Merge branch '0.12' of https://github.com/jaqx0r/filtergen into 0.12

HISTORY

@@ -1,3 +1,9 @@
+0.12.8:
+    Fix some easy to cause crashes.
+    Remove some obsolete code that caused long compilation times.
+    Prevents inclusion of the root filesystem path directly.
+    Test that the example programs compile.
+
 0.12.7:
 	Supports iptables-restore output format.
 	Supports IPv6 names.

Makefile.am

@@ -19,7 +19,7 @@ filtergen_SOURCES = \
 	resolver.c \
 	icmpent.c
 
-filtergen_LDADD = @GETOPT_LIBS@
+filtergen_LDADD = @GETOPT_LIBS@ @LIBPROFILER@
 
 headers = filter.h util.h ast.h resolver.h icmpent.h
 

configure.ac

@@ -1,6 +1,6 @@
 AC_PREREQ(2.50)
 
-AC_INIT(filtergen, 0.12.7, jaq@spacepants.org)
+AC_INIT(filtergen, 0.12.8, jaq@spacepants.org)
 
 AC_CONFIG_AUX_DIR(.)
 AC_CONFIG_SRCDIR(filtergen.c)
@@ -43,6 +43,22 @@ if test "x$HAVE_GETOPT" = xyes ; then
 	AC_SUBST(GETOPT_LIBS)
 fi
 
+# Google profiler
+AC_MSG_CHECKING([whether to enable profiler])
+AC_ARG_WITH([profiler],
+  [AS_HELP_STRING([--with-profiler],[enable support for profiler [default=no]])],
+  [with_profiler=$withval],
+  [with_profiler=no]
+)
+AC_MSG_RESULT([$with_profiler])
+
+if test "x${with_profiler}" = "xyes"; then
+  AC_CHECK_LIB([profiler], [ProfilerStart],
+    [AC_SUBST([LIBPROFILER], ["-lprofiler"])],
+    [AC_MSG_FAILURE([check for profiler failed. Have you installed google-perftools-devel?])],
+  )
+fi
+
 dnl -----------------
 dnl set warning level
 dnl -----------------

fg-cisco.c

@@ -71,8 +71,8 @@ static int cb_cisco_rule(const struct filterent *ent,
     APP(rule_r, "IN");
     break;
   default:
-    fprintf(stderr, "unknown direction\n");
-    abort();
+    fprintf(stderr, "invalid direction: %d\n", ent->direction);
+    return -1;
   }
 
   /* target */
@@ -91,7 +91,8 @@ static int cb_cisco_rule(const struct filterent *ent,
     APPS(rule_r, "deny");
     break;
   default:
-    abort();
+    fprintf(stderr, "invalid target: %d\n", ent->target);
+    return -1;
   }
 
   /* protocol */
@@ -147,6 +148,5 @@ int fg_cisco(struct filter *filter, int flags) {
         "can generate broken rulesets.");
   filter_nogroup(filter);
   filter_unroll(&filter);
-  filter_apply_flags(filter, flags);
   return filtergen_cprod(filter, &cb_cisco, &misc);
 }

fg-ipchains.c

@@ -103,8 +103,8 @@ static int cb_ipchains_rule(const struct filterent *ent,
     forrevchain = strdup("forward");
     break;
   default:
-    fprintf(stderr, "unknown direction\n");
-    abort();
+    fprintf(stderr, "invalid direction: %d\n", ent->direction);
+    return -1;
   }
 
   if (ent->iface && strcmp(ent->iface, "*")) {
@@ -187,7 +187,8 @@ static int cb_ipchains_rule(const struct filterent *ent,
       forrevtarget = strdup("forw_out");
       break;
     default:
-      abort();
+      fprintf(stderr, "invalid direction: %d\n", ent->direction);
+      return -1;
     }
     break;
   case DROP:
@@ -221,11 +222,13 @@ static int cb_ipchains_rule(const struct filterent *ent,
       forrevtarget = strdup("forward");
       break;
     default:
-      abort();
+      fprintf(stderr, "invalid direction: %d\n", ent->direction);
+      return -1;
     }
     break;
   default:
-    abort();
+    fprintf(stderr, "invalid target: %d\n", ent->target);
+    return -1;
   }
 
   if (ent->oneway)
@@ -266,7 +269,6 @@ int fg_ipchains(struct filter *filter, int flags) {
   };
 
   filter_unroll(&filter);
-  filter_apply_flags(filter, flags);
   if (!(flags & FF_NOSKEL)) {
     oputs("for f in INPUT OUTPUT FORWARD; do " IPCHAINS " -P $f DENY; done");
     oputs(IPCHAINS " -F; " IPCHAINS " -X");
@@ -300,8 +302,8 @@ int flush_ipchains(enum filtertype policy) {
     ostr = strdup("REJECT");
     break;
   default:
-    fprintf(stderr, "invalid filtertype %d\n", policy);
-    abort();
+    fprintf(stderr, "invalid filtertype: %d\n", policy);
+    return -1;
   }
   oprintf("for f in $CHAINS; do " IPCHAINS " -P $f %s; done\n", ostr);
   oputs(IPCHAINS " -F; " IPCHAINS " -X");

fg-ipfilter.c

@@ -80,7 +80,8 @@ static int cb_ipfilter_rule(const struct filterent *ent,
       APP(rule, "block return-icmp-as-dest(port-unr)");
     break;
   default:
-    abort();
+    fprintf(stderr, "invalid target: %d\n", ent->target);
+    return -1;
   }
 
