1 /* $OpenBSD: parse.y,v 1.482 2005/03/07 13:20:03 henning Exp $ */
4 * Copyright (c) 2001 Markus Friedl. All rights reserved.
5 * Copyright (c) 2001 Daniel Hartmeier. All rights reserved.
6 * Copyright (c) 2001 Theo de Raadt. All rights reserved.
7 * Copyright (c) 2002,2003 Henning Brauer. All rights reserved.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 #include <sys/cdefs.h>
31 __FBSDID("$FreeBSD$");
33 #include <sys/types.h>
34 #include <sys/socket.h>
36 #include <netinet/in.h>
37 #include <netinet/in_systm.h>
38 #include <netinet/ip.h>
39 #include <netinet/ip_icmp.h>
40 #include <netinet/icmp6.h>
41 #include <net/pfvar.h>
42 #include <arpa/inet.h>
43 #include <altq/altq.h>
44 #include <altq/altq_cbq.h>
45 #include <altq/altq_priq.h>
46 #include <altq/altq_hfsc.h>
62 #include "pfctl_parser.h"
66 #define HTONL(x) (x) = htonl((__uint32_t)(x))
69 static struct pfctl *pf = NULL;
70 static FILE *fin = NULL;
72 static int lineno = 1;
73 static int errors = 0;
74 static int rulestate = 0;
75 static u_int16_t returnicmpdefault =
76 (ICMP_UNREACH << 8) | ICMP_UNREACH_PORT;
77 static u_int16_t returnicmp6default =
78 (ICMP6_DST_UNREACH << 8) | ICMP6_DST_UNREACH_NOPORT;
79 static int blockpolicy = PFRULE_DROP;
80 static int require_order = 1;
81 static int default_statelock;
94 struct node_proto *next;
95 struct node_proto *tail;
101 struct node_port *next;
102 struct node_port *tail;
108 struct node_uid *next;
109 struct node_uid *tail;
115 struct node_gid *next;
116 struct node_gid *tail;
123 struct node_icmp *next;
124 struct node_icmp *tail;
127 enum { PF_STATE_OPT_MAX, PF_STATE_OPT_NOSYNC, PF_STATE_OPT_SRCTRACK,
128 PF_STATE_OPT_MAX_SRC_STATES, PF_STATE_OPT_MAX_SRC_CONN,
129 PF_STATE_OPT_MAX_SRC_CONN_RATE, PF_STATE_OPT_MAX_SRC_NODES,
130 PF_STATE_OPT_OVERLOAD, PF_STATE_OPT_STATELOCK,
131 PF_STATE_OPT_TIMEOUT };
133 enum { PF_SRCTRACK_NONE, PF_SRCTRACK, PF_SRCTRACK_GLOBAL, PF_SRCTRACK_RULE };
135 struct node_state_opt {
138 u_int32_t max_states;
139 u_int32_t max_src_states;
140 u_int32_t max_src_conn;
147 char tblname[PF_TABLE_NAME_SIZE];
149 u_int32_t max_src_nodes;
157 struct node_state_opt *next;
158 struct node_state_opt *tail;
162 struct node_host *host;
163 struct node_port *port;
167 char queue[PF_QNAME_SIZE];
168 char parent[PF_QNAME_SIZE];
169 char ifname[IFNAMSIZ];
171 struct node_queue *next;
172 struct node_queue *tail;
175 struct node_qassign {
182 #define FOM_FLAGS 0x01
183 #define FOM_ICMP 0x02
185 #define FOM_KEEP 0x08
186 #define FOM_SRCTRACK 0x10
187 struct node_uid *uid;
188 struct node_gid *gid;
195 struct node_icmp *icmpspec;
200 struct node_state_opt *options;
205 struct node_qassign queues;
208 u_int8_t match_tag_not;
211 struct antispoof_opts {
217 #define SOM_MINTTL 0x01
218 #define SOM_MAXMSS 0x02
219 #define SOM_FRAGCACHE 0x04
230 #define QOM_BWSPEC 0x01
231 #define QOM_SCHEDULER 0x02
232 #define QOM_PRIORITY 0x04
233 #define QOM_TBRSIZE 0x08
234 #define QOM_QLIMIT 0x10
235 struct node_queue_bw queue_bwspec;
236 struct node_queue_opt scheduler;
245 struct node_tinithead init_nodes;
250 #define POM_TYPE 0x01
251 #define POM_STICKYADDRESS 0x02
255 struct pf_poolhashkey *key;
260 struct node_hfsc_opts hfsc_opts;
262 int yyerror(const char *, ...);
263 int disallow_table(struct node_host *, const char *);
264 int disallow_alias(struct node_host *, const char *);
265 int rule_consistent(struct pf_rule *);
266 int filter_consistent(struct pf_rule *);
267 int nat_consistent(struct pf_rule *);
268 int rdr_consistent(struct pf_rule *);
269 int process_tabledef(char *, struct table_opts *);
271 void expand_label_str(char *, size_t, const char *, const char *);
272 void expand_label_if(const char *, char *, size_t, const char *);
273 void expand_label_addr(const char *, char *, size_t, u_int8_t,
275 void expand_label_port(const char *, char *, size_t, struct node_port *);
276 void expand_label_proto(const char *, char *, size_t, u_int8_t);
277 void expand_label_nr(const char *, char *, size_t);
278 void expand_label(char *, size_t, const char *, u_int8_t, struct node_host *,
279 struct node_port *, struct node_host *, struct node_port *,
281 void expand_rule(struct pf_rule *, struct node_if *, struct node_host *,
282 struct node_proto *, struct node_os*, struct node_host *,
283 struct node_port *, struct node_host *, struct node_port *,
284 struct node_uid *, struct node_gid *, struct node_icmp *,
286 int expand_altq(struct pf_altq *, struct node_if *, struct node_queue *,
287 struct node_queue_bw bwspec, struct node_queue_opt *);
288 int expand_queue(struct pf_altq *, struct node_if *, struct node_queue *,
289 struct node_queue_bw, struct node_queue_opt *);
290 int expand_skip_interface(struct node_if *);
292 int check_rulestate(int);
293 int kw_cmp(const void *, const void *);
299 int atoul(char *, u_long *);
300 int getservice(char *);
301 int rule_label(struct pf_rule *, char *);
303 TAILQ_HEAD(symhead, sym) symhead = TAILQ_HEAD_INITIALIZER(symhead);
305 TAILQ_ENTRY(sym) entries;
313 int symset(const char *, const char *, int);
314 char *symget(const char *);
316 void decide_address_family(struct node_host *, sa_family_t *);
317 void remove_invalid_hosts(struct node_host **, sa_family_t *);
318 int invalid_redirect(struct node_host *, sa_family_t);
319 u_int16_t parseicmpspec(char *, sa_family_t);
321 TAILQ_HEAD(loadanchorshead, loadanchors)
322 loadanchorshead = TAILQ_HEAD_INITIALIZER(loadanchorshead);
325 TAILQ_ENTRY(loadanchors) entries;
346 struct node_if *interface;
347 struct node_proto *proto;
348 struct node_icmp *icmp;
349 struct node_host *host;
351 struct node_port *port;
352 struct node_uid *uid;
353 struct node_gid *gid;
354 struct node_state_opt *state_opt;
357 struct peer src, dst;
358 struct node_os *src_os;
361 struct node_host *host;
365 struct pf_poolhashkey *key;
368 struct node_host *host;
373 struct node_state_opt *options;
383 struct pf_poolhashkey *hashkey;
384 struct node_queue *queue;
385 struct node_queue_opt queue_options;
386 struct node_queue_bw queue_bwspec;
387 struct node_qassign qassign;
388 struct filter_opts filter_opts;
389 struct antispoof_opts antispoof_opts;
390 struct queue_opts queue_opts;
391 struct scrub_opts scrub_opts;
392 struct table_opts table_opts;
393 struct pool_opts pool_opts;
394 struct node_hfsc_opts hfsc_opts;
399 #define DYNIF_MULTIADDR(addr) ((addr).type == PF_ADDR_DYNIFTL && \
400 (!((addr).iflags & PFI_AFLAG_NOALIAS) || \
401 !isdigit((addr).v.ifname[strlen((addr).v.ifname)-1])))
405 %token PASS BLOCK SCRUB RETURN IN OS OUT LOG LOGALL QUICK ON FROM TO FLAGS
406 %token RETURNRST RETURNICMP RETURNICMP6 PROTO INET INET6 ALL ANY ICMPTYPE
407 %token ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW NODF
408 %token MINTTL ERROR ALLOWOPTS FASTROUTE FILENAME ROUTETO DUPTO REPLYTO NO LABEL
409 %token NOROUTE FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE
410 %token REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR
411 %token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY RANDOMID
412 %token REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID
414 %token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT PROBABILITY
415 %token ALTQ CBQ PRIQ HFSC BANDWIDTH TBRSIZE LINKSHARE REALTIME UPPERLIMIT
416 %token QUEUE PRIORITY QLIMIT
418 %token STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE
419 %token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH
420 %token TAGGED TAG IFBOUND GRBOUND FLOATING STATEPOLICY ROUTE
421 %token <v.string> STRING
422 %token <v.i> PORTBINARY
423 %type <v.interface> interface if_list if_item_not if_item
424 %type <v.number> number icmptype icmp6type uid gid
425 %type <v.number> tos not yesno natpass
426 %type <v.i> no dir log af fragcache sourcetrack flush
427 %type <v.i> unaryop statelock
428 %type <v.b> action nataction scrubaction
429 %type <v.b> flags flag blockspec
430 %type <v.range> port rport
431 %type <v.hashkey> hashkey
432 %type <v.proto> proto proto_list proto_item
433 %type <v.icmp> icmpspec
434 %type <v.icmp> icmp_list icmp_item
435 %type <v.icmp> icmp6_list icmp6_item
436 %type <v.fromto> fromto
437 %type <v.peer> ipportspec from to
438 %type <v.host> ipspec xhost host dynaddr host_list
439 %type <v.host> redir_host_list redirspec
440 %type <v.host> route_host route_host_list routespec
441 %type <v.os> os xos os_list
442 %type <v.port> portspec port_list port_item
443 %type <v.uid> uids uid_list uid_item
444 %type <v.gid> gids gid_list gid_item
445 %type <v.route> route
446 %type <v.redirection> redirection redirpool
447 %type <v.string> label string tag
448 %type <v.keep_state> keep
449 %type <v.state_opt> state_opt_spec state_opt_list state_opt_item
450 %type <v.logquick> logquick
451 %type <v.interface> antispoof_ifspc antispoof_iflst antispoof_if
452 %type <v.qassign> qname
453 %type <v.queue> qassign qassign_list qassign_item
454 %type <v.queue_options> scheduler
455 %type <v.number> cbqflags_list cbqflags_item
456 %type <v.number> priqflags_list priqflags_item
457 %type <v.hfsc_opts> hfscopts_list hfscopts_item hfsc_opts
458 %type <v.queue_bwspec> bandwidth
459 %type <v.filter_opts> filter_opts filter_opt filter_opts_l
460 %type <v.antispoof_opts> antispoof_opts antispoof_opt antispoof_opts_l
461 %type <v.queue_opts> queue_opts queue_opt queue_opts_l
462 %type <v.scrub_opts> scrub_opts scrub_opt scrub_opts_l
463 %type <v.table_opts> table_opts table_opt table_opts_l
464 %type <v.pool_opts> pool_opts pool_opt pool_opts_l
465 %type <v.tagged> tagged
468 ruleset : /* empty */
470 | ruleset option '\n'
471 | ruleset scrubrule '\n'
472 | ruleset natrule '\n'
473 | ruleset binatrule '\n'
474 | ruleset pfrule '\n'
475 | ruleset anchorrule '\n'
476 | ruleset loadrule '\n'
477 | ruleset altqif '\n'
478 | ruleset queuespec '\n'
479 | ruleset varset '\n'
480 | ruleset antispoof '\n'
481 | ruleset tabledef '\n'
482 | ruleset error '\n' { errors++; }
485 option : SET OPTIMIZATION STRING {
486 if (check_rulestate(PFCTL_STATE_OPTION)) {
490 if (pfctl_set_optimization(pf, $3) != 0) {
491 yyerror("unknown optimization %s", $3);
497 | SET TIMEOUT timeout_spec
498 | SET TIMEOUT '{' timeout_list '}'
499 | SET LIMIT limit_spec
500 | SET LIMIT '{' limit_list '}'
501 | SET LOGINTERFACE STRING {
502 if (check_rulestate(PFCTL_STATE_OPTION)) {
506 if (pfctl_set_logif(pf, $3) != 0) {
