From 8b82f1c6095bc9761a5961154c5c3bd1b57b9510 Mon Sep 17 00:00:00 2001 From: Adam Ierymenko Date: Tue, 14 Feb 2017 16:43:22 -0800 Subject: [PATCH] Add rules compiler script. --- rule-compiler/README.md | 5 + rule-compiler/cli.js | 29 + .../examples/capabilities-and-tags.ztrules | 40 + rule-compiler/package.json | 18 + rule-compiler/rule-compiler.js | 854 ++++++++++++++++++ 5 files changed, 946 insertions(+) create mode 100644 rule-compiler/README.md create mode 100644 rule-compiler/cli.js create mode 100644 rule-compiler/examples/capabilities-and-tags.ztrules create mode 100644 rule-compiler/package.json create mode 100644 rule-compiler/rule-compiler.js diff --git a/rule-compiler/README.md b/rule-compiler/README.md new file mode 100644 index 000000000..e3aa2615f --- /dev/null +++ b/rule-compiler/README.md @@ -0,0 +1,5 @@ +ZeroTier Rules Compiler +====== + +This script converts ZeroTier rules in human-readable format into rules suitable for import into a ZeroTier network controller. It's the script that is used in the rules editor on [ZeroTier Central](https://my.zerotier.com/). + diff --git a/rule-compiler/cli.js b/rule-compiler/cli.js new file mode 100644 index 000000000..c4a3b2919 --- /dev/null +++ b/rule-compiler/cli.js @@ -0,0 +1,29 @@ +'use strict'; + +var fs = require('fs'); + +var RuleCompiler = require('./rule-compiler.js'); + +if (process.argv.length < 3) { + console.log('Usage: node cli.js '); + process.exit(1); +} + +var src = fs.readFileSync(process.argv[2]).toString(); + +var rules = []; +var caps = {}; +var tags = {}; +var err = RuleCompiler.compile(src,rules,caps,tags); + +if (err) { + console.log('ERROR parsing '+process.argv[2]+' line '+err[0]+' column '+err[1]+': '+err[2]); + process.exit(1); +} else { + console.log(JSON.stringify({ + rules: rules, + caps: caps, + tags: tags + },null,2)); + process.exit(0); +} diff --git a/rule-compiler/examples/capabilities-and-tags.ztrules b/rule-compiler/examples/capabilities-and-tags.ztrules new file mode 100644 index 000000000..9b35f28da --- /dev/null +++ b/rule-compiler/examples/capabilities-and-tags.ztrules @@ -0,0 +1,40 @@ +# This is a default rule set that allows IPv4 and IPv6 traffic. +# You can edit as needed. If your rule set gets large we recommend +# cutting and pasting it somewhere to keep a backup. + +# Drop all Ethernet frame types that are not IPv4 or IPv6 +drop + not ethertype 0x0800 # IPv4 + not ethertype 0x0806 # IPv4 ARP + not ethertype 0x86dd # IPv6 +; + +# Capability: outgoing SSH +cap ssh + id 1000 + accept + ipprotocol tcp + dport 22 + ; +; + +# A tag indicating which department people belong to +tag department + id 1000 + enum 100 sales + enum 200 marketing + enum 300 accounting + enum 400 engineering +; + +# Accept all traffic between members of the same department +accept + tdiff department 0 +; + +# You can insert other drop, tee, etc. rules here. This rule +# set ends with a blanket accept, making it permissive by +# default. + +accept; + diff --git a/rule-compiler/package.json b/rule-compiler/package.json new file mode 100644 index 000000000..9bdc63ff3 --- /dev/null +++ b/rule-compiler/package.json @@ -0,0 +1,18 @@ +{ + "name": "zerotier-rule-compiler", + "version": "1.1.17", + "description": "ZeroTier Rule Script Compiler", + "main": "cli.js", + "scripts": { + "test": "echo \"Error: no test specified\" && exit 1" + }, + "repository": { + "type": "git", + "url": "https://github.com/zerotier/ZeroTierOne/rule-compiler" + }, + "keywords": [ + "ZeroTier" + ], + "author": "ZeroTier, Inc. ", + "license": "GPL-2.0" +} diff --git a/rule-compiler/rule-compiler.js