4 * Copyright (C) 2001-2006 by Darren Reed.
6 * See the IPFILTER.LICENCE file for details on licencing.
10 #include <sys/ioctl.h>
15 #include "netinet/ip_pool.h"
16 #include "netinet/ip_htable.h"
17 #include "netinet/ipl.h"
/*
 * Run the statement(s) given as x once for every rule in a chain of
 * frentry_t, using the file-scope `fr` as the loop variable (so x may
 * refer to fr directly).  DOALL restarts at frc, the first rule of the
 * current set; DOREM continues from wherever fr already points.
 * NOTE(review): x is pasted in as the loop body, so a `break` inside it
 * leaves this loop, not any enclosing construct.
 */
21 #define DOALL(x) for (fr = frc; fr != NULL; fr = fr->fr_next) { x }
22 #define DOREM(x) for (; fr != NULL; fr = fr->fr_next) { x }
/*
 * Parser/lexer entry points referenced from the actions below.  They are
 * only declared here; __P() wraps the parameter list so the prototypes
 * also compile on pre-ANSI compilers.
 */
24 extern void yyerror __P((char *));
25 extern int yyparse __P((void));
26 extern int yylex __P((void));
/*
 * Forward declarations for the file-local helpers.  Being static, they
 * must be defined in this translation unit (further down, outside this
 * excerpt).  Where a helper is called from the grammar actions in this
 * excerpt, its use is noted.
 */
31 static void newrule __P((void));
32 static void setipftype __P((void));	/* called at the start of tos/ttl/proto/from/with/icmp-type clauses */
33 static u_32_t lookuphost __P((char *));	/* resolves a YY_STR host name to an s_addr value */
34 static void dobpf __P((int, char *));	/* first argument is the IP version (4 or 6), second the bpf text */
35 static void resetaddr __P((void));
36 static struct alist_s *newalist __P((struct alist_s *));	/* allocates a list node linked to the given list (NULL starts a new one) */
37 static u_int makehash __P((struct alist_s *));	/* turns an inline address list into a hash table; returns its number */
38 static int makepool __P((struct alist_s *));	/* turns an inline address list into a pool; returns its number */
39 static frentry_t *addrule __P((void));
40 static void setsyslog __P((void));	/* entered via the "level" keyword */
41 static void unsetsyslog __P((void));	/* left once the facility/priority has been parsed */
42 static void fillgroup __P((frentry_t *));
/*
 * Parser state shared by the grammar actions.  fr is the rule currently
 * being filled in (and the loop variable of DOALL/DOREM), frc the first
 * rule of the current set, frtop the head of the list handed to
 * ipfaddfunc once a complete line has been parsed.  frold is not used in
 * this excerpt.
 */
44 frentry_t *fr = NULL, *frc = NULL, *frtop = NULL, *frold = NULL;
46 static int ifpflag = 0;	/* FRI_* value copied into fr_satype/fr_datype when the address is dynamic */
47 static int nowith = 0;	/* 1 after "not"/"no" inside a with-list; cleared after each with option */
48 static int dynamic = -1;	/* -1 for a literal address; otherwise stored in fri_sifpidx/fri_difpidx */
49 static int pooled = 0;	/* current address operand refers to a pool (forces FRI_LOOKUP) */
50 static int hashed = 0;	/* current address operand refers to a hash table (forces FRI_LOOKUP) */
51 static int nrules = 0;	/* running rule count; lend adds the rules a parenthesised list expanded into */
52 static int newlist = 0;	/* set by lstart while a parenthesised list is being parsed */
54 static int ipffd = -1;	/* descriptor passed through to ipfaddfunc */
55 static int *yycont = 0;	/* points at yyexpectaddr while an address is expected, NULL otherwise */
56 static ioctlfunc_t ipfioctl[IPL_LOGSIZE];	/* per-device ioctl callbacks; ipfioctl[IPL_LOGIPF] is used here */
57 static addfunc_t ipfaddfunc = NULL;	/* receives each finished rule (see the "line" rule) */
/*
 * Keyword tables selected with yysetdict() as the parser moves between
 * contexts.  ipfwords is initialised near the end of this file; the
 * remaining tables are initialised outside this excerpt.
 */
58 static struct wordtab ipfwords[95];
59 static struct wordtab addrwords[4];
60 static struct wordtab maskwords[5];
61 static struct wordtab icmpcodewords[17];
62 static struct wordtab icmptypewords[16];
63 static struct wordtab ipv4optwords[25];
64 static struct wordtab ipv4secwords[9];
65 static struct wordtab ipv6optwords[9];
66 static struct wordtab logwords[33];
75 struct alist_s *alist;
94 %type <num> facility priority icmpcode seclevel secname icmptype
95 %type <num> opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr
96 %type <num> portc porteq
97 %type <ipa> hostname ipv4 ipv4mask ipv4_16 ipv4_24
99 %type <ipp> addr ipaddr
100 %type <str> servicename name interfacename
101 %type <pc> portrange portcomp
102 %type <alist> addrlist poollist
105 %token <num> YY_NUMBER YY_HEX
108 %token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
109 %token YY_RANGE_OUT YY_RANGE_IN
112 %token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL IPFY_NOMATCH
113 %token IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST
114 %token IPFY_IN IPFY_OUT
115 %token IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA
116 %token IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO IPFY_ROUTETO
117 %token IPFY_TOS IPFY_TTL IPFY_PROTO
118 %token IPFY_HEAD IPFY_GROUP
119 %token IPFY_AUTH IPFY_PREAUTH
120 %token IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK
121 %token IPFY_LOGTAG IPFY_MATCHTAG IPFY_SETTAG IPFY_SKIP
122 %token IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPFV4 IPFY_BPFV6 IPFY_POOL IPFY_HASH
124 %token IPFY_ESP IPFY_AH
125 %token IPFY_WITH IPFY_AND IPFY_NOT IPFY_NO IPFY_OPT
126 %token IPFY_TCPUDP IPFY_TCP IPFY_UDP
127 %token IPFY_FLAGS IPFY_MULTICAST
128 %token IPFY_MASK IPFY_BROADCAST IPFY_NETWORK IPFY_NETMASKED IPFY_PEER
131 %token IPFY_ICMP IPFY_ICMPTYPE IPFY_ICMPCODE
132 %token IPFY_IPOPTS IPFY_SHORT IPFY_NAT IPFY_BADSRC IPFY_LOWTTL IPFY_FRAG
133 %token IPFY_MBCAST IPFY_BAD IPFY_BADNAT IPFY_OOW IPFY_NEWISN IPFY_NOICMPERR
134 %token IPFY_KEEP IPFY_STATE IPFY_FRAGS IPFY_LIMIT IPFY_STRICT IPFY_AGE
135 %token IPFY_SYNC IPFY_FRAGBODY
136 %token IPFY_IPOPT_NOP IPFY_IPOPT_RR IPFY_IPOPT_ZSU IPFY_IPOPT_MTUP
137 %token IPFY_IPOPT_MTUR IPFY_IPOPT_ENCODE IPFY_IPOPT_TS IPFY_IPOPT_TR
138 %token IPFY_IPOPT_SEC IPFY_IPOPT_LSRR IPFY_IPOPT_ESEC IPFY_IPOPT_CIPSO
139 %token IPFY_IPOPT_SATID IPFY_IPOPT_SSRR IPFY_IPOPT_ADDEXT IPFY_IPOPT_VISA
