Lines Matching +full:dev +full:- +full:active +full:- +full:grp
3 /*-
4 * SPDX-License-Identifier: BSD-2-Clause
69 #include <grp.h>
311 /* new-style scrub opts */
527 !isdigit((addr).v.ifname[strlen((addr).v.ifname)-1])))
633 | ruleset error '\n' { file->errors++; }
671 yyerror("unknown ruleset-optimization %s", $1);
699 if (!(pf->opts & PF_OPT_OPTIMIZE)) {
700 pf->opts |= PF_OPT_OPTIMIZE;
701 pf->optimize = $3;
722 yyerror("hostid must be non-zero");
728 if (pf->opts & PF_OPT_VERBOSE)
729 printf("set block-policy drop\n");
735 if (pf->opts & PF_OPT_VERBOSE)
736 printf("set block-policy return\n");
742 if (pf->opts & PF_OPT_VERBOSE)
743 printf("set fail-policy drop\n");
749 if (pf->opts & PF_OPT_VERBOSE)
750 printf("set fail-policy return\n");
756 if (pf->opts & PF_OPT_VERBOSE)
757 printf("set require-order %s\n",
762 if (pf->opts & PF_OPT_VERBOSE)
768 if (!pf->anchor->name[0]) {
769 if (pfctl_file_fingerprints(pf->dev,
770 pf->opts, $3)) {
780 if (pf->opts & PF_OPT_VERBOSE)
783 printf("set state-policy floating\n");
786 printf("set state-policy if-bound\n");
811 yyerror("cannot redefine state-defaults");
817 pf->keep_counters = true;
881 if (asprintf(&$$, "%s %s", $1, $2) == -1)
890 if (asprintf(&$$, "%s %s", $1, $2) == -1)
900 if (asprintf(&s, "%lld", (long long)$1) == -1) {
911 if (pf->opts & PF_OPT_VERBOSE)
922 if (symset($1, $3, 0) == -1)
935 if (strlen(pf->anchor->path) + 1 +
939 PATH_MAX - 1);
967 if (pf->asd >= PFCTL_ANCHOR_STACK_DEPTH)
969 pf->asd++;
970 pf->bn++;
978 snprintf(ta, PF_ANCHOR_NAME_SIZE, "_%d", pf->bn);
982 pf->astack[pf->asd] = rs->anchor;
983 pf->anchor = rs->anchor;
986 pf->alast = pf->anchor;
987 pf->asd--;
988 pf->anchor = pf->astack[pf->asd];
1015 proto->proto != IPPROTO_TCP;
1016 proto = proto->next)
1046 pf->astack[pf->asd + 1] = NULL;
1093 " in rdr-anchor");
1097 if ($6.dst.port->next != NULL) {
1100 "rdr-anchor");
1102 } else if ($6.dst.port->op != PF_OP_EQ) {
1104 " not supported in rdr-anchor");
1107 r.dst.port[0] = $6.dst.port->port[0];
1108 r.dst.port[1] = $6.dst.port->port[1];
1109 r.dst.port_op = $6.dst.port->op;
1133 if ($5->next != NULL) {
1135 " not supported in binat-anchor");
1138 r.proto = $5->proto;
1145 " in binat-anchor");
1167 if ((loadanchor->anchorname = malloc(MAXPATHLEN)) ==
1170 if (pf->anchor->name[0])
1171 snprintf(loadanchor->anchorname, MAXPATHLEN,
1172 "%s/%s", pf->anchor->path, $3);
1174 strlcpy(loadanchor->anchorname, $3, MAXPATHLEN);
1175 if ((loadanchor->filename = strdup($5)) == NULL)
1212 PF_TAG_NAME_SIZE - 1);
1243 if (pf->asd >= PFCTL_ANCHOR_STACK_DEPTH)
1245 pf->asd++;
1246 pf->bn++;
1249 snprintf(ta, PF_ANCHOR_NAME_SIZE, "_%d", pf->bn);
1253 pf->eastack[pf->asd] = rs->anchor;
1254 pf->eanchor = rs->anchor;
1257 pf->ealast = pf->eanchor;
1258 pf->asd--;
1259 pf->eanchor = pf->eastack[pf->asd];
1281 if (pf->eastack[pf->asd + 1]) {
1291 &pf->eastack[pf->asd]->ruleset,
1292 $3 ? $3 : pf->ealast->name);
1297 if (pf->ealast != r.anchor) {
1298 if (r.anchor->match) {
1301 r.anchor->name);
1304 mv_eth_rules(&pf->ealast->ruleset,
1305 &r.anchor->ruleset);
1307 pf_remove_if_empty_eth_ruleset(&pf->ealast->ruleset);
1308 pf->ealast = r.anchor;
1322 pf->eastack[pf->asd + 1] ? pf->ealast->name : $3);
1325 pf->eastack[pf->asd + 1] = NULL;
1431 PF_TAG_NAME_SIZE - 1);
1445 scrub_opts.rtableid = -1;
1451 scrub_opts.rtableid = -1;
1462 yyerror("no-df cannot be respecified");
1469 yyerror("min-ttl cannot be respecified");
1473 yyerror("illegal min-ttl value %d", $2);
1481 yyerror("max-mss cannot be respecified");
1485 yyerror("illegal max-mss value %d", $2);
1493 yyerror("set-tos cannot be respecified");
1523 yyerror("random-id cannot be respecified");
1553 for (i = $3; i; i = i->next) {
1569 if (strlcpy(j->ifname, i->ifname,
1570 sizeof(j->ifname)) >= sizeof(j->ifname)) {
1575 j->not = 1;
1576 if (i->dynamic) {
1580 h->addr.type = PF_ADDR_DYNIFTL;
1582 if (strlcpy(h->addr.v.ifname, i->ifname,
1583 sizeof(h->addr.v.ifname)) >=
1584 sizeof(h->addr.v.ifname)) {
1594 h->addr.iflags = PFI_AFLAG_NETWORK;
1596 h = ifa_lookup(j->ifname,
1606 if ((i->ifa_flags & IFF_LOOPBACK) == 0) {
1622 h = ifa_lookup(i->ifname, 0);
1642 $1->tail->next = $3;
1643 $1->tail = $3;
1650 $2->dynamic = 1;
1657 antispoof_opts.rtableid = -1;
1663 antispoof_opts.rtableid = -1;
1701 PF_TABLE_NAME_SIZE - 1);
1705 if (pf->loadopt & PFCTL_FLAG_TABLE)
1706 if (process_tabledef($3, &$5, pf->opts)) {
1713 if (ti->file)
1714 free(ti->file);
1715 for (h = ti->host; h != NULL; h = nh) {
1716 nh = h->next;
1762 for (n = $3; n != NULL; n = n->next) {
1763 switch (n->addr.type) {
1778 yyerror("\"no-route\" is not permitted "
1782 yyerror("\"urpf-failed\" is not "
1787 n->addr.type);
1793 ti->host = $3;
1803 ti->file = $2;
1847 "%d chars)", PF_QNAME_SIZE-1);
2301 $1->tail->next = $3;
2302 $1->tail = $3;
2311 if (strlcpy($$->queue, $1, sizeof($$->queue)) >=
2312 sizeof($$->queue)) {
2314 "%d chars)", $1, sizeof($$->queue)-1);
2320 $$->next = NULL;
2321 $$->tail = $$;
2369 proto->proto != IPPROTO_TCP;
2370 proto = proto->next)
2397 switch (o->type) {
2404 r.max_states = o->data.max_states;
2417 "'source-track' "
2421 srctrack = o->data.src_track;
2427 "'max-src-states' "
2431 if (o->data.max_src_states == 0) {
2432 yyerror("'max-src-states' must "
2437 o->data.max_src_states;
2447 o->data.overload.tblname,
2454 r.flush = o->data.overload.flush;
2459 "'max-src-conn' "
2463 if (o->data.max_src_conn == 0) {
2464 yyerror("'max-src-conn' "
2469 o->data.max_src_conn;
2476 "'max-src-conn-rate' "
2480 if (!o->data.max_src_conn_rate.limit ||
2481 !o->data.max_src_conn_rate.seconds) {
2482 yyerror("'max-src-conn-rate' "
2486 if (o->data.max_src_conn_rate.limit >
2488 yyerror("'max-src-conn-rate' "
2494 o->data.max_src_conn_rate.limit;
2496 o->data.max_src_conn_rate.seconds;
2503 "'max-src-nodes' "
2507 if (o->data.max_src_nodes == 0) {
2508 yyerror("'max-src-nodes' must "
2513 o->data.max_src_nodes;
2524 r.rule_flag |= o->data.statelock;
2544 yyerror("state allow-related option: "
2551 if (o->data.timeout.number ==
2553 o->data.timeout.number ==
2556 if (r.timeout[o->data.timeout.number]) {
2559 pf_timeouts[o->data.
