4 * Copyright (C) 2012 by Darren Reed.
6 * See the IPFILTER.LICENCE file for details on licencing.
11 #include <sys/param.h>
12 #include <sys/socket.h>
13 # include <sys/cdefs.h>
14 #include <sys/ioctl.h>
17 #include <netinet/in.h>
19 #include <arpa/inet.h>
30 #include "netinet/ip_lookup.h"
31 #include "netinet/ip_pool.h"
32 #include "netinet/ip_htable.h"
33 #include "netinet/ip_dstlist.h"
38 #define YYSTACKSIZE 0x00ffffff
40 extern int yyparse __P((void));
44 static iphtable_t ipht;
45 static iphtent_t iphte;
46 static ip_pool_t iplo;
47 static ippool_dst_t ipld;
48 static ioctlfunc_t poolioctl = NULL;
49 static char poolname[FR_GROUPLEN];
51 static iphtent_t *add_htablehosts __P((char *));
52 static ip_pool_node_t *add_poolhosts __P((char *));
53 static ip_pool_node_t *read_whoisfile __P((char *));
54 static void setadflen __P((addrfamily_t *));
62 struct alist_s *alist;
63 addrfamily_t adrmsk[2];
71 %token <num> YY_NUMBER YY_HEX
75 %token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
76 %token YY_RANGE_OUT YY_RANGE_IN
77 %token IPT_IPF IPT_NAT IPT_COUNT IPT_AUTH IPT_IN IPT_OUT IPT_ALL
78 %token IPT_TABLE IPT_GROUPMAP IPT_HASH IPT_SRCHASH IPT_DSTHASH
79 %token IPT_ROLE IPT_TYPE IPT_TREE
80 %token IPT_GROUP IPT_SIZE IPT_SEED IPT_NUM IPT_NAME IPT_POLICY
81 %token IPT_POOL IPT_DSTLIST IPT_ROUNDROBIN
82 %token IPT_WEIGHTED IPT_RANDOM IPT_CONNECTION
83 %token IPT_WHOIS IPT_FILE
84 %type <num> role table inout unit dstopts weighting
85 %type <ipp> ipftree range addrlist
86 %type <adrmsk> addrmask
87 %type <ipe> ipfgroup ipfhash hashlist hashentry
88 %type <ipe> groupentry setgrouplist grouplist
89 %type <ipa> ipaddr mask
91 %type <str> number setgroup name
92 %type <ipd> dstentry dstentries dstlist
101 line: table role ipftree eol { ip_pool_node_t *n;
104 load_pool(&iplo, poolioctl);
105 while ((n = $3) != NULL) {
112 | table role ipfhash eol { iphtent_t *h;
114 ipht.iph_type = IPHASH_LOOKUP;
115 load_hash(&ipht, $3, poolioctl);
116 while ((h = $3) != NULL) {
123 | groupmap role number ipfgroup eol
126 strncpy(ipht.iph_name, $3,
127 sizeof(ipht.iph_name));
128 ipht.iph_type = IPHASH_GROUPMAP;
129 load_hash(&ipht, $4, poolioctl);
130 while ((h = $4) != NULL) {
144 assign: YY_STR assigning YY_STR ';' { set_variable($1, $3);
153 '=' { yyvarnext = 1; }
156 table: IPT_TABLE { bzero((char *)&ipht, sizeof(ipht));
157 bzero((char *)&iphte, sizeof(iphte));
158 bzero((char *)&iplo, sizeof(iplo));
159 bzero((char *)&ipld, sizeof(ipld));
160 *ipht.iph_name = '\0';
161 iplo.ipo_flags = IPHASH_ANON;
162 iplo.ipo_name[0] = '\0';
167 IPT_GROUPMAP inout { bzero((char *)&ipht, sizeof(ipht));
168 bzero((char *)&iphte, sizeof(iphte));
169 *ipht.iph_name = '\0';
170 ipht.iph_unit = IPHASH_GROUPMAP;
175 inout: IPT_IN { $$ = FR_INQUE; }
176 | IPT_OUT { $$ = FR_OUTQUE; }
179 role: IPT_ROLE '=' unit { $$ = $3; }
182 unit: IPT_IPF { $$ = IPL_LOGIPF; }
183 | IPT_NAT { $$ = IPL_LOGNAT; }
184 | IPT_AUTH { $$ = IPL_LOGAUTH; }
