1 %{ 2 /* 3 * Copyright (C) 2003 by Darren Reed. 4 * 5 * See the IPFILTER.LICENCE file for details on licencing. 6 * 7 * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 8 * Use is subject to license terms. 9 */ 10 11 #pragma ident "%Z%%M% %I% %E% SMI" 12 13 #include "ipf.h" 14 #include <netinet/ip_icmp.h> 15 #include <sys/ioctl.h> 16 #include <syslog.h> 17 #ifdef IPFILTER_BPF 18 # include <net/bpf.h> 19 # include <pcap-int.h> 20 # include <pcap.h> 21 #endif 22 #if SOLARIS2 >= 10 23 #include "ip_pool.h" 24 #include "ip_htable.h" 25 #include "ipl.h" 26 #else 27 #include "netinet/ip_pool.h" 28 #include "netinet/ip_htable.h" 29 #include "netinet/ipl.h" 30 #endif 31 #include "ipf_l.h" 32 33 #define YYDEBUG 1 34 #define DOALL(x) for (fr = frc; fr != NULL; fr = fr->fr_next) { x } 35 #define DOREM(x) for (; fr != NULL; fr = fr->fr_next) { x } 36 #if SOLARIS2 >= 10 37 #define VNI "vni" 38 #define VNISTRLEN 3 39 #endif 40 41 #define OPTION_LOG 0x1 42 #define OPTION_QUICK 0x2 43 #define OPTION_DUP 0x4 44 #define OPTION_PROUTE 0x8 45 #define OPTION_ON 0x10 46 #define OPTION_REPLYTO 0x20 47 #define OPTION_FROUTE 0x40 48 49 extern void yyerror __P((char *)); 50 extern int yyparse __P((void)); 51 extern int yylex __P((void)); 52 extern int yydebug; 53 extern FILE *yyin; 54 extern int yylineNum; 55 56 static void newrule __P((void)); 57 static void setipftype __P((void)); 58 static u_32_t lookuphost __P((char *)); 59 static void dobpf __P((char *)); 60 static void resetaddr __P((void)); 61 static struct alist_s *newalist __P((struct alist_s *)); 62 static u_int makehash __P((struct alist_s *)); 63 static int makepool __P((struct alist_s *)); 64 static frentry_t *addrule __P((void)); 65 static void setsyslog __P((void)); 66 static void unsetsyslog __P((void)); 67 static void fillgroup __P((frentry_t *)); 68 69 frentry_t *fr = NULL, *frc = NULL, *frtop = NULL, *frold = NULL; 70 71 static int ifpflag = 0; 72 static int nowith = 0; 73 static int dynamic = -1; 74 static int pooled = 0; 75 static int hashed = 0; 76 static int nrules = 0; 77 static int newlist = 0; 78 static int added = 0; 79 static int ipffd = -1; 80 static int *yycont = 0; 81 static int ruleopts = 0; 82 static ioctlfunc_t ipfioctl[IPL_LOGSIZE]; 83 static addfunc_t ipfaddfunc = NULL; 84 static wordtab_t addrwords[4]; 85 static wordtab_t maskwords[5]; 86 static wordtab_t *savewords; 87 88 %} 89 %union { 90 char *str; 91 u_32_t num; 92 struct in_addr ipa; 93 frentry_t fr; 94 frtuc_t *frt; 95 struct alist_s *alist; 96 struct { 97 u_short p1; 98 u_short p2; 99 int pc; 100 } pc; 101 struct { 102 union i6addr a; 103 union i6addr m; 104 } ipp; 105 union i6addr ip6; 106 }; 107 108 %type <num> portnum facility priority icmpcode seclevel secname icmptype 109 %type <num> opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr 110 %type <num> portc porteq 111 %type <ipa> hostname ipv4 ipv4mask 112 %type <ip6> ipv6mask 113 %type <ipp> addr ipaddr 114 %type <str> servicename name interfacename 115 %type <pc> portrange portcomp 116 %type <alist> addrlist poollist 117 118 %token <num> YY_NUMBER YY_HEX 119 %token <str> YY_STR 120 %token YY_COMMENT 121 %token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT 122 %token YY_RANGE_OUT YY_RANGE_IN 123 %token <ip6> YY_IPV6 124 125 %token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL 126 %token IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST 127 %token IPFY_IN IPFY_OUT 128 %token IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA 129 %token IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO 130 %token IPFY_TOS IPFY_TTL IPFY_PROTO 131 %token IPFY_HEAD IPFY_GROUP 132 %token IPFY_AUTH IPFY_PREAUTH IPFY_DIVERT 133 %token IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK 134 %token IPFY_LOGTAG IPFY_TAG IPFY_SKIP 135 %token IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPF IPFY_POOL IPFY_HASH 136 %token IPFY_PPS 137 %token IPFY_ESP IPFY_AH 138 %token IPFY_WITH IPFY_AND IPFY_NOT IPFY_NO IPFY_OPT 139 %token IPFY_TCPUDP IPFY_TCP IPFY_UDP 140 %token IPFY_FLAGS IPFY_MULTICAST 141 %token IPFY_MASK IPFY_BROADCAST IPFY_NETWORK IPFY_NETMASKED IPFY_PEER 142 %token IPFY_PORT 143 %token IPFY_NOW 144 %token IPFY_ICMP IPFY_ICMPTYPE IPFY_ICMPCODE 145 %token IPFY_IPOPTS IPFY_SHORT IPFY_NAT IPFY_BADSRC IPFY_LOWTTL IPFY_FRAG 146 %token IPFY_MBCAST IPFY_BAD IPFY_BADNAT IPFY_OOW IPFY_NEWISN IPFY_NOICMPERR 147 %token IPFY_KEEP IPFY_STATE IPFY_FRAGS IPFY_LIMIT IPFY_STRICT IPFY_AGE 148 %token IPFY_IPOPT_NOP IPFY_IPOPT_RR IPFY_IPOPT_ZSU IPFY_IPOPT_MTUP 149 %token IPFY_IPOPT_MTUR IPFY_IPOPT_ENCODE IPFY_IPOPT_TS IPFY_IPOPT_TR 150 %token IPFY_IPOPT_SEC IPFY_IPOPT_LSRR IPFY_IPOPT_ESEC IPFY_IPOPT_CIPSO 151 %token IPFY_IPOPT_SATID IPFY_IPOPT_SSRR IPFY_IPOPT_ADDEXT IPFY_IPOPT_VISA 152 %token IPFY_IPOPT_IMITD IPFY_IPOPT_EIP IPFY_IPOPT_FINN IPFY_IPOPT_DPS 153 %token IPFY_IPOPT_SDB IPFY_IPOPT_NSAPA IPFY_IPOPT_RTRALRT IPFY_IPOPT_UMP 154 %token IPFY_SECCLASS IPFY_SEC_UNC IPFY_SEC_CONF IPFY_SEC_RSV1 IPFY_SEC_RSV2 155 %token IPFY_SEC_RSV4 IPFY_SEC_SEC IPFY_SEC_TS IPFY_SEC_RSV3 156 157 %token IPF6_V6HDRS IPFY_IPV6OPT IPFY_IPV6OPT_DSTOPTS IPFY_IPV6OPT_HOPOPTS 158 %token IPFY_IPV6OPT_IPV6 IPFY_IPV6OPT_NONE IPFY_IPV6OPT_ROUTING 159 160 %token IPFY_ICMPT_UNR IPFY_ICMPT_ECHO IPFY_ICMPT_ECHOR IPFY_ICMPT_SQUENCH 161 %token IPFY_ICMPT_REDIR IPFY_ICMPT_TIMEX IPFY_ICMPT_PARAMP IPFY_ICMPT_TIMEST 162 %token IPFY_ICMPT_TIMESTREP IPFY_ICMPT_INFOREQ IPFY_ICMPT_INFOREP 163 %token IPFY_ICMPT_MASKREQ IPFY_ICMPT_MASKREP IPFY_ICMPT_ROUTERAD 164 %token IPFY_ICMPT_ROUTERSOL 165 166 %token IPFY_ICMPC_NETUNR IPFY_ICMPC_HSTUNR IPFY_ICMPC_PROUNR IPFY_ICMPC_PORUNR 167 %token IPFY_ICMPC_NEEDF IPFY_ICMPC_SRCFAIL IPFY_ICMPC_NETUNK IPFY_ICMPC_HSTUNK 168 %token IPFY_ICMPC_ISOLATE IPFY_ICMPC_NETPRO IPFY_ICMPC_HSTPRO 169 %token IPFY_ICMPC_NETTOS