2563 r.timeout[o->data.timeout.number] =
2564 o->data.timeout.seconds;
2566 o = o->next;
2587 yyerror("'max-src-nodes' is "
2589 "'source-track global'");
2594 yyerror("'max-src-conn' is "
2596 "'source-track global'");
2601 yyerror("'max-src-conn-rate' is "
2603 "'source-track global'");
2628 if (!($5.redirspec->pool_opts.opts & PF_POOL_IPV6NH)) {
2629 decide_address_family($5.redirspec->host, &r.af);
2631 remove_invalid_hosts(&($5.redirspec->host), &r.af);
2632 if ($5.redirspec->host == NULL) {
2657 if ($9.divert.addr->af != r.af) {
2663 $9.divert.addr->addr.v.a.addr;
2678 r.naf = $9.nat->af;
2681 if (!r.af && ! $9.nat->host->ifindex)
2682 r.af = $9.nat->host->af;
2683 remove_invalid_hosts(&($9.nat->host), &r.af);
2684 if (invalid_redirect($9.nat->host, r.af))
2686 if ($9.nat->host->addr.type == PF_ADDR_DYNIFTL) {
2687 if (($9.nat->host = gen_dynnode($9.nat->host, r.af)) == NULL)
2690 if (check_netmask($9.nat->host, r.af))
2694 if (!r.af && ! $9.rdr->host->ifindex)
2695 r.af = $9.rdr->host->af;
2696 remove_invalid_hosts(&($9.rdr->host), &r.af);
2697 if (invalid_redirect($9.rdr->host, r.af))
2699 if ($9.rdr->host->addr.type == PF_ADDR_DYNIFTL) {
2700 if (($9.rdr->host = gen_dynnode($9.rdr->host, r.af)) == NULL)
2703 if (check_netmask($9.rdr->host, r.af))
2716 filter_opts.rtableid = -1;
2722 filter_opts.rtableid = -1;
2733 $2->tail->next = filter_opts.uid;
2738 $2->tail->next = filter_opts.gid;
2754 yyerror("icmp-type cannot be redefined");
2766 yyerror("prio must be 0 - %u", PF_PRIO_MAX);
2847 yyerror("cannot respecify received-on");
2851 filter_opts.rcv->not = $1;
2883 if ((filter_opts.divert.addr = host($2, pf->opts)) == NULL) {
2901 yyerror("divert-reply has no meaning in FreeBSD pf(4)");
2911 /* Old style rules are "scrub set-tos 0x42"
2927 yyerror("cannot respecify nat-to/binat-to");
2934 yyerror("cannot respecify rdr-to");
2941 yyerror("cannot respecify nat-to/binat-to");
2945 filter_opts.nat->binat = 1;
2946 filter_opts.nat->pool_opts.staticport = 1;
2950 yyerror("cannot respecify af-to");
2959 filter_opts.nat->af = $2;
2960 remove_invalid_hosts(&($4->host), &(filter_opts.nat->af));
2961 if ($4->host == NULL) {
2962 yyerror("af-to addresses must be in the "
2970 yyerror("cannot respecify af-to");
2978 filter_opts.nat->af = $2;
2980 filter_opts.rdr->af = $2;
2981 remove_invalid_hosts(&($4->host), &(filter_opts.nat->af));
2982 remove_invalid_hosts(&($6->host), &(filter_opts.rdr->af));
2983 if ($4->host == NULL || $6->host == NULL) {
2984 yyerror("af-to addresses must be in the "
2997 yyerror("cannot respecify max-pkt-rate");
3043 yyerror("prio must be 0 - %u", PF_PRIO_MAX);
3051 yyerror("prio must be 0 - %u", PF_PRIO_MAX);
3248 $1->tail->next = $3;
3249 $1->tail = $3;
3254 if_item_not : not if_item { $$ = $2; $$->not = $1; }
3263 if (strlcpy($$->ifname, $1, sizeof($$->ifname)) >=
3264 sizeof($$->ifname)) {
3272 $$->ifa_flags = n->ifa_flags;
3275 $$->not = 0;
3276 $$->next = NULL;
3277 $$->tail = $$;
3283 strlcpy($$->ifname, "any", sizeof($$->ifname));
3284 $$->not = 0;
3285 $$->next = NULL;
3286 $$->tail = $$;
3302 $1->tail->next = $3;
3303 $1->tail = $3;
3319 $$->proto = pr;
3320 $$->next = NULL;
3321 $$->tail = $$;
3352 $1->tail->next = $3;
3353 $1->tail = $3;
3369 $$->proto = pr;
3370 $$->next = NULL;
3371 $$->tail = $$;
3384 $$ = p->p_proto;
3400 $2.src.host->addr.type != PF_ADDR_ADDRMASK &&
3401 $2.src.host->addr.type != PF_ADDR_TABLE) {
3406 $2.dst.host->addr.type != PF_ADDR_ADDRMASK &&
3407 $2.dst.host->addr.type != PF_ADDR_TABLE) {
3463 for (n = $2; n != NULL; n = n->next)
3464 n->neg = $1;
3485 $1->tail->next = $3;
3486 $1->tail = $3->tail;
3514 $$->os = $1;
3515 $$->tail = $$;
3521 $1->tail->next = $3;
3522 $1->tail = $3;
3541 if (disallow_urpf_failed($2.host, "\"urpf-failed\" is "
3584 $1->tail->next = $3;
3585 $1->tail = $3->tail;
3594 for (n = $2; n != NULL; n = n->next)
3595 n->not = $1;
3602 $$->addr.type = PF_ADDR_NOROUTE;
3603 $$->next = NULL;
3604 $$->not = $1;
3605 $$->tail = $$;
3611 $$->addr.type = PF_ADDR_URPFFAILED;
3612 $$->next = NULL;
3613 $$->not = $1;
3614 $$->tail = $$;
3619 if (($$ = host($1, pf->opts)) == NULL) {
3628 | STRING '-' STRING {
3631 if ((b = host($1, pf->opts)) == NULL ||
3632 (e = host($3, pf->opts)) == NULL) {
3638 if (b->af != e->af ||
3639 b->addr.type != PF_ADDR_ADDRMASK ||
3640 e->addr.type != PF_ADDR_ADDRMASK ||
3641 unmask(&b->addr.v.a.mask) !=
3642 (b->af == AF_INET ? 32 : 128) ||
3643 unmask(&e->addr.v.a.mask) !=
3644 (e->af == AF_INET ? 32 : 128) ||
3645 b->next != NULL || b->not ||
3646 e->next != NULL || e->not) {
3654 memcpy(&b->addr.v.a.mask, &e->addr.v.a.addr,
3655 sizeof(b->addr.v.a.mask));
3656 b->addr.type = PF_ADDR_RANGE;
3665 if (asprintf(&buf, "%s/%lld", $1, (long long)$3) == -1)
3668 if (($$ = host(buf, pf->opts)) == NULL) {
3681 if (asprintf(&buf, "%lld/%lld", (long long)$1, (long long)$3) == -1)
3683 if (asprintf(&buf, "%lld/%lld", $1, $3) == -1)
3686 if (($$ = host(buf, pf->opts)) == NULL) {
3703 for (n = $1; n != NULL; n = n->next)
3715 $$->addr.type = PF_ADDR_TABLE;
3716 if (strlcpy($$->addr.v.tblname, $2,
3717 sizeof($$->addr.v.tblname)) >=
3718 sizeof($$->addr.v.tblname))
3721 $$->next = NULL;
3722 $$->tail = $$;
3730 if (atoul($1, &ulval) == -1) {
3767 if (flags & (flags - 1) & PFI_AFLAG_MODEMASK) {
3776 $$->af = 0;
3778 $$->addr.type = PF_ADDR_DYNIFTL;
3779 $$->addr.iflags = flags;
3780 if (strlcpy($$->addr.v.ifname, $2,
3781 sizeof($$->addr.v.ifname)) >=
3782 sizeof($$->addr.v.ifname)) {
3789 $$->next = NULL;
3790 $$->tail = $$;
3800 $1->tail->next = $3;
3801 $1->tail = $3;
3810 $$->port[0] = $1.a;
3811 $$->port[1] = $1.b;
3813 $$->op = PF_OP_RRG;
3814 if (validate_range($$->op, $$->port[0],
3815 $$->port[1])) {
3820 $$->op = PF_OP_EQ;
3821 $$->next = NULL;
3822 $$->tail = $$;
3833 $$->port[0] = $2.a;
3834 $$->port[1] = $2.b;
3835 $$->op = $1;
3836 if (validate_range($$->op, $$->port[0], $$->port[1])) {
3840 $$->next = NULL;
3841 $$->tail = $$;
3852 $$->port[0] = $1.a;
3853 $$->port[1] = $3.a;
3854 $$->op = $2;
3855 if (validate_range($$->op, $$->port[0], $$->port[1])) {
3859 $$->next = NULL;
3860 $$->tail = $$;
3865 if (parseport($1, &$$, 0) == -1) {
3874 if (parseport($1, &$$, PPORT_RANGE) == -1) {
3888 $1->tail->next = $3;
3889 $1->tail = $3;
3898 $$->uid[0] = $1;
3899 $$->uid[1] = $1;
3900 $$->op = PF_OP_EQ;
3901 $$->next = NULL;
3902 $$->tail = $$;
3905 if ($2 == -1 && $1 != PF_OP_EQ && $1 != PF_OP_NE) {
3913 $$->uid[0] = $2;
3914 $$->uid[1] = $2;
3915 $$->op = $1;
3916 $$->next = NULL;
3917 $$->tail = $$;
3920 if ($1 == -1 || $3 == -1) {
3928 $$->uid[0] = $1;
3929 $$->uid[1] = $3;
3930 $$->op = $2;
3931 $$->next = NULL;
3932 $$->tail = $$;
3938 $$ = -1;
3942 if (uid_from_user($1, &uid) == -1) {
3966 $1->tail->next = $3;
3967 $1->tail = $3;
3976 $$->gid[0] = $1;
3977 $$->gid[1] = $1;
3978 $$->op = PF_OP_EQ;
3979 $$->next = NULL;
3980 $$->tail = $$;
3983 if ($2 == -1 && $1 != PF_OP_EQ && $1 != PF_OP_NE) {
3991 $$->gid[0] = $2;
3992 $$->gid[1] = $2;
3993 $$->op = $1;
3994 $$->next = NULL;
3995 $$->tail = $$;
3998 if ($1 == -1 || $3 == -1) {
4006 $$->gid[0] = $1;
4007 $$->gid[1] = $3;
4008 $$->op = $2;
4009 $$->next = NULL;
4010 $$->tail = $$;
4016 $$ = -1;
4020 if (gid_from_group($1, &gid) == -1) {
4064 $1->tail->next = $3;
4065 $1->tail = $3;
4072 $1->tail->next = $3;
4073 $1->tail = $3;
4082 $$->type = $1;
4083 $$->code = 0;
4084 $$->proto = IPPROTO_ICMP;
4085 $$->next = NULL;
4086 $$->tail = $$;
4091 if ((p = geticmpcodebyname($1-1, $3, AF_INET)) == NULL) {
4092 yyerror("unknown icmp-code %s", $3);
4101 $$->type = $1;
4102 $$->code = p->code + 1;
4103 $$->proto = IPPROTO_ICMP;
4104 $$->next = NULL;
4105 $$->tail = $$;
4109 yyerror("illegal icmp-code %lu", $3);
4115 $$->type = $1;
4116 $$->code = $3 + 1;
4117 $$->proto = IPPROTO_ICMP;
4118 $$->next = NULL;
4119 $$->tail = $$;
4127 $$->type = $1;
4128 $$->code = 0;
4129 $$->proto = IPPROTO_ICMPV6;
4130 $$->next = NULL;
4131 $$->tail = $$;
4136 if ((p = geticmpcodebyname($1-1, $3, AF_INET6)) == NULL) {
4137 yyerror("unknown icmp6-code %s", $3);
4146 $$->type = $1;
4147 $$->code = p->code + 1;
4148 $$->proto = IPPROTO_ICMPV6;
4149 $$->next = NULL;
