search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Expand PMF_FN_* macros.
[netbsd-mini2440.git] / dist / ipf / tools / ipf_y.y
blob31606b3887b8949a5e3ffd494abc86dea83c65e4
1 /* $NetBSD$ */
2
3 /*
4 * Copyright (C) 2001-2006 by Darren Reed.
5 *
6 * See the IPFILTER.LICENCE file for details on licencing.
7 */
8 %{
9 #include "ipf.h"
10 #include <sys/ioctl.h>
11 #include <syslog.h>
12 #ifdef IPFILTER_BPF
13 # include "pcap-bpf.h"
14 # define _NET_BPF_H_
15 # include <pcap.h>
16 #endif
17 #include "netinet/ip_pool.h"
18 #include "netinet/ip_htable.h"
19 #include "netinet/ipl.h"
20 #include "ipf_l.h"
21
22 #define YYDEBUG 1
23 #define DOALL(x) for (fr = frc; fr != NULL; fr = fr->fr_next) { x }
24 #define DOREM(x) for (; fr != NULL; fr = fr->fr_next) { x }
25
26 extern void yyerror __P((char *));
27 extern int yyparse __P((void));
28 extern int yylex __P((void));
29 extern int yydebug;
30 extern FILE *yyin;
31 extern int yylineNum;
32
33 static void newrule __P((void));
34 static void setipftype __P((void));
35 static u_32_t lookuphost __P((char *));
36 static void dobpf __P((int, char *));
37 static void resetaddr __P((void));
38 static struct alist_s *newalist __P((struct alist_s *));
39 static u_int makehash __P((struct alist_s *));
40 static int makepool __P((struct alist_s *));
41 static frentry_t *addrule __P((void));
42 static void setsyslog __P((void));
43 static void unsetsyslog __P((void));
44 static void fillgroup __P((frentry_t *));
45
46 frentry_t *fr = NULL, *frc = NULL, *frtop = NULL, *frold = NULL;
47
48 static int ifpflag = 0;
49 static int nowith = 0;
50 static int dynamic = -1;
51 static int pooled = 0;
52 static int hashed = 0;
53 static int nrules = 0;
54 static int newlist = 0;
55 static int added = 0;
56 static int ipffd = -1;
57 static int *yycont = 0;
58 static ioctlfunc_t ipfioctl[IPL_LOGSIZE];
59 static addfunc_t ipfaddfunc = NULL;
60 static struct wordtab ipfwords[95];
61 static struct wordtab addrwords[4];
62 static struct wordtab maskwords[5];
63 static struct wordtab icmpcodewords[17];
64 static struct wordtab icmptypewords[16];
65 static struct wordtab ipv4optwords[25];
66 static struct wordtab ipv4secwords[9];
67 static struct wordtab ipv6optwords[9];
68 static struct wordtab logwords[33];
69
70 %}
71 %union {
72 char *str;
73 u_32_t num;
74 struct in_addr ipa;
75 frentry_t fr;
76 frtuc_t *frt;
77 struct alist_s *alist;
78 u_short port;
79 struct {
80 u_short p1;
81 u_short p2;
82 int pc;
83 } pc;
84 struct {
85 union i6addr a;
86 union i6addr m;
87 } ipp;
88 union i6addr ip6;
89 struct {
90 char *if1;
91 char *if2;
92 } ifs;
93 };
94
95 %type <port> portnum
96 %type <num> facility priority icmpcode seclevel secname icmptype
97 %type <num> opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr
98 %type <num> portc porteq
99 %type <ipa> hostname ipv4 ipv4mask ipv4_16 ipv4_24
100 %type <ip6> ipv6mask
101 %type <ipp> addr ipaddr
102 %type <str> servicename name interfacename
103 %type <pc> portrange portcomp
104 %type <alist> addrlist poollist
105 %type <ifs> onname
106
107 %token <num> YY_NUMBER YY_HEX
108 %token <str> YY_STR
109 %token YY_COMMENT
110 %token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
111 %token YY_RANGE_OUT YY_RANGE_IN
112 %token <ip6> YY_IPV6
113
114 %token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL IPFY_NOMATCH
115 %token IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST
116 %token IPFY_IN IPFY_OUT
117 %token IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA
118 %token IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO IPFY_ROUTETO
119 %token IPFY_TOS IPFY_TTL IPFY_PROTO
120 %token IPFY_HEAD IPFY_GROUP
121 %token IPFY_AUTH IPFY_PREAUTH
122 %token IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK
123 %token IPFY_LOGTAG IPFY_MATCHTAG IPFY_SETTAG IPFY_SKIP
124 %token IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPFV4 IPFY_BPFV6 IPFY_POOL IPFY_HASH
125 %token IPFY_PPS
126 %token IPFY_ESP IPFY_AH
127 %token IPFY_WITH IPFY_AND IPFY_NOT IPFY_NO IPFY_OPT
128 %token IPFY_TCPUDP IPFY_TCP IPFY_UDP
129 %token IPFY_FLAGS IPFY_MULTICAST
130 %token IPFY_MASK IPFY_BROADCAST IPFY_NETWORK IPFY_NETMASKED IPFY_PEER
131 %token IPFY_PORT
132 %token IPFY_NOW
133 %token IPFY_ICMP IPFY_ICMPTYPE IPFY_ICMPCODE
134 %token IPFY_IPOPTS IPFY_SHORT IPFY_NAT IPFY_BADSRC IPFY_LOWTTL IPFY_FRAG
135 %token IPFY_MBCAST IPFY_BAD IPFY_BADNAT IPFY_OOW IPFY_NEWISN IPFY_NOICMPERR
136 %token IPFY_KEEP IPFY_STATE IPFY_FRAGS IPFY_LIMIT IPFY_STRICT IPFY_AGE
137 %token IPFY_SYNC IPFY_FRAGBODY
138 %token IPFY_IPOPT_NOP IPFY_IPOPT_RR IPFY_IPOPT_ZSU IPFY_IPOPT_MTUP
139 %token IPFY_IPOPT_MTUR IPFY_IPOPT_ENCODE IPFY_IPOPT_TS IPFY_IPOPT_TR
140 %token IPFY_IPOPT_SEC IPFY_IPOPT_LSRR IPFY_IPOPT_ESEC IPFY_IPOPT_CIPSO
141 %token IPFY_IPOPT_SATID IPFY_IPOPT_SSRR IPFY_IPOPT_ADDEXT IPFY_IPOPT_VISA
142 %token IPFY_IPOPT_IMITD IPFY_IPOPT_EIP IPFY_IPOPT_FINN IPFY_IPOPT_DPS
143 %token IPFY_IPOPT_SDB IPFY_IPOPT_NSAPA IPFY_IPOPT_RTRALRT IPFY_IPOPT_UMP
144 %token IPFY_SECCLASS IPFY_SEC_UNC IPFY_SEC_CONF IPFY_SEC_RSV1 IPFY_SEC_RSV2
145 %token IPFY_SEC_RSV4 IPFY_SEC_SEC IPFY_SEC_TS IPFY_SEC_RSV3
146
147 %token IPF6_V6HDRS IPFY_IPV6OPT IPFY_IPV6OPT_DSTOPTS IPFY_IPV6OPT_HOPOPTS
148 %token IPFY_IPV6OPT_IPV6 IPFY_IPV6OPT_NONE IPFY_IPV6OPT_ROUTING
149 %token IPFY_IPV6OPT_MOBILITY IPFY_IPV6OPT_ESP IPFY_IPV6OPT_FRAG
150
151 %token IPFY_ICMPT_UNR IPFY_ICMPT_ECHO IPFY_ICMPT_ECHOR IPFY_ICMPT_SQUENCH
152 %token IPFY_ICMPT_REDIR IPFY_ICMPT_TIMEX IPFY_ICMPT_PARAMP IPFY_ICMPT_TIMEST
153 %token IPFY_ICMPT_TIMESTREP IPFY_ICMPT_INFOREQ IPFY_ICMPT_INFOREP
154 %token IPFY_ICMPT_MASKREQ IPFY_ICMPT_MASKREP IPFY_ICMPT_ROUTERAD
155 %token IPFY_ICMPT_ROUTERSOL
156
157 %token IPFY_ICMPC_NETUNR IPFY_ICMPC_HSTUNR IPFY_ICMPC_PROUNR IPFY_ICMPC_PORUNR
158 %token IPFY_ICMPC_NEEDF IPFY_ICMPC_SRCFAIL IPFY_ICMPC_NETUNK IPFY_ICMPC_HSTUNK
159 %token IPFY_ICMPC_ISOLATE IPFY_ICMPC_NETPRO IPFY_ICMPC_HSTPRO
160 %token IPFY_ICMPC_NETTOS IPFY_ICMPC_HSTTOS IPFY_ICMPC_FLTPRO IPFY_ICMPC_HSTPRE
161 %token IPFY_ICMPC_CUTPRE
162
163 %token IPFY_FAC_KERN IPFY_FAC_USER IPFY_FAC_MAIL IPFY_FAC_DAEMON IPFY_FAC_AUTH
164 %token IPFY_FAC_SYSLOG IPFY_FAC_LPR IPFY_FAC_NEWS IPFY_FAC_UUCP IPFY_FAC_CRON
165 %token IPFY_FAC_LOCAL0 IPFY_FAC_LOCAL1 IPFY_FAC_LOCAL2 IPFY_FAC_LOCAL3
166 %token IPFY_FAC_LOCAL4 IPFY_FAC_LOCAL5 IPFY_FAC_LOCAL6 IPFY_FAC_LOCAL7
167 %token IPFY_FAC_SECURITY IPFY_FAC_FTP IPFY_FAC_AUTHPRIV IPFY_FAC_AUDIT
168 %token IPFY_FAC_LFMT IPFY_FAC_CONSOLE
169
170 %token IPFY_PRI_EMERG IPFY_PRI_ALERT IPFY_PRI_CRIT IPFY_PRI_ERR IPFY_PRI_WARN
171 %token IPFY_PRI_NOTICE IPFY_PRI_INFO IPFY_PRI_DEBUG
172 %%
173 file: line
174 | assign
175 | file line
176 | file assign
177 ;
178
179 line: rule { while ((fr = frtop) != NULL) {
180 frtop = fr->fr_next;
181 fr->fr_next = NULL;
182 (*ipfaddfunc)(ipffd, ipfioctl[IPL_LOGIPF], fr);
183 fr->fr_next = frold;
184 frold = fr;
185 }
186 resetlexer();
187 }
188 | YY_COMMENT
189 ;
190
191 xx: { newrule(); }
192 ;
193
194 assign: YY_STR assigning YY_STR ';' { set_variable($1, $3);
195 resetlexer();
196 free($1);
197 free($3);
198 yyvarnext = 0;
199 }
200 ;
201
202 assigning:
203 '=' { yyvarnext = 1; }
204 ;
205
206 rule: inrule eol
207 | outrule eol
208 ;
209
210 eol: | ';'
211 ;
212
213 inrule:
214 rulehead markin inopts rulemain ruletail intag ruletail2
215 ;
216
217 outrule:
218 rulehead markout outopts rulemain ruletail outtag ruletail2
