4 * Copyright (C) 2012 by Darren Reed.
6 * See the IPFILTER.LICENCE file for details on licencing.
10 #include <sys/ioctl.h>
16 #include "netinet/ip_pool.h"
17 #include "netinet/ip_htable.h"
18 #include "netinet/ipl.h"
/*
 * Apply the statement list `x` to each rule of the current collection.
 * DOALL restarts at the collection head `frc` and walks the fr_next chain;
 * DOREM continues from wherever the file-scope `fr` currently points (the
 * list forms such as toslist/ttllist use it after lstart has reset fr to
 * frc).  Both loops advance the shared `fr` and leave it NULL on exit, so
 * an action that expands them must not rely on `fr` afterwards.
 */
22 #define DOALL(x) for (fr = frc; fr != NULL; fr = fr->fr_next) { x }
23 #define DOREM(x) for (; fr != NULL; fr = fr->fr_next) { x }
/* Entry points provided by the generated parser/lexer; yyerror is the
 * error hook the grammar actions call to reject bad input. */
25 extern void yyerror __P((char *));
26 extern int yyparse __P((void));
27 extern int yylex __P((void));
/*
 * File-local helpers called from the grammar actions; being static they
 * are defined elsewhere in this same file.  addname() interns a string
 * into the rule and returns its index, the set*/build_* helpers fill
 * fields of a frentry_t, and makepool()/makehash() build lookup tables
 * from an address list.
 */
32 static int addname __P((frentry_t **, char *));
33 static frentry_t *addrule __P((void));
34 static frentry_t *allocfr __P((void));
35 static void build_dstaddr_af __P((frentry_t *, void *));
36 static void build_srcaddr_af __P((frentry_t *, void *));
37 static void dobpf __P((int, char *));
38 static void doipfexpr __P((char *));
39 static void do_tuneint __P((char *, int));
40 static void do_tunestr __P((char *, char *));
41 static void fillgroup __P((frentry_t *));
42 static int lookuphost __P((char *, i6addr_t *));
43 static u_int makehash __P((struct alist_s *));
44 static int makepool __P((struct alist_s *));
45 static struct alist_s *newalist __P((struct alist_s *));
46 static void newrule __P((void));
47 static void resetaddr __P((void));
48 static void setgroup __P((frentry_t **, char *));
49 static void setgrhead __P((frentry_t **, char *));
50 static void seticmphead __P((frentry_t **, char *));
51 static void setifname __P((frentry_t **, int, char *));
52 static void setipftype __P((void));
53 static void setsyslog __P((void));
54 static void unsetsyslog __P((void));
/*
 * Parser state shared between the grammar actions.
 *   fr    - rule currently being filled in (most actions write fr->fr_*)
 *   frc   - head of the rule collection walked by DOALL
 *   frtop - finished list drained by the `line` rule and passed to ipfaddfunc
 *   frold - NOTE(review): not referenced in the part of the file shown; confirm its use
 */
56 frentry_t *fr = NULL, *frc = NULL, *frtop = NULL, *frold = NULL;
/* Kind (FRI_*) of the interface-derived address being parsed, e.g.
 * FRI_DYNAMIC, FRI_BROADCAST, FRI_NETWORK; maskopts refines it. */
58 static int ifpflag = 0;
/* Set to 1 by `not`/`no`, cleared after each `with` option is applied. */
59 static int nowith = 0;
/* NOTE(review): not referenced in the part of the file shown. */
60 static int dynamic = -1;
/* Raised once an address refers to a pool (`pool/...`) or hash (`hash/...`). */
61 static int pooled = 0;
62 static int hashed = 0;
/* Running count of rules generated; lend adds the number of list entries. */
63 static int nrules = 0;
/* 1 while parsing a `{ ... }` list (between lstart and lend). */
64 static int newlist = 0;
/* Descriptor handed to ipfaddfunc when a finished rule is installed. */
66 static int ipffd = -1;
/* Points at yyexpectaddr while an address is expected by the lexer; NULL otherwise. */
67 static int *yycont = NULL;
/* Per-device ioctl hooks indexed by IPL_LOG*; filter rules use IPL_LOGIPF. */
68 static ioctlfunc_t ipfioctls[IPL_LOGSIZE];
/* Callback that installs a finished rule through the chosen ioctl hook. */
69 static addfunc_t ipfaddfunc = NULL;
77 struct alist_s *alist;
104 char gname[FR_GROUPLEN];
108 %type <num> facility priority icmpcode seclevel secname icmptype
109 %type <num> opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr
110 %type <num> portc porteq ipmask maskopts
111 %type <ip4> ipv4 ipv4_16 ipv4_24
113 %type <ipp> addr ipaddr
114 %type <str> servicename name interfacename groupname
115 %type <pc> portrange portcomp
116 %type <alist> addrlist poollist
119 %token <num> YY_NUMBER YY_HEX
122 %token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
123 %token YY_RANGE_OUT YY_RANGE_IN
127 %token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL IPFY_NOMATCH
128 %token IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST
129 %token IPFY_IN IPFY_OUT
130 %token IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA
131 %token IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO IPFY_ROUTETO
132 %token IPFY_TOS IPFY_TTL IPFY_PROTO IPFY_INET IPFY_INET6
133 %token IPFY_HEAD IPFY_GROUP
134 %token IPFY_AUTH IPFY_PREAUTH
135 %token IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK IPFY_L5AS
136 %token IPFY_LOGTAG IPFY_MATCHTAG IPFY_SETTAG IPFY_SKIP IPFY_DECAPS
137 %token IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPFV4 IPFY_BPFV6 IPFY_POOL IPFY_HASH
138 %token IPFY_IPFEXPR IPFY_PPS IPFY_FAMILY IPFY_DSTLIST
139 %token IPFY_ESP IPFY_AH
140 %token IPFY_WITH IPFY_AND IPFY_NOT IPFY_NO IPFY_OPT
141 %token IPFY_TCPUDP IPFY_TCP IPFY_UDP
142 %token IPFY_FLAGS IPFY_MULTICAST
143 %token IPFY_MASK IPFY_BROADCAST IPFY_NETWORK IPFY_NETMASKED IPFY_PEER
144 %token IPFY_RPC IPFY_PORT
145 %token IPFY_NOW IPFY_COMMENT IPFY_RULETTL
146 %token IPFY_ICMP IPFY_ICMPTYPE IPFY_ICMPCODE
147 %token IPFY_IPOPTS IPFY_SHORT IPFY_NAT IPFY_BADSRC IPFY_LOWTTL IPFY_FRAG
148 %token IPFY_MBCAST IPFY_BAD IPFY_BADNAT IPFY_OOW IPFY_NEWISN IPFY_NOICMPERR
149 %token IPFY_KEEP IPFY_STATE IPFY_FRAGS IPFY_LIMIT IPFY_STRICT IPFY_AGE
150 %token IPFY_SYNC IPFY_FRAGBODY IPFY_ICMPHEAD IPFY_NOLOG IPFY_LOOSE
151 %token IPFY_MAX_SRCS IPFY_MAX_PER_SRC
152 %token IPFY_IPOPT_NOP IPFY_IPOPT_RR IPFY_IPOPT_ZSU IPFY_IPOPT_MTUP
153 %token IPFY_IPOPT_MTUR IPFY_IPOPT_ENCODE IPFY_IPOPT_TS IPFY_IPOPT_TR
154 %token IPFY_IPOPT_SEC IPFY_IPOPT_LSRR IPFY_IPOPT_ESEC IPFY_IPOPT_CIPSO
155 %token IPFY_IPOPT_SATID IPFY_IPOPT_SSRR IPFY_IPOPT_ADDEXT IPFY_IPOPT_VISA
156 %token IPFY_IPOPT_IMITD IPFY_IPOPT_EIP IPFY_IPOPT_FINN IPFY_IPOPT_DPS
157 %token IPFY_IPOPT_SDB IPFY_IPOPT_NSAPA IPFY_IPOPT_RTRALRT IPFY_IPOPT_UMP
158 %token IPFY_SECCLASS IPFY_SEC_UNC IPFY_SEC_CONF IPFY_SEC_RSV1 IPFY_SEC_RSV2
159 %token IPFY_SEC_RSV4 IPFY_SEC_SEC IPFY_SEC_TS IPFY_SEC_RSV3 IPFY_DOI
161 %token IPFY_V6HDRS IPFY_IPV6OPT IPFY_IPV6OPT_DSTOPTS IPFY_IPV6OPT_HOPOPTS
162 %token IPFY_IPV6OPT_IPV6 IPFY_IPV6OPT_NONE IPFY_IPV6OPT_ROUTING IPFY_V6HDR
163 %token IPFY_IPV6OPT_MOBILITY IPFY_IPV6OPT_ESP IPFY_IPV6OPT_FRAG
165 %token IPFY_ICMPT_UNR IPFY_ICMPT_ECHO IPFY_ICMPT_ECHOR IPFY_ICMPT_SQUENCH
166 %token IPFY_ICMPT_REDIR IPFY_ICMPT_TIMEX IPFY_ICMPT_PARAMP IPFY_ICMPT_TIMEST
167 %token IPFY_ICMPT_TIMESTREP IPFY_ICMPT_INFOREQ IPFY_ICMPT_INFOREP
168 %token IPFY_ICMPT_MASKREQ IPFY_ICMPT_MASKREP IPFY_ICMPT_ROUTERAD
169 %token IPFY_ICMPT_ROUTERSOL
171 %token IPFY_ICMPC_NETUNR IPFY_ICMPC_HSTUNR IPFY_ICMPC_PROUNR IPFY_ICMPC_PORUNR
172 %token IPFY_ICMPC_NEEDF IPFY_ICMPC_SRCFAIL IPFY_ICMPC_NETUNK IPFY_ICMPC_HSTUNK
173 %token IPFY_ICMPC_ISOLATE IPFY_ICMPC_NETPRO IPFY_ICMPC_HSTPRO
174 %token IPFY_ICMPC_NETTOS IPFY_ICMPC_HSTTOS IPFY_ICMPC_FLTPRO IPFY_ICMPC_HSTPRE
175 %token IPFY_ICMPC_CUTPRE
177 %token IPFY_FAC_KERN IPFY_FAC_USER IPFY_FAC_MAIL IPFY_FAC_DAEMON IPFY_FAC_AUTH
178 %token IPFY_FAC_SYSLOG IPFY_FAC_LPR IPFY_FAC_NEWS IPFY_FAC_UUCP IPFY_FAC_CRON
179 %token IPFY_FAC_LOCAL0 IPFY_FAC_LOCAL1 IPFY_FAC_LOCAL2 IPFY_FAC_LOCAL3
180 %token IPFY_FAC_LOCAL4 IPFY_FAC_LOCAL5 IPFY_FAC_LOCAL6 IPFY_FAC_LOCAL7
181 %token IPFY_FAC_SECURITY IPFY_FAC_FTP IPFY_FAC_AUTHPRIV IPFY_FAC_AUDIT
