3 /*-
4 * SPDX-License-Identifier: BSD-2-Clause
90 FILE *stream; member
277 /* new-style scrub opts */
498 !isdigit((addr).v.ifname[strlen((addr).v.ifname)-1])))
502 %token PASS BLOCK MATCH SCRUB RETURN IN OS OUT LOG QUICK ON FROM TO FLAGS
602 | ruleset error '\n' { file->errors++; }
640 yyerror("unknown ruleset-optimization %s", $1);
668 if (!(pf->opts & PF_OPT_OPTIMIZE)) {
669 pf->opts |= PF_OPT_OPTIMIZE;
670 pf->optimize = $3;
691 yyerror("hostid must be non-zero");
700 if (pf->opts & PF_OPT_VERBOSE)
701 printf("set block-policy drop\n");
707 if (pf->opts & PF_OPT_VERBOSE)
708 printf("set block-policy return\n");
714 if (pf->opts & PF_OPT_VERBOSE)
715 printf("set fail-policy drop\n");
721 if (pf->opts & PF_OPT_VERBOSE)
722 printf("set fail-policy return\n");
728 if (pf->opts & PF_OPT_VERBOSE)
729 printf("set require-order %s\n",
734 if (pf->opts & PF_OPT_VERBOSE)
740 if (!pf->anchor->name[0]) {
741 if (pfctl_file_fingerprints(pf->dev,
742 pf->opts, $3)) {
752 if (pf->opts & PF_OPT_VERBOSE)
755 printf("set state-policy floating\n");
758 printf("set state-policy if-bound\n");
783 yyerror("cannot redefine state-defaults");
789 pf->keep_counters = true;
853 if (asprintf(&$$, "%s %s", $1, $2) == -1)
862 if (asprintf(&$$, "%s %s", $1, $2) == -1)
872 if (asprintf(&s, "%lld", (long long)$1) == -1) {
883 if (pf->opts & PF_OPT_VERBOSE)
892 if (symset($1, $3, 0) == -1)
915 pf->asd++;
916 pf->bn++;
924 snprintf(ta, PF_ANCHOR_NAME_SIZE, "_%d", pf->bn);
928 pf->astack[pf->asd] = rs->anchor;
929 pf->anchor = rs->anchor;
932 pf->alast = pf->anchor;
933 pf->asd--;
934 pf->anchor = pf->astack[pf->asd];
959 if (pf->astack[pf->asd + 1]) {
969 &pf->astack[pf->asd]->ruleset,
970 $2 ? $2 : pf->alast->name);
976 if (pf->alast != r.anchor) {
977 if (r.anchor->match) {
980 r.anchor->name);
983 mv_rules(&pf->alast->ruleset,
984 &r.anchor->ruleset);
986 pf_remove_if_empty_ruleset(&pf->alast->ruleset);
987 pf->alast = r.anchor;
1006 PF_TAG_NAME_SIZE - 1);
1013 PF_TAG_NAME_SIZE - 1);
1029 proto->proto != IPPROTO_TCP;
1030 proto = proto->next)
1056 PF_TAG_NAME_SIZE - 1);
1078 pf->astack[pf->asd + 1] ? pf->alast->name : $2);
1080 pf->astack[pf->asd + 1] = NULL;
1121 " in rdr-anchor");
1125 if ($6.dst.port->next != NULL) {
1128 "rdr-anchor");
1130 } else if ($6.dst.port->op != PF_OP_EQ) {
1132 " not supported in rdr-anchor");
1135 r.dst.port[0] = $6.dst.port->port[0];
1136 r.dst.port[1] = $6.dst.port->port[1];
1137 r.dst.port_op = $6.dst.port->op;
1158 if ($5->next != NULL) {
1160 " not supported in binat-anchor");
1163 r.proto = $5->proto;
1170 " in binat-anchor");
1185 if (strlen(pf->anchor->name) + 1 +
1188 $3, MAXPATHLEN - 1);
1195 if ((loadanchor->anchorname = malloc(MAXPATHLEN)) ==
1198 if (pf->anchor->name[0])
1199 snprintf(loadanchor->anchorname, MAXPATHLEN,
1200 "%s/%s", pf->anchor->name, $3);
1202 strlcpy(loadanchor->anchorname, $3, MAXPATHLEN);
1203 if ((loadanchor->filename = strdup($5)) == NULL)
1240 PF_TAG_NAME_SIZE - 1);
1271 pf->asd++;
1272 pf->bn++;
1275 snprintf(ta, PF_ANCHOR_NAME_SIZE, "_%d", pf->bn);
1279 pf->eastack[pf->asd] = rs->anchor;
1280 pf->eanchor = rs->anchor;
1283 pf->ealast = pf->eanchor;
1284 pf->asd--;
1285 pf->eanchor = pf->eastack[pf->asd];
1307 if (pf->eastack[pf->asd + 1]) {
1317 &pf->eastack[pf->asd]->ruleset,
1318 $3 ? $3 : pf->ealast->name);
1323 if (pf->ealast != r.anchor) {
1324 if (r.anchor->match) {
1327 r.anchor->name);
1330 mv_eth_rules(&pf->ealast->ruleset,
1331 &r.anchor->ruleset);
1333 pf_remove_if_empty_eth_ruleset(&pf->ealast->ruleset);
1334 pf->ealast = r.anchor;
1348 pf->eastack[pf->asd + 1] ? pf->ealast->name : $3);
1351 pf->eastack[pf->asd + 1] = NULL;
1457 PF_TAG_NAME_SIZE - 1);
1471 scrub_opts.rtableid = -1;
1477 scrub_opts.rtableid = -1;
1488 yyerror("no-df cannot be respecified");
1495 yyerror("min-ttl cannot be respecified");
1499 yyerror("illegal min-ttl value %d", $2);
1507 yyerror("max-mss cannot be respecified");
1511 yyerror("illegal max-mss value %d", $2);
1519 yyerror("set-tos cannot be respecified");
1549 yyerror("random-id cannot be respecified");
1579 for (i = $3; i; i = i->next) {
1595 if (strlcpy(j->ifname, i->ifname,
1596 sizeof(j->ifname)) >= sizeof(j->ifname)) {
1601 j->not = 1;
1602 if (i->dynamic) {
1606 h->addr.type = PF_ADDR_DYNIFTL;
1608 if (strlcpy(h->addr.v.ifname, i->ifname,
1609 sizeof(h->addr.v.ifname)) >=
1610 sizeof(h->addr.v.ifname)) {
1620 h->addr.iflags = PFI_AFLAG_NETWORK;
1622 h = ifa_lookup(j->ifname,
1632 if ((i->ifa_flags & IFF_LOOPBACK) == 0) {
1648 h = ifa_lookup(i->ifname, 0);
1667 $1->tail->next = $3;
1668 $1->tail = $3;
1675 $2->dynamic = 1;
1682 antispoof_opts.rtableid = -1;
1688 antispoof_opts.rtableid = -1;
1726 PF_TABLE_NAME_SIZE - 1);
1730 if (pf->loadopt & PFCTL_FLAG_TABLE)
1738 if (ti->file)
1739 free(ti->file);
1740 for (h = ti->host; h != NULL; h = nh) {
1741 nh = h->next;
1787 for (n = $3; n != NULL; n = n->next) {
1788 switch (n->addr.type) {
1803 yyerror("\"no-route\" is not permitted "
1807 yyerror("\"urpf-failed\" is not "
1812 n->addr.type);
1818 ti->host = $3;
1828 ti->file = $2;
1872 "%d chars)", PF_QNAME_SIZE-1);
2326 $1->tail->next = $3;
2327 $1->tail = $3;
2336 if (strlcpy($$->queue, $1, sizeof($$->queue)) >=
2337 sizeof($$->queue)) {
2339 "%d chars)", $1, sizeof($$->queue)-1);
2345 $$->next = NULL;
2346 $$->tail = $$;
2422 PF_TAG_NAME_SIZE - 1);
2429 PF_TAG_NAME_SIZE - 1);
2446 proto->proto != IPPROTO_TCP;
2447 proto = proto->next)
2484 switch (o->type) {
2491 r.max_states = o->data.max_states;
2504 "'source-track' "
2508 srctrack = o->data.src_track;
2514 "'max-src-states' "
2518 if (o->data.max_src_states == 0) {
2519 yyerror("'max-src-states' must "
2524 o->data.max_src_states;
2534 o->data.overload.tblname,
2541 r.flush = o->data.overload.flush;
2546 "'max-src-conn' "
2550 if (o->data.max_src_conn == 0) {
2551 yyerror("'max-src-conn' "
2556 o->data.max_src_conn;
2563 "'max-src-conn-rate' "
2567 if (!o->data.max_src_conn_rate.limit ||
2568 !o->data.max_src_conn_rate.seconds) {
2569 yyerror("'max-src-conn-rate' "
2573 if (o->data.max_src_conn_rate.limit >
2575 yyerror("'max-src-conn-rate' "
2581 o->data.max_src_conn_rate.limit;
2583 o->data.max_src_conn_rate.seconds;
2590 "'max-src-nodes' "
2594 if (o->data.max_src_nodes == 0) {
2595 yyerror("'max-src-nodes' must "
2600 o->data.max_src_nodes;
2611 r.rule_flag |= o->data.statelock;
2630 if (o->data.timeout.number ==
2632 o->data.timeout.number ==
2635 if (r.timeout[o->data.timeout.number]) {
2638 pf_timeouts[o->data.