b/rule-compiler/rule-compiler.js new file mode 100644 index 000000000..763586065 --- /dev/null +++ b/rule-compiler/rule-compiler.js @@ -0,0 +1,854 @@ +'use strict'; + +// Names for bits in characteristics -- 0==LSB, 63==MSB +const CHARACTERISTIC_BITS = { + 'inbound': 63, + 'multicast': 62, + 'broadcast': 61, + 'tcp_fin': 0, + 'tcp_syn': 1, + 'tcp_rst': 2, + 'tcp_psh': 3, + 'tcp_ack': 4, + 'tcp_urg': 5, + 'tcp_ece': 6, + 'tcp_cwr': 7, + 'tcp_ns': 8, + 'tcp_rs2': 9, + 'tcp_rs1': 10, + 'tcp_rs0': 11 +}; + +// Shorthand names for ethernet types +const ETHERTYPES = { + 'ipv4': 0x0800, + 'arp': 0x0806, + 'rarp': 0x8035, + 'ipv6': 0x86dd, + 'atalk': 0x809b, + 'aarp': 0x80f3, + 'ipx_a': 0x8137, + 'ipx_b': 0x8138 +}; + +// Shorthand names for IP protocols +const IP_PROTOCOLS = { + 'icmp': 0x01, + 'igmp': 0x02, + 'ipip': 0x04, + 'tcp': 0x06, + 'egp': 0x08, + 'igp': 0x09, + 'udp': 0x11, + 'rdp': 0x1b, + 'esp': 0x32, + 'ah': 0x33, + 'icmp6': 0x3a, + 'icmpv6': 0x3a, + 'l2tp': 0x73, + 'sctp': 0x84, + 'udplite': 0x88 +}; + +// Keywords that open new blocks that must be terminated by a semicolon +const OPEN_BLOCK_KEYWORDS = { + 'macro': true, + 'tag': true, + 'cap': true, + 'drop': true, + 'accept': true, + 'tee': true, + 'watch': true, + 'redirect': true, + 'break': true +}; + +// Reserved words that can't be used as tag, capability, or rule set names +const RESERVED_WORDS = { + 'macro': true, + 'tag': true, + 'cap': true, + + 'drop': true, + 'accept': true, + 'tee': true, + 'watch': true, + 'redirect': true, + 'break': true, + + 'ztsrc': true, + 'ztdest': true, + 'vlan': true, + 'vlanpcp': true, + 'vlandei': true, + 'ethertype': true, + 'macsrc': true, + 'macdest': true, + 'ipsrc': true, + 'ipdest': true, + 'iptos': true, + 'ipprotocol': true, + 'icmp': true, + 'sport': true, + 'dport': true, + 'chr': true, + 'framesize': true, + 'random': true, + 'tand': true, + 'tor': true, + 'txor': true, + 'tdiff': true, + 'teq': true, + + 'type': true, + 'enum': true, + 'class': true, + 'define': true, + 'import': true, + 'include': true, + 'log': true, + 'not': true, + 'xor': true, + 'or': true, + 'and': true, + 'set': true, + 'var': true, + 'let': true +}; + +const KEYWORD_TO_API_MAP = { + 'drop': 'ACTION_DROP', + 'accept': 'ACTION_ACCEPT', + 'tee': 'ACTION_TEE', + 'watch': 'ACTION_WATCH', + 'redirect': 'ACTION_REDIRECT', + 'break': 'ACTION_BREAK', + + 'ztsrc': 'MATCH_SOURCE_ZEROTIER_ADDRESS', + 'ztdest': 'MATCH_DEST_ZEROTIER_ADDRESS', + 'vlan': 'MATCH_VLAN_ID', + 'vlanpcp': 'MATCH_VLAN_PCP', + 'vlandei': 'MATCH_VLAN_DEI', + 'ethertype': 'MATCH_ETHERTYPE', + 'macsrc': 'MATCH_MAC_SOURCE', + 'macdest': 'MATCH_MAC_DEST', + //'ipsrc': '', // special handling since we programmatically differentiate between V4 and V6 + //'ipdest': '', // special handling + 'iptos': 'MATCH_IP_TOS', + 'ipprotocol': 'MATCH_IP_PROTOCOL', + 'icmp': 'MATCH_ICMP', + 'sport': 'MATCH_IP_SOURCE_PORT_RANGE', + 'dport': 'MATCH_IP_DEST_PORT_RANGE', + 'chr': 'MATCH_CHARACTERISTICS', + 'framesize': 'MATCH_FRAME_SIZE_RANGE', + 'random': 'MATCH_RANDOM', + 'tand': 'MATCH_TAGS_BITWISE_AND', + 'tor': 'MATCH_TAGS_BITWISE_OR', + 'txor': 'MATCH_TAGS_BITWISE_XOR', + 'tdiff': 'MATCH_TAGS_DIFFERENCE', + 'teq': 'MATCH_TAGS_EQUAL' +}; + +// Number of args for each match +const MATCH_ARG_COUNTS = { + 'ztsrc': 1, + 'ztdest': 1, + 'vlan': 1, + 'vlanpcp': 1, + 'vlandei': 1, + 'ethertype': 1, + 'macsrc': 1, + 'macdest': 1, + 'ipsrc': 1, + 'ipdest': 1, + 'iptos': 2, + 'ipprotocol': 1, + 'icmp': 2, + 'sport': 1, + 'dport': 1, + 'chr': 1, + 'framesize': 1, + 'random': 1, + 'tand': 2, + 'tor': 