/*
 * Copyright (C) 1993-2001 by Darren Reed.
 *
 * See the IPFILTER.LICENCE file for details on licencing.
 */
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipfcomp.c,v 1.24.2.2 2004/04/28 10:34:44 darrenr Exp $";
#endif

#include "ipf.h"


/*
 * One entry per comparison kind (FRC_*) describing how a rule is matched.
 * c - the FRC_* comparison this entry stands for (emitGroup() switches on it)
 * s - set to 1 by emitGroup() when the current rule uses this comparison
 * n - primary sort key in intcmp(): entries with a larger n sort first
 * e, p - used by emitGroup() when working out how deep the generated
 *        if-nesting is; presumably counts of equal/previous matches -
 *        confirm against emitGroup() before relying on that.
 */
typedef struct {
	int c;
	int e;
	int n;
	int p;
	int s;
} mc_t;


/* C operator text for each fr_scmp/fr_dcmp port comparison code. */
static char *portcmp[] = { "*", "==", "!=", "<", ">", "<=", ">=", "**", "***" };
/* Number of rules written by printc() so far; 0 means "header not yet written". */
static int count = 0;

int intcmp __P((const void *, const void *));
static void indent __P((FILE *, int));
static void printeq __P((FILE *, char *, int, int, int));
static void printipeq __P((FILE *, char *, int, int, int));
static void addrule __P((FILE *, frentry_t *));
static void printhooks __P((FILE *, int, int, frgroup_t *));
static void emitheader __P((frgroup_t *, u_int, u_int));
static void emitGroup __P((int, int, void *, frentry_t *, char *,
			   u_int, u_int));
static void emittail __P((void));
static void printCgroup __P((int, frentry_t *, mc_t *, char *));

/* Comparison kinds; indices into the mc_t array handed to emit(). */
#define FRC_IFN 0
#define FRC_V 1
#define FRC_P 2
#define FRC_FL 3
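#define FRC_TOS 4
#define FRC_TTL 5
#define FRC_SRC 6
#define FRC_DST 7
#define FRC_TCP 8
#define FRC_SP 9
#define FRC_DP 10
#define FRC_OPT 11
#define FRC_SEC 12
#define FRC_ATH 13
#define FRC_ICT 14
#define FRC_ICC 15
#define FRC_MAX 16


/*
 * Output stream for the generated ip_rules.c.  Opened lazily by printc()
 * on the first rule that is compiled and then shared by every emitter
 * below; it is never closed here, so the last writes rely on exit-time
 * flushing.
 */
static FILE *cfile = NULL;

/*
 * This is called once per filter rule being loaded to emit data structures
 * required.
 *
 * Only IPv4 rules of type FR_T_IPF or FR_T_NONE whose source and
 * destination use plain (FRI_NORMAL) address matching are compiled;
 * anything else is silently skipped.  The first call writes the licence
 * banner and include list to "ip_rules.c" in the current directory.  Each
 * call then records the rule with addrule() and dumps the raw words of
 * *fr as a static u_long array; pointer-valued members are written as
 * their numeric value.
 *
 * fr - the rule to compile.  fr_type is temporarily marked FR_T_BUILTIN
 *      and fr_ref is forced to 1 while the words are written.
 */
void printc(fr)
frentry_t *fr;
{
	u_long *ulp;
	char *and;
	FILE *fp;
	int i;

	if (fr->fr_v != 4)
		return;
	if ((fr->fr_type != FR_T_IPF) && (fr->fr_type != FR_T_NONE))
		return;
	if ((fr->fr_type == FR_T_IPF) &&
	    ((fr->fr_datype != FRI_NORMAL) || (fr->fr_satype != FRI_NORMAL)))
		return;

	if (cfile == NULL)
		cfile = fopen("ip_rules.c", "w");
	if (cfile == NULL)
		return;		/* best effort: nothing gets compiled */
	fp = cfile;
	if (count == 0) {
		fprintf(fp, "/*\n");
		fprintf(fp, "* Copyright (C) 1993-2000 by Darren Reed.\n");
		fprintf(fp, "*\n");
		fprintf(fp, "* Redistribution and use in source and binary forms are permitted\n");
		fprintf(fp, "* provided that this notice is preserved and due credit is given\n");
		fprintf(fp, "* to the original author and the contributors.\n");
		fprintf(fp, "*/\n\n");

		fprintf(fp, "#include <sys/types.h>\n");
		fprintf(fp, "#include <sys/time.h>\n");
		fprintf(fp, "#include <sys/socket.h>\n");
		fprintf(fp, "#if !defined(__FreeBSD__) && !defined(__OpenBSD__) && !defined(__sgi)\n");
		fprintf(fp, "# include <sys/systm.h>\n");
		fprintf(fp, "#endif\n");
		fprintf(fp, "#include <sys/errno.h>\n");
		fprintf(fp, "#include <sys/param.h>\n");
		fprintf(fp,
			"#if !defined(__SVR4) && !defined(__svr4__) && !defined(__hpux)\n");
		fprintf(fp, "# include <sys/mbuf.h>\n");
		fprintf(fp, "#endif\n");
		fprintf(fp,
			"#if defined(__FreeBSD__) && (__FreeBSD_version > 220000)\n");
		fprintf(fp, "# include <sys/sockio.h>\n");
		fprintf(fp, "#else\n");
		fprintf(fp, "# include <sys/ioctl.h>\n");
		fprintf(fp, "#endif /* FreeBSD */\n");
		fprintf(fp, "#include <net/if.h>\n");
		fprintf(fp, "#include <netinet/in.h>\n");
		fprintf(fp, "#include <netinet/in_systm.h>\n");
		fprintf(fp, "#include <netinet/ip.h>\n");
		fprintf(fp, "#include <netinet/tcp.h>\n");
		fprintf(fp, "#include \"netinet/ip_compat.h\"\n");
		fprintf(fp, "#include \"netinet/ip_fil.h\"\n\n");
		fprintf(fp, "#include \"netinet/ip_rules.h\"\n\n");
		fprintf(fp, "#ifndef _KERNEL\n");
		fprintf(fp, "# include <string.h>\n");
		fprintf(fp, "#endif /* _KERNEL */\n");
		fprintf(fp, "\n");
		fprintf(fp, "#ifdef IPFILTER_COMPILED\n");
	}

	addrule(fp, fr);
	fr->fr_type |= FR_T_BUILTIN;
	and = "";
	fr->fr_ref = 1;
	/*
	 * Dump the rule as whole u_long words.  Round the struct size up to
	 * a multiple of sizeof(u_long) so a trailing partial word is not
	 * dropped (sizeof(u_long) is a power of two, so % and the old
	 * bit-mask trick agree).
	 */
	i = sizeof(*fr);
	if ((i % sizeof(*ulp)) != 0)
		i += sizeof(u_long);
	for (i /= sizeof(u_long), ulp = (u_long *)fr; i > 0; i--) {
		fprintf(fp, "%s%#lx", and, *ulp++);
		and = ", ";
	}
	fprintf(fp, "\n};\n");
	fr->fr_type &= ~FR_T_BUILTIN;

	count++;

	fflush(fp);
}


/*
 * Every rule group seen so far, most recently created first.  Built by
 * addrule() and walked by emit(), emitheader() and emittail().
 */
static frgroup_t *groups = NULL;


/*
 * Record a private copy of the rule on the list of its group (creating
 * the group on first sight), write the rule's data block if it has one,
 * and write the opening line of the rule's own u_long array - printc()
 * supplies the words and the closing brace.  If the rule heads a group,
 * that group is created as well so the tail emitters declare it.
 *
 * fp - generated C output stream
 * fr - rule being compiled; it is copied, the caller keeps *fr
 *
 * Out of memory is fatal: the copies are needed by the later emit passes,
 * so the process exits with a message instead of dereferencing NULL.
 */
static void addrule(fp, fr)
FILE *fp;
frentry_t *fr;
{
	frentry_t *f, **fpp;
	frgroup_t *g;
	u_long *ulp;
	char *and;
	int i;

	f = (frentry_t *)malloc(sizeof(*f));
	if (f == NULL) {
		perror("malloc");
		exit(1);
	}
	bcopy((char *)fr, (char *)f, sizeof(*fr));
	if (fr->fr_ipf) {
		f->fr_ipf = (fripf_t *)malloc(sizeof(*f->fr_ipf));
		if (f->fr_ipf == NULL) {
			perror("malloc");
			exit(1);
		}
		bcopy((char *)fr->fr_ipf, (char *)f->fr_ipf,
		      sizeof(*fr->fr_ipf));
	}

	f->fr_next = NULL;
	/* A group is identified by its name together with its direction. */
	for (g = groups; g != NULL; g = g->fg_next)
		if ((strncmp(g->fg_name, f->fr_group, FR_GROUPLEN) == 0) &&
		    (g->fg_flags == (f->fr_flags & FR_INOUT)))
			break;

	if (g == NULL) {
		g = (frgroup_t *)calloc(1, sizeof(*g));
		if (g == NULL) {
			perror("calloc");
			exit(1);
		}
		g->fg_next = groups;
		groups = g;
		g->fg_head = f;
		/*
		 * NOTE(review): fg_name is later printed with %s; it is only
		 * NUL-terminated when the name is shorter than FR_GROUPLEN -
		 * confirm the size of fg_name in the frgroup_t definition.
		 */
		bcopy(f->fr_group, g->fg_name, FR_GROUPLEN);
		g->fg_ref = 0;
		g->fg_flags = f->fr_flags & FR_INOUT;
	}

	/* Append to the group's rule list. */
	for (fpp = &g->fg_start; *fpp != NULL; )
		fpp = &((*fpp)->fr_next);
	*fpp = f;

	if (fr->fr_dsize > 0) {
		fprintf(fp, "\
static u_long ipf%s_rule_data_%s_%u[] = {\n",
			f->fr_flags & FR_INQUE ? "in" : "out",
			g->fg_name, g->fg_ref);
		and = "";
		i = fr->fr_dsize;
		ulp = fr->fr_data;
		for (i /= sizeof(u_long); i > 0; i--) {
			fprintf(fp, "%s%#lx", and, *ulp++);
			and = ", ";
		}
		fprintf(fp, "\n};\n");
	}

	fprintf(fp, "\nstatic u_long %s_rule_%s_%d[] = {\n",
		f->fr_flags & FR_INQUE ? "in" : "out", g->fg_name, g->fg_ref);

	g->fg_ref++;

	/* A rule that starts a new group makes sure that group exists too. */
	if (f->fr_grhead != 0) {
		for (g = groups; g != NULL; g = g->fg_next)
			if ((strncmp(g->fg_name, f->fr_grhead,
				     FR_GROUPLEN) == 0) &&
			    g->fg_flags == (f->fr_flags & FR_INOUT))
				break;
		if (g == NULL) {
			g = (frgroup_t *)calloc(1, sizeof(*g));
			if (g == NULL) {
				perror("calloc");
				exit(1);
			}
			g->fg_next = groups;
			groups = g;
			g->fg_head = f;
			bcopy(f->fr_grhead, g->fg_name, FR_GROUPLEN);
			g->fg_ref = 0;
			g->fg_flags = f->fr_flags & FR_INOUT;
		}
	}
}


/*
 * qsort() comparator for mc_t entries: larger n sorts first; entries with
 * equal n are ordered by their comparison kind c.
 */
int intcmp(c1, c2)
const void *c1, *c2;
{
	const mc_t *i1 = (const mc_t *)c1, *i2 = (const mc_t *)c2;

	if (i1->n == i2->n) {
		return i1->c - i2->c;
	}
	return i2->n - i1->n;
}


/*
 * Write `in' tab characters to fp.  A zero or negative count writes
 * nothing (a negative value would previously never terminate).
 */
static void indent(fp, in)
FILE *fp;
int in;
{
	for (; in > 0; in--)
		fputc('\t', fp);
}

/*
 * Finish an already opened "if (" with an equality test on var.
 * When the mask m covers the whole field (m == max) a plain comparison
 * is written, otherwise the field is masked first.
 *
 * fp  - generated C output stream
 * var - C expression being tested
 * m   - mask applied to var
 * max - mask value meaning "every bit"
 * v   - value var must equal
 */
static void printeq(fp, var, m, max, v)
FILE *fp;
char *var;
int m, max, v;
{
	if (m == max)
		fprintf(fp, "%s == %#x) {\n", var, v);
	else
		fprintf(fp, "(%s & %#x) == %#x) {\n", var, m, v);
}

/*
 * Parameters: var - IP# being compared
 *             fl - 0 for positive match, 1 for negative match
 *             m - netmask
 *             v - required address
 * Finishes an already opened "if (" with the address comparison; a
 * host mask (0xffffffff) omits the masking.
 */
static void printipeq(fp, var, fl, m, v)
FILE *fp;
char *var;
int fl, m, v;
{
	if (m == 0xffffffff)
		fprintf(fp, "%s ", var);
	else
		fprintf(fp, "(%s & %#x) ", var, m);
	fprintf(fp, "%c", fl ? '!' : '=');
	fprintf(fp, "= %#x) {\n", v);
}


/*
 * Drive emitGroup() for every group on the chosen side(s) and, on the
 * final call, write the header declarations and the add/remove tail.
 *
 * num - rule number handed through to emitGroup(); -1 together with
 *       dir == -1 is the final call
 * dir - 0 for the inbound side, 1 for outbound, -1 for both
 * v   - mc_t array handed through to emitGroup()
 * fr  - rule handed through to emitGroup()
 */
void emit(num, dir, v, fr)
int num, dir;
void *v;
frentry_t *fr;
{
	u_int incnt, outcnt;
	frgroup_t *g;
	frentry_t *f;

	for (g = groups; g != NULL; g = g->fg_next) {
		if (dir == 0 || dir == -1) {
			/*
			 * NOTE(review): with dir == -1 a group without
			 * FR_INQUE is skipped here, so the outbound branch
			 * below is never reached for it - confirm intended.
			 */
			if ((g->fg_flags & FR_INQUE) == 0)
				continue;
			for (incnt = 0, f = g->fg_start; f != NULL;
			     f = f->fr_next)
				incnt++;
			emitGroup(num, dir, v, fr, g->fg_name, incnt, 0);
		}
		if (dir == 1 || dir == -1) {
			if ((g->fg_flags & FR_OUTQUE) == 0)
				continue;
			for (outcnt = 0, f = g->fg_start; f != NULL;
			     f = f->fr_next)
				outcnt++;
			emitGroup(num, dir, v, fr, g->fg_name, 0, outcnt);
		}
	}

	/*
	 * Final pass.  If no rule was ever compiled, cfile was never opened
	 * and there is nothing to finish; emittail() would otherwise write
	 * through a NULL FILE pointer.
	 */
	if (num == -1 && dir == -1 && cfile != NULL) {
		for (g = groups; g != NULL; g = g->fg_next) {
			if ((g->fg_flags & FR_INQUE) != 0) {
				for (incnt = 0, f = g->fg_start; f != NULL;
				     f = f->fr_next)
					incnt++;
				if (incnt > 0)
					emitheader(g, incnt, 0);
			}
			if ((g->fg_flags & FR_OUTQUE) != 0) {
				for (outcnt = 0, f = g->fg_start; f != NULL;
				     f = f->fr_next)
					outcnt++;
				if (outcnt > 0)
					emitheader(g, 0, outcnt);
			}
		}
		emittail();
		fprintf(cfile, "#endif /* IPFILTER_COMPILED */\n");
	}

}


/*
 * Write the declarations for one group to ip_rules.h (opened on first
 * use, in the current directory) and the loader hooks to ip_rules.c via
 * printhooks().  The ipfrule_add_X/ipfrule_remove_X prototypes are only
 * written for the first group on the list with a given name and
 * direction, so duplicates are not declared twice.
 *
 * grp      - group to declare
 * incount  - number of inbound rules in grp, 0 if none
 * outcount - number of outbound rules in grp, 0 if none
 *
 * If ip_rules.h cannot be created nothing is written, on this or any
 * later call.
 */
static void emitheader(grp, incount, outcount)
frgroup_t *grp;
u_int incount, outcount;
{
	static FILE *fph = NULL;
	frgroup_t *g;

	if (fph == NULL) {
		fph = fopen("ip_rules.h", "w");
		if (fph == NULL)
			return;

		fprintf(fph, "extern int ipfrule_add __P((void));\n");
		fprintf(fph, "extern int ipfrule_remove __P((void));\n");
	}

	printhooks(cfile, incount, outcount, grp);

	if (incount) {
		fprintf(fph, "\n\
extern frentry_t *ipfrule_match_in_%s __P((fr_info_t *, u_32_t *));\n\
extern frentry_t *ipf_rules_in_%s[%d];\n",
			grp->fg_name, grp->fg_name, incount);

		for (g = groups; g != grp; g = g->fg_next)
			if ((strncmp(g->fg_name, grp->fg_name,
				     FR_GROUPLEN) == 0) &&
			    g->fg_flags == grp->fg_flags)
				break;
		if (g == grp) {
			fprintf(fph, "\n\
extern int ipfrule_add_in_%s __P((void));\n\
extern int ipfrule_remove_in_%s __P((void));\n", grp->fg_name, grp->fg_name);
		}
	}
	if (outcount) {
		fprintf(fph, "\n\
extern frentry_t *ipfrule_match_out_%s __P((fr_info_t *, u_32_t *));\n\
extern frentry_t *ipf_rules_out_%s[%d];\n",
			grp->fg_name, grp->fg_name, outcount);

		/*
		 * Same duplicate check as for the inbound side.  This loop
		 * used to compare g with itself, which never iterated and so
		 * only ever declared the add/remove functions for the first
		 * group on the list.
		 */
		for (g = groups; g != grp; g = g->fg_next)
			if ((strncmp(g->fg_name, grp->fg_name,
				     FR_GROUPLEN) == 0) &&
			    g->fg_flags == grp->fg_flags)
				break;
		if (g == grp) {
			fprintf(fph, "\n\
extern int ipfrule_add_out_%s __P((void));\n\
extern int ipfrule_remove_out_%s __P((void));\n",
				grp->fg_name, grp->fg_name);
		}
	}
}

/*
 * Write ipfrule_add() and ipfrule_remove() to ip_rules.c: each calls the
 * per-group ipfrule_add_X_Y()/ipfrule_remove_X_Y() function for every
 * group in turn and returns the first non-zero error.
 */
static void emittail()
{
	frgroup_t *g;

	fprintf(cfile, "\n\
int ipfrule_add()\n\
{\n\
	int err;\n\
\n");
	for (g = groups; g != NULL; g = g->fg_next)
		fprintf(cfile, "\
	err = ipfrule_add_%s_%s();\n\
	if (err != 0)\n\
		return err;\n",
			(g->fg_flags & FR_INQUE) ? "in" : "out", g->fg_name);
	fprintf(cfile, "\
	return 0;\n");
	fprintf(cfile, "}\n\
\n");

	fprintf(cfile, "\n\
int ipfrule_remove()\n\
{\n\
	int err;\n\
\n");
	for (g = groups; g != NULL; g = g->fg_next)
		fprintf(cfile, "\
	err = ipfrule_remove_%s_%s();\n\
	if (err != 0)\n\
		return err;\n",
			(g->fg_flags & FR_INQUE) ? "in" : "out", g->fg_name);
	fprintf(cfile, "\
	return 0;\n");
	fprintf(cfile, "}\n");
}


/*
 * Emit the C matcher for one rule of one group (dir 0 = in, 1 = out).
 * The currently open matcher function, the group it belongs to and the
 * nesting depth are kept in statics so that consecutive calls for the
 * same group extend one function.
 */
static void emitGroup(num, dir, v, fr, group, incount, outcount)
int num, dir;
void *v;
frentry_t *fr;
char *group;
u_int incount, outcount;
{
	static FILE *fp = NULL;
	static int header[2] = { 0, 0 };
	static char egroup[FR_GROUPLEN] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
	static int openfunc = 0;
	static mc_t *n = NULL;
	static int sin = 0;
	frentry_t *f;
	frgroup_t *g;
	fripf_t *ipf;
	int i, in, j;
	mc_t *m = v;

	if (fp == NULL)
		fp = cfile;
	if (fp == NULL)
		return;
	if (strncmp(egroup, group, FR_GROUPLEN)) {
		for (sin--; sin > 0; sin--) {
			indent(fp, sin);
			fprintf(fp, "}\n");
		}
		if (openfunc == 1) {
			fprintf(fp, "\treturn fr;\n}\n");
			openfunc = 0;
			if (n != NULL) {
				free(n);
				n = NULL;
			}
		}
		sin = 0;
		header[0] = 0;
		header[1] = 0;
		strncpy(egroup, group, FR_GROUPLEN);
	} else if (openfunc == 1 && num < 0) {
		if (n != NULL) {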
4650Sstevel@tonic-gate free(n); 4660Sstevel@tonic-gate n = NULL; 4670Sstevel@tonic-gate } 4680Sstevel@tonic-gate for (sin--; sin > 0; sin--) { 4690Sstevel@tonic-gate indent(fp, sin); 4700Sstevel@tonic-gate fprintf(fp, "}\n"); 4710Sstevel@tonic-gate } 4720Sstevel@tonic-gate if (openfunc == 1) { 4730Sstevel@tonic-gate fprintf(fp, "\treturn fr;\n}\n"); 4740Sstevel@tonic-gate openfunc = 0; 4750Sstevel@tonic-gate } 4760Sstevel@tonic-gate } 4770Sstevel@tonic-gate 4780Sstevel@tonic-gate if (dir == -1) 4790Sstevel@tonic-gate return; 4800Sstevel@tonic-gate 4810Sstevel@tonic-gate for (g = groups; g != NULL; g = g->fg_next) { 4820Sstevel@tonic-gate if (dir == 0 && (g->fg_flags & FR_INQUE) == 0) 4830Sstevel@tonic-gate continue; 4840Sstevel@tonic-gate else if (dir == 1 && (g->fg_flags & FR_OUTQUE) == 0) 4850Sstevel@tonic-gate continue; 4860Sstevel@tonic-gate if (strncmp(g->fg_name, group, FR_GROUPLEN) != 0) 4870Sstevel@tonic-gate continue; 4880Sstevel@tonic-gate break; 4890Sstevel@tonic-gate } 4900Sstevel@tonic-gate 4910Sstevel@tonic-gate /* 4920Sstevel@tonic-gate * Output the array of pointers to rules for this group. 
4930Sstevel@tonic-gate */ 4940Sstevel@tonic-gate if (num == -2 && dir == 0 && header[0] == 0 && incount != 0) { 4950Sstevel@tonic-gate fprintf(fp, "\nfrentry_t *ipf_rules_in_%s[%d] = {", 4960Sstevel@tonic-gate group, incount); 4970Sstevel@tonic-gate for (f = g->fg_start, i = 0; f != NULL; f = f->fr_next) { 4980Sstevel@tonic-gate if ((f->fr_flags & FR_INQUE) == 0) 4990Sstevel@tonic-gate continue; 5000Sstevel@tonic-gate if ((i & 1) == 0) { 5010Sstevel@tonic-gate fprintf(fp, "\n\t"); 5020Sstevel@tonic-gate } 5030Sstevel@tonic-gate fprintf(fp, 5040Sstevel@tonic-gate "(frentry_t *)&in_rule_%s_%d", 5050Sstevel@tonic-gate f->fr_group, i); 5060Sstevel@tonic-gate if (i + 1 < incount) 5070Sstevel@tonic-gate fprintf(fp, ", "); 5080Sstevel@tonic-gate i++; 5090Sstevel@tonic-gate } 5100Sstevel@tonic-gate fprintf(fp, "\n};\n"); 5110Sstevel@tonic-gate } 5120Sstevel@tonic-gate 5130Sstevel@tonic-gate if (num == -2 && dir == 1 && header[1] == 0 && outcount != 0) { 5140Sstevel@tonic-gate fprintf(fp, "\nfrentry_t *ipf_rules_out_%s[%d] = {", 5150Sstevel@tonic-gate group, outcount); 5160Sstevel@tonic-gate for (f = g->fg_start, i = 0; f != NULL; f = f->fr_next) { 5170Sstevel@tonic-gate if ((f->fr_flags & FR_OUTQUE) == 0) 5180Sstevel@tonic-gate continue; 5190Sstevel@tonic-gate if ((i & 1) == 0) { 5200Sstevel@tonic-gate fprintf(fp, "\n\t"); 5210Sstevel@tonic-gate } 5220Sstevel@tonic-gate fprintf(fp, 5230Sstevel@tonic-gate "(frentry_t *)&out_rule_%s_%d", 5240Sstevel@tonic-gate f->fr_group, i); 5250Sstevel@tonic-gate if (i + 1 < outcount) 5260Sstevel@tonic-gate fprintf(fp, ", "); 5270Sstevel@tonic-gate i++; 5280Sstevel@tonic-gate } 5290Sstevel@tonic-gate fprintf(fp, "\n};\n"); 5300Sstevel@tonic-gate fp = NULL; 5310Sstevel@tonic-gate } 5320Sstevel@tonic-gate 5330Sstevel@tonic-gate if (num < 0) 5340Sstevel@tonic-gate return; 5350Sstevel@tonic-gate 5360Sstevel@tonic-gate in = 0; 5370Sstevel@tonic-gate ipf = fr->fr_ipf; 5380Sstevel@tonic-gate 5390Sstevel@tonic-gate /* 5400Sstevel@tonic-gate * If 
the function header has not been printed then print it now. 5410Sstevel@tonic-gate */ 5420Sstevel@tonic-gate if (header[dir] == 0) { 5430Sstevel@tonic-gate int pdst = 0, psrc = 0; 5440Sstevel@tonic-gate 5450Sstevel@tonic-gate openfunc = 1; 5460Sstevel@tonic-gate fprintf(fp, "\nfrentry_t *ipfrule_match_%s_%s(fin, passp)\n", 5470Sstevel@tonic-gate (dir == 0) ? "in" : "out", group); 5480Sstevel@tonic-gate fprintf(fp, "fr_info_t *fin;\n"); 5490Sstevel@tonic-gate fprintf(fp, "u_32_t *passp;\n"); 5500Sstevel@tonic-gate fprintf(fp, "{\n"); 5510Sstevel@tonic-gate fprintf(fp, "\tfrentry_t *fr = NULL;\n"); 5520Sstevel@tonic-gate 5530Sstevel@tonic-gate /* 5540Sstevel@tonic-gate * Print out any variables that need to be declared. 5550Sstevel@tonic-gate */ 5560Sstevel@tonic-gate for (f = g->fg_start, i = 0; f != NULL; f = f->fr_next) { 5570Sstevel@tonic-gate if (incount + outcount > m[FRC_SRC].e + 1) 5580Sstevel@tonic-gate psrc = 1; 5590Sstevel@tonic-gate if (incount + outcount > m[FRC_DST].e + 1) 5600Sstevel@tonic-gate pdst = 1; 5610Sstevel@tonic-gate } 5620Sstevel@tonic-gate if (psrc == 1) 5630Sstevel@tonic-gate fprintf(fp, "\tu_32_t src = ntohl(%s);\n", 5640Sstevel@tonic-gate "fin->fin_fi.fi_saddr"); 5650Sstevel@tonic-gate if (pdst == 1) 5660Sstevel@tonic-gate fprintf(fp, "\tu_32_t dst = ntohl(%s);\n", 5670Sstevel@tonic-gate "fin->fin_fi.fi_daddr"); 5680Sstevel@tonic-gate } 5690Sstevel@tonic-gate 5700Sstevel@tonic-gate for (i = 0; i < FRC_MAX; i++) { 5710Sstevel@tonic-gate switch(m[i].c) 5720Sstevel@tonic-gate { 5730Sstevel@tonic-gate case FRC_IFN : 5740Sstevel@tonic-gate if (*fr->fr_ifname) 5750Sstevel@tonic-gate m[i].s = 1; 5760Sstevel@tonic-gate break; 5770Sstevel@tonic-gate case FRC_V : 5780Sstevel@tonic-gate if (ipf != NULL && ipf->fri_mip.fi_v != 0) 5790Sstevel@tonic-gate m[i].s = 1; 5800Sstevel@tonic-gate break; 5810Sstevel@tonic-gate case FRC_FL : 5820Sstevel@tonic-gate if (ipf != NULL && ipf->fri_mip.fi_flx != 0) 5830Sstevel@tonic-gate m[i].s = 1; 
5840Sstevel@tonic-gate break; 5850Sstevel@tonic-gate case FRC_P : 5860Sstevel@tonic-gate if (ipf != NULL && ipf->fri_mip.fi_p != 0) 5870Sstevel@tonic-gate m[i].s = 1; 5880Sstevel@tonic-gate break; 5890Sstevel@tonic-gate case FRC_TTL : 5900Sstevel@tonic-gate if (ipf != NULL && ipf->fri_mip.fi_ttl != 0) 5910Sstevel@tonic-gate m[i].s = 1; 5920Sstevel@tonic-gate break; 5930Sstevel@tonic-gate case FRC_TOS : 5940Sstevel@tonic-gate if (ipf != NULL && ipf->fri_mip.fi_tos != 0) 5950Sstevel@tonic-gate m[i].s = 1; 5960Sstevel@tonic-gate break; 5970Sstevel@tonic-gate case FRC_TCP : 5980Sstevel@tonic-gate if (ipf == NULL) 5990Sstevel@tonic-gate break; 6000Sstevel@tonic-gate if ((ipf->fri_ip.fi_p == IPPROTO_TCP) && 6010Sstevel@tonic-gate fr->fr_tcpfm != 0) 6020Sstevel@tonic-gate m[i].s = 1; 6030Sstevel@tonic-gate break; 6040Sstevel@tonic-gate case FRC_SP : 6050Sstevel@tonic-gate if (ipf == NULL) 6060Sstevel@tonic-gate break; 6070Sstevel@tonic-gate if (fr->fr_scmp == FR_INRANGE) 6080Sstevel@tonic-gate m[i].s = 1; 6090Sstevel@tonic-gate else if (fr->fr_scmp == FR_OUTRANGE) 6100Sstevel@tonic-gate m[i].s = 1; 6110Sstevel@tonic-gate else if (fr->fr_scmp != 0) 6120Sstevel@tonic-gate m[i].s = 1; 6130Sstevel@tonic-gate break; 6140Sstevel@tonic-gate case FRC_DP : 6150Sstevel@tonic-gate if (ipf == NULL) 6160Sstevel@tonic-gate break; 6170Sstevel@tonic-gate if (fr->fr_dcmp == FR_INRANGE) 6180Sstevel@tonic-gate m[i].s = 1; 6190Sstevel@tonic-gate else if (fr->fr_dcmp == FR_OUTRANGE) 6200Sstevel@tonic-gate m[i].s = 1; 6210Sstevel@tonic-gate else if (fr->fr_dcmp != 0) 6220Sstevel@tonic-gate m[i].s = 1; 6230Sstevel@tonic-gate break; 6240Sstevel@tonic-gate case FRC_SRC : 6250Sstevel@tonic-gate if (ipf == NULL) 6260Sstevel@tonic-gate break; 6270Sstevel@tonic-gate if (fr->fr_satype == FRI_LOOKUP) { 6280Sstevel@tonic-gate ; 6290Sstevel@tonic-gate } else if ((fr->fr_smask != 0) || 6300Sstevel@tonic-gate (fr->fr_flags & FR_NOTSRCIP) != 0) 6310Sstevel@tonic-gate m[i].s = 1; 6320Sstevel@tonic-gate 
break; 6330Sstevel@tonic-gate case FRC_DST : 6340Sstevel@tonic-gate if (ipf == NULL) 6350Sstevel@tonic-gate break; 6360Sstevel@tonic-gate if (fr->fr_datype == FRI_LOOKUP) { 6370Sstevel@tonic-gate ; 6380Sstevel@tonic-gate } else if ((fr->fr_dmask != 0) || 6390Sstevel@tonic-gate (fr->fr_flags & FR_NOTDSTIP) != 0) 6400Sstevel@tonic-gate m[i].s = 1; 6410Sstevel@tonic-gate break; 6420Sstevel@tonic-gate case FRC_OPT : 6430Sstevel@tonic-gate if (ipf == NULL) 6440Sstevel@tonic-gate break; 6450Sstevel@tonic-gate if (fr->fr_optmask != 0) 6460Sstevel@tonic-gate m[i].s = 1; 6470Sstevel@tonic-gate break; 6480Sstevel@tonic-gate case FRC_SEC : 6490Sstevel@tonic-gate if (ipf == NULL) 6500Sstevel@tonic-gate break; 6510Sstevel@tonic-gate if (fr->fr_secmask != 0) 6520Sstevel@tonic-gate m[i].s = 1; 6530Sstevel@tonic-gate break; 6540Sstevel@tonic-gate case FRC_ATH : 6550Sstevel@tonic-gate if (ipf == NULL) 6560Sstevel@tonic-gate break; 6570Sstevel@tonic-gate if (fr->fr_authmask != 0) 6580Sstevel@tonic-gate m[i].s = 1; 6590Sstevel@tonic-gate break; 6600Sstevel@tonic-gate case FRC_ICT : 6610Sstevel@tonic-gate if (ipf == NULL) 6620Sstevel@tonic-gate break; 6630Sstevel@tonic-gate if ((fr->fr_icmpm & 0xff00) != 0) 6640Sstevel@tonic-gate m[i].s = 1; 6650Sstevel@tonic-gate break; 6660Sstevel@tonic-gate case FRC_ICC : 6670Sstevel@tonic-gate if (ipf == NULL) 6680Sstevel@tonic-gate break; 6690Sstevel@tonic-gate if ((fr->fr_icmpm & 0xff) != 0) 6700Sstevel@tonic-gate m[i].s = 1; 6710Sstevel@tonic-gate break; 6720Sstevel@tonic-gate } 6730Sstevel@tonic-gate } 6740Sstevel@tonic-gate 6750Sstevel@tonic-gate if (!header[dir]) { 6760Sstevel@tonic-gate fprintf(fp, "\n"); 6770Sstevel@tonic-gate header[dir] = 1; 6780Sstevel@tonic-gate sin = 0; 6790Sstevel@tonic-gate } 6800Sstevel@tonic-gate 6810Sstevel@tonic-gate qsort(m, FRC_MAX, sizeof(mc_t), intcmp); 6820Sstevel@tonic-gate 6830Sstevel@tonic-gate if (n) { 6840Sstevel@tonic-gate /* 6850Sstevel@tonic-gate * Calculate the indentation interval upto the last 
common 6860Sstevel@tonic-gate * common comparison being made. 6870Sstevel@tonic-gate */ 6880Sstevel@tonic-gate for (i = 0, in = 1; i < FRC_MAX; i++) { 6890Sstevel@tonic-gate if (n[i].c != m[i].c) 6900Sstevel@tonic-gate break; 6910Sstevel@tonic-gate if (n[i].s != m[i].s) 6920Sstevel@tonic-gate break; 6930Sstevel@tonic-gate if (n[i].s) { 6940Sstevel@tonic-gate if (n[i].n && (n[i].n > n[i].e)) { 6950Sstevel@tonic-gate m[i].p++; 6960Sstevel@tonic-gate in += m[i].p; 6970Sstevel@tonic-gate break; 6980Sstevel@tonic-gate } 6990Sstevel@tonic-gate if (n[i].e > 0) { 7000Sstevel@tonic-gate in++; 7010Sstevel@tonic-gate } else 7020Sstevel@tonic-gate break; 7030Sstevel@tonic-gate } 7040Sstevel@tonic-gate } 7050Sstevel@tonic-gate if (sin != in) { 7060Sstevel@tonic-gate for (j = sin - 1; j >= in; j--) { 7070Sstevel@tonic-gate indent(fp, j); 7080Sstevel@tonic-gate fprintf(fp, "}\n"); 7090Sstevel@tonic-gate } 7100Sstevel@tonic-gate } 7110Sstevel@tonic-gate } else { 7120Sstevel@tonic-gate in = 1; 7130Sstevel@tonic-gate i = 0; 7140Sstevel@tonic-gate } 7150Sstevel@tonic-gate 7160Sstevel@tonic-gate /* 7170Sstevel@tonic-gate * print out C code that implements a filter rule. 718*2393Syz155240 */ 7190Sstevel@tonic-gate for (; i < FRC_MAX; i++) { 7200Sstevel@tonic-gate switch(m[i].c) 7210Sstevel@tonic-gate { 7220Sstevel@tonic-gate case FRC_IFN : 7230Sstevel@tonic-gate if (m[i].s) { 7240Sstevel@tonic-gate indent(fp, in); 7250Sstevel@tonic-gate fprintf(fp, "if (fin->fin_ifp == "); 7260Sstevel@tonic-gate fprintf(fp, "ipf_rules_%s_%s[%d]->fr_ifa) {\n", 7270Sstevel@tonic-gate dir ? 
"out" : "in", group, num); 7280Sstevel@tonic-gate in++; 7290Sstevel@tonic-gate } 7300Sstevel@tonic-gate break; 7310Sstevel@tonic-gate case FRC_V : 7320Sstevel@tonic-gate if (m[i].s) { 7330Sstevel@tonic-gate indent(fp, in); 7340Sstevel@tonic-gate fprintf(fp, "if (fin->fin_v == %d) {\n", 7350Sstevel@tonic-gate ipf->fri_ip.fi_v); 7360Sstevel@tonic-gate in++; 7370Sstevel@tonic-gate } 7380Sstevel@tonic-gate break; 7390Sstevel@tonic-gate case FRC_FL : 7400Sstevel@tonic-gate if (m[i].s) { 7410Sstevel@tonic-gate indent(fp, in); 7420Sstevel@tonic-gate fprintf(fp, "if ("); 7430Sstevel@tonic-gate printeq(fp, "fin->fin_flx", 7440Sstevel@tonic-gate ipf->fri_mip.fi_flx, 0xf, 7450Sstevel@tonic-gate ipf->fri_ip.fi_flx); 7460Sstevel@tonic-gate in++; 7470Sstevel@tonic-gate } 7480Sstevel@tonic-gate break; 7490Sstevel@tonic-gate case FRC_P : 7500Sstevel@tonic-gate if (m[i].s) { 7510Sstevel@tonic-gate indent(fp, in); 7520Sstevel@tonic-gate fprintf(fp, "if (fin->fin_p == %d) {\n", 7530Sstevel@tonic-gate ipf->fri_ip.fi_p); 7540Sstevel@tonic-gate in++; 7550Sstevel@tonic-gate } 7560Sstevel@tonic-gate break; 7570Sstevel@tonic-gate case FRC_TTL : 7580Sstevel@tonic-gate if (m[i].s) { 7590Sstevel@tonic-gate indent(fp, in); 7600Sstevel@tonic-gate fprintf(fp, "if ("); 7610Sstevel@tonic-gate printeq(fp, "fin->fin_ttl", 7620Sstevel@tonic-gate ipf->fri_mip.fi_ttl, 0xff, 7630Sstevel@tonic-gate ipf->fri_ip.fi_ttl); 7640Sstevel@tonic-gate in++; 7650Sstevel@tonic-gate } 7660Sstevel@tonic-gate break; 7670Sstevel@tonic-gate case FRC_TOS : 7680Sstevel@tonic-gate if (m[i].s) { 7690Sstevel@tonic-gate indent(fp, in); 7700Sstevel@tonic-gate fprintf(fp, "if (fin->fin_tos"); 7710Sstevel@tonic-gate printeq(fp, "fin->fin_tos", 7720Sstevel@tonic-gate ipf->fri_mip.fi_tos, 0xff, 7730Sstevel@tonic-gate ipf->fri_ip.fi_tos); 7740Sstevel@tonic-gate in++; 7750Sstevel@tonic-gate } 7760Sstevel@tonic-gate break; 7770Sstevel@tonic-gate case FRC_TCP : 7780Sstevel@tonic-gate if (m[i].s) { 7790Sstevel@tonic-gate indent(fp, in); 
7800Sstevel@tonic-gate fprintf(fp, "if ("); 7810Sstevel@tonic-gate printeq(fp, "fin->fin_tcpf", fr->fr_tcpfm, 7820Sstevel@tonic-gate 0xff, fr->fr_tcpf); 7830Sstevel@tonic-gate in++; 7840Sstevel@tonic-gate } 7850Sstevel@tonic-gate break; 7860Sstevel@tonic-gate case FRC_SP : 7870Sstevel@tonic-gate if (!m[i].s) 7880Sstevel@tonic-gate break; 7890Sstevel@tonic-gate if (fr->fr_scmp == FR_INRANGE) { 7900Sstevel@tonic-gate indent(fp, in); 7910Sstevel@tonic-gate fprintf(fp, "if ((fin->fin_data[0] > %d) && ", 7920Sstevel@tonic-gate fr->fr_sport); 7930Sstevel@tonic-gate fprintf(fp, "(fin->fin_data[0] < %d)", 7940Sstevel@tonic-gate fr->fr_stop); 7950Sstevel@tonic-gate fprintf(fp, ") {\n"); 7960Sstevel@tonic-gate in++; 7970Sstevel@tonic-gate } else if (fr->fr_scmp == FR_OUTRANGE) { 7980Sstevel@tonic-gate indent(fp, in); 7990Sstevel@tonic-gate fprintf(fp, "if ((fin->fin_data[0] < %d) || ", 8000Sstevel@tonic-gate fr->fr_sport); 8010Sstevel@tonic-gate fprintf(fp, "(fin->fin_data[0] > %d)", 8020Sstevel@tonic-gate fr->fr_stop); 8030Sstevel@tonic-gate fprintf(fp, ") {\n"); 8040Sstevel@tonic-gate in++; 8050Sstevel@tonic-gate } else if (fr->fr_scmp) { 8060Sstevel@tonic-gate indent(fp, in); 8070Sstevel@tonic-gate fprintf(fp, "if (fin->fin_data[0] %s %d)", 8080Sstevel@tonic-gate portcmp[fr->fr_scmp], fr->fr_sport); 8090Sstevel@tonic-gate fprintf(fp, " {\n"); 8100Sstevel@tonic-gate in++; 8110Sstevel@tonic-gate } 8120Sstevel@tonic-gate break; 8130Sstevel@tonic-gate case FRC_DP : 8140Sstevel@tonic-gate if (!m[i].s) 8150Sstevel@tonic-gate break; 8160Sstevel@tonic-gate if (fr->fr_dcmp == FR_INRANGE) { 8170Sstevel@tonic-gate indent(fp, in); 8180Sstevel@tonic-gate fprintf(fp, "if ((fin->fin_data[1] > %d) && ", 8190Sstevel@tonic-gate fr->fr_dport); 8200Sstevel@tonic-gate fprintf(fp, "(fin->fin_data[1] < %d)", 8210Sstevel@tonic-gate fr->fr_dtop); 8220Sstevel@tonic-gate fprintf(fp, ") {\n"); 8230Sstevel@tonic-gate in++; 8240Sstevel@tonic-gate } else if (fr->fr_dcmp == FR_OUTRANGE) { 
8250Sstevel@tonic-gate indent(fp, in); 8260Sstevel@tonic-gate fprintf(fp, "if ((fin->fin_data[1] < %d) || ", 8270Sstevel@tonic-gate fr->fr_dport); 8280Sstevel@tonic-gate fprintf(fp, "(fin->fin_data[1] > %d)", 8290Sstevel@tonic-gate fr->fr_dtop); 8300Sstevel@tonic-gate fprintf(fp, ") {\n"); 8310Sstevel@tonic-gate in++; 8320Sstevel@tonic-gate } else if (fr->fr_dcmp) { 8330Sstevel@tonic-gate indent(fp, in); 8340Sstevel@tonic-gate fprintf(fp, "if (fin->fin_data[1] %s %d)", 8350Sstevel@tonic-gate portcmp[fr->fr_dcmp], fr->fr_dport); 8360Sstevel@tonic-gate fprintf(fp, " {\n"); 8370Sstevel@tonic-gate in++; 8380Sstevel@tonic-gate } 8390Sstevel@tonic-gate break; 8400Sstevel@tonic-gate case FRC_SRC : 8410Sstevel@tonic-gate if (!m[i].s) 8420Sstevel@tonic-gate break; 8430Sstevel@tonic-gate if (fr->fr_satype == FRI_LOOKUP) { 8440Sstevel@tonic-gate ; 8450Sstevel@tonic-gate } else if ((fr->fr_smask != 0) || 8460Sstevel@tonic-gate (fr->fr_flags & FR_NOTSRCIP) != 0) { 8470Sstevel@tonic-gate indent(fp, in); 8480Sstevel@tonic-gate fprintf(fp, "if ("); 8490Sstevel@tonic-gate printipeq(fp, "src", 8500Sstevel@tonic-gate fr->fr_flags & FR_NOTSRCIP, 8510Sstevel@tonic-gate fr->fr_smask, fr->fr_saddr); 8520Sstevel@tonic-gate in++; 8530Sstevel@tonic-gate } 8540Sstevel@tonic-gate break; 8550Sstevel@tonic-gate case FRC_DST : 8560Sstevel@tonic-gate if (!m[i].s) 8570Sstevel@tonic-gate break; 8580Sstevel@tonic-gate if (fr->fr_datype == FRI_LOOKUP) { 8590Sstevel@tonic-gate ; 8600Sstevel@tonic-gate } else if ((fr->fr_dmask != 0) || 8610Sstevel@tonic-gate (fr->fr_flags & FR_NOTDSTIP) != 0) { 8620Sstevel@tonic-gate indent(fp, in); 8630Sstevel@tonic-gate fprintf(fp, "if ("); 8640Sstevel@tonic-gate printipeq(fp, "dst", 8650Sstevel@tonic-gate fr->fr_flags & FR_NOTDSTIP, 8660Sstevel@tonic-gate fr->fr_dmask, fr->fr_daddr); 8670Sstevel@tonic-gate in++; 8680Sstevel@tonic-gate } 8690Sstevel@tonic-gate break; 8700Sstevel@tonic-gate case FRC_OPT : 8710Sstevel@tonic-gate if (m[i].s) { 8720Sstevel@tonic-gate 
indent(fp, in); 8730Sstevel@tonic-gate fprintf(fp, "if ("); 8740Sstevel@tonic-gate printeq(fp, "fin->fin_fi.fi_optmsk", 8750Sstevel@tonic-gate fr->fr_optmask, 0xffffffff, 8760Sstevel@tonic-gate fr->fr_optbits); 8770Sstevel@tonic-gate in++; 8780Sstevel@tonic-gate } 8790Sstevel@tonic-gate break; 8800Sstevel@tonic-gate case FRC_SEC : 8810Sstevel@tonic-gate if (m[i].s) { 8820Sstevel@tonic-gate indent(fp, in); 8830Sstevel@tonic-gate fprintf(fp, "if ("); 8840Sstevel@tonic-gate printeq(fp, "fin->fin_fi.fi_secmsk", 8850Sstevel@tonic-gate fr->fr_secmask, 0xffff, 8860Sstevel@tonic-gate fr->fr_secbits); 8870Sstevel@tonic-gate in++; 8880Sstevel@tonic-gate } 8890Sstevel@tonic-gate break; 8900Sstevel@tonic-gate case FRC_ATH : 8910Sstevel@tonic-gate if (m[i].s) { 8920Sstevel@tonic-gate indent(fp, in); 8930Sstevel@tonic-gate fprintf(fp, "if ("); 8940Sstevel@tonic-gate printeq(fp, "fin->fin_fi.fi_authmsk", 8950Sstevel@tonic-gate fr->fr_authmask, 0xffff, 8960Sstevel@tonic-gate fr->fr_authbits); 8970Sstevel@tonic-gate in++; 8980Sstevel@tonic-gate } 8990Sstevel@tonic-gate break; 9000Sstevel@tonic-gate case FRC_ICT : 9010Sstevel@tonic-gate if (m[i].s) { 9020Sstevel@tonic-gate indent(fp, in); 9030Sstevel@tonic-gate fprintf(fp, "if ("); 9040Sstevel@tonic-gate printeq(fp, "fin->fin_data[0]", 9050Sstevel@tonic-gate fr->fr_icmpm & 0xff00, 0xffff, 9060Sstevel@tonic-gate fr->fr_icmp & 0xff00); 9070Sstevel@tonic-gate in++; 9080Sstevel@tonic-gate } 9090Sstevel@tonic-gate break; 9100Sstevel@tonic-gate case FRC_ICC : 9110Sstevel@tonic-gate if (m[i].s) { 9120Sstevel@tonic-gate indent(fp, in); 9130Sstevel@tonic-gate fprintf(fp, "if ("); 9140Sstevel@tonic-gate printeq(fp, "fin->fin_data[0]", 9150Sstevel@tonic-gate fr->fr_icmpm & 0xff, 0xffff, 9160Sstevel@tonic-gate fr->fr_icmp & 0xff); 9170Sstevel@tonic-gate in++; 9180Sstevel@tonic-gate } 9190Sstevel@tonic-gate break; 9200Sstevel@tonic-gate } 9210Sstevel@tonic-gate 9220Sstevel@tonic-gate } 9230Sstevel@tonic-gate 9240Sstevel@tonic-gate indent(fp, 
in); 9250Sstevel@tonic-gate if (fr->fr_flags & FR_QUICK) { 9260Sstevel@tonic-gate fprintf(fp, "return (frentry_t *)&%s_rule_%s_%d;\n", 9270Sstevel@tonic-gate fr->fr_flags & FR_INQUE ? "in" : "out", 9280Sstevel@tonic-gate fr->fr_group, num); 9290Sstevel@tonic-gate } else { 9300Sstevel@tonic-gate fprintf(fp, "fr = (frentry_t *)&%s_rule_%s_%d;\n", 9310Sstevel@tonic-gate fr->fr_flags & FR_INQUE ? "in" : "out", 9320Sstevel@tonic-gate fr->fr_group, num); 9330Sstevel@tonic-gate } 9340Sstevel@tonic-gate if (n == NULL) 9350Sstevel@tonic-gate n = (mc_t *)malloc(sizeof(*n) * FRC_MAX); 9360Sstevel@tonic-gate bcopy((char *)m, (char *)n, sizeof(*n) * FRC_MAX); 9370Sstevel@tonic-gate sin = in; 9380Sstevel@tonic-gate } 9390Sstevel@tonic-gate 9400Sstevel@tonic-gate 9410Sstevel@tonic-gate void printC(dir) 9420Sstevel@tonic-gate int dir; 9430Sstevel@tonic-gate { 9440Sstevel@tonic-gate static mc_t *m = NULL; 9450Sstevel@tonic-gate frgroup_t *g; 9460Sstevel@tonic-gate 9470Sstevel@tonic-gate if (m == NULL) 9480Sstevel@tonic-gate m = (mc_t *)calloc(1, sizeof(*m) * FRC_MAX); 9490Sstevel@tonic-gate 9500Sstevel@tonic-gate for (g = groups; g != NULL; g = g->fg_next) { 9510Sstevel@tonic-gate if ((dir == 0) && ((g->fg_flags & FR_INQUE) != 0)) 9520Sstevel@tonic-gate printCgroup(dir, g->fg_start, m, g->fg_name); 9530Sstevel@tonic-gate if ((dir == 1) && ((g->fg_flags & FR_OUTQUE) != 0)) 9540Sstevel@tonic-gate printCgroup(dir, g->fg_start, m, g->fg_name); 9550Sstevel@tonic-gate } 9560Sstevel@tonic-gate 9570Sstevel@tonic-gate emit(-1, dir, m, NULL); 9580Sstevel@tonic-gate } 9590Sstevel@tonic-gate 9600Sstevel@tonic-gate 9610Sstevel@tonic-gate /* 9620Sstevel@tonic-gate * Now print out code to implement all of the rules. 
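*/

/*
 * printCgroup - emit the C matcher for one rule group in one direction.
 *
 * dir    0 = inbound (FR_INQUE rules), 1 = outbound (FR_OUTQUE rules);
 *        rules of the other direction are skipped throughout.
 * top    first rule of the group (printC passes g->fg_start).
 * m      scratch array of FRC_MAX mc_t entries, shared across calls.
 * group  the group name, spliced into the generated identifiers.
 *
 * The group header is emitted first (emitGroup with rule number -2 and a
 * NULL rule), then for each rule in turn the function works out, for each
 * FRC_* field, how many of the rules that follow it share that field, and
 * hands the rule and those counts to emitGroup.
 *
 * Per field x, m[x].e counts following rules whose field is identical to
 * this rule's, and m[x].n counts following rules that match.  The two only
 * differ for FRC_SRC/FRC_DST, where .n also accepts an address that is
 * equal under this rule's own (non-zero) netmask.  The bit mask `n' tracks
 * which fields have matched in every following rule so far: once a rule
 * differs the bit is cleared and that field stops accumulating; the masked
 * SRC/DST match is the one case that re-sets its bit.  m[x].c is reset to
 * x and m[x].e/.n/.s to 0 before each rule; m[x].p is the only field not
 * reset here, so the qsort that precedes the reset only reorders .p
 * values - presumably .p and .s are maintained by emitGroup; verify there.
 */
static void printCgroup(dir, top, m, group)
int dir;
frentry_t *top;
mc_t *m;
char *group;
{
	frentry_t *fr, *fr1;
	int i, n, rn, both_ipf;
	u_int nrules;	/* was `count', which shadowed the file-scope static */

	/* Count the rules of this group that apply to this direction. */
	for (nrules = 0, fr1 = top; fr1 != NULL; fr1 = fr1->fr_next) {
		if ((dir == 0) && ((fr1->fr_flags & FR_INQUE) != 0))
			nrules++;
		else if ((dir == 1) && ((fr1->fr_flags & FR_OUTQUE) != 0))
			nrules++;
	}

	/* Group header: rule number -2, no rule (fr1 is NULL here). */
	if (dir == 0)
		emitGroup(-2, dir, m, NULL, group, nrules, 0);
	else if (dir == 1)
		emitGroup(-2, dir, m, NULL, group, 0, nrules);

	/*
	 * Before printing each rule, check to see how many of its fields are
	 * matched by subsequent rules.
	 */
	for (fr1 = top, rn = 0; fr1 != NULL; fr1 = fr1->fr_next, rn++) {
		if (!dir && !(fr1->fr_flags & FR_INQUE))
			continue;
		if (dir && !(fr1->fr_flags & FR_OUTQUE))
			continue;
		n = 0xfffffff;	/* every field still "matching" */

		for (i = 0; i < FRC_MAX; i++)
			m[i].e = 0;
		/* intcmp is declared at the top of the file. */
		qsort(m, FRC_MAX, sizeof(mc_t), intcmp);

		for (i = 0; i < FRC_MAX; i++) {
			m[i].c = i;
			m[i].e = 0;
			m[i].n = 0;
			m[i].s = 0;
		}

		for (fr = fr1->fr_next; fr; fr = fr->fr_next) {
			if (!dir && !(fr->fr_flags & FR_INQUE))
				continue;
			if (dir && !(fr->fr_flags & FR_OUTQUE))
				continue;

			/*
			 * All header-field comparisons below require both
			 * rules to be FR_T_IPF; the interface and IP version
			 * comparisons do not.
			 */
			both_ipf = (fr->fr_type == fr1->fr_type) &&
				   (fr->fr_type == FR_T_IPF);

			if ((n & 0x0001) &&
			    !strcmp(fr1->fr_ifname, fr->fr_ifname)) {
				m[FRC_IFN].e++;
				m[FRC_IFN].n++;
			} else
				n &= ~0x0001;

			if ((n & 0x0002) && (fr1->fr_v == fr->fr_v)) {
				m[FRC_V].e++;
				m[FRC_V].n++;
			} else
				n &= ~0x0002;

			if ((n & 0x0004) && both_ipf &&
			    (fr1->fr_mip.fi_flx == fr->fr_mip.fi_flx) &&
			    (fr1->fr_ip.fi_flx == fr->fr_ip.fi_flx)) {
				m[FRC_FL].e++;
				m[FRC_FL].n++;
			} else
				n &= ~0x0004;

			if ((n & 0x0008) && both_ipf &&
			    (fr1->fr_proto == fr->fr_proto)) {
				m[FRC_P].e++;
				m[FRC_P].n++;
			} else
				n &= ~0x0008;

			if ((n & 0x0010) && both_ipf &&
			    (fr1->fr_ttl == fr->fr_ttl)) {
				m[FRC_TTL].e++;
				m[FRC_TTL].n++;
			} else
				n &= ~0x0010;

			if ((n & 0x0020) && both_ipf &&
			    (fr1->fr_tos == fr->fr_tos)) {
				m[FRC_TOS].e++;
				m[FRC_TOS].n++;
			} else
				n &= ~0x0020;

			if ((n & 0x0040) && both_ipf &&
			    (fr1->fr_tcpfm == fr->fr_tcpfm) &&
			    (fr1->fr_tcpf == fr->fr_tcpf)) {
				m[FRC_TCP].e++;
				m[FRC_TCP].n++;
			} else
				n &= ~0x0040;

			if ((n & 0x0080) && both_ipf &&
			    (fr1->fr_scmp == fr->fr_scmp) &&
			    (fr1->fr_stop == fr->fr_stop) &&
			    (fr1->fr_sport == fr->fr_sport)) {
				m[FRC_SP].e++;
				m[FRC_SP].n++;
			} else
				n &= ~0x0080;

			if ((n & 0x0100) && both_ipf &&
			    (fr1->fr_dcmp == fr->fr_dcmp) &&
			    (fr1->fr_dtop == fr->fr_dtop) &&
			    (fr1->fr_dport == fr->fr_dport)) {
				m[FRC_DP].e++;
				m[FRC_DP].n++;
			} else
				n &= ~0x0100;

			/*
			 * Source address: two lookup-table rules match on
			 * the table number; otherwise an identical mask and
			 * address is an exact match (.e), and an address
			 * equal under this rule's non-zero mask is a match
			 * (.n) that keeps the field alive.
			 */
			if ((n & 0x0200) && both_ipf &&
			    (fr1->fr_satype == FRI_LOOKUP) &&
			    (fr->fr_satype == FRI_LOOKUP) &&
			    (fr1->fr_srcnum == fr->fr_srcnum)) {
				m[FRC_SRC].e++;
				m[FRC_SRC].n++;
			} else if ((n & 0x0200) && both_ipf &&
				   ((fr1->fr_flags & FR_NOTSRCIP) ==
				    (fr->fr_flags & FR_NOTSRCIP))) {
				if ((fr1->fr_smask == fr->fr_smask) &&
				    (fr1->fr_saddr == fr->fr_saddr))
					m[FRC_SRC].e++;
				else
					n &= ~0x0200;
				if (fr1->fr_smask &&
				    (fr1->fr_saddr & fr1->fr_smask) ==
				    (fr->fr_saddr & fr1->fr_smask)) {
					m[FRC_SRC].n++;
					n |= 0x0200;
				}
			} else {
				n &= ~0x0200;
			}

			/* Destination address: same scheme as source. */
			if ((n & 0x0400) && both_ipf &&
			    (fr1->fr_datype == FRI_LOOKUP) &&
			    (fr->fr_datype == FRI_LOOKUP) &&
			    (fr1->fr_dstnum == fr->fr_dstnum)) {
				m[FRC_DST].e++;
				m[FRC_DST].n++;
			} else if ((n & 0x0400) && both_ipf &&
				   ((fr1->fr_flags & FR_NOTDSTIP) ==
				    (fr->fr_flags & FR_NOTDSTIP))) {
				if ((fr1->fr_dmask == fr->fr_dmask) &&
				    (fr1->fr_daddr == fr->fr_daddr))
					m[FRC_DST].e++;
				else
					n &= ~0x0400;
				if (fr1->fr_dmask &&
				    (fr1->fr_daddr & fr1->fr_dmask) ==
				    (fr->fr_daddr & fr1->fr_dmask)) {
					m[FRC_DST].n++;
					n |= 0x0400;
				}
			} else {
				n &= ~0x0400;
			}

			if ((n & 0x0800) && both_ipf &&
			    (fr1->fr_optmask == fr->fr_optmask) &&
			    (fr1->fr_optbits == fr->fr_optbits)) {
				m[FRC_OPT].e++;
				m[FRC_OPT].n++;
			} else
				n &= ~0x0800;

			if ((n & 0x1000) && both_ipf &&
			    (fr1->fr_secmask == fr->fr_secmask) &&
			    (fr1->fr_secbits == fr->fr_secbits)) {
				m[FRC_SEC].e++;
				m[FRC_SEC].n++;
			} else
				n &= ~0x1000;

			/*
			 * The remaining bits skip 0x2000-0x8000; harmless,
			 * since n starts with every bit set.
			 */
			if ((n & 0x10000) && both_ipf &&
			    (fr1->fr_authmask == fr->fr_authmask) &&
			    (fr1->fr_authbits == fr->fr_authbits)) {
				m[FRC_ATH].e++;
				m[FRC_ATH].n++;
			} else
				n &= ~0x10000;

			/* ICMP type lives in the high byte ... */
			if ((n & 0x20000) && both_ipf &&
			    ((fr1->fr_icmpm & 0xff00) ==
			     (fr->fr_icmpm & 0xff00)) &&
			    ((fr1->fr_icmp & 0xff00) ==
			     (fr->fr_icmp & 0xff00))) {
				m[FRC_ICT].e++;
				m[FRC_ICT].n++;
			} else
				n &= ~0x20000;

			/* ... and the ICMP code in the low byte. */
			if ((n & 0x40000) && both_ipf &&
			    ((fr1->fr_icmpm & 0xff) == (fr->fr_icmpm & 0xff)) &&
			    ((fr1->fr_icmp & 0xff) == (fr->fr_icmp & 0xff))) {
				m[FRC_ICC].e++;
				m[FRC_ICC].n++;
			} else
				n &= ~0x40000;
		}

		if (dir == 0)
			emitGroup(rn, dir, m, fr1, group, nrules, 0);
		else if (dir == 1)
			emitGroup(rn, dir, m, fr1, group, 0, nrules);
	}
}


/*
 * printhooks - emit the ipfrule_add_<dir>_<group>() and
 * ipfrule_remove_<dir>_<group>() functions that load and unload the
 * generated rules of one group.
 *
 * fp   output stream.
 * in   non-zero for the inbound variant.
 * out  non-zero for the outbound variant.  Exactly one of in/out should be
 *      set: both set is a fatal error (exit(1)); neither set is NOT
 *      rejected and splices "???" into the generated identifiers, which is
 *      not valid C - callers must not do that.
 * grp  the group whose rules (the grp->fg_start chain) are being hooked.
 *
 * The emitted add function points fr_data of each rule with fr_dsize > 0
 * at its ipf<dir>_rule_data_<group>_<i> blob, links the
 * ipf_rules_<dir>_<group>[] entries into a chain by matching fr_group,
 * builds a FR_T_CALLFUNC|FR_T_BUILTIN hook rule whose fr_func is
 * ipfrule_match_<dir>_<group>, and adds it with frrequest(SIOCADDFR).
 * The emitted remove function answers EBUSY while the hook rule has
 * fr_ref > 0 or any rule in the table has fr_ref > 1, and otherwise
 * deletes the hook with frrequest(SIOCDELFR).
 *
 * Everything emitted here is compiled into the kernel as firewall policy,
 * so this generator must only ever produce valid C.  Note that
 * grp->fg_name is spliced into C identifiers without validation; a group
 * name that is not a valid identifier fragment yields output that will not
 * compile.
 */
static void printhooks(fp, in, out, grp)
FILE *fp;
int in;
int out;
frgroup_t *grp;
{
	frentry_t *fr;
	char *group;
	int dogrp, i;
	char *instr;

	group = grp->fg_name;
	/*
	 * dogrp is never set, so the fr_addgroup() blocks below are never
	 * emitted; kept as-is to preserve the generated output.
	 */
	dogrp = 0;

	if (in && out) {
		fprintf(stderr,
			"printhooks called with both in and out set\n");
		exit(1);
	}

	if (in) {
		instr = "in";
	} else if (out) {
		instr = "out";
	} else {
		instr = "???";	/* see header comment: not a valid identifier */
	}
	fprintf(fp, "static frentry_t ipfrule_%s_%s;\n", instr, group);

	fprintf(fp, "\
\n\
int ipfrule_add_%s_%s()\n", instr, group);
	fprintf(fp, "\
{\n\
	int i, j, err = 0, max;\n\
	frentry_t *fp;\n");

	if (dogrp)
		fprintf(fp, "\
	frgroup_t *fg;\n");

	fprintf(fp, "\n");

	/*
	 * Attach each rule's out-of-line data blob.  Both indices are the
	 * int i, so both are printed with %d (the second used to be %u).
	 */
	for (i = 0, fr = grp->fg_start; fr != NULL; i++, fr = fr->fr_next)
		if (fr->fr_dsize > 0) {
			fprintf(fp, "\
	ipf_rules_%s_%s[%d]->fr_data = &ipf%s_rule_data_%s_%d;\n",
				instr, grp->fg_name, i,
				instr, grp->fg_name, i);
		}
	fprintf(fp, "\
	max = sizeof(ipf_rules_%s_%s)/sizeof(frentry_t *);\n\
	for (i = 0; i < max; i++) {\n\
		fp = ipf_rules_%s_%s[i];\n\
		fp->fr_next = NULL;\n", instr, group, instr, group);

	fprintf(fp, "\
		for (j = i + 1; j < max; j++)\n\
			if (strncmp(fp->fr_group,\n\
				    ipf_rules_%s_%s[j]->fr_group,\n\
				    FR_GROUPLEN) == 0) {\n\
				fp->fr_next = ipf_rules_%s_%s[j];\n\
				break;\n\
			}\n", instr, group, instr, group);
	if (dogrp)
		fprintf(fp, "\
\n\
		if (fp->fr_grhead != 0) {\n\
			fg = fr_addgroup(fp->fr_grhead, fp, FR_INQUE,\n\
					 IPL_LOGIPF, 0);\n\
			if (fg != NULL)\n\
				fp->fr_grp = &fg->fg_start;\n\
		}\n");
	fprintf(fp, "\
	}\n\
\n\
	fp = &ipfrule_%s_%s;\n", instr, group);
	fprintf(fp, "\
	bzero((char *)fp, sizeof(*fp));\n\
	fp->fr_type = FR_T_CALLFUNC|FR_T_BUILTIN;\n\
	fp->fr_flags = FR_%sQUE|FR_NOMATCH;\n\
	fp->fr_data = (void *)ipf_rules_%s_%s[0];\n",
		(in != 0) ? "IN" : "OUT", instr, group);
	/*
	 * NOTE(review): the emitted sizeof() is the size of a frentry_t *
	 * (one array element), not of the frentry_t that fr_data points at.
	 * Confirm that is what the kernel's FR_T_BUILTIN handling of
	 * fr_data/fr_dsize expects before relying on it.
	 */
	fprintf(fp, "\
	fp->fr_dsize = sizeof(ipf_rules_%s_%s[0]);\n",
		instr, group);

	fprintf(fp, "\
	fp->fr_v = 4;\n\
	fp->fr_func = (ipfunc_t)ipfrule_match_%s_%s;\n\
	err = frrequest(IPL_LOGIPF, SIOCADDFR, (caddr_t)fp, fr_active, 0);\n",
		instr, group);
	fprintf(fp, "\treturn err;\n}\n");

	fprintf(fp, "\n\n\
int ipfrule_remove_%s_%s()\n", instr, group);
	fprintf(fp, "\
{\n\
	int err = 0, i;\n\
	frentry_t *fp;\n\
\n\
	/*\n\
	 * Try to remove the %sbound rule.\n", instr);

	fprintf(fp, "\
	 */\n\
	if (ipfrule_%s_%s.fr_ref > 0) {\n", instr, group);

	fprintf(fp, "\
		err = EBUSY;\n\
	} else {\n");

	fprintf(fp, "\
		i = sizeof(ipf_rules_%s_%s)/sizeof(frentry_t *) - 1;\n\
		for (; i >= 0; i--) {\n\
			fp = ipf_rules_%s_%s[i];\n\
			if (fp->fr_ref > 1) {\n\
				err = EBUSY;\n\
				break;\n\
			}\n\
		}\n\
	}\n\
	if (err == 0)\n\
		err = frrequest(IPL_LOGIPF, SIOCDELFR,\n\
				(caddr_t)&ipfrule_%s_%s, fr_active, 0);\n",
		instr, group, instr, group, instr, group);
	fprintf(fp, "\
	if (err)\n\
		return err;\n\
\n\n");

	fprintf(fp, "\treturn err;\n}\n");
}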