/* $NetBSD: ipf_y.y,v 1.1.1.2 2012/07/22 13:44:52 darrenr Exp $ */

/*
 * Copyright (C) 2012 by Darren Reed.
 *
 * See the IPFILTER.LICENCE file for details on licencing.
 */

/*
 * yacc grammar for ipf filter rule files.
 *
 * Every textual rule is built into one or more frentry_t records chained
 * through fr_next (a "{ a, b, c }" list in a rule fans it out into one
 * record per element, see lstart/lmore/lend).  When a rule is complete the
 * "line" production hands each record to ipfaddfunc.  The static helpers
 * prototyped below are declared here but defined outside this excerpt.
 */
%{
#include "ipf.h"
#include <sys/ioctl.h>
#include <syslog.h>
#ifdef IPFILTER_BPF
# include "pcap-bpf.h"
# define _NET_BPF_H_
# include <pcap.h>
#endif
#include "netinet/ip_pool.h"
#include "netinet/ip_htable.h"
#include "netinet/ipl.h"
#include "ipf_l.h"

#define YYDEBUG 1
/*
 * DOALL(x) runs x for every record of the current rule, starting at frc.
 * DOREM(x) runs x from the current fr to the end of the chain; the list
 * productions use it after lmore has moved fr to a freshly added record so
 * that only that element's record(s) are touched.
 * Both leave fr pointing at NULL afterwards.
 */
#define DOALL(x) for (fr = frc; fr != NULL; fr = fr->fr_next) { x }
#define DOREM(x) for (; fr != NULL; fr = fr->fr_next) { x }

extern void yyerror __P((char *));
extern int yyparse __P((void));
extern int yylex __P((void));
extern int yydebug;
extern FILE *yyin;
extern int yylineNum;

static int addname __P((frentry_t **, char *));
static frentry_t *addrule __P((void));
static frentry_t *allocfr __P((void));
static void build_dstaddr_af __P((frentry_t *, void *));
static void build_srcaddr_af __P((frentry_t *, void *));
static void dobpf __P((int, char *));
static void doipfexpr __P((char *));
static void do_tuneint __P((char *, int));
static void do_tunestr __P((char *, char *));
static void fillgroup __P((frentry_t *));
static int lookuphost __P((char *, i6addr_t *));
static u_int makehash __P((struct alist_s *));
static int makepool __P((struct alist_s *));
static struct alist_s *newalist __P((struct alist_s *));
static void newrule __P((void));
static void resetaddr __P((void));
static void setgroup __P((frentry_t **, char *));
static void setgrhead __P((frentry_t **, char *));
static void seticmphead __P((frentry_t **, char *));
static void setifname __P((frentry_t **, int, char *));
static void setipftype __P((void));
static void setsyslog __P((void));
static void unsetsyslog __P((void));

/*
 * fr    - record currently being filled in by the actions
 * frc   - first record of the rule being parsed (DOALL starts here)
 * frtop - chain of finished records waiting to be handed to ipfaddfunc
 * frold - records already handed over (the "line" action pushes them here)
 */
frentry_t *fr = NULL, *frc = NULL, *frtop = NULL, *frold = NULL;

/* FRI_* address type chosen by a "( iface )" address form; read by ipaddr
 * and changed by maskopts (broadcast/network/netmasked/peer). */
static int ifpflag = 0;
/* set to 1 by "not"/"no" inside a with-list; not read in this excerpt */
static int nowith = 0;
/* copied into $$.ifpos by ipaddr; never assigned in this excerpt */
static int dynamic = -1;
/* set once a pool / hash address has been parsed; not read here */
static int pooled = 0;
static int hashed = 0;
/* bookkeeping for "{ a, b }" lists - see lstart, lmore and lend */
static int nrules = 0;
static int newlist = 0;
static int added = 0;
/* descriptor passed to ipfaddfunc; -1 until set outside this excerpt */
static int ipffd = -1;
/* while an address is expected this points at yyexpectaddr (presumably a
 * lexer flag); lmore sets *yycont = 1 so the next list element is lexed
 * as an address again.  NULL when no address is pending. */
static int *yycont = NULL;
/* ioctl table and add callback used by "line"; filled in outside this
 * excerpt (ipfaddfunc is NULL here and is called without a check). */
static ioctlfunc_t ipfioctls[IPL_LOGSIZE];
static addfunc_t ipfaddfunc = NULL;

%}
%union {
	char *str;
	u_32_t num;
	frentry_t fr;
	frtuc_t *frt;
	struct alist_s *alist;
	u_short port;
	struct in_addr ip4;
	/* port comparison: p1/p2 are the port(s), pc the FR_* comparison */
	struct {
		u_short p1;
		u_short p2;
		int pc;
	} pc;
	/* a parsed address: type is FRI_*, ifpos an interface name index or
	 * -1, f the address family, v the IP version, a/m address and mask */
	struct ipp_s {
		int type;
		int ifpos;
		int f;
		int v;
		int lif;
		union i6addr a;
		union i6addr m;
		char *name;
	} ipp;
	/* a host address together with its family (AF_INET / AF_INET6) */
	struct {
		i6addr_t adr;
		int f;
	} adr;
	i6addr_t ip6;
	/* one or two interface names ("on a,b"); if2 is NULL when absent */
	struct {
		char *if1;
		char *if2;
	} ifs;
	char gname[FR_GROUPLEN];
};

%type <port> portnum
%type <num> facility priority icmpcode seclevel secname icmptype
%type <num> opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr
%type <num> portc porteq ipmask maskopts
%type <ip4> ipv4 ipv4_16 ipv4_24
%type <adr> hostname
%type <ipp> addr ipaddr
%type <str> servicename name interfacename groupname
%type <pc> portrange portcomp
%type <alist> addrlist poollist
%type <ifs> onname

/* lexer-produced literals */
%token <num> YY_NUMBER YY_HEX
%token <str> YY_STR
%token YY_COMMENT
%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
%token YY_RANGE_OUT YY_RANGE_IN
%token <ip6> YY_IPV6

/* rule keywords */
%token IPFY_SET
%token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL IPFY_NOMATCH
%token IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST
%token IPFY_IN IPFY_OUT
%token IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA
%token IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO IPFY_ROUTETO
%token IPFY_TOS IPFY_TTL IPFY_PROTO IPFY_INET IPFY_INET6
%token IPFY_HEAD IPFY_GROUP
%token IPFY_AUTH IPFY_PREAUTH
%token IPFY_LOG IPFY_BODY IPFY_FIRST
IPFY_LEVEL IPFY_ORBLOCK IPFY_L5AS
%token IPFY_LOGTAG IPFY_MATCHTAG IPFY_SETTAG IPFY_SKIP IPFY_DECAPS
%token IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPFV4 IPFY_BPFV6 IPFY_POOL IPFY_HASH
%token IPFY_IPFEXPR IPFY_PPS IPFY_FAMILY IPFY_DSTLIST
%token IPFY_ESP IPFY_AH
%token IPFY_WITH IPFY_AND IPFY_NOT IPFY_NO IPFY_OPT
%token IPFY_TCPUDP IPFY_TCP IPFY_UDP
%token IPFY_FLAGS IPFY_MULTICAST
%token IPFY_MASK IPFY_BROADCAST IPFY_NETWORK IPFY_NETMASKED IPFY_PEER
%token IPFY_RPC IPFY_PORT
%token IPFY_NOW IPFY_COMMENT IPFY_RULETTL
%token IPFY_ICMP IPFY_ICMPTYPE IPFY_ICMPCODE
%token IPFY_IPOPTS IPFY_SHORT IPFY_NAT IPFY_BADSRC IPFY_LOWTTL IPFY_FRAG
%token IPFY_MBCAST IPFY_BAD IPFY_BADNAT IPFY_OOW IPFY_NEWISN IPFY_NOICMPERR
%token IPFY_KEEP IPFY_STATE IPFY_FRAGS IPFY_LIMIT IPFY_STRICT IPFY_AGE
%token IPFY_SYNC IPFY_FRAGBODY IPFY_ICMPHEAD IPFY_NOLOG IPFY_LOOSE
%token IPFY_MAX_SRCS IPFY_MAX_PER_SRC
/* IPv4 option names ("with opt ...") */
%token IPFY_IPOPT_NOP IPFY_IPOPT_RR IPFY_IPOPT_ZSU IPFY_IPOPT_MTUP
%token IPFY_IPOPT_MTUR IPFY_IPOPT_ENCODE IPFY_IPOPT_TS IPFY_IPOPT_TR
%token IPFY_IPOPT_SEC IPFY_IPOPT_LSRR IPFY_IPOPT_ESEC IPFY_IPOPT_CIPSO
%token IPFY_IPOPT_SATID IPFY_IPOPT_SSRR IPFY_IPOPT_ADDEXT IPFY_IPOPT_VISA
%token IPFY_IPOPT_IMITD IPFY_IPOPT_EIP IPFY_IPOPT_FINN IPFY_IPOPT_DPS
%token IPFY_IPOPT_SDB IPFY_IPOPT_NSAPA IPFY_IPOPT_RTRALRT IPFY_IPOPT_UMP
%token IPFY_SECCLASS IPFY_SEC_UNC IPFY_SEC_CONF IPFY_SEC_RSV1 IPFY_SEC_RSV2
%token IPFY_SEC_RSV4 IPFY_SEC_SEC IPFY_SEC_TS IPFY_SEC_RSV3 IPFY_DOI

/* IPv6 extension header names ("with v6hdr ...") */
%token IPFY_V6HDRS IPFY_IPV6OPT IPFY_IPV6OPT_DSTOPTS IPFY_IPV6OPT_HOPOPTS
%token IPFY_IPV6OPT_IPV6 IPFY_IPV6OPT_NONE IPFY_IPV6OPT_ROUTING IPFY_V6HDR
%token IPFY_IPV6OPT_MOBILITY IPFY_IPV6OPT_ESP IPFY_IPV6OPT_FRAG

/* ICMP type keywords */
%token IPFY_ICMPT_UNR IPFY_ICMPT_ECHO IPFY_ICMPT_ECHOR IPFY_ICMPT_SQUENCH
%token IPFY_ICMPT_REDIR IPFY_ICMPT_TIMEX IPFY_ICMPT_PARAMP IPFY_ICMPT_TIMEST
%token IPFY_ICMPT_TIMESTREP IPFY_ICMPT_INFOREQ
IPFY_ICMPT_INFOREP
%token IPFY_ICMPT_MASKREQ IPFY_ICMPT_MASKREP IPFY_ICMPT_ROUTERAD
%token IPFY_ICMPT_ROUTERSOL

/* ICMP code keywords */
%token IPFY_ICMPC_NETUNR IPFY_ICMPC_HSTUNR IPFY_ICMPC_PROUNR IPFY_ICMPC_PORUNR
%token IPFY_ICMPC_NEEDF IPFY_ICMPC_SRCFAIL IPFY_ICMPC_NETUNK IPFY_ICMPC_HSTUNK
%token IPFY_ICMPC_ISOLATE IPFY_ICMPC_NETPRO IPFY_ICMPC_HSTPRO
%token IPFY_ICMPC_NETTOS IPFY_ICMPC_HSTTOS IPFY_ICMPC_FLTPRO IPFY_ICMPC_HSTPRE
%token IPFY_ICMPC_CUTPRE

/* syslog facility and priority keywords for "log level" */
%token IPFY_FAC_KERN IPFY_FAC_USER IPFY_FAC_MAIL IPFY_FAC_DAEMON IPFY_FAC_AUTH
%token IPFY_FAC_SYSLOG IPFY_FAC_LPR IPFY_FAC_NEWS IPFY_FAC_UUCP IPFY_FAC_CRON
%token IPFY_FAC_LOCAL0 IPFY_FAC_LOCAL1 IPFY_FAC_LOCAL2 IPFY_FAC_LOCAL3
%token IPFY_FAC_LOCAL4 IPFY_FAC_LOCAL5 IPFY_FAC_LOCAL6 IPFY_FAC_LOCAL7
%token IPFY_FAC_SECURITY IPFY_FAC_FTP IPFY_FAC_AUTHPRIV IPFY_FAC_AUDIT
%token IPFY_FAC_LFMT IPFY_FAC_CONSOLE

%token IPFY_PRI_EMERG IPFY_PRI_ALERT IPFY_PRI_CRIT IPFY_PRI_ERR IPFY_PRI_WARN
%token IPFY_PRI_NOTICE IPFY_PRI_INFO IPFY_PRI_DEBUG
%%
/* A rule file: optional "set" lines, then rules and variable assignments. */
file:	settings rules
	| rules
	;

settings:
	YY_COMMENT
	| setting
	| settings setting
	;

rules:	line
	| assign
	| rules line
	| rules assign
	;

/* "set name value;" - applied through do_tuneint/do_tunestr (not shown). */
setting:
	IPFY_SET YY_STR YY_NUMBER ';'	{ do_tuneint($2, $3); }
	| IPFY_SET YY_STR YY_HEX ';'	{ do_tuneint($2, $3); }
	| IPFY_SET YY_STR YY_STR ';'	{ do_tunestr($2, $3); }
	;

/*
 * A complete rule.  Every record queued on frtop is unlinked, handed to
 * ipfaddfunc and then pushed onto frold.  For an ipf-type record whose IP
 * version was never set, the version mask is cleared as well (presumably
 * so the version does not take part in matching).
 * NOTE(review): ipfaddfunc is initialised to NULL above and is not checked
 * here; whoever sets it must do so before the first rule is reduced.
 */
line:	rule		{ while ((fr = frtop) != NULL) {
				frtop = fr->fr_next;
				fr->fr_next = NULL;
				if ((fr->fr_type == FR_T_IPF) &&
				    (fr->fr_ip.fi_v == 0))
					fr->fr_mip.fi_v = 0;
				/* XXX validate ?
*/
				(*ipfaddfunc)(ipffd, ipfioctls[IPL_LOGIPF], fr);
				fr->fr_next = frold;
				frold = fr;
			}
			resetlexer();
		}
	| YY_COMMENT
	;

/* Empty production used as a hook: newrule() runs before any part of a
 * rule head is reduced. */
xx:	{ newrule(); }
	;

/* "name = value;" - a variable assignment handled by set_variable().
 * yyvarnext is presumably a lexer flag telling it that a value follows. */
assign:	YY_STR assigning YY_STR ';'	{ set_variable($1, $3);
					  resetlexer();
					  free($1);
					  free($3);
					  yyvarnext = 0;
					}
	;

assigning:
	'='				{ yyvarnext = 1; }
	;

rule:	inrule eol
	| outrule eol
	;

/* the terminating ';' is optional */
eol:	| ';'
	;

inrule:
	rulehead markin inopts rulemain ruletail intag ruletail2
	;

outrule:
	rulehead markout outopts rulemain ruletail outtag ruletail2
	;

/* "[@N] [collection] action" */
rulehead:
	xx collection action
	| xx insert collection action
	;

markin:	IPFY_IN				{ fr->fr_flags |= FR_INQUE; }
	;

markout:
	IPFY_OUT			{ fr->fr_flags |= FR_OUTQUE; }
	;

/* The body of a rule is either classic ipf syntax, a BPF program or an
 * ipf expression. */
rulemain:
	ipfrule
	| bpfrule
	| exprrule
	;

ipfrule:
	family tos ttl proto ip
	;

/*
 * Optional address family.  use_inet6 is an external flag not declared in
 * this excerpt: a value of 1 rejects IPv4 rules, -1 rejects IPv6 rules.
 */
family:	| IPFY_FAMILY IPFY_INET	{ if (use_inet6 == 1) {
						YYERROR;
					  } else {
						frc->fr_family = AF_INET;
					  }
					}
	| IPFY_INET			{ if (use_inet6 == 1) {
						YYERROR;
					  } else {
						frc->fr_family = AF_INET;
					  }
					}
	| IPFY_FAMILY IPFY_INET6	{ if (use_inet6 == -1) {
						YYERROR;
					  } else {
						frc->fr_family = AF_INET6;
					  }
					}
	| IPFY_INET6			{ if (use_inet6 == -1) {
						YYERROR;
					  } else {
						frc->fr_family = AF_INET6;
					  }
					}
	;

/* "bpf-v4 { <program text> }" / "bpf-v6 { ... }" - compiled by dobpf(). */
bpfrule:
	IPFY_BPFV4 '{' YY_STR '}'	{ dobpf(4, $3); free($3); }
	| IPFY_BPFV6 '{' YY_STR '}'	{ dobpf(6, $3); free($3); }
	;

/* "ipf-expr { <expression> }".  Unlike bpfrule, $3 is not freed here;
 * whether doipfexpr() takes ownership is not visible in this excerpt. */
exprrule:
	IPFY_IPFEXPR '{' YY_STR '}'	{ doipfexpr($3); }
	;

ruletail:
	with keep head group
	;

ruletail2:
	pps age new rulettl comment
	;

intag:	settagin matchtagin
	;

outtag:	settagout matchtagout
	;

/* "@N" - stored in fr_hits as N+1 (presumably the insertion position,
 * interpreted by the loader). */
insert:
	'@' YY_NUMBER			{ fr->fr_hits = (U_QUAD_T)$2 + 1; }
	;

/* optional leading collection number */
collection:
	| YY_NUMBER			{ fr->fr_collect = $1; }
	;

action:
	block
	| IPFY_PASS			{ fr->fr_flags |= FR_PASS; }
	| IPFY_NOMATCH			{ fr->fr_flags |= FR_NOMATCH; }
	| log
	| IPFY_COUNT			{ fr->fr_flags |= FR_ACCOUNT; }
	| decaps			{ fr->fr_flags |= FR_DECAPSULATE; }
	| auth
	| IPFY_SKIP YY_NUMBER		{ fr->fr_flags |= FR_SKIP;
					  fr->fr_arg = $2; }
	| IPFY_CALL func
	| IPFY_CALL IPFY_NOW func	{ fr->fr_flags |= FR_CALLNOW; }
	;

block:	blocked
	| blocked blockreturn
	;

/* Note the plain assignment: "block" replaces fr_flags rather than OR-ing
 * into it, unlike every other action in this file. */
blocked:
	IPFY_BLOCK			{ fr->fr_flags = FR_BLOCK; }
	;
blockreturn:
	IPFY_RETICMP			{ fr->fr_flags |= FR_RETICMP; }
	| IPFY_RETICMP returncode	{ fr->fr_flags |= FR_RETICMP; }
	| IPFY_RETICMPASDST		{ fr->fr_flags |= FR_FAKEICMP; }
	| IPFY_RETICMPASDST returncode	{ fr->fr_flags |= FR_FAKEICMP; }
	| IPFY_RETRST			{ fr->fr_flags |= FR_RETRST; }
	;

/* "decapsulate [l5-as ( name )]".
 * NOTE(review): atoi() does no validation - a non-numeric string yields 0
 * and an out-of-range value is unspecified; strtol() with an endptr/ERANGE
 * check would let a bad value be reported through yyerror(). */
decaps:	IPFY_DECAPS
	| IPFY_DECAPS IPFY_L5AS '(' YY_STR ')'
					{ fr->fr_icode = atoi($4); }
	;

log:	IPFY_LOG			{ fr->fr_flags |= FR_LOG; }
	| IPFY_LOG logoptions		{ fr->fr_flags |= FR_LOG; }
	;

auth:	IPFY_AUTH			{ fr->fr_flags |= FR_AUTH; }
	| IPFY_AUTH blockreturn		{ fr->fr_flags |= FR_AUTH;}
	| IPFY_PREAUTH			{ fr->fr_flags |= FR_PREAUTH; }
	;

/* "call name/N" - nametokva() (not shown) resolves the name, presumably
 * to a kernel address, through the ipf ioctl; N becomes fr_arg. */
func:	YY_STR '/' YY_NUMBER
					{ fr->fr_func = nametokva($1, ipfioctls[IPL_LOGIPF]);
					  fr->fr_arg = $3;
					  free($1);
					}
	;

inopts:
	| inopts inopt
	;

inopt:
	logopt
	| quick
	| on
	| dup
	| froute
	| proute
	| replyto
	;

outopts:
	| outopts outopt
	;

outopt:
	logopt
	| quick
	| on
	| dup
	| proute
	| froute
	| replyto
	;

/* "tos N" or "tos { a, b }" - the mask is always 0xff (exact match) */
tos:	| settos YY_NUMBER	{ DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
	| settos YY_HEX		{ DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
	| settos lstart toslist lend
	;

settos:	IPFY_TOS			{ setipftype(); }
	;

/* NOTE(review): the first decimal element uses DOALL while the first hex
 * element (and ttllist below) use DOREM; since lstart already reset fr to
 * frc the effect is the same for the first element, but it is inconsistent. */
toslist:
	YY_NUMBER	{ DOALL(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
	| YY_HEX	{ DOREM(fr->fr_tos = $1; fr->fr_mtos
= 0xff;) }
	| toslist lmore YY_NUMBER
			{ DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
	| toslist lmore YY_HEX
			{ DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
	;

/* "ttl N" or "ttl { a, b }" */
ttl:	| setttl YY_NUMBER
			{ DOALL(fr->fr_ttl = $2; fr->fr_mttl = 0xff;) }
	| setttl lstart ttllist lend
	;

/*
 * "{ ... }" list handling.  lstart rewinds fr to the first record of the
 * rule; lmore (between elements) appends a new record via addrule() and
 * makes it current; lend adds the number of records created to nrules.
 * Every list element therefore ends up in its own frentry_t.
 */
lstart:	'{'				{ newlist = 1; fr = frc; added = 0; }
	;

lend:	'}'				{ nrules += added; }
	;

/* *yycont = 1 re-arms yyexpectaddr so the next element is lexed as an
 * address when the list is an address list. */
lmore:	lanother			{ if (newlist == 1) {
						newlist = 0;
					  }
					  fr = addrule();
					  if (yycont != NULL)
						*yycont = 1;
					}
	;

/* list separator: a comma or nothing */
lanother:
	| ','
	;

setttl:	IPFY_TTL			{ setipftype(); }
	;

ttllist:
	YY_NUMBER	{ DOREM(fr->fr_ttl = $1; fr->fr_mttl = 0xff;) }
	| ttllist lmore YY_NUMBER
			{ DOREM(fr->fr_ttl = $3; fr->fr_mttl = 0xff;) }
	;

/* "proto X" - the keyword dictionary is switched off so protocol names
 * reach the parser as YY_STR, and restored afterwards. */
proto:	| protox protocol		{ yyresetdict(); }
	;

protox:	IPFY_PROTO			{ setipftype();
					  fr = frc;
					  yysetdict(NULL); }
	;

ip:	srcdst flags icmp
	;

/* "group name" - applied to every record of the rule */
group:	| IPFY_GROUP groupname		{ DOALL(setgroup(&fr, $2); \
						fillgroup(fr););
					  free($2);
					}
	;

/* "head name" */
head:	| IPFY_HEAD groupname		{ DOALL(setgrhead(&fr, $2););
					  free($2);
					}
	;

/*
 * A group name is a string or a number; the caller frees the result.
 * A string longer than FR_GROUPLEN-1 is silently truncated in place.
 * NOTE(review): the malloc() result is not checked before sprintf() writes
 * to it.  16 bytes is enough for any 32-bit value printed with "%d" (at
 * most 11 characters plus the terminator), but $1 is unsigned (u_32_t),
 * so values above INT_MAX print as negative numbers.
 */
groupname:
	YY_STR				{ $$ = $1;
					  if (strlen($$) >= FR_GROUPLEN)
						$$[FR_GROUPLEN - 1] = '\0';
					}
	| YY_NUMBER			{ $$ = malloc(16);
					  sprintf($$, "%d", $1);
					}
	;

/* "set-tag ( ... )" on an "in" rule: only log tags are accepted */
settagin:
	| IPFY_SETTAG '(' taginlist ')'
	;

taginlist:
	taginspec
	| taginlist ',' taginspec
	;

taginspec:
	logtag
	;

/*
 * "nat = tag" / "nat = N".
 * NOTE(review): strncpy() does not NUL-terminate when the tag is
 * IPFTAG_LEN bytes or longer, and the sprintf() of a 32-bit value needs up
 * to 12 bytes; whether ipt_tag reserves room for both is not visible in
 * this excerpt - confirm against the definition of fr_nattag.
 */
nattag:	IPFY_NAT '=' YY_STR		{ DOALL(strncpy(fr->fr_nattag.ipt_tag,\
						$3, IPFTAG_LEN););
					  free($3); }
	| IPFY_NAT '=' YY_NUMBER	{ DOALL(sprintf(fr->fr_nattag.ipt_tag,\
						"%d", $3 & 0xffffffff);) }
	;

logtag:	IPFY_LOG '=' YY_NUMBER		{ DOALL(fr->fr_logtag = $3;) }
	;

/* "set-tag ( ... )" on an "out" rule: log and nat tags */
settagout:
	| IPFY_SETTAG '(' tagoutlist ')'
	;

tagoutlist:
	tagoutspec
	| tagoutlist ',' tagoutspec
	;

tagoutspec:
	logtag
	| nattag
	;

/* "match-tag ( ... )".  The in/out lists are deliberately crossed relative
 * to set-tag (an "in" rule matches the tag set on the "out" side and vice
 * versa); the intent looks deliberate but is not documented here. */
matchtagin:
	| IPFY_MATCHTAG '(' tagoutlist ')'
	;

matchtagout:
	| IPFY_MATCHTAG '(' taginlist ')'
	;

/* "pps N" - packets-per-second limit */
pps:	| IPFY_PPS YY_NUMBER		{ DOALL(fr->fr_pps = $2;) }
	;

/* "{ <nested rule file> }" - a nested group of rules; reuses "file". */
new:	| savegroup file restoregroup
	;

/* "rule-ttl N" */
rulettl:
	| IPFY_RULETTL YY_NUMBER	{ DOALL(fr->fr_die = $2;) }
	;

/* "comment "text"" - stored via addname(); $2 is not freed here, unlike
 * the dup/route rules below which free the name after addname(). */
comment:
	| IPFY_COMMENT YY_STR		{ DOALL(fr->fr_comment = addname(&fr, \
							$2);) }
	;

savegroup:
	'{'
	;

restoregroup:
	'}'
	;

logopt:	log
	;

quick:	IPFY_QUICK			{ fr->fr_flags |= FR_QUICK; }
	;

/*
 * "on ifname[,ifname2] [in-via|out-via ifname[,ifname2]]" or
 * "on { ifname, ... }".  Interface slots: 0/1 for the "on" pair, 2/3 for
 * the via pair (see setifname, not shown).  The via names are handled by
 * vianame before this action runs.
 */
on:	IPFY_ON onname			{ setifname(&fr, 0, $2.if1);
					  free($2.if1);
					  if ($2.if2 != NULL) {
						setifname(&fr, 1,
							  $2.if2);
						free($2.if2);
					  }
					}
	| IPFY_ON lstart onlist lend
	| IPFY_ON onname IPFY_INVIA vianame	{ setifname(&fr, 0, $2.if1);
					  free($2.if1);
					  if ($2.if2 != NULL) {
						setifname(&fr, 1,
							  $2.if2);
						free($2.if2);
					  }
					}
	| IPFY_ON onname IPFY_OUTVIA vianame	{ setifname(&fr, 0, $2.if1);
					  free($2.if1);
					  if ($2.if2 != NULL) {
						setifname(&fr, 1,
							  $2.if2);
						free($2.if2);
					  }
					}
	;

/* list form of "on": one record per interface pair */
onlist:	onname			{ DOREM(setifname(&fr, 0, $1.if1); \
					if ($1.if2 != NULL) \
						setifname(&fr, 1, $1.if2); \
					)
				  free($1.if1);
				  if ($1.if2 != NULL)
					free($1.if2);
				}
	| onlist lmore onname	{ DOREM(setifname(&fr, 0, $3.if1); \
					if ($3.if2 != NULL) \
						setifname(&fr, 1, $3.if2); \
					)
				  free($3.if1);
				  if ($3.if2 != NULL)
					free($3.if2);
				}
	;

onname:	interfacename		{ $$.if1 = $1;
				  $$.if2 = NULL;
				}
	| interfacename ',' interfacename
				{ $$.if1 = $1;
				  $$.if2 = $3;
				}
	;

vianame:
	name			{ setifname(&fr, 2, $1);
				  free($1);
				}
	| name ',' name		{ setifname(&fr, 2, $1);
				  free($1);
				  setifname(&fr, 3, $3);
				  free($3);
				}
	;

/* "dup-to ifname[:addr]" / "dup-to dstlist/name" - fills fr_dif */
dup:	IPFY_DUPTO name
				{ int idx = addname(&fr, $2);
				  fr->fr_dif.fd_name = idx;
free($2);
				}
	| IPFY_DUPTO IPFY_DSTLIST '/' name
				{ int idx = addname(&fr, $4);
				  fr->fr_dif.fd_name = idx;
				  fr->fr_dif.fd_type = FRD_DSTLIST;
				  free($4);
				}
	/* fd_ptr = (void *)-1 marks that an address was given inline
	 * (fd_ip6); how the loader interprets the sentinel is not shown. */
	| IPFY_DUPTO name duptoseparator hostname
				{ int idx = addname(&fr, $2);
				  fr->fr_dif.fd_name = idx;
				  fr->fr_dif.fd_ptr = (void *)-1;
				  fr->fr_dif.fd_ip6 = $4.adr;
				  if (fr->fr_family == AF_UNSPEC && $4.f != AF_UNSPEC)
					fr->fr_family = $4.f;
				  yyexpectaddr = 0;
				  free($2);
				}
	;

/* the ':' between an interface name and an address; switches the lexer
 * into address mode for the hostname that follows */
duptoseparator:
	':'	{ yyexpectaddr = 1; yycont = &yyexpectaddr; resetaddr(); }
	;

froute:	IPFY_FROUTE			{ fr->fr_flags |= FR_FASTROUTE; }
	;

/* "to ..." / "route-to ..." - same forms as dup-to, filling fr_tif */
proute:	routeto name
				{ int idx = addname(&fr, $2);
				  fr->fr_tif.fd_name = idx;
				  free($2);
				}
	| routeto IPFY_DSTLIST '/' name
				{ int idx = addname(&fr, $4);
				  fr->fr_tif.fd_name = idx;
				  fr->fr_tif.fd_type = FRD_DSTLIST;
				  free($4);
				}
	| routeto name duptoseparator hostname
				{ int idx = addname(&fr, $2);
				  fr->fr_tif.fd_name = idx;
				  fr->fr_tif.fd_ptr = (void *)-1;
				  fr->fr_tif.fd_ip6 = $4.adr;
				  if (fr->fr_family == AF_UNSPEC && $4.f != AF_UNSPEC)
					fr->fr_family = $4.f;
				  yyexpectaddr = 0;
				  free($2);
				}
	;

routeto:
	IPFY_TO
	| IPFY_ROUTETO
	;

/* "reply-to ..." - same forms again, filling fr_rif.
 * NOTE(review): unlike dup and proute, the inline-address form does not
 * reset yyexpectaddr; whether the lexer stays in address mode afterwards
 * depends on lexer code not in this excerpt - confirm. */
replyto:
	IPFY_REPLY_TO name
				{ int idx = addname(&fr, $2);
				  fr->fr_rif.fd_name = idx;
				  free($2);
				}
	| IPFY_REPLY_TO IPFY_DSTLIST '/' name
				{ fr->fr_rif.fd_name = addname(&fr, $4);
				  fr->fr_rif.fd_type = FRD_DSTLIST;
				  free($4);
				}
	| IPFY_REPLY_TO name duptoseparator hostname
				{ int idx = addname(&fr, $2);
				  fr->fr_rif.fd_name = idx;
				  fr->fr_rif.fd_ptr = (void *)-1;
				  fr->fr_rif.fd_ip6 = $4.adr;
				  if (fr->fr_family == AF_UNSPEC && $4.f != AF_UNSPEC)
					fr->fr_family = $4.f;
				  free($2);
				}
	;

logoptions:
	logoption
	| logoptions logoption
	;

/* "log [body] [first] [or-block] [level fac.pri]" */
logoption:
	IPFY_BODY			{ fr->fr_flags |= FR_LOGBODY; }
	| IPFY_FIRST			{
fr->fr_flags |= FR_LOGFIRST; }
	| IPFY_ORBLOCK			{ fr->fr_flags |= FR_LOGORBLOCK; }
	| level loglevel		{ unsetsyslog(); }
	;

/* "( code )" after return-icmp: the ICMP code keyword dictionary is active
 * only between the parentheses */
returncode:
	starticmpcode icmpcode ')'	{ fr->fr_icode = $2; yyresetdict(); }
	;

starticmpcode:
	'('				{ yysetdict(icmpcodewords); }
	;

srcdst:	| IPFY_ALL
	| fromto
	;

/*
 * Protocol by number, by name, or "tcp/udp".  Names go through getproto()
 * (not shown).
 * NOTE(review): if yyerror() returns rather than aborting, the -1 from a
 * failed getproto() is stored into fr_proto.  In the third alternative
 * YYERROR leaves the action immediately, so $1 and $3 are never freed on
 * that path.
 */
protocol:
	YY_NUMBER			{ DOALL(fr->fr_proto = $1; \
						fr->fr_mproto = 0xff;)
					}
	| YY_STR			{ if (!strcmp($1, "tcp-udp")) {
						DOALL(fr->fr_flx |= FI_TCPUDP; \
						      fr->fr_mflx |= FI_TCPUDP;)
					  } else {
						  int p = getproto($1);
						  if (p == -1)
							yyerror("protocol unknown");
						  DOALL(fr->fr_proto = p; \
							fr->fr_mproto = 0xff;)
					  }
					  free($1);
					}
	| YY_STR nextstring YY_STR
					{ if (!strcmp($1, "tcp") &&
					      !strcmp($3, "udp")) {
						DOREM(fr->fr_flx |= FI_TCPUDP; \
						      fr->fr_mflx |= FI_TCPUDP;)
					  } else {
						YYERROR;
					  }
					  free($1);
					  free($3);
					}
	;

nextstring:
	'/'				{ yysetdict(NULL); }
	;

/* "from ... to ...", either half optional; address mode is switched off
 * once both objects have been parsed */
fromto:	from srcobject to dstobject	{ yyexpectaddr = 0; yycont = NULL; }
	| to dstobject			{ yyexpectaddr = 0; yycont = NULL; }
	| from srcobject		{ yyexpectaddr = 0; yycont = NULL; }
	;

/* "from": put the lexer into address mode (addrwords dictionary) */
from:	IPFY_FROM			{ setipftype();
					  if (fr == NULL)
						fr = frc;
					  yyexpectaddr = 1;
					  if (yydebug)
						printf("set yyexpectaddr\n");
					  yycont = &yyexpectaddr;
					  yysetdict(addrwords);
					  resetaddr(); }
	;

to:	IPFY_TO				{ if (fr == NULL)
						fr = frc;
					  yyexpectaddr = 1;
					  if (yydebug)
						printf("set yyexpectaddr\n");
					  yycont = &yyexpectaddr;
					  yysetdict(addrwords);
					  resetaddr();
					}
	;

/* "with ..." / "and ..." */
with:	| andwith withlist
	;

andwith:
	IPFY_WITH			{ nowith = 0; setipftype(); }
	| IPFY_AND			{ nowith = 0; setipftype(); }
	;

/*
 * "flags F[/M]": F and M are TCP flag sets given by letters (flagset) or
 * numerically.  Without a mask FR_TCPFMAX is used; "flags /M" sets no
 * flag bits and only a mask.
 */
flags:	| startflags flagset
			{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
	| startflags flagset '/' flagset
			{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
	| startflags '/'
flagset
			{ DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
	| startflags YY_NUMBER
			{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
	| startflags '/' YY_NUMBER
			{ DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
	| startflags YY_NUMBER '/' YY_NUMBER
			{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
	| startflags flagset '/' YY_NUMBER
			{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
	| startflags YY_NUMBER '/' flagset
			{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
	;

/* "flags" is only meaningful for ipf-type TCP rules; both checks go
 * through yyerror() and the flags are still stored afterwards if
 * yyerror() returns. */
startflags:
	IPFY_FLAGS	{ if (frc->fr_type != FR_T_IPF)
				yyerror("flags with non-ipf type rule");
			  if (frc->fr_proto != IPPROTO_TCP)
				yyerror("flags with non-TCP rule");
			}
	;

/* TCP flag letters (tcpflags(), not shown) or a hex value */
flagset:
	YY_STR				{ $$ = tcpflags($1); free($1); }
	| YY_HEX			{ $$ = $1; }
	;

/* "from port ..." (no address), "from addr [port]" or "from ! addr [port]".
 * The mid-rule action restores the keyword dictionary before a port. */
srcobject:
	{ yyresetdict(); } fromport
	| srcaddr srcport
	| '!' srcaddr srcport
			{ DOALL(fr->fr_flags |= FR_NOTSRCIP;) }
	;

/* a single address applies to the current fr only (no DOALL); a list
 * puts each element into its own record through lstart/lmore */
srcaddr:
	addr				{ build_srcaddr_af(fr, &$1); }
	| lstart srcaddrlist lend
	;

srcaddrlist:
	addr				{ build_srcaddr_af(fr, &$1); }
	| srcaddrlist lmore addr
			{ build_srcaddr_af(fr, &$3); }
	;

/* optional source port: "port op N", "port N range N" or "port = { ... }" */
srcport:
	| portcomp
			{ DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
	| portrange
			{ DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
				fr->fr_stop = $1.p2;) }
	| porteq lstart srcportlist lend
			{ yyresetdict(); }
	;

/* same as srcport but mandatory (used when no source address is given) */
fromport:
	portcomp
			{ DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
	| portrange
			{ DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
				fr->fr_stop = $1.p2;) }
	| porteq lstart srcportlist lend
			{ yyresetdict(); }
	;

/* elements of "port = { ... }": "N", "N:M" (inclusive) or "N >< M" */
srcportlist:
	portnum		{ DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $1;) }
	| portnum ':' portnum
			{ DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $1; \
				fr->fr_stop = $3;) }
	| portnum YY_RANGE_IN portnum
			{ DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $1; \
				fr->fr_stop =
$3;) }
	| srcportlist lmore portnum
			{ DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $3;) }
	| srcportlist lmore portnum ':' portnum
			{ DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $3; \
				fr->fr_stop = $5;) }
	| srcportlist lmore portnum YY_RANGE_IN portnum
			{ DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $3; \
				fr->fr_stop = $5;) }
	;

/* destination side: mirrors srcobject/srcaddr/srcport */
dstobject:
	{ yyresetdict(); } toport
	| dstaddr dstport
	| '!' dstaddr dstport
			{ DOALL(fr->fr_flags |= FR_NOTDSTIP;) }
	;

/* the destination family must agree with the rule's family (which the
 * source address may already have fixed); the digit in the message only
 * identifies which alternative raised it */
dstaddr:
	addr	{ if (($1.f != AF_UNSPEC) && (frc->fr_family != AF_UNSPEC) &&
		      ($1.f != frc->fr_family))
			yyerror("1.src/dst address family mismatch");
		  build_dstaddr_af(fr, &$1);
		}
	| lstart dstaddrlist lend
	;

dstaddrlist:
	addr	{ if (($1.f != AF_UNSPEC) && (frc->fr_family != AF_UNSPEC) &&
		      ($1.f != frc->fr_family))
			yyerror("2.src/dst address family mismatch");
		  build_dstaddr_af(fr, &$1);
		}
	| dstaddrlist lmore addr
		{ if (($3.f != AF_UNSPEC) && (frc->fr_family != AF_UNSPEC) &&
		      ($3.f != frc->fr_family))
			yyerror("3.src/dst address family mismatch");
		  build_dstaddr_af(fr, &$3);
		}
	;


dstport:
	| portcomp
			{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
	| portrange
			{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
				fr->fr_dtop = $1.p2;) }
	| porteq lstart dstportlist lend
			{ yyresetdict(); }
	;

toport:
	portcomp
			{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
	| portrange
			{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
				fr->fr_dtop = $1.p2;) }
	| porteq lstart dstportlist lend
			{ yyresetdict(); }
	;

dstportlist:
	portnum		{ DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $1;) }
	| portnum ':' portnum
			{ DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $1; \
				fr->fr_dtop = $3;) }
	| portnum YY_RANGE_IN portnum
			{ DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $1; \
fr->fr_dtop = $3;) }
	| dstportlist lmore portnum
			{ DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $3;) }
	| dstportlist lmore portnum ':' portnum
			{ DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $3; \
				fr->fr_dtop = $5;) }
	| dstportlist lmore portnum YY_RANGE_IN portnum
			{ DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $3; \
				fr->fr_dtop = $5;) }
	;

/*
 * An address object: a pool or hash table reference ("pool/N",
 * "pool/name", "pool = ( ... )", likewise for hash) or a plain address.
 * Lookup forms produce FRI_LOOKUP with the table identity in $$.a.
 * NOTE(review): the "pool/name" alternative is the only one that neither
 * sets $$.v nor clears yyexpectaddr; $$.v is left as whatever the value
 * stack held.  The two "/name" forms also do not free $3 after addname(),
 * unlike dup/proute - whether addname() takes ownership is not visible.
 */
addr:	pool '/' YY_NUMBER		{ pooled = 1;
					  yyexpectaddr = 0;
					  $$.type = FRI_LOOKUP;
					  $$.v = 0;
					  $$.ifpos = -1;
					  $$.f = AF_UNSPEC;
					  $$.a.iplookuptype = IPLT_POOL;
					  $$.a.iplookupsubtype = 0;
					  $$.a.iplookupnum = $3; }
	| pool '/' YY_STR		{ pooled = 1;
					  $$.ifpos = -1;
					  $$.f = AF_UNSPEC;
					  $$.type = FRI_LOOKUP;
					  $$.a.iplookuptype = IPLT_POOL;
					  $$.a.iplookupsubtype = 1;
					  $$.a.iplookupname = addname(&fr, $3);
					}
	/* inline pool: the mid-rule action is $4, the list is $5 */
	| pool '=' '('			{ yyexpectaddr = 1;
					  pooled = 1;
					}
	  poollist ')'			{ yyexpectaddr = 0;
					  $$.v = 0;
					  $$.ifpos = -1;
					  $$.f = AF_UNSPEC;
					  $$.type = FRI_LOOKUP;
					  $$.a.iplookuptype = IPLT_POOL;
					  $$.a.iplookupsubtype = 0;
					  $$.a.iplookupnum = makepool($5);
					}
	| hash '/' YY_NUMBER		{ hashed = 1;
					  yyexpectaddr = 0;
					  $$.v = 0;
					  $$.ifpos = -1;
					  $$.f = AF_UNSPEC;
					  $$.type = FRI_LOOKUP;
					  $$.a.iplookuptype = IPLT_HASH;
					  $$.a.iplookupsubtype = 0;
					  $$.a.iplookupnum = $3;
					}
	| hash '/' YY_STR		{ hashed = 1;
					  $$.type = FRI_LOOKUP;
					  $$.v = 0;
					  $$.ifpos = -1;
					  $$.f = AF_UNSPEC;
					  $$.a.iplookuptype = IPLT_HASH;
					  $$.a.iplookupsubtype = 1;
					  $$.a.iplookupname = addname(&fr, $3);
					}
	/* inline hash table: mid-rule action is $4, the list is $5 */
	| hash '=' '('			{ hashed = 1;
					  yyexpectaddr = 1;
					}
	  addrlist ')'			{ yyexpectaddr = 0;
					  $$.v = 0;
					  $$.ifpos = -1;
					  $$.f = AF_UNSPEC;
					  $$.type = FRI_LOOKUP;
					  $$.a.iplookuptype = IPLT_HASH;
					  $$.a.iplookupsubtype = 0;
					  $$.a.iplookupnum = makehash($5);
					}
	| ipaddr			{ $$ = $1;
					  yyexpectaddr = 0; }
	;

/*
 * A plain address: "any", a host, "host/mask" ("host mask M"), or an
 * interface-derived address "( ifname[:N] )[/opt]".
 */
ipaddr:	IPFY_ANY			{
bzero(&($$), sizeof($$));
					  $$.type = FRI_NORMAL;
					  $$.ifpos = -1;
					  yyexpectaddr = 0;
					}
	/* host without a mask: a full-length mask is filled in.
	 * NOTE(review): if $1.f is neither AF_INET nor AF_INET6 (hostname's
	 * YY_STR form leaves f unset when lookuphost() fails) $$.m is never
	 * written. */
	| hostname			{ $$.a = $1.adr;
					  $$.f = $1.f;
					  if ($1.f == AF_INET6)
						fill6bits(128, $$.m.i6);
					  else if ($1.f == AF_INET)
						fill6bits(32, $$.m.i6);
					  $$.v = ftov($1.f);
					  $$.ifpos = dynamic;
					  $$.type = FRI_NORMAL;
					}
	/* host with a mask: $2 and $4 are mid-rule actions, the mask is $5.
	 * The address is masked here so the stored value is already a
	 * network.  $$.type is taken from the ifpflag global rather than
	 * being FRI_NORMAL; ifpflag is 0 unless an earlier "( ifname )" form
	 * set it, and whether resetaddr() clears it is not visible here. */
	| hostname			{ yyresetdict(); }
	  maskspace			{ yysetdict(maskwords);
					  yyexpectaddr = 2; }
	  ipmask			{ ntomask($1.f, $5, $$.m.i6);
					  $$.a = $1.adr;
					  $$.a.i6[0] &= $$.m.i6[0];
					  $$.a.i6[1] &= $$.m.i6[1];
					  $$.a.i6[2] &= $$.m.i6[2];
					  $$.a.i6[3] &= $$.m.i6[3];
					  $$.f = $1.f;
					  $$.v = ftov($1.f);
					  $$.type = ifpflag;
					  $$.ifpos = dynamic;
					  if (ifpflag != 0 && $$.v == 0) {
						if (frc->fr_family == AF_INET6){
							$$.v = 6;
							$$.f = AF_INET6;
						} else {
							$$.v = 4;
							$$.f = AF_INET;
						}
					  }
					  yyresetdict();
					  yyexpectaddr = 0;
					}
	/* "( ifname )": address taken from the interface at run time.
	 * Only type, ifpos and lif are set; a, m, f and v are left as the
	 * value stack held them. */
	| '(' YY_STR ')'		{ $$.type = FRI_DYNAMIC;
					  ifpflag = FRI_DYNAMIC;
					  $$.ifpos = addname(&fr, $2);
					  $$.lif = 0;
					}
	/* "( ifname )/opt": maskopts may turn ifpflag into FRI_BROADCAST etc.
	 * or, for a numeric mask, leave it FRI_DYNAMIC; $6 is maskopts. */
	| '(' YY_STR ')' '/'
			{ ifpflag = FRI_DYNAMIC; yysetdict(maskwords); }
	  maskopts
			{ $$.type = ifpflag;
			  $$.ifpos = addname(&fr, $2);
			  $$.lif = 0;
			  if (frc->fr_family == AF_UNSPEC)
				frc->fr_family = AF_INET;
			  if (ifpflag == FRI_DYNAMIC) {
				ntomask(frc->fr_family,
					$6, $$.m.i6);
			  }
			  yyresetdict();
			  yyexpectaddr = 0;
			}
	/* "( ifname:N )/opt": as above with a logical interface number;
	 * $8 is maskopts */
	| '(' YY_STR ':' YY_NUMBER ')' '/'
			{ ifpflag = FRI_DYNAMIC; yysetdict(maskwords); }
	  maskopts
			{ $$.type = ifpflag;
			  $$.ifpos = addname(&fr, $2);
			  $$.lif = $4;
			  if (frc->fr_family == AF_UNSPEC)
				frc->fr_family = AF_INET;
			  if (ifpflag == FRI_DYNAMIC) {
				ntomask(frc->fr_family,
					$8, $$.m.i6);
			  }
			  yyresetdict();
			  yyexpectaddr = 0;
			}
	;

/* "/" or the keyword "mask" between an address and its mask */
maskspace:
	'/'
	| IPFY_MASK
	;

/* a mask as a prefix length: dotted-quad and hex masks are converted
 * with count4bits(), IPv6 masks with count6bits() */
ipmask:	ipv4				{ $$ = count4bits($1.s_addr); }
	| YY_HEX			{ $$
= count4bits(htonl($1)); }
	/* YY_NUMBER is also accepted through maskopts below; yacc resolves
	 * the resulting reduce/reduce conflict in favour of this earlier
	 * rule, and both give $$ = $1. */
	| YY_NUMBER			{ $$ = $1; }
	| YY_IPV6			{ $$ = count6bits($1.i6); }
	| maskopts			{ $$ = $1; }
	;

/*
 * Options after "( ifname )/": broadcast, network, netmasked or peer
 * refine a FRI_DYNAMIC address and are rejected (YYERROR) anywhere else;
 * a number is a plain prefix length.
 */
maskopts:
	IPFY_BROADCAST			{ if (ifpflag == FRI_DYNAMIC) {
						ifpflag = FRI_BROADCAST;
					  } else {
						YYERROR;
					  }
					  $$ = 0;
					}
	| IPFY_NETWORK			{ if (ifpflag == FRI_DYNAMIC) {
						ifpflag = FRI_NETWORK;
					  } else {
						YYERROR;
					  }
					  $$ = 0;
					}
	| IPFY_NETMASKED		{ if (ifpflag == FRI_DYNAMIC) {
						ifpflag = FRI_NETMASKED;
					  } else {
						YYERROR;
					  }
					  $$ = 0;
					}
	| IPFY_PEER			{ if (ifpflag == FRI_DYNAMIC) {
						ifpflag = FRI_PEERADDR;
					  } else {
						YYERROR;
					  }
					  $$ = 0;
					}
	| YY_NUMBER			{ $$ = $1; }
	;

/*
 * A host: dotted quad, bare number / hex (taken as an IPv4 address), a
 * name resolved by lookuphost(), or an IPv6 literal.  The IPv4 forms are
 * rejected in an IPv6 rule and vice versa.  yyexpectaddr = 2 presumably
 * tells the lexer that a mask may follow.
 * NOTE(review): in the YY_STR form $$.f is only set when lookuphost()
 * succeeds; on failure $$.adr and $$.f keep whatever the value stack held
 * (no yyerror() is raised here).
 */
hostname:
	ipv4				{ $$.adr.in4 = $1;
					  if (frc->fr_family == AF_INET6)
						YYERROR;
					  $$.f = AF_INET;
					  yyexpectaddr = 2;
					}
	| YY_NUMBER			{ if (frc->fr_family == AF_INET6)
						YYERROR;
					  $$.adr.in4_addr = $1;
					  $$.f = AF_INET;
					  yyexpectaddr = 2;
					}
	| YY_HEX			{ if (frc->fr_family == AF_INET6)
						YYERROR;
					  $$.adr.in4_addr = $1;
					  $$.f = AF_INET;
					  yyexpectaddr = 2;
					}
	| YY_STR			{ if (lookuphost($1, &$$.adr) == 0)
						$$.f = AF_INET;
					  free($1);
					  yyexpectaddr = 2;
					}
	| YY_IPV6			{ if (frc->fr_family == AF_INET)
						YYERROR;
					  $$.adr = $1;
					  $$.f = AF_INET6;
					  yyexpectaddr = 2;
					}
	;

/* comma separated addresses for "hash = ( ... )", built right to left;
 * the mid-rule action is $3 so the tail list is $4.
 * NOTE(review): newalist() is dereferenced without a NULL check; whether
 * it can fail is not visible in this excerpt. */
addrlist:
	ipaddr				{ $$ = newalist(NULL);
					  $$->al_family = $1.f;
					  $$->al_i6addr = $1.a;
					  $$->al_i6mask = $1.m;
					}
	| ipaddr ','			{ yyexpectaddr = 1; }
	  addrlist
					{ $$ = newalist($4);
					  $$->al_family = $1.f;
					  $$->al_i6addr = $1.a;
					  $$->al_i6mask = $1.m;
					}
	;

/* "pool" / "hash" keywords: leave address mode, restore the dictionary */
pool:	IPFY_POOL			{ yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
	;

hash:	IPFY_HASH			{ yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
	;

/* entries for "pool = ( 1.2.3.4, !5.6.7.8 )"; '!' sets al_not.
 * Built left to right (newalist($1) chains onto the existing list). */
poollist:
	ipaddr				{ $$ = newalist(NULL);
					  $$->al_family = $1.f;
$$->al_i6addr = $1.a;
					  $$->al_i6mask = $1.m;
					}
	| '!' ipaddr			{ $$ = newalist(NULL);
					  $$->al_not = 1;
					  $$->al_family = $2.f;
					  $$->al_i6addr = $2.a;
					  $$->al_i6mask = $2.m;
					}
	| poollist ',' ipaddr
					{ $$ = newalist($1);
					  $$->al_family = $3.f;
					  $$->al_i6addr = $3.a;
					  $$->al_i6mask = $3.m;
					}
	| poollist ',' '!' ipaddr
					{ $$ = newalist($1);
					  $$->al_not = 1;
					  $$->al_family = $4.f;
					  $$->al_i6addr = $4.a;
					  $$->al_i6mask = $4.m;
					}
	;

/* "port" keyword before a comparison: only valid for TCP/UDP rules or
 * when no protocol was given (fr_proto == 0) */
port:	IPFY_PORT			{ yyexpectaddr = 0;
					  yycont = NULL;
					  if (frc->fr_proto != 0 &&
					      frc->fr_proto != IPPROTO_UDP &&
					      frc->fr_proto != IPPROTO_TCP)
						yyerror("port use incorrect");
					}
	;

/* "port <op>" - the comparison operator becomes the FR_* value */
portc:	port compare			{ $$ = $2;
					  yysetdict(NULL);
					}
	| porteq			{ $$ = $1; }
	;

porteq:	port '='			{ $$ = FR_EQUAL;
					  yysetdict(NULL);
					}
	;

/* "port" keyword before a range ("port N <> M"); no protocol check here */
portr:	IPFY_PORT			{ yyexpectaddr = 0;
					  yycont = NULL;
					  yysetdict(NULL);
					}
	;

portcomp:
	portc portnum			{ $$.pc = $1;
					  $$.p1 = $2;
					  yyresetdict();
					}
	;

portrange:
	portr portnum range portnum	{ $$.p1 = $2;
					  $$.pc = $3;
					  $$.p2 = $4;
					  yyresetdict();
					}
	;

/* "icmp-type T [code C]" - the type lives in the high byte of fr_icmp,
 * the code in the low byte, both in network byte order */
icmp:	| itype icode
	;

itype:	seticmptype icmptype
	{ DOALL(fr->fr_icmp = htons($2 << 8); fr->fr_icmpm = htons(0xff00););
	  yyresetdict();
	}
	| seticmptype lstart typelist lend	{ yyresetdict(); }
	;

/* "icmp-type": a rule without a family defaults to IPv4 here, the protocol
 * must match the family's ICMP, and the IP version fields of every record
 * are set from the family */
seticmptype:
	IPFY_ICMPTYPE			{ if (frc->fr_family == AF_UNSPEC)
						frc->fr_family = AF_INET;
					  if (frc->fr_family == AF_INET &&
					      frc->fr_type == FR_T_IPF &&
					      frc->fr_proto != IPPROTO_ICMP) {
						yyerror("proto not icmp");
					  }
					  if (frc->fr_family == AF_INET6 &&
					      frc->fr_type == FR_T_IPF &&
					      frc->fr_proto != IPPROTO_ICMPV6) {
						yyerror("proto not ipv6-icmp");
					  }
					  setipftype();
					  DOALL(if (fr->fr_family == AF_INET) { \
fr->fr_ip.fi_v = 4; \
						fr->fr_mip.fi_v = 0xf; \
					  }
					  if (fr->fr_family == AF_INET6) { \
						fr->fr_ip.fi_v = 6; \
						fr->fr_mip.fi_v = 0xf; \
					  }
					  )
					  yysetdict(NULL);
					}
	;

/* optional "code C" after an icmp-type; OR-ed into the low byte */
icode:	| seticmpcode icmpcode
	{ DOALL(fr->fr_icmp |= htons($2); fr->fr_icmpm |= htons(0xff););
	  yyresetdict();
	}
	| seticmpcode lstart codelist lend	{ yyresetdict(); }
	;

seticmpcode:
	IPFY_ICMPCODE			{ yysetdict(icmpcodewords); }
	;

typelist:
	icmptype
	{ DOREM(fr->fr_icmp = htons($1 << 8); fr->fr_icmpm = htons(0xff00);) }
	| typelist lmore icmptype
	{ DOREM(fr->fr_icmp = htons($3 << 8); fr->fr_icmpm = htons(0xff00);) }
	;

/* later list elements clear the code byte first (records created by
 * addrule() presumably start as copies of the previous one); the first
 * element only ORs */
codelist:
	icmpcode
	{ DOREM(fr->fr_icmp |= htons($1); fr->fr_icmpm |= htons(0xff);) }
	| codelist lmore icmpcode
	{ DOREM(fr->fr_icmp &= htons(0xff00); fr->fr_icmp |= htons($3); \
		fr->fr_icmpm |= htons(0xff);) }
	;

/* "age N" or "age N/M" - state timeouts; one value applies to both */
age:	| IPFY_AGE YY_NUMBER		{ DOALL(fr->fr_age[0] = $2; \
						fr->fr_age[1] = $2;) }
	| IPFY_AGE YY_NUMBER '/' YY_NUMBER
					{ DOALL(fr->fr_age[0] = $2; \
						fr->fr_age[1] = $4;) }
	;

/* "keep state [( opts )]" and/or "keep frags [( opts )]", any number */
keep:	| IPFY_KEEP keepstate keep
	| IPFY_KEEP keepfrag keep
	;

keepstate:
	IPFY_STATE stateoptlist		{ DOALL(fr->fr_flags |= FR_KEEPSTATE;)}
	;

keepfrag:
	IPFY_FRAGS fragoptlist		{ DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
	| IPFY_FRAG fragoptlist		{ DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
	;

fragoptlist:
	| '(' fragopts ')'
	;

fragopts:
	fragopt lanother fragopts
	| fragopt
	;

fragopt:
	IPFY_STRICT			{ DOALL(fr->fr_flags |= FR_FRSTRICT;) }
	;

stateoptlist:
	| '(' stateopts ')'
	;

stateopts:
	stateopt lanother stateopts
	| stateopt
	;

/*
 * Options inside "keep state ( ... )".  strict/loose/newisn are TCP-only
 * and strict and loose exclude each other; a violation is a YYERROR from
 * inside the DOALL loop.
 */
stateopt:
	IPFY_LIMIT YY_NUMBER		{ DOALL(fr->fr_statemax = $2;) }
	| IPFY_STRICT			{ DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
						YYERROR; \
					  } else if (fr->fr_flags & FR_STLOOSE) {\
						YYERROR; \
					  } else \
						fr->fr_flags |= FR_STSTRICT;)
					}
	| IPFY_LOOSE			{ DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
						YYERROR; \
					  } else if (fr->fr_flags & FR_STSTRICT){\
						YYERROR; \
					  } else \
						fr->fr_flags |= FR_STLOOSE;)
					}
	| IPFY_NEWISN			{ DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
						YYERROR; \
					  } else \
						fr->fr_flags |= FR_NEWISN;)
					}
	| IPFY_NOICMPERR		{ DOALL(fr->fr_flags |= FR_NOICMPERR;) }

	| IPFY_SYNC			{ DOALL(fr->fr_flags |= FR_STATESYNC;) }
	| IPFY_AGE YY_NUMBER		{ DOALL(fr->fr_age[0] = $2; \
						fr->fr_age[1] = $2;) }
	| IPFY_AGE YY_NUMBER '/' YY_NUMBER
					{ DOALL(fr->fr_age[0] = $2; \
						fr->fr_age[1] = $4;) }
	| IPFY_ICMPHEAD groupname
					{ DOALL(seticmphead(&fr, $2);)
					  free($2);
					}
	| IPFY_NOLOG
					{ DOALL(fr->fr_nostatelog = 1;) }
	| IPFY_RPC
					{ DOALL(fr->fr_rpc = 1;) }
	/* "rpc in name": the name ($3) is accepted but neither used nor
	 * freed here */
	| IPFY_RPC IPFY_IN YY_STR
					{ DOALL(fr->fr_rpc = 1;) }
	| IPFY_MAX_SRCS YY_NUMBER
					{ DOALL(fr->fr_srctrack.ht_max_nodes = $2;) }
	/* "max-per-src N[/M]": without M the netmask is the full address
	 * length for the record's family */
	| IPFY_MAX_PER_SRC YY_NUMBER
					{ DOALL(fr->fr_srctrack.ht_max_per_node = $2; \
						fr->fr_srctrack.ht_netmask = \
						fr->fr_family == AF_INET ? 32: 128;)
					}
	| IPFY_MAX_PER_SRC YY_NUMBER '/' YY_NUMBER
					{ DOALL(fr->fr_srctrack.ht_max_per_node = $2; \
						fr->fr_srctrack.ht_netmask = $4;)
					}
	;

/*
 * A port: a service name resolved with getport() (not shown; the result
 * is in network byte order and converted here) or a number up to 65535.
 * NOTE(review): on both error paths $$ is not assigned after yyerror();
 * if yyerror() returns, the caller receives whatever the value stack held.
 */
portnum:
	servicename			{ if (getport(frc, $1,
						    &($$), NULL) == -1)
						yyerror("service unknown");
					  $$ = ntohs($$);
					  free($1);
					}
	| YY_NUMBER			{ if ($1 > 65535)	/* Unsigned */
						yyerror("invalid port number");
					  else
						$$ = $1;
					}
	;

/* options after "with"/"and", optionally comma separated; nowith is
 * cleared after each one */
withlist:
	withopt				{ nowith = 0; }
	| withlist withopt		{ nowith = 0; }
	| withlist ',' withopt		{ nowith = 0; }
	;

/* "with X" sets flag and mask bit (X must be present); "with not X" sets
 * only the mask bit (X must be absent). "opt"/"v6hdr" switch dictionaries
 * for their sub-lists. */
withopt:
	opttype		{ DOALL(fr->fr_flx |= $1; fr->fr_mflx |= $1;) }
	| notwith opttype	{ DOALL(fr->fr_mflx |= $2;) }
	| ipopt ipopts		{ yyresetdict(); }
	| notwith ipopt ipopts	{ yyresetdict(); }
	| startv6hdr ipv6hdrs	{ yyresetdict(); }
	;

ipopt:	IPFY_OPT			{ yysetdict(ipv4optwords); }
	;

startv6hdr:
	IPFY_V6HDR			{ if (frc->fr_family != AF_INET6)
						yyerror("only available with IPv6");
					  yysetdict(ipv6optwords);
					}
	;

notwith:
	IPFY_NOT			{ nowith = 1; }
	| IPFY_NO			{ nowith = 1; }
	;

/* keyword -> FI_* packet attribute flag; "frag" and "frags" are aliases */
opttype:
	IPFY_IPOPTS			{ $$ = FI_OPTIONS; }
	| IPFY_SHORT			{ $$ = FI_SHORT; }
	| IPFY_NAT			{ $$ = FI_NATED; }
	| IPFY_BAD			{ $$ = FI_BAD; }
	| IPFY_BADNAT			{ $$ = FI_BADNAT; }
	| IPFY_BADSRC			{ $$ = FI_BADSRC; }
	| IPFY_LOWTTL			{ $$ = FI_LOWTTL; }
	| IPFY_FRAG			{ $$ = FI_FRAG; }
	| IPFY_FRAGBODY			{ $$ = FI_FRAGBODY; }
	| IPFY_FRAGS			{ $$ = FI_FRAG; }
	| IPFY_MBCAST			{ $$ = FI_MBCAST; }
	| IPFY_MULTICAST		{ $$ = FI_MULTICAST; }
	| IPFY_BROADCAST		{ $$ = FI_BROADCAST; }
	| IPFY_STATE			{ $$ = FI_STATE; }
	| IPFY_OOW			{ $$ = FI_OOW; }
	| IPFY_AH			{ $$ = FI_AH; }
	| IPFY_V6HDRS			{ $$ = FI_V6EXTHDR; }
	;

ipopts:	optlist	{ DOALL(fr->fr_mip.fi_optmsk |= $1;
			if (fr->fr_family == AF_UNSPEC) {
				fr->fr_family = AF_INET;
				fr->fr_ip.fi_v = 
4; 1490 fr->fr_mip.fi_v = 0xf; 1491 } else if (fr->fr_family != AF_INET) { 1492 YYERROR; 1493 } 1494 if (!nowith) 1495 fr->fr_ip.fi_optmsk |= $1;) 1496 } 1497 ; 1498 1499 optlist: 1500 opt { $$ |= $1; } 1501 | optlist ',' opt { $$ |= $1 | $3; } 1502 ; 1503 1504 ipv6hdrs: 1505 ipv6hdrlist { DOALL(fr->fr_mip.fi_optmsk |= $1; 1506 if (!nowith) 1507 fr->fr_ip.fi_optmsk |= $1;) 1508 } 1509 ; 1510 1511 ipv6hdrlist: 1512 ipv6hdr { $$ |= $1; } 1513 | ipv6hdrlist ',' ipv6hdr { $$ |= $1 | $3; } 1514 ; 1515 1516 secname: 1517 seclevel { $$ |= $1; } 1518 | secname ',' seclevel { $$ |= $1 | $3; } 1519 ; 1520 1521 seclevel: 1522 IPFY_SEC_UNC { $$ = secbit(IPSO_CLASS_UNCL); } 1523 | IPFY_SEC_CONF { $$ = secbit(IPSO_CLASS_CONF); } 1524 | IPFY_SEC_RSV1 { $$ = secbit(IPSO_CLASS_RES1); } 1525 | IPFY_SEC_RSV2 { $$ = secbit(IPSO_CLASS_RES2); } 1526 | IPFY_SEC_RSV3 { $$ = secbit(IPSO_CLASS_RES3); } 1527 | IPFY_SEC_RSV4 { $$ = secbit(IPSO_CLASS_RES4); } 1528 | IPFY_SEC_SEC { $$ = secbit(IPSO_CLASS_SECR); } 1529 | IPFY_SEC_TS { $$ = secbit(IPSO_CLASS_TOPS); } 1530 ; 1531 1532 icmptype: 1533 YY_NUMBER { $$ = $1; } 1534 | YY_STR { $$ = geticmptype(frc->fr_family, $1); 1535 if ($$ == -1) 1536 yyerror("unrecognised icmp type"); 1537 } 1538 ; 1539 1540 icmpcode: 1541 YY_NUMBER { $$ = $1; } 1542 | IPFY_ICMPC_NETUNR { $$ = ICMP_UNREACH_NET; } 1543 | IPFY_ICMPC_HSTUNR { $$ = ICMP_UNREACH_HOST; } 1544 | IPFY_ICMPC_PROUNR { $$ = ICMP_UNREACH_PROTOCOL; } 1545 | IPFY_ICMPC_PORUNR { $$ = ICMP_UNREACH_PORT; } 1546 | IPFY_ICMPC_NEEDF { $$ = ICMP_UNREACH_NEEDFRAG; } 1547 | IPFY_ICMPC_SRCFAIL { $$ = ICMP_UNREACH_SRCFAIL; } 1548 | IPFY_ICMPC_NETUNK { $$ = ICMP_UNREACH_NET_UNKNOWN; } 1549 | IPFY_ICMPC_HSTUNK { $$ = ICMP_UNREACH_HOST_UNKNOWN; } 1550 | IPFY_ICMPC_ISOLATE { $$ = ICMP_UNREACH_ISOLATED; } 1551 | IPFY_ICMPC_NETPRO { $$ = ICMP_UNREACH_NET_PROHIB; } 1552 | IPFY_ICMPC_HSTPRO { $$ = ICMP_UNREACH_HOST_PROHIB; } 1553 | IPFY_ICMPC_NETTOS { $$ = ICMP_UNREACH_TOSNET; } 1554 | IPFY_ICMPC_HSTTOS { $$ = 
ICMP_UNREACH_TOSHOST; } 1555 | IPFY_ICMPC_FLTPRO { $$ = ICMP_UNREACH_ADMIN_PROHIBIT; } 1556 | IPFY_ICMPC_HSTPRE { $$ = 14; } 1557 | IPFY_ICMPC_CUTPRE { $$ = 15; } 1558 ; 1559 1560 opt: 1561 IPFY_IPOPT_NOP { $$ = getoptbyvalue(IPOPT_NOP); } 1562 | IPFY_IPOPT_RR { $$ = getoptbyvalue(IPOPT_RR); } 1563 | IPFY_IPOPT_ZSU { $$ = getoptbyvalue(IPOPT_ZSU); } 1564 | IPFY_IPOPT_MTUP { $$ = getoptbyvalue(IPOPT_MTUP); } 1565 | IPFY_IPOPT_MTUR { $$ = getoptbyvalue(IPOPT_MTUR); } 1566 | IPFY_IPOPT_ENCODE { $$ = getoptbyvalue(IPOPT_ENCODE); } 1567 | IPFY_IPOPT_TS { $$ = getoptbyvalue(IPOPT_TS); } 1568 | IPFY_IPOPT_TR { $$ = getoptbyvalue(IPOPT_TR); } 1569 | IPFY_IPOPT_SEC { $$ = getoptbyvalue(IPOPT_SECURITY); } 1570 | IPFY_IPOPT_LSRR { $$ = getoptbyvalue(IPOPT_LSRR); } 1571 | IPFY_IPOPT_ESEC { $$ = getoptbyvalue(IPOPT_E_SEC); } 1572 | IPFY_IPOPT_CIPSO { $$ = getoptbyvalue(IPOPT_CIPSO); } 1573 | IPFY_IPOPT_CIPSO doi { $$ = getoptbyvalue(IPOPT_CIPSO); } 1574 | IPFY_IPOPT_SATID { $$ = getoptbyvalue(IPOPT_SATID); } 1575 | IPFY_IPOPT_SSRR { $$ = getoptbyvalue(IPOPT_SSRR); } 1576 | IPFY_IPOPT_ADDEXT { $$ = getoptbyvalue(IPOPT_ADDEXT); } 1577 | IPFY_IPOPT_VISA { $$ = getoptbyvalue(IPOPT_VISA); } 1578 | IPFY_IPOPT_IMITD { $$ = getoptbyvalue(IPOPT_IMITD); } 1579 | IPFY_IPOPT_EIP { $$ = getoptbyvalue(IPOPT_EIP); } 1580 | IPFY_IPOPT_FINN { $$ = getoptbyvalue(IPOPT_FINN); } 1581 | IPFY_IPOPT_DPS { $$ = getoptbyvalue(IPOPT_DPS); } 1582 | IPFY_IPOPT_SDB { $$ = getoptbyvalue(IPOPT_SDB); } 1583 | IPFY_IPOPT_NSAPA { $$ = getoptbyvalue(IPOPT_NSAPA); } 1584 | IPFY_IPOPT_RTRALRT { $$ = getoptbyvalue(IPOPT_RTRALRT); } 1585 | IPFY_IPOPT_UMP { $$ = getoptbyvalue(IPOPT_UMP); } 1586 | setsecclass secname 1587 { DOALL(fr->fr_mip.fi_secmsk |= $2; 1588 if (fr->fr_family == AF_UNSPEC) { 1589 fr->fr_family = AF_INET; 1590 fr->fr_ip.fi_v = 4; 1591 fr->fr_mip.fi_v = 0xf; 1592 } else if (fr->fr_family != AF_INET) { 1593 YYERROR; 1594 } 1595 if (!nowith) 1596 fr->fr_ip.fi_secmsk |= $2;) 1597 $$ = 0; 1598 
yyresetdict(); 1599 } 1600 ; 1601 1602 setsecclass: 1603 IPFY_SECCLASS { yysetdict(ipv4secwords); } 1604 ; 1605 1606 doi: IPFY_DOI YY_NUMBER { DOALL(fr->fr_doimask = 0xffffffff; \ 1607 if (!nowith) \ 1608 fr->fr_doi = $2;) } 1609 | IPFY_DOI YY_HEX { DOALL(fr->fr_doimask = 0xffffffff; \ 1610 if (!nowith) \ 1611 fr->fr_doi = $2;) } 1612 ; 1613 1614 ipv6hdr: 1615 IPFY_AH { $$ = getv6optbyvalue(IPPROTO_AH); } 1616 | IPFY_IPV6OPT_DSTOPTS { $$ = getv6optbyvalue(IPPROTO_DSTOPTS); } 1617 | IPFY_IPV6OPT_ESP { $$ = getv6optbyvalue(IPPROTO_ESP); } 1618 | IPFY_IPV6OPT_HOPOPTS { $$ = getv6optbyvalue(IPPROTO_HOPOPTS); } 1619 | IPFY_IPV6OPT_IPV6 { $$ = getv6optbyvalue(IPPROTO_IPV6); } 1620 | IPFY_IPV6OPT_NONE { $$ = getv6optbyvalue(IPPROTO_NONE); } 1621 | IPFY_IPV6OPT_ROUTING { $$ = getv6optbyvalue(IPPROTO_ROUTING); } 1622 | IPFY_IPV6OPT_FRAG { $$ = getv6optbyvalue(IPPROTO_FRAGMENT); } 1623 | IPFY_IPV6OPT_MOBILITY { $$ = getv6optbyvalue(IPPROTO_MOBILITY); } 1624 ; 1625 1626 level: IPFY_LEVEL { setsyslog(); } 1627 ; 1628 1629 loglevel: 1630 priority { fr->fr_loglevel = LOG_LOCAL0|$1; } 1631 | facility '.' 
priority { fr->fr_loglevel = $1 | $3; } 1632 ; 1633 1634 facility: 1635 IPFY_FAC_KERN { $$ = LOG_KERN; } 1636 | IPFY_FAC_USER { $$ = LOG_USER; } 1637 | IPFY_FAC_MAIL { $$ = LOG_MAIL; } 1638 | IPFY_FAC_DAEMON { $$ = LOG_DAEMON; } 1639 | IPFY_FAC_AUTH { $$ = LOG_AUTH; } 1640 | IPFY_FAC_SYSLOG { $$ = LOG_SYSLOG; } 1641 | IPFY_FAC_LPR { $$ = LOG_LPR; } 1642 | IPFY_FAC_NEWS { $$ = LOG_NEWS; } 1643 | IPFY_FAC_UUCP { $$ = LOG_UUCP; } 1644 | IPFY_FAC_CRON { $$ = LOG_CRON; } 1645 | IPFY_FAC_FTP { $$ = LOG_FTP; } 1646 | IPFY_FAC_AUTHPRIV { $$ = LOG_AUTHPRIV; } 1647 | IPFY_FAC_AUDIT { $$ = LOG_AUDIT; } 1648 | IPFY_FAC_LFMT { $$ = LOG_LFMT; } 1649 | IPFY_FAC_LOCAL0 { $$ = LOG_LOCAL0; } 1650 | IPFY_FAC_LOCAL1 { $$ = LOG_LOCAL1; } 1651 | IPFY_FAC_LOCAL2 { $$ = LOG_LOCAL2; } 1652 | IPFY_FAC_LOCAL3 { $$ = LOG_LOCAL3; } 1653 | IPFY_FAC_LOCAL4 { $$ = LOG_LOCAL4; } 1654 | IPFY_FAC_LOCAL5 { $$ = LOG_LOCAL5; } 1655 | IPFY_FAC_LOCAL6 { $$ = LOG_LOCAL6; } 1656 | IPFY_FAC_LOCAL7 { $$ = LOG_LOCAL7; } 1657 | IPFY_FAC_SECURITY { $$ = LOG_SECURITY; } 1658 ; 1659 1660 priority: 1661 IPFY_PRI_EMERG { $$ = LOG_EMERG; } 1662 | IPFY_PRI_ALERT { $$ = LOG_ALERT; } 1663 | IPFY_PRI_CRIT { $$ = LOG_CRIT; } 1664 | IPFY_PRI_ERR { $$ = LOG_ERR; } 1665 | IPFY_PRI_WARN { $$ = LOG_WARNING; } 1666 | IPFY_PRI_NOTICE { $$ = LOG_NOTICE; } 1667 | IPFY_PRI_INFO { $$ = LOG_INFO; } 1668 | IPFY_PRI_DEBUG { $$ = LOG_DEBUG; } 1669 ; 1670 1671 compare: 1672 YY_CMP_EQ { $$ = FR_EQUAL; } 1673 | YY_CMP_NE { $$ = FR_NEQUAL; } 1674 | YY_CMP_LT { $$ = FR_LESST; } 1675 | YY_CMP_LE { $$ = FR_LESSTE; } 1676 | YY_CMP_GT { $$ = FR_GREATERT; } 1677 | YY_CMP_GE { $$ = FR_GREATERTE; } 1678 ; 1679 1680 range: YY_RANGE_IN { $$ = FR_INRANGE; } 1681 | YY_RANGE_OUT { $$ = FR_OUTRANGE; } 1682 | ':' { $$ = FR_INCRANGE; } 1683 ; 1684 1685 servicename: 1686 YY_STR { $$ = $1; } 1687 ; 1688 1689 interfacename: name { $$ = $1; } 1690 | name ':' YY_NUMBER 1691 { $$ = $1; 1692 fprintf(stderr, "%d: Logical interface %s:%d unsupported, " 1693 "use 
the physical interface %s instead.\n", 1694 yylineNum, $1, $3, $1); 1695 } 1696 ; 1697 1698 name: YY_STR { $$ = $1; } 1699 | '-' { $$ = strdup("-"); } 1700 ; 1701 1702 ipv4_16: 1703 YY_NUMBER '.' YY_NUMBER 1704 { if ($1 > 255 || $3 > 255) { 1705 yyerror("Invalid octet string for IP address"); 1706 return 0; 1707 } 1708 $$.s_addr = ($1 << 24) | ($3 << 16); 1709 $$.s_addr = htonl($$.s_addr); 1710 } 1711 ; 1712 1713 ipv4_24: 1714 ipv4_16 '.' YY_NUMBER 1715 { if ($3 > 255) { 1716 yyerror("Invalid octet string for IP address"); 1717 return 0; 1718 } 1719 $$.s_addr |= htonl($3 << 8); 1720 } 1721 ; 1722 1723 ipv4: ipv4_24 '.' YY_NUMBER 1724 { if ($3 > 255) { 1725 yyerror("Invalid octet string for IP address"); 1726 return 0; 1727 } 1728 $$.s_addr |= htonl($3); 1729 } 1730 | ipv4_24 1731 | ipv4_16 1732 ; 1733 1734 %% 1735 1736 1737 static struct wordtab ipfwords[] = { 1738 { "age", IPFY_AGE }, 1739 { "ah", IPFY_AH }, 1740 { "all", IPFY_ALL }, 1741 { "and", IPFY_AND }, 1742 { "auth", IPFY_AUTH }, 1743 { "bad", IPFY_BAD }, 1744 { "bad-nat", IPFY_BADNAT }, 1745 { "bad-src", IPFY_BADSRC }, 1746 { "bcast", IPFY_BROADCAST }, 1747 { "block", IPFY_BLOCK }, 1748 { "body", IPFY_BODY }, 1749 { "bpf-v4", IPFY_BPFV4 }, 1750 #ifdef USE_INET6 1751 { "bpf-v6", IPFY_BPFV6 }, 1752 #endif 1753 { "call", IPFY_CALL }, 1754 { "code", IPFY_ICMPCODE }, 1755 { "comment", IPFY_COMMENT }, 1756 { "count", IPFY_COUNT }, 1757 { "decapsulate", IPFY_DECAPS }, 1758 { "dstlist", IPFY_DSTLIST }, 1759 { "doi", IPFY_DOI }, 1760 { "dup-to", IPFY_DUPTO }, 1761 { "eq", YY_CMP_EQ }, 1762 { "esp", IPFY_ESP }, 1763 { "exp", IPFY_IPFEXPR }, 1764 { "family", IPFY_FAMILY }, 1765 { "fastroute", IPFY_FROUTE }, 1766 { "first", IPFY_FIRST }, 1767 { "flags", IPFY_FLAGS }, 1768 { "frag", IPFY_FRAG }, 1769 { "frag-body", IPFY_FRAGBODY }, 1770 { "frags", IPFY_FRAGS }, 1771 { "from", IPFY_FROM }, 1772 { "ge", YY_CMP_GE }, 1773 { "group", IPFY_GROUP }, 1774 { "gt", YY_CMP_GT }, 1775 { "head", IPFY_HEAD }, 1776 { "icmp", 
IPFY_ICMP },
	{ "icmp-head",			IPFY_ICMPHEAD },
	{ "icmp-type",			IPFY_ICMPTYPE },
	{ "in",				IPFY_IN },
	{ "in-via",			IPFY_INVIA },
	{ "inet",			IPFY_INET },
	{ "inet6",			IPFY_INET6 },
	{ "ipopt",			IPFY_IPOPTS },
	{ "ipopts",			IPFY_IPOPTS },
	{ "keep",			IPFY_KEEP },
	{ "l5-as",			IPFY_L5AS },
	{ "le",				YY_CMP_LE },
	{ "level",			IPFY_LEVEL },
	{ "limit",			IPFY_LIMIT },
	{ "log",			IPFY_LOG },
	{ "loose",			IPFY_LOOSE },
	{ "lowttl",			IPFY_LOWTTL },
	{ "lt",				YY_CMP_LT },
	{ "mask",			IPFY_MASK },
	{ "match-tag",			IPFY_MATCHTAG },
	{ "max-per-src",		IPFY_MAX_PER_SRC },
	{ "max-srcs",			IPFY_MAX_SRCS },
	{ "mbcast",			IPFY_MBCAST },
	{ "mcast",			IPFY_MULTICAST },
	{ "multicast",			IPFY_MULTICAST },
	{ "nat",			IPFY_NAT },
	{ "ne",				YY_CMP_NE },
	{ "net",			IPFY_NETWORK },
	{ "newisn",			IPFY_NEWISN },
	{ "no",				IPFY_NO },
	{ "no-icmp-err",		IPFY_NOICMPERR },
	{ "nolog",			IPFY_NOLOG },
	{ "nomatch",			IPFY_NOMATCH },
	{ "now",			IPFY_NOW },
	{ "not",			IPFY_NOT },
	{ "oow",			IPFY_OOW },
	{ "on",				IPFY_ON },
	{ "opt",			IPFY_OPT },
	{ "or-block",			IPFY_ORBLOCK },
	{ "out",			IPFY_OUT },
	{ "out-via",			IPFY_OUTVIA },
	{ "pass",			IPFY_PASS },
	{ "port",			IPFY_PORT },
	{ "pps",			IPFY_PPS },
	{ "preauth",			IPFY_PREAUTH },
	{ "proto",			IPFY_PROTO },
	{ "quick",			IPFY_QUICK },
	{ "reply-to",			IPFY_REPLY_TO },
	{ "return-icmp",		IPFY_RETICMP },
	{ "return-icmp-as-dest",	IPFY_RETICMPASDST },
	{ "return-rst",			IPFY_RETRST },
	{ "route-to",			IPFY_ROUTETO },
	{ "rule-ttl",			IPFY_RULETTL },
	{ "rpc",			IPFY_RPC },
	{ "sec-class",			IPFY_SECCLASS },
	{ "set",			IPFY_SET },
	{ "set-tag",			IPFY_SETTAG },
	{ "skip",			IPFY_SKIP },
	{ "short",			IPFY_SHORT },
	{ "state",			IPFY_STATE },
	{ "state-age",			IPFY_AGE },
	{ "strict",			IPFY_STRICT },
	{ "sync",			IPFY_SYNC },
	{ "tcp",			IPFY_TCP },
	{ "tcp-udp",			IPFY_TCPUDP },
	{ "tos",			IPFY_TOS },
	{ "to",				IPFY_TO },
	{ "ttl",			IPFY_TTL },
	{ "udp",			IPFY_UDP },
	{ "v6hdr",			IPFY_V6HDR },
	{ "v6hdrs",			IPFY_V6HDRS },
	{ "with",			IPFY_WITH },
	{ NULL,				0 }
};

/* Keywords valid where an address is expected. */
static	struct	wordtab addrwords[] = {
	{ "any",			IPFY_ANY },
	{ "hash",			IPFY_HASH },
	{ "pool",			IPFY_POOL },
	{ NULL,				0 }
};

/* Keywords valid where a netmask is expected. */
static	struct	wordtab maskwords[] = {
	{ "broadcast",			IPFY_BROADCAST },
	{ "netmasked",			IPFY_NETMASKED },
	{ "network",			IPFY_NETWORK },
	{ "peer",			IPFY_PEER },
	{ NULL,				0 }
};

/* Symbolic ICMP codes, active only after "code" (see seticmpcode). */
static	struct	wordtab icmpcodewords[] = {
	{ "cutoff-preced",		IPFY_ICMPC_CUTPRE },
	{ "filter-prohib",		IPFY_ICMPC_FLTPRO },
	{ "isolate",			IPFY_ICMPC_ISOLATE },
	{ "needfrag",			IPFY_ICMPC_NEEDF },
	{ "net-prohib",			IPFY_ICMPC_NETPRO },
	{ "net-tos",			IPFY_ICMPC_NETTOS },
	{ "host-preced",		IPFY_ICMPC_HSTPRE },
	{ "host-prohib",		IPFY_ICMPC_HSTPRO },
	{ "host-tos",			IPFY_ICMPC_HSTTOS },
	{ "host-unk",			IPFY_ICMPC_HSTUNK },
	{ "host-unr",			IPFY_ICMPC_HSTUNR },
	{ "net-unk",			IPFY_ICMPC_NETUNK },
	{ "net-unr",			IPFY_ICMPC_NETUNR },
	{ "port-unr",			IPFY_ICMPC_PORUNR },
	{ "proto-unr",			IPFY_ICMPC_PROUNR },
	{ "srcfail",			IPFY_ICMPC_SRCFAIL },
	{ NULL,				0 },
};

/* IPv4 option names, active after "opt" (see ipopt). */
static	struct	wordtab ipv4optwords[] = {
	{ "addext",			IPFY_IPOPT_ADDEXT },
	{ "cipso",			IPFY_IPOPT_CIPSO },
	{ "dps",			IPFY_IPOPT_DPS },
	{ "e-sec",			IPFY_IPOPT_ESEC },
	{ "eip",			IPFY_IPOPT_EIP },
	{ "encode",			IPFY_IPOPT_ENCODE },
	{ "finn",			IPFY_IPOPT_FINN },
	{ "imitd",			IPFY_IPOPT_IMITD },
	{ "lsrr",			IPFY_IPOPT_LSRR },
	{ "mtup",			IPFY_IPOPT_MTUP },
	{ "mtur",			IPFY_IPOPT_MTUR },
	{ "nop",			IPFY_IPOPT_NOP },
	{ "nsapa",			IPFY_IPOPT_NSAPA },
	{ "rr",				IPFY_IPOPT_RR },
	{ "rtralrt",			IPFY_IPOPT_RTRALRT },
	{ "satid",			IPFY_IPOPT_SATID },
	{ "sdb",			IPFY_IPOPT_SDB },
	{ "sec",			IPFY_IPOPT_SEC },
	{ "ssrr",			IPFY_IPOPT_SSRR },
	{ "tr",				IPFY_IPOPT_TR },
	{ "ts",				IPFY_IPOPT_TS },
	{ "ump",			IPFY_IPOPT_UMP },
	{ "visa",			IPFY_IPOPT_VISA },
	{ "zsu",			IPFY_IPOPT_ZSU },
	{ NULL,				0 },
};

/* IPSO security class names, active after "sec-class" (see setsecclass). */
static	struct	wordtab ipv4secwords[] = {
	{ "confid",			IPFY_SEC_CONF },
	{ "reserv-1",			IPFY_SEC_RSV1 },
	{ "reserv-2",			IPFY_SEC_RSV2 },
	{ "reserv-3",			IPFY_SEC_RSV3 },
	{ "reserv-4",			IPFY_SEC_RSV4 },
	{ "secret",			IPFY_SEC_SEC },
	{ "topsecret",			IPFY_SEC_TS },
	{ "unclass",			IPFY_SEC_UNC },
	{ NULL,				0 },
};

/* IPv6 extension header names, active after "v6hdr" (see startv6hdr). */
static	struct	wordtab ipv6optwords[] = {
	{ "dstopts",			IPFY_IPV6OPT_DSTOPTS },
	{ "esp",			IPFY_IPV6OPT_ESP },
	{ "frag",			IPFY_IPV6OPT_FRAG },
	{ "hopopts",			IPFY_IPV6OPT_HOPOPTS },
	{ "ipv6",			IPFY_IPV6OPT_IPV6 },
	{ "mobility",			IPFY_IPV6OPT_MOBILITY },
	{ "none",			IPFY_IPV6OPT_NONE },
	{ "routing",			IPFY_IPV6OPT_ROUTING },
	{ NULL,				0 },
};

/*
 * syslog facility and priority names, installed by setsyslog().
 * NOTE(review): "console" maps to IPFY_FAC_CONSOLE, which the facility
 * rule in the grammar does not list as an alternative - confirm whether
 * that token is accepted anywhere.
 */
static	struct	wordtab logwords[] = {
	{ "kern",			IPFY_FAC_KERN },
	{ "user",			IPFY_FAC_USER },
	{ "mail",			IPFY_FAC_MAIL },
	{ "daemon",			IPFY_FAC_DAEMON },
	{ "auth",			IPFY_FAC_AUTH },
	{ "syslog",			IPFY_FAC_SYSLOG },
	{ "lpr",			IPFY_FAC_LPR },
	{ "news",			IPFY_FAC_NEWS },
	{ "uucp",			IPFY_FAC_UUCP },
	{ "cron",			IPFY_FAC_CRON },
	{ "ftp",			IPFY_FAC_FTP },
	{ "authpriv",			IPFY_FAC_AUTHPRIV },
	{ "audit",			IPFY_FAC_AUDIT },
	{ "logalert",			IPFY_FAC_LFMT },
	{ "console",			IPFY_FAC_CONSOLE },
	{ "security",			IPFY_FAC_SECURITY },
	{ "local0",			IPFY_FAC_LOCAL0 },
	{ "local1",			IPFY_FAC_LOCAL1 },
	{ "local2",			IPFY_FAC_LOCAL2 },
	{ "local3",			IPFY_FAC_LOCAL3 },
	{ "local4",			IPFY_FAC_LOCAL4 },
	{ "local5",			IPFY_FAC_LOCAL5 },
	{ "local6",			IPFY_FAC_LOCAL6 },
	{ "local7",			IPFY_FAC_LOCAL7 },
	{ "emerg",			IPFY_PRI_EMERG },
	{ "alert",			IPFY_PRI_ALERT },
	{ "crit",			IPFY_PRI_CRIT },
	{ "err",			IPFY_PRI_ERR },
	{ "warn",			IPFY_PRI_WARN },
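{ "notice",			IPFY_PRI_NOTICE },
	{ "info",			IPFY_PRI_INFO },
	{ "debug",			IPFY_PRI_DEBUG },
	{ NULL,				0 },
};




/*
 * Parse a complete rules file.
 *
 * fd       - descriptor handed to the per-rule add callback
 * addfunc  - callback invoked for each completed rule
 * iocfuncs - per-device ioctl callbacks, copied into ipfioctls
 * filename - file to read, or "-" for standard input
 *
 * Returns 0 when the file was read, -1 if it could not be opened.  Syntax
 * errors are reported through yyerror(), not through the return value.
 */
int ipf_parsefile(fd, addfunc, iocfuncs, filename)
	int fd;
	addfunc_t addfunc;
	ioctlfunc_t *iocfuncs;
	char *filename;
{
	FILE *fp = NULL;
	char *s;

	yylineNum = 1;
	yysettab(ipfwords);

	/* YYDEBUG in the environment enables yacc's parser trace. */
	s = getenv("YYDEBUG");
	if (s != NULL)
		yydebug = atoi(s);
	else
		yydebug = 0;

	if (strcmp(filename, "-")) {
		fp = fopen(filename, "r");
		if (fp == NULL) {
			fprintf(stderr, "fopen(%s) failed: %s\n", filename,
				STRERROR(errno));
			return -1;
		}
	} else
		fp = stdin;

	while (ipf_parsesome(fd, addfunc, iocfuncs, fp) == 1)
		;
	/* Only close streams we opened; stdin belongs to the caller. */
	if (fp != stdin)
		fclose(fp);
	return 0;
}


/*
 * Run the parser over whatever is left on fp.
 *
 * Installs fd/addfunc/iocfuncs into the file-scope state used by the
 * grammar actions, then calls yyparse() if the stream is not at EOF.
 * Returns 1 when yyparse() was run (caller loops), 0 at end of input.
 */
int ipf_parsesome(fd, addfunc, iocfuncs, fp)
	int fd;
	addfunc_t addfunc;
	ioctlfunc_t *iocfuncs;
	FILE *fp;
{
	char *s;
	int i;

	ipffd = fd;
	/* assumes IPL_LOGSIZE == IPL_LOGMAX + 1 (ipfioctls' size) - confirm */
	for (i = 0; i <= IPL_LOGMAX; i++)
		ipfioctls[i] = iocfuncs[i];
	ipfaddfunc = addfunc;

	/* Peek one byte so an empty remainder does not start yyparse(). */
	if (feof(fp))
		return 0;
	i = fgetc(fp);
	if (i == EOF)
		return 0;
	/* ungetc() reports failure with EOF; a NUL byte is legitimately 0 */
	if (ungetc(i, fp) == EOF)
		return 0;
	if (feof(fp))
		return 0;
	s = getenv("YYDEBUG");
	if (s != NULL)
		yydebug = atoi(s);
	else
		yydebug = 0;

	yyin = fp;
	yyparse();
	return 1;
}


/*
 * Start a new rule: append a fresh frentry_t to the frtop chain and make
 * it the current rule (fr) and the head of the current rule group (frc).
 * NOTE(review): the allocfr() result is not checked before use here.
 */
static void newrule()
{
	frentry_t *frn;

	frn = allocfr();
	for (fr = frtop; fr != NULL && fr->fr_next != NULL; fr = fr->fr_next)
		;
	if (fr != NULL) {
		fr->fr_next = frn;
		frn->fr_pnext = &fr->fr_next;
	}
	if (frtop == NULL) {
		frtop = frn;
		frn->fr_pnext = &frtop;
	}
	fr = frn;
	frc = frn;
	fr->fr_loglevel = 0xffff;
	fr->fr_isc = (void *)-1;
	fr->fr_logtag = FR_NOLOGTAG;
	fr->fr_type = FR_T_NONE;
	fr->fr_flineno =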
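yylineNum;

	/* use_inet6: 1 forces IPv6, -1 forces IPv4, otherwise left unset */
	if (use_inet6 == 1)
		fr->fr_family = AF_INET6;
	else if (use_inet6 == -1)
		fr->fr_family = AF_INET;

	nrules = 1;
}


/*
 * Give every rule in the current group (from frc) that has no type yet the
 * ipf match type, allocating its fripf_t and seeding the version fields
 * from the group's address family.  A rule whose type is still not
 * FR_T_IPF afterwards is reported on stderr.
 */
static void setipftype()
{
	fripf_t *ipf;

	for (fr = frc; fr != NULL; fr = fr->fr_next) {
		if (fr->fr_type == FR_T_NONE) {
			ipf = calloc(1, sizeof(*ipf));
			if (ipf == NULL) {
				/* leave the type unset so the check below reports it */
				fprintf(stderr, "out of memory\n");
			} else {
				fr->fr_type = FR_T_IPF;
				fr->fr_data = ipf;
				fr->fr_dsize = sizeof(*ipf);
				fr->fr_family = frc->fr_family;
				if (fr->fr_family == AF_INET) {
					fr->fr_ip.fi_v = 4;
				}
				else if (fr->fr_family == AF_INET6) {
					fr->fr_ip.fi_v = 6;
				}
				fr->fr_mip.fi_v = 0xf;
				fr->fr_ipf->fri_sifpidx = -1;
				fr->fr_ipf->fri_difpidx = -1;
			}
		}
		if (fr->fr_type != FR_T_IPF) {
			fprintf(stderr, "IPF Type not set\n");
		}
	}
}


/*
 * Duplicate the nrules rules of the current group (starting at frc) and
 * append the copies after the last rule on the chain.  Returns the first
 * copy, or NULL on allocation failure (the copies made so far stay linked).
 *
 * NOTE(review): *f1 may have been grown by addname() (fr_size larger than
 * sizeof(*f1)) while the copy only has sizeof(*f) bytes - confirm addrule()
 * is not reached after names have been appended.
 */
static frentry_t *addrule()
{
	frentry_t *f, *f1, *f2, *prev;
	int count;

	for (f2 = frc; f2->fr_next != NULL; f2 = f2->fr_next)
		;

	count = nrules;
	prev = f2;
	for (f1 = frc; count > 0; count--, f1 = f1->fr_next) {
		f = allocfr();
		if (f == NULL)
			return NULL;
		*f = *f1;
		f->fr_next = NULL;
		if (f->fr_caddr != NULL) {
			/* each copy owns its own private data block */
			f->fr_caddr = malloc(f->fr_dsize);
			if (f->fr_caddr == NULL) {
				free(f);
				return NULL;
			}
			memcpy(f->fr_caddr, f1->fr_caddr, f->fr_dsize);
		}
		/*
		 * Link after the struct copy: copying *f1 would otherwise
		 * overwrite fr_pnext with f1's back pointer.
		 */
		f->fr_pnext = &prev->fr_next;
		prev->fr_next = f;
		added++;
		prev = f;
	}

	return f2->fr_next;
}


/*
 * Resolve a host name used in an address position of the current rule.
 *
 * Returns 1 if name is one of the rule's interface names (the address is
 * then taken dynamically from that interface; dynamic holds its name
 * offset), 0 when gethost() resolved it into *addrp, -1 if unknown.
 * NOTE(review): gethost() is always asked for AF_INET here - confirm that
 * is intended for IPv6 rules.
 */
static int
lookuphost(name, addrp)
	char *name;
	i6addr_t *addrp;
{
	int i;

	hashed = 0;
	pooled = 0;
	dynamic = -1;

	for (i = 0; i < 4; i++) {
		if (fr->fr_ifnames[i] == -1)
			continue;
		if (strcmp(name, fr->fr_names + fr->fr_ifnames[i]) == 0) {
			ifpflag = FRI_DYNAMIC;
			dynamic = addname(&fr, name);
			return 1;
		}
	}

	if (gethost(AF_INET, name, addrp) == -1) {
		fprintf(stderr, "unknown name \"%s\"\n", name);
		return -1;
	}
	return 0;
}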
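

/*
 * Attach a BPF program to every rule of the current group.
 *
 * v      - IP version keyword value, mapped with vtof() to the family
 * phrase - either raw opcodes starting with "0x" (whitespace separated
 *          words in c/t/f/k order, four per instruction) or, with
 *          IPFILTER_BPF, a pcap filter expression to compile
 *
 * Errors are reported on stderr.  After a failed parse the rule keeps type
 * FR_T_BPFOPC with no data attached (pre-existing behaviour).
 */
static void dobpf(v, phrase)
	int v;
	char *phrase;
{
#ifdef IPFILTER_BPF
	struct bpf_program bpf;
	struct pcap *p;
#endif
	fakebpf_t *fb, *nfb;
	u_32_t l;
	char *s, *end;
	int i;

	for (fr = frc; fr != NULL; fr = fr->fr_next) {
		if (fr->fr_type != FR_T_NONE) {
			fprintf(stderr, "cannot mix IPF and BPF matching\n");
			return;
		}
		fr->fr_family = vtof(v);
		fr->fr_type = FR_T_BPFOPC;

		if (!strncmp(phrase, "0x", 2)) {
			fb = malloc(sizeof(fakebpf_t));
			if (fb == NULL) {
				fprintf(stderr, "out of memory\n");
				return;
			}

			for (i = 0, s = strtok(phrase, " \r\n\t"); s != NULL;
			     s = strtok(NULL, " \r\n\t"), i++) {
				/* grow by whole instructions; keep fb on failure */
				nfb = realloc(fb, (i / 4 + 1) * sizeof(*fb));
				if (nfb == NULL) {
					fprintf(stderr, "out of memory\n");
					free(fb);
					return;
				}
				fb = nfb;
				/* every word must be a complete number */
				l = (u_32_t)strtoul(s, &end, 0);
				if (end == s || *end != '\0') {
					fprintf(stderr,
						"invalid BPF word \"%s\"\n", s);
					free(fb);
					return;
				}
				switch (i & 3)
				{
				case 0 :
					fb[i / 4].fb_c = l & 0xffff;
					break;
				case 1 :
					fb[i / 4].fb_t = l & 0xff;
					break;
				case 2 :
					fb[i / 4].fb_f = l & 0xff;
					break;
				case 3 :
					fb[i / 4].fb_k = l;
					break;
				}
			}
			if ((i & 3) != 0) {
				fprintf(stderr,
					"Odd number of bytes in BPF code\n");
				exit(1);
			}
			i--;
			fr->fr_dsize = (i / 4 + 1) * sizeof(*fb);
			fr->fr_data = fb;
			return;
		}

#ifdef IPFILTER_BPF
		bzero((char *)&bpf, sizeof(bpf));
		p = pcap_open_dead(DLT_RAW, 1);
		if (!p) {
			fprintf(stderr, "pcap_open_dead failed\n");
			return;
		}

		if (pcap_compile(p, &bpf, phrase, 1, 0xffffffff)) {
			pcap_perror(p, "ipf");
			pcap_close(p);
			fprintf(stderr, "pcap parsing failed (%s)\n", phrase);
			return;
		}
		pcap_close(p);

		fr->fr_dsize = bpf.bf_len * sizeof(struct bpf_insn);
		fr->fr_data = malloc(fr->fr_dsize);
		bcopy((char *)bpf.bf_insns, fr->fr_data, fr->fr_dsize);
		if (!bpf_validate(fr->fr_data, bpf.bf_len)) {
			fprintf(stderr, "BPF validation failed\n");
			return;
		}
#endif
	}

#ifdef IPFILTER_BPF
	if (opts & OPT_DEBUG)
		bpf_dump(&bpf, 0);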
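#else
	fprintf(stderr, "BPF filter expressions not supported\n");
	exit(1);
#endif
}


/* Forget the hash/pool/dynamic state left by the previous address. */
static void resetaddr()
{
	hashed = 0;
	pooled = 0;
	dynamic = -1;
}


/*
 * Allocate a new address-list element and push it in front of ptr.
 * Returns the new head, or NULL on allocation failure (ptr is untouched).
 */
static alist_t *newalist(ptr)
	alist_t *ptr;
{
	alist_t *al;

	al = malloc(sizeof(*al));
	if (al == NULL)
		return NULL;
	al->al_not = 0;
	al->al_next = ptr;
	return al;
}


/*
 * Turn an address list into an anonymous ip pool and load it through the
 * lookup ioctl.  Returns load_pool()'s result, or 0 for an empty list or
 * an allocation failure - a partially built list is never loaded.
 */
static int
makepool(list)
	alist_t *list;
{
	ip_pool_node_t *n, *top;
	ip_pool_t pool;
	alist_t *a;
	int num;

	if (list == NULL)
		return 0;
	top = calloc(1, sizeof(*top));
	if (top == NULL)
		return 0;

	for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) {
		/* use_inet6 (not a->al_family) selects the node layout here */
		if (use_inet6 == 1) {
#ifdef AF_INET6
			n->ipn_addr.adf_family = AF_INET6;
			n->ipn_addr.adf_addr = a->al_i6addr;
			n->ipn_addr.adf_len = offsetof(addrfamily_t,
						       adf_addr) + 16;
			n->ipn_mask.adf_family = AF_INET6;
			n->ipn_mask.adf_addr = a->al_i6mask;
			n->ipn_mask.adf_len = offsetof(addrfamily_t,
						       adf_addr) + 16;

#endif
		} else {
			n->ipn_addr.adf_family = AF_INET;
			n->ipn_addr.adf_addr.in4.s_addr = a->al_1;
			n->ipn_addr.adf_len = offsetof(addrfamily_t,
						       adf_addr) + 4;
			n->ipn_mask.adf_family = AF_INET;
			n->ipn_mask.adf_addr.in4.s_addr = a->al_2;
			n->ipn_mask.adf_len = offsetof(addrfamily_t,
						       adf_addr) + 4;
		}
		n->ipn_info = a->al_not;
		if (a->al_next != NULL) {
			n->ipn_next = calloc(1, sizeof(*n));
			n = n->ipn_next;
		}
	}

	if (a != NULL) {
		/* a node calloc() failed: the loop stopped with entries left */
		fprintf(stderr, "out of memory\n");
		num = 0;
	} else {
		bzero((char *)&pool, sizeof(pool));
		pool.ipo_unit = IPL_LOGIPF;
		pool.ipo_list = top;
		num = load_pool(&pool, ipfioctls[IPL_LOGLOOKUP]);
	}

	while ((n = top) != NULL) {
		top = n->ipn_next;
		free(n);
	}
	return num;
}


/*
 * Turn an address list into an anonymous hash table and load it through
 * the lookup ioctl.  Returns the table number, 0 on failure.
 */
static u_int makehash(list)
	alist_t *list;
{
	iphtent_t *n,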
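*top;
	iphtable_t iph;
	alist_t *a;
	u_int num;

	if (list == NULL)
		return 0;
	top = calloc(1, sizeof(*top));
	if (top == NULL)
		return 0;

	for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) {
		if (a->al_family == AF_INET6) {
			n->ipe_family = AF_INET6;
			n->ipe_addr = a->al_i6addr;
			n->ipe_mask = a->al_i6mask;
		} else {
			n->ipe_family = AF_INET;
			n->ipe_addr.in4_addr = a->al_1;
			n->ipe_mask.in4_addr = a->al_2;
		}
		n->ipe_value = 0;
		if (a->al_next != NULL) {
			n->ipe_next = calloc(1, sizeof(*n));
			n = n->ipe_next;
		}
	}

	bzero((char *)&iph, sizeof(iph));
	iph.iph_unit = IPL_LOGIPF;
	iph.iph_type = IPHASH_LOOKUP;
	*iph.iph_name = '\0';

	/*
	 * The table number is read back from iph_name after load_hash().
	 * num matches the %u conversion and is 0 unless a number was parsed.
	 */
	num = 0;
	if (a != NULL) {
		/* a node calloc() failed: do not load a truncated table */
		fprintf(stderr, "out of memory\n");
	} else if (load_hash(&iph, top, ipfioctls[IPL_LOGLOOKUP]) == 0) {
		if (sscanf(iph.iph_name, "%u", &num) != 1)
			num = 0;
	}

	while ((n = top) != NULL) {
		top = n->ipe_next;
		free(n);
	}
	return num;
}


/*
 * Hand one rule to the kernel through ioctlfunc.
 *
 * fd        - device descriptor; forced to -1 under OPT_DONOTHING
 * ioctlfunc - function performing the ioctl
 * ptr       - the frentry_t to add, remove or zero; NULL is a no-op
 *
 * The global opts select the operation: OPT_ZERORULEST zeroes the rule's
 * counters and prints them, OPT_REMOVE deletes it, otherwise it is added
 * (the SIOCIN* "insert" variant when fr_hits is non-zero, the *IFR forms
 * under OPT_INACTIVE).  Returns 0, or ipf_perror_fd()'s result when an
 * ioctl fails and OPT_DONOTHING is not set.
 */
int ipf_addrule(fd, ioctlfunc, ptr)
	int fd;
	ioctlfunc_t ioctlfunc;
	void *ptr;
{
	ioctlcmd_t add, del;
	frentry_t *fr;
	ipfobj_t obj;

	if (ptr == NULL)
		return 0;

	fr = ptr;
	add = 0;
	del = 0;

	bzero((char *)&obj, sizeof(obj));
	obj.ipfo_rev = IPFILTER_VERSION;
	obj.ipfo_size = fr->fr_size;
	obj.ipfo_type = IPFOBJ_FRENTRY;
	obj.ipfo_ptr = ptr;

	if ((opts & OPT_DONOTHING) != 0)
		fd = -1;

	if (opts & OPT_ZERORULEST) {
		add = SIOCZRLST;
	} else if (opts & OPT_INACTIVE) {
		add = (u_int)fr->fr_hits ? SIOCINIFR :
					   SIOCADIFR;
		del = SIOCRMIFR;
	} else {
		add = (u_int)fr->fr_hits ?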
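SIOCINAFR :
					   SIOCADAFR;
		del = SIOCRMAFR;
	}

	if ((opts & OPT_OUTQUE) != 0)
		fr->fr_flags |= FR_OUTQUE;
	/* fr_hits doubles as the insert position here and is 1-based */
	if (fr->fr_hits)
		fr->fr_hits--;
	if ((opts & OPT_VERBOSE) != 0)
		printfr(fr, ioctlfunc);

	if ((opts & OPT_DEBUG) != 0) {
		binprint(fr, sizeof(*fr));
		if (fr->fr_data != NULL)
			binprint(fr->fr_data, fr->fr_dsize);
	}

	if ((opts & OPT_ZERORULEST) != 0) {
		if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
			if ((opts & OPT_DONOTHING) == 0) {
				char msg[80];

				snprintf(msg, sizeof(msg),
					 "%d:ioctl(zero rule)",
					 fr->fr_flineno);
				return ipf_perror_fd(fd, ioctlfunc, msg);
			}
		} else {
#ifdef	USE_QUAD_T
			printf("hits %qd bytes %qd ",
				(long long)fr->fr_hits,
				(long long)fr->fr_bytes);
#else
			printf("hits %ld bytes %ld ",
				fr->fr_hits, fr->fr_bytes);
#endif
			printfr(fr, ioctlfunc);
		}
	} else if ((opts & OPT_REMOVE) != 0) {
		if ((*ioctlfunc)(fd, del, (void *)&obj) == -1) {
			if ((opts & OPT_DONOTHING) == 0) {
				char msg[80];

				snprintf(msg, sizeof(msg),
					 "%d:ioctl(delete rule)",
					 fr->fr_flineno);
				return ipf_perror_fd(fd, ioctlfunc, msg);
			}
		}
	} else {
		if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
			if ((opts & OPT_DONOTHING) == 0) {
				char msg[80];

				snprintf(msg, sizeof(msg),
					 "%d:ioctl(add/insert rule)",
					 fr->fr_flineno);
				return ipf_perror_fd(fd, ioctlfunc, msg);
			}
		}
	}
	return 0;
}

/*
 * Switch the lexer to the syslog keyword table; yybreakondot makes '.' a
 * separate token so "facility.priority" lexes as two words.
 */
static void setsyslog()
{
	yysetdict(logwords);
	yybreakondot = 1;
}


/* Undo setsyslog(): restore the previous keyword table and '.' handling. */
static void unsetsyslog()
{
	yyresetdict();
	yybreakondot = 0;
}


/*
 * Inherit parse-relevant fields (family, protocol, tcp/udp flag) into fr
 * from the head rule of the group fr belongs to, looked up on the
 * previously loaded list frold.  A rule with no group matches a head with
 * no group name.
 */
static void fillgroup(fr)
	frentry_t *fr;
{
	frentry_t *f;

	for (f = frold; f != NULL; f = f->fr_next) {
		if (f->fr_grhead == -1 && fr->fr_group == -1)
			break;
		if (f->fr_grhead == -1 || fr->fr_group == -1)
			continue;
		if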
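(strcmp(f->fr_names + f->fr_grhead,
			   fr->fr_names + fr->fr_group) == 0)
			break;
	}

	if (f == NULL)
		return;

	/*
	 * Only copy down matching fields if the rules are of the same type
	 * and are of ipf type. The only fields that are copied are those
	 * that impact the rule parsing itself, eg. need for knowing what the
	 * protocol should be for rules with port comparisons in them.
	 */
	if (f->fr_type != fr->fr_type || f->fr_type != FR_T_IPF)
		return;

	if (fr->fr_family == 0 && f->fr_family != 0)
		fr->fr_family = f->fr_family;

	if (fr->fr_mproto == 0 && f->fr_mproto != 0)
		fr->fr_mproto = f->fr_mproto;
	if (fr->fr_proto == 0 && f->fr_proto != 0)
		fr->fr_proto = f->fr_proto;

	if ((fr->fr_mproto == 0) && ((fr->fr_flx & FI_TCPUDP) == 0) &&
	    ((f->fr_flx & FI_TCPUDP) != 0)) {
		fr->fr_flx |= FI_TCPUDP;
		fr->fr_mflx |= FI_TCPUDP;
	}
}


/*
 * Attach a compiled "exp" matching expression to the current rule.  The
 * array returned by parseipfexpr() carries its own length in element 0.
 * NOTE(review): error is only printed when parseipfexpr() failed; whether
 * it is always set on failure is not visible here - confirm.
 */
static void doipfexpr(line)
	char *line;
{
	int *array;
	char *error;

	array = parseipfexpr(line, &error);
	if (array == NULL) {
		fprintf(stderr, "%s:", error);
		yyerror("error parsing ipf matching expression");
		return;
	}

	fr->fr_type = FR_T_IPFEXPR;
	fr->fr_data = array;
	fr->fr_dsize = array[0] * sizeof(*array);
}


/*
 * Apply "set varname value" through ipf_dotuning(), which takes a single
 * "name=value" string.  Names too long for the buffer are rejected instead
 * of being truncated silently.
 */
static void do_tuneint(varname, value)
	char *varname;
	int value;
{
	char buffer[80];
	int n;

	/*
	 * One bounded write: the previous strncpy/strcat/sprintf sequence
	 * overwrote the "name=" prefix with the value.
	 */
	n = snprintf(buffer, sizeof(buffer), "%s=%u", varname,
		     (unsigned int)value);
	if (n < 0 || (size_t)n >= sizeof(buffer)) {
		yyerror("tuning variable name too long");
		return;
	}
	ipf_dotuning(ipffd, buffer, ioctl);
}


/* String form of a tunable: only "true"/"false" (case-insensitive) are accepted. */
static void do_tunestr(varname, value)
	char *varname, *value;
{

	if (!strcasecmp(value, "true")) {
		do_tuneint(varname, 1);
	} else if (!strcasecmp(value, "false")) {
		do_tuneint(varname, 0);
	} else {
		yyerror("did not find true/false where expected");
	}
}


static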
void setifname(frp, idx, name) 2582 frentry_t **frp; 2583 int idx; 2584 char *name; 2585 { 2586 int pos; 2587 2588 pos = addname(frp, name); 2589 if (pos == -1) 2590 return; 2591 (*frp)->fr_ifnames[idx] = pos; 2592 } 2593 2594 2595 static int addname(frp, name) 2596 frentry_t **frp; 2597 char *name; 2598 { 2599 frentry_t *f; 2600 int nlen; 2601 int pos; 2602 2603 nlen = strlen(name) + 1; 2604 f = realloc(*frp, (*frp)->fr_size + nlen); 2605 if (*frp == frc) 2606 frc = f; 2607 *frp = f; 2608 if (f == NULL) 2609 return -1; 2610 if (f->fr_pnext != NULL) 2611 *f->fr_pnext = f; 2612 f->fr_size += nlen; 2613 pos = f->fr_namelen; 2614 f->fr_namelen += nlen; 2615 strcpy(f->fr_names + pos, name); 2616 f->fr_names[f->fr_namelen] = '\0'; 2617 return pos; 2618 } 2619 2620 2621 static frentry_t *allocfr() 2622 { 2623 frentry_t *fr; 2624 2625 fr = calloc(1, sizeof(*fr)); 2626 if (fr != NULL) { 2627 fr->fr_size = sizeof(*fr); 2628 fr->fr_comment = -1; 2629 fr->fr_group = -1; 2630 fr->fr_grhead = -1; 2631 fr->fr_icmphead = -1; 2632 fr->fr_ifnames[0] = -1; 2633 fr->fr_ifnames[1] = -1; 2634 fr->fr_ifnames[2] = -1; 2635 fr->fr_ifnames[3] = -1; 2636 fr->fr_tif.fd_name = -1; 2637 fr->fr_rif.fd_name = -1; 2638 fr->fr_dif.fd_name = -1; 2639 } 2640 return fr; 2641 } 2642 2643 2644 static void setgroup(frp, name) 2645 frentry_t **frp; 2646 char *name; 2647 { 2648 int pos; 2649 2650 pos = addname(frp, name); 2651 if (pos == -1) 2652 return; 2653 (*frp)->fr_group = pos; 2654 } 2655 2656 2657 static void setgrhead(frp, name) 2658 frentry_t **frp; 2659 char *name; 2660 { 2661 int pos; 2662 2663 pos = addname(frp, name); 2664 if (pos == -1) 2665 return; 2666 (*frp)->fr_grhead = pos; 2667 } 2668 2669 2670 static void seticmphead(frp, name) 2671 frentry_t **frp; 2672 char *name; 2673 { 2674 int pos; 2675 2676 pos = addname(frp, name); 2677 if (pos == -1) 2678 return; 2679 (*frp)->fr_icmphead = pos; 2680 } 2681 2682 2683 static void 2684 build_dstaddr_af(fp, ptr) 2685 frentry_t *fp; 2686 void *ptr; 
2687 { 2688 struct ipp_s *ipp = ptr; 2689 frentry_t *f = fp; 2690 2691 if (f->fr_family != AF_UNSPEC && ipp->f == AF_UNSPEC) { 2692 ipp->f = f->fr_family; 2693 ipp->v = f->fr_ip.fi_v; 2694 } 2695 if (ipp->f == AF_INET) 2696 ipp->v = 4; 2697 else if (ipp->f == AF_INET6) 2698 ipp->v = 6; 2699 2700 for (; f != NULL; f = f->fr_next) { 2701 f->fr_ip.fi_dst = ipp->a; 2702 f->fr_mip.fi_dst = ipp->m; 2703 f->fr_family = ipp->f; 2704 f->fr_ip.fi_v = ipp->v; 2705 f->fr_mip.fi_v = 0xf; 2706 f->fr_datype = ipp->type; 2707 if (ipp->ifpos != -1) 2708 f->fr_ipf->fri_difpidx = ipp->ifpos; 2709 } 2710 fr = NULL; 2711 } 2712 2713 2714 static void 2715 build_srcaddr_af(fp, ptr) 2716 frentry_t *fp; 2717 void *ptr; 2718 { 2719 struct ipp_s *ipp = ptr; 2720 frentry_t *f = fp; 2721 2722 if (f->fr_family != AF_UNSPEC && ipp->f == AF_UNSPEC) { 2723 ipp->f = f->fr_family; 2724 ipp->v = f->fr_ip.fi_v; 2725 } 2726 if (ipp->f == AF_INET) 2727 ipp->v = 4; 2728 else if (ipp->f == AF_INET6) 2729 ipp->v = 6; 2730 2731 for (; f != NULL; f = f->fr_next) { 2732 f->fr_ip.fi_src = ipp->a; 2733 f->fr_mip.fi_src = ipp->m; 2734 f->fr_family = ipp->f; 2735 f->fr_ip.fi_v = ipp->v; 2736 f->fr_mip.fi_v = 0xf; 2737 f->fr_satype = ipp->type; 2738 f->fr_ipf->fri_sifpidx = ipp->ifpos; 2739 } 2740 fr = NULL; 2741 } 2742