185 | IPT_COUNT { $$ = IPL_LOGCOUNT; }
186 | IPT_ALL { $$ = IPL_LOGALL; }
190 IPT_TYPE '=' IPT_TREE number start addrlist end
191 { strncpy(iplo.ipo_name, $4,
192 sizeof(iplo.ipo_name));
198 IPT_TYPE '=' IPT_HASH number hashopts start hashlist end
199 { strncpy(ipht.iph_name, $4,
200 sizeof(ipht.iph_name));
206 setgroup hashopts start grouplist end
208 for (e = $4; e != NULL;
210 if (e->ipe_group[0] == '\0')
211 strncpy(e->ipe_group,
217 | hashopts start setgrouplist end
221 number: IPT_NUM '=' YY_NUMBER { sprintf(poolname, "%u", $3);
224 | IPT_NAME '=' YY_STR { strncpy(poolname, $3,
226 poolname[FR_GROUPLEN-1]='\0';
234 IPT_GROUP '=' YY_STR { char tmp[FR_GROUPLEN+1];
235 strncpy(tmp, $3, FR_GROUPLEN);
239 | IPT_GROUP '=' YY_NUMBER { char tmp[FR_GROUPLEN+1];
240 sprintf(tmp, "%u", $3);
253 | range next addrlist { $$ = $1;
254 while ($1->ipn_next != NULL)
258 | range next { $$ = $1; }
263 | groupentry next grouplist { $$ = $1; $1->ipe_next = $3; }
264 | addrmask next grouplist { $$ = calloc(1, sizeof(iphtent_t));
265 $$->ipe_addr = $1[0].adf_addr;
266 $$->ipe_mask = $1[1].adf_addr;
267 $$->ipe_family = $1[0].adf_family;
270 | groupentry next { $$ = $1; }
271 | addrmask next { $$ = calloc(1, sizeof(iphtent_t));
272 $$->ipe_addr = $1[0].adf_addr;
273 $$->ipe_mask = $1[1].adf_addr;
276 $$->ipe_family = AF_INET6;
279 $$->ipe_family = AF_INET;
281 | YY_STR { $$ = add_htablehosts($1);
288 | groupentry next { $$ = $1; }
289 | groupentry next setgrouplist { $1->ipe_next = $3; $$ = $1; }
293 addrmask ',' setgroup { $$ = calloc(1, sizeof(iphtent_t));
294 $$->ipe_addr = $1[0].adf_addr;
295 $$->ipe_mask = $1[1].adf_addr;
296 strncpy($$->ipe_group, $3,
300 $$->ipe_family = AF_INET6;
303 $$->ipe_family = AF_INET;
308 range: addrmask { $$ = calloc(1, sizeof(*$$));
310 $$->ipn_addr = $1[0];
311 $$->ipn_mask = $1[1];
314 $$->ipn_addr.adf_family =
318 $$->ipn_addr.adf_family =
321 | '!' addrmask { $$ = calloc(1, sizeof(*$$));
323 $$->ipn_addr = $2[0];
324 $$->ipn_mask = $2[1];
327 $$->ipn_addr.adf_family =
331 $$->ipn_addr.adf_family =
334 | YY_STR { $$ = add_poolhosts($1);
337 | IPT_WHOIS IPT_FILE YY_STR { $$ = read_whoisfile($3);
344 | hashentry next { $$ = $1; }
345 | hashentry next hashlist { $1->ipe_next = $3; $$ = $1; }
349 addrmask { $$ = calloc(1, sizeof(iphtent_t));
350 $$->ipe_addr = $1[0].adf_addr;
351 $$->ipe_mask = $1[1].adf_addr;
354 $$->ipe_family = AF_INET6;
357 $$->ipe_family = AF_INET;
359 | YY_STR { $$ = add_htablehosts($1);
365 ipaddr '/' mask { $$[0] = $1;
368 $$[1].adf_len = $$[0].adf_len;
370 | ipaddr { $$[0] = $1;
372 $$[1].adf_len = $$[0].adf_len;
375 memset(&$$[1].adf_addr, 0xff,
376 sizeof($$[1].adf_addr.in6));
379 memset(&$$[1].adf_addr, 0xff,
380 sizeof($$[1].adf_addr.in4));
384 ipaddr: ipv4 { $$.adf_addr.in4 = $1;
385 $$.adf_family = AF_INET;
389 | YY_NUMBER { $$.adf_addr.in4.s_addr = htonl($1);
390 $$.adf_family = AF_INET;
394 | YY_IPV6 { $$.adf_addr = $1;
395 $$.adf_family = AF_INET6;