507 yyerror("error setting loginterface %s", $3);
513 | SET HOSTID number {
515 yyerror("hostid must be non-zero");
518 if (pfctl_set_hostid(pf, $3) != 0) {
519 yyerror("error setting hostid %08x", $3);
523 | SET BLOCKPOLICY DROP {
524 if (pf->opts & PF_OPT_VERBOSE)
525 printf("set block-policy drop\n");
526 if (check_rulestate(PFCTL_STATE_OPTION))
528 blockpolicy = PFRULE_DROP;
530 | SET BLOCKPOLICY RETURN {
531 if (pf->opts & PF_OPT_VERBOSE)
532 printf("set block-policy return\n");
533 if (check_rulestate(PFCTL_STATE_OPTION))
535 blockpolicy = PFRULE_RETURN;
537 | SET REQUIREORDER yesno {
538 if (pf->opts & PF_OPT_VERBOSE)
539 printf("set require-order %s\n",
540 $3 == 1 ? "yes" : "no");
543 | SET FINGERPRINTS STRING {
544 if (pf->opts & PF_OPT_VERBOSE)
545 printf("set fingerprints %s\n", $3);
546 if (check_rulestate(PFCTL_STATE_OPTION)) {
550 if (!pf->anchor[0]) {
551 if (pfctl_file_fingerprints(pf->dev,
553 yyerror("error loading "
554 "fingerprints %s", $3);
561 | SET STATEPOLICY statelock {
562 if (pf->opts & PF_OPT_VERBOSE)
565 printf("set state-policy floating\n");
568 printf("set state-policy if-bound\n");
571 printf("set state-policy "
575 default_statelock = $3;
578 if (check_rulestate(PFCTL_STATE_OPTION)) {
582 if (pfctl_set_debug(pf, $3) != 0) {
583 yyerror("error setting debuglevel %s", $3);
589 | SET SKIP interface {
590 if (expand_skip_interface($3) != 0) {
591 yyerror("error setting skip interface(s)");
597 string : string STRING {
598 if (asprintf(&$$, "%s %s", $1, $2) == -1)
599 err(1, "string: asprintf");
606 varset : STRING '=' string {
607 if (pf->opts & PF_OPT_VERBOSE)
608 printf("%s = \"%s\"\n", $1, $3);
609 if (symset($1, $3, 0) == -1)
610 err(1, "cannot store variable %s", $1);
616 anchorrule : ANCHOR string dir interface af proto fromto filter_opts {
619 if (check_rulestate(PFCTL_STATE_FILTER)) {
624 memset(&r, 0, sizeof(r));
630 if (strlcpy(r.match_tagname, $8.match_tag,
631 PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) {
632 yyerror("tag too long, max %u chars",
633 PF_TAG_NAME_SIZE - 1);
636 r.match_tag_not = $8.match_tag_not;
638 decide_address_family($7.src.host, &r.af);
639 decide_address_family($7.dst.host, &r.af);
641 expand_rule(&r, $4, NULL, $6, $7.src_os,
642 $7.src.host, $7.src.port, $7.dst.host, $7.dst.port,
646 | NATANCHOR string interface af proto fromto {
649 if (check_rulestate(PFCTL_STATE_NAT)) {
654 memset(&r, 0, sizeof(r));
658 decide_address_family($6.src.host, &r.af);
659 decide_address_family($6.dst.host, &r.af);
661 expand_rule(&r, $3, NULL, $5, $6.src_os,
662 $6.src.host, $6.src.port, $6.dst.host, $6.dst.port,
666 | RDRANCHOR string interface af proto fromto {
669 if (check_rulestate(PFCTL_STATE_NAT)) {
674 memset(&r, 0, sizeof(r));
678 decide_address_family($6.src.host, &r.af);
679 decide_address_family($6.dst.host, &r.af);
681 if ($6.src.port != NULL) {
682 yyerror("source port parameter not supported"
686 if ($6.dst.port != NULL) {
687 if ($6.dst.port->next != NULL) {
688 yyerror("destination port list "
689 "expansion not supported in "
692 } else if ($6.dst.port->op != PF_OP_EQ) {
693 yyerror("destination port operators"
694 " not supported in rdr-anchor");
697 r.dst.port[0] = $6.dst.port->port[0];
698 r.dst.port[1] = $6.dst.port->port[1];
699 r.dst.port_op = $6.dst.port->op;
702 expand_rule(&r, $3, NULL, $5, $6.src_os,
703 $6.src.host, $6.src.port, $6.dst.host, $6.dst.port,
707 | BINATANCHOR string interface af proto fromto {
710 if (check_rulestate(PFCTL_STATE_NAT)) {
715 memset(&r, 0, sizeof(r));
719 if ($5->next != NULL) {
720 yyerror("proto list expansion"
721 " not supported in binat-anchor");
728 if ($6.src.host != NULL || $6.src.port != NULL ||
729 $6.dst.host != NULL || $6.dst.port != NULL) {
730 yyerror("fromto parameter not supported"
735 decide_address_family($6.src.host, &r.af);
736 decide_address_family($6.dst.host, &r.af);
738 pfctl_add_rule(pf, &r, $2);
743 loadrule : LOAD ANCHOR string FROM string {
744 struct loadanchors *loadanchor;
746 if (strlen($3) >= MAXPATHLEN) {
747 yyerror("anchorname %s too long, max %u\n",
752 loadanchor = calloc(1, sizeof(struct loadanchors));
753 if (loadanchor == NULL)
754 err(1, "loadrule: calloc");
755 if ((loadanchor->anchorname = strdup($3)) == NULL)
756 err(1, "loadrule: strdup");
757 if ((loadanchor->filename = strdup($5)) == NULL)
758 err(1, "loadrule: strdup");
760 TAILQ_INSERT_TAIL(&loadanchorshead, loadanchor,
767 scrubaction : no SCRUB {
776 scrubrule : scrubaction dir logquick interface af proto fromto scrub_opts
780 if (check_rulestate(PFCTL_STATE_SCRUB))
783 memset(&r, 0, sizeof(r));
790 yyerror("scrub rules do not support 'quick'");
796 r.rule_flag |= PFRULE_NODF;
798 r.rule_flag |= PFRULE_RANDOMID;
799 if ($8.reassemble_tcp) {
800 if (r.direction != PF_INOUT) {
801 yyerror("reassemble tcp rules can not "
802 "specify direction");
805 r.rule_flag |= PFRULE_REASSEMBLE_TCP;
808 r.min_ttl = $8.minttl;
810 r.max_mss = $8.maxmss;
812 r.rule_flag |= $8.fragcache;
814 expand_rule(&r, $4, NULL, $6, $7.src_os,
815 $7.src.host, $7.src.port, $7.dst.host, $7.dst.port,
816 NULL, NULL, NULL, "");
821 bzero(&scrub_opts, sizeof scrub_opts);
826 bzero(&scrub_opts, sizeof scrub_opts);
831 scrub_opts_l : scrub_opts_l scrub_opt
836 if (scrub_opts.nodf) {
837 yyerror("no-df cannot be respecified");
843 if (scrub_opts.marker & SOM_MINTTL) {
844 yyerror("min-ttl cannot be respecified");
848 yyerror("illegal min-ttl value %d", $2);
851 scrub_opts.marker |= SOM_MINTTL;
852 scrub_opts.minttl = $2;
855 if (scrub_opts.marker & SOM_MAXMSS) {
856 yyerror("max-mss cannot be respecified");
860 yyerror("illegal max-mss value %d", $2);
863 scrub_opts.marker |= SOM_MAXMSS;
864 scrub_opts.maxmss = $2;
867 if (scrub_opts.marker & SOM_FRAGCACHE) {
868 yyerror("fragcache cannot be respecified");
871 scrub_opts.marker |= SOM_FRAGCACHE;
872 scrub_opts.fragcache = $1;
874 | REASSEMBLE STRING {
875 if (strcasecmp($2, "tcp") != 0) {
876 yyerror("scrub reassemble supports only tcp, "
882 if (scrub_opts.reassemble_tcp) {
883 yyerror("reassemble tcp cannot be respecified");
886 scrub_opts.reassemble_tcp = 1;
889 if (scrub_opts.randomid) {
890 yyerror("random-id cannot be respecified");
893 scrub_opts.randomid = 1;
897 fragcache : FRAGMENT REASSEMBLE { $$ = 0; /* default */ }
898 | FRAGMENT FRAGCROP { $$ = PFRULE_FRAGCROP; }
899 | FRAGMENT FRAGDROP { $$ = PFRULE_FRAGDROP; }
902 antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts {
904 struct node_host *h = NULL, *hh;
905 struct node_if *i, *j;
907 if (check_rulestate(PFCTL_STATE_FILTER))
910 for (i = $3; i; i = i->next) {
911 bzero(&r, sizeof(r));
918 if (rule_label(&r, $5.label))
920 j = calloc(1, sizeof(struct node_if));
922 err(1, "antispoof: calloc");
923 if (strlcpy(j->ifname, i->ifname,
924 sizeof(j->ifname)) >= sizeof(j->ifname)) {
926 yyerror("interface name too long");
931 h = calloc(1, sizeof(*h));
933 err(1, "address: calloc");
934 h->addr.type = PF_ADDR_DYNIFTL;
936 if (strlcpy(h->addr.v.ifname, i->ifname,
937 sizeof(h->addr.v.ifname)) >=
938 sizeof(h->addr.v.ifname)) {
941 "interface name too long");
944 hh = malloc(sizeof(*hh));
946 err(1, "address: malloc");
947 bcopy(h, hh, sizeof(*hh));
948 h->addr.iflags = PFI_AFLAG_NETWORK;
950 h = ifa_lookup(j->ifname,
956 expand_rule(&r, j, NULL, NULL, NULL, h,
957 NULL, NULL, NULL, NULL, NULL,
960 if ((i->ifa_flags & IFF_LOOPBACK) == 0) {
961 bzero(&r, sizeof(r));
968 if (rule_label(&r, $5.label))
973 h = ifa_lookup(i->ifname, 0);
975 expand_rule(&r, NULL, NULL,
976 NULL, NULL, h, NULL, NULL,
977 NULL, NULL, NULL, NULL, "");
985 antispoof_ifspc : FOR antispoof_if { $$ = $2; }
986 | FOR '{' antispoof_iflst '}' { $$ = $3; }
989 antispoof_iflst : antispoof_if { $$ = $1; }
990 | antispoof_iflst comma antispoof_if {
997 antispoof_if : if_item { $$ = $1; }
1004 antispoof_opts : { bzero(&antispoof_opts, sizeof antispoof_opts); }
1006 { $$ = antispoof_opts; }
1008 bzero(&antispoof_opts, sizeof antispoof_opts);
1009 $$ = antispoof_opts;
1013 antispoof_opts_l : antispoof_opts_l antispoof_opt
1017 antispoof_opt : label {
1018 if (antispoof_opts.label) {
1019 yyerror("label cannot be redefined");
1022 antispoof_opts.label = $1;
1026 not : '!' { $$ = 1; }
1027 | /* empty */ { $$ = 0; }
1030 tabledef : TABLE '<' STRING '>' table_opts {
1031 struct node_host *h, *nh;
1032 struct node_tinit *ti, *nti;
1034 if (strlen($3) >= PF_TABLE_NAME_SIZE) {
1035 yyerror("table name too long, max %d chars",
1036 PF_TABLE_NAME_SIZE - 1);
1040 if (pf->loadopt & PFCTL_FLAG_TABLE)
1041 if (process_tabledef($3, &$5)) {
1046 for (ti = SIMPLEQ_FIRST(&$5.init_nodes);
1047 ti != SIMPLEQ_END(&$5.init_nodes); ti = nti) {
1050 for (h = ti->host; h != NULL; h = nh) {
1054 nti = SIMPLEQ_NEXT(ti, entries);
1061 bzero(&table_opts, sizeof table_opts);
1062 SIMPLEQ_INIT(&table_opts.init_nodes);
1065 { $$ = table_opts; }
1068 bzero(&table_opts, sizeof table_opts);
1069 SIMPLEQ_INIT(&table_opts.init_nodes);
1074 table_opts_l : table_opts_l table_opt
1078 table_opt : STRING {
1079 if (!strcmp($1, "const"))
1080 table_opts.flags |= PFR_TFLAG_CONST;
1081 else if (!strcmp($1, "persist"))
1082 table_opts.flags |= PFR_TFLAG_PERSIST;
1084 yyerror("invalid table option '%s'", $1);
1090 | '{' '}' { table_opts.init_addr = 1; }
1091 | '{' host_list '}' {
1092 struct node_host *n;
1093 struct node_tinit *ti;
1095 for (n = $2; n != NULL; n = n->next) {
1096 switch (n->addr.type) {
1097 case PF_ADDR_ADDRMASK:
1099 case PF_ADDR_DYNIFTL:
1100 yyerror("dynamic addresses are not "
1101 "permitted inside tables");
1104 yyerror("tables cannot contain tables");
1106 case PF_ADDR_NOROUTE:
1107 yyerror("\"no-route\" is not permitted "
1111 yyerror("unknown address type %d",
1116 if (!(ti = calloc(1, sizeof(*ti))))
1117 err(1, "table_opt: calloc");
1119 SIMPLEQ_INSERT_TAIL(&table_opts.init_nodes, ti,
1121 table_opts.init_addr = 1;
1124 struct node_tinit *ti;
1126 if (!(ti = calloc(1, sizeof(*ti))))
1127 err(1, "table_opt: calloc");
1129 SIMPLEQ_INSERT_TAIL(&table_opts.init_nodes, ti,
1131 table_opts.init_addr = 1;
1135 altqif : ALTQ interface queue_opts QUEUE qassign {
1138 if (check_rulestate(PFCTL_STATE_QUEUE))
1141 memset(&a, 0, sizeof(a));
1142 if ($3.scheduler.qtype == ALTQT_NONE) {
1143 yyerror("no scheduler specified!");
1146 a.scheduler = $3.scheduler.qtype;
1147 a.qlimit = $3.qlimit;
1148 a.tbrsize = $3.tbrsize;
