4 * Copyright (C) 2012 by Darren Reed.
6 * See the IPFILTER.LICENCE file for details on licencing.
11 #include <sys/param.h>
12 #include <sys/socket.h>
13 #if defined(BSD) && (BSD >= 199306)
14 # include <sys/cdefs.h>
16 #include <sys/ioctl.h>
19 #if __FreeBSD_version >= 300000
20 # include <net/if_var.h>
22 #include <netinet/in.h>
24 #include <arpa/inet.h>
35 #include "netinet/ip_lookup.h"
36 #include "netinet/ip_pool.h"
37 #include "netinet/ip_htable.h"
38 #include "netinet/ip_dstlist.h"
43 #define YYSTACKSIZE 0x00ffffff
45 extern int yyparse __P((void));
/*
 * Parser scratch state.  These are file-scope so that the grammar actions
 * can fill them in piecemeal; the `table:` rule bzero()s ipht, iphte, iplo
 * and ipld before each new table, so nothing carries over between
 * definitions.
 */
49 static iphtable_t ipht;	/* hash table currently being defined */
50 static iphtent_t iphte;	/* zeroed by `table:`; use not visible in this excerpt */
51 static ip_pool_t iplo;	/* tree/pool currently being defined */
52 static ippool_dst_t ipld;	/* destination list currently being defined */
/*
 * ioctl callback handed to load_pool()/load_hash()/load_dstlist().
 * Starts NULL; where it is assigned is not visible in this excerpt.
 */
53 static ioctlfunc_t poolioctl = NULL;
/*
 * Name buffer filled by the `number:` rule.  The IPT_NAME path strncpy()s
 * and then explicitly NUL-terminates at FR_GROUPLEN-1; the IPT_NUM path
 * writes with an unbounded sprintf("%u") and so relies on FR_GROUPLEN being
 * large enough for a 32-bit unsigned decimal plus NUL.
 * NOTE(review): confirm FR_GROUPLEN >= 11, there is no check at the call site.
 */
54 static char poolname[FR_GROUPLEN];
/*
 * Helpers called from grammar actions.
 *
 * add_htablehosts()/add_poolhosts(): turn a host string into a list of hash
 * entries / pool nodes.  A "file://" or "http://" prefix is handed to
 * load_url(); anything else goes through gethost().  Note that an "http://"
 * source means a config line can trigger a network fetch -- load_url() and
 * any validation it does are not visible in this excerpt.
 *
 * read_whoisfile(): reads a file line by line, parsing each with
 * parsewhoisline() into pool nodes.
 *
 * setadflen(): sets adf_len from adf_family (header size plus in_addr or
 * in6_addr).
 *
 * All three list builders calloc() per entry; allocation-failure handling is
 * not visible in this excerpt.
 */
56 static iphtent_t *add_htablehosts __P((char *));
57 static ip_pool_node_t *add_poolhosts __P((char *));
58 static ip_pool_node_t *read_whoisfile __P((char *));
59 static void setadflen __P((addrfamily_t *));
67 struct alist_s *alist;
68 addrfamily_t adrmsk[2];
76 %token <num> YY_NUMBER YY_HEX
80 %token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
