ZeroTierOne/rule-compiler/rule-compiler.js

/*
 * Copyright (c)2019 ZeroTier, Inc.
 *
 * Use of this software is governed by the Business Source License included
 * in the LICENSE.TXT file in the project's root directory.
 *
 * Change Date: 2025-01-01
 *
 * On the date above, in accordance with the Business Source License, use
 * of this software will be governed by version 2.0 of the Apache License.
 */
/****/

'use strict';

// Names for bits in characteristics -- 0==LSB, 63==MSB
const CHARACTERISTIC_BITS = {
	'inbound': 63,
	'multicast': 62,
	'broadcast': 61,
	'ipauth': 60,
	'macauth': 59,
	'tcp_fin': 0,
	'tcp_syn': 1,
	'tcp_rst': 2,
	'tcp_psh': 3,
	'tcp_ack': 4,
	'tcp_urg': 5,
	'tcp_ece': 6,
	'tcp_cwr': 7,
	'tcp_ns': 8,
	'tcp_rs2': 9,
	'tcp_rs1': 10,
	'tcp_rs0': 11
};

// Shorthand names for common ethernet types
const ETHERTYPES = {
	'ipv4': 0x0800,
	'arp': 0x0806,
	'wol': 0x0842,
	'rarp': 0x8035,
	'ipv6': 0x86dd,
	'atalk': 0x809b,
	'aarp': 0x80f3,
	'ipx_a': 0x8137,
	'ipx_b': 0x8138
};

// Shorthand names for common IP protocols
const IP_PROTOCOLS = {
	'icmp': 0x01,
	'icmp4': 0x01,
	'icmpv4': 0x01,
	'igmp': 0x02,
	'ipip': 0x04,
	'tcp': 0x06,
	'egp': 0x08,
	'igp': 0x09,
	'udp': 0x11,
	'rdp': 0x1b,
	'esp': 0x32,
	'ah': 0x33,
	'icmp6': 0x3a,
	'icmpv6': 0x3a,
	'l2tp': 0x73,
	'sctp': 0x84,
	'udplite': 0x88
};

// Keywords that open new blocks that must be terminated by a semicolon
const OPEN_BLOCK_KEYWORDS = {
	'macro': true,
	'tag': true,
	'cap': true,
	'drop': true,
	'accept': true,
	'tee': true,
	'watch': true,
	'redirect': true,
	'break': true,
	'priority': true
};

// Reserved words that can't be used as tag, capability, or rule set names
const RESERVED_WORDS = {
	'macro': true,
	'tag': true,
	'cap': true,
	'default': true,

	'drop': true,
	'accept': true,
	'tee': true,
	'watch': true,
	'redirect': true,
	'break': true,
	'priority': true,

	'ztsrc': true,
	'ztdest': true,
	'vlan': true,
	'vlanpcp': true,
	'vlandei': true,
	'ethertype': true,
	'macsrc': true,
	'macdest': true,
	'ipsrc': true,
	'ipdest': true,
	'iptos': true,
	'ipprotocol': true,
	'icmp': true,
	'sport': true,
	'dport': true,
	'chr': true,
	'framesize': true,
	'random': true,
	'tand': true,
	'tor': true,
	'txor': true,
	'tdiff': true,
	'teq': true,
	'tseq': true,
	'treq': true,

	'type': true,
	'enum': true,
	'class': true,
	'define': true,
	'import': true,
	'include': true,
	'log': true,
	'not': true,
	'xor': true,
	'or': true,
	'and': true,
	'set': true,
	'var': true,
	'let': true
};

const KEYWORD_TO_API_MAP = {
	'drop': 'ACTION_DROP',
	'accept': 'ACTION_ACCEPT',
	'tee': 'ACTION_TEE',
	'watch': 'ACTION_WATCH',
	'redirect': 'ACTION_REDIRECT',
	'break': 'ACTION_BREAK',
	'priority': 'ACTION_PRIORITY',

	'ztsrc': 'MATCH_SOURCE_ZEROTIER_ADDRESS',
	'ztdest': 'MATCH_DEST_ZEROTIER_ADDRESS',
	'vlan': 'MATCH_VLAN_ID',
	'vlanpcp': 'MATCH_VLAN_PCP',
	'vlandei': 'MATCH_VLAN_DEI',
	'ethertype': 'MATCH_ETHERTYPE',
	'macsrc': 'MATCH_MAC_SOURCE',
	'macdest': 'MATCH_MAC_DEST',
	//'ipsrc': '', // special handling since we programmatically differentiate between V4 and V6
	//'ipdest': '', // special handling
	'iptos': 'MATCH_IP_TOS',
	'ipprotocol': 'MATCH_IP_PROTOCOL',
	'icmp': 'MATCH_ICMP',
	'sport': 'MATCH_IP_SOURCE_PORT_RANGE',
	'dport': 'MATCH_IP_DEST_PORT_RANGE',
	'chr': 'MATCH_CHARACTERISTICS',
	'framesize': 'MATCH_FRAME_SIZE_RANGE',
	'random': 'MATCH_RANDOM',
	'tand': 'MATCH_TAGS_BITWISE_AND',
	'tor': 'MATCH_TAGS_BITWISE_OR',
	'txor': 'MATCH_TAGS_BITWISE_XOR',
	'tdiff': 'MATCH_TAGS_DIFFERENCE',
	'teq': 'MATCH_TAGS_EQUAL',
	'tseq': 'MATCH_TAG_SENDER',
	'treq': 'MATCH_TAG_RECEIVER'
};

