4 * Copyright (C) 2012 by Darren Reed.
6 * See the IPFILTER.LICENCE file for details on licencing.
11 #include <sys/param.h>
12 #include <sys/socket.h>
13 # include <sys/cdefs.h>
14 #include <sys/ioctl.h>
17 #include <netinet/in.h>
19 #include <arpa/inet.h>
30 #include "netinet/ip_lookup.h"
31 #include "netinet/ip_pool.h"
32 #include "netinet/ip_htable.h"
33 #include "netinet/ip_dstlist.h"
38 #define YYSTACKSIZE 0x00ffffff
40 extern int yyparse __P((void));
44 static iphtable_t ipht;
45 static iphtent_t iphte;
46 static ip_pool_t iplo;
47 static ippool_dst_t ipld;
48 static ioctlfunc_t poolioctl = NULL;
49 static char poolname[FR_GROUPLEN];
51 static iphtent_t *add_htablehosts __P((char *));
52 static ip_pool_node_t *add_poolhosts __P((char *));
53 static ip_pool_node_t *read_whoisfile __P((char *));
54 static void setadflen __P((addrfamily_t *));
62 struct alist_s *alist;
63 addrfamily_t adrmsk[2];
71 %token <num> YY_NUMBER YY_HEX
75 %token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
76 %token YY_RANGE_OUT YY_RANGE_IN
77 %token IPT_IPF IPT_NAT IPT_COUNT IPT_AUTH IPT_IN IPT_OUT IPT_ALL
78 %token IPT_TABLE IPT_GROUPMAP IPT_HASH IPT_SRCHASH IPT_DSTHASH
79 %token IPT_ROLE IPT_TYPE IPT_TREE
80 %token IPT_GROUP IPT_SIZE IPT_SEED IPT_NUM IPT_NAME IPT_POLICY
81 %token IPT_POOL IPT_DSTLIST IPT_ROUNDROBIN
82 %token IPT_WEIGHTED IPT_RANDOM IPT_CONNECTION
83 %token IPT_WHOIS IPT_FILE
84 %type <num> role table inout unit dstopts weighting
85 %type <ipp> ipftree range addrlist
86 %type <adrmsk> addrmask
87 %type <ipe> ipfgroup ipfhash hashlist hashentry
88 %type <ipe> groupentry setgrouplist grouplist
89 %type <ipa> ipaddr mask
91 %type <str> number setgroup name
92 %type <ipd> dstentry dstentries dstlist
101 line: table role ipftree eol { ip_pool_node_t *n;
104 load_pool(&iplo, poolioctl);
105 while ((n = $3) != NULL) {
112 | table role ipfhash eol { iphtent_t *h;
114 ipht.iph_type = IPHASH_LOOKUP;
115 load_hash(&ipht, $3, poolioctl);
116 while ((h = $3) != NULL) {
123 | groupmap role number ipfgroup eol
126 strncpy(ipht.iph_name, $3,
127 sizeof(ipht.iph_name));
128 ipht.iph_type = IPHASH_GROUPMAP;
129 load_hash(&ipht, $4, poolioctl);
130 while ((h = $4) != NULL) {
144 assign: YY_STR assigning YY_STR ';' { set_variable($1, $3);
153 '=' { yyvarnext = 1; }
156 table: IPT_TABLE { bzero((char *)&ipht, sizeof(ipht));
157 bzero((char *)&iphte, sizeof(iphte));
158 bzero((char *)&iplo, sizeof(iplo));
159 bzero((char *)&ipld, sizeof(ipld));
160 *ipht.iph_name = '\0';
161 iplo.ipo_flags = IPHASH_ANON;
162 iplo.ipo_name[0] = '\0';
167 IPT_GROUPMAP inout { bzero((char *)&ipht, sizeof(ipht));
168 bzero((char *)&iphte, sizeof(iphte));
169 *ipht.iph_name = '\0';
170 ipht.iph_unit = IPHASH_GROUPMAP;
175 inout: IPT_IN { $$ = FR_INQUE; }
176 | IPT_OUT { $$ = FR_OUTQUE; }
179 role: IPT_ROLE '=' unit { $$ = $3; }
182 unit: IPT_IPF { $$ = IPL_LOGIPF; }
183 | IPT_NAT { $$ = IPL_LOGNAT; }