4150 $$->tail = $$;
4154 yyerror("illegal icmp-code %lu", $3);
4160 $$->type = $1;
4161 $$->code = $3 + 1;
4162 $$->proto = IPPROTO_ICMPV6;
4163 $$->next = NULL;
4164 $$->tail = $$;
4172 yyerror("unknown icmp-type %s", $1);
4176 $$ = p->type + 1;
4181 yyerror("illegal icmp-type %lu", $1);
4193 yyerror("unknown icmp6-type %s", $1);
4197 $$ = p->type + 1;
4202 yyerror("illegal icmp6-type %lu", $1);
4282 $1->tail->next = $3;
4283 $1->tail = $3;
4296 $$->type = PF_STATE_OPT_MAX;
4297 $$->data.max_states = $2;
4298 $$->next = NULL;
4299 $$->tail = $$;
4305 $$->type = PF_STATE_OPT_NOSYNC;
4306 $$->next = NULL;
4307 $$->tail = $$;
4317 $$->type = PF_STATE_OPT_MAX_SRC_STATES;
4318 $$->data.max_src_states = $2;
4319 $$->next = NULL;
4320 $$->tail = $$;
4330 $$->type = PF_STATE_OPT_MAX_SRC_CONN;
4331 $$->data.max_src_conn = $2;
4332 $$->next = NULL;
4333 $$->tail = $$;
4344 $$->type = PF_STATE_OPT_MAX_SRC_CONN_RATE;
4345 $$->data.max_src_conn_rate.limit = $2;
4346 $$->data.max_src_conn_rate.seconds = $4;
4347 $$->next = NULL;
4348 $$->tail = $$;
4359 if (strlcpy($$->data.overload.tblname, $3,
4363 $$->type = PF_STATE_OPT_OVERLOAD;
4364 $$->data.overload.flush = $5;
4365 $$->next = NULL;
4366 $$->tail = $$;
4376 $$->type = PF_STATE_OPT_MAX_SRC_NODES;
4377 $$->data.max_src_nodes = $2;
4378 $$->next = NULL;
4379 $$->tail = $$;
4385 $$->type = PF_STATE_OPT_SRCTRACK;
4386 $$->data.src_track = $1;
4387 $$->next = NULL;
4388 $$->tail = $$;
4394 $$->type = PF_STATE_OPT_STATELOCK;
4395 $$->data.statelock = $1;
4396 $$->next = NULL;
4397 $$->tail = $$;
4403 $$->type = PF_STATE_OPT_SLOPPY;
4404 $$->next = NULL;
4405 $$->tail = $$;
4411 $$->type = PF_STATE_OPT_PFLOW;
4412 $$->next = NULL;
4413 $$->tail = $$;
4419 $$->type = PF_STATE_OPT_ALLOW_RELATED;
4420 $$->next = NULL;
4421 $$->tail = $$;
4447 $$->type = PF_STATE_OPT_TIMEOUT;
4448 $$->data.timeout.number = pf_timeouts[i].timeout;
4449 $$->data.timeout.seconds = $2;
4450 $$->next = NULL;
4451 $$->tail = $$;
4487 if (parseport($1, &$$, PPORT_RANGE|PPORT_STAR) == -1) {
4501 $1->tail->next = $3;
4502 $1->tail = $3->tail;
4512 $$->host = $1;
4513 $$->pool_opts = $2;
4514 $$->rport.a = $$->rport.b = $$->rport.t = 0;
4524 $$->host = $1;
4525 $$->rport = $3;
4526 $$->pool_opts = $4;
4536 /* Redirection with interfaces and without ports: route-to rules */
4541 $$->host = $1;
4542 $$->pool_opts = $2;
4551 $$->key32[0] = arc4random();
4552 $$->key32[1] = arc4random();
4553 $$->key32[2] = arc4random();
4554 $$->key32[3] = arc4random();
4570 &$$->key32[0], &$$->key32[1],
4571 &$$->key32[2], &$$->key32[3]) != 4) {
4587 HTONL($$->key32[0]);
4588 HTONL($$->key32[1]);
4589 HTONL($$->key32[2]);
4590 HTONL($$->key32[3]);
4640 yyerror("static-port cannot be redefined");
4647 yyerror("sticky-address cannot be redefined");
4655 yyerror("endpoint-independent cannot be redefined");
4663 yyerror("prefer-ipv6-nexthop cannot be redefined");
4671 yyerror("map-e-portset cannot be redefined");
4675 yyerror("map-e-portset cannot be used with "
4680 yyerror("MAP-E PSID offset must be 1-15");
4684 yyerror("Invalid MAP-E PSID length");
4688 " you do not need MAP-E");
4692 yyerror("Invalid MAP-E PSID");
4706 $$->host = $2;
4707 $$->rport.a = $$->rport.b = $$->rport.t = 0;
4713 $$->host = $2;
4714 $$->rport = $4;
4770 if ($5.src.host && $5.src.host->af &&
4771 !$5.src.host->ifindex)
4772 r.af = $5.src.host->af;
4773 else if ($5.dst.host && $5.dst.host->af &&
4774 !$5.dst.host->ifindex)
4775 r.af = $5.dst.host->af;
4782 PF_TAG_NAME_SIZE - 1);
4790 PF_TAG_NAME_SIZE - 1);
4799 "does not need '->'");
4803 if ($9 == NULL || $9->host == NULL) {
4804 yyerror("translation rule requires '-> "
4808 if ($9->pool_opts.opts & PF_POOL_IPV6NH) {
4809 yyerror("The prefer-ipv6-nexthop option "
4814 if (!r.af && ! $9->host->ifindex)
4815 r.af = $9->host->af;
4817 remove_invalid_hosts(&$9->host, &r.af);
4818 if (invalid_redirect($9->host, r.af))
4820 if ($9->host->addr.type == PF_ADDR_DYNIFTL) {
4821 if (($9->host = gen_dynnode($9->host, r.af)) == NULL)
4824 if (check_netmask($9->host, r.af))
4830 switch (o->type) {
4840 o = o->next;
4857 if (disallow_urpf_failed($9, "\"urpf-failed\" is not "
4875 if (!binat.af && $8 != NULL && $8->af)
4876 binat.af = $8->af;
4877 if (!binat.af && $9 != NULL && $9->af)
4878 binat.af = $9->af;
4880 if (!binat.af && $13 != NULL && $13->host)
4881 binat.af = $13->host->af;
4889 memcpy(binat.ifname, $4->ifname,
4891 binat.ifnot = $4->not;
4899 PF_TAG_NAME_SIZE - 1);
4906 PF_TAG_NAME_SIZE - 1);
4913 binat.proto = $6->proto;
4924 if ($13 != NULL && $13->host != NULL && disallow_table(
4925 $13->host, "invalid use of table <%s> as the "
4928 if ($13 != NULL && $13->host != NULL && disallow_alias(
4929 $13->host, "invalid use of interface (%s) as the "
4934 if ($8->next) {
4938 if ($8->addr.type == PF_ADDR_DYNIFTL)
4939 $8->af = binat.af;
4940 if ($8->af != binat.af) {
4944 if ($8->addr.type == PF_ADDR_DYNIFTL) {
4950 memcpy(&binat.src.addr, &$8->addr,
4955 if ($9->next) {
4959 if ($9->af != binat.af && $9->af) {
4963 if ($9->addr.type == PF_ADDR_DYNIFTL) {
4969 memcpy(&binat.dst.addr, &$9->addr,
4971 binat.dst.neg = $9->not;
4978 " '->'");
4982 if ($13 == NULL || $13->host == NULL) {
4984 " '-> address'");
4988 remove_invalid_hosts(&$13->host, &binat.af);
4989 if (invalid_redirect($13->host, binat.af))
4991 if ($13->host->next != NULL) {
4996 if ($13->host->addr.type == PF_ADDR_DYNIFTL) {
4997 if (($13->host = gen_dynnode($13->host, binat.af)) == NULL)
5000 if (check_netmask($13->host, binat.af))
5006 &$13->host->addr.v.a.mask, binat.af)) {
5015 pa->addr = $13->host->addr;
5016 pa->ifname[0] = 0;
5017 pa->af = $13->host->af;
5036 rtable : /* empty */ { $$ = -1; }
5054 $$->ifname = strdup($1);
5056 $$->next = NULL;
5057 $$->tail = $$;
5063 for (n = $3; n != NULL; n = n->next) {
5068 n->ifname = strdup($2);
5075 $1->tail->next = $3;
5076 $1->tail = $3->tail;
5089 /* backwards-compat */
5195 file->errors++;
5197 fprintf(stderr, "%s:%d: ", file->name, yylval.lineno);
5220 for (; h != NULL; h = h->next) in disallow_table()
5221 if (h->addr.type == PF_ADDR_TABLE) { in disallow_table()
5222 yyerror(fmt, h->addr.v.tblname); in disallow_table()
5231 for (; h != NULL; h = h->next) in disallow_urpf_failed()
5232 if (h->addr.type == PF_ADDR_URPFFAILED) { in disallow_urpf_failed()
5242 for (; h != NULL; h = h->next) in disallow_alias()
5243 if (DYNIF_MULTIADDR(h->addr)) { in disallow_alias()
5244 yyerror(fmt, h->addr.v.tblname); in disallow_alias()
5255 switch (r->action) { in rule_consistent()
5284 if (r->proto != IPPROTO_TCP && r->proto != IPPROTO_UDP && in filter_consistent()
5285 r->proto != IPPROTO_SCTP && in filter_consistent()
5286 (r->src.port_op || r->dst.port_op)) { in filter_consistent()
5290 if (r->proto != IPPROTO_ICMP && r->proto != IPPROTO_ICMPV6 && in filter_consistent()
5291 (r->type || r->code)) { in filter_consistent()
5292 yyerror("icmp-type/code only applies to icmp"); in filter_consistent()
5295 if (!r->af && (r->type || r->code)) { in filter_consistent()
5296 yyerror("must indicate address family with icmp-type/code"); in filter_consistent()
5299 if (r->rule_flag & PFRULE_AFTO && r->af == r->naf) { in filter_consistent()
5300 yyerror("must indicate different address family with af-to"); in filter_consistent()
5303 if (r->overload_tblname[0] && in filter_consistent()
5304 r->max_src_conn == 0 && r->max_src_conn_rate.seconds == 0) { in filter_consistent()
5305 yyerror("'overload' requires 'max-src-conn' " in filter_consistent()
5306 "or 'max-src-conn-rate'"); in filter_consistent()
5309 if ((r->proto == IPPROTO_ICMP && r->af == AF_INET6) || in filter_consistent()
5310 (r->proto == IPPROTO_ICMPV6 && r->af == AF_INET)) { in filter_consistent()
5312 r->proto == IPPROTO_ICMP ? "icmp" : "icmp6", in filter_consistent()
5313 r->af == AF_INET ? "inet" : "inet6"); in filter_consistent()
5316 if (r->allow_opts && r->action != PF_PASS && r->action != PF_MATCH) { in filter_consistent()
5317 yyerror("allow-opts can only be specified for pass or " in filter_consistent()
5321 if (r->rule_flag & PFRULE_FRAGMENT && (r->src.port_op || in filter_consistent()
5322 r->dst.port_op || r->flagset || r->type || r->code)) { in filter_consistent()