// Number of args for each match
const MATCH_ARG_COUNTS = {
	'ztsrc': 1,
	'ztdest': 1,
	'vlan': 1,
	'vlanpcp': 1,
	'vlandei': 1,
	'ethertype': 1,
	'macsrc': 1,
	'macdest': 1,
	'ipsrc': 1,
	'ipdest': 1,
	'iptos': 2,
	'ipprotocol': 1,
	'icmp': 2,
	'sport': 1,
	'dport': 1,
	'chr': 1,
	'framesize': 1,
	'random': 1,
	'tand': 2,
	'tor': 2,
	'txor': 2,
	'tdiff': 2,
	'teq': 2,
	'tseq': 2,
	'treq': 2
};

// Regex of all alphanumeric characters in Unicode
const INTL_ALPHANUM_REGEX = new RegExp('[0-9A-Za-z\xAA\xB5\xBA\xC0-\xD6\xD8-\xF6\xF8-\u02C1\u02C6-\u02D1\u02E0-\u02E4\u02EC\u02EE\u0370-\u0374\u0376\u0377\u037A-\u037D\u0386\u0388-\u038A\u038C\u038E-\u03A1\u03A3-\u03F5\u03F7-\u0481\u048A-\u0527\u0531-\u0556\u0559\u0561-\u0587\u05D0-\u05EA\u05F0-\u05F2\u0620-\u064A\u066E\u066F\u0671-\u06D3\u06D5\u06E5\u06E6\u06EE\u06EF\u06FA-\u06FC\u06FF\u0710\u0712-\u072F\u074D-\u07A5\u07B1\u07CA-\u07EA\u07F4\u07F5\u07FA\u0800-\u0815\u081A\u0824\u0828\u0840-\u0858\u08A0\u08A2-\u08AC\u0904-\u0939\u093D\u0950\u0958-\u0961\u0971-\u0977\u0979-\u097F\u0985-\u098C\u098F\u0990\u0993-\u09A8\u09AA-\u09B0\u09B2\u09B6-\u09B9\u09BD\u09CE\u09DC\u09DD\u09DF-\u09E1\u09F0\u09F1\u0A05-\u0A0A\u0A0F\u0A10\u0A13-\u0A28\u0A2A-\u0A30\u0A32\u0A33\u0A35\u0A36\u0A38\u0A39\u0A59-\u0A5C\u0A5E\u0A72-\u0A74\u0A85-\u0A8D\u0A8F-\u0A91\u0A93-\u0AA8\u0AAA-\u0AB0\u0AB2\u0AB3\u0AB5-\u0AB9\u0ABD\u0AD0\u0AE0\u0AE1\u0B05-\u0B0C\u0B0F\u0B10\u0B13-\u0B28\u0B2A-\u0B30\u0B32\u0B33\u0B35-\u0B39\u0B3D\u0B5C\u0B5D\u0B5F-\u0B61\u0B71\u0B83\u0B85-\u0B8A\u0B8E-\u0B90\u0B92-\u0B95\u0B99\u0B9A\u0B9C\u0B9E\u0B9F\u0BA3\u0BA4\u0BA8-\u0BAA\u0BAE-\u0BB9\u0BD0\u0C05-\u0C0C\u0C0E-\u0C10\u0C12-\u0C28\u0C2A-\u0C33\u0C35-\u0C39\u0C3D\u0C58\u0C59\u0C60\u0C61\u0C85-\u0C8C\u0C8E-\u0C90\u0C92-\u0CA8\u0CAA-\u0CB3\u0CB5-\u0CB9\u0CBD\u0CDE\u0CE0\u0CE1\u0CF1\u0CF2\u0D05-\u0D0C\u0D0E-\u0D10\u0D12-\u0D3A\u0D3D\u0D4E\u0D60\u0D61\u0D7A-\u0D7F\u0D85-\u0D96\u0D9A-\u0DB1\u0DB3-\u0DBB\u0DBD\u0DC0-\u0DC6\u0E01-\u0E30\u0E32\u0E33\u0E40-\u0E46\u0E81\u0E82\u0E84\u0E87\u0E88\u0E8A\u0E8D\u0E94-\u0E97\u0E99-\u0E9F\u0EA1-\u0EA3\u0EA5\u0EA7\u0EAA\u0EAB\u0EAD-\u0EB0\u0EB2\u0EB3\u0EBD\u0EC0-\u0EC4\u0EC6\u0EDC-\u0EDF\u0F00\u0F40-\u0F47\u0F49-\u0F6C\u0F88-\u0F8C\u1000-\u102A\u103F\u1050-\u1055\u105A-\u105D\u1061\u1065\u1066\u106E-\u1070\u1075-\u1081\u108E\u10A0-\u10C5\u10C7\u10CD\u10D0-\u10FA\u10FC-\u1248\u124A-\u124D\u1250-\u1256\u1258\u125A-\u125D\u1260-\u1288\u128A-\u128D\u1290-\u12B0\u12B2-\u12B5\u12B8-\u12BE\u12C0\u12C2-\u12C5\u12C8-\u12D6\u12D8-\u1310\u1312-\u1315\u1318-\u135A\