184 | IPT_AUTH { $$ = IPL_LOGAUTH; }
185 | IPT_COUNT { $$ = IPL_LOGCOUNT; }
186 | IPT_ALL { $$ = IPL_LOGALL; }
190 IPT_TYPE '=' IPT_TREE number start addrlist end
191 { strncpy(iplo.ipo_name, $4,
192 sizeof(iplo.ipo_name));
198 IPT_TYPE '=' IPT_HASH number hashopts start hashlist end
199 { strncpy(ipht.iph_name, $4,
200 sizeof(ipht.iph_name));
206 setgroup hashopts start grouplist end
208 for (e = $4; e != NULL;
210 if (e->ipe_group[0] == '\0')
211 strncpy(e->ipe_group,
217 | hashopts start setgrouplist end
221 number: IPT_NUM '=' YY_NUMBER { sprintf(poolname, "%u", $3);
224 | IPT_NAME '=' YY_STR { strncpy(poolname, $3,
226 poolname[FR_GROUPLEN-1]='\0';
234 IPT_GROUP '=' YY_STR { char tmp[FR_GROUPLEN+1];
235 strncpy(tmp, $3, FR_GROUPLEN);
239 | IPT_GROUP '=' YY_NUMBER { char tmp[FR_GROUPLEN+1];
240 sprintf(tmp, "%u", $3);
253 | range next addrlist { $$ = $1;
254 while ($1->ipn_next != NULL)
258 | range next { $$ = $1; }
263 | groupentry next grouplist { $$ = $1; $1->ipe_next = $3; }
264 | addrmask next grouplist { $$ = calloc(1, sizeof(iphtent_t));
265 $$->ipe_addr = $1[0].adf_addr;
266 $$->ipe_mask = $1[1].adf_addr;
267 $$->ipe_family = $1[0].adf_family;
270 | groupentry next { $$ = $1; }
271 | addrmask next { $$ = calloc(1, sizeof(iphtent_t));
272 $$->ipe_addr = $1[0].adf_addr;
273 $$->ipe_mask = $1[1].adf_addr;
276 $$->ipe_family = AF_INET6;
279 $$->ipe_family = AF_INET;
281 | YY_STR { $$ = add_htablehosts($1);
288 | groupentry next { $$ = $1; }
289 | groupentry next setgrouplist { $1->ipe_next = $3; $$ = $1; }
293 addrmask ',' setgroup { $$ = calloc(1, sizeof(iphtent_t));
294 $$->ipe_addr = $1[0].adf_addr;
295 $$->ipe_mask = $1[1].adf_addr;
296 strncpy($$->ipe_group, $3,
300 $$->ipe_family = AF_INET6;
303 $$->ipe_family = AF_INET;
308 range: addrmask { $$ = calloc(1, sizeof(*$$));
310 $$->ipn_addr = $1[0];
311 $$->ipn_mask = $1[1];
313 | '!' addrmask { $$ = calloc(1, sizeof(*$$));
315 $$->ipn_addr = $2[0];
316 $$->ipn_mask = $2[1];
318 | YY_STR { $$ = add_poolhosts($1);
321 | IPT_WHOIS IPT_FILE YY_STR { $$ = read_whoisfile($3);
328 | hashentry next { $$ = $1; }
329 | hashentry next hashlist { $1->ipe_next = $3; $$ = $1; }
333 addrmask { $$ = calloc(1, sizeof(iphtent_t));
334 $$->ipe_addr = $1[0].adf_addr;
335 $$->ipe_mask = $1[1].adf_addr;
338 $$->ipe_family = AF_INET6;
341 $$->ipe_family = AF_INET;
343 | YY_STR { $$ = add_htablehosts($1);
349 ipaddr '/' mask { $$[0] = $1;
352 $$[1].adf_len = $$[0].adf_len;
354 | ipaddr { $$[0] = $1;
356 $$[1].adf_len = $$[0].adf_len;
359 memset(&$$[1].adf_addr, 0xff,
360 sizeof($$[1].adf_addr.in6));
363 memset(&$$[1].adf_addr, 0xff,
364 sizeof($$[1].adf_addr.in4));
368 ipaddr: ipv4 { $$.adf_addr.in4 = $1;
369 $$.adf_family = AF_INET;
373 | YY_NUMBER { $$.adf_addr.in4.s_addr = htonl($1);
374 $$.adf_family = AF_INET;
378 | YY_IPV6 { $$.adf_addr = $1;
379 $$.adf_family = AF_INET6;
385 mask: YY_NUMBER { bzero(&$$, sizeof($$));
387 if (ntomask(AF_INET6, $1,
