[apple/network_cmds.git] / ipsec / policy_parse.y

/*	$FreeBSD: src/lib/libipsec/policy_parse.y,v 1.1.2.1 2000/07/15 07:24:04 kris Exp $	*/
/*	$KAME: policy_parse.y,v 1.10 2000/05/07 05:25:03 itojun Exp $	*/

/*
 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/*
 * IN/OUT bound policy configuration take place such below:
 *	in <policy>
 *	out <policy>
 *
 * <policy> is one of following:
 *	"discard", "none", "ipsec <requests>", "entrust", "bypass",
 *
 * The following requests are accepted as <requests>:
 *
 *	protocol/mode/src-dst/level
 *	protocol/mode/src-dst		parsed as protocol/mode/src-dst/default
 *	protocol/mode/src-dst/		parsed as protocol/mode/src-dst/default
 *	protocol/transport		parsed as protocol/mode/any-any/default
 *	protocol/transport//level	parsed as protocol/mode/any-any/level
 *
 * You can concatenate these requests with either ' '(single space) or '\n'.
 */

%{
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>

#include <netinet/in.h>
#include <netinet6/ipsec.h>

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <netdb.h>

#include "ipsec_strerror.h"

#define ATOX(c) \
  (isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10) ))

static caddr_t pbuf = NULL;		/* sadb_x_policy buffer */
static int tlen = 0;			/* total length of pbuf */
static int offset = 0;			/* offset of pbuf */
static int p_dir, p_type, p_protocol, p_mode, p_level, p_reqid;
static struct sockaddr *p_src = NULL;
static struct sockaddr *p_dst = NULL;

struct _val;
extern void yyerror __P((char *msg));
static struct sockaddr *parse_sockaddr __P((struct _val *buf));
static int rule_check __P((void));
static int init_x_policy __P((void));
static int set_x_request __P((struct sockaddr *src, struct sockaddr *dst));
static int set_sockaddr __P((struct sockaddr *addr));
static void policy_parse_request_init __P((void));
static caddr_t policy_parse __P((char *msg, int msglen));

extern void __policy__strbuffer__init__ __P((char *msg));
extern int yyparse __P((void));
extern int yylex __P((void));

%}

%union {
	u_int num;
	struct _val {
		int len;
		char *buf;
	} val;
}

%token DIR ACTION PROTOCOL MODE LEVEL LEVEL_SPECIFY
%token IPADDRESS
%token ME ANY
%token SLASH HYPHEN
%type <num> DIR ACTION PROTOCOL MODE LEVEL
%type <val> IPADDRESS LEVEL_SPECIFY

%%
policy_spec
	:	DIR ACTION
		{
			p_dir = $1;
			p_type = $2;

			if (init_x_policy())
				return -1;
		}
		rules
	|	DIR
		{
			p_dir = $1;
			p_type = 0;	/* ignored it by kernel */

			if (init_x_policy())
				return -1;
		}
	;

rules
	:	/*NOTHING*/
	|	rules rule {
			if (rule_check() < 0)
				return -1;

			if (set_x_request(p_src, p_dst) < 0)
				return -1;

			policy_parse_request_init();
		}
	;

rule
	:	protocol SLASH mode SLASH addresses SLASH level
	|	protocol SLASH mode SLASH addresses SLASH
	|	protocol SLASH mode SLASH addresses
	|	protocol SLASH mode SLASH
	|	protocol SLASH mode SLASH SLASH level
	|	protocol SLASH mode
	|	protocol SLASH {
			__ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
			return -1;
		}
	|	protocol {
			__ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
			return -1;
		}
	;

protocol
	:	PROTOCOL { p_protocol = $1; }
	;

mode
	:	MODE { p_mode = $1; }
	;

level
	:	LEVEL {
			p_level = $1;
			p_reqid = 0;
		}
	|	LEVEL_SPECIFY {
			p_level = IPSEC_LEVEL_UNIQUE;
			p_reqid = atol($1.buf);	/* atol() is good. */
		}
	;