140 %token IPFY_IPOPT_IMITD IPFY_IPOPT_EIP IPFY_IPOPT_FINN IPFY_IPOPT_DPS
141 %token IPFY_IPOPT_SDB IPFY_IPOPT_NSAPA IPFY_IPOPT_RTRALRT IPFY_IPOPT_UMP
142 %token IPFY_SECCLASS IPFY_SEC_UNC IPFY_SEC_CONF IPFY_SEC_RSV1 IPFY_SEC_RSV2
143 %token IPFY_SEC_RSV4 IPFY_SEC_SEC IPFY_SEC_TS IPFY_SEC_RSV3
145 %token IPF6_V6HDRS IPFY_IPV6OPT IPFY_IPV6OPT_DSTOPTS IPFY_IPV6OPT_HOPOPTS
146 %token IPFY_IPV6OPT_IPV6 IPFY_IPV6OPT_NONE IPFY_IPV6OPT_ROUTING
147 %token IPFY_IPV6OPT_MOBILITY IPFY_IPV6OPT_ESP IPFY_IPV6OPT_FRAG
149 %token IPFY_ICMPT_UNR IPFY_ICMPT_ECHO IPFY_ICMPT_ECHOR IPFY_ICMPT_SQUENCH
150 %token IPFY_ICMPT_REDIR IPFY_ICMPT_TIMEX IPFY_ICMPT_PARAMP IPFY_ICMPT_TIMEST
151 %token IPFY_ICMPT_TIMESTREP IPFY_ICMPT_INFOREQ IPFY_ICMPT_INFOREP
152 %token IPFY_ICMPT_MASKREQ IPFY_ICMPT_MASKREP IPFY_ICMPT_ROUTERAD
153 %token IPFY_ICMPT_ROUTERSOL
155 %token IPFY_ICMPC_NETUNR IPFY_ICMPC_HSTUNR IPFY_ICMPC_PROUNR IPFY_ICMPC_PORUNR
156 %token IPFY_ICMPC_NEEDF IPFY_ICMPC_SRCFAIL IPFY_ICMPC_NETUNK IPFY_ICMPC_HSTUNK
157 %token IPFY_ICMPC_ISOLATE IPFY_ICMPC_NETPRO IPFY_ICMPC_HSTPRO
158 %token IPFY_ICMPC_NETTOS IPFY_ICMPC_HSTTOS IPFY_ICMPC_FLTPRO IPFY_ICMPC_HSTPRE
159 %token IPFY_ICMPC_CUTPRE
161 %token IPFY_FAC_KERN IPFY_FAC_USER IPFY_FAC_MAIL IPFY_FAC_DAEMON IPFY_FAC_AUTH
162 %token IPFY_FAC_SYSLOG IPFY_FAC_LPR IPFY_FAC_NEWS IPFY_FAC_UUCP IPFY_FAC_CRON
163 %token IPFY_FAC_LOCAL0 IPFY_FAC_LOCAL1 IPFY_FAC_LOCAL2 IPFY_FAC_LOCAL3
164 %token IPFY_FAC_LOCAL4 IPFY_FAC_LOCAL5 IPFY_FAC_LOCAL6 IPFY_FAC_LOCAL7
165 %token IPFY_FAC_SECURITY IPFY_FAC_FTP IPFY_FAC_AUTHPRIV IPFY_FAC_AUDIT
166 %token IPFY_FAC_LFMT IPFY_FAC_CONSOLE
168 %token IPFY_PRI_EMERG IPFY_PRI_ALERT IPFY_PRI_CRIT IPFY_PRI_ERR IPFY_PRI_WARN
169 %token IPFY_PRI_NOTICE IPFY_PRI_INFO IPFY_PRI_DEBUG
177 line: rule { while ((fr = frtop) != NULL) {
180 (*ipfaddfunc)(ipffd, ipfioctl[IPL_LOGIPF], fr);
192 assign: YY_STR assigning YY_STR ';' { set_variable($1, $3);
201 '=' { yyvarnext = 1; }
212 rulehead markin inopts rulemain ruletail intag ruletail2
216 rulehead markout outopts rulemain ruletail outtag ruletail2
221 | xx insert collection action
224 markin: IPFY_IN { fr->fr_flags |= FR_INQUE; }
228 IPFY_OUT { fr->fr_flags |= FR_OUTQUE; }
241 IPFY_BPFV4 '{' YY_STR '}' { dobpf(4, $3); free($3); }
242 | IPFY_BPFV6 '{' YY_STR '}' { dobpf(6, $3); free($3); }
253 intag: settagin matchtagin
256 outtag: settagout matchtagout
260 '@' YY_NUMBER { fr->fr_hits = (U_QUAD_T)$2 + 1; }
264 | YY_NUMBER { fr->fr_collect = $1; }
268 | IPFY_PASS { fr->fr_flags |= FR_PASS; }
269 | IPFY_NOMATCH { fr->fr_flags |= FR_NOMATCH; }
271 | IPFY_COUNT { fr->fr_flags |= FR_ACCOUNT; }
273 | IPFY_SKIP YY_NUMBER { fr->fr_flags |= FR_SKIP;
276 | IPFY_CALL IPFY_NOW func { fr->fr_flags |= FR_CALLNOW; }
280 | blocked blockreturn
284 IPFY_BLOCK { fr->fr_flags = FR_BLOCK; }
287 IPFY_RETICMP { fr->fr_flags |= FR_RETICMP; }
288 | IPFY_RETICMP returncode { fr->fr_flags |= FR_RETICMP; }
289 | IPFY_RETICMPASDST { fr->fr_flags |= FR_FAKEICMP; }
290 | IPFY_RETICMPASDST returncode { fr->fr_flags |= FR_FAKEICMP; }
291 | IPFY_RETRST { fr->fr_flags |= FR_RETRST; }
294 log: IPFY_LOG { fr->fr_flags |= FR_LOG; }
295 | IPFY_LOG logoptions { fr->fr_flags |= FR_LOG; }
298 auth: IPFY_AUTH { fr->fr_flags |= FR_AUTH; }
299 | IPFY_AUTH blockreturn { fr->fr_flags |= FR_AUTH;}
300 | IPFY_PREAUTH { fr->fr_flags |= FR_PREAUTH; }
303 func: YY_STR '/' YY_NUMBER { fr->fr_func = nametokva($1,
304 ipfioctl[IPL_LOGIPF]);
336 tos: | settos YY_NUMBER { DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
337 | settos YY_HEX { DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
338 | settos lstart toslist lend
341 settos: IPFY_TOS { setipftype(); }
345 YY_NUMBER { DOALL(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
346 | YY_HEX { DOREM(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
347 | toslist lmore YY_NUMBER
348 { DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
349 | toslist lmore YY_HEX
350 { DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
353 ttl: | setttl YY_NUMBER
354 { DOALL(fr->fr_ttl = $2; fr->fr_mttl = 0xff;) }
355 | setttl lstart ttllist lend
358 lstart: '(' { newlist = 1; fr = frc; added = 0; }
361 lend: ')' { nrules += added; }
364 lmore: lanother { if (newlist == 1) {
377 setttl: IPFY_TTL { setipftype(); }
381 YY_NUMBER { DOREM(fr->fr_ttl = $1; fr->fr_mttl = 0xff;) }
382 | ttllist lmore YY_NUMBER
383 { DOREM(fr->fr_ttl = $3; fr->fr_mttl = 0xff;) }
386 proto: | protox protocol { yyresetdict(); }
389 protox: IPFY_PROTO { setipftype();
394 ip: srcdst flags icmp
397 group: | IPFY_GROUP YY_STR { DOALL(strncpy(fr->fr_group, $2, \
401 | IPFY_GROUP YY_NUMBER { DOALL(sprintf(fr->fr_group, "%d", \
406 head: | IPFY_HEAD YY_STR { DOALL(strncpy(fr->fr_grhead, $2, \
409 | IPFY_HEAD YY_NUMBER { DOALL(sprintf(fr->fr_grhead, "%d", \
414 | IPFY_SETTAG '(' taginlist ')'
419 | taginlist ',' taginspec
426 nattag: IPFY_NAT '=' YY_STR { DOALL(strncpy(fr->fr_nattag.ipt_tag,\
429 | IPFY_NAT '=' YY_NUMBER { DOALL(sprintf(fr->fr_nattag.ipt_tag,\
430 "%d", $3 & 0xffffffff);) }
433 logtag: IPFY_LOG '=' YY_NUMBER { DOALL(fr->fr_logtag = $3;) }
437 | IPFY_SETTAG '(' tagoutlist ')'
442 | tagoutlist ',' tagoutspec
451 | IPFY_MATCHTAG '(' tagoutlist ')'
455 | IPFY_MATCHTAG '(' taginlist ')'
458 pps: | IPFY_PPS YY_NUMBER { DOALL(fr->fr_pps = $2;) }
461 new: | savegroup file restoregroup
476 IPFY_QUICK { fr->fr_flags |= FR_QUICK; }
480 | IPFY_ON lstart onlist lend
481 | IPFY_ON onname IPFY_INVIA vianame
482 | IPFY_ON onname IPFY_OUTVIA vianame
485 onlist: onname { DOREM(strncpy(fr->fr_ifnames[0], $1.if1, \
486 sizeof(fr->fr_ifnames[0])); \
487 if ($1.if2 != NULL) { \
488 strncpy(fr->fr_ifnames[1], \
490 sizeof(fr->fr_ifnames[1]));\
493 | onlist lmore onname { DOREM(strncpy(fr->fr_ifnames[0], $3.if1, \
494 sizeof(fr->fr_ifnames[0])); \
495 if ($3.if2 != NULL) { \
496 strncpy(fr->fr_ifnames[1], \
498 sizeof(fr->fr_ifnames[1]));\
/*
 * onname: one interface name, or a pair "a,b".  The names are copied into
 * fr_ifnames and the semantic value carries pointers to those copies.
 * NOTE(review): strncpy() with sizeof(dst) leaves the array without a NUL
 * terminator when the name fills it completely, and nothing in this
 * excerpt terminates it afterwards — confirm that fr_ifnames is zeroed
 * beforehand and that consumers bound the name, or reject names of
 * sizeof(fr_ifnames[0]) bytes or longer.