1150 yyerror("no child queues specified");
1153 if (expand_altq(&a, $2, $5, $3.queue_bwspec,
1159 queuespec : QUEUE STRING interface queue_opts qassign {
1162 if (check_rulestate(PFCTL_STATE_QUEUE)) {
1167 memset(&a, 0, sizeof(a));
1169 if (strlcpy(a.qname, $2, sizeof(a.qname)) >=
1171 yyerror("queue name too long (max "
1172 "%d chars)", PF_QNAME_SIZE-1);
1178 yyerror("cannot specify tbrsize for queue");
1181 if ($4.priority > 255) {
1182 yyerror("priority out of range: max 255");
1185 a.priority = $4.priority;
1186 a.qlimit = $4.qlimit;
1187 a.scheduler = $4.scheduler.qtype;
1188 if (expand_queue(&a, $3, $5, $4.queue_bwspec,
1190 yyerror("errors in queue definition");
1197 bzero(&queue_opts, sizeof queue_opts);
1198 queue_opts.priority = DEFAULT_PRIORITY;
1199 queue_opts.qlimit = DEFAULT_QLIMIT;
1200 queue_opts.scheduler.qtype = ALTQT_NONE;
1201 queue_opts.queue_bwspec.bw_percent = 100;
1204 { $$ = queue_opts; }
1206 bzero(&queue_opts, sizeof queue_opts);
1207 queue_opts.priority = DEFAULT_PRIORITY;
1208 queue_opts.qlimit = DEFAULT_QLIMIT;
1209 queue_opts.scheduler.qtype = ALTQT_NONE;
1210 queue_opts.queue_bwspec.bw_percent = 100;
1215 queue_opts_l : queue_opts_l queue_opt
1219 queue_opt : BANDWIDTH bandwidth {
1220 if (queue_opts.marker & QOM_BWSPEC) {
1221 yyerror("bandwidth cannot be respecified");
1224 queue_opts.marker |= QOM_BWSPEC;
1225 queue_opts.queue_bwspec = $2;
1228 if (queue_opts.marker & QOM_PRIORITY) {
1229 yyerror("priority cannot be respecified");
1233 yyerror("priority out of range: max 255");
1236 queue_opts.marker |= QOM_PRIORITY;
1237 queue_opts.priority = $2;
1240 if (queue_opts.marker & QOM_QLIMIT) {
1241 yyerror("qlimit cannot be respecified");
1245 yyerror("qlimit out of range: max 65535");
1248 queue_opts.marker |= QOM_QLIMIT;
1249 queue_opts.qlimit = $2;
1252 if (queue_opts.marker & QOM_SCHEDULER) {
1253 yyerror("scheduler cannot be respecified");
1256 queue_opts.marker |= QOM_SCHEDULER;
1257 queue_opts.scheduler = $1;
1260 if (queue_opts.marker & QOM_TBRSIZE) {
1261 yyerror("tbrsize cannot be respecified");
1265 yyerror("tbrsize too big: max 65535");
1268 queue_opts.marker |= QOM_TBRSIZE;
1269 queue_opts.tbrsize = $2;
1273 bandwidth : STRING {
1279 bps = strtod($1, &cp);
1281 if (!strcmp(cp, "b"))
1283 else if (!strcmp(cp, "Kb"))
1285 else if (!strcmp(cp, "Mb"))
1287 else if (!strcmp(cp, "Gb"))
1288 bps *= 1000 * 1000 * 1000;
1289 else if (!strcmp(cp, "%")) {
1290 if (bps < 0 || bps > 100) {
1291 yyerror("bandwidth spec "
1296 $$.bw_percent = bps;
1299 yyerror("unknown unit %s", cp);
1305 $$.bw_absolute = (u_int32_t)bps;
1310 $$.qtype = ALTQT_CBQ;
1311 $$.data.cbq_opts.flags = 0;
1313 | CBQ '(' cbqflags_list ')' {
1314 $$.qtype = ALTQT_CBQ;
1315 $$.data.cbq_opts.flags = $3;
1318 $$.qtype = ALTQT_PRIQ;
1319 $$.data.priq_opts.flags = 0;
1321 | PRIQ '(' priqflags_list ')' {
1322 $$.qtype = ALTQT_PRIQ;
1323 $$.data.priq_opts.flags = $3;
1326 $$.qtype = ALTQT_HFSC;
1327 bzero(&$$.data.hfsc_opts,
1328 sizeof(struct node_hfsc_opts));
1330 | HFSC '(' hfsc_opts ')' {
1331 $$.qtype = ALTQT_HFSC;
1332 $$.data.hfsc_opts = $3;
1336 cbqflags_list : cbqflags_item { $$ |= $1; }
1337 | cbqflags_list comma cbqflags_item { $$ |= $3; }
1340 cbqflags_item : STRING {
1341 if (!strcmp($1, "default"))
1342 $$ = CBQCLF_DEFCLASS;
1343 else if (!strcmp($1, "borrow"))
1345 else if (!strcmp($1, "red"))
1347 else if (!strcmp($1, "ecn"))
1348 $$ = CBQCLF_RED|CBQCLF_ECN;
1349 else if (!strcmp($1, "rio"))
1352 yyerror("unknown cbq flag \"%s\"", $1);
1360 priqflags_list : priqflags_item { $$ |= $1; }
1361 | priqflags_list comma priqflags_item { $$ |= $3; }
1364 priqflags_item : STRING {
1365 if (!strcmp($1, "default"))
1366 $$ = PRCF_DEFAULTCLASS;
1367 else if (!strcmp($1, "red"))
1369 else if (!strcmp($1, "ecn"))
1370 $$ = PRCF_RED|PRCF_ECN;
1371 else if (!strcmp($1, "rio"))
1374 yyerror("unknown priq flag \"%s\"", $1);
1384 sizeof(struct node_hfsc_opts));
1391 hfscopts_list : hfscopts_item
1392 | hfscopts_list comma hfscopts_item
1395 hfscopts_item : LINKSHARE bandwidth {
1396 if (hfsc_opts.linkshare.used) {
1397 yyerror("linkshare already specified");
1400 hfsc_opts.linkshare.m2 = $2;
1401 hfsc_opts.linkshare.used = 1;
1403 | LINKSHARE '(' bandwidth comma number comma bandwidth ')'
1405 if (hfsc_opts.linkshare.used) {
1406 yyerror("linkshare already specified");
1409 hfsc_opts.linkshare.m1 = $3;
1410 hfsc_opts.linkshare.d = $5;
1411 hfsc_opts.linkshare.m2 = $7;
1412 hfsc_opts.linkshare.used = 1;
1414 | REALTIME bandwidth {
1415 if (hfsc_opts.realtime.used) {
1416 yyerror("realtime already specified");
1419 hfsc_opts.realtime.m2 = $2;
1420 hfsc_opts.realtime.used = 1;
1422 | REALTIME '(' bandwidth comma number comma bandwidth ')'
1424 if (hfsc_opts.realtime.used) {
1425 yyerror("realtime already specified");
1428 hfsc_opts.realtime.m1 = $3;
1429 hfsc_opts.realtime.d = $5;
1430 hfsc_opts.realtime.m2 = $7;
1431 hfsc_opts.realtime.used = 1;
1433 | UPPERLIMIT bandwidth {
1434 if (hfsc_opts.upperlimit.used) {
1435 yyerror("upperlimit already specified");
1438 hfsc_opts.upperlimit.m2 = $2;
1439 hfsc_opts.upperlimit.used = 1;
1441 | UPPERLIMIT '(' bandwidth comma number comma bandwidth ')'
1443 if (hfsc_opts.upperlimit.used) {
1444 yyerror("upperlimit already specified");
1447 hfsc_opts.upperlimit.m1 = $3;
1448 hfsc_opts.upperlimit.d = $5;
1449 hfsc_opts.upperlimit.m2 = $7;
1450 hfsc_opts.upperlimit.used = 1;
1453 if (!strcmp($1, "default"))
1454 hfsc_opts.flags |= HFCF_DEFAULTCLASS;
1455 else if (!strcmp($1, "red"))
1456 hfsc_opts.flags |= HFCF_RED;
1457 else if (!strcmp($1, "ecn"))
1458 hfsc_opts.flags |= HFCF_RED|HFCF_ECN;
1459 else if (!strcmp($1, "rio"))
1460 hfsc_opts.flags |= HFCF_RIO;
1462 yyerror("unknown hfsc flag \"%s\"", $1);
1470 qassign : /* empty */ { $$ = NULL; }
1471 | qassign_item { $$ = $1; }
1472 | '{' qassign_list '}' { $$ = $2; }
1475 qassign_list : qassign_item { $$ = $1; }
1476 | qassign_list comma qassign_item {
1477 $1->tail->next = $3;
1483 qassign_item : STRING {
1484 $$ = calloc(1, sizeof(struct node_queue));
1486 err(1, "qassign_item: calloc");
1487 if (strlcpy($$->queue, $1, sizeof($$->queue)) >=
1488 sizeof($$->queue)) {
1489 yyerror("queue name '%s' too long (max "
1490 "%d chars)", $1, sizeof($$->queue)-1);
1501 pfrule : action dir logquick interface route af proto fromto
1505 struct node_state_opt *o;
1506 struct node_proto *proto;
1510 if (check_rulestate(PFCTL_STATE_FILTER))
1513 memset(&r, 0, sizeof(r));
1517 case PFRULE_RETURNRST:
1518 r.rule_flag |= PFRULE_RETURNRST;
1519 r.return_ttl = $1.w;
1521 case PFRULE_RETURNICMP:
1522 r.rule_flag |= PFRULE_RETURNICMP;
1523 r.return_icmp = $1.w;
1524 r.return_icmp6 = $1.w2;
1527 r.rule_flag |= PFRULE_RETURN;
1528 r.return_icmp = $1.w;
1529 r.return_icmp6 = $1.w2;
1539 if (strlcpy(r.tagname, $9.tag,
1540 PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) {
1541 yyerror("tag too long, max %u chars",
1542 PF_TAG_NAME_SIZE - 1);
1546 if (strlcpy(r.match_tagname, $9.match_tag,
1547 PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) {
1548 yyerror("tag too long, max %u chars",
1549 PF_TAG_NAME_SIZE - 1);
1552 r.match_tag_not = $9.match_tag_not;
1553 r.flags = $9.flags.b1;
1554 r.flagset = $9.flags.b2;
1555 if (rule_label(&r, $9.label))
1558 if ($9.flags.b1 || $9.flags.b2 || $8.src_os) {
1559 for (proto = $7; proto != NULL &&
1560 proto->proto != IPPROTO_TCP;
1561 proto = proto->next)
1563 if (proto == NULL && $7 != NULL) {
1564 if ($9.flags.b1 || $9.flags.b2)
1566 "flags only apply to tcp");
1569 "OS fingerprinting only "
1574 if (($9.flags.b1 & parse_flags("S")) == 0 &&
1576 yyerror("OS fingerprinting requires "
1577 "the SYN TCP flag (flags S/SA)");
1584 r.keep_state = $9.keep.action;
1585 o = $9.keep.options;
1587 struct node_state_opt *p = o;
1590 case PF_STATE_OPT_MAX:
1592 yyerror("state option 'max' "
1593 "multiple definitions");
1596 r.max_states = o->data.max_states;
1598 case PF_STATE_OPT_NOSYNC:
1599 if (r.rule_flag & PFRULE_NOSYNC) {
1600 yyerror("state option 'sync' "
1601 "multiple definitions");
1604 r.rule_flag |= PFRULE_NOSYNC;
1606 case PF_STATE_OPT_SRCTRACK:
1608 yyerror("state option "
1610 "multiple definitions");
1613 srctrack = o->data.src_track;
1614 r.rule_flag |= PFRULE_SRCTRACK;
1616 case PF_STATE_OPT_MAX_SRC_STATES:
1617 if (r.max_src_states) {
1618 yyerror("state option "
1620 "multiple definitions");
1623 if (o->data.max_src_states == 0) {
1624 yyerror("'max-src-states' must "
1629 o->data.max_src_states;
1630 r.rule_flag |= PFRULE_SRCTRACK;
1632 case PF_STATE_OPT_OVERLOAD:
1633 if (r.overload_tblname[0]) {
1634 yyerror("multiple 'overload' "
1635 "table definitions");
1638 if (strlcpy(r.overload_tblname,
1639 o->data.overload.tblname,
1640 PF_TABLE_NAME_SIZE) >=
1641 PF_TABLE_NAME_SIZE) {
1642 yyerror("state option: "
1646 r.flush = o->data.overload.flush;
1648 case PF_STATE_OPT_MAX_SRC_CONN:
1649 if (r.max_src_conn) {
1650 yyerror("state option "
1652 "multiple definitions");
1655 if (o->data.max_src_conn == 0) {
1656 yyerror("'max-src-conn' "
1661 o->data.max_src_conn;
1662 r.rule_flag |= PFRULE_SRCTRACK |
1663 PFRULE_RULESRCTRACK;
1665 case PF_STATE_OPT_MAX_SRC_CONN_RATE:
1666 if (r.max_src_conn_rate.limit) {
1667 yyerror("state option "
1668 "'max-src-conn-rate' "
1669 "multiple definitions");
1672 if (!o->data.max_src_conn_rate.limit ||
1673 !o->data.max_src_conn_rate.seconds) {
1674 yyerror("'max-src-conn-rate' "
1675 "values must be > 0");
1678 if (o->data.max_src_conn_rate.limit >
1680 yyerror("'max-src-conn-rate' "
1681 "maximum rate must be < %u",
1685 r.max_src_conn_rate.limit =
1686 o->data.max_src_conn_rate.limit;
1687 r.max_src_conn_rate.seconds =
1688 o->data.max_src_conn_rate.seconds;
1689 r.rule_flag |= PFRULE_SRCTRACK |
1690 PFRULE_RULESRCTRACK;
1692 case PF_STATE_OPT_MAX_SRC_NODES:
1693 if (r.max_src_nodes) {
1694 yyerror("state option "
1696 "multiple definitions");
1699 if (o->data.max_src_nodes == 0) {
1700 yyerror("'max-src-nodes' must "
1705 o->data.max_src_nodes;
1706 r.rule_flag |= PFRULE_SRCTRACK |
1707 PFRULE_RULESRCTRACK;
1709 case PF_STATE_OPT_STATELOCK:
1711 yyerror("state locking option: "
1712 "multiple definitions");
1716 r.rule_flag |= o->data.statelock;
1718 case PF_STATE_OPT_TIMEOUT:
1719 if (r.timeout[o->data.timeout.number]) {
1720 yyerror("state timeout %s "
1721 "multiple definitions",
1722 pf_timeouts[o->data.