2642 r.timeout[o->data.timeout.number] =
2643 o->data.timeout.seconds;
2645 o = o->next;
2666 yyerror("'max-src-nodes' is "
2668 "'source-track global'");
2673 yyerror("'max-src-conn' is "
2675 "'source-track global'");
2680 yyerror("'max-src-conn-rate' is "
2682 "'source-track global'");
2724 PF_POOL_NONE && ($5.host->next != NULL ||
2725 $5.host->addr.type == PF_ADDR_TABLE ||
2726 DYNIF_MULTIADDR($5.host->addr)))
2731 "supported in round-robin routing pools"))
2736 "is only supported in round-robin "
2739 if ($5.host->next != NULL) {
2752 "%d chars)", sizeof(r.qname)-1);
2761 "%d chars)", sizeof(r.pqname)-1);
2784 if ($9.divert.addr->af != r.af) {
2790 $9.divert.addr->addr.v.a.addr;
2812 filter_opts.rtableid = -1;
2818 filter_opts.rtableid = -1;
2829 $2->tail->next = filter_opts.uid;
2834 $2->tail->next = filter_opts.gid;
2850 yyerror("icmp-type cannot be redefined");
2862 yyerror("prio must be 0 - %u", PF_PRIO_MAX);
2943 yyerror("cannot respecify received-on");
2996 yyerror("divert-reply has no meaning in FreeBSD pf(4)");
3006 /* Old style rules are "scrub set-tos 0x42"
3010 * "set tos" of a pass/match rule.
3050 yyerror("prio must be 0 - %u", PF_PRIO_MAX);
3058 yyerror("prio must be 0 - %u", PF_PRIO_MAX);
3094 | MATCH { $$.b1 = PF_MATCH; $$.b2 = $$.w = 0; }
3256 $1->tail->next = $3;
3257 $1->tail = $3;
3262 if_item_not : not if_item { $$ = $2; $$->not = $1; }
3271 if (strlcpy($$->ifname, $1, sizeof($$->ifname)) >=
3272 sizeof($$->ifname)) {
3280 $$->ifa_flags = n->ifa_flags;
3283 $$->not = 0;
3284 $$->next = NULL;
3285 $$->tail = $$;
3301 $1->tail->next = $3;
3302 $1->tail = $3;
3318 $$->proto = pr;
3319 $$->next = NULL;
3320 $$->tail = $$;
3351 $1->tail->next = $3;
3352 $1->tail = $3;
3368 $$->proto = pr;
3369 $$->next = NULL;
3370 $$->tail = $$;
3383 $$ = p->p_proto;
3399 $2.src.host->addr.type != PF_ADDR_ADDRMASK &&
3400 $2.src.host->addr.type != PF_ADDR_TABLE) {
3405 $2.dst.host->addr.type != PF_ADDR_ADDRMASK &&
3406 $2.dst.host->addr.type != PF_ADDR_TABLE) {
3447 /* mac&mask */
3449 char *mask = strtok(NULL, "&"); variable
3450 $$ = node_mac_from_string_mask(mac, mask);
3462 for (n = $2; n != NULL; n = n->next)
3463 n->neg = $1;
3484 $1->tail->next = $3;
3485 $1->tail = $3->tail;
3513 $$->os = $1;
3514 $$->tail = $$;
3520 $1->tail->next = $3;
3521 $1->tail = $3;
3540 if (disallow_urpf_failed($2.host, "\"urpf-failed\" is "
3583 $1->tail->next = $3;
3584 $1->tail = $3->tail;
3593 for (n = $2; n != NULL; n = n->next)
3594 n->not = $1;
3601 $$->addr.type = PF_ADDR_NOROUTE;
3602 $$->next = NULL;
3603 $$->not = $1;
3604 $$->tail = $$;
3610 $$->addr.type = PF_ADDR_URPFFAILED;
3611 $$->next = NULL;
3612 $$->not = $1;
3613 $$->tail = $$;
3627 | STRING '-' STRING {
3636 if (b->af != e->af ||
3637 b->addr.type != PF_ADDR_ADDRMASK ||
3638 e->addr.type != PF_ADDR_ADDRMASK ||
3639 unmask(&b->addr.v.a.mask, b->af) !=
3640 (b->af == AF_INET ? 32 : 128) ||
3641 unmask(&e->addr.v.a.mask, e->af) !=
3642 (e->af == AF_INET ? 32 : 128) ||
3643 b->next != NULL || b->not ||
3644 e->next != NULL || e->not) {
3652 memcpy(&b->addr.v.a.mask, &e->addr.v.a.addr,
3653 sizeof(b->addr.v.a.mask));
3654 b->addr.type = PF_ADDR_RANGE;
3663 if (asprintf(&buf, "%s/%lld", $1, (long long)$3) == -1)
3679 if (asprintf(&buf, "%lld/%lld", (long long)$1, (long long)$3) == -1)
3681 if (asprintf(&buf, "%lld/%lld", $1, $3) == -1)
3701 for (n = $1; n != NULL; n = n->next)
3713 $$->addr.type = PF_ADDR_TABLE;
3714 if (strlcpy($$->addr.v.tblname, $2,
3715 sizeof($$->addr.v.tblname)) >=
3716 sizeof($$->addr.v.tblname))
3719 $$->next = NULL;
3720 $$->tail = $$;
3728 if (atoul($1, &ulval) == -1) {
3765 if (flags & (flags - 1) & PFI_AFLAG_MODEMASK) {
3774 $$->af = 0;
3776 $$->addr.type = PF_ADDR_DYNIFTL;
3777 $$->addr.iflags = flags;
3778 if (strlcpy($$->addr.v.ifname, $2,
3779 sizeof($$->addr.v.ifname)) >=
3780 sizeof($$->addr.v.ifname)) {
3787 $$->next = NULL;
3788 $$->tail = $$;
3798 $1->tail->next = $3;
3799 $1->tail = $3;
3808 $$->port[0] = $1.a;
3809 $$->port[1] = $1.b;
3811 $$->op = PF_OP_RRG;
3813 $$->op = PF_OP_EQ;
3814 $$->next = NULL;
3815 $$->tail = $$;
3826 $$->port[0] = $2.a;
3827 $$->port[1] = $2.b;
3828 $$->op = $1;
3829 $$->next = NULL;
3830 $$->tail = $$;
3841 $$->port[0] = $1.a;
3842 $$->port[1] = $3.a;
3843 $$->op = $2;
3844 $$->next = NULL;
3845 $$->tail = $$;
3850 if (parseport($1, &$$, 0) == -1) {
3859 if (parseport($1, &$$, PPORT_RANGE) == -1) {
3873 $1->tail->next = $3;
3874 $1->tail = $3;
3883 $$->uid[0] = $1;
3884 $$->uid[1] = $1;
3885 $$->op = PF_OP_EQ;
3886 $$->next = NULL;
3887 $$->tail = $$;
3898 $$->uid[0] = $2;
3899 $$->uid[1] = $2;
3900 $$->op = $1;
3901 $$->next = NULL;
3902 $$->tail = $$;
3913 $$->uid[0] = $1;
3914 $$->uid[1] = $3;
3915 $$->op = $2;
3916 $$->next = NULL;
3917 $$->tail = $$;
3932 $$ = pw->pw_uid;
3951 $1->tail->next = $3;
3952 $1->tail = $3;
3961 $$->gid[0] = $1;
3962 $$->gid[1] = $1;
3963 $$->op = PF_OP_EQ;
3964 $$->next = NULL;
3965 $$->tail = $$;
3976 $$->gid[0] = $2;
3977 $$->gid[1] = $2;
3978 $$->op = $1;
3979 $$->next = NULL;
3980 $$->tail = $$;
3991 $$->gid[0] = $1;
3992 $$->gid[1] = $3;
3993 $$->op = $2;
3994 $$->next = NULL;
3995 $$->tail = $$;
4010 $$ = grp->gr_gid;
4049 $1->tail->next = $3;
4050 $1->tail = $3;
4057 $1->tail->next = $3;
4058 $1->tail = $3;
4067 $$->type = $1;
4068 $$->code = 0;
4069 $$->proto = IPPROTO_ICMP;
4070 $$->next = NULL;
4071 $$->tail = $$;
4076 if ((p = geticmpcodebyname($1-1, $3, AF_INET)) == NULL) {
4077 yyerror("unknown icmp-code %s", $3);
4086 $$->type = $1;
4087 $$->code = p->code + 1;
4088 $$->proto = IPPROTO_ICMP;
4089 $$->next = NULL;
4090 $$->tail = $$;
4094 yyerror("illegal icmp-code %lu", $3);
4100 $$->type = $1;
4101 $$->code = $3 + 1;
4102 $$->proto = IPPROTO_ICMP;
4103 $$->next = NULL;
4104 $$->tail = $$;
4112 $$->type = $1;
4113 $$->code = 0;
4114 $$->proto = IPPROTO_ICMPV6;