 */
503 onname: interfacename
504 { strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
505 $$.if1 = fr->fr_ifnames[0];
509 | interfacename ',' interfacename
510 { strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
511 $$.if1 = fr->fr_ifnames[0];
513 strncpy(fr->fr_ifnames[1], $3, sizeof(fr->fr_ifnames[1]));
/* NOTE(review): this overwrites the if1 member set three lines up, so
 * the first name is lost and if2 is never set.  The onlist rule tests
 * if2 != NULL to decide whether a second interface was given, so this
 * looks like it should assign if2 — confirm before changing. */
514 $$.if1 = fr->fr_ifnames[1];
521 { strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
525 { strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
527 strncpy(fr->fr_ifnames[3], $3, sizeof(fr->fr_ifnames[3]));
533 { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
536 | IPFY_DUPTO name duptoseparator hostname
537 { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
538 fr->fr_dif.fd_ip = $4;
542 | IPFY_DUPTO name duptoseparator YY_IPV6
543 { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
544 bcopy(&$4, &fr->fr_dif.fd_ip6, sizeof(fr->fr_dif.fd_ip6));
551 ':' { yyexpectaddr = 1; yycont = &yyexpectaddr; resetaddr(); }
554 froute: IPFY_FROUTE { fr->fr_flags |= FR_FASTROUTE; }
558 { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
561 | routeto name duptoseparator hostname
562 { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
563 fr->fr_tif.fd_ip = $4;
567 | routeto name duptoseparator YY_IPV6
568 { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
569 bcopy(&$4, &fr->fr_tif.fd_ip6, sizeof(fr->fr_tif.fd_ip6));
582 { strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
585 | IPFY_REPLY_TO name duptoseparator hostname
586 { strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
587 fr->fr_rif.fd_ip = $4;
594 | logoptions logoption
598 IPFY_BODY { fr->fr_flags |= FR_LOGBODY; }
599 | IPFY_FIRST { fr->fr_flags |= FR_LOGFIRST; }
600 | IPFY_ORBLOCK { fr->fr_flags |= FR_LOGORBLOCK; }
601 | level loglevel { unsetsyslog(); }
605 starticmpcode icmpcode ')' { fr->fr_icode = $2; yyresetdict(); }
609 '(' { yysetdict(icmpcodewords); }
617 YY_NUMBER { DOREM(fr->fr_proto = $1; \
618 fr->fr_mproto = 0xff;) }
619 | YY_STR { if (!strcmp($1, "tcp-udp")) {
620 DOREM(fr->fr_flx |= FI_TCPUDP; \
621 fr->fr_mflx |= FI_TCPUDP;)
623 int p = getproto($1);
625 yyerror("protocol unknown");
626 DOREM(fr->fr_proto = p; \
627 fr->fr_mproto = 0xff;)
631 | YY_STR nextstring YY_STR
632 { if (!strcmp($1, "tcp") &&
633 !strcmp($3, "udp")) {
634 DOREM(fr->fr_flx |= FI_TCPUDP; \
635 fr->fr_mflx |= FI_TCPUDP;)
644 '/' { yysetdict(NULL); }
647 fromto: from srcobject to dstobject { yyexpectaddr = 0; yycont = NULL; }
648 | to dstobject { yyexpectaddr = 0; yycont = NULL; }
649 | from srcobject { yyexpectaddr = 0; yycont = NULL; }
652 from: IPFY_FROM { setipftype();
657 printf("set yyexpectaddr\n");
658 yycont = &yyexpectaddr;
659 yysetdict(addrwords);
663 to: IPFY_TO { if (fr == NULL)
667 printf("set yyexpectaddr\n");
668 yycont = &yyexpectaddr;
669 yysetdict(addrwords);
673 with: | andwith withlist
677 IPFY_WITH { nowith = 0; setipftype(); }
678 | IPFY_AND { nowith = 0; setipftype(); }
681 flags: | startflags flagset
682 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
683 | startflags flagset '/' flagset
684 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
685 | startflags '/' flagset
686 { DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
687 | startflags YY_NUMBER
688 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
689 | startflags '/' YY_NUMBER
690 { DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
691 | startflags YY_NUMBER '/' YY_NUMBER
692 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
693 | startflags flagset '/' YY_NUMBER
694 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
695 | startflags YY_NUMBER '/' flagset
696 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
700 IPFY_FLAGS { if (frc->fr_type != FR_T_IPF)
701 yyerror("flags with non-ipf type rule");
702 if (frc->fr_proto != IPPROTO_TCP)
703 yyerror("flags with non-TCP rule");
708 YY_STR { $$ = tcpflags($1); free($1); }
709 | YY_HEX { $$ = $1; }
713 { yyresetdict(); } fromport
715 | '!' srcaddr srcport
716 { DOALL(fr->fr_flags |= FR_NOTSRCIP;) }
720 addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \
721 bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \
722 if (dynamic != -1) { \
723 fr->fr_satype = ifpflag; \
724 fr->fr_ipf->fri_sifpidx = dynamic; \
725 } else if (pooled || hashed) \
726 fr->fr_satype = FRI_LOOKUP;)
728 | lstart srcaddrlist lend
732 addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \
733 bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \
734 if (dynamic != -1) { \
735 fr->fr_satype = ifpflag; \
736 fr->fr_ipf->fri_sifpidx = dynamic; \
737 } else if (pooled || hashed) \
738 fr->fr_satype = FRI_LOOKUP;)
740 | srcaddrlist lmore addr
741 { DOREM(bcopy(&($3.a), &fr->fr_ip.fi_src, sizeof($3.a)); \
742 bcopy(&($3.m), &fr->fr_mip.fi_src, sizeof($3.m)); \
743 if (dynamic != -1) { \
744 fr->fr_satype = ifpflag; \
745 fr->fr_ipf->fri_sifpidx = dynamic; \
746 } else if (pooled || hashed) \
747 fr->fr_satype = FRI_LOOKUP;)
753 { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
755 { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
756 fr->fr_stop = $1.p2;) }
757 | porteq lstart srcportlist lend
763 { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
765 { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
766 fr->fr_stop = $1.p2;) }
767 | porteq lstart srcportlist lend
772 portnum { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $1;) }
773 | portnum ':' portnum
774 { DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $1; \
776 | portnum YY_RANGE_IN portnum
777 { DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $1; \
779 | srcportlist lmore portnum
780 { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $3;) }
781 | srcportlist lmore portnum ':' portnum
782 { DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $3; \
784 | srcportlist lmore portnum YY_RANGE_IN portnum
785 { DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $3; \
790 { yyresetdict(); } toport
792 | '!' dstaddr dstport
793 { DOALL(fr->fr_flags |= FR_NOTDSTIP;) }
797 addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
798 bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \
799 if (dynamic != -1) { \
800 fr->fr_datype = ifpflag; \
801 fr->fr_ipf->fri_difpidx = dynamic; \
802 } else if (pooled || hashed) \
803 fr->fr_datype = FRI_LOOKUP;)
805 | lstart dstaddrlist lend
809 addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
810 bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \
811 if (dynamic != -1) { \
812 fr->fr_datype = ifpflag; \
813 fr->fr_ipf->fri_difpidx = dynamic; \
814 } else if (pooled || hashed) \
815 fr->fr_datype = FRI_LOOKUP;)
817 | dstaddrlist lmore addr
818 { DOREM(bcopy(&($3.a), &fr->fr_ip.fi_dst, sizeof($3.a)); \
819 bcopy(&($3.m), &fr->fr_mip.fi_dst, sizeof($3.m)); \
820 if (dynamic != -1) { \
821 fr->fr_datype = ifpflag; \
822 fr->fr_ipf->fri_difpidx = dynamic; \
823 } else if (pooled || hashed) \
824 fr->fr_datype = FRI_LOOKUP;)
831 { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
833 { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
834 fr->fr_dtop = $1.p2;) }
835 | porteq lstart dstportlist lend
841 { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
843 { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
844 fr->fr_dtop = $1.p2;) }
845 | porteq lstart dstportlist lend
850 portnum { DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $1;) }
851 | portnum ':' portnum
852 { DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $1; \
854 | portnum YY_RANGE_IN portnum
855 { DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $1; \
857 | dstportlist lmore portnum
858 { DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $3;) }
859 | dstportlist lmore portnum ':' portnum
860 { DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $3; \
862 | dstportlist lmore portnum YY_RANGE_IN portnum
863 { DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $3; \
/*
 * addr: an address operand.  Either a lookup reference — a pool or hash
 * table named by number or by name, or an inline list that makepool()/
 * makehash() turns into one — or a literal ipaddr.  The pooled/hashed
 * flags are read later by the srcaddr/dstaddr actions, which then set
 * fr_satype/fr_datype to FRI_LOOKUP.
 * NOTE(review): the strncpy() into iplookupname is not guaranteed to
 * NUL-terminate when the name fills the field — confirm that the
 * semantic value is zeroed first or that the kernel side bounds the name.