u1380-\u138F\u13A0-\u13F4\u1401-\u166C\u166F-\u167F\u1681-\u169A\u16A0-\u16EA\u1700-\u170C\u170E-\u1711\u1720-\u1731\u1740-\u1751\u1760-\u176C\u176E-\u1770\u1780-\u17B3\u17D7\u17DC\u1820-\u1877\u1880-\u18A8\u18AA\u18B0-\u18F5\u1900-\u191C\u1950-\u196D\u1970-\u1974\u1980-\u19AB\u19C1-\u19C7\u1A00-\u1A16\u1A20-\u1A54\u1AA7\u1B05-\u1B33\u1B45-\u1B4B\u1B83-\u1BA0\u1BAE\u1BAF\u1BBA-\u1BE5\u1C00-\u1C23\u1C4D-\u1C4F\u1C5A-\u1C7D\u1CE9-\u1CEC\u1CEE-\u1CF1\u1CF5\u1CF6\u1D00-\u1DBF\u1E00-\u1F15\u1F18-\u1F1D\u1F20-\u1F45\u1F48-\u1F4D\u1F50-\u1F57\u1F59\u1F5B\u1F5D\u1F5F-\u1F7D\u1F80-\u1FB4\u1FB6-\u1FBC\u1FBE\u1FC2-\u1FC4\u1FC6-\u1FCC\u1FD0-\u1FD3\u1FD6-\u1FDB\u1FE0-\u1FEC\u1FF2-\u1FF4\u1FF6-\u1FFC\u2071\u207F\u2090-\u209C\u2102\u2107\u210A-\u2113\u2115\u2119-\u211D\u2124\u2126\u2128\u212A-\u212D\u212F-\u2139\u213C-\u213F\u2145-\u2149\u214E\u2183\u2184\u2C00-\u2C2E\u2C30-\u2C5E\u2C60-\u2CE4\u2CEB-\u2CEE\u2CF2\u2CF3\u2D00-\u2D25\u2D27\u2D2D\u2D30-\u2D67\u2D6F\u2D80-\u2D96\u2DA0-\u2DA6\u2DA8-\u2DAE\u2DB0-\u2DB6\u2DB8-\u2DBE\u2DC0-\u2DC6\u2DC8-\u2DCE\u2DD0-\u2DD6\u2DD8-\u2DDE\u2E2F\u3005\u3006\u3031-\u3035\u303B\u303C\u3041-\u3096\u309D-\u309F\u30A1-\u30FA\u30FC-\u30FF\u3105-\u312D\u3131-\u318E\u31A0-\u31BA\u31F0-\u31FF\u3400-\u4DB5\u4E00-\u9FCC\uA000-\uA48C\uA4D0-\uA4FD\uA500-\uA60C\uA610-\uA61F\uA62A\uA62B\uA640-\uA66E\uA67F-\uA697\uA6A0-\uA6E5\uA717-\uA71F\uA722-\uA788\uA78B-\uA78E\uA790-\uA793\uA7A0-\uA7AA\uA7F8-\uA801\uA803-\uA805\uA807-\uA80A\uA80C-\uA822\uA840-\uA873\uA882-\uA8B3\uA8F2-\uA8F7\uA8FB\uA90A-\uA925\uA930-\uA946\uA960-\uA97C\uA984-\uA9B2\uA9CF\uAA00-\uAA28\uAA40-\uAA42\uAA44-\uAA4B\uAA60-\uAA76\uAA7A\uAA80-\uAAAF\uAAB1\uAAB5\uAAB6\uAAB9-\uAABD\uAAC0\uAAC2\uAADB-\uAADD\uAAE0-\uAAEA\uAAF2-\uAAF4\uAB01-\uAB06\uAB09-\uAB0E\uAB11-\uAB16\uAB20-\uAB26\uAB28-\uAB2E\uABC0-\uABE2\uAC00-\uD7A3\uD7B0-\uD7C6\uD7CB-\uD7FB\uF900-\uFA6D\uFA70-\uFAD9\uFB00-\uFB06\uFB13-\uFB17\uFB1D\uFB1F-\uFB28\uFB2A-\uFB36\uFB38-\uFB3C\uFB3E\uFB40\uFB41\uFB43\uFB44\uFB46-\uFBB1\uFBD3-\uFD3D\uFD50-\uFD8F\uFD92-\uFDC7\uFDF0-\uFDFB\uFE70-\uFE74\uFE76-\uFEFC\uFF21-\uFF3A\uFF41-\uFF5A\uFF66-\uFFBE\uFFC2-\uFFC7\uFFCA-\uFFCF\uFFD2-\uFFD7\uFFDA-\uFFDC]');

// Checks whether something is a valid capability, tag, or macro name
function _isValidName(n)
{
	if ((typeof n !== 'string')||(n.length === 0)) return false;
	if ("0123456789".indexOf(n.charAt(0)) >= 0) return false;
	for(let i=0;i<n.length;++i) {
		let c = n.charAt(i);
		if ((c !== '_')&&(!INTL_ALPHANUM_REGEX.test(c))) return false;
	}
	return true;
}