5326 if (r->rule_flag & PFRULE_RETURNRST && r->proto != IPPROTO_TCP) { in filter_consistent()
5327 yyerror("return-rst can only be applied to TCP rules"); in filter_consistent()
5330 if (r->max_src_nodes && !(r->rule_flag & PFRULE_RULESRCTRACK)) { in filter_consistent()
5331 yyerror("max-src-nodes requires 'source-track rule'"); in filter_consistent()
5334 if (r->action != PF_PASS && r->keep_state) { in filter_consistent()
5338 if (r->rule_flag & PFRULE_STATESLOPPY && in filter_consistent()
5339 (r->keep_state == PF_STATE_MODULATE || in filter_consistent()
5340 r->keep_state == PF_STATE_SYNPROXY)) { in filter_consistent()
5345 if ((r->keep_state == PF_STATE_SYNPROXY) && (r->direction != PF_IN)) in filter_consistent()
5348 "ignored for outbound\n", file->name, yylval.lineno); in filter_consistent()
5349 if (r->rule_flag & PFRULE_AFTO && r->rt) { in filter_consistent()
5350 if (r->rt != PF_ROUTETO && r->rt != PF_REPLYTO) { in filter_consistent()
5351 yyerror("dup-to " in filter_consistent()
5352 "must not be used on af-to rules"); in filter_consistent()
5357 switch (r->action) { in filter_consistent()
5359 if (r->divert.port) { in filter_consistent()
5363 if (r->rt) { in filter_consistent()
5364 yyerror("route-to, reply-to, dup-to and fastroute " in filter_consistent()
5368 if (r->rule_flag & PFRULE_AFTO) { in filter_consistent()
5369 yyerror("af-to is not supported on match rules"); in filter_consistent()
5374 if (r->rt) { in filter_consistent()
5375 yyerror("route-to, reply-to and dup-to " in filter_consistent()
5382 if (!TAILQ_EMPTY(&(r->nat.list)) || !TAILQ_EMPTY(&(r->rdr.list))) { in filter_consistent()
5383 if (r->action != PF_MATCH && !r->keep_state) { in filter_consistent()
5384 yyerror("nat-to and rdr-to require keep state"); in filter_consistent()
5387 if (r->direction == PF_INOUT) { in filter_consistent()
5388 yyerror("nat-to and rdr-to require a direction"); in filter_consistent()
5392 if (r->route.opts & PF_POOL_STICKYADDR && !r->keep_state) { in filter_consistent()
5393 yyerror("'sticky-address' requires 'keep state'"); in filter_consistent()
5395 return (-problems); in filter_consistent()
5409 if (r->proto != IPPROTO_TCP && r->proto != IPPROTO_UDP && in rdr_consistent()
5410 r->proto != IPPROTO_SCTP) { in rdr_consistent()
5411 if (r->src.port_op) { in rdr_consistent()
5415 if (r->dst.port_op) { in rdr_consistent()
5419 if (r->rdr.proxy_port[0]) { in rdr_consistent()
5424 if (r->dst.port_op && in rdr_consistent()
5425 r->dst.port_op != PF_OP_EQ && r->dst.port_op != PF_OP_RRG) { in rdr_consistent()
5429 return (-problems); in rdr_consistent()
5443 SIMPLEQ_FOREACH(ti, &opts->init_nodes, entries) { in process_tabledef()
5444 if (ti->file) in process_tabledef()
5445 if (pfr_buf_load(&ab, ti->file, 0, append_addr, popts)) { in process_tabledef()
5448 ti->file, strerror(errno)); in process_tabledef()
5451 ti->file); in process_tabledef()
5454 if (ti->host) in process_tabledef()
5455 if (append_addr_host(&ab, ti->host, 0, 0)) { in process_tabledef()
5461 if (pf->opts & PF_OPT_VERBOSE) in process_tabledef()
5462 print_tabledef(name, opts->flags, opts->init_addr, in process_tabledef()
5463 &opts->init_nodes); in process_tabledef()
5464 if (!(pf->opts & PF_OPT_NOACTION) || in process_tabledef()
5465 (pf->opts & PF_OPT_DUMMYACTION)) in process_tabledef()
5466 warn_duplicate_tables(name, pf->anchor->path); in process_tabledef()
5467 else if (pf->opts & PF_OPT_VERBOSE) in process_tabledef()
5469 " for <%s>\n", file->name, yylval.lineno, name); in process_tabledef()
5471 * postpone definition of non-root tables to moment in process_tabledef()
5474 if (pf->asd > 0) { in process_tabledef()
5478 "%s:%d: not enough memory for <%s>\n", file->name, in process_tabledef()
5484 if (!(pf->opts & PF_OPT_NOACTION) && in process_tabledef()
5485 pfctl_define_table(name, opts->flags, opts->init_addr, in process_tabledef()
5486 pf->anchor->path, &ab, pf->anchor->ruleset.tticket, ukt)) { in process_tabledef()
5489 NULL, 0) == -1) in process_tabledef()
5504 ukt->pfrukt_init_addr = opts->init_addr; in process_tabledef()
5506 &ukt->pfrukt_kt) != NULL) { in process_tabledef()
5514 file->name, yylval.lineno, in process_tabledef()
5515 ukt->pfrukt_name, pf->anchor->path); in process_tabledef()
5520 __func__, ukt->pfrukt_name, pf->anchor->path); in process_tabledef()
5524 pf->tdirty = 1; in process_tabledef()
5529 return (-1); in process_tabledef()
5544 node = node->next; \
5556 r->next = NULL; \
5563 n = n->next; \
5608 switch (addr->addr.type) { in expand_label_addr()
5610 snprintf(tmp, sizeof(tmp), "(%s)", addr->addr.v.ifname); in expand_label_addr()
5613 snprintf(tmp, sizeof(tmp), "<%s>", addr->addr.v.tblname); in expand_label_addr()
5616 snprintf(tmp, sizeof(tmp), "no-route"); in expand_label_addr()
5619 snprintf(tmp, sizeof(tmp), "urpf-failed"); in expand_label_addr()
5622 if (!af || (PF_AZERO(&addr->addr.v.a.addr, af) && in expand_label_addr()
5623 PF_AZERO(&addr->addr.v.a.mask, af))) in expand_label_addr()
5629 if (inet_ntop(af, &addr->addr.v.a.addr, a, in expand_label_addr()
5633 bits = unmask(&addr->addr.v.a.mask); in expand_label_addr()
5649 if (addr->neg) { in expand_label_addr()
5664 snprintf(a1, sizeof(a1), "%u", ntohs(addr->port[0])); in expand_label_port()
5665 snprintf(a2, sizeof(a2), "%u", ntohs(addr->port[1])); in expand_label_port()
5666 if (!addr->port_op) in expand_label_port()
5668 else if (addr->port_op == PF_OP_IRG) in expand_label_port()
5670 else if (addr->port_op == PF_OP_XRG) in expand_label_port()
5672 else if (addr->port_op == PF_OP_EQ) in expand_label_port()
5674 else if (addr->port_op == PF_OP_NE) in expand_label_port()
5676 else if (addr->port_op == PF_OP_LT) in expand_label_port()
5678 else if (addr->port_op == PF_OP_LE) in expand_label_port()
5680 else if (addr->port_op == PF_OP_GT) in expand_label_port()
5682 else if (addr->port_op == PF_OP_GE) in expand_label_port()
5712 snprintf(n, sizeof(n), "%u", r->nr); in expand_label_nr()
5720 expand_label_if("$if", label, len, r->ifname); in expand_label()
5721 expand_label_addr("$srcaddr", label, len, r->af, &r->src); in expand_label()
5722 expand_label_addr("$dstaddr", label, len, r->af, &r->dst); in expand_label()
5723 expand_label_port("$srcport", label, len, &r->src); in expand_label()
5724 expand_label_port("$dstport", label, len, &r->dst); in expand_label()
5725 expand_label_proto("$proto", label, len, r->proto); in expand_label()
5740 if ((pf->loadopt & PFCTL_FLAG_ALTQ) == 0) { in expand_altq()
5749 if (strlcpy(pa.ifname, interface->ifname, in expand_altq()
5753 if (interface->not) { in expand_altq()
5763 if (pf->opts & PF_OPT_VERBOSE) { in expand_altq()
5764 print_altq(&pf->paltq->altq, 0, in expand_altq()
5766 if (nqueues && nqueues->tail) { in expand_altq()
5771 queue->queue); in expand_altq()
5786 if (strlcat(qname, interface->ifname, in expand_altq()
5792 if (strlcpy(pb.ifname, interface->ifname, in expand_altq()
5813 if (strlcpy(n->parent, qname, in expand_altq()
5814 sizeof(n->parent)) >= in expand_altq()
5815 sizeof(n->parent)) in expand_altq()
5817 if (strlcpy(n->queue, queue->queue, in expand_altq()
5818 sizeof(n->queue)) >= sizeof(n->queue)) in expand_altq()
5820 if (strlcpy(n->ifname, interface->ifname, in expand_altq()
5821 sizeof(n->ifname)) >= sizeof(n->ifname)) in expand_altq()
5823 n->scheduler = pa.scheduler; in expand_altq()
5824 n->next = NULL; in expand_altq()
5825 n->tail = n; in expand_altq()
5829 queues->tail->next = n; in expand_altq()
5830 queues->tail = n; in expand_altq()
5852 if ((pf->loadopt & PFCTL_FLAG_ALTQ) == 0) { in expand_queue()
5858 yyerror("queue %s has no parent", a->qname); in expand_queue()
5865 if (!strncmp(a->qname, tqueue->queue, PF_QNAME_SIZE) && in expand_queue()
5866 (interface->ifname[0] == 0 || in expand_queue()
5867 (!interface->not && !strncmp(interface->ifname, in expand_queue()
5868 tqueue->ifname, IFNAMSIZ)) || in expand_queue()
5869 (interface->not && strncmp(interface->ifname, in expand_queue()
5870 tqueue->ifname, IFNAMSIZ)))) { in expand_queue()
5877 pa.scheduler != tqueue->scheduler) { in expand_queue()
5882 pa.scheduler = tqueue->scheduler; in expand_queue()
