data);
goto done;
}
free(data);
}
/* 2. for each word in main_name string */
p = buf;
while (p != NULL) {
p2 = strchr(p, ' ');
if (p2 != NULL) {
while (*p2 == ' ')
*(p2++) = '\0';
}
if (*p != '\0') {
// get section by name in p
GetPrivateProfileSection(p, section, MAX_SECTION_SIZE, config);
if (*section == '\0')
error("\"%s\": unexistant or empty section %s", config, p);
else
add_rules(config, section, p, chain);
}
p = p2;
}
result = TRUE;
done:
free(section);
return result;
}