   /* in or out? */
@@ -92,8 +93,8 @@ static int cb_ipfilter_rule(const struct filterent *ent,
     APPS(rule, "out");
     break;
   default:
-    fprintf(stderr, "unknown direction\n");
-    abort();
+    fprintf(stderr, "invalid direction: %d\n", ent->direction);
+    return -1;
   }
 
   if (ESET(ent, LOG))
@@ -136,6 +137,5 @@ int fg_ipfilter(struct filter *filter, int flags) {
 
   filter_nogroup(filter);
   filter_unroll(&filter);
-  filter_apply_flags(filter, flags);
   return filtergen_cprod(filter, &cb_ipfilter, &misc);
 }

fg-iptables.c

@@ -157,8 +157,8 @@ static int cb_iptables_rule_common(const struct filterent *ent,
     }
     break;
   default:
-    fprintf(stderr, "unknown direction: %d\n", ent->direction);
-    abort();
+    fprintf(stderr, "invalid direction: %d\n", ent->direction);
+    return -1;
   }
 
   /* state and reverse rules here */
@@ -280,7 +280,8 @@ static int cb_iptables_rule_common(const struct filterent *ent,
       nattarget = strdup("REDIRECT");
       break;
     default:
-      abort();
+      fprintf(stderr, "invalid target: %d\n", target);
+      return -1;
     }
   }
 
@@ -297,7 +298,8 @@ static int cb_iptables_rule_common(const struct filterent *ent,
       forrevtarget = strdup("FORW_OUT");
       break;
     default:
-      abort();
+      fprintf(stderr, "invalid direction: %d\n", ent->direction);
+      return -1;
     }
     break;
   case DROP:
@@ -324,11 +326,13 @@ static int cb_iptables_rule_common(const struct filterent *ent,
       forrevtarget = strdup("FORWARD");
       break;
     default:
-      abort();
+      fprintf(stderr, "invalid direction: %d\n", ent->direction);
+      return -1;
     }
     break;
   default:
-    abort();
+    fprintf(stderr, "invalid target: %d\n", target);
+    return -1;
   }
 
   if ((misc->flags & FF_LSTATE) && (target != T_REJECT))
@@ -397,7 +401,6 @@ static int fg_iptables_common(struct filter *filter, int flags,
   const int nchains = 3;
 
   filter_unroll(&filter);
-  filter_apply_flags(filter, flags);
 
   if (!(flags & FF_NOSKEL)) {
     oputs("CHAINS=\"INPUT OUTPUT FORWARD\"");
@@ -481,7 +484,7 @@ static int flush_iptables_common(enum filtertype policy, sa_family_t family,
     break;
   default:
     fprintf(stderr, "invalid filtertype %d\n", policy);
-    abort();
+    return -1;
   }
   oprintf("for f in $CHAINS; do %s -P $f %s; done\n", iptables, ostr);
   oprintf("%s -F; %s -X\n", iptables, iptables);

fg-iptrestore.c

@@ -154,8 +154,8 @@ static int cb_iptrestore_rule_common(const struct filterent *ent,
     }
     break;
   default:
-    fprintf(stderr, "unknown direction\n");
-    abort();
+    fprintf(stderr, "invalid direction: %d\n", ent->direction);
+    return -1;
   }
 
   /* state and reverse rules here */
@@ -276,7 +276,8 @@ static int cb_iptrestore_rule_common(const struct filterent *ent,
       nattarget = strdup("REDIRECT");
       break;
     default:
-      abort();
+      fprintf(stderr, "invalid target: %d\n", target);
+      return -1;
     }
   }
 