// Regexes for checking the basic syntactic validity of IP addresses
const IPV6_REGEX = new RegExp('(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))');
const IPV4_REGEX = new RegExp('((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])');

function _parseNum(n)
{
	try {
		if ((typeof n !== 'string')||(n.length === 0))
			return -1;
		n = n.toLowerCase();
		if ((n.length > 2)&&(n.substr(0,2) === '0x'))
			n = parseInt(n.substr(2),16);
		else n = parseInt(n,10);
		return (((typeof n === 'number')&&(n !== null)&&(!isNaN(n))) ? n : -1);
	} catch (e) {
		return -1;
	}
}

function _cleanMac(m)
{
	m = m.toLowerCase();
	var m2 = '';
	let charcount = 0;
	for(let i=0;((i<m.length)&&(m2.length<17));++i) {
		let c = m.charAt(i);
		if ("0123456789abcdef".indexOf(c) >= 0) {
			m2 += c;
			charcount++;
			if ((m2.length > 0)&&(m2.length !== 17)&&(charcount >= 2) ) {
				m2 += ':';
				charcount=0;
			}
		}
	}
	return m2;
}

function _cleanHex(m)
{
	m = m.toLowerCase();
	var m2 = '';
	for(let i=0;i<m.length;++i) {
		let c = m.charAt(i);
		if ("0123456789abcdef".indexOf(c) >= 0)
			m2 += c;
	}
	return m2;
}

function _renderMatches(mtree,rules,macros,caps,tags,params)
{
	let not = false;
	let or = false;
	for(let k=0;k<mtree.length;++k) {
		let match = (typeof mtree[k][0] === 'string') ? mtree[k][0].toLowerCase() : '';
		if ((match.length === 0)||(match === 'and')) { // AND is the default
			continue;
		} else if (match === 'not') {
			not = true;
		} else if (match === 'or') {
			or = true;
		} else {
			let args = [];
			let argCount = MATCH_ARG_COUNTS[match];
			if (!argCount)
				return [ mtree[k][1],mtree[k][2],'Unrecognized match type "'+match+'".' ];
			for(let i=0;i<argCount;++i) {
				if (++k >= mtree.length)
					return [ mtree[k - 1][1],mtree[k - 1][2],'Missing argument(s) to match.' ];
				let arg = mtree[k][0];
				if ((typeof arg !== 'string')||(arg in RESERVED_WORDS)||(arg.length === 0))
					return [ mtree[k - 1][1],mtree[k - 1][2],'Missing argument(s) to match (invalid argument or argument is reserved word).' ];
				if (arg.charAt(0) === '$') {
					let tmp = params[arg];
					if (typeof tmp === 'undefined')
						return [ mtree[k][1],mtree[k][2],'Undefined variable name.' ];
					args.push([ tmp,mtree[k][1],mtree[k][2] ]);
				} else {
					args.push(mtree[k]);
				}
			}

			switch(match) {
				case 'ztsrc':
				case 'ztdest': {
					let zt = _cleanHex(args[0][0]);
					if (zt.length !== 10)
						return [ args[0][1],args[0][2],'Invalid ZeroTier address.' ];
					rules.push({
						'type': KEYWORD_TO_API_MAP[match],
						'not': not,
						'or': or,
						'zt': zt
					});
				}	break;

				case 'vlan':
				case 'vlanpcp':
				case 'vlandei':
				case 'ethertype':
				case 'ipprotocol': {
					let num = null;
					switch (match) {
						case 'ethertype': num = ETHERTYPES[args[0][0]]; break;
						case 'ipprotocol': num = IP_PROTOCOLS[args[0][0]]; break;
					}
					if (typeof num !== 'number')
						num = _parseNum(args[0][0]);
					if ((typeof num !== 'number')||(num < 0)||(num > 0xffffffff)||(num === null))
						return [ args[0][1],args[0][2],'Invalid numeric value.' ];
					let r = {
						'type': KEYWORD_TO_API_MAP[match],
						'not': not,
						'or': or
					};
					switch(match) {
						case 'vlan': r['vlanId'] = num; break;
						case 'vlanpcp': r['vlanPcp'] = num; break;
						case 'vlandei': r['vlanDei'] = num; break;
						case 'ethertype': r['etherType'] = num; break;
						case 'ipprotocol': r['ipProtocol'] = num; break;
					}
					rules.push(r);
				}	break;

				case 'random': {
					let num = parseFloat(args[0][0])||0.0;
					if (num < 0.0) num = 0.0;
					if (num > 1.0) num = 1.0;
					rules.push({
						'type': KEYWORD_TO_API_MAP[match],
						'not': not,
						'or': or,
						'probability': Math.floor(4294967295 * num)
					});
				}	break;

				case 'macsrc':
				case 'macdest': {
					let mac = _cleanMac(args[0][0]);
					if (mac.length !== 17)
						return [ args[0][1],args[0][2],'Invalid MAC address.' ];
					rules.push({
						'type': KEYWORD_TO_API_MAP[match],
						'not': not,
						'or': or,
						'mac': mac
					});
				}	break;