388 (u_32_t *)&$$.adf_addr) == -1)
389 yyerror("bad bitmask");
391 if (ntomask(AF_INET, $1,
392 (u_32_t *)&$$.adf_addr.in4) == -1)
393 yyerror("bad bitmask");
396 | ipv4 { bzero(&$$, sizeof($$));
397 $$.adf_addr.in4 = $1;
399 | YY_IPV6 { bzero(&$$, sizeof($$));
404 size: IPT_SIZE '=' YY_NUMBER { ipht.iph_size = $3; }
407 seed: IPT_SEED '=' YY_NUMBER { ipht.iph_seed = $3; }
410 ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER
411 { if ($1 > 255 || $3 > 255 || $5 > 255 || $7 > 255) {
412 yyerror("Invalid octet string for IP address");
415 $$.s_addr = ($1 << 24) | ($3 << 16) | ($5 << 8) | $7;
416 $$.s_addr = htonl($$.s_addr);
420 next: ';' { yyexpectaddr = 1; }
423 start: '{' { yyexpectaddr = 1; }
426 end: '}' { yyexpectaddr = 0; }
430 IPT_POOL unit '/' IPT_DSTLIST '(' name ';' dstopts ')'
432 { bzero((char *)&ipld, sizeof(ipld));
433 strncpy(ipld.ipld_name, $6,
434 sizeof(ipld.ipld_name));
436 ipld.ipld_policy = $8;
437 load_dstlist(&ipld, poolioctl, $11);
442 | IPT_POOL unit '/' IPT_TREE '(' name ';' ')'
444 { bzero((char *)&iplo, sizeof(iplo));
445 strncpy(iplo.ipo_name, $6,
446 sizeof(iplo.ipo_name));
449 load_pool(&iplo, poolioctl);
454 | IPT_POOL '(' name ';' ')' start addrlist end
455 { bzero((char *)&iplo, sizeof(iplo));
456 strncpy(iplo.ipo_name, $3,
457 sizeof(iplo.ipo_name));
459 iplo.ipo_unit = IPL_LOGALL;
460 load_pool(&iplo, poolioctl);
465 | IPT_POOL unit '/' IPT_HASH '(' name ';' hashoptlist ')'
468 bzero((char *)&ipht, sizeof(ipht));
469 strncpy(ipht.iph_name, $6,
470 sizeof(ipht.iph_name));
472 load_hash(&ipht, $11, poolioctl);
473 while ((h = ipht.iph_list) != NULL) {
474 ipht.iph_list = h->ipe_next;
481 | IPT_GROUPMAP '(' name ';' inout ';' ')'
482 start setgrouplist end
484 bzero((char *)&ipht, sizeof(ipht));
485 strncpy(ipht.iph_name, $3,
486 sizeof(ipht.iph_name));
487 ipht.iph_type = IPHASH_GROUPMAP;
488 ipht.iph_unit = IPL_LOGIPF;
490 load_hash(&ipht, $9, poolioctl);
491 while ((h = ipht.iph_list) != NULL) {
492 ipht.iph_list = h->ipe_next;
501 name: IPT_NAME YY_STR { $$ = $2; }
502 | IPT_NUM YY_NUMBER { char name[80];
503 sprintf(name, "%d", $2);
510 | hashoptlist ';' hashopt ';'
518 dstentries { $$ = $1; }
523 dstentry next { $$ = $1; }
524 | dstentry next dstentries { $1->ipfd_next = $3; $$ = $1; }
528 YY_STR ':' ipaddr { int size = sizeof(*$$) + strlen($1) + 1;
529 $$ = calloc(1, size);
531 $$->ipfd_dest.fd_name = strlen($1) + 1;
532 bcopy($1, $$->ipfd_names,
533 $$->ipfd_dest.fd_name);
534 $$->ipfd_dest.fd_addr = $3;
535 $$->ipfd_size = size;
539 | ipaddr { $$ = calloc(1, sizeof(*$$));
541 $$->ipfd_dest.fd_name = -1;
542 $$->ipfd_dest.fd_addr = $1;
543 $$->ipfd_size = sizeof(*$$);
550 | IPT_POLICY IPT_ROUNDROBIN ';' { $$ = IPLDP_ROUNDROBIN; }
551 | IPT_POLICY IPT_WEIGHTED weighting ';' { $$ = $3; }
552 | IPT_POLICY IPT_RANDOM ';' { $$ = IPLDP_RANDOM; }
553 | IPT_POLICY IPT_HASH ';' { $$ = IPLDP_HASHED; }
554 | IPT_POLICY IPT_SRCHASH ';' { $$ = IPLDP_SRCHASH; }