2, + 'txor': 2, + 'tdiff': 2, + 'teq': 2 +}; + +const INTL_ALPHANUM_REGEX = new RegExp('[0-9A-Za-z\xAA\xB5\xBA\xC0-\xD6\xD8-\xF6\xF8-\u02C1\u02C6-\u02D1\u02E0-\u02E4\u02EC\u02EE\u0370-\u0374\u0376\u0377\u037A-\u037D\u0386\u0388-\u038A\u038C\u038E-\u03A1\u03A3-\u03F5\u03F7-\u0481\u048A-\u0527\u0531-\u0556\u0559\u0561-\u0587\u05D0-\u05EA\u05F0-\u05F2\u0620-\u064A\u066E\u066F\u0671-\u06D3\u06D5\u06E5\u06E6\u06EE\u06EF\u06FA-\u06FC\u06FF\u0710\u0712-\u072F\u074D-\u07A5\u07B1\u07CA-\u07EA\u07F4\u07F5\u07FA\u0800-\u0815\u081A\u0824\u0828\u0840-\u0858\u08A0\u08A2-\u08AC\u0904-\u0939\u093D\u0950\u0958-\u0961\u0971-\u0977\u0979-\u097F\u0985-\u098C\u098F\u0990\u0993-\u09A8\u09AA-\u09B0\u09B2\u09B6-\u09B9\u09BD\u09CE\u09DC\u09DD\u09DF-\u09E1\u09F0\u09F1\u0A05-\u0A0A\u0A0F\u0A10\u0A13-\u0A28\u0A2A-\u0A30\u0A32\u0A33\u0A35\u0A36\u0A38\u0A39\u0A59-\u0A5C\u0A5E\u0A72-\u0A74\u0A85-\u0A8D\u0A8F-\u0A91\u0A93-\u0AA8\u0AAA-\u0AB0\u0AB2\u0AB3\u0AB5-\u0AB9\u0ABD\u0AD0\u0AE0\u0AE1\u0B05-\u0B0C\u0B0F\u0B10\u0B13-\u0B28\u0B2A-\u0B30\u0B32\u0B33\u0B35-\u0B39\u0B3D\u0B5C\u0B5D\u0B5F-\u0B61\u0B71\u0B83\u0B85-\u0B8A\u0B8E-\u0B90\u0B92-\u0B95\u0B99\u0B9A\u0B9C\u0B9E\u0B9F\u0BA3\u0BA4\u0BA8-\u0BAA\u0BAE-\u0BB9\u0BD0\u0C05-\u0C0C\u0C0E-\u0C10\u0C12-\u0C28\u0C2A-\u0C33\u0C35-\u0C39\u0C3D\u0C58\u0C59\u0C60\u0C61\u0C85-\u0C8C\u0C8E-\u0C90\u0C92-\u0CA8\u0CAA-\u0CB3\u0CB5-\u0CB9\u0CBD\u0CDE\u0CE0\u0CE1\u0CF1\u0CF2\u0D05-\u0D0C\u0D0E-\u0D10\u0D12-\u0D3A\u0D3D\u0D4E\u0D60\u0D61\u0D7A-\u0D7F\u0D85-\u0D96\u0D9A-\u0DB1\u0DB3-\u0DBB\u0DBD\u0DC0-\u0DC6\u0E01-\u0E30\u0E32\u0E33\u0E40-\u0E46\u0E81\u0E82\u0E84\u0E87\u0E88\u0E8A\u0E8D\u0E94-\u0E97\u0E99-\u0E9F\u0EA1-\u0EA3\u0EA5\u0EA7\u0EAA\u0EAB\u0EAD-\u0EB0\u0EB2\u0EB3\u0EBD\u0EC0-\u0EC4\u0EC6\u0EDC-\u0EDF\u0F00\u0F40-\u0F47\u0F49-\u0F6C\u0F88-\u0F8C\u1000-\u102A\u103F\u1050-\u1055\u105A-\u105D\u1061\u1065\u1066\u106E-\u1070\u1075-\u1081\u108E\u10A0-\u10C5\u10C7\u10CD\u10D0-\u10FA\u10FC-\u1248\u124A-\u124D\u1250-\u1256\u1258\u125A-\u125D\u1260-\u1288\u128A-\u128D\u1290-\u12B0\u12B2-\u12B5\u12B8-\u12BE\u12C0\u12C2-\u12C5\u12C8-\u12D6\u12D8-\u1310\u1312-\u1315\u1318-\u135A\u1380-\u138F\u13A0-\u13F4\u1401-\u166C\u166F-\u167F\u1681-\u169A\u16A0-\u16EA\u1700-\u170C\u170E-\u1711\u1720-\u1731\u1740-\u1751\u1760-\u176C\u176E-\u1770\u1780-\u17B3\u17D7\u17DC\u1820-\u1877\u1880-\u18A8\u18AA\u18B0-\u18F5\u1900-\u191C\u1950-\u196D\u1970-\u1974\u1980-\u19AB\u19C1-\u19C7\u1A00-\u1A16\u1A20-\u1A54\u1AA7\u1B05-\u1B33\u1B45-\u1B4B\u1B83-\u1BA0\u1BAE\u1BAF\u1BBA-\u1BE5\u1C00-\u1C23\u1C4D-\u1C4F\u1C5A-\u1C7D\u1CE9-\u1CEC\u1CEE-\u1CF1\u1CF5\u1CF6\u1D00-\u1DBF\u1E00-\u1F15\u1F18-\u1F1D\u1F20-\u1F45\u1F48-\u1F4D\u1F50-\u1F57\u1F59\u1F5B\u1F5D\u1F5F-\u1F7D\u1F80-\u1FB4\u1FB6-\u1FBC\u1FBE\u1FC2-\u1FC4\u1FC6-\u1FCC\u1FD0-\u1FD3\u1FD6-\u1FDB\u1FE0-\u1FEC\u1FF2-\u1FF4\u1FF6-\u1FFC\u2071\u207F\u2090-\u209C\u2102\u2107\u210A-\u2113\u2115\u2119-\u211D\u2124\u2126\u2128\u212A-\u212D\u212F-\u2139\u213C-\u213F\u2145-\u2149\u214E\u2183\u2184\u2C00-\u2C2E\u2C30-\u2C5E\u2C60-\u2CE4\u2CEB-\u2CEE\u2CF2\u2CF3\u2D00-\u2D25\u2D27\u2D2D\u2D30-\u2D67\u2D6F\u2D80-\u2D96\u2DA0-\u2DA6\u2DA8-\u2DAE\u2DB0-\u2DB6\u2DB8-\u2DBE\u2DC0-\u2DC6\u2DC8-\u2DCE\u2DD0-\u2DD6\u2DD8-\u2DDE\u2E2F\u3005\u3006\u3031-\u3035\u303B\u303C\u3041-\u3096\u309D-\u309F\u30A1-\u30FA\u30FC-\u30FF\u3105-\u312D\u3131-\u318E\u31A0-\u31BA\u31F0-\u31FF\u3400-\u4DB5\u4E00-\u9FCC\uA000-\uA48C\uA4D0-\uA4FD\uA500-\uA60C\uA610-\uA61F\uA62A\uA62B\uA640-\uA66E\uA67F-\uA697\uA6A0-\uA6E5\uA717-\uA71F\uA722-\uA788\uA78B-\uA78E\uA790-\uA793\uA7A0-\uA7AA\uA7F8-\uA801\uA803-\uA805\uA807-\uA80A\uA80C-\uA822\uA840-\uA873\uA882-\uA8B3\uA8F2-\uA8F7\uA8FB\uA90A-\uA925\uA930-\uA946\uA960-\uA97C\uA984-\uA9B2\uA9CF\uAA00-\uAA28\uAA40-\uAA42\uAA44-\uAA4B\uAA60-\uAA76\uAA7A\uAA80-\uAAAF\uAAB1\uAAB5\uAAB6\uAAB9-\uAABD\uAAC0\uAAC2\uAADB-\uAADD\uAAE0-\uAAEA\uAAF2-\uAAF4\uAB01-\uAB06\uAB09-\uAB0E\uAB11-\uAB16\uAB20-\uAB26\uAB28-\uAB2E\uABC0-\uABE2\uAC00-\uD7A3\uD7B0-\uD7C6\uD7CB-\uD7FB\uF900-\uFA6D\uFA70-\uFAD9\uFB00-\uFB06\uFB13-\uFB17\uFB1D\uFB1F-\uFB28\uFB2A-\uFB36\uFB38-\uFB3C\uFB3E\uFB40\uFB41\uFB43\uFB44\uFB46-\uFBB1\uFBD3-\uFD3D\uFD50-\uFD8F\uFD92-\uFDC7\uFDF0-\uFDFB\uFE70-\uFE74\uFE76-\uFEFC\uFF21-\uFF3A\uFF41-\uFF5A\uFF66-\uFFBE\uFFC2-\uFFC7\uFFCA-\uFFCF\uFFD2-\uFFD7\uFFDA-\uFFDC]'); +function _isValidName(n) +{ + if ((typeof n !== 'string')||(n.length === 0)) + return false; + if ("0123456789".indexOf(n.charAt(0)) >= 0) + return false; + for(let i=0;i 2)&&(n.substr(0,2) === '0x')) + n = parseInt(n.substr(2),16); + else n = parseInt(n,10); + return (((typeof n === 'number')&&(n !== null)&&(!isNaN(n))) ? n : -1); + } catch (e) { + return -1; + } +} + +function _cleanMac(m) +{ + m = m.toLowerCase(); + var m2 = ''; + for(let i=0;((i= 0) { + m2 += c; + if ((m2.length > 0)&&(m2.length !== 17)&&((m2.length & 1) === 0)) + m2 += ':'; + } + } + return m2; +} + +function _cleanHex(m) +{ + m = m.toLowerCase(); + var m2 = ''; + for(let i=0;i= 0) + m2 += c; + } + return m2; +} + +function _renderMatches(mtree,rules,macros,caps,tags,params) +{ + let not = false; + let or = false; + for(let k=0;k= mtree.length) + return [ mtree[k - 1][1],mtree[k - 1][2],'Missing argument(s) to match.' ]; + let arg = mtree[k][0]; + if ((typeof arg !== 'string')||(arg in RESERVED_WORDS)||(arg.length === 0)) + return [ mtree[k - 1][1],mtree[k - 1][2],'Missing argument(s) to match (invalid argument or argument is reserved word).' ]; + if (arg.charAt(0) === '$') { + let tmp = params[arg]; + if (typeof tmp === 'undefined') + return [ mtree[k][1],mtree[k][2],'Undefined variable name.' ]; + args.push([ tmp,mtree[k][1],mtree[k][2] ]); + } else { + args.push(mtree[k]); + } + } + + switch(match) { + case 'ztsrc': + case 'ztdest': { + let zt = _cleanHex(args[0][0]); + if (zt.length !== 10) + return [ args[0][1],args[0][2],'Invalid ZeroTier address.' ]; + rules.push({ + 'type': KEYWORD_TO_API_MAP[match], + 'not': not, + 'or': or, + 'zt': zt + }); + } break; + + case 'vlan': + case 'vlanpcp': + case 'vlandei': + case 'ethertype': + case 'ipprotocol': { + let num = null; + switch (match) { + case 'ethertype': num = ETHERTYPES[args[0][0]]; break; + case 'ipprotocol': num = IP_PROTOCOLS[args[0][0]]; break; + } + if (typeof num !== 'number') + num = _parseNum(args[0][0]); + if ((typeof num !== 'number')||(num < 0)||(num > 0xffffffff)||(num === null)) + return [ args[0][1],args[0][2],'Invalid numeric value.' ]; + let r = { + 'type': KEYWORD_TO_API_MAP[match], + 'not': not, + 'or': or + }; + switch(match) { + case 'vlan': r['vlanId'] = num; break; + case 'vlanpcp': r['vlanPcp'] = num; break; + case 'vlandei': r['vlanDei'] = num; break; + case 'ethertype': r['etherType'] = num; break; + case 'ipprotocol': r['ipProtocol'] = num; break; + } + rules.push(r); + } break; + + case 'random': { + let num = parseFloat(args[0][0])||0.0; + if (num < 0.0) num = 0.0; + if (num > 1.0) num = 1.0; + rules.push({ + 'type': KEYWORD_TO_API_MAP[match], + 'not': not, + 'or': or, + 'probability': Math.floor(4294967295 * num) + }); + } break; + + case 'macsrc': + case 'macdest': { + let mac = _cleanMac(args[0][0]); + if (mac.length !