1 
2 /*
3  * Copyright (C) 2012 by Darren Reed.
4  *
5  * See the IPFILTER.LICENCE file for details on licencing.
6  */
7 %{
#include "ipf.h"
#include <sys/ioctl.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <err.h>
#ifdef IPFILTER_BPF
# include <pcap.h>
#endif
#include "netinet/ip_pool.h"
#include "netinet/ip_htable.h"
#include "netinet/ipl.h"
#include "ipf_l.h"
19 
#define	YYDEBUG	1
/*
 * Iterate over the rules of the current "{...}" set.  DOALL() starts at
 * the first rule of the set (frc); DOREM() starts at whatever rule `fr'
 * currently points to.  Both run until the list ends, so `fr' is NULL
 * after either macro; actions that need the current rule again must
 * re-derive it (the from/to rules below do `if (fr == NULL) fr = frc').
 */
#define	DOALL(x)	for (fr = frc; fr != NULL; fr = fr->fr_next) { x }
#define	DOREM(x)	for (; fr != NULL; fr = fr->fr_next) { x }

extern	void	yyerror(char *);
extern	int	yyparse(void);
extern	int	yylex(void);
extern	int	yydebug;
extern	FILE	*yyin;
extern	int	yylineNum;

static	int	addname(frentry_t **, char *);
static	frentry_t *addrule(void);
static frentry_t *allocfr(void);
static	void	build_dstaddr_af(frentry_t *, void *);
static	void	build_srcaddr_af(frentry_t *, void *);
static	void	dobpf(int, char *);
static	void	doipfexpr(char *);
static	void	do_tuneint(char *, int);
static	void	do_tunestr(char *, char *);
static	void	fillgroup(frentry_t *);
static	int	lookuphost(char *, i6addr_t *);
static	u_int	makehash(struct alist_s *);
static	int	makepool(struct alist_s *);
static	struct	alist_s	*newalist(struct alist_s *);
static	void	newrule(void);
static	void	resetaddr(void);
static	void	setgroup(frentry_t **, char *);
static	void	setgrhead(frentry_t **, char *);
static	void	seticmphead(frentry_t **, char *);
static	void	setifname(frentry_t **, int, char *);
static	void	setipftype(void);
static	void	setsyslog(void);
static	void	unsetsyslog(void);

/*
 * Rule-list state shared by the grammar actions:
 *   fr    - rule currently being filled in
 *   frc   - first rule of the current set (DOALL() restarts here)
 *   frtop - finished rules not yet passed to ipfaddfunc (see line:)
 *   frold - rules already handed over; line: pushes them here and
 *           nothing in this section frees them
 */
frentry_t	*fr = NULL, *frc = NULL, *frtop = NULL, *frold = NULL;

static	int		ifpflag = 0;	/* FRI_* kind of the address being parsed */
static	int		nowith = 0;	/* cleared by "with"/"and" (andwith) */
static	int		dynamic = -1;	/* used as ifpos by ipaddr; set outside this section */
static	int		pooled = 0;	/* an address term referenced a pool */
static	int		hashed = 0;	/* an address term referenced a hash table */
static	int		nrules = 0;	/* total of `added' folded in by lend */
static	int		newlist = 0;	/* set by lstart, cleared on the first lmore */
static	int		added = 0;	/* reset by lstart; counted outside this section */
static	int		ipffd = -1;	/* descriptor handed to ipfaddfunc */
static	int		*yycont = NULL;	/* points at yyexpectaddr while an address is expected */
static	ioctlfunc_t	ipfioctls[IPL_LOGSIZE];
/*
 * Callback that receives every finished rule (see line:).  It starts
 * out NULL and nothing in this section installs it, so the code that
 * drives yyparse() must do so first.
 */
static	addfunc_t	ipfaddfunc = NULL;
69 
70 %}
71 %union	{
72 	char	*str;
73 	u_32_t	num;
74 	frentry_t	fr;
75 	frtuc_t	*frt;
76 	struct	alist_s	*alist;
77 	u_short	port;
78 	struct	in_addr	ip4;
79 	struct	{
80 		u_short	p1;
81 		u_short	p2;
82 		int	pc;
83 	} pc;
84 	struct ipp_s {
85 		int		type;
86 		int		ifpos;
87 		int		f;
88 		int		v;
89 		int		lif;
90 		union	i6addr	a;
91 		union	i6addr	m;
92 		char		*name;
93 	} ipp;
94 	struct	{
95 		i6addr_t	adr;
96 		int		f;
97 	} adr;
98 	i6addr_t	ip6;
99 	struct	{
100 		char	*if1;
101 		char	*if2;
102 	} ifs;
103 	char	gname[FR_GROUPLEN];
104 };
105 
106 %type	<port>	portnum
107 %type	<num>	facility priority icmpcode seclevel secname icmptype
108 %type	<num>	opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr
109 %type	<num>	portc porteq ipmask maskopts
110 %type	<ip4>	ipv4 ipv4_16 ipv4_24
111 %type	<adr>	hostname
112 %type	<ipp>	addr ipaddr
113 %type	<str>	servicename name interfacename groupname
114 %type	<pc>	portrange portcomp
115 %type	<alist>	addrlist poollist
116 %type	<ifs>	onname
117 
118 %token	<num>	YY_NUMBER YY_HEX
119 %token	<str>	YY_STR
120 %token		YY_COMMENT
121 %token		YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
122 %token		YY_RANGE_OUT YY_RANGE_IN
123 %token	<ip6>	YY_IPV6
124 
125 %token	IPFY_SET
126 %token	IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL IPFY_NOMATCH
127 %token	IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST
128 %token	IPFY_IN IPFY_OUT
129 %token	IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA
130 %token	IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO IPFY_ROUTETO
131 %token	IPFY_TOS IPFY_TTL IPFY_PROTO IPFY_INET IPFY_INET6
132 %token	IPFY_HEAD IPFY_GROUP
133 %token	IPFY_AUTH IPFY_PREAUTH
134 %token	IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK IPFY_L5AS
135 %token	IPFY_LOGTAG IPFY_MATCHTAG IPFY_SETTAG IPFY_SKIP IPFY_DECAPS
136 %token	IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPFV4 IPFY_BPFV6 IPFY_POOL IPFY_HASH
137 %token	IPFY_IPFEXPR IPFY_PPS IPFY_FAMILY IPFY_DSTLIST
138 %token	IPFY_ESP IPFY_AH
139 %token	IPFY_WITH IPFY_AND IPFY_NOT IPFY_NO IPFY_OPT
140 %token	IPFY_TCPUDP IPFY_TCP IPFY_UDP
141 %token	IPFY_FLAGS IPFY_MULTICAST
142 %token	IPFY_MASK IPFY_BROADCAST IPFY_NETWORK IPFY_NETMASKED IPFY_PEER
143 %token	IPFY_RPC IPFY_PORT
144 %token	IPFY_NOW IPFY_COMMENT IPFY_RULETTL
145 %token	IPFY_ICMP IPFY_ICMPTYPE IPFY_ICMPCODE
146 %token	IPFY_IPOPTS IPFY_SHORT IPFY_NAT IPFY_BADSRC IPFY_LOWTTL IPFY_FRAG
147 %token	IPFY_MBCAST IPFY_BAD IPFY_BADNAT IPFY_OOW IPFY_NEWISN IPFY_NOICMPERR
148 %token	IPFY_KEEP IPFY_STATE IPFY_FRAGS IPFY_LIMIT IPFY_STRICT IPFY_AGE
149 %token	IPFY_SYNC IPFY_FRAGBODY IPFY_ICMPHEAD IPFY_NOLOG IPFY_LOOSE
150 %token	IPFY_MAX_SRCS IPFY_MAX_PER_SRC
151 %token	IPFY_IPOPT_NOP IPFY_IPOPT_RR IPFY_IPOPT_ZSU IPFY_IPOPT_MTUP
152 %token	IPFY_IPOPT_MTUR IPFY_IPOPT_ENCODE IPFY_IPOPT_TS IPFY_IPOPT_TR
153 %token	IPFY_IPOPT_SEC IPFY_IPOPT_LSRR IPFY_IPOPT_ESEC IPFY_IPOPT_CIPSO
154 %token	IPFY_IPOPT_SATID IPFY_IPOPT_SSRR IPFY_IPOPT_ADDEXT IPFY_IPOPT_VISA
155 %token	IPFY_IPOPT_IMITD IPFY_IPOPT_EIP IPFY_IPOPT_FINN IPFY_IPOPT_DPS
156 %token	IPFY_IPOPT_SDB IPFY_IPOPT_NSAPA IPFY_IPOPT_RTRALRT IPFY_IPOPT_UMP
157 %token	IPFY_SECCLASS IPFY_SEC_UNC IPFY_SEC_CONF IPFY_SEC_RSV1 IPFY_SEC_RSV2
158 %token	IPFY_SEC_RSV4 IPFY_SEC_SEC IPFY_SEC_TS IPFY_SEC_RSV3 IPFY_DOI
159 
160 %token	IPFY_V6HDRS IPFY_IPV6OPT IPFY_IPV6OPT_DSTOPTS IPFY_IPV6OPT_HOPOPTS
161 %token	IPFY_IPV6OPT_IPV6 IPFY_IPV6OPT_NONE IPFY_IPV6OPT_ROUTING IPFY_V6HDR
162 %token	IPFY_IPV6OPT_MOBILITY IPFY_IPV6OPT_ESP IPFY_IPV6OPT_FRAG
163 
164 %token	IPFY_ICMPT_UNR IPFY_ICMPT_ECHO IPFY_ICMPT_ECHOR IPFY_ICMPT_SQUENCH
165 %token	IPFY_ICMPT_REDIR IPFY_ICMPT_TIMEX IPFY_ICMPT_PARAMP IPFY_ICMPT_TIMEST
166 %token	IPFY_ICMPT_TIMESTREP IPFY_ICMPT_INFOREQ IPFY_ICMPT_INFOREP
167 %token	IPFY_ICMPT_MASKREQ IPFY_ICMPT_MASKREP IPFY_ICMPT_ROUTERAD
168 %token	IPFY_ICMPT_ROUTERSOL
169 
170 %token	IPFY_ICMPC_NETUNR IPFY_ICMPC_HSTUNR IPFY_ICMPC_PROUNR IPFY_ICMPC_PORUNR
171 %token	IPFY_ICMPC_NEEDF IPFY_ICMPC_SRCFAIL IPFY_ICMPC_NETUNK IPFY_ICMPC_HSTUNK
172 %token	IPFY_ICMPC_ISOLATE IPFY_ICMPC_NETPRO IPFY_ICMPC_HSTPRO
173 %token	IPFY_ICMPC_NETTOS IPFY_ICMPC_HSTTOS IPFY_ICMPC_FLTPRO IPFY_ICMPC_HSTPRE
174 %token	IPFY_ICMPC_CUTPRE
175 
176 %token	IPFY_FAC_KERN IPFY_FAC_USER IPFY_FAC_MAIL IPFY_FAC_DAEMON IPFY_FAC_AUTH
177 %token	IPFY_FAC_SYSLOG IPFY_FAC_LPR IPFY_FAC_NEWS IPFY_FAC_UUCP IPFY_FAC_CRON
178 %token	IPFY_FAC_LOCAL0 IPFY_FAC_LOCAL1 IPFY_FAC_LOCAL2 IPFY_FAC_LOCAL3
179 %token	IPFY_FAC_LOCAL4 IPFY_FAC_LOCAL5 IPFY_FAC_LOCAL6 IPFY_FAC_LOCAL7
180 %token	IPFY_FAC_SECURITY IPFY_FAC_FTP IPFY_FAC_AUTHPRIV IPFY_FAC_AUDIT
181 %token	IPFY_FAC_LFMT IPFY_FAC_CONSOLE
182 
183 %token	IPFY_PRI_EMERG IPFY_PRI_ALERT IPFY_PRI_CRIT IPFY_PRI_ERR IPFY_PRI_WARN
184 %token	IPFY_PRI_NOTICE IPFY_PRI_INFO IPFY_PRI_DEBUG
185 %%
186 file:	settings rules
187 	| rules
188 	;
189 
190 settings:
191 	YY_COMMENT
192 	| setting
193 	| settings setting
194 	;
195 
196 rules:	line
197 	| assign
198 	| rules line
199 	| rules assign
200 	;
201 
/*
 * "set <name> <value>;" tunable lines that precede the rules.  YY_STR
 * values are heap strings (other rules free() them); here they are
 * handed to do_tuneint()/do_tunestr() (defined later in this file) and
 * not freed, so those must take ownership - confirm.
 */
setting:
	IPFY_SET YY_STR YY_NUMBER ';'	{ do_tuneint($2, $3); }
	| IPFY_SET YY_STR YY_HEX ';'	{ do_tuneint($2, $3); }
	| IPFY_SET YY_STR YY_STR ';'	{ do_tunestr($2, $3); }
	;
207 
/*
 * One complete rule line.  Every rule queued on frtop (one entry per
 * rule of a "{...}" set) is detached, handed to the add callback and
 * then pushed onto frold.  An ipf-type rule with no IP version set also
 * gets its version mask cleared (presumably so the version is not
 * compared at all).
 */
line:	rule		{ while ((fr = frtop) != NULL) {
				frtop = fr->fr_next;
				fr->fr_next = NULL;
				if ((fr->fr_type == FR_T_IPF) &&
				    (fr->fr_ip.fi_v == 0))
					fr->fr_mip.fi_v = 0;
				/*
				 * XXX validate ?  The rule goes out as
				 * parsed; no consistency check is done
				 * here.  NOTE(review): ipfaddfunc is NULL
				 * until installed by the caller of
				 * yyparse() (outside this section) - a
				 * rule parsed before that would be a
				 * NULL call.
				 */
				(*ipfaddfunc)(ipffd, ipfioctls[IPL_LOGIPF], fr);
				fr->fr_next = frold;
				frold = fr;
			  }
			  resetlexer();
			}
	| YY_COMMENT
	;
223 
224 xx:					{ newrule(); }
225 	;
226 
/*
 * "<name> = <value>;" variable assignment, stored by set_variable()
 * (declared outside this section).  Both strings are owned here and
 * freed afterwards.  yyvarnext is a lexer-side flag raised while the
 * '=' is parsed (see assigning); its effect on the lexer is not visible
 * here.
 */
assign:	YY_STR assigning YY_STR ';'	{ set_variable($1, $3);
					  resetlexer();
					  free($1);
					  free($3);
					  yyvarnext = 0;
					}
	;
234 
235 assigning:
236 	'='				{ yyvarnext = 1; }
237 	;
238 
239 rule:	inrule eol
240 	| outrule eol
241 	;
242 
243 eol:	| ';'
244 	;
245 
246 inrule:
247 	rulehead markin inopts rulemain ruletail intag ruletail2
248 	;
249 
250 outrule:
251 	rulehead markout outopts rulemain ruletail outtag ruletail2
252 	;
253 
254 rulehead:
255 	xx collection action
256 	| xx insert collection action
257 	;
258 
259 markin:	IPFY_IN				{ fr->fr_flags |= FR_INQUE; }
260 	;
261 
262 markout:
263 	IPFY_OUT			{ fr->fr_flags |= FR_OUTQUE; }
264 	;
265 
266 rulemain:
267 	ipfrule
268 	| bpfrule
269 	| exprrule
270 	;
271 
272 ipfrule:
273 	family tos ttl proto ip
274 	;
275 
/*
 * Optional address family of the rule.  use_inet6 (set by the driver,
 * outside this section) gates what is accepted: 1 rejects "inet", -1
 * rejects "inet6", any other value allows both.  YYERROR aborts the
 * parse rather than silently dropping the family.
 */
family:	| IPFY_FAMILY IPFY_INET		{ if (use_inet6 == 1) {
						YYERROR;
					  } else {
						frc->fr_family = AF_INET;
					  }
					}
	| IPFY_INET			{ if (use_inet6 == 1) {
						YYERROR;
					  } else {
						frc->fr_family = AF_INET;
					  }
					}
	| IPFY_FAMILY IPFY_INET6	{ if (use_inet6 == -1) {
						YYERROR;
					  } else {
						frc->fr_family = AF_INET6;
					  }
					}
	| IPFY_INET6			{ if (use_inet6 == -1) {
						YYERROR;
					  } else {
						frc->fr_family = AF_INET6;
					  }
					}
	;
301 
/*
 * "bpf-v4 { <text> }" / "bpf-v6 { <text> }": the match expression is
 * handed to dobpf() (defined later in this file) and the lexer's copy
 * of the text is released here.
 */
bpfrule:
	IPFY_BPFV4 '{' YY_STR '}' 	{ dobpf(4, $3); free($3); }
	| IPFY_BPFV6 '{' YY_STR '}' 	{ dobpf(6, $3); free($3); }
	;
306 
/*
 * "ipf-expr { <text> }": hand the expression to doipfexpr() (defined
 * later in this file).  NOTE(review): unlike bpfrule, $3 is not freed
 * here; unless doipfexpr() takes ownership of the string, this leaks
 * one allocation per rule - confirm against its definition.
 */
exprrule:
	IPFY_IPFEXPR '{' YY_STR '}'	{ doipfexpr($3); }
	;
310 
311 ruletail:
312 	with keep head group
313 	;
314 
315 ruletail2:
316 	pps age new rulettl comment
317 	;
318 
319 intag:	settagin matchtagin
320 	;
321 
322 outtag:	settagout matchtagout
323 	;
324 
/*
 * "@<n>" before the action: a position for the rule.  The hit counter
 * field carries it as n + 1; presumably the add callback or the kernel
 * treats a nonzero fr_hits on add as an insertion point (not visible
 * here).
 */
insert:
	'@' YY_NUMBER			{ fr->fr_hits = (U_QUAD_T)$2 + 1; }
	;
328 
329 collection:
330 	| YY_NUMBER			{ fr->fr_collect = $1; }
331 	;
332 
/*
 * The rule action.  Each alternative sets one or more FR_* flag bits on
 * the current rule; "skip <n>" and "call <fn>/<arg>" also record their
 * argument in fr_arg (the latter via func).
 */
action:	block
	| IPFY_PASS			{ fr->fr_flags |= FR_PASS; }
	| IPFY_NOMATCH			{ fr->fr_flags |= FR_NOMATCH; }
	| log
	| IPFY_COUNT			{ fr->fr_flags |= FR_ACCOUNT; }
	| decaps			{ fr->fr_flags |= FR_DECAPSULATE; }
	| auth
	| IPFY_SKIP YY_NUMBER		{ fr->fr_flags |= FR_SKIP;
					  fr->fr_arg = $2; }
	| IPFY_CALL func
	| IPFY_CALL IPFY_NOW func	{ fr->fr_flags |= FR_CALLNOW; }
	;
345 
346 block:	blocked
347 	| blocked blockreturn
348 	;
349 
/*
 * "block".  Note this assigns fr_flags rather than OR-ing into it, so
 * any flag bit already set on the rule at this point is discarded
 * (every other action in this file uses |=).
 */
blocked:
	IPFY_BLOCK			{ fr->fr_flags = FR_BLOCK; }
	;
/*
 * What to send back for a blocked packet: an ICMP error (optionally
 * with an explicit code, see returncode), an ICMP error flagged
 * FR_FAKEICMP (the "as dst" keyword suggests it is sourced from the
 * destination address), or a TCP RST.
 */
blockreturn:
	IPFY_RETICMP			{ fr->fr_flags |= FR_RETICMP; }
	| IPFY_RETICMP returncode	{ fr->fr_flags |= FR_RETICMP; }
	| IPFY_RETICMPASDST		{ fr->fr_flags |= FR_FAKEICMP; }
	| IPFY_RETICMPASDST returncode	{ fr->fr_flags |= FR_FAKEICMP; }
	| IPFY_RETRST			{ fr->fr_flags |= FR_RETRST; }
	;
360 
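/*
 * "decapsulate" action, optionally qualified with "l5as(<number>)";
 * the number (a layer-5 protocol, as the token name suggests) is
 * stored in fr_icode.
 */
decaps:	IPFY_DECAPS
	| IPFY_DECAPS IPFY_L5AS '(' YY_STR ')'
					{ char *end;
					  long v;

					  /*
					   * atoi() accepted "", "12abc" and
					   * overflowing input without complaint;
					   * require a complete, in-range number.
					   * fr_icode also carries ICMP codes,
					   * which are 8-bit, so the same width
					   * is assumed here - TODO confirm.
					   */
					  errno = 0;
					  v = strtol($4, &end, 10);
					  if (end == $4 || *end != '\0' ||
					      errno == ERANGE || v < 0 || v > 0xff)
						yyerror("bad decapsulate protocol");
					  fr->fr_icode = v;
					  /* the lexer hands over a heap string */
					  free($4);
					}
	;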
365 
366 log:	IPFY_LOG			{ fr->fr_flags |= FR_LOG; }
367 	| IPFY_LOG logoptions		{ fr->fr_flags |= FR_LOG; }
368 	;
369 
370 auth:	IPFY_AUTH			{ fr->fr_flags |= FR_AUTH; }
371 	| IPFY_AUTH blockreturn		{ fr->fr_flags |= FR_AUTH;}
372 	| IPFY_PREAUTH			{ fr->fr_flags |= FR_PREAUTH; }
373 	;
374 
/*
 * "call <name>/<arg>": resolve the kernel function name to an address
 * with nametokva() and record the argument.  NOTE(review): a failed
 * lookup is not detected here; whatever nametokva() returns on failure
 * goes straight into fr_func - confirm it reports the error itself.
 */
func:	YY_STR '/' YY_NUMBER
			{ fr->fr_func = nametokva($1, ipfioctls[IPL_LOGIPF]);
			  fr->fr_arg = $3;
			  free($1);
			}
	;
381 
382 inopts:
383 	| inopts inopt
384 	;
385 
386 inopt:
387 	logopt
388 	| quick
389 	| on
390 	| dup
391 	| froute
392 	| proute
393 	| replyto
394 	;
395 
396 outopts:
397 	| outopts outopt
398 	;
399 
400 outopt:
401 	logopt
402 	| quick
403 	| on
404 	| dup
405 	| proute
406 	| froute
407 	| replyto
408 	;
409 
410 tos:	| settos YY_NUMBER	{ DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
411 	| settos YY_HEX	{ DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
412 	| settos lstart toslist lend
413 	;
414 
415 settos:	IPFY_TOS			{ setipftype(); }
416 	;
417 
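/*
 * Comma-separated TOS values inside "tos { ... }".  Each element is
 * stored on the rule(s) from the current position onward; lmore
 * creates a fresh rule before the next element is parsed.  The first
 * element now uses DOREM() like every other list in this file
 * (ttllist, onlist, the port lists): lstart has just set fr = frc, so
 * this is exactly what the DOALL() it used before did.
 */
toslist:
	YY_NUMBER	{ DOREM(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
	| YY_HEX	{ DOREM(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
	| toslist lmore YY_NUMBER
			{ DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
	| toslist lmore YY_HEX
			{ DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
	;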
426 
427 ttl:	| setttl YY_NUMBER
428 			{ DOALL(fr->fr_ttl = $2; fr->fr_mttl = 0xff;) }
429 	| setttl lstart ttllist lend
430 	;
431 
/* "{": begin a list; expansion starts from the first rule of the set. */
lstart:	'{'				{ newlist = 1; fr = frc; added = 0; }
	;
434 
/* "}": fold the rules created while expanding the list into nrules. */
lend:	'}'				{ nrules += added; }
	;
437 
/*
 * Separator between list elements (a comma, or nothing).  Creates the
 * rule the next element will be stored on and, while an address list
 * is being parsed, re-arms the lexer's address expectation through
 * yycont.
 */
lmore:	lanother			{ if (newlist == 1) {
						newlist = 0;
					  }
					  fr = addrule();
					  if (yycont != NULL)
						*yycont = 1;
					}
	;
446 
447 lanother:
448 	| ','
449 	;
450 
451 setttl:	IPFY_TTL			{ setipftype(); }
452 	;
453 
454 ttllist:
455 	YY_NUMBER	{ DOREM(fr->fr_ttl = $1; fr->fr_mttl = 0xff;) }
456 	| ttllist lmore YY_NUMBER
457 			{ DOREM(fr->fr_ttl = $3; fr->fr_mttl = 0xff;) }
458 	;
459 
460 proto:	| protox protocol		{ yyresetdict(); }
461 	;
462 
/*
 * "proto": switch the lexer to plain-word mode for the protocol name
 * and point fr back at the first rule of the set.
 */
protox:	IPFY_PROTO			{ setipftype();
					  fr = frc;
					  yysetdict(NULL); }
	;
467 
468 ip:	srcdst flags icmp
469 	;
470 
/*
 * "group <name>": put every rule of the set in the named group.
 * setgroup() takes &fr, so it may replace the rule pointer (as
 * addname() can); fillgroup() is called with whatever it left in fr.
 */
group:	| IPFY_GROUP groupname		{ DOALL(setgroup(&fr, $2); \
						fillgroup(fr););
					  free($2);
					}
	;
476 
/* "head <name>": make every rule of the set the head of that group. */
head:	| IPFY_HEAD groupname		{ DOALL(setgrhead(&fr, $2););
					  free($2);
					}
	;
481 
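/*
 * A group name: a string or a bare number.  Either way the result is a
 * heap string the caller frees, and it must fit the fixed FR_GROUPLEN
 * field of the rule.
 */
groupname:
	YY_STR				{ $$ = $1;
					  /*
					   * A name that does not fit would be
					   * cut short, attaching the rule to a
					   * group other than the one written.
					   * Report it; the truncation stays so
					   * the copy can never overrun if
					   * yyerror() returns.
					   */
					  if (strlen($$) >= FR_GROUPLEN) {
						yyerror("group name too long");
						$$[FR_GROUPLEN - 1] = '\0';
					  }
					}
	| YY_NUMBER			{ $$ = malloc(16);
					  if ($$ == NULL)
						err(1, "malloc");
					  /*
					   * YY_NUMBER is a u_32_t: format it
					   * unsigned and bounded (at most 10
					   * digits plus NUL).
					   */
					  snprintf($$, 16, "%u",
						   (unsigned int)$1);
					}
	;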
491 
492 settagin:
493 	| IPFY_SETTAG '(' taginlist ')'
494 	;
495 
496 taginlist:
497 	taginspec
498 	| taginlist ',' taginspec
499 	;
500 
501 taginspec:
502 	logtag
503 	;
504 
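/*
 * "nat = <tag>" inside set-tag/match-tag: store the NAT tag on every
 * rule of the set.  ipt_tag is a fixed IPFTAG_LEN-byte field that
 * strncpy() zero-pads; a tag of exactly IPFTAG_LEN bytes is not
 * NUL-terminated, which appears to be by design (the field is
 * compared as a fixed-width value) - confirm.
 */
nattag:	IPFY_NAT '=' YY_STR		{ /*
					   * A longer tag would be silently cut
					   * short and then match a different
					   * tag than the one written.
					   */
					  if (strlen($3) > IPFTAG_LEN)
						yyerror("nat tag too long");
					  DOALL(strncpy(fr->fr_nattag.ipt_tag,\
						$3, IPFTAG_LEN););
					  free($3); }
	| IPFY_NAT '=' YY_NUMBER	{ /*
					   * Bounded: a 32-bit value needs at
					   * most 12 bytes, but do not depend
					   * on IPFTAG_LEN being that large.
					   */
					  DOALL(snprintf(fr->fr_nattag.ipt_tag,\
						IPFTAG_LEN, "%d", \
						$3 & 0xffffffff);) }
	;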
511 
/* "log = <n>": log tag, applied to every rule of the set. */
logtag:	IPFY_LOG '=' YY_NUMBER		{ DOALL(fr->fr_logtag = $3;) }
	;
514 
515 settagout:
516 	| IPFY_SETTAG '(' tagoutlist ')'
517 	;
518 
519 tagoutlist:
520 	tagoutspec
521 	| tagoutlist ',' tagoutspec
522 	;
523 
524 tagoutspec:
525 	logtag
526 	| nattag
527 	;
528 
/*
 * "match-tag(...)" on an "in" rule accepts log and nat tags
 * (tagoutlist), whereas settagin only allows log tags.  The in/out
 * asymmetry with matchtagout looks intentional (a tag set by inbound
 * NAT is matched by an inbound rule, but only set on the outbound
 * side) - confirm before changing it.
 */
matchtagin:
	| IPFY_MATCHTAG '(' tagoutlist ')'
	;
532 
/* "match-tag(...)" on an "out" rule: log tags only (see matchtagin). */
matchtagout:
	| IPFY_MATCHTAG '(' taginlist ')'
	;
536 
537 pps:	| IPFY_PPS YY_NUMBER		{ DOALL(fr->fr_pps = $2;) }
538 	;
539 
540 new:	| savegroup file restoregroup
541 	;
542 
543 rulettl:
544 	| IPFY_RULETTL YY_NUMBER	{ DOALL(fr->fr_die = $2;) }
545 	;
546 
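/*
 * "comment <string>": attach free-form text to every rule of the set.
 * addname() copies the text into the rule's name storage and returns
 * its offset; it takes &fr and may therefore replace the rule pointer,
 * so its result is kept in a temporary before fr is dereferenced (the
 * dup/to rules use the same idiom - `fr->x = addname(&fr, ...)' would
 * evaluate the left-hand side and the call in unspecified order).
 * Since addname() copies (those rules free their string right after
 * calling it), the lexer's string is released here instead of leaked.
 */
comment:
	| IPFY_COMMENT YY_STR		{ DOALL(int idx = addname(&fr, $2); \
						fr->fr_comment = idx;)
					  free($2);
					}
	;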
551 
552 savegroup:
553 	'{'
554 	;
555 
556 restoregroup:
557 	'}'
558 	;
559 
560 logopt:	log
561 	;
562 
563 quick:	IPFY_QUICK				{ fr->fr_flags |= FR_QUICK; }
564 	;
565 
/*
 * "on <if>[,<if>] [in-via|out-via <if>[,<if>]]" or "on { <if-list> }".
 * The first interface pair goes to name slots 0 and 1 via setifname();
 * the in-via/out-via alternatives are otherwise identical to the plain
 * form because vianame fills slots 2 and 3 itself.
 */
on:	IPFY_ON onname				{ setifname(&fr, 0, $2.if1);
						  free($2.if1);
						  if ($2.if2 != NULL) {
							setifname(&fr, 1,
								  $2.if2);
							free($2.if2);
						  }
						}
	| IPFY_ON lstart onlist lend
	| IPFY_ON onname IPFY_INVIA vianame	{ setifname(&fr, 0, $2.if1);
						  free($2.if1);
						  if ($2.if2 != NULL) {
							setifname(&fr, 1,
								  $2.if2);
							free($2.if2);
						  }
						}
	| IPFY_ON onname IPFY_OUTVIA vianame	{ setifname(&fr, 0, $2.if1);
						  free($2.if1);
						  if ($2.if2 != NULL) {
							setifname(&fr, 1,
								  $2.if2);
							free($2.if2);
						  }
						}
	;
592 
/*
 * Interface list inside "on { ... }".  Each element is applied to the
 * rules from the current position onward (DOREM); as lmore creates a
 * rule per element, every interface ends up on its own rule.
 */
onlist:	onname			{ DOREM(setifname(&fr, 0, $1.if1);	   \
					if ($1.if2 != NULL)		   \
						setifname(&fr, 1, $1.if2); \
					)
				  free($1.if1);
				  if ($1.if2 != NULL)
					free($1.if2);
				}
	| onlist lmore onname	{ DOREM(setifname(&fr, 0, $3.if1);	   \
					if ($3.if2 != NULL)		   \
						setifname(&fr, 1, $3.if2); \
					)
				  free($3.if1);
				  if ($3.if2 != NULL)
					free($3.if2);
				}
	;
610 
611 onname:	interfacename		{ $$.if1 = $1;
612 				  $$.if2 = NULL;
613 				}
614 	| interfacename ',' interfacename
615 				{ $$.if1 = $1;
616 				  $$.if2 = $3;
617 				}
618 	;
619 
/* Interface name(s) after in-via/out-via: name slots 2 and 3 of the rule. */
vianame:
	name			{ setifname(&fr, 2, $1);
				  free($1);
				}
	| name ',' name		{ setifname(&fr, 2, $1);
				  free($1);
				  setifname(&fr, 3, $3);
				  free($3);
				}
	;
630 
/*
 * "dup-to <if>[:<addr>]" / "dup-to dstlist/<name>": where a copy of
 * the packet goes.  The name is stored by offset (addname(), whose
 * result is kept in a temporary because it takes &fr) and the lexer's
 * string freed.  fd_ptr = (void *)-1 marks the form that carries an
 * explicit address (presumably resolved later, not visible here); the
 * rule's family is taken from that address if it was not set yet.
 */
dup:	IPFY_DUPTO name
	{ int idx = addname(&fr, $2);
	  fr->fr_dif.fd_name = idx;
	  free($2);
	}
	| IPFY_DUPTO IPFY_DSTLIST '/' name
	{ int idx = addname(&fr, $4);
	  fr->fr_dif.fd_name = idx;
	  fr->fr_dif.fd_type = FRD_DSTLIST;
	  free($4);
	}
	| IPFY_DUPTO name duptoseparator hostname
	{ int idx = addname(&fr, $2);
	  fr->fr_dif.fd_name = idx;
	  fr->fr_dif.fd_ptr = (void *)-1;
	  fr->fr_dif.fd_ip6 = $4.adr;
	  if (fr->fr_family == AF_UNSPEC && $4.f != AF_UNSPEC)
		fr->fr_family = $4.f;
	  yyexpectaddr = 0;
	  free($2);
	}
	;
653 
654 duptoseparator:
655 	':'	{ yyexpectaddr = 1; yycont = &yyexpectaddr; resetaddr(); }
656 	;
657 
658 froute:	IPFY_FROUTE			{ fr->fr_flags |= FR_FASTROUTE; }
659 	;
660 
/*
 * "to <if>[:<addr>]" / "route-to ...": interface (and optional
 * address) the packet is routed to.  Same shape as dup, stored in
 * fr_tif.
 */
proute:	routeto name
	{ int idx = addname(&fr, $2);
	  fr->fr_tif.fd_name = idx;
	  free($2);
	}
	| routeto IPFY_DSTLIST '/' name
	{ int idx = addname(&fr, $4);
	  fr->fr_tif.fd_name = idx;
	  fr->fr_tif.fd_type = FRD_DSTLIST;
	  free($4);
	}
	| routeto name duptoseparator hostname
	{ int idx = addname(&fr, $2);
	  fr->fr_tif.fd_name = idx;
	  fr->fr_tif.fd_ptr = (void *)-1;
	  fr->fr_tif.fd_ip6 = $4.adr;
	  if (fr->fr_family == AF_UNSPEC && $4.f != AF_UNSPEC)
		fr->fr_family = $4.f;
	  yyexpectaddr = 0;
	  free($2);
	}
	;
683 
684 routeto:
685 	IPFY_TO
686 	| IPFY_ROUTETO
687 	;
688 
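/*
 * "reply-to <if>[:<addr>]" / "reply-to dstlist/<name>": interface (and
 * optional address) for replies, stored in fr_rif.  Brought in line
 * with dup and proute: addname() takes &fr and may replace the rule
 * pointer, so its result is kept in a temporary instead of writing
 * `fr->fr_rif.fd_name = addname(&fr, ...)', where C does not specify
 * whether the left-hand side or the call is evaluated first.  The
 * address form also leaves address-expecting mode like its siblings.
 */
replyto:
	IPFY_REPLY_TO name
	{ int idx = addname(&fr, $2);
	  fr->fr_rif.fd_name = idx;
	  free($2);
	}
	| IPFY_REPLY_TO IPFY_DSTLIST '/' name
	{ int idx = addname(&fr, $4);
	  fr->fr_rif.fd_name = idx;
	  fr->fr_rif.fd_type = FRD_DSTLIST;
	  free($4);
	}
	| IPFY_REPLY_TO name duptoseparator hostname
	{ int idx = addname(&fr, $2);
	  fr->fr_rif.fd_name = idx;
	  fr->fr_rif.fd_ptr = (void *)-1;
	  fr->fr_rif.fd_ip6 = $4.adr;
	  if (fr->fr_family == AF_UNSPEC && $4.f != AF_UNSPEC)
		fr->fr_family = $4.f;
	  yyexpectaddr = 0;
	  free($2);
	}
	;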
710 
711 logoptions:
712 	logoption
713 	| logoptions logoption
714 	;
715 
716 logoption:
717 	IPFY_BODY			{ fr->fr_flags |= FR_LOGBODY; }
718 	| IPFY_FIRST			{ fr->fr_flags |= FR_LOGFIRST; }
719 	| IPFY_ORBLOCK			{ fr->fr_flags |= FR_LOGORBLOCK; }
720 	| level loglevel		{ unsetsyslog(); }
721 	;
722 
723 returncode:
724 	starticmpcode icmpcode ')'	{ fr->fr_icode = $2; yyresetdict(); }
725 	;
726 
727 starticmpcode:
728 	'('				{ yysetdict(icmpcodewords); }
729 	;
730 
731 srcdst:	| IPFY_ALL
732 	| fromto
733 	;
734 
/*
 * Protocol after "proto": a number, a name, or "tcp/udp".  "tcp-udp"
 * and "tcp/udp" only set the FI_TCPUDP flag and leave fr_proto
 * untouched, which is why startflags (which tests fr_proto) rejects
 * them.  NOTE(review): for an unknown name yyerror() is called and, if
 * it returns, the -1 from getproto() is stored as the protocol.
 */
protocol:
	YY_NUMBER		{ DOALL(fr->fr_proto = $1; \
					fr->fr_mproto = 0xff;)
				}
	| YY_STR		{ if (!strcmp($1, "tcp-udp")) {
					DOALL(fr->fr_flx |= FI_TCPUDP; \
					      fr->fr_mflx |= FI_TCPUDP;)
				  } else {
					int p = getproto($1);
					if (p == -1)
						yyerror("protocol unknown");
					DOALL(fr->fr_proto = p; \
						fr->fr_mproto = 0xff;)
				  }
				  free($1);
				}
	| YY_STR nextstring YY_STR
				{ if (!strcmp($1, "tcp") &&
				      !strcmp($3, "udp")) {
					DOREM(fr->fr_flx |= FI_TCPUDP; \
					      fr->fr_mflx |= FI_TCPUDP;)
				  } else {
					YYERROR;
				  }
				  free($1);
				  free($3);
				}
	;
763 
764 nextstring:
765 	'/'			{ yysetdict(NULL); }
766 	;
767 
768 fromto:	from srcobject to dstobject	{ yyexpectaddr = 0; yycont = NULL; }
769 	| to dstobject			{ yyexpectaddr = 0; yycont = NULL; }
770 	| from srcobject		{ yyexpectaddr = 0; yycont = NULL; }
771 	;
772 
/*
 * "from": arm the lexer for an address (yyexpectaddr, yycont, the
 * address keyword dictionary) and make sure fr points at a rule, since
 * a preceding DOALL()/DOREM() leaves it NULL.
 */
from:	IPFY_FROM			{ setipftype();
					  if (fr == NULL)
						fr = frc;
					  yyexpectaddr = 1;
					  if (yydebug)
						printf("set yyexpectaddr\n");
					  yycont = &yyexpectaddr;
					  yysetdict(addrwords);
					  resetaddr(); }
	;
783 
/*
 * "to": same lexer set-up as from, minus setipftype() (the rule type
 * was already fixed by the source side or by proto/tos/ttl).
 */
to:	IPFY_TO				{ if (fr == NULL)
						fr = frc;
					  yyexpectaddr = 1;
					  if (yydebug)
						printf("set yyexpectaddr\n");
					  yycont = &yyexpectaddr;
					  yysetdict(addrwords);
					  resetaddr();
					}
	;
794 
795 with:	| andwith withlist
796 	;
797 
798 andwith:
799 	IPFY_WITH			{ nowith = 0; setipftype(); }
800 	| IPFY_AND			{ nowith = 0; setipftype(); }
801 	;
802 
803 flags:	| startflags flagset
804 		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
805 	| startflags flagset '/' flagset
806 		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
807 	| startflags '/' flagset
808 		{ DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
809 	| startflags YY_NUMBER
810 		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
811 	| startflags '/' YY_NUMBER
812 		{ DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
813 	| startflags YY_NUMBER '/' YY_NUMBER
814 		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
815 	| startflags flagset '/' YY_NUMBER
816 		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
817 	| startflags YY_NUMBER '/' flagset
818 		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
819 	;
820 
/*
 * "flags": only meaningful on an ipf-type TCP rule.  fr_proto of the
 * first rule of the set is checked; "proto tcp/udp" leaves it at 0
 * (see protocol) and is therefore rejected here as well.
 */
startflags:
	IPFY_FLAGS	{ if (frc->fr_type != FR_T_IPF)
				yyerror("flags with non-ipf type rule");
			  if (frc->fr_proto != IPPROTO_TCP)
				yyerror("flags with non-TCP rule");
			}
	;
828 
829 flagset:
830 	YY_STR				{ $$ = tcpflags($1); free($1); }
831 	| YY_HEX			{ $$ = $1; }
832 	;
833 
834 srcobject:
835 	{ yyresetdict(); } fromport
836 	| srcaddr srcport
837 	| '!' srcaddr srcport
838 		{ DOALL(fr->fr_flags |= FR_NOTSRCIP;) }
839 	;
840 
841 srcaddr:
842 	addr	{ build_srcaddr_af(fr, &$1); }
843 	| lstart srcaddrlist lend
844 	;
845 
846 srcaddrlist:
847 	addr	{ build_srcaddr_af(fr, &$1); }
848 	| srcaddrlist lmore addr
849 		{ build_srcaddr_af(fr, &$3); }
850 	;
851 
852 srcport:
853 	| portcomp
854 		{ DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
855 	| portrange
856 		{ DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
857 			fr->fr_stop = $1.p2;) }
858 	| porteq lstart srcportlist lend
859 		{ yyresetdict(); }
860 	;
861 
862 fromport:
863 	portcomp
864 		{ DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
865 	| portrange
866 		{ DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
867 			fr->fr_stop = $1.p2;) }
868 	| porteq lstart srcportlist lend
869 		{ yyresetdict(); }
870 	;
871 
872 srcportlist:
873 	portnum		{ DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $1;) }
874 	| portnum ':' portnum
875 			{ DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $1; \
876 				fr->fr_stop = $3;) }
877 	| portnum YY_RANGE_IN portnum
878 			{ DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $1; \
879 				fr->fr_stop = $3;) }
880 	| srcportlist lmore portnum
881 			{ DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $3;) }
882 	| srcportlist lmore portnum ':' portnum
883 			{ DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $3; \
884 				fr->fr_stop = $5;) }
885 	| srcportlist lmore portnum YY_RANGE_IN portnum
886 			{ DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $3; \
887 				fr->fr_stop = $5;) }
888 	;
889 
890 dstobject:
891 	{ yyresetdict(); } toport
892 	| dstaddr dstport
893 	| '!' dstaddr dstport
894 			{ DOALL(fr->fr_flags |= FR_NOTDSTIP;) }
895 	;
896 
/*
 * Destination address (single, or a "{ list }" via dstaddrlist).  The
 * address family is checked against the rule's, which by now may have
 * been set from the source address (presumably by build_srcaddr_af(),
 * defined later) - the source side itself performs no such check.  The
 * numeric prefix in the message identifies the alternative that fired.
 */
dstaddr:
	addr	{ if (($1.f != AF_UNSPEC) && (frc->fr_family != AF_UNSPEC) &&
		      ($1.f != frc->fr_family))
			yyerror("1.src/dst address family mismatch");
		  build_dstaddr_af(fr, &$1);
		}
	| lstart dstaddrlist lend
	;
905 
906 dstaddrlist:
907 	addr	{ if (($1.f != AF_UNSPEC) && (frc->fr_family != AF_UNSPEC) &&
908 		      ($1.f != frc->fr_family))
909 			yyerror("2.src/dst address family mismatch");
910 		  build_dstaddr_af(fr, &$1);
911 		}
912 	| dstaddrlist lmore addr
913 		{ if (($3.f != AF_UNSPEC) && (frc->fr_family != AF_UNSPEC) &&
914 		      ($3.f != frc->fr_family))
915 			yyerror("3.src/dst address family mismatch");
916 		  build_dstaddr_af(fr, &$3);
917 		}
918 	;
919 
920 
921 dstport:
922 	| portcomp
923 		{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
924 	| portrange
925 		{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
926 			fr->fr_dtop = $1.p2;) }
927 	| porteq lstart dstportlist lend
928 		{ yyresetdict(); }
929 	;
930 
931 toport:
932 	portcomp
933 		{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
934 	| portrange
935 		{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
936 			fr->fr_dtop = $1.p2;) }
937 	| porteq lstart dstportlist lend
938 		{ yyresetdict(); }
939 	;
940 
941 dstportlist:
942 	portnum		{ DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $1;) }
943 	| portnum ':' portnum
944 			{ DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $1; \
945 				fr->fr_dtop = $3;) }
946 	| portnum YY_RANGE_IN portnum
947 			{ DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $1; \
948 				fr->fr_dtop = $3;) }
949 	| dstportlist lmore portnum
950 			{ DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $3;) }
951 	| dstportlist lmore portnum ':' portnum
952 			{ DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $3; \
953 				fr->fr_dtop = $5;) }
954 	| dstportlist lmore portnum YY_RANGE_IN portnum
955 			{ DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $3; \
956 				fr->fr_dtop = $5;) }
957 	;
958 
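/*
 * One address term of a rule: a pool or hash-table lookup by number or
 * name, an inline pool/hash definition, or a plain address (ipaddr).
 * Every alternative now starts from a zeroed result; before, the named
 * lookups left fields such as v, m and lif holding whatever the parser
 * stack had, and the consumer receives the whole structure.  The named
 * lookups also release the lexer's string: addname() copies the name
 * (the dup/to rules free theirs right after calling it).
 */
addr:	pool '/' YY_NUMBER		{ memset(&($$), 0, sizeof($$));
					  pooled = 1;
					  yyexpectaddr = 0;
					  $$.type = FRI_LOOKUP;
					  $$.v = 0;
					  $$.ifpos = -1;
					  $$.f = AF_UNSPEC;
					  $$.a.iplookuptype = IPLT_POOL;
					  $$.a.iplookupsubtype = 0;
					  $$.a.iplookupnum = $3; }
	| pool '/' YY_STR		{ memset(&($$), 0, sizeof($$));
					  pooled = 1;
					  $$.ifpos = -1;
					  $$.f = AF_UNSPEC;
					  $$.type = FRI_LOOKUP;
					  $$.a.iplookuptype = IPLT_POOL;
					  $$.a.iplookupsubtype = 1;
					  $$.a.iplookupname = addname(&fr, $3);
					  free($3);
					}
	| pool '=' '('			{ yyexpectaddr = 1;
					  pooled = 1;
					}
			poollist ')'	{ memset(&($$), 0, sizeof($$));
					  yyexpectaddr = 0;
					  $$.v = 0;
					  $$.ifpos = -1;
					  $$.f = AF_UNSPEC;
					  $$.type = FRI_LOOKUP;
					  $$.a.iplookuptype = IPLT_POOL;
					  $$.a.iplookupsubtype = 0;
					  /* the alist presumably belongs to makepool() from here on */
					  $$.a.iplookupnum = makepool($5);
					}
	| hash '/' YY_NUMBER		{ memset(&($$), 0, sizeof($$));
					  hashed = 1;
					  yyexpectaddr = 0;
					  $$.v = 0;
					  $$.ifpos = -1;
					  $$.f = AF_UNSPEC;
					  $$.type = FRI_LOOKUP;
					  $$.a.iplookuptype = IPLT_HASH;
					  $$.a.iplookupsubtype = 0;
					  $$.a.iplookupnum = $3;
					}
	| hash '/' YY_STR		{ memset(&($$), 0, sizeof($$));
					  hashed = 1;
					  $$.type = FRI_LOOKUP;
					  $$.v = 0;
					  $$.ifpos = -1;
					  $$.f = AF_UNSPEC;
					  $$.a.iplookuptype = IPLT_HASH;
					  $$.a.iplookupsubtype = 1;
					  $$.a.iplookupname = addname(&fr, $3);
					  free($3);
					}
	| hash '=' '(' 			{ hashed = 1;
					  yyexpectaddr = 1;
					}
			addrlist ')'	{ memset(&($$), 0, sizeof($$));
					  yyexpectaddr = 0;
					  $$.v = 0;
					  $$.ifpos = -1;
					  $$.f = AF_UNSPEC;
					  $$.type = FRI_LOOKUP;
					  $$.a.iplookuptype = IPLT_HASH;
					  $$.a.iplookupsubtype = 0;
					  /* the alist presumably belongs to makehash() from here on */
					  $$.a.iplookupnum = makehash($5);
					}
	| ipaddr			{ $$ = $1;
					  yyexpectaddr = 0; }
	;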
1022 
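/*
 * A plain address term: "any", a host, a host with a mask, or an
 * interface-derived address "(ifname[:n])[/mask-or-keyword]".
 *
 * The return value of ntomask() used to be ignored.  Because the
 * result is zeroed first, a prefix length (or non-contiguous mask)
 * that ntomask() rejects left an all-zero mask behind - the term would
 * then match every address instead of the one written.  ntomask() is
 * taken to return -1 in that case (the same convention getproto()
 * follows in protocol); the check is skipped while the family is
 * still AF_UNSPEC, which is how an unresolved or interface name
 * arrives from hostname and is dealt with further down.
 *
 * The interface-name alternatives also release the lexer's string
 * after addname() has copied it (the dup/to rules establish that
 * addname() copies).
 */
ipaddr:	IPFY_ANY			{ memset(&($$), 0, sizeof($$));
					  $$.type = FRI_NORMAL;
					  $$.ifpos = -1;
					  yyexpectaddr = 0;
					}
	| hostname			{ memset(&($$), 0, sizeof($$));
					  $$.a = $1.adr;
					  $$.f = $1.f;
					  /* no mask given: host mask for the family */
					  if ($1.f == AF_INET6)
						  fill6bits(128, $$.m.i6);
					  else if ($1.f == AF_INET)
						  fill6bits(32, $$.m.i6);
					  $$.v = ftov($1.f);
					  $$.ifpos = dynamic;
					  $$.type = FRI_NORMAL;
					}
	| hostname			{ yyresetdict(); }
		maskspace		{ yysetdict(maskwords);
					  yyexpectaddr = 2; }
		ipmask			{ memset(&($$), 0, sizeof($$));
					  if (ntomask($1.f, $5, $$.m.i6) == -1 &&
					      $1.f != AF_UNSPEC)
						yyerror("invalid netmask");
					  $$.a = $1.adr;
					  $$.a.i6[0] &= $$.m.i6[0];
					  $$.a.i6[1] &= $$.m.i6[1];
					  $$.a.i6[2] &= $$.m.i6[2];
					  $$.a.i6[3] &= $$.m.i6[3];
					  $$.f = $1.f;
					  $$.v = ftov($1.f);
					  $$.type = ifpflag;
					  $$.ifpos = dynamic;
					  /*
					   * Presumably an interface-style address
					   * (ifpflag set, no family of its own):
					   * use the rule's family.
					   */
					  if (ifpflag != 0 && $$.v == 0) {
						if (frc->fr_family == AF_INET6){
							$$.v = 6;
							$$.f = AF_INET6;
						} else {
							$$.v = 4;
							$$.f = AF_INET;
						}
					  }
					  yyresetdict();
					  yyexpectaddr = 0;
					}
	| '(' YY_STR ')'		{ memset(&($$), 0, sizeof($$));
					  $$.type = FRI_DYNAMIC;
					  ifpflag = FRI_DYNAMIC;
					  $$.ifpos = addname(&fr, $2);
					  $$.lif = 0;
					  free($2);
					}
	| '(' YY_STR ')' '/'
	  { ifpflag = FRI_DYNAMIC; yysetdict(maskwords); }
	  maskopts
					{ memset(&($$), 0, sizeof($$));
					  $$.type = ifpflag;
					  $$.ifpos = addname(&fr, $2);
					  $$.lif = 0;
					  free($2);
					  if (frc->fr_family == AF_UNSPEC)
						frc->fr_family = AF_INET;
					  /*
					   * A keyword mask (broadcast, network,
					   * ...) changes ifpflag and carries no
					   * numeric prefix; only a number is
					   * converted here.
					   */
					  if (ifpflag == FRI_DYNAMIC) {
						if (ntomask(frc->fr_family,
							    $6, $$.m.i6) == -1)
							yyerror("invalid netmask");
					  }
					  yyresetdict();
					  yyexpectaddr = 0;
					}
	| '(' YY_STR ':' YY_NUMBER ')' '/'
	  { ifpflag = FRI_DYNAMIC; yysetdict(maskwords); }
	  maskopts
					{ memset(&($$), 0, sizeof($$));
					  $$.type = ifpflag;
					  $$.ifpos = addname(&fr, $2);
					  $$.lif = $4;
					  free($2);
					  if (frc->fr_family == AF_UNSPEC)
						frc->fr_family = AF_INET;
					  if (ifpflag == FRI_DYNAMIC) {
						if (ntomask(frc->fr_family,
							    $8, $$.m.i6) == -1)
							yyerror("invalid netmask");
					  }
					  yyresetdict();
					  yyexpectaddr = 0;
					}
	;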
1104 
1105 maskspace:
1106 	'/'
1107 	| IPFY_MASK
1108 	;
1109 
/*
 * Netmask after "/" or "mask".  A dotted-quad, hex or IPv6 mask is
 * converted to a prefix length (count4bits/count6bits, declared
 * outside this section); a bare number or a maskopts value is passed
 * through unchecked and left for ntomask() in ipaddr to validate.
 * Note that the hex form is htonl()ed before counting, i.e. YY_HEX
 * arrives in host byte order.
 */
ipmask:	ipv4				{ $$ = count4bits($1.s_addr); }
	| YY_HEX			{ $$ = count4bits(htonl($1)); }
	| YY_NUMBER			{ $$ = $1; }
	| YY_IPV6			{ $$ = count6bits($1.i6); }
	| maskopts			{ $$ = $1; }
	;
1116 
/*
 * Mask keywords that only make sense on an interface-derived address
 * ("(if)/broadcast" etc.): they switch ifpflag from FRI_DYNAMIC to the
 * specific FRI_* kind and yield a 0 prefix length, the mask being taken
 * from the interface instead.  Anywhere else (ifpflag not FRI_DYNAMIC)
 * they are a syntax error.  A bare number is passed through as a prefix
 * length.
 */
maskopts:
	IPFY_BROADCAST			{ if (ifpflag == FRI_DYNAMIC) {
						ifpflag = FRI_BROADCAST;
					  } else {
						YYERROR;
					  }
					  $$ = 0;
					}
	| IPFY_NETWORK			{ if (ifpflag == FRI_DYNAMIC) {
						ifpflag = FRI_NETWORK;
					  } else {
						YYERROR;
					  }
					  $$ = 0;
					}
	| IPFY_NETMASKED		{ if (ifpflag == FRI_DYNAMIC) {
						ifpflag = FRI_NETMASKED;
					  } else {
						YYERROR;
					  }
					  $$ = 0;
					}
	| IPFY_PEER			{ if (ifpflag == FRI_DYNAMIC) {
						ifpflag = FRI_PEERADDR;
					  } else {
						YYERROR;
					  }
					  $$ = 0;
					}
	| YY_NUMBER			{ $$ = $1; }
	;
1148 
/*
 * A host: dotted quad, bare number, hex value, name, or IPv6 literal.
 * Each form sets yyexpectaddr = 2 so the lexer knows an optional mask
 * may follow.  A literal of the wrong family for an already-typed rule
 * aborts the parse (YYERROR).
 *
 * NOTE(review): the number and hex forms store the raw value in
 * in4_addr, which normally holds network byte order, while ipmask
 * htonl()s the same YY_HEX token before using it.  On a little-endian
 * host "from 0xc0a80001" would therefore not mean 192.168.0.1 unless
 * the lexer already byte-swaps - confirm against ipf_l.l.
 *
 * NOTE(review): a name is resolved by lookuphost() (defined later) and
 * only a 0 return marks the result AF_INET; any other return leaves
 * adr zeroed and f == AF_UNSPEC, and parsing carries on.  A misspelt
 * host name is thus not rejected here; whether it then matches nothing
 * or everything depends on lookuphost()/build_*addr_af(), which are
 * outside this section.
 */
hostname:
	ipv4				{ memset(&($$), 0, sizeof($$));
					  $$.adr.in4 = $1;
					  if (frc->fr_family == AF_INET6)
						YYERROR;
					  $$.f = AF_INET;
					  yyexpectaddr = 2;
					}
	| YY_NUMBER			{ memset(&($$), 0, sizeof($$));
					  if (frc->fr_family == AF_INET6)
						YYERROR;
					  $$.adr.in4_addr = $1;
					  $$.f = AF_INET;
					  yyexpectaddr = 2;
					}
	| YY_HEX			{ memset(&($$), 0, sizeof($$));
					  if (frc->fr_family == AF_INET6)
						YYERROR;
					  $$.adr.in4_addr = $1;
					  $$.f = AF_INET;
					  yyexpectaddr = 2;
					}
	| YY_STR			{ memset(&($$), 0, sizeof($$));
					  if (lookuphost($1, &$$.adr) == 0)
						  $$.f = AF_INET;
					  free($1);
					  yyexpectaddr = 2;
					}
	| YY_IPV6			{ memset(&($$), 0, sizeof($$));
					  if (frc->fr_family == AF_INET)
						YYERROR;
					  $$.adr = $1;
					  $$.f = AF_INET6;
					  yyexpectaddr = 2;
					}
	;
1185 
/*
 * Comma-separated list of addresses, built right-recursively so the
 * first address written ends up at the head of the list.
 *
 * NOTE(review): newalist() returns NULL on allocation failure and both
 * actions dereference the result unconditionally.
 */
addrlist:
	ipaddr		{ $$ = newalist(NULL);
			  $$->al_family = $1.f;
			  $$->al_i6addr = $1.a;
			  $$->al_i6mask = $1.m;
			}
	| ipaddr ',' { yyexpectaddr = 1; } addrlist
			{ $$ = newalist($4);
			  $$->al_family = $1.f;
			  $$->al_i6addr = $1.a;
			  $$->al_i6mask = $1.m;
			}
	;
1199 
1200 pool:	IPFY_POOL	{ yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
1201 	;
1202 
1203 hash:	IPFY_HASH	{ yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
1204 	;
1205 
/*
 * Members of an inline pool/hash.  Each entry may be negated with '!'
 * (al_not = 1).  The list is left-recursive and newalist() prepends, so
 * the last entry written becomes the head: entries reach makepool() in
 * reverse textual order.  Presumably harmless because pool lookup is
 * order-independent - confirm, especially for mixed negated entries.
 *
 * NOTE(review): newalist() may return NULL; none of the actions check.
 */
poollist:
	ipaddr		{ $$ = newalist(NULL);
			  $$->al_family = $1.f;
			  $$->al_i6addr = $1.a;
			  $$->al_i6mask = $1.m;
			}
	| '!' ipaddr	{ $$ = newalist(NULL);
			  $$->al_not = 1;
			  $$->al_family = $2.f;
			  $$->al_i6addr = $2.a;
			  $$->al_i6mask = $2.m;
			}
	| poollist ',' ipaddr
			{ $$ = newalist($1);
			  $$->al_family = $3.f;
			  $$->al_i6addr = $3.a;
			  $$->al_i6mask = $3.m;
			}
	| poollist ',' '!' ipaddr
			{ $$ = newalist($1);
			  $$->al_not = 1;
			  $$->al_family = $4.f;
			  $$->al_i6addr = $4.a;
			  $$->al_i6mask = $4.m;
			}
	;
1232 
/*
 * The "port" keyword introducing a comparison.  A protocol other than
 * TCP or UDP is reported; a protocol of 0 (none given yet) is accepted.
 *
 * NOTE(review): yyerror() is called but no YYERROR follows, so whether
 * the rule is actually rejected depends on yyerror() not returning.
 */
port:	IPFY_PORT			{ yyexpectaddr = 0;
					  yycont = NULL;
					  if (frc->fr_proto != 0 &&
					      frc->fr_proto != IPPROTO_UDP &&
					      frc->fr_proto != IPPROTO_TCP)
						yyerror("port use incorrect");
					}
	;
1241 
1242 portc:	port compare			{ $$ = $2;
1243 					  yysetdict(NULL);
1244 					}
1245 	| porteq			{ $$ = $1; }
1246 	;
1247 
1248 porteq:	port '='			{ $$ = FR_EQUAL;
1249 					  yysetdict(NULL);
1250 					}
1251 	;
1252 
1253 portr:	IPFY_PORT			{ yyexpectaddr = 0;
1254 					  yycont = NULL;
1255 					  yysetdict(NULL);
1256 					}
1257 	;
1258 
1259 portcomp:
1260 	portc portnum			{ $$.pc = $1;
1261 					  $$.p1 = $2;
1262 					  yyresetdict();
1263 					}
1264 	;
1265 
1266 portrange:
1267 	portr portnum range portnum	{ $$.p1 = $2;
1268 					  $$.pc = $3;
1269 					  $$.p2 = $4;
1270 					  yyresetdict();
1271 					}
1272 	;
1273 
1274 icmp:	| itype icode
1275 	;
1276 
1277 itype:	seticmptype icmptype
1278 	{ DOALL(fr->fr_icmp = htons($2 << 8); fr->fr_icmpm = htons(0xff00););
1279 	  yyresetdict();
1280 	}
1281 	| seticmptype lstart typelist lend	{ yyresetdict(); }
1282 	;
1283 
1284 seticmptype:
1285 	IPFY_ICMPTYPE		{ if (frc->fr_family == AF_UNSPEC)
1286 					frc->fr_family = AF_INET;
1287 				  if (frc->fr_family == AF_INET &&
1288 				      frc->fr_type == FR_T_IPF &&
1289 				      frc->fr_proto != IPPROTO_ICMP) {
1290 					yyerror("proto not icmp");
1291 				  }
1292 				  if (frc->fr_family == AF_INET6 &&
1293 				      frc->fr_type == FR_T_IPF &&
1294 				      frc->fr_proto != IPPROTO_ICMPV6) {
1295 					yyerror("proto not ipv6-icmp");
1296 				  }
1297 				  setipftype();
1298 				  DOALL(if (fr->fr_family == AF_INET) { \
1299 						fr->fr_ip.fi_v = 4; \
1300 						fr->fr_mip.fi_v = 0xf; \
1301 					}
1302 					if (fr->fr_family == AF_INET6) { \
1303 						fr->fr_ip.fi_v = 6; \
1304 						fr->fr_mip.fi_v = 0xf; \
1305 					}
1306 				  )
1307 				  yysetdict(NULL);
1308 				}
1309 	;
1310 
/*
 * Optional ICMP code match.  The code is OR-ed into the low byte of
 * fr_icmp (the type already occupies the high byte, set by itype) and
 * the low byte of the mask is enabled.
 *
 * NOTE(review): $2 is not range-checked.  htons() of a value above 255
 * also sets bits in the type byte, silently changing which types match.
 * A check `if ($2 > 255) yyerror("invalid icmp code");` before the
 * DOALL would close this.
 */
icode:	| seticmpcode icmpcode
	{ DOALL(fr->fr_icmp |= htons($2); fr->fr_icmpm |= htons(0xff););
	  yyresetdict();
	}
	| seticmpcode lstart codelist lend	{ yyresetdict(); }
	;
1317 
1318 seticmpcode:
1319 	IPFY_ICMPCODE				{ yysetdict(icmpcodewords); }
1320 	;
1321 
1322 typelist:
1323 	icmptype
1324 	{ DOREM(fr->fr_icmp = htons($1 << 8); fr->fr_icmpm = htons(0xff00);) }
1325 	| typelist lmore icmptype
1326 	{ DOREM(fr->fr_icmp = htons($3 << 8); fr->fr_icmpm = htons(0xff00);) }
1327 	;
1328 
1329 codelist:
1330 	icmpcode
1331 	{ DOREM(fr->fr_icmp |= htons($1); fr->fr_icmpm |= htons(0xff);) }
1332 	| codelist lmore icmpcode
1333 	{ DOREM(fr->fr_icmp &= htons(0xff00); fr->fr_icmp |= htons($3); \
1334 		fr->fr_icmpm |= htons(0xff);) }
1335 	;
1336 
1337 age:	| IPFY_AGE YY_NUMBER		{ DOALL(fr->fr_age[0] = $2; \
1338 						fr->fr_age[1] = $2;) }
1339 	| IPFY_AGE YY_NUMBER '/' YY_NUMBER
1340 					{ DOALL(fr->fr_age[0] = $2; \
1341 						fr->fr_age[1] = $4;) }
1342 	;
1343 
1344 keep:	| IPFY_KEEP keepstate keep
1345 	| IPFY_KEEP keepfrag keep
1346 	;
1347 
1348 keepstate:
1349 	IPFY_STATE stateoptlist		{ DOALL(fr->fr_flags |= FR_KEEPSTATE;)}
1350 	;
1351 
1352 keepfrag:
1353 	IPFY_FRAGS fragoptlist		{ DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
1354 	| IPFY_FRAG fragoptlist		{ DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
1355 	;
1356 
1357 fragoptlist:
1358 	| '(' fragopts ')'
1359 	;
1360 
1361 fragopts:
1362 	fragopt lanother fragopts
1363 	| fragopt
1364 	;
1365 
1366 fragopt:
1367 	IPFY_STRICT			{ DOALL(fr->fr_flags |= FR_FRSTRICT;) }
1368 	;
1369 
1370 stateoptlist:
1371 	| '(' stateopts ')'
1372 	;
1373 
1374 stateopts:
1375 	stateopt lanother stateopts
1376 	| stateopt
1377 	;
1378 
/*
 * A single "keep state (...)" option, applied to every rule in the
 * current group via DOALL().
 *
 * NOTE(review):
 *  - strict/loose/newisn are TCP-only and strict/loose are mutually
 *    exclusive; violations are YYERROR.  The YYERROR fires from inside
 *    the DOALL() loop, leaving the global fr pointing at the offending
 *    rule.
 *  - limit, max-srcs and max-per-src take unchecked numbers; in
 *    particular the "max-per-src N/M" form stores M as ht_netmask without
 *    checking it against the family's width (32 or 128), unlike the
 *    one-argument form which derives it.
 *  - "rpc in STR": the string is parsed, ignored, and never freed.
 */
stateopt:
	IPFY_LIMIT YY_NUMBER	{ DOALL(fr->fr_statemax = $2;) }
	| IPFY_STRICT		{ DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
						YYERROR; \
					} else if (fr->fr_flags & FR_STLOOSE) {\
						YYERROR; \
					} else \
						fr->fr_flags |= FR_STSTRICT;)
				}
	| IPFY_LOOSE		{ DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
						YYERROR; \
					} else if (fr->fr_flags & FR_STSTRICT){\
						YYERROR; \
					} else \
						fr->fr_flags |= FR_STLOOSE;)
				}
	| IPFY_NEWISN		{ DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
						YYERROR; \
					  } else \
						fr->fr_flags |= FR_NEWISN;)
				}
	| IPFY_NOICMPERR	{ DOALL(fr->fr_flags |= FR_NOICMPERR;) }

	| IPFY_SYNC		{ DOALL(fr->fr_flags |= FR_STATESYNC;) }
	| IPFY_AGE YY_NUMBER		{ DOALL(fr->fr_age[0] = $2; \
						fr->fr_age[1] = $2;) }
	| IPFY_AGE YY_NUMBER '/' YY_NUMBER
					{ DOALL(fr->fr_age[0] = $2; \
						fr->fr_age[1] = $4;) }
	| IPFY_ICMPHEAD groupname
				{ DOALL(seticmphead(&fr, $2);)
				  free($2);
				}
	| IPFY_NOLOG
				{ DOALL(fr->fr_nostatelog = 1;) }
	| IPFY_RPC
				{ DOALL(fr->fr_rpc = 1;) }
	/* $3 is accepted for compatibility only: unused and leaked. */
	| IPFY_RPC IPFY_IN YY_STR
				{ DOALL(fr->fr_rpc = 1;) }
	| IPFY_MAX_SRCS YY_NUMBER
				{ DOALL(fr->fr_srctrack.ht_max_nodes = $2;) }
	| IPFY_MAX_PER_SRC YY_NUMBER
				{ DOALL(fr->fr_srctrack.ht_max_per_node = $2; \
					fr->fr_srctrack.ht_netmask = \
					fr->fr_family == AF_INET ? 32: 128;)
				}
	/* Explicit netmask M is stored unchecked - see note above. */
	| IPFY_MAX_PER_SRC YY_NUMBER '/' YY_NUMBER
				{ DOALL(fr->fr_srctrack.ht_max_per_node = $2; \
					fr->fr_srctrack.ht_netmask = $4;)
				}
	;
1430 
/*
 * A port, either by service name (resolved through getport(), which
 * fills in network byte order, hence the ntohs()) or as a number in
 * 0..65535.  The ">65535" check relies on YY_NUMBER being unsigned, as
 * the original comment notes.
 *
 * NOTE(review): on either error path yyerror() is called but $$ is not
 * assigned; if yyerror() returns, $$ keeps the parser's default value.
 */
portnum:
	servicename			{ if (getport(frc, $1,
						      &($$), NULL) == -1)
						yyerror("service unknown");
					  $$ = ntohs($$);
					  free($1);
					}
	| YY_NUMBER			{ if ($1 > 65535)	/* Unsigned */
						yyerror("invalid port number");
					  else
						$$ = $1;
					}
	;
1444 
1445 withlist:
1446 	withopt				{ nowith = 0; }
1447 	| withlist withopt		{ nowith = 0; }
1448 	| withlist ',' withopt		{ nowith = 0; }
1449 	;
1450 
1451 withopt:
1452 	opttype		{ DOALL(fr->fr_flx |= $1; fr->fr_mflx |= $1;) }
1453 	| notwith opttype		{ DOALL(fr->fr_mflx |= $2;) }
1454 	| ipopt ipopts			{ yyresetdict(); }
1455 	| notwith ipopt ipopts		{ yyresetdict(); }
1456 	| startv6hdr ipv6hdrs		{ yyresetdict(); }
1457 	;
1458 
1459 ipopt:	IPFY_OPT			{ yysetdict(ipv4optwords); }
1460 	;
1461 
1462 startv6hdr:
1463 	IPFY_V6HDR	{ if (frc->fr_family != AF_INET6)
1464 				yyerror("only available with IPv6");
1465 			  yysetdict(ipv6optwords);
1466 			}
1467 	;
1468 
1469 notwith:
1470 	IPFY_NOT			{ nowith = 1; }
1471 	| IPFY_NO			{ nowith = 1; }
1472 	;
1473 
1474 opttype:
1475 	IPFY_IPOPTS			{ $$ = FI_OPTIONS; }
1476 	| IPFY_SHORT			{ $$ = FI_SHORT; }
1477 	| IPFY_NAT			{ $$ = FI_NATED; }
1478 	| IPFY_BAD			{ $$ = FI_BAD; }
1479 	| IPFY_BADNAT			{ $$ = FI_BADNAT; }
1480 	| IPFY_BADSRC			{ $$ = FI_BADSRC; }
1481 	| IPFY_LOWTTL			{ $$ = FI_LOWTTL; }
1482 	| IPFY_FRAG			{ $$ = FI_FRAG; }
1483 	| IPFY_FRAGBODY			{ $$ = FI_FRAGBODY; }
1484 	| IPFY_FRAGS			{ $$ = FI_FRAG; }
1485 	| IPFY_MBCAST			{ $$ = FI_MBCAST; }
1486 	| IPFY_MULTICAST		{ $$ = FI_MULTICAST; }
1487 	| IPFY_BROADCAST		{ $$ = FI_BROADCAST; }
1488 	| IPFY_STATE			{ $$ = FI_STATE; }
1489 	| IPFY_OOW			{ $$ = FI_OOW; }
1490 	| IPFY_AH			{ $$ = FI_AH; }
1491 	| IPFY_V6HDRS			{ $$ = FI_V6EXTHDR; }
1492 	;
1493 
1494 ipopts:	optlist		{ DOALL(fr->fr_mip.fi_optmsk |= $1;
1495 				if (fr->fr_family == AF_UNSPEC) {
1496 					fr->fr_family = AF_INET;
1497 					fr->fr_ip.fi_v = 4;
1498 					fr->fr_mip.fi_v = 0xf;
1499 				} else if (fr->fr_family != AF_INET) {
1500 					YYERROR;
1501 				}
1502 				if (!nowith)
1503 					fr->fr_ip.fi_optmsk |= $1;)
1504 			}
1505 	;
1506 
/*
 * OR together the option bits of a comma-separated list.
 *
 * NOTE(review): `$$ |= ...` reads $$ before assigning it.  This works
 * only because both byacc and bison initialise $$ to $1 before running
 * the action, so the first alternative is effectively `$$ = $1` and the
 * second `$$ = $1 | $3`.  Writing it that way would not depend on the
 * generator's default.
 */
optlist:
	opt				{ $$ |= $1; }
	| optlist ',' opt		{ $$ |= $1 | $3; }
	;
1511 
1512 ipv6hdrs:
1513 	ipv6hdrlist	{ DOALL(fr->fr_mip.fi_optmsk |= $1;
1514 				if (!nowith)
1515 					fr->fr_ip.fi_optmsk |= $1;)
1516 			}
1517 	;
1518 
1519 ipv6hdrlist:
1520 	ipv6hdr				{ $$ |= $1; }
1521 	| ipv6hdrlist ',' ipv6hdr	{ $$ |= $1 | $3; }
1522 	;
1523 
1524 secname:
1525 	seclevel			{ $$ |= $1; }
1526 	| secname ',' seclevel		{ $$ |= $1 | $3; }
1527 	;
1528 
1529 seclevel:
1530 	IPFY_SEC_UNC			{ $$ = secbit(IPSO_CLASS_UNCL); }
1531 	| IPFY_SEC_CONF			{ $$ = secbit(IPSO_CLASS_CONF); }
1532 	| IPFY_SEC_RSV1			{ $$ = secbit(IPSO_CLASS_RES1); }
1533 	| IPFY_SEC_RSV2			{ $$ = secbit(IPSO_CLASS_RES2); }
1534 	| IPFY_SEC_RSV3			{ $$ = secbit(IPSO_CLASS_RES3); }
1535 	| IPFY_SEC_RSV4			{ $$ = secbit(IPSO_CLASS_RES4); }
1536 	| IPFY_SEC_SEC			{ $$ = secbit(IPSO_CLASS_SECR); }
1537 	| IPFY_SEC_TS			{ $$ = secbit(IPSO_CLASS_TOPS); }
1538 	;
1539 
/*
 * An ICMP type, numeric or by name for the rule's family.
 *
 * NOTE(review): the YY_STR token is never freed here (compare portnum
 * and hostname, which free($1)).  geticmptype() returns -1 for an
 * unknown name; yyerror() is called but $$ is left at -1, so if
 * yyerror() returns, itype shifts -1 into the match.  A numeric type is
 * not range-checked either: itype/typelist compute htons($1 << 8), so a
 * value above 255 is truncated to 16 bits and silently matches a
 * different type.
 */
icmptype:
	YY_NUMBER		{ $$ = $1; }
	| YY_STR		{ $$ = geticmptype(frc->fr_family, $1);
				  if ($$ == -1)
					yyerror("unrecognised icmp type");
				}
	;
1547 
/*
 * An ICMP unreachable code, numeric or by keyword.  The keyword values
 * come from <netinet/ip_icmp.h>; the last two are spelled as literals
 * (14 = host precedence violation, 15 = precedence cutoff), presumably
 * because the matching macros were not available everywhere.
 *
 * NOTE(review): a numeric code is not range-checked here; see icode for
 * the effect of values above 255.
 */
icmpcode:
	YY_NUMBER			{ $$ = $1; }
	| IPFY_ICMPC_NETUNR		{ $$ = ICMP_UNREACH_NET; }
	| IPFY_ICMPC_HSTUNR		{ $$ = ICMP_UNREACH_HOST; }
	| IPFY_ICMPC_PROUNR		{ $$ = ICMP_UNREACH_PROTOCOL; }
	| IPFY_ICMPC_PORUNR		{ $$ = ICMP_UNREACH_PORT; }
	| IPFY_ICMPC_NEEDF		{ $$ = ICMP_UNREACH_NEEDFRAG; }
	| IPFY_ICMPC_SRCFAIL		{ $$ = ICMP_UNREACH_SRCFAIL; }
	| IPFY_ICMPC_NETUNK		{ $$ = ICMP_UNREACH_NET_UNKNOWN; }
	| IPFY_ICMPC_HSTUNK		{ $$ = ICMP_UNREACH_HOST_UNKNOWN; }
	| IPFY_ICMPC_ISOLATE		{ $$ = ICMP_UNREACH_ISOLATED; }
	| IPFY_ICMPC_NETPRO		{ $$ = ICMP_UNREACH_NET_PROHIB; }
	| IPFY_ICMPC_HSTPRO		{ $$ = ICMP_UNREACH_HOST_PROHIB; }
	| IPFY_ICMPC_NETTOS		{ $$ = ICMP_UNREACH_TOSNET; }
	| IPFY_ICMPC_HSTTOS		{ $$ = ICMP_UNREACH_TOSHOST; }
	| IPFY_ICMPC_FLTPRO		{ $$ = ICMP_UNREACH_ADMIN_PROHIBIT; }
	| IPFY_ICMPC_HSTPRE		{ $$ = 14; }	/* host precedence violation */
	| IPFY_ICMPC_CUTPRE		{ $$ = 15; }	/* precedence cutoff in effect */
	;
1567 
1568 opt:
1569 	IPFY_IPOPT_NOP			{ $$ = getoptbyvalue(IPOPT_NOP); }
1570 	| IPFY_IPOPT_RR			{ $$ = getoptbyvalue(IPOPT_RR); }
1571 	| IPFY_IPOPT_ZSU		{ $$ = getoptbyvalue(IPOPT_ZSU); }
1572 	| IPFY_IPOPT_MTUP		{ $$ = getoptbyvalue(IPOPT_MTUP); }
1573 	| IPFY_IPOPT_MTUR		{ $$ = getoptbyvalue(IPOPT_MTUR); }
1574 	| IPFY_IPOPT_ENCODE		{ $$ = getoptbyvalue(IPOPT_ENCODE); }
1575 	| IPFY_IPOPT_TS			{ $$ = getoptbyvalue(IPOPT_TS); }
1576 	| IPFY_IPOPT_TR			{ $$ = getoptbyvalue(IPOPT_TR); }
1577 	| IPFY_IPOPT_SEC		{ $$ = getoptbyvalue(IPOPT_SECURITY); }
1578 	| IPFY_IPOPT_LSRR		{ $$ = getoptbyvalue(IPOPT_LSRR); }
1579 	| IPFY_IPOPT_ESEC		{ $$ = getoptbyvalue(IPOPT_E_SEC); }
1580 	| IPFY_IPOPT_CIPSO 		{ $$ = getoptbyvalue(IPOPT_CIPSO); }
1581 	| IPFY_IPOPT_CIPSO doi		{ $$ = getoptbyvalue(IPOPT_CIPSO); }
1582 	| IPFY_IPOPT_SATID		{ $$ = getoptbyvalue(IPOPT_SATID); }
1583 	| IPFY_IPOPT_SSRR		{ $$ = getoptbyvalue(IPOPT_SSRR); }
1584 	| IPFY_IPOPT_ADDEXT		{ $$ = getoptbyvalue(IPOPT_ADDEXT); }
1585 	| IPFY_IPOPT_VISA		{ $$ = getoptbyvalue(IPOPT_VISA); }
1586 	| IPFY_IPOPT_IMITD		{ $$ = getoptbyvalue(IPOPT_IMITD); }
1587 	| IPFY_IPOPT_EIP		{ $$ = getoptbyvalue(IPOPT_EIP); }
1588 	| IPFY_IPOPT_FINN		{ $$ = getoptbyvalue(IPOPT_FINN); }
1589 	| IPFY_IPOPT_DPS		{ $$ = getoptbyvalue(IPOPT_DPS); }
1590 	| IPFY_IPOPT_SDB		{ $$ = getoptbyvalue(IPOPT_SDB); }
1591 	| IPFY_IPOPT_NSAPA		{ $$ = getoptbyvalue(IPOPT_NSAPA); }
1592 	| IPFY_IPOPT_RTRALRT		{ $$ = getoptbyvalue(IPOPT_RTRALRT); }
1593 	| IPFY_IPOPT_UMP		{ $$ = getoptbyvalue(IPOPT_UMP); }
1594 	| setsecclass secname
1595 			{ DOALL(fr->fr_mip.fi_secmsk |= $2;
1596 				if (fr->fr_family == AF_UNSPEC) {
1597 					fr->fr_family = AF_INET;
1598 					fr->fr_ip.fi_v = 4;
1599 					fr->fr_mip.fi_v = 0xf;
1600 				} else if (fr->fr_family != AF_INET) {
1601 					YYERROR;
1602 				}
1603 				if (!nowith)
1604 					fr->fr_ip.fi_secmsk |= $2;)
1605 			  $$ = 0;
1606 			  yyresetdict();
1607 			}
1608 	;
1609 
1610 setsecclass:
1611 	IPFY_SECCLASS			{ yysetdict(ipv4secwords); }
1612 	;
1613 
/*
 * CIPSO domain of interpretation qualifier for "opt cipso doi N".
 *
 * NOTE(review): the mask is forced to all-ones in both the plain and the
 * negated ("no"/"not", nowith != 0) case, but fr_doi is only written when
 * not negated.  With nowith set, the rule therefore matches DOI ==
 * fr_doi's previous value (0 unless set earlier) rather than expressing
 * "DOI != N"; confirm that is the intended meaning of a negated doi.
 */
doi:	IPFY_DOI YY_NUMBER		{ DOALL(fr->fr_doimask = 0xffffffff; \
						if (!nowith) \
							fr->fr_doi = $2;) }
	| IPFY_DOI YY_HEX		{ DOALL(fr->fr_doimask = 0xffffffff; \
						if (!nowith) \
							fr->fr_doi = $2;) }
	;
1621 
1622 ipv6hdr:
1623 	IPFY_AH			{ $$ = getv6optbyvalue(IPPROTO_AH); }
1624 	| IPFY_IPV6OPT_DSTOPTS	{ $$ = getv6optbyvalue(IPPROTO_DSTOPTS); }
1625 	| IPFY_IPV6OPT_ESP	{ $$ = getv6optbyvalue(IPPROTO_ESP); }
1626 	| IPFY_IPV6OPT_HOPOPTS	{ $$ = getv6optbyvalue(IPPROTO_HOPOPTS); }
1627 	| IPFY_IPV6OPT_IPV6	{ $$ = getv6optbyvalue(IPPROTO_IPV6); }
1628 	| IPFY_IPV6OPT_NONE	{ $$ = getv6optbyvalue(IPPROTO_NONE); }
1629 	| IPFY_IPV6OPT_ROUTING	{ $$ = getv6optbyvalue(IPPROTO_ROUTING); }
1630 	| IPFY_IPV6OPT_FRAG	{ $$ = getv6optbyvalue(IPPROTO_FRAGMENT); }
1631 	| IPFY_IPV6OPT_MOBILITY	{ $$ = getv6optbyvalue(IPPROTO_MOBILITY); }
1632 	;
1633 
1634 level:	IPFY_LEVEL			{ setsyslog(); }
1635 	;
1636 
/*
 * syslog facility.priority for "log level"; a bare priority defaults to
 * LOG_LOCAL0.
 *
 * NOTE(review): unlike almost every other action in this grammar this
 * writes through the global fr rather than DOALL(), so only the rule fr
 * currently points at gets the level.  DOALL() leaves fr == NULL when it
 * finishes, so this also relies on no DOALL() having run between
 * newrule() and the log clause - confirm the clause ordering guarantees
 * that.
 */
loglevel:
	priority			{ fr->fr_loglevel = LOG_LOCAL0|$1; }
	| facility '.' priority		{ fr->fr_loglevel = $1 | $3; }
	;
1641 
/*
 * syslog facility keywords, mapped to the <syslog.h> LOG_* constants.
 *
 * NOTE(review): the logwords table also maps "console" to
 * IPFY_FAC_CONSOLE, but no alternative here accepts that token, so
 * `log level console.<priority>` presumably fails with a syntax error.
 * If it is meant to work, add `| IPFY_FAC_CONSOLE { $$ = LOG_CONSOLE; }`
 * (FreeBSD's <syslog.h> defines LOG_CONSOLE); otherwise drop the table
 * entry so the two stay consistent.
 */
facility:
	IPFY_FAC_KERN			{ $$ = LOG_KERN; }
	| IPFY_FAC_USER			{ $$ = LOG_USER; }
	| IPFY_FAC_MAIL			{ $$ = LOG_MAIL; }
	| IPFY_FAC_DAEMON		{ $$ = LOG_DAEMON; }
	| IPFY_FAC_AUTH			{ $$ = LOG_AUTH; }
	| IPFY_FAC_SYSLOG		{ $$ = LOG_SYSLOG; }
	| IPFY_FAC_LPR			{ $$ = LOG_LPR; }
	| IPFY_FAC_NEWS			{ $$ = LOG_NEWS; }
	| IPFY_FAC_UUCP			{ $$ = LOG_UUCP; }
	| IPFY_FAC_CRON			{ $$ = LOG_CRON; }
	| IPFY_FAC_FTP			{ $$ = LOG_FTP; }
	| IPFY_FAC_AUTHPRIV		{ $$ = LOG_AUTHPRIV; }
	| IPFY_FAC_AUDIT		{ $$ = LOG_AUDIT; }
	| IPFY_FAC_LFMT			{ $$ = LOG_LFMT; }
	| IPFY_FAC_LOCAL0		{ $$ = LOG_LOCAL0; }
	| IPFY_FAC_LOCAL1		{ $$ = LOG_LOCAL1; }
	| IPFY_FAC_LOCAL2		{ $$ = LOG_LOCAL2; }
	| IPFY_FAC_LOCAL3		{ $$ = LOG_LOCAL3; }
	| IPFY_FAC_LOCAL4		{ $$ = LOG_LOCAL4; }
	| IPFY_FAC_LOCAL5		{ $$ = LOG_LOCAL5; }
	| IPFY_FAC_LOCAL6		{ $$ = LOG_LOCAL6; }
	| IPFY_FAC_LOCAL7		{ $$ = LOG_LOCAL7; }
	| IPFY_FAC_SECURITY		{ $$ = LOG_SECURITY; }
	;
1667 
1668 priority:
1669 	IPFY_PRI_EMERG			{ $$ = LOG_EMERG; }
1670 	| IPFY_PRI_ALERT		{ $$ = LOG_ALERT; }
1671 	| IPFY_PRI_CRIT			{ $$ = LOG_CRIT; }
1672 	| IPFY_PRI_ERR			{ $$ = LOG_ERR; }
1673 	| IPFY_PRI_WARN			{ $$ = LOG_WARNING; }
1674 	| IPFY_PRI_NOTICE		{ $$ = LOG_NOTICE; }
1675 	| IPFY_PRI_INFO			{ $$ = LOG_INFO; }
1676 	| IPFY_PRI_DEBUG		{ $$ = LOG_DEBUG; }
1677 	;
1678 
1679 compare:
1680 	YY_CMP_EQ			{ $$ = FR_EQUAL; }
1681 	| YY_CMP_NE			{ $$ = FR_NEQUAL; }
1682 	| YY_CMP_LT			{ $$ = FR_LESST; }
1683 	| YY_CMP_LE			{ $$ = FR_LESSTE; }
1684 	| YY_CMP_GT			{ $$ = FR_GREATERT; }
1685 	| YY_CMP_GE			{ $$ = FR_GREATERTE; }
1686 	;
1687 
1688 range:	YY_RANGE_IN			{ $$ = FR_INRANGE; }
1689 	| YY_RANGE_OUT			{ $$ = FR_OUTRANGE; }
1690 	| ':'				{ $$ = FR_INCRANGE; }
1691 	;
1692 
1693 servicename:
1694 	YY_STR				{ $$ = $1; }
1695 	;
1696 
/*
 * An interface name for on/in-via/out-via.  Ownership of the string in
 * $1 passes to the caller.
 *
 * NOTE(review): a logical interface "name:N" is only warned about on
 * stderr; the rule is then silently applied to the physical interface,
 * which may be broader than the author intended.  Rejecting it with
 * yyerror() instead of fprintf() would make the misconfiguration fail
 * loudly.  $3 is printed with %d although YY_NUMBER may be unsigned.
 */
interfacename:	name				{ $$ = $1; }
	| name ':' YY_NUMBER
		{ $$ = $1;
		  fprintf(stderr, "%d: Logical interface %s:%d unsupported, "
			  "use the physical interface %s instead.\n",
			  yylineNum, $1, $3, $1);
		}
	;
1705 
1706 name:	YY_STR				{ $$ = $1; }
1707 	| '-'				{ $$ = strdup("-"); }
1708 	;
1709 
/*
 * First two octets of a dotted-quad; the result is stored in network
 * byte order with the low 16 bits clear so ipv4_24/ipv4 can OR in the
 * rest.
 *
 * NOTE(review): `return(0)` here executes inside yyparse() and makes it
 * return 0 (success) with the parse abandoned mid-rule.  ipf_parsesome()
 * ignores that status and loops, so the rest of the input is re-entered
 * from wherever the lexer stopped.  Unless yyerror() exits, YYERROR
 * would be the conventional way to reject the token.
 */
ipv4_16:
	YY_NUMBER '.' YY_NUMBER
		{ if ($1 > 255 || $3 > 255) {
			yyerror("Invalid octet string for IP address");
			return(0);
		  }
		  $$.s_addr = ($1 << 24) | ($3 << 16);
		  $$.s_addr = htonl($$.s_addr);
		}
	;
1720 
/*
 * Third octet of a dotted-quad, OR-ed into the ipv4_16 prefix.
 *
 * NOTE(review): as in ipv4_16, `return(0)` returns from yyparse() with a
 * success status rather than signalling a syntax error.
 */
ipv4_24:
	ipv4_16 '.' YY_NUMBER
		{ if ($3 > 255) {
			yyerror("Invalid octet string for IP address");
			return(0);
		  }
		  $$.s_addr |= htonl($3 << 8);
		}
	;
1730 
/*
 * An IPv4 address.  Two- and three-octet forms are accepted as well and
 * leave the missing low octets zero (e.g. "10.1" is 10.1.0.0).
 *
 * NOTE(review): as in ipv4_16, `return(0)` returns from yyparse() with a
 * success status rather than signalling a syntax error.
 */
ipv4:	ipv4_24 '.' YY_NUMBER
		{ if ($3 > 255) {
			yyerror("Invalid octet string for IP address");
			return(0);
		  }
		  $$.s_addr |= htonl($3);
		}
	| ipv4_24
	| ipv4_16
	;
1741 
1742 %%
1743 
1744 
1745 static	struct	wordtab ipfwords[] = {
1746 	{ "age",			IPFY_AGE },
1747 	{ "ah",				IPFY_AH },
1748 	{ "all",			IPFY_ALL },
1749 	{ "and",			IPFY_AND },
1750 	{ "auth",			IPFY_AUTH },
1751 	{ "bad",			IPFY_BAD },
1752 	{ "bad-nat",			IPFY_BADNAT },
1753 	{ "bad-src",			IPFY_BADSRC },
1754 	{ "bcast",			IPFY_BROADCAST },
1755 	{ "block",			IPFY_BLOCK },
1756 	{ "body",			IPFY_BODY },
1757 	{ "bpf-v4",			IPFY_BPFV4 },
1758 #ifdef USE_INET6
1759 	{ "bpf-v6",			IPFY_BPFV6 },
1760 #endif
1761 	{ "call",			IPFY_CALL },
1762 	{ "code",			IPFY_ICMPCODE },
1763 	{ "comment",			IPFY_COMMENT },
1764 	{ "count",			IPFY_COUNT },
1765 	{ "decapsulate",		IPFY_DECAPS },
1766 	{ "dstlist",			IPFY_DSTLIST },
1767 	{ "doi",			IPFY_DOI },
1768 	{ "dup-to",			IPFY_DUPTO },
1769 	{ "eq",				YY_CMP_EQ },
1770 	{ "esp",			IPFY_ESP },
1771 	{ "exp",			IPFY_IPFEXPR },
1772 	{ "family",			IPFY_FAMILY },
1773 	{ "fastroute",			IPFY_FROUTE },
1774 	{ "first",			IPFY_FIRST },
1775 	{ "flags",			IPFY_FLAGS },
1776 	{ "frag",			IPFY_FRAG },
1777 	{ "frag-body",			IPFY_FRAGBODY },
1778 	{ "frags",			IPFY_FRAGS },
1779 	{ "from",			IPFY_FROM },
1780 	{ "ge",				YY_CMP_GE },
1781 	{ "group",			IPFY_GROUP },
1782 	{ "gt",				YY_CMP_GT },
1783 	{ "head",			IPFY_HEAD },
1784 	{ "icmp",			IPFY_ICMP },
1785 	{ "icmp-head",			IPFY_ICMPHEAD },
1786 	{ "icmp-type",			IPFY_ICMPTYPE },
1787 	{ "in",				IPFY_IN },
1788 	{ "in-via",			IPFY_INVIA },
1789 	{ "inet",			IPFY_INET },
1790 	{ "inet6",			IPFY_INET6 },
1791 	{ "ipopt",			IPFY_IPOPTS },
1792 	{ "ipopts",			IPFY_IPOPTS },
1793 	{ "keep",			IPFY_KEEP },
1794 	{ "l5-as",			IPFY_L5AS },
1795 	{ "le",				YY_CMP_LE },
1796 	{ "level",			IPFY_LEVEL },
1797 	{ "limit",			IPFY_LIMIT },
1798 	{ "log",			IPFY_LOG },
1799 	{ "loose",			IPFY_LOOSE },
1800 	{ "lowttl",			IPFY_LOWTTL },
1801 	{ "lt",				YY_CMP_LT },
1802 	{ "mask",			IPFY_MASK },
1803 	{ "match-tag",			IPFY_MATCHTAG },
1804 	{ "max-per-src",		IPFY_MAX_PER_SRC },
1805 	{ "max-srcs",			IPFY_MAX_SRCS },
1806 	{ "mbcast",			IPFY_MBCAST },
1807 	{ "mcast",			IPFY_MULTICAST },
1808 	{ "multicast",			IPFY_MULTICAST },
1809 	{ "nat",			IPFY_NAT },
1810 	{ "ne",				YY_CMP_NE },
1811 	{ "net",			IPFY_NETWORK },
1812 	{ "newisn",			IPFY_NEWISN },
1813 	{ "no",				IPFY_NO },
1814 	{ "no-icmp-err",		IPFY_NOICMPERR },
1815 	{ "nolog",			IPFY_NOLOG },
1816 	{ "nomatch",			IPFY_NOMATCH },
1817 	{ "now",			IPFY_NOW },
1818 	{ "not",			IPFY_NOT },
1819 	{ "oow",			IPFY_OOW },
1820 	{ "on",				IPFY_ON },
1821 	{ "opt",			IPFY_OPT },
1822 	{ "or-block",			IPFY_ORBLOCK },
1823 	{ "out",			IPFY_OUT },
1824 	{ "out-via",			IPFY_OUTVIA },
1825 	{ "pass",			IPFY_PASS },
1826 	{ "port",			IPFY_PORT },
1827 	{ "pps",			IPFY_PPS },
1828 	{ "preauth",			IPFY_PREAUTH },
1829 	{ "proto",			IPFY_PROTO },
1830 	{ "quick",			IPFY_QUICK },
1831 	{ "reply-to",			IPFY_REPLY_TO },
1832 	{ "return-icmp",		IPFY_RETICMP },
1833 	{ "return-icmp-as-dest",	IPFY_RETICMPASDST },
1834 	{ "return-rst",			IPFY_RETRST },
1835 	{ "route-to",			IPFY_ROUTETO },
1836 	{ "rule-ttl",			IPFY_RULETTL },
1837 	{ "rpc",			IPFY_RPC },
1838 	{ "sec-class",			IPFY_SECCLASS },
1839 	{ "set",			IPFY_SET },
1840 	{ "set-tag",			IPFY_SETTAG },
1841 	{ "skip",			IPFY_SKIP },
1842 	{ "short",			IPFY_SHORT },
1843 	{ "state",			IPFY_STATE },
1844 	{ "state-age",			IPFY_AGE },
1845 	{ "strict",			IPFY_STRICT },
1846 	{ "sync",			IPFY_SYNC },
1847 	{ "tcp",			IPFY_TCP },
1848 	{ "tcp-udp",			IPFY_TCPUDP },
1849 	{ "tos",			IPFY_TOS },
1850 	{ "to",				IPFY_TO },
1851 	{ "ttl",			IPFY_TTL },
1852 	{ "udp",			IPFY_UDP },
1853 	{ "v6hdr",			IPFY_V6HDR },
1854 	{ "v6hdrs",			IPFY_V6HDRS },
1855 	{ "with",			IPFY_WITH },
1856 	{ NULL,				0 }
1857 };
1858 
1859 static	struct	wordtab	addrwords[] = {
1860 	{ "any",			IPFY_ANY },
1861 	{ "hash",			IPFY_HASH },
1862 	{ "pool",			IPFY_POOL },
1863 	{ NULL,				0 }
1864 };
1865 
1866 static	struct	wordtab	maskwords[] = {
1867 	{ "broadcast",			IPFY_BROADCAST },
1868 	{ "netmasked",			IPFY_NETMASKED },
1869 	{ "network",			IPFY_NETWORK },
1870 	{ "peer",			IPFY_PEER },
1871 	{ NULL,				0 }
1872 };
1873 
/*
 * Keyword dictionary installed by seticmpcode for "code" arguments.
 * Not strictly alphabetical ("host-*" sits after "net-tos"); whether
 * the lexer's lookup depends on ordering is not visible here - confirm
 * before relying on it.
 */
static	struct	wordtab icmpcodewords[] = {
	{ "cutoff-preced",		IPFY_ICMPC_CUTPRE },
	{ "filter-prohib",		IPFY_ICMPC_FLTPRO },
	{ "isolate",			IPFY_ICMPC_ISOLATE },
	{ "needfrag",			IPFY_ICMPC_NEEDF },
	{ "net-prohib",			IPFY_ICMPC_NETPRO },
	{ "net-tos",			IPFY_ICMPC_NETTOS },
	{ "host-preced",		IPFY_ICMPC_HSTPRE },
	{ "host-prohib",		IPFY_ICMPC_HSTPRO },
	{ "host-tos",			IPFY_ICMPC_HSTTOS },
	{ "host-unk",			IPFY_ICMPC_HSTUNK },
	{ "host-unr",			IPFY_ICMPC_HSTUNR },
	{ "net-unk",			IPFY_ICMPC_NETUNK },
	{ "net-unr",			IPFY_ICMPC_NETUNR },
	{ "port-unr",			IPFY_ICMPC_PORUNR },
	{ "proto-unr",			IPFY_ICMPC_PROUNR },
	{ "srcfail",			IPFY_ICMPC_SRCFAIL },
	{ NULL,				0 },
};
1893 
1894 static	struct	wordtab ipv4optwords[] = {
1895 	{ "addext",			IPFY_IPOPT_ADDEXT },
1896 	{ "cipso",			IPFY_IPOPT_CIPSO },
1897 	{ "dps",			IPFY_IPOPT_DPS },
1898 	{ "e-sec",			IPFY_IPOPT_ESEC },
1899 	{ "eip",			IPFY_IPOPT_EIP },
1900 	{ "encode",			IPFY_IPOPT_ENCODE },
1901 	{ "finn",			IPFY_IPOPT_FINN },
1902 	{ "imitd",			IPFY_IPOPT_IMITD },
1903 	{ "lsrr",			IPFY_IPOPT_LSRR },
1904 	{ "mtup",			IPFY_IPOPT_MTUP },
1905 	{ "mtur",			IPFY_IPOPT_MTUR },
1906 	{ "nop",			IPFY_IPOPT_NOP },
1907 	{ "nsapa",			IPFY_IPOPT_NSAPA },
1908 	{ "rr",				IPFY_IPOPT_RR },
1909 	{ "rtralrt",			IPFY_IPOPT_RTRALRT },
1910 	{ "satid",			IPFY_IPOPT_SATID },
1911 	{ "sdb",			IPFY_IPOPT_SDB },
1912 	{ "sec",			IPFY_IPOPT_SEC },
1913 	{ "ssrr",			IPFY_IPOPT_SSRR },
1914 	{ "tr",				IPFY_IPOPT_TR },
1915 	{ "ts",				IPFY_IPOPT_TS },
1916 	{ "ump",			IPFY_IPOPT_UMP },
1917 	{ "visa",			IPFY_IPOPT_VISA },
1918 	{ "zsu",			IPFY_IPOPT_ZSU },
1919 	{ NULL,				0 },
1920 };
1921 
1922 static	struct	wordtab ipv4secwords[] = {
1923 	{ "confid",			IPFY_SEC_CONF },
1924 	{ "reserv-1",			IPFY_SEC_RSV1 },
1925 	{ "reserv-2",			IPFY_SEC_RSV2 },
1926 	{ "reserv-3",			IPFY_SEC_RSV3 },
1927 	{ "reserv-4",			IPFY_SEC_RSV4 },
1928 	{ "secret",			IPFY_SEC_SEC },
1929 	{ "topsecret",			IPFY_SEC_TS },
1930 	{ "unclass",			IPFY_SEC_UNC },
1931 	{ NULL,				0 },
1932 };
1933 
1934 static	struct	wordtab ipv6optwords[] = {
1935 	{ "dstopts",			IPFY_IPV6OPT_DSTOPTS },
1936 	{ "esp",			IPFY_IPV6OPT_ESP },
1937 	{ "frag",			IPFY_IPV6OPT_FRAG },
1938 	{ "hopopts",			IPFY_IPV6OPT_HOPOPTS },
1939 	{ "ipv6",			IPFY_IPV6OPT_IPV6 },
1940 	{ "mobility",			IPFY_IPV6OPT_MOBILITY },
1941 	{ "none",			IPFY_IPV6OPT_NONE },
1942 	{ "routing",			IPFY_IPV6OPT_ROUTING },
1943 	{ NULL,				0 },
1944 };
1945 
/*
 * Keyword dictionary for "log level": syslog facilities followed by
 * priorities.
 *
 * NOTE(review): "console" lexes to IPFY_FAC_CONSOLE, but the facility
 * grammar rule has no alternative for that token, so the keyword cannot
 * actually be used.  Either add the alternative or drop this entry.
 */
static	struct	wordtab logwords[] = {
	{ "kern",			IPFY_FAC_KERN },
	{ "user",			IPFY_FAC_USER },
	{ "mail",			IPFY_FAC_MAIL },
	{ "daemon",			IPFY_FAC_DAEMON },
	{ "auth",			IPFY_FAC_AUTH },
	{ "syslog",			IPFY_FAC_SYSLOG },
	{ "lpr",			IPFY_FAC_LPR },
	{ "news",			IPFY_FAC_NEWS },
	{ "uucp",			IPFY_FAC_UUCP },
	{ "cron",			IPFY_FAC_CRON },
	{ "ftp",			IPFY_FAC_FTP },
	{ "authpriv",			IPFY_FAC_AUTHPRIV },
	{ "audit",			IPFY_FAC_AUDIT },
	{ "logalert",			IPFY_FAC_LFMT },
	{ "console",			IPFY_FAC_CONSOLE },
	{ "security",			IPFY_FAC_SECURITY },
	{ "local0",			IPFY_FAC_LOCAL0 },
	{ "local1",			IPFY_FAC_LOCAL1 },
	{ "local2",			IPFY_FAC_LOCAL2 },
	{ "local3",			IPFY_FAC_LOCAL3 },
	{ "local4",			IPFY_FAC_LOCAL4 },
	{ "local5",			IPFY_FAC_LOCAL5 },
	{ "local6",			IPFY_FAC_LOCAL6 },
	{ "local7",			IPFY_FAC_LOCAL7 },
	{ "emerg",			IPFY_PRI_EMERG },
	{ "alert",			IPFY_PRI_ALERT },
	{ "crit",			IPFY_PRI_CRIT },
	{ "err",			IPFY_PRI_ERR },
	{ "warn",			IPFY_PRI_WARN },
	{ "notice",			IPFY_PRI_NOTICE },
	{ "info",			IPFY_PRI_INFO },
	{ "debug",			IPFY_PRI_DEBUG },
	{ NULL,				0 },
};
1981 
1982 
1983 
1984 
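/*
 * Parse a whole rules file by repeatedly calling ipf_parsesome() until
 * it reports end of input.
 *
 * fd       - ipf device descriptor, forwarded to ipf_parsesome().
 * addfunc  - callback invoked for each completed rule.
 * iocfuncs - per-device ioctl table, forwarded to ipf_parsesome().
 * filename - path of the rules file, or "-" to read standard input.
 *
 * Returns 0 when the input has been consumed and -1 if the file cannot
 * be opened (the reason is printed to stderr).  Syntax errors are NOT
 * reflected in the return value: ipf_parsesome() discards yyparse()'s
 * status and returns 1 regardless, so callers cannot use this result to
 * decide whether the rule set was accepted.
 */
int
ipf_parsefile(int fd, addfunc_t addfunc, ioctlfunc_t *iocfuncs, char *filename)
{
	FILE *fp;
	char *s;

	yylineNum = 1;
	yysettab(ipfwords);

	/* A YYDEBUG value in the environment turns on parser tracing. */
	s = getenv("YYDEBUG");
	yydebug = (s != NULL) ? atoi(s) : 0;

	if (strcmp(filename, "-") == 0) {
		fp = stdin;
	} else {
		fp = fopen(filename, "r");
		if (fp == NULL) {
			fprintf(stderr, "fopen(%s) failed: %s\n", filename,
				STRERROR(errno));
			return(-1);
		}
	}

	while (ipf_parsesome(fd, addfunc, iocfuncs, fp) == 1)
		;

	/* Only close what we opened; closing stdin would break later reads. */
	if (fp != stdin)
		fclose(fp);
	return(0);
}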
2016 
2017 
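/*
 * Parse the next run of rules from fp.
 *
 * fd       - ipf device descriptor, stored in the global ipffd for the
 *            grammar actions.
 * addfunc  - callback stored in ipfaddfunc and invoked per rule.
 * iocfuncs - table of IPL_LOGMAX + 1 ioctl functions, copied into
 *            ipfioctls; the caller must supply at least that many.
 * fp       - open input stream.
 *
 * Returns 0 when fp is at end of input (nothing parsed) and 1 after a
 * call to yyparse().  yyparse()'s own status is discarded, so a syntax
 * error is not visible to the caller; presumably yyerror() exits or the
 * parser resynchronises on its own - confirm before relying on the
 * return value.
 */
int
ipf_parsesome(int fd, addfunc_t addfunc, ioctlfunc_t *iocfuncs, FILE *fp)
{
	char *s;
	int i;

	ipffd = fd;
	for (i = 0; i <= IPL_LOGMAX; i++)
		ipfioctls[i] = iocfuncs[i];
	ipfaddfunc = addfunc;

	/* Probe one byte so a stream that is already exhausted returns 0. */
	if (feof(fp))
		return(0);
	i = fgetc(fp);
	if (i == EOF)
		return(0);
	/*
	 * ungetc() returns the byte on success and EOF on failure.  Testing
	 * the result against 0 instead would stop parsing on a leading NUL
	 * byte and miss a genuine push-back failure.
	 */
	if (ungetc(i, fp) == EOF)
		return(0);
	if (feof(fp))
		return(0);

	/* A YYDEBUG value in the environment turns on parser tracing. */
	s = getenv("YYDEBUG");
	yydebug = (s != NULL) ? atoi(s) : 0;

	yyin = fp;
	yyparse();
	return(1);
}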
2048 
2049 
/*
 * Start a new rule: allocate an frentry, append it to the global list
 * rooted at frtop and make it the current rule (fr and frc).
 *
 * Defaults recorded on the fresh rule: fr_loglevel 0xffff and
 * fr_isc (void *)-1 (presumably "not set" sentinels), no log tag, no
 * match type yet (FR_T_NONE), and the source line for diagnostics.  The
 * address family is forced only when use_inet6 is 1 (AF_INET6) or -1
 * (AF_INET); otherwise it is left for later tokens to decide.  nrules
 * restarts at 1.
 *
 * Note: allocfr()'s result is used without a NULL check, as before.
 */
static void
newrule(void)
{
	frentry_t *frn, *last;

	frn = allocfr();

	/* Locate the tail of the existing list, if any. */
	last = frtop;
	while (last != NULL && last->fr_next != NULL)
		last = last->fr_next;

	if (last == NULL) {
		frtop = frn;
		frn->fr_pnext = &frtop;
	} else {
		last->fr_next = frn;
		frn->fr_pnext = &last->fr_next;
	}

	fr = frc = frn;
	frn->fr_loglevel = 0xffff;
	frn->fr_isc = (void *)-1;
	frn->fr_logtag = FR_NOLOGTAG;
	frn->fr_type = FR_T_NONE;
	frn->fr_flineno = yylineNum;

	switch (use_inet6) {
	case 1:
		frn->fr_family = AF_INET6;
		break;
	case -1:
		frn->fr_family = AF_INET;
		break;
	default:
		break;
	}

	nrules = 1;
}
2081 
2082 
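/*
 * Mark every rule from frc to the end of the list as an IPF-style
 * (FR_T_IPF) rule and attach a zeroed fripf_t match block to any rule
 * that does not have a type yet.
 *
 * For a newly typed rule the family is copied from frc, fi_v is set to
 * the matching IP version (4 or 6, left 0 for AF_UNSPEC) with its mask
 * nibble fully enabled, and both interface indexes are reset to -1.
 * A rule that already carries a non-IPF type (e.g. BPF) is left alone
 * and reported on stderr.
 *
 * Allocation failure aborts with a diagnostic, the same policy dobpf()
 * uses; previously the NULL was dereferenced through fr_ip/fr_ipf.
 * Side effect: walks via the global fr, which is NULL on return.
 */
static void
setipftype(void)
{
	for (fr = frc; fr != NULL; fr = fr->fr_next) {
		if (fr->fr_type == FR_T_NONE) {
			fripf_t *ipf;

			ipf = calloc(1, sizeof(*ipf));
			if (ipf == NULL) {
				warnx("memory allocation error at %d in %s in %s",
				      __LINE__, __FUNCTION__, __FILE__);
				abort();
			}
			fr->fr_type = FR_T_IPF;
			fr->fr_data = (void *)ipf;
			fr->fr_dsize = sizeof(*ipf);
			fr->fr_family = frc->fr_family;
			if (fr->fr_family == AF_INET) {
				fr->fr_ip.fi_v = 4;
			}
			else if (fr->fr_family == AF_INET6) {
				fr->fr_ip.fi_v = 6;
			}
			fr->fr_mip.fi_v = 0xf;
			fr->fr_ipf->fri_sifpidx = -1;
			fr->fr_ipf->fri_difpidx = -1;
		}
		if (fr->fr_type != FR_T_IPF) {
			fprintf(stderr, "IPF Type not set\n");
		}
	}
}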
2107 
2108 
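/*
 * Duplicate the current group of nrules rules (starting at frc) and
 * append the copies to the end of the list.
 *
 * Each copy is a struct copy of its source with fr_next cleared and,
 * when the source owns match data (fr_caddr != NULL), a private copy of
 * that data so the two rules can be modified independently.  The global
 * counter `added` is incremented per copy.
 *
 * Returns the first of the new copies, or NULL if an allocation fails;
 * in that case the copies made so far stay linked, as in the original
 * allocfr() failure path.
 *
 * fr_pnext is re-established after the struct copy: the copy would
 * otherwise inherit its source's back-pointer, making the explicit
 * assignment that preceded it dead.  newrule() establishes the same
 * "fr_pnext points at the predecessor's fr_next" invariant.
 */
static frentry_t *
addrule(void)
{
	frentry_t *f, *f1, *f2, *prev;
	int count;

	/* Find the current tail so the copies go after it. */
	for (f2 = frc; f2->fr_next != NULL; f2 = f2->fr_next)
		;

	count = nrules;
	prev = f2;
	for (f1 = frc; count > 0; count--, f1 = f1->fr_next) {
		f = allocfr();
		if (f == NULL)
			return(NULL);
		added++;

		*f = *f1;
		f->fr_next = NULL;
		f->fr_pnext = &prev->fr_next;
		prev->fr_next = f;

		if (f->fr_caddr != NULL) {
			f->fr_caddr = malloc(f->fr_dsize);
			if (f->fr_caddr == NULL)
				return(NULL);
			bcopy(f1->fr_caddr, f->fr_caddr, f->fr_dsize);
		}
		prev = f;
	}

	return(f2->fr_next);
}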
2137 
2138 
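/*
 * Resolve a bare word used where an address is expected.
 *
 * name  - the word from the rule text.
 * addrp - receives the resolved IPv4 address when the word is a host.
 *
 * Returns:
 *   1  name matches one of the (up to four) interface names already
 *      attached to the current rule: the address is to be taken from
 *      that interface at run time.  ifpflag is set to FRI_DYNAMIC and
 *      the name is recorded via addname(); *addrp is not written.
 *   0  name resolved through gethost() into *addrp (AF_INET only;
 *      IPv6 host names are never resolved here).
 *  -1  name is neither: a message is printed on stderr.  Note that the
 *      caller (hostname) does not treat this as a syntax error.
 *
 * Any pool/hash/dynamic state from a previous address is cleared first
 * via resetaddr(), which performs exactly the reset this function used
 * to do inline.  The interface-name scan uses the global fr (the rule
 * being filled in), not frc.
 */
static int
lookuphost(char *name, i6addr_t *addrp)
{
	int i;

	resetaddr();

	for (i = 0; i < 4; i++) {
		if (fr->fr_ifnames[i] == -1)
			continue;
		if (strcmp(name, fr->fr_names + fr->fr_ifnames[i]) == 0) {
			ifpflag = FRI_DYNAMIC;
			dynamic = addname(&fr, name);
			return(1);
		}
	}

	if (gethost(AF_INET, name, addrp) == -1) {
		fprintf(stderr, "unknown name \"%s\"\n", name);
		return(-1);
	}
	return(0);
}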
2164 
2165 
/*
 * Attach a BPF program to the current rule group.
 *
 * v      - IP version (4 or 6), converted to a family with vtof().
 * phrase - either a whitespace-separated list of hex opcodes beginning
 *          with "0x" (four tokens per instruction: code, jt, jf, k), or
 *          a libpcap filter expression (only when built with
 *          IPFILTER_BPF).
 *
 * NOTE(review), hex path: the function returns after handing the program
 * to the FIRST rule of the group, whereas the pcap path compiles the
 * phrase for every rule.  Unparseable tokens become 0 because strtol()'s
 * end pointer is not checked.  The "Odd number of bytes" message really
 * means "token count not a multiple of 4".
 *
 * NOTE(review), pcap path: the malloc() for fr_data is not checked
 * before bcopy(); bpf.bf_insns is never released (pcap_freecode()); and
 * on a bpf_validate() failure the rule is left typed FR_T_BPFOPC with
 * the rejected program still attached.  The early returns on pcap errors
 * likewise leave the rule typed FR_T_BPFOPC with no program.  Confirm the
 * caller discards the rule in these cases rather than loading it.
 */
static void
dobpf(int v, char *phrase)
{
#ifdef IPFILTER_BPF
	struct bpf_program bpf;
	struct pcap *p;
#endif
	fakebpf_t *fb;
	u_32_t l;
	char *s;
	int i;

	for (fr = frc; fr != NULL; fr = fr->fr_next) {
		/* Rules already typed (IPF, or a previous BPF) cannot take BPF. */
		if (fr->fr_type != FR_T_NONE) {
			fprintf(stderr, "cannot mix IPF and BPF matching\n");
			return;
		}
		fr->fr_family = vtof(v);
		fr->fr_type = FR_T_BPFOPC;

		if (!strncmp(phrase, "0x", 2)) {
			/* reallocarray() below grows this; a NULL here is tolerated. */
			fb = malloc(sizeof(fakebpf_t));

			/* strtok() modifies phrase in place. */
			for (i = 0, s = strtok(phrase, " \r\n\t"); s != NULL;
			     s = strtok(NULL, " \r\n\t"), i++) {
				fb = reallocarray(fb, i / 4 + 1, sizeof(*fb));
				if (fb == NULL) {
					warnx("memory allocation error at %d in %s in %s", __LINE__, __FUNCTION__, __FILE__);
					abort();
				}
				l = (u_32_t)strtol(s, NULL, 0);
				/* Token i fills field (i mod 4) of instruction i / 4. */
				switch (i & 3)
				{
				case 0 :
					fb[i / 4].fb_c = l & 0xffff;
					break;
				case 1 :
					fb[i / 4].fb_t = l & 0xff;
					break;
				case 2 :
					fb[i / 4].fb_f = l & 0xff;
					break;
				case 3 :
					fb[i / 4].fb_k = l;
					break;
				}
			}
			if ((i & 3) != 0) {
				fprintf(stderr,
					"Odd number of bytes in BPF code\n");
				exit(1);
			}
			/* i is a multiple of 4 here, so (i-1)/4 + 1 == i/4 instructions. */
			i--;
			fr->fr_dsize = (i / 4 + 1) * sizeof(*fb);
			fr->fr_data = fb;
			/* Only frc receives the program; later rules are left as set above. */
			return;
		}

#ifdef IPFILTER_BPF
		bzero((char *)&bpf, sizeof(bpf));
		p = pcap_open_dead(DLT_RAW, 1);
		if (!p) {
			fprintf(stderr, "pcap_open_dead failed\n");
			return;
		}

		/* Optimised compile, no netmask (0xffffffff = "unknown"). */
		if (pcap_compile(p, &bpf, phrase, 1, 0xffffffff)) {
			pcap_perror(p, "ipf");
			pcap_close(p);
			fprintf(stderr, "pcap parsing failed (%s)\n", phrase);
			return;
		}
		pcap_close(p);

		fr->fr_dsize = bpf.bf_len * sizeof(struct bpf_insn);
		fr->fr_data = malloc(fr->fr_dsize);	/* unchecked - see note above */
		bcopy((char *)bpf.bf_insns, fr->fr_data, fr->fr_dsize);
		if (!bpf_validate(fr->fr_data, bpf.bf_len)) {
			fprintf(stderr, "BPF validation failed\n");
			return;
		}
#endif
	}

#ifdef IPFILTER_BPF
	/* Dumps the program compiled in the last loop iteration. */
	if (opts & OPT_DEBUG)
		bpf_dump(&bpf, 0);
#else
	fprintf(stderr, "BPF filter expressions not supported\n");
	exit(1);
#endif
}
2258 
2259 
/*
 * Forget the per-address-expression state left behind by the previous
 * address parse so the next one starts clean.  All three are file-scope
 * statics: dynamic uses -1 as its "unset" value, the other two are plain
 * 0/1 flags.
 */
static void
resetaddr(void)
{
	dynamic = -1;
	pooled = 0;
	hashed = 0;
}
2267 
2268 
/*
 * Allocate one address-list node and push it onto the front of the list
 * headed by ptr (ptr may be NULL for an empty list).  Only al_not (cleared)
 * and al_next are initialised; the address fields are left for the caller.
 *
 * Returns the new list head, or NULL when malloc fails, in which case the
 * existing list is untouched.
 */
static alist_t *
newalist(alist_t *ptr)
{
	alist_t *head = malloc(sizeof(*head));

	if (head != NULL) {
		head->al_not = 0;
		head->al_next = ptr;
	}
	return(head);
}
2281 
2282 
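/*
 * Turn the parsed address list into an ip_pool and load it into the kernel
 * through the lookup ioctl.  Every alist_t entry becomes one ip_pool_node_t
 * in a temporary chain; for IPv6 the node is only filled in when built with
 * USE_INET6 (otherwise it stays zeroed, as before).  The chain is freed
 * before returning whatever the outcome.
 *
 * Returns the value from load_pool() (presumably the pool identifier), or 0
 * when the list is empty or a node cannot be allocated.  A node allocation
 * failure used to end the loop silently and load a pool missing the
 * remaining entries; it now aborts the load instead, because a firewall
 * pool that silently lacks addresses is worse than a reported failure.
 */
static int
makepool(alist_t *list)
{
	ip_pool_node_t *n, *top;
	ip_pool_t pool;
	alist_t *a;
	int num = 0;

	if (list == NULL)
		return(0);
	top = calloc(1, sizeof(*top));
	if (top == NULL)
		return(0);

	for (n = top, a = list; a != NULL; a = a->al_next) {
		if (use_inet6 == 1) {
#ifdef USE_INET6
			n->ipn_addr.adf_family = AF_INET6;
			n->ipn_addr.adf_addr = a->al_i6addr;
			n->ipn_addr.adf_len = offsetof(addrfamily_t,
						       adf_addr) + 16;
			n->ipn_mask.adf_family = AF_INET6;
			n->ipn_mask.adf_addr = a->al_i6mask;
			n->ipn_mask.adf_len = offsetof(addrfamily_t,
						       adf_addr) + 16;
#endif
		} else {
			n->ipn_addr.adf_family = AF_INET;
			n->ipn_addr.adf_addr.in4.s_addr = a->al_1;
			n->ipn_addr.adf_len = offsetof(addrfamily_t,
						       adf_addr) + 4;
			n->ipn_mask.adf_family = AF_INET;
			n->ipn_mask.adf_addr.in4.s_addr = a->al_2;
			n->ipn_mask.adf_len = offsetof(addrfamily_t,
						       adf_addr) + 4;
		}
		/* al_not is presumably the "!" negation flag of the entry. */
		n->ipn_info = a->al_not;
		if (a->al_next != NULL) {
			n->ipn_next = calloc(1, sizeof(*n));
			if (n->ipn_next == NULL)
				goto out;	/* num stays 0: nothing loaded */
			n = n->ipn_next;
		}
	}

	bzero((char *)&pool, sizeof(pool));
	pool.ipo_unit = IPL_LOGIPF;
	pool.ipo_list = top;
	num = load_pool(&pool, ipfioctls[IPL_LOGLOOKUP]);

out:
	/* The kernel has its own copy (or the load was abandoned); release ours. */
	while ((n = top) != NULL) {
		top = n->ipn_next;
		free(n);
	}
	return(num);
}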
2338 
2339 
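/*
 * Turn the parsed address list into an anonymous hash table and load it into
 * the kernel through the lookup ioctl.  Every alist_t entry becomes one
 * iphtent_t in a temporary chain that is freed before returning.
 *
 * Returns the table number the kernel reports back in iph_name (presumably;
 * the name is blanked before the load and parsed afterwards), or 0 when the
 * list is empty, a node cannot be allocated, the load fails, or the reported
 * name is not a number.  Two fixes over the previous version: a failed node
 * calloc no longer silently loads a table missing the remaining entries, and
 * num is now an unsigned matching both the "%u" conversion and the return
 * type, and is initialised so a non-numeric iph_name cannot return garbage.
 */
static u_int
makehash(alist_t *list)
{
	iphtent_t *n, *top;
	iphtable_t iph;
	alist_t *a;
	u_int num = 0;

	if (list == NULL)
		return(0);
	top = calloc(1, sizeof(*top));
	if (top == NULL)
		return(0);

	for (n = top, a = list; a != NULL; a = a->al_next) {
		if (a->al_family == AF_INET6) {
			n->ipe_family = AF_INET6;
			n->ipe_addr = a->al_i6addr;
			n->ipe_mask = a->al_i6mask;
		} else {
			n->ipe_family = AF_INET;
			n->ipe_addr.in4_addr = a->al_1;
			n->ipe_mask.in4_addr = a->al_2;
		}
		n->ipe_value = 0;
		if (a->al_next != NULL) {
			n->ipe_next = calloc(1, sizeof(*n));
			if (n->ipe_next == NULL)
				goto out;	/* num stays 0: nothing loaded */
			n = n->ipe_next;
		}
	}

	bzero((char *)&iph, sizeof(iph));
	iph.iph_unit = IPL_LOGIPF;
	iph.iph_type = IPHASH_LOOKUP;
	*iph.iph_name = '\0';

	if (load_hash(&iph, top, ipfioctls[IPL_LOGLOOKUP]) == 0 &&
	    sscanf(iph.iph_name, "%u", &num) != 1)
		num = 0;

out:
	while ((n = top) != NULL) {
		top = n->ipe_next;
		free(n);
	}
	return(num);
}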
2387 
2388 
/*
 * Build the "<line>:ioctl(<what>)" message used when a rule ioctl fails and
 * hand it to ipf_perror_fd(), whose result is returned unchanged.
 */
static int
ipf_addrule_fail(int fd, ioctlfunc_t ioctlfunc, frentry_t *fr,
    const char *what)
{
	char msg[80];

	snprintf(msg, sizeof(msg), "%d:ioctl(%s)", fr->fr_flineno, what);
	return(ipf_perror_fd(fd, ioctlfunc, msg));
}


/*
 * Hand one parsed rule (ptr, an frentry_t) to the kernel through ioctlfunc.
 * Which ioctl is issued depends on the global opts: zero the rule's
 * counters (OPT_ZERORULEST, which also prints the old counters), remove it
 * (OPT_REMOVE), or add/insert it into the active or inactive set.  With
 * OPT_DONOTHING the fd is replaced by -1 and ioctl failures are ignored, so
 * the kernel is never touched.
 *
 * Returns 0 on success or dry run, otherwise the value of ipf_perror_fd()
 * after printing a message tagged with the rule's configuration line.
 */
int
ipf_addrule(int fd, ioctlfunc_t ioctlfunc, void *ptr)
{
	frentry_t *fr = ptr;
	ioctlcmd_t add = 0, del = 0;
	ipfobj_t obj;
	int live;

	if (fr == NULL)
		return(0);

	bzero((char *)&obj, sizeof(obj));
	obj.ipfo_rev = IPFILTER_VERSION;
	obj.ipfo_size = fr->fr_size;
	obj.ipfo_type = IPFOBJ_FRENTRY;
	obj.ipfo_ptr = ptr;

	/* Dry runs get an invalid fd and have their ioctl errors ignored. */
	live = (opts & OPT_DONOTHING) == 0;
	if (!live)
		fd = -1;

	if (opts & OPT_ZERORULEST) {
		add = SIOCZRLST;
	} else {
		/*
		 * A non-zero fr_hits selects the "insert" ioctl rather than
		 * "add"; presumably it carries a rule position at this point
		 * (it is decremented below).  The (u_int) cast is kept from
		 * the original.
		 */
		int insert = (u_int)fr->fr_hits != 0;

		if (opts & OPT_INACTIVE) {
			add = insert ? SIOCINIFR : SIOCADIFR;
			del = SIOCRMIFR;
		} else {
			add = insert ? SIOCINAFR : SIOCADAFR;
			del = SIOCRMAFR;
		}
	}

	if (opts & OPT_OUTQUE)
		fr->fr_flags |= FR_OUTQUE;
	if (fr->fr_hits)
		fr->fr_hits--;
	if (opts & OPT_VERBOSE)
		printfr(fr, ioctlfunc);
	if (opts & OPT_DEBUG) {
		binprint(fr, sizeof(*fr));
		if (fr->fr_data != NULL)
			binprint(fr->fr_data, fr->fr_dsize);
	}

	if (opts & OPT_ZERORULEST) {
		if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
			if (live)
				return(ipf_addrule_fail(fd, ioctlfunc, fr,
				    "zero rule"));
		} else {
			/* Counters come back in the rule the kernel filled in. */
#ifdef	USE_QUAD_T
			printf("hits %qd bytes %qd ",
				(long long)fr->fr_hits,
				(long long)fr->fr_bytes);
#else
			printf("hits %ld bytes %ld ",
				fr->fr_hits, fr->fr_bytes);
#endif
			printfr(fr, ioctlfunc);
		}
	} else if (opts & OPT_REMOVE) {
		if ((*ioctlfunc)(fd, del, (void *)&obj) == -1 && live)
			return(ipf_addrule_fail(fd, ioctlfunc, fr,
			    "delete rule"));
	} else {
		if ((*ioctlfunc)(fd, add, (void *)&obj) == -1 && live)
			return(ipf_addrule_fail(fd, ioctlfunc, fr,
			    "add/insert rule"));
	}
	return(0);
}
2480 
/*
 * Switch the lexer into syslog-facility mode: push the logwords dictionary
 * and make '.' a token boundary so "facility.level" splits.  Undone by
 * unsetsyslog().
 */
static void
setsyslog(void)
{
	yybreakondot = 1;
	yysetdict(logwords);
}
2487 
2488 
/*
 * Leave syslog-facility mode: drop the dictionary pushed by setsyslog() and
 * stop treating '.' as a token boundary.
 */
static void
unsetsyslog(void)
{
	yybreakondot = 0;
	yyresetdict();
}
2495 
2496 
/*
 * Inherit parse-affecting fields from the head rule of the group that fr
 * belongs to, looked up in the previously loaded rules (frold).  A rule
 * with no group (-1) pairs with the first old rule that is not a group
 * head.  Only rules of the same type, and only FR_T_IPF rules, are
 * considered; the fields copied are those that influence how the rest of
 * the rule is parsed, e.g. the protocol needed by port comparisons.
 */
static void
fillgroup(frentry_t *fr)
{
	frentry_t *head;
	int grp = fr->fr_group;

	for (head = frold; head != NULL; head = head->fr_next) {
		if (head->fr_grhead == -1) {
			if (grp == -1)
				break;
			continue;
		}
		if (grp == -1)
			continue;
		if (strcmp(head->fr_names + head->fr_grhead,
			   fr->fr_names + grp) == 0)
			break;
	}
	if (head == NULL)
		return;

	if (head->fr_type != fr->fr_type || head->fr_type != FR_T_IPF)
		return;

	/* Fill only fields fr has not set itself (0 == unset). */
	if (fr->fr_family == 0)
		fr->fr_family = head->fr_family;
	if (fr->fr_mproto == 0)
		fr->fr_mproto = head->fr_mproto;
	if (fr->fr_proto == 0)
		fr->fr_proto = head->fr_proto;

	/* The TCP/UDP flag is inherited only when no protocol mask is set. */
	if (fr->fr_mproto == 0 && (fr->fr_flx & FI_TCPUDP) == 0 &&
	    (head->fr_flx & FI_TCPUDP) != 0) {
		fr->fr_flx |= FI_TCPUDP;
		fr->fr_mflx |= FI_TCPUDP;
	}
}
2538 
2539 
/*
 * Compile an ipf matching expression (the "ipf-exp" rule body) and attach
 * it to the current rule as FR_T_IPFEXPR data.  On a parse error the
 * message parseipfexpr() left in errmsg is printed and yyerror() is called;
 * the rule is left untouched.  expr[0] appears to be the element count of
 * the compiled array (it sizes fr_dsize) — confirm against parseipfexpr().
 */
static void
doipfexpr(char *line)
{
	char *errmsg;
	int *expr = parseipfexpr(line, &errmsg);

	if (expr == NULL) {
		fprintf(stderr, "%s:", errmsg);
		yyerror("error parsing ipf matching expression");
		return;
	}

	fr->fr_type = FR_T_IPFEXPR;
	fr->fr_data = expr;
	fr->fr_dsize = expr[0] * sizeof(*expr);
}
2557 
2558 
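/*
 * Apply one integer tunable from the configuration ("set varname value")
 * by passing "varname=value" to ipf_dotuning().
 *
 * The previous version assembled "varname=" and then overwrote the whole
 * buffer with a bare "%u", so ipf_dotuning() only ever saw the number and
 * never the variable name; one snprintf now builds the intended string.
 * The value is still formatted unsigned, as before.  A name too long for
 * the buffer is reported through yyerror() instead of being silently
 * truncated, since a truncated name would address the wrong tunable.
 */
static void
do_tuneint(char *varname, int value)
{
	char buffer[80];
	int n;

	n = snprintf(buffer, sizeof(buffer), "%s=%u", varname, (u_int)value);
	if (n < 0 || (size_t)n >= sizeof(buffer)) {
		yyerror("tunable name too long");
		return;
	}
	ipf_dotuning(ipffd, buffer, ioctl);
}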
2570 
2571 
/*
 * Apply a boolean tunable given as the word "true" or "false" (compared
 * case-insensitively) by mapping it to 1/0 and deferring to do_tuneint().
 * Any other word is a parse error reported via yyerror().
 */
static void
do_tunestr(char *varname, char *value)
{
	int flag;

	if (strcasecmp(value, "true") == 0)
		flag = 1;
	else if (strcasecmp(value, "false") == 0)
		flag = 0;
	else {
		yyerror("did not find true/false where expected");
		return;
	}
	do_tuneint(varname, flag);
}
2584 
2585 
/*
 * Record interface name `name` in slot idx of the rule's fr_ifnames as an
 * offset into the rule's name table.  addname() may reallocate and move
 * the rule, which is why frp is a pointer to the rule pointer.  On
 * allocation failure (addname returns -1) the slot is left as it was.
 * idx is not range-checked here; allocfr() initialises four slots.
 */
static void
setifname(frentry_t **frp, int idx, char *name)
{
	int off = addname(frp, name);

	if (off != -1)
		(*frp)->fr_ifnames[idx] = off;
}
2596 
2597 
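/*
 * Append name (with its NUL) to the rule's name table, growing the rule's
 * allocation with realloc.  Because the rule may move, every pointer that
 * refers to it is patched: *frp, the frc list head when the rule is the
 * head, and *fr_pnext when that back-pointer is set.
 *
 * Returns the offset of the copied name inside fr_names, or -1 when realloc
 * fails.  On failure *frp and frc are now left pointing at the original,
 * still-valid rule; previously they were overwritten with NULL before the
 * check, which leaked the rule and left the parser holding a NULL rule.
 *
 * The final NUL store at index fr_namelen relies on fr_size having started
 * at sizeof(*fr) (see allocfr), which presumably already covers the first
 * byte of fr_names — confirm against the frentry_t definition.
 */
static int
addname(frentry_t **frp, char *name)
{
	frentry_t *f;
	int nlen;
	int pos;

	nlen = strlen(name) + 1;
	f = realloc(*frp, (*frp)->fr_size + nlen);
	if (f == NULL)
		return(-1);
	if (*frp == frc)
		frc = f;
	*frp = f;
	if (f->fr_pnext != NULL)
		*f->fr_pnext = f;
	f->fr_size += nlen;
	pos = f->fr_namelen;
	f->fr_namelen += nlen;
	/* nlen bytes were just reserved for exactly this copy. */
	memcpy(f->fr_names + pos, name, nlen);
	f->fr_names[f->fr_namelen] = '\0';
	return(pos);
}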
2621 
2622 
/*
 * Allocate a zeroed rule and mark every name-table reference as "unset".
 * -1 is used because 0 is a valid fr_names offset (the first name added by
 * addname() lands at offset 0).  fr_size starts at the bare struct size and
 * grows as names are appended.
 *
 * Returns the new rule, or NULL when calloc fails.  The caller owns it.
 */
static frentry_t *
allocfr(void)
{
	frentry_t *rule = calloc(1, sizeof(*rule));
	int i;

	if (rule == NULL)
		return(NULL);

	rule->fr_size = sizeof(*rule);
	rule->fr_comment = -1;
	rule->fr_group = -1;
	rule->fr_grhead = -1;
	rule->fr_icmphead = -1;
	for (i = 0; i < 4; i++)
		rule->fr_ifnames[i] = -1;
	rule->fr_tif.fd_name = -1;
	rule->fr_rif.fd_name = -1;
	rule->fr_dif.fd_name = -1;
	return(rule);
}
2645 
2646 
/*
 * Store the rule's group name in its name table and point fr_group at it.
 * frp is a pointer to the rule pointer because addname() may move the
 * rule.  If the name cannot be stored, fr_group is left unchanged.
 */
static void
setgroup(frentry_t **frp, char *name)
{
	int off = addname(frp, name);

	if (off != -1)
		(*frp)->fr_group = off;
}
2657 
2658 
/*
 * Store the name of the group this rule heads in its name table and point
 * fr_grhead at it.  frp is a pointer to the rule pointer because addname()
 * may move the rule.  If the name cannot be stored, fr_grhead is left
 * unchanged.
 */
static void
setgrhead(frentry_t **frp, char *name)
{
	int off = addname(frp, name);

	if (off != -1)
		(*frp)->fr_grhead = off;
}
2669 
2670 
/*
 * Store the rule's icmp-head group name in its name table and point
 * fr_icmphead at it.  frp is a pointer to the rule pointer because
 * addname() may move the rule.  If the name cannot be stored, fr_icmphead
 * is left unchanged.
 */
static void
seticmphead(frentry_t **frp, char *name)
{
	int off = addname(frp, name);

	if (off != -1)
		(*frp)->fr_icmphead = off;
}
2681 
2682 
/*
 * Apply the parsed destination address (ptr, a struct ipp_s) to every rule
 * in the chain starting at fp.  When the address did not name an address
 * family the family (and IP version) already on the first rule is used;
 * otherwise the version is derived from the family.  Finally the global
 * rule cursor fr is cleared.
 *
 * fp must not be NULL (it is dereferenced before the loop).  fr_ipf is
 * dereferenced for every rule without a check; whether it is always set by
 * this point is not visible here.  Note build_srcaddr_af() assigns its
 * interface index unconditionally while this one skips -1 — confirm which
 * is intended.
 */
static void
build_dstaddr_af(frentry_t *fp, void *ptr)
{
	struct ipp_s *ipp = ptr;
	frentry_t *f;

	if (ipp->f == AF_UNSPEC && fp->fr_family != AF_UNSPEC) {
		ipp->f = fp->fr_family;
		ipp->v = fp->fr_ip.fi_v;
	}
	switch (ipp->f) {
	case AF_INET:
		ipp->v = 4;
		break;
	case AF_INET6:
		ipp->v = 6;
		break;
	default:
		break;
	}

	for (f = fp; f != NULL; f = f->fr_next) {
		f->fr_ip.fi_dst = ipp->a;
		f->fr_mip.fi_dst = ipp->m;
		f->fr_family = ipp->f;
		f->fr_ip.fi_v = ipp->v;
		f->fr_mip.fi_v = 0xf;	/* always compare the full version nibble */
		f->fr_datype = ipp->type;
		if (ipp->ifpos != -1)
			f->fr_ipf->fri_difpidx = ipp->ifpos;
	}
	fr = NULL;
}
2710 
2711 
/*
 * Apply the parsed source address (ptr, a struct ipp_s) to every rule in
 * the chain starting at fp.  When the address did not name an address
 * family the family (and IP version) already on the first rule is used;
 * otherwise the version is derived from the family.  Finally the global
 * rule cursor fr is cleared.
 *
 * fp must not be NULL (it is dereferenced before the loop).  fr_ipf is
 * dereferenced for every rule without a check.  Unlike build_dstaddr_af(),
 * fri_sifpidx is assigned even when ipp->ifpos is -1 — confirm whether
 * that asymmetry is intended.
 */
static void
build_srcaddr_af(frentry_t *fp, void *ptr)
{
	struct ipp_s *ipp = ptr;
	frentry_t *f;

	if (ipp->f == AF_UNSPEC && fp->fr_family != AF_UNSPEC) {
		ipp->f = fp->fr_family;
		ipp->v = fp->fr_ip.fi_v;
	}
	switch (ipp->f) {
	case AF_INET:
		ipp->v = 4;
		break;
	case AF_INET6:
		ipp->v = 6;
		break;
	default:
		break;
	}

	for (f = fp; f != NULL; f = f->fr_next) {
		f->fr_ip.fi_src = ipp->a;
		f->fr_mip.fi_src = ipp->m;
		f->fr_family = ipp->f;
		f->fr_ip.fi_v = ipp->v;
		f->fr_mip.fi_v = 0xf;	/* always compare the full version nibble */
		f->fr_satype = ipp->type;
		f->fr_ipf->fri_sifpidx = ipp->ifpos;
	}
	fr = NULL;
}
2738