				case 'ipsrc':
				case 'ipdest': {
					let ip = args[0][0];
					let slashIdx = ip.indexOf('/');
					if (slashIdx <= 0)
						return [ args[0][1],args[0][2],'Missing /bits netmask length designation in IP.' ];
					let ipOnly = ip.substr(0,slashIdx);
					if (IPV6_REGEX.test(ipOnly)) {
						rules.push({
							'type': ((match === 'ipsrc') ? 'MATCH_IPV6_SOURCE' : 'MATCH_IPV6_DEST'),
							'not': not,
							'or': or,
							'ip': ip
						});
					} else if (IPV4_REGEX.test(ipOnly)) {
						rules.push({
							'type': ((match === 'ipsrc') ? 'MATCH_IPV4_SOURCE' : 'MATCH_IPV4_DEST'),
							'not': not,
							'or': or,
							'ip': ip
						});
					} else {
						return [ args[0][1],args[0][2],'Invalid IP address (not valid IPv4 or IPv6).' ];
					}
				}	break;

				case 'icmp': {
					let icmpType = _parseNum(args[0][0]);
					if ((icmpType < 0)||(icmpType > 0xff))
						return [ args[0][1],args[0][2],'Missing or invalid ICMP type.' ];
					let icmpCode = _parseNum(args[1][0]); // -1 okay, indicates don't match code
					if (icmpCode > 0xff)
						return [ args[1][1],args[1][2],'Invalid ICMP code (use -1 for none).' ];
					rules.push({
						'type': 'MATCH_ICMP',
						'not': not,
						'or': or,
						'icmpType': icmpType,
						'icmpCode': ((icmpCode < 0) ? null : icmpCode)
					});
				}	break;

				case 'sport':
				case 'dport':
				case 'framesize': {
					let arg = args[0][0];
					let fn = null;
					let tn = null;
					if (arg.indexOf('-') > 0) {
						let asplit = arg.split('-');
						if (asplit.length !== 2) {
							return [ args[0][1],args[0][2],'Invalid numeric range.' ];
						} else {
							fn = _parseNum(asplit[0]);
							tn = _parseNum(asplit[1]);
						}
					} else {
						fn = _parseNum(arg);
						tn = fn;
					}
					if ((fn < 0)||(fn > 0xffff)||(tn < 0)||(tn > 0xffff)||(tn < fn))
						return [ args[0][1],args[0][2],'Invalid numeric range.' ];
					rules.push({
						'type': KEYWORD_TO_API_MAP[match],
						'not': not,
						'or': or,
						'start': fn,
						'end': tn
					});
				}	break;

				case 'iptos': {
					let mask = _parseNum(args[0][0]);
					if ((typeof mask !== 'number')||(mask < 0)||(mask > 0xff)||(mask === null))
						return [ args[0][1],args[0][2],'Invalid mask.' ];
					let arg = args[1][0];
					let fn = null;
					let tn = null;
					if (arg.indexOf('-') > 0) {
						let asplit = arg.split('-');
						if (asplit.length !== 2) {
							return [ args[1][1],args[1][2],'Invalid value range.' ];
						} else {
							fn = _parseNum(asplit[0]);
							tn = _parseNum(asplit[1]);
						}
					} else {
						fn = _parseNum(arg);
						tn = fn;
					}
					if ((fn < 0)||(fn > 0xff)||(tn < 0)||(tn > 0xff)||(tn < fn))
						return [ args[1][1],args[1][2],'Invalid value range.' ];
					rules.push({
						'type': 'MATCH_IP_TOS',
						'not': not,
						'or': or,
						'mask': mask,
						'start': fn,
						'end': tn
					});
				}	break;

				case 'chr': {
					let chrb = args[0][0].split(/[,]+/);
					let maskhi = 0;
					let masklo = 0;
					for(let i=0;i<chrb.length;++i) {
						if (chrb[i].length > 0) {
							let tmp = CHARACTERISTIC_BITS[chrb[i]];
							let bit = (typeof tmp === 'number') ? tmp : _parseNum(chrb[i]);
							if ((bit < 0)||(bit > 63))
								return [ args[0][1],args[0][2],'Invalid bit index (range 0-63) or unrecognized name.' ];
							if (bit >= 32)
								maskhi |= Math.abs(1 << (bit - 32));
							else masklo |= Math.abs(1 << bit);
						}
					}
					maskhi = Math.abs(maskhi).toString(16);
					while (maskhi.length < 8) maskhi = '0' + maskhi;
					masklo = Math.abs(masklo).toString(16);
					while (masklo.length < 8) masklo = '0' + masklo;
					rules.push({
						'type': 'MATCH_CHARACTERISTICS',
						'not': not,
						'or': or,
						'mask': (maskhi + masklo)
					});
				}	break;