IPFY_ICMPC_HSTTOS IPFY_ICMPC_FLTPRO IPFY_ICMPC_HSTPRE 170 %token IPFY_ICMPC_CUTPRE 171 172 %token IPFY_FAC_KERN IPFY_FAC_USER IPFY_FAC_MAIL IPFY_FAC_DAEMON IPFY_FAC_AUTH 173 %token IPFY_FAC_SYSLOG IPFY_FAC_LPR IPFY_FAC_NEWS IPFY_FAC_UUCP IPFY_FAC_CRON 174 %token IPFY_FAC_LOCAL0 IPFY_FAC_LOCAL1 IPFY_FAC_LOCAL2 IPFY_FAC_LOCAL3 175 %token IPFY_FAC_LOCAL4 IPFY_FAC_LOCAL5 IPFY_FAC_LOCAL6 IPFY_FAC_LOCAL7 176 %token IPFY_FAC_SECURITY IPFY_FAC_FTP IPFY_FAC_AUTHPRIV IPFY_FAC_AUDIT 177 %token IPFY_FAC_LFMT IPFY_FAC_CONSOLE 178 179 %token IPFY_PRI_EMERG IPFY_PRI_ALERT IPFY_PRI_CRIT IPFY_PRI_ERR IPFY_PRI_WARN 180 %token IPFY_PRI_NOTICE IPFY_PRI_INFO IPFY_PRI_DEBUG 181 %% 182 file: line 183 | assign 184 | file line 185 | file assign 186 ; 187 188 line: xx rule { while ((fr = frtop) != NULL) { 189 frtop = fr->fr_next; 190 fr->fr_next = NULL; 191 (*ipfaddfunc)(ipffd, ipfioctl[IPL_LOGIPF], fr); 192 fr->fr_next = frold; 193 frold = fr; 194 } 195 resetlexer(); 196 } 197 | YY_COMMENT 198 ; 199 200 xx: { newrule(); } 201 ; 202 203 assign: YY_STR assigning YY_STR ';' { set_variable($1, $3); 204 resetlexer(); 205 free($1); 206 free($3); 207 } 208 ; 209 210 assigning: 211 '=' { yyvarnext = 1; } 212 ; 213 214 rule: inrule 215 | outrule 216 ; 217 218 inrule: 219 rulehead markin { ruleopts = 0; } inopts rulemain ruletail 220 ; 221 222 outrule: 223 rulehead markout { ruleopts = 0; } outopts rulemain ruletail 224 ; 225 226 rulehead: 227 collection action 228 | insert collection action 229 ; 230 231 markin: IPFY_IN { fr->fr_flags |= FR_INQUE; } 232 ; 233 234 markout: 235 IPFY_OUT { fr->fr_flags |= FR_OUTQUE; } 236 ; 237 238 rulemain: 239 ipfrule 240 | bpfrule 241 ; 242 243 ipfrule: 244 tos ttl proto ip 245 ; 246 247 bpfrule: 248 IPFY_BPF '{' YY_STR '}' { dobpf($3); free($3); } 249 ; 250 251 ruletail: 252 keep head group tag pps age new 253 ; 254 255 insert: 256 '@' YY_NUMBER { fr->fr_hits = (U_QUAD_T)$2; } 257 ; 258 259 collection: 260 | YY_NUMBER { fr->fr_collect = $1; } 261 ; 262 263 action: block 264 | IPFY_PASS { fr->fr_flags |= FR_PASS; } 265 | IPFY_DIVERT YY_NUMBER { fr->fr_flags |= FR_DIVERT; 266 fr->fr_arg = $2; } 267 | log 268 | IPFY_COUNT { fr->fr_flags |= FR_ACCOUNT; } 269 | auth 270 | IPFY_SKIP YY_NUMBER { fr->fr_flags |= FR_SKIP; 271 fr->fr_arg = $2; } 272 | IPFY_CALL func 273 | IPFY_CALL IPFY_NOW func { fr->fr_flags |= FR_CALLNOW; } 274 ; 275 276 block: blocked 277 | blocked blockreturn 278 ; 279 280 blocked: 281 IPFY_BLOCK { fr->fr_flags = FR_BLOCK; } 282 ; 283 blockreturn: 284 IPFY_RETICMP { fr->fr_flags |= FR_RETICMP; } 285 | IPFY_RETICMP returncode { fr->fr_flags |= FR_RETICMP; } 286 | IPFY_RETICMPASDST { fr->fr_flags |= FR_FAKEICMP; } 287 | IPFY_RETICMPASDST returncode { fr->fr_flags |= FR_FAKEICMP; } 288 | IPFY_RETRST { fr->fr_flags |= FR_RETRST; } 289 ; 290 291 log: IPFY_LOG { fr->fr_flags |= FR_LOG; } 292 | IPFY_LOG logoptions { fr->fr_flags |= FR_LOG; } 293 ; 294 295 auth: IPFY_AUTH { fr->fr_flags |= FR_AUTH; } 296 | IPFY_AUTH IPFY_RETRST { fr->fr_flags |= (FR_AUTH|FR_RETRST);} 297 | IPFY_PREAUTH { fr->fr_flags |= FR_PREAUTH; } 298 ; 299 300 func: YY_STR '/' YY_NUMBER { fr->fr_func = nametokva($1, 301 ipfioctl[IPL_LOGIPF]); 302 fr->fr_arg = $3; 303 free($1); } 304 ; 305 306 inopts: 307 | inopts inopt 308 ; 309 310 inopt: 311 logopt 312 { 313 if ( ruleopts & OPTION_LOG ) 314 yyerror("Duplicate log option"); 315 ruleopts |= OPTION_LOG; 316 } 317 | quick 318 { 319 if ( ruleopts & OPTION_QUICK ) 320 yyerror("Duplicate quick option"); 321 ruleopts |= OPTION_QUICK; 322 } 323 | on 324 { 325 if ( ruleopts & OPTION_ON ) 326 yyerror("Duplicate on option"); 327 ruleopts |= OPTION_ON; 328 } 329 | dup 330 { 331 if ( ruleopts & OPTION_DUP ) 332 yyerror("Duplicate dup option"); 333 ruleopts |= OPTION_DUP; 334 } 335 | froute 336 { 337 if ( ruleopts & OPTION_FROUTE ) 338 yyerror("Duplicate froute option"); 339 ruleopts |= OPTION_FROUTE; 340 } 341 | proute 342 { 343 if ( ruleopts & OPTION_PROUTE ) 344 yyerror("Duplicate proute option"); 345 ruleopts |= OPTION_PROUTE; 346 } 347 | replyto 348 { 349 if ( ruleopts & OPTION_REPLYTO ) 350 yyerror("Duplicate replyto option"); 351 ruleopts |= OPTION_REPLYTO; 352 } 353 ; 354 355 outopts: 356 | outopts outopt 357 ; 358 359 outopt: 360 logopt 361 { 362 if ( ruleopts & OPTION_LOG ) 363 yyerror("Duplicate log option"); 364 ruleopts |= OPTION_LOG; 365 } 366 | quick 367 { 368 if ( ruleopts & OPTION_QUICK ) 369 yyerror("Duplicate quick option"); 370 ruleopts |= OPTION_QUICK; 371 } 372 | on 373 { 374 if ( ruleopts & OPTION_ON ) 375 yyerror("Duplicate on option"); 376 ruleopts |= OPTION_ON; 377 } 378 | dup 379 { 380 if ( ruleopts & OPTION_DUP ) 381 yyerror("Duplicate dup option"); 382 ruleopts |= OPTION_DUP; 383 } 384 | proute 385 { 386 if ( ruleopts & OPTION_PROUTE ) 387 yyerror("Duplicate proute option"); 388 ruleopts |= OPTION_PROUTE; 389 } 390 | replyto 391 { 392 if ( ruleopts & OPTION_REPLYTO ) 393 yyerror("Duplicate replyto option"); 394 ruleopts |= OPTION_REPLYTO; 395 } 396 ; 397 398 tos: | settos YY_NUMBER { DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) } 399 | settos YY_HEX { DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) } 400 | settos lstart toslist lend 401 ; 402 403 settos: IPFY_TOS { setipftype(); } 404 ; 405 406 toslist: 407 YY_NUMBER { DOALL(fr->fr_tos = $1; fr->fr_mtos = 0xff;) } 408 | YY_HEX { DOREM(fr->fr_tos = $1; fr->fr_mtos = 0xff;) } 409 | toslist lmore YY_NUMBER 410 { DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) } 411 | toslist lmore YY_HEX 412 { DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) } 413 ; 414 415 ttl: | setttl YY_NUMBER 416 { DOALL(fr->fr_ttl = $2; fr->fr_mttl = 0xff;) } 417 | setttl lstart ttllist lend 418 ; 419 420 lstart: '(' { newlist = 1; fr = frc; added = 0; } 421 ; 422 423 lend: ')' { nrules += added; } 424 ; 425 426 lmore: lanother { if (newlist == 1) { 427 newlist = 0; 428 } 429 fr = addrule(); 430 if (yycont != NULL) 431 *yycont = 1; 432 } 433 ; 434 435 lanother: 436 | ',' 437 ; 438 439 setttl: IPFY_TTL { setipftype(); } 440 ; 441 442 ttllist: 443 YY_NUMBER { DOREM(fr->fr_ttl = $1; fr->fr_mttl = 0xff;) } 444 | ttllist lmore YY_NUMBER 445 { DOREM(fr->fr_ttl = $3; fr->fr_mttl = 0xff;) } 446 ; 447 448 proto: | protox protocol { yyresetdict(); } 449 ; 450 451 protox: IPFY_PROTO { setipftype(); 452 fr = frc; 453 yysetdict(NULL); } 454 ; 455 456 ip: srcdst flags with icmp 457 ; 458 459 group: | IPFY_GROUP YY_STR { DOALL(strncpy(fr->fr_group, $2, \ 460 FR_GROUPLEN); \ 461 fillgroup(fr);); 462 free($2); } 463 | IPFY_GROUP YY_NUMBER { DOALL(sprintf(fr->fr_group, "%d", \ 464 $2); \ 465 fillgroup(fr);) } 466 ; 467 468 head: | IPFY_HEAD YY_STR { DOALL(strncpy(fr->fr_grhead, $2, \ 469 FR_GROUPLEN);); 470 free($2); } 471 | IPFY_HEAD YY_NUMBER { DOALL(sprintf(fr->fr_grhead, "%d", \ 472 $2);) } 473 ; 474 475 tag: | IPFY_TAG YY_NUMBER { DOALL(fr->fr_logtag = $2;) } 476 | IPFY_TAG '(' taglist ')' 477 478 taglist: 479 tagspec 480 | taglist ',' tagspec 481 ; 482 483 tagspec: 484 IPFY_NAT '=' YY_STR { DOALL(strncpy(fr->fr_nattag.ipt_tag,\ 485 $3, 16);); 486 free($3); } 487 | IPFY_NAT '=' YY_NUMBER { DOALL(sprintf(fr->fr_nattag.ipt_tag,\ 488 "%15d", $3);) } 489 | IPFY_LOG '=' YY_NUMBER { DOALL(fr->fr_logtag = $3;) } 490 ; 491 492 pps: | IPFY_PPS YY_NUMBER { DOALL(fr->fr_pps = $2;) } 493 ; 494 495 new: | savegroup file restoregroup 496 ; 497 498 savegroup: 499 '{' 500 ; 501 502 restoregroup: 503 '}' 504 ; 505 506 logopt: log 507 ; 508 509 quick: 510 IPFY_QUICK { fr->fr_flags |= FR_QUICK; } 511 ; 512 513 on: IPFY_ON onname 514 | IPFY_ON onname IPFY_INVIA vianame 515 | IPFY_ON onname IPFY_OUTVIA vianame 516 ; 517 518 onname: interfacename 519 { 520 #if SOLARIS2 >=10 521 char *cp; 522 #endif 523 strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0])); 524 #if SOLARIS2 >= 10 525 if (strncmp(VNI, $1, VNISTRLEN) == 0) { 526 cp = $1 + VNISTRLEN; 527 cp += strspn(cp, "0123456789"); 528 if (*cp == '\0' || *cp == ':') { 529 fprintf(stderr, "%d: Warning- %s specified. vni" 530 " is a virtual interface, use a physical" 531 " interface instead. See vni(7D)\n", 532 yylineNum, $1); 533 } 534 } 535 #endif 536 free($1); 537 } 538 | interfacename ',' name 539 { 540 #if SOLARIS2 >= 10 541 char *cp; 542 #endif 543 strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0])); 544 #if SOLARIS2 >= 10 545 if (strncmp(VNI, $1, VNISTRLEN) == 0) { 546 cp = $1 + VNISTRLEN; 547 cp += strspn(cp, "0123456789"); 548 if (*cp == '\0' || *cp == ':') { 549 fprintf(stderr, "%d: Warning- %s specified. vni" 550 " is a virtual interface, use a physical" 551 " interface instead. See vni(7D)\n", 552 yylineNum, $1); 553 } 554 } 555 #endif 556 free($1); 557 strncpy(fr->fr_ifnames[1], $3, sizeof(fr->fr_ifnames[1])); 