1723 timeout.number].name);
1726 r.timeout[o->data.timeout.number] =
1727 o->data.timeout.seconds;
1732 if (r.rule_flag & PFRULE_SRCTRACK) {
1733 if (srctrack == PF_SRCTRACK_GLOBAL &&
1735 yyerror("'max-src-nodes' is "
1736 "incompatible with "
1737 "'source-track global'");
1740 if (srctrack == PF_SRCTRACK_GLOBAL &&
1742 yyerror("'max-src-conn' is "
1743 "incompatible with "
1744 "'source-track global'");
1747 if (srctrack == PF_SRCTRACK_GLOBAL &&
1748 r.max_src_conn_rate.seconds) {
1749 yyerror("'max-src-conn-rate' is "
1750 "incompatible with "
1751 "'source-track global'");
1754 if (r.timeout[PFTM_SRC_NODE] <
1755 r.max_src_conn_rate.seconds)
1756 r.timeout[PFTM_SRC_NODE] =
1757 r.max_src_conn_rate.seconds;
1758 r.rule_flag |= PFRULE_SRCTRACK;
1759 if (srctrack == PF_SRCTRACK_RULE)
1760 r.rule_flag |= PFRULE_RULESRCTRACK;
1762 if (r.keep_state && !statelock)
1763 r.rule_flag |= default_statelock;
1766 r.rule_flag |= PFRULE_FRAGMENT;
1767 r.allow_opts = $9.allowopts;
1769 decide_address_family($8.src.host, &r.af);
1770 decide_address_family($8.dst.host, &r.af);
1774 yyerror("direction must be explicit "
1775 "with rules that specify routing");
1779 r.rpool.opts = $5.pool_opts;
1781 memcpy(&r.rpool.key, $5.key,
1782 sizeof(struct pf_poolhashkey));
1784 if (r.rt && r.rt != PF_FASTROUTE) {
1785 decide_address_family($5.host, &r.af);
1786 remove_invalid_hosts(&$5.host, &r.af);
1787 if ($5.host == NULL) {
1788 yyerror("no routing address with "
1789 "matching address family found.");
1792 if ((r.rpool.opts & PF_POOL_TYPEMASK) ==
1793 PF_POOL_NONE && ($5.host->next != NULL ||
1794 $5.host->addr.type == PF_ADDR_TABLE ||
1795 DYNIF_MULTIADDR($5.host->addr)))
1796 r.rpool.opts |= PF_POOL_ROUNDROBIN;
1797 if ((r.rpool.opts & PF_POOL_TYPEMASK) !=
1798 PF_POOL_ROUNDROBIN &&
1799 disallow_table($5.host, "tables are only "
1800 "supported in round-robin routing pools"))
1802 if ((r.rpool.opts & PF_POOL_TYPEMASK) !=
1803 PF_POOL_ROUNDROBIN &&
1804 disallow_alias($5.host, "interface (%s) "
1805 "is only supported in round-robin "
1808 if ($5.host->next != NULL) {
1809 if ((r.rpool.opts & PF_POOL_TYPEMASK) !=
1810 PF_POOL_ROUNDROBIN) {
1811 yyerror("r.rpool.opts must "
1812 "be PF_POOL_ROUNDROBIN");
1817 if ($9.queues.qname != NULL) {
1818 if (strlcpy(r.qname, $9.queues.qname,
1819 sizeof(r.qname)) >= sizeof(r.qname)) {
1820 yyerror("rule qname too long (max "
1821 "%d chars)", sizeof(r.qname)-1);
1824 free($9.queues.qname);
1826 if ($9.queues.pqname != NULL) {
1827 if (strlcpy(r.pqname, $9.queues.pqname,
1828 sizeof(r.pqname)) >= sizeof(r.pqname)) {
1829 yyerror("rule pqname too long (max "
1830 "%d chars)", sizeof(r.pqname)-1);
1833 free($9.queues.pqname);
1836 expand_rule(&r, $4, $5.host, $7, $8.src_os,
1837 $8.src.host, $8.src.port, $8.dst.host, $8.dst.port,
1838 $9.uid, $9.gid, $9.icmpspec, "");
1842 filter_opts : { bzero(&filter_opts, sizeof filter_opts); }
1844 { $$ = filter_opts; }
1846 bzero(&filter_opts, sizeof filter_opts);
1851 filter_opts_l : filter_opts_l filter_opt
1855 filter_opt : USER uids {
1856 if (filter_opts.uid)
1857 $2->tail->next = filter_opts.uid;
1858 filter_opts.uid = $2;
1861 if (filter_opts.gid)
1862 $2->tail->next = filter_opts.gid;
1863 filter_opts.gid = $2;
1866 if (filter_opts.marker & FOM_FLAGS) {
1867 yyerror("flags cannot be redefined");
1870 filter_opts.marker |= FOM_FLAGS;
1871 filter_opts.flags.b1 |= $1.b1;
1872 filter_opts.flags.b2 |= $1.b2;
1873 filter_opts.flags.w |= $1.w;
1874 filter_opts.flags.w2 |= $1.w2;
1877 if (filter_opts.marker & FOM_ICMP) {
1878 yyerror("icmp-type cannot be redefined");
1881 filter_opts.marker |= FOM_ICMP;
1882 filter_opts.icmpspec = $1;
1885 if (filter_opts.marker & FOM_TOS) {
1886 yyerror("tos cannot be redefined");
1889 filter_opts.marker |= FOM_TOS;
1890 filter_opts.tos = $1;
1893 if (filter_opts.marker & FOM_KEEP) {
1894 yyerror("modulate or keep cannot be redefined");
1897 filter_opts.marker |= FOM_KEEP;
1898 filter_opts.keep.action = $1.action;
1899 filter_opts.keep.options = $1.options;
1902 filter_opts.fragment = 1;
1905 filter_opts.allowopts = 1;
1908 if (filter_opts.label) {
1909 yyerror("label cannot be redefined");
1912 filter_opts.label = $1;
1915 if (filter_opts.queues.qname) {
1916 yyerror("queue cannot be redefined");
1919 filter_opts.queues = $1;
1922 filter_opts.tag = $2;
1924 | not TAGGED string {
1925 filter_opts.match_tag = $3;
1926 filter_opts.match_tag_not = $1;
1928 | PROBABILITY STRING {
1930 double p = strtod($2, &e);
1937 yyerror("invalid probability: %s", $2);
1941 p = floor(p * (UINT_MAX+1.0) + 0.5);
1942 if (p < 1.0 || p >= (UINT_MAX+1.0)) {
1943 yyerror("invalid probability: %s", $2);
1947 filter_opts.prob = (u_int32_t)p;
1952 action : PASS { $$.b1 = PF_PASS; $$.b2 = $$.w = 0; }
1953 | BLOCK blockspec { $$ = $2; $$.b1 = PF_DROP; }
1956 blockspec : /* empty */ {
1957 $$.b2 = blockpolicy;
1958 $$.w = returnicmpdefault;
1959 $$.w2 = returnicmp6default;
1962 $$.b2 = PFRULE_DROP;
1967 $$.b2 = PFRULE_RETURNRST;
1971 | RETURNRST '(' TTL number ')' {
1973 yyerror("illegal ttl value %d", $4);
1976 $$.b2 = PFRULE_RETURNRST;
1981 $$.b2 = PFRULE_RETURNICMP;
1982 $$.w = returnicmpdefault;
1983 $$.w2 = returnicmp6default;
1986 $$.b2 = PFRULE_RETURNICMP;
1987 $$.w = returnicmpdefault;
1988 $$.w2 = returnicmp6default;
1990 | RETURNICMP '(' STRING ')' {
1991 $$.b2 = PFRULE_RETURNICMP;
1992 if (!($$.w = parseicmpspec($3, AF_INET))) {
1997 $$.w2 = returnicmp6default;
1999 | RETURNICMP6 '(' STRING ')' {
2000 $$.b2 = PFRULE_RETURNICMP;
2001 $$.w = returnicmpdefault;
2002 if (!($$.w2 = parseicmpspec($3, AF_INET6))) {
2008 | RETURNICMP '(' STRING comma STRING ')' {
2009 $$.b2 = PFRULE_RETURNICMP;
2010 if (!($$.w = parseicmpspec($3, AF_INET)) ||
2011 !($$.w2 = parseicmpspec($5, AF_INET6))) {
2020 $$.b2 = PFRULE_RETURN;
2021 $$.w = returnicmpdefault;
2022 $$.w2 = returnicmp6default;
2026 dir : /* empty */ { $$ = 0; }
2027 | IN { $$ = PF_IN; }
2028 | OUT { $$ = PF_OUT; }
2031 logquick : /* empty */ { $$.log = 0; $$.quick = 0; }
2032 | log { $$.log = $1; $$.quick = 0; }
2033 | QUICK { $$.log = 0; $$.quick = 1; }
2034 | log QUICK { $$.log = $1; $$.quick = 1; }
2035 | QUICK log { $$.log = $2; $$.quick = 1; }
2038 log : LOG { $$ = 1; }
2039 | LOGALL { $$ = 2; }
2042 interface : /* empty */ { $$ = NULL; }
2043 | ON if_item_not { $$ = $2; }
2044 | ON '{' if_list '}' { $$ = $3; }
2047 if_list : if_item_not { $$ = $1; }
2048 | if_list comma if_item_not {
2049 $1->tail->next = $3;
2055 if_item_not : not if_item { $$ = $2; $$->not = $1; }
2059 struct node_host *n;
2061 $$ = calloc(1, sizeof(struct node_if));
2063 err(1, "if_item: calloc");
2064 if (strlcpy($$->ifname, $1, sizeof($$->ifname)) >=
2065 sizeof($$->ifname)) {
2068 yyerror("interface name too long");
2072 if ((n = ifa_exists($1, 1)) != NULL)
2073 $$->ifa_flags = n->ifa_flags;
2082 af : /* empty */ { $$ = 0; }
2083 | INET { $$ = AF_INET; }
2084 | INET6 { $$ = AF_INET6; }
2087 proto : /* empty */ { $$ = NULL; }
2088 | PROTO proto_item { $$ = $2; }
2089 | PROTO '{' proto_list '}' { $$ = $3; }
2092 proto_list : proto_item { $$ = $1; }
2093 | proto_list comma proto_item {
2094 $1->tail->next = $3;
2100 proto_item : STRING {
2104 if (atoul($1, &ulval) == 0) {
2106 yyerror("protocol outside range");
2110 pr = (u_int8_t)ulval;
2114 p = getprotobyname($1);
2116 yyerror("unknown protocol %s", $1);
2124 yyerror("proto 0 cannot be used");
2127 $$ = calloc(1, sizeof(struct node_proto));
2129 err(1, "proto_item: calloc");
2150 os : /* empty */ { $$ = NULL; }
2151 | OS xos { $$ = $2; }
2152 | OS '{' os_list '}' { $$ = $3; }
2156 $$ = calloc(1, sizeof(struct node_os));
2158 err(1, "os: calloc");
2164 os_list : xos { $$ = $1; }
2165 | os_list comma xos {
2166 $1->tail->next = $3;
2172 from : /* empty */ {
2190 ipportspec : ipspec {
2194 | ipspec PORT portspec {
2204 ipspec : ANY { $$ = NULL; }
2205 | xhost { $$ = $1; }
2206 | '{' host_list '}' { $$ = $2; }
2209 host_list : xhost { $$ = $1; }
2210 | host_list comma xhost {
2213 else if ($1 == NULL)
2216 $1->tail->next = $3;
2217 $1->tail = $3->tail;
2224 struct node_host *n;
2226 for (n = $2; n != NULL; n = n->next)
2231 $$ = calloc(1, sizeof(struct node_host));
2233 err(1, "xhost: calloc");
2234 $$->addr.type = PF_ADDR_NOROUTE;
2241 if (($$ = host($1)) == NULL) {
2242 /* error. "any" is handled elsewhere */
2244 yyerror("could not parse host specification");
2250 | STRING '/' number {
2253 if (asprintf(&buf, "%s/%u", $1, $3) == -1)
2254 err(1, "host: asprintf");
2256 if (($$ = host(buf)) == NULL) {
2257 /* error. "any" is handled elsewhere */
2259 yyerror("could not parse host specification");
2265 | dynaddr '/' number {
2266 struct node_host *n;
2269 for (n = $1; n != NULL; n = n->next)
2273 if (strlen($2) >= PF_TABLE_NAME_SIZE) {
2274 yyerror("table name '%s' too long", $2);
2278 $$ = calloc(1, sizeof(struct node_host));
2280 err(1, "host: calloc");
2281 $$->addr.type = PF_ADDR_TABLE;
2282 if (strlcpy($$->addr.v.tblname, $2,
2283 sizeof($$->addr.v.tblname)) >=
2284 sizeof($$->addr.v.tblname))
2285 errx(1, "host: strlcpy");
2291 $$ = calloc(1, sizeof(struct node_host));
2294 err(1, "host: calloc");
2296 $$->addr.type = PF_ADDR_RTLABEL;
2297 if (strlcpy($$->addr.v.rtlabelname, $2,
2298 sizeof($$->addr.v.rtlabelname)) >=
2299 sizeof($$->addr.v.rtlabelname)) {
2300 yyerror("route label too long, max %u chars",
2301 sizeof($$->addr.v.rtlabelname) - 1);
2315 if (atoul($1, &ulval) == -1) {
2316 yyerror("%s is not a number", $1);
2325 dynaddr : '(' STRING ')' {
2330 if (!isalpha(op[0])) {
2331 yyerror("invalid interface name '%s'", op);
2335 while ((p = strrchr($2, ':')) != NULL) {
2336 if (!strcmp(p+1, "network"))
2337 flags |= PFI_AFLAG_NETWORK;
2338 else if (!strcmp(p+1, "broadcast"))
2339 flags |= PFI_AFLAG_BROADCAST;
2340 else if (!strcmp(p+1, "peer"))
2341 flags |= PFI_AFLAG_PEER;
2342 else if (!strcmp(p+1, "0"))
2343 flags |= PFI_AFLAG_NOALIAS;
2345 yyerror("interface %s has bad modifier",
2352 if (flags & (flags - 1) & PFI_AFLAG_MODEMASK) {
2354 yyerror("illegal combination of "
2355 "interface modifiers");
2358 $$ = calloc(1, sizeof(struct node_host));
2360 err(1, "address: calloc");
2362 set_ipmask($$, 128);
2363 $$->addr.type = PF_ADDR_DYNIFTL;
2364 $$->addr.iflags = flags;
2365 if (strlcpy($$->addr.v.ifname, $2,
2366 sizeof($$->addr.v.ifname)) >=
2367 sizeof($$->addr.v.ifname)) {
2370 yyerror("interface name too long");
2379 portspec : port_item { $$ = $1; }
2380 | '{' port_list '}' { $$ = $2; }
2383 port_list : port_item { $$ = $1; }
2384 | port_list comma port_item {
2385 $1->tail->next = $3;
2392 $$ = calloc(1, sizeof(struct node_port));
2394 err(1, "port_item: calloc");
2406 yyerror("':' cannot be used with an other "
2410 $$ = calloc(1, sizeof(struct node_port));
2412 err(1, "port_item: calloc");
2419 | port PORTBINARY port {
2421 yyerror("':' cannot be used with an other "
2425 $$ = calloc(1, sizeof(struct node_port));
2427 err(1, "port_item: calloc");
2437 char *p = strchr($1, ':');
2438 struct servent *s = NULL;
2442 if (atoul($1, &ulval) == 0) {
2443 if (ulval > 65535) {
2445 yyerror("illegal port value %lu",
2449 $$.a = htons(ulval);
2451 s = getservbyname($1, "tcp");
2453 s = getservbyname($1, "udp");
2455 yyerror("unknown port %s", $1);
2467 if ((port[0] = getservice($1)) == -1 ||
2468 (port[1] = getservice(p)) == -1) {
2480 uids : uid_item { $$ = $1; }
2481 | '{' uid_list '}' { $$ = $2; }
2484 uid_list : uid_item { $$ = $1; }
2485 | uid_list comma uid_item {
2486 $1->tail->next = $3;
2493 $$ = calloc(1, sizeof(struct node_uid));
2495 err(1, "uid_item: calloc");