182 %token IPFY_FAC_LFMT IPFY_FAC_CONSOLE
184 %token IPFY_PRI_EMERG IPFY_PRI_ALERT IPFY_PRI_CRIT IPFY_PRI_ERR IPFY_PRI_WARN
185 %token IPFY_PRI_NOTICE IPFY_PRI_INFO IPFY_PRI_DEBUG
204 IPFY_SET YY_STR YY_NUMBER ';' { do_tuneint($2, $3); }
205 | IPFY_SET YY_STR YY_HEX ';' { do_tuneint($2, $3); }
206 | IPFY_SET YY_STR YY_STR ';' { do_tunestr($2, $3); }
209 line: rule { while ((fr = frtop) != NULL) {
212 if ((fr->fr_type == FR_T_IPF) &&
213 (fr->fr_ip.fi_v == 0))
216 (*ipfaddfunc)(ipffd, ipfioctls[IPL_LOGIPF], fr);
228 assign: YY_STR assigning YY_STR ';' { set_variable($1, $3);
237 '=' { yyvarnext = 1; }
248 rulehead markin inopts rulemain ruletail intag ruletail2
252 rulehead markout outopts rulemain ruletail outtag ruletail2
257 | xx insert collection action
260 markin: IPFY_IN { fr->fr_flags |= FR_INQUE; }
264 IPFY_OUT { fr->fr_flags |= FR_OUTQUE; }
274 family tos ttl proto ip
277 family: | IPFY_FAMILY IPFY_INET { if (use_inet6 == 1) {
280 frc->fr_family = AF_INET;
283 | IPFY_INET { if (use_inet6 == 1) {
286 frc->fr_family = AF_INET;
289 | IPFY_FAMILY IPFY_INET6 { if (use_inet6 == -1) {
292 frc->fr_family = AF_INET6;
295 | IPFY_INET6 { if (use_inet6 == -1) {
298 frc->fr_family = AF_INET6;
304 IPFY_BPFV4 '{' YY_STR '}' { dobpf(4, $3); free($3); }
305 | IPFY_BPFV6 '{' YY_STR '}' { dobpf(6, $3); free($3); }
309 IPFY_IPFEXPR '{' YY_STR '}' { doipfexpr($3); }
317 pps age new rulettl comment
320 intag: settagin matchtagin
323 outtag: settagout matchtagout
327 '@' YY_NUMBER { fr->fr_hits = (U_QUAD_T)$2 + 1; }
331 | YY_NUMBER { fr->fr_collect = $1; }
335 | IPFY_PASS { fr->fr_flags |= FR_PASS; }
336 | IPFY_NOMATCH { fr->fr_flags |= FR_NOMATCH; }
338 | IPFY_COUNT { fr->fr_flags |= FR_ACCOUNT; }
339 | decaps { fr->fr_flags |= FR_DECAPSULATE; }
341 | IPFY_SKIP YY_NUMBER { fr->fr_flags |= FR_SKIP;
344 | IPFY_CALL IPFY_NOW func { fr->fr_flags |= FR_CALLNOW; }
348 | blocked blockreturn
352 IPFY_BLOCK { fr->fr_flags = FR_BLOCK; }
355 IPFY_RETICMP { fr->fr_flags |= FR_RETICMP; }
356 | IPFY_RETICMP returncode { fr->fr_flags |= FR_RETICMP; }
357 | IPFY_RETICMPASDST { fr->fr_flags |= FR_FAKEICMP; }
358 | IPFY_RETICMPASDST returncode { fr->fr_flags |= FR_FAKEICMP; }
359 | IPFY_RETRST { fr->fr_flags |= FR_RETRST; }
363 | IPFY_DECAPS IPFY_L5AS '(' YY_STR ')'
364 { fr->fr_icode = atoi($4); }
/* `log [options]`: mark the rule for logging; any logoptions refine it. */
367 log: IPFY_LOG { fr->fr_flags |= FR_LOG; }
368 | IPFY_LOG logoptions { fr->fr_flags |= FR_LOG; }
/* `auth [return-action]` / `preauth`: hand the packet to the auth
 * mechanism (FR_AUTH) or the pre-auth path (FR_PREAUTH).  A trailing
 * blockreturn adds its own FR_RET* flag on top of FR_AUTH. */
371 auth: IPFY_AUTH { fr->fr_flags |= FR_AUTH; }
372 | IPFY_AUTH blockreturn { fr->fr_flags |= FR_AUTH;}
373 | IPFY_PREAUTH { fr->fr_flags |= FR_PREAUTH; }
376 func: YY_STR '/' YY_NUMBER
377 { fr->fr_func = nametokva($1, ipfioctls[IPL_LOGIPF]);
411 tos: | settos YY_NUMBER { DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
412 | settos YY_HEX { DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
413 | settos lstart toslist lend
416 settos: IPFY_TOS { setipftype(); }
420 YY_NUMBER { DOALL(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
421 | YY_HEX { DOREM(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
422 | toslist lmore YY_NUMBER
423 { DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
424 | toslist lmore YY_HEX
425 { DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
428 ttl: | setttl YY_NUMBER
429 { DOALL(fr->fr_ttl = $2; fr->fr_mttl = 0xff;) }
430 | setttl lstart ttllist lend
433 lstart: '{' { newlist = 1; fr = frc; added = 0; }
436 lend: '}' { nrules += added; }
439 lmore: lanother { if (newlist == 1) {
452 setttl: IPFY_TTL { setipftype(); }
456 YY_NUMBER { DOREM(fr->fr_ttl = $1; fr->fr_mttl = 0xff;) }
457 | ttllist lmore YY_NUMBER
458 { DOREM(fr->fr_ttl = $3; fr->fr_mttl = 0xff;) }
461 proto: | protox protocol { yyresetdict(); }
464 protox: IPFY_PROTO { setipftype();
469 ip: srcdst flags icmp
472 group: | IPFY_GROUP groupname { DOALL(setgroup(&fr, $2); \
478 head: | IPFY_HEAD groupname { DOALL(setgrhead(&fr, $2););
485 if (strlen($$) >= FR_GROUPLEN)
486 $$[FR_GROUPLEN - 1] = '\0';
488 | YY_NUMBER { $$ = malloc(16);
489 sprintf($$, "%d", $1);
494 | IPFY_SETTAG '(' taginlist ')'
499 | taginlist ',' taginspec
506 nattag: IPFY_NAT '=' YY_STR { DOALL(strncpy(fr->fr_nattag.ipt_tag,\
509 | IPFY_NAT '=' YY_NUMBER { DOALL(sprintf(fr->fr_nattag.ipt_tag,\
510 "%d", $3 & 0xffffffff);) }
513 logtag: IPFY_LOG '=' YY_NUMBER { DOALL(fr->fr_logtag = $3;) }
517 | IPFY_SETTAG '(' tagoutlist ')'
522 | tagoutlist ',' tagoutspec
531 | IPFY_MATCHTAG '(' tagoutlist ')'
535 | IPFY_MATCHTAG '(' taginlist ')'
538 pps: | IPFY_PPS YY_NUMBER { DOALL(fr->fr_pps = $2;) }
541 new: | savegroup file restoregroup
545 | IPFY_RULETTL YY_NUMBER { DOALL(fr->fr_die = $2;) }
549 | IPFY_COMMENT YY_STR { DOALL(fr->fr_comment = addname(&fr, \
564 quick: IPFY_QUICK { fr->fr_flags |= FR_QUICK; }
567 on: IPFY_ON onname { setifname(&fr, 0, $2.if1);
569 if ($2.if2 != NULL) {
575 | IPFY_ON lstart onlist lend
576 | IPFY_ON onname IPFY_INVIA vianame { setifname(&fr, 0, $2.if1);
578 if ($2.if2 != NULL) {
584 | IPFY_ON onname IPFY_OUTVIA vianame { setifname(&fr, 0, $2.if1);
586 if ($2.if2 != NULL) {
594 onlist: onname { DOREM(setifname(&fr, 0, $1.if1); \
595 if ($1.if2 != NULL) \
596 setifname(&fr, 1, $1.if2); \
602 | onlist lmore onname { DOREM(setifname(&fr, 0, $3.if1); \
603 if ($3.if2 != NULL) \
604 setifname(&fr, 1, $3.if2); \
612 onname: interfacename { $$.if1 = $1;
615 | interfacename ',' interfacename
622 name { setifname(&fr, 2, $1);
625 | name ',' name { setifname(&fr, 2, $1);
627 setifname(&fr, 3, $3);
633 { int idx = addname(&fr, $2);
634 fr->fr_dif.fd_name = idx;
637 | IPFY_DUPTO IPFY_DSTLIST '/' name
638 { int idx = addname(&fr, $4);
639 fr->fr_dif.fd_name = idx;
640 fr->fr_dif.fd_type = FRD_DSTLIST;
643 | IPFY_DUPTO name duptoseparator hostname
644 { int idx = addname(&fr, $2);
645 fr->fr_dif.fd_name = idx;
646 fr->fr_dif.fd_ptr = (void *)-1;
647 fr->fr_dif.fd_ip6 = $4.adr;
648 if (fr->fr_family == AF_UNSPEC && $4.f != AF_UNSPEC)
649 fr->fr_family = $4.f;
656 ':' { yyexpectaddr = 1; yycont = &yyexpectaddr; resetaddr(); }
659 froute: IPFY_FROUTE { fr->fr_flags |= FR_FASTROUTE; }
663 { int idx = addname(&fr, $2);
664 fr->fr_tif.fd_name = idx;
667 | routeto IPFY_DSTLIST '/' name
668 { int idx = addname(&fr, $4);
669 fr->fr_tif.fd_name = idx;
670 fr->fr_tif.fd_type = FRD_DSTLIST;
673 | routeto name duptoseparator hostname
674 { int idx = addname(&fr, $2);
675 fr->fr_tif.fd_name = idx;
676 fr->fr_tif.fd_ptr = (void *)-1;
677 fr->fr_tif.fd_ip6 = $4.adr;
678 if (fr->fr_family == AF_UNSPEC && $4.f != AF_UNSPEC)
679 fr->fr_family = $4.f;
692 { int idx = addname(&fr, $2);
693 fr->fr_rif.fd_name = idx;
696 | IPFY_REPLY_TO IPFY_DSTLIST '/' name
697 { fr->fr_rif.fd_name = addname(&fr, $4);
698 fr->fr_rif.fd_type = FRD_DSTLIST;
701 | IPFY_REPLY_TO name duptoseparator hostname
702 { int idx = addname(&fr, $2);
703 fr->fr_rif.fd_name = idx;
704 fr->fr_rif.fd_ptr = (void *)-1;
705 fr->fr_rif.fd_ip6 = $4.adr;
706 if (fr->fr_family == AF_UNSPEC && $4.f != AF_UNSPEC)
707 fr->fr_family = $4.f;
714 | logoptions logoption
718 IPFY_BODY { fr->fr_flags |= FR_LOGBODY; }
719 | IPFY_FIRST { fr->fr_flags |= FR_LOGFIRST; }
720 | IPFY_ORBLOCK { fr->fr_flags |= FR_LOGORBLOCK; }
721 | level loglevel { unsetsyslog(); }
725 starticmpcode icmpcode ')' { fr->fr_icode = $2; yyresetdict(); }
729 '(' { yysetdict(icmpcodewords); }
737 YY_NUMBER { DOALL(fr->fr_proto = $1; \
738 fr->fr_mproto = 0xff;)
740 | YY_STR { if (!strcmp($1, "tcp-udp")) {
741 DOALL(fr->fr_flx |= FI_TCPUDP; \
742 fr->fr_mflx |= FI_TCPUDP;)
744 int p = getproto($1);
746 yyerror("protocol unknown");
747 DOALL(fr->fr_proto = p; \
748 fr->fr_mproto = 0xff;)
752 | YY_STR nextstring YY_STR
753 { if (!strcmp($1, "tcp") &&