				case 'tand':
				case 'tor':
				case 'txor':
				case 'tdiff':
				case 'teq':
				case 'tseq':
				case 'treq': {
					let tag = tags[args[0][0]];
					let tagId = -1;
					let tagValue = -1;
					if (tag) {
						tagId = tag.id;
						tagValue = args[1][0];
						if (tagValue in tag.flags)
							tagValue = tag.flags[tagValue];
						else if (tagValue in tag.enums)
							tagValue = tag.enums[tagValue];
						else tagValue = _parseNum(tagValue);
					} else {
						tagId = _parseNum(args[0][0]);
						tagValue = _parseNum(args[1][0]);
					}
					if ((tagId < 0)||(tagId > 0xffffffff))
						return [ args[0][1],args[0][2],'Undefined tag name and invalid tag value.' ];
					if ((tagValue < 0)||(tagValue > 0xffffffff))
						return [ args[1][1],args[1][2],'Invalid tag value or unrecognized flag/enum name.' ];
					rules.push({
						'type': KEYWORD_TO_API_MAP[match],
						'not': not,
						'or': or,
						'id': tagId,
						'value': tagValue
					});
				}	break;
			}

			not = false;
			or = false;
		}
	}
	return null;
}

function _renderActions(rtree,rules,macros,caps,tags,params)
{
	for(let k=0;k<rtree.length;++k) {
		let action = (typeof rtree[k][0] === 'string') ? rtree[k][0].toLowerCase() : '';
		if (action.length === 0) {
			continue;
		} else if (action === 'include') {
			if ((k + 1) >= rtree.length)
				return [ rtree[k][1],rtree[k][2],'Include directive is missing a macro name.' ];
			let macroName = rtree[k + 1][0];
			++k;

			let macroParamArray = [];
			let parenIdx = macroName.indexOf('(');
			if (parenIdx > 0) {
				let pns = macroName.substr(parenIdx + 1).split(/[,)]+/);
				for(let k=0;k<pns.length;++k) {
					if (pns[k].length > 0)
						macroParamArray.push(pns[k]);
				}
				macroName = macroName.substr(0,parenIdx);
			}

			let macro = macros[macroName];
			if (!macro)
				return [ rtree[k][1],rtree[k][2],'Macro name not found.' ];
			let macroParams = {};
			for(let param in macro.params) {
				let pidx = macro.params[param];
				if (pidx >= macroParamArray.length)
					return [ rtree[k][1],rtree[k][2],'Missing one or more required macro parameter.' ];
				macroParams[param] = macroParamArray[pidx];
			}

			let err = _renderActions(macro.rules,rules,macros,caps,tags,macroParams);
			if (err !== null)
				return err;
		} else if ((action === 'drop')||(action === 'accept')||(action === 'break')) { // actions without arguments
			if (((k + 1) < rtree.length)&&(Array.isArray(rtree[k + 1][0]))) {
				let mtree = rtree[k + 1]; ++k;
				let err = _renderMatches(mtree,rules,macros,caps,tags,params);
				if (err !== null)
					return err;
			}
			rules.push({
				'type': KEYWORD_TO_API_MAP[action]
			});
		} else if ((action === 'tee')||(action === 'watch')) { // actions with arguments (ZeroTier address)
			if (((k + 1) < rtree.length)&&(Array.isArray(rtree[k + 1][0]))&&(rtree[k + 1][0].length >= 2)) {
				let mtree = rtree[k + 1]; ++k;
				let maxLength = _parseNum(mtree[0][0]);
				if ((maxLength < -1)||(maxLength > 0xffff))
					return [ mtree[0][1],mtree[1][2],'Tee/watch max packet length to forward invalid or out of range.' ];
				let target = mtree[1][0];
				if ((typeof target !== 'string')||(target.length !== 10))
					return [ mtree[1][1],mtree[1][2],'Missing or invalid ZeroTier address target for tee/watch.' ];
				let err = _renderMatches(mtree.slice(2),rules,macros,caps,tags,params);
				if (err !== null)
					return err;
				rules.push({
					'type': KEYWORD_TO_API_MAP[action],
					'address': target,
					'length': maxLength
				});
			} else {
				return [ rtree[k][1],rtree[k][2],'The tee and watch actions require two paremters (max length or 0 for all, target).' ];
			}
		} else if (action === 'redirect') {
			if (((k + 1) < rtree.length)&&(Array.isArray(rtree[k + 1][0]))&&(rtree[k + 1][0].length >= 1)) {
				let mtree = rtree[k + 1]; ++k;
				let target = mtree[0][0];
				if ((typeof target !== 'string')||(target.length !== 10))
					return [ mtree[0][1],mtree[0][2],'Missing or invalid ZeroTier address target for redirect.' ];
				let err = _renderMatches(mtree.slice(1),rules,macros,caps,tags,params);
				if (err !== null)
					return err;
				rules.push({
					'type': KEYWORD_TO_API_MAP[action],
					'address': target
				});
			} else {
				return [ rtree[k][1],rtree[k][2],'The redirect action requires a target parameter.' ];
			}
		} else {
			return [ rtree[k][1],rtree[k][2],'Unrecognized action or directive in rule set.' ];
		}
	}

	return null;
}

function compile(src,rules,caps,tags)
{
	try {
		if (typeof src !== 'string')
			return [ 0,0,'"src" parameter must be a string.' ];

		// Pass 1: parse source into a tree of arrays of elements. Each element is a 3-item
		// tuple consisting of string, line number, and character index in line to enable
		// informative error messages to be returned.

