Add default tag values and default set capabilities for new members.

9 years ago · 32f5a0ab18
3 changed files with 144 additions and 45 deletions
--- a/controller/EmbeddedNetworkController.cpp
+++ b/controller/EmbeddedNetworkController.cpp
@ -969,6 +969,7 @@ unsigned int EmbeddedNetworkController::handleControlPlaneHttpPOST(
 									json ncap = json::object();
 									const uint64_t capId = OSUtils::jsonInt(cap["id"],0ULL);
 									ncap["id"] = capId;
+									ncap["default"] = OSUtils::jsonBool(cap["default"],false);

 									json &rules = cap["rules"];
 									json nrules = json::array();
@ -994,6 +995,31 @@ unsigned int EmbeddedNetworkController::handleControlPlaneHttpPOST(
 							network["capabilities"] = ncapsa;
 						}
 					}
+
+					if (b.count("tags")) {
+						json &tags = b["tags"];
+						if (tags.is_array()) {
+							std::map< uint64_t,json > ntags;
+							for(unsigned long i=0;i<tags.size();++i) {
+								json &tag = tags[i];
+								if (tag.is_object()) {
+									json ntag = json::object();
+									const uint64_t tagId = OSUtils::jsonInt(tag["id"],0ULL);
+									ntag["id"] = tagId;
+									if (tag.find("default") == tag.end())
+										ntag["default"] = json();
+									else ntag["default"] = OSUtils::jsonInt(tag["default"],0ULL);
+									ntags[tagId] = ntag;
+								}
+							}
+
+							json ntagsa = json::array();
+							for(std::map< uint64_t,json >::iterator t(ntags.begin());t!=ntags.end();++t)
+								ntagsa.push_back(t->second);
+							network["tags"] = ntagsa;
+						}
+					}
+
 				} catch ( ... ) {
 					responseBody = "{ \"message\": \"exception occurred while parsing body variables\" }";
 					responseContentType = "application/json";
@ -1207,6 +1233,8 @@ void EmbeddedNetworkController::_request(
 		return;
 	}

+	const bool newMember = (member.size() == 0);
+
 	json origMember(member); // for detecting modification later
 	_initMember(member);

@ -1392,6 +1420,7 @@ void EmbeddedNetworkController::_request(
 	json &routes = network["routes"];
 	json &rules = network["rules"];
 	json &capabilities = network["capabilities"];
+	json &tags = network["tags"];
 	json &memberCapabilities = member["capabilities"];
 	json &memberTags = member["tags"];