addresses
	:	IPADDRESS {
			p_src = parse_sockaddr(&$1);
			if (p_src == NULL)
				return -1;
		}
		HYPHEN
		IPADDRESS {
			p_dst = parse_sockaddr(&$4);
			if (p_dst == NULL)
				return -1;
		}
	|	ME HYPHEN ANY {
			if (p_dir != IPSEC_DIR_OUTBOUND) {
				__ipsec_errcode = EIPSEC_INVAL_DIR;
				return -1;
			}
		}
	|	ANY HYPHEN ME {
			if (p_dir != IPSEC_DIR_INBOUND) {
				__ipsec_errcode = EIPSEC_INVAL_DIR;
				return -1;
			}
		}
		/*
	|	ME HYPHEN ME
		*/
	;

%%

void
yyerror(msg)
	char *msg;
{
	extern char *__libipsecyytext;	/*XXX*/

	fprintf(stderr, "libipsec: %s while parsing \"%s\"\n",
		msg, __libipsecyytext);

	return;
}

static struct sockaddr *
parse_sockaddr(buf)
	struct _val *buf;
{
	struct addrinfo hints, *res;
	char *serv = NULL;
	int error;
	struct sockaddr *newaddr = NULL;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = PF_UNSPEC;
	hints.ai_flags = AI_NUMERICHOST;
	error = getaddrinfo(buf->buf, serv, &hints, &res);
	if (error != 0) {
		yyerror("invalid IP address");
		__ipsec_set_strerror(gai_strerror(error));
		return NULL;
	}

	if (res->ai_addr == NULL) {
		yyerror("invalid IP address");
		__ipsec_set_strerror(gai_strerror(error));
		return NULL;
	}

	newaddr = malloc(res->ai_addr->sa_len);
	if (newaddr == NULL) {
		__ipsec_errcode = EIPSEC_NO_BUFS;
		freeaddrinfo(res);
		return NULL;
	}
	memcpy(newaddr, res->ai_addr, res->ai_addr->sa_len);

	freeaddrinfo(res);

	__ipsec_errcode = EIPSEC_NO_ERROR;
	return newaddr;
}

static int
rule_check()
{
	if (p_type == IPSEC_POLICY_IPSEC) {
		if (p_protocol == IPPROTO_IP) {
			__ipsec_errcode = EIPSEC_NO_PROTO;
			return -1;
		}

		if (p_mode != IPSEC_MODE_TRANSPORT
		 && p_mode != IPSEC_MODE_TUNNEL) {
			__ipsec_errcode = EIPSEC_INVAL_MODE;
			return -1;
		}

		if (p_src == NULL && p_dst == NULL) {
			 if (p_mode != IPSEC_MODE_TRANSPORT) {
				__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
				return -1;
			}
		}
		else if (p_src->sa_family != p_dst->sa_family) {
			__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
			return -1;
		}
	}

	__ipsec_errcode = EIPSEC_NO_ERROR;
	return 0;
}

static int
init_x_policy()
{
	struct sadb_x_policy *p;

	tlen = sizeof(struct sadb_x_policy);

	pbuf = malloc(tlen);
	if (pbuf == NULL) {
		__ipsec_errcode = EIPSEC_NO_BUFS;
		return -1;
	}
	p = (struct sadb_x_policy *)pbuf;
	p->sadb_x_policy_len = 0;	/* must update later */
	p->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
	p->sadb_x_policy_type = p_type;
	p->sadb_x_policy_dir = p_dir;
	p->sadb_x_policy_reserved = 0;
	offset = tlen;