== 17) + return [ args[0][1],args[0][2],'Invalid MAC address.' ]; + rules.push({ + 'type': KEYWORD_TO_API_MAP[match], + 'not': not, + 'or': or, + 'mac': mac + }); + } break; + + case 'ipsrc': + case 'ipdest': { + let ip = args[0][0]; + let slashIdx = ip.indexOf('/'); + if (slashIdx <= 0) + return [ args[0][1],args[0][2],'Missing /bits netmask length designation in IP.' ]; + let ipOnly = ip.substr(0,slashIdx); + if (IPV6_REGEX.test(ipOnly)) { + rules.push({ + 'type': ((match === 'ipsrc') ? 'MATCH_IPV6_SOURCE' : 'MATCH_IPV6_DEST'), + 'not': not, + 'or': or, + 'ip': ip + }); + } else if (IPV4_REGEX.test(ipOnly)) { + rules.push({ + 'type': ((match === 'ipsrc') ? 'MATCH_IPV4_SOURCE' : 'MATCH_IPV4_DEST'), + 'not': not, + 'or': or, + 'ip': ip + }); + } else { + return [ args[0][1],args[0][2],'Invalid IP address (not valid IPv4 or IPv6).' ]; + } + } break; + + case 'icmp': { + let icmpType = _parseNum(args[0][0]); + if ((icmpType < 0)||(icmpType > 0xff)) + return [ args[0][1],args[0][2],'Missing or invalid ICMP type.' ]; + let icmpCode = _parseNum(args[1][0]); // -1 okay, indicates don't match code + if (icmpCode > 0xff) + return [ args[1][1],args[1][2],'Invalid ICMP code (use -1 for none).' ]; + rules.push({ + 'type': 'MATCH_ICMP', + 'not': not, + 'or': or, + 'icmpType': icmpType, + 'icmpCode': ((icmpCode < 0) ? null : icmpCode) + }); + } break; + + case 'sport': + case 'dport': + case 'framesize': { + let arg = args[0][0]; + let fn = null; + let tn = null; + if (arg.indexOf('-') > 0) { + let asplit = arg.split('-'); + if (asplit.length !== 2) { + return [ args[0][1],args[0][2],'Invalid numeric range.' ]; + } else { + fn = _parseNum(asplit[0]); + tn = _parseNum(asplit[1]); + } + } else { + fn = _parseNum(arg); + tn = fn; + } + if ((fn < 0)||(fn > 0xffff)||(tn < 0)||(tn > 0xffff)||(tn < fn)) + return [ args[0][1],args[0][2],'Invalid numeric range.' ]; + rules.push({ + 'type': KEYWORD_TO_API_MAP[match], + 'not': not, + 'or': or, + 'start': fn, + 'end': tn + }); + } break; + + case 'iptos': { + let mask = _parseNum(args[0][0]); + if ((typeof mask !== 'number')||(mask < 0)||(mask > 0xff)||(mask === null)) + return [ args[0][1],args[0][2],'Invalid mask.' ]; + let arg = args[1][0]; + let fn = null; + let tn = null; + if (arg.indexOf('-') > 0) { + let asplit = arg.split('-'); + if (asplit.length !== 2) { + return [ args[1][1],args[1][2],'Invalid value range.' ]; + } else { + fn = _parseNum(asplit[0]); + tn = _parseNum(asplit[1]); + } + } else { + fn = _parseNum(arg); + tn = fn; + } + if ((fn < 0)||(fn > 0xff)||(tn < 0)||(tn > 0xff)||(tn < fn)) + return [ args[1][1],args[1][2],'Invalid value range.' ]; + rules.push({ + 'type': 'MATCH_IP_TOS', + 'not': not, + 'or': or, + 'mask': mask, + 'start': fn, + 'end': tn + }); + } break; + + case 'chr': { + let chrb = args[0][0].split(/[,]+/); + let maskhi = 0; + let masklo = 0; + for(let i=0;i 0) { + let tmp = CHARACTERISTIC_BITS[chrb[i]]; + let bit = (typeof tmp === 'number') ? tmp : _parseNum(chrb[i]); + if ((bit < 0)||(bit > 63)) + return [ args[0][1],args[0][2],'Invalid bit index (range 0-63) or unrecognized name.' ]; + if (bit >= 32) + maskhi |= Math.abs(1 << (bit - 32)); + else masklo |= Math.abs(1 << bit); + } + } + maskhi = Math.abs(maskhi).toString(16); + while (maskhi.length < 8) maskhi = '0' + maskhi; + masklo = Math.abs(masklo).toString(16); + while (masklo.length < 8) masklo = '0' + masklo; + rules.push({ + 'type': 'MATCH_CHARACTERISTICS', + 'not': not, + 'or': or, + 'mask': (maskhi + masklo) + }); + } break; + + case 'tand': + case 'tor': + case 'txor': + case 'tdiff': + case 'teq': { + let tag = tags[args[0][0]]; + let tagId = -1; + let tagValue = -1; + if (tag) { + tagId = tag.id; + tagValue = args[1][0]; + if (tagValue in tag.flags) + tagValue = tag.flags[tagValue]; + else if (tagValue in tag.enums) + tagValue = tag.enums[tagValue]; + else tagValue = _parseNum(tagValue); + } else { + tagId = _parseNum(args[0][0]); + tagValue = _parseNum(args[1][0]); + } + if ((tagId < 0)||(tagId > 0xffffffff)) + return [ args[0][1],args[0][2],'Undefined tag name and invalid tag value.' ]; + if ((tagValue < 0)||(tagValue > 0xffffffff)) + return [ args[1][1],args[1][2],'Invalid tag value or unrecognized flag/enum name.' ]; + rules.push({ + 'type': KEYWORD_TO_API_MAP[match], + 'not': not, + 'or': or, + 'id': tagId, + 'value': tagValue + }); + } break; + } + + not = false; + or = false; + } + } + return null; +} + +function _renderActions(rtree,rules,macros,caps,tags,params) +{ + for(let k=0;k= rtree.length) + return [ rtree[k][1],rtree[k][2],'Include directive is missing a macro name.' ]; + let macroName = rtree[k + 1][0]; + ++k; + + let macroParamArray = []; + let parenIdx = macroName.indexOf('('); + if (parenIdx > 0) { + let pns = macroName.substr(parenIdx + 1).split(/[,)]+/); + for(let k=0;k 0) + macroParamArray.push(pns[k]); + } + macroName = macroName.substr(0,parenIdx); + } + + let macro = macros[macroName]; + if (!macro) + return [ rtree[k][1],rtree[k][2],'Macro name not found.' ]; + let macroParams = {}; + for(let param in macro.params) { + let pidx = macro.params[param]; + if (pidx >= macroParamArray.length) + return [ rtree[k][1],rtree[k][2],'Missing one or more required macro parameter.' ]; + macroParams[param] = macroParamArray[pidx]; + } + + let err = _renderActions(macro.rules,rules,macros,caps,tags,macroParams); + if (err !== null) + return err; + } else if ((action === 'drop')||(action === 'accept')||(action === 'break')) { // actions without arguments + if (((k + 1) < rtree.length)&&(Array.isArray(rtree[k + 1][0]))) { + let mtree = rtree[k + 1]; ++k; + let err = _renderMatches(mtree,rules,macros,caps,tags,params); + if (err !== null) + return err; + } + rules.push({ + 'type': KEYWORD_TO_API_MAP[action] + }); + } else if ((action === 'tee')||(action === 'watch')) { // actions with arguments (ZeroTier address) + if (((k + 1) < rtree.length)&&(Array.isArray(rtree[k + 1][0]))&&(rtree[k + 1][0].length >= 2)) { + let mtree = rtree[k + 1]; ++k; + let maxLength = _parseNum(mtree[0][0]); + if ((maxLength < -1)||(maxLength > 0xffff)) + return [ mtree[0][1],mtree[1][2],'Tee/watch max packet length to forward invalid or out of range.' ]; + let target = mtree[1][0]; + if ((typeof target !== 'string')||(target.length !== 10)) + return [ mtree[1][1],mtree[1][2],'Missing or invalid ZeroTier address target for tee/watch.' ]; + let err = _renderMatches(mtree.slice(2),rules,macros,caps,tags,params); + if (err !== null) + return err; + rules.push({ + 'type': KEYWORD_TO_API_MAP[action], + 'address': target, + 'length': maxLength + }); + } else { + return [ rtree[k][1],rtree[k][2],'The tee and watch actions require two paremters (max length or 0 for all, target).' ]; + } + } else if (action === 'redirect') { + if (((k + 1) < rtree.length)&&(Array.isArray(rtree[k + 1][0]))&&(rtree[k + 1][0].length >= 1)) { + let mtree = rtree[k + 1]; ++k; + let target = mtree[0][0]; + if ((typeof target !== 'string')||(target.length !== 10)) + return [ mtree[0][1],mtree[0][2],'Missing or invalid ZeroTier address target for redirect.' ]; + let err = _renderMatches(mtree.slice(1),rules,macros,caps,tags,params); + if (err !