4 * Copyright (C) 2001-2006 by Darren Reed.
6 * See the IPFILTER.LICENCE file for details on licencing.
10 #include <sys/ioctl.h>
13 # include "pcap-bpf.h"
17 #include "netinet/ip_pool.h"
18 #include "netinet/ip_htable.h"
19 #include "netinet/ipl.h"
/*
 * Rule-chain iteration helpers.  `fr` and `frc` are the file-scope
 * frentry_t pointers declared further down: `frc` is the head of the
 * rule(s) currently being built and `fr` is the cursor.  DOALL walks every
 * rule starting from the head; DOREM continues from wherever `fr` already
 * points (used inside list constructs, after lstart has reset `fr = frc`).
 * The argument is spliced into the loop body verbatim, so `x` must be a
 * complete statement list ending in ';'.
 */
23 #define DOALL(x) for (fr = frc; fr != NULL; fr = fr->fr_next) { x }
24 #define DOREM(x) for (; fr != NULL; fr = fr->fr_next) { x }
26 extern void yyerror __P((char *));
27 extern int yyparse __P((void));
28 extern int yylex __P((void));
33 static void newrule __P((void));
34 static void setipftype __P((void));
35 static u_32_t lookuphost __P((char *));
36 static void dobpf __P((int, char *));
37 static void resetaddr __P((void));
38 static struct alist_s *newalist __P((struct alist_s *));
39 static u_int makehash __P((struct alist_s *));
40 static int makepool __P((struct alist_s *));
41 static frentry_t *addrule __P((void));
42 static void setsyslog __P((void));
43 static void unsetsyslog __P((void));
44 static void fillgroup __P((frentry_t *));
46 frentry_t *fr = NULL, *frc = NULL, *frtop = NULL, *frold = NULL;
48 static int ifpflag = 0;
49 static int nowith = 0;
50 static int dynamic = -1;
51 static int pooled = 0;
52 static int hashed = 0;
53 static int nrules = 0;
54 static int newlist = 0;
56 static int ipffd = -1;
57 static int *yycont = 0;
58 static ioctlfunc_t ipfioctl[IPL_LOGSIZE];
59 static addfunc_t ipfaddfunc = NULL;
60 static struct wordtab ipfwords[95];
61 static struct wordtab addrwords[4];
62 static struct wordtab maskwords[5];
63 static struct wordtab icmpcodewords[17];
64 static struct wordtab icmptypewords[16];
65 static struct wordtab ipv4optwords[25];
66 static struct wordtab ipv4secwords[9];
67 static struct wordtab ipv6optwords[9];
68 static struct wordtab logwords[33];
77 struct alist_s *alist;
96 %type <num> facility priority icmpcode seclevel secname icmptype
97 %type <num> opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr
98 %type <num> portc porteq
99 %type <ipa> hostname ipv4 ipv4mask ipv4_16 ipv4_24
101 %type <ipp> addr ipaddr
102 %type <str> servicename name interfacename
103 %type <pc> portrange portcomp
104 %type <alist> addrlist poollist
107 %token <num> YY_NUMBER YY_HEX
110 %token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
111 %token YY_RANGE_OUT YY_RANGE_IN
114 %token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL IPFY_NOMATCH
115 %token IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST
116 %token IPFY_IN IPFY_OUT
117 %token IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA
118 %token IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO IPFY_ROUTETO
119 %token IPFY_TOS IPFY_TTL IPFY_PROTO
120 %token IPFY_HEAD IPFY_GROUP
121 %token IPFY_AUTH IPFY_PREAUTH
122 %token IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK
123 %token IPFY_LOGTAG IPFY_MATCHTAG IPFY_SETTAG IPFY_SKIP
124 %token IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPFV4 IPFY_BPFV6 IPFY_POOL IPFY_HASH
126 %token IPFY_ESP IPFY_AH
127 %token IPFY_WITH IPFY_AND IPFY_NOT IPFY_NO IPFY_OPT
128 %token IPFY_TCPUDP IPFY_TCP IPFY_UDP
129 %token IPFY_FLAGS IPFY_MULTICAST
130 %token IPFY_MASK IPFY_BROADCAST IPFY_NETWORK IPFY_NETMASKED IPFY_PEER
133 %token IPFY_ICMP IPFY_ICMPTYPE IPFY_ICMPCODE
134 %token IPFY_IPOPTS IPFY_SHORT IPFY_NAT IPFY_BADSRC IPFY_LOWTTL IPFY_FRAG
135 %token IPFY_MBCAST IPFY_BAD IPFY_BADNAT IPFY_OOW IPFY_NEWISN IPFY_NOICMPERR
136 %token IPFY_KEEP IPFY_STATE IPFY_FRAGS IPFY_LIMIT IPFY_STRICT IPFY_AGE
137 %token IPFY_SYNC IPFY_FRAGBODY
138 %token IPFY_IPOPT_NOP IPFY_IPOPT_RR IPFY_IPOPT_ZSU IPFY_IPOPT_MTUP
139 %token IPFY_IPOPT_MTUR IPFY_IPOPT_ENCODE IPFY_IPOPT_TS IPFY_IPOPT_TR
140 %token IPFY_IPOPT_SEC IPFY_IPOPT_LSRR IPFY_IPOPT_ESEC IPFY_IPOPT_CIPSO
141 %token IPFY_IPOPT_SATID IPFY_IPOPT_SSRR IPFY_IPOPT_ADDEXT IPFY_IPOPT_VISA
142 %token IPFY_IPOPT_IMITD IPFY_IPOPT_EIP IPFY_IPOPT_FINN IPFY_IPOPT_DPS
143 %token IPFY_IPOPT_SDB IPFY_IPOPT_NSAPA IPFY_IPOPT_RTRALRT IPFY_IPOPT_UMP
144 %token IPFY_SECCLASS IPFY_SEC_UNC IPFY_SEC_CONF IPFY_SEC_RSV1 IPFY_SEC_RSV2
145 %token IPFY_SEC_RSV4 IPFY_SEC_SEC IPFY_SEC_TS IPFY_SEC_RSV3
147 %token IPF6_V6HDRS IPFY_IPV6OPT IPFY_IPV6OPT_DSTOPTS IPFY_IPV6OPT_HOPOPTS
148 %token IPFY_IPV6OPT_IPV6 IPFY_IPV6OPT_NONE IPFY_IPV6OPT_ROUTING
149 %token IPFY_IPV6OPT_MOBILITY IPFY_IPV6OPT_ESP IPFY_IPV6OPT_FRAG
151 %token IPFY_ICMPT_UNR IPFY_ICMPT_ECHO IPFY_ICMPT_ECHOR IPFY_ICMPT_SQUENCH
152 %token IPFY_ICMPT_REDIR IPFY_ICMPT_TIMEX IPFY_ICMPT_PARAMP IPFY_ICMPT_TIMEST
153 %token IPFY_ICMPT_TIMESTREP IPFY_ICMPT_INFOREQ IPFY_ICMPT_INFOREP
154 %token IPFY_ICMPT_MASKREQ IPFY_ICMPT_MASKREP IPFY_ICMPT_ROUTERAD
155 %token IPFY_ICMPT_ROUTERSOL
157 %token IPFY_ICMPC_NETUNR IPFY_ICMPC_HSTUNR IPFY_ICMPC_PROUNR IPFY_ICMPC_PORUNR
158 %token IPFY_ICMPC_NEEDF IPFY_ICMPC_SRCFAIL IPFY_ICMPC_NETUNK IPFY_ICMPC_HSTUNK
159 %token IPFY_ICMPC_ISOLATE IPFY_ICMPC_NETPRO IPFY_ICMPC_HSTPRO
160 %token IPFY_ICMPC_NETTOS IPFY_ICMPC_HSTTOS IPFY_ICMPC_FLTPRO IPFY_ICMPC_HSTPRE
161 %token IPFY_ICMPC_CUTPRE
163 %token IPFY_FAC_KERN IPFY_FAC_USER IPFY_FAC_MAIL IPFY_FAC_DAEMON IPFY_FAC_AUTH
164 %token IPFY_FAC_SYSLOG IPFY_FAC_LPR IPFY_FAC_NEWS IPFY_FAC_UUCP IPFY_FAC_CRON
165 %token IPFY_FAC_LOCAL0 IPFY_FAC_LOCAL1 IPFY_FAC_LOCAL2 IPFY_FAC_LOCAL3
166 %token IPFY_FAC_LOCAL4 IPFY_FAC_LOCAL5 IPFY_FAC_LOCAL6 IPFY_FAC_LOCAL7
167 %token IPFY_FAC_SECURITY IPFY_FAC_FTP IPFY_FAC_AUTHPRIV IPFY_FAC_AUDIT
168 %token IPFY_FAC_LFMT IPFY_FAC_CONSOLE
170 %token IPFY_PRI_EMERG IPFY_PRI_ALERT IPFY_PRI_CRIT IPFY_PRI_ERR IPFY_PRI_WARN
171 %token IPFY_PRI_NOTICE IPFY_PRI_INFO IPFY_PRI_DEBUG
179 line: rule { while ((fr = frtop) != NULL) {
182 (*ipfaddfunc)(ipffd, ipfioctl[IPL_LOGIPF], fr);
194 assign: YY_STR assigning YY_STR ';' { set_variable($1, $3);
203 '=' { yyvarnext = 1; }
214 rulehead markin inopts rulemain ruletail intag ruletail2
218 rulehead markout outopts rulemain ruletail outtag ruletail2
223 | xx insert collection action
226 markin: IPFY_IN { fr->fr_flags |= FR_INQUE; }
230 IPFY_OUT { fr->fr_flags |= FR_OUTQUE; }
243 IPFY_BPFV4 '{' YY_STR '}' { dobpf(4, $3); free($3); }
244 | IPFY_BPFV6 '{' YY_STR '}' { dobpf(6, $3); free($3); }
255 intag: settagin matchtagin
258 outtag: settagout matchtagout
262 '@' YY_NUMBER { fr->fr_hits = (U_QUAD_T)$2 + 1; }
266 | YY_NUMBER { fr->fr_collect = $1; }
270 | IPFY_PASS { fr->fr_flags |= FR_PASS; }
271 | IPFY_NOMATCH { fr->fr_flags |= FR_NOMATCH; }
273 | IPFY_COUNT { fr->fr_flags |= FR_ACCOUNT; }
275 | IPFY_SKIP YY_NUMBER { fr->fr_flags |= FR_SKIP;
278 | IPFY_CALL IPFY_NOW func { fr->fr_flags |= FR_CALLNOW; }
282 | blocked blockreturn