401 mask: YY_NUMBER { bzero(&$$, sizeof($$));
403 if (ntomask(AF_INET6, $1,
404 (u_32_t *)&$$.adf_addr) == -1)
405 yyerror("bad bitmask");
407 if (ntomask(AF_INET, $1,
408 (u_32_t *)&$$.adf_addr.in4) == -1)
409 yyerror("bad bitmask");
412 | ipv4 { bzero(&$$, sizeof($$));
413 $$.adf_addr.in4 = $1;
415 | YY_IPV6 { bzero(&$$, sizeof($$));
420 size: IPT_SIZE '=' YY_NUMBER { ipht.iph_size = $3; }
423 seed: IPT_SEED '=' YY_NUMBER { ipht.iph_seed = $3; }
426 ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER
427 { if ($1 > 255 || $3 > 255 || $5 > 255 || $7 > 255) {
428 yyerror("Invalid octet string for IP address");
431 $$.s_addr = ($1 << 24) | ($3 << 16) | ($5 << 8) | $7;
432 $$.s_addr = htonl($$.s_addr);
436 next: ';' { yyexpectaddr = 1; }
439 start: '{' { yyexpectaddr = 1; }
442 end: '}' { yyexpectaddr = 0; }
446 IPT_POOL unit '/' IPT_DSTLIST '(' name ';' dstopts ')'
448 { bzero((char *)&ipld, sizeof(ipld));
449 strncpy(ipld.ipld_name, $6,
450 sizeof(ipld.ipld_name));
452 ipld.ipld_policy = $8;
453 load_dstlist(&ipld, poolioctl, $11);
458 | IPT_POOL unit '/' IPT_TREE '(' name ';' ')'
460 { bzero((char *)&iplo, sizeof(iplo));
461 strncpy(iplo.ipo_name, $6,
462 sizeof(iplo.ipo_name));
465 load_pool(&iplo, poolioctl);
470 | IPT_POOL '(' name ';' ')' start addrlist end
471 { bzero((char *)&iplo, sizeof(iplo));
472 strncpy(iplo.ipo_name, $3,
473 sizeof(iplo.ipo_name));
475 iplo.ipo_unit = IPL_LOGALL;
476 load_pool(&iplo, poolioctl);
481 | IPT_POOL unit '/' IPT_HASH '(' name ';' hashoptlist ')'
484 bzero((char *)&ipht, sizeof(ipht));
485 strncpy(ipht.iph_name, $6,
486 sizeof(ipht.iph_name));
488 load_hash(&ipht, $11, poolioctl);
489 while ((h = ipht.iph_list) != NULL) {
490 ipht.iph_list = h->ipe_next;
497 | IPT_GROUPMAP '(' name ';' inout ';' ')'
498 start setgrouplist end
500 bzero((char *)&ipht, sizeof(ipht));
501 strncpy(ipht.iph_name, $3,
502 sizeof(ipht.iph_name));
503 ipht.iph_type = IPHASH_GROUPMAP;
504 ipht.iph_unit = IPL_LOGIPF;
506 load_hash(&ipht, $9, poolioctl);
507 while ((h = ipht.iph_list) != NULL) {
508 ipht.iph_list = h->ipe_next;
517 name: IPT_NAME YY_STR { $$ = $2; }
518 | IPT_NUM YY_NUMBER { char name[80];
519 sprintf(name, "%d", $2);
526 | hashoptlist ';' hashopt ';'
534 dstentries { $$ = $1; }
539 dstentry next { $$ = $1; }
540 | dstentry next dstentries { $1->ipfd_next = $3; $$ = $1; }
544 YY_STR ':' ipaddr { int size = sizeof(*$$) + strlen($1) + 1;
545 $$ = calloc(1, size);
547 $$->ipfd_dest.fd_name = strlen($1) + 1;
548 bcopy($1, $$->ipfd_names,
549 $$->ipfd_dest.fd_name);
550 $$->ipfd_dest.fd_addr = $3;
551 $$->ipfd_size = size;
555 | ipaddr { $$ = calloc(1, sizeof(*$$));
557 $$->ipfd_dest.fd_name = -1;
558 $$->ipfd_dest.fd_addr = $1;
559 $$->ipfd_size = sizeof(*$$);
566 | IPT_POLICY IPT_ROUNDROBIN ';' { $$ = IPLDP_ROUNDROBIN; }
567 | IPT_POLICY IPT_WEIGHTED weighting ';' { $$ = $3; }
568 | IPT_POLICY IPT_RANDOM ';' { $$ = IPLDP_RANDOM; }
569 | IPT_POLICY IPT_HASH ';' { $$ = IPLDP_HASHED; }