 */
867 addr: pool '/' YY_NUMBER { pooled = 1;
868 $$.a.iplookuptype = IPLT_POOL;
869 $$.a.iplookupsubtype = 0;
870 $$.a.iplookupnum = $3; }
871 | pool '/' YY_STR { pooled = 1;
872 $$.a.iplookuptype = IPLT_POOL;
873 $$.a.iplookupsubtype = 1;
874 strncpy($$.a.iplookupname, $3,
875 sizeof($$.a.iplookupname));
877 | pool '=' '(' poollist ')' { pooled = 1;
878 $$.a.iplookuptype = IPLT_POOL;
879 $$.a.iplookupsubtype = 0;
880 $$.a.iplookupnum = makepool($4); }
881 | hash '/' YY_NUMBER { hashed = 1;
882 $$.a.iplookuptype = IPLT_HASH;
883 $$.a.iplookupsubtype = 0;
884 $$.a.iplookupnum = $3; }
885 | hash '/' YY_STR { pooled = 1;
/* NOTE(review): the other two hash alternatives set hashed = 1; pooled
 * here looks like a copy-paste slip.  It is harmless while the flags are
 * only tested as (pooled || hashed), but confirm and use hashed = 1 for
 * consistency. */
886 $$.a.iplookuptype = IPLT_HASH;
887 $$.a.iplookupsubtype = 1;
888 strncpy($$.a.iplookupname, $3,
889 sizeof($$.a.iplookupname));
891 | hash '=' '(' addrlist ')' { hashed = 1;
892 $$.a.iplookuptype = IPLT_HASH;
893 $$.a.iplookupsubtype = 0;
894 $$.a.iplookupnum = makehash($4); }
895 | ipaddr { bcopy(&$1, &$$, sizeof($$));
899 ipaddr: IPFY_ANY { bzero(&($$), sizeof($$));
902 | hostname { $$.a.in4 = $1;
903 $$.m.in4_addr = 0xffffffff;
905 | hostname { yyresetdict();
906 $$.a.in4_addr = $1.s_addr; }
907 maskspace { yysetdict(maskwords); }
908 ipv4mask { $$.m.in4_addr = $5.s_addr;
909 $$.a.in4_addr &= $5.s_addr;
912 | YY_IPV6 { bcopy(&$1, &$$.a, sizeof($$.a));
913 fill6bits(128, (u_32_t *)&$$.m);
916 | YY_IPV6 { yyresetdict();
917 bcopy(&$1, &$$.a, sizeof($$.a)); }
918 maskspace { yysetdict(maskwords); }
919 ipv6mask { bcopy(&$5, &$$.m, sizeof($$.m));
930 | YY_HEX { $$.s_addr = htonl($1); }
931 | YY_NUMBER { ntomask(4, $1, (u_32_t *)&$$); }
932 | IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) {
934 ifpflag = FRI_BROADCAST;
938 | IPFY_NETWORK { if (ifpflag == FRI_DYNAMIC) {
940 ifpflag = FRI_NETWORK;
944 | IPFY_NETMASKED { if (ifpflag == FRI_DYNAMIC) {
946 ifpflag = FRI_NETMASKED;
950 | IPFY_PEER { if (ifpflag == FRI_DYNAMIC) {
952 ifpflag = FRI_PEERADDR;
/*
 * IPv6 mask alternatives: a prefix length, or one of the dynamic-interface
 * keywords, which are only accepted when the address was flagged
 * FRI_DYNAMIC (the mask is then zeroed and the keyword is recorded in
 * ifpflag, which the srcaddr/dstaddr actions copy into fr_satype/fr_datype).
 * NOTE(review): the IPv4 counterparts above record FRI_NETWORK,
 * FRI_NETMASKED and FRI_PEERADDR for "net", "netmasked" and "peer", but
 * every keyword here stores FRI_BROADCAST, so an IPv6 rule written with
 * any of those three ends up with fr_satype/fr_datype == FRI_BROADCAST.
 * Presumably the IPv4 values were intended — confirm against the kernel's
 * FRI_* handling before changing.
 */
959 YY_NUMBER { ntomask(6, $1, $$.i6); }
960 | IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) {
961 bzero(&$$, sizeof($$));
962 ifpflag = FRI_BROADCAST;
966 | IPFY_NETWORK { if (ifpflag == FRI_DYNAMIC) {
967 bzero(&$$, sizeof($$));
968 ifpflag = FRI_BROADCAST;
972 | IPFY_NETMASKED { if (ifpflag == FRI_DYNAMIC) {
973 bzero(&$$, sizeof($$));
974 ifpflag = FRI_BROADCAST;
978 | IPFY_PEER { if (ifpflag == FRI_DYNAMIC) {
979 bzero(&$$, sizeof($$));
980 ifpflag = FRI_BROADCAST;
988 | YY_NUMBER { $$.s_addr = $1; }
989 | YY_HEX { $$.s_addr = $1; }
990 | YY_STR { $$.s_addr = lookuphost($1);
996 ipaddr { $$ = newalist(NULL);
997 bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
998 bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); }
999 | addrlist ',' ipaddr
1000 { $$ = newalist($1);
1001 bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
1002 bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); }
1005 pool: IPFY_POOL { yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
1008 hash: IPFY_HASH { yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
1012 ipaddr { $$ = newalist(NULL);
1013 bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
1014 bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); }
1015 | '!' ipaddr { $$ = newalist(NULL);
1017 bcopy(&($2.a), &($$->al_i6addr), sizeof($2.a));
1018 bcopy(&($2.m), &($$->al_i6mask), sizeof($2.m)); }
1019 | poollist ',' ipaddr
1020 { $$ = newalist($1);
1021 bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
1022 bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); }
1023 | poollist ',' '!' ipaddr
1024 { $$ = newalist($1);
1026 bcopy(&($4.a), &($$->al_i6addr), sizeof($4.a));
1027 bcopy(&($4.m), &($$->al_i6mask), sizeof($4.m)); }
1030 port: IPFY_PORT { yyexpectaddr = 0;
1035 portc: port compare { $$ = $2;
1037 | porteq { $$ = $1; }
1040 porteq: port '=' { $$ = FR_EQUAL;
1044 portr: IPFY_PORT { yyexpectaddr = 0;
1050 portc portnum { $$.pc = $1;
1056 portr portnum range portnum { $$.p1 = $2;
1065 itype: seticmptype icmptype
1066 { DOALL(fr->fr_icmp = htons($2 << 8); fr->fr_icmpm = htons(0xff00););
1069 | seticmptype lstart typelist lend { yyresetdict(); }
1073 IPFY_ICMPTYPE { setipftype();
1074 yysetdict(icmptypewords); }
1077 icode: | seticmpcode icmpcode
1078 { DOALL(fr->fr_icmp |= htons($2); fr->fr_icmpm |= htons(0xff););
1081 | seticmpcode lstart codelist lend { yyresetdict(); }
1085 IPFY_ICMPCODE { yysetdict(icmpcodewords); }
1090 { DOREM(fr->fr_icmp = htons($1 << 8); fr->fr_icmpm = htons(0xff00);) }
1091 | typelist lmore icmptype
1092 { DOREM(fr->fr_icmp = htons($3 << 8); fr->fr_icmpm = htons(0xff00);) }
1097 { DOREM(fr->fr_icmp |= htons($1); fr->fr_icmpm |= htons(0xff);) }
1098 | codelist lmore icmpcode
1099 { DOREM(fr->fr_icmp &= htons(0xff00); fr->fr_icmp |= htons($3); \
1100 fr->fr_icmpm |= htons(0xff);) }
1103 age: | IPFY_AGE YY_NUMBER { DOALL(fr->fr_age[0] = $2; \
1104 fr->fr_age[1] = $2;) }
1105 | IPFY_AGE YY_NUMBER '/' YY_NUMBER
1106 { DOALL(fr->fr_age[0] = $2; \