== null) + return err; + rules.push({ + 'type': KEYWORD_TO_API_MAP[action], + 'address': target + }); + } else { + return [ rtree[k][1],rtree[k][2],'The redirect action requires a target parameter.' ]; + } + } else { + return [ rtree[k][1],rtree[k][2],'Unrecognized action or directive in rule set.' ]; + } + } + + return null; +} + +function compile(src,rules,caps,tags) +{ + try { + if (typeof src !== 'string') + return [ 0,0,'"src" parameter must be a string.' ]; + + // Pass 1: parse source into a tree of arrays of elements. Each element is a 3-item + // tuple consisting of string, line number, and character index in line to enable + // informative error messages to be returned. + + var blockStack = [ [] ]; + var curr = [ '',-1,-1 ]; + var skipRestOfLine = false; + for(let idx=0,lineNo=1,lineIdx=0;idx 0) { + let endOfBlock = false; + if (curr[0].charAt(curr[0].length - 1) === ';') { + endOfBlock = true; + curr[0] = curr[0].substr(0,curr[0].length - 1); + } + + if (curr[0].length > 0) { + blockStack[blockStack.length - 1].push(curr); + } + if ((endOfBlock)&&(blockStack.length > 1)&&(blockStack[blockStack.length - 1].length > 0)) { + blockStack[blockStack.length - 2].push(blockStack[blockStack.length - 1]); + blockStack.pop(); + } else if (curr[0] in OPEN_BLOCK_KEYWORDS) { + blockStack.push([]); + } + + curr = [ '',-1,-1 ]; + } + break; + default: + if (curr[0].length === 0) { + if (ch === '#') { + skipRestOfLine = true; + continue; + } else { + curr[1] = lineNo; + curr[2] = lineIdx; + } + } + curr[0] += ch; + break; + } + } + } + + if (curr[0].length > 0) { + if (curr[0].charAt(curr[0].length - 1) === ';') + curr[0] = curr[0].substr(0,curr[0].length - 1); + if (curr[0].length > 0) + blockStack[blockStack.length - 1].push(curr); + } + while ((blockStack.length > 1)&&(blockStack[blockStack.length - 1].length > 0)) { + blockStack[blockStack.length - 2].push(blockStack[blockStack.length - 1]); + blockStack.pop(); + } + var parsed = blockStack[0]; + + // Pass 2: parse tree into capabilities, tags, rule sets, and document-level rules. + + let baseRuleTree = []; + let macros = {}; + for(let i=0;i= parsed.length) || (!Array.isArray(parsed[i + 1])) || (parsed[i + 1].length < 1) || (!Array.isArray(parsed[i + 1][0])) ) + return [ parsed[i][1],parsed[i][2],'Macro definition is missing name.' ]; + let macro = parsed[++i]; + let macroName = macro[0][0].toLowerCase(); + + let params = {}; + let parenIdx = macroName.indexOf('('); + if (parenIdx > 0) { + let pns = macroName.substr(parenIdx + 1).split(/[,)]+/); + for(let k=0;k 0) + params[pns[k]] = k; + } + macroName = macroName.substr(0,parenIdx); + } + + if (!_isValidName(macroName)) + return [ macro[0][1],macro[0][2],'Invalid macro name.' ]; + if (macroName in RESERVED_WORDS) + return [ macro[0][1],macro[0][2],'Macro name is a reserved word.' ]; + + if (macroName in macros) + return [ macro[0][1],macro[0][2],'Multiple definition of macro name.' ]; + + macros[macroName] = { + params: params, + rules: macro.slice(1) + }; + } else if (keyword === 'tag') { + if ( ((i + 1) >= parsed.length) || (!Array.isArray(parsed[i + 1])) || (parsed[i + 1].length < 1) || (!Array.isArray(parsed[i + 1][0])) ) + return [ parsed[i][1],parsed[i][2],'Tag definition is missing name.' ]; + let tag = parsed[++i]; + let tagName = tag[0][0].toLowerCase(); + + if (!