	__ipsec_errcode = EIPSEC_NO_ERROR;
	return 0;
}

static int
set_x_request(src, dst)
	struct sockaddr *src, *dst;
{
	struct sadb_x_ipsecrequest *p;
	int reqlen;

	reqlen = sizeof(*p)
		+ (src ? src->sa_len : 0)
		+ (dst ? dst->sa_len : 0);
	tlen += reqlen;		/* increment to total length */

	pbuf = realloc(pbuf, tlen);
	if (pbuf == NULL) {
		__ipsec_errcode = EIPSEC_NO_BUFS;
		return -1;
	}
	p = (struct sadb_x_ipsecrequest *)&pbuf[offset];
	p->sadb_x_ipsecrequest_len = reqlen;
	p->sadb_x_ipsecrequest_proto = p_protocol;
	p->sadb_x_ipsecrequest_mode = p_mode;
	p->sadb_x_ipsecrequest_level = p_level;
	p->sadb_x_ipsecrequest_reqid = p_reqid;
	offset += sizeof(*p);

	if (set_sockaddr(src) || set_sockaddr(dst))
		return -1;

	__ipsec_errcode = EIPSEC_NO_ERROR;
	return 0;
}

static int
set_sockaddr(addr)
	struct sockaddr *addr;
{
	if (addr == NULL) {
		__ipsec_errcode = EIPSEC_NO_ERROR;
		return 0;
	}

	/* tlen has already incremented */

	memcpy(&pbuf[offset], addr, addr->sa_len);

	offset += addr->sa_len;

	__ipsec_errcode = EIPSEC_NO_ERROR;
	return 0;
}

static void
policy_parse_request_init()
{
	p_protocol = IPPROTO_IP;
	p_mode = IPSEC_MODE_ANY;
	p_level = IPSEC_LEVEL_DEFAULT;
	p_reqid = 0;
	if (p_src != NULL) {
		free(p_src);
		p_src = NULL;
	}
	if (p_dst != NULL) {
		free(p_dst);
		p_dst = NULL;
	}

	return;
}

static caddr_t
policy_parse(msg, msglen)
	char *msg;
	int msglen;
{
	int error;
	pbuf = NULL;
	tlen = 0;

	/* initialize */
	p_dir = IPSEC_DIR_INVALID;
	p_type = IPSEC_POLICY_DISCARD;
	policy_parse_request_init();
	__policy__strbuffer__init__(msg);

	error = yyparse();	/* it must be set errcode. */
	if (error) {
		if (pbuf != NULL)
			free(pbuf);
		return NULL;
	}

	/* update total length */
	((struct sadb_x_policy *)pbuf)->sadb_x_policy_len = PFKEY_UNIT64(tlen);

	__ipsec_errcode = EIPSEC_NO_ERROR;

	return pbuf;
}

caddr_t
ipsec_set_policy(msg, msglen)
	char *msg;
	int msglen;
{
	caddr_t policy;

	policy = policy_parse(msg, msglen);
	if (policy == NULL) {
		if (__ipsec_errcode == EIPSEC_NO_ERROR)
			__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
		return NULL;
	}