754 !strcmp($3, "udp")) {
755 DOREM(fr->fr_flx |= FI_TCPUDP; \
756 fr->fr_mflx |= FI_TCPUDP;)
766 '/' { yysetdict(NULL); }
/* Source/destination clause.  Once the endpoints are parsed, leave
 * address mode: clear yyexpectaddr and drop the yycont pointer that
 * `from`/`to` installed. */
769 fromto: from srcobject to dstobject { yyexpectaddr = 0; yycont = NULL; }
770 | to dstobject { yyexpectaddr = 0; yycont = NULL; }
771 | from srcobject { yyexpectaddr = 0; yycont = NULL; }
774 from: IPFY_FROM { setipftype();
779 printf("set yyexpectaddr\n");
780 yycont = &yyexpectaddr;
781 yysetdict(addrwords);
785 to: IPFY_TO { if (fr == NULL)
789 printf("set yyexpectaddr\n");
790 yycont = &yyexpectaddr;
791 yysetdict(addrwords);
796 with: | andwith withlist
800 IPFY_WITH { nowith = 0; setipftype(); }
801 | IPFY_AND { nowith = 0; setipftype(); }
/*
 * TCP flag match: `flags <set>[/<mask>]` or `flags /<mask>`, where each
 * half is either a flag-letter string (flagset, via tcpflags()) or a
 * number.  Without an explicit mask the full mask FR_TCPFMAX is used;
 * without an explicit set fr_tcpf is 0.  Applied to every rule of the
 * collection via DOALL.  startflags (the next rule) rejects the keyword
 * on non-ipf and non-TCP rules.
 * NOTE(review): the YY_NUMBER forms are stored without a range check
 * here; confirm fr_tcpf/fr_tcpfm can hold the value or that it is
 * validated elsewhere.
 */
804 flags: | startflags flagset
805 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
806 | startflags flagset '/' flagset
807 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
808 | startflags '/' flagset
809 { DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
810 | startflags YY_NUMBER
811 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
812 | startflags '/' YY_NUMBER
813 { DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
814 | startflags YY_NUMBER '/' YY_NUMBER
815 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
816 | startflags flagset '/' YY_NUMBER
817 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
818 | startflags YY_NUMBER '/' flagset
819 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
823 IPFY_FLAGS { if (frc->fr_type != FR_T_IPF)
824 yyerror("flags with non-ipf type rule");
825 if (frc->fr_proto != IPPROTO_TCP)
826 yyerror("flags with non-TCP rule");
831 YY_STR { $$ = tcpflags($1); free($1); }
832 | YY_HEX { $$ = $1; }
836 { yyresetdict(); } fromport
838 | '!' srcaddr srcport
839 { DOALL(fr->fr_flags |= FR_NOTSRCIP;) }
843 addr { build_srcaddr_af(fr, &$1); }
844 | lstart srcaddrlist lend
848 addr { build_srcaddr_af(fr, &$1); }
849 | srcaddrlist lmore addr
850 { build_srcaddr_af(fr, &$3); }
855 { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
857 { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
858 fr->fr_stop = $1.p2;) }
859 | porteq lstart srcportlist lend
865 { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
867 { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
868 fr->fr_stop = $1.p2;) }
869 | porteq lstart srcportlist lend
874 portnum { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $1;) }
875 | portnum ':' portnum
876 { DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $1; \
878 | portnum YY_RANGE_IN portnum
879 { DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $1; \
881 | srcportlist lmore portnum
882 { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $3;) }
883 | srcportlist lmore portnum ':' portnum
884 { DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $3; \
886 | srcportlist lmore portnum YY_RANGE_IN portnum
887 { DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $3; \
892 { yyresetdict(); } toport
894 | '!' dstaddr dstport
895 { DOALL(fr->fr_flags |= FR_NOTDSTIP;) }
899 addr { if (($1.f != AF_UNSPEC) && (frc->fr_family != AF_UNSPEC) &&
900 ($1.f != frc->fr_family))
901 yyerror("1.src/dst address family mismatch");
902 build_dstaddr_af(fr, &$1);
904 | lstart dstaddrlist lend
908 addr { if (($1.f != AF_UNSPEC) && (frc->fr_family != AF_UNSPEC) &&
909 ($1.f != frc->fr_family))
910 yyerror("2.src/dst address family mismatch");
911 build_dstaddr_af(fr, &$1);
913 | dstaddrlist lmore addr
914 { if (($3.f != AF_UNSPEC) && (frc->fr_family != AF_UNSPEC) &&
915 ($3.f != frc->fr_family))
916 yyerror("3.src/dst address family mismatch");
917 build_dstaddr_af(fr, &$3);
924 { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
926 { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
927 fr->fr_dtop = $1.p2;) }
928 | porteq lstart dstportlist lend
934 { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
936 { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
937 fr->fr_dtop = $1.p2;) }
938 | porteq lstart dstportlist lend
943 portnum { DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $1;) }
944 | portnum ':' portnum
945 { DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $1; \
947 | portnum YY_RANGE_IN portnum
948 { DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $1; \
950 | dstportlist lmore portnum
951 { DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $3;) }
952 | dstportlist lmore portnum ':' portnum
953 { DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $3; \
955 | dstportlist lmore portnum YY_RANGE_IN portnum
956 { DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $3; \
960 addr: pool '/' YY_NUMBER { pooled = 1;
962 $$.type = FRI_LOOKUP;
966 $$.a.iplookuptype = IPLT_POOL;
967 $$.a.iplookupsubtype = 0;
968 $$.a.iplookupnum = $3; }
969 | pool '/' YY_STR { pooled = 1;
972 $$.type = FRI_LOOKUP;
973 $$.a.iplookuptype = IPLT_POOL;
974 $$.a.iplookupsubtype = 1;
975 $$.a.iplookupname = addname(&fr, $3);
977 | pool '=' '(' { yyexpectaddr = 1;
980 poollist ')' { yyexpectaddr = 0;
984 $$.type = FRI_LOOKUP;
985 $$.a.iplookuptype = IPLT_POOL;
986 $$.a.iplookupsubtype = 0;
987 $$.a.iplookupnum = makepool($5);
989 | hash '/' YY_NUMBER { hashed = 1;
994 $$.type = FRI_LOOKUP;
995 $$.a.iplookuptype = IPLT_HASH;
996 $$.a.iplookupsubtype = 0;
997 $$.a.iplookupnum = $3;
999 | hash '/' YY_STR { hashed = 1;
1000 $$.type = FRI_LOOKUP;
1004 $$.a.iplookuptype = IPLT_HASH;
1005 $$.a.iplookupsubtype = 1;
1006 $$.a.iplookupname = addname(&fr, $3);
1008 | hash '=' '(' { hashed = 1;
1011 addrlist ')' { yyexpectaddr = 0;
1015 $$.type = FRI_LOOKUP;
1016 $$.a.iplookuptype = IPLT_HASH;
1017 $$.a.iplookupsubtype = 0;
1018 $$.a.iplookupnum = makehash($5);
1024 ipaddr: IPFY_ANY { memset(&($$), 0, sizeof($$));
1025 $$.type = FRI_NORMAL;
1029 | hostname { memset(&($$), 0, sizeof($$));
1032 if ($1.f == AF_INET6)
1033 fill6bits(128, $$.m.i6);
1034 else if ($1.f == AF_INET)
1035 fill6bits(32, $$.m.i6);
1038 $$.type = FRI_NORMAL;
1040 | hostname { yyresetdict(); }
1041 maskspace { yysetdict(maskwords);
1043 ipmask { memset(&($$), 0, sizeof($$));
1044 ntomask($1.f, $5, $$.m.i6);
1046 $$.a.i6[0] &= $$.m.i6[0];
1047 $$.a.i6[1] &= $$.m.i6[1];
1048 $$.a.i6[2] &= $$.m.i6[2];
1049 $$.a.i6[3] &= $$.m.i6[3];
1054 if (ifpflag != 0 && $$.v == 0) {
1055 if (frc->fr_family == AF_INET6){
1066 | '(' YY_STR ')' { memset(&($$), 0, sizeof($$));
1067 $$.type = FRI_DYNAMIC;
1068 ifpflag = FRI_DYNAMIC;
1069 $$.ifpos = addname(&fr, $2);
1072 | '(' YY_STR ')' '/'
1073 { ifpflag = FRI_DYNAMIC; yysetdict(maskwords); }
1075 { memset(&($$), 0, sizeof($$));
1077 $$.ifpos = addname(&fr, $2);
1079 if (frc->fr_family == AF_UNSPEC)
1080 frc->fr_family = AF_INET;
1081 if (ifpflag == FRI_DYNAMIC) {
1082 ntomask(frc->fr_family,
1088 | '(' YY_STR ':' YY_NUMBER ')' '/'
1089 { ifpflag = FRI_DYNAMIC; yysetdict(maskwords); }
1091 { memset(&($$), 0, sizeof($$));
1093 $$.ifpos = addname(&fr, $2);
1095 if (frc->fr_family == AF_UNSPEC)
1096 frc->fr_family = AF_INET;
1097 if (ifpflag == FRI_DYNAMIC) {
1098 ntomask(frc->fr_family,
/*
 * Network mask, normalised to a prefix length: a dotted quad (ipv4) or a
 * hex word (after htonl) is counted with count4bits, an IPv6 address with
 * count6bits, and a plain number or a maskopts value is passed through
 * unchanged.