_isValidName(tagName)) + return [ tag[0][1],tag[0][2],'Invalid tag name.' ]; + if (tagName in RESERVED_WORDS) + return [ tag[0][1],tag[0][2],'Tag name is a reserved word.' ]; + + if (tagName in tags) + return [ tag[0][1],tag[0][2],'Multiple definition of tag name.' ]; + + let flags = {}; + let enums = {}; + let id = -1; + for(let k=1;k= 0) + return [ tag[k][1],tag[k][2],'Duplicate tag id definition.' ]; + if ((k + 1) >= tag.length) + return [ tag[k][1],tag[k][2],'Missing numeric value for ID.' ]; + id = _parseNum(tag[++k][0]); + if ((id < 0)||(id > 0xffffffff)) + return [ tag[k][1],tag[k][2],'Invalid or out of range tag ID.' ]; + } else if (tkeyword === 'flag') { + if ((k + 2) >= tag.length) + return [ tag[k][1],tag[k][2],'Missing tag flag name or bit index.' ]; + ++k; + let bits = tag[k][0].split(/[,]+/); + let mask = 0; + for(let j=0;j 31)) + return [ tag[k][1],tag[k][2],'Bit index invalid, out of range, or references an undefined flag name.' ]; + mask |= (1 << b); + } + } + let flagName = tag[++k][0].toLowerCase(); + if (!_isValidName(flagName)) + return [ tag[k][1],tag[k][2],'Invalid or reserved flag name.' ]; + if (flagName in flags) + return [ tag[k][1],tag[k][2],'Duplicate flag name in tag definition.' ]; + flags[flagName] = mask; + } else if (tkeyword === 'enum') { + if ((k + 2) >= tag.length) + return [ tag[k][1],tag[k][2],'Missing tag enum name or value.' ]; + ++k; + let value = _parseNum(tag[k][0]); + if ((value < 0)||(value > 0xffffffff)) + return [ tag[k][1],tag[k][2],'Tag enum value invalid or out of range.' ]; + let enumName = tag[++k][0].toLowerCase(); + if (!_isValidName(enumName)) + return [ tag[k][1],tag[k][2],'Invalid or reserved tag enum name.' ]; + if (enumName in enums) + return [ tag[k][1],tag[k][2],'Duplicate enum name in tag definition.' ]; + enums[enumName] = value; + } else { + return [ tag[k][1],tag[k][2],'Unrecognized keyword in tag definition.' ]; + } + } + if (id < 0) + return [ tag[0][1],tag[0][2],'Tag definition is missing a numeric ID.' ]; + + tags[tagName] = { + id: id, + enums: enums, + flags: flags + }; + } else if (keyword === 'cap') { + if ( ((i + 1) >= parsed.length) || (!Array.isArray(parsed[i + 1])) || (parsed[i + 1].length < 1) || (!Array.isArray(parsed[i + 1][0])) ) + return [ parsed[i][1],parsed[i][2],'Capability definition is missing name.' ]; + let cap = parsed[++i]; + let capName = cap[0][0].toLowerCase(); + + if (!_isValidName(capName)) + return [ cap[0][1],cap[0][2],'Invalid capability name.' ]; + if (capName in RESERVED_WORDS) + return [ cap[0][1],cap[0][2],'Capability name is a reserved word.' ]; + + if (capName in caps) + return [ cap[0][1],cap[0][2],'Multiple definition of capability name.' ]; + + let capRules = []; + let id = -1; + for(let k=1;k= 0) + return [ cap[k][1],cap[k][2],'Duplicate id directive in capability definition.' ]; + if ((k + 1) >= cap.length) + return [ cap[k][1],cap[k][2],'Missing value for ID.' ]; + id = _parseNum(cap[++k][0]); + if ((id < 0)||(id > 0xffffffff)) + return [ cap[k - 1][1],cap[k - 1][2],'Invalid or out of range capability ID.' ]; + for(let cn in caps) { + if (caps[cn].id === id) + return [ cap[k - 1][1],cap[k - 1][2],'Duplicate capability ID.' ]; + } + } else { + capRules.push(cap[k]); + } + } + if (id < 0) + return [ cap[0][1],cap[0][2],'Capability definition is missing a numeric ID.' ]; + + caps[capName] = { + id: id, + rules: capRules + }; + } else { + baseRuleTree.push(parsed[i]); + } + } + + // Pass 3: render low-level ZeroTier rules arrays for capabilities and base. + + for(let capName in caps) { + let r = []; + let err = _renderActions(caps[capName].rules,r,macros,caps,tags,{}); + if (err !== null) + return err; + caps[capName].rules = r; + } + + let err = _renderActions(baseRuleTree,rules,macros,caps,tags,{}); + if (err !== null) + return err; + + return null; + } catch (e) { + console.log(e.stack); + return [ 0,0,'Unexpected exception: '+e.toString() ]; + } +} + +exports.compile = compile;