4 * Copyright (C) 2001-2006 by Darren Reed.
6 * See the IPFILTER.LICENCE file for details on licencing.
10 #include <sys/ioctl.h>
13 # include "pcap-bpf.h"
17 #include "netinet/ip_pool.h"
18 #include "netinet/ip_htable.h"
19 #include "netinet/ipl.h"
23 #define DOALL(x) for (fr = frc; fr != NULL; fr = fr->fr_next) { x }
24 #define DOREM(x) for (; fr != NULL; fr = fr->fr_next) { x }
26 extern void yyerror __P((char *));
27 extern int yyparse __P((void));
28 extern int yylex __P((void));
33 static void newrule __P((void));
34 static void setipftype __P((void));
35 static u_32_t lookuphost __P((char *));
36 static void dobpf __P((int, char *));
37 static void resetaddr __P((void));
38 static struct alist_s *newalist __P((struct alist_s *));
39 static u_int makehash __P((struct alist_s *));
40 static int makepool __P((struct alist_s *));
41 static frentry_t *addrule __P((void));
42 static void setsyslog __P((void));
43 static void unsetsyslog __P((void));
44 static void fillgroup __P((frentry_t *));
46 frentry_t *fr = NULL, *frc = NULL, *frtop = NULL, *frold = NULL;
48 static int ifpflag = 0;
49 static int nowith = 0;
50 static int dynamic = -1;
51 static int pooled = 0;
52 static int hashed = 0;
53 static int nrules = 0;
54 static int newlist = 0;
56 static int ipffd = -1;
57 static int *yycont = 0;
58 static ioctlfunc_t ipfioctl[IPL_LOGSIZE];
59 static addfunc_t ipfaddfunc = NULL;
60 static struct wordtab ipfwords[95];
61 static struct wordtab addrwords[4];
62 static struct wordtab maskwords[5];
63 static struct wordtab icmpcodewords[17];
64 static struct wordtab icmptypewords[16];
65 static struct wordtab ipv4optwords[25];
66 static struct wordtab ipv4secwords[9];
67 static struct wordtab ipv6optwords[9];
68 static struct wordtab logwords[33];
77 struct alist_s *alist;
96 %type <num> facility priority icmpcode seclevel secname icmptype
97 %type <num> opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr
98 %type <num> portc porteq
99 %type <ipa> hostname ipv4 ipv4mask ipv4_16 ipv4_24
101 %type <ipp> addr ipaddr
102 %type <str> servicename name interfacename
103 %type <pc> portrange portcomp
104 %type <alist> addrlist poollist
107 %token <num> YY_NUMBER YY_HEX
110 %token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
111 %token YY_RANGE_OUT YY_RANGE_IN
114 %token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL IPFY_NOMATCH
115 %token IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST
116 %token IPFY_IN IPFY_OUT
117 %token IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA
118 %token IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO IPFY_ROUTETO
119 %token IPFY_TOS IPFY_TTL IPFY_PROTO
120 %token IPFY_HEAD IPFY_GROUP
121 %token IPFY_AUTH IPFY_PREAUTH
122 %token IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK
123 %token IPFY_LOGTAG IPFY_MATCHTAG IPFY_SETTAG IPFY_SKIP
124 %token IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPFV4 IPFY_BPFV6 IPFY_POOL IPFY_HASH
126 %token IPFY_ESP IPFY_AH
127 %token IPFY_WITH IPFY_AND IPFY_NOT IPFY_NO IPFY_OPT
128 %token IPFY_TCPUDP IPFY_TCP IPFY_UDP
129 %token IPFY_FLAGS IPFY_MULTICAST
130 %token IPFY_MASK IPFY_BROADCAST IPFY_NETWORK IPFY_NETMASKED IPFY_PEER
133 %token IPFY_ICMP IPFY_ICMPTYPE IPFY_ICMPCODE
134 %token IPFY_IPOPTS IPFY_SHORT IPFY_NAT IPFY_BADSRC IPFY_LOWTTL IPFY_FRAG
135 %token IPFY_MBCAST IPFY_BAD IPFY_BADNAT IPFY_OOW IPFY_NEWISN IPFY_NOICMPERR
136 %token IPFY_KEEP IPFY_STATE IPFY_FRAGS IPFY_LIMIT IPFY_STRICT IPFY_AGE
137 %token IPFY_SYNC IPFY_FRAGBODY
138 %token IPFY_IPOPT_NOP IPFY_IPOPT_RR IPFY_IPOPT_ZSU IPFY_IPOPT_MTUP
139 %token IPFY_IPOPT_MTUR IPFY_IPOPT_ENCODE IPFY_IPOPT_TS IPFY_IPOPT_TR
140 %token IPFY_IPOPT_SEC IPFY_IPOPT_LSRR IPFY_IPOPT_ESEC IPFY_IPOPT_CIPSO
141 %token IPFY_IPOPT_SATID IPFY_IPOPT_SSRR IPFY_IPOPT_ADDEXT IPFY_IPOPT_VISA
142 %token IPFY_IPOPT_IMITD IPFY_IPOPT_EIP IPFY_IPOPT_FINN IPFY_IPOPT_DPS
143 %token IPFY_IPOPT_SDB IPFY_IPOPT_NSAPA IPFY_IPOPT_RTRALRT IPFY_IPOPT_UMP
144 %token IPFY_SECCLASS IPFY_SEC_UNC IPFY_SEC_CONF IPFY_SEC_RSV1 IPFY_SEC_RSV2
145 %token IPFY_SEC_RSV4 IPFY_SEC_SEC IPFY_SEC_TS IPFY_SEC_RSV3
147 %token IPF6_V6HDRS IPFY_IPV6OPT IPFY_IPV6OPT_DSTOPTS IPFY_IPV6OPT_HOPOPTS
148 %token IPFY_IPV6OPT_IPV6 IPFY_IPV6OPT_NONE IPFY_IPV6OPT_ROUTING
149 %token IPFY_IPV6OPT_MOBILITY IPFY_IPV6OPT_ESP IPFY_IPV6OPT_FRAG
151 %token IPFY_ICMPT_UNR IPFY_ICMPT_ECHO IPFY_ICMPT_ECHOR IPFY_ICMPT_SQUENCH
152 %token IPFY_ICMPT_REDIR IPFY_ICMPT_TIMEX IPFY_ICMPT_PARAMP IPFY_ICMPT_TIMEST
153 %token IPFY_ICMPT_TIMESTREP IPFY_ICMPT_INFOREQ IPFY_ICMPT_INFOREP
154 %token IPFY_ICMPT_MASKREQ IPFY_ICMPT_MASKREP IPFY_ICMPT_ROUTERAD
155 %token IPFY_ICMPT_ROUTERSOL
157 %token IPFY_ICMPC_NETUNR IPFY_ICMPC_HSTUNR IPFY_ICMPC_PROUNR IPFY_ICMPC_PORUNR
158 %token IPFY_ICMPC_NEEDF IPFY_ICMPC_SRCFAIL IPFY_ICMPC_NETUNK IPFY_ICMPC_HSTUNK
159 %token IPFY_ICMPC_ISOLATE IPFY_ICMPC_NETPRO IPFY_ICMPC_HSTPRO
160 %token IPFY_ICMPC_NETTOS IPFY_ICMPC_HSTTOS IPFY_ICMPC_FLTPRO IPFY_ICMPC_HSTPRE
161 %token IPFY_ICMPC_CUTPRE
163 %token IPFY_FAC_KERN IPFY_FAC_USER IPFY_FAC_MAIL IPFY_FAC_DAEMON IPFY_FAC_AUTH
164 %token IPFY_FAC_SYSLOG IPFY_FAC_LPR IPFY_FAC_NEWS IPFY_FAC_UUCP IPFY_FAC_CRON
165 %token IPFY_FAC_LOCAL0 IPFY_FAC_LOCAL1 IPFY_FAC_LOCAL2 IPFY_FAC_LOCAL3
166 %token IPFY_FAC_LOCAL4 IPFY_FAC_LOCAL5 IPFY_FAC_LOCAL6 IPFY_FAC_LOCAL7
167 %token IPFY_FAC_SECURITY IPFY_FAC_FTP IPFY_FAC_AUTHPRIV IPFY_FAC_AUDIT
168 %token IPFY_FAC_LFMT IPFY_FAC_CONSOLE
170 %token IPFY_PRI_EMERG IPFY_PRI_ALERT IPFY_PRI_CRIT IPFY_PRI_ERR IPFY_PRI_WARN
171 %token IPFY_PRI_NOTICE IPFY_PRI_INFO IPFY_PRI_DEBUG
179 line: rule { while ((fr = frtop) != NULL) {
182 (*ipfaddfunc)(ipffd, ipfioctl[IPL_LOGIPF], fr);
194 assign: YY_STR assigning YY_STR ';' { set_variable($1, $3);
203 '=' { yyvarnext = 1; }
214 rulehead markin inopts rulemain ruletail intag ruletail2
218 rulehead markout outopts rulemain ruletail outtag ruletail2
223 | xx insert collection action
226 markin: IPFY_IN { fr->fr_flags |= FR_INQUE; }
230 IPFY_OUT { fr->fr_flags |= FR_OUTQUE; }
243 IPFY_BPFV4 '{' YY_STR '}' { dobpf(4, $3); free($3); }
244 | IPFY_BPFV6 '{' YY_STR '}' { dobpf(6, $3); free($3); }
255 intag: settagin matchtagin
258 outtag: settagout matchtagout
262 '@' YY_NUMBER { fr->fr_hits = (U_QUAD_T)$2 + 1; }
266 | YY_NUMBER { fr->fr_collect = $1; }
270 | IPFY_PASS { fr->fr_flags |= FR_PASS; }
271 | IPFY_NOMATCH { fr->fr_flags |= FR_NOMATCH; }
273 | IPFY_COUNT { fr->fr_flags |= FR_ACCOUNT; }
275 | IPFY_SKIP YY_NUMBER { fr->fr_flags |= FR_SKIP;