81 %token YY_RANGE_OUT YY_RANGE_IN
82 %token IPT_IPF IPT_NAT IPT_COUNT IPT_AUTH IPT_IN IPT_OUT IPT_ALL
83 %token IPT_TABLE IPT_GROUPMAP IPT_HASH IPT_SRCHASH IPT_DSTHASH
84 %token IPT_ROLE IPT_TYPE IPT_TREE
85 %token IPT_GROUP IPT_SIZE IPT_SEED IPT_NUM IPT_NAME IPT_POLICY
86 %token IPT_POOL IPT_DSTLIST IPT_ROUNDROBIN
87 %token IPT_WEIGHTED IPT_RANDOM IPT_CONNECTION
88 %token IPT_WHOIS IPT_FILE
89 %type <num> role table inout unit dstopts weighting
90 %type <ipp> ipftree range addrlist
91 %type <adrmsk> addrmask
92 %type <ipe> ipfgroup ipfhash hashlist hashentry
93 %type <ipe> groupentry setgrouplist grouplist
94 %type <ipa> ipaddr mask
96 %type <str> number setgroup name
97 %type <ipd> dstentry dstentries dstlist
106 line: table role ipftree eol { ip_pool_node_t *n;
109 load_pool(&iplo, poolioctl);
110 while ((n = $3) != NULL) {
117 | table role ipfhash eol { iphtent_t *h;
119 ipht.iph_type = IPHASH_LOOKUP;
120 load_hash(&ipht, $3, poolioctl);
121 while ((h = $3) != NULL) {
128 | groupmap role number ipfgroup eol
131 strncpy(ipht.iph_name, $3,
132 sizeof(ipht.iph_name));
133 ipht.iph_type = IPHASH_GROUPMAP;
134 load_hash(&ipht, $4, poolioctl);
135 while ((h = $4) != NULL) {
149 assign: YY_STR assigning YY_STR ';' { set_variable($1, $3);
158 '=' { yyvarnext = 1; }
161 table: IPT_TABLE { bzero((char *)&ipht, sizeof(ipht));
162 bzero((char *)&iphte, sizeof(iphte));
163 bzero((char *)&iplo, sizeof(iplo));
164 bzero((char *)&ipld, sizeof(ipld));
165 *ipht.iph_name = '\0';
166 iplo.ipo_flags = IPHASH_ANON;
167 iplo.ipo_name[0] = '\0';
172 IPT_GROUPMAP inout { bzero((char *)&ipht, sizeof(ipht));
173 bzero((char *)&iphte, sizeof(iphte));
174 *ipht.iph_name = '\0';
175 ipht.iph_unit = IPHASH_GROUPMAP;
/* Direction selector for group-map tables: "in" -> FR_INQUE, "out" -> FR_OUTQUE. */
180 inout: IPT_IN { $$ = FR_INQUE; }
181 | IPT_OUT { $$ = FR_OUTQUE; }
184 role: IPT_ROLE '=' unit { $$ = $3; }
/*
 * Map a role keyword to the IPL_LOG* unit constant.  The value flows out
 * through `role:`; how the `line:` and pool rules store it is not visible in
 * this excerpt.
 */
187 unit: IPT_IPF { $$ = IPL_LOGIPF; }
188 | IPT_NAT { $$ = IPL_LOGNAT; }
189 | IPT_AUTH { $$ = IPL_LOGAUTH; }
190 | IPT_COUNT { $$ = IPL_LOGCOUNT; }
191 | IPT_ALL { $$ = IPL_LOGALL; }
195 IPT_TYPE '=' IPT_TREE number start addrlist end
196 { strncpy(iplo.ipo_name, $4,
197 sizeof(iplo.ipo_name));
203 IPT_TYPE '=' IPT_HASH number hashopts start hashlist end
204 { strncpy(ipht.iph_name, $4,
205 sizeof(ipht.iph_name));
211 setgroup hashopts start grouplist end
213 for (e = $4; e != NULL;
215 if (e->ipe_group[0] == '\0')
216 strncpy(e->ipe_group,
222 | hashopts start setgrouplist end
226 number: IPT_NUM '=' YY_NUMBER { sprintf(poolname, "%u", $3);