 * NOTE(review): the YY_NUMBER form is not range-checked here; presumably
 * ntomask() in the callers bounds it - confirm.
 */
1111 ipmask: ipv4 { $$ = count4bits($1.s_addr); }
1112 | YY_HEX { $$ = count4bits(htonl($1)); }
1113 | YY_NUMBER { $$ = $1; }
1114 | YY_IPV6 { $$ = count6bits($1.i6); }
1115 | maskopts { $$ = $1; }
1119 IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) {
1120 ifpflag = FRI_BROADCAST;
1126 | IPFY_NETWORK { if (ifpflag == FRI_DYNAMIC) {
1127 ifpflag = FRI_NETWORK;
1133 | IPFY_NETMASKED { if (ifpflag == FRI_DYNAMIC) {
1134 ifpflag = FRI_NETMASKED;
1140 | IPFY_PEER { if (ifpflag == FRI_DYNAMIC) {
1141 ifpflag = FRI_PEERADDR;
1147 | YY_NUMBER { $$ = $1; }
1151 ipv4 { memset(&($$), 0, sizeof($$));
1153 if (frc->fr_family == AF_INET6)
1158 | YY_NUMBER { memset(&($$), 0, sizeof($$));
1159 if (frc->fr_family == AF_INET6)
1161 $$.adr.in4_addr = $1;
1165 | YY_HEX { memset(&($$), 0, sizeof($$));
1166 if (frc->fr_family == AF_INET6)
1168 $$.adr.in4_addr = $1;
1172 | YY_STR { memset(&($$), 0, sizeof($$));
1173 if (lookuphost($1, &$$.adr) == 0)
1178 | YY_IPV6 { memset(&($$), 0, sizeof($$));
1179 if (frc->fr_family == AF_INET)
1188 ipaddr { $$ = newalist(NULL);
1189 $$->al_family = $1.f;
1190 $$->al_i6addr = $1.a;
1191 $$->al_i6mask = $1.m;
1193 | ipaddr ',' { yyexpectaddr = 1; } addrlist
1194 { $$ = newalist($4);
1195 $$->al_family = $1.f;
1196 $$->al_i6addr = $1.a;
1197 $$->al_i6mask = $1.m;
1201 pool: IPFY_POOL { yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
1204 hash: IPFY_HASH { yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
1208 ipaddr { $$ = newalist(NULL);
1209 $$->al_family = $1.f;
1210 $$->al_i6addr = $1.a;
1211 $$->al_i6mask = $1.m;
1213 | '!' ipaddr { $$ = newalist(NULL);
1215 $$->al_family = $2.f;
1216 $$->al_i6addr = $2.a;
1217 $$->al_i6mask = $2.m;
1219 | poollist ',' ipaddr
1220 { $$ = newalist($1);
1221 $$->al_family = $3.f;
1222 $$->al_i6addr = $3.a;
1223 $$->al_i6mask = $3.m;
1225 | poollist ',' '!' ipaddr
1226 { $$ = newalist($1);
1228 $$->al_family = $4.f;
1229 $$->al_i6addr = $4.a;
1230 $$->al_i6mask = $4.m;
1234 port: IPFY_PORT { yyexpectaddr = 0;
1236 if (frc->fr_proto != 0 &&
1237 frc->fr_proto != IPPROTO_UDP &&
1238 frc->fr_proto != IPPROTO_TCP)
1239 yyerror("port use incorrect");
1243 portc: port compare { $$ = $2;
1246 | porteq { $$ = $1; }
1249 porteq: port '=' { $$ = FR_EQUAL;
1254 portr: IPFY_PORT { yyexpectaddr = 0;
1261 portc portnum { $$.pc = $1;
1268 portr portnum range portnum { $$.p1 = $2;
1278 itype: seticmptype icmptype
1279 { DOALL(fr->fr_icmp = htons($2 << 8); fr->fr_icmpm = htons(0xff00););
1282 | seticmptype lstart typelist lend { yyresetdict(); }
1286 IPFY_ICMPTYPE { if (frc->fr_family == AF_UNSPEC)
1287 frc->fr_family = AF_INET;
1288 if (frc->fr_family == AF_INET &&
1289 frc->fr_type == FR_T_IPF &&
1290 frc->fr_proto != IPPROTO_ICMP) {
1291 yyerror("proto not icmp");
1293 if (frc->fr_family == AF_INET6 &&
1294 frc->fr_type == FR_T_IPF &&
1295 frc->fr_proto != IPPROTO_ICMPV6) {
1296 yyerror("proto not ipv6-icmp");
1299 DOALL(if (fr->fr_family == AF_INET) { \
1300 fr->fr_ip.fi_v = 4; \
1301 fr->fr_mip.fi_v = 0xf; \
1303 if (fr->fr_family == AF_INET6) { \
1304 fr->fr_ip.fi_v = 6; \
1305 fr->fr_mip.fi_v = 0xf; \
1312 icode: | seticmpcode icmpcode
1313 { DOALL(fr->fr_icmp |= htons($2); fr->fr_icmpm |= htons(0xff););
1316 | seticmpcode lstart codelist lend { yyresetdict(); }
1320 IPFY_ICMPCODE { yysetdict(icmpcodewords); }
1325 { DOREM(fr->fr_icmp = htons($1 << 8); fr->fr_icmpm = htons(0xff00);) }
1326 | typelist lmore icmptype
1327 { DOREM(fr->fr_icmp = htons($3 << 8); fr->fr_icmpm = htons(0xff00);) }
1332 { DOREM(fr->fr_icmp |= htons($1); fr->fr_icmpm |= htons(0xff);) }
1333 | codelist lmore icmpcode
1334 { DOREM(fr->fr_icmp &= htons(0xff00); fr->fr_icmp |= htons($3); \
1335 fr->fr_icmpm |= htons(0xff);) }
1338 age: | IPFY_AGE YY_NUMBER { DOALL(fr->fr_age[0] = $2; \
1339 fr->fr_age[1] = $2;) }
1340 | IPFY_AGE YY_NUMBER '/' YY_NUMBER
1341 { DOALL(fr->fr_age[0] = $2; \
1342 fr->fr_age[1] = $4;) }
1345 keep: | IPFY_KEEP keepstate keep
1346 | IPFY_KEEP keepfrag keep
1350 IPFY_STATE stateoptlist { DOALL(fr->fr_flags |= FR_KEEPSTATE;)}
1354 IPFY_FRAGS fragoptlist { DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
1355 | IPFY_FRAG fragoptlist { DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
1363 fragopt lanother fragopts
1368 IPFY_STRICT { DOALL(fr->fr_flags |= FR_FRSTRICT;) }
1376 stateopt lanother stateopts
1381 IPFY_LIMIT YY_NUMBER { DOALL(fr->fr_statemax = $2;) }
1382 | IPFY_STRICT { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
1384 } else if (fr->fr_flags & FR_STLOOSE) {\
1387 fr->fr_flags |= FR_STSTRICT;)
1389 | IPFY_LOOSE { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
1391 } else if (fr->fr_flags & FR_STSTRICT){\
1394 fr->fr_flags |= FR_STLOOSE;)
1396 | IPFY_NEWISN { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
1399 fr->fr_flags |= FR_NEWISN;)
1401 | IPFY_NOICMPERR { DOALL(fr->fr_flags |= FR_NOICMPERR;) }
1403 | IPFY_SYNC { DOALL(fr->fr_flags |= FR_STATESYNC;) }
1404 | IPFY_AGE YY_NUMBER { DOALL(fr->fr_age[0] = $2; \
1405 fr->fr_age[1] = $2;) }
1406 | IPFY_AGE YY_NUMBER '/' YY_NUMBER
1407 { DOALL(fr->fr_age[0] = $2; \
1408 fr->fr_age[1] = $4;) }
1409 | IPFY_ICMPHEAD groupname
1410 { DOALL(seticmphead(&fr, $2);)
1414 { DOALL(fr->fr_nostatelog = 1;) }
1416 { DOALL(fr->fr_rpc = 1;) }
1417 | IPFY_RPC IPFY_IN YY_STR
1418 { DOALL(fr->fr_rpc = 1;) }
1419 | IPFY_MAX_SRCS YY_NUMBER
1420 { DOALL(fr->fr_srctrack.ht_max_nodes = $2;) }
1421 | IPFY_MAX_PER_SRC YY_NUMBER
1422 { DOALL(fr->fr_srctrack.ht_max_per_node = $2; \
1423 fr->fr_srctrack.ht_netmask = \
1424 fr->fr_family == AF_INET ? 32: 128;)
1426 | IPFY_MAX_PER_SRC YY_NUMBER '/' YY_NUMBER
1427 { DOALL(fr->fr_srctrack.ht_max_per_node = $2; \
1428 fr->fr_srctrack.ht_netmask = $4;)
1433 servicename { if (getport(frc, $1,
1435 yyerror("service unknown");
1439 | YY_NUMBER { if ($1 > 65535) /* Unsigned */
1440 yyerror("invalid port number");
1447 withopt { nowith = 0; }
1448 | withlist withopt { nowith = 0; }
1449 | withlist ',' withopt { nowith = 0; }
1453 opttype { DOALL(fr->fr_flx |= $1; fr->fr_mflx |= $1;) }
1454 | notwith opttype { DOALL(fr->fr_mflx |= $2;) }
1455 | ipopt ipopts { yyresetdict(); }
1456 | notwith ipopt ipopts { yyresetdict(); }
1457 | startv6hdr ipv6hdrs { yyresetdict(); }
1460 ipopt: IPFY_OPT { yysetdict(ipv4optwords); }