@@ -293,7 +294,8 @@ static int cb_iptrestore_rule_common(const struct filterent *ent,
       forrevtarget = strdup("FORW_OUT");
       break;
     default:
-      abort();
+      fprintf(stderr, "invalid direction: %d\n", ent->direction);
+      return -1;
     }
     break;
   case DROP:
@@ -320,11 +322,13 @@ static int cb_iptrestore_rule_common(const struct filterent *ent,
       forrevtarget = strdup("FORWARD");
       break;
     default:
-      abort();
+      fprintf(stderr, "invalid direction: %d\n", ent->direction);
+      return -1;
     }
     break;
   default:
-    abort();
+    fprintf(stderr, "invalid target: %d\n", target);
+    return -1;
   }
 
   if ((misc->flags & FF_LSTATE) && (target != T_REJECT))
@@ -403,7 +407,6 @@ static int fg_iptrestore_common(struct filter *filter, int flags,
   const int nchains = 3;
 
   filter_unroll(&filter);
-  filter_apply_flags(filter, flags);
 
   if (!(flags & FF_NOSKEL)) {
     oprintf("%s <<EOF\n", iptables_restore);
@@ -477,7 +480,7 @@ static int flush_iptrestore_common(enum filtertype policy) {
     break;
   default:
     fprintf(stderr, "invalid filtertype %d\n", policy);
-    abort();
+    return -1;
   }
   oprintf(":INPUT %s [0:0]\n", ostr);
   oprintf(":OUTPUT %s [0:0]\n", ostr);

filter.c

@@ -190,8 +190,9 @@ struct filter *new_filter_host(enum filtertype type, const char *matchstr,
       }
       break;
     default:
-      fprintf(stderr, "can't parse netmask \"%s\" for unknown address family\n",
-              mask);
+      fprintf(stderr,
+              "can't parse netmask \"%s\" for invalid address family %d\n",
+              mask, family);
       return NULL;
     }
   }
@@ -409,72 +410,3 @@ void filter_nogroup(struct filter *f) {
 void filter_noneg(struct filter **f) { if (f) { };
   return;
 }
-
-/*
- * Apply flags to the tree
- */
-void filter_apply_flags(struct filter *f, long flags) {
-  struct filter *s;
-  if (!f)
-    return;
-  switch (f->type) {
-  /* Structural things */
-  case F_SIBLIST:
-    for (s = f->u.sib; s; s = s->next)
-      filter_apply_flags(s, flags);
-    break;
-  case F_SUBGROUP:
-    filter_apply_flags(f->u.sub.list, flags);
-    break;
-  case F_NEG:
-    filter_apply_flags(f->u.neg, flags);
-    break;
-  /* Real things */
-  case F_SPORT:
-  case F_DPORT:
-    if (flags & FF_LOOKUP) {
-      struct port_spec *p = &f->u.ports;
-      if (p->min == -1) {
-        fprintf(stderr, "warning: couldn't lookup service \"%s\"\n", p->minstr);
-        break;
-      }
-      free(p->minstr);
-      p->minstr = int_to_str_dup(p->min);
-      if (p->maxstr) {
-        if (p->max == -1) {
-          fprintf(stderr, "warning: couldn't lookup service \"%s\"\n",
-                  p->minstr);
-          break;
-        }
-        free(p->maxstr);
-        p->maxstr = int_to_str_dup(p->max);
-      }
-    }
-    break;
-  case F_SOURCE:
-  case F_DEST:
-    if (flags & FF_LOOKUP) {
-      struct addr_spec *a = &f->u.addrs;
-      struct addrinfo hints;
-      struct addrinfo *info = NULL;
-      memset(&hints, 0, sizeof(struct addrinfo));
-      hints.ai_family = a->family;
-      if (getaddrinfo(a->addrstr, NULL, &hints, &info) == 0) {
-        free(a->addrstr);
-        a->addrstr = malloc(NI_MAXHOST + 1);
-        if (getnameinfo(info->ai_addr, info->ai_addrlen, a->addrstr, NI_MAXHOST,
-                        NULL, 0, NI_NUMERICHOST)) {
-          fprintf(stderr, "warning: can't stringify IP: %s\n", strerror(errno));
-        }
-        freeaddrinfo(info);
-      } else {
-        fprintf(stderr, "warning: can't lookup name \"%s\"\n", a->addrstr);
-      }
-    }
-    break;
-  default:
-    break;
-  }
-  filter_apply_flags(f->child, flags);
-  filter_apply_flags(f->next, flags);
-}

filter.h

@@ -145,7 +145,6 @@ struct filter *new_filter_oneway(void);
 void filter_unroll(struct filter **f);
 void filter_nogroup(struct filter *f);
 void filter_noneg(struct filter **f);
-void filter_apply_flags(struct filter *f, long flags);
 
 /* from generated lexer and parer in filterlex.l */
 int filter_fopen(const char *filename);
@@ -215,10 +214,8 @@ enum flags {
   FF_LSTATE = (1 << 1),    /* lightweight state matching */
   FF_LOCAL = (1 << 2),     /* assume packets are local only */
   FF_ROUTE = (1 << 3),     /* assume packets are forwarded */
-  FF_LOOKUP = (1 << 4),    /* translate host and service names into IP addresses
-                              and port numbers */
+  FF_NORESOLVE = (1 << 4), /* don't resolve hostnames, ports, or services */
   FF_FLUSH = (1 << 5),     /* just flush the ruleset instead */
-  FF_NORESOLVE = (1 << 6), /* don't resolve hostnames, ports, or services */
 };
 
 /* filtergen.c */