229 | IPT_NAME '=' YY_STR { strncpy(poolname, $3,
231 poolname[FR_GROUPLEN-1]='\0';
239 IPT_GROUP '=' YY_STR { char tmp[FR_GROUPLEN+1];
240 strncpy(tmp, $3, FR_GROUPLEN);
244 | IPT_GROUP '=' YY_NUMBER { char tmp[FR_GROUPLEN+1];
245 sprintf(tmp, "%u", $3);
258 | range next addrlist { $$ = $1;
259 while ($1->ipn_next != NULL)
263 | range next { $$ = $1; }
268 | groupentry next grouplist { $$ = $1; $1->ipe_next = $3; }
269 | addrmask next grouplist { $$ = calloc(1, sizeof(iphtent_t));
270 $$->ipe_addr = $1[0].adf_addr;
271 $$->ipe_mask = $1[1].adf_addr;
272 $$->ipe_family = $1[0].adf_family;
275 | groupentry next { $$ = $1; }
276 | addrmask next { $$ = calloc(1, sizeof(iphtent_t));
277 $$->ipe_addr = $1[0].adf_addr;
278 $$->ipe_mask = $1[1].adf_addr;
281 $$->ipe_family = AF_INET6;
284 $$->ipe_family = AF_INET;
286 | YY_STR { $$ = add_htablehosts($1);
293 | groupentry next { $$ = $1; }
294 | groupentry next setgrouplist { $1->ipe_next = $3; $$ = $1; }
298 addrmask ',' setgroup { $$ = calloc(1, sizeof(iphtent_t));
299 $$->ipe_addr = $1[0].adf_addr;
300 $$->ipe_mask = $1[1].adf_addr;
301 strncpy($$->ipe_group, $3,
305 $$->ipe_family = AF_INET6;
308 $$->ipe_family = AF_INET;
313 range: addrmask { $$ = calloc(1, sizeof(*$$));
315 $$->ipn_addr = $1[0];
316 $$->ipn_mask = $1[1];
318 | '!' addrmask { $$ = calloc(1, sizeof(*$$));
320 $$->ipn_addr = $2[0];
321 $$->ipn_mask = $2[1];
323 | YY_STR { $$ = add_poolhosts($1);
326 | IPT_WHOIS IPT_FILE YY_STR { $$ = read_whoisfile($3);
333 | hashentry next { $$ = $1; }
334 | hashentry next hashlist { $1->ipe_next = $3; $$ = $1; }
338 addrmask { $$ = calloc(1, sizeof(iphtent_t));
339 $$->ipe_addr = $1[0].adf_addr;
340 $$->ipe_mask = $1[1].adf_addr;
343 $$->ipe_family = AF_INET6;
346 $$->ipe_family = AF_INET;
348 | YY_STR { $$ = add_htablehosts($1);
354 ipaddr '/' mask { $$[0] = $1;
357 $$[1].adf_len = $$[0].adf_len;
359 | ipaddr { $$[0] = $1;
361 $$[1].adf_len = $$[0].adf_len;
364 memset(&$$[1].adf_addr, 0xff,
365 sizeof($$[1].adf_addr.in6));
368 memset(&$$[1].adf_addr, 0xff,
369 sizeof($$[1].adf_addr.in4));
373 ipaddr: ipv4 { $$.adf_addr.in4 = $1;
374 $$.adf_family = AF_INET;
378 | YY_NUMBER { $$.adf_addr.in4.s_addr = htonl($1);
379 $$.adf_family = AF_INET;
383 | YY_IPV6 { $$.adf_addr = $1;
384 $$.adf_family = AF_INET6;
390 mask: YY_NUMBER { bzero(&$$, sizeof($$));
392 if (ntomask(AF_INET6, $1,
393 (u_32_t *)&$$.adf_addr) == -1)
394 yyerror("bad bitmask");
396 if (ntomask(AF_INET, $1,
397 (u_32_t *)&$$.adf_addr.in4) == -1)
398 yyerror("bad bitmask");
401 | ipv4 { bzero(&$$, sizeof($$));
402 $$.adf_addr.in4 = $1;
404 | YY_IPV6 { bzero(&$$, sizeof($$));
409 size: IPT_SIZE '=' YY_NUMBER { ipht.iph_size = $3; }
412 seed: IPT_SEED '=' YY_NUMBER { ipht.iph_seed = $3; }