	__ipsec_errcode = EIPSEC_NO_ERROR;
	return policy;
}
Commit	Line	Data
7ba0088d A	1	/* $FreeBSD: src/lib/libipsec/policy_parse.y,v 1.1.2.1 2000/07/15 07:24:04 kris Exp $ */
	2	/* $KAME: policy_parse.y,v 1.10 2000/05/07 05:25:03 itojun Exp $ */
	3
	4	/*
	5	* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
	6	* All rights reserved.
	7	*
	8	* Redistribution and use in source and binary forms, with or without
	9	* modification, are permitted provided that the following conditions
	10	* are met:
	11	* 1. Redistributions of source code must retain the above copyright
	12	* notice, this list of conditions and the following disclaimer.
	13	* 2. Redistributions in binary form must reproduce the above copyright
	14	* notice, this list of conditions and the following disclaimer in the
	15	* documentation and/or other materials provided with the distribution.
	16	* 3. Neither the name of the project nor the names of its contributors
	17	* may be used to endorse or promote products derived from this software
	18	* without specific prior written permission.
	19	*
	20	* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
	21	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	22	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	23	* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
	24	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	25	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	26	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	27	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	28	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	29	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	30	* SUCH DAMAGE.
	31	*/
	32
	33	/*
	34	* IN/OUT bound policy configuration take place such below:
	35	* in <policy>
	36	* out <policy>
	37	*
	38	* <policy> is one of following:
	39	* "discard", "none", "ipsec <requests>", "entrust", "bypass",
	40	*
	41	* The following requests are accepted as <requests>:
	42	*
	43	* protocol/mode/src-dst/level
	44	* protocol/mode/src-dst parsed as protocol/mode/src-dst/default
	45	* protocol/mode/src-dst/ parsed as protocol/mode/src-dst/default
	46	* protocol/transport parsed as protocol/mode/any-any/default
	47	* protocol/transport//level parsed as protocol/mode/any-any/level
	48	*
	49	* You can concatenate these requests with either ' '(single space) or '\n'.
	50	*/
	51
	52	%{
	53	#include <sys/types.h>
	54	#include <sys/param.h>
	55	#include <sys/socket.h>
	56
	57	#include <netinet/in.h>
	58	#include <netinet6/ipsec.h>
	59
	60	#include <stdlib.h>
	61	#include <stdio.h>
	62	#include <string.h>
	63	#include <netdb.h>
	64
65	#include "ipsec_strerror.h"
66
67	#define ATOX(c) \
68	(isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10) ))
69
70	static caddr_t pbuf = NULL; /* sadb_x_policy buffer */
71	static int tlen = 0; /* total length of pbuf */
72	static int offset = 0; /* offset of pbuf */
73	static int p_dir, p_type, p_protocol, p_mode, p_level, p_reqid;
74	static struct sockaddr *p_src = NULL;
75	static struct sockaddr *p_dst = NULL;
76
77	struct _val;
78	extern void yyerror __P((char *msg));
79	static struct sockaddr parse_sockaddr __P((struct _val buf));
80	static int rule_check __P((void));
81	static int init_x_policy __P((void));
82	static int set_x_request __P((struct sockaddr src, struct sockaddr dst));
83	static int set_sockaddr __P((struct sockaddr *addr));
84	static void policy_parse_request_init __P((void));
85	static caddr_t policy_parse __P((char *msg, int msglen));
86
87	extern void __policy__strbuffer__init__ __P((char *msg));