278 | IPFY_CALL IPFY_NOW func { fr->fr_flags |= FR_CALLNOW; }
282 | blocked blockreturn
286 IPFY_BLOCK { fr->fr_flags = FR_BLOCK; }
289 IPFY_RETICMP { fr->fr_flags |= FR_RETICMP; }
290 | IPFY_RETICMP returncode { fr->fr_flags |= FR_RETICMP; }
291 | IPFY_RETICMPASDST { fr->fr_flags |= FR_FAKEICMP; }
292 | IPFY_RETICMPASDST returncode { fr->fr_flags |= FR_FAKEICMP; }
293 | IPFY_RETRST { fr->fr_flags |= FR_RETRST; }
296 log: IPFY_LOG { fr->fr_flags |= FR_LOG; }
297 | IPFY_LOG logoptions { fr->fr_flags |= FR_LOG; }
300 auth: IPFY_AUTH { fr->fr_flags |= FR_AUTH; }
301 | IPFY_AUTH blockreturn { fr->fr_flags |= FR_AUTH;}
302 | IPFY_PREAUTH { fr->fr_flags |= FR_PREAUTH; }
305 func: YY_STR '/' YY_NUMBER { fr->fr_func = nametokva($1,
306 ipfioctl[IPL_LOGIPF]);
338 tos: | settos YY_NUMBER { DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
339 | settos YY_HEX { DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
340 | settos lstart toslist lend
343 settos: IPFY_TOS { setipftype(); }
347 YY_NUMBER { DOALL(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
348 | YY_HEX { DOREM(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
349 | toslist lmore YY_NUMBER
350 { DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
351 | toslist lmore YY_HEX
352 { DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
355 ttl: | setttl YY_NUMBER
356 { DOALL(fr->fr_ttl = $2; fr->fr_mttl = 0xff;) }
357 | setttl lstart ttllist lend
360 lstart: '(' { newlist = 1; fr = frc; added = 0; }
363 lend: ')' { nrules += added; }
366 lmore: lanother { if (newlist == 1) {
379 setttl: IPFY_TTL { setipftype(); }
383 YY_NUMBER { DOREM(fr->fr_ttl = $1; fr->fr_mttl = 0xff;) }
384 | ttllist lmore YY_NUMBER
385 { DOREM(fr->fr_ttl = $3; fr->fr_mttl = 0xff;) }
388 proto: | protox protocol { yyresetdict(); }
391 protox: IPFY_PROTO { setipftype();
396 ip: srcdst flags icmp
399 group: | IPFY_GROUP YY_STR { DOALL(strncpy(fr->fr_group, $2, \
403 | IPFY_GROUP YY_NUMBER { DOALL(sprintf(fr->fr_group, "%d", \
408 head: | IPFY_HEAD YY_STR { DOALL(strncpy(fr->fr_grhead, $2, \
411 | IPFY_HEAD YY_NUMBER { DOALL(sprintf(fr->fr_grhead, "%d", \
416 | IPFY_SETTAG '(' taginlist ')'
421 | taginlist ',' taginspec
428 nattag: IPFY_NAT '=' YY_STR { DOALL(strncpy(fr->fr_nattag.ipt_tag,\
431 | IPFY_NAT '=' YY_NUMBER { DOALL(sprintf(fr->fr_nattag.ipt_tag,\
432 "%d", $3 & 0xffffffff);) }
435 logtag: IPFY_LOG '=' YY_NUMBER { DOALL(fr->fr_logtag = $3;) }
439 | IPFY_SETTAG '(' tagoutlist ')'
444 | tagoutlist ',' tagoutspec
453 | IPFY_MATCHTAG '(' tagoutlist ')'
457 | IPFY_MATCHTAG '(' taginlist ')'
460 pps: | IPFY_PPS YY_NUMBER { DOALL(fr->fr_pps = $2;) }
463 new: | savegroup file restoregroup
478 IPFY_QUICK { fr->fr_flags |= FR_QUICK; }
482 | IPFY_ON lstart onlist lend
483 | IPFY_ON onname IPFY_INVIA vianame
484 | IPFY_ON onname IPFY_OUTVIA vianame
487 onlist: onname { DOREM(strncpy(fr->fr_ifnames[0], $1.if1, \
488 sizeof(fr->fr_ifnames[0])); \
489 if ($1.if2 != NULL) { \
490 strncpy(fr->fr_ifnames[1], \
492 sizeof(fr->fr_ifnames[1]));\
495 | onlist lmore onname { DOREM(strncpy(fr->fr_ifnames[0], $3.if1, \
496 sizeof(fr->fr_ifnames[0])); \
497 if ($3.if2 != NULL) { \
498 strncpy(fr->fr_ifnames[1], \
500 sizeof(fr->fr_ifnames[1]));\
505 onname: interfacename
506 { strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
507 $$.if1 = fr->fr_ifnames[0];
511 | interfacename ',' interfacename
512 { strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
513 $$.if1 = fr->fr_ifnames[0];
515 strncpy(fr->fr_ifnames[1], $3, sizeof(fr->fr_ifnames[1]));
516 $$.if1 = fr->fr_ifnames[1];
523 { strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
527 { strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
529 strncpy(fr->fr_ifnames[3], $3, sizeof(fr->fr_ifnames[3]));
535 { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
538 | IPFY_DUPTO name duptoseparator hostname
539 { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
540 fr->fr_dif.fd_ip = $4;
544 | IPFY_DUPTO name duptoseparator YY_IPV6
545 { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
546 bcopy(&$4, &fr->fr_dif.fd_ip6, sizeof(fr->fr_dif.fd_ip6));
553 ':' { yyexpectaddr = 1; yycont = &yyexpectaddr; resetaddr(); }
556 froute: IPFY_FROUTE { fr->fr_flags |= FR_FASTROUTE; }
560 { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
563 | routeto name duptoseparator hostname
564 { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
565 fr->fr_tif.fd_ip = $4;
569 | routeto name duptoseparator YY_IPV6
570 { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
571 bcopy(&$4, &fr->fr_tif.fd_ip6, sizeof(fr->fr_tif.fd_ip6));
584 { strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
587 | IPFY_REPLY_TO name duptoseparator hostname
588 { strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
589 fr->fr_rif.fd_ip = $4;
596 | logoptions logoption
600 IPFY_BODY { fr->fr_flags |= FR_LOGBODY; }
601 | IPFY_FIRST { fr->fr_flags |= FR_LOGFIRST; }
602 | IPFY_ORBLOCK { fr->fr_flags |= FR_LOGORBLOCK; }
603 | level loglevel { unsetsyslog(); }
607 starticmpcode icmpcode ')' { fr->fr_icode = $2; yyresetdict(); }
611 '(' { yysetdict(icmpcodewords); }
619 YY_NUMBER { DOREM(fr->fr_proto = $1; \
620 fr->fr_mproto = 0xff;) }
621 | YY_STR { if (!strcmp($1, "tcp-udp")) {
622 DOREM(fr->fr_flx |= FI_TCPUDP; \
623 fr->fr_mflx |= FI_TCPUDP;)
625 int p = getproto($1);
627 yyerror("protocol unknown");
628 DOREM(fr->fr_proto = p; \
629 fr->fr_mproto = 0xff;)
633 | YY_STR nextstring YY_STR
634 { if (!strcmp($1, "tcp") &&
635 !strcmp($3, "udp")) {
636 DOREM(fr->fr_flx |= FI_TCPUDP; \
637 fr->fr_mflx |= FI_TCPUDP;)
646 '/' { yysetdict(NULL); }
649 fromto: from srcobject to dstobject { yyexpectaddr = 0; yycont = NULL; }
650 | to dstobject { yyexpectaddr = 0; yycont = NULL; }
651 | from srcobject { yyexpectaddr = 0; yycont = NULL; }
654 from: IPFY_FROM { setipftype();
659 printf("set yyexpectaddr\n");
660 yycont = &yyexpectaddr;
661 yysetdict(addrwords);
665 to: IPFY_TO { if (fr == NULL)
669 printf("set yyexpectaddr\n");
670 yycont = &yyexpectaddr;
671 yysetdict(addrwords);
675 with: | andwith withlist
679 IPFY_WITH { nowith = 0; setipftype(); }
680 | IPFY_AND { nowith = 0; setipftype(); }
683 flags: | startflags flagset
684 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
685 | startflags flagset '/' flagset
686 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
687 | startflags '/' flagset
688 { DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