415 ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER
416 { if ($1 > 255 || $3 > 255 || $5 > 255 || $7 > 255) {
417 yyerror("Invalid octet string for IP address");
420 $$.s_addr = ($1 << 24) | ($3 << 16) | ($5 << 8) | $7;
421 $$.s_addr = htonl($$.s_addr);
425 next: ';' { yyexpectaddr = 1; }
428 start: '{' { yyexpectaddr = 1; }
431 end: '}' { yyexpectaddr = 0; }
435 IPT_POOL unit '/' IPT_DSTLIST '(' name ';' dstopts ')'
437 { bzero((char *)&ipld, sizeof(ipld));
438 strncpy(ipld.ipld_name, $6,
439 sizeof(ipld.ipld_name));
441 ipld.ipld_policy = $8;
442 load_dstlist(&ipld, poolioctl, $11);
447 | IPT_POOL unit '/' IPT_TREE '(' name ';' ')'
449 { bzero((char *)&iplo, sizeof(iplo));
450 strncpy(iplo.ipo_name, $6,
451 sizeof(iplo.ipo_name));
454 load_pool(&iplo, poolioctl);
459 | IPT_POOL '(' name ';' ')' start addrlist end
460 { bzero((char *)&iplo, sizeof(iplo));
461 strncpy(iplo.ipo_name, $3,
462 sizeof(iplo.ipo_name));
464 iplo.ipo_unit = IPL_LOGALL;
465 load_pool(&iplo, poolioctl);
470 | IPT_POOL unit '/' IPT_HASH '(' name ';' hashoptlist ')'
473 bzero((char *)&ipht, sizeof(ipht));
474 strncpy(ipht.iph_name, $6,
475 sizeof(ipht.iph_name));
477 load_hash(&ipht, $11, poolioctl);
478 while ((h = ipht.iph_list) != NULL) {
479 ipht.iph_list = h->ipe_next;
486 | IPT_GROUPMAP '(' name ';' inout ';' ')'
487 start setgrouplist end
489 bzero((char *)&ipht, sizeof(ipht));
490 strncpy(ipht.iph_name, $3,
491 sizeof(ipht.iph_name));
492 ipht.iph_type = IPHASH_GROUPMAP;
493 ipht.iph_unit = IPL_LOGIPF;
495 load_hash(&ipht, $9, poolioctl);
496 while ((h = ipht.iph_list) != NULL) {
497 ipht.iph_list = h->ipe_next;
506 name: IPT_NAME YY_STR { $$ = $2; }
507 | IPT_NUM YY_NUMBER { char name[80];
508 sprintf(name, "%d", $2);
515 | hashoptlist ';' hashopt ';'
523 dstentries { $$ = $1; }
528 dstentry next { $$ = $1; }
529 | dstentry next dstentries { $1->ipfd_next = $3; $$ = $1; }
533 YY_STR ':' ipaddr { int size = sizeof(*$$) + strlen($1) + 1;
534 $$ = calloc(1, size);
536 $$->ipfd_dest.fd_name = strlen($1) + 1;
537 bcopy($1, $$->ipfd_names,
538 $$->ipfd_dest.fd_name);
539 $$->ipfd_dest.fd_addr = $3;
540 $$->ipfd_size = size;
544 | ipaddr { $$ = calloc(1, sizeof(*$$));
546 $$->ipfd_dest.fd_name = -1;
547 $$->ipfd_dest.fd_addr = $1;
548 $$->ipfd_size = sizeof(*$$);
555 | IPT_POLICY IPT_ROUNDROBIN ';' { $$ = IPLDP_ROUNDROBIN; }
556 | IPT_POLICY IPT_WEIGHTED weighting ';' { $$ = $3; }
557 | IPT_POLICY IPT_RANDOM ';' { $$ = IPLDP_RANDOM; }
558 | IPT_POLICY IPT_HASH ';' { $$ = IPLDP_HASHED; }
559 | IPT_POLICY IPT_SRCHASH ';' { $$ = IPLDP_SRCHASH; }
560 | IPT_POLICY IPT_DSTHASH ';' { $$ = IPLDP_DSTHASH; }
564 IPT_CONNECTION { $$ = IPLDP_CONNECTION; }
567 static wordtab_t yywords[] = {
569 { "auth", IPT_AUTH },