5903 if (strlcpy(pa.ifname, tqueue->ifname, in expand_queue()
5906 if (strlcpy(pa.parent, tqueue->parent, in expand_queue()
5916 for (nq = nqueues; nq != NULL; nq = nq->next) { in expand_queue()
5917 if (!strcmp(a->qname, nq->queue)) { in expand_queue()
5927 if (strlcpy(n->parent, a->qname, in expand_queue()
5928 sizeof(n->parent)) >= in expand_queue()
5929 sizeof(n->parent)) in expand_queue()
5931 if (strlcpy(n->queue, nq->queue, in expand_queue()
5932 sizeof(n->queue)) >= in expand_queue()
5933 sizeof(n->queue)) in expand_queue()
5935 if (strlcpy(n->ifname, tqueue->ifname, in expand_queue()
5936 sizeof(n->ifname)) >= in expand_queue()
5937 sizeof(n->ifname)) in expand_queue()
5939 n->scheduler = tqueue->scheduler; in expand_queue()
5940 n->next = NULL; in expand_queue()
5941 n->tail = n; in expand_queue()
5945 queues->tail->next = n; in expand_queue()
5946 queues->tail = n; in expand_queue()
5949 if ((pf->opts & PF_OPT_VERBOSE) && ( in expand_queue()
5950 (found == 1 && interface->ifname[0] == 0) || in expand_queue()
5951 (found > 0 && interface->ifname[0] != 0))) { in expand_queue()
5952 print_queue(&pf->paltq->altq, 0, in expand_queue()
5953 &bwspec, interface->ifname[0] != 0, in expand_queue()
5955 if (nqueues && nqueues->tail) { in expand_queue()
5960 queue->queue); in expand_queue()
5974 yyerror("queue %s has no parent", a->qname); in expand_queue()
6006 if (strlcpy(tagname, r->tagname, sizeof(tagname)) >= sizeof(tagname)) in expand_eth_rule()
6008 if (strlcpy(match_tagname, r->match_tagname, sizeof(match_tagname)) >= in expand_eth_rule()
6011 if (strlcpy(qname, r->qname, sizeof(qname)) >= sizeof(qname)) in expand_eth_rule()
6020 strlcpy(r->ifname, interface->ifname, in expand_eth_rule()
6021 sizeof(r->ifname)); in expand_eth_rule()
6022 r->ifnot = interface->not; in expand_eth_rule()
6023 r->proto = proto->proto; in expand_eth_rule()
6024 if (!r->proto && ipsrc->af) in expand_eth_rule()
6025 r->proto = pf_af_to_proto(ipsrc->af); in expand_eth_rule()
6026 else if (!r->proto && ipdst->af) in expand_eth_rule()
6027 r->proto = pf_af_to_proto(ipdst->af); in expand_eth_rule()
6028 bcopy(src->mac, r->src.addr, ETHER_ADDR_LEN); in expand_eth_rule()
6029 bcopy(src->mask, r->src.mask, ETHER_ADDR_LEN); in expand_eth_rule()
6030 r->src.neg = src->neg; in expand_eth_rule()
6031 r->src.isset = src->isset; in expand_eth_rule()
6032 r->ipsrc.addr = ipsrc->addr; in expand_eth_rule()
6033 r->ipsrc.neg = ipsrc->not; in expand_eth_rule()
6034 r->ipdst.addr = ipdst->addr; in expand_eth_rule()
6035 r->ipdst.neg = ipdst->not; in expand_eth_rule()
6036 bcopy(dst->mac, r->dst.addr, ETHER_ADDR_LEN); in expand_eth_rule()
6037 bcopy(dst->mask, r->dst.mask, ETHER_ADDR_LEN); in expand_eth_rule()
6038 r->dst.neg = dst->neg; in expand_eth_rule()
6039 r->dst.isset = dst->isset; in expand_eth_rule()
6040 r->nr = pf->eastack[pf->asd]->match++; in expand_eth_rule()
6042 if (strlcpy(r->tagname, tagname, sizeof(r->tagname)) >= in expand_eth_rule()
6043 sizeof(r->tagname)) in expand_eth_rule()
6044 errx(1, "%s: r->tagname", __func__); in expand_eth_rule()
6045 if (strlcpy(r->match_tagname, match_tagname, in expand_eth_rule()
6046 sizeof(r->match_tagname)) >= sizeof(r->match_tagname)) in expand_eth_rule()
6047 errx(1, "%s: r->match_tagname", __func__); in expand_eth_rule()
6048 if (strlcpy(r->qname, qname, sizeof(r->qname)) >= sizeof(r->qname)) in expand_eth_rule()
6049 errx(1, "%s: r->qname", __func__); in expand_eth_rule()
6052 strlcpy(r->bridge_to, bridge_to, sizeof(r->bridge_to)); in expand_eth_rule()
6071 rpool->proxy_port[0] = ntohs(rs->rport.a); in apply_rdr_ports()
6073 if (!rs->rport.b && rs->rport.t) { in apply_rdr_ports()
6074 rpool->proxy_port[1] = ntohs(rs->rport.a) + in apply_rdr_ports()
6075 (ntohs(r->dst.port[1]) - ntohs(r->dst.port[0])); in apply_rdr_ports()
6077 if (validate_range(rs->rport.t, rs->rport.a, in apply_rdr_ports()
6078 rs->rport.b)) { in apply_rdr_ports()
6079 yyerror("invalid rdr-to port range"); in apply_rdr_ports()
6082 r->rdr.proxy_port[1] = ntohs(rs->rport.b); in apply_rdr_ports()
6085 if (rs->pool_opts.staticport) { in apply_rdr_ports()
6086 yyerror("the 'static-port' option is only valid with nat rules"); in apply_rdr_ports()
6090 if (rs->pool_opts.mape.offset) { in apply_rdr_ports()
6091 yyerror("the 'map-e-portset' option is only valid with nat rules"); in apply_rdr_ports()
6104 rpool->proxy_port[0] = ntohs(rs->rport.a); in apply_nat_ports()
6105 rpool->proxy_port[1] = ntohs(rs->rport.b); in apply_nat_ports()
6106 if (!rpool->proxy_port[0] && !rpool->proxy_port[1]) { in apply_nat_ports()
6107 rpool->proxy_port[0] = PF_NAT_PROXY_PORT_LOW; in apply_nat_ports()
6108 rpool->proxy_port[1] = PF_NAT_PROXY_PORT_HIGH; in apply_nat_ports()
6109 } else if (!rpool->proxy_port[1]) in apply_nat_ports()
6110 rpool->proxy_port[1] = rpool->proxy_port[0]; in apply_nat_ports()
6112 if (rs->pool_opts.staticport) { in apply_nat_ports()
6113 if (rpool->proxy_port[0] != PF_NAT_PROXY_PORT_LOW && in apply_nat_ports()
6114 rpool->proxy_port[1] != PF_NAT_PROXY_PORT_HIGH) { in apply_nat_ports()
6115 yyerror("the 'static-port' option can't" in apply_nat_ports()
6120 rpool->proxy_port[0] = 0; in apply_nat_ports()
6121 rpool->proxy_port[1] = 0; in apply_nat_ports()
6124 if (rs->pool_opts.mape.offset) { in apply_nat_ports()
6125 if (rs->pool_opts.staticport) { in apply_nat_ports()
6126 yyerror("the 'map-e-portset' option" in apply_nat_ports()
6127 " can't be used 'static-port'"); in apply_nat_ports()
6130 if (rpool->proxy_port[0] != PF_NAT_PROXY_PORT_LOW && in apply_nat_ports()
6131 rpool->proxy_port[1] != PF_NAT_PROXY_PORT_HIGH) { in apply_nat_ports()
6132 yyerror("the 'map-e-portset' option" in apply_nat_ports()
6137 rpool->mape = rs->pool_opts.mape; in apply_nat_ports()
6152 rpool->opts = rs->pool_opts.type; in apply_redirspec()
6154 if ((rpool->opts & PF_POOL_TYPEMASK) == PF_POOL_NONE && in apply_redirspec()
6155 (rs->host->next != NULL || in apply_redirspec()
6156 rs->host->addr.type == PF_ADDR_TABLE || in apply_redirspec()
6157 DYNIF_MULTIADDR(rs->host->addr))) in apply_redirspec()
6158 rpool->opts = PF_POOL_ROUNDROBIN; in apply_redirspec()
6160 if (!PF_POOL_DYNTYPE(rpool->opts) && in apply_redirspec()
6161 (disallow_table(rs->host, "tables are not supported by pool type") || in apply_redirspec()
6162 disallow_alias(rs->host, "interface (%s) is not supported by pool type"))) in apply_redirspec()
6165 if (rs->host->next != NULL && in apply_redirspec()
6166 ((rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_ROUNDROBIN)) { in apply_redirspec()
6171 if (rs->host->next != NULL) { in apply_redirspec()
6172 if ((rpool->opts & PF_POOL_TYPEMASK) != in apply_redirspec()
6174 yyerror("only round-robin valid for multiple " in apply_redirspec()
6180 rpool->opts |= rs->pool_opts.opts; in apply_redirspec()
6182 if (rs->pool_opts.key != NULL) in apply_redirspec()
6183 memcpy(&(rpool->key), rs->pool_opts.key, in apply_redirspec()
6186 for (h = rs->host; h != NULL; h = h->next) { in apply_redirspec()
6190 pa->addr = h->addr; in apply_redirspec()
6191 pa->af = h->af; in apply_redirspec()
6192 if (h->ifname != NULL) { in apply_redirspec()
6193 if (strlcpy(pa->ifname, h->ifname, in apply_redirspec()
6194 sizeof(pa->ifname)) >= sizeof(pa->ifname)) in apply_redirspec()
6197 pa->ifname[0] = 0; in apply_redirspec()
6198 TAILQ_INSERT_TAIL(&(rpool->list), pa, entries); in apply_redirspec()
6208 struct pfctl_pooladdr *nat_pool = TAILQ_FIRST(&(r->nat.list)); in check_binat_redirspec()
6213 * syntax "{ (iface1 host1), (iface2 iface2) }" is allowed for route-to in check_binat_redirspec()
6214 * redirection. Add a FreeBSD-specific guard against using multiple in check_binat_redirspec()
6217 if (src_host->next) { in check_binat_redirspec()
6219 "of a binat-to rule"); in check_binat_redirspec()
6224 "address of a binat-to rule"); in check_binat_redirspec()
6229 "<%s> as the source address of a binat-to rule") || in check_binat_redirspec()
6231 "(%s) as the source address of a binat-to rule")) { in check_binat_redirspec()
6233 } else if ((r->src.addr.type != PF_ADDR_ADDRMASK && in check_binat_redirspec()