219 ;
220
221 rulehead:
222 xx collection action
223 | xx insert collection action
224 ;
225
226 markin: IPFY_IN { fr->fr_flags |= FR_INQUE; }
227 ;
228
229 markout:
230 IPFY_OUT { fr->fr_flags |= FR_OUTQUE; }
231 ;
232
233 rulemain:
234 ipfrule
235 | bpfrule
236 ;
237
238 ipfrule:
239 tos ttl proto ip
240 ;
241
242 bpfrule:
243 IPFY_BPFV4 '{' YY_STR '}' { dobpf(4, $3); free($3); }
244 | IPFY_BPFV6 '{' YY_STR '}' { dobpf(6, $3); free($3); }
245 ;
246
247 ruletail:
248 with keep head group
249 ;
250
251 ruletail2:
252 pps age new
253 ;
254
255 intag: settagin matchtagin
256 ;
257
258 outtag: settagout matchtagout
259 ;
260
261 insert:
262 '@' YY_NUMBER { fr->fr_hits = (U_QUAD_T)$2 + 1; }
263 ;
264
265 collection:
266 | YY_NUMBER { fr->fr_collect = $1; }
267 ;
268
269 action: block
270 | IPFY_PASS { fr->fr_flags |= FR_PASS; }
271 | IPFY_NOMATCH { fr->fr_flags |= FR_NOMATCH; }
272 | log
273 | IPFY_COUNT { fr->fr_flags |= FR_ACCOUNT; }
274 | auth
275 | IPFY_SKIP YY_NUMBER { fr->fr_flags |= FR_SKIP;
276 fr->fr_arg = $2; }
277 | IPFY_CALL func
278 | IPFY_CALL IPFY_NOW func { fr->fr_flags |= FR_CALLNOW; }
279 ;
280
281 block: blocked
282 | blocked blockreturn
283 ;
284
285 blocked:
286 IPFY_BLOCK { fr->fr_flags = FR_BLOCK; }
287 ;
288 blockreturn:
289 IPFY_RETICMP { fr->fr_flags |= FR_RETICMP; }
290 | IPFY_RETICMP returncode { fr->fr_flags |= FR_RETICMP; }
291 | IPFY_RETICMPASDST { fr->fr_flags |= FR_FAKEICMP; }
292 | IPFY_RETICMPASDST returncode { fr->fr_flags |= FR_FAKEICMP; }
293 | IPFY_RETRST { fr->fr_flags |= FR_RETRST; }
294 ;
295
296 log: IPFY_LOG { fr->fr_flags |= FR_LOG; }
297 | IPFY_LOG logoptions { fr->fr_flags |= FR_LOG; }
298 ;
299
300 auth: IPFY_AUTH { fr->fr_flags |= FR_AUTH; }
301 | IPFY_AUTH blockreturn { fr->fr_flags |= FR_AUTH;}
302 | IPFY_PREAUTH { fr->fr_flags |= FR_PREAUTH; }
303 ;
304
305 func: YY_STR '/' YY_NUMBER { fr->fr_func = nametokva($1,
306 ipfioctl[IPL_LOGIPF]);
307 fr->fr_arg = $3;
308 free($1); }
309 ;
310
311 inopts:
312 | inopts inopt
313 ;
314
315 inopt:
316 logopt
317 | quick
318 | on
319 | dup
320 | froute
321 | proute
322 | replyto
323 ;
324
325 outopts:
326 | outopts outopt
327 ;
328
329 outopt:
330 logopt
331 | quick
332 | on
333 | dup
334 | proute
335 | replyto
336 ;
337
338 tos: | settos YY_NUMBER { DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
339 | settos YY_HEX { DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
340 | settos lstart toslist lend
341 ;
342
343 settos: IPFY_TOS { setipftype(); }
344 ;
345
346 toslist:
347 YY_NUMBER { DOALL(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
348 | YY_HEX { DOREM(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
349 | toslist lmore YY_NUMBER
350 { DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
351 | toslist lmore YY_HEX
352 { DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
353 ;
354
355 ttl: | setttl YY_NUMBER
356 { DOALL(fr->fr_ttl = $2; fr->fr_mttl = 0xff;) }
357 | setttl lstart ttllist lend
358 ;
359
360 lstart: '(' { newlist = 1; fr = frc; added = 0; }
361 ;
362
363 lend: ')' { nrules += added; }
364 ;
365
366 lmore: lanother { if (newlist == 1) {
367 newlist = 0;
368 }
369 fr = addrule();
370 if (yycont != NULL)
371 *yycont = 1;
372 }
373 ;
374
375 lanother:
376 | ','
377 ;
378
379 setttl: IPFY_TTL { setipftype(); }
380 ;
381
382 ttllist:
383 YY_NUMBER { DOREM(fr->fr_ttl = $1; fr->fr_mttl = 0xff;) }
384 | ttllist lmore YY_NUMBER
385 { DOREM(fr->fr_ttl = $3; fr->fr_mttl = 0xff;) }
386 ;
387
388 proto: | protox protocol { yyresetdict(); }
389 ;
390
391 protox: IPFY_PROTO { setipftype();
392 fr = frc;
393 yysetdict(NULL); }
394 ;
395
396 ip: srcdst flags icmp
397 ;
398
399 group: | IPFY_GROUP YY_STR { DOALL(strncpy(fr->fr_group, $2, \
400 FR_GROUPLEN); \
401 fillgroup(fr););
402 free($2); }
403 | IPFY_GROUP YY_NUMBER { DOALL(sprintf(fr->fr_group, "%d", \
404 $2); \
405 fillgroup(fr);) }
406 ;
407
408 head: | IPFY_HEAD YY_STR { DOALL(strncpy(fr->fr_grhead, $2, \
409 FR_GROUPLEN););
410 free($2); }
411 | IPFY_HEAD YY_NUMBER { DOALL(sprintf(fr->fr_grhead, "%d", \
412 $2);) }
413 ;
414
415 settagin:
416 | IPFY_SETTAG '(' taginlist ')'
417 ;
418
419 taginlist:
420 taginspec
421 | taginlist ',' taginspec
422 ;
423
424 taginspec:
425 logtag
426 ;
427
428 nattag: IPFY_NAT '=' YY_STR { DOALL(strncpy(fr->fr_nattag.ipt_tag,\
429 $3, IPFTAG_LEN););
430 free($3); }
431 | IPFY_NAT '=' YY_NUMBER { DOALL(sprintf(fr->fr_nattag.ipt_tag,\
432 "%d", $3 & 0xffffffff);) }
433 ;
434
435 logtag: IPFY_LOG '=' YY_NUMBER { DOALL(fr->fr_logtag = $3;) }
436 ;
437
438 settagout:
439 | IPFY_SETTAG '(' tagoutlist ')'
440 ;
441
442 tagoutlist:
443 tagoutspec
444 | tagoutlist ',' tagoutspec
445 ;
446
447 tagoutspec:
448 logtag
449 | nattag
450 ;
451
452 matchtagin:
453 | IPFY_MATCHTAG '(' tagoutlist ')'
454 ;
455
456 matchtagout:
457 | IPFY_MATCHTAG '(' taginlist ')'
458 ;
459
460 pps: | IPFY_PPS YY_NUMBER { DOALL(fr->fr_pps = $2;) }
461 ;
462
463 new: | savegroup file restoregroup
464 ;
465
466 savegroup:
467 '{'
468 ;
469
470 restoregroup:
471 '}'
472 ;
473
474 logopt: log
475 ;
476
477 quick:
478 IPFY_QUICK { fr->fr_flags |= FR_QUICK; }
479 ;
480
481 on: IPFY_ON onname
482 | IPFY_ON lstart onlist lend
483 | IPFY_ON onname IPFY_INVIA vianame
484 | IPFY_ON onname IPFY_OUTVIA vianame
485 ;
486
487 onlist: onname { DOREM(strncpy(fr->fr_ifnames[0], $1.if1, \
488 sizeof(fr->fr_ifnames[0])); \
489 if ($1.if2 != NULL) { \
490 strncpy(fr->fr_ifnames[1], \
491 $1.if2, \
492 sizeof(fr->fr_ifnames[1]));\
493 } \
494 ) }
495 | onlist lmore onname { DOREM(strncpy(fr->fr_ifnames[0], $3.if1, \
496 sizeof(fr->fr_ifnames[0])); \
497 if ($3.if2 != NULL) { \
498 strncpy(fr->fr_ifnames[1], \
499 $3.if2, \
500 sizeof(fr->fr_ifnames[1]));\
501 } \
502 ) }
503 ;
504
505 onname: interfacename
506 { strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
507 $$.if1 = fr->fr_ifnames[0];
508 $$.if2 = NULL;
509 free($1);
510 }
511 | interfacename ',' interfacename
512 { strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
513 $$.if1 = fr->fr_ifnames[0];
514 free($1);
515 strncpy(fr->fr_ifnames[1], $3, sizeof(fr->fr_ifnames[1]));
516 $$.if1 = fr->fr_ifnames[1];
517 free($3);
518 }
519 ;
520
521 vianame:
522 name
523 { strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
524 free($1);
525 }
526 | name ',' name
527 { strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
528 free($1);
529 strncpy(fr->fr_ifnames[3], $3, sizeof(fr->fr_ifnames[3]));
530 free($3);
531 }
532 ;
533
534 dup: IPFY_DUPTO name
535 { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
536 fr->fr_flags |= FR_DUP;
537 free($2);
538 }
539 | IPFY_DUPTO name duptoseparator hostname
540 { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
541 fr->fr_flags |= FR_DUP;
542 fr->fr_dif.fd_ip = $4;
543 yyexpectaddr = 0;
544 free($2);
545 }
546 | IPFY_DUPTO name duptoseparator YY_IPV6
547 { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
548 bcopy(&$4, &fr->fr_dif.fd_ip6, sizeof(fr->fr_dif.fd_ip6));
549 fr->fr_flags |= FR_DUP;
550 yyexpectaddr = 0;
551 free($2);
552 }
553 ;
554
555 duptoseparator:
556 ':' { yyexpectaddr = 1; yycont = &yyexpectaddr; resetaddr(); }
557 ;
558
559 froute: IPFY_FROUTE { fr->fr_flags |= FR_FASTROUTE; }
560 ;
561
562 proute: routeto name
563 { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
564 free($2);
565 }