4115 $$->next = NULL;
4116 $$->tail = $$;
4121 if ((p = geticmpcodebyname($1-1, $3, AF_INET6)) == NULL) {
4122 yyerror("unknown icmp6-code %s", $3);
4131 $$->type = $1;
4132 $$->code = p->code + 1;
4133 $$->proto = IPPROTO_ICMPV6;
4134 $$->next = NULL;
4135 $$->tail = $$;
4139 yyerror("illegal icmp-code %lu", $3);
4145 $$->type = $1;
4146 $$->code = $3 + 1;
4147 $$->proto = IPPROTO_ICMPV6;
4148 $$->next = NULL;
4149 $$->tail = $$;
4157 yyerror("unknown icmp-type %s", $1);
4161 $$ = p->type + 1;
4166 yyerror("illegal icmp-type %lu", $1);
4178 yyerror("unknown icmp6-type %s", $1);
4182 $$ = p->type + 1;
4187 yyerror("illegal icmp6-type %lu", $1);
4267 $1->tail->next = $3;
4268 $1->tail = $3;
4281 $$->type = PF_STATE_OPT_MAX;
4282 $$->data.max_states = $2;
4283 $$->next = NULL;
4284 $$->tail = $$;
4290 $$->type = PF_STATE_OPT_NOSYNC;
4291 $$->next = NULL;
4292 $$->tail = $$;
4302 $$->type = PF_STATE_OPT_MAX_SRC_STATES;
4303 $$->data.max_src_states = $2;
4304 $$->next = NULL;
4305 $$->tail = $$;
4315 $$->type = PF_STATE_OPT_MAX_SRC_CONN;
4316 $$->data.max_src_conn = $2;
4317 $$->next = NULL;
4318 $$->tail = $$;
4329 $$->type = PF_STATE_OPT_MAX_SRC_CONN_RATE;
4330 $$->data.max_src_conn_rate.limit = $2;
4331 $$->data.max_src_conn_rate.seconds = $4;
4332 $$->next = NULL;
4333 $$->tail = $$;
4344 if (strlcpy($$->data.overload.tblname, $3,
4348 $$->type = PF_STATE_OPT_OVERLOAD;
4349 $$->data.overload.flush = $5;
4350 $$->next = NULL;
4351 $$->tail = $$;
4361 $$->type = PF_STATE_OPT_MAX_SRC_NODES;
4362 $$->data.max_src_nodes = $2;
4363 $$->next = NULL;
4364 $$->tail = $$;
4370 $$->type = PF_STATE_OPT_SRCTRACK;
4371 $$->data.src_track = $1;
4372 $$->next = NULL;
4373 $$->tail = $$;
4379 $$->type = PF_STATE_OPT_STATELOCK;
4380 $$->data.statelock = $1;
4381 $$->next = NULL;
4382 $$->tail = $$;
4388 $$->type = PF_STATE_OPT_SLOPPY;
4389 $$->next = NULL;
4390 $$->tail = $$;
4396 $$->type = PF_STATE_OPT_PFLOW;
4397 $$->next = NULL;
4398 $$->tail = $$;
4424 $$->type = PF_STATE_OPT_TIMEOUT;
4425 $$->data.timeout.number = pf_timeouts[i].timeout;
4426 $$->data.timeout.seconds = $2;
4427 $$->next = NULL;
4428 $$->tail = $$;
4464 if (parseport($1, &$$, PPORT_RANGE|PPORT_STAR) == -1) {
4478 $1->tail->next = $3;
4479 $1->tail = $3->tail;
4489 $$->host = $2;
4490 $$->rport.a = $$->rport.b = $$->rport.t = 0;
4496 $$->host = $2;
4497 $$->rport = $4;
4506 $$->key32[0] = arc4random();
4507 $$->key32[1] = arc4random();
4508 $$->key32[2] = arc4random();
4509 $$->key32[3] = arc4random();
4525 &$$->key32[0], &$$->key32[1],
4526 &$$->key32[2], &$$->key32[3]) != 4) {
4542 HTONL($$->key32[0]);
4543 HTONL($$->key32[1]);
4544 HTONL($$->key32[2]);
4545 HTONL($$->key32[3]);
4595 yyerror("static-port cannot be redefined");
4602 yyerror("sticky-address cannot be redefined");
4610 yyerror("endpoint-independent cannot be redefined");
4618 yyerror("map-e-portset cannot be redefined");
4622 yyerror("map-e-portset cannot be used with "
4627 yyerror("MAP-E PSID offset must be 1-15");
4631 yyerror("Invalid MAP-E PSID length");
4635 " you do not need MAP-E");
4639 yyerror("Invalid MAP-E PSID");
4653 $$->host = $2;
4654 $$->rport.a = $$->rport.b = $$->rport.t = 0;
4660 $$->host = $2;
4661 $$->rport = $4;
4717 if ($5.src.host && $5.src.host->af &&
4718 !$5.src.host->ifindex)
4719 r.af = $5.src.host->af;
4720 else if ($5.dst.host && $5.dst.host->af &&
4721 !$5.dst.host->ifindex)
4722 r.af = $5.dst.host->af;
4729 PF_TAG_NAME_SIZE - 1);
4737 PF_TAG_NAME_SIZE - 1);
4746 "does not need '->'");
4750 if ($9 == NULL || $9->host == NULL) {
4751 yyerror("translation rule requires '-> "
4755 if (!r.af && ! $9->host->ifindex)
4756 r.af = $9->host->af;
4758 remove_invalid_hosts(&$9->host, &r.af);
4759 if (invalid_redirect($9->host, r.af))
4761 if ($9->host->addr.type == PF_ADDR_DYNIFTL) {
4762 if (($9->host = gen_dynnode($9->host, r.af)) == NULL)
4765 if (check_netmask($9->host, r.af))
4768 r.rpool.proxy_port[0] = ntohs($9->rport.a);
4772 if (!$9->rport.b && $9->rport.t &&
4775 ntohs($9->rport.a) +
4777 $5.dst.port->port[1]) -
4779 $5.dst.port->port[0]));
4782 ntohs($9->rport.b);
4786 ntohs($9->rport.b);
4803 PF_POOL_NONE && ($9->host->next != NULL ||
4804 $9->host->addr.type == PF_ADDR_TABLE ||
4805 DYNIF_MULTIADDR($9->host->addr)))
4809 disallow_table($9->host, "tables are only "
4810 "supported in round-robin redirection "
4815 disallow_alias($9->host, "interface (%s) "
4816 "is only supported in round-robin "
4819 if ($9->host->next != NULL) {
4822 yyerror("only round-robin "
4839 yyerror("the 'static-port' option is "
4847 yyerror("the 'static-port' option can't"
4858 yyerror("the 'map-e-portset' option is"
4863 yyerror("the 'map-e-portset' option"
4864 " can't be used 'static-port'");
4871 yyerror("the 'map-e-portset' option"
4881 switch (o->type) {
4891 o = o->next;
4894 expand_rule(&r, $2, $9 == NULL ? NULL : $9->host, $4,
4909 if (disallow_urpf_failed($9, "\"urpf-failed\" is not "
4927 if (!binat.af && $8 != NULL && $8->af)
4928 binat.af = $8->af;
4929 if (!binat.af && $9 != NULL && $9->af)
4930 binat.af = $9->af;
4932 if (!binat.af && $13 != NULL && $13->host)
4933 binat.af = $13->host->af;
4941 memcpy(binat.ifname, $4->ifname,
4943 binat.ifnot = $4->not;
4951 PF_TAG_NAME_SIZE - 1);
4958 PF_TAG_NAME_SIZE - 1);
4965 binat.proto = $6->proto;
4976 if ($13 != NULL && $13->host != NULL && disallow_table(
4977 $13->host, "invalid use of table <%s> as the "
4980 if ($13 != NULL && $13->host != NULL && disallow_alias(
4981 $13->host, "invalid use of interface (%s) as the "
4986 if ($8->next) {
4990 if ($8->addr.type == PF_ADDR_DYNIFTL)
4991 $8->af = binat.af;
4992 if ($8->af != binat.af) {
4993 yyerror("binat ip versions must match");
4996 if ($8->addr.type == PF_ADDR_DYNIFTL) {
5002 memcpy(&binat.src.addr, &$8->addr,
5007 if ($9->next) {
5011 if ($9->af != binat.af && $9->af) {