555 | IPT_POLICY IPT_DSTHASH ';' { $$ = IPLDP_DSTHASH; }
559 IPT_CONNECTION { $$ = IPLDP_CONNECTION; }
562 static wordtab_t yywords[] = {
564 { "auth", IPT_AUTH },
565 { "connection", IPT_CONNECTION },
566 { "count", IPT_COUNT },
567 { "dst-hash", IPT_DSTHASH },
568 { "dstlist", IPT_DSTLIST },
569 { "file", IPT_FILE },
570 { "group", IPT_GROUP },
571 { "group-map", IPT_GROUPMAP },
572 { "hash", IPT_HASH },
575 { "name", IPT_NAME },
577 { "number", IPT_NUM },
579 { "policy", IPT_POLICY },
580 { "pool", IPT_POOL },
581 { "random", IPT_RANDOM },
582 { "round-robin", IPT_ROUNDROBIN },
583 { "role", IPT_ROLE },
584 { "seed", IPT_SEED },
585 { "size", IPT_SIZE },
586 { "src-hash", IPT_SRCHASH },
587 { "table", IPT_TABLE },
588 { "tree", IPT_TREE },
589 { "type", IPT_TYPE },
590 { "weighted", IPT_WEIGHTED },
591 { "whois", IPT_WHOIS },
596 int ippool_parsefile(fd, filename, iocfunc)
605 (void) yysettab(yywords);
607 s = getenv("YYDEBUG");
613 if (strcmp(filename, "-")) {
614 fp = fopen(filename, "r");
616 fprintf(stderr, "fopen(%s) failed: %s\n", filename,
623 while (ippool_parsesome(fd, fp, iocfunc) == 1)
631 int ippool_parsesome(fd, fp, iocfunc)
646 if (ungetc(i, fp) == EOF)
650 s = getenv("YYDEBUG");
666 iphtent_t *htop, *hbot, *h;
669 if (!strncmp(url, "file://", 7) || !strncmp(url, "http://", 7)) {
670 hlist = load_url(url);
674 hlist = calloc(1, sizeof(*hlist));
678 if (gethost(hlist->al_family, url, &hlist->al_i6addr) == -1) {
679 yyerror("Unknown hostname");
686 for (a = hlist; a != NULL; a = a->al_next) {
687 h = calloc(1, sizeof(*h));
691 h->ipe_family = a->al_family;
692 h->ipe_addr = a->al_i6addr;
693 h->ipe_mask = a->al_i6mask;
708 static ip_pool_node_t *
712 ip_pool_node_t *ptop, *pbot, *p;
715 if (!strncmp(url, "file://", 7) || !strncmp(url, "http://", 7)) {
716 hlist = load_url(url);
720 hlist = calloc(1, sizeof(*hlist));
724 if (gethost(hlist->al_family, url, &hlist->al_i6addr) == -1) {
725 yyerror("Unknown hostname");
732 for (a = hlist; a != NULL; a = a->al_next) {
733 p = calloc(1, sizeof(*p));
736 p->ipn_mask.adf_addr = a->al_i6mask;
738 if (a->al_family == AF_INET) {
739 p->ipn_addr.adf_family = AF_INET;
741 } else if (a->al_family == AF_INET6) {
742 p->ipn_addr.adf_family = AF_INET6;
745 setadflen(&p->ipn_addr);
746 p->ipn_addr.adf_addr = a->al_i6addr;
747 p->ipn_info = a->al_not;
748 p->ipn_mask.adf_len = p->ipn_addr.adf_len;
767 ip_pool_node_t *ntop, *ipn, node, *last;
771 fp = fopen(file, "r");
777 while (fgets(line, sizeof(line) - 1, fp) != NULL) {
778 line[sizeof(line) - 1] = '\0';
780 if (parsewhoisline(line, &node.ipn_addr, &node.ipn_mask))
782 ipn = calloc(1, sizeof(*ipn));
785 ipn->ipn_addr = node.ipn_addr;
786 ipn->ipn_mask = node.ipn_mask;
790 last->ipn_next = ipn;
802 afp->adf_len = offsetof(addrfamily_t, adf_addr);
803 switch (afp->adf_family)
806 afp->adf_len += sizeof(struct in_addr);
810 afp->adf_len += sizeof(struct in6_addr);