286 IPFY_BLOCK { fr->fr_flags = FR_BLOCK; }
289 IPFY_RETICMP { fr->fr_flags |= FR_RETICMP; }
290 | IPFY_RETICMP returncode { fr->fr_flags |= FR_RETICMP; }
291 | IPFY_RETICMPASDST { fr->fr_flags |= FR_FAKEICMP; }
292 | IPFY_RETICMPASDST returncode { fr->fr_flags |= FR_FAKEICMP; }
293 | IPFY_RETRST { fr->fr_flags |= FR_RETRST; }
296 log: IPFY_LOG { fr->fr_flags |= FR_LOG; }
297 | IPFY_LOG logoptions { fr->fr_flags |= FR_LOG; }
300 auth: IPFY_AUTH { fr->fr_flags |= FR_AUTH; }
301 | IPFY_AUTH blockreturn { fr->fr_flags |= FR_AUTH;}
302 | IPFY_PREAUTH { fr->fr_flags |= FR_PREAUTH; }
305 func: YY_STR '/' YY_NUMBER { fr->fr_func = nametokva($1,
306 ipfioctl[IPL_LOGIPF]);
338 tos: | settos YY_NUMBER { DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
339 | settos YY_HEX { DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
340 | settos lstart toslist lend
343 settos: IPFY_TOS { setipftype(); }
347 YY_NUMBER { DOALL(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
348 | YY_HEX { DOREM(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
349 | toslist lmore YY_NUMBER
350 { DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
351 | toslist lmore YY_HEX
352 { DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
355 ttl: | setttl YY_NUMBER
356 { DOALL(fr->fr_ttl = $2; fr->fr_mttl = 0xff;) }
357 | setttl lstart ttllist lend
360 lstart: '(' { newlist = 1; fr = frc; added = 0; }
363 lend: ')' { nrules += added; }
366 lmore: lanother { if (newlist == 1) {
379 setttl: IPFY_TTL { setipftype(); }
383 YY_NUMBER { DOREM(fr->fr_ttl = $1; fr->fr_mttl = 0xff;) }
384 | ttllist lmore YY_NUMBER
385 { DOREM(fr->fr_ttl = $3; fr->fr_mttl = 0xff;) }
388 proto: | protox protocol { yyresetdict(); }
391 protox: IPFY_PROTO { setipftype();
396 ip: srcdst flags icmp
399 group: | IPFY_GROUP YY_STR { DOALL(strncpy(fr->fr_group, $2, \
403 | IPFY_GROUP YY_NUMBER { DOALL(sprintf(fr->fr_group, "%d", \
408 head: | IPFY_HEAD YY_STR { DOALL(strncpy(fr->fr_grhead, $2, \
411 | IPFY_HEAD YY_NUMBER { DOALL(sprintf(fr->fr_grhead, "%d", \
416 | IPFY_SETTAG '(' taginlist ')'
421 | taginlist ',' taginspec
428 nattag: IPFY_NAT '=' YY_STR { DOALL(strncpy(fr->fr_nattag.ipt_tag,\
431 | IPFY_NAT '=' YY_NUMBER { DOALL(sprintf(fr->fr_nattag.ipt_tag,\
432 "%d", $3 & 0xffffffff);) }
435 logtag: IPFY_LOG '=' YY_NUMBER { DOALL(fr->fr_logtag = $3;) }
439 | IPFY_SETTAG '(' tagoutlist ')'
444 | tagoutlist ',' tagoutspec
453 | IPFY_MATCHTAG '(' tagoutlist ')'
457 | IPFY_MATCHTAG '(' taginlist ')'
460 pps: | IPFY_PPS YY_NUMBER { DOALL(fr->fr_pps = $2;) }
463 new: | savegroup file restoregroup
478 IPFY_QUICK { fr->fr_flags |= FR_QUICK; }
482 | IPFY_ON lstart onlist lend
483 | IPFY_ON onname IPFY_INVIA vianame
484 | IPFY_ON onname IPFY_OUTVIA vianame
487 onlist: onname { DOREM(strncpy(fr->fr_ifnames[0], $1.if1, \
488 sizeof(fr->fr_ifnames[0])); \
489 if ($1.if2 != NULL) { \
490 strncpy(fr->fr_ifnames[1], \
492 sizeof(fr->fr_ifnames[1]));\
495 | onlist lmore onname { DOREM(strncpy(fr->fr_ifnames[0], $3.if1, \
496 sizeof(fr->fr_ifnames[0])); \
497 if ($3.if2 != NULL) { \
498 strncpy(fr->fr_ifnames[1], \
500 sizeof(fr->fr_ifnames[1]));\
/*
 * onname: one or two interface names for an "on" clause.  The names are
 * copied into fr_ifnames[0] (and [1]) of the current rule, and the action
 * value carries pointers into those fields so that onlist can replicate
 * them into every rule of a list (onlist tests `$1.if2 != NULL` for the
 * second name).  strncpy with the full field size leaves the field without
 * a NUL when the name is sizeof(fr_ifnames[n]) bytes or longer —
 * NOTE(review): confirm the lexer bounds interface-name length, or
 * terminate the field explicitly after the copy.
 */
505 onname: interfacename
506 { strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
507 $$.if1 = fr->fr_ifnames[0];
511 | interfacename ',' interfacename
512 { strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
513 $$.if1 = fr->fr_ifnames[0];
515 strncpy(fr->fr_ifnames[1], $3, sizeof(fr->fr_ifnames[1]));
/* NOTE(review): this overwrites if1 (assigned two lines above) with the
 * second name, and if2 is never assigned in the lines shown; onlist reads
 * `$1.if2`, so `$$.if2 = fr->fr_ifnames[1];` looks like what was intended. */
516 $$.if1 = fr->fr_ifnames[1];
523 { strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
527 { strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
529 strncpy(fr->fr_ifnames[3], $3, sizeof(fr->fr_ifnames[3]));
535 { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
538 | IPFY_DUPTO name duptoseparator hostname
539 { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
540 fr->fr_dif.fd_ip = $4;
544 | IPFY_DUPTO name duptoseparator YY_IPV6
545 { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
546 bcopy(&$4, &fr->fr_dif.fd_ip6, sizeof(fr->fr_dif.fd_ip6));
553 ':' { yyexpectaddr = 1; yycont = &yyexpectaddr; resetaddr(); }
556 froute: IPFY_FROUTE { fr->fr_flags |= FR_FASTROUTE; }
560 { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
563 | routeto name duptoseparator hostname
564 { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
565 fr->fr_tif.fd_ip = $4;
569 | routeto name duptoseparator YY_IPV6
570 { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
571 bcopy(&$4, &fr->fr_tif.fd_ip6, sizeof(fr->fr_tif.fd_ip6));
584 { strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
587 | IPFY_REPLY_TO name duptoseparator hostname
588 { strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
589 fr->fr_rif.fd_ip = $4;
596 | logoptions logoption
600 IPFY_BODY { fr->fr_flags |= FR_LOGBODY; }
601 | IPFY_FIRST { fr->fr_flags |= FR_LOGFIRST; }
602 | IPFY_ORBLOCK { fr->fr_flags |= FR_LOGORBLOCK; }
603 | level loglevel { unsetsyslog(); }
607 starticmpcode icmpcode ')' { fr->fr_icode = $2; yyresetdict(); }
611 '(' { yysetdict(icmpcodewords); }
619 YY_NUMBER { DOREM(fr->fr_proto = $1; \
620 fr->fr_mproto = 0xff;) }
621 | YY_STR { if (!strcmp($1, "tcp-udp")) {
622 DOREM(fr->fr_flx |= FI_TCPUDP; \
623 fr->fr_mflx |= FI_TCPUDP;)
625 int p = getproto($1);
627 yyerror("protocol unknown");
628 DOREM(fr->fr_proto = p; \
629 fr->fr_mproto = 0xff;)
633 | YY_STR nextstring YY_STR
634 { if (!strcmp($1, "tcp") &&
635 !strcmp($3, "udp")) {
636 DOREM(fr->fr_flx |= FI_TCPUDP; \
637 fr->fr_mflx |= FI_TCPUDP;)
646 '/' { yysetdict(NULL); }
649 fromto: from srcobject to dstobject { yyexpectaddr = 0; yycont = NULL; }
650 | to dstobject { yyexpectaddr = 0; yycont = NULL; }
651 | from srcobject { yyexpectaddr = 0; yycont = NULL; }
654 from: IPFY_FROM { setipftype();
659 printf("set yyexpectaddr\n");
660 yycont = &yyexpectaddr;
661 yysetdict(addrwords);
665 to: IPFY_TO { if (fr == NULL)
669 printf("set yyexpectaddr\n");
670 yycont = &yyexpectaddr;
671 yysetdict(addrwords);
675 with: | andwith withlist
679 IPFY_WITH { nowith = 0; setipftype(); }
680 | IPFY_AND { nowith = 0; setipftype(); }
683 flags: | startflags flagset
684 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
685 | startflags flagset '/' flagset
686 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