689 | startflags YY_NUMBER
690 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
691 | startflags '/' YY_NUMBER
692 { DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
693 | startflags YY_NUMBER '/' YY_NUMBER
694 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
695 | startflags flagset '/' YY_NUMBER
696 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
697 | startflags YY_NUMBER '/' flagset
698 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
702 IPFY_FLAGS { if (frc->fr_type != FR_T_IPF)
703 yyerror("flags with non-ipf type rule");
704 if (frc->fr_proto != IPPROTO_TCP)
705 yyerror("flags with non-TCP rule");
710 YY_STR { $$ = tcpflags($1); free($1); }
711 | YY_HEX { $$ = $1; }
715 { yyresetdict(); } fromport
717 | '!' srcaddr srcport
718 { DOALL(fr->fr_flags |= FR_NOTSRCIP;) }
722 addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \
723 bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \
724 if (dynamic != -1) { \
725 fr->fr_satype = ifpflag; \
726 fr->fr_ipf->fri_sifpidx = dynamic; \
727 } else if (pooled || hashed) \
728 fr->fr_satype = FRI_LOOKUP;)
730 | lstart srcaddrlist lend
734 addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \
735 bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \
736 if (dynamic != -1) { \
737 fr->fr_satype = ifpflag; \
738 fr->fr_ipf->fri_sifpidx = dynamic; \
739 } else if (pooled || hashed) \
740 fr->fr_satype = FRI_LOOKUP;)
742 | srcaddrlist lmore addr
743 { DOREM(bcopy(&($3.a), &fr->fr_ip.fi_src, sizeof($3.a)); \
744 bcopy(&($3.m), &fr->fr_mip.fi_src, sizeof($3.m)); \
745 if (dynamic != -1) { \
746 fr->fr_satype = ifpflag; \
747 fr->fr_ipf->fri_sifpidx = dynamic; \
748 } else if (pooled || hashed) \
749 fr->fr_satype = FRI_LOOKUP;)
755 { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
757 { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
758 fr->fr_stop = $1.p2;) }
759 | porteq lstart srcportlist lend
765 { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
767 { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
768 fr->fr_stop = $1.p2;) }
769 | porteq lstart srcportlist lend
774 portnum { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $1;) }
775 | portnum ':' portnum
776 { DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $1; \
778 | portnum YY_RANGE_IN portnum
779 { DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $1; \
781 | srcportlist lmore portnum
782 { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $3;) }
783 | srcportlist lmore portnum ':' portnum
784 { DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $3; \
786 | srcportlist lmore portnum YY_RANGE_IN portnum
787 { DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $3; \
792 { yyresetdict(); } toport
794 | '!' dstaddr dstport
795 { DOALL(fr->fr_flags |= FR_NOTDSTIP;) }
799 addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
800 bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \
801 if (dynamic != -1) { \
802 fr->fr_datype = ifpflag; \
803 fr->fr_ipf->fri_difpidx = dynamic; \
804 } else if (pooled || hashed) \
805 fr->fr_datype = FRI_LOOKUP;)
807 | lstart dstaddrlist lend
811 addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
812 bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \
813 if (dynamic != -1) { \
814 fr->fr_datype = ifpflag; \
815 fr->fr_ipf->fri_difpidx = dynamic; \
816 } else if (pooled || hashed) \
817 fr->fr_datype = FRI_LOOKUP;)
819 | dstaddrlist lmore addr
820 { DOREM(bcopy(&($3.a), &fr->fr_ip.fi_dst, sizeof($3.a)); \
821 bcopy(&($3.m), &fr->fr_mip.fi_dst, sizeof($3.m)); \
822 if (dynamic != -1) { \
823 fr->fr_datype = ifpflag; \
824 fr->fr_ipf->fri_difpidx = dynamic; \
825 } else if (pooled || hashed) \
826 fr->fr_datype = FRI_LOOKUP;)
833 { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
835 { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
836 fr->fr_dtop = $1.p2;) }
837 | porteq lstart dstportlist lend
843 { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
845 { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
846 fr->fr_dtop = $1.p2;) }
847 | porteq lstart dstportlist lend
852 portnum { DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $1;) }
853 | portnum ':' portnum
854 { DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $1; \
856 | portnum YY_RANGE_IN portnum
857 { DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $1; \
859 | dstportlist lmore portnum
860 { DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $3;) }
861 | dstportlist lmore portnum ':' portnum
862 { DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $3; \
864 | dstportlist lmore portnum YY_RANGE_IN portnum
865 { DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $3; \
869 addr: pool '/' YY_NUMBER { pooled = 1;
870 $$.a.iplookuptype = IPLT_POOL;
871 $$.a.iplookupsubtype = 0;
872 $$.a.iplookupnum = $3; }
873 | pool '/' YY_STR { pooled = 1;
874 $$.a.iplookuptype = IPLT_POOL;
875 $$.a.iplookupsubtype = 1;
876 strncpy($$.a.iplookupname, $3,
877 sizeof($$.a.iplookupname));
879 | pool '=' '(' poollist ')' { pooled = 1;
880 $$.a.iplookuptype = IPLT_POOL;
881 $$.a.iplookupsubtype = 0;
882 $$.a.iplookupnum = makepool($4); }
883 | hash '/' YY_NUMBER { hashed = 1;
884 $$.a.iplookuptype = IPLT_HASH;
885 $$.a.iplookupsubtype = 0;
886 $$.a.iplookupnum = $3; }
887 | hash '/' YY_STR { pooled = 1;
888 $$.a.iplookuptype = IPLT_HASH;
889 $$.a.iplookupsubtype = 1;
890 strncpy($$.a.iplookupname, $3,
891 sizeof($$.a.iplookupname));
893 | hash '=' '(' addrlist ')' { hashed = 1;
894 $$.a.iplookuptype = IPLT_HASH;
895 $$.a.iplookupsubtype = 0;
896 $$.a.iplookupnum = makehash($4); }
897 | ipaddr { bcopy(&$1, &$$, sizeof($$));
901 ipaddr: IPFY_ANY { bzero(&($$), sizeof($$));
904 | hostname { $$.a.in4 = $1;
905 $$.m.in4_addr = 0xffffffff;
907 | hostname { yyresetdict();
908 $$.a.in4_addr = $1.s_addr; }
909 maskspace { yysetdict(maskwords); }
910 ipv4mask { $$.m.in4_addr = $5.s_addr;
911 $$.a.in4_addr &= $5.s_addr;
914 | YY_IPV6 { bcopy(&$1, &$$.a, sizeof($$.a));
915 fill6bits(128, (u_32_t *)&$$.m);
918 | YY_IPV6 { yyresetdict();
919 bcopy(&$1, &$$.a, sizeof($$.a)); }
920 maskspace { yysetdict(maskwords); }
921 ipv6mask { bcopy(&$5, &$$.m, sizeof($$.m));
932 | YY_HEX { $$.s_addr = htonl($1); }
933 | YY_NUMBER { ntomask(4, $1, (u_32_t *)&$$); }
934 | IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) {
936 ifpflag = FRI_BROADCAST;
940 | IPFY_NETWORK { if (ifpflag == FRI_DYNAMIC) {
942 ifpflag = FRI_NETWORK;
946 | IPFY_NETMASKED { if (ifpflag == FRI_DYNAMIC) {