1464 IPFY_V6HDR { if (frc->fr_family != AF_INET6)
1465 yyerror("only available with IPv6");
1466 yysetdict(ipv6optwords);
1471 IPFY_NOT { nowith = 1; }
1472 | IPFY_NO { nowith = 1; }
1476 IPFY_IPOPTS { $$ = FI_OPTIONS; }
1477 | IPFY_SHORT { $$ = FI_SHORT; }
1478 | IPFY_NAT { $$ = FI_NATED; }
1479 | IPFY_BAD { $$ = FI_BAD; }
1480 | IPFY_BADNAT { $$ = FI_BADNAT; }
1481 | IPFY_BADSRC { $$ = FI_BADSRC; }
1482 | IPFY_LOWTTL { $$ = FI_LOWTTL; }
1483 | IPFY_FRAG { $$ = FI_FRAG; }
1484 | IPFY_FRAGBODY { $$ = FI_FRAGBODY; }
1485 | IPFY_FRAGS { $$ = FI_FRAG; }
1486 | IPFY_MBCAST { $$ = FI_MBCAST; }
1487 | IPFY_MULTICAST { $$ = FI_MULTICAST; }
1488 | IPFY_BROADCAST { $$ = FI_BROADCAST; }
1489 | IPFY_STATE { $$ = FI_STATE; }
1490 | IPFY_OOW { $$ = FI_OOW; }
1491 | IPFY_AH { $$ = FI_AH; }
1492 | IPFY_V6HDRS { $$ = FI_V6EXTHDR; }
1495 ipopts: optlist { DOALL(fr->fr_mip.fi_optmsk |= $1;
1496 if (fr->fr_family == AF_UNSPEC) {
1497 fr->fr_family = AF_INET;
1499 fr->fr_mip.fi_v = 0xf;
1500 } else if (fr->fr_family != AF_INET) {
1504 fr->fr_ip.fi_optmsk |= $1;)
1510 | optlist ',' opt { $$ |= $1 | $3; }
1514 ipv6hdrlist { DOALL(fr->fr_mip.fi_optmsk |= $1;
1516 fr->fr_ip.fi_optmsk |= $1;)
1521 ipv6hdr { $$ |= $1; }
1522 | ipv6hdrlist ',' ipv6hdr { $$ |= $1 | $3; }
1526 seclevel { $$ |= $1; }
1527 | secname ',' seclevel { $$ |= $1 | $3; }
1531 IPFY_SEC_UNC { $$ = secbit(IPSO_CLASS_UNCL); }
1532 | IPFY_SEC_CONF { $$ = secbit(IPSO_CLASS_CONF); }
1533 | IPFY_SEC_RSV1 { $$ = secbit(IPSO_CLASS_RES1); }
1534 | IPFY_SEC_RSV2 { $$ = secbit(IPSO_CLASS_RES2); }
1535 | IPFY_SEC_RSV3 { $$ = secbit(IPSO_CLASS_RES3); }
1536 | IPFY_SEC_RSV4 { $$ = secbit(IPSO_CLASS_RES4); }
1537 | IPFY_SEC_SEC { $$ = secbit(IPSO_CLASS_SECR); }
1538 | IPFY_SEC_TS { $$ = secbit(IPSO_CLASS_TOPS); }
1542 YY_NUMBER { $$ = $1; }
1543 | YY_STR { $$ = geticmptype(frc->fr_family, $1);
1545 yyerror("unrecognised icmp type");
1550 YY_NUMBER { $$ = $1; }
1551 | IPFY_ICMPC_NETUNR { $$ = ICMP_UNREACH_NET; }
1552 | IPFY_ICMPC_HSTUNR { $$ = ICMP_UNREACH_HOST; }
1553 | IPFY_ICMPC_PROUNR { $$ = ICMP_UNREACH_PROTOCOL; }
1554 | IPFY_ICMPC_PORUNR { $$ = ICMP_UNREACH_PORT; }
1555 | IPFY_ICMPC_NEEDF { $$ = ICMP_UNREACH_NEEDFRAG; }
1556 | IPFY_ICMPC_SRCFAIL { $$ = ICMP_UNREACH_SRCFAIL; }
1557 | IPFY_ICMPC_NETUNK { $$ = ICMP_UNREACH_NET_UNKNOWN; }
1558 | IPFY_ICMPC_HSTUNK { $$ = ICMP_UNREACH_HOST_UNKNOWN; }
1559 | IPFY_ICMPC_ISOLATE { $$ = ICMP_UNREACH_ISOLATED; }
1560 | IPFY_ICMPC_NETPRO { $$ = ICMP_UNREACH_NET_PROHIB; }
1561 | IPFY_ICMPC_HSTPRO { $$ = ICMP_UNREACH_HOST_PROHIB; }
1562 | IPFY_ICMPC_NETTOS { $$ = ICMP_UNREACH_TOSNET; }
1563 | IPFY_ICMPC_HSTTOS { $$ = ICMP_UNREACH_TOSHOST; }
1564 | IPFY_ICMPC_FLTPRO { $$ = ICMP_UNREACH_ADMIN_PROHIBIT; }
1565 | IPFY_ICMPC_HSTPRE { $$ = 14; }
1566 | IPFY_ICMPC_CUTPRE { $$ = 15; }
1570 IPFY_IPOPT_NOP { $$ = getoptbyvalue(IPOPT_NOP); }
1571 | IPFY_IPOPT_RR { $$ = getoptbyvalue(IPOPT_RR); }
1572 | IPFY_IPOPT_ZSU { $$ = getoptbyvalue(IPOPT_ZSU); }
1573 | IPFY_IPOPT_MTUP { $$ = getoptbyvalue(IPOPT_MTUP); }
1574 | IPFY_IPOPT_MTUR { $$ = getoptbyvalue(IPOPT_MTUR); }
1575 | IPFY_IPOPT_ENCODE { $$ = getoptbyvalue(IPOPT_ENCODE); }
1576 | IPFY_IPOPT_TS { $$ = getoptbyvalue(IPOPT_TS); }
1577 | IPFY_IPOPT_TR { $$ = getoptbyvalue(IPOPT_TR); }
1578 | IPFY_IPOPT_SEC { $$ = getoptbyvalue(IPOPT_SECURITY); }
1579 | IPFY_IPOPT_LSRR { $$ = getoptbyvalue(IPOPT_LSRR); }
1580 | IPFY_IPOPT_ESEC { $$ = getoptbyvalue(IPOPT_E_SEC); }
1581 | IPFY_IPOPT_CIPSO { $$ = getoptbyvalue(IPOPT_CIPSO); }
1582 | IPFY_IPOPT_CIPSO doi { $$ = getoptbyvalue(IPOPT_CIPSO); }
1583 | IPFY_IPOPT_SATID { $$ = getoptbyvalue(IPOPT_SATID); }
1584 | IPFY_IPOPT_SSRR { $$ = getoptbyvalue(IPOPT_SSRR); }
1585 | IPFY_IPOPT_ADDEXT { $$ = getoptbyvalue(IPOPT_ADDEXT); }
1586 | IPFY_IPOPT_VISA { $$ = getoptbyvalue(IPOPT_VISA); }
1587 | IPFY_IPOPT_IMITD { $$ = getoptbyvalue(IPOPT_IMITD); }
1588 | IPFY_IPOPT_EIP { $$ = getoptbyvalue(IPOPT_EIP); }
1589 | IPFY_IPOPT_FINN { $$ = getoptbyvalue(IPOPT_FINN); }
1590 | IPFY_IPOPT_DPS { $$ = getoptbyvalue(IPOPT_DPS); }
1591 | IPFY_IPOPT_SDB { $$ = getoptbyvalue(IPOPT_SDB); }
1592 | IPFY_IPOPT_NSAPA { $$ = getoptbyvalue(IPOPT_NSAPA); }
1593 | IPFY_IPOPT_RTRALRT { $$ = getoptbyvalue(IPOPT_RTRALRT); }
1594 | IPFY_IPOPT_UMP { $$ = getoptbyvalue(IPOPT_UMP); }
1595 | setsecclass secname
1596 { DOALL(fr->fr_mip.fi_secmsk |= $2;
1597 if (fr->fr_family == AF_UNSPEC) {
1598 fr->fr_family = AF_INET;
1600 fr->fr_mip.fi_v = 0xf;
1601 } else if (fr->fr_family != AF_INET) {
1605 fr->fr_ip.fi_secmsk |= $2;)
1612 IPFY_SECCLASS { yysetdict(ipv4secwords); }
1615 doi: IPFY_DOI YY_NUMBER { DOALL(fr->fr_doimask = 0xffffffff; \
1618 | IPFY_DOI YY_HEX { DOALL(fr->fr_doimask = 0xffffffff; \
1624 IPFY_AH { $$ = getv6optbyvalue(IPPROTO_AH); }
1625 | IPFY_IPV6OPT_DSTOPTS { $$ = getv6optbyvalue(IPPROTO_DSTOPTS); }
1626 | IPFY_IPV6OPT_ESP { $$ = getv6optbyvalue(IPPROTO_ESP); }
1627 | IPFY_IPV6OPT_HOPOPTS { $$ = getv6optbyvalue(IPPROTO_HOPOPTS); }
1628 | IPFY_IPV6OPT_IPV6 { $$ = getv6optbyvalue(IPPROTO_IPV6); }
1629 | IPFY_IPV6OPT_NONE { $$ = getv6optbyvalue(IPPROTO_NONE); }
1630 | IPFY_IPV6OPT_ROUTING { $$ = getv6optbyvalue(IPPROTO_ROUTING); }
1631 | IPFY_IPV6OPT_FRAG { $$ = getv6optbyvalue(IPPROTO_FRAGMENT); }
1632 | IPFY_IPV6OPT_MOBILITY { $$ = getv6optbyvalue(IPPROTO_MOBILITY); }
1635 level: IPFY_LEVEL { setsyslog(); }
1639 priority { fr->fr_loglevel = LOG_LOCAL0|$1; }
1640 | facility '.' priority { fr->fr_loglevel = $1 | $3; }
1644 IPFY_FAC_KERN { $$ = LOG_KERN; }
1645 | IPFY_FAC_USER { $$ = LOG_USER; }
1646 | IPFY_FAC_MAIL { $$ = LOG_MAIL; }
1647 | IPFY_FAC_DAEMON { $$ = LOG_DAEMON; }
1648 | IPFY_FAC_AUTH { $$ = LOG_AUTH; }
1649 | IPFY_FAC_SYSLOG { $$ = LOG_SYSLOG; }
1650 | IPFY_FAC_LPR { $$ = LOG_LPR; }
1651 | IPFY_FAC_NEWS { $$ = LOG_NEWS; }
1652 | IPFY_FAC_UUCP { $$ = LOG_UUCP; }
1653 | IPFY_FAC_CRON { $$ = LOG_CRON; }
1654 | IPFY_FAC_FTP { $$ = LOG_FTP; }
1655 | IPFY_FAC_AUTHPRIV { $$ = LOG_AUTHPRIV; }
1656 | IPFY_FAC_AUDIT { $$ = LOG_AUDIT; }
1657 | IPFY_FAC_LFMT { $$ = LOG_LFMT; }
1658 | IPFY_FAC_LOCAL0 { $$ = LOG_LOCAL0; }
1659 | IPFY_FAC_LOCAL1 { $$ = LOG_LOCAL1; }
1660 | IPFY_FAC_LOCAL2 { $$ = LOG_LOCAL2; }
1661 | IPFY_FAC_LOCAL3 { $$ = LOG_LOCAL3; }
1662 | IPFY_FAC_LOCAL4 { $$ = LOG_LOCAL4; }
1663 | IPFY_FAC_LOCAL5 { $$ = LOG_LOCAL5; }
1664 | IPFY_FAC_LOCAL6 { $$ = LOG_LOCAL6; }
1665 | IPFY_FAC_LOCAL7 { $$ = LOG_LOCAL7; }
1666 | IPFY_FAC_SECURITY { $$ = LOG_SECURITY; }
