/* * Filters: utility functions * * Copyright 1998 Pavel Machek * * Can be freely distributed and used under the terms of the GNU GPL. * */ /** * DOC: Filters * * You can find sources of the filter language in |filter/| * directory. File |filter/config.Y| contains filter grammar and basically translates * the source from user into a tree of &f_inst structures. These trees are * later interpreted using code in |filter/filter.c|. * * A filter is represented by a tree of &f_inst structures, one structure per * "instruction". Each &f_inst contains @code, @aux value which is * usually the data type this instruction operates on and two generic * arguments (@a[0], @a[1]). Some instructions contain pointer(s) to other * instructions in their (@a[0], @a[1]) fields. * * Filters use a &f_val structure for their data. Each &f_val * contains type and value (types are constants prefixed with %T_). Few * of the types are special; %T_RETURN can be or-ed with a type to indicate * that return from a function or from the whole filter should be * forced. Important thing about &f_val's is that they may be copied * with a simple |=|. That's fine for all currently defined types: strings * are read-only (and therefore okay), paths are copied for each * operation (okay too). */ #undef LOCAL_DEBUG #include "nest/bird.h" #include "lib/lists.h" #include "lib/resource.h" #include "lib/socket.h" #include "lib/string.h" #include "lib/unaligned.h" #include "lib/net.h" #include "lib/ip.h" #include "nest/route.h" #include "nest/protocol.h" #include "nest/iface.h" #include "nest/attrs.h" #include "conf/conf.h" #include "filter/filter.h" #include "filter/f-inst.h" #include "filter/data.h" /* Internal filter state, to be allocated on stack when executing filters */ struct filter_state { struct rte **rte; struct rta *old_rta; struct ea_list **eattrs; struct linpool *pool; struct buffer buf; int flags; }; void (*bt_assert_hook)(int result, const struct f_line_item *assert); static const char * const f_instruction_name_str[] = { /* TODO: Make this better */ [FI_ADD] = "FI_ADD", [FI_SUBTRACT] = "FI_SUBTRACT", [FI_MULTIPLY] = "FI_MULTIPLY", [FI_DIVIDE] = "FI_DIVIDE", [FI_AND] = "FI_AND", [FI_OR] = "FI_OR", [FI_PAIR_CONSTRUCT] = "FI_PAIR_CONSTRUCT", [FI_EC_CONSTRUCT] = "FI_EC_CONSTRUCT", [FI_LC_CONSTRUCT] = "FI_LC_CONSTRUCT", [FI_PATHMASK_CONSTRUCT] = "FI_PATHMASK_CONSTRUCT", [FI_NEQ] = "FI_NEQ", [FI_EQ] = "FI_EQ", [FI_LT] = "FI_LT", [FI_LTE] = "FI_LTE", [FI_NOT] = "FI_NOT", [FI_MATCH] = "FI_MATCH", [FI_NOT_MATCH] = "FI_NOT_MATCH", [FI_DEFINED] = "FI_DEFINED", [FI_TYPE] = "FI_TYPE", [FI_IS_V4] = "FI_IS_V4", [FI_SET] = "FI_SET", [FI_CONSTANT] = "FI_CONSTANT", [FI_VARIABLE] = "FI_VARIABLE", [FI_CONSTANT_INDIRECT] = "FI_CONSTANT_INDIRECT", [FI_PRINT] = "FI_PRINT", [FI_CONDITION] = "FI_CONDITION", [FI_PRINT_AND_DIE] = "FI_PRINT_AND_DIE", [FI_RTA_GET] = "FI_RTA_GET", [FI_RTA_SET] = "FI_RTA_SET", [FI_EA_GET] = "FI_EA_GET", [FI_EA_SET] = "FI_EA_SET", [FI_EA_UNSET] = "FI_EA_UNSET", [FI_PREF_GET] = "FI_PREF_GET", [FI_PREF_SET] = "FI_PREF_SET", [FI_LENGTH] = "FI_LENGTH", [FI_SADR_SRC] = "FI_SADR_SRC", [FI_ROA_MAXLEN] = "FI_ROA_MAXLEN", [FI_ROA_ASN] = "FI_ROA_ASN", [FI_IP] = "FI_IP", [FI_ROUTE_DISTINGUISHER] = "FI_ROUTE_DISTINGUISHER", [FI_AS_PATH_FIRST] = "FI_AS_PATH_FIRST", [FI_AS_PATH_LAST] = "FI_AS_PATH_LAST", [FI_AS_PATH_LAST_NAG] = "FI_AS_PATH_LAST_NAG", [FI_RETURN] = "FI_RETURN", [FI_CALL] = "FI_CALL", [FI_DROP_RESULT] = "FI_DROP_RESULT", [FI_SWITCH] = "FI_SWITCH", [FI_IP_MASK] = "FI_IP_MASK", [FI_PATH_PREPEND] = "FI_PATH_PREPEND", [FI_CLIST_ADD] = "FI_CLIST_ADD", [FI_CLIST_DEL] = "FI_CLIST_DEL", [FI_CLIST_FILTER] = "FI_CLIST_FILTER", [FI_ROA_CHECK_IMPLICIT] = "FI_ROA_CHECK_IMPLICIT", [FI_ROA_CHECK_EXPLICIT] = "FI_ROA_CHECK_EXPLICIT", [FI_FORMAT] = "FI_FORMAT", [FI_ASSERT] = "FI_ASSERT", }; const