948 ifpflag = FRI_NETMASKED;
952 | IPFY_PEER { if (ifpflag == FRI_DYNAMIC) {
954 ifpflag = FRI_PEERADDR;
961 YY_NUMBER { ntomask(6, $1, $$.i6); }
962 | IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) {
963 bzero(&$$, sizeof($$));
964 ifpflag = FRI_BROADCAST;
968 | IPFY_NETWORK { if (ifpflag == FRI_DYNAMIC) {
969 bzero(&$$, sizeof($$));
970 ifpflag = FRI_BROADCAST;
974 | IPFY_NETMASKED { if (ifpflag == FRI_DYNAMIC) {
975 bzero(&$$, sizeof($$));
976 ifpflag = FRI_BROADCAST;
980 | IPFY_PEER { if (ifpflag == FRI_DYNAMIC) {
981 bzero(&$$, sizeof($$));
982 ifpflag = FRI_BROADCAST;
990 | YY_NUMBER { $$.s_addr = $1; }
991 | YY_HEX { $$.s_addr = $1; }
992 | YY_STR { $$.s_addr = lookuphost($1);
998 ipaddr { $$ = newalist(NULL);
999 bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
1000 bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); }
1001 | addrlist ',' ipaddr
1002 { $$ = newalist($1);
1003 bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
1004 bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); }
1007 pool: IPFY_POOL { yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
1010 hash: IPFY_HASH { yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
1014 ipaddr { $$ = newalist(NULL);
1015 bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
1016 bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); }
1017 | '!' ipaddr { $$ = newalist(NULL);
1019 bcopy(&($2.a), &($$->al_i6addr), sizeof($2.a));
1020 bcopy(&($2.m), &($$->al_i6mask), sizeof($2.m)); }
1021 | poollist ',' ipaddr
1022 { $$ = newalist($1);
1023 bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
1024 bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); }
1025 | poollist ',' '!' ipaddr
1026 { $$ = newalist($1);
1028 bcopy(&($4.a), &($$->al_i6addr), sizeof($4.a));
1029 bcopy(&($4.m), &($$->al_i6mask), sizeof($4.m)); }
1032 port: IPFY_PORT { yyexpectaddr = 0;
1037 portc: port compare { $$ = $2;
1039 | porteq { $$ = $1; }
1042 porteq: port '=' { $$ = FR_EQUAL;
1046 portr: IPFY_PORT { yyexpectaddr = 0;
1052 portc portnum { $$.pc = $1;
1058 portr portnum range portnum { $$.p1 = $2;
1067 itype: seticmptype icmptype
1068 { DOALL(fr->fr_icmp = htons($2 << 8); fr->fr_icmpm = htons(0xff00););
1071 | seticmptype lstart typelist lend { yyresetdict(); }
1075 IPFY_ICMPTYPE { setipftype();
1076 yysetdict(icmptypewords); }
1079 icode: | seticmpcode icmpcode
1080 { DOALL(fr->fr_icmp |= htons($2); fr->fr_icmpm |= htons(0xff););
1083 | seticmpcode lstart codelist lend { yyresetdict(); }
1087 IPFY_ICMPCODE { yysetdict(icmpcodewords); }
1092 { DOREM(fr->fr_icmp = htons($1 << 8); fr->fr_icmpm = htons(0xff00);) }
1093 | typelist lmore icmptype
1094 { DOREM(fr->fr_icmp = htons($3 << 8); fr->fr_icmpm = htons(0xff00);) }
1099 { DOREM(fr->fr_icmp |= htons($1); fr->fr_icmpm |= htons(0xff);) }
1100 | codelist lmore icmpcode
1101 { DOREM(fr->fr_icmp &= htons(0xff00); fr->fr_icmp |= htons($3); \
1102 fr->fr_icmpm |= htons(0xff);) }
1105 age: | IPFY_AGE YY_NUMBER { DOALL(fr->fr_age[0] = $2; \
1106 fr->fr_age[1] = $2;) }
1107 | IPFY_AGE YY_NUMBER '/' YY_NUMBER
1108 { DOALL(fr->fr_age[0] = $2; \
1109 fr->fr_age[1] = $4;) }
1112 keep: | IPFY_KEEP keepstate keep
1113 | IPFY_KEEP keepfrag keep
1117 IPFY_STATE stateoptlist { DOALL(fr->fr_flags |= FR_KEEPSTATE;)}
1121 IPFY_FRAGS fragoptlist { DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
1122 | IPFY_FRAG fragoptlist { DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
1130 fragopt lanother fragopts
1135 IPFY_STRICT { DOALL(fr->fr_flags |= FR_FRSTRICT;) }
1143 stateopt lanother stateopts
1148 IPFY_LIMIT YY_NUMBER { DOALL(fr->fr_statemax = $2;) }
1149 | IPFY_STRICT { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
1152 fr->fr_flags |= FR_STSTRICT;)
1154 | IPFY_NEWISN { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
1157 fr->fr_flags |= FR_NEWISN;)
1159 | IPFY_NOICMPERR { DOALL(fr->fr_flags |= FR_NOICMPERR;) }
1161 | IPFY_SYNC { DOALL(fr->fr_flags |= FR_STATESYNC;) }
1162 | IPFY_AGE YY_NUMBER { DOALL(fr->fr_age[0] = $2; \
1163 fr->fr_age[1] = $2;) }
1164 | IPFY_AGE YY_NUMBER '/' YY_NUMBER
1165 { DOALL(fr->fr_age[0] = $2; \
1166 fr->fr_age[1] = $4;) }
1170 servicename { if (getport(frc, $1, &($$)) == -1)
1171 yyerror("service unknown");
1175 | YY_NUMBER { if ($1 > 65535) /* Unsigned */
1176 yyerror("invalid port number");
1183 withopt { nowith = 0; }
1184 | withlist withopt { nowith = 0; }
1185 | withlist ',' withopt { nowith = 0; }
1189 opttype { DOALL(fr->fr_flx |= $1; fr->fr_mflx |= $1;) }
1190 | notwith opttype { DOALL(fr->fr_mflx |= $2;) }
1191 | ipopt ipopts { yyresetdict(); }
1192 | notwith ipopt ipopts { yyresetdict(); }
1193 | startv6hdrs ipv6hdrs { yyresetdict(); }
1196 ipopt: IPFY_OPT { yysetdict(ipv4optwords); }
1200 IPF6_V6HDRS { if (use_inet6 == 0)
1201 yyerror("only available with IPv6");
1202 yysetdict(ipv6optwords);
1207 IPFY_NOT { nowith = 1; }
1208 | IPFY_NO { nowith = 1; }
1212 IPFY_IPOPTS { $$ = FI_OPTIONS; }
1213 | IPFY_SHORT { $$ = FI_SHORT; }
1214 | IPFY_NAT { $$ = FI_NATED; }
1215 | IPFY_BAD { $$ = FI_BAD; }
1216 | IPFY_BADNAT { $$ = FI_BADNAT; }
1217 | IPFY_BADSRC { $$ = FI_BADSRC; }
1218 | IPFY_LOWTTL { $$ = FI_LOWTTL; }
1219 | IPFY_FRAG { $$ = FI_FRAG; }
1220 | IPFY_FRAGBODY { $$ = FI_FRAGBODY; }
1221 | IPFY_FRAGS { $$ = FI_FRAG; }
1222 | IPFY_MBCAST { $$ = FI_MBCAST; }
1223 | IPFY_MULTICAST { $$ = FI_MULTICAST; }
1224 | IPFY_BROADCAST { $$ = FI_BROADCAST; }
1225 | IPFY_STATE { $$ = FI_STATE; }
1226 | IPFY_OOW { $$ = FI_OOW; }
1229 ipopts: optlist { DOALL(fr->fr_mip.fi_optmsk |= $1;
1231 fr->fr_ip.fi_optmsk |= $1;)
1237 | optlist ',' opt { $$ |= $1 | $3; }
1241 ipv6hdrlist { DOALL(fr->fr_mip.fi_optmsk |= $1;
1243 fr->fr_ip.fi_optmsk |= $1;)
1248 ipv6hdr { $$ |= $1; }
1249 | ipv6hdrlist ',' ipv6hdr { $$ |= $1 | $3; }
1253 seclevel { $$ |= $1; }
1254 | secname ',' seclevel { $$ |= $1 | $3; }
1258 IPFY_SEC_UNC { $$ = secbit(IPSO_CLASS_UNCL); }
1259 | IPFY_SEC_CONF { $$ = secbit(IPSO_CLASS_CONF); }
1260 | IPFY_SEC_RSV1 { $$ = secbit(IPSO_CLASS_RES1); }
1261 | IPFY_SEC_RSV2 { $$ = secbit(IPSO_CLASS_RES2); }
1262 | IPFY_SEC_RSV3 { $$ = secbit(IPSO_CLASS_RES3); }
1263 | IPFY_SEC_RSV4 { $$ = secbit(IPSO_CLASS_RES4); }
1264 | IPFY_SEC_SEC { $$ = secbit(IPSO_CLASS_SECR); }
1265 | IPFY_SEC_TS { $$ = secbit(IPSO_CLASS_TOPS); }
1269 YY_NUMBER { $$ = $1; }
1270 | IPFY_ICMPT_UNR { $$ = ICMP_UNREACH; }
1271 | IPFY_ICMPT_ECHO { $$ = ICMP_ECHO; }
1272 | IPFY_ICMPT_ECHOR { $$ = ICMP_ECHOREPLY; }