1107 fr->fr_age[1] = $4;) }
1110 keep: | IPFY_KEEP keepstate keep
1111 | IPFY_KEEP keepfrag keep
1115 IPFY_STATE stateoptlist { DOALL(fr->fr_flags |= FR_KEEPSTATE;)}
1119 IPFY_FRAGS fragoptlist { DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
1120 | IPFY_FRAG fragoptlist { DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
1128 fragopt lanother fragopts
1133 IPFY_STRICT { DOALL(fr->fr_flags |= FR_FRSTRICT;) }
1141 stateopt lanother stateopts
1146 IPFY_LIMIT YY_NUMBER { DOALL(fr->fr_statemax = $2;) }
1147 | IPFY_STRICT { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
1150 fr->fr_flags |= FR_STSTRICT;)
1152 | IPFY_NEWISN { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
1155 fr->fr_flags |= FR_NEWISN;)
1157 | IPFY_NOICMPERR { DOALL(fr->fr_flags |= FR_NOICMPERR;) }
1159 | IPFY_SYNC { DOALL(fr->fr_flags |= FR_STATESYNC;) }
1160 | IPFY_AGE YY_NUMBER { DOALL(fr->fr_age[0] = $2; \
1161 fr->fr_age[1] = $2;) }
1162 | IPFY_AGE YY_NUMBER '/' YY_NUMBER
1163 { DOALL(fr->fr_age[0] = $2; \
1164 fr->fr_age[1] = $4;) }
1168 servicename { if (getport(frc, $1, &($$)) == -1)
1169 yyerror("service unknown");
1173 | YY_NUMBER { if ($1 > 65535) /* Unsigned */
1174 yyerror("invalid port number");
1181 withopt { nowith = 0; }
1182 | withlist withopt { nowith = 0; }
1183 | withlist ',' withopt { nowith = 0; }
1187 opttype { DOALL(fr->fr_flx |= $1; fr->fr_mflx |= $1;) }
1188 | notwith opttype { DOALL(fr->fr_mflx |= $2;) }
1189 | ipopt ipopts { yyresetdict(); }
1190 | notwith ipopt ipopts { yyresetdict(); }
1191 | startv6hdrs ipv6hdrs { yyresetdict(); }
1194 ipopt: IPFY_OPT { yysetdict(ipv4optwords); }
1198 IPF6_V6HDRS { if (use_inet6 == 0)
1199 yyerror("only available with IPv6");
1200 yysetdict(ipv6optwords);
1205 IPFY_NOT { nowith = 1; }
1206 | IPFY_NO { nowith = 1; }
1210 IPFY_IPOPTS { $$ = FI_OPTIONS; }
1211 | IPFY_SHORT { $$ = FI_SHORT; }
1212 | IPFY_NAT { $$ = FI_NATED; }
1213 | IPFY_BAD { $$ = FI_BAD; }
1214 | IPFY_BADNAT { $$ = FI_BADNAT; }
1215 | IPFY_BADSRC { $$ = FI_BADSRC; }
1216 | IPFY_LOWTTL { $$ = FI_LOWTTL; }
1217 | IPFY_FRAG { $$ = FI_FRAG; }
1218 | IPFY_FRAGBODY { $$ = FI_FRAGBODY; }
1219 | IPFY_FRAGS { $$ = FI_FRAG; }
1220 | IPFY_MBCAST { $$ = FI_MBCAST; }
1221 | IPFY_MULTICAST { $$ = FI_MULTICAST; }
1222 | IPFY_BROADCAST { $$ = FI_BROADCAST; }
1223 | IPFY_STATE { $$ = FI_STATE; }
1224 | IPFY_OOW { $$ = FI_OOW; }
1227 ipopts: optlist { DOALL(fr->fr_mip.fi_optmsk |= $1;
1229 fr->fr_ip.fi_optmsk |= $1;)
1235 | optlist ',' opt { $$ |= $1 | $3; }
1239 ipv6hdrlist { DOALL(fr->fr_mip.fi_optmsk |= $1;
1241 fr->fr_ip.fi_optmsk |= $1;)
1246 ipv6hdr { $$ |= $1; }
1247 | ipv6hdrlist ',' ipv6hdr { $$ |= $1 | $3; }
1251 seclevel { $$ |= $1; }
1252 | secname ',' seclevel { $$ |= $1 | $3; }
1256 IPFY_SEC_UNC { $$ = secbit(IPSO_CLASS_UNCL); }
1257 | IPFY_SEC_CONF { $$ = secbit(IPSO_CLASS_CONF); }
1258 | IPFY_SEC_RSV1 { $$ = secbit(IPSO_CLASS_RES1); }
1259 | IPFY_SEC_RSV2 { $$ = secbit(IPSO_CLASS_RES2); }
1260 | IPFY_SEC_RSV3 { $$ = secbit(IPSO_CLASS_RES3); }
1261 | IPFY_SEC_RSV4 { $$ = secbit(IPSO_CLASS_RES4); }
1262 | IPFY_SEC_SEC { $$ = secbit(IPSO_CLASS_SECR); }
1263 | IPFY_SEC_TS { $$ = secbit(IPSO_CLASS_TOPS); }
1267 YY_NUMBER { $$ = $1; }
1268 | IPFY_ICMPT_UNR { $$ = ICMP_UNREACH; }
1269 | IPFY_ICMPT_ECHO { $$ = ICMP_ECHO; }
1270 | IPFY_ICMPT_ECHOR { $$ = ICMP_ECHOREPLY; }
1271 | IPFY_ICMPT_SQUENCH { $$ = ICMP_SOURCEQUENCH; }
1272 | IPFY_ICMPT_REDIR { $$ = ICMP_REDIRECT; }
1273 | IPFY_ICMPT_TIMEX { $$ = ICMP_TIMXCEED; }
1274 | IPFY_ICMPT_PARAMP { $$ = ICMP_PARAMPROB; }
1275 | IPFY_ICMPT_TIMEST { $$ = ICMP_TSTAMP; }
1276 | IPFY_ICMPT_TIMESTREP { $$ = ICMP_TSTAMPREPLY; }
1277 | IPFY_ICMPT_INFOREQ { $$ = ICMP_IREQ; }
1278 | IPFY_ICMPT_INFOREP { $$ = ICMP_IREQREPLY; }
1279 | IPFY_ICMPT_MASKREQ { $$ = ICMP_MASKREQ; }
1280 | IPFY_ICMPT_MASKREP { $$ = ICMP_MASKREPLY; }
1281 | IPFY_ICMPT_ROUTERAD { $$ = ICMP_ROUTERADVERT; }
1282 | IPFY_ICMPT_ROUTERSOL { $$ = ICMP_ROUTERSOLICIT; }
1286 YY_NUMBER { $$ = $1; }
1287 | IPFY_ICMPC_NETUNR { $$ = ICMP_UNREACH_NET; }
1288 | IPFY_ICMPC_HSTUNR { $$ = ICMP_UNREACH_HOST; }
1289 | IPFY_ICMPC_PROUNR { $$ = ICMP_UNREACH_PROTOCOL; }
1290 | IPFY_ICMPC_PORUNR { $$ = ICMP_UNREACH_PORT; }
1291 | IPFY_ICMPC_NEEDF { $$ = ICMP_UNREACH_NEEDFRAG; }
1292 | IPFY_ICMPC_SRCFAIL { $$ = ICMP_UNREACH_SRCFAIL; }
1293 | IPFY_ICMPC_NETUNK { $$ = ICMP_UNREACH_NET_UNKNOWN; }
1294 | IPFY_ICMPC_HSTUNK { $$ = ICMP_UNREACH_HOST_UNKNOWN; }
1295 | IPFY_ICMPC_ISOLATE { $$ = ICMP_UNREACH_ISOLATED; }
1296 | IPFY_ICMPC_NETPRO { $$ = ICMP_UNREACH_NET_PROHIB; }
1297 | IPFY_ICMPC_HSTPRO { $$ = ICMP_UNREACH_HOST_PROHIB; }
1298 | IPFY_ICMPC_NETTOS { $$ = ICMP_UNREACH_TOSNET; }
1299 | IPFY_ICMPC_HSTTOS { $$ = ICMP_UNREACH_TOSHOST; }
1300 | IPFY_ICMPC_FLTPRO { $$ = ICMP_UNREACH_ADMIN_PROHIBIT; }
1301 | IPFY_ICMPC_HSTPRE { $$ = 14; }
1302 | IPFY_ICMPC_CUTPRE { $$ = 15; }
1306 IPFY_IPOPT_NOP { $$ = getoptbyvalue(IPOPT_NOP); }
1307 | IPFY_IPOPT_RR { $$ = getoptbyvalue(IPOPT_RR); }
1308 | IPFY_IPOPT_ZSU { $$ = getoptbyvalue(IPOPT_ZSU); }
1309 | IPFY_IPOPT_MTUP { $$ = getoptbyvalue(IPOPT_MTUP); }
1310 | IPFY_IPOPT_MTUR { $$ = getoptbyvalue(IPOPT_MTUR); }
1311 | IPFY_IPOPT_ENCODE { $$ = getoptbyvalue(IPOPT_ENCODE); }
1312 | IPFY_IPOPT_TS { $$ = getoptbyvalue(IPOPT_TS); }
1313 | IPFY_IPOPT_TR { $$ = getoptbyvalue(IPOPT_TR); }
1314 | IPFY_IPOPT_SEC { $$ = getoptbyvalue(IPOPT_SECURITY); }
1315 | IPFY_IPOPT_LSRR { $$ = getoptbyvalue(IPOPT_LSRR); }
1316 | IPFY_IPOPT_ESEC { $$ = getoptbyvalue(IPOPT_E_SEC); }
1317 | IPFY_IPOPT_CIPSO { $$ = getoptbyvalue(IPOPT_CIPSO); }
1318 | IPFY_IPOPT_SATID { $$ = getoptbyvalue(IPOPT_SATID); }
1319 | IPFY_IPOPT_SSRR { $$ = getoptbyvalue(IPOPT_SSRR); }
1320 | IPFY_IPOPT_ADDEXT { $$ = getoptbyvalue(IPOPT_ADDEXT); }
1321 | IPFY_IPOPT_VISA { $$ = getoptbyvalue(IPOPT_VISA); }