570 { "connection", IPT_CONNECTION },
571 { "count", IPT_COUNT },
572 { "dst-hash", IPT_DSTHASH },
573 { "dstlist", IPT_DSTLIST },
574 { "file", IPT_FILE },
575 { "group", IPT_GROUP },
576 { "group-map", IPT_GROUPMAP },
577 { "hash", IPT_HASH },
580 { "name", IPT_NAME },
582 { "number", IPT_NUM },
584 { "policy", IPT_POLICY },
585 { "pool", IPT_POOL },
586 { "random", IPT_RANDOM },
587 { "round-robin", IPT_ROUNDROBIN },
588 { "role", IPT_ROLE },
589 { "seed", IPT_SEED },
590 { "size", IPT_SIZE },
591 { "src-hash", IPT_SRCHASH },
592 { "table", IPT_TABLE },
593 { "tree", IPT_TREE },
594 { "type", IPT_TYPE },
595 { "weighted", IPT_WEIGHTED },
596 { "whois", IPT_WHOIS },
601 int ippool_parsefile(fd, filename, iocfunc)
610 (void) yysettab(yywords);
612 s = getenv("YYDEBUG");
618 if (strcmp(filename, "-")) {
619 fp = fopen(filename, "r");
621 fprintf(stderr, "fopen(%s) failed: %s\n", filename,
628 while (ippool_parsesome(fd, fp, iocfunc) == 1)
636 int ippool_parsesome(fd, fp, iocfunc)
651 if (ungetc(i, fp) == EOF)
655 s = getenv("YYDEBUG");
671 iphtent_t *htop, *hbot, *h;
674 if (!strncmp(url, "file://", 7) || !strncmp(url, "http://", 7)) {
675 hlist = load_url(url);
679 hlist = calloc(1, sizeof(*hlist));
683 if (gethost(hlist->al_family, url, &hlist->al_i6addr) == -1) {
684 yyerror("Unknown hostname");
691 for (a = hlist; a != NULL; a = a->al_next) {
692 h = calloc(1, sizeof(*h));
696 h->ipe_family = a->al_family;
697 h->ipe_addr = a->al_i6addr;
698 h->ipe_mask = a->al_i6mask;
713 static ip_pool_node_t *
717 ip_pool_node_t *ptop, *pbot, *p;
720 if (!strncmp(url, "file://", 7) || !strncmp(url, "http://", 7)) {
721 hlist = load_url(url);
725 hlist = calloc(1, sizeof(*hlist));
729 if (gethost(hlist->al_family, url, &hlist->al_i6addr) == -1) {
730 yyerror("Unknown hostname");
737 for (a = hlist; a != NULL; a = a->al_next) {
738 p = calloc(1, sizeof(*p));
741 p->ipn_mask.adf_addr = a->al_i6mask;
743 if (a->al_family == AF_INET) {
744 p->ipn_addr.adf_family = AF_INET;
746 } else if (a->al_family == AF_INET6) {
747 p->ipn_addr.adf_family = AF_INET6;
750 setadflen(&p->ipn_addr);
751 p->ipn_addr.adf_addr = a->al_i6addr;
752 p->ipn_info = a->al_not;
753 p->ipn_mask.adf_len = p->ipn_addr.adf_len;
772 ip_pool_node_t *ntop, *ipn, node, *last;
776 fp = fopen(file, "r");
782 while (fgets(line, sizeof(line) - 1, fp) != NULL) {
783 line[sizeof(line) - 1] = '\0';
785 if (parsewhoisline(line, &node.ipn_addr, &node.ipn_mask))
787 ipn = calloc(1, sizeof(*ipn));
790 ipn->ipn_addr = node.ipn_addr;
791 ipn->ipn_mask = node.ipn_mask;
795 last->ipn_next = ipn;
807 afp->adf_len = offsetof(addrfamily_t, adf_addr);
808 switch (afp->adf_family)
811 afp->adf_len += sizeof(struct in_addr);
815 afp->adf_len += sizeof(struct in6_addr);