5012 yyerror("binat ip versions must match");
5015 if ($9->addr.type == PF_ADDR_DYNIFTL) {
5021 memcpy(&binat.dst.addr, &$9->addr,
5023 binat.dst.neg = $9->not;
5030 " '->'");
5034 if ($13 == NULL || $13->host == NULL) {
5036 " '-> address'");
5040 remove_invalid_hosts(&$13->host, &binat.af);
5041 if (invalid_redirect($13->host, binat.af))
5043 if ($13->host->next != NULL) {
5048 if ($13->host->addr.type == PF_ADDR_DYNIFTL) {
5049 if (($13->host = gen_dynnode($13->host, binat.af)) == NULL)
5052 if (check_netmask($13->host, binat.af))
5055 if (!PF_AZERO(&binat.src.addr.v.a.mask,
5057 !PF_AEQ(&binat.src.addr.v.a.mask,
5058 &$13->host->addr.v.a.mask, binat.af)) {
5059 yyerror("'binat' source mask and "
5060 "redirect mask must be the same");
5068 pa->addr = $13->host->addr;
5069 pa->ifname[0] = 0;
5088 rtable : /* empty */ { $$ = -1; }
5106 $$->ifname = strdup($1);
5108 $$->next = NULL;
5109 $$->tail = $$;
5115 for (n = $3; n != NULL; n = n->next) {
5120 n->ifname = strdup($2);
5127 if ($1->af == 0)
5128 $1->af = $3->af;
5129 if ($1->af != $3->af) {
5134 $1->tail->next = $3;
5135 $1->tail = $3->tail;
5150 /* backwards-compat */
5267 file->errors++;
5269 fprintf(stderr, "%s:%d: ", file->name, yylval.lineno);
5279 for (; h != NULL; h = h->next) in disallow_table()
5280 if (h->addr.type == PF_ADDR_TABLE) { in disallow_table()
5281 yyerror(fmt, h->addr.v.tblname); in disallow_table()
5290 for (; h != NULL; h = h->next) in disallow_urpf_failed()
5291 if (h->addr.type == PF_ADDR_URPFFAILED) { in disallow_urpf_failed()
5301 for (; h != NULL; h = h->next) in disallow_alias()
5302 if (DYNIF_MULTIADDR(h->addr)) { in disallow_alias()
5303 yyerror(fmt, h->addr.v.tblname); in disallow_alias()
5314 switch (r->action) { in rule_consistent()
5343 if (r->proto != IPPROTO_TCP && r->proto != IPPROTO_UDP && in filter_consistent()
5344 r->proto != IPPROTO_SCTP && in filter_consistent()
5345 (r->src.port_op || r->dst.port_op)) { in filter_consistent()
5349 if (r->proto != IPPROTO_ICMP && r->proto != IPPROTO_ICMPV6 && in filter_consistent()
5350 (r->type || r->code)) { in filter_consistent()
5351 yyerror("icmp-type/code only applies to icmp"); in filter_consistent()
5354 if (!r->af && (r->type || r->code)) { in filter_consistent()
5355 yyerror("must indicate address family with icmp-type/code"); in filter_consistent()
5358 if (r->overload_tblname[0] && in filter_consistent()
5359 r->max_src_conn == 0 && r->max_src_conn_rate.seconds == 0) { in filter_consistent()
5360 yyerror("'overload' requires 'max-src-conn' " in filter_consistent()
5361 "or 'max-src-conn-rate'"); in filter_consistent()
5364 if ((r->proto == IPPROTO_ICMP && r->af == AF_INET6) || in filter_consistent()
5365 (r->proto == IPPROTO_ICMPV6 && r->af == AF_INET)) { in filter_consistent()
5366 yyerror("proto %s doesn't match address family %s", in filter_consistent()
5367 r->proto == IPPROTO_ICMP ? "icmp" : "icmp6", in filter_consistent()
5368 r->af == AF_INET ? "inet" : "inet6"); in filter_consistent()
5371 if (r->allow_opts && r->action != PF_PASS) { in filter_consistent()
5372 yyerror("allow-opts can only be specified for pass rules"); in filter_consistent()
5375 if (r->rule_flag & PFRULE_FRAGMENT && (r->src.port_op || in filter_consistent()
5376 r->dst.port_op || r->flagset || r->type || r->code)) { in filter_consistent()
5380 if (r->rule_flag & PFRULE_RETURNRST && r->proto != IPPROTO_TCP) { in filter_consistent()
5381 yyerror("return-rst can only be applied to TCP rules"); in filter_consistent()
5384 if (r->max_src_nodes && !(r->rule_flag & PFRULE_RULESRCTRACK)) { in filter_consistent()
5385 yyerror("max-src-nodes requires 'source-track rule'"); in filter_consistent()
5388 if (r->action != PF_PASS && r->keep_state) { in filter_consistent()
5392 if (r->rule_flag & PFRULE_STATESLOPPY && in filter_consistent()
5393 (r->keep_state == PF_STATE_MODULATE || in filter_consistent()
5394 r->keep_state == PF_STATE_SYNPROXY)) { in filter_consistent()
5399 /* match rules rules */ in filter_consistent()
5400 if (r->action == PF_MATCH) { in filter_consistent()
5401 if (r->divert.port) { in filter_consistent()
5402 yyerror("divert is not supported on match rules"); in filter_consistent()
5405 if (r->rt) { in filter_consistent()
5406 yyerror("route-to, reply-to, dup-to and fastroute " in filter_consistent()
5407 "must not be used on match rules"); in filter_consistent()
5411 if (r->rpool.opts & PF_POOL_STICKYADDR && !r->keep_state) { in filter_consistent()
5412 yyerror("'sticky-address' requires 'keep state'"); in filter_consistent()
5415 return (-problems); in filter_consistent()
5429 if (r->proto != IPPROTO_TCP && r->proto != IPPROTO_UDP && in rdr_consistent()
5430 r->proto != IPPROTO_SCTP) { in rdr_consistent()
5431 if (r->src.port_op) { in rdr_consistent()
5435 if (r->dst.port_op) { in rdr_consistent()
5439 if (r->rpool.proxy_port[0]) { in rdr_consistent()
5444 if (r->dst.port_op && in rdr_consistent()
5445 r->dst.port_op != PF_OP_EQ && r->dst.port_op != PF_OP_RRG) { in rdr_consistent()
5449 return (-problems); in rdr_consistent()
5462 SIMPLEQ_FOREACH(ti, &opts->init_nodes, entries) { in process_tabledef()
5463 if (ti->file) in process_tabledef()
5464 if (pfr_buf_load(&ab, ti->file, 0, append_addr)) { in process_tabledef()
5467 ti->file, strerror(errno)); in process_tabledef()
5470 ti->file); in process_tabledef()
5473 if (ti->host) in process_tabledef()
5474 if (append_addr_host(&ab, ti->host, 0, 0)) { in process_tabledef()
5480 if (pf->opts & PF_OPT_VERBOSE) in process_tabledef()
5481 print_tabledef(name, opts->flags, opts->init_addr, in process_tabledef()
5482 &opts->init_nodes); in process_tabledef()
5483 if (!(pf->opts & PF_OPT_NOACTION) && in process_tabledef()
5484 pfctl_define_table(name, opts->flags, opts->init_addr, in process_tabledef()
5485 pf->anchor->name, &ab, pf->anchor->ruleset.tticket)) { in process_tabledef()