		var blockStack = [ [] ];
		var curr = [ '',-1,-1 ];
		var skipRestOfLine = false;
		for(let idx=0,lineNo=1,lineIdx=0;idx<src.length;++idx,++lineIdx) {
			let ch = src.charAt(idx);
			if (skipRestOfLine) {
				if ((ch === '\r')||(ch === '\n')) {
					skipRestOfLine = false;
					++lineNo;
					lineIdx = 0;
				}
			} else {
				switch(ch) {
					case '\n':
						++lineNo;
						lineIdx = 0;
					case '\r':
					case '\t':
					case ' ':
						if (curr[0].length > 0) {
							let endOfBlock = false;
							if (curr[0].charAt(curr[0].length - 1) === ';') {
								endOfBlock = true;
								curr[0] = curr[0].substr(0,curr[0].length - 1);
							}

							if (curr[0].length > 0) {
								blockStack[blockStack.length - 1].push(curr);
							}
							if ((endOfBlock)&&(blockStack.length > 1)&&(blockStack[blockStack.length - 1].length > 0)) {
								blockStack[blockStack.length - 2].push(blockStack[blockStack.length - 1]);
								blockStack.pop();
							} else if (curr[0] in OPEN_BLOCK_KEYWORDS) {
								blockStack.push([]);
							}

							curr = [ '',-1,-1 ];
						}
						break;
					default:
						if (curr[0].length === 0) {
							if (ch === '#') {
								skipRestOfLine = true;
								continue;
							} else {
								curr[1] = lineNo;
								curr[2] = lineIdx;
							}
						}
						curr[0] += ch;
						break;
				}
			}
		}

		if (curr[0].length > 0) {
			if (curr[0].charAt(curr[0].length - 1) === ';')
				curr[0] = curr[0].substr(0,curr[0].length - 1);
			if (curr[0].length > 0)
				blockStack[blockStack.length - 1].push(curr);
		}
		while ((blockStack.length > 1)&&(blockStack[blockStack.length - 1].length > 0)) {
			blockStack[blockStack.length - 2].push(blockStack[blockStack.length - 1]);
			blockStack.pop();
		}
		var parsed = blockStack[0];

		// Pass 2: parse tree into capabilities, tags, rule sets, and document-level rules.

		let baseRuleTree = [];
		let macros = {};
		for(let i=0;i<parsed.length;++i) {
			let keyword = (typeof parsed[i][0] === 'string') ? parsed[i][0].toLowerCase() : null;
			if (keyword === 'macro') {
				// Define macros

				if ( ((i + 1) >= parsed.length) || (!Array.isArray(parsed[i + 1])) || (parsed[i + 1].length < 1) || (!Array.isArray(parsed[i + 1][0])) )
					return [ parsed[i][1],parsed[i][2],'Macro definition is missing name.' ];
				let macro = parsed[++i];
				let macroName = macro[0][0].toLowerCase();

				let params = {};
				let parenIdx = macroName.indexOf('(');
				if (parenIdx > 0) {
					let pns = macroName.substr(parenIdx + 1).split(/[,)]+/);
					for(let k=0;k<pns.length;++k) {
						if (pns[k].length > 0)
							params[pns[k]] = k;
					}
					macroName = macroName.substr(0,parenIdx);
				}

				if (!_isValidName(macroName))
					return [ macro[0][1],macro[0][2],'Invalid macro name.' ];
				if (macroName in RESERVED_WORDS)
					return [ macro[0][1],macro[0][2],'Macro name is a reserved word.' ];

				if (macroName in macros)
					return [ macro[0][1],macro[0][2],'Multiple definition of macro name.' ];

				macros[macroName] = {
					params: params,
					rules: macro.slice(1)
				};
			} else if (keyword === 'tag') {
				// Define tags

				if ( ((i + 1) >= parsed.length) || (!Array.isArray(parsed[i + 1])) || (parsed[i + 1].length < 1) || (!Array.isArray(parsed[i + 1][0])) )
					return [ parsed[i][1],parsed[i][2],'Tag definition is missing name.' ];
				let tag = parsed[++i];
				let tagName = tag[0][0].toLowerCase();

				if (!_isValidName(tagName))
					return [ tag[0][1],tag[0][2],'Invalid tag name.' ];
				if (tagName in RESERVED_WORDS)
					return [ tag[0][1],tag[0][2],'Tag name is a reserved word.' ];

				if (tagName in tags)
					return [ tag[0][1],tag[0][2],'Multiple definition of tag name.' ];