1322 | IPFY_IPOPT_IMITD { $$ = getoptbyvalue(IPOPT_IMITD); }
1323 | IPFY_IPOPT_EIP { $$ = getoptbyvalue(IPOPT_EIP); }
1324 | IPFY_IPOPT_FINN { $$ = getoptbyvalue(IPOPT_FINN); }
1325 | IPFY_IPOPT_DPS { $$ = getoptbyvalue(IPOPT_DPS); }
1326 | IPFY_IPOPT_SDB { $$ = getoptbyvalue(IPOPT_SDB); }
1327 | IPFY_IPOPT_NSAPA { $$ = getoptbyvalue(IPOPT_NSAPA); }
1328 | IPFY_IPOPT_RTRALRT { $$ = getoptbyvalue(IPOPT_RTRALRT); }
1329 | IPFY_IPOPT_UMP { $$ = getoptbyvalue(IPOPT_UMP); }
1330 | setsecclass secname
1331 { DOALL(fr->fr_mip.fi_secmsk |= $2;
1333 fr->fr_ip.fi_secmsk |= $2;)
1340 IPFY_SECCLASS { yysetdict(ipv4secwords); }
1344 IPFY_AH { $$ = getv6optbyvalue(IPPROTO_AH); }
1345 | IPFY_IPV6OPT_DSTOPTS { $$ = getv6optbyvalue(IPPROTO_DSTOPTS); }
1346 | IPFY_IPV6OPT_ESP { $$ = getv6optbyvalue(IPPROTO_ESP); }
1347 | IPFY_IPV6OPT_HOPOPTS { $$ = getv6optbyvalue(IPPROTO_HOPOPTS); }
1348 | IPFY_IPV6OPT_IPV6 { $$ = getv6optbyvalue(IPPROTO_IPV6); }
1349 | IPFY_IPV6OPT_NONE { $$ = getv6optbyvalue(IPPROTO_NONE); }
1350 | IPFY_IPV6OPT_ROUTING { $$ = getv6optbyvalue(IPPROTO_ROUTING); }
1351 | IPFY_IPV6OPT_FRAG { $$ = getv6optbyvalue(IPPROTO_FRAGMENT); }
1352 | IPFY_IPV6OPT_MOBILITY { $$ = getv6optbyvalue(IPPROTO_MOBILITY); }
1355 level: IPFY_LEVEL { setsyslog(); }
1359 priority { fr->fr_loglevel = LOG_LOCAL0|$1; }
1360 | facility '.' priority { fr->fr_loglevel = $1 | $3; }
1364 IPFY_FAC_KERN { $$ = LOG_KERN; }
1365 | IPFY_FAC_USER { $$ = LOG_USER; }
1366 | IPFY_FAC_MAIL { $$ = LOG_MAIL; }
1367 | IPFY_FAC_DAEMON { $$ = LOG_DAEMON; }
1368 | IPFY_FAC_AUTH { $$ = LOG_AUTH; }
1369 | IPFY_FAC_SYSLOG { $$ = LOG_SYSLOG; }
1370 | IPFY_FAC_LPR { $$ = LOG_LPR; }
1371 | IPFY_FAC_NEWS { $$ = LOG_NEWS; }
1372 | IPFY_FAC_UUCP { $$ = LOG_UUCP; }
1373 | IPFY_FAC_CRON { $$ = LOG_CRON; }
1374 | IPFY_FAC_FTP { $$ = LOG_FTP; }
1375 | IPFY_FAC_AUTHPRIV { $$ = LOG_AUTHPRIV; }
1376 | IPFY_FAC_AUDIT { $$ = LOG_AUDIT; }
1377 | IPFY_FAC_LFMT { $$ = LOG_LFMT; }
1378 | IPFY_FAC_LOCAL0 { $$ = LOG_LOCAL0; }
1379 | IPFY_FAC_LOCAL1 { $$ = LOG_LOCAL1; }
1380 | IPFY_FAC_LOCAL2 { $$ = LOG_LOCAL2; }
1381 | IPFY_FAC_LOCAL3 { $$ = LOG_LOCAL3; }
1382 | IPFY_FAC_LOCAL4 { $$ = LOG_LOCAL4; }
1383 | IPFY_FAC_LOCAL5 { $$ = LOG_LOCAL5; }
1384 | IPFY_FAC_LOCAL6 { $$ = LOG_LOCAL6; }
1385 | IPFY_FAC_LOCAL7 { $$ = LOG_LOCAL7; }
1386 | IPFY_FAC_SECURITY { $$ = LOG_SECURITY; }
1390 IPFY_PRI_EMERG { $$ = LOG_EMERG; }
1391 | IPFY_PRI_ALERT { $$ = LOG_ALERT; }
1392 | IPFY_PRI_CRIT { $$ = LOG_CRIT; }
1393 | IPFY_PRI_ERR { $$ = LOG_ERR; }
1394 | IPFY_PRI_WARN { $$ = LOG_WARNING; }
1395 | IPFY_PRI_NOTICE { $$ = LOG_NOTICE; }
1396 | IPFY_PRI_INFO { $$ = LOG_INFO; }
1397 | IPFY_PRI_DEBUG { $$ = LOG_DEBUG; }
1401 YY_CMP_EQ { $$ = FR_EQUAL; }
1402 | YY_CMP_NE { $$ = FR_NEQUAL; }
1403 | YY_CMP_LT { $$ = FR_LESST; }
1404 | YY_CMP_LE { $$ = FR_LESSTE; }
1405 | YY_CMP_GT { $$ = FR_GREATERT; }
1406 | YY_CMP_GE { $$ = FR_GREATERTE; }
1409 range: YY_RANGE_IN { $$ = FR_INRANGE; }
1410 | YY_RANGE_OUT { $$ = FR_OUTRANGE; }
1411 | ':' { $$ = FR_INCRANGE; }
1418 interfacename: name { $$ = $1; }
1419 | name ':' YY_NUMBER
1421 fprintf(stderr, "%d: Logical interface %s:%d unsupported, "
1422 "use the physical interface %s instead.\n",
1423 yylineNum, $1, $3, $1);
1427 name: YY_STR { $$ = $1; }
1428 | '-' { $$ = strdup("-"); }
1432 YY_NUMBER '.' YY_NUMBER
1433 { if ($1 > 255 || $3 > 255) {
1434 yyerror("Invalid octet string for IP address");
1437 $$.s_addr = ($1 << 24) | ($3 << 16);
1438 $$.s_addr = htonl($$.s_addr);
1443 ipv4_16 '.' YY_NUMBER
1445 yyerror("Invalid octet string for IP address");
1448 $$.s_addr |= htonl($3 << 8);
1452 ipv4: ipv4_24 '.' YY_NUMBER
1454 yyerror("Invalid octet string for IP address");
1457 $$.s_addr |= htonl($3);
1466 static struct wordtab ipfwords[95] = {
1467 { "age", IPFY_AGE },
1469 { "all", IPFY_ALL },
1470 { "and", IPFY_AND },
1471 { "auth", IPFY_AUTH },
1472 { "bad", IPFY_BAD },
1473 { "bad-nat", IPFY_BADNAT },
1474 { "bad-src", IPFY_BADSRC },
1475 { "bcast", IPFY_BROADCAST },
1476 { "block", IPFY_BLOCK },
1477 { "body", IPFY_BODY },
1478 { "bpf-v4", IPFY_BPFV4 },
1480 { "bpf-v6", IPFY_BPFV6 },
1482 { "call", IPFY_CALL },
1483 { "code", IPFY_ICMPCODE },
1484 { "count", IPFY_COUNT },
1485 { "dup-to", IPFY_DUPTO },
1486 { "eq", YY_CMP_EQ },
1487 { "esp", IPFY_ESP },
1488 { "fastroute", IPFY_FROUTE },
1489 { "first", IPFY_FIRST },
1490 { "flags", IPFY_FLAGS },
1491 { "frag", IPFY_FRAG },
1492 { "frag-body", IPFY_FRAGBODY },
1493 { "frags", IPFY_FRAGS },
1494 { "from", IPFY_FROM },
1495 { "ge", YY_CMP_GE },
1496 { "group", IPFY_GROUP },
1497 { "gt", YY_CMP_GT },
1498 { "head", IPFY_HEAD },
1499 { "icmp", IPFY_ICMP },
1500 { "icmp-type", IPFY_ICMPTYPE },
1502 { "in-via", IPFY_INVIA },
1503 { "ipopt", IPFY_IPOPTS },
1504 { "ipopts", IPFY_IPOPTS },
1505 { "keep", IPFY_KEEP },
1506 { "le", YY_CMP_LE },
1507 { "level", IPFY_LEVEL },
1508 { "limit", IPFY_LIMIT },
1509 { "log", IPFY_LOG },
1510 { "lowttl", IPFY_LOWTTL },
1511 { "lt", YY_CMP_LT },
1512 { "mask", IPFY_MASK },
1513 { "match-tag", IPFY_MATCHTAG },
1514 { "mbcast", IPFY_MBCAST },
1515 { "mcast", IPFY_MULTICAST },
1516 { "multicast", IPFY_MULTICAST },
1517 { "nat", IPFY_NAT },
1518 { "ne", YY_CMP_NE },
1519 { "net", IPFY_NETWORK },
1520 { "newisn", IPFY_NEWISN },
1522 { "no-icmp-err", IPFY_NOICMPERR },
1523 { "nomatch", IPFY_NOMATCH },
1524 { "now", IPFY_NOW },
1525 { "not", IPFY_NOT },
1526 { "oow", IPFY_OOW },
1528 { "opt", IPFY_OPT },
1529 { "or-block", IPFY_ORBLOCK },
1530 { "out", IPFY_OUT },
1531 { "out-via", IPFY_OUTVIA },
1532 { "pass", IPFY_PASS },
1533 { "port", IPFY_PORT },
1534 { "pps", IPFY_PPS },
1535 { "preauth", IPFY_PREAUTH },
1536 { "proto", IPFY_PROTO },
1537 { "quick", IPFY_QUICK },
1538 { "reply-to", IPFY_REPLY_TO },
1539 { "return-icmp", IPFY_RETICMP },
1540 { "return-icmp-as-dest", IPFY_RETICMPASDST },
1541 { "return-rst", IPFY_RETRST },