5488 NULL, 0) == -1) in process_tabledef()
5501 pf->tdirty = 1; in process_tabledef()
5506 return (-1); in process_tabledef()
5521 node = node->next; \
5533 r->next = NULL; \
5540 n = n->next; \
5585 switch (addr->addr.type) { in expand_label_addr()
5587 snprintf(tmp, sizeof(tmp), "(%s)", addr->addr.v.ifname); in expand_label_addr()
5590 snprintf(tmp, sizeof(tmp), "<%s>", addr->addr.v.tblname); in expand_label_addr()
5593 snprintf(tmp, sizeof(tmp), "no-route"); in expand_label_addr()
5596 snprintf(tmp, sizeof(tmp), "urpf-failed"); in expand_label_addr()
5599 if (!af || (PF_AZERO(&addr->addr.v.a.addr, af) && in expand_label_addr()
5600 PF_AZERO(&addr->addr.v.a.mask, af))) in expand_label_addr()
5606 if (inet_ntop(af, &addr->addr.v.a.addr, a, in expand_label_addr()
5610 bits = unmask(&addr->addr.v.a.mask, af); in expand_label_addr()
5626 if (addr->neg) { in expand_label_addr()
5641 snprintf(a1, sizeof(a1), "%u", ntohs(addr->port[0])); in expand_label_port()
5642 snprintf(a2, sizeof(a2), "%u", ntohs(addr->port[1])); in expand_label_port()
5643 if (!addr->port_op) in expand_label_port()
5645 else if (addr->port_op == PF_OP_IRG) in expand_label_port()
5647 else if (addr->port_op == PF_OP_XRG) in expand_label_port()
5649 else if (addr->port_op == PF_OP_EQ) in expand_label_port()
5651 else if (addr->port_op == PF_OP_NE) in expand_label_port()
5653 else if (addr->port_op == PF_OP_LT) in expand_label_port()
5655 else if (addr->port_op == PF_OP_LE) in expand_label_port()
5657 else if (addr->port_op == PF_OP_GT) in expand_label_port()
5659 else if (addr->port_op == PF_OP_GE) in expand_label_port()
5689 snprintf(n, sizeof(n), "%u", r->nr); in expand_label_nr()
5697 expand_label_if("$if", label, len, r->ifname); in expand_label()
5698 expand_label_addr("$srcaddr", label, len, r->af, &r->src); in expand_label()
5699 expand_label_addr("$dstaddr", label, len, r->af, &r->dst); in expand_label()
5700 expand_label_port("$srcport", label, len, &r->src); in expand_label()
5701 expand_label_port("$dstport", label, len, &r->dst); in expand_label()
5702 expand_label_proto("$proto", label, len, r->proto); in expand_label()
5717 if ((pf->loadopt & PFCTL_FLAG_ALTQ) == 0) { in expand_altq()
5726 if (strlcpy(pa.ifname, interface->ifname, in expand_altq()
5730 if (interface->not) { in expand_altq()
5740 if (pf->opts & PF_OPT_VERBOSE) { in expand_altq()
5741 print_altq(&pf->paltq->altq, 0, in expand_altq()
5743 if (nqueues && nqueues->tail) { in expand_altq()
5748 queue->queue); in expand_altq()
5763 if (strlcat(qname, interface->ifname, in expand_altq()
5769 if (strlcpy(pb.ifname, interface->ifname, in expand_altq()
5790 if (strlcpy(n->parent, qname, in expand_altq()
5791 sizeof(n->parent)) >= in expand_altq()
5792 sizeof(n->parent)) in expand_altq()
5794 if (strlcpy(n->queue, queue->queue, in expand_altq()
5795 sizeof(n->queue)) >= sizeof(n->queue)) in expand_altq()
5797 if (strlcpy(n->ifname, interface->ifname, in expand_altq()
5798 sizeof(n->ifname)) >= sizeof(n->ifname)) in expand_altq()
5800 n->scheduler = pa.scheduler; in expand_altq()
5801 n->next = NULL; in expand_altq()
5802 n->tail = n; in expand_altq()
5806 queues->tail->next = n; in expand_altq()
5807 queues->tail = n; in expand_altq()
5829 if ((pf->loadopt & PFCTL_FLAG_ALTQ) == 0) { in expand_queue()
5835 yyerror("queue %s has no parent", a->qname); in expand_queue()
5842 if (!strncmp(a->qname, tqueue->queue, PF_QNAME_SIZE) && in expand_queue()
5843 (interface->ifname[0] == 0 || in expand_queue()
5844 (!interface->not && !strncmp(interface->ifname, in expand_queue()
5845 tqueue->ifname, IFNAMSIZ)) || in expand_queue()
5846 (interface->not && strncmp(interface->ifname, in expand_queue()
5847 tqueue->ifname, IFNAMSIZ)))) { in expand_queue()
5854 pa.scheduler != tqueue->scheduler) { in expand_queue()
5859 pa.scheduler = tqueue->scheduler; in expand_queue()
5880 if (strlcpy(pa.ifname, tqueue->ifname, in expand_queue()
5883 if (strlcpy(pa.parent, tqueue->parent, in expand_queue()
5893 for (nq = nqueues; nq != NULL; nq = nq->next) { in expand_queue()
5894 if (!strcmp(a->qname, nq->queue)) { in expand_queue()
5904 if (strlcpy(n->parent, a->qname, in expand_queue()
5905 sizeof(n->parent)) >= in expand_queue()
5906 sizeof(n->parent)) in expand_queue()
5908 if (strlcpy(n->queue, nq->queue, in expand_queue()
5909 sizeof(n->queue)) >= in expand_queue()
5910 sizeof(n->queue)) in expand_queue()
5912 if (strlcpy(n->ifname, tqueue->ifname, in expand_queue()
5913 sizeof(n->ifname)) >= in expand_queue()
5914 sizeof(n->ifname)) in expand_queue()
5916 n->scheduler = tqueue->scheduler; in expand_queue()
5917 n->next = NULL; in expand_queue()
5918 n->tail = n; in expand_queue()
5922 queues->tail->next = n; in expand_queue()
5923 queues->tail = n; in expand_queue()
5926 if ((pf->opts & PF_OPT_VERBOSE) && ( in expand_queue()
5927 (found == 1 && interface->ifname[0] == 0) || in expand_queue()
5928 (found > 0 && interface->ifname[0] != 0))) { in expand_queue()
5929 print_queue(&pf->paltq->altq, 0, in expand_queue()
5930 &bwspec, interface->ifname[0] != 0, in expand_queue()
5932 if (nqueues && nqueues->tail) { in expand_queue()
5937 queue->queue); in expand_queue()
5951 yyerror("queue %s has no parent", a->qname); in expand_queue()
5983 if (strlcpy(tagname, r->tagname, sizeof(tagname)) >= sizeof(tagname)) in expand_eth_rule()
5985 if (strlcpy(match_tagname, r->match_tagname, sizeof(match_tagname)) >= in expand_eth_rule()
5988 if (strlcpy(qname, r->qname, sizeof(qname)) >= sizeof(qname)) in expand_eth_rule()
5997 strlcpy(r->ifname, interface->ifname, in expand_eth_rule()
5998 sizeof(r->ifname)); in expand_eth_rule()
5999 r->ifnot = interface->not; in expand_eth_rule()
6000 r->proto = proto->proto; in expand_eth_rule()
6001 if (!r->proto && ipsrc->af) in expand_eth_rule()
6002 r->proto = pf_af_to_proto(ipsrc->af); in expand_eth_rule()