				let flags = {};
				let enums = {};
				let id = -1;
				let dfl = null;
				for(let k=1;k<tag.length;++k) {
					let tkeyword = tag[k][0].toLowerCase();
					if (tkeyword === 'id') {
						if (id >= 0)
							return [ tag[k][1],tag[k][2],'Duplicate tag id definition.' ];
						if ((k + 1) >= tag.length)
							return [ tag[k][1],tag[k][2],'Missing numeric value for ID.' ];
						id = _parseNum(tag[++k][0]);
						if ((id < 0)||(id > 0xffffffff))
							return [ tag[k][1],tag[k][2],'Invalid or out of range tag ID.' ];
					} else if (tkeyword === 'default') {
						if (dfl !== null)
							return [ tag[k][1],tag[k][2],'Duplicate tag default directive.' ];
						if ((k + 1) >= tag.length)
							return [ tag[k][1],tag[k][2],'Missing value for default.' ];
						dfl = tag[++k][0];
					} else if (tkeyword === 'flag') {
						if ((k + 2) >= tag.length)
							return [ tag[k][1],tag[k][2],'Missing tag flag name or bit index.' ];
						++k;
						let bits = tag[k][0].split(/[,]+/);
						let mask = 0;
						for(let j=0;j<bits.length;++j) {
							let b = bits[j].toLowerCase();
							if (b in flags) {
								mask |= flags[b];
							} else {
								b = _parseNum(b);
								if ((b < 0)||(b > 31))
									return [ tag[k][1],tag[k][2],'Bit index invalid, out of range, or references an undefined flag name.' ];
								mask |= (1 << b);
							}
						}
						let flagName = tag[++k][0].toLowerCase();
						if (!_isValidName(flagName))
							return [ tag[k][1],tag[k][2],'Invalid or reserved flag name.' ];
						if (flagName in flags)
							return [ tag[k][1],tag[k][2],'Duplicate flag name in tag definition.' ];
						flags[flagName] = mask;
					} else if (tkeyword === 'enum') {
						if ((k + 2) >= tag.length)
							return [ tag[k][1],tag[k][2],'Missing tag enum name or value.' ];
						++k;
						let value = _parseNum(tag[k][0]);
						if ((value < 0)||(value > 0xffffffff))
							return [ tag[k][1],tag[k][2],'Tag enum value invalid or out of range.' ];
						let enumName = tag[++k][0].toLowerCase();
						if (!_isValidName(enumName))
							return [ tag[k][1],tag[k][2],'Invalid or reserved tag enum name.' ];
						if (enumName in enums)
							return [ tag[k][1],tag[k][2],'Duplicate enum name in tag definition.' ];
						enums[enumName] = value;
					} else {
						return [ tag[k][1],tag[k][2],'Unrecognized keyword in tag definition.' ];
					}
				}
				if (id < 0)
					return [ tag[0][1],tag[0][2],'Tag definition is missing a numeric ID.' ];

				if (typeof dfl === 'string') {
					let dfl2 = enums[dfl];
					if (typeof dfl2 === 'number') {
						dfl = dfl2;
					} else {
						dfl2 = flags[dfl];
						if (typeof dfl2 === 'number') {
							dfl = dfl2;
						} else {
							dfl = Math.abs(parseInt(dfl)||0) & 0xffffffff;
						}
					}
				} else if (typeof dfl === 'number') {
					dfl = Math.abs(dfl) & 0xffffffff;
				}

				tags[tagName] = {
					'id': id,
					'default': dfl,
					'enums': enums,
					'flags': flags
				};
			} else if (keyword === 'cap') {
				// Define capabilities

				if ( ((i + 1) >= parsed.length) || (!Array.isArray(parsed[i + 1])) || (parsed[i + 1].length < 1) || (!Array.isArray(parsed[i + 1][0])) )
					return [ parsed[i][1],parsed[i][2],'Capability definition is missing name.' ];
				let cap = parsed[++i];
				let capName = cap[0][0].toLowerCase();

				if (!_isValidName(capName))
					return [ cap[0][1],cap[0][2],'Invalid capability name.' ];
				if (capName in RESERVED_WORDS)
					return [ cap[0][1],cap[0][2],'Capability name is a reserved word.' ];

				if (capName in caps)
					return [ cap[0][1],cap[0][2],'Multiple definition of capability name.' ];

				let capRules = [];
				let id = -1;
				let dfl = false;
				for(let k=1;k<cap.length;++k) {
					let dn = (typeof cap[k][0] === 'string') ? cap[k][0].toLowerCase() : null;
					if (dn === 'id') {
						if (id >= 0)
							return [ cap[k][1],cap[k][2],'Duplicate id directive in capability definition.' ];
						if ((k + 1) >= cap.length)
							return [ cap[k][1],cap[k][2],'Missing value for ID.' ];
						id = _parseNum(cap[++k][0]);
						if ((id < 0)||(id > 0xffffffff))
							return [ cap[k - 1][1],cap[k - 1][2],'Invalid or out of range capability ID.' ];
						for(let cn in caps) {
							if (caps[cn].id === id)
								return [ cap[k - 1][1],cap[k - 1][2],'Duplicate capability ID.' ];
						}
					} else if (dn === 'default') {
						dfl = true;
					} else {
						capRules.push(cap[k]);
					}
				}
				if (id < 0)
					return [ cap[0][1],cap[0][2],'Capability definition is missing a numeric ID.' ];

				caps[capName] = {
					'id': id,
					'default': dfl,
					'rules': capRules
				};
			} else {
				baseRuleTree.push(parsed[i]);
			}
		}

		// Pass 3: render low-level ZeroTier rules arrays for capabilities and base.

		for(let capName in caps) {
			let r = [];
			let err = _renderActions(caps[capName].rules,r,macros,caps,tags,{});
			if (err !== null)
				return err;
			caps[capName].rules = r;
		}

		let err = _renderActions(baseRuleTree,rules,macros,caps,tags,{});
		if (err !== null)
			return err;

		return null;
	} catch (e) {
		console.log(e.stack);
		return [ 0,0,'Unexpected exception: '+e.toString() ];
	}
}

exports.compile = compile;