6234 r->src.addr.type != PF_ADDR_DYNIFTL) || in check_binat_redirspec()
6235 (nat_pool->addr.type != PF_ADDR_ADDRMASK && in check_binat_redirspec()
6236 nat_pool->addr.type != PF_ADDR_DYNIFTL)) { in check_binat_redirspec()
6237 yyerror("binat-to requires a specified " in check_binat_redirspec()
6241 if (DYNIF_MULTIADDR(r->src.addr) || in check_binat_redirspec()
6242 DYNIF_MULTIADDR(nat_pool->addr)) { in check_binat_redirspec()
6244 "used with:0 in a binat-to rule"); in check_binat_redirspec()
6247 if (PF_AZERO(&r->src.addr.v.a.mask, af) || in check_binat_redirspec()
6248 PF_AZERO(&(nat_pool->addr.v.a.mask), af)) { in check_binat_redirspec()
6250 "a matching network mask in binat-rule"); in check_binat_redirspec()
6253 if (nat_pool->addr.type == PF_ADDR_TABLE) { in check_binat_redirspec()
6255 "address of a binat-to rule"); in check_binat_redirspec()
6258 if (r->direction != PF_INOUT) { in check_binat_redirspec()
6259 yyerror("binat-to cannot be specified " in check_binat_redirspec()
6265 r->direction = PF_OUT; in check_binat_redirspec()
6280 * We're copying the whole rule, but we must re-init redir pools. in add_binat_rdr_rule()
6284 TAILQ_INIT(&(rdr_rule->rdr.list)); in add_binat_rdr_rule()
6285 TAILQ_INIT(&(rdr_rule->nat.list)); in add_binat_rdr_rule()
6288 rdr_rule->direction = PF_IN; in add_binat_rdr_rule()
6293 rdr_src_host->ifname = NULL; in add_binat_rdr_rule()
6294 rdr_src_host->next = NULL; in add_binat_rdr_rule()
6295 rdr_src_host->tail = NULL; in add_binat_rdr_rule()
6299 bcopy(&(binat_nat_redirspec->host->addr), &((*rdr_dst_host)->addr), in add_binat_rdr_rule()
6300 sizeof((*rdr_dst_host)->addr)); in add_binat_rdr_rule()
6301 (*rdr_dst_host)->ifname = NULL; in add_binat_rdr_rule()
6302 (*rdr_dst_host)->next = NULL; in add_binat_rdr_rule()
6303 (*rdr_dst_host)->tail = NULL; in add_binat_rdr_rule()
6308 (*rdr_redirspec)->pool_opts.staticport = 0; in add_binat_rdr_rule()
6309 (*rdr_redirspec)->host = rdr_src_host; in add_binat_rdr_rule()
6322 sa_family_t af = r->af; in expand_rule()
6331 memcpy(label, r->label, sizeof(r->label)); in expand_rule()
6332 assert(sizeof(r->label) == sizeof(label)); in expand_rule()
6333 if (strlcpy(tagname, r->tagname, sizeof(tagname)) >= sizeof(tagname)) in expand_rule()
6335 if (strlcpy(match_tagname, r->match_tagname, sizeof(match_tagname)) >= in expand_rule()
6338 flags = r->flags; in expand_rule()
6339 flagset = r->flagset; in expand_rule()
6340 keep_state = r->keep_state; in expand_rule()
6353 r->af = af; in expand_rule()
6355 if (r->rule_flag & PFRULE_AFTO) { in expand_rule()
6357 r->naf = nat->af; in expand_rule()
6360 /* for link-local IPv6 address, interface must match up */ in expand_rule()
6361 if ((r->af && src_host->af && r->af != src_host->af) || in expand_rule()
6362 (r->af && dst_host->af && r->af != dst_host->af) || in expand_rule()
6363 (src_host->af && dst_host->af && in expand_rule()
6364 src_host->af != dst_host->af) || in expand_rule()
6365 (src_host->ifindex && dst_host->ifindex && in expand_rule()
6366 src_host->ifindex != dst_host->ifindex) || in expand_rule()
6367 (src_host->ifindex && *interface->ifname && in expand_rule()
6368 src_host->ifindex != ifa_nametoindex(interface->ifname)) || in expand_rule()
6369 (dst_host->ifindex && *interface->ifname && in expand_rule()
6370 dst_host->ifindex != ifa_nametoindex(interface->ifname))) in expand_rule()
6372 if (!r->af && src_host->af) in expand_rule()
6373 r->af = src_host->af; in expand_rule()
6374 else if (!r->af && dst_host->af) in expand_rule()
6375 r->af = dst_host->af; in expand_rule()
6377 if (*interface->ifname) in expand_rule()
6378 strlcpy(r->ifname, interface->ifname, in expand_rule()
6379 sizeof(r->ifname)); in expand_rule()
6380 else if (ifa_indextoname(src_host->ifindex, ifname)) in expand_rule()
6381 strlcpy(r->ifname, ifname, sizeof(r->ifname)); in expand_rule()
6382 else if (ifa_indextoname(dst_host->ifindex, ifname)) in expand_rule()
6383 strlcpy(r->ifname, ifname, sizeof(r->ifname)); in expand_rule()
6385 memset(r->ifname, '\0', sizeof(r->ifname)); in expand_rule()
6387 memcpy(r->label, label, sizeof(r->label)); in expand_rule()
6388 if (strlcpy(r->tagname, tagname, sizeof(r->tagname)) >= in expand_rule()
6389 sizeof(r->tagname)) in expand_rule()
6391 if (strlcpy(r->match_tagname, match_tagname, in expand_rule()
6392 sizeof(r->match_tagname)) >= sizeof(r->match_tagname)) in expand_rule()
6396 if (src_host->addr.type == PF_ADDR_DYNIFTL) { in expand_rule()
6398 if ((src_host = gen_dynnode(src_host, r->af)) == NULL) in expand_rule()
6401 if (dst_host->addr.type == PF_ADDR_DYNIFTL) { in expand_rule()
6403 if ((dst_host = gen_dynnode(dst_host, r->af)) == NULL) in expand_rule()
6407 error += check_netmask(src_host, r->af); in expand_rule()
6408 error += check_netmask(dst_host, r->af); in expand_rule()
6410 r->ifnot = interface->not; in expand_rule()
6411 r->proto = proto->proto; in expand_rule()
6412 r->src.addr = src_host->addr; in expand_rule()
6413 r->src.neg = src_host->not; in expand_rule()
6414 r->src.port[0] = src_port->port[0]; in expand_rule()
6415 r->src.port[1] = src_port->port[1]; in expand_rule()
6416 r->src.port_op = src_port->op; in expand_rule()
6417 r->dst.addr = dst_host->addr; in expand_rule()
6418 r->dst.neg = dst_host->not; in expand_rule()
6419 r->dst.port[0] = dst_port->port[0]; in expand_rule()
6420 r->dst.port[1] = dst_port->port[1]; in expand_rule()
6421 r->dst.port_op = dst_port->op; in expand_rule()
6422 r->uid.op = uid->op; in expand_rule()
6423 r->uid.uid[0] = uid->uid[0]; in expand_rule()
6424 r->uid.uid[1] = uid->uid[1]; in expand_rule()
6425 r->gid.op = gid->op; in expand_rule()
6426 r->gid.gid[0] = gid->gid[0]; in expand_rule()
6427 r->gid.gid[1] = gid->gid[1]; in expand_rule()
6429 strlcpy(r->rcv_ifname, rcv->ifname, in expand_rule()
6430 sizeof(r->rcv_ifname)); in expand_rule()
6431 r->rcvifnot = rcv->not; in expand_rule()
6433 r->type = icmp_type->type; in expand_rule()
6434 r->code = icmp_type->code; in expand_rule()
6438 r->proto && r->proto != IPPROTO_TCP) in expand_rule()
6439 r->keep_state = PF_STATE_NORMAL; in expand_rule()
6441 r->keep_state = keep_state; in expand_rule()
6443 if (r->proto && r->proto != IPPROTO_TCP) { in expand_rule()
6444 r->flags = 0; in expand_rule()
6445 r->flagset = 0; in expand_rule()
6447 r->flags = flags; in expand_rule()
6448 r->flagset = flagset; in expand_rule()
6450 if (icmp_type->proto && r->proto != icmp_type->proto) { in expand_rule()
6451 yyerror("icmp-type mismatch"); in expand_rule()
6455 if (src_os && src_os->os) { in expand_rule()
6456 r->os_fingerprint = pfctl_get_fingerprint(src_os->os); in expand_rule()
6457 if ((pf->opts & PF_OPT_VERBOSE2) && in expand_rule()
6458 r->os_fingerprint == PF_OSFP_NOMATCH) in expand_rule()
6461 src_os->os); in expand_rule()
6463 r->os_fingerprint = PF_OSFP_ANY; in expand_rule()
6466 if (r->action == PF_RDR) { in expand_rule()
6467 /* Pre-FreeBSD 15 "rdr" rule */ in expand_rule()
6468 error += apply_rdr_ports(r, &(r->rdr), rdr); in expand_rule()
6469 error += apply_redirspec(&(r->rdr), rdr); in expand_rule()
6470 } else if (r->action == PF_NAT) { in expand_rule()
6471 /* Pre-FreeBSD 15 "nat" rule */ in expand_rule()
6472 error += apply_nat_ports(&(r->rdr), rdr); in expand_rule()
6473 error += apply_redirspec(&(r->rdr), rdr); in expand_rule()
6476 error += apply_redirspec(&(r->route), route); in expand_rule()
6478 error += apply_nat_ports(&(r->nat), nat); in expand_rule()
6479 error += apply_redirspec(&(r->nat), nat); in expand_rule()
6480 error += apply_rdr_ports(r, &(r->rdr), rdr); in expand_rule()
6481 error += apply_redirspec(&(r->rdr), rdr); in expand_rule()
6483 if (nat && nat->binat) in expand_rule()
6490 r->nr = pf->astack[pf->asd]->match++; in expand_rule()
6496 if (!error && nat && nat->binat) { in expand_rule()
6510 if (osrch && src_host->addr.type == PF_ADDR_DYNIFTL) { in expand_rule()
6514 if (odsth && dst_host->addr.type == PF_ADDR_DYNIFTL) { in expand_rule()
6533 FREE_LIST(struct node_host, nat->host); in expand_rule()
6537 FREE_LIST(struct node_host, rdr->host); in expand_rule()
6541 FREE_LIST(struct node_host, route->host); in expand_rule()