6003 else if (!r->proto && ipdst->af) in expand_eth_rule()
6004 r->proto = pf_af_to_proto(ipdst->af); in expand_eth_rule()
6005 bcopy(src->mac, r->src.addr, ETHER_ADDR_LEN); in expand_eth_rule()
6006 bcopy(src->mask, r->src.mask, ETHER_ADDR_LEN); in expand_eth_rule()
6007 r->src.neg = src->neg; in expand_eth_rule()
6008 r->src.isset = src->isset; in expand_eth_rule()
6009 r->ipsrc.addr = ipsrc->addr; in expand_eth_rule()
6010 r->ipsrc.neg = ipsrc->not; in expand_eth_rule()
6011 r->ipdst.addr = ipdst->addr; in expand_eth_rule()
6012 r->ipdst.neg = ipdst->not; in expand_eth_rule()
6013 bcopy(dst->mac, r->dst.addr, ETHER_ADDR_LEN); in expand_eth_rule()
6014 bcopy(dst->mask, r->dst.mask, ETHER_ADDR_LEN); in expand_eth_rule()
6015 r->dst.neg = dst->neg; in expand_eth_rule()
6016 r->dst.isset = dst->isset; in expand_eth_rule()
6017 r->nr = pf->eastack[pf->asd]->match++; in expand_eth_rule()
6019 if (strlcpy(r->tagname, tagname, sizeof(r->tagname)) >= in expand_eth_rule()
6020 sizeof(r->tagname)) in expand_eth_rule()
6021 errx(1, "expand_eth_rule: r->tagname"); in expand_eth_rule()
6022 if (strlcpy(r->match_tagname, match_tagname, in expand_eth_rule()
6023 sizeof(r->match_tagname)) >= sizeof(r->match_tagname)) in expand_eth_rule()
6024 errx(1, "expand_eth_rule: r->match_tagname"); in expand_eth_rule()
6025 if (strlcpy(r->qname, qname, sizeof(r->qname)) >= sizeof(r->qname)) in expand_eth_rule()
6026 errx(1, "expand_eth_rule: r->qname"); in expand_eth_rule()
6029 strlcpy(r->bridge_to, bridge_to, sizeof(r->bridge_to)); in expand_eth_rule()
6051 sa_family_t af = r->af; in expand_rule()
6061 memcpy(label, r->label, sizeof(r->label)); in expand_rule()
6062 assert(sizeof(r->label) == sizeof(label)); in expand_rule()
6063 if (strlcpy(tagname, r->tagname, sizeof(tagname)) >= sizeof(tagname)) in expand_rule()
6065 if (strlcpy(match_tagname, r->match_tagname, sizeof(match_tagname)) >= in expand_rule()
6068 flags = r->flags; in expand_rule()
6069 flagset = r->flagset; in expand_rule()
6070 keep_state = r->keep_state; in expand_rule()
6083 r->af = af; in expand_rule()
6084 /* for link-local IPv6 address, interface must match up */ in expand_rule()
6085 if ((r->af && src_host->af && r->af != src_host->af) || in expand_rule()
6086 (r->af && dst_host->af && r->af != dst_host->af) || in expand_rule()
6087 (src_host->af && dst_host->af && in expand_rule()
6088 src_host->af != dst_host->af) || in expand_rule()
6089 (src_host->ifindex && dst_host->ifindex && in expand_rule()
6090 src_host->ifindex != dst_host->ifindex) || in expand_rule()
6091 (src_host->ifindex && *interface->ifname && in expand_rule()
6092 src_host->ifindex != if_nametoindex(interface->ifname)) || in expand_rule()
6093 (dst_host->ifindex && *interface->ifname && in expand_rule()
6094 dst_host->ifindex != if_nametoindex(interface->ifname))) in expand_rule()
6096 if (!r->af && src_host->af) in expand_rule()
6097 r->af = src_host->af; in expand_rule()
6098 else if (!r->af && dst_host->af) in expand_rule()
6099 r->af = dst_host->af; in expand_rule()
6101 if (*interface->ifname) in expand_rule()
6102 strlcpy(r->ifname, interface->ifname, in expand_rule()
6103 sizeof(r->ifname)); in expand_rule()
6104 else if (if_indextoname(src_host->ifindex, ifname)) in expand_rule()
6105 strlcpy(r->ifname, ifname, sizeof(r->ifname)); in expand_rule()
6106 else if (if_indextoname(dst_host->ifindex, ifname)) in expand_rule()
6107 strlcpy(r->ifname, ifname, sizeof(r->ifname)); in expand_rule()
6109 memset(r->ifname, '\0', sizeof(r->ifname)); in expand_rule()
6111 memcpy(r->label, label, sizeof(r->label)); in expand_rule()
6112 if (strlcpy(r->tagname, tagname, sizeof(r->tagname)) >= in expand_rule()
6113 sizeof(r->tagname)) in expand_rule()
6115 if (strlcpy(r->match_tagname, match_tagname, in expand_rule()
6116 sizeof(r->match_tagname)) >= sizeof(r->match_tagname)) in expand_rule()
6120 if (src_host->addr.type == PF_ADDR_DYNIFTL) { in expand_rule()
6122 if ((src_host = gen_dynnode(src_host, r->af)) == NULL) in expand_rule()
6125 if (dst_host->addr.type == PF_ADDR_DYNIFTL) { in expand_rule()
6127 if ((dst_host = gen_dynnode(dst_host, r->af)) == NULL) in expand_rule()
6131 error += check_netmask(src_host, r->af); in expand_rule()
6132 error += check_netmask(dst_host, r->af); in expand_rule()
6134 r->ifnot = interface->not; in expand_rule()
6135 r->proto = proto->proto; in expand_rule()
6136 r->src.addr = src_host->addr; in expand_rule()
6137 r->src.neg = src_host->not; in expand_rule()
6138 r->src.port[0] = src_port->port[0]; in expand_rule()
6139 r->src.port[1] = src_port->port[1]; in expand_rule()
6140 r->src.port_op = src_port->op; in expand_rule()
6141 r->dst.addr = dst_host->addr; in expand_rule()
6142 r->dst.neg = dst_host->not; in expand_rule()
6143 r->dst.port[0] = dst_port->port[0]; in expand_rule()
6144 r->dst.port[1] = dst_port->port[1]; in expand_rule()
6145 r->dst.port_op = dst_port->op; in expand_rule()
6146 r->uid.op = uid->op; in expand_rule()
6147 r->uid.uid[0] = uid->uid[0]; in expand_rule()
6148 r->uid.uid[1] = uid->uid[1]; in expand_rule()
6149 r->gid.op = gid->op; in expand_rule()
6150 r->gid.gid[0] = gid->gid[0]; in expand_rule()
6151 r->gid.gid[1] = gid->gid[1]; in expand_rule()
6153 strlcpy(r->rcv_ifname, rcv->ifname, in expand_rule()
6154 sizeof(r->rcv_ifname)); in expand_rule()
6156 r->type = icmp_type->type; in expand_rule()
6157 r->code = icmp_type->code; in expand_rule()
6161 r->proto && r->proto != IPPROTO_TCP) in expand_rule()
6162 r->keep_state = PF_STATE_NORMAL; in expand_rule()
6164 r->keep_state = keep_state; in expand_rule()
6166 if (r->proto && r->proto != IPPROTO_TCP) { in expand_rule()
6167 r->flags = 0; in expand_rule()
6168 r->flagset = 0; in expand_rule()
6170 r->flags = flags; in expand_rule()
6171 r->flagset = flagset; in expand_rule()