566 | routeto name duptoseparator hostname
567 { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
568 fr->fr_tif.fd_ip = $4;
569 yyexpectaddr = 0;
570 free($2);
571 }
572 | routeto name duptoseparator YY_IPV6
573 { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
574 bcopy(&$4, &fr->fr_tif.fd_ip6, sizeof(fr->fr_tif.fd_ip6));
575 yyexpectaddr = 0;
576 free($2);
577 }
578 ;
579
580 routeto:
581 IPFY_TO
582 | IPFY_ROUTETO
583 ;
584
585 replyto:
586 IPFY_REPLY_TO name
587 { strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
588 free($2);
589 }
590 | IPFY_REPLY_TO name duptoseparator hostname
591 { strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
592 fr->fr_rif.fd_ip = $4;
593 free($2);
594 }
595 ;
596
597 logoptions:
598 logoption
599 | logoptions logoption
600 ;
601
602 logoption:
603 IPFY_BODY { fr->fr_flags |= FR_LOGBODY; }
604 | IPFY_FIRST { fr->fr_flags |= FR_LOGFIRST; }
605 | IPFY_ORBLOCK { fr->fr_flags |= FR_LOGORBLOCK; }
606 | level loglevel { unsetsyslog(); }
607 ;
608
609 returncode:
610 starticmpcode icmpcode ')' { fr->fr_icode = $2; yyresetdict(); }
611 ;
612
613 starticmpcode:
614 '(' { yysetdict(icmpcodewords); }
615 ;
616
617 srcdst: | IPFY_ALL
618 | fromto
619 ;
620
621 protocol:
622 YY_NUMBER { DOREM(fr->fr_proto = $1; \
623 fr->fr_mproto = 0xff;) }
624 | YY_STR { if (!strcmp($1, "tcp-udp")) {
625 DOREM(fr->fr_flx |= FI_TCPUDP; \
626 fr->fr_mflx |= FI_TCPUDP;)
627 } else {
628 int p = getproto($1);
629 if (p == -1)
630 yyerror("protocol unknown");
631 DOREM(fr->fr_proto = p; \
632 fr->fr_mproto = 0xff;)
633 }
634 free($1);
635 }
636 | YY_STR nextstring YY_STR
637 { if (!strcmp($1, "tcp") &&
638 !strcmp($3, "udp")) {
639 DOREM(fr->fr_flx |= FI_TCPUDP; \
640 fr->fr_mflx |= FI_TCPUDP;)
641 } else
642 YYERROR;
643 free($1);
644 free($3);
645 }
646 ;
647
648 nextstring:
649 '/' { yysetdict(NULL); }
650 ;
651
652 fromto: from srcobject to dstobject { yyexpectaddr = 0; yycont = NULL; }
653 | to dstobject { yyexpectaddr = 0; yycont = NULL; }
654 | from srcobject { yyexpectaddr = 0; yycont = NULL; }
655 ;
656
657 from: IPFY_FROM { setipftype();
658 if (fr == NULL)
659 fr = frc;
660 yyexpectaddr = 1;
661 if (yydebug)
662 printf("set yyexpectaddr\n");
663 yycont = &yyexpectaddr;
664 yysetdict(addrwords);
665 resetaddr(); }
666 ;
667
668 to: IPFY_TO { if (fr == NULL)
669 fr = frc;
670 yyexpectaddr = 1;
671 if (yydebug)
672 printf("set yyexpectaddr\n");
673 yycont = &yyexpectaddr;
674 yysetdict(addrwords);
675 resetaddr(); }
676 ;
677
678 with: | andwith withlist
679 ;
680
681 andwith:
682 IPFY_WITH { nowith = 0; setipftype(); }
683 | IPFY_AND { nowith = 0; setipftype(); }
684 ;
685
686 flags: | startflags flagset
687 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
688 | startflags flagset '/' flagset
689 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
690 | startflags '/' flagset
691 { DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
692 | startflags YY_NUMBER
693 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
694 | startflags '/' YY_NUMBER
695 { DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
696 | startflags YY_NUMBER '/' YY_NUMBER
697 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
698 | startflags flagset '/' YY_NUMBER
699 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
700 | startflags YY_NUMBER '/' flagset
701 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
702 ;
703
704 startflags:
705 IPFY_FLAGS { if (frc->fr_type != FR_T_IPF)
706 yyerror("flags with non-ipf type rule");
707 if (frc->fr_proto != IPPROTO_TCP)
708 yyerror("flags with non-TCP rule");
709 }
710 ;
711
712 flagset:
713 YY_STR { $$ = tcpflags($1); free($1); }
714 | YY_HEX { $$ = $1; }
715 ;
716
717 srcobject:
718 { yyresetdict(); } fromport
719 | srcaddr srcport
720 | '!' srcaddr srcport
721 { DOALL(fr->fr_flags |= FR_NOTSRCIP;) }
722 ;
723
724 srcaddr:
725 addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \
726 bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \
727 if (dynamic != -1) { \
728 fr->fr_satype = ifpflag; \
729 fr->fr_ipf->fri_sifpidx = dynamic; \
730 } else if (pooled || hashed) \
731 fr->fr_satype = FRI_LOOKUP;)
732 }
733 | lstart srcaddrlist lend
734 ;
735
736 srcaddrlist:
737 addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \
738 bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \
739 if (dynamic != -1) { \
740 fr->fr_satype = ifpflag; \
741 fr->fr_ipf->fri_sifpidx = dynamic; \
742 } else if (pooled || hashed) \
743 fr->fr_satype = FRI_LOOKUP;)
744 }
745 | srcaddrlist lmore addr
746 { DOREM(bcopy(&($3.a), &fr->fr_ip.fi_src, sizeof($3.a)); \
747 bcopy(&($3.m), &fr->fr_mip.fi_src, sizeof($3.m)); \
748 if (dynamic != -1) { \
749 fr->fr_satype = ifpflag; \
750 fr->fr_ipf->fri_sifpidx = dynamic; \
751 } else if (pooled || hashed) \
752 fr->fr_satype = FRI_LOOKUP;)
753 }
754 ;
755
756 srcport:
757 | portcomp
758 { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
759 | portrange
760 { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
761 fr->fr_stop = $1.p2;) }
762 | porteq lstart srcportlist lend
763 { yyresetdict(); }
764 ;
765
766 fromport:
767 portcomp
768 { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
769 | portrange
770 { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
771 fr->fr_stop = $1.p2;) }
772 | porteq lstart srcportlist lend
773 { yyresetdict(); }
774 ;
775
776 srcportlist:
777 portnum { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $1;) }
778 | portnum ':' portnum
779 { DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $1; \
780 fr->fr_stop = $3;) }
781 | portnum YY_RANGE_IN portnum
782 { DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $1; \
783 fr->fr_stop = $3;) }
784 | srcportlist lmore portnum
785 { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $3;) }
786 | srcportlist lmore portnum ':' portnum
787 { DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $3; \
788 fr->fr_stop = $5;) }
789 | srcportlist lmore portnum YY_RANGE_IN portnum
790 { DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $3; \
791 fr->fr_stop = $5;) }
792 ;
793
794 dstobject:
795 { yyresetdict(); } toport
796 | dstaddr dstport
797 | '!' dstaddr dstport
798 { DOALL(fr->fr_flags |= FR_NOTDSTIP;) }
799 ;
800
801 dstaddr:
802 addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
803 bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \
804 if (dynamic != -1) { \
805 fr->fr_datype = ifpflag; \
806 fr->fr_ipf->fri_difpidx = dynamic; \
807 } else if (pooled || hashed) \
808 fr->fr_datype = FRI_LOOKUP;)
809 }
810 | lstart dstaddrlist lend
811 ;
812
813 dstaddrlist:
814 addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
815 bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \
816 if (dynamic != -1) { \
817 fr->fr_datype = ifpflag; \
818 fr->fr_ipf->fri_difpidx = dynamic; \
819 } else if (pooled || hashed) \
820 fr->fr_datype = FRI_LOOKUP;)
821 }
822 | dstaddrlist lmore addr
823 { DOREM(bcopy(&($3.a), &fr->fr_ip.fi_dst, sizeof($3.a)); \
824 bcopy(&($3.m), &fr->fr_mip.fi_dst, sizeof($3.m)); \
825 if (dynamic != -1) { \
826 fr->fr_datype = ifpflag; \
827 fr->fr_ipf->fri_difpidx = dynamic; \
828 } else if (pooled || hashed) \
829 fr->fr_datype = FRI_LOOKUP;)
830 }
831 ;
832
833
834 dstport:
835 | portcomp
836 { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
837 | portrange
838 { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