6555 if (!interfaces || (!interfaces->next && !interfaces->not && in expand_skip_interface()
6556 !strcmp(interfaces->ifname, "none"))) { in expand_skip_interface()
6557 if (pf->opts & PF_OPT_VERBOSE) in expand_skip_interface()
6563 if (pf->opts & PF_OPT_VERBOSE) in expand_skip_interface()
6566 if (pf->opts & PF_OPT_VERBOSE) in expand_skip_interface()
6567 printf(" %s", interface->ifname); in expand_skip_interface()
6568 if (interface->not) { in expand_skip_interface()
6573 interface->ifname, PFI_IFLAG_SKIP, 1); in expand_skip_interface()
6575 if (pf->opts & PF_OPT_VERBOSE) in expand_skip_interface()
6610 return (strcmp(k, ((const struct keywords *)e)->k_name)); in kw_cmp()
6618 { "af-to", AFTO}, in lookup()
6620 { "allow-opts", ALLOWOPTS}, in lookup()
6621 { "allow-related", ALLOW_RELATED}, in lookup()
6628 { "binat-anchor", BINATANCHOR}, in lookup()
6629 { "binat-to", BINATTO}, in lookup()
6632 { "block-policy", BLOCKPOLICY}, in lookup()
6633 { "bridge-to", BRIDGE_TO}, in lookup()
6639 { "divert-reply", DIVERTREPLY}, in lookup()
6640 { "divert-to", DIVERTTO}, in lookup()
6644 { "dup-to", DUPTO}, in lookup()
6645 { "endpoint-independent", ENDPI}, in lookup()
6647 { "fail-policy", FAILPOLICY}, in lookup()
6663 { "icmp-type", ICMPTYPE}, in lookup()
6664 { "icmp6-type", ICMP6TYPE}, in lookup()
6665 { "if-bound", IFBOUND}, in lookup()
6680 { "map-e-portset", MAPEPORTSET}, in lookup()
6684 { "max-mss", MAXMSS}, in lookup()
6685 { "max-pkt-rate", MAXPKTRATE}, in lookup()
6686 { "max-pkt-size", MAXPKTSIZE}, in lookup()
6687 { "max-src-conn", MAXSRCCONN}, in lookup()
6688 { "max-src-conn-rate", MAXSRCCONNRATE}, in lookup()
6689 { "max-src-nodes", MAXSRCNODES}, in lookup()
6690 { "max-src-states", MAXSRCSTATES}, in lookup()
6691 { "min-ttl", MINTTL}, in lookup()
6694 { "nat-anchor", NATANCHOR}, in lookup()
6695 { "nat-to", NATTO}, in lookup()
6697 { "no-df", NODF}, in lookup()
6698 { "no-route", NOROUTE}, in lookup()
6699 { "no-sync", NOSYNC}, in lookup()
6709 { "prefer-ipv6-nexthop", IPV6NH}, in lookup()
6719 { "random-id", RANDOMID}, in lookup()
6721 { "rdr-anchor", RDRANCHOR}, in lookup()
6722 { "rdr-to", RDRTO}, in lookup()
6725 { "received-on", RECEIVEDON}, in lookup()
6726 { "reply-to", REPLYTO}, in lookup()
6727 { "require-order", REQUIREORDER}, in lookup()
6729 { "return-icmp", RETURNICMP}, in lookup()
6730 { "return-icmp6", RETURNICMP6}, in lookup()
6731 { "return-rst", RETURNRST}, in lookup()
6733 { "round-robin", ROUNDROBIN}, in lookup()
6735 { "route-to", ROUTETO}, in lookup()
6738 { "ruleset-optimization", RULESET_OPTIMIZATION}, in lookup()
6741 { "set-tos", SETTOS}, in lookup()
6744 { "source-hash", SOURCEHASH}, in lookup()
6745 { "source-track", SOURCETRACK}, in lookup()
6747 { "state-defaults", STATEDEFAULTS}, in lookup()
6748 { "state-policy", STATEPOLICY}, in lookup()
6749 { "static-port", STATICPORT}, in lookup()
6750 { "sticky-address", STICKYADDRESS}, in lookup()
6763 { "urpf-failed", URPFFAILED}, in lookup()
6773 fprintf(stderr, "%s: %d\n", s, p->k_val); in lookup()
6774 return (p->k_val); in lookup()
6792 if (file->ungetpos > 0) in igetc()
6793 c = file->ungetbuf[--file->ungetpos]; in igetc()
6795 c = getc(file->stream); in igetc()
6827 yylval.lineno = file->lineno; in lgetc()
6828 file->lineno++; in lgetc()
6837 if (file->eof_reached == 0) { in lgetc()
6838 file->eof_reached = 1; in lgetc()
6855 if (file->ungetpos >= file->ungetsize) { in lungetc()
6856 void *p = reallocarray(file->ungetbuf, file->ungetsize, 2); in lungetc()
6859 file->ungetbuf = p; in lungetc()
6860 file->ungetsize *= 2; in lungetc()
6862 file->ungetbuf[file->ungetpos++] = c; in lungetc()
6874 file->lineno++; in findeol()
6896 yylval.lineno = file->lineno; in yylex()
6905 if (p + 1 >= buf + sizeof(buf) - 1) { in yylex()
6922 p = val + strlen(val) - 1; in yylex()
6926 p--; in yylex()
6940 file->lineno++; in yylex()
6949 file->lineno++; in yylex()
6961 if (p + 1 >= buf + sizeof(buf) - 1) { in yylex()
6995 case '-': in yylex()
7006 if (c == '-' || isdigit(c)) { in yylex()
7009 if ((size_t)(p-buf) >= sizeof(buf)) { in yylex()
7015 if (p == buf + 1 && buf[0] == '-') in yylex()
7032 lungetc(*--p); in yylex()
7033 c = *--p; in yylex()
7034 if (c == '-') in yylex()
7048 if ((size_t)(p-buf) >= sizeof(buf)) { in yylex()
7061 yylval.lineno = file->lineno; in yylex()
7062 file->lineno++; in yylex()
7076 return (-1); in check_file_secrecy()
7080 return (-1); in check_file_secrecy()
7084 return (-1); in check_file_secrecy()
7095 (nfile->name = strdup(name)) == NULL) { in pushfile()
7101 if (TAILQ_FIRST(&files) == NULL && strcmp(nfile->name, "-") == 0) { in pushfile()
7102 nfile->stream = stdin; in pushfile()
7103 free(nfile->name); in pushfile()
7104 if ((nfile->name = strdup("stdin")) == NULL) { in pushfile()
7109 } else if ((nfile->stream = pfctl_fopen(nfile->name, "r")) == NULL) { in pushfile()
7110 warn("%s: %s", __func__, nfile->name); in pushfile()
7111 free(nfile->name); in pushfile()
7115 check_file_secrecy(fileno(nfile->stream), nfile->name)) { in pushfile()
7116 fclose(nfile->stream); in pushfile()
7117 free(nfile->name); in pushfile()
7121 nfile->lineno = TAILQ_EMPTY(&files) ? 1 : 0; in pushfile()
7122 nfile->ungetsize = 16; in pushfile()
7123 nfile->ungetbuf = malloc(nfile->ungetsize); in pushfile()
7124 if (nfile->ungetbuf == NULL) { in pushfile()
7126 fclose(nfile->stream); in pushfile()
7127 free(nfile->name); in pushfile()
7141 prev->errors += file->errors; in popfile()
7144 fclose(file->stream); in popfile()
7145 free(file->name); in popfile()
7146 free(file->ungetbuf); in popfile()
7171 return (-1); in parse_config()
7176 errors = file->errors; in parse_config()
7181 if ((pf->opts & PF_OPT_VERBOSE2) && !sym->used) in parse_config()
7183 "used\n", sym->nam); in parse_config()
7184 free(sym->nam); in parse_config()
7185 free(sym->val); in parse_config()
7190 return (errors ? -1 : 0); in parse_config()
7199 if (strcmp(nam, sym->nam) == 0) in symset()
7204 if (sym->persist == 1) in symset()
7207 free(sym->nam); in symset()
7208 free(sym->val); in symset()
7214 return (-1); in symset()
7216 sym->nam = strdup(nam); in symset()
7217 if (sym->nam == NULL) { in symset()
7219 return (-1); in symset()
7221 sym->val = strdup(val); in symset()
7222 if (sym->val == NULL) { in symset()
7223 free(sym->nam); in symset()
7225 return (-1); in symset()
7227 sym->used = 0; in symset()
7228 sym->persist = persist; in symset()
7240 return (-1); in pfctl_cmdline_symset()
7242 sym = strndup(s, val - s); in pfctl_cmdline_symset()
7258 if (strcmp(nam, sym->nam) == 0) { in symget()
7259 sym->used = 1; in symget()
7260 return (sym->val); in symget()
7273 TAILQ_FOREACH(r, src->rules[i].active.ptr, entries) in mv_rules()
7274 dst->anchor->match++; in mv_rules()
7275 TAILQ_CONCAT(dst->rules[i].active.ptr, src->rules[i].active.ptr, entries); in mv_rules()
7276 src->anchor->match = 0; in mv_rules()
7277 TAILQ_CONCAT(dst->rules[i].inactive.ptr, src->rules[i].inactive.ptr, entries); in mv_rules()
7286 while ((r = TAILQ_FIRST(&src->rules)) != NULL) { in mv_eth_rules()
7287 TAILQ_REMOVE(&src->rules, r, entries); in mv_eth_rules()
7288 TAILQ_INSERT_TAIL(&dst->rules, r, entries); in mv_eth_rules()
7289 dst->anchor->match++; in mv_eth_rules()
7291 src->anchor->match = 0; in mv_eth_rules()
7313 DBGPRINT("%s [ %s ] (%s)\n", __func__, a->path, alast->path); in mv_tables()
7315 path_cut = strstr(kt->pfrkt_anchor, alast->path); in mv_tables()
7317 path_cut += strlen(alast->path); in mv_tables()
7320 "%s%s", a->path, path_cut); in mv_tables()
7323 "%s", a->path); in mv_tables()
7326 kt->pfrkt_name, kt->pfrkt_anchor); in mv_tables()
7328 DBGPRINT("%s %s@%s -> %s@%s\n", __func__, in mv_tables()
7329 kt->pfrkt_name, kt->pfrkt_anchor, in mv_tables()
7330 kt->pfrkt_name, new_path); in mv_tables()
7332 strlcpy(kt->pfrkt_anchor, new_path, in mv_tables()
7333 sizeof(kt->pfrkt_anchor)); in mv_tables()
7344 ukt->pfrukt_name, in mv_tables()
7345 ukt->pfrukt_anchor); in mv_tables()
7354 *af = n->af; in decide_address_family()
7355 while ((n = n->next) != NULL) { in decide_address_family()
7356 if (n->af != *af) { in decide_address_family()