88	extern int yyparse __P((void));
89	extern int yylex __P((void));
90
91	%}
92
93	%union {
94	u_int num;
95	struct _val {
96	int len;
97	char *buf;
98	} val;
99	}
100
101	%token DIR ACTION PROTOCOL MODE LEVEL LEVEL_SPECIFY
102	%token IPADDRESS
103	%token ME ANY
104	%token SLASH HYPHEN
105	%type <num> DIR ACTION PROTOCOL MODE LEVEL
106	%type <val> IPADDRESS LEVEL_SPECIFY
107
108	%%
109	policy_spec
110	: DIR ACTION
111	{
112	p_dir = $1;
113	p_type = $2;
114
115	if (init_x_policy())
116	return -1;
117	}
118	rules
119	\| DIR
120	{
121	p_dir = $1;
122	p_type = 0; /* ignored it by kernel */
123
124	if (init_x_policy())
125	return -1;
126	}
127	;
128
129	rules
130	: /NOTHING/
131	\| rules rule {
132	if (rule_check() < 0)
133	return -1;
134
135	if (set_x_request(p_src, p_dst) < 0)
136	return -1;
137
138	policy_parse_request_init();
139	}
140	;
141
142	rule
143	: protocol SLASH mode SLASH addresses SLASH level
144	\| protocol SLASH mode SLASH addresses SLASH
145	\| protocol SLASH mode SLASH addresses
146	\| protocol SLASH mode SLASH
147	\| protocol SLASH mode SLASH SLASH level
148	\| protocol SLASH mode
149	\| protocol SLASH {
150	__ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
151	return -1;
152	}
153	\| protocol {
154	__ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
155	return -1;
156	}
157	;
158
159	protocol
160	: PROTOCOL { p_protocol = $1; }
161	;
162
163	mode
164	: MODE { p_mode = $1; }
165	;
166
167	level
168	: LEVEL {
169	p_level = $1;
170	p_reqid = 0;
171	}
172	\| LEVEL_SPECIFY {
173	p_level = IPSEC_LEVEL_UNIQUE;
174	p_reqid = atol($1.buf); /* atol() is good. */
175	}
176	;
177
178	addresses
179	: IPADDRESS {
180	p_src = parse_sockaddr(&$1);
181	if (p_src == NULL)
182	return -1;
183	}
184	HYPHEN
185	IPADDRESS {
186	p_dst = parse_sockaddr(&$4);
187	if (p_dst == NULL)
188	return -1;
189	}
190	\| ME HYPHEN ANY {
191	if (p_dir != IPSEC_DIR_OUTBOUND) {
192	__ipsec_errcode = EIPSEC_INVAL_DIR;
193	return -1;
194	}
195	}
196	\| ANY HYPHEN ME {
197	if (p_dir != IPSEC_DIR_INBOUND) {
198	__ipsec_errcode = EIPSEC_INVAL_DIR;
199	return -1;
200	}
201	}
202	/*
203	\| ME HYPHEN ME
204	*/
205	;
206
207	%%
208
209	void
210	yyerror(msg)
211	char *msg;
212	{
213	extern char __libipsecyytext; /XXX*/
214
215	fprintf(stderr, "libipsec: %s while parsing \"%s\"\n",
216	msg, __libipsecyytext);
217
218	return;
219	}
220
221	static struct sockaddr *
222	parse_sockaddr(buf)
223	struct _val *buf;
224	{
225	struct addrinfo hints, *res;
226	char *serv = NULL;
227	int error;
228	struct sockaddr *newaddr = NULL;
229
230	memset(&hints, 0, sizeof(hints));
231	hints.ai_family = PF_UNSPEC;
232	hints.ai_flags = AI_NUMERICHOST;
233	error = getaddrinfo(buf->buf, serv, &hints, &res);
234	if (error != 0) {
235	yyerror("invalid IP address");
236	__ipsec_set_strerror(gai_strerror(error));
237	return NULL;
238	}
239
240	if (res->ai_addr == NULL) {
241	yyerror("invalid IP address");
242	__ipsec_set_strerror(gai_strerror(error));
243	return NULL;
244	}
245
246	newaddr = malloc(res->ai_addr->sa_len);
247	if (newaddr == NULL) {
248	__ipsec_errcode = EIPSEC_NO_BUFS;
249	freeaddrinfo(res);
250	return NULL;
251	}
252	memcpy(newaddr, res->ai_addr, res->ai_addr->sa_len);
253
254	freeaddrinfo(res);
255
256	__ipsec_errcode = EIPSEC_NO_ERROR;
257	return newaddr;
258	}
259
260	static int
261	rule_check()
262	{
263	if (p_type == IPSEC_POLICY_IPSEC) {
264	if (p_protocol == IPPROTO_IP) {
265	__ipsec_errcode = EIPSEC_NO_PROTO;
266	return -1;
267	}
268
269	if (p_mode != IPSEC_MODE_TRANSPORT