1542 { "route-to", IPFY_ROUTETO },
1543 { "sec-class", IPFY_SECCLASS },
1544 { "set-tag", IPFY_SETTAG },
1545 { "skip", IPFY_SKIP },
1546 { "short", IPFY_SHORT },
1547 { "state", IPFY_STATE },
1548 { "state-age", IPFY_AGE },
1549 { "strict", IPFY_STRICT },
1550 { "sync", IPFY_SYNC },
1551 { "tcp", IPFY_TCP },
1552 { "tcp-udp", IPFY_TCPUDP },
1553 { "tos", IPFY_TOS },
1555 { "ttl", IPFY_TTL },
1556 { "udp", IPFY_UDP },
1557 { "v6hdrs", IPF6_V6HDRS },
1558 { "with", IPFY_WITH },
1562 static struct wordtab addrwords[4] = {
1563 { "any", IPFY_ANY },
1564 { "hash", IPFY_HASH },
1565 { "pool", IPFY_POOL },
1569 static struct wordtab maskwords[5] = {
1570 { "broadcast", IPFY_BROADCAST },
1571 { "netmasked", IPFY_NETMASKED },
1572 { "network", IPFY_NETWORK },
1573 { "peer", IPFY_PEER },
1577 static struct wordtab icmptypewords[16] = {
1578 { "echo", IPFY_ICMPT_ECHO },
1579 { "echorep", IPFY_ICMPT_ECHOR },
1580 { "inforeq", IPFY_ICMPT_INFOREQ },
1581 { "inforep", IPFY_ICMPT_INFOREP },
1582 { "maskrep", IPFY_ICMPT_MASKREP },
1583 { "maskreq", IPFY_ICMPT_MASKREQ },
1584 { "paramprob", IPFY_ICMPT_PARAMP },
1585 { "redir", IPFY_ICMPT_REDIR },
1586 { "unreach", IPFY_ICMPT_UNR },
1587 { "routerad", IPFY_ICMPT_ROUTERAD },
1588 { "routersol", IPFY_ICMPT_ROUTERSOL },
1589 { "squench", IPFY_ICMPT_SQUENCH },
1590 { "timest", IPFY_ICMPT_TIMEST },
1591 { "timestrep", IPFY_ICMPT_TIMESTREP },
1592 { "timex", IPFY_ICMPT_TIMEX },
1596 static struct wordtab icmpcodewords[17] = {
1597 { "cutoff-preced", IPFY_ICMPC_CUTPRE },
1598 { "filter-prohib", IPFY_ICMPC_FLTPRO },
1599 { "isolate", IPFY_ICMPC_ISOLATE },
1600 { "needfrag", IPFY_ICMPC_NEEDF },
1601 { "net-prohib", IPFY_ICMPC_NETPRO },
1602 { "net-tos", IPFY_ICMPC_NETTOS },
1603 { "host-preced", IPFY_ICMPC_HSTPRE },
1604 { "host-prohib", IPFY_ICMPC_HSTPRO },
1605 { "host-tos", IPFY_ICMPC_HSTTOS },
1606 { "host-unk", IPFY_ICMPC_HSTUNK },
1607 { "host-unr", IPFY_ICMPC_HSTUNR },
1608 { "net-unk", IPFY_ICMPC_NETUNK },
1609 { "net-unr", IPFY_ICMPC_NETUNR },
1610 { "port-unr", IPFY_ICMPC_PORUNR },
1611 { "proto-unr", IPFY_ICMPC_PROUNR },
1612 { "srcfail", IPFY_ICMPC_SRCFAIL },
1616 static struct wordtab ipv4optwords[25] = {
1617 { "addext", IPFY_IPOPT_ADDEXT },
1618 { "cipso", IPFY_IPOPT_CIPSO },
1619 { "dps", IPFY_IPOPT_DPS },
1620 { "e-sec", IPFY_IPOPT_ESEC },
1621 { "eip", IPFY_IPOPT_EIP },
1622 { "encode", IPFY_IPOPT_ENCODE },
1623 { "finn", IPFY_IPOPT_FINN },
1624 { "imitd", IPFY_IPOPT_IMITD },
1625 { "lsrr", IPFY_IPOPT_LSRR },
1626 { "mtup", IPFY_IPOPT_MTUP },
1627 { "mtur", IPFY_IPOPT_MTUR },
1628 { "nop", IPFY_IPOPT_NOP },
1629 { "nsapa", IPFY_IPOPT_NSAPA },
1630 { "rr", IPFY_IPOPT_RR },
1631 { "rtralrt", IPFY_IPOPT_RTRALRT },
1632 { "satid", IPFY_IPOPT_SATID },
1633 { "sdb", IPFY_IPOPT_SDB },
1634 { "sec", IPFY_IPOPT_SEC },
1635 { "ssrr", IPFY_IPOPT_SSRR },
1636 { "tr", IPFY_IPOPT_TR },
1637 { "ts", IPFY_IPOPT_TS },
1638 { "ump", IPFY_IPOPT_UMP },
1639 { "visa", IPFY_IPOPT_VISA },
1640 { "zsu", IPFY_IPOPT_ZSU },
1644 static struct wordtab ipv4secwords[9] = {
1645 { "confid", IPFY_SEC_CONF },
1646 { "reserv-1", IPFY_SEC_RSV1 },
1647 { "reserv-2", IPFY_SEC_RSV2 },
1648 { "reserv-3", IPFY_SEC_RSV3 },
1649 { "reserv-4", IPFY_SEC_RSV4 },
1650 { "secret", IPFY_SEC_SEC },
1651 { "topsecret", IPFY_SEC_TS },
1652 { "unclass", IPFY_SEC_UNC },
1656 static struct wordtab ipv6optwords[9] = {
1657 { "dstopts", IPFY_IPV6OPT_DSTOPTS },
1658 { "esp", IPFY_IPV6OPT_ESP },
1659 { "frag", IPFY_IPV6OPT_FRAG },
1660 { "hopopts", IPFY_IPV6OPT_HOPOPTS },
1661 { "ipv6", IPFY_IPV6OPT_IPV6 },
1662 { "mobility", IPFY_IPV6OPT_MOBILITY },
1663 { "none", IPFY_IPV6OPT_NONE },
1664 { "routing", IPFY_IPV6OPT_ROUTING },
1668 static struct wordtab logwords[33] = {
1669 { "kern", IPFY_FAC_KERN },
1670 { "user", IPFY_FAC_USER },
1671 { "mail", IPFY_FAC_MAIL },
1672 { "daemon", IPFY_FAC_DAEMON },
1673 { "auth", IPFY_FAC_AUTH },
1674 { "syslog", IPFY_FAC_SYSLOG },
1675 { "lpr", IPFY_FAC_LPR },
1676 { "news", IPFY_FAC_NEWS },
1677 { "uucp", IPFY_FAC_UUCP },
1678 { "cron", IPFY_FAC_CRON },
1679 { "ftp", IPFY_FAC_FTP },
1680 { "authpriv", IPFY_FAC_AUTHPRIV },
1681 { "audit", IPFY_FAC_AUDIT },
1682 { "logalert", IPFY_FAC_LFMT },
1683 { "console", IPFY_FAC_CONSOLE },
1684 { "security", IPFY_FAC_SECURITY },
1685 { "local0", IPFY_FAC_LOCAL0 },
1686 { "local1", IPFY_FAC_LOCAL1 },
1687 { "local2", IPFY_FAC_LOCAL2 },
1688 { "local3", IPFY_FAC_LOCAL3 },
1689 { "local4", IPFY_FAC_LOCAL4 },
1690 { "local5", IPFY_FAC_LOCAL5 },
1691 { "local6", IPFY_FAC_LOCAL6 },
1692 { "local7", IPFY_FAC_LOCAL7 },
1693 { "emerg", IPFY_PRI_EMERG },
1694 { "alert", IPFY_PRI_ALERT },
1695 { "crit", IPFY_PRI_CRIT },
1696 { "err", IPFY_PRI_ERR },
1697 { "warn", IPFY_PRI_WARN },
1698 { "notice", IPFY_PRI_NOTICE },
1699 { "info", IPFY_PRI_INFO },
1700 { "debug", IPFY_PRI_DEBUG },
1707 int ipf_parsefile(fd, addfunc, iocfuncs, filename)
1710 ioctlfunc_t *iocfuncs;
1719 s = getenv("YYDEBUG");
1725 if (strcmp(filename, "-")) {
1726 fp = fopen(filename, "r");
1728 fprintf(stderr, "fopen(%s) failed: %s\n", filename,
1735 while (ipf_parsesome(fd, addfunc, iocfuncs, fp) == 1)
1743 int ipf_parsesome(fd, addfunc, iocfuncs, fp)
1746 ioctlfunc_t *iocfuncs;
1753 for (i = 0; i <= IPL_LOGMAX; i++)
1754 ipfioctl[i] = iocfuncs[i];
1755 ipfaddfunc = addfunc;
1762 if (ungetc(i, fp) == 0)
1766 s = getenv("YYDEBUG");
1778 static void newrule()
1782 frn = (frentry_t *)calloc(1, sizeof(frentry_t));
1783 for (fr = frtop; fr != NULL && fr->fr_next != NULL; fr = fr->fr_next)
1791 fr->fr_loglevel = 0xffff;
1792 fr->fr_isc = (void *)-1;
1793 fr->fr_logtag = FR_NOLOGTAG;
1794 fr->fr_type = FR_T_NONE;
1804 static void setipftype()
1806 for (fr = frc; fr != NULL; fr = fr->fr_next) {
1807 if (fr->fr_type == FR_T_NONE) {
1808 fr->fr_type = FR_T_IPF;
1809 fr->fr_data = (void *)calloc(sizeof(fripf_t), 1);