570 | IPT_POLICY IPT_SRCHASH ';' { $$ = IPLDP_SRCHASH; }
571 | IPT_POLICY IPT_DSTHASH ';' { $$ = IPLDP_DSTHASH; }
575 IPT_CONNECTION { $$ = IPLDP_CONNECTION; }
578 static wordtab_t yywords[] = {
580 { "auth", IPT_AUTH },
581 { "connection", IPT_CONNECTION },
582 { "count", IPT_COUNT },
583 { "dst-hash", IPT_DSTHASH },
584 { "dstlist", IPT_DSTLIST },
585 { "file", IPT_FILE },
586 { "group", IPT_GROUP },
587 { "group-map", IPT_GROUPMAP },
588 { "hash", IPT_HASH },
591 { "name", IPT_NAME },
593 { "number", IPT_NUM },
595 { "policy", IPT_POLICY },
596 { "pool", IPT_POOL },
597 { "random", IPT_RANDOM },
598 { "round-robin", IPT_ROUNDROBIN },
599 { "role", IPT_ROLE },
600 { "seed", IPT_SEED },
601 { "size", IPT_SIZE },
602 { "src-hash", IPT_SRCHASH },
603 { "table", IPT_TABLE },
604 { "tree", IPT_TREE },
605 { "type", IPT_TYPE },
606 { "weighted", IPT_WEIGHTED },
607 { "whois", IPT_WHOIS },
612 int ippool_parsefile(fd, filename, iocfunc)
621 (void) yysettab(yywords);
623 s = getenv("YYDEBUG");
629 if (strcmp(filename, "-")) {
630 fp = fopen(filename, "r");
632 fprintf(stderr, "fopen(%s) failed: %s\n", filename,
639 while (ippool_parsesome(fd, fp, iocfunc) == 1)
647 int ippool_parsesome(fd, fp, iocfunc)
662 if (ungetc(i, fp) == EOF)
666 s = getenv("YYDEBUG");
682 iphtent_t *htop, *hbot, *h;
685 if (!strncmp(url, "file://", 7) || !strncmp(url, "http://", 7)) {
686 hlist = load_url(url);
690 hlist = calloc(1, sizeof(*hlist));
694 if (gethost(hlist->al_family, url, &hlist->al_i6addr) == -1) {
695 yyerror("Unknown hostname");
702 for (a = hlist; a != NULL; a = a->al_next) {
703 h = calloc(1, sizeof(*h));
707 h->ipe_family = a->al_family;
708 h->ipe_addr = a->al_i6addr;
709 h->ipe_mask = a->al_i6mask;
724 static ip_pool_node_t *
728 ip_pool_node_t *ptop, *pbot, *p;
731 if (!strncmp(url, "file://", 7) || !strncmp(url, "http://", 7)) {
732 hlist = load_url(url);
736 hlist = calloc(1, sizeof(*hlist));
740 if (gethost(hlist->al_family, url, &hlist->al_i6addr) == -1) {
741 yyerror("Unknown hostname");
748 for (a = hlist; a != NULL; a = a->al_next) {
749 p = calloc(1, sizeof(*p));
752 p->ipn_mask.adf_addr = a->al_i6mask;
754 if (a->al_family == AF_INET) {
755 p->ipn_addr.adf_family = AF_INET;
757 } else if (a->al_family == AF_INET6) {
758 p->ipn_addr.adf_family = AF_INET6;
761 setadflen(&p->ipn_addr);
762 p->ipn_addr.adf_addr = a->al_i6addr;
763 p->ipn_info = a->al_not;
764 p->ipn_mask.adf_len = p->ipn_addr.adf_len;
783 ip_pool_node_t *ntop, *ipn, node, *last;
787 fp = fopen(file, "r");
793 while (fgets(line, sizeof(line) - 1, fp) != NULL) {
794 line[sizeof(line) - 1] = '\0';
796 if (parsewhoisline(line, &node.ipn_addr, &node.ipn_mask))
798 ipn = calloc(1, sizeof(*ipn));
801 ipn->ipn_addr = node.ipn_addr;
802 ipn->ipn_mask = node.ipn_mask;
806 last->ipn_next = ipn;
818 afp->adf_len = offsetof(addrfamily_t, adf_addr);
819 switch (afp->adf_family)
822 afp->adf_len += sizeof(struct in_addr);
826 afp->adf_len += sizeof(struct in6_addr);