@ -1411,53 +1440,83 @@ void EmbeddedNetworkController::_request(
 			}
 		}

-		if ((memberCapabilities.is_array())&&(memberCapabilities.size() > 0)&&(capabilities.is_array())) {
-			std::map< uint64_t,json * > capsById;
+		std::map< uint64_t,json * > capsById;
+		if (!memberCapabilities.is_array())
+			memberCapabilities = json::array();
+		if (capabilities.is_array()) {
 			for(unsigned long i=0;i<capabilities.size();++i) {
 				json &cap = capabilities[i];
-				if (cap.is_object())
-					capsById[OSUtils::jsonInt(cap["id"],0ULL) & 0xffffffffULL] = &cap;
-			}
-
-			for(unsigned long i=0;i<memberCapabilities.size();++i) {
-				const uint64_t capId = OSUtils::jsonInt(memberCapabilities[i],0ULL) & 0xffffffffULL;
-				json *cap = capsById[capId];
-				if ((cap->is_object())&&(cap->size() > 0)) {
-					ZT_VirtualNetworkRule capr[ZT_MAX_CAPABILITY_RULES];
-					unsigned int caprc = 0;
-					json &caprj = (*cap)["rules"];
-					if ((caprj.is_array())&&(caprj.size() > 0)) {
-						for(unsigned long j=0;j<caprj.size();++j) {
-							if (caprc >= ZT_MAX_CAPABILITY_RULES)
+				if (cap.is_object()) {
+					const uint64_t id = OSUtils::jsonInt(cap["id"],0ULL) & 0xffffffffULL;
+					capsById[id] = &cap;
+					if ((newMember)&&(OSUtils::jsonBool(cap["default"],false))) {
+						bool have = false;
+						for(unsigned long i=0;i<memberCapabilities.size();++i) {
+							if (id == (OSUtils::jsonInt(memberCapabilities[i],0ULL) & 0xffffffffULL)) {
+								have = true;
 								break;
-							if (_parseRule(caprj[j],capr[caprc]))
-								++caprc;
+							}
 						}
+						if (!have)
+							memberCapabilities.push_back(id);
 					}
-					nc.capabilities[nc.capabilityCount] = Capability((uint32_t)capId,nwid,now,1,capr,caprc);
-					if (nc.capabilities[nc.capabilityCount].sign(_signingId,identity.address()))
-						++nc.capabilityCount;
-					if (nc.capabilityCount >= ZT_MAX_NETWORK_CAPABILITIES)
-						break;
 				}
 			}
 		}
+		for(unsigned long i=0;i<memberCapabilities.size();++i) {
+			const uint64_t capId = OSUtils::jsonInt(memberCapabilities[i],0ULL) & 0xffffffffULL;
+			json *cap = capsById[capId];
+			if ((cap->is_object())&&(cap->size() > 0)) {
+				ZT_VirtualNetworkRule capr[ZT_MAX_CAPABILITY_RULES];
+				unsigned int caprc = 0;
+				json &caprj = (*cap)["rules"];
+				if ((caprj.is_array())&&(caprj.size() > 0)) {
+					for(unsigned long j=0;j<caprj.size();++j) {
+						if (caprc >= ZT_MAX_CAPABILITY_RULES)
+							break;
+						if (_parseRule(caprj[j],capr[caprc]))
+							++caprc;
+					}
+				}
+				nc.capabilities[nc.capabilityCount] = Capability((uint32_t)capId,nwid,now,1,capr,caprc);
+				if (nc.capabilities[nc.capabilityCount].sign(_signingId,identity.address()))
+					++nc.capabilityCount;
+				if (nc.capabilityCount >= ZT_MAX_NETWORK_CAPABILITIES)
+					break;
+			}
+		}

+		std::map< uint32_t,uint32_t > memberTagsById;
 		if (memberTags.is_array()) {
-			std::map< uint32_t,uint32_t > tagsById;
 			for(unsigned long i=0;i<memberTags.size();++i) {
 				json &t = memberTags[i];
 				if ((t.is_array())&&(t.size() == 2))
-					tagsById[(uint32_t)(OSUtils::jsonInt(t[0],0ULL) & 0xffffffffULL)] = (uint32_t)(OSUtils::jsonInt(t[1],0ULL) & 0xffffffffULL);
+					memberTagsById[(uint32_t)(OSUtils::jsonInt(t[0],0ULL) & 0xffffffffULL)] = (uint32_t)(OSUtils::jsonInt(t[1],0ULL) & 0xffffffffULL);
 			}
-			for(std::map< uint32_t,uint32_t >::const_iterator t(tagsById.begin());t!=tagsById.end();++t) {
-				if (nc.tagCount >= ZT_MAX_NETWORK_TAGS)
-					break;
-				nc.tags[nc.tagCount] = Tag(nwid,now,identity.address(),t->first,t->second);
-				if (nc.tags[nc.tagCount].sign(_signingId))
-					++nc.tagCount;
+		}
+		if (tags.is_array()) { // check network tags array for defaults that are not present in member tags
+			for(unsigned long i=0;i<tags.size();++i) {
+				json &t = tags[i];
+				if (t.is_object()) {
+					const uint32_t id = (uint32_t)(OSUtils::jsonInt(t["id"],0) & 0xffffffffULL);
+					json &dfl = t["default"];
+					if ((dfl.is_number())&&(memberTagsById.find(id) == memberTagsById.end())) {
+						memberTagsById[id] = (uint32_t)(OSUtils::jsonInt(dfl,0) & 0xffffffffULL);
+						json mt = json::array();
+						mt.push_back(id);
+						mt.push_back(dfl);
+						memberTags.push_back(mt); // add default to member tags if not present
+					}
+				}
 			}
 		}
+		for(std::map< uint32_t,uint32_t >::const_iterator t(memberTagsById.begin());t!=memberTagsById.end();++t) {
+			if (nc.tagCount >= ZT_MAX_NETWORK_TAGS)
+				break;
+			nc.tags[nc.tagCount] = Tag(nwid,now,identity.address(),t->first,t->second);
+			if (nc.tags[nc.tagCount].sign(_signingId))
+				++nc.tagCount;
+		}
 	}