6173 if (icmp_type->proto && r->proto != icmp_type->proto) { in expand_rule()
6174 yyerror("icmp-type mismatch"); in expand_rule()
6178 if (src_os && src_os->os) { in expand_rule()
6179 r->os_fingerprint = pfctl_get_fingerprint(src_os->os); in expand_rule()
6180 if ((pf->opts & PF_OPT_VERBOSE2) && in expand_rule()
6181 r->os_fingerprint == PF_OSFP_NOMATCH) in expand_rule()
6184 src_os->os); in expand_rule()
6186 r->os_fingerprint = PF_OSFP_ANY; in expand_rule()
6189 TAILQ_INIT(&r->rpool.list); in expand_rule()
6190 for (h = rpool_hosts; h != NULL; h = h->next) { in expand_rule()
6194 pa->addr = h->addr; in expand_rule()
6195 if (h->ifname != NULL) { in expand_rule()
6196 if (strlcpy(pa->ifname, h->ifname, in expand_rule()
6197 sizeof(pa->ifname)) >= in expand_rule()
6198 sizeof(pa->ifname)) in expand_rule()
6201 pa->ifname[0] = 0; in expand_rule()
6202 TAILQ_INSERT_TAIL(&r->rpool.list, pa, entries); in expand_rule()
6208 r->nr = pf->astack[pf->asd]->match++; in expand_rule()
6213 if (osrch && src_host->addr.type == PF_ADDR_DYNIFTL) { in expand_rule()
6217 if (odsth && dst_host->addr.type == PF_ADDR_DYNIFTL) { in expand_rule()
6245 if (!interfaces || (!interfaces->next && !interfaces->not && in expand_skip_interface()
6246 !strcmp(interfaces->ifname, "none"))) { in expand_skip_interface()
6247 if (pf->opts & PF_OPT_VERBOSE) in expand_skip_interface()
6253 if (pf->opts & PF_OPT_VERBOSE) in expand_skip_interface()
6256 if (pf->opts & PF_OPT_VERBOSE) in expand_skip_interface()
6257 printf(" %s", interface->ifname); in expand_skip_interface()
6258 if (interface->not) { in expand_skip_interface()
6263 interface->ifname, PFI_IFLAG_SKIP, 1); in expand_skip_interface()
6265 if (pf->opts & PF_OPT_VERBOSE) in expand_skip_interface()
6300 return (strcmp(k, ((const struct keywords *)e)->k_name)); in kw_cmp()
6309 { "allow-opts", ALLOWOPTS}, in lookup()
6316 { "binat-anchor", BINATANCHOR}, in lookup()
6319 { "block-policy", BLOCKPOLICY}, in lookup()
6320 { "bridge-to", BRIDGE_TO}, in lookup()
6326 { "divert-reply", DIVERTREPLY}, in lookup()
6327 { "divert-to", DIVERTTO}, in lookup()
6331 { "dup-to", DUPTO}, in lookup()
6332 { "endpoint-independent", ENDPI}, in lookup()
6334 { "fail-policy", FAILPOLICY}, in lookup()
6350 { "icmp-type", ICMPTYPE}, in lookup()
6351 { "icmp6-type", ICMP6TYPE}, in lookup()
6352 { "if-bound", IFBOUND}, in lookup()
6367 { "map-e-portset", MAPEPORTSET}, in lookup()
6368 { "match", MATCH}, in lookup()
6371 { "max-mss", MAXMSS}, in lookup()
6372 { "max-src-conn", MAXSRCCONN}, in lookup()
6373 { "max-src-conn-rate", MAXSRCCONNRATE}, in lookup()
6374 { "max-src-nodes", MAXSRCNODES}, in lookup()
6375 { "max-src-states", MAXSRCSTATES}, in lookup()
6376 { "min-ttl", MINTTL}, in lookup()
6379 { "nat-anchor", NATANCHOR}, in lookup()
6381 { "no-df", NODF}, in lookup()
6382 { "no-route", NOROUTE}, in lookup()
6383 { "no-sync", NOSYNC}, in lookup()
6401 { "random-id", RANDOMID}, in lookup()
6403 { "rdr-anchor", RDRANCHOR}, in lookup()
6406 { "received-on", RECEIVEDON}, in lookup()
6407 { "reply-to", REPLYTO}, in lookup()
6408 { "require-order", REQUIREORDER}, in lookup()
6410 { "return-icmp", RETURNICMP}, in lookup()
6411 { "return-icmp6", RETURNICMP6}, in lookup()
6412 { "return-rst", RETURNRST}, in lookup()
6414 { "round-robin", ROUNDROBIN}, in lookup()
6416 { "route-to", ROUTETO}, in lookup()
6419 { "ruleset-optimization", RULESET_OPTIMIZATION}, in lookup()
6422 { "set-tos", SETTOS}, in lookup()
6425 { "source-hash", SOURCEHASH}, in lookup()
6426 { "source-track", SOURCETRACK}, in lookup()
6428 { "state-defaults", STATEDEFAULTS}, in lookup()
6429 { "state-policy", STATEPOLICY}, in lookup()
6430 { "static-port", STATICPORT}, in lookup()
6431 { "sticky-address", STICKYADDRESS}, in lookup()
6444 { "urpf-failed", URPFFAILED}, in lookup()
6454 fprintf(stderr, "%s: %d\n", s, p->k_val); in lookup()
6455 return (p->k_val); in lookup()
6487 return (pushback_buffer[--pushback_index]); in lgetc()
6490 if ((c = getc(file->stream)) == EOF) { in lgetc()
6499 while ((c = getc(file->stream)) == '\\') { in lgetc()
6500 next = getc(file->stream); in lgetc()
6505 yylval.lineno = file->lineno; in lgetc()
6506 file->lineno++; in lgetc()
6512 c = getc(file->stream); in lgetc()
6523 parseindex--; in lungetc()
6527 if (pushback_index < MAXPUSHBACK-1) in lungetc()
6543 c = pushback_buffer[--pushback_index]; in findeol()
6547 file->lineno++; in findeol()
6569 yylval.lineno = file->lineno; in yylex()
6578 if (p + 1 >= buf + sizeof(buf) - 1) { in yylex()
6608 file->lineno++; in yylex()
6616 file->lineno++; in yylex()
6625 if (p + 1 >= buf + sizeof(buf) - 1) { in yylex()
6659 case '-': in yylex()
6670 if (c == '-' || isdigit(c)) { in yylex()
6673 if ((unsigned)(p-buf) >= sizeof(buf)) { in yylex()
6679 if (p == buf + 1 && buf[0] == '-') in yylex()
6696 lungetc(*--p); in yylex()
6697 c = *--p; in yylex()
6698 if (c == '-') in yylex()
6712 if ((unsigned)(p-buf) >= sizeof(buf)) { in yylex()
6725 yylval.lineno = file->lineno; in yylex()
6726 file->lineno++; in yylex()
6740 return (-1); in check_file_secrecy()
6744 return (-1); in check_file_secrecy()
6748 return (-1); in check_file_secrecy()
6759 (nfile->name = strdup(name)) == NULL) { in pushfile()
6763 if (TAILQ_FIRST(&files) == NULL && strcmp(nfile->name, "-") == 0) { in pushfile()
6764 nfile->stream = stdin; in pushfile()
6765 free(nfile->name); in pushfile()
6766 if ((nfile->name = strdup("stdin")) == NULL) { in pushfile()
6771 } else if ((nfile->stream = fopen(nfile->name, "r")) == NULL) { in pushfile()
6772 warn("%s", nfile->name); in pushfile()
6773 free(nfile->name); in pushfile()
6777 check_file_secrecy(fileno(nfile->stream), nfile->name)) { in pushfile()
6778 fclose(nfile->stream); in pushfile()
6779 free(nfile->name); in pushfile()
6783 nfile->lineno = 1; in pushfile()
6794 prev->errors += file->errors; in popfile()