687 | startflags '/' flagset
688 { DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
689 | startflags YY_NUMBER
690 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
691 | startflags '/' YY_NUMBER
692 { DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
693 | startflags YY_NUMBER '/' YY_NUMBER
694 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
695 | startflags flagset '/' YY_NUMBER
696 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
697 | startflags YY_NUMBER '/' flagset
698 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
702 IPFY_FLAGS { if (frc->fr_type != FR_T_IPF)
703 yyerror("flags with non-ipf type rule");
704 if (frc->fr_proto != IPPROTO_TCP)
705 yyerror("flags with non-TCP rule");
710 YY_STR { $$ = tcpflags($1); free($1); }
711 | YY_HEX { $$ = $1; }
715 { yyresetdict(); } fromport
717 | '!' srcaddr srcport
718 { DOALL(fr->fr_flags |= FR_NOTSRCIP;) }
722 addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \
723 bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \
724 if (dynamic != -1) { \
725 fr->fr_satype = ifpflag; \
726 fr->fr_ipf->fri_sifpidx = dynamic; \
727 } else if (pooled || hashed) \
728 fr->fr_satype = FRI_LOOKUP;)
730 | lstart srcaddrlist lend
734 addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \
735 bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \
736 if (dynamic != -1) { \
737 fr->fr_satype = ifpflag; \
738 fr->fr_ipf->fri_sifpidx = dynamic; \
739 } else if (pooled || hashed) \
740 fr->fr_satype = FRI_LOOKUP;)
742 | srcaddrlist lmore addr
743 { DOREM(bcopy(&($3.a), &fr->fr_ip.fi_src, sizeof($3.a)); \
744 bcopy(&($3.m), &fr->fr_mip.fi_src, sizeof($3.m)); \
745 if (dynamic != -1) { \
746 fr->fr_satype = ifpflag; \
747 fr->fr_ipf->fri_sifpidx = dynamic; \
748 } else if (pooled || hashed) \
749 fr->fr_satype = FRI_LOOKUP;)
755 { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
757 { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
758 fr->fr_stop = $1.p2;) }
759 | porteq lstart srcportlist lend
765 { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
767 { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
768 fr->fr_stop = $1.p2;) }
769 | porteq lstart srcportlist lend
774 portnum { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $1;) }
775 | srcportlist lmore portnum
776 { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $3;) }
780 { yyresetdict(); } toport
782 | '!' dstaddr dstport
783 { DOALL(fr->fr_flags |= FR_NOTDSTIP;) }
787 addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
788 bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \
789 if (dynamic != -1) { \
790 fr->fr_datype = ifpflag; \
791 fr->fr_ipf->fri_difpidx = dynamic; \
792 } else if (pooled || hashed) \
793 fr->fr_datype = FRI_LOOKUP;)
795 | lstart dstaddrlist lend
799 addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
800 bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \
801 if (dynamic != -1) { \
802 fr->fr_datype = ifpflag; \
803 fr->fr_ipf->fri_difpidx = dynamic; \
804 } else if (pooled || hashed) \
805 fr->fr_datype = FRI_LOOKUP;)
807 | dstaddrlist lmore addr
808 { DOREM(bcopy(&($3.a), &fr->fr_ip.fi_dst, sizeof($3.a)); \
809 bcopy(&($3.m), &fr->fr_mip.fi_dst, sizeof($3.m)); \
810 if (dynamic != -1) { \
811 fr->fr_datype = ifpflag; \
812 fr->fr_ipf->fri_difpidx = dynamic; \
813 } else if (pooled || hashed) \
814 fr->fr_datype = FRI_LOOKUP;)
821 { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
823 { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
824 fr->fr_dtop = $1.p2;) }
825 | porteq lstart dstportlist lend
831 { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
833 { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
834 fr->fr_dtop = $1.p2;) }
835 | porteq lstart dstportlist lend
840 portnum { DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $1;) }
841 | dstportlist lmore portnum
842 { DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $3;) }
/*
 * addr: one source/destination address term.  Either a reference to a
 * kernel-side lookup table (pool or hash, selected by number, by name, or
 * built inline from a list via makepool()/makehash()) or a literal
 * address+mask pair (ipaddr).  The pool/hash branches also raise the
 * file-scope `pooled`/`hashed` flags, which the srcaddr/dstaddr actions
 * later test (`pooled || hashed`) to mark the rule with FRI_LOOKUP.
 */
845 addr: pool '/' YY_NUMBER { pooled = 1;
846 $$.a.iplookuptype = IPLT_POOL;
847 $$.a.iplookupsubtype = 0;
848 $$.a.iplookupnum = $3; }
849 | pool '/' YY_STR { pooled = 1;
850 $$.a.iplookuptype = IPLT_POOL;
851 $$.a.iplookupsubtype = 1;
/* strncpy with the full buffer size does not guarantee NUL termination:
 * a name of sizeof(iplookupname) or more bytes leaves no terminator.
 * NOTE(review): confirm the lexer or the kernel consumer bounds the name
 * length, or terminate explicitly after the copy (same for the hash
 * branch below). */
852 strncpy($$.a.iplookupname, $3,
853 sizeof($$.a.iplookupname));
855 | pool '=' '(' poollist ')' { pooled = 1;
856 $$.a.iplookuptype = IPLT_POOL;
857 $$.a.iplookupsubtype = 0;
858 $$.a.iplookupnum = makepool($4); }
859 | hash '/' YY_NUMBER { hashed = 1;
860 $$.a.iplookuptype = IPLT_HASH;
861 $$.a.iplookupsubtype = 0;
862 $$.a.iplookupnum = $3; }
/* NOTE(review): this hash alternative sets `pooled` while the other two
 * hash alternatives set `hashed`; looks like a copy/paste slip.  Harmless
 * wherever only `pooled || hashed` is tested, but `hashed = 1` is
 * presumably what was intended. */
863 | hash '/' YY_STR { pooled = 1;
864 $$.a.iplookuptype = IPLT_HASH;
865 $$.a.iplookupsubtype = 1;
866 strncpy($$.a.iplookupname, $3,
867 sizeof($$.a.iplookupname));
869 | hash '=' '(' addrlist ')' { hashed = 1;
870 $$.a.iplookuptype = IPLT_HASH;
871 $$.a.iplookupsubtype = 0;
872 $$.a.iplookupnum = makehash($4); }
/* Literal address: copy the whole ipaddr value (address and mask). */
873 | ipaddr { bcopy(&$1, &$$, sizeof($$));
877 ipaddr: IPFY_ANY { bzero(&($$), sizeof($$));
880 | hostname { $$.a.in4 = $1;
881 $$.m.in4_addr = 0xffffffff;
883 | hostname { yyresetdict();
884 $$.a.in4_addr = $1.s_addr; }
885 maskspace { yysetdict(maskwords); }
886 ipv4mask { $$.m.in4_addr = $5.s_addr;
887 $$.a.in4_addr &= $5.s_addr;
890 | YY_IPV6 { bcopy(&$1, &$$.a, sizeof($$.a));
891 fill6bits(128, (u_32_t *)&$$.m);
894 | YY_IPV6 { yyresetdict();
895 bcopy(&$1, &$$.a, sizeof($$.a)); }
896 maskspace { yysetdict(maskwords); }
897 ipv6mask { bcopy(&$5, &$$.m, sizeof($$.m));
908 | YY_HEX { $$.s_addr = htonl($1); }
909 | YY_NUMBER { ntomask(4, $1, (u_32_t *)&$$); }
910 | IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) {
912 ifpflag = FRI_BROADCAST;
916 | IPFY_NETWORK { if (ifpflag == FRI_DYNAMIC) {
918 ifpflag = FRI_NETWORK;
922 | IPFY_NETMASKED { if (ifpflag == FRI_DYNAMIC) {
924 ifpflag = FRI_NETMASKED;
928 | IPFY_PEER { if (ifpflag == FRI_DYNAMIC) {
930 ifpflag = FRI_PEERADDR;
/* Presumably the ipv6mask alternatives (the rule head is on a line not
 * shown here); a numeric prefix length or a dynamic-interface keyword.
 * NOTE(review): every keyword branch below sets ifpflag = FRI_BROADCAST,
 * whereas the matching ipv4mask branches above map network/netmasked/peer
 * to FRI_NETWORK/FRI_NETMASKED/FRI_PEERADDR.  Looks like a copy/paste
 * slip — confirm the intended semantics before relying on IPv6 "network",
 * "netmasked" or "peer" masks. */
937 YY_NUMBER { ntomask(6, $1, $$.i6); }
938 | IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) {
939 bzero(&$$, sizeof($$));
940 ifpflag = FRI_BROADCAST;
944 | IPFY_NETWORK { if (ifpflag == FRI_DYNAMIC) {
945 bzero(&$$, sizeof($$));
946 ifpflag = FRI_BROADCAST;
950 | IPFY_NETMASKED { if (ifpflag == FRI_DYNAMIC) {
951 bzero(&$$, sizeof($$));
952 ifpflag = FRI_BROADCAST;
956 | IPFY_PEER { if (ifpflag == FRI_DYNAMIC) {
957 bzero(&$$, sizeof($$));
958 ifpflag = FRI_BROADCAST;
966 | YY_NUMBER { $$.s_addr = $1; }
967 | YY_HEX { $$.s_addr = $1; }
968 | YY_STR { $$.s_addr = lookuphost($1);
974 ipaddr { $$ = newalist(NULL);
975 bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
976 bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); }
977 | addrlist ',' ipaddr
979 bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
980 bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); }
983 pool: IPFY_POOL { yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
986 hash: IPFY_HASH { yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
990 ipaddr { $$ = newalist(NULL);
991 bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
992 bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); }
993 | '!' ipaddr { $$ = newalist(NULL);
995 bcopy(&($2.a), &($$->al_i6addr), sizeof($2.a));
996 bcopy(&($2.m), &($$->al_i6mask), sizeof($2.m)); }
997 | poollist ',' ipaddr
999 bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
1000 bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); }
1001 | poollist ',' '!' ipaddr
1002 { $$ = newalist($1);
1004 bcopy(&($4.a), &($$->al_i6addr), sizeof($4.a));
1005 bcopy(&($4.m), &($$->al_i6mask), sizeof($4.m)); }
1008 port: IPFY_PORT { yyexpectaddr = 0;
1013 portc: port compare { $$ = $2;
1015 | porteq { $$ = $1; }
1018 porteq: port '=' { $$ = FR_EQUAL;
1022 portr: IPFY_PORT { yyexpectaddr = 0;
1028 portc portnum { $$.pc = $1;
1034 portr portnum range portnum { $$.p1 = $2;
1043 itype: seticmptype icmptype
1044 { DOALL(fr->fr_icmp = htons($2 << 8); fr->fr_icmpm = htons(0xff00););
1047 | seticmptype lstart typelist lend { yyresetdict(); }
1051 IPFY_ICMPTYPE { setipftype();
1052 yysetdict(icmptypewords); }
1055 icode: | seticmpcode icmpcode
1056 { DOALL(fr->fr_icmp |= htons($2); fr->fr_icmpm |= htons(0xff););
1059 | seticmpcode lstart codelist lend { yyresetdict(); }
1063 IPFY_ICMPCODE { yysetdict(icmpcodewords); }
1068 { DOREM(fr->fr_icmp = htons($1 << 8); fr->fr_icmpm = htons(0xff00);) }
1069 | typelist lmore icmptype
1070 { DOREM(fr->fr_icmp = htons($3 << 8); fr->fr_icmpm = htons(0xff00);) }
1075 { DOREM(fr->fr_icmp |= htons($1); fr->fr_icmpm |= htons(0xff);) }
1076 | codelist lmore icmpcode
1077 { DOREM(fr->fr_icmp &= htons(0xff00); fr->fr_icmp |= htons($3); \
1078 fr->fr_icmpm |= htons(0xff);) }
1081 age: | IPFY_AGE YY_NUMBER { DOALL(fr->fr_age[0] = $2; \
1082 fr->fr_age[1] = $2;) }
1083 | IPFY_AGE YY_NUMBER '/' YY_NUMBER
1084 { DOALL(fr->fr_age[0] = $2; \
1085 fr->fr_age[1] = $4;) }
1088 keep: | IPFY_KEEP keepstate keep
1089 | IPFY_KEEP keepfrag keep
1093 IPFY_STATE stateoptlist { DOALL(fr->fr_flags |= FR_KEEPSTATE;)}
1097 IPFY_FRAGS fragoptlist { DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
1098 | IPFY_FRAG fragoptlist { DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
1106 fragopt lanother fragopts
1111 IPFY_STRICT { DOALL(fr->fr_flags |= FR_FRSTRICT;) }
1119 stateopt lanother stateopts
1124 IPFY_LIMIT YY_NUMBER { DOALL(fr->fr_statemax = $2;) }
1125 | IPFY_STRICT { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
1128 fr->fr_flags |= FR_STSTRICT;)
1130 | IPFY_NEWISN { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
1133 fr->fr_flags |= FR_NEWISN;)
1135 | IPFY_NOICMPERR { DOALL(fr->fr_flags |= FR_NOICMPERR;) }
1137 | IPFY_SYNC { DOALL(fr->fr_flags |= FR_STATESYNC;) }
1138 | IPFY_AGE YY_NUMBER { DOALL(fr->fr_age[0] = $2; \
1139 fr->fr_age[1] = $2;) }
1140 | IPFY_AGE YY_NUMBER '/' YY_NUMBER
1141 { DOALL(fr->fr_age[0] = $2; \
1142 fr->fr_age[1] = $4;) }
1146 servicename { if (getport(frc, $1, &($$)) == -1)
1147 yyerror("service unknown");
1151 | YY_NUMBER { if ($1 > 65535) /* Unsigned */
1152 yyerror("invalid port number");
1159 withopt { nowith = 0; }
1160 | withlist withopt { nowith = 0; }
1161 | withlist ',' withopt { nowith = 0; }
1165 opttype { DOALL(fr->fr_flx |= $1; fr->fr_mflx |= $1;) }
1166 | notwith opttype { DOALL(fr->fr_mflx |= $2;) }
1167 | ipopt ipopts { yyresetdict(); }
1168 | notwith ipopt ipopts { yyresetdict(); }
1169 | startv6hdrs ipv6hdrs { yyresetdict(); }
1172 ipopt: IPFY_OPT { yysetdict(ipv4optwords); }
1176 IPF6_V6HDRS { if (use_inet6 == 0)
1177 yyerror("only available with IPv6");
1178 yysetdict(ipv6optwords);
1183 IPFY_NOT { nowith = 1; }
1184 | IPFY_NO { nowith = 1; }
1188 IPFY_IPOPTS { $$ = FI_OPTIONS; }
1189 | IPFY_SHORT { $$ = FI_SHORT; }
1190 | IPFY_NAT { $$ = FI_NATED; }
1191 | IPFY_BAD { $$ = FI_BAD; }
1192 | IPFY_BADNAT { $$ = FI_BADNAT; }
1193 | IPFY_BADSRC { $$ = FI_BADSRC; }
1194 | IPFY_LOWTTL { $$ = FI_LOWTTL; }
1195 | IPFY_FRAG { $$ = FI_FRAG; }
1196 | IPFY_FRAGBODY { $$ = FI_FRAGBODY; }
1197 | IPFY_FRAGS { $$ = FI_FRAG; }
1198 | IPFY_MBCAST { $$ = FI_MBCAST; }
1199 | IPFY_MULTICAST { $$ = FI_MULTICAST; }
1200 | IPFY_BROADCAST { $$ = FI_BROADCAST; }
1201 | IPFY_STATE { $$ = FI_STATE; }
1202 | IPFY_OOW { $$ = FI_OOW; }
1205 ipopts: optlist { DOALL(fr->fr_mip.fi_optmsk |= $1;
1207 fr->fr_ip.fi_optmsk |= $1;)
1213 | optlist ',' opt { $$ |= $1 | $3; }
1217 ipv6hdrlist { DOALL(fr->fr_mip.fi_optmsk |= $1;
1219 fr->fr_ip.fi_optmsk |= $1;)
1224 ipv6hdr { $$ |= $1; }
1225 | ipv6hdrlist ',' ipv6hdr { $$ |= $1 | $3; }
1229 seclevel { $$ |= $1; }
1230 | secname ',' seclevel { $$ |= $1 | $3; }
1234 IPFY_SEC_UNC { $$ = secbit(IPSO_CLASS_UNCL); }
1235 | IPFY_SEC_CONF { $$ = secbit(IPSO_CLASS_CONF); }
1236 | IPFY_SEC_RSV1 { $$ = secbit(IPSO_CLASS_RES1); }
1237 | IPFY_SEC_RSV2 { $$ = secbit(IPSO_CLASS_RES2); }
1238 | IPFY_SEC_RSV3 { $$ = secbit(IPSO_CLASS_RES3); }
1239 | IPFY_SEC_RSV4 { $$ = secbit(IPSO_CLASS_RES4); }
1240 | IPFY_SEC_SEC { $$ = secbit(IPSO_CLASS_SECR); }
1241 | IPFY_SEC_TS { $$ = secbit(IPSO_CLASS_TOPS); }
1245 YY_NUMBER { $$ = $1; }
1246 | IPFY_ICMPT_UNR { $$ = ICMP_UNREACH; }
1247 | IPFY_ICMPT_ECHO { $$ = ICMP_ECHO; }
1248 | IPFY_ICMPT_ECHOR { $$ = ICMP_ECHOREPLY; }
1249 | IPFY_ICMPT_SQUENCH { $$ = ICMP_SOURCEQUENCH; }
1250 | IPFY_ICMPT_REDIR { $$ = ICMP_REDIRECT; }
1251 | IPFY_ICMPT_TIMEX { $$ = ICMP_TIMXCEED; }
1252 | IPFY_ICMPT_PARAMP { $$ = ICMP_PARAMPROB; }
1253 | IPFY_ICMPT_TIMEST { $$ = ICMP_TSTAMP; }
1254 | IPFY_ICMPT_TIMESTREP { $$ = ICMP_TSTAMPREPLY; }
1255 | IPFY_ICMPT_INFOREQ { $$ = ICMP_IREQ; }
1256 | IPFY_ICMPT_INFOREP { $$ = ICMP_IREQREPLY; }
1257 | IPFY_ICMPT_MASKREQ { $$ = ICMP_MASKREQ; }
1258 | IPFY_ICMPT_MASKREP { $$ = ICMP_MASKREPLY; }
1259 | IPFY_ICMPT_ROUTERAD { $$ = ICMP_ROUTERADVERT; }
1260 | IPFY_ICMPT_ROUTERSOL { $$ = ICMP_ROUTERSOLICIT; }
1264 YY_NUMBER { $$ = $1; }
1265 | IPFY_ICMPC_NETUNR { $$ = ICMP_UNREACH_NET; }
1266 | IPFY_ICMPC_HSTUNR { $$ = ICMP_UNREACH_HOST; }
1267 | IPFY_ICMPC_PROUNR { $$ = ICMP_UNREACH_PROTOCOL; }
1268 | IPFY_ICMPC_PORUNR { $$ = ICMP_UNREACH_PORT; }
1269 | IPFY_ICMPC_NEEDF { $$ = ICMP_UNREACH_NEEDFRAG; }
1270 | IPFY_ICMPC_SRCFAIL { $$ = ICMP_UNREACH_SRCFAIL; }
1271 | IPFY_ICMPC_NETUNK { $$ = ICMP_UNREACH_NET_UNKNOWN; }
1272 | IPFY_ICMPC_HSTUNK { $$ = ICMP_UNREACH_HOST_UNKNOWN; }
1273 | IPFY_ICMPC_ISOLATE { $$ = ICMP_UNREACH_ISOLATED; }
1274 | IPFY_ICMPC_NETPRO { $$ = ICMP_UNREACH_NET_PROHIB; }
1275 | IPFY_ICMPC_HSTPRO { $$ = ICMP_UNREACH_HOST_PROHIB; }
1276 | IPFY_ICMPC_NETTOS { $$ = ICMP_UNREACH_TOSNET; }
1277 | IPFY_ICMPC_HSTTOS { $$ = ICMP_UNREACH_TOSHOST; }
1278 | IPFY_ICMPC_FLTPRO { $$ = ICMP_UNREACH_ADMIN_PROHIBIT; }
1279 | IPFY_ICMPC_HSTPRE { $$ = 14; }
1280 | IPFY_ICMPC_CUTPRE { $$ = 15; }
1284 IPFY_IPOPT_NOP { $$ = getoptbyvalue(IPOPT_NOP); }
1285 | IPFY_IPOPT_RR { $$ = getoptbyvalue(IPOPT_RR); }
1286 | IPFY_IPOPT_ZSU { $$ = getoptbyvalue(IPOPT_ZSU); }
1287 | IPFY_IPOPT_MTUP { $$ = getoptbyvalue(IPOPT_MTUP); }
1288 | IPFY_IPOPT_MTUR { $$ = getoptbyvalue(IPOPT_MTUR); }
1289 | IPFY_IPOPT_ENCODE { $$ = getoptbyvalue(IPOPT_ENCODE); }
1290 | IPFY_IPOPT_TS { $$ = getoptbyvalue(IPOPT_TS); }
1291 | IPFY_IPOPT_TR { $$ = getoptbyvalue(IPOPT_TR); }
1292 | IPFY_IPOPT_SEC { $$ = getoptbyvalue(IPOPT_SECURITY); }
1293 | IPFY_IPOPT_LSRR { $$ = getoptbyvalue(IPOPT_LSRR); }
1294 | IPFY_IPOPT_ESEC { $$ = getoptbyvalue(IPOPT_E_SEC); }
1295 | IPFY_IPOPT_CIPSO { $$ = getoptbyvalue(IPOPT_CIPSO); }
1296 | IPFY_IPOPT_SATID { $$ = getoptbyvalue(IPOPT_SATID); }
1297 | IPFY_IPOPT_SSRR { $$ = getoptbyvalue(IPOPT_SSRR); }
1298 | IPFY_IPOPT_ADDEXT { $$ = getoptbyvalue(IPOPT_ADDEXT); }
1299 | IPFY_IPOPT_VISA { $$ = getoptbyvalue(IPOPT_VISA); }
1300 | IPFY_IPOPT_IMITD { $$ = getoptbyvalue(IPOPT_IMITD); }
1301 | IPFY_IPOPT_EIP { $$ = getoptbyvalue(IPOPT_EIP); }
1302 | IPFY_IPOPT_FINN { $$ = getoptbyvalue(IPOPT_FINN); }
1303 | IPFY_IPOPT_DPS { $$ = getoptbyvalue(IPOPT_DPS); }
1304 | IPFY_IPOPT_SDB { $$ = getoptbyvalue(IPOPT_SDB); }
1305 | IPFY_IPOPT_NSAPA { $$ = getoptbyvalue(IPOPT_NSAPA); }
1306 | IPFY_IPOPT_RTRALRT { $$ = getoptbyvalue(IPOPT_RTRALRT); }
1307 | IPFY_IPOPT_UMP { $$ = getoptbyvalue(IPOPT_UMP); }
1308 | setsecclass secname
1309 { DOALL(fr->fr_mip.fi_secmsk |= $2;
1311 fr->fr_ip.fi_secmsk |= $2;)
1318 IPFY_SECCLASS { yysetdict(ipv4secwords); }
1322 IPFY_AH { $$ = getv6optbyvalue(IPPROTO_AH); }
1323 | IPFY_IPV6OPT_DSTOPTS { $$ = getv6optbyvalue(IPPROTO_DSTOPTS); }
1324 | IPFY_IPV6OPT_ESP { $$ = getv6optbyvalue(IPPROTO_ESP); }
1325 | IPFY_IPV6OPT_HOPOPTS { $$ = getv6optbyvalue(IPPROTO_HOPOPTS); }
1326 | IPFY_IPV6OPT_IPV6 { $$ = getv6optbyvalue(IPPROTO_IPV6); }
1327 | IPFY_IPV6OPT_NONE { $$ = getv6optbyvalue(IPPROTO_NONE); }
1328 | IPFY_IPV6OPT_ROUTING { $$ = getv6optbyvalue(IPPROTO_ROUTING); }
1329 | IPFY_IPV6OPT_FRAG { $$ = getv6optbyvalue(IPPROTO_FRAGMENT); }
1330 | IPFY_IPV6OPT_MOBILITY { $$ = getv6optbyvalue(IPPROTO_MOBILITY); }
1333 level: IPFY_LEVEL { setsyslog(); }
1337 priority { fr->fr_loglevel = LOG_LOCAL0|$1; }
1338 | facility '.' priority { fr->fr_loglevel = $1 | $3; }
1342 IPFY_FAC_KERN { $$ = LOG_KERN; }
1343 | IPFY_FAC_USER { $$ = LOG_USER; }
1344 | IPFY_FAC_MAIL { $$ = LOG_MAIL; }
1345 | IPFY_FAC_DAEMON { $$ = LOG_DAEMON; }
1346 | IPFY_FAC_AUTH { $$ = LOG_AUTH; }
1347 | IPFY_FAC_SYSLOG { $$ = LOG_SYSLOG; }
1348 | IPFY_FAC_LPR { $$ = LOG_LPR; }
1349 | IPFY_FAC_NEWS { $$ = LOG_NEWS; }
1350 | IPFY_FAC_UUCP { $$ = LOG_UUCP; }
1351 | IPFY_FAC_CRON { $$ = LOG_CRON; }
1352 | IPFY_FAC_FTP { $$ = LOG_FTP; }
1353 | IPFY_FAC_AUTHPRIV { $$ = LOG_AUTHPRIV; }
1354 | IPFY_FAC_AUDIT { $$ = LOG_AUDIT; }
1355 | IPFY_FAC_LFMT { $$ = LOG_LFMT; }
1356 | IPFY_FAC_LOCAL0 { $$ = LOG_LOCAL0; }
1357 | IPFY_FAC_LOCAL1 { $$ = LOG_LOCAL1; }
1358 | IPFY_FAC_LOCAL2 { $$ = LOG_LOCAL2; }
1359 | IPFY_FAC_LOCAL3 { $$ = LOG_LOCAL3; }
1360 | IPFY_FAC_LOCAL4 { $$ = LOG_LOCAL4; }
1361 | IPFY_FAC_LOCAL5 { $$ = LOG_LOCAL5; }
1362 | IPFY_FAC_LOCAL6 { $$ = LOG_LOCAL6; }
1363 | IPFY_FAC_LOCAL7 { $$ = LOG_LOCAL7; }
1364 | IPFY_FAC_SECURITY { $$ = LOG_SECURITY; }
1368 IPFY_PRI_EMERG { $$ = LOG_EMERG; }
1369 | IPFY_PRI_ALERT { $$ = LOG_ALERT; }
1370 | IPFY_PRI_CRIT { $$ = LOG_CRIT; }
1371 | IPFY_PRI_ERR { $$ = LOG_ERR; }
1372 | IPFY_PRI_WARN { $$ = LOG_WARNING; }
1373 | IPFY_PRI_NOTICE { $$ = LOG_NOTICE; }
1374 | IPFY_PRI_INFO { $$ = LOG_INFO; }
1375 | IPFY_PRI_DEBUG { $$ = LOG_DEBUG; }
1379 YY_CMP_EQ { $$ = FR_EQUAL; }
1380 | YY_CMP_NE { $$ = FR_NEQUAL; }
1381 | YY_CMP_LT { $$ = FR_LESST; }
1382 | YY_CMP_LE { $$ = FR_LESSTE; }
1383 | YY_CMP_GT { $$ = FR_GREATERT; }
1384 | YY_CMP_GE { $$ = FR_GREATERTE; }
1387 range: YY_RANGE_IN { $$ = FR_INRANGE; }
1388 | YY_RANGE_OUT { $$ = FR_OUTRANGE; }
1389 | ':' { $$ = FR_INCRANGE; }
1396 interfacename: name { $$ = $1; }
1397 | name ':' YY_NUMBER
1399 fprintf(stderr, "%d: Logical interface %s:%d unsupported, "
1400 "use the physical interface %s instead.\n",
1401 yylineNum, $1, $3, $1);
/* name: an interface or alias name.  A YY_STR is passed through as-is
 * (a heap string — the bpf rules above free theirs after use), and a bare
 * '-' is materialised with strdup() so both alternatives yield a freeable
 * pointer.  NOTE(review): the strdup() return is not checked; on
 * allocation failure a NULL would reach the strncpy/strcmp consumers. */
1405 name: YY_STR { $$ = $1; }
1406 | '-' { $$ = strdup("-"); }
/* First two dotted octets of an IPv4 literal (rule head is on a line not
 * shown here).  Each octet is range-checked, then packed into the high
 * 16 bits and converted to network byte order.
 * NOTE(review): if the <num> union member is a signed int, `255 << 24`
 * overflows it (undefined behaviour in C); a cast to u_32_t before the
 * shift would make this well-defined. */
1410 YY_NUMBER '.' YY_NUMBER
1411 { if ($1 > 255 || $3 > 255) {
1412 yyerror("Invalid octet string for IP address");
1415 $$.s_addr = ($1 << 24) | ($3 << 16);
1416 $$.s_addr = htonl($$.s_addr);
1421 ipv4_16 '.' YY_NUMBER
1423 yyerror("Invalid octet string for IP address");
1426 $$.s_addr |= htonl($3 << 8);
1430 ipv4: ipv4_24 '.' YY_NUMBER
1432 yyerror("Invalid octet string for IP address");
1435 $$.s_addr |= htonl($3);
/* Main keyword table for the rule grammar: each entry maps a literal word
 * to its lexer token. Several words are deliberate aliases for one token
 * ("age"/"state-age", "ipopt"/"ipopts", "mcast"/"multicast", and the
 * "eq"/"ne"/"lt"/"le"/"gt"/"ge" comparison words map to YY_CMP_*).
 * The table is declared with 95 slots; its terminator is not shown here. */
1444 static struct wordtab ipfwords[95] = {
1445 { "age", IPFY_AGE },
1447 { "all", IPFY_ALL },
1448 { "and", IPFY_AND },
1449 { "auth", IPFY_AUTH },
1450 { "bad", IPFY_BAD },
1451 { "bad-nat", IPFY_BADNAT },
1452 { "bad-src", IPFY_BADSRC },
1453 { "bcast", IPFY_BROADCAST },
1454 { "block", IPFY_BLOCK },
1455 { "body", IPFY_BODY },
1456 { "bpf-v4", IPFY_BPFV4 },
1458 { "bpf-v6", IPFY_BPFV6 },
1460 { "call", IPFY_CALL },
1461 { "code", IPFY_ICMPCODE },
1462 { "count", IPFY_COUNT },
1463 { "dup-to", IPFY_DUPTO },
1464 { "eq", YY_CMP_EQ },
1465 { "esp", IPFY_ESP },
1466 { "fastroute", IPFY_FROUTE },
1467 { "first", IPFY_FIRST },
1468 { "flags", IPFY_FLAGS },
1469 { "frag", IPFY_FRAG },
1470 { "frag-body", IPFY_FRAGBODY },
1471 { "frags", IPFY_FRAGS },
1472 { "from", IPFY_FROM },
1473 { "ge", YY_CMP_GE },
1474 { "group", IPFY_GROUP },
1475 { "gt", YY_CMP_GT },
1476 { "head", IPFY_HEAD },
1477 { "icmp", IPFY_ICMP },
1478 { "icmp-type", IPFY_ICMPTYPE },
1480 { "in-via", IPFY_INVIA },
1481 { "ipopt", IPFY_IPOPTS },
1482 { "ipopts", IPFY_IPOPTS },
1483 { "keep", IPFY_KEEP },
1484 { "le", YY_CMP_LE },
1485 { "level", IPFY_LEVEL },
1486 { "limit", IPFY_LIMIT },
1487 { "log", IPFY_LOG },
1488 { "lowttl", IPFY_LOWTTL },
1489 { "lt", YY_CMP_LT },
1490 { "mask", IPFY_MASK },
1491 { "match-tag", IPFY_MATCHTAG },
1492 { "mbcast", IPFY_MBCAST },
1493 { "mcast", IPFY_MULTICAST },
1494 { "multicast", IPFY_MULTICAST },
1495 { "nat", IPFY_NAT },
1496 { "ne", YY_CMP_NE },
1497 { "net", IPFY_NETWORK },
1498 { "newisn", IPFY_NEWISN },
1500 { "no-icmp-err", IPFY_NOICMPERR },
1501 { "nomatch", IPFY_NOMATCH },
1502 { "now", IPFY_NOW },
1503 { "not", IPFY_NOT },
1504 { "oow", IPFY_OOW },
1506 { "opt", IPFY_OPT },
1507 { "or-block", IPFY_ORBLOCK },
1508 { "out", IPFY_OUT },
1509 { "out-via", IPFY_OUTVIA },
1510 { "pass", IPFY_PASS },
1511 { "port", IPFY_PORT },
1512 { "pps", IPFY_PPS },
1513 { "preauth", IPFY_PREAUTH },
1514 { "proto", IPFY_PROTO },
1515 { "quick", IPFY_QUICK },
1516 { "reply-to", IPFY_REPLY_TO },
1517 { "return-icmp", IPFY_RETICMP },
1518 { "return-icmp-as-dest", IPFY_RETICMPASDST },
1519 { "return-rst", IPFY_RETRST },
1520 { "route-to", IPFY_ROUTETO },
1521 { "sec-class", IPFY_SECCLASS },
1522 { "set-tag", IPFY_SETTAG },
1523 { "skip", IPFY_SKIP },
1524 { "short", IPFY_SHORT },
1525 { "state", IPFY_STATE },
1526 { "state-age", IPFY_AGE },
1527 { "strict", IPFY_STRICT },
1528 { "sync", IPFY_SYNC },
1529 { "tcp", IPFY_TCP },
1530 { "tcp-udp", IPFY_TCPUDP },
1531 { "tos", IPFY_TOS },
1533 { "ttl", IPFY_TTL },
1534 { "udp", IPFY_UDP },
1535 { "v6hdrs", IPF6_V6HDRS },
1536 { "with", IPFY_WITH },
/* Address-position keywords: "any", and the two lookup-table forms
 * ("hash", "pool") that refer to an ip_htable / ip_pool by name or number.
 * Declared with 4 slots; terminator not shown here. */
1540 static struct wordtab addrwords[4] = {
1541 { "any", IPFY_ANY },
1542 { "hash", IPFY_HASH },
1543 { "pool", IPFY_POOL },
/* Mask-position keywords (5 slots, terminator not shown). */
1547 static struct wordtab maskwords[5] = {
1548 { "broadcast", IPFY_BROADCAST },
1549 { "netmasked", IPFY_NETMASKED },
1550 { "network", IPFY_NETWORK },
1551 { "peer", IPFY_PEER },
/* Symbolic ICMP type names accepted after "icmp-type"; the token each maps
 * to carries the numeric type (16 slots, terminator not shown). */
1555 static struct wordtab icmptypewords[16] = {
1556 { "echo", IPFY_ICMPT_ECHO },
1557 { "echorep", IPFY_ICMPT_ECHOR },
1558 { "inforeq", IPFY_ICMPT_INFOREQ },
1559 { "inforep", IPFY_ICMPT_INFOREP },
1560 { "maskrep", IPFY_ICMPT_MASKREP },
1561 { "maskreq", IPFY_ICMPT_MASKREQ },
1562 { "paramprob", IPFY_ICMPT_PARAMP },
1563 { "redir", IPFY_ICMPT_REDIR },
1564 { "unreach", IPFY_ICMPT_UNR },
1565 { "routerad", IPFY_ICMPT_ROUTERAD },
1566 { "routersol", IPFY_ICMPT_ROUTERSOL },
1567 { "squench", IPFY_ICMPT_SQUENCH },
1568 { "timest", IPFY_ICMPT_TIMEST },
1569 { "timestrep", IPFY_ICMPT_TIMESTREP },
1570 { "timex", IPFY_ICMPT_TIMEX },
/* Symbolic ICMP code names (mostly "unreachable" sub-codes) accepted after
 * "code" (17 slots, terminator not shown). */
1574 static struct wordtab icmpcodewords[17] = {
1575 { "cutoff-preced", IPFY_ICMPC_CUTPRE },
1576 { "filter-prohib", IPFY_ICMPC_FLTPRO },
1577 { "isolate", IPFY_ICMPC_ISOLATE },
1578 { "needfrag", IPFY_ICMPC_NEEDF },
1579 { "net-prohib", IPFY_ICMPC_NETPRO },
1580 { "net-tos", IPFY_ICMPC_NETTOS },
1581 { "host-preced", IPFY_ICMPC_HSTPRE },
1582 { "host-prohib", IPFY_ICMPC_HSTPRO },
1583 { "host-tos", IPFY_ICMPC_HSTTOS },
1584 { "host-unk", IPFY_ICMPC_HSTUNK },
1585 { "host-unr", IPFY_ICMPC_HSTUNR },
1586 { "net-unk", IPFY_ICMPC_NETUNK },
1587 { "net-unr", IPFY_ICMPC_NETUNR },
1588 { "port-unr", IPFY_ICMPC_PORUNR },
1589 { "proto-unr", IPFY_ICMPC_PROUNR },
1590 { "srcfail", IPFY_ICMPC_SRCFAIL },
/* IPv4 option names usable in "with opt ..." / "ipopts" matching,
 * including the source-routing options (lsrr/ssrr) and record-route (rr)
 * that filters commonly block (25 slots, terminator not shown). */
1594 static struct wordtab ipv4optwords[25] = {
1595 { "addext", IPFY_IPOPT_ADDEXT },
1596 { "cipso", IPFY_IPOPT_CIPSO },
1597 { "dps", IPFY_IPOPT_DPS },
1598 { "e-sec", IPFY_IPOPT_ESEC },
1599 { "eip", IPFY_IPOPT_EIP },
1600 { "encode", IPFY_IPOPT_ENCODE },
1601 { "finn", IPFY_IPOPT_FINN },
1602 { "imitd", IPFY_IPOPT_IMITD },
1603 { "lsrr", IPFY_IPOPT_LSRR },
1604 { "mtup", IPFY_IPOPT_MTUP },
1605 { "mtur", IPFY_IPOPT_MTUR },
1606 { "nop", IPFY_IPOPT_NOP },
1607 { "nsapa", IPFY_IPOPT_NSAPA },
1608 { "rr", IPFY_IPOPT_RR },
1609 { "rtralrt", IPFY_IPOPT_RTRALRT },
1610 { "satid", IPFY_IPOPT_SATID },
1611 { "sdb", IPFY_IPOPT_SDB },
1612 { "sec", IPFY_IPOPT_SEC },
1613 { "ssrr", IPFY_IPOPT_SSRR },
1614 { "tr", IPFY_IPOPT_TR },
1615 { "ts", IPFY_IPOPT_TS },
1616 { "ump", IPFY_IPOPT_UMP },
1617 { "visa", IPFY_IPOPT_VISA },
1618 { "zsu", IPFY_IPOPT_ZSU },
/* Security-option classification levels for "sec-class" (9 slots,
 * terminator not shown). */
1622 static struct wordtab ipv4secwords[9] = {
1623 { "confid", IPFY_SEC_CONF },
1624 { "reserv-1", IPFY_SEC_RSV1 },
1625 { "reserv-2", IPFY_SEC_RSV2 },
1626 { "reserv-3", IPFY_SEC_RSV3 },
1627 { "reserv-4", IPFY_SEC_RSV4 },
1628 { "secret", IPFY_SEC_SEC },
1629 { "topsecret", IPFY_SEC_TS },
1630 { "unclass", IPFY_SEC_UNC },
/* IPv6 extension-header names for "v6hdrs" (9 slots, terminator not
 * shown). "esp" and "frag" here are distinct tokens from the same words in
 * ipfwords above, so the active dictionary decides which token is produced. */
1634 static struct wordtab ipv6optwords[9] = {
1635 { "dstopts", IPFY_IPV6OPT_DSTOPTS },
1636 { "esp", IPFY_IPV6OPT_ESP },
1637 { "frag", IPFY_IPV6OPT_FRAG },
1638 { "hopopts", IPFY_IPV6OPT_HOPOPTS },
1639 { "ipv6", IPFY_IPV6OPT_IPV6 },
1640 { "mobility", IPFY_IPV6OPT_MOBILITY },
1641 { "none", IPFY_IPV6OPT_NONE },
1642 { "routing", IPFY_IPV6OPT_ROUTING },
/* syslog vocabulary installed by setsyslog(): facilities first, then the
 * eight priorities (33 slots, terminator not shown). "auth" and "user"
 * reuse words that also appear in ipfwords, which is why this table is
 * swapped in only while a "log level" clause is being parsed. */
1646 static struct wordtab logwords[33] = {
1647 { "kern", IPFY_FAC_KERN },
1648 { "user", IPFY_FAC_USER },
1649 { "mail", IPFY_FAC_MAIL },
1650 { "daemon", IPFY_FAC_DAEMON },
1651 { "auth", IPFY_FAC_AUTH },
1652 { "syslog", IPFY_FAC_SYSLOG },
1653 { "lpr", IPFY_FAC_LPR },
1654 { "news", IPFY_FAC_NEWS },
1655 { "uucp", IPFY_FAC_UUCP },
1656 { "cron", IPFY_FAC_CRON },
1657 { "ftp", IPFY_FAC_FTP },
1658 { "authpriv", IPFY_FAC_AUTHPRIV },
1659 { "audit", IPFY_FAC_AUDIT },
1660 { "logalert", IPFY_FAC_LFMT },
1661 { "console", IPFY_FAC_CONSOLE },
1662 { "security", IPFY_FAC_SECURITY },
1663 { "local0", IPFY_FAC_LOCAL0 },
1664 { "local1", IPFY_FAC_LOCAL1 },
1665 { "local2", IPFY_FAC_LOCAL2 },
1666 { "local3", IPFY_FAC_LOCAL3 },
1667 { "local4", IPFY_FAC_LOCAL4 },
1668 { "local5", IPFY_FAC_LOCAL5 },
1669 { "local6", IPFY_FAC_LOCAL6 },
1670 { "local7", IPFY_FAC_LOCAL7 },
/* Priorities. */
1671 { "emerg", IPFY_PRI_EMERG },
1672 { "alert", IPFY_PRI_ALERT },
1673 { "crit", IPFY_PRI_CRIT },
1674 { "err", IPFY_PRI_ERR },
1675 { "warn", IPFY_PRI_WARN },
1676 { "notice", IPFY_PRI_NOTICE },
1677 { "info", IPFY_PRI_INFO },
1678 { "debug", IPFY_PRI_DEBUG },
/*
 * ipf_parsefile: open `filename` ("-" means the already-open stream, the
 * assignment for that case is not shown here) and feed it to
 * ipf_parsesome() until that stops returning 1. The YYDEBUG environment
 * variable is consulted to enable parser tracing. Errors from fopen() are
 * reported on stderr with the file name.
 */
1685 int ipf_parsefile(fd, addfunc, iocfuncs, filename)
1688 ioctlfunc_t *iocfuncs;
1697 s = getenv("YYDEBUG");
1703 if (strcmp(filename, "-")) {
1704 fp = fopen(filename, "r");
1706 fprintf(stderr, "fopen(%s) failed: %s\n", filename,
1713 while (ipf_parsesome(fd, addfunc, iocfuncs, fp) == 1)
/*
 * ipf_parsesome: install the caller's ioctl function table and add callback
 * into the file-scope ipfioctl[] / ipfaddfunc, then run the parser over fp.
 * NOTE(review): the copy loop is bounded by IPL_LOGMAX while ipfioctl[] is
 * declared with IPL_LOGSIZE entries; this relies on IPL_LOGMAX < IPL_LOGSIZE,
 * which is not verifiable from this file — confirm in ipl.h.
 */
1721 int ipf_parsesome(fd, addfunc, iocfuncs, fp)
1724 ioctlfunc_t *iocfuncs;
1731 for (i = 0; i <= IPL_LOGMAX; i++)
1732 ipfioctl[i] = iocfuncs[i];
1733 ipfaddfunc = addfunc;
/* Peek-and-push-back on the stream; the surrounding read is not shown. */
1740 if (ungetc(i, fp) == 0)
1744 s = getenv("YYDEBUG");
/*
 * newrule: allocate a zeroed frentry_t and append it to the frtop list
 * (the loop walks to the current tail), then preset the fields whose
 * zero value would be a valid setting: log level, logtag and type are
 * given "unset" sentinels so later grammar actions can tell whether the
 * rule text supplied them. The calloc() result is not checked in the lines
 * shown here (lines between the allocation and the field setup are
 * omitted in this excerpt).
 */
1756 static void newrule()
1760 frn = (frentry_t *)calloc(1, sizeof(frentry_t));
1761 for (fr = frtop; fr != NULL && fr->fr_next != NULL; fr = fr->fr_next)
1769 fr->fr_loglevel = 0xffff;
/* (void *)-1 is used as a "not set" marker distinct from NULL — presumably
 * so a later pass can tell "no is-client entry" from "none requested";
 * confirm against the consumer of fr_isc. */
1770 fr->fr_isc = (void *)-1;
1771 fr->fr_logtag = FR_NOLOGTAG;
1772 fr->fr_type = FR_T_NONE;
/*
 * setipftype: for every rule in the current frc list still typed
 * FR_T_NONE, make it an IPF-matching rule: allocate its fripf_t payload,
 * record the payload size, copy the IP version from the list head, set
 * the version mask to all-ones (0xf) and mark both interface indexes as
 * unresolved (-1). Any rule that ends up with a non-IPF type is reported
 * on stderr (the handling after the message is not shown here).
 */
1782 static void setipftype()
1784 for (fr = frc; fr != NULL; fr = fr->fr_next) {
1785 if (fr->fr_type == FR_T_NONE) {
1786 fr->fr_type = FR_T_IPF;
/* NOTE(review): the calloc() result is not checked before use below; if
 * fr_ipf is a view onto fr_data (not visible here) an allocation failure
 * would be dereferenced at the fri_sifpidx/fri_difpidx stores. */
1787 fr->fr_data = (void *)calloc(sizeof(fripf_t), 1);
1788 fr->fr_dsize = sizeof(fripf_t);
1789 fr->fr_ip.fi_v = frc->fr_v;
1790 fr->fr_mip.fi_v = 0xf;
1791 fr->fr_ipf->fri_sifpidx = -1;
1792 fr->fr_ipf->fri_difpidx = -1;
1794 if (fr->fr_type != FR_T_IPF) {
1795 fprintf(stderr, "IPF Type not set\n");
/*
 * addrule: append a copy of the rules at the front of the frc list onto its
 * tail. f2 is walked to the last element; then `count` rules (its origin is
 * not shown here) are duplicated one by one. Each copy is a shallow
 * bcopy() of the whole frentry_t followed by a deep copy of the fr_caddr
 * payload, so the new rule owns its own fr_dsize bytes. Neither calloc()
 * nor malloc() is checked in the lines visible here.
 */
1801 static frentry_t *addrule()
1803 frentry_t *f, *f1, *f2;
1806 for (f2 = frc; f2->fr_next != NULL; f2 = f2->fr_next)
1811 for (f1 = frc; count > 0; count--, f1 = f1->fr_next) {
1812 f->fr_next = (frentry_t *)calloc(sizeof(*f), 1);
1815 bcopy(f1, f, sizeof(*f));
/* The shallow copy shares fr_caddr with f1; replace it with a private
 * buffer so the two rules can be freed independently. */
1817 if (f->fr_caddr != NULL) {
1818 f->fr_caddr = malloc(f->fr_dsize);
1819 bcopy(f1->fr_caddr, f->fr_caddr, f->fr_dsize);
/*
 * lookuphost: resolve `name` to an address. If it matches one of the four
 * interface names already recorded on the list head (bounded compare
 * against the fixed-size fr_ifnames[] slots), the address is treated as
 * dynamic (ifpflag = FRI_DYNAMIC) rather than resolved now. Otherwise
 * gethost() is consulted and a failure is reported on stderr; the return
 * values for each path are not shown in this excerpt.
 */
1827 static u_32_t lookuphost(name)
1837 for (i = 0; i < 4; i++) {
1838 if (strncmp(name, frc->fr_ifnames[i],
1839 sizeof(frc->fr_ifnames[i])) == 0) {
1840 ifpflag = FRI_DYNAMIC;
1846 if (gethost(name, &addr) == -1) {
1847 fprintf(stderr, "unknown name \"%s\"\n", name);
/*
 * dobpf: attach a BPF program to every rule in the frc list. Refuses to
 * proceed if any rule already has a non-NONE type (IPF and BPF matching
 * cannot be mixed). Two input forms are accepted:
 *   - a phrase starting with "0x": whitespace-separated numeric words
 *     assembled four at a time into fakebpf_t instructions;
 *   - otherwise a pcap filter expression compiled via libpcap and checked
 *     with bpf_validate() before being stored in fr_data.
 * `v` (address family) is not used in the lines visible here.
 */
1854 static void dobpf(v, phrase)
1859 struct bpf_program bpf;
1867 for (fr = frc; fr != NULL; fr = fr->fr_next) {
1868 if (fr->fr_type != FR_T_NONE) {
1869 fprintf(stderr, "cannot mix IPF and BPF matching\n");
1873 fr->fr_type = FR_T_BPFOPC;
/* Raw-opcode form. strtok() modifies `phrase` in place. */
1875 if (!strncmp(phrase, "0x", 2)) {
1876 fb = malloc(sizeof(fakebpf_t));
1878 for (i = 0, s = strtok(phrase, " \r\n\t"); s != NULL;
1879 s = strtok(NULL, " \r\n\t"), i++) {
/* NOTE(review): `fb = realloc(fb, ...)` loses the old block if realloc()
 * fails, and no NULL check is visible before fb[i / 4] is written below
 * (lines between are omitted here). The idiomatic form is to realloc into
 * a temporary and only assign on success. */
1880 fb = realloc(fb, (i / 4 + 1) * sizeof(*fb));
/* strtol() with a NULL end pointer and no errno check: a word that is not
 * a number silently yields 0, and out-of-range values are truncated by the
 * cast. Fields are then masked to 16/8 bits. */
1881 l = (u_32_t)strtol(s, NULL, 0);
1885 fb[i / 4].fb_c = l & 0xffff;
1888 fb[i / 4].fb_t = l & 0xff;
1891 fb[i / 4].fb_f = l & 0xff;
1900 "Odd number of bytes in BPF code\n");
1904 fr->fr_dsize = (i / 4 + 1) * sizeof(*fb);
/* Filter-expression form: compile with libpcap on a dead DLT_RAW handle. */
1910 bzero((char *)&bpf, sizeof(bpf));
1911 p = pcap_open_dead(DLT_RAW, 1);
1913 fprintf(stderr, "pcap_open_dead failed\n");
1917 if (pcap_compile(p, &bpf, phrase, 1, 0xffffffff)) {
1918 pcap_perror(p, "ipf");
1920 fprintf(stderr, "pcap parsing failed (%s)\n", phrase);
/* Copy the compiled instructions into rule-owned storage; the malloc()
 * result is not checked before bcopy() in the lines shown here. */
1925 fr->fr_dsize = bpf.bf_len * sizeof(struct bpf_insn);
1926 fr->fr_data = malloc(fr->fr_dsize);
1927 bcopy((char *)bpf.bf_insns, fr->fr_data, fr->fr_dsize);
/* bpf_validate() is the safety check that keeps an ill-formed program
 * from reaching the kernel. */
1928 if (!bpf_validate(fr->fr_data, bpf.bf_len)) {
1929 fprintf(stderr, "BPF validation failed\n");
1936 if (opts & OPT_DEBUG)
/* Reached when the build has no libpcap support. */
1939 fprintf(stderr, "BPF filter expressions not supported\n");
/* resetaddr: body not shown in this excerpt. */
1945 static void resetaddr()
/* newalist: allocate one alist_s node (malloc() result not checked in the
 * visible line) — linking to `ptr` happens in lines not shown here. */
1953 static alist_t *newalist(ptr)
1958 al = malloc(sizeof(*al));
/*
 * makepool: turn an alist chain into an ip_pool_node_t list (address, mask
 * and the negation flag per node), load it as an IPL_LOGIPF pool through
 * the lookup ioctl, and then tear the node list down. The return value
 * (`num`, from load_pool()) is presumably the pool identifier; its
 * declaration is not shown here.
 * NOTE(review): a failed calloc() inside the loop is not reported — the
 * `n != NULL` loop condition simply stops early, so a partial pool could
 * be loaded silently. Confirm whether the omitted lines handle this.
 */
1967 static int makepool(list)
1970 ip_pool_node_t *n, *top;
1977 top = calloc(1, sizeof(*top));
1981 for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) {
1982 n->ipn_addr.adf_addr.in4.s_addr = a->al_1;
1983 n->ipn_mask.adf_addr.in4.s_addr = a->al_2;
1984 n->ipn_info = a->al_not;
1985 if (a->al_next != NULL) {
1986 n->ipn_next = calloc(1, sizeof(*n));
1991 bzero((char *)&pool, sizeof(pool));
1992 pool.ipo_unit = IPL_LOGIPF;
1993 pool.ipo_list = top;
1994 num = load_pool(&pool, ipfioctl[IPL_LOGLOOKUP]);
/* Release the temporary node list (body of the loop not shown). */
1996 while ((n = top) != NULL) {
/*
 * makehash: counterpart of makepool() for hash tables. Builds an
 * iphtent-style node list from the alist chain, loads it as an
 * IPL_LOGIPF / IPHASH_LOOKUP table with an empty name so the kernel side
 * assigns one, then reads the assigned number back out of iph_name. The
 * node list is torn down afterwards (loop body not shown).
 * NOTE(review): the sscanf() return value is ignored; if load_hash()
 * succeeds but iph_name does not hold a number, `num` keeps whatever value
 * it had (its declaration/initialisation is not visible here). The
 * same silent early-stop on calloc() failure as makepool() applies.
 */
2004 static u_int makehash(list)
2014 top = calloc(1, sizeof(*top));
2018 for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) {
2019 n->ipe_addr.in4_addr = a->al_1;
2020 n->ipe_mask.in4_addr = a->al_2;
2022 if (a->al_next != NULL) {
2023 n->ipe_next = calloc(1, sizeof(*n));
2028 bzero((char *)&iph, sizeof(iph));
2029 iph.iph_unit = IPL_LOGIPF;
2030 iph.iph_type = IPHASH_LOOKUP;
2031 *iph.iph_name = '\0';
2033 if (load_hash(&iph, top, ipfioctl[IPL_LOGLOOKUP]) == 0)
2034 sscanf(iph.iph_name, "%u", &num);
2038 while ((n = top) != NULL) {
/*
 * ipf_addrule: hand one parsed rule to the kernel (or print it) according
 * to the global `opts`. An ipfobj_t describing the frentry_t is built,
 * the add/delete ioctl numbers are chosen (inactive set vs. active set,
 * insert vs. append depending on fr_hits), then exactly one of three
 * actions runs: zero-and-print counters (OPT_ZERORULEST), remove the rule
 * (OPT_REMOVE), or add/insert it. OPT_VERBOSE prints the rule text and
 * OPT_DEBUG dumps the raw rule bytes first. Where the frentry_t pointer is
 * attached to `obj` is not shown in this excerpt.
 */
2046 void ipf_addrule(fd, ioctlfunc, ptr)
2048 ioctlfunc_t ioctlfunc;
2051 ioctlcmd_t add, del;
2062 bzero((char *)&obj, sizeof(obj));
2063 obj.ipfo_rev = IPFILTER_VERSION;
2064 obj.ipfo_size = sizeof(*fr);
2065 obj.ipfo_type = IPFOBJ_FRENTRY;
2068 if ((opts & OPT_DONOTHING) != 0)
/* Pick the ioctl pair: inactive-set variants under OPT_INACTIVE; a
 * non-zero fr_hits selects "insert" over "add" (second operand of each
 * conditional is on a line not shown here). */
2071 if (opts & OPT_ZERORULEST) {
2073 } else if (opts & OPT_INACTIVE) {
2074 add = (u_int)fr->fr_hits ? SIOCINIFR :
2078 add = (u_int)fr->fr_hits ? SIOCINAFR :
2083 if ((opts & OPT_OUTQUE) != 0)
2084 fr->fr_flags |= FR_OUTQUE;
2087 if ((opts & OPT_VERBOSE) != 0)
2088 printfr(fr, ioctlfunc);
2090 if ((opts & OPT_DEBUG) != 0) {
2091 binprint(fr, sizeof(*fr));
2092 if (fr->fr_data != NULL)
2093 binprint(fr->fr_data, fr->fr_dsize);
/* Zero-counters path: failures are reported unless OPT_DONOTHING. */
2096 if ((opts & OPT_ZERORULEST) != 0) {
2097 if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
2098 if ((opts & OPT_DONOTHING) == 0) {
2099 fprintf(stderr, "%d:", yylineNum);
2100 perror("ioctl(SIOCZRLST)");
/* Two printf variants exist for 64-bit vs. long counters (selected by a
 * preprocessor test not shown here). */
2104 printf("hits %qd bytes %qd ",
2105 (long long)fr->fr_hits,
2106 (long long)fr->fr_bytes);
2108 printf("hits %ld bytes %ld ",
2109 fr->fr_hits, fr->fr_bytes);
2111 printfr(fr, ioctlfunc);
/* Remove path.
 * NOTE(review): this branch reports the ioctl failure only when
 * OPT_DONOTHING is SET — the opposite of the zero-counters path above
 * (`== 0`) and the add path below (`!(opts & OPT_DONOTHING)`). As written,
 * a failed rule deletion in normal operation produces no message, which
 * looks like an inverted test; confirm against the other ipfilter tools
 * before changing. */
2113 } else if ((opts & OPT_REMOVE) != 0) {
2114 if ((*ioctlfunc)(fd, del, (void *)&obj) == -1) {
2115 if ((opts & OPT_DONOTHING) != 0) {
2116 fprintf(stderr, "%d:", yylineNum);
2117 perror("ioctl(delete rule)");
/* Add/insert path: failures are reported unless OPT_DONOTHING. */
2121 if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
2122 if (!(opts & OPT_DONOTHING)) {
2123 fprintf(stderr, "%d:", yylineNum);
2124 perror("ioctl(add/insert rule)");
/* setsyslog: switch the lexer dictionary to the syslog facility/priority
 * words while a "log level" clause is parsed; the rest of the body is not
 * shown here. */
2130 static void setsyslog()
2132 yysetdict(logwords);
/* unsetsyslog: restore the normal dictionary (body not shown). */
2137 static void unsetsyslog()
/*
 * fillgroup: find the "head" rule (in the previously loaded list frold)
 * whose group name matches fr->fr_group, then inherit from it the few
 * header fields that affect how the rest of this rule's text is parsed.
 * The comparison is bounded by FR_GROUPLEN because fr_grhead/fr_group are
 * fixed-size fields that need not be NUL-terminated. What happens when no
 * head is found (f == NULL) is not visible in this excerpt.
 */
2144 static void fillgroup(fr)
2149 for (f = frold; f != NULL; f = f->fr_next)
2150 if (strncmp(f->fr_grhead, fr->fr_group, FR_GROUPLEN) == 0)
2156 * Only copy down matching fields if the rules are of the same type
2157 * and are of ipf type. The only fields that are copied are those
2158 * that impact the rule parsing itself, eg. need for knowing what the
2159 * protocol should be for rules with port comparisons in them.
2161 if (f->fr_type != fr->fr_type || f->fr_type != FR_T_IPF)
/* Each field is inherited only when this rule left it unset (0). */
2164 if (fr->fr_v == 0 && f->fr_v != 0)
2167 if (fr->fr_mproto == 0 && f->fr_mproto != 0)
2168 fr->fr_mproto = f->fr_mproto;
2169 if (fr->fr_proto == 0 && f->fr_proto != 0)
2170 fr->fr_proto = f->fr_proto;
/* "tcp/udp" is a flag rather than a protocol number, so it is inherited
 * separately, and only when no protocol mask was set. */
2172 if ((fr->fr_mproto == 0) && ((fr->fr_flx & FI_TCPUDP) == 0) &&
2173 ((f->fr_flx & FI_TCPUDP) != 0))
2174 fr->fr_flx |= FI_TCPUDP;