 	if (routes.is_array()) {
--- a/controller/EmbeddedNetworkController.hpp
+++ b/controller/EmbeddedNetworkController.hpp
@ -165,6 +165,7 @@ private:
 		if (!network.count("v6AssignMode")) network["v6AssignMode"] = {{"rfc4193",false},{"zt",false},{"6plane",false}};
 		if (!network.count("authTokens")) network["authTokens"] = nlohmann::json::array();
 		if (!network.count("capabilities")) network["capabilities"] = nlohmann::json::array();
+		if (!network.count("tags")) network["tags"] = nlohmann::json::array();
 		if (!network.count("routes")) network["routes"] = nlohmann::json::array();
 		if (!network.count("ipAssignmentPools")) network["ipAssignmentPools"] = nlohmann::json::array();
 		if (!network.count("rules")) {
--- a/rule-compiler/rule-compiler.js
+++ b/rule-compiler/rule-compiler.js
@ -19,7 +19,7 @@ const CHARACTERISTIC_BITS = {
 	'tcp_rs0': 11
 };

-// Shorthand names for ethernet types
+// Shorthand names for common ethernet types
 const ETHERTYPES = {
 	'ipv4': 0x0800,
 	'arp': 0x0806,
@ -31,9 +31,11 @@ const ETHERTYPES = {
 	'ipx_b': 0x8138
 };

-// Shorthand names for IP protocols
+// Shorthand names for common IP protocols
 const IP_PROTOCOLS = {
 	'icmp': 0x01,
+	'icmp4': 0x01,
+	'icmpv4': 0x01,
 	'igmp': 0x02,
 	'ipip': 0x04,
 	'tcp': 0x06,
@ -68,6 +70,7 @@ const RESERVED_WORDS = {
 	'macro': true,
 	'tag': true,
 	'cap': true,
+	'default': true,

 	'drop': true,
 	'accept': true,
@ -176,21 +179,22 @@ const MATCH_ARG_COUNTS = {
 	'teq': 2
 };

+// Regex of all alphanumeric characters in Unicode
 const INTL_ALPHANUM_REGEX = new RegExp('[0-9A-Za-z\xAA\xB5\xBA\xC0-\xD6\xD8-\xF6\xF8-\u02C1\u02C6-\u02D1\u02E0-\u02E4\u02EC\u02EE\u0370-\u0374\u0376\u0377\u037A-\u037D\u0386\u0388-\u038A\u038C\u038E-\u03A1\u03A3-\u03F5\u03F7-\u0481\u048A-\u0527\u0531-\u0556\u0559\u0561-\u0587\u05D0-\u05EA\u05F0-\u05F2\u0620-\u064A\u066E\u066F\u0671-\u06D3\u06D5\u06E5\u06E6\u06EE\u06EF\u06FA-\u06FC\u06FF\u0710\u0712-\u072F\u074D-\u07A5\u07B1\u07CA-\u07EA\u07F4\u07F5\u07FA\u0800-\u0815\u081A\u0824\u0828\u0840-\u0858\u08A0\u08A2-\u08AC\u0904-\u0939\u093D\u0950\u0958-\u0961\u0971-\u0977\u0979-\u097F\u0985-\u098C\u098F\u0990\u0993-\u09A8\u09AA-\u09B0\u09B2\u09B6-\u09B9\u09BD\u09CE\u09DC\u09DD\u09DF-\u09E1\u09F0\u09F1\u0A05-\u0A0A\u0A0F\u0A10\u0A13-\u0A28\u0A2A-\u0A30\u0A32\u0A33\u0A35\u0A36\u0A38\u0A39\u0A59-\u0A5C\u0A5E\u0A72-\u0A74\u0A85-\u0A8D\u0A8F-\u0A91\u0A93-\u0AA8\u0AAA-\u0AB0\u0AB2\u0AB3\u0AB5-\u0AB9\u0ABD\u0AD0\u0AE0\u0AE1\u0B05-\u0B0C\u0B0F\u0B10\u0B13-\u0B28\u0B2A-\u0B30\u0B32\u0B33\u0B35-\u0B39\u0B3D\u0B5C\u0B5D\u0B5F-\u0B61\u0B71\u0B83\u0B85-\u0B8A\u0B8E-\u0B90\u0B92-\u0B95\u0B99\u0B9A\u0B9C\u0B9E\u0B9F\u0BA3\u0BA4\u0BA8-\u0BAA\u0BAE-\u0BB9\u0BD0\u0C05-\u0C0C\u0C0E-\u0C10\u0C12-\u0C28\u0C2A-\u0C33\u0C35-\u0C39\u0C3D\u0C58\u0C59\u0C60\u0C61\u0C85-\u0C8C\u0C8E-\u0C90\u0C92-\u0CA8\u0CAA-\u0CB3\u0CB5-\u0CB9\u0CBD\u0CDE\u0CE0\u0CE1\u0CF1\u0CF2\u0D05-\u0D0C\u0D0E-\u0D10\u0D12-\u0D3A\u0D3D\u0D4E\u0D60\u0D61\u0D7A-\u0D7F\u0D85-\u0D96\u0D9A-\u0DB1\u0DB3-\u0DBB\u0DBD\u0DC0-\u0DC6\u0E01-\u0E30\u0E32\u0E33\u0E40-\u0E46\u0E81\u0E82\u0E84\u0E87\u0E88\u0E8A\u0E8D\u0E94-\u0E97\u0E99-\u0E9F\u0EA1-\u0EA3\u0EA5\u0EA7\u0EAA\u0EAB\u0EAD-\u0EB0\u0EB2\u0EB3\u0EBD\u0EC0-\u0EC4\u0EC6\u0EDC-\u0EDF\u0F00\u0F40-\u0F47\u0F49-\u0F6C\u0F88-\u0F8C\u1000-\u102A\u103F\u1050-\u1055\u105A-\u105D\u1061\u1065\u1066\u106E-\u1070\u1075-\u1081\u108E\u10A0-\u10C5\u10C7\u10CD\u10D0-\u10FA\u10FC-\u1248\u124A-\u124D\u1250-\u1256\u1258\u125A-\u125D\u1260-\u1288\u128A-\u128D\u1290-\u12B0\u12B2-\u12B5\u12B8-\u12BE\u12C0\u12C2-\u12C5\u12C8-\u12D6\u12D8-\u1310\u1312-\u1315\u1318-\u135A\u1380-\u138F\u13A0-\u13F4\u1401-\u166C\u166F-\u167F\u1681-\u169A\u16A0-\u16EA\u1700-\u170C\u170E-\u1711\u1720-\u1731\u1740-\u1751\u1760-\u176C\u176E-\u1770\u1780-\u17B3\u17D7\u17DC\u1820-\u1877\u1880-\u18A8\u18AA\u18B0-\u18F5\u1900-\u191C\u1950-\u196D\u1970-\u1974\u1980-\u19AB\u19C1-\u19C7\u1A00-\u1A16\