2503 if ($2 == UID_MAX && $1 != PF_OP_EQ && $1 != PF_OP_NE) {
2504 yyerror("user unknown requires operator = or "
2508 $$ = calloc(1, sizeof(struct node_uid));
2510 err(1, "uid_item: calloc");
2517 | uid PORTBINARY uid {
2518 if ($1 == UID_MAX || $3 == UID_MAX) {
2519 yyerror("user unknown requires operator = or "
2523 $$ = calloc(1, sizeof(struct node_uid));
2525 err(1, "uid_item: calloc");
2537 if (atoul($1, &ulval) == -1) {
2538 if (!strcmp($1, "unknown"))
2543 if ((pw = getpwnam($1)) == NULL) {
2544 yyerror("unknown user %s", $1);
2551 if (ulval >= UID_MAX) {
2553 yyerror("illegal uid value %lu", ulval);
2562 gids : gid_item { $$ = $1; }
2563 | '{' gid_list '}' { $$ = $2; }
2566 gid_list : gid_item { $$ = $1; }
2567 | gid_list comma gid_item {
2568 $1->tail->next = $3;
2575 $$ = calloc(1, sizeof(struct node_gid));
2577 err(1, "gid_item: calloc");
2585 if ($2 == GID_MAX && $1 != PF_OP_EQ && $1 != PF_OP_NE) {
2586 yyerror("group unknown requires operator = or "
2590 $$ = calloc(1, sizeof(struct node_gid));
2592 err(1, "gid_item: calloc");
2599 | gid PORTBINARY gid {
2600 if ($1 == GID_MAX || $3 == GID_MAX) {
2601 yyerror("group unknown requires operator = or "
2605 $$ = calloc(1, sizeof(struct node_gid));
2607 err(1, "gid_item: calloc");
2619 if (atoul($1, &ulval) == -1) {
2620 if (!strcmp($1, "unknown"))
2625 if ((grp = getgrnam($1)) == NULL) {
2626 yyerror("unknown group %s", $1);
2633 if (ulval >= GID_MAX) {
2634 yyerror("illegal gid value %lu", ulval);
2647 if ((f = parse_flags($1)) < 0) {
2648 yyerror("bad flags %s", $1);
2657 flags : FLAGS flag '/' flag { $$.b1 = $2.b1; $$.b2 = $4.b1; }
2658 | FLAGS '/' flag { $$.b1 = 0; $$.b2 = $3.b1; }
2661 icmpspec : ICMPTYPE icmp_item { $$ = $2; }
2662 | ICMPTYPE '{' icmp_list '}' { $$ = $3; }
2663 | ICMP6TYPE icmp6_item { $$ = $2; }
2664 | ICMP6TYPE '{' icmp6_list '}' { $$ = $3; }
2667 icmp_list : icmp_item { $$ = $1; }
2668 | icmp_list comma icmp_item {
2669 $1->tail->next = $3;
2675 icmp6_list : icmp6_item { $$ = $1; }
2676 | icmp6_list comma icmp6_item {
2677 $1->tail->next = $3;
2683 icmp_item : icmptype {
2684 $$ = calloc(1, sizeof(struct node_icmp));
2686 err(1, "icmp_item: calloc");
2689 $$->proto = IPPROTO_ICMP;
2693 | icmptype CODE STRING {
2694 const struct icmpcodeent *p;
2697 if (atoul($3, &ulval) == 0) {
2700 yyerror("illegal icmp-code %lu", ulval);
2704 if ((p = geticmpcodebyname($1-1, $3,
2705 AF_INET)) == NULL) {
2706 yyerror("unknown icmp-code %s", $3);
2713 $$ = calloc(1, sizeof(struct node_icmp));
2715 err(1, "icmp_item: calloc");
2717 $$->code = ulval + 1;
2718 $$->proto = IPPROTO_ICMP;
2724 icmp6_item : icmp6type {
2725 $$ = calloc(1, sizeof(struct node_icmp));
2727 err(1, "icmp_item: calloc");
2730 $$->proto = IPPROTO_ICMPV6;
2734 | icmp6type CODE STRING {
2735 const struct icmpcodeent *p;
2738 if (atoul($3, &ulval) == 0) {
2740 yyerror("illegal icmp6-code %lu",
2746 if ((p = geticmpcodebyname($1-1, $3,
2747 AF_INET6)) == NULL) {
2748 yyerror("unknown icmp6-code %s", $3);
2755 $$ = calloc(1, sizeof(struct node_icmp));
2757 err(1, "icmp_item: calloc");
2759 $$->code = ulval + 1;
2760 $$->proto = IPPROTO_ICMPV6;
2767 const struct icmptypeent *p;
2770 if (atoul($1, &ulval) == 0) {
2772 yyerror("illegal icmp-type %lu", ulval);
2778 if ((p = geticmptypebyname($1, AF_INET)) ==
2780 yyerror("unknown icmp-type %s", $1);
2790 icmp6type : STRING {
2791 const struct icmptypeent *p;
2794 if (atoul($1, &ulval) == 0) {
2796 yyerror("illegal icmp6-type %lu", ulval);
2802 if ((p = geticmptypebyname($1, AF_INET6)) ==
2804 yyerror("unknown icmp6-type %s", $1);
2815 if (!strcmp($2, "lowdelay"))
2816 $$ = IPTOS_LOWDELAY;
2817 else if (!strcmp($2, "throughput"))
2818 $$ = IPTOS_THROUGHPUT;
2819 else if (!strcmp($2, "reliability"))
2820 $$ = IPTOS_RELIABILITY;
2821 else if ($2[0] == '0' && $2[1] == 'x')
2822 $$ = strtoul($2, NULL, 16);
2824 $$ = strtoul($2, NULL, 10);
2825 if (!$$ || $$ > 255) {
2826 yyerror("illegal tos value %s", $2);
2834 sourcetrack : SOURCETRACK { $$ = PF_SRCTRACK; }
2835 | SOURCETRACK GLOBAL { $$ = PF_SRCTRACK_GLOBAL; }
2836 | SOURCETRACK RULE { $$ = PF_SRCTRACK_RULE; }
2839 statelock : IFBOUND {
2840 $$ = PFRULE_IFBOUND;
2843 $$ = PFRULE_GRBOUND;
2850 keep : KEEP STATE state_opt_spec {
2851 $$.action = PF_STATE_NORMAL;
2854 | MODULATE STATE state_opt_spec {
2855 $$.action = PF_STATE_MODULATE;
2858 | SYNPROXY STATE state_opt_spec {
2859 $$.action = PF_STATE_SYNPROXY;
2864 flush : /* empty */ { $$ = 0; }
2865 | FLUSH { $$ = PF_FLUSH; }
2867 $$ = PF_FLUSH | PF_FLUSH_GLOBAL;
2871 state_opt_spec : '(' state_opt_list ')' { $$ = $2; }
2872 | /* empty */ { $$ = NULL; }
2875 state_opt_list : state_opt_item { $$ = $1; }
2876 | state_opt_list comma state_opt_item {
2877 $1->tail->next = $3;
2883 state_opt_item : MAXIMUM number {
2884 $$ = calloc(1, sizeof(struct node_state_opt));
2886 err(1, "state_opt_item: calloc");
2887 $$->type = PF_STATE_OPT_MAX;
2888 $$->data.max_states = $2;
2893 $$ = calloc(1, sizeof(struct node_state_opt));
2895 err(1, "state_opt_item: calloc");
2896 $$->type = PF_STATE_OPT_NOSYNC;
2900 | MAXSRCSTATES number {
2901 $$ = calloc(1, sizeof(struct node_state_opt));
2903 err(1, "state_opt_item: calloc");
2904 $$->type = PF_STATE_OPT_MAX_SRC_STATES;
2905 $$->data.max_src_states = $2;
2909 | MAXSRCCONN number {
2910 $$ = calloc(1, sizeof(struct node_state_opt));
2912 err(1, "state_opt_item: calloc");
2913 $$->type = PF_STATE_OPT_MAX_SRC_CONN;
2914 $$->data.max_src_conn = $2;
2918 | MAXSRCCONNRATE number '/' number {
2919 $$ = calloc(1, sizeof(struct node_state_opt));
2921 err(1, "state_opt_item: calloc");
2922 $$->type = PF_STATE_OPT_MAX_SRC_CONN_RATE;
2923 $$->data.max_src_conn_rate.limit = $2;
2924 $$->data.max_src_conn_rate.seconds = $4;
2928 | OVERLOAD '<' STRING '>' flush {
2929 if (strlen($3) >= PF_TABLE_NAME_SIZE) {
2930 yyerror("table name '%s' too long", $3);
2934 $$ = calloc(1, sizeof(struct node_state_opt));
2936 err(1, "state_opt_item: calloc");
2937 if (strlcpy($$->data.overload.tblname, $3,
2938 PF_TABLE_NAME_SIZE) >= PF_TABLE_NAME_SIZE)
2939 errx(1, "state_opt_item: strlcpy");
2941 $$->type = PF_STATE_OPT_OVERLOAD;
2942 $$->data.overload.flush = $5;
2946 | MAXSRCNODES number {
2947 $$ = calloc(1, sizeof(struct node_state_opt));
2949 err(1, "state_opt_item: calloc");
2950 $$->type = PF_STATE_OPT_MAX_SRC_NODES;
2951 $$->data.max_src_nodes = $2;
2956 $$ = calloc(1, sizeof(struct node_state_opt));
2958 err(1, "state_opt_item: calloc");
2959 $$->type = PF_STATE_OPT_SRCTRACK;
2960 $$->data.src_track = $1;
2965 $$ = calloc(1, sizeof(struct node_state_opt));
2967 err(1, "state_opt_item: calloc");
2968 $$->type = PF_STATE_OPT_STATELOCK;
2969 $$->data.statelock = $1;
2976 for (i = 0; pf_timeouts[i].name &&
2977 strcmp(pf_timeouts[i].name, $1); ++i)
2979 if (!pf_timeouts[i].name) {
2980 yyerror("illegal timeout name %s", $1);
2984 if (strchr(pf_timeouts[i].name, '.') == NULL) {
2985 yyerror("illegal state timeout %s", $1);
2990 $$ = calloc(1, sizeof(struct node_state_opt));
2992 err(1, "state_opt_item: calloc");
2993 $$->type = PF_STATE_OPT_TIMEOUT;
2994 $$->data.timeout.number = pf_timeouts[i].timeout;
2995 $$->data.timeout.seconds = $2;
3001 label : LABEL STRING {
3006 qname : QUEUE STRING {
3009 | QUEUE '(' STRING ')' {
3012 | QUEUE '(' STRING comma STRING ')' {
3018 no : /* empty */ { $$ = 0; }
3023 char *p = strchr($1, ':');
3026 if (($$.a = getservice($1)) == -1) {
3031 } else if (!strcmp(p+1, "*")) {
3033 if (($$.a = getservice($1)) == -1) {
3041 if (($$.a = getservice($1)) == -1 ||
3042 ($$.b = getservice(p)) == -1) {
3054 redirspec : host { $$ = $1; }
3055 | '{' redir_host_list '}' { $$ = $2; }
3058 redir_host_list : host { $$ = $1; }
3059 | redir_host_list comma host {
3060 $1->tail->next = $3;
3061 $1->tail = $3->tail;
3066 redirpool : /* empty */ { $$ = NULL; }
3068 $$ = calloc(1, sizeof(struct redirection));
3070 err(1, "redirection: calloc");
3072 $$->rport.a = $$->rport.b = $$->rport.t = 0;
3074 | ARROW redirspec PORT rport {
3075 $$ = calloc(1, sizeof(struct redirection));
3077 err(1, "redirection: calloc");
3083 hashkey : /* empty */
3085 $$ = calloc(1, sizeof(struct pf_poolhashkey));
3087 err(1, "hashkey: calloc");
3088 $$->key32[0] = arc4random();
3089 $$->key32[1] = arc4random();
3090 $$->key32[2] = arc4random();
3091 $$->key32[3] = arc4random();
3095 if (!strncmp($1, "0x", 2)) {
3096 if (strlen($1) != 34) {
3098 yyerror("hex key must be 128 bits "
3099 "(32 hex digits) long");
3102 $$ = calloc(1, sizeof(struct pf_poolhashkey));
3104 err(1, "hashkey: calloc");
3106 if (sscanf($1, "0x%8x%8x%8x%8x",
3107 &$$->key32[0], &$$->key32[1],
3108 &$$->key32[2], &$$->key32[3]) != 4) {
3111 yyerror("invalid hex key");
3117 $$ = calloc(1, sizeof(struct pf_poolhashkey));
3119 err(1, "hashkey: calloc");
3121 MD5Update(&context, (unsigned char *)$1,
3123 MD5Final((unsigned char *)$$, &context);
3124 HTONL($$->key32[0]);
3125 HTONL($$->key32[1]);
3126 HTONL($$->key32[2]);
3127 HTONL($$->key32[3]);
3133 pool_opts : { bzero(&pool_opts, sizeof pool_opts); }
3137 bzero(&pool_opts, sizeof pool_opts);
3142 pool_opts_l : pool_opts_l pool_opt
3146 pool_opt : BITMASK {
3147 if (pool_opts.type) {
3148 yyerror("pool type cannot be redefined");
3151 pool_opts.type = PF_POOL_BITMASK;
3154 if (pool_opts.type) {
3155 yyerror("pool type cannot be redefined");
3158 pool_opts.type = PF_POOL_RANDOM;
3160 | SOURCEHASH hashkey {
3161 if (pool_opts.type) {
3162 yyerror("pool type cannot be redefined");
3165 pool_opts.type = PF_POOL_SRCHASH;
3169 if (pool_opts.type) {
3170 yyerror("pool type cannot be redefined");
3173 pool_opts.type = PF_POOL_ROUNDROBIN;
3176 if (pool_opts.staticport) {
3177 yyerror("static-port cannot be redefined");
3180 pool_opts.staticport = 1;
3183 if (filter_opts.marker & POM_STICKYADDRESS) {
3184 yyerror("sticky-address cannot be redefined");
3187 pool_opts.marker |= POM_STICKYADDRESS;
3188 pool_opts.opts |= PF_POOL_STICKYADDR;
3192 redirection : /* empty */ { $$ = NULL; }
3194 $$ = calloc(1, sizeof(struct redirection));
3196 err(1, "redirection: calloc");
3198 $$->rport.a = $$->rport.b = $$->rport.t = 0;
3200 | ARROW host PORT rport {
3201 $$ = calloc(1, sizeof(struct redirection));
3203 err(1, "redirection: calloc");
3209 natpass : /* empty */ { $$ = 0; }
3213 nataction : no NAT natpass {
3231 natrule : nataction interface af proto fromto tag tagged redirpool pool_opts
3235 if (check_rulestate(PFCTL_STATE_NAT))
3238 memset(&r, 0, sizeof(r));
3245 if ($5.src.host && $5.src.host->af &&
3246 !$5.src.host->ifindex)
3247 r.af = $5.src.host->af;
3248 else if ($5.dst.host && $5.dst.host->af &&
3249 !$5.dst.host->ifindex)
3250 r.af = $5.dst.host->af;
3254 if (strlcpy(r.tagname, $6, PF_TAG_NAME_SIZE) >=
3256 yyerror("tag too long, max %u chars",
3257 PF_TAG_NAME_SIZE - 1);
3262 if (strlcpy(r.match_tagname, $7.name,
3263 PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) {
3264 yyerror("tag too long, max %u chars",
3265 PF_TAG_NAME_SIZE - 1);
3268 r.match_tag_not = $7.neg;
3270 if (r.action == PF_NONAT || r.action == PF_NORDR) {
3272 yyerror("translation rule with 'no' "
3273 "does not need '->'");
3277 if ($8 == NULL || $8->host == NULL) {
3278 yyerror("translation rule requires '-> "
3282 if (!r.af && ! $8->host->ifindex)
3283 r.af = $8->host->af;
3285 remove_invalid_hosts(&$8->host, &r.af);
3286 if (invalid_redirect($8->host, r.af))
3288 if (check_netmask($8->host, r.af))
3291 r.rpool.proxy_port[0] = ntohs($8->rport.a);
3295 if (!$8->rport.b && $8->rport.t &&
3296 $5.dst.port != NULL) {
3297 r.rpool.proxy_port[1] =
3298 ntohs($8->rport.a) +
3300 $5.dst.port->port[1]) -