1273 | IPFY_ICMPT_SQUENCH { $$ = ICMP_SOURCEQUENCH; }
1274 | IPFY_ICMPT_REDIR { $$ = ICMP_REDIRECT; }
1275 | IPFY_ICMPT_TIMEX { $$ = ICMP_TIMXCEED; }
1276 | IPFY_ICMPT_PARAMP { $$ = ICMP_PARAMPROB; }
1277 | IPFY_ICMPT_TIMEST { $$ = ICMP_TSTAMP; }
1278 | IPFY_ICMPT_TIMESTREP { $$ = ICMP_TSTAMPREPLY; }
1279 | IPFY_ICMPT_INFOREQ { $$ = ICMP_IREQ; }
1280 | IPFY_ICMPT_INFOREP { $$ = ICMP_IREQREPLY; }
1281 | IPFY_ICMPT_MASKREQ { $$ = ICMP_MASKREQ; }
1282 | IPFY_ICMPT_MASKREP { $$ = ICMP_MASKREPLY; }
1283 | IPFY_ICMPT_ROUTERAD { $$ = ICMP_ROUTERADVERT; }
1284 | IPFY_ICMPT_ROUTERSOL { $$ = ICMP_ROUTERSOLICIT; }
1288 YY_NUMBER { $$ = $1; }
1289 | IPFY_ICMPC_NETUNR { $$ = ICMP_UNREACH_NET; }
1290 | IPFY_ICMPC_HSTUNR { $$ = ICMP_UNREACH_HOST; }
1291 | IPFY_ICMPC_PROUNR { $$ = ICMP_UNREACH_PROTOCOL; }
1292 | IPFY_ICMPC_PORUNR { $$ = ICMP_UNREACH_PORT; }
1293 | IPFY_ICMPC_NEEDF { $$ = ICMP_UNREACH_NEEDFRAG; }
1294 | IPFY_ICMPC_SRCFAIL { $$ = ICMP_UNREACH_SRCFAIL; }
1295 | IPFY_ICMPC_NETUNK { $$ = ICMP_UNREACH_NET_UNKNOWN; }
1296 | IPFY_ICMPC_HSTUNK { $$ = ICMP_UNREACH_HOST_UNKNOWN; }
1297 | IPFY_ICMPC_ISOLATE { $$ = ICMP_UNREACH_ISOLATED; }
1298 | IPFY_ICMPC_NETPRO { $$ = ICMP_UNREACH_NET_PROHIB; }
1299 | IPFY_ICMPC_HSTPRO { $$ = ICMP_UNREACH_HOST_PROHIB; }
1300 | IPFY_ICMPC_NETTOS { $$ = ICMP_UNREACH_TOSNET; }
1301 | IPFY_ICMPC_HSTTOS { $$ = ICMP_UNREACH_TOSHOST; }
1302 | IPFY_ICMPC_FLTPRO { $$ = ICMP_UNREACH_ADMIN_PROHIBIT; }
1303 | IPFY_ICMPC_HSTPRE { $$ = 14; }
1304 | IPFY_ICMPC_CUTPRE { $$ = 15; }
1308 IPFY_IPOPT_NOP { $$ = getoptbyvalue(IPOPT_NOP); }
1309 | IPFY_IPOPT_RR { $$ = getoptbyvalue(IPOPT_RR); }
1310 | IPFY_IPOPT_ZSU { $$ = getoptbyvalue(IPOPT_ZSU); }
1311 | IPFY_IPOPT_MTUP { $$ = getoptbyvalue(IPOPT_MTUP); }
1312 | IPFY_IPOPT_MTUR { $$ = getoptbyvalue(IPOPT_MTUR); }
1313 | IPFY_IPOPT_ENCODE { $$ = getoptbyvalue(IPOPT_ENCODE); }
1314 | IPFY_IPOPT_TS { $$ = getoptbyvalue(IPOPT_TS); }
1315 | IPFY_IPOPT_TR { $$ = getoptbyvalue(IPOPT_TR); }
1316 | IPFY_IPOPT_SEC { $$ = getoptbyvalue(IPOPT_SECURITY); }
1317 | IPFY_IPOPT_LSRR { $$ = getoptbyvalue(IPOPT_LSRR); }
1318 | IPFY_IPOPT_ESEC { $$ = getoptbyvalue(IPOPT_E_SEC); }
1319 | IPFY_IPOPT_CIPSO { $$ = getoptbyvalue(IPOPT_CIPSO); }
1320 | IPFY_IPOPT_SATID { $$ = getoptbyvalue(IPOPT_SATID); }
1321 | IPFY_IPOPT_SSRR { $$ = getoptbyvalue(IPOPT_SSRR); }
1322 | IPFY_IPOPT_ADDEXT { $$ = getoptbyvalue(IPOPT_ADDEXT); }
1323 | IPFY_IPOPT_VISA { $$ = getoptbyvalue(IPOPT_VISA); }
1324 | IPFY_IPOPT_IMITD { $$ = getoptbyvalue(IPOPT_IMITD); }
1325 | IPFY_IPOPT_EIP { $$ = getoptbyvalue(IPOPT_EIP); }
1326 | IPFY_IPOPT_FINN { $$ = getoptbyvalue(IPOPT_FINN); }
1327 | IPFY_IPOPT_DPS { $$ = getoptbyvalue(IPOPT_DPS); }
1328 | IPFY_IPOPT_SDB { $$ = getoptbyvalue(IPOPT_SDB); }
1329 | IPFY_IPOPT_NSAPA { $$ = getoptbyvalue(IPOPT_NSAPA); }
1330 | IPFY_IPOPT_RTRALRT { $$ = getoptbyvalue(IPOPT_RTRALRT); }
1331 | IPFY_IPOPT_UMP { $$ = getoptbyvalue(IPOPT_UMP); }
1332 | setsecclass secname
1333 { DOALL(fr->fr_mip.fi_secmsk |= $2;
1335 fr->fr_ip.fi_secmsk |= $2;)
1342 IPFY_SECCLASS { yysetdict(ipv4secwords); }
1346 IPFY_AH { $$ = getv6optbyvalue(IPPROTO_AH); }
1347 | IPFY_IPV6OPT_DSTOPTS { $$ = getv6optbyvalue(IPPROTO_DSTOPTS); }
1348 | IPFY_IPV6OPT_ESP { $$ = getv6optbyvalue(IPPROTO_ESP); }
1349 | IPFY_IPV6OPT_HOPOPTS { $$ = getv6optbyvalue(IPPROTO_HOPOPTS); }
1350 | IPFY_IPV6OPT_IPV6 { $$ = getv6optbyvalue(IPPROTO_IPV6); }
1351 | IPFY_IPV6OPT_NONE { $$ = getv6optbyvalue(IPPROTO_NONE); }
1352 | IPFY_IPV6OPT_ROUTING { $$ = getv6optbyvalue(IPPROTO_ROUTING); }
1353 | IPFY_IPV6OPT_FRAG { $$ = getv6optbyvalue(IPPROTO_FRAGMENT); }
1354 | IPFY_IPV6OPT_MOBILITY { $$ = getv6optbyvalue(IPPROTO_MOBILITY); }
1357 level: IPFY_LEVEL { setsyslog(); }
1361 priority { fr->fr_loglevel = LOG_LOCAL0|$1; }
1362 | facility '.' priority { fr->fr_loglevel = $1 | $3; }
1366 IPFY_FAC_KERN { $$ = LOG_KERN; }
1367 | IPFY_FAC_USER { $$ = LOG_USER; }
1368 | IPFY_FAC_MAIL { $$ = LOG_MAIL; }
1369 | IPFY_FAC_DAEMON { $$ = LOG_DAEMON; }
1370 | IPFY_FAC_AUTH { $$ = LOG_AUTH; }
1371 | IPFY_FAC_SYSLOG { $$ = LOG_SYSLOG; }
1372 | IPFY_FAC_LPR { $$ = LOG_LPR; }
1373 | IPFY_FAC_NEWS { $$ = LOG_NEWS; }
1374 | IPFY_FAC_UUCP { $$ = LOG_UUCP; }
1375 | IPFY_FAC_CRON { $$ = LOG_CRON; }
1376 | IPFY_FAC_FTP { $$ = LOG_FTP; }
1377 | IPFY_FAC_AUTHPRIV { $$ = LOG_AUTHPRIV; }
1378 | IPFY_FAC_AUDIT { $$ = LOG_AUDIT; }
1379 | IPFY_FAC_LFMT { $$ = LOG_LFMT; }
1380 | IPFY_FAC_LOCAL0 { $$ = LOG_LOCAL0; }
1381 | IPFY_FAC_LOCAL1 { $$ = LOG_LOCAL1; }
1382 | IPFY_FAC_LOCAL2 { $$ = LOG_LOCAL2; }
1383 | IPFY_FAC_LOCAL3 { $$ = LOG_LOCAL3; }
1384 | IPFY_FAC_LOCAL4 { $$ = LOG_LOCAL4; }
1385 | IPFY_FAC_LOCAL5 { $$ = LOG_LOCAL5; }
1386 | IPFY_FAC_LOCAL6 { $$ = LOG_LOCAL6; }
1387 | IPFY_FAC_LOCAL7 { $$ = LOG_LOCAL7; }
1388 | IPFY_FAC_SECURITY { $$ = LOG_SECURITY; }
1392 IPFY_PRI_EMERG { $$ = LOG_EMERG; }
1393 | IPFY_PRI_ALERT { $$ = LOG_ALERT; }
1394 | IPFY_PRI_CRIT { $$ = LOG_CRIT; }
1395 | IPFY_PRI_ERR { $$ = LOG_ERR; }
1396 | IPFY_PRI_WARN { $$ = LOG_WARNING; }
1397 | IPFY_PRI_NOTICE { $$ = LOG_NOTICE; }
1398 | IPFY_PRI_INFO { $$ = LOG_INFO; }
1399 | IPFY_PRI_DEBUG { $$ = LOG_DEBUG; }
1403 YY_CMP_EQ { $$ = FR_EQUAL; }
1404 | YY_CMP_NE { $$ = FR_NEQUAL; }
1405 | YY_CMP_LT { $$ = FR_LESST; }
1406 | YY_CMP_LE { $$ = FR_LESSTE; }
1407 | YY_CMP_GT { $$ = FR_GREATERT; }
1408 | YY_CMP_GE { $$ = FR_GREATERTE; }
1411 range: YY_RANGE_IN { $$ = FR_INRANGE; }
1412 | YY_RANGE_OUT { $$ = FR_OUTRANGE; }
1413 | ':' { $$ = FR_INCRANGE; }
1420 interfacename: name { $$ = $1; }
1421 | name ':' YY_NUMBER
1423 fprintf(stderr, "%d: Logical interface %s:%d unsupported, "
1424 "use the physical interface %s instead.\n",
1425 yylineNum, $1, $3, $1);
1429 name: YY_STR { $$ = $1; }
1430 | '-' { $$ = strdup("-"); }
1434 YY_NUMBER '.' YY_NUMBER
1435 { if ($1 > 255 || $3 > 255) {
1436 yyerror("Invalid octet string for IP address");
1439 $$.s_addr = ($1 << 24) | ($3 << 16);
1440 $$.s_addr = htonl($$.s_addr);
1445 ipv4_16 '.' YY_NUMBER
1447 yyerror("Invalid octet string for IP address");
1450 $$.s_addr |= htonl($3 << 8);
1454 ipv4: ipv4_24 '.' YY_NUMBER
1456 yyerror("Invalid octet string for IP address");
1459 $$.s_addr |= htonl($3);
/*
 * Main keyword table for the rule grammar: each entry maps a keyword string
 * to its yacc token.  Several spellings share a token (e.g. "ipopt"/"ipopts",
 * "mcast"/"multicast", "age"/"state-age").  Declared earlier in the file with
 * the same size; some entries are omitted from this listing.