6796 fclose(file->stream); in popfile()
6797 free(file->name); in popfile()
6823 return (-1); in parse_config()
6827 errors = file->errors; in parse_config()
6832 if ((pf->opts & PF_OPT_VERBOSE2) && !sym->used) in parse_config()
6834 "used\n", sym->nam); in parse_config()
6835 free(sym->nam); in parse_config()
6836 free(sym->val); in parse_config()
6841 return (errors ? -1 : 0); in parse_config()
6849 for (sym = TAILQ_FIRST(&symhead); sym && strcmp(nam, sym->nam); in symset()
6854 if (sym->persist == 1) in symset()
6857 free(sym->nam); in symset()
6858 free(sym->val); in symset()
6864 return (-1); in symset()
6866 sym->nam = strdup(nam); in symset()
6867 if (sym->nam == NULL) { in symset()
6869 return (-1); in symset()
6871 sym->val = strdup(val); in symset()
6872 if (sym->val == NULL) { in symset()
6873 free(sym->nam); in symset()
6875 return (-1); in symset()
6877 sym->used = 0; in symset()
6878 sym->persist = persist; in symset()
6890 return (-1); in pfctl_cmdline_symset()
6892 if ((sym = malloc(strlen(s) - strlen(val) + 1)) == NULL) in pfctl_cmdline_symset()
6895 strlcpy(sym, s, strlen(s) - strlen(val) + 1); in pfctl_cmdline_symset()
6909 if (strcmp(nam, sym->nam) == 0) { in symget()
6910 sym->used = 1; in symget()
6911 return (sym->val); in symget()
6923 while ((r = TAILQ_FIRST(src->rules[i].active.ptr)) in mv_rules()
6925 TAILQ_REMOVE(src->rules[i].active.ptr, r, entries); in mv_rules()
6926 TAILQ_INSERT_TAIL(dst->rules[i].active.ptr, r, entries); in mv_rules()
6927 dst->anchor->match++; in mv_rules()
6929 src->anchor->match = 0; in mv_rules()
6930 while ((r = TAILQ_FIRST(src->rules[i].inactive.ptr)) in mv_rules()
6932 TAILQ_REMOVE(src->rules[i].inactive.ptr, r, entries); in mv_rules()
6933 TAILQ_INSERT_TAIL(dst->rules[i].inactive.ptr, in mv_rules()
6944 while ((r = TAILQ_FIRST(&src->rules)) != NULL) { in mv_eth_rules()
6945 TAILQ_REMOVE(&src->rules, r, entries); in mv_eth_rules()
6946 TAILQ_INSERT_TAIL(&dst->rules, r, entries); in mv_eth_rules()
6947 dst->anchor->match++; in mv_eth_rules()
6949 src->anchor->match = 0; in mv_eth_rules()
6957 *af = n->af; in decide_address_family()
6958 while ((n = n->next) != NULL) { in decide_address_family()
6959 if (n->af != *af) { in decide_address_family()
6972 if (*af && n->af && n->af != *af) { in remove_invalid_hosts()
6974 struct node_host *next = n->next; in remove_invalid_hosts()
6977 if (n == (*nh)->tail) in remove_invalid_hosts()
6978 (*nh)->tail = prev; in remove_invalid_hosts()
6983 prev->next = next; in remove_invalid_hosts()
6985 if (n->ifname != NULL) in remove_invalid_hosts()
6986 free(n->ifname); in remove_invalid_hosts()
6990 if (n->af && !*af) in remove_invalid_hosts()
6991 *af = n->af; in remove_invalid_hosts()
6993 n = n->next; in remove_invalid_hosts()
7005 for (n = nh; n != NULL; n = n->next) { in invalid_redirect()
7006 if (n->addr.type != PF_ADDR_TABLE && in invalid_redirect()
7007 n->addr.type != PF_ADDR_DYNIFTL) { in invalid_redirect()
7032 return (-1); in atoul()
7034 return (-1); in atoul()
7048 return (-1); in getservice()
7059 return (-1); in getservice()
7061 return (s->s_port); in getservice()
7072 if (strlcpy(r->label[i], s[i], sizeof(r->label[0])) >= in rule_label()
7073 sizeof(r->label[0])) { in rule_label()
7075 sizeof(r->label[0])-1); in rule_label()
7076 return (-1); in rule_label()
7089 if (strlcpy(r->label[i], s[i], sizeof(r->label[0])) >= in eth_rule_label()
7090 sizeof(r->label[0])) { in eth_rule_label()
7092 sizeof(r->label[0])-1); in eth_rule_label()
7093 return (-1); in eth_rule_label()
7111 if (atoul(w, &ulval) == -1) { in parseicmpspec()
7116 ulval = p->code; in parseicmpspec()
7131 if ((r->a = getservice(port)) == -1) in parseport()
7132 return (-1); in parseport()
7133 r->b = 0; in parseport()
7134 r->t = PF_OP_NONE; in parseport()
7139 if ((r->a = getservice(port)) == -1) in parseport()
7140 return (-1); in parseport()
7141 r->b = 0; in parseport()
7142 r->t = PF_OP_IRG; in parseport()
7147 if ((r->a = getservice(port)) == -1 || in parseport()
7148 (r->b = getservice(p)) == -1) in parseport()
7149 return (-1); in parseport()
7150 if (r->a == r->b) { in parseport()
7151 r->b = 0; in parseport()
7152 r->t = PF_OP_NONE; in parseport()
7154 r->t = PF_OP_RRG; in parseport()
7157 return (-1); in parseport()
7166 if (pf->opts & PF_OPT_VERBOSE) in pfctl_load_anchors()
7168 la->anchorname, la->filename); in pfctl_load_anchors()
7169 if (pfctl_rules(dev, la->filename, pf->opts, pf->optimize, in pfctl_load_anchors()
7170 la->anchorname, trans) == -1) in pfctl_load_anchors()
7171 return (-1); in pfctl_load_anchors()
7180 return (strcasecmp(k, ((const struct keywords *)e)->k_name)); in kw_casecmp()
7223 *val = p->k_val; in map_tos()
7236 if (sysctlbyname("net.fibs", &fibs, &l, NULL, 0) == -1) in rt_tableid_max()
7243 return (fibs - 1); in rt_tableid_max()
7259 &m->mac[0], &m->mac[1], &m->mac[2], &m->mac[3], &m->mac[4], in node_mac_from_string()
7260 &m->mac[5]) != 6) { in node_mac_from_string()
7266 memset(m->mask, 0xff, ETHER_ADDR_LEN); in node_mac_from_string()
7267 m->isset = true; in node_mac_from_string()
7268 m->next = NULL; in node_mac_from_string()
7269 m->tail = m; in node_mac_from_string()
7280 yyerror("invalid MAC mask length"); in node_mac_from_string_masklen()
7288 memset(m->mask, 0, ETHER_ADDR_LEN); in node_mac_from_string_masklen()
7290 m->mask[i / 8] |= 1 << (i % 8); in node_mac_from_string_masklen()
7296 node_mac_from_string_mask(const char *str, const char *mask) in node_mac_from_string_mask() argument
7304 if (sscanf(mask, "%02hhx:%02hhx:%02hhx:%02hhx:%02hhx:%02hhx", in node_mac_from_string_mask()
7305 &m->mask[0], &m->mask[1], &m->mask[2], &m->mask[3], &m->mask[4], in node_mac_from_string_mask()
7306 &m->mask[5]) != 6) { in node_mac_from_string_mask()
7308 yyerror("invalid MAC mask"); in node_mac_from_string_mask()