839 fr->fr_dtop = $1.p2;) }
840 | porteq lstart dstportlist lend
841 { yyresetdict(); }
842 ;
843
844 toport:
845 portcomp
846 { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
847 | portrange
848 { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
849 fr->fr_dtop = $1.p2;) }
850 | porteq lstart dstportlist lend
851 { yyresetdict(); }
852 ;
853
854 dstportlist:
855 portnum { DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $1;) }
856 | portnum ':' portnum
857 { DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $1; \
858 fr->fr_dtop = $3;) }
859 | portnum YY_RANGE_IN portnum
860 { DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $1; \
861 fr->fr_dtop = $3;) }
862 | dstportlist lmore portnum
863 { DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $3;) }
864 | dstportlist lmore portnum ':' portnum
865 { DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $3; \
866 fr->fr_dtop = $5;) }
867 | dstportlist lmore portnum YY_RANGE_IN portnum
868 { DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $3; \
869 fr->fr_dtop = $5;) }
870 ;
871
872 addr: pool '/' YY_NUMBER { pooled = 1;
873 $$.a.iplookuptype = IPLT_POOL;
874 $$.a.iplookupsubtype = 0;
875 $$.a.iplookupnum = $3; }
876 | pool '/' YY_STR { pooled = 1;
877 $$.a.iplookuptype = IPLT_POOL;
878 $$.a.iplookupsubtype = 1;
879 strncpy($$.a.iplookupname, $3,
880 sizeof($$.a.iplookupname));
881 }
882 | pool '=' '(' poollist ')' { pooled = 1;
883 $$.a.iplookuptype = IPLT_POOL;
884 $$.a.iplookupsubtype = 0;
885 $$.a.iplookupnum = makepool($4); }
886 | hash '/' YY_NUMBER { hashed = 1;
887 $$.a.iplookuptype = IPLT_HASH;
888 $$.a.iplookupsubtype = 0;
889 $$.a.iplookupnum = $3; }
890 | hash '/' YY_STR { hashed = 1;
891 $$.a.iplookuptype = IPLT_HASH;
892 $$.a.iplookupsubtype = 1;
893 strncpy($$.a.iplookupname, $3,
894 sizeof($$.a.iplookupname));
895 }
896 | hash '=' '(' addrlist ')' { hashed = 1;
897 $$.a.iplookuptype = IPLT_HASH;
898 $$.a.iplookupsubtype = 0;
899 $$.a.iplookupnum = makehash($4); }
900 | ipaddr { bcopy(&$1, &$$, sizeof($$));
901 yyexpectaddr = 0; }
902 ;
903
904 ipaddr: IPFY_ANY { bzero(&($$), sizeof($$));
905 yyresetdict();
906 yyexpectaddr = 0; }
907 | hostname { $$.a.in4 = $1;
908 $$.m.in4_addr = 0xffffffff;
909 yyexpectaddr = 0; }
910 | hostname { yyresetdict();
911 $$.a.in4_addr = $1.s_addr; }
912 maskspace { yysetdict(maskwords); }
913 ipv4mask { $$.m.in4_addr = $5.s_addr;
914 $$.a.in4_addr &= $5.s_addr;
915 yyresetdict();
916 yyexpectaddr = 0; }
917 | YY_IPV6 { bcopy(&$1, &$$.a, sizeof($$.a));
918 fill6bits(128, (u_32_t *)&$$.m);
919 yyresetdict();
920 yyexpectaddr = 0; }
921 | YY_IPV6 { yyresetdict();
922 bcopy(&$1, &$$.a, sizeof($$.a)); }
923 maskspace { yysetdict(maskwords); }
924 ipv6mask { bcopy(&$5, &$$.m, sizeof($$.m));
925 yyresetdict();
926 yyexpectaddr = 0; }
927 ;
928 maskspace:
929 '/'
930 | IPFY_MASK
931 ;
932
933 ipv4mask:
934 ipv4 { $$ = $1; }
935 | YY_HEX { $$.s_addr = htonl($1); }
936 | YY_NUMBER { ntomask(4, $1, (u_32_t *)&$$); }
937 | IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) {
938 $$.s_addr = 0;
939 ifpflag = FRI_BROADCAST;
940 } else
941 YYERROR;
942 }
943 | IPFY_NETWORK { if (ifpflag == FRI_DYNAMIC) {
944 $$.s_addr = 0;
945 ifpflag = FRI_NETWORK;
946 } else
947 YYERROR;
948 }
949 | IPFY_NETMASKED { if (ifpflag == FRI_DYNAMIC) {
950 $$.s_addr = 0;
951 ifpflag = FRI_NETMASKED;
952 } else
953 YYERROR;
954 }
955 | IPFY_PEER { if (ifpflag == FRI_DYNAMIC) {
956 $$.s_addr = 0;
957 ifpflag = FRI_PEERADDR;
958 } else
959 YYERROR;
960 }
961 ;
962
963 ipv6mask:
964 YY_NUMBER { ntomask(6, $1, $$.i6); }
965 | IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) {
966 bzero(&$$, sizeof($$));
967 ifpflag = FRI_BROADCAST;
968 } else
969 YYERROR;
970 }
971 | IPFY_NETWORK { if (ifpflag == FRI_DYNAMIC) {
972 bzero(&$$, sizeof($$));
973 ifpflag = FRI_BROADCAST;
974 } else
975 YYERROR;
976 }
977 | IPFY_NETMASKED { if (ifpflag == FRI_DYNAMIC) {
978 bzero(&$$, sizeof($$));
979 ifpflag = FRI_BROADCAST;
980 } else
981 YYERROR;
982 }
983 | IPFY_PEER { if (ifpflag == FRI_DYNAMIC) {
984 bzero(&$$, sizeof($$));
985 ifpflag = FRI_BROADCAST;
986 } else
987 YYERROR;
988 }
989 ;
990
991 hostname:
992 ipv4 { $$ = $1; }
993 | YY_NUMBER { $$.s_addr = $1; }
994 | YY_HEX { $$.s_addr = $1; }
995 | YY_STR { $$.s_addr = lookuphost($1);
996 free($1);
997 }
998 ;
999
1000 addrlist:
1001 ipaddr { $$ = newalist(NULL);
1002 bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
1003 bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); }
1004 | addrlist ',' ipaddr
1005 { $$ = newalist($1);
1006 bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
1007 bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); }
1008 ;
1009
1010 pool: IPFY_POOL { yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
1011 ;
1012
1013 hash: IPFY_HASH { yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
1014 ;
1015
1016 poollist:
1017 ipaddr { $$ = newalist(NULL);
1018 bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
1019 bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); }
1020 | '!' ipaddr { $$ = newalist(NULL);
1021 $$->al_not = 1;
1022 bcopy(&($2.a), &($$->al_i6addr), sizeof($2.a));
1023 bcopy(&($2.m), &($$->al_i6mask), sizeof($2.m)); }
1024 | poollist ',' ipaddr
1025 { $$ = newalist($1);
1026 bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
1027 bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); }
1028 | poollist ',' '!' ipaddr
1029 { $$ = newalist($1);
1030 $$->al_not = 1;
1031 bcopy(&($4.a), &($$->al_i6addr), sizeof($4.a));
1032 bcopy(&($4.m), &($$->al_i6mask), sizeof($4.m)); }
1033 ;
1034
1035 port: IPFY_PORT { yyexpectaddr = 0;
1036 yycont = NULL;
1037 }
1038 ;
1039
1040 portc: port compare { $$ = $2;
1041 yysetdict(NULL); }
1042 | porteq { $$ = $1; }
1043 ;
1044
1045 porteq: port '=' { $$ = FR_EQUAL;
1046 yysetdict(NULL); }
1047 ;
1048
1049 portr: IPFY_PORT { yyexpectaddr = 0;
1050 yycont = NULL;
1051 yysetdict(NULL); }
1052 ;
1053
1054 portcomp:
1055 portc portnum { $$.pc = $1;
1056 $$.p1 = $2;
1057 yyresetdict(); }
1058 ;
1059
1060 portrange:
1061 portr portnum range portnum { $$.p1 = $2;
1062 $$.pc = $3;
1063 $$.p2 = $4;
1064 yyresetdict(); }
1065 ;
1066
1067 icmp: | itype icode
1068 ;
1069
1070 itype: seticmptype icmptype
1071 { DOALL(fr->fr_icmp = htons($2 << 8); fr->fr_icmpm = htons(0xff00););
1072 yyresetdict();
1073 }
1074 | seticmptype lstart typelist lend { yyresetdict(); }
1075 ;
1076
1077 seticmptype:
1078 IPFY_ICMPTYPE { setipftype();
1079 yysetdict(icmptypewords); }
1080 ;
1081
1082 icode: | seticmpcode icmpcode
1083 { DOALL(fr->fr_icmp |= htons($2); fr->fr_icmpm |= htons(0xff););
1084 yyresetdict();
1085 }
1086 | seticmpcode lstart codelist lend { yyresetdict(); }
1087 ;
1088
1089 seticmpcode:
1090 IPFY_ICMPCODE { yysetdict(icmpcodewords); }
1091 ;
1092
1093 typelist:
1094 icmptype
1095 { DOREM(fr->fr_icmp = htons($1 << 8); fr->fr_icmpm = htons(0xff00);) }
1096 | typelist lmore icmptype
1097 { DOREM(fr->fr_icmp = htons($3 << 8); fr->fr_icmpm = htons(0xff00);) }
1098 ;
1099
1100 codelist:
1101 icmpcode
1102 { DOREM(fr->fr_icmp |= htons($1); fr->fr_icmpm |= htons(0xff);) }
1103 | codelist lmore icmpcode
1104 { DOREM(fr->fr_icmp &= htons(0xff00); fr->fr_icmp |= htons($3); \
1105 fr->fr_icmpm |= htons(0xff);) }
1106 ;
1107
1108 age: | IPFY_AGE YY_NUMBER { DOALL(fr->fr_age[0] = $2; \
1109 fr->fr_age[1] = $2;) }