558 #if SOLARIS2 >= 10 559 if (strncmp(VNI, $3, VNISTRLEN) == 0) { 560 cp = $3 + VNISTRLEN; 561 cp += strspn(cp, "0123456789"); 562 if (*cp == '\0' || *cp == ':') { 563 fprintf(stderr, "%d: Warning- %s specified. vni" 564 " is a virtual interface, use a physical" 565 " interface instead. See vni(7D)\n", 566 yylineNum, $3); 567 } 568 } 569 #endif 570 free($3); 571 } 572 ; 573 574 vianame: 575 interfacename 576 { 577 #if SOLARIS2 >= 10 578 char *cp; 579 #endif 580 strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2])); 581 #if SOLARIS2 >= 10 582 if (strncmp(VNI, $1, VNISTRLEN) == 0) { 583 cp = $1 + VNISTRLEN; 584 cp += strspn(cp, "0123456789"); 585 if (*cp == '\0' || *cp == ':') { 586 fprintf(stderr, "%d: Warning- %s specified. vni" 587 " is a virtual interface, use a physical" 588 " interface instead. See vni(7D)\n", 589 yylineNum, $1); 590 } 591 } 592 #endif 593 free($1); 594 } 595 | interfacename ',' name 596 { 597 #if SOLARIS2 >= 10 598 char *cp; 599 #endif 600 strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2])); 601 #if SOLARIS2 >= 10 602 if (strncmp(VNI, $1, VNISTRLEN) == 0) { 603 cp = $1 + VNISTRLEN; 604 cp += strspn(cp, "0123456789"); 605 if (*cp == '\0' || *cp == ':') { 606 fprintf(stderr, "%d: Warning- %s specified. vni" 607 " is a virtual interface, use a physical" 608 " interface instead. See vni(7D)\n", 609 yylineNum, $1); 610 } 611 } 612 #endif 613 free($1); 614 strncpy(fr->fr_ifnames[3], $3, sizeof(fr->fr_ifnames[3])); 615 #if SOLARIS2 >= 10 616 if (strncmp(VNI, $3, VNISTRLEN) == 0) { 617 cp = $3 + VNISTRLEN; 618 cp += strspn(cp, "0123456789"); 619 if (*cp == '\0' || *cp == ':') { 620 fprintf(stderr, "%d: Warning- %s specified. vni" 621 " is a virtual interface, use a physical" 622 " interface instead. See vni(7D)\n", 623 yylineNum, $3); 624 } 625 } 626 #endif 627 free($3); 628 } 629 ; 630 631 dup: IPFY_DUPTO name 632 { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname)); 633 free($2); 634 } 635 | IPFY_DUPTO name ':' hostname 636 { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname)); 637 fr->fr_dif.fd_ip = $4; 638 free($2); 639 } 640 ; 641 642 froute: IPFY_FROUTE { fr->fr_flags |= FR_FASTROUTE; } 643 ; 644 645 proute: IPFY_TO name 646 { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname)); 647 free($2); 648 } 649 | IPFY_TO name ':' hostname 650 { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname)); 651 fr->fr_tif.fd_ip = $4; 652 free($2); 653 } 654 ; 655 656 replyto: 657 IPFY_REPLY_TO name 658 { strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname)); 659 free($2); 660 } 661 | IPFY_REPLY_TO name ':' hostname 662 { strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname)); 663 fr->fr_rif.fd_ip = $4; 664 free($2); 665 } 666 ; 667 668 logoptions: 669 logoption 670 | logoptions logoption 671 ; 672 673 logoption: 674 IPFY_BODY { fr->fr_flags |= FR_LOGBODY; } 675 | IPFY_FIRST { fr->fