4 * Copyright (C) 2012 by Darren Reed.
6 * See the IPFILTER.LICENCE file for details on licencing.
14 #if !defined(__SVR4) && !defined(__GNUC__)
17 #include <sys/types.h>
18 #include <sys/param.h>
22 #include <sys/socket.h>
23 #include <sys/ioctl.h>
24 #include <netinet/in.h>
25 #include <netinet/in_systm.h>
30 #include <arpa/nameser.h>
33 #include "netinet/ipl.h"
38 extern void yyerror __P((char *));
39 extern int yyparse __P((void));
40 extern int yylex __P((void));
45 static ipnat_t *nattop = NULL;
46 static ipnat_t *nat = NULL;
47 static int natfd = -1;
48 static ioctlfunc_t natioctlfunc = NULL;
49 static addfunc_t nataddfunc = NULL;
50 static int suggest_port = 0;
51 static proxyrule_t *prules = NULL;
52 static int parser_error = 0;
54 static void newnatrule __P((void));
55 static void setnatproto __P((int));
56 static void setmapifnames __P((void));
57 static void setrdrifnames __P((void));
58 static void proxy_setconfig __P((int));
59 static void proxy_unsetconfig __P((void));
60 static namelist_t *proxy_dns_add_pass __P((char *, char *));
61 static namelist_t *proxy_dns_add_block __P((char *, char *));
62 static void proxy_addconfig __P((char *, int, char *, namelist_t *));
63 static void proxy_loadconfig __P((int, ioctlfunc_t, char *, int,
64 char *, namelist_t *));
65 static void proxy_loadrules __P((int, ioctlfunc_t, proxyrule_t *));
66 static void setmapifnames __P((void));
67 static void setrdrifnames __P((void));
68 static void setifname __P((ipnat_t **, int, char *));
69 static int addname __P((ipnat_t **, char *));
89 int t; /* Address type */
92 int v; /* IP version */
93 int s; /* 0 = number, 1 = text */
100 %token <num> YY_NUMBER YY_HEX
103 %token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
104 %token YY_RANGE_OUT YY_RANGE_IN
107 %token IPNY_MAPBLOCK IPNY_RDR IPNY_PORT IPNY_PORTS IPNY_AUTO IPNY_RANGE
108 %token IPNY_MAP IPNY_BIMAP IPNY_FROM IPNY_TO IPNY_MASK IPNY_PORTMAP IPNY_ANY
109 %token IPNY_ROUNDROBIN IPNY_FRAG IPNY_AGE IPNY_ICMPIDMAP IPNY_PROXY
110 %token IPNY_TCP IPNY_UDP IPNY_TCPUDP IPNY_STICKY IPNY_MSSCLAMP IPNY_TAG
111 %token IPNY_TLATE IPNY_POOL IPNY_HASH IPNY_NO IPNY_REWRITE IPNY_PROTO
112 %token IPNY_ON IPNY_SRC IPNY_DST IPNY_IN IPNY_OUT IPNY_DIVERT
113 %token IPNY_CONFIG IPNY_ALLOW IPNY_DENY IPNY_DNS IPNY_INET IPNY_INET6
114 %token IPNY_SEQUENTIAL IPNY_DSTLIST IPNY_PURGE
115 %type <port> portspec
116 %type <num> hexnumber compare range proto
117 %type <num> saddr daddr sobject dobject mapfrom rdrfrom dip
118 %type <ipa> hostname ipv4 ipaddr
119 %type <ipp> addr rhsaddr rhdaddr erhdaddr
120 %type <pc> portstuff portpair comaports srcports dstports
121 %type <names> dnslines dnsline
130 line: xx rule { int err;
131 while ((nat = nattop) != NULL) {
132 if (nat->in_v[0] == 0)
134 if (nat->in_v[1] == 0)
135 nat->in_v[1] = nat->in_v[0];
136 nattop = nat->in_next;
137 err = (*nataddfunc)(natfd, natioctlfunc, nat);
144 if (parser_error == 0 && prules != NULL) {
145 proxy_loadrules(natfd, natioctlfunc, prules);
153 assign: YY_STR assigning YY_STR ';' { set_variable($1, $3);
162 '=' { yyvarnext = 1; }
165 xx: { newnatrule(); }
175 no: IPNY_NO { nat->in_flags |= IPN_NO; }
181 map: mapit ifnames addr tlate rhsaddr proxy mapoptions
182 { if ($3.f != 0 && $3.f != $5.f && $5.f != 0)
183 yyerror("3.address family mismatch");
184 if (nat->in_v[0] == 0 && $5.v != 0)
186 else if (nat->in_v[0] == 0 && $3.v != 0)
188 if (nat->in_v[1] == 0 && $5.v != 0)
190 else if (nat->in_v[1] == 0 && $3.v != 0)
192 nat->in_osrcatype = $3.t;
193 bcopy(&$3.a, &nat->in_osrc.na_addr[0],
195 bcopy(&$3.m, &nat->in_osrc.na_addr[1],
197 nat->in_nsrcatype = $5.t;
198 nat->in_nsrcafunc = $5.u;
199 bcopy(&$5.a, &nat->in_nsrc.na_addr[0],
201 bcopy(&$5.m, &nat->in_nsrc.na_addr[1],
206 | mapit ifnames addr tlate rhsaddr mapport mapoptions
207 { if ($3.f != $5.f && $3.f != 0 && $5.f != 0)
208 yyerror("4.address family mismatch");
209 if (nat->in_v[1] == 0 && $5.v != 0)
211 else if (nat->in_v[0] == 0 && $3.v != 0)
213 if (nat->in_v[0] == 0 && $5.v != 0)
215 else if (nat->in_v[1] == 0 && $3.v != 0)
217 nat->in_osrcatype = $3.t;
218 bcopy(&$3.a, &nat->in_osrc.na_addr[0],
220 bcopy(&$3.m, &nat->in_osrc.na_addr[1],
222 nat->in_nsrcatype = $5.t;
223 nat->in_nsrcafunc = $5.u;
224 bcopy(&$5.a, &nat->in_nsrc.na_addr[0],
226 bcopy(&$5.m, &nat->in_nsrc.na_addr[1],
231 | no mapit ifnames addr setproto ';'
232 { if (nat->in_v[0] == 0)
234 nat->in_osrcatype = $4.t;
235 bcopy(&$4.a, &nat->in_osrc.na_addr[0],
237 bcopy(&$4.m, &nat->in_osrc.na_addr[1],
242 | mapit ifnames mapfrom tlate rhsaddr proxy mapoptions
243 { if ($3 != 0 && $5.f != 0 && $3 != $5.f)
244 yyerror("5.address family mismatch");
245 if (nat->in_v[0] == 0 && $5.v != 0)
247 else if (nat->in_v[0] == 0 && $3 != 0)
248 nat->in_v[0] = ftov($3);
249 if (nat->in_v[1] == 0 && $5.v != 0)
251 else if (nat->in_v[1] == 0 && $3 != 0)
252 nat->in_v[1] = ftov($3);
253 nat->in_nsrcatype = $5.t;
254 nat->in_nsrcafunc = $5.u;
255 bcopy(&$5.a, &nat->in_nsrc.na_addr[0],
257 bcopy(&$5.m, &nat->in_nsrc.na_addr[1],
262 | no mapit ifnames mapfrom setproto ';'
263 { nat->in_v[0] = ftov($4);
266 | mapit ifnames mapfrom tlate rhsaddr mapport mapoptions
267 { if ($3 != 0 && $5.f != 0 && $3 != $5.f)
268 yyerror("6.address family mismatch");
269 if (nat->in_v[0] == 0 && $5.v != 0)
271 else if (nat->in_v[0] == 0 && $3 != 0)
272 nat->in_v[0] = ftov($3);
273 if (nat->in_v[1] == 0 && $5.v != 0)
275 else if (nat->in_v[1] == 0 && $3 != 0)
276 nat->in_v[1] = ftov($3);
277 nat->in_nsrcatype = $5.t;
278 nat->in_nsrcafunc = $5.u;
279 bcopy(&$5.a, &nat->in_nsrc.na_addr[0],
281 bcopy(&$5.m, &nat->in_nsrc.na_addr[1],
289 mapblockit ifnames addr tlate addr ports mapoptions
290 { if ($3.f != 0 && $5.f != 0 && $3.f != $5.f)
291 yyerror("7.address family mismatch");
292 if (nat->in_v[0] == 0 && $5.v != 0)
294 else if (nat->in_v[0] == 0 && $3.v != 0)
296 if (nat->in_v[1] == 0 && $5.v != 0)
298 else if (nat->in_v[1] == 0 && $3.v != 0)
300 nat->in_osrcatype = $3.t;
301 bcopy(&$3.a, &nat->in_osrc.na_addr[0],
303 bcopy(&$3.m, &nat->in_osrc.na_addr[1],
305 nat->in_nsrcatype = $5.t;
306 nat->in_nsrcafunc = $5.u;
307 bcopy(&$5.a, &nat->in_nsrc.na_addr[0],
309 bcopy(&$5.m, &nat->in_nsrc.na_addr[1],
314 | no mapblockit ifnames { yyexpectaddr = 1; } addr setproto ';'
315 { if (nat->in_v[0] == 0)
317 if (nat->in_v[1] == 0)
319 nat->in_osrcatype = $5.t;
320 bcopy(&$5.a, &nat->in_osrc.na_addr[0],
322 bcopy(&$5.m, &nat->in_osrc.na_addr[1],
329 redir: rdrit ifnames addr dport tlate dip nport setproto rdroptions
330 { if ($6 != 0 && $3.f != 0 && $6 != $3.f)
331 yyerror("21.address family mismatch");
332 if (nat->in_v[0] == 0) {
333 if ($3.v != AF_UNSPEC)
334 nat->in_v[0] = ftov($3.f);
336 nat->in_v[0] = ftov($6);
338 nat->in_odstatype = $3.t;
339 bcopy(&$3.a, &nat->in_odst.na_addr[0],
341 bcopy(&$3.m, &nat->in_odst.na_addr[1],
346 | no rdrit ifnames addr dport setproto ';'
347 { if (nat->in_v[0] == 0)
348 nat->in_v[0] = ftov($4.f);
349 nat->in_odstatype = $4.t;
350 bcopy(&$4.a, &nat->in_odst.na_addr[0],
352 bcopy(&$4.m, &nat->in_odst.na_addr[1],
357 | rdrit ifnames rdrfrom tlate dip nport setproto rdroptions
358 { if ($5 != 0 && $3 != 0 && $5 != $3)
359 yyerror("20.address family mismatch");
360 if (nat->in_v[0] == 0) {
362 nat->in_v[0] = ftov($3);
364 nat->in_v[0] = ftov($5);
368 | no rdrit ifnames rdrfrom setproto ';'
369 { nat->in_v[0] = ftov($4);
376 IPNY_REWRITE oninout rwrproto mapfrom tlate newdst newopts
377 { if (nat->in_v[0] == 0)
378 nat->in_v[0] = ftov($4);
379 if (nat->in_redir & NAT_MAP)
383 nat->in_redir |= NAT_REWRITE;
387 divert: IPNY_DIVERT oninout rwrproto mapfrom tlate divdst newopts
388 { if (nat->in_v[0] == 0)
389 nat->in_v[0] = ftov($4);
390 if (nat->in_redir & NAT_MAP) {
392 nat->in_pr[0] = IPPROTO_UDP;
395 nat->in_pr[1] = IPPROTO_UDP;
397 nat->in_flags &= ~IPN_TCP;
401 tlate: IPNY_TLATE { yyexpectaddr = 1; }
404 pconf: IPNY_PROXY { yysetdict(proxies); }
405 IPNY_DNS '/' proto IPNY_CONFIG YY_STR '{'
406 { proxy_setconfig(IPNY_DNS); }
408 { proxy_addconfig("dns", $5, $7, $10);
415 | dnslines ';' dnsline { $$ = $1; $1->na_next = $3; }
419 IPNY_ALLOW YY_STR { $$ = proxy_dns_add_pass(NULL, $2); }
420 | IPNY_DENY YY_STR { $$ = proxy_dns_add_block(NULL, $2); }
421 | IPNY_ALLOW '.' YY_STR { $$ = proxy_dns_add_pass(".", $3); }
422 | IPNY_DENY '.' YY_STR { $$ = proxy_dns_add_block(".", $3); }
426 inout IPNY_ON ifnames { ; }
429 inout: IPNY_IN { nat->in_redir = NAT_REDIRECT; }
430 | IPNY_OUT { nat->in_redir = NAT_MAP; }
434 | IPNY_PROTO setproto
437 newdst: src rhsaddr srcports dst erhdaddr dstports
438 { nat->in_nsrc.na_addr[0] = $2.a;
439 nat->in_nsrc.na_addr[1] = $2.m;
440 nat->in_nsrc.na_atype = $2.t;
441 if ($2.t == FRI_LOOKUP) {
442 nat->in_nsrc.na_type = $2.u;
443 nat->in_nsrc.na_subtype = $2.s;
444 nat->in_nsrc.na_num = $2.n;
446 nat->in_nsports[0] = $3.p1;
447 nat->in_nsports[1] = $3.p2;
448 nat->in_ndst.na_addr[0] = $5.a;
449 nat->in_ndst.na_addr[1] = $5.m;
450 nat->in_ndst.na_atype = $5.t;
451 if ($5.t == FRI_LOOKUP) {
452 nat->in_ndst.na_type = $5.u;
453 nat->in_ndst.na_subtype = $5.s;
454 nat->in_ndst.na_num = $5.n;
456 nat->in_ndports[0] = $6.p1;
457 nat->in_ndports[1] = $6.p2;
461 divdst: src addr ',' portspec dst addr ',' portspec IPNY_UDP
462 { nat->in_nsrc.na_addr[0] = $2.a;
463 if ($2.m.in4.s_addr != 0xffffffff)
464 yyerror("divert must have /32 dest");
465 nat->in_nsrc.na_addr[1] = $2.m;
466 nat->in_nsports[0] = $4;
467 nat->in_nsports[1] = $4;
469 nat->in_ndst.na_addr[0] = $6.a;
470 nat->in_ndst.na_addr[1] = $6.m;
471 if ($6.m.in4.s_addr != 0xffffffff)
472 yyerror("divert must have /32 dest");
473 nat->in_ndports[0] = $8;
474 nat->in_ndports[1] = $8;
476 nat->in_redir |= NAT_DIVERTUDP;
480 src: IPNY_SRC { yyexpectaddr = 1; }
483 dst: IPNY_DST { yyexpectaddr = 1; }
487 comaports { $$.p1 = $1.p1;
490 | IPNY_PORT '=' portspec
493 nat->in_flags |= IPN_FIXEDSPORT;
498 comaports { $$.p1 = $1.p1;
501 | IPNY_PORT '=' portspec
504 nat->in_flags |= IPN_FIXEDDPORT;
512 | ',' { if (!(nat->in_flags & IPN_TCPUDP))
513 yyerror("must be TCP/UDP for ports");
515 portpair { $$.p1 = $3.p1;
520 proxy: | IPNY_PROXY port portspec YY_STR '/' proto
522 pos = addname(&nat, $4);
523 nat->in_plabel = pos;
524 if (nat->in_dcmp == 0) {
526 } else if ($3 != nat->in_odport) {
527 yyerror("proxy port numbers not consistant");
533 | IPNY_PROXY port YY_STR YY_STR '/' proto
535 pos = addname(&nat, $4);
536 nat->in_plabel = pos;
537 pnum = getportproto($3, $6);
539 yyerror("invalid port number");
540 nat->in_odport = ntohs(pnum);
541 nat->in_ndport = ntohs(pnum);
546 | IPNY_PROXY port portspec YY_STR '/' proto IPNY_CONFIG YY_STR
548 pos = addname(&nat, $4);
549 nat->in_plabel = pos;
550 if (nat->in_dcmp == 0) {
552 } else if ($3 != nat->in_odport) {
553 yyerror("proxy port numbers not consistant");
557 nat->in_pconfig = addname(&nat, $8);
561 | IPNY_PROXY port YY_STR YY_STR '/' proto IPNY_CONFIG YY_STR
563 pos = addname(&nat, $4);
564 nat->in_plabel = pos;
565 pnum = getportproto($3, $6);
567 yyerror("invalid port number");
568 nat->in_odport = ntohs(pnum);
569 nat->in_ndport = ntohs(pnum);
571 pos = addname(&nat, $8);
572 nat->in_pconfig = pos;
579 | proto { if (nat->in_pr[0] != 0 ||
580 nat->in_pr[1] != 0 ||
581 nat->in_flags & IPN_TCPUDP)
582 yyerror("protocol set twice");
585 | IPNY_TCPUDP { if (nat->in_pr[0] != 0 ||
586 nat->in_pr[1] != 0 ||
587 nat->in_flags & IPN_TCPUDP)
588 yyerror("protocol set twice");
589 nat->in_flags |= IPN_TCPUDP;
593 | IPNY_TCP '/' IPNY_UDP { if (nat->in_pr[0] != 0 ||
594 nat->in_pr[1] != 0 ||
595 nat->in_flags & IPN_TCPUDP)
596 yyerror("protocol set twice");
597 nat->in_flags |= IPN_TCPUDP;
607 | hostname '-' { yyexpectaddr = 1; } hostname
610 yyerror("8.address family "
616 nat->in_flags |= IPN_SIPRANGE;
619 | IPNY_RANGE hostname '-' { yyexpectaddr = 1; } hostname
622 yyerror("9.address family "
628 nat->in_flags |= IPN_SIPRANGE;
634 hostname ',' { yyexpectaddr = 1; } hostname
635 { nat->in_flags |= IPN_SPLIT;
637 yyerror("10.address family "
640 nat->in_ndstip6 = $1.a;
641 nat->in_ndstmsk6 = $4.a;
642 nat->in_ndstatype = FRI_SPLIT;
645 | rhdaddr { int bits;
646 nat->in_ndstip6 = $1.a;
647 nat->in_ndstmsk6 = $1.m;
648 nat->in_ndst.na_atype = $1.t;
651 bits = count4bits($1.m.in4.s_addr);
653 bits = count6bits($1.m.i6);
654 if (($1.f == AF_INET) && (bits != 0) &&
656 yyerror("dest ip bitmask not /32");
657 } else if (($1.f == AF_INET6) &&
658 (bits != 0) && (bits != 128)) {
659 yyerror("dest ip bitmask not /128");
669 | hostname '-' hostname { bzero(&$$, sizeof($$));
671 if ($1.f != 0 && $3.f != 0 &&
673 yyerror("11.address family "
677 nat->in_flags |= IPN_DIPRANGE;
680 | IPNY_RANGE hostname '-' hostname
681 { bzero(&$$, sizeof($$));
683 if ($2.f != 0 && $4.f != 0 &&
685 yyerror("12.address family "
689 nat->in_flags |= IPN_DIPRANGE;
696 | IPNY_DSTLIST '/' YY_NUMBER { $$.t = FRI_LOOKUP;
701 | IPNY_DSTLIST '/' YY_STR { $$.t = FRI_LOOKUP;
704 $$.n = addname(&nat, $3);
708 port: IPNY_PORT { suggest_port = 1; }
712 YY_NUMBER { if ($1 > 65535) /* Unsigned */
713 yyerror("invalid port number");
717 | YY_STR { if (getport(NULL, $1,
719 yyerror("invalid port number");
725 portspec { $$.p1 = $1; $$.p2 = $1; }
726 | portspec '-' portspec { $$.p1 = $1; $$.p2 = $3; }
727 | portspec ':' portspec { $$.p1 = $1; $$.p2 = $3; }
730 dport: | port portpair { nat->in_odport = $2.p1;
732 nat->in_dtop = $2.p1;
734 nat->in_dtop = $2.p2;
738 nport: | port portpair { nat->in_dpmin = $2.p1;
739 nat->in_dpnext = $2.p1;
740 nat->in_dpmax = $2.p2;
741 nat->in_ndport = $2.p1;
742 if (nat->in_dtop == 0)
743 nat->in_dtop = $2.p2;
745 | port '=' portspec { nat->in_dpmin = $3;
748 if (nat->in_dtop == 0)
749 nat->in_dtop = nat->in_odport;
750 nat->in_flags |= IPN_FIXEDDPORT;
754 ports: | IPNY_PORTS YY_NUMBER { nat->in_spmin = $2; }
755 | IPNY_PORTS IPNY_AUTO { nat->in_flags |= IPN_AUTOPORTMAP; }
758 mapit: IPNY_MAP { nat->in_redir = NAT_MAP; }
759 | IPNY_BIMAP { nat->in_redir = NAT_BIMAP; }
762 rdrit: IPNY_RDR { nat->in_redir = NAT_REDIRECT; }
766 IPNY_MAPBLOCK { nat->in_redir = NAT_MAPBLK; }
770 from sobject to dobject { if ($2 != 0 && $4 != 0 && $2 != $4)
771 yyerror("13.address family "
775 | from sobject '!' to dobject
776 { if ($2 != 0 && $5 != 0 && $2 != $5)
777 yyerror("14.address family "
779 nat->in_flags |= IPN_NOTDST;
782 | from sobject to '!' dobject
783 { if ($2 != 0 && $5 != 0 && $2 != $5)
784 yyerror("15.address family "
786 nat->in_flags |= IPN_NOTDST;
792 from sobject to dobject { if ($2 != 0 && $4 != 0 && $2 != $4)
793 yyerror("16.address family "
797 | '!' from sobject to dobject
798 { if ($3 != 0 && $5 != 0 && $3 != $5)
799 yyerror("17.address family "
801 nat->in_flags |= IPN_NOTSRC;
804 | from '!' sobject to dobject
805 { if ($3 != 0 && $5 != 0 && $3 != $5)
806 yyerror("18.address family "
808 nat->in_flags |= IPN_NOTSRC;
813 from: IPNY_FROM { nat->in_flags |= IPN_FILTER;
818 to: IPNY_TO { yyexpectaddr = 1; }
822 ifname family { yyexpectaddr = 1; }
823 | ifname ',' otherifname family { yyexpectaddr = 1; }
826 ifname: YY_STR { setifname(&nat, 0, $1);
831 family: | IPNY_INET { nat->in_v[0] = 4; nat->in_v[1] = 4; }
832 | IPNY_INET6 { nat->in_v[0] = 6; nat->in_v[1] = 6; }
836 YY_STR { setifname(&nat, 1, $1);
842 IPNY_PORTMAP tcpudp portpair sequential
843 { nat->in_spmin = $3.p1;
844 nat->in_spmax = $3.p2;
846 | IPNY_PORTMAP portpair tcpudp sequential
847 { nat->in_spmin = $2.p1;
848 nat->in_spmax = $2.p2;
850 | IPNY_PORTMAP tcpudp IPNY_AUTO sequential
851 { nat->in_flags |= IPN_AUTOPORTMAP;
852 nat->in_spmin = 1024;
853 nat->in_spmax = 65535;
855 | IPNY_ICMPIDMAP YY_STR portpair sequential
856 { if (strcmp($2, "icmp") != 0 &&
857 strcmp($2, "ipv6-icmp") != 0) {
858 yyerror("icmpidmap not followed by icmp");
861 if ($3.p1 < 0 || $3.p1 > 65535)
862 yyerror("invalid 1st ICMP Id number");
863 if ($3.p2 < 0 || $3.p2 > 65535)
864 yyerror("invalid 2nd ICMP Id number");
865 if (strcmp($2, "ipv6-icmp") == 0) {
866 nat->in_pr[0] = IPPROTO_ICMPV6;
867 nat->in_pr[1] = IPPROTO_ICMPV6;
869 nat->in_pr[0] = IPPROTO_ICMP;
870 nat->in_pr[1] = IPPROTO_ICMP;
872 nat->in_flags = IPN_ICMPQUERY;
873 nat->in_spmin = $3.p1;
874 nat->in_spmax = $3.p2;
880 | saddr port portstuff { nat->in_osport = $3.p1;
881 nat->in_stop = $3.p2;
882 nat->in_scmp = $3.pc;
887 saddr: addr { nat->in_osrcatype = $1.t;
889 &nat->in_osrc.na_addr[0],
892 &nat->in_osrc.na_addr[1],
900 | daddr port portstuff { nat->in_odport = $3.p1;
901 nat->in_dtop = $3.p2;
902 nat->in_dcmp = $3.pc;
907 daddr: addr { nat->in_odstatype = $1.t;
909 &nat->in_odst.na_addr[0],
912 &nat->in_odst.na_addr[1],
918 addr: IPNY_ANY { yyexpectaddr = 0;
919 bzero(&$$, sizeof($$));
922 | hostname { bzero(&$$, sizeof($$));
927 if ($$.f == AF_INET) {
928 $$.m.in4.s_addr = 0xffffffff;
929 } else if ($$.f == AF_INET6) {
930 $$.m.i6[0] = 0xffffffff;
931 $$.m.i6[1] = 0xffffffff;
932 $$.m.i6[2] = 0xffffffff;
933 $$.m.i6[3] = 0xffffffff;
937 | hostname slash YY_NUMBER
938 { bzero(&$$, sizeof($$));
943 ntomask($$.f, $3, (u_32_t *)&$$.m);
944 $$.a.i6[0] &= $$.m.i6[0];
945 $$.a.i6[1] &= $$.m.i6[1];
946 $$.a.i6[2] &= $$.m.i6[2];
947 $$.a.i6[3] &= $$.m.i6[3];
950 | hostname slash ipaddr { bzero(&$$, sizeof($$));
952 yyerror("1.address family "
958 $$.a.i6[0] &= $$.m.i6[0];
959 $$.a.i6[1] &= $$.m.i6[1];
960 $$.a.i6[2] &= $$.m.i6[2];
961 $$.a.i6[3] &= $$.m.i6[3];
966 | hostname slash hexnumber { bzero(&$$, sizeof($$));
968 $$.m.in4.s_addr = htonl($3);
970 $$.a.in4.s_addr &= $$.m.in4.s_addr;
973 if ($$.f == AF_INET6)
974 yyerror("incorrect inet6 mask");
976 | hostname mask ipaddr { bzero(&$$, sizeof($$));
978 yyerror("2.address family "
984 $$.a.i6[0] &= $$.m.i6[0];
985 $$.a.i6[1] &= $$.m.i6[1];
986 $$.a.i6[2] &= $$.m.i6[2];
987 $$.a.i6[3] &= $$.m.i6[3];
992 | hostname mask hexnumber { bzero(&$$, sizeof($$));
994 $$.m.in4.s_addr = htonl($3);
996 $$.a.in4.s_addr &= $$.m.in4.s_addr;
1000 | pool slash YY_NUMBER { bzero(&$$, sizeof($$));
1001 $$.a.iplookupnum = $3;
1002 $$.a.iplookuptype = IPLT_POOL;
1003 $$.a.iplookupsubtype = 0;
1006 | pool slash YY_STR { bzero(&$$, sizeof($$));
1007 $$.a.iplookupname = addname(&nat,$3);
1008 $$.a.iplookuptype = IPLT_POOL;
1009 $$.a.iplookupsubtype = 1;
1012 | hash slash YY_NUMBER { bzero(&$$, sizeof($$));
1013 $$.a.iplookupnum = $3;
1014 $$.a.iplookuptype = IPLT_HASH;
1015 $$.a.iplookupsubtype = 0;
1018 | hash slash YY_STR { bzero(&$$, sizeof($$));
1019 $$.a.iplookupname = addname(&nat,$3);
1020 $$.a.iplookuptype = IPLT_HASH;
1021 $$.a.iplookupsubtype = 1;
1026 slash: '/' { yyexpectaddr = 0; }
1029 mask: IPNY_MASK { yyexpectaddr = 0; }
1032 pool: IPNY_POOL { if (!(nat->in_flags & IPN_FILTER)) {
1033 yyerror("Can only use pool with from/to rules\n");
1040 hash: IPNY_HASH { if (!(nat->in_flags & IPN_FILTER)) {
1041 yyerror("Can only use hash with from/to rules\n");
1049 compare portspec { $$.pc = $1; $$.p1 = $2; $$.p2 = 0; }
1050 | portspec range portspec { $$.pc = $2; $$.p1 = $1; $$.p2 = $3; }
1054 rr frag age mssclamp nattag setproto purge
1058 rr frag age sticky mssclamp rdrproxy nattag purge
1061 nattag: | IPNY_TAG YY_STR { strncpy(nat->in_tag.ipt_tag, $2,
1062 sizeof(nat->in_tag.ipt_tag));
1064 rr: | IPNY_ROUNDROBIN { nat->in_flags |= IPN_ROUNDR; }
1067 frag: | IPNY_FRAG { nat->in_flags |= IPN_FRAG; }
1070 age: | IPNY_AGE YY_NUMBER { nat->in_age[0] = $2;
1071 nat->in_age[1] = $2; }
1072 | IPNY_AGE YY_NUMBER '/' YY_NUMBER { nat->in_age[0] = $2;
1073 nat->in_age[1] = $4; }
1076 sticky: | IPNY_STICKY { if (!(nat->in_flags & IPN_ROUNDR) &&
1077 !(nat->in_flags & IPN_SPLIT)) {
1079 "'sticky' for use with round-robin/IP splitting only\n");
1081 nat->in_flags |= IPN_STICKY;
1086 | IPNY_MSSCLAMP YY_NUMBER { nat->in_mssclamp = $2; }
1089 tcpudp: IPNY_TCP { setnatproto(IPPROTO_TCP); }
1090 | IPNY_UDP { setnatproto(IPPROTO_UDP); }
1091 | IPNY_TCPUDP { nat->in_flags |= IPN_TCPUDP;
1095 | IPNY_TCP '/' IPNY_UDP { nat->in_flags |= IPN_TCPUDP;
1102 | IPNY_SEQUENTIAL { nat->in_flags |= IPN_SEQUENTIAL; }
1106 | IPNY_PURGE { nat->in_flags |= IPN_PURGE; }
1112 pos = addname(&nat, $2);
1113 nat->in_plabel = pos;
1114 nat->in_odport = nat->in_dpnext;
1115 nat->in_dtop = nat->in_odport;
1118 | proxy { if (nat->in_plabel != -1) {
1119 nat->in_ndport = nat->in_odport;
1120 nat->in_dpmin = nat->in_odport;
1121 nat->in_dpmax = nat->in_dpmin;
1122 nat->in_dtop = nat->in_dpmin;
1123 nat->in_dpnext = nat->in_dpmin;
1129 | IPNY_PURGE { nat->in_flags |= IPN_PURGE; }
1132 proto: YY_NUMBER { $$ = $1;
1133 if ($$ != IPPROTO_TCP &&
1137 | IPNY_TCP { $$ = IPPROTO_TCP; }
1138 | IPNY_UDP { $$ = IPPROTO_UDP; }
1139 | YY_STR { $$ = getproto($1);
1142 yyerror("unknown protocol");
1143 if ($$ != IPPROTO_TCP &&
1154 YY_STR { i6addr_t addr;
1158 if (nat->in_v[0] == 6)
1163 memset(&($$), 0, sizeof($$));
1164 memset(&addr, 0, sizeof(addr));
1166 if (gethost(family, $1,
1171 "Unknown host '%s'\n",
1176 | YY_NUMBER { memset(&($$), 0, sizeof($$));
1177 $$.a.in4.s_addr = htonl($1);
1178 if ($$.a.in4.s_addr != 0)
1182 | YY_IPV6 { memset(&($$), 0, sizeof($$));
1186 | YY_NUMBER YY_IPV6 { memset(&($$), 0, sizeof($$));
1193 '=' { $$ = FR_EQUAL; }
1194 | YY_CMP_EQ { $$ = FR_EQUAL; }
1195 | YY_CMP_NE { $$ = FR_NEQUAL; }
1196 | YY_CMP_LT { $$ = FR_LESST; }
1197 | YY_CMP_LE { $$ = FR_LESSTE; }
1198 | YY_CMP_GT { $$ = FR_GREATERT; }
1199 | YY_CMP_GE { $$ = FR_GREATERTE; }
1202 YY_RANGE_OUT { $$ = FR_OUTRANGE; }
1203 | YY_RANGE_IN { $$ = FR_INRANGE; }
1204 | ':' { $$ = FR_INCRANGE; }
1207 ipaddr: ipv4 { $$ = $1; }
1208 | YY_IPV6 { $$.a = $1;
1213 ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER
1214 { if ($1 > 255 || $3 > 255 || $5 > 255 || $7 > 255) {
1215 yyerror("Invalid octet string for IP address");
1218 bzero((char *)&$$, sizeof($$));
1219 $$.a.in4.s_addr = ($1 << 24) | ($3 << 16) | ($5 << 8) | $7;
1220 $$.a.in4.s_addr = htonl($$.a.in4.s_addr);
1228 static wordtab_t proxies[] = {
1232 static wordtab_t dnswords[] = {
1233 { "allow", IPNY_ALLOW },
1234 { "block", IPNY_DENY },
1235 { "deny", IPNY_DENY },
1236 { "drop", IPNY_DENY },
1237 { "pass", IPNY_ALLOW },
1241 static wordtab_t yywords[] = {
1242 { "age", IPNY_AGE },
1243 { "any", IPNY_ANY },
1244 { "auto", IPNY_AUTO },
1245 { "bimap", IPNY_BIMAP },
1246 { "config", IPNY_CONFIG },
1247 { "divert", IPNY_DIVERT },
1248 { "dst", IPNY_DST },
1249 { "dstlist", IPNY_DSTLIST },
1250 { "frag", IPNY_FRAG },
1251 { "from", IPNY_FROM },
1252 { "hash", IPNY_HASH },
1253 { "icmpidmap", IPNY_ICMPIDMAP },
1255 { "inet", IPNY_INET },
1256 { "inet6", IPNY_INET6 },
1257 { "mask", IPNY_MASK },
1258 { "map", IPNY_MAP },
1259 { "map-block", IPNY_MAPBLOCK },
1260 { "mssclamp", IPNY_MSSCLAMP },
1261 { "netmask", IPNY_MASK },
1264 { "out", IPNY_OUT },
1265 { "pool", IPNY_POOL },
1266 { "port", IPNY_PORT },
1267 { "portmap", IPNY_PORTMAP },
1268 { "ports", IPNY_PORTS },
1269 { "proto", IPNY_PROTO },
1270 { "proxy", IPNY_PROXY },
1271 { "purge", IPNY_PURGE },
1272 { "range", IPNY_RANGE },
1273 { "rewrite", IPNY_REWRITE },
1274 { "rdr", IPNY_RDR },
1275 { "round-robin",IPNY_ROUNDROBIN },
1276 { "sequential", IPNY_SEQUENTIAL },
1277 { "src", IPNY_SRC },
1278 { "sticky", IPNY_STICKY },
1279 { "tag", IPNY_TAG },
1280 { "tcp", IPNY_TCP },
1281 { "tcpudp", IPNY_TCPUDP },
1283 { "udp", IPNY_UDP },
1285 { "->", IPNY_TLATE },
1286 { "eq", YY_CMP_EQ },
1287 { "ne", YY_CMP_NE },
1288 { "lt", YY_CMP_LT },
1289 { "gt", YY_CMP_GT },
1290 { "le", YY_CMP_LE },
1291 { "ge", YY_CMP_GE },
1297 ipnat_parsefile(fd, addfunc, ioctlfunc, filename)
1300 ioctlfunc_t ioctlfunc;
1309 (void) yysettab(yywords);
1311 s = getenv("YYDEBUG");
1317 if (strcmp(filename, "-")) {
1318 fp = fopen(filename, "r");
1320 FPRINTF(stderr, "fopen(%s) failed: %s\n", filename,
1327 while ((rval = ipnat_parsesome(fd, addfunc, ioctlfunc, fp)) == 0)
1340 ipnat_parsesome(fd, addfunc, ioctlfunc, fp)
1343 ioctlfunc_t ioctlfunc;
1351 nataddfunc = addfunc;
1352 natioctlfunc = ioctlfunc;
1359 if (ungetc(i, fp) == EOF)
1363 s = getenv("YYDEBUG");
1371 return parser_error;
1380 n = calloc(1, sizeof(*n));
1386 n->in_pnext = &nattop;
1389 n->in_pnext = &nat->in_next;
1393 n->in_flineno = yylineNum;
1394 n->in_ifnames[0] = -1;
1395 n->in_ifnames[1] = -1;
1398 n->in_size = sizeof(*n);
1414 nat->in_flags |= IPN_TCP;
1415 nat->in_flags &= ~IPN_UDP;
1418 nat->in_flags |= IPN_UDP;
1419 nat->in_flags &= ~IPN_TCP;
1422 case IPPROTO_ICMPV6 :
1425 nat->in_flags &= ~IPN_TCPUDP;
1426 if (!(nat->in_flags & IPN_ICMPQUERY) &&
1427 !(nat->in_redir & NAT_DIVERTUDP)) {
1439 if ((nat->in_redir & NAT_MAPBLK) == 0) {
1440 nat->in_flags &= ~IPN_TCPUDP;
1453 if ((nat->in_flags & (IPN_TCP|IPN_UDP)) == 0) {
1463 if ((nat->in_flags & (IPN_TCPUDP|IPN_FIXEDDPORT)) == IPN_FIXEDDPORT)
1464 nat->in_flags &= ~IPN_FIXEDDPORT;
1469 ipnat_addrule(fd, ioctlfunc, ptr)
1471 ioctlfunc_t ioctlfunc;
1474 ioctlcmd_t add, del;
1479 bzero((char *)&obj, sizeof(obj));
1480 obj.ipfo_rev = IPFILTER_VERSION;
1481 obj.ipfo_size = ipn->in_size;
1482 obj.ipfo_type = IPFOBJ_IPNAT;
1485 if ((opts & OPT_DONOTHING) != 0)
1488 if (opts & OPT_ZERORULEST) {
1491 } else if (opts & OPT_PURGE) {
1499 if ((opts & OPT_VERBOSE) != 0)
1500 printnat(ipn, opts);
1502 if (opts & OPT_DEBUG)
1503 binprint(ipn, ipn->in_size);
1505 if ((opts & OPT_ZERORULEST) != 0) {
1506 if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
1507 if ((opts & OPT_DONOTHING) == 0) {
1510 sprintf(msg, "%d:ioctl(zero nat rule)",
1512 return ipf_perror_fd(fd, ioctlfunc, msg);
1515 PRINTF("hits %lu ", ipn->in_hits);
1517 PRINTF("bytes %"PRIu64" ",
1518 ipn->in_bytes[0] + ipn->in_bytes[1]);
1520 PRINTF("bytes %lu ",
1521 ipn->in_bytes[0] + ipn->in_bytes[1]);
1523 printnat(ipn, opts);
1525 } else if ((opts & OPT_REMOVE) != 0) {
1526 if ((*ioctlfunc)(fd, del, (void *)&obj) == -1) {
1527 if ((opts & OPT_DONOTHING) == 0) {
1530 sprintf(msg, "%d:ioctl(delete nat rule)",
1532 return ipf_perror_fd(fd, ioctlfunc, msg);
1536 if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
1537 if ((opts & OPT_DONOTHING) == 0) {
1540 sprintf(msg, "%d:ioctl(add/insert nat rule)",
1542 if (errno == EEXIST) {
1543 sprintf(msg + strlen(msg), "(line %d)",
1546 return ipf_perror_fd(fd, ioctlfunc, msg);
1557 if (nat->in_ifnames[1] == -1)
1558 nat->in_ifnames[1] = nat->in_ifnames[0];
1560 if ((suggest_port == 1) && (nat->in_flags & IPN_TCPUDP) == 0)
1561 nat->in_flags |= IPN_TCPUDP;
1563 if ((nat->in_flags & IPN_TCPUDP) == 0)
1564 setnatproto(nat->in_pr[1]);
1566 if (((nat->in_redir & NAT_MAPBLK) != 0) ||
1567 ((nat->in_flags & IPN_AUTOPORTMAP) != 0))
1568 nat_setgroupmap(nat);
1575 if ((suggest_port == 1) && (nat->in_flags & IPN_TCPUDP) == 0)
1576 nat->in_flags |= IPN_TCPUDP;
1578 if ((nat->in_pr[0] == 0) && ((nat->in_flags & IPN_TCPUDP) == 0) &&
1579 (nat->in_dpmin != 0 || nat->in_dpmax != 0 || nat->in_dpnext != 0))
1580 setnatproto(IPPROTO_TCP);
1582 if (nat->in_ifnames[1] == -1)
1583 nat->in_ifnames[1] = nat->in_ifnames[0];
1588 proxy_setconfig(proxy)
1591 if (proxy == IPNY_DNS) {
1592 yysetfixeddict(dnswords);
1605 proxy_dns_add_pass(prefix, name)
1606 char *prefix, *name;
1610 n = calloc(1, sizeof(*n));
1612 if (prefix == NULL || *prefix == '\0') {
1613 n->na_name = strdup(name);
1615 n->na_name = malloc(strlen(name) + strlen(prefix) + 1);
1616 strcpy(n->na_name, prefix);
1617 strcat(n->na_name, name);
1625 proxy_dns_add_block(prefix, name)
1626 char *prefix, *name;
1630 n = calloc(1, sizeof(*n));
1632 if (prefix == NULL || *prefix == '\0') {
1633 n->na_name = strdup(name);
1635 n->na_name = malloc(strlen(name) + strlen(prefix) + 1);
1636 strcpy(n->na_name, prefix);
1637 strcat(n->na_name, name);
1646 proxy_addconfig(proxy, proto, conf, list)
1653 pr = calloc(1, sizeof(*pr));
1655 pr->pr_proto = proto;
1656 pr->pr_proxy = proxy;
1658 pr->pr_names = list;
1659 pr->pr_next = prules;
1666 proxy_loadrules(fd, ioctlfunc, rules)
1668 ioctlfunc_t ioctlfunc;
1673 while ((pr = rules) != NULL) {
1674 proxy_loadconfig(fd, ioctlfunc, pr->pr_proxy, pr->pr_proto,
1675 pr->pr_conf, pr->pr_names);
1676 rules = pr->pr_next;
1684 proxy_loadconfig(fd, ioctlfunc, proxy, proto, conf, list)
1686 ioctlfunc_t ioctlfunc;
1695 obj.ipfo_rev = IPFILTER_VERSION;
1696 obj.ipfo_type = IPFOBJ_PROXYCTL;
1697 obj.ipfo_size = sizeof(pcmd);
1698 obj.ipfo_ptr = &pcmd;
1700 while ((na = list) != NULL) {
1701 if ((opts & OPT_REMOVE) != 0)
1702 pcmd.apc_cmd = APC_CMD_DEL;
1704 pcmd.apc_cmd = APC_CMD_ADD;
1705 pcmd.apc_dsize = strlen(na->na_name) + 1;
1706 pcmd.apc_data = na->na_name;
1707 pcmd.apc_arg = na->na_value;
1710 strncpy(pcmd.apc_label, proxy, APR_LABELLEN);
1711 pcmd.apc_label[APR_LABELLEN - 1] = '\0';
1713 strncpy(pcmd.apc_config, conf, APR_LABELLEN);
1714 pcmd.apc_config[APR_LABELLEN - 1] = '\0';
1716 if ((*ioctlfunc)(fd, SIOCPROXY, (void *)&obj) == -1) {
1717 if ((opts & OPT_DONOTHING) == 0) {
1720 sprintf(msg, "%d:ioctl(add/remove proxy rule)",
1722 ipf_perror_fd(fd, ioctlfunc, msg);
1735 setifname(np, idx, name)
1742 pos = addname(np, name);
1745 (*np)->in_ifnames[idx] = pos;
1758 nlen = strlen(name) + 1;
1759 n = realloc(*np, (*np)->in_size + nlen);
1765 if (n->in_pnext != NULL)
1768 pos = n->in_namelen;
1769 n->in_namelen += nlen;
1770 strcpy(n->in_names + pos, name);
1771 n->in_names[n->in_namelen] = '\0';
projects / FreeBSD / FreeBSD.git / blob