u1A20-\u1A54\u1AA7\u1B05-\u1B33\u1B45-\u1B4B\u1B83-\u1BA0\u1BAE\u1BAF\u1BBA-\u1BE5\u1C00-\u1C23\u1C4D-\u1C4F\u1C5A-\u1C7D\u1CE9-\u1CEC\u1CEE-\u1CF1\u1CF5\u1CF6\u1D00-\u1DBF\u1E00-\u1F15\u1F18-\u1F1D\u1F20-\u1F45\u1F48-\u1F4D\u1F50-\u1F57\u1F59\u1F5B\u1F5D\u1F5F-\u1F7D\u1F80-\u1FB4\u1FB6-\u1FBC\u1FBE\u1FC2-\u1FC4\u1FC6-\u1FCC\u1FD0-\u1FD3\u1FD6-\u1FDB\u1FE0-\u1FEC\u1FF2-\u1FF4\u1FF6-\u1FFC\u2071\u207F\u2090-\u209C\u2102\u2107\u210A-\u2113\u2115\u2119-\u211D\u2124\u2126\u2128\u212A-\u212D\u212F-\u2139\u213C-\u213F\u2145-\u2149\u214E\u2183\u2184\u2C00-\u2C2E\u2C30-\u2C5E\u2C60-\u2CE4\u2CEB-\u2CEE\u2CF2\u2CF3\u2D00-\u2D25\u2D27\u2D2D\u2D30-\u2D67\u2D6F\u2D80-\u2D96\u2DA0-\u2DA6\u2DA8-\u2DAE\u2DB0-\u2DB6\u2DB8-\u2DBE\u2DC0-\u2DC6\u2DC8-\u2DCE\u2DD0-\u2DD6\u2DD8-\u2DDE\u2E2F\u3005\u3006\u3031-\u3035\u303B\u303C\u3041-\u3096\u309D-\u309F\u30A1-\u30FA\u30FC-\u30FF\u3105-\u312D\u3131-\u318E\u31A0-\u31BA\u31F0-\u31FF\u3400-\u4DB5\u4E00-\u9FCC\uA000-\uA48C\uA4D0-\uA4FD\uA500-\uA60C\uA610-\uA61F\uA62A\uA62B\uA640-\uA66E\uA67F-\uA697\uA6A0-\uA6E5\uA717-\uA71F\uA722-\uA788\uA78B-\uA78E\uA790-\uA793\uA7A0-\uA7AA\uA7F8-\uA801\uA803-\uA805\uA807-\uA80A\uA80C-\uA822\uA840-\uA873\uA882-\uA8B3\uA8F2-\uA8F7\uA8FB\uA90A-\uA925\uA930-\uA946\uA960-\uA97C\uA984-\uA9B2\uA9CF\uAA00-\uAA28\uAA40-\uAA42\uAA44-\uAA4B\uAA60-\uAA76\uAA7A\uAA80-\uAAAF\uAAB1\uAAB5\uAAB6\uAAB9-\uAABD\uAAC0\uAAC2\uAADB-\uAADD\uAAE0-\uAAEA\uAAF2-\uAAF4\uAB01-\uAB06\uAB09-\uAB0E\uAB11-\uAB16\uAB20-\uAB26\uAB28-\uAB2E\uABC0-\uABE2\uAC00-\uD7A3\uD7B0-\uD7C6\uD7CB-\uD7FB\uF900-\uFA6D\uFA70-\uFAD9\uFB00-\uFB06\uFB13-\uFB17\uFB1D\uFB1F-\uFB28\uFB2A-\uFB36\uFB38-\uFB3C\uFB3E\uFB40\uFB41\uFB43\uFB44\uFB46-\uFBB1\uFBD3-\uFD3D\uFD50-\uFD8F\uFD92-\uFDC7\uFDF0-\uFDFB\uFE70-\uFE74\uFE76-\uFEFC\uFF21-\uFF3A\uFF41-\uFF5A\uFF66-\uFFBE\uFFC2-\uFFC7\uFFCA-\uFFCF\uFFD2-\uFFD7\uFFDA-\uFFDC]');
+
+// Checks whether something is a valid capability, tag, or macro name
 function _isValidName(n)
 {
-	if ((typeof n !== 'string')||(n.length === 0))
-		return false;
-	if ("0123456789".indexOf(n.charAt(0)) >= 0)
-		return false;
+	if ((typeof n !== 'string')||(n.length === 0)) return false;
+	if ("0123456789".indexOf(n.charAt(0)) >= 0) return false;
 	for(let i=0;i<n.length;++i) {
 		let c = n.charAt(i);
-		if ((c !== '_')&&(!INTL_ALPHANUM_REGEX.test(c)))
-			return false;
+		if ((c !== '_')&&(!INTL_ALPHANUM_REGEX.test(c))) return false;
 	}
 	return true;
 }