1110 | IPFY_AGE YY_NUMBER '/' YY_NUMBER
1111 { DOALL(fr->fr_age[0] = $2; \
1112 fr->fr_age[1] = $4;) }
1113 ;
1114
1115 keep: | IPFY_KEEP keepstate keep
1116 | IPFY_KEEP keepfrag keep
1117 ;
1118
1119 keepstate:
1120 IPFY_STATE stateoptlist { DOALL(fr->fr_flags |= FR_KEEPSTATE;)}
1121 ;
1122
1123 keepfrag:
1124 IPFY_FRAGS fragoptlist { DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
1125 | IPFY_FRAG fragoptlist { DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
1126 ;
1127
1128 fragoptlist:
1129 | '(' fragopts ')'
1130 ;
1131
1132 fragopts:
1133 fragopt lanother fragopts
1134 | fragopt
1135 ;
1136
1137 fragopt:
1138 IPFY_STRICT { DOALL(fr->fr_flags |= FR_FRSTRICT;) }
1139 ;
1140
1141 stateoptlist:
1142 | '(' stateopts ')'
1143 ;
1144
1145 stateopts:
1146 stateopt lanother stateopts
1147 | stateopt
1148 ;
1149
1150 stateopt:
1151 IPFY_LIMIT YY_NUMBER { DOALL(fr->fr_statemax = $2;) }
1152 | IPFY_STRICT { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
1153 YYERROR; \
1154 } else \
1155 fr->fr_flags |= FR_STSTRICT;)
1156 }
1157 | IPFY_NEWISN { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
1158 YYERROR; \
1159 } else \
1160 fr->fr_flags |= FR_NEWISN;)
1161 }
1162 | IPFY_NOICMPERR { DOALL(fr->fr_flags |= FR_NOICMPERR;) }
1163
1164 | IPFY_SYNC { DOALL(fr->fr_flags |= FR_STATESYNC;) }
1165 | IPFY_AGE YY_NUMBER { DOALL(fr->fr_age[0] = $2; \
1166 fr->fr_age[1] = $2;) }
1167 | IPFY_AGE YY_NUMBER '/' YY_NUMBER
1168 { DOALL(fr->fr_age[0] = $2; \
1169 fr->fr_age[1] = $4;) }
1170 ;
1171
1172 portnum:
1173 servicename { if (getport(frc, $1, &($$)) == -1)
1174 yyerror("service unknown");
1175 $$ = ntohs($$);
1176 free($1);
1177 }
1178 | YY_NUMBER { if ($1 > 65535) /* Unsigned */
1179 yyerror("invalid port number");
1180 else
1181 $$ = $1;
1182 }
1183 ;
1184
1185 withlist:
1186 withopt { nowith = 0; }
1187 | withlist withopt { nowith = 0; }
1188 | withlist ',' withopt { nowith = 0; }
1189 ;
1190
1191 withopt:
1192 opttype { DOALL(fr->fr_flx |= $1; fr->fr_mflx |= $1;) }
1193 | notwith opttype { DOALL(fr->fr_mflx |= $2;) }
1194 | ipopt ipopts { yyresetdict(); }
1195 | notwith ipopt ipopts { yyresetdict(); }
1196 | startv6hdrs ipv6hdrs { yyresetdict(); }
1197 ;
1198
1199 ipopt: IPFY_OPT { yysetdict(ipv4optwords); }
1200 ;
1201
1202 startv6hdrs:
1203 IPF6_V6HDRS { if (use_inet6 == 0)
1204 yyerror("only available with IPv6");
1205 yysetdict(ipv6optwords);
1206 }
1207 ;
1208
1209 notwith:
1210 IPFY_NOT { nowith = 1; }
1211 | IPFY_NO { nowith = 1; }
1212 ;
1213
1214 opttype:
1215 IPFY_IPOPTS { $$ = FI_OPTIONS; }
1216 | IPFY_SHORT { $$ = FI_SHORT; }
1217 | IPFY_NAT { $$ = FI_NATED; }
1218 | IPFY_BAD { $$ = FI_BAD; }
1219 | IPFY_BADNAT { $$ = FI_BADNAT; }
1220 | IPFY_BADSRC { $$ = FI_BADSRC; }
1221 | IPFY_LOWTTL { $$ = FI_LOWTTL; }
1222 | IPFY_FRAG { $$ = FI_FRAG; }
1223 | IPFY_FRAGBODY { $$ = FI_FRAGBODY; }
1224 | IPFY_FRAGS { $$ = FI_FRAG; }
1225 | IPFY_MBCAST { $$ = FI_MBCAST; }
1226 | IPFY_MULTICAST { $$ = FI_MULTICAST; }
1227 | IPFY_BROADCAST { $$ = FI_BROADCAST; }
1228 | IPFY_STATE { $$ = FI_STATE; }
1229 | IPFY_OOW { $$ = FI_OOW; }
1230 ;
1231
1232 ipopts: optlist { DOALL(fr->fr_mip.fi_optmsk |= $1;
1233 if (!nowith)
1234 fr->fr_ip.fi_optmsk |= $1;)
1235 }
1236 ;
1237
1238 optlist:
1239 opt { $$ |= $1; }
1240 | optlist ',' opt { $$ |= $1 | $3; }
1241 ;
1242
1243 ipv6hdrs:
1244 ipv6hdrlist { DOALL(fr->fr_mip.fi_optmsk |= $1;
1245 if (!nowith)
1246 fr->fr_ip.fi_optmsk |= $1;)
1247 }
1248 ;
1249
1250 ipv6hdrlist:
1251 ipv6hdr { $$ |= $1; }
1252 | ipv6hdrlist ',' ipv6hdr { $$ |= $1 | $3; }
1253 ;
1254
1255 secname:
1256 seclevel { $$ |= $1; }
1257 | secname ',' seclevel { $$ |= $1 | $3; }
1258 ;
1259
1260 seclevel:
1261 IPFY_SEC_UNC { $$ = secbit(IPSO_CLASS_UNCL); }
1262 | IPFY_SEC_CONF { $$ = secbit(IPSO_CLASS_CONF); }
1263 | IPFY_SEC_RSV1 { $$ = secbit(IPSO_CLASS_RES1); }
1264 | IPFY_SEC_RSV2 { $$ = secbit(IPSO_CLASS_RES2); }
1265 | IPFY_SEC_RSV3 { $$ = secbit(IPSO_CLASS_RES3); }
1266 | IPFY_SEC_RSV4 { $$ = secbit(IPSO_CLASS_RES4); }
1267 | IPFY_SEC_SEC { $$ = secbit(IPSO_CLASS_SECR); }
1268 | IPFY_SEC_TS { $$ = secbit(IPSO_CLASS_TOPS); }
1269 ;
1270
1271 icmptype:
1272 YY_NUMBER { $$ = $1; }
1273 | IPFY_ICMPT_UNR { $$ = ICMP_UNREACH; }
1274 | IPFY_ICMPT_ECHO { $$ = ICMP_ECHO; }
1275 | IPFY_ICMPT_ECHOR { $$ = ICMP_ECHOREPLY; }
1276 | IPFY_ICMPT_SQUENCH { $$ = ICMP_SOURCEQUENCH; }
1277 | IPFY_ICMPT_REDIR { $$ = ICMP_REDIRECT; }
1278 | IPFY_ICMPT_TIMEX { $$ = ICMP_TIMXCEED; }
1279 | IPFY_ICMPT_PARAMP { $$ = ICMP_PARAMPROB; }
1280 | IPFY_ICMPT_TIMEST { $$ = ICMP_TSTAMP; }
1281 | IPFY_ICMPT_TIMESTREP { $$ = ICMP_TSTAMPREPLY; }
1282 | IPFY_ICMPT_INFOREQ { $$ = ICMP_IREQ; }
1283 | IPFY_ICMPT_INFOREP { $$ = ICMP_IREQREPLY; }
1284 | IPFY_ICMPT_MASKREQ { $$ = ICMP_MASKREQ; }
1285 | IPFY_ICMPT_MASKREP { $$ = ICMP_MASKREPLY; }
1286 | IPFY_ICMPT_ROUTERAD { $$ = ICMP_ROUTERADVERT; }
1287 | IPFY_ICMPT_ROUTERSOL { $$ = ICMP_ROUTERSOLICIT; }
1288 ;
1289
1290 icmpcode:
1291 YY_NUMBER { $$ = $1; }
1292 | IPFY_ICMPC_NETUNR { $$ = ICMP_UNREACH_NET; }
1293 | IPFY_ICMPC_HSTUNR { $$ = ICMP_UNREACH_HOST; }
1294 | IPFY_ICMPC_PROUNR { $$ = ICMP_UNREACH_PROTOCOL; }
1295 | IPFY_ICMPC_PORUNR { $$ = ICMP_UNREACH_PORT; }
1296 | IPFY_ICMPC_NEEDF { $$ = ICMP_UNREACH_NEEDFRAG; }
1297 | IPFY_ICMPC_SRCFAIL { $$ = ICMP_UNREACH_SRCFAIL; }
1298 | IPFY_ICMPC_NETUNK { $$ = ICMP_UNREACH_NET_UNKNOWN; }
1299 | IPFY_ICMPC_HSTUNK { $$ = ICMP_UNREACH_HOST_UNKNOWN; }
1300 | IPFY_ICMPC_ISOLATE { $$ = ICMP_UNREACH_ISOLATED; }
1301 | IPFY_ICMPC_NETPRO { $$ = ICMP_UNREACH_NET_PROHIB; }
1302 | IPFY_ICMPC_HSTPRO { $$ = ICMP_UNREACH_HOST_PROHIB; }
1303 | IPFY_ICMPC_NETTOS { $$ = ICMP_UNREACH_TOSNET; }
1304 | IPFY_ICMPC_HSTTOS { $$ = ICMP_UNREACH_TOSHOST; }
1305 | IPFY_ICMPC_FLTPRO { $$ = ICMP_UNREACH_ADMIN_PROHIBIT; }
1306 | IPFY_ICMPC_HSTPRE { $$ = 14; }
1307 | IPFY_ICMPC_CUTPRE { $$ = 15; }
1308 ;
1309
1310 opt:
1311 IPFY_IPOPT_NOP { $$ = getoptbyvalue(IPOPT_NOP); }
1312 | IPFY_IPOPT_RR { $$ = getoptbyvalue(IPOPT_RR); }
1313 | IPFY_IPOPT_ZSU { $$ = getoptbyvalue(IPOPT_ZSU); }
1314 | IPFY_IPOPT_MTUP { $$ = getoptbyvalue(IPOPT_MTUP); }
1315 | IPFY_IPOPT_MTUR { $$ = getoptbyvalue(IPOPT_MTUR); }
1316 | IPFY_IPOPT_ENCODE { $$ = getoptbyvalue(IPOPT_ENCODE); }
1317 | IPFY_IPOPT_TS { $$ = getoptbyvalue(IPOPT_TS); }
1318 | IPFY_IPOPT_TR { $$ = getoptbyvalue(IPOPT_TR); }
1319 | IPFY_IPOPT_SEC { $$ = getoptbyvalue(IPOPT_SECURITY); }
1320 | IPFY_IPOPT_LSRR { $$ = getoptbyvalue(IPOPT_LSRR); }
1321 | IPFY_IPOPT_ESEC { $$ = getoptbyvalue(IPOPT_E_SEC); }
1322 | IPFY_IPOPT_CIPSO { $$ = getoptbyvalue(IPOPT_CIPSO); }
1323 | IPFY_IPOPT_SATID { $$ = getoptbyvalue(IPOPT_SATID); }
1324 | IPFY_IPOPT_SSRR { $$ = getoptbyvalue(IPOPT_SSRR); }
1325 | IPFY_IPOPT_ADDEXT { $$ = getoptbyvalue(IPOPT_ADDEXT); }
1326 | IPFY_IPOPT_VISA { $$ = getoptbyvalue(IPOPT_VISA); }
1327 | IPFY_IPOPT_IMITD { $$ = getoptbyvalue(IPOPT_IMITD); }
1328 | IPFY_IPOPT_EIP { $$ = getoptbyvalue(IPOPT_EIP); }
1329 | IPFY_IPOPT_FINN { $$ = getoptbyvalue(IPOPT_FINN); }
1330 | IPFY_IPOPT_DPS { $$ = getoptbyvalue(IPOPT_DPS); }
1331 | IPFY_IPOPT_SDB { $$ = getoptbyvalue(IPOPT_SDB); }
1332 | IPFY_IPOPT_NSAPA { $$ = getoptbyvalue(IPOPT_NSAPA); }
1333 | IPFY_IPOPT_RTRALRT { $$ = getoptbyvalue(IPOPT_RTRALRT); }
1334 | IPFY_IPOPT_UMP { $$ = getoptbyvalue(IPOPT_UMP); }
1335 | setsecclass secname
1336 { DOALL(fr->fr_mip.fi_secmsk |= $2;
1337 if (!nowith)