1670 IPFY_PRI_EMERG { $$ = LOG_EMERG; }
1671 | IPFY_PRI_ALERT { $$ = LOG_ALERT; }
1672 | IPFY_PRI_CRIT { $$ = LOG_CRIT; }
1673 | IPFY_PRI_ERR { $$ = LOG_ERR; }
1674 | IPFY_PRI_WARN { $$ = LOG_WARNING; }
1675 | IPFY_PRI_NOTICE { $$ = LOG_NOTICE; }
1676 | IPFY_PRI_INFO { $$ = LOG_INFO; }
1677 | IPFY_PRI_DEBUG { $$ = LOG_DEBUG; }
1681 YY_CMP_EQ { $$ = FR_EQUAL; }
1682 | YY_CMP_NE { $$ = FR_NEQUAL; }
1683 | YY_CMP_LT { $$ = FR_LESST; }
1684 | YY_CMP_LE { $$ = FR_LESSTE; }
1685 | YY_CMP_GT { $$ = FR_GREATERT; }
1686 | YY_CMP_GE { $$ = FR_GREATERTE; }
1689 range: YY_RANGE_IN { $$ = FR_INRANGE; }
1690 | YY_RANGE_OUT { $$ = FR_OUTRANGE; }
1691 | ':' { $$ = FR_INCRANGE; }
1698 interfacename: name { $$ = $1; }
1699 | name ':' YY_NUMBER
1701 fprintf(stderr, "%d: Logical interface %s:%d unsupported, "
1702 "use the physical interface %s instead.\n",
1703 yylineNum, $1, $3, $1);
1707 name: YY_STR { $$ = $1; }
1708 | '-' { $$ = strdup("-"); }
1712 YY_NUMBER '.' YY_NUMBER
1713 { if ($1 > 255 || $3 > 255) {
1714 yyerror("Invalid octet string for IP address");
1717 $$.s_addr = ($1 << 24) | ($3 << 16);
1718 $$.s_addr = htonl($$.s_addr);
1723 ipv4_16 '.' YY_NUMBER
1725 yyerror("Invalid octet string for IP address");
1728 $$.s_addr |= htonl($3 << 8);
1732 ipv4: ipv4_24 '.' YY_NUMBER
1734 yyerror("Invalid octet string for IP address");
1737 $$.s_addr |= htonl($3);
1746 static struct wordtab ipfwords[] = {
1747 { "age", IPFY_AGE },
1749 { "all", IPFY_ALL },
1750 { "and", IPFY_AND },
1751 { "auth", IPFY_AUTH },
1752 { "bad", IPFY_BAD },
1753 { "bad-nat", IPFY_BADNAT },
1754 { "bad-src", IPFY_BADSRC },
1755 { "bcast", IPFY_BROADCAST },
1756 { "block", IPFY_BLOCK },
1757 { "body", IPFY_BODY },
1758 { "bpf-v4", IPFY_BPFV4 },
1760 { "bpf-v6", IPFY_BPFV6 },
1762 { "call", IPFY_CALL },
1763 { "code", IPFY_ICMPCODE },
1764 { "comment", IPFY_COMMENT },
1765 { "count", IPFY_COUNT },
1766 { "decapsulate", IPFY_DECAPS },
1767 { "dstlist", IPFY_DSTLIST },
1768 { "doi", IPFY_DOI },
1769 { "dup-to", IPFY_DUPTO },
1770 { "eq", YY_CMP_EQ },
1771 { "esp", IPFY_ESP },
1772 { "exp", IPFY_IPFEXPR },
1773 { "family", IPFY_FAMILY },
1774 { "fastroute", IPFY_FROUTE },
1775 { "first", IPFY_FIRST },
1776 { "flags", IPFY_FLAGS },
1777 { "frag", IPFY_FRAG },
1778 { "frag-body", IPFY_FRAGBODY },
1779 { "frags", IPFY_FRAGS },
1780 { "from", IPFY_FROM },
1781 { "ge", YY_CMP_GE },
1782 { "group", IPFY_GROUP },
1783 { "gt", YY_CMP_GT },
1784 { "head", IPFY_HEAD },
1785 { "icmp", IPFY_ICMP },
1786 { "icmp-head", IPFY_ICMPHEAD },
1787 { "icmp-type", IPFY_ICMPTYPE },
1789 { "in-via", IPFY_INVIA },
1790 { "inet", IPFY_INET },
1791 { "inet6", IPFY_INET6 },
1792 { "ipopt", IPFY_IPOPTS },
1793 { "ipopts", IPFY_IPOPTS },
1794 { "keep", IPFY_KEEP },
1795 { "l5-as", IPFY_L5AS },
1796 { "le", YY_CMP_LE },
1797 { "level", IPFY_LEVEL },
1798 { "limit", IPFY_LIMIT },
1799 { "log", IPFY_LOG },
1800 { "loose", IPFY_LOOSE },
1801 { "lowttl", IPFY_LOWTTL },
1802 { "lt", YY_CMP_LT },
1803 { "mask", IPFY_MASK },
1804 { "match-tag", IPFY_MATCHTAG },
1805 { "max-per-src", IPFY_MAX_PER_SRC },
1806 { "max-srcs", IPFY_MAX_SRCS },
1807 { "mbcast", IPFY_MBCAST },
1808 { "mcast", IPFY_MULTICAST },
1809 { "multicast", IPFY_MULTICAST },
1810 { "nat", IPFY_NAT },
1811 { "ne", YY_CMP_NE },
1812 { "net", IPFY_NETWORK },
1813 { "newisn", IPFY_NEWISN },
1815 { "no-icmp-err", IPFY_NOICMPERR },
1816 { "nolog", IPFY_NOLOG },
1817 { "nomatch", IPFY_NOMATCH },
1818 { "now", IPFY_NOW },
1819 { "not", IPFY_NOT },
1820 { "oow", IPFY_OOW },
1822 { "opt", IPFY_OPT },
1823 { "or-block", IPFY_ORBLOCK },
1824 { "out", IPFY_OUT },
1825 { "out-via", IPFY_OUTVIA },
1826 { "pass", IPFY_PASS },
1827 { "port", IPFY_PORT },
1828 { "pps", IPFY_PPS },
1829 { "preauth", IPFY_PREAUTH },
1830 { "proto", IPFY_PROTO },
1831 { "quick", IPFY_QUICK },
1832 { "reply-to", IPFY_REPLY_TO },
1833 { "return-icmp", IPFY_RETICMP },
1834 { "return-icmp-as-dest", IPFY_RETICMPASDST },
1835 { "return-rst", IPFY_RETRST },
1836 { "route-to", IPFY_ROUTETO },
1837 { "rule-ttl", IPFY_RULETTL },
1838 { "rpc", IPFY_RPC },
1839 { "sec-class", IPFY_SECCLASS },
1840 { "set", IPFY_SET },
1841 { "set-tag", IPFY_SETTAG },
1842 { "skip", IPFY_SKIP },
1843 { "short", IPFY_SHORT },
1844 { "state", IPFY_STATE },
1845 { "state-age", IPFY_AGE },
1846 { "strict", IPFY_STRICT },
1847 { "sync", IPFY_SYNC },
1848 { "tcp", IPFY_TCP },
1849 { "tcp-udp", IPFY_TCPUDP },
1850 { "tos", IPFY_TOS },
1852 { "ttl", IPFY_TTL },
1853 { "udp", IPFY_UDP },
1854 { "v6hdr", IPFY_V6HDR },
1855 { "v6hdrs", IPFY_V6HDRS },
1856 { "with", IPFY_WITH },
1860 static struct wordtab addrwords[] = {
1861 { "any", IPFY_ANY },
1862 { "hash", IPFY_HASH },
1863 { "pool", IPFY_POOL },
1867 static struct wordtab maskwords[] = {
1868 { "broadcast", IPFY_BROADCAST },
1869 { "netmasked", IPFY_NETMASKED },
1870 { "network", IPFY_NETWORK },
1871 { "peer", IPFY_PEER },
1875 static struct wordtab icmpcodewords[] = {
1876 { "cutoff-preced", IPFY_ICMPC_CUTPRE },
1877 { "filter-prohib", IPFY_ICMPC_FLTPRO },
1878 { "isolate", IPFY_ICMPC_ISOLATE },
1879 { "needfrag", IPFY_ICMPC_NEEDF },
1880 { "net-prohib", IPFY_ICMPC_NETPRO },
1881 { "net-tos", IPFY_ICMPC_NETTOS },
1882 { "host-preced", IPFY_ICMPC_HSTPRE },
1883 { "host-prohib", IPFY_ICMPC_HSTPRO },
1884 { "host-tos", IPFY_ICMPC_HSTTOS },
1885 { "host-unk", IPFY_ICMPC_HSTUNK },
1886 { "host-unr", IPFY_ICMPC_HSTUNR },
1887 { "net-unk", IPFY_ICMPC_NETUNK },
1888 { "net-unr", IPFY_ICMPC_NETUNR },
1889 { "port-unr", IPFY_ICMPC_PORUNR },
1890 { "proto-unr", IPFY_ICMPC_PROUNR },
1891 { "srcfail", IPFY_ICMPC_SRCFAIL },
1895 static struct wordtab ipv4optwords[] = {
1896 { "addext", IPFY_IPOPT_ADDEXT },
1897 { "cipso", IPFY_IPOPT_CIPSO },
1898 { "dps", IPFY_IPOPT_DPS },
1899 { "e-sec", IPFY_IPOPT_ESEC },
1900 { "eip", IPFY_IPOPT_EIP },
1901 { "encode", IPFY_IPOPT_ENCODE },
1902 { "finn", IPFY_IPOPT_FINN },
1903 { "imitd", IPFY_IPOPT_IMITD },
1904 { "lsrr", IPFY_IPOPT_LSRR },
1905 { "mtup", IPFY_IPOPT_MTUP },
1906 { "mtur", IPFY_IPOPT_MTUR },
1907 { "nop", IPFY_IPOPT_NOP },
1908 { "nsapa", IPFY_IPOPT_NSAPA },
1909 { "rr", IPFY_IPOPT_RR },
1910 { "rtralrt", IPFY_IPOPT_RTRALRT },
1911 { "satid", IPFY_IPOPT_SATID },
1912 { "sdb", IPFY_IPOPT_SDB },
1913 { "sec", IPFY_IPOPT_SEC },
1914 { "ssrr", IPFY_IPOPT_SSRR },
1915 { "tr", IPFY_IPOPT_TR },
1916 { "ts", IPFY_IPOPT_TS },
1917 { "ump", IPFY_IPOPT_UMP },
1918 { "visa", IPFY_IPOPT_VISA },