7369 if (*af && n->af && n->af != *af) { in remove_invalid_hosts()
7371 struct node_host *next = n->next; in remove_invalid_hosts()
7374 if (n == (*nh)->tail) in remove_invalid_hosts()
7375 (*nh)->tail = prev; in remove_invalid_hosts()
7380 prev->next = next; in remove_invalid_hosts()
7382 if (n->ifname != NULL) in remove_invalid_hosts()
7383 free(n->ifname); in remove_invalid_hosts()
7387 if (n->af && !*af) in remove_invalid_hosts()
7388 *af = n->af; in remove_invalid_hosts()
7390 n = n->next; in remove_invalid_hosts()
7402 for (n = nh; n != NULL; n = n->next) { in invalid_redirect()
7403 if (n->addr.type != PF_ADDR_TABLE && in invalid_redirect()
7404 n->addr.type != PF_ADDR_DYNIFTL) { in invalid_redirect()
7429 return (-1); in atoul()
7431 return (-1); in atoul()
7445 return (-1); in getservice()
7456 return (-1); in getservice()
7458 return (s->s_port); in getservice()
7469 if (strlcpy(r->label[i], s[i], sizeof(r->label[0])) >= in rule_label()
7470 sizeof(r->label[0])) { in rule_label()
7472 sizeof(r->label[0])-1); in rule_label()
7473 return (-1); in rule_label()
7486 if (strlcpy(r->label[i], s[i], sizeof(r->label[0])) >= in eth_rule_label()
7487 sizeof(r->label[0])) { in eth_rule_label()
7489 sizeof(r->label[0])-1); in eth_rule_label()
7490 return (-1); in eth_rule_label()
7508 if (atoul(w, &ulval) == -1) { in parseicmpspec()
7513 ulval = p->code; in parseicmpspec()
7528 if ((r->a = getservice(port)) == -1) in parseport()
7529 return (-1); in parseport()
7530 r->b = 0; in parseport()
7531 r->t = PF_OP_NONE; in parseport()
7536 if ((r->a = getservice(port)) == -1) in parseport()
7537 return (-1); in parseport()
7538 r->b = 0; in parseport()
7539 r->t = PF_OP_IRG; in parseport()
7544 if ((r->a = getservice(port)) == -1 || in parseport()
7545 (r->b = getservice(p)) == -1) in parseport()
7546 return (-1); in parseport()
7547 if (r->a == r->b) { in parseport()
7548 r->b = 0; in parseport()
7549 r->t = PF_OP_NONE; in parseport()
7551 r->t = PF_OP_RRG; in parseport()
7554 return (-1); in parseport()
7558 pfctl_load_anchors(int dev, struct pfctl *pf) in pfctl_load_anchors() argument
7563 if (pf->opts & PF_OPT_VERBOSE) in pfctl_load_anchors()
7565 la->anchorname, la->filename); in pfctl_load_anchors()
7566 if (pfctl_rules(dev, la->filename, pf->opts, pf->optimize, in pfctl_load_anchors()
7567 la->anchorname, pf->trans) == -1) in pfctl_load_anchors()
7568 return (-1); in pfctl_load_anchors()
7577 return (strcasecmp(k, ((const struct keywords *)e)->k_name)); in kw_casecmp()
7620 *val = p->k_val; in map_tos()
7633 if (sysctlbyname("net.fibs", &fibs, &l, NULL, 0) == -1) in rt_tableid_max()
7640 return (fibs - 1); in rt_tableid_max()
7656 &m->mac[0], &m->mac[1], &m->mac[2], &m->mac[3], &m->mac[4], in node_mac_from_string()
7657 &m->mac[5]) != 6) { in node_mac_from_string()
7663 memset(m->mask, 0xff, ETHER_ADDR_LEN); in node_mac_from_string()
7664 m->isset = true; in node_mac_from_string()
7665 m->next = NULL; in node_mac_from_string()
7666 m->tail = m; in node_mac_from_string()
7685 memset(m->mask, 0, ETHER_ADDR_LEN); in node_mac_from_string_masklen()
7687 m->mask[i / 8] |= 1 << (i % 8); in node_mac_from_string_masklen()
7702 &m->mask[0], &m->mask[1], &m->mask[2], &m->mask[3], &m->mask[4], in node_mac_from_string_mask()
7703 &m->mask[5]) != 6) { in node_mac_from_string_mask()
7715 if (opts->marker & FOM_ONCE) { in filteropts_to_rule()
7716 if ((r->action != PF_PASS && r->action != PF_DROP) || r->anchor) { in filteropts_to_rule()
7720 r->rule_flag |= PFRULE_ONCE; in filteropts_to_rule()
7723 r->keep_state = opts->keep.action; in filteropts_to_rule()
7724 r->pktrate.limit = opts->pktrate.limit; in filteropts_to_rule()
7725 r->pktrate.seconds = opts->pktrate.seconds; in filteropts_to_rule()
7726 r->prob = opts->prob; in filteropts_to_rule()
7727 r->rtableid = opts->rtableid; in filteropts_to_rule()
7728 r->ridentifier = opts->ridentifier; in filteropts_to_rule()
7729 r->max_pkt_size = opts->max_pkt_size; in filteropts_to_rule()
7730 r->tos = opts->tos; in filteropts_to_rule()
7732 if (opts->nodf) in filteropts_to_rule()
7733 r->scrub_flags |= PFSTATE_NODF; in filteropts_to_rule()
7734 if (opts->randomid) in filteropts_to_rule()
7735 r->scrub_flags |= PFSTATE_RANDOMID; in filteropts_to_rule()
7736 if (opts->minttl) in filteropts_to_rule()
7737 r->min_ttl = opts->minttl; in filteropts_to_rule()
7738 if (opts->max_mss) in filteropts_to_rule()
7739 r->max_mss = opts->max_mss; in filteropts_to_rule()
7741 if (opts->tag) in filteropts_to_rule()
7742 if (strlcpy(r->tagname, opts->tag, in filteropts_to_rule()
7745 PF_TAG_NAME_SIZE - 1); in filteropts_to_rule()
7748 if (opts->match_tag) in filteropts_to_rule()
7749 if (strlcpy(r->match_tagname, opts->match_tag, in filteropts_to_rule()
7752 PF_TAG_NAME_SIZE - 1); in filteropts_to_rule()
7755 r->match_tag_not = opts->match_tag_not; in filteropts_to_rule()
7757 if (rule_label(r, opts->label)) in filteropts_to_rule()
7760 free(opts->label[i]); in filteropts_to_rule()
7762 if (opts->marker & FOM_AFTO) in filteropts_to_rule()
7763 r->rule_flag |= PFRULE_AFTO; in filteropts_to_rule()
7764 if (opts->marker & FOM_SCRUB_TCP) in filteropts_to_rule()
7765 r->scrub_flags |= PFSTATE_SCRUB_TCP; in filteropts_to_rule()
7766 if (opts->marker & FOM_PRIO) in filteropts_to_rule()
7767 r->prio = opts->prio ? opts->prio : PF_PRIO_ZERO; in filteropts_to_rule()
7768 if (opts->marker & FOM_SETPRIO) { in filteropts_to_rule()
7769 r->set_prio[0] = opts->set_prio[0]; in filteropts_to_rule()
7770 r->set_prio[1] = opts->set_prio[1]; in filteropts_to_rule()
7771 r->scrub_flags |= PFSTATE_SETPRIO; in filteropts_to_rule()
7773 if (opts->marker & FOM_SETTOS) { in filteropts_to_rule()
7774 r->scrub_flags |= PFSTATE_SETTOS; in filteropts_to_rule()
7775 r->set_tos = opts->settos; in filteropts_to_rule()
7778 r->flags = opts->flags.b1; in filteropts_to_rule()
7779 r->flagset = opts->flags.b2; in filteropts_to_rule()
7780 if ((opts->flags.b1 & opts->flags.b2) != opts->flags.b1) { in filteropts_to_rule()
7785 if (opts->queues.qname != NULL) { in filteropts_to_rule()
7786 if (strlcpy(r->qname, opts->queues.qname, in filteropts_to_rule()
7787 sizeof(r->qname)) >= sizeof(r->qname)) { in filteropts_to_rule()
7789 "%d chars)", sizeof(r->qname)-1); in filteropts_to_rule()
7792 free(opts->queues.qname); in filteropts_to_rule()
7794 if (opts->queues.pqname != NULL) { in filteropts_to_rule()
7795 if (strlcpy(r->pqname, opts->queues.pqname, in filteropts_to_rule()
7796 sizeof(r->pqname)) >= sizeof(r->pqname)) { in filteropts_to_rule()
7798 "%d chars)", sizeof(r->pqname)-1); in filteropts_to_rule()
7801 free(opts->queues.pqname); in filteropts_to_rule()
7804 if (opts->fragment) in filteropts_to_rule()
7805 r->rule_flag |= PFRULE_FRAGMENT; in filteropts_to_rule()
7806 r->allow_opts = opts->allowopts; in filteropts_to_rule()
7816 if (pf->astack[pf->asd + 1]) { in pfctl_setup_anchor()
7826 &pf->astack[pf->asd]->ruleset, in pfctl_setup_anchor()
7827 anchorname ? anchorname : pf->alast->name); in pfctl_setup_anchor()
7829 if (r->anchor == NULL) in pfctl_setup_anchor()
7833 if (pf->alast != r->anchor) { in pfctl_setup_anchor()
7834 if (r->anchor->match) { in pfctl_setup_anchor()
7837 r->anchor->name); in pfctl_setup_anchor()
7840 mv_rules(&pf->alast->ruleset, in pfctl_setup_anchor()
7841 &r->anchor->ruleset); in pfctl_setup_anchor()
7842 mv_tables(pf, &pfr_ktables, r->anchor, pf->alast); in pfctl_setup_anchor()
7844 pf_remove_if_empty_ruleset(&pf->alast->ruleset); in pfctl_setup_anchor()
7845 pf->alast = r->anchor; in pfctl_setup_anchor()
7853 * Don't make non-brace anchors part of the main anchor pool. in pfctl_setup_anchor()
7855 if ((r->anchor = calloc(1, sizeof(*r->anchor))) == NULL) { in pfctl_setup_anchor()
7858 pf_init_ruleset(&r->anchor->ruleset); in pfctl_setup_anchor()
7859 r->anchor->ruleset.anchor = r->anchor; in pfctl_setup_anchor()
7860 if (strlcpy(r->anchor->path, anchorname, in pfctl_setup_anchor()
7861 sizeof(r->anchor->path)) >= sizeof(r->anchor->path)) { in pfctl_setup_anchor()
7872 if (strlcpy(r->anchor->name, p, in pfctl_setup_anchor()
7873 sizeof(r->anchor->name)) >= sizeof(r->anchor->name)) { in pfctl_setup_anchor()