+// Regexes for checking the basic syntactic validity of IP addresses
 const IPV6_REGEX = new RegExp('(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))');
 const IPV4_REGEX = new RegExp('((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])');

@ -682,6 +686,8 @@ function compile(src,rules,caps,tags)
 		for(let i=0;i<parsed.length;++i) {
 			let keyword = (typeof parsed[i][0] === 'string') ? parsed[i][0].toLowerCase() : null;
 			if (keyword === 'macro') {
+				// Define macros
+
 				if ( ((i + 1) >= parsed.length) || (!Array.isArray(parsed[i + 1])) || (parsed[i + 1].length < 1) || (!Array.isArray(parsed[i + 1][0])) )
 					return [ parsed[i][1],parsed[i][2],'Macro definition is missing name.' ];
 				let macro = parsed[++i];
@ -711,6 +717,8 @@ function compile(src,rules,caps,tags)
 					rules: macro.slice(1)
 				};
 			} else if (keyword === 'tag') {
+				// Define tags
+
 				if ( ((i + 1) >= parsed.length) || (!Array.isArray(parsed[i + 1])) || (parsed[i + 1].length < 1) || (!Array.isArray(parsed[i + 1][0])) )
 					return [ parsed[i][1],parsed[i][2],'Tag definition is missing name.' ];
 				let tag = parsed[++i];
@ -727,6 +735,7 @@ function compile(src,rules,caps,tags)
 				let flags = {};
 				let enums = {};
 				let id = -1;
+				let dfl = null;
 				for(let k=1;k<tag.length;++k) {
 					let tkeyword = tag[k][0].toLowerCase();
 					if (tkeyword === 'id') {
@ -737,6 +746,12 @@ function compile(src,rules,caps,tags)
 						id = _parseNum(tag[++k][0]);
 						if ((id < 0)||(id > 0xffffffff))
 							return [ tag[k][1],tag[k][2],'Invalid or out of range tag ID.' ];
+					} else if (tkeyword === 'default') {
+						if (id >= 0)
+							return [ tag[k][1],tag[k][2],'Duplicate tag id definition.' ];
+						if ((k + 1) >= tag.length)
+							return [ tag[k][1],tag[k][2],'Missing value for default.' ];
+						dfl = tag[++k][0]||null;
 					} else if (tkeyword === 'flag') {
 						if ((k + 2) >= tag.length)
 							return [ tag[k][1],tag[k][2],'Missing tag flag name or bit index.' ];
@ -780,12 +795,32 @@ function compile(src,rules,caps,tags)
 				if (id < 0)
 					return [ tag[0][1],tag[0][2],'Tag definition is missing a numeric ID.' ];

+				if (dfl) {
+					let dfl2 = enums[dfl];
+					if (typeof dfl2 === 'number') {
+						dfl = dfl2;
+					} else {
+						dfl2 = flags[dfl];
+						if (typeof dfl2 === 'number') {
+							dfl = dfl2;
+						} else {
+							dfl = _parseNum(dfl)||0;
+							if (dfl < 0)
+								dfl = 0;
+							else dfl &= 0xffffffff;
+						}
+					}
+				}
+
 				tags[tagName] = {
-					id: id,
-					enums: enums,
-					flags: flags
+					'id': id,
+					'default': dfl,
+					'enums': enums,
+					'flags': flags
 				};
 			} else if (keyword === 'cap') {
+				// Define capabilities
+
 				if ( ((i + 1) >= parsed.length) || (!Array.isArray(parsed[i + 1])) || (parsed[i + 1].length < 1) || (!Array.isArray(parsed[i + 1][0])) )
 					return [ parsed[i][1],parsed[i][2],'Capability definition is missing name.' ];
 				let cap = parsed[++i];
@ -801,8 +836,9 @@ function compile(src,rules,caps,tags)

 				let capRules = [];
 				let id = -1;
+				let dfl = false;
 				for(let k=1;k<cap.length;++k) {
-					if ((typeof cap[k][0] === 'string')&&(cap[k][0].toLowerCase() === 'id')) {
+					if (cap[k][0].toLowerCase() === 'id') {
 						if (id >= 0)
 							return [ cap[k][1],cap[k][2],'Duplicate id directive in capability definition.' ];
 						if ((k + 1) >= cap.length)
@ -814,6 +850,8 @@ function compile(src,rules,caps,tags)
 							if (caps[cn].id === id)
 								return [ cap[k - 1][1],cap[k - 1][2],'Duplicate capability ID.' ];
 						}
+					} else if (cap[k][0].toLowerCase() === 'default') {
+						dfl = true;
 					} else {
 						capRules.push(cap[k]);
 					}
@ -822,8 +860,9 @@ function compile(src,rules,caps,tags)
 					return [ cap[0][1],cap[0][2],'Capability definition is missing a numeric ID.' ];

 				caps[capName] = {
-					id: id,
-					rules: capRules
+					'id': id,
+					'default': dfl,
+					'rules': capRules
 				};
 			} else {
 				baseRuleTree.push(parsed[i]);