1919 { "zsu", IPFY_IPOPT_ZSU },
1923 static struct wordtab ipv4secwords[] = {
1924 { "confid", IPFY_SEC_CONF },
1925 { "reserv-1", IPFY_SEC_RSV1 },
1926 { "reserv-2", IPFY_SEC_RSV2 },
1927 { "reserv-3", IPFY_SEC_RSV3 },
1928 { "reserv-4", IPFY_SEC_RSV4 },
1929 { "secret", IPFY_SEC_SEC },
1930 { "topsecret", IPFY_SEC_TS },
1931 { "unclass", IPFY_SEC_UNC },
1935 static struct wordtab ipv6optwords[] = {
1936 { "dstopts", IPFY_IPV6OPT_DSTOPTS },
1937 { "esp", IPFY_IPV6OPT_ESP },
1938 { "frag", IPFY_IPV6OPT_FRAG },
1939 { "hopopts", IPFY_IPV6OPT_HOPOPTS },
1940 { "ipv6", IPFY_IPV6OPT_IPV6 },
1941 { "mobility", IPFY_IPV6OPT_MOBILITY },
1942 { "none", IPFY_IPV6OPT_NONE },
1943 { "routing", IPFY_IPV6OPT_ROUTING },
1947 static struct wordtab logwords[] = {
1948 { "kern", IPFY_FAC_KERN },
1949 { "user", IPFY_FAC_USER },
1950 { "mail", IPFY_FAC_MAIL },
1951 { "daemon", IPFY_FAC_DAEMON },
1952 { "auth", IPFY_FAC_AUTH },
1953 { "syslog", IPFY_FAC_SYSLOG },
1954 { "lpr", IPFY_FAC_LPR },
1955 { "news", IPFY_FAC_NEWS },
1956 { "uucp", IPFY_FAC_UUCP },
1957 { "cron", IPFY_FAC_CRON },
1958 { "ftp", IPFY_FAC_FTP },
1959 { "authpriv", IPFY_FAC_AUTHPRIV },
1960 { "audit", IPFY_FAC_AUDIT },
1961 { "logalert", IPFY_FAC_LFMT },
1962 { "console", IPFY_FAC_CONSOLE },
1963 { "security", IPFY_FAC_SECURITY },
1964 { "local0", IPFY_FAC_LOCAL0 },
1965 { "local1", IPFY_FAC_LOCAL1 },
1966 { "local2", IPFY_FAC_LOCAL2 },
1967 { "local3", IPFY_FAC_LOCAL3 },
1968 { "local4", IPFY_FAC_LOCAL4 },
1969 { "local5", IPFY_FAC_LOCAL5 },
1970 { "local6", IPFY_FAC_LOCAL6 },
1971 { "local7", IPFY_FAC_LOCAL7 },
1972 { "emerg", IPFY_PRI_EMERG },
1973 { "alert", IPFY_PRI_ALERT },
1974 { "crit", IPFY_PRI_CRIT },
1975 { "err", IPFY_PRI_ERR },
1976 { "warn", IPFY_PRI_WARN },
1977 { "notice", IPFY_PRI_NOTICE },
1978 { "info", IPFY_PRI_INFO },
1979 { "debug", IPFY_PRI_DEBUG },
1986 int ipf_parsefile(fd, addfunc, iocfuncs, filename)
1989 ioctlfunc_t *iocfuncs;
1998 s = getenv("YYDEBUG");
2004 if (strcmp(filename, "-")) {
2005 fp = fopen(filename, "r");
2007 fprintf(stderr, "fopen(%s) failed: %s\n", filename,
2014 while (ipf_parsesome(fd, addfunc, iocfuncs, fp) == 1)
2022 int ipf_parsesome(fd, addfunc, iocfuncs, fp)
2025 ioctlfunc_t *iocfuncs;
2032 for (i = 0; i <= IPL_LOGMAX; i++)
2033 ipfioctls[i] = iocfuncs[i];
2034 ipfaddfunc = addfunc;
2041 if (ungetc(i, fp) == 0)
2045 s = getenv("YYDEBUG");
2057 static void newrule()
2062 for (fr = frtop; fr != NULL && fr->fr_next != NULL; fr = fr->fr_next)
2066 frn->fr_pnext = &fr->fr_next;
2068 if (frtop == NULL) {
2070 frn->fr_pnext = &frtop;
2074 fr->fr_loglevel = 0xffff;
2075 fr->fr_isc = (void *)-1;
2076 fr->fr_logtag = FR_NOLOGTAG;
2077 fr->fr_type = FR_T_NONE;
2078 fr->fr_flineno = yylineNum;
2081 fr->fr_family = AF_INET6;
2082 else if (use_inet6 == -1)
2083 fr->fr_family = AF_INET;
2089 static void setipftype()
2091 for (fr = frc; fr != NULL; fr = fr->fr_next) {
2092 if (fr->fr_type == FR_T_NONE) {
2093 fr->fr_type = FR_T_IPF;
2094 fr->fr_data = (void *)calloc(sizeof(fripf_t), 1);
2095 fr->fr_dsize = sizeof(fripf_t);
2096 fr->fr_family = frc->fr_family;
2097 if (fr->fr_family == AF_INET) {
2100 else if (fr->fr_family == AF_INET6) {
2103 fr->fr_mip.fi_v = 0xf;
2104 fr->fr_ipf->fri_sifpidx = -1;
2105 fr->fr_ipf->fri_difpidx = -1;
2107 if (fr->fr_type != FR_T_IPF) {
2108 fprintf(stderr, "IPF Type not set\n");
2114 static frentry_t *addrule()
2116 frentry_t *f, *f1, *f2;
2119 for (f2 = frc; f2->fr_next != NULL; f2 = f2->fr_next)
2124 for (f1 = frc; count > 0; count--, f1 = f1->fr_next) {
2125 f->fr_next = allocfr();
2126 if (f->fr_next == NULL)
2128 f->fr_next->fr_pnext = &f->fr_next;
2133 if (f->fr_caddr != NULL) {
2134 f->fr_caddr = malloc(f->fr_dsize);
2135 bcopy(f1->fr_caddr, f->fr_caddr, f->fr_dsize);
2144 lookuphost(name, addrp)
2154 for (i = 0; i < 4; i++) {
2155 if (fr->fr_ifnames[i] == -1)
2157 if (strcmp(name, fr->fr_names + fr->fr_ifnames[i]) == 0) {
2158 ifpflag = FRI_DYNAMIC;
2159 dynamic = addname(&fr, name);
2164 if (gethost(AF_INET, name, addrp) == -1) {
2165 fprintf(stderr, "unknown name \"%s\"\n", name);
2172 static void dobpf(v, phrase)
2177 struct bpf_program bpf;
2185 for (fr = frc; fr != NULL; fr = fr->fr_next) {
2186 if (fr->fr_type != FR_T_NONE) {
2187 fprintf(stderr, "cannot mix IPF and BPF matching\n");
2190 fr->fr_family = vtof(v);
2191 fr->fr_type = FR_T_BPFOPC;
2193 if (!strncmp(phrase, "0x", 2)) {
2194 fb = malloc(sizeof(fakebpf_t));
2196 for (i = 0, s = strtok(phrase, " \r\n\t"); s != NULL;
2197 s = strtok(NULL, " \r\n\t"), i++) {
2198 fb = realloc(fb, (i / 4 + 1) * sizeof(*fb));
2200 warnx("memory allocation error at %d in %s in %s", __LINE__, __FUNCTION__, __FILE__);
2203 l = (u_32_t)strtol(s, NULL, 0);
2207 fb[i / 4].fb_c = l & 0xffff;
2210 fb[i / 4].fb_t = l & 0xff;
2213 fb[i / 4].fb_f = l & 0xff;
2222 "Odd number of bytes in BPF code\n");
2226 fr->fr_dsize = (i / 4 + 1) * sizeof(*fb);
2232 bzero((char *)&bpf, sizeof(bpf));
2233 p = pcap_open_dead(DLT_RAW, 1);
2235 fprintf(stderr, "pcap_open_dead failed\n");
2239 if (pcap_compile(p, &bpf, phrase, 1, 0xffffffff)) {
2240 pcap_perror(p, "ipf");
2242 fprintf(stderr, "pcap parsing failed (%s)\n", phrase);
2247 fr->fr_dsize = bpf.bf_len * sizeof(struct bpf_insn);
2248 fr->fr_data = malloc(fr->fr_dsize);
2249 bcopy((char *)bpf.bf_insns, fr->fr_data, fr->fr_dsize);
2250 if (!bpf_validate(fr->fr_data, bpf.bf_len)) {
2251 fprintf(stderr, "BPF validation failed\n");
2258 if (opts & OPT_DEBUG)
2261 fprintf(stderr, "BPF filter expressions not supported\n");
2267 static void resetaddr()
2275 static alist_t *newalist(ptr)
2280 al = malloc(sizeof(*al));
2293 ip_pool_node_t *n, *top;
2300 top = calloc(1, sizeof(*top));
2304 for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) {
2305 if (use_inet6 == 1) {
2307 n->ipn_addr.adf_family = AF_INET6;
2308 n->ipn_addr.adf_addr = a->al_i6addr;
2309 n->ipn_addr.adf_len = offsetof(addrfamily_t,
2311 n->ipn_mask.adf_family = AF_INET6;
2312 n->ipn_mask.adf_addr = a->al_i6mask;
2313 n->ipn_mask.adf_len = offsetof(addrfamily_t,
2318 n->ipn_addr.adf_family = AF_INET;
2319 n->ipn_addr.adf_addr.in4.s_addr = a->al_1;
2320 n->ipn_addr.adf_len = offsetof(addrfamily_t,
2322 n->ipn_mask.adf_family = AF_INET;
2323 n->ipn_mask.adf_addr.in4.s_addr = a->al_2;
2324 n->ipn_mask.adf_len = offsetof(addrfamily_t,
2327 n->ipn_info = a->al_not;
2328 if (a->al_next != NULL) {
2329 n->ipn_next = calloc(1, sizeof(*n));