1338 fr->fr_ip.fi_secmsk |= $2;)
1339 $$ = 0;
1340 yyresetdict();
1341 }
1342 ;
1343
1344 setsecclass:
1345 IPFY_SECCLASS { yysetdict(ipv4secwords); }
1346 ;
1347
1348 ipv6hdr:
1349 IPFY_AH { $$ = getv6optbyvalue(IPPROTO_AH); }
1350 | IPFY_IPV6OPT_DSTOPTS { $$ = getv6optbyvalue(IPPROTO_DSTOPTS); }
1351 | IPFY_IPV6OPT_ESP { $$ = getv6optbyvalue(IPPROTO_ESP); }
1352 | IPFY_IPV6OPT_HOPOPTS { $$ = getv6optbyvalue(IPPROTO_HOPOPTS); }
1353 | IPFY_IPV6OPT_IPV6 { $$ = getv6optbyvalue(IPPROTO_IPV6); }
1354 | IPFY_IPV6OPT_NONE { $$ = getv6optbyvalue(IPPROTO_NONE); }
1355 | IPFY_IPV6OPT_ROUTING { $$ = getv6optbyvalue(IPPROTO_ROUTING); }
1356 | IPFY_IPV6OPT_FRAG { $$ = getv6optbyvalue(IPPROTO_FRAGMENT); }
1357 | IPFY_IPV6OPT_MOBILITY { $$ = getv6optbyvalue(IPPROTO_MOBILITY); }
1358 ;
1359
1360 level: IPFY_LEVEL { setsyslog(); }
1361 ;
1362
1363 loglevel:
1364 priority { fr->fr_loglevel = LOG_LOCAL0|$1; }
1365 | facility '.' priority { fr->fr_loglevel = $1 | $3; }
1366 ;
1367
1368 facility:
1369 IPFY_FAC_KERN { $$ = LOG_KERN; }
1370 | IPFY_FAC_USER { $$ = LOG_USER; }
1371 | IPFY_FAC_MAIL { $$ = LOG_MAIL; }
1372 | IPFY_FAC_DAEMON { $$ = LOG_DAEMON; }
1373 | IPFY_FAC_AUTH { $$ = LOG_AUTH; }
1374 | IPFY_FAC_SYSLOG { $$ = LOG_SYSLOG; }
1375 | IPFY_FAC_LPR { $$ = LOG_LPR; }
1376 | IPFY_FAC_NEWS { $$ = LOG_NEWS; }
1377 | IPFY_FAC_UUCP { $$ = LOG_UUCP; }
1378 | IPFY_FAC_CRON { $$ = LOG_CRON; }
1379 | IPFY_FAC_FTP { $$ = LOG_FTP; }
1380 | IPFY_FAC_AUTHPRIV { $$ = LOG_AUTHPRIV; }
1381 | IPFY_FAC_AUDIT { $$ = LOG_AUDIT; }
1382 | IPFY_FAC_LFMT { $$ = LOG_LFMT; }
1383 | IPFY_FAC_LOCAL0 { $$ = LOG_LOCAL0; }
1384 | IPFY_FAC_LOCAL1 { $$ = LOG_LOCAL1; }
1385 | IPFY_FAC_LOCAL2 { $$ = LOG_LOCAL2; }
1386 | IPFY_FAC_LOCAL3 { $$ = LOG_LOCAL3; }
1387 | IPFY_FAC_LOCAL4 { $$ = LOG_LOCAL4; }
1388 | IPFY_FAC_LOCAL5 { $$ = LOG_LOCAL5; }
1389 | IPFY_FAC_LOCAL6 { $$ = LOG_LOCAL6; }
1390 | IPFY_FAC_LOCAL7 { $$ = LOG_LOCAL7; }
1391 | IPFY_FAC_SECURITY { $$ = LOG_SECURITY; }
1392 ;
1393
1394 priority:
1395 IPFY_PRI_EMERG { $$ = LOG_EMERG; }
1396 | IPFY_PRI_ALERT { $$ = LOG_ALERT; }
1397 | IPFY_PRI_CRIT { $$ = LOG_CRIT; }
1398 | IPFY_PRI_ERR { $$ = LOG_ERR; }
1399 | IPFY_PRI_WARN { $$ = LOG_WARNING; }
1400 | IPFY_PRI_NOTICE { $$ = LOG_NOTICE; }
1401 | IPFY_PRI_INFO { $$ = LOG_INFO; }
1402 | IPFY_PRI_DEBUG { $$ = LOG_DEBUG; }
1403 ;
1404
1405 compare:
1406 YY_CMP_EQ { $$ = FR_EQUAL; }
1407 | YY_CMP_NE { $$ = FR_NEQUAL; }
1408 | YY_CMP_LT { $$ = FR_LESST; }
1409 | YY_CMP_LE { $$ = FR_LESSTE; }
1410 | YY_CMP_GT { $$ = FR_GREATERT; }
1411 | YY_CMP_GE { $$ = FR_GREATERTE; }
1412 ;
1413
1414 range: YY_RANGE_IN { $$ = FR_INRANGE; }
1415 | YY_RANGE_OUT { $$ = FR_OUTRANGE; }
1416 | ':' { $$ = FR_INCRANGE; }
1417 ;
1418
1419 servicename:
1420 YY_STR { $$ = $1; }
1421 ;
1422
1423 interfacename: name { $$ = $1; }
1424 | name ':' YY_NUMBER
1425 { $$ = $1;
1426 fprintf(stderr, "%d: Logical interface %s:%d unsupported, "
1427 "use the physical interface %s instead.\n",
1428 yylineNum, $1, $3, $1);
1429 }
1430 ;
1431
1432 name: YY_STR { $$ = $1; }
1433 | '-' { $$ = strdup("-"); }
1434 ;
1435
1436 ipv4_16:
1437 YY_NUMBER '.' YY_NUMBER
1438 { if ($1 > 255 || $3 > 255) {
1439 yyerror("Invalid octet string for IP address");
1440 return 0;
1441 }
1442 $$.s_addr = ($1 << 24) | ($3 << 16);
1443 $$.s_addr = htonl($$.s_addr);
1444 }
1445 ;
1446
1447 ipv4_24:
1448 ipv4_16 '.' YY_NUMBER
1449 { if ($3 > 255) {
1450 yyerror("Invalid octet string for IP address");
1451 return 0;
1452 }
1453 $$.s_addr |= htonl($3 << 8);
1454 }
1455 ;
1456
1457 ipv4: ipv4_24 '.' YY_NUMBER
1458 { if ($3 > 255) {
1459 yyerror("Invalid octet string for IP address");
1460 return 0;
1461 }
1462 $$.s_addr |= htonl($3);
1463 }
1464 | ipv4_24
1465 | ipv4_16
1466 ;
1467
1468 %%
1469
1470
1471 static struct wordtab ipfwords[95] = {
1472 { "age", IPFY_AGE },
1473 { "ah", IPFY_AH },
1474 { "all", IPFY_ALL },
1475 { "and", IPFY_AND },
1476 { "auth", IPFY_AUTH },
1477 { "bad", IPFY_BAD },
1478 { "bad-nat", IPFY_BADNAT },
1479 { "bad-src", IPFY_BADSRC },
1480 { "bcast", IPFY_BROADCAST },
1481 { "block", IPFY_BLOCK },
1482 { "body", IPFY_BODY },
1483 { "bpf-v4", IPFY_BPFV4 },
1484 #ifdef USE_INET6
1485 { "bpf-v6", IPFY_BPFV6 },
1486 #endif
1487 { "call", IPFY_CALL },
1488 { "code", IPFY_ICMPCODE },
1489 { "count", IPFY_COUNT },
1490 { "dup-to", IPFY_DUPTO },
1491 { "eq", YY_CMP_EQ },
1492 { "esp", IPFY_ESP },
1493 { "fastroute", IPFY_FROUTE },
1494 { "first", IPFY_FIRST },
1495 { "flags", IPFY_FLAGS },
1496 { "frag", IPFY_FRAG },
1497 { "frag-body", IPFY_FRAGBODY },
1498 { "frags", IPFY_FRAGS },
1499 { "from", IPFY_FROM },
1500 { "ge", YY_CMP_GE },
1501 { "group", IPFY_GROUP },
1502 { "gt", YY_CMP_GT },
1503 { "head", IPFY_HEAD },
1504 { "icmp", IPFY_ICMP },
1505 { "icmp-type", IPFY_ICMPTYPE },
1506 { "in", IPFY_IN },
1507 { "in-via", IPFY_INVIA },
1508 { "ipopt", IPFY_IPOPTS },
1509 { "ipopts", IPFY_IPOPTS },
1510 { "keep", IPFY_KEEP },
1511 { "le", YY_CMP_LE },
1512 { "level", IPFY_LEVEL },
1513 { "limit", IPFY_LIMIT },
1514 { "log", IPFY_LOG },
1515 { "lowttl", IPFY_LOWTTL },
1516 { "lt", YY_CMP_LT },
1517 { "mask", IPFY_MASK },
1518 { "match-tag", IPFY_MATCHTAG },
1519 { "mbcast", IPFY_MBCAST },
1520 { "mcast", IPFY_MULTICAST },
1521 { "multicast", IPFY_MULTICAST },
1522 { "nat", IPFY_NAT },
1523 { "ne", YY_CMP_NE },
1524 { "net", IPFY_NETWORK },
1525 { "newisn", IPFY_NEWISN },
1526 { "no", IPFY_NO },
1527 { "no-icmp-err", IPFY_NOICMPERR },
1528 { "nomatch", IPFY_NOMATCH },
1529 { "now", IPFY_NOW },
1530 { "not", IPFY_NOT },
1531 { "oow", IPFY_OOW },
1532 { "on", IPFY_ON },
1533 { "opt", IPFY_OPT },
1534 { "or-block", IPFY_ORBLOCK },
1535 { "out", IPFY_OUT },
1536 { "out-via", IPFY_OUTVIA },
1537 { "pass", IPFY_PASS },
1538 { "port", IPFY_PORT },
1539 { "pps", IPFY_PPS },
1540 { "preauth", IPFY_PREAUTH },
1541 { "proto", IPFY_PROTO },
1542 { "quick", IPFY_QUICK },
1543 { "reply-to", IPFY_REPLY_TO },
1544 { "return-icmp", IPFY_RETICMP },
1545 { "return-icmp-as-dest", IPFY_RETICMPASDST },
1546 { "return-rst", IPFY_RETRST },
1547 { "route-to", IPFY_ROUTETO },
1548 { "sec-class", IPFY_SECCLASS },
1549 { "set-tag", IPFY_SETTAG },
1550 { "skip", IPFY_SKIP },
1551 { "short", IPFY_SHORT },
1552 { "state", IPFY_STATE },
1553 { "state-age", IPFY_AGE },
1554 { "strict", IPFY_STRICT },
1555 { "sync", IPFY_SYNC },
1556 { "tcp", IPFY_TCP },
1557 { "tcp-udp", IPFY_TCPUDP },
1558 { "tos", IPFY_TOS },
1559 { "to", IPFY_TO },
1560 { "ttl", IPFY_TTL },
1561 { "udp", IPFY_UDP },
1562 { "v6hdrs", IPF6_V6HDRS },
1563 { "with", IPFY_WITH },
1564 { NULL, 0 }
1565 };
1566
1567 static struct wordtab addrwords[4] = {
1568 { "any", IPFY_ANY },
1569 { "hash", IPFY_HASH },
1570 { "pool", IPFY_POOL },
1571 { NULL, 0 }
1572 };
1573
1574 static struct wordtab maskwords[5] = {
1575 { "broadcast", IPFY_BROADCAST },
1576 { "netmasked", IPFY_NETMASKED },
1577 { "network", IPFY_NETWORK },
1578 { "peer", IPFY_PEER },
1579 { NULL, 0 }
1580 };
1581
1582 static struct wordtab icmptypewords[16] = {
1583 { "echo", IPFY_ICMPT_ECHO },
1584 { "echorep", IPFY_ICMPT_ECHOR },
1585 { "inforeq", IPFY_ICMPT_INFOREQ },
1586 { "inforep", IPFY_ICMPT_INFOREP },
1587 { "maskrep", IPFY_ICMPT_MASKREP },
1588 { "maskreq", IPFY_ICMPT_MASKREQ },
1589 { "paramprob", IPFY_ICMPT_PARAMP },
1590 { "redir", IPFY_ICMPT_REDIR },
1591 { "unreach", IPFY_ICMPT_UNR },
1592 { "routerad", IPFY_ICMPT_ROUTERAD },