char * f_instruction_name(enum f_instruction_code fi) { if (fi < (sizeof(f_instruction_name_str) / sizeof(f_instruction_name_str[0]))) return f_instruction_name_str[fi]; else bug("Got unknown instruction code: %d", fi); } static inline void f_cache_eattrs(struct filter_state *fs) { fs->eattrs = &((*fs->rte)->attrs->eattrs); } static inline void f_rte_cow(struct filter_state *fs) { if (!((*fs->rte)->flags & REF_COW)) return; *fs->rte = rte_cow(*fs->rte); } /* * rta_cow - prepare rta for modification by filter */ static void f_rta_cow(struct filter_state *fs) { if (!rta_is_cached((*fs->rte)->attrs)) return; /* Prepare to modify rte */ f_rte_cow(fs); /* Store old rta to free it later, it stores reference from rte_cow() */ fs->old_rta = (*fs->rte)->attrs; /* * Get shallow copy of rta. Fields eattrs and nexthops of rta are shared * with fs->old_rta (they will be copied when the cached rta will be obtained * at the end of f_run()), also the lock of hostentry is inherited (we * suppose hostentry is not changed by filters). */ (*fs->rte)->attrs = rta_do_cow((*fs->rte)->attrs, fs->pool); /* Re-cache the ea_list */ f_cache_eattrs(fs); } static char * val_format_str(struct filter_state *fs, struct f_val *v) { buffer b; LOG_BUFFER_INIT(b); val_format(v, &b); return lp_strdup(fs->pool, b.start); } static struct tbf rl_runtime_err = TBF_DEFAULT_LOG_LIMITS; #define INDENT (((const char *) f_dump_line_indent_str) + sizeof(f_dump_line_indent_str) - (indent) - 1) static const char f_dump_line_indent_str[] = " "; static void f_dump_line(const struct f_line *dest, int indent); static void f_dump_line_item(const struct f_line_item *item, int indent) { debug("%sInstruction %s at line %u\n", INDENT, f_instruction_name(item->fi_code), item->lineno); switch (item->fi_code) { #include "filter/f-inst-dump.c" } } static void f_dump_line(const struct f_line *dest, int indent) { if (!dest) { debug("%sNo filter line (NULL)\n", INDENT); return; } debug("%sFilter line %p (len=%u)\n", INDENT, dest, dest->len); for (uint i=0; ilen; i++) f_dump_line_item(&dest->items[i], indent+1); debug("%sFilter line %p dump done\n", INDENT, dest); #undef INDENT } static uint postfixify(struct f_line *dest, const struct f_inst *what_, uint pos) { for ( ; what_; what_ = what_->next) { switch (what_->fi_code) { #include "filter/f-inst-postfixify.c" } pos++; } return pos; } struct f_line * f_postfixify_concat(const struct f_inst * const inst[], uint count) { uint len = 0; for (uint i=0; inext) len += what->size; struct f_line *out = cfg_allocz(sizeof(struct f_line) + sizeof(struct f_line_item)*len); for (uint i=0; ilen = postfixify(out, inst[i], out->len); #if DEBUGGING f_dump_line(out, 0); #endif return out; } /** * interpret * @fs: filter state * @what: filter to interpret * * Interpret given tree of filter instructions. This is core function * of filter system and does all the hard work. * * Each instruction has 4 fields: code (which is instruction code), * aux (which is extension to instruction code, typically type), * arg1 and arg2 - arguments. Depending on instruction, arguments * are either integers, or pointers to instruction trees. Common * instructions like +, that have two expressions as arguments use * TWOARGS macro to get both of them evaluated. */ static enum filter_return interpret(struct filter_state *fs, const struct f_line *line, struct f_val *val) { #define F_VAL_STACK_MAX 4096 /* Value stack for execution */ struct f_val_stack { uint cnt; /* Current stack size; 0 for empty */ struct f_val val[F_VAL_STACK_MAX]; /* The stack itself */ } vstk; /* The stack itself is intentionally kept as-is for performance reasons. * Do NOT rewrite this to initialization by struct literal. It's slow. */ vstk.cnt = 0; #define F_EXEC_STACK_MAX 4096 /* Exception bits */ enum f_exception { FE_RETURN = 0x1, }; /* Instruction stack for execution */ struct f_exec_stack { struct { const struct f_line *line; /* The line that is being executed */ uint pos; /* Instruction index in the line */ uint ventry; /* Value stack depth on entry */ enum f_exception emask; /* Exception mask */ } item[F_EXEC_STACK_MAX]; uint cnt; /* Current stack size; 0 for empty */ } estk; /* The same as with the value stack. Not resetting the stack for performance reasons. */ estk.cnt = 1; estk.item[0].line = line; estk.item[0].pos = 0; #define curline estk.item[estk.cnt-1] while (estk.cnt > 0) { while (curline.pos < curline.line->len) { const struct f_line_item *what = &(curline.line->items[curline.pos++]); switch (what->fi_code) { #define res vstk.val[vstk.cnt] #define v1 vstk.val[vstk.cnt] #define v2 vstk.val[vstk.cnt + 1] #define v3 vstk.val[vstk.cnt + 2] #define runtime(fmt, ...) do { \ if (!(fs->flags & FF_SILENT)) \ log_rl(&rl_runtime_err, L_ERR "filters, line %d: " fmt, what->lineno, ##__VA_ARGS__); \ return F_ERROR; \ } while(0) #define ACCESS_RTE do { if (!fs->rte) runtime("No route to access"); } while (0) #define ACCESS_EATTRS do { if (!fs->eattrs) f_cache_eattrs(fs); } while (0) #include "filter/f-inst-interpret.c" #undef res #undef v1 #undef v2 #undef v3 #undef runtime #undef ACCESS_RTE #undef ACCESS_EATTRS } } estk.cnt--; } switch (vstk.cnt) { case 0: if (val) { log_rl(&rl_runtime_err, L_ERR "filters: No value left on stack"); return F_ERROR; } return F_NOP; case 1: if (val) { *val = vstk.val[0]; return F_NOP; } /* fallthrough */ default: log_rl(&rl_runtime_err, L_ERR "Too many items left on stack: %u", vstk.cnt); return F_ERROR; } } /* * f_same - function that does real comparing of instruction trees, you should call filter_same from outside */ int f_same(const struct f_line *fl1, const struct f_line *fl2) { if ((!fl1) && (!fl2)) return 1; if ((!fl1) || (!fl2)) return 0; if (fl1->len != fl2->len) return 0; for (uint i=0; ilen; i++) { #define f1 (&(fl1->items[i])) #define f2 (&(fl2->items[i])) if (f1->fi_code != f2->fi_code) return 0; if (f1->flags != f2->flags) return 0; switch(f1->fi_code) { #include "filter/f-inst-same.c" } } return 1; } /** * f_run - run a filter for a route * @filter: filter to run * @rte: route being filtered, may be modified * @tmp_pool: all filter allocations go from this pool * @flags: flags * * If filter needs to modify the route, there are several * posibilities. @rte might be read-only (with REF_COW flag), in that * case rw copy is obtained by rte_cow() and @rte is replaced. If * @rte is originally rw, it may be directly modified (and it is never * copied). * * The returned rte may reuse the (possibly cached, cloned) rta, or * (if rta was modificied) contains a modified uncached rta, which * uses parts allocated from @tmp_pool and parts shared from original * rta. There