270	&& p_mode != IPSEC_MODE_TUNNEL) {
271	__ipsec_errcode = EIPSEC_INVAL_MODE;
272	return -1;
273	}
274
275	if (p_src == NULL && p_dst == NULL) {
276	if (p_mode != IPSEC_MODE_TRANSPORT) {
277	__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
278	return -1;
279	}
280	}
281	else if (p_src->sa_family != p_dst->sa_family) {
282	__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
283	return -1;
284	}
285	}
286
287	__ipsec_errcode = EIPSEC_NO_ERROR;
288	return 0;
289	}
290
291	static int
292	init_x_policy()
293	{
294	struct sadb_x_policy *p;
295
296	tlen = sizeof(struct sadb_x_policy);
297
298	pbuf = malloc(tlen);
299	if (pbuf == NULL) {
300	__ipsec_errcode = EIPSEC_NO_BUFS;
301	return -1;
302	}
303	p = (struct sadb_x_policy *)pbuf;
304	p->sadb_x_policy_len = 0; /* must update later */
305	p->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
306	p->sadb_x_policy_type = p_type;
307	p->sadb_x_policy_dir = p_dir;
308	p->sadb_x_policy_reserved = 0;
309	offset = tlen;
310
311	__ipsec_errcode = EIPSEC_NO_ERROR;
312	return 0;
313	}
314
315	static int
316	set_x_request(src, dst)
317	struct sockaddr src, dst;
318	{
319	struct sadb_x_ipsecrequest *p;
320	int reqlen;
321
322	reqlen = sizeof(*p)
323	+ (src ? src->sa_len : 0)
324	+ (dst ? dst->sa_len : 0);
325	tlen += reqlen; /* increment to total length */
326
327	pbuf = realloc(pbuf, tlen);
328	if (pbuf == NULL) {
329	__ipsec_errcode = EIPSEC_NO_BUFS;
330	return -1;
331	}
332	p = (struct sadb_x_ipsecrequest *)&pbuf[offset];
333	p->sadb_x_ipsecrequest_len = reqlen;
334	p->sadb_x_ipsecrequest_proto = p_protocol;
335	p->sadb_x_ipsecrequest_mode = p_mode;
336	p->sadb_x_ipsecrequest_level = p_level;
337	p->sadb_x_ipsecrequest_reqid = p_reqid;
338	offset += sizeof(*p);
339
340	if (set_sockaddr(src) \|\| set_sockaddr(dst))
341	return -1;
342
343	__ipsec_errcode = EIPSEC_NO_ERROR;
344	return 0;
345	}
346
347	static int
348	set_sockaddr(addr)
349	struct sockaddr *addr;
350	{
351	if (addr == NULL) {
352	__ipsec_errcode = EIPSEC_NO_ERROR;
353	return 0;
354	}
355
356	/* tlen has already incremented */
357
358	memcpy(&pbuf[offset], addr, addr->sa_len);
359
360	offset += addr->sa_len;
361
362	__ipsec_errcode = EIPSEC_NO_ERROR;
363	return 0;
364	}
365
366	static void
367	policy_parse_request_init()
368	{
369	p_protocol = IPPROTO_IP;
370	p_mode = IPSEC_MODE_ANY;
371	p_level = IPSEC_LEVEL_DEFAULT;
372	p_reqid = 0;
373	if (p_src != NULL) {
374	free(p_src);
375	p_src = NULL;
376	}
377	if (p_dst != NULL) {
378	free(p_dst);
379	p_dst = NULL;
380	}
381
382	return;
383	}
384
385	static caddr_t
386	policy_parse(msg, msglen)
387	char *msg;
388	int msglen;
389	{
390	int error;
391	pbuf = NULL;
392	tlen = 0;
393
394	/* initialize */
395	p_dir = IPSEC_DIR_INVALID;
396	p_type = IPSEC_POLICY_DISCARD;
397	policy_parse_request_init();
398	__policy__strbuffer__init__(msg);
399
400	error = yyparse(); /* it must be set errcode. */
401	if (error) {
402	if (pbuf != NULL)
403	free(pbuf);
404	return NULL;
405	}
406
407	/* update total length */
408	((struct sadb_x_policy *)pbuf)->sadb_x_policy_len = PFKEY_UNIT64(tlen);
409
410	__ipsec_errcode = EIPSEC_NO_ERROR;
411
412	return pbuf;
413	}
414
415	caddr_t
416	ipsec_set_policy(msg, msglen)
417	char *msg;
418	int msglen;
419	{
420	caddr_t policy;
421
422	policy = policy_parse(msg, msglen);
423	if (policy == NULL) {
424	if (__ipsec_errcode == EIPSEC_NO_ERROR)
425	__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
426	return NULL;
427	}
428
429	__ipsec_errcode = EIPSEC_NO_ERROR;
430	return policy;
431	}
432