1593 { "routersol", IPFY_ICMPT_ROUTERSOL },
1594 { "squench", IPFY_ICMPT_SQUENCH },
1595 { "timest", IPFY_ICMPT_TIMEST },
1596 { "timestrep", IPFY_ICMPT_TIMESTREP },
1597 { "timex", IPFY_ICMPT_TIMEX },
1598 { NULL, 0 },
1599 };
1600
1601 static struct wordtab icmpcodewords[17] = {
1602 { "cutoff-preced", IPFY_ICMPC_CUTPRE },
1603 { "filter-prohib", IPFY_ICMPC_FLTPRO },
1604 { "isolate", IPFY_ICMPC_ISOLATE },
1605 { "needfrag", IPFY_ICMPC_NEEDF },
1606 { "net-prohib", IPFY_ICMPC_NETPRO },
1607 { "net-tos", IPFY_ICMPC_NETTOS },
1608 { "host-preced", IPFY_ICMPC_HSTPRE },
1609 { "host-prohib", IPFY_ICMPC_HSTPRO },
1610 { "host-tos", IPFY_ICMPC_HSTTOS },
1611 { "host-unk", IPFY_ICMPC_HSTUNK },
1612 { "host-unr", IPFY_ICMPC_HSTUNR },
1613 { "net-unk", IPFY_ICMPC_NETUNK },
1614 { "net-unr", IPFY_ICMPC_NETUNR },
1615 { "port-unr", IPFY_ICMPC_PORUNR },
1616 { "proto-unr", IPFY_ICMPC_PROUNR },
1617 { "srcfail", IPFY_ICMPC_SRCFAIL },
1618 { NULL, 0 },
1619 };
1620
1621 static struct wordtab ipv4optwords[25] = {
1622 { "addext", IPFY_IPOPT_ADDEXT },
1623 { "cipso", IPFY_IPOPT_CIPSO },
1624 { "dps", IPFY_IPOPT_DPS },
1625 { "e-sec", IPFY_IPOPT_ESEC },
1626 { "eip", IPFY_IPOPT_EIP },
1627 { "encode", IPFY_IPOPT_ENCODE },
1628 { "finn", IPFY_IPOPT_FINN },
1629 { "imitd", IPFY_IPOPT_IMITD },
1630 { "lsrr", IPFY_IPOPT_LSRR },
1631 { "mtup", IPFY_IPOPT_MTUP },
1632 { "mtur", IPFY_IPOPT_MTUR },
1633 { "nop", IPFY_IPOPT_NOP },
1634 { "nsapa", IPFY_IPOPT_NSAPA },
1635 { "rr", IPFY_IPOPT_RR },
1636 { "rtralrt", IPFY_IPOPT_RTRALRT },
1637 { "satid", IPFY_IPOPT_SATID },
1638 { "sdb", IPFY_IPOPT_SDB },
1639 { "sec", IPFY_IPOPT_SEC },
1640 { "ssrr", IPFY_IPOPT_SSRR },
1641 { "tr", IPFY_IPOPT_TR },
1642 { "ts", IPFY_IPOPT_TS },
1643 { "ump", IPFY_IPOPT_UMP },
1644 { "visa", IPFY_IPOPT_VISA },
1645 { "zsu", IPFY_IPOPT_ZSU },
1646 { NULL, 0 },
1647 };
1648
1649 static struct wordtab ipv4secwords[9] = {
1650 { "confid", IPFY_SEC_CONF },
1651 { "reserv-1", IPFY_SEC_RSV1 },
1652 { "reserv-2", IPFY_SEC_RSV2 },
1653 { "reserv-3", IPFY_SEC_RSV3 },
1654 { "reserv-4", IPFY_SEC_RSV4 },
1655 { "secret", IPFY_SEC_SEC },
1656 { "topsecret", IPFY_SEC_TS },
1657 { "unclass", IPFY_SEC_UNC },
1658 { NULL, 0 },
1659 };
1660
1661 static struct wordtab ipv6optwords[9] = {
1662 { "dstopts", IPFY_IPV6OPT_DSTOPTS },
1663 { "esp", IPFY_IPV6OPT_ESP },
1664 { "frag", IPFY_IPV6OPT_FRAG },
1665 { "hopopts", IPFY_IPV6OPT_HOPOPTS },
1666 { "ipv6", IPFY_IPV6OPT_IPV6 },
1667 { "mobility", IPFY_IPV6OPT_MOBILITY },
1668 { "none", IPFY_IPV6OPT_NONE },
1669 { "routing", IPFY_IPV6OPT_ROUTING },
1670 { NULL, 0 },
1671 };
1672
1673 static struct wordtab logwords[33] = {
1674 { "kern", IPFY_FAC_KERN },
1675 { "user", IPFY_FAC_USER },
1676 { "mail", IPFY_FAC_MAIL },
1677 { "daemon", IPFY_FAC_DAEMON },
1678 { "auth", IPFY_FAC_AUTH },
1679 { "syslog", IPFY_FAC_SYSLOG },
1680 { "lpr", IPFY_FAC_LPR },
1681 { "news", IPFY_FAC_NEWS },
1682 { "uucp", IPFY_FAC_UUCP },
1683 { "cron", IPFY_FAC_CRON },
1684 { "ftp", IPFY_FAC_FTP },
1685 { "authpriv", IPFY_FAC_AUTHPRIV },
1686 { "audit", IPFY_FAC_AUDIT },
1687 { "logalert", IPFY_FAC_LFMT },
1688 { "console", IPFY_FAC_CONSOLE },
1689 { "security", IPFY_FAC_SECURITY },
1690 { "local0", IPFY_FAC_LOCAL0 },
1691 { "local1", IPFY_FAC_LOCAL1 },
1692 { "local2", IPFY_FAC_LOCAL2 },
1693 { "local3", IPFY_FAC_LOCAL3 },
1694 { "local4", IPFY_FAC_LOCAL4 },
1695 { "local5", IPFY_FAC_LOCAL5 },
1696 { "local6", IPFY_FAC_LOCAL6 },
1697 { "local7", IPFY_FAC_LOCAL7 },
1698 { "emerg", IPFY_PRI_EMERG },
1699 { "alert", IPFY_PRI_ALERT },
1700 { "crit", IPFY_PRI_CRIT },
1701 { "err", IPFY_PRI_ERR },
1702 { "warn", IPFY_PRI_WARN },
1703 { "notice", IPFY_PRI_NOTICE },
1704 { "info", IPFY_PRI_INFO },
1705 { "debug", IPFY_PRI_DEBUG },
1706 { NULL, 0 },
1707 };
1708
1709
1710
1711
1712 int ipf_parsefile(fd, addfunc, iocfuncs, filename)
1713 int fd;
1714 addfunc_t addfunc;
1715 ioctlfunc_t *iocfuncs;
1716 char *filename;
1717 {
1718 FILE *fp = NULL;
1719 char *s;
1720
1721 yylineNum = 1;
1722 yysettab(ipfwords);
1723
1724 s = getenv("YYDEBUG");
1725 if (s != NULL)
1726 yydebug = atoi(s);
1727 else
1728 yydebug = 0;
1729
1730 if (strcmp(filename, "-")) {
1731 fp = fopen(filename, "r");
1732 if (fp == NULL) {
1733 fprintf(stderr, "fopen(%s) failed: %s\n", filename,
1734 STRERROR(errno));
1735 return -1;
1736 }
1737 } else
1738 fp = stdin;
1739
1740 while (ipf_parsesome(fd, addfunc, iocfuncs, fp) == 1)
1741 ;
1742 if (fp != NULL)
1743 fclose(fp);
1744 return 0;
1745 }
1746
1747
1748 int ipf_parsesome(fd, addfunc, iocfuncs, fp)
1749 int fd;
1750 addfunc_t addfunc;
1751 ioctlfunc_t *iocfuncs;
1752 FILE *fp;
1753 {
1754 char *s;
1755 int i;
1756
1757 ipffd = fd;
1758 for (i = 0; i <= IPL_LOGMAX; i++)
1759 ipfioctl[i] = iocfuncs[i];
1760 ipfaddfunc = addfunc;
1761
1762 if (feof(fp))
1763 return 0;
1764 i = fgetc(fp);
1765 if (i == EOF)
1766 return 0;
1767 if (ungetc(i, fp) == 0)
1768 return 0;
1769 if (feof(fp))
1770 return 0;
1771 s = getenv("YYDEBUG");
1772 if (s != NULL)
1773 yydebug = atoi(s);
1774 else
1775 yydebug = 0;
1776
1777 yyin = fp;
1778 yyparse();
1779 return 1;
1780 }
1781
1782
1783 static void newrule()
1784 {
1785 frentry_t *frn;
1786
1787 frn = (frentry_t *)calloc(1, sizeof(frentry_t));
1788 for (fr = frtop; fr != NULL && fr->fr_next != NULL; fr = fr->fr_next)
1789 ;
1790 if (fr != NULL)
1791 fr->fr_next = frn;
1792 if (frtop == NULL)
1793 frtop = frn;
1794 fr = frn;
1795 frc = frn;
1796 fr->fr_loglevel = 0xffff;
1797 fr->fr_isc = (void *)-1;
1798 fr->fr_logtag = FR_NOLOGTAG;
1799 fr->fr_type = FR_T_NONE;
1800 if (use_inet6 != 0)
1801 fr->fr_v = 6;
1802 else
1803 fr->fr_v = 4;
1804
1805 nrules = 1;
1806 }
1807
1808
1809 static void setipftype()
1810 {
1811 for (fr = frc; fr != NULL; fr = fr->fr_next) {
1812 if (fr->fr_type == FR_T_NONE) {
1813 fr->fr_type = FR_T_IPF;
1814 fr->fr_data = (void *)calloc(sizeof(fripf_t), 1);
1815 fr->fr_dsize = sizeof(fripf_t);
1816 fr->fr_ip.fi_v = frc->fr_v;
1817 fr->fr_mip.fi_v = 0xf;
1818 fr->fr_ipf->fri_sifpidx = -1;
1819 fr->fr_ipf->fri_difpidx = -1;
1820 }
1821 if (fr->fr_type != FR_T_IPF) {
1822 fprintf(stderr, "IPF Type not set\n");
1823 }
1824 }
1825 }
1826
1827
1828 static frentry_t *addrule()
1829 {
1830 frentry_t *f, *f1, *f2;
1831 int count;
1832
1833 for (f2 = frc; f2->fr_next != NULL; f2 = f2->fr_next)
1834 ;
1835
1836 count = nrules;
1837 f = f2;
1838 for (f1 = frc; count > 0; count--, f1 = f1->fr_next) {
1839 f->fr_next = (frentry_t *)calloc(sizeof(*f), 1);
1840 added++;
1841 f = f->fr_next;
1842 bcopy(f1, f, sizeof(*f));
1843 f->fr_next = NULL;
1844 if (f->fr_caddr != NULL) {
1845 f->fr_caddr = malloc(f->fr_dsize);
1846 bcopy(f1->fr_caddr, f->fr_caddr, f->fr_dsize);
1847 }
1848 }
1849
1850 return f2->fr_next;
1851 }
1852
1853
1854 static u_32_t lookuphost(name)
1855 char *name;
1856 {
1857 u_32_t addr;
1858 int i;
1859
1860 hashed = 0;
1861 pooled = 0;
1862 dynamic = -1;
1863
1864 for (i = 0; i < 4; i++) {
1865 if (strncmp(name, frc->fr_ifnames[i],
1866 sizeof(frc->fr_ifnames[i])) == 0) {
1867 ifpflag = FRI_DYNAMIC;
1868 dynamic = i;
1869 return 0;
1870 }
1871 }
1872
1873 if (gethost(name, &addr) == -1) {
1874 fprintf(stderr, "unknown name \"%s\"\n", name);
1875 return 0;
1876 }
1877 return addr;
1878 }
1879
1880
1881 static void dobpf(v, phrase)
1882 int v;
1883 char *phrase;
1884 {
1885 #ifdef IPFILTER_BPF