2334 bzero((char *)&pool, sizeof(pool));
2335 pool.ipo_unit = IPL_LOGIPF;
2336 pool.ipo_list = top;
2337 num = load_pool(&pool, ipfioctls[IPL_LOGLOOKUP]);
2339 while ((n = top) != NULL) {
2347 static u_int makehash(list)
2357 top = calloc(1, sizeof(*top));
2361 for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) {
2362 if (a->al_family == AF_INET6) {
2363 n->ipe_family = AF_INET6;
2364 n->ipe_addr = a->al_i6addr;
2365 n->ipe_mask = a->al_i6mask;
2367 n->ipe_family = AF_INET;
2368 n->ipe_addr.in4_addr = a->al_1;
2369 n->ipe_mask.in4_addr = a->al_2;
2372 if (a->al_next != NULL) {
2373 n->ipe_next = calloc(1, sizeof(*n));
2378 bzero((char *)&iph, sizeof(iph));
2379 iph.iph_unit = IPL_LOGIPF;
2380 iph.iph_type = IPHASH_LOOKUP;
2381 *iph.iph_name = '\0';
2383 if (load_hash(&iph, top, ipfioctls[IPL_LOGLOOKUP]) == 0)
2384 sscanf(iph.iph_name, "%u", &num);
2388 while ((n = top) != NULL) {
2396 int ipf_addrule(fd, ioctlfunc, ptr)
2398 ioctlfunc_t ioctlfunc;
2401 ioctlcmd_t add, del;
2412 bzero((char *)&obj, sizeof(obj));
2413 obj.ipfo_rev = IPFILTER_VERSION;
2414 obj.ipfo_size = fr->fr_size;
2415 obj.ipfo_type = IPFOBJ_FRENTRY;
2418 if ((opts & OPT_DONOTHING) != 0)
2421 if (opts & OPT_ZERORULEST) {
2423 } else if (opts & OPT_INACTIVE) {
2424 add = (u_int)fr->fr_hits ? SIOCINIFR :
2428 add = (u_int)fr->fr_hits ? SIOCINAFR :
2433 if ((opts & OPT_OUTQUE) != 0)
2434 fr->fr_flags |= FR_OUTQUE;
2437 if ((opts & OPT_VERBOSE) != 0)
2438 printfr(fr, ioctlfunc);
2440 if ((opts & OPT_DEBUG) != 0) {
2441 binprint(fr, sizeof(*fr));
2442 if (fr->fr_data != NULL)
2443 binprint(fr->fr_data, fr->fr_dsize);
2446 if ((opts & OPT_ZERORULEST) != 0) {
2447 if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
2448 if ((opts & OPT_DONOTHING) == 0) {
2451 sprintf(msg, "%d:ioctl(zero rule)",
2453 return ipf_perror_fd(fd, ioctlfunc, msg);
2457 printf("hits %qd bytes %qd ",
2458 (long long)fr->fr_hits,
2459 (long long)fr->fr_bytes);
2461 printf("hits %ld bytes %ld ",
2462 fr->fr_hits, fr->fr_bytes);
2464 printfr(fr, ioctlfunc);
2466 } else if ((opts & OPT_REMOVE) != 0) {
2467 if ((*ioctlfunc)(fd, del, (void *)&obj) == -1) {
2468 if ((opts & OPT_DONOTHING) == 0) {
2471 sprintf(msg, "%d:ioctl(delete rule)",
2473 return ipf_perror_fd(fd, ioctlfunc, msg);
2477 if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
2478 if ((opts & OPT_DONOTHING) == 0) {
2481 sprintf(msg, "%d:ioctl(add/insert rule)",
2483 return ipf_perror_fd(fd, ioctlfunc, msg);
2490 static void setsyslog()
2492 yysetdict(logwords);
2497 static void unsetsyslog()
2504 static void fillgroup(fr)
2509 for (f = frold; f != NULL; f = f->fr_next) {
2510 if (f->fr_grhead == -1 && fr->fr_group == -1)
2512 if (f->fr_grhead == -1 || fr->fr_group == -1)
2514 if (strcmp(f->fr_names + f->fr_grhead,
2515 fr->fr_names + fr->fr_group) == 0)
2523 * Only copy down matching fields if the rules are of the same type
2524 * and are of ipf type. The only fields that are copied are those
2525 * that impact the rule parsing itself, eg. need for knowing what the
2526 * protocol should be for rules with port comparisons in them.
2528 if (f->fr_type != fr->fr_type || f->fr_type != FR_T_IPF)
2531 if (fr->fr_family == 0 && f->fr_family != 0)
2532 fr->fr_family = f->fr_family;
2534 if (fr->fr_mproto == 0 && f->fr_mproto != 0)
2535 fr->fr_mproto = f->fr_mproto;
2536 if (fr->fr_proto == 0 && f->fr_proto != 0)
2537 fr->fr_proto = f->fr_proto;
2539 if ((fr->fr_mproto == 0) && ((fr->fr_flx & FI_TCPUDP) == 0) &&
2540 ((f->fr_flx & FI_TCPUDP) != 0)) {
2541 fr->fr_flx |= FI_TCPUDP;
2542 fr->fr_mflx |= FI_TCPUDP;
2547 static void doipfexpr(line)
2553 array = parseipfexpr(line, &error);
2554 if (array == NULL) {
2555 fprintf(stderr, "%s:", error);
2556 yyerror("error parsing ipf matching expression");
2560 fr->fr_type = FR_T_IPFEXPR;
2561 fr->fr_data = array;
2562 fr->fr_dsize = array[0] * sizeof(*array);
2566 static void do_tuneint(varname, value)
2572 strncpy(buffer, varname, 60);
2574 strcat(buffer, "=");
2575 sprintf(buffer, "%u", value);
2576 ipf_dotuning(ipffd, buffer, ioctl);
2580 static void do_tunestr(varname, value)
2581 char *varname, *value;
2584 if (!strcasecmp(value, "true")) {
2585 do_tuneint(varname, 1);
2586 } else if (!strcasecmp(value, "false")) {
2587 do_tuneint(varname, 0);
2589 yyerror("did not find true/false where expected");
2594 static void setifname(frp, idx, name)
2601 pos = addname(frp, name);
2604 (*frp)->fr_ifnames[idx] = pos;
2608 static int addname(frp, name)
2616 nlen = strlen(name) + 1;
2617 f = realloc(*frp, (*frp)->fr_size + nlen);
2623 if (f->fr_pnext != NULL)
2626 pos = f->fr_namelen;
2627 f->fr_namelen += nlen;
2628 strcpy(f->fr_names + pos, name);
2629 f->fr_names[f->fr_namelen] = '\0';
2634 static frentry_t *allocfr()
2638 fr = calloc(1, sizeof(*fr));
2640 fr->fr_size = sizeof(*fr);
2641 fr->fr_comment = -1;
2644 fr->fr_icmphead = -1;
2645 fr->fr_ifnames[0] = -1;
2646 fr->fr_ifnames[1] = -1;
2647 fr->fr_ifnames[2] = -1;
2648 fr->fr_ifnames[3] = -1;
2649 fr->fr_tif.fd_name = -1;
2650 fr->fr_rif.fd_name = -1;
2651 fr->fr_dif.fd_name = -1;
2657 static void setgroup(frp, name)
2663 pos = addname(frp, name);
2666 (*frp)->fr_group = pos;
2670 static void setgrhead(frp, name)
2676 pos = addname(frp, name);
2679 (*frp)->fr_grhead = pos;
2683 static void seticmphead(frp, name)
2689 pos = addname(frp, name);
2692 (*frp)->fr_icmphead = pos;
2697 build_dstaddr_af(fp, ptr)
2701 struct ipp_s *ipp = ptr;
2704 if (f->fr_family != AF_UNSPEC && ipp->f == AF_UNSPEC) {
2705 ipp->f = f->fr_family;
2706 ipp->v = f->fr_ip.fi_v;
2708 if (ipp->f == AF_INET)
2710 else if (ipp->f == AF_INET6)
2713 for (; f != NULL; f = f->fr_next) {
2714 f->fr_ip.fi_dst = ipp->a;
2715 f->fr_mip.fi_dst = ipp->m;
2716 f->fr_family = ipp->f;
2717 f->fr_ip.fi_v = ipp->v;
2718 f->fr_mip.fi_v = 0xf;
2719 f->fr_datype = ipp->type;
2720 if (ipp->ifpos != -1)
2721 f->fr_ipf->fri_difpidx = ipp->ifpos;
2728 build_srcaddr_af(fp, ptr)
2732 struct ipp_s *ipp = ptr;
2735 if (f->fr_family != AF_UNSPEC && ipp->f == AF_UNSPEC) {
2736 ipp->f = f->fr_family;
2737 ipp->v = f->fr_ip.fi_v;
2739 if (ipp->f == AF_INET)
2741 else if (ipp->f == AF_INET6)
2744 for (; f != NULL; f = f->fr_next) {
2745 f->fr_ip.fi_src = ipp->a;
2746 f->fr_mip.fi_src = ipp->m;
2747 f->fr_family = ipp->f;
2748 f->fr_ip.fi_v = ipp->v;
2749 f->fr_mip.fi_v = 0xf;
2750 f->fr_satype = ipp->type;
2751 f->fr_ipf->fri_sifpidx = ipp->ifpos;