is one exception - if @rte is rw but contains a cached * rta and that is modified, rta in returned rte is also cached. * * Ownership of cached rtas is consistent with rte, i.e. * if a new rte is returned, it has its own clone of cached rta * (and cached rta of read-only source rte is intact), if rte is * modified in place, old cached rta is possibly freed. */ enum filter_return f_run(const struct filter *filter, struct rte **rte, struct linpool *tmp_pool, int flags) { if (filter == FILTER_ACCEPT) return F_ACCEPT; if (filter == FILTER_REJECT) return F_REJECT; int rte_cow = ((*rte)->flags & REF_COW); DBG( "Running filter `%s'...", filter->name ); struct filter_state fs = { .rte = rte, .pool = tmp_pool, .flags = flags, }; LOG_BUFFER_INIT(fs.buf); enum filter_return fret = interpret(&fs, filter->root, NULL); if (fs.old_rta) { /* * Cached rta was modified and fs->rte contains now an uncached one, * sharing some part with the cached one. The cached rta should * be freed (if rte was originally COW, fs->old_rta is a clone * obtained during rte_cow()). * * This also implements the exception mentioned in f_run() * description. The reason for this is that rta reuses parts of * fs->old_rta, and these may be freed during rta_free(fs->old_rta). * This is not the problem if rte was COW, because original rte * also holds the same rta. */ if (!rte_cow) (*fs.rte)->attrs = rta_lookup((*fs.rte)->attrs); rta_free(fs.old_rta); } if (fret < F_ACCEPT) { if (!(fs.flags & FF_SILENT)) log_rl(&rl_runtime_err, L_ERR "Filter %s did not return accept nor reject. Make up your mind", filter->name); return F_ERROR; } DBG( "done (%u)\n", res.val.i ); return fret; } /* TODO: perhaps we could integrate f_eval(), f_eval_rte() and f_run() */ enum filter_return f_eval_rte(const struct f_line *expr, struct rte **rte, struct linpool *tmp_pool) { struct filter_state fs = { .rte = rte, .pool = tmp_pool, }; LOG_BUFFER_INIT(fs.buf); /* Note that in this function we assume that rte->attrs is private / uncached */ return interpret(&fs, expr, NULL); } enum filter_return f_eval(const struct f_line *expr, struct linpool *tmp_pool, struct f_val *pres) { struct filter_state fs = { .pool = tmp_pool, }; LOG_BUFFER_INIT(fs.buf); enum filter_return fret = interpret(&fs, expr, pres); return fret; } uint f_eval_int(const struct f_line *expr) { /* Called independently in parse-time to eval expressions */ struct filter_state fs = { .pool = cfg_mem, }; struct f_val val; LOG_BUFFER_INIT(fs.buf); if (interpret(&fs, expr, &val) > F_RETURN) cf_error("Runtime error while evaluating expression"); if (val.type != T_INT) cf_error("Integer expression expected"); return val.val.i; } enum filter_return f_eval_buf(const struct f_line *expr, struct linpool *tmp_pool, buffer *buf) { struct f_val val; enum filter_return fret = f_eval(expr, tmp_pool, &val); if (fret > F_RETURN) val_format(&val, buf); return fret; } /** * filter_same - compare two filters * @new: first filter to be compared * @old: second filter to be compared, notice that this filter is * damaged while comparing. * * Returns 1 in case filters are same, otherwise 0. If there are * underlying bugs, it will rather say 0 on same filters than say * 1 on different. */ int filter_same(struct filter *new, struct filter *old) { if (old == new) /* Handle FILTER_ACCEPT and FILTER_REJECT */ return 1; if (old == FILTER_ACCEPT || old == FILTER_REJECT || new == FILTER_ACCEPT || new == FILTER_REJECT) return 0; return f_same(new->root, old->root); }