3302 $5.dst.port->port[0]));
3304 r.rpool.proxy_port[1] =
3308 r.rpool.proxy_port[1] =
3310 if (!r.rpool.proxy_port[0] &&
3311 !r.rpool.proxy_port[1]) {
3312 r.rpool.proxy_port[0] =
3313 PF_NAT_PROXY_PORT_LOW;
3314 r.rpool.proxy_port[1] =
3315 PF_NAT_PROXY_PORT_HIGH;
3316 } else if (!r.rpool.proxy_port[1])
3317 r.rpool.proxy_port[1] =
3318 r.rpool.proxy_port[0];
3324 r.rpool.opts = $9.type;
3325 if ((r.rpool.opts & PF_POOL_TYPEMASK) ==
3326 PF_POOL_NONE && ($8->host->next != NULL ||
3327 $8->host->addr.type == PF_ADDR_TABLE ||
3328 DYNIF_MULTIADDR($8->host->addr)))
3329 r.rpool.opts = PF_POOL_ROUNDROBIN;
3330 if ((r.rpool.opts & PF_POOL_TYPEMASK) !=
3331 PF_POOL_ROUNDROBIN &&
3332 disallow_table($8->host, "tables are only "
3333 "supported in round-robin redirection "
3336 if ((r.rpool.opts & PF_POOL_TYPEMASK) !=
3337 PF_POOL_ROUNDROBIN &&
3338 disallow_alias($8->host, "interface (%s) "
3339 "is only supported in round-robin "
3340 "redirection pools"))
3342 if ($8->host->next != NULL) {
3343 if ((r.rpool.opts & PF_POOL_TYPEMASK) !=
3344 PF_POOL_ROUNDROBIN) {
3345 yyerror("only round-robin "
3346 "valid for multiple "
3347 "redirection addresses");
3354 memcpy(&r.rpool.key, $9.key,
3355 sizeof(struct pf_poolhashkey));
3358 r.rpool.opts |= $9.opts;
3360 if ($9.staticport) {
3361 if (r.action != PF_NAT) {
3362 yyerror("the 'static-port' option is "
3363 "only valid with nat rules");
3366 if (r.rpool.proxy_port[0] !=
3367 PF_NAT_PROXY_PORT_LOW &&
3368 r.rpool.proxy_port[1] !=
3369 PF_NAT_PROXY_PORT_HIGH) {
3370 yyerror("the 'static-port' option can't"
3371 " be used when specifying a port"
3375 r.rpool.proxy_port[0] = 0;
3376 r.rpool.proxy_port[1] = 0;
3379 expand_rule(&r, $2, $8 == NULL ? NULL : $8->host, $4,
3380 $5.src_os, $5.src.host, $5.src.port, $5.dst.host,
3381 $5.dst.port, 0, 0, 0, "");
3386 binatrule : no BINAT natpass interface af proto FROM host TO ipspec tag tagged
3389 struct pf_rule binat;
3390 struct pf_pooladdr *pa;
3392 if (check_rulestate(PFCTL_STATE_NAT))
3395 memset(&binat, 0, sizeof(binat));
3398 binat.action = PF_NOBINAT;
3400 binat.action = PF_BINAT;
3403 if (!binat.af && $8 != NULL && $8->af)
3405 if (!binat.af && $10 != NULL && $10->af)
3408 if (!binat.af && $13 != NULL && $13->host)
3409 binat.af = $13->host->af;
3411 yyerror("address family (inet/inet6) "
3417 memcpy(binat.ifname, $4->ifname,
3418 sizeof(binat.ifname));
3419 binat.ifnot = $4->not;
3424 if (strlcpy(binat.tagname, $11,
3425 PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) {
3426 yyerror("tag too long, max %u chars",
3427 PF_TAG_NAME_SIZE - 1);
3431 if (strlcpy(binat.match_tagname, $12.name,
3432 PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) {
3433 yyerror("tag too long, max %u chars",
3434 PF_TAG_NAME_SIZE - 1);
3437 binat.match_tag_not = $12.neg;
3440 binat.proto = $6->proto;
3444 if ($8 != NULL && disallow_table($8, "invalid use of "
3445 "table <%s> as the source address of a binat rule"))
3447 if ($8 != NULL && disallow_alias($8, "invalid use of "
3448 "interface (%s) as the source address of a binat "
3451 if ($13 != NULL && $13->host != NULL && disallow_table(
3452 $13->host, "invalid use of table <%s> as the "
3453 "redirect address of a binat rule"))
3455 if ($13 != NULL && $13->host != NULL && disallow_alias(
3456 $13->host, "invalid use of interface (%s) as the "
3457 "redirect address of a binat rule"))
3462 yyerror("multiple binat ip addresses");
3465 if ($8->addr.type == PF_ADDR_DYNIFTL)
3467 if ($8->af != binat.af) {
3468 yyerror("binat ip versions must match");
3471 if (check_netmask($8, binat.af))
3473 memcpy(&binat.src.addr, &$8->addr,
3474 sizeof(binat.src.addr));
3479 yyerror("multiple binat ip addresses");
3482 if ($10->af != binat.af && $10->af) {
3483 yyerror("binat ip versions must match");
3486 if (check_netmask($10, binat.af))
3488 memcpy(&binat.dst.addr, &$10->addr,
3489 sizeof(binat.dst.addr));
3490 binat.dst.neg = $10->not;
3494 if (binat.action == PF_NOBINAT) {
3496 yyerror("'no binat' rule does not need"
3501 if ($13 == NULL || $13->host == NULL) {
3502 yyerror("'binat' rule requires"
3507 remove_invalid_hosts(&$13->host, &binat.af);
3508 if (invalid_redirect($13->host, binat.af))
3510 if ($13->host->next != NULL) {
3511 yyerror("binat rule must redirect to "
3512 "a single address");
3515 if (check_netmask($13->host, binat.af))
3518 if (!PF_AZERO(&binat.src.addr.v.a.mask,
3520 !PF_AEQ(&binat.src.addr.v.a.mask,
3521 &$13->host->addr.v.a.mask, binat.af)) {
3522 yyerror("'binat' source mask and "
3523 "redirect mask must be the same");
3527 TAILQ_INIT(&binat.rpool.list);
3528 pa = calloc(1, sizeof(struct pf_pooladdr));
3530 err(1, "binat: calloc");
3531 pa->addr = $13->host->addr;
3533 TAILQ_INSERT_TAIL(&binat.rpool.list,
3539 pfctl_add_rule(pf, &binat, "");
3543 tag : /* empty */ { $$ = NULL; }
3544 | TAG STRING { $$ = $2; }
3547 tagged : /* empty */ { $$.neg = 0; $$.name = NULL; }
3548 | not TAGGED string { $$.neg = $1; $$.name = $3; }
3551 route_host : STRING {
3552 $$ = calloc(1, sizeof(struct node_host));
3554 err(1, "route_host: calloc");
3556 set_ipmask($$, 128);
3560 | '(' STRING host ')' {
3566 route_host_list : route_host { $$ = $1; }
3567 | route_host_list comma route_host {
3570 if ($1->af != $3->af) {
3571 yyerror("all pool addresses must be in the "
3572 "same address family");
3575 $1->tail->next = $3;
3576 $1->tail = $3->tail;
3581 routespec : route_host { $$ = $1; }
3582 | '{' route_host_list '}' { $$ = $2; }
3585 route : /* empty */ {
3592 $$.rt = PF_FASTROUTE;
3595 | ROUTETO routespec pool_opts {
3598 $$.pool_opts = $3.type | $3.opts;
3602 | REPLYTO routespec pool_opts {
3605 $$.pool_opts = $3.type | $3.opts;
3609 | DUPTO routespec pool_opts {
3612 $$.pool_opts = $3.type | $3.opts;
3618 timeout_spec : STRING number
3620 if (check_rulestate(PFCTL_STATE_OPTION)) {
3624 if (pfctl_set_timeout(pf, $1, $2, 0) != 0) {
3625 yyerror("unknown timeout %s", $1);
3633 timeout_list : timeout_list comma timeout_spec
3637 limit_spec : STRING number
3639 if (check_rulestate(PFCTL_STATE_OPTION)) {
3643 if (pfctl_set_limit(pf, $1, $2) != 0) {
3644 yyerror("unable to set limit %s %u", $1, $2);
3652 limit_list : limit_list comma limit_spec
3660 yesno : NO { $$ = 0; }
3662 if (!strcmp($1, "yes"))
3665 yyerror("invalid value '%s', expected 'yes' "
3674 unaryop : '=' { $$ = PF_OP_EQ; }
3675 | '!' '=' { $$ = PF_OP_NE; }
3676 | '<' '=' { $$ = PF_OP_LE; }
3677 | '<' { $$ = PF_OP_LT; }
3678 | '>' '=' { $$ = PF_OP_GE; }
3679 | '>' { $$ = PF_OP_GT; }
3685 yyerror(const char *fmt, ...)
3688 extern char *infile;
3692 fprintf(stderr, "%s:%d: ", infile, yylval.lineno);
3693 vfprintf(stderr, fmt, ap);
3694 fprintf(stderr, "\n");
3700 disallow_table(struct node_host *h, const char *fmt)
3702 for (; h != NULL; h = h->next)
3703 if (h->addr.type == PF_ADDR_TABLE) {
3704 yyerror(fmt, h->addr.v.tblname);
3711 disallow_alias(struct node_host *h, const char *fmt)
3713 for (; h != NULL; h = h->next)
3714 if (DYNIF_MULTIADDR(h->addr)) {
3715 yyerror(fmt, h->addr.v.tblname);
3722 rule_consistent(struct pf_rule *r)
3726 switch (r->action) {
3731 problems = filter_consistent(r);
3735 problems = nat_consistent(r);
3739 problems = rdr_consistent(r);
3750 filter_consistent(struct pf_rule *r)
3754 if (r->proto != IPPROTO_TCP && r->proto != IPPROTO_UDP &&
3755 (r->src.port_op || r->dst.port_op)) {
3756 yyerror("port only applies to tcp/udp");
3759 if (r->proto != IPPROTO_ICMP && r->proto != IPPROTO_ICMPV6 &&
3760 (r->type || r->code)) {
3761 yyerror("icmp-type/code only applies to icmp");
3764 if (!r->af && (r->type || r->code)) {
3765 yyerror("must indicate address family with icmp-type/code");
3768 if (r->overload_tblname[0] &&
3769 r->max_src_conn == 0 && r->max_src_conn_rate.seconds == 0) {
3770 yyerror("'overload' requires 'max-src-conn' "
3771 "or 'max-src-conn-rate'");
3774 if ((r->proto == IPPROTO_ICMP && r->af == AF_INET6) ||
3775 (r->proto == IPPROTO_ICMPV6 && r->af == AF_INET)) {
3776 yyerror("proto %s doesn't match address family %s",
3777 r->proto == IPPROTO_ICMP ? "icmp" : "icmp6",
3778 r->af == AF_INET ? "inet" : "inet6");
3781 if (r->allow_opts && r->action != PF_PASS) {
3782 yyerror("allow-opts can only be specified for pass rules");
3785 if (r->rule_flag & PFRULE_FRAGMENT && (r->src.port_op ||
3786 r->dst.port_op || r->flagset || r->type || r->code)) {
3787 yyerror("fragments can be filtered only on IP header fields");
3790 if (r->rule_flag & PFRULE_RETURNRST && r->proto != IPPROTO_TCP) {
3791 yyerror("return-rst can only be applied to TCP rules");
3794 if (r->max_src_nodes && !(r->rule_flag & PFRULE_RULESRCTRACK)) {
3795 yyerror("max-src-nodes requires 'source-track rule'");
3798 if (r->action == PF_DROP && r->keep_state) {
3799 yyerror("keep state on block rules doesn't make sense");
3802 if ((r->tagname[0] || r->match_tagname[0]) && !r->keep_state &&
3803 r->action == PF_PASS) {
3804 yyerror("tags cannot be used without keep state");
3811 nat_consistent(struct pf_rule *r)
3813 return (0); /* yeah! */
3817 rdr_consistent(struct pf_rule *r)
3821 if (r->proto != IPPROTO_TCP && r->proto != IPPROTO_UDP) {
3822 if (r->src.port_op) {
3823 yyerror("src port only applies to tcp/udp");
3826 if (r->dst.port_op) {
3827 yyerror("dst port only applies to tcp/udp");
3830 if (r->rpool.proxy_port[0]) {
3831 yyerror("rpool port only applies to tcp/udp");
3835 if (r->dst.port_op &&
3836 r->dst.port_op != PF_OP_EQ && r->dst.port_op != PF_OP_RRG) {
3837 yyerror("invalid port operator for rdr destination port");
3844 process_tabledef(char *name, struct table_opts *opts)
3846 struct pfr_buffer ab;
3847 struct node_tinit *ti;
3849 bzero(&ab, sizeof(ab));
3850 ab.pfrb_type = PFRB_ADDRS;
3851 SIMPLEQ_FOREACH(ti, &opts->init_nodes, entries) {
3853 if (pfr_buf_load(&ab, ti->file, 0, append_addr)) {
3855 yyerror("cannot load \"%s\": %s",
3856 ti->file, strerror(errno));
3858 yyerror("file \"%s\" contains bad data",
3863 if (append_addr_host(&ab, ti->host, 0, 0)) {
3864 yyerror("cannot create address buffer: %s",
3869 if (pf->opts & PF_OPT_VERBOSE)
3870 print_tabledef(name, opts->flags, opts->init_addr,
3872 if (!(pf->opts & PF_OPT_NOACTION) &&
3873 pfctl_define_table(name, opts->flags, opts->init_addr,
3874 pf->anchor, &ab, pf->tticket)) {
3875 yyerror("cannot define table %s: %s", name,
3876 pfr_strerror(errno));
3892 /* macro gore, but you should've seen the prior indentation nightmare... */
3894 #define FREE_LIST(T,r) \
3897 while (node != NULL) { \
3899 node = node->next; \
3904 #define LOOP_THROUGH(T,n,r,C) \
3908 r = calloc(1, sizeof(T)); \
3910 err(1, "LOOP: calloc"); \
3914 while (n != NULL) { \
3923 expand_label_str(char *label, size_t len, const char *srch, const char *repl)
3928 if ((tmp = calloc(1, len)) == NULL)
3929 err(1, "expand_label_str: calloc");
3931 while ((q = strstr(p, srch)) != NULL) {
3933 if ((strlcat(tmp, p, len) >= len) ||
3934 (strlcat(tmp, repl, len) >= len))
3935 errx(1, "expand_label: label too long");
3939 if (strlcat(tmp, p, len) >= len)
3940 errx(1, "expand_label: label too long");
3941 strlcpy(label, tmp, len); /* always fits */
3946 expand_label_if(const char *name, char *label, size_t len, const char *ifname)
3948 if (strstr(label, name) != NULL) {
3950 expand_label_str(label, len, name, "any");
3952 expand_label_str(label, len, name, ifname);
3957 expand_label_addr(const char *name, char *label, size_t len, sa_family_t af,
3958 struct node_host *h)
3960 char tmp[64], tmp_not[66];
3962 if (strstr(label, name) != NULL) {
3963 switch (h->addr.type) {
3964 case PF_ADDR_DYNIFTL:
3965 snprintf(tmp, sizeof(tmp), "(%s)", h->addr.v.ifname);
3968 snprintf(tmp, sizeof(tmp), "<%s>", h->addr.v.tblname);
3970 case PF_ADDR_NOROUTE:
3971 snprintf(tmp, sizeof(tmp), "no-route");
3973 case PF_ADDR_ADDRMASK:
3974 if (!af || (PF_AZERO(&h->addr.v.a.addr, af) &&
3975 PF_AZERO(&h->addr.v.a.mask, af)))
3976 snprintf(tmp, sizeof(tmp), "any");
3981 if (inet_ntop(af, &h->addr.v.a.addr, a,
3983 snprintf(tmp, sizeof(tmp), "?");
3985 bits = unmask(&h->addr.v.a.mask, af);
3986 if ((af == AF_INET && bits < 32) ||
3987 (af == AF_INET6 && bits < 128))
3988 snprintf(tmp, sizeof(tmp),
3991 snprintf(tmp, sizeof(tmp),
3997 snprintf(tmp, sizeof(tmp), "?");
4002 snprintf(tmp_not, sizeof(tmp_not), "! %s", tmp);
4003 expand_label_str(label, len, name, tmp_not);
4005 expand_label_str(label, len, name, tmp);
4010 expand_label_port(const char *name, char *label, size_t len,
4011 struct node_port *port)
4013 char a1[6], a2[6], op[13] = "";
4015 if (strstr(label, name) != NULL) {
4016 snprintf(a1, sizeof(a1), "%u", ntohs(port->port[0]));
4017 snprintf(a2, sizeof(a2), "%u", ntohs(port->port[1]));
4020 else if (port->op == PF_OP_IRG)
4021 snprintf(op, sizeof(op), "%s><%s", a1, a2);
4022 else if (port->op == PF_OP_XRG)
4023 snprintf(op, sizeof(op), "%s<>%s", a1, a2);
4024 else if (port->op == PF_OP_EQ)
4025 snprintf(op, sizeof(op), "%s", a1);
4026 else if (port->op == PF_OP_NE)
4027 snprintf(op, sizeof(op), "!=%s", a1);
4028 else if (port->op == PF_OP_LT)
4029 snprintf(op, sizeof(op), "<%s", a1);
4030 else if (port->op == PF_OP_LE)
4031 snprintf(op, sizeof(op), "<=%s", a1);
4032 else if (port->op == PF_OP_GT)
4033 snprintf(op, sizeof(op), ">%s", a1);
4034 else if (port->op == PF_OP_GE)
4035 snprintf(op, sizeof(op), ">=%s", a1);
4036 expand_label_str(label, len, name, op);
4041 expand_label_proto(const char *name, char *label, size_t len, u_int8_t proto)
4043 struct protoent *pe;
4046 if (strstr(label, name) != NULL) {
4047 pe = getprotobynumber(proto);
4049 expand_label_str(label, len, name, pe->p_name);
4051 snprintf(n, sizeof(n), "%u", proto);
4052 expand_label_str(label, len, name, n);
4058 expand_label_nr(const char *name, char *label, size_t len)
4062 if (strstr(label, name) != NULL) {
4063 snprintf(n, sizeof(n), "%u", pf->rule_nr);
4064 expand_label_str(label, len, name, n);
4069 expand_label(char *label, size_t len, const char *ifname, sa_family_t af,
4070 struct node_host *src_host, struct node_port *src_port,
4071 struct node_host *dst_host, struct node_port *dst_port,
4074 expand_label_if("$if", label, len, ifname);
4075 expand_label_addr("$srcaddr", label, len, af, src_host);
4076 expand_label_addr("$dstaddr", label, len, af, dst_host);
4077 expand_label_port("$srcport", label, len, src_port);
4078 expand_label_port("$dstport", label, len, dst_port);
4079 expand_label_proto("$proto", label, len, proto);
4080 expand_label_nr("$nr", label, len);
4084 expand_altq(struct pf_altq *a, struct node_if *interfaces,
4085 struct node_queue *nqueues, struct node_queue_bw bwspec,
4086 struct node_queue_opt *opts)
4088 struct pf_altq pa, pb;
4089 char qname[PF_QNAME_SIZE];
4090 struct node_queue *n;
4091 struct node_queue_bw bw;
4094 if ((pf->loadopt & PFCTL_FLAG_ALTQ) == 0) {
4095 FREE_LIST(struct node_if, interfaces);
4096 FREE_LIST(struct node_queue, nqueues);
4100 LOOP_THROUGH(struct node_if, interface, interfaces,
4101 memcpy(&pa, a, sizeof(struct pf_altq));
4102 if (strlcpy(pa.ifname, interface->ifname,
4103 sizeof(pa.ifname)) >= sizeof(pa.ifname))
4104 errx(1, "expand_altq: strlcpy");
4106 if (interface->not) {
4107 yyerror("altq on ! <interface> is not supported");
4110 if (eval_pfaltq(pf, &pa, &bwspec, opts))
4113 if (pfctl_add_altq(pf, &pa))
4116 if (pf->opts & PF_OPT_VERBOSE) {
4117 print_altq(&pf->paltq->altq, 0,
4119 if (nqueues && nqueues->tail) {
4121 LOOP_THROUGH(struct node_queue, queue,
4131 if (pa.scheduler == ALTQT_CBQ ||
4132 pa.scheduler == ALTQT_HFSC) {
4133 /* now create a root queue */
4134 memset(&pb, 0, sizeof(struct pf_altq));
4135 if (strlcpy(qname, "root_", sizeof(qname)) >=
4137 errx(1, "expand_altq: strlcpy");
4138 if (strlcat(qname, interface->ifname,
4139 sizeof(qname)) >= sizeof(qname))
4140 errx(1, "expand_altq: strlcat");
4141 if (strlcpy(pb.qname, qname,
4142 sizeof(pb.qname)) >= sizeof(pb.qname))
4143 errx(1, "expand_altq: strlcpy");
4144 if (strlcpy(pb.ifname, interface->ifname,
4145 sizeof(pb.ifname)) >= sizeof(pb.ifname))
4146 errx(1, "expand_altq: strlcpy");
4147 pb.qlimit = pa.qlimit;
4148 pb.scheduler = pa.scheduler;
4149 bw.bw_absolute = pa.ifbandwidth;
4151 if (eval_pfqueue(pf, &pb, &bw, opts))
4154 if (pfctl_add_altq(pf, &pb))
4158 LOOP_THROUGH(struct node_queue, queue, nqueues,
4159 n = calloc(1, sizeof(struct node_queue));
4161 err(1, "expand_altq: calloc");
4162 if (pa.scheduler == ALTQT_CBQ ||
4163 pa.scheduler == ALTQT_HFSC)
4164 if (strlcpy(n->parent, qname,
4165 sizeof(n->parent)) >=
4167 errx(1, "expand_altq: strlcpy");
4168 if (strlcpy(n->queue, queue->queue,
4169 sizeof(n->queue)) >= sizeof(n->queue))
4170 errx(1, "expand_altq: strlcpy");
4171 if (strlcpy(n->ifname, interface->ifname,
4172 sizeof(n->ifname)) >= sizeof(n->ifname))
4173 errx(1, "expand_altq: strlcpy");
4174 n->scheduler = pa.scheduler;
4180 queues->tail->next = n;
4186 FREE_LIST(struct node_if, interfaces);
4187 FREE_LIST(struct node_queue, nqueues);
4193 expand_queue(struct pf_altq *a, struct node_if *interfaces,
4194 struct node_queue *nqueues, struct node_queue_bw bwspec,
4195 struct node_queue_opt *opts)
4197 struct node_queue *n, *nq;
4202 if ((pf->loadopt & PFCTL_FLAG_ALTQ) == 0) {
4203 FREE_LIST(struct node_queue, nqueues);
4207 if (queues == NULL) {
4208 yyerror("queue %s has no parent", a->qname);
4209 FREE_LIST(struct node_queue, nqueues);
4213 LOOP_THROUGH(struct node_if, interface, interfaces,
4214 LOOP_THROUGH(struct node_queue, tqueue, queues,
4215 if (!strncmp(a->qname, tqueue->queue, PF_QNAME_SIZE) &&
4216 (interface->ifname[0] == 0 ||
4217 (!interface->not && !strncmp(interface->ifname,
4218 tqueue->ifname, IFNAMSIZ)) ||
4219 (interface->not && strncmp(interface->ifname,
4220 tqueue->ifname, IFNAMSIZ)))) {
4221 /* found ourself in queues */
4224 memcpy(&pa, a, sizeof(struct pf_altq));
4226 if (pa.scheduler != ALTQT_NONE &&
4227 pa.scheduler != tqueue->scheduler) {
4228 yyerror("exactly one scheduler type "
4229 "per interface allowed");
4232 pa.scheduler = tqueue->scheduler;
4234 /* scheduler dependent error checking */
4235 switch (pa.scheduler) {
4237 if (nqueues != NULL) {
4238 yyerror("priq queues cannot "
4239 "have child queues");
4242 if (bwspec.bw_absolute > 0 ||
4243 bwspec.bw_percent < 100) {
4244 yyerror("priq doesn't take "
4253 if (strlcpy(pa.ifname, tqueue->ifname,
4254 sizeof(pa.ifname)) >= sizeof(pa.ifname))
4255 errx(1, "expand_queue: strlcpy");
4256 if (strlcpy(pa.parent, tqueue->parent,
4257 sizeof(pa.parent)) >= sizeof(pa.parent))
4258 errx(1, "expand_queue: strlcpy");
4260 if (eval_pfqueue(pf, &pa, &bwspec, opts))
4263 if (pfctl_add_altq(pf, &pa))
4266 for (nq = nqueues; nq != NULL; nq = nq->next) {
4267 if (!strcmp(a->qname, nq->queue)) {
4268 yyerror("queue cannot have "
4274 sizeof(struct node_queue));
4276 err(1, "expand_queue: calloc");
4277 if (strlcpy(n->parent, a->qname,
4278 sizeof(n->parent)) >=
4280 errx(1, "expand_queue strlcpy");
4281 if (strlcpy(n->queue, nq->queue,
4282 sizeof(n->queue)) >=
4284 errx(1, "expand_queue strlcpy");
4285 if (strlcpy(n->ifname, tqueue->ifname,
4286 sizeof(n->ifname)) >=
4288 errx(1, "expand_queue strlcpy");
4289 n->scheduler = tqueue->scheduler;
4295 queues->tail->next = n;
4299 if ((pf->opts & PF_OPT_VERBOSE) && (
4300 (found == 1 && interface->ifname[0] == 0) ||
4301 (found > 0 && interface->ifname[0] != 0))) {
4302 print_queue(&pf->paltq->altq, 0,
4303 &bwspec, interface->ifname[0] != 0,
4305 if (nqueues && nqueues->tail) {
4307 LOOP_THROUGH(struct node_queue,
4320 FREE_LIST(struct node_queue, nqueues);
4321 FREE_LIST(struct node_if, interfaces);
4324 yyerror("queue %s has no parent", a->qname);
4335 expand_rule(struct pf_rule *r,
4336 struct node_if *interfaces, struct node_host *rpool_hosts,
4337 struct node_proto *protos, struct node_os *src_oses,
4338 struct node_host *src_hosts, struct node_port *src_ports,
4339 struct node_host *dst_hosts, struct node_port *dst_ports,
4340 struct node_uid *uids, struct node_gid *gids, struct node_icmp *icmp_types,
4341 const char *anchor_call)
4343 sa_family_t af = r->af;
4344 int added = 0, error = 0;
4345 char ifname[IF_NAMESIZE];
4346 char label[PF_RULE_LABEL_SIZE];
4347 char tagname[PF_TAG_NAME_SIZE];
4348 char match_tagname[PF_TAG_NAME_SIZE];
4349 struct pf_pooladdr *pa;
4350 struct node_host *h;
4351 u_int8_t flags, flagset, keep_state;
4353 if (strlcpy(label, r->label, sizeof(label)) >= sizeof(label))
4354 errx(1, "expand_rule: strlcpy");
4355 if (strlcpy(tagname, r->tagname, sizeof(tagname)) >= sizeof(tagname))
4356 errx(1, "expand_rule: strlcpy");
4357 if (strlcpy(match_tagname, r->match_tagname, sizeof(match_tagname)) >=
4358 sizeof(match_tagname))
4359 errx(1, "expand_rule: strlcpy");
4361 flagset = r->flagset;
4362 keep_state = r->keep_state;
4364 LOOP_THROUGH(struct node_if, interface, interfaces,
4365 LOOP_THROUGH(struct node_proto, proto, protos,
4366 LOOP_THROUGH(struct node_icmp, icmp_type, icmp_types,
4367 LOOP_THROUGH(struct node_host, src_host, src_hosts,
4368 LOOP_THROUGH(struct node_port, src_port, src_ports,
4369 LOOP_THROUGH(struct node_os, src_os, src_oses,
4370 LOOP_THROUGH(struct node_host, dst_host, dst_hosts,
4371 LOOP_THROUGH(struct node_port, dst_port, dst_ports,
4372 LOOP_THROUGH(struct node_uid, uid, uids,
4373 LOOP_THROUGH(struct node_gid, gid, gids,
4376 /* for link-local IPv6 address, interface must match up */
4377 if ((r->af && src_host->af && r->af != src_host->af) ||
4378 (r->af && dst_host->af && r->af != dst_host->af) ||
4379 (src_host->af && dst_host->af &&
4380 src_host->af != dst_host->af) ||
4381 (src_host->ifindex && dst_host->ifindex &&
4382 src_host->ifindex != dst_host->ifindex) ||
4383 (src_host->ifindex && *interface->ifname &&
4384 src_host->ifindex != if_nametoindex(interface->ifname)) ||
4385 (dst_host->ifindex && *interface->ifname &&
4386 dst_host->ifindex != if_nametoindex(interface->ifname)))
4388 if (!r->af && src_host->af)
4389 r->af = src_host->af;
4390 else if (!r->af && dst_host->af)
4391 r->af = dst_host->af;
4393 if (*interface->ifname)
4394 strlcpy(r->ifname, interface->ifname,
4396 else if (if_indextoname(src_host->ifindex, ifname))
4397 strlcpy(r->ifname, ifname, sizeof(r->ifname));
4398 else if (if_indextoname(dst_host->ifindex, ifname))
4399 strlcpy(r->ifname, ifname, sizeof(r->ifname));
4401 memset(r->ifname, '\0', sizeof(r->ifname));
4403 if (strlcpy(r->label, label, sizeof(r->label)) >=
4405 errx(1, "expand_rule: strlcpy");
4406 if (strlcpy(r->tagname, tagname, sizeof(r->tagname)) >=
4408 errx(1, "expand_rule: strlcpy");
4409 if (strlcpy(r->match_tagname, match_tagname,
4410 sizeof(r->match_tagname)) >= sizeof(r->match_tagname))
4411 errx(1, "expand_rule: strlcpy");
4412 expand_label(r->label, PF_RULE_LABEL_SIZE, r->ifname, r->af,
4413 src_host, src_port, dst_host, dst_port, proto->proto);
4414 expand_label(r->tagname, PF_TAG_NAME_SIZE, r->ifname, r->af,
4415 src_host, src_port, dst_host, dst_port, proto->proto);
4416 expand_label(r->match_tagname, PF_TAG_NAME_SIZE, r->ifname,
4417 r->af, src_host, src_port, dst_host, dst_port,
4420 error += check_netmask(src_host, r->af);
4421 error += check_netmask(dst_host, r->af);
4423 r->ifnot = interface->not;