 */
1468 static struct wordtab ipfwords[95] = {
1469 { "age", IPFY_AGE },
1471 { "all", IPFY_ALL },
1472 { "and", IPFY_AND },
1473 { "auth", IPFY_AUTH },
1474 { "bad", IPFY_BAD },
1475 { "bad-nat", IPFY_BADNAT },
1476 { "bad-src", IPFY_BADSRC },
1477 { "bcast", IPFY_BROADCAST },
1478 { "block", IPFY_BLOCK },
1479 { "body", IPFY_BODY },
1480 { "bpf-v4", IPFY_BPFV4 },
1482 { "bpf-v6", IPFY_BPFV6 },
1484 { "call", IPFY_CALL },
1485 { "code", IPFY_ICMPCODE },
1486 { "count", IPFY_COUNT },
1487 { "dup-to", IPFY_DUPTO },
1488 { "eq", YY_CMP_EQ },
1489 { "esp", IPFY_ESP },
1490 { "fastroute", IPFY_FROUTE },
1491 { "first", IPFY_FIRST },
1492 { "flags", IPFY_FLAGS },
1493 { "frag", IPFY_FRAG },
1494 { "frag-body", IPFY_FRAGBODY },
1495 { "frags", IPFY_FRAGS },
1496 { "from", IPFY_FROM },
1497 { "ge", YY_CMP_GE },
1498 { "group", IPFY_GROUP },
1499 { "gt", YY_CMP_GT },
1500 { "head", IPFY_HEAD },
1501 { "icmp", IPFY_ICMP },
1502 { "icmp-type", IPFY_ICMPTYPE },
1504 { "in-via", IPFY_INVIA },
1505 { "ipopt", IPFY_IPOPTS },
1506 { "ipopts", IPFY_IPOPTS },
1507 { "keep", IPFY_KEEP },
1508 { "le", YY_CMP_LE },
1509 { "level", IPFY_LEVEL },
1510 { "limit", IPFY_LIMIT },
1511 { "log", IPFY_LOG },
1512 { "lowttl", IPFY_LOWTTL },
1513 { "lt", YY_CMP_LT },
1514 { "mask", IPFY_MASK },
1515 { "match-tag", IPFY_MATCHTAG },
1516 { "mbcast", IPFY_MBCAST },
1517 { "mcast", IPFY_MULTICAST },
1518 { "multicast", IPFY_MULTICAST },
1519 { "nat", IPFY_NAT },
1520 { "ne", YY_CMP_NE },
1521 { "net", IPFY_NETWORK },
1522 { "newisn", IPFY_NEWISN },
1524 { "no-icmp-err", IPFY_NOICMPERR },
1525 { "nomatch", IPFY_NOMATCH },
1526 { "now", IPFY_NOW },
1527 { "not", IPFY_NOT },
1528 { "oow", IPFY_OOW },
1530 { "opt", IPFY_OPT },
1531 { "or-block", IPFY_ORBLOCK },
1532 { "out", IPFY_OUT },
1533 { "out-via", IPFY_OUTVIA },
1534 { "pass", IPFY_PASS },
1535 { "port", IPFY_PORT },
1536 { "pps", IPFY_PPS },
1537 { "preauth", IPFY_PREAUTH },
1538 { "proto", IPFY_PROTO },
1539 { "quick", IPFY_QUICK },
1540 { "reply-to", IPFY_REPLY_TO },
1541 { "return-icmp", IPFY_RETICMP },
1542 { "return-icmp-as-dest", IPFY_RETICMPASDST },
1543 { "return-rst", IPFY_RETRST },
1544 { "route-to", IPFY_ROUTETO },
1545 { "sec-class", IPFY_SECCLASS },
1546 { "set-tag", IPFY_SETTAG },
1547 { "skip", IPFY_SKIP },
1548 { "short", IPFY_SHORT },
1549 { "state", IPFY_STATE },
1550 { "state-age", IPFY_AGE },
1551 { "strict", IPFY_STRICT },
1552 { "sync", IPFY_SYNC },
1553 { "tcp", IPFY_TCP },
1554 { "tcp-udp", IPFY_TCPUDP },
1555 { "tos", IPFY_TOS },
1557 { "ttl", IPFY_TTL },
1558 { "udp", IPFY_UDP },
1559 { "v6hdrs", IPF6_V6HDRS },
1560 { "with", IPFY_WITH },
/* Keywords accepted where an address is expected: "any", or a named "hash"
 * or "pool" lookup table. */
1564 static struct wordtab addrwords[4] = {
1565 { "any", IPFY_ANY },
1566 { "hash", IPFY_HASH },
1567 { "pool", IPFY_POOL },
/* Keywords accepted in the netmask position of an address. */
1571 static struct wordtab maskwords[5] = {
1572 { "broadcast", IPFY_BROADCAST },
1573 { "netmasked", IPFY_NETMASKED },
1574 { "network", IPFY_NETWORK },
1575 { "peer", IPFY_PEER },
/* Symbolic ICMP type names -> tokens (the numeric type each token stands for
 * is resolved elsewhere). */
1579 static struct wordtab icmptypewords[16] = {
1580 { "echo", IPFY_ICMPT_ECHO },
1581 { "echorep", IPFY_ICMPT_ECHOR },
1582 { "inforeq", IPFY_ICMPT_INFOREQ },
1583 { "inforep", IPFY_ICMPT_INFOREP },
1584 { "maskrep", IPFY_ICMPT_MASKREP },
1585 { "maskreq", IPFY_ICMPT_MASKREQ },
1586 { "paramprob", IPFY_ICMPT_PARAMP },
1587 { "redir", IPFY_ICMPT_REDIR },
1588 { "unreach", IPFY_ICMPT_UNR },
1589 { "routerad", IPFY_ICMPT_ROUTERAD },
1590 { "routersol", IPFY_ICMPT_ROUTERSOL },
1591 { "squench", IPFY_ICMPT_SQUENCH },
1592 { "timest", IPFY_ICMPT_TIMEST },
1593 { "timestrep", IPFY_ICMPT_TIMESTREP },
1594 { "timex", IPFY_ICMPT_TIMEX },
/* Symbolic ICMP code names (unreachable sub-codes and friends) -> tokens. */
1598 static struct wordtab icmpcodewords[17] = {
1599 { "cutoff-preced", IPFY_ICMPC_CUTPRE },
1600 { "filter-prohib", IPFY_ICMPC_FLTPRO },
1601 { "isolate", IPFY_ICMPC_ISOLATE },
1602 { "needfrag", IPFY_ICMPC_NEEDF },
1603 { "net-prohib", IPFY_ICMPC_NETPRO },
1604 { "net-tos", IPFY_ICMPC_NETTOS },
1605 { "host-preced", IPFY_ICMPC_HSTPRE },
1606 { "host-prohib", IPFY_ICMPC_HSTPRO },
1607 { "host-tos", IPFY_ICMPC_HSTTOS },
1608 { "host-unk", IPFY_ICMPC_HSTUNK },
1609 { "host-unr", IPFY_ICMPC_HSTUNR },
1610 { "net-unk", IPFY_ICMPC_NETUNK },
1611 { "net-unr", IPFY_ICMPC_NETUNR },
1612 { "port-unr", IPFY_ICMPC_PORUNR },
1613 { "proto-unr", IPFY_ICMPC_PROUNR },
1614 { "srcfail", IPFY_ICMPC_SRCFAIL },
/* IPv4 option names usable after "ipopts"/"opt" -> tokens. */
1618 static struct wordtab ipv4optwords[25] = {
1619 { "addext", IPFY_IPOPT_ADDEXT },
1620 { "cipso", IPFY_IPOPT_CIPSO },
1621 { "dps", IPFY_IPOPT_DPS },
1622 { "e-sec", IPFY_IPOPT_ESEC },
1623 { "eip", IPFY_IPOPT_EIP },
1624 { "encode", IPFY_IPOPT_ENCODE },
1625 { "finn", IPFY_IPOPT_FINN },
1626 { "imitd", IPFY_IPOPT_IMITD },
1627 { "lsrr", IPFY_IPOPT_LSRR },
1628 { "mtup", IPFY_IPOPT_MTUP },
1629 { "mtur", IPFY_IPOPT_MTUR },
1630 { "nop", IPFY_IPOPT_NOP },
1631 { "nsapa", IPFY_IPOPT_NSAPA },
1632 { "rr", IPFY_IPOPT_RR },
1633 { "rtralrt", IPFY_IPOPT_RTRALRT },
1634 { "satid", IPFY_IPOPT_SATID },
1635 { "sdb", IPFY_IPOPT_SDB },
1636 { "sec", IPFY_IPOPT_SEC },
1637 { "ssrr", IPFY_IPOPT_SSRR },
1638 { "tr", IPFY_IPOPT_TR },
1639 { "ts", IPFY_IPOPT_TS },
1640 { "ump", IPFY_IPOPT_UMP },
1641 { "visa", IPFY_IPOPT_VISA },
1642 { "zsu", IPFY_IPOPT_ZSU },
/* IPv4 security-option classification level names -> tokens. */
1646 static struct wordtab ipv4secwords[9] = {
1647 { "confid", IPFY_SEC_CONF },
1648 { "reserv-1", IPFY_SEC_RSV1 },
1649 { "reserv-2", IPFY_SEC_RSV2 },
1650 { "reserv-3", IPFY_SEC_RSV3 },
1651 { "reserv-4", IPFY_SEC_RSV4 },
1652 { "secret", IPFY_SEC_SEC },
1653 { "topsecret", IPFY_SEC_TS },
1654 { "unclass", IPFY_SEC_UNC },
/* IPv6 extension-header names usable after "v6hdrs" -> tokens.  Note "esp"
 * and "frag" also exist in ipfwords with different tokens; which table is
 * active at the time decides the meaning. */
1658 static struct wordtab ipv6optwords[9] = {
1659 { "dstopts", IPFY_IPV6OPT_DSTOPTS },
1660 { "esp", IPFY_IPV6OPT_ESP },
1661 { "frag", IPFY_IPV6OPT_FRAG },
1662 { "hopopts", IPFY_IPV6OPT_HOPOPTS },
1663 { "ipv6", IPFY_IPV6OPT_IPV6 },
1664 { "mobility", IPFY_IPV6OPT_MOBILITY },
1665 { "none", IPFY_IPV6OPT_NONE },
1666 { "routing", IPFY_IPV6OPT_ROUTING },
/*
 * syslog facility and priority names, installed as the active dictionary by
 * setsyslog() while a "log level" clause is being parsed.  "auth" and
 * "security" here deliberately collide with ipfwords entries; the swap of
 * dictionaries is what disambiguates them.