1810 fr->fr_dsize = sizeof(fripf_t);
1811 fr->fr_ip.fi_v = frc->fr_v;
1812 fr->fr_mip.fi_v = 0xf;
1813 fr->fr_ipf->fri_sifpidx = -1;
1814 fr->fr_ipf->fri_difpidx = -1;
1816 if (fr->fr_type != FR_T_IPF) {
1817 fprintf(stderr, "IPF Type not set\n");
1823 static frentry_t *addrule()
1825 frentry_t *f, *f1, *f2;
1828 for (f2 = frc; f2->fr_next != NULL; f2 = f2->fr_next)
1833 for (f1 = frc; count > 0; count--, f1 = f1->fr_next) {
1834 f->fr_next = (frentry_t *)calloc(sizeof(*f), 1);
1837 bcopy(f1, f, sizeof(*f));
1839 if (f->fr_caddr != NULL) {
1840 f->fr_caddr = malloc(f->fr_dsize);
1841 bcopy(f1->fr_caddr, f->fr_caddr, f->fr_dsize);
1849 static u_32_t lookuphost(name)
1859 for (i = 0; i < 4; i++) {
1860 if (strncmp(name, frc->fr_ifnames[i],
1861 sizeof(frc->fr_ifnames[i])) == 0) {
1862 ifpflag = FRI_DYNAMIC;
1868 if (gethost(name, &addr) == -1) {
1869 fprintf(stderr, "unknown name \"%s\"\n", name);
1876 static void dobpf(v, phrase)
1881 struct bpf_program bpf;
1889 for (fr = frc; fr != NULL; fr = fr->fr_next) {
1890 if (fr->fr_type != FR_T_NONE) {
1891 fprintf(stderr, "cannot mix IPF and BPF matching\n");
1895 fr->fr_type = FR_T_BPFOPC;
1897 if (!strncmp(phrase, "0x", 2)) {
1898 fb = malloc(sizeof(fakebpf_t));
1900 for (i = 0, s = strtok(phrase, " \r\n\t"); s != NULL;
1901 s = strtok(NULL, " \r\n\t"), i++) {
1902 fb = realloc(fb, (i / 4 + 1) * sizeof(*fb));
1903 l = (u_32_t)strtol(s, NULL, 0);
1907 fb[i / 4].fb_c = l & 0xffff;
1910 fb[i / 4].fb_t = l & 0xff;
1913 fb[i / 4].fb_f = l & 0xff;
1922 "Odd number of bytes in BPF code\n");
1926 fr->fr_dsize = (i / 4 + 1) * sizeof(*fb);
1932 bzero((char *)&bpf, sizeof(bpf));
1933 p = pcap_open_dead(DLT_RAW, 1);
1935 fprintf(stderr, "pcap_open_dead failed\n");
1939 if (pcap_compile(p, &bpf, phrase, 1, 0xffffffff)) {
1940 pcap_perror(p, "ipf");
1942 fprintf(stderr, "pcap parsing failed (%s)\n", phrase);
1947 fr->fr_dsize = bpf.bf_len * sizeof(struct bpf_insn);
1948 fr->fr_data = malloc(fr->fr_dsize);
1949 bcopy((char *)bpf.bf_insns, fr->fr_data, fr->fr_dsize);
1950 if (!bpf_validate(fr->fr_data, bpf.bf_len)) {
1951 fprintf(stderr, "BPF validation failed\n");
1958 if (opts & OPT_DEBUG)
1961 fprintf(stderr, "BPF filter expressions not supported\n");
1967 static void resetaddr()
1975 static alist_t *newalist(ptr)
1980 al = malloc(sizeof(*al));
1989 static int makepool(list)
1992 ip_pool_node_t *n, *top;
1999 top = calloc(1, sizeof(*top));
2003 for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) {
2004 n->ipn_addr.adf_addr.in4.s_addr = a->al_1;
2005 n->ipn_mask.adf_addr.in4.s_addr = a->al_2;
2006 n->ipn_info = a->al_not;
2007 if (a->al_next != NULL) {
2008 n->ipn_next = calloc(1, sizeof(*n));
2013 bzero((char *)&pool, sizeof(pool));
2014 pool.ipo_unit = IPL_LOGIPF;
2015 pool.ipo_list = top;
2016 num = load_pool(&pool, ipfioctl[IPL_LOGLOOKUP]);
2018 while ((n = top) != NULL) {
2026 static u_int makehash(list)
2036 top = calloc(1, sizeof(*top));
2040 for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) {
2041 n->ipe_addr.in4_addr = a->al_1;
2042 n->ipe_mask.in4_addr = a->al_2;
2044 if (a->al_next != NULL) {
2045 n->ipe_next = calloc(1, sizeof(*n));
2050 bzero((char *)&iph, sizeof(iph));
2051 iph.iph_unit = IPL_LOGIPF;
2052 iph.iph_type = IPHASH_LOOKUP;
2053 *iph.iph_name = '\0';
2055 if (load_hash(&iph, top, ipfioctl[IPL_LOGLOOKUP]) == 0)
2056 sscanf(iph.iph_name, "%u", &num);
2060 while ((n = top) != NULL) {
2068 void ipf_addrule(fd, ioctlfunc, ptr)
2070 ioctlfunc_t ioctlfunc;
2073 ioctlcmd_t add, del;
2084 bzero((char *)&obj, sizeof(obj));
2085 obj.ipfo_rev = IPFILTER_VERSION;
2086 obj.ipfo_size = sizeof(*fr);
2087 obj.ipfo_type = IPFOBJ_FRENTRY;
2090 if ((opts & OPT_DONOTHING) != 0)
2093 if (opts & OPT_ZERORULEST) {
2095 } else if (opts & OPT_INACTIVE) {
2096 add = (u_int)fr->fr_hits ? SIOCINIFR :
2100 add = (u_int)fr->fr_hits ? SIOCINAFR :
2105 if ((opts & OPT_OUTQUE) != 0)
2106 fr->fr_flags |= FR_OUTQUE;
2109 if ((opts & OPT_VERBOSE) != 0)
2110 printfr(fr, ioctlfunc);
2112 if ((opts & OPT_DEBUG) != 0) {
2113 binprint(fr, sizeof(*fr));
2114 if (fr->fr_data != NULL)
2115 binprint(fr->fr_data, fr->fr_dsize);
2118 if ((opts & OPT_ZERORULEST) != 0) {
2119 if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
2120 if ((opts & OPT_DONOTHING) == 0) {
2121 fprintf(stderr, "%d:", yylineNum);
2122 perror("ioctl(SIOCZRLST)");
2126 printf("hits %qd bytes %qd ",
2127 (long long)fr->fr_hits,
2128 (long long)fr->fr_bytes);
2130 printf("hits %ld bytes %ld ",
2131 fr->fr_hits, fr->fr_bytes);
2133 printfr(fr, ioctlfunc);
2135 } else if ((opts & OPT_REMOVE) != 0) {
2136 if ((*ioctlfunc)(fd, del, (void *)&obj) == -1) {
2137 if ((opts & OPT_DONOTHING) != 0) {
2138 fprintf(stderr, "%d:", yylineNum);
2139 perror("ioctl(delete rule)");
2143 if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
2144 if (!(opts & OPT_DONOTHING)) {
2145 fprintf(stderr, "%d:", yylineNum);
2146 perror("ioctl(add/insert rule)");
2152 static void setsyslog()
2154 yysetdict(logwords);
2159 static void unsetsyslog()
2166 static void fillgroup(fr)
2171 for (f = frold; f != NULL; f = f->fr_next)
2172 if (strncmp(f->fr_grhead, fr->fr_group, FR_GROUPLEN) == 0)
2178 * Only copy down matching fields if the rules are of the same type
2179 * and are of ipf type. The only fields that are copied are those
2180 * that impact the rule parsing itself, eg. need for knowing what the
2181 * protocol should be for rules with port comparisons in them.
2183 if (f->fr_type != fr->fr_type || f->fr_type != FR_T_IPF)
2186 if (fr->fr_v == 0 && f->fr_v != 0)
2189 if (fr->fr_mproto == 0 && f->fr_mproto != 0)
2190 fr->fr_mproto = f->fr_mproto;
2191 if (fr->fr_proto == 0 && f->fr_proto != 0)
2192 fr->fr_proto = f->fr_proto;
2194 if ((fr->fr_mproto == 0) && ((fr->fr_flx & FI_TCPUDP) == 0) &&
2195 ((f->fr_flx & FI_TCPUDP) != 0))
2196 fr->fr_flx |= FI_TCPUDP;