1886 struct bpf_program bpf;
1887 struct pcap *p;
1888 #endif
1889 fakebpf_t *fb;
1890 u_32_t l;
1891 char *s;
1892 int i;
1893
1894 for (fr = frc; fr != NULL; fr = fr->fr_next) {
1895 if (fr->fr_type != FR_T_NONE) {
1896 fprintf(stderr, "cannot mix IPF and BPF matching\n");
1897 return;
1898 }
1899 fr->fr_v = v;
1900 fr->fr_type = FR_T_BPFOPC;
1901
1902 if (!strncmp(phrase, "0x", 2)) {
1903 fb = malloc(sizeof(fakebpf_t));
1904
1905 for (i = 0, s = strtok(phrase, " \r\n\t"); s != NULL;
1906 s = strtok(NULL, " \r\n\t"), i++) {
1907 fb = realloc(fb, (i / 4 + 1) * sizeof(*fb));
1908 l = (u_32_t)strtol(s, NULL, 0);
1909 switch (i & 3)
1910 {
1911 case 0 :
1912 fb[i / 4].fb_c = l & 0xffff;
1913 break;
1914 case 1 :
1915 fb[i / 4].fb_t = l & 0xff;
1916 break;
1917 case 2 :
1918 fb[i / 4].fb_f = l & 0xff;
1919 break;
1920 case 3 :
1921 fb[i / 4].fb_k = l;
1922 break;
1923 }
1924 }
1925 if ((i & 3) != 0) {
1926 fprintf(stderr,
1927 "Odd number of bytes in BPF code\n");
1928 exit(1);
1929 }
1930 i--;
1931 fr->fr_dsize = (i / 4 + 1) * sizeof(*fb);
1932 fr->fr_data = fb;
1933 return;
1934 }
1935
1936 #ifdef IPFILTER_BPF
1937 bzero((char *)&bpf, sizeof(bpf));
1938 p = pcap_open_dead(DLT_RAW, 1);
1939 if (!p) {
1940 fprintf(stderr, "pcap_open_dead failed\n");
1941 return;
1942 }
1943
1944 if (pcap_compile(p, &bpf, phrase, 1, 0xffffffff)) {
1945 pcap_perror(p, "ipf");
1946 pcap_close(p);
1947 fprintf(stderr, "pcap parsing failed (%s)\n", phrase);
1948 return;
1949 }
1950 pcap_close(p);
1951
1952 fr->fr_dsize = bpf.bf_len * sizeof(struct bpf_insn);
1953 fr->fr_data = malloc(fr->fr_dsize);
1954 bcopy((char *)bpf.bf_insns, fr->fr_data, fr->fr_dsize);
1955 if (!bpf_validate(fr->fr_data, bpf.bf_len)) {
1956 fprintf(stderr, "BPF validation failed\n");
1957 return;
1958 }
1959 #endif
1960 }
1961
1962 #ifdef IPFILTER_BPF
1963 if (opts & OPT_DEBUG)
1964 bpf_dump(&bpf, 0);
1965 #else
1966 fprintf(stderr, "BPF filter expressions not supported\n");
1967 exit(1);
1968 #endif
1969 }
1970
1971
1972 static void resetaddr()
1973 {
1974 hashed = 0;
1975 pooled = 0;
1976 dynamic = -1;
1977 }
1978
1979
1980 static alist_t *newalist(ptr)
1981 alist_t *ptr;
1982 {
1983 alist_t *al;
1984
1985 al = malloc(sizeof(*al));
1986 if (al == NULL)
1987 return NULL;
1988 al->al_not = 0;
1989 al->al_next = ptr;
1990 return al;
1991 }
1992
1993
1994 static int makepool(list)
1995 alist_t *list;
1996 {
1997 ip_pool_node_t *n, *top;
1998 ip_pool_t pool;
1999 alist_t *a;
2000 int num;
2001
2002 if (list == NULL)
2003 return 0;
2004 top = calloc(1, sizeof(*top));
2005 if (top == NULL)
2006 return 0;
2007
2008 for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) {
2009 n->ipn_addr.adf_addr.in4.s_addr = a->al_1;
2010 n->ipn_mask.adf_addr.in4.s_addr = a->al_2;
2011 n->ipn_info = a->al_not;
2012 if (a->al_next != NULL) {
2013 n->ipn_next = calloc(1, sizeof(*n));
2014 n = n->ipn_next;
2015 }
2016 }
2017
2018 bzero((char *)&pool, sizeof(pool));
2019 pool.ipo_unit = IPL_LOGIPF;
2020 pool.ipo_list = top;
2021 num = load_pool(&pool, ipfioctl[IPL_LOGLOOKUP]);
2022
2023 while ((n = top) != NULL) {
2024 top = n->ipn_next;
2025 free(n);
2026 }
2027 return num;
2028 }
2029
2030
2031 static u_int makehash(list)
2032 alist_t *list;
2033 {
2034 iphtent_t *n, *top;
2035 iphtable_t iph;
2036 alist_t *a;
2037 int num;
2038
2039 if (list == NULL)
2040 return 0;
2041 top = calloc(1, sizeof(*top));
2042 if (top == NULL)
2043 return 0;
2044
2045 for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) {
2046 n->ipe_addr.in4_addr = a->al_1;
2047 n->ipe_mask.in4_addr = a->al_2;
2048 n->ipe_value = 0;
2049 if (a->al_next != NULL) {
2050 n->ipe_next = calloc(1, sizeof(*n));
2051 n = n->ipe_next;
2052 }
2053 }
2054
2055 bzero((char *)&iph, sizeof(iph));
2056 iph.iph_unit = IPL_LOGIPF;
2057 iph.iph_type = IPHASH_LOOKUP;
2058 *iph.iph_name = '\0';
2059
2060 if (load_hash(&iph, top, ipfioctl[IPL_LOGLOOKUP]) == 0)
2061 sscanf(iph.iph_name, "%u", &num);
2062 else
2063 num = 0;
2064
2065 while ((n = top) != NULL) {
2066 top = n->ipe_next;
2067 free(n);
2068 }
2069 return num;
2070 }
2071
2072
2073 void ipf_addrule(fd, ioctlfunc, ptr)
2074 int fd;
2075 ioctlfunc_t ioctlfunc;
2076 void *ptr;
2077 {
2078 ioctlcmd_t add, del;
2079 frentry_t *fr;
2080 ipfobj_t obj;
2081
2082 if (ptr == NULL)
2083 return;
2084
2085 fr = ptr;
2086 add = 0;
2087 del = 0;
2088
2089 bzero((char *)&obj, sizeof(obj));
2090 obj.ipfo_rev = IPFILTER_VERSION;
2091 obj.ipfo_size = sizeof(*fr);
2092 obj.ipfo_type = IPFOBJ_FRENTRY;
2093 obj.ipfo_ptr = ptr;
2094
2095 if ((opts & OPT_DONOTHING) != 0)
2096 fd = -1;
2097
2098 if (opts & OPT_ZERORULEST) {
2099 add = SIOCZRLST;
2100 } else if (opts & OPT_INACTIVE) {
2101 add = (u_int)fr->fr_hits ? SIOCINIFR :
2102 SIOCADIFR;
2103 del = SIOCRMIFR;
2104 } else {
2105 add = (u_int)fr->fr_hits ? SIOCINAFR :
2106 SIOCADAFR;
2107 del = SIOCRMAFR;
2108 }
2109
2110 if ((opts & OPT_OUTQUE) != 0)
2111 fr->fr_flags |= FR_OUTQUE;
2112 if (fr->fr_hits)
2113 fr->fr_hits--;
2114 if ((opts & OPT_VERBOSE) != 0)
2115 printfr(fr, ioctlfunc);
2116
2117 if ((opts & OPT_DEBUG) != 0) {
2118 binprint(fr, sizeof(*fr));
2119 if (fr->fr_data != NULL)
2120 binprint(fr->fr_data, fr->fr_dsize);
2121 }
2122
2123 if ((opts & OPT_ZERORULEST) != 0) {
2124 if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
2125 if ((opts & OPT_DONOTHING) == 0) {
2126 fprintf(stderr, "%d:", yylineNum);
2127 perror("ioctl(SIOCZRLST)");
2128 }
2129 } else {
2130 #ifdef USE_QUAD_T
2131 printf("hits %qd bytes %qd ",
2132 (long long)fr->fr_hits,
2133 (long long)fr->fr_bytes);
2134 #else
2135 printf("hits %ld bytes %ld ",
2136 fr->fr_hits, fr->fr_bytes);
2137 #endif
2138 printfr(fr, ioctlfunc);
2139 }
2140 } else if ((opts & OPT_REMOVE) != 0) {
2141 if ((*ioctlfunc)(fd, del, (void *)&obj) == -1) {
2142 if ((opts & OPT_DONOTHING) != 0) {
2143 fprintf(stderr, "%d:", yylineNum);
2144 perror("ioctl(delete rule)");
2145 }
2146 }
2147 } else {
2148 if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
2149 if (!(opts & OPT_DONOTHING)) {
2150 fprintf(stderr, "%d:", yylineNum);
2151 perror("ioctl(add/insert rule)");
2152 }
2153 }
2154 }
2155 }
2156
2157 static void setsyslog()
2158 {
2159 yysetdict(logwords);
2160 yybreakondot = 1;
2161 }
2162
2163
2164 static void unsetsyslog()
2165 {
2166 yyresetdict();
2167 yybreakondot = 0;
2168 }
2169
2170
2171 static void fillgroup(fr)
2172 frentry_t *fr;
2173 {
2174 frentry_t *f;
2175
2176 for (f = frold; f != NULL; f = f->fr_next)
2177 if (strncmp(f->fr_grhead, fr->fr_group, FR_GROUPLEN) == 0)
2178 break;
2179 if (f == NULL)
2180 return;
2181
2182 /*
2183 * Only copy down matching fields if the rules are of the same type
2184 * and are of ipf type. The only fields that are copied are those
2185 * that impact the rule parsing itself, eg. need for knowing what the
2186 * protocol should be for rules with port comparisons in them.
2187 */
2188 if (f->fr_type != fr->fr_type || f->fr_type != FR_T_IPF)
2189 return;
2190
2191 if (fr->fr_v == 0 && f->fr_v != 0)
2192 fr->fr_v = f->fr_v;
2193
2194 if (fr->fr_mproto == 0 && f->fr_mproto != 0)
2195 fr->fr_mproto = f->fr_mproto;
2196 if (fr->fr_proto == 0 && f->fr_proto != 0)
2197 fr->fr_proto = f->fr_proto;
2198
2199 if ((fr->fr_mproto == 0) && ((fr->fr_flx & FI_TCPUDP) == 0) &&
2200 ((f->fr_flx & FI_TCPUDP) != 0))
2201 fr->fr_flx |= FI_TCPUDP;
2202 }
NetBSD on the FriendlyARM MINI2440