 */
1670 static struct wordtab logwords[33] = {
1671 { "kern", IPFY_FAC_KERN },
1672 { "user", IPFY_FAC_USER },
1673 { "mail", IPFY_FAC_MAIL },
1674 { "daemon", IPFY_FAC_DAEMON },
1675 { "auth", IPFY_FAC_AUTH },
1676 { "syslog", IPFY_FAC_SYSLOG },
1677 { "lpr", IPFY_FAC_LPR },
1678 { "news", IPFY_FAC_NEWS },
1679 { "uucp", IPFY_FAC_UUCP },
1680 { "cron", IPFY_FAC_CRON },
1681 { "ftp", IPFY_FAC_FTP },
1682 { "authpriv", IPFY_FAC_AUTHPRIV },
1683 { "audit", IPFY_FAC_AUDIT },
1684 { "logalert", IPFY_FAC_LFMT },
1685 { "console", IPFY_FAC_CONSOLE },
1686 { "security", IPFY_FAC_SECURITY },
1687 { "local0", IPFY_FAC_LOCAL0 },
1688 { "local1", IPFY_FAC_LOCAL1 },
1689 { "local2", IPFY_FAC_LOCAL2 },
1690 { "local3", IPFY_FAC_LOCAL3 },
1691 { "local4", IPFY_FAC_LOCAL4 },
1692 { "local5", IPFY_FAC_LOCAL5 },
1693 { "local6", IPFY_FAC_LOCAL6 },
1694 { "local7", IPFY_FAC_LOCAL7 },
1695 { "emerg", IPFY_PRI_EMERG },
1696 { "alert", IPFY_PRI_ALERT },
1697 { "crit", IPFY_PRI_CRIT },
1698 { "err", IPFY_PRI_ERR },
1699 { "warn", IPFY_PRI_WARN },
1700 { "notice", IPFY_PRI_NOTICE },
1701 { "info", IPFY_PRI_INFO },
1702 { "debug", IPFY_PRI_DEBUG },
/*
 * Parse an entire rule file through ipf_parsesome() until it stops
 * returning 1.
 *
 * fd        - descriptor the rules are pushed to (passed through)
 * addfunc   - callback that installs each finished rule (passed through)
 * iocfuncs  - per-unit ioctl callback table (passed through)
 * filename  - "-" is special-cased (presumably stdin; that branch is not in
 *             this listing); anything else is fopen()ed read-only and a
 *             failure is reported on stderr with strerror text.
 *
 * YYDEBUG is read from the environment; what is done with it is not shown
 * here, but it presumably enables parser tracing, so it is operator-
 * controllable debug output rather than an input to rule semantics.
 * Much of the body (return value, close of fp) is omitted from this listing.
 */
1709 int ipf_parsefile(fd, addfunc, iocfuncs, filename)
1712 ioctlfunc_t *iocfuncs;
1721 s = getenv("YYDEBUG");
1727 if (strcmp(filename, "-")) {
1728 fp = fopen(filename, "r");
1730 fprintf(stderr, "fopen(%s) failed: %s\n", filename,
1737 while (ipf_parsesome(fd, addfunc, iocfuncs, fp) == 1)
/*
 * Parse one rule set from an already-open stream and record the callbacks
 * the rest of the file uses (ipfioctl[], ipfaddfunc are file-scope state).
 *
 * The ioctl table copy runs i = 0..IPL_LOGMAX inclusive into
 * ipfioctl[IPL_LOGSIZE]; this is only in bounds if IPL_LOGMAX < IPL_LOGSIZE
 * — assumed from the header, TODO confirm.
 *
 * NOTE(review): ungetc() returns the pushed-back character, or EOF on
 * failure, so "== 0" is true only when a NUL byte was pushed back; the
 * body of that branch is not in this listing, so confirm the intent
 * (end-of-input detection vs. error handling).
 */
1745 int ipf_parsesome(fd, addfunc, iocfuncs, fp)
1748 ioctlfunc_t *iocfuncs;
1755 for (i = 0; i <= IPL_LOGMAX; i++)
1756 ipfioctl[i] = iocfuncs[i];
1757 ipfaddfunc = addfunc;
1764 if (ungetc(i, fp) == 0)
1768 s = getenv("YYDEBUG");
/*
 * Allocate a fresh, zeroed frentry_t and append it to the list headed by
 * frtop (the loop walks to the current tail).  The new rule is then given
 * "unset" sentinels: fr_loglevel 0xffff, fr_isc (void *)-1, fr_logtag
 * FR_NOLOGTAG, and fr_type FR_T_NONE — the latter is what setipftype() and
 * dobpf() later test to decide whether the rule is still untyped.
 * The calloc() result check, if any, and the list-append are omitted from
 * this listing.
 */
1780 static void newrule()
1784 frn = (frentry_t *)calloc(1, sizeof(frentry_t));
1785 for (fr = frtop; fr != NULL && fr->fr_next != NULL; fr = fr->fr_next)
1793 fr->fr_loglevel = 0xffff;
1794 fr->fr_isc = (void *)-1;
1795 fr->fr_logtag = FR_NOLOGTAG;
1796 fr->fr_type = FR_T_NONE;
/*
 * Default every still-untyped rule in the current list (frc...) to the
 * native ipf match type: allocate its fripf_t match data, copy the IP
 * version from the list head, set the version mask, and mark both interface
 * indexes as unresolved (-1).  A rule that already has a non-ipf type is
 * reported as an error ("IPF Type not set").
 *
 * NOTE(review): the calloc() result is stored in fr_data and, three lines
 * later, fr->fr_ipf->fri_sifpidx is written with no NULL check in between;
 * if fr_ipf aliases fr_data (likely, but the union is not visible here) an
 * allocation failure becomes a NULL dereference rather than a clean error.
 */
1806 static void setipftype()
1808 for (fr = frc; fr != NULL; fr = fr->fr_next) {
1809 if (fr->fr_type == FR_T_NONE) {
1810 fr->fr_type = FR_T_IPF;
1811 fr->fr_data = (void *)calloc(sizeof(fripf_t), 1);
1812 fr->fr_dsize = sizeof(fripf_t);
1813 fr->fr_ip.fi_v = frc->fr_v;
1814 fr->fr_mip.fi_v = 0xf;
1815 fr->fr_ipf->fri_sifpidx = -1;
1816 fr->fr_ipf->fri_difpidx = -1;
1818 if (fr->fr_type != FR_T_IPF) {
1819 fprintf(stderr, "IPF Type not set\n");
/*
 * Clone the current rule list: walk to its tail (f2), then for "count"
 * entries append a calloc()ed copy of each source rule f1, byte-copied with
 * bcopy().  The rule's out-of-line data (fr_caddr, fr_dsize bytes) is deep-
 * copied so the clone does not share it with the original.  How count is
 * derived and what is returned are omitted from this listing.
 *
 * NOTE(review): neither the calloc() of the new list node nor the malloc()
 * for fr_caddr is checked before use in the lines shown; the bcopy() into
 * fr_caddr immediately follows the malloc(), so a failed allocation is a
 * NULL write rather than an error.
 */
1825 static frentry_t *addrule()
1827 frentry_t *f, *f1, *f2;
1830 for (f2 = frc; f2->fr_next != NULL; f2 = f2->fr_next)
1835 for (f1 = frc; count > 0; count--, f1 = f1->fr_next) {
1836 f->fr_next = (frentry_t *)calloc(sizeof(*f), 1);
1839 bcopy(f1, f, sizeof(*f));
1841 if (f->fr_caddr != NULL) {
1842 f->fr_caddr = malloc(f->fr_dsize);
1843 bcopy(f1->fr_caddr, f->fr_caddr, f->fr_dsize);
/*
 * Resolve a name from the rule text to an IPv4 address.  If the name equals
 * one of the four interface names already attached to the rule list head,
 * the address is marked dynamic (ifpflag = FRI_DYNAMIC) — i.e. bound to the
 * interface at run time rather than to a fixed address.  Otherwise gethost()
 * is consulted and a failure is reported on stderr.
 *
 * Because gethost() may involve name resolution, the rule produced depends
 * on the resolver state at load time; an address that cannot be resolved is
 * not silently accepted.  Return paths are omitted from this listing.
 */
1851 static u_32_t lookuphost(name)
1861 for (i = 0; i < 4; i++) {
1862 if (strncmp(name, frc->fr_ifnames[i],
1863 sizeof(frc->fr_ifnames[i])) == 0) {
1864 ifpflag = FRI_DYNAMIC;
1870 if (gethost(name, &addr) == -1) {
1871 fprintf(stderr, "unknown name \"%s\"\n", name);
/*
 * Attach a BPF program to every rule in the current list.  Rules that already
 * have a type are rejected ("cannot mix IPF and BPF matching"); otherwise the
 * type becomes FR_T_BPFOPC and the program comes from one of two forms:
 *
 *  - a phrase starting with "0x": raw opcodes, tokenised with strtok() and
 *    parsed with strtol(s, NULL, 0) four words per instruction into a growing
 *    fakebpf_t array; an incomplete final instruction is an error
 *    ("Odd number of bytes in BPF code");
 *  - otherwise a pcap filter expression compiled with pcap_compile() on a
 *    DLT_RAW dead handle, copied into fr_data, and checked with
 *    bpf_validate() before it is accepted.  Builds without pcap report
 *    "BPF filter expressions not supported".
 *
 * NOTE(review): in the raw-opcode path "fb = realloc(fb, ...)" overwrites the
 * only pointer to the buffer, so a failed realloc leaks it and the later
 * stores go through NULL; strtol() is called with no endptr/errno check, so
 * a non-numeric word silently becomes 0; and strtok() modifies phrase in
 * place.  In the pcap path the malloc() for fr_data is not checked before
 * bcopy().  The raw-opcode path has no equivalent of bpf_validate() in the
 * lines shown — confirm whether validation happens elsewhere before the
 * program reaches the kernel.