4424 r->proto = proto->proto;
4425 r->src.addr = src_host->addr;
4426 r->src.neg = src_host->not;
4427 r->src.port[0] = src_port->port[0];
4428 r->src.port[1] = src_port->port[1];
4429 r->src.port_op = src_port->op;
4430 r->dst.addr = dst_host->addr;
4431 r->dst.neg = dst_host->not;
4432 r->dst.port[0] = dst_port->port[0];
4433 r->dst.port[1] = dst_port->port[1];
4434 r->dst.port_op = dst_port->op;
4435 r->uid.op = uid->op;
4436 r->uid.uid[0] = uid->uid[0];
4437 r->uid.uid[1] = uid->uid[1];
4438 r->gid.op = gid->op;
4439 r->gid.gid[0] = gid->gid[0];
4440 r->gid.gid[1] = gid->gid[1];
4441 r->type = icmp_type->type;
4442 r->code = icmp_type->code;
4444 if ((keep_state == PF_STATE_MODULATE ||
4445 keep_state == PF_STATE_SYNPROXY) &&
4446 r->proto && r->proto != IPPROTO_TCP)
4447 r->keep_state = PF_STATE_NORMAL;
4449 r->keep_state = keep_state;
4451 if (r->proto && r->proto != IPPROTO_TCP) {
4456 r->flagset = flagset;
4458 if (icmp_type->proto && r->proto != icmp_type->proto) {
4459 yyerror("icmp-type mismatch");
4463 if (src_os && src_os->os) {
4464 r->os_fingerprint = pfctl_get_fingerprint(src_os->os);
4465 if ((pf->opts & PF_OPT_VERBOSE2) &&
4466 r->os_fingerprint == PF_OSFP_NOMATCH)
4468 "warning: unknown '%s' OS fingerprint\n",
4471 r->os_fingerprint = PF_OSFP_ANY;
4474 TAILQ_INIT(&r->rpool.list);
4475 for (h = rpool_hosts; h != NULL; h = h->next) {
4476 pa = calloc(1, sizeof(struct pf_pooladdr));
4478 err(1, "expand_rule: calloc");
4480 if (h->ifname != NULL) {
4481 if (strlcpy(pa->ifname, h->ifname,
4482 sizeof(pa->ifname)) >=
4484 errx(1, "expand_rule: strlcpy");
4487 TAILQ_INSERT_TAIL(&r->rpool.list, pa, entries);
4490 if (rule_consistent(r) < 0 || error)
4491 yyerror("skipping rule due to errors");
4493 r->nr = pf->rule_nr++;
4494 pfctl_add_rule(pf, r, anchor_call);
4500 FREE_LIST(struct node_if, interfaces);
4501 FREE_LIST(struct node_proto, protos);
4502 FREE_LIST(struct node_host, src_hosts);
4503 FREE_LIST(struct node_port, src_ports);
4504 FREE_LIST(struct node_os, src_oses);
4505 FREE_LIST(struct node_host, dst_hosts);
4506 FREE_LIST(struct node_port, dst_ports);
4507 FREE_LIST(struct node_uid, uids);
4508 FREE_LIST(struct node_gid, gids);
4509 FREE_LIST(struct node_icmp, icmp_types);
4510 FREE_LIST(struct node_host, rpool_hosts);
4513 yyerror("rule expands to no valid combination");
4517 expand_skip_interface(struct node_if *interfaces)
4521 if (!interfaces || (!interfaces->next && !interfaces->not &&
4522 !strcmp(interfaces->ifname, "none"))) {
4523 if (pf->opts & PF_OPT_VERBOSE)
4524 printf("set skip on none\n");
4525 errs = pfctl_set_interface_flags(pf, "", PFI_IFLAG_SKIP, 0);
4529 if (pf->opts & PF_OPT_VERBOSE)
4530 printf("set skip on {");
4531 LOOP_THROUGH(struct node_if, interface, interfaces,
4532 if (pf->opts & PF_OPT_VERBOSE)
4533 printf(" %s", interface->ifname);
4534 if (interface->not) {
4535 yyerror("skip on ! <interface> is not supported");
4538 errs += pfctl_set_interface_flags(pf,
4539 interface->ifname, PFI_IFLAG_SKIP, 1);
4541 if (pf->opts & PF_OPT_VERBOSE)
4544 FREE_LIST(struct node_if, interfaces);
4556 check_rulestate(int desired_state)
4558 if (require_order && (rulestate > desired_state)) {
4559 yyerror("Rules must be in order: options, normalization, "
4560 "queueing, translation, filtering");
4563 rulestate = desired_state;
4568 kw_cmp(const void *k, const void *e)
4570 return (strcmp(k, ((const struct keywords *)e)->k_name));
4576 /* this has to be sorted always */
4577 static const struct keywords keywords[] = {
4579 { "allow-opts", ALLOWOPTS},
4581 { "anchor", ANCHOR},
4582 { "antispoof", ANTISPOOF},
4584 { "bandwidth", BANDWIDTH},
4586 { "binat-anchor", BINATANCHOR},
4587 { "bitmask", BITMASK},
4589 { "block-policy", BLOCKPOLICY},
4592 { "crop", FRAGCROP},
4595 { "drop-ovl", FRAGDROP},
4597 { "fastroute", FASTROUTE},
4598 { "file", FILENAME},
4599 { "fingerprints", FINGERPRINTS},
4601 { "floating", FLOATING},
4604 { "fragment", FRAGMENT},
4606 { "global", GLOBAL},
4608 { "group-bound", GRBOUND},
4610 { "hostid", HOSTID},
4611 { "icmp-type", ICMPTYPE},
4612 { "icmp6-type", ICMP6TYPE},
4613 { "if-bound", IFBOUND},
4620 { "linkshare", LINKSHARE},
4623 { "log-all", LOGALL},
4624 { "loginterface", LOGINTERFACE},
4626 { "max-mss", MAXMSS},
4627 { "max-src-conn", MAXSRCCONN},
4628 { "max-src-conn-rate", MAXSRCCONNRATE},
4629 { "max-src-nodes", MAXSRCNODES},
4630 { "max-src-states", MAXSRCSTATES},
4631 { "min-ttl", MINTTL},
4632 { "modulate", MODULATE},
4634 { "nat-anchor", NATANCHOR},
4637 { "no-route", NOROUTE},
4638 { "no-sync", NOSYNC},
4640 { "optimization", OPTIMIZATION},
4643 { "overload", OVERLOAD},
4646 { "priority", PRIORITY},
4648 { "probability", PROBABILITY},
4650 { "qlimit", QLIMIT},
4653 { "random", RANDOM},
4654 { "random-id", RANDOMID},
4656 { "rdr-anchor", RDRANCHOR},
4657 { "realtime", REALTIME},
4658 { "reassemble", REASSEMBLE},
4659 { "reply-to", REPLYTO},
4660 { "require-order", REQUIREORDER},
4661 { "return", RETURN},
4662 { "return-icmp", RETURNICMP},
4663 { "return-icmp6", RETURNICMP6},
4664 { "return-rst", RETURNRST},
4665 { "round-robin", ROUNDROBIN},
4667 { "route-to", ROUTETO},
4672 { "source-hash", SOURCEHASH},
4673 { "source-track", SOURCETRACK},
4675 { "state-policy", STATEPOLICY},
4676 { "static-port", STATICPORT},
4677 { "sticky-address", STICKYADDRESS},
4678 { "synproxy", SYNPROXY},
4681 { "tagged", TAGGED},
4682 { "tbrsize", TBRSIZE},
4683 { "timeout", TIMEOUT},
4687 { "upperlimit", UPPERLIMIT},
4690 const struct keywords *p;
4692 p = bsearch(s, keywords, sizeof(keywords)/sizeof(keywords[0]),
4693 sizeof(keywords[0]), kw_cmp);
4697 fprintf(stderr, "%s: %d\n", s, p->k_val);
4701 fprintf(stderr, "string: %s\n", s);
4706 #define MAXPUSHBACK 128
4710 char pushback_buffer[MAXPUSHBACK];
4711 int pushback_index = 0;
4719 /* Read character from the parsebuffer instead of input. */
4720 if (parseindex >= 0) {
4721 c = parsebuf[parseindex++];
4730 return (pushback_buffer[--pushback_index]);
4732 while ((c = getc(f)) == '\\') {
4736 yyerror("whitespace after \\");
4740 yylval.lineno = lineno;
4743 if (c == '\t' || c == ' ') {
4744 /* Compress blanks to a single space. */
4747 } while (c == '\t' || c == ' ');
4762 if (parseindex >= 0)
4765 if (pushback_index < MAXPUSHBACK-1)
4766 return (pushback_buffer[pushback_index++] = c);
4779 /* skip to either EOF or the first real EOL */
4802 while ((c = lgetc(fin)) == ' ')
4805 yylval.lineno = lineno;
4807 while ((c = lgetc(fin)) != '\n' && c != EOF)
4809 if (c == '$' && parsebuf == NULL) {
4811 if ((c = lgetc(fin)) == EOF)
4814 if (p + 1 >= buf + sizeof(buf) - 1) {
4815 yyerror("string too long");
4818 if (isalnum(c) || c == '_') {
4828 yyerror("macro '%s' not defined", buf);
4841 if ((c = lgetc(fin)) == EOF)
4851 if (p + 1 >= buf + sizeof(buf) - 1) {
4852 yyerror("string too long");
4857 yylval.v.string = strdup(buf);
4858 if (yylval.v.string == NULL)
4859 err(1, "yylex: strdup");
4864 yylval.v.i = PF_OP_XRG;
4865 return (PORTBINARY);
4872 yylval.v.i = PF_OP_IRG;
4873 return (PORTBINARY);
4885 #define allowed_in_string(x) \
4886 (isalnum(x) || (ispunct(x) && x != '(' && x != ')' && \
4887 x != '{' && x != '}' && x != '<' && x != '>' && \
4888 x != '!' && x != '=' && x != '/' && x != '#' && \
4891 if (isalnum(c) || c == ':' || c == '_') {
4894 if ((unsigned)(p-buf) >= sizeof(buf)) {
4895 yyerror("string too long");
4898 } while ((c = lgetc(fin)) != EOF && (allowed_in_string(c)));
4901 if ((token = lookup(buf)) == STRING)
4902 if ((yylval.v.string = strdup(buf)) == NULL)
4903 err(1, "yylex: strdup");
4907 yylval.lineno = lineno;
4916 parse_rules(FILE *input, struct pfctl *xpf)
4918 struct sym *sym, *next;
4924 rulestate = PFCTL_STATE_NONE;
4925 returnicmpdefault = (ICMP_UNREACH << 8) | ICMP_UNREACH_PORT;
4926 returnicmp6default =
4927 (ICMP6_DST_UNREACH << 8) | ICMP6_DST_UNREACH_NOPORT;
4928 blockpolicy = PFRULE_DROP;
4933 /* Free macros and check which have not been used. */
4934 for (sym = TAILQ_FIRST(&symhead); sym != NULL; sym = next) {
4935 next = TAILQ_NEXT(sym, entries);
4936 if ((pf->opts & PF_OPT_VERBOSE2) && !sym->used)
4937 fprintf(stderr, "warning: macro '%s' not "
4938 "used\n", sym->nam);
4941 TAILQ_REMOVE(&symhead, sym, entries);
4945 return (errors ? -1 : 0);
4949 * Over-designed efficiency is a French and German concept, so how about
4950 * we wait until they discover this ugliness and make it all fancy.
4953 symset(const char *nam, const char *val, int persist)
4957 for (sym = TAILQ_FIRST(&symhead); sym && strcmp(nam, sym->nam);
4958 sym = TAILQ_NEXT(sym, entries))
4962 if (sym->persist == 1)
4967 TAILQ_REMOVE(&symhead, sym, entries);
4971 if ((sym = calloc(1, sizeof(*sym))) == NULL)
4974 sym->nam = strdup(nam);
4975 if (sym->nam == NULL) {
4979 sym->val = strdup(val);
4980 if (sym->val == NULL) {
4986 sym->persist = persist;
4987 TAILQ_INSERT_TAIL(&symhead, sym, entries);
4992 pfctl_cmdline_symset(char *s)
4997 if ((val = strrchr(s, '=')) == NULL)
5000 if ((sym = malloc(strlen(s) - strlen(val) + 1)) == NULL)
5001 err(1, "pfctl_cmdline_symset: malloc");
5003 strlcpy(sym, s, strlen(s) - strlen(val) + 1);
5005 ret = symset(sym, val + 1, 1);
5012 symget(const char *nam)
5016 TAILQ_FOREACH(sym, &symhead, entries)
5017 if (strcmp(nam, sym->nam) == 0) {
5025 decide_address_family(struct node_host *n, sa_family_t *af)
5027 sa_family_t target_af = 0;
5029 while (!*af && n != NULL) {
5033 if (target_af != n->af)
5038 if (!*af && target_af)
5043 remove_invalid_hosts(struct node_host **nh, sa_family_t *af)
5045 struct node_host *n = *nh, *prev = NULL;
5048 if (*af && n->af && n->af != *af) {
5049 /* unlink and free n */
5050 struct node_host *next = n->next;
5052 /* adjust tail pointer */
5053 if (n == (*nh)->tail)
5055 /* adjust previous node's next pointer */
5061 if (n->ifname != NULL)
5075 invalid_redirect(struct node_host *nh, sa_family_t af)
5078 struct node_host *n;
5080 /* tables and dyniftl are ok without an address family */
5081 for (n = nh; n != NULL; n = n->next) {
5082 if (n->addr.type != PF_ADDR_TABLE &&
5083 n->addr.type != PF_ADDR_DYNIFTL) {
5084 yyerror("address family not given and "
5085 "translation address expands to multiple "
5086 "address families");
5092 yyerror("no translation address with matching address family "
5100 atoul(char *s, u_long *ulvalp)
5106 ulval = strtoul(s, &ep, 0);
5107 if (s[0] == '\0' || *ep != '\0')
5109 if (errno == ERANGE && ulval == ULONG_MAX)
5121 if (atoul(n, &ulval) == 0) {
5122 if (ulval > 65535) {
5123 yyerror("illegal port value %lu", ulval);
5126 return (htons(ulval));
5128 s = getservbyname(n, "tcp");
5130 s = getservbyname(n, "udp");
5132 yyerror("unknown port %s", n);
5140 rule_label(struct pf_rule *r, char *s)
5143 if (strlcpy(r->label, s, sizeof(r->label)) >=
5145 yyerror("rule label too long (max %d chars)",
5146 sizeof(r->label)-1);
5154 parseicmpspec(char *w, sa_family_t af)
5156 const struct icmpcodeent *p;
5161 icmptype = returnicmpdefault >> 8;
5163 icmptype = returnicmp6default >> 8;
5165 if (atoul(w, &ulval) == -1) {
5166 if ((p = geticmpcodebyname(icmptype, w, af)) == NULL) {
5167 yyerror("unknown icmp code %s", w);
5173 yyerror("invalid icmp code %lu", ulval);
5176 return (icmptype << 8 | ulval);
5180 pfctl_load_anchors(int dev, int opts, struct pfr_buffer *trans)
5182 struct loadanchors *la;
5184 TAILQ_FOREACH(la, &loadanchorshead, entries) {
5185 if (opts & PF_OPT_VERBOSE)
5186 fprintf(stderr, "\nLoading anchor %s from %s\n",
5187 la->anchorname, la->filename);
5188 if (pfctl_rules(dev, la->filename, opts, la->anchorname,
projects / FreeBSD / FreeBSD.git / blob