 */
1878 static void dobpf(v, phrase)
1883 struct bpf_program bpf;
1891 for (fr = frc; fr != NULL; fr = fr->fr_next) {
1892 if (fr->fr_type != FR_T_NONE) {
1893 fprintf(stderr, "cannot mix IPF and BPF matching\n");
1897 fr->fr_type = FR_T_BPFOPC;
1899 if (!strncmp(phrase, "0x", 2)) {
1900 fb = malloc(sizeof(fakebpf_t));
1902 for (i = 0, s = strtok(phrase, " \r\n\t"); s != NULL;
1903 s = strtok(NULL, " \r\n\t"), i++) {
1904 fb = realloc(fb, (i / 4 + 1) * sizeof(*fb));
1905 l = (u_32_t)strtol(s, NULL, 0);
1909 fb[i / 4].fb_c = l & 0xffff;
1912 fb[i / 4].fb_t = l & 0xff;
1915 fb[i / 4].fb_f = l & 0xff;
1924 "Odd number of bytes in BPF code\n");
1928 fr->fr_dsize = (i / 4 + 1) * sizeof(*fb);
1934 bzero((char *)&bpf, sizeof(bpf));
1935 p = pcap_open_dead(DLT_RAW, 1);
1937 fprintf(stderr, "pcap_open_dead failed\n");
1941 if (pcap_compile(p, &bpf, phrase, 1, 0xffffffff)) {
1942 pcap_perror(p, "ipf");
1944 fprintf(stderr, "pcap parsing failed (%s)\n", phrase);
1949 fr->fr_dsize = bpf.bf_len * sizeof(struct bpf_insn);
1950 fr->fr_data = malloc(fr->fr_dsize);
1951 bcopy((char *)bpf.bf_insns, fr->fr_data, fr->fr_dsize);
1952 if (!bpf_validate(fr->fr_data, bpf.bf_len)) {
1953 fprintf(stderr, "BPF validation failed\n");
1960 if (opts & OPT_DEBUG)
1963 fprintf(stderr, "BPF filter expressions not supported\n");
/* Reset the per-address parser state; only the signature is present in this
 * listing, so the fields it clears are not documented here. */
1969 static void resetaddr()
/*
 * Allocate a new address-list node (alist_t) to be chained onto ptr.  Only
 * the malloc() is visible here; the NULL check and the linking are omitted
 * from this listing.
 */
1977 static alist_t *newalist(ptr)
1982 al = malloc(sizeof(*al));
/*
 * Turn an alist_t chain into an anonymous ip_pool and load it into the
 * kernel through ipfioctl[IPL_LOGLOOKUP] via load_pool(); the pool is
 * created for unit IPL_LOGIPF.  Each list entry becomes one ip_pool_node_t
 * carrying address (al_1), mask (al_2) and the negation flag (al_not).
 * The temporary node chain is freed afterwards by the "while ((n = top)..."
 * loop.  The result handed back (presumably the pool number from load_pool)
 * and the NULL checks after each calloc() are omitted from this listing.
 */
1991 static int makepool(list)
1994 ip_pool_node_t *n, *top;
2001 top = calloc(1, sizeof(*top));
2005 for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) {
2006 n->ipn_addr.adf_addr.in4.s_addr = a->al_1;
2007 n->ipn_mask.adf_addr.in4.s_addr = a->al_2;
2008 n->ipn_info = a->al_not;
2009 if (a->al_next != NULL) {
2010 n->ipn_next = calloc(1, sizeof(*n));
2015 bzero((char *)&pool, sizeof(pool));
2016 pool.ipo_unit = IPL_LOGIPF;
2017 pool.ipo_list = top;
2018 num = load_pool(&pool, ipfioctl[IPL_LOGLOOKUP]);
2020 while ((n = top) != NULL) {
/*
 * Hash-table counterpart of makepool(): build an iphtent_t chain from the
 * alist_t entries (address al_1, mask al_2) and load it as an IPHASH_LOOKUP
 * table for unit IPL_LOGIPF via load_hash().  The table name is cleared
 * before the call; on success the name written back is parsed with sscanf()
 * as the numeric table id.  The node chain is freed at the end.
 *
 * NOTE(review): the sscanf() return value is not checked, so if load_hash()
 * succeeds but iph_name is not a decimal number, num keeps whatever value it
 * had from the initialisation that is not in this listing — confirm.
 */
2028 static u_int makehash(list)
2038 top = calloc(1, sizeof(*top));
2042 for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) {
2043 n->ipe_addr.in4_addr = a->al_1;
2044 n->ipe_mask.in4_addr = a->al_2;
2046 if (a->al_next != NULL) {
2047 n->ipe_next = calloc(1, sizeof(*n));
2052 bzero((char *)&iph, sizeof(iph));
2053 iph.iph_unit = IPL_LOGIPF;
2054 iph.iph_type = IPHASH_LOOKUP;
2055 *iph.iph_name = '\0';
2057 if (load_hash(&iph, top, ipfioctl[IPL_LOGLOOKUP]) == 0)
2058 sscanf(iph.iph_name, "%u", &num);
2062 while ((n = top) != NULL) {
/*
 * Push one finished rule (ptr, used as fr) to the kernel through ioctlfunc.
 * The rule is wrapped in an ipfobj_t tagged with IPFILTER_VERSION,
 * sizeof(*fr) and IPFOBJ_FRENTRY so the kernel can reject a mismatched
 * userland.  The ioctl chosen depends on opts: OPT_ZERORULEST zeroes and
 * prints counters, OPT_INACTIVE selects the inactive rule set, and fr_hits
 * being non-zero turns an append into an insert (SIOCIN*FR).  OPT_OUTQUE
 * forces FR_OUTQUE, OPT_VERBOSE prints the rule, OPT_DEBUG dumps it in
 * binary, OPT_REMOVE deletes instead of adding.  Which add/del values the
 * non-INACTIVE branch uses is partly omitted from this listing.
 *
 * NOTE(review): the three ioctl failure paths disagree on when to report.
 * The zero-counters and add/insert paths print only when OPT_DONOTHING is
 * clear, but the delete path tests "(opts & OPT_DONOTHING) != 0", i.e. it
 * reports only in do-nothing mode and is silent on a real failed removal.
 * That looks inverted relative to its siblings; a rule that fails to be
 * removed would then go unreported, which matters for anyone relying on the
 * tool's exit output to confirm a policy change.
 */
2070 void ipf_addrule(fd, ioctlfunc, ptr)
2072 ioctlfunc_t ioctlfunc;
2075 ioctlcmd_t add, del;
2086 bzero((char *)&obj, sizeof(obj));
2087 obj.ipfo_rev = IPFILTER_VERSION;
2088 obj.ipfo_size = sizeof(*fr);
2089 obj.ipfo_type = IPFOBJ_FRENTRY;
2092 if ((opts & OPT_DONOTHING) != 0)
2095 if (opts & OPT_ZERORULEST) {
2097 } else if (opts & OPT_INACTIVE) {
2098 add = (u_int)fr->fr_hits ? SIOCINIFR :
2102 add = (u_int)fr->fr_hits ? SIOCINAFR :
2107 if ((opts & OPT_OUTQUE) != 0)
2108 fr->fr_flags |= FR_OUTQUE;
2111 if ((opts & OPT_VERBOSE) != 0)
2112 printfr(fr, ioctlfunc);
2114 if ((opts & OPT_DEBUG) != 0) {
2115 binprint(fr, sizeof(*fr));
2116 if (fr->fr_data != NULL)
2117 binprint(fr->fr_data, fr->fr_dsize);
2120 if ((opts & OPT_ZERORULEST) != 0) {
2121 if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
2122 if ((opts & OPT_DONOTHING) == 0) {
2123 fprintf(stderr, "%d:", yylineNum);
2124 perror("ioctl(SIOCZRLST)");
2128 printf("hits %qd bytes %qd ",
2129 (long long)fr->fr_hits,
2130 (long long)fr->fr_bytes);
2132 printf("hits %ld bytes %ld ",
2133 fr->fr_hits, fr->fr_bytes);
2135 printfr(fr, ioctlfunc);
2137 } else if ((opts & OPT_REMOVE) != 0) {
/* NOTE(review): sense of this test differs from the two sibling paths
 * (== 0 / !(...)); see the block comment above. */
2138 if ((*ioctlfunc)(fd, del, (void *)&obj) == -1) {
2139 if ((opts & OPT_DONOTHING) != 0) {
2140 fprintf(stderr, "%d:", yylineNum);
2141 perror("ioctl(delete rule)");
2145 if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
2146 if (!(opts & OPT_DONOTHING)) {
2147 fprintf(stderr, "%d:", yylineNum);
2148 perror("ioctl(add/insert rule)");
/*
 * Switch the lexer's keyword dictionary to logwords so that syslog facility
 * and priority names (including "auth"/"security", which also exist as rule
 * keywords) are tokenised as log levels.  Paired with unsetsyslog().
 */
2154 static void setsyslog()
2156 yysetdict(logwords);
/* Undo setsyslog(); only the signature is present in this listing. */
2161 static void unsetsyslog()
2168 static void fillgroup(fr)
2173 for (f = frold; f != NULL; f = f->fr_next)
2174 if (strncmp(f->fr_grhead, fr->fr_group, FR_GROUPLEN) == 0)
2180 * Only copy down matching fields if the rules are of the same type
2181 * and are of ipf type. The only fields that are copied are those
2182 * that impact the rule parsing itself, eg. need for knowing what the
2183 * protocol should be for rules with port comparisons in them.
2185 if (f->fr_type != fr->fr_type || f->fr_type != FR_T_IPF)
2188 if (fr->fr_v == 0 && f->fr_v != 0)
2191 if (fr->fr_mproto == 0 && f->fr_mproto != 0)
2192 fr->fr_mproto = f->fr_mproto;
2193 if (fr->fr_proto == 0 && f->fr_proto != 0)
2194 fr->fr_proto = f->fr_proto;
2196 if ((fr->fr_mproto == 0) && ((fr->fr_flx & FI_TCPUDP) == 0) &&
2197 ((f->fr_flx & FI_TCPUDP) != 0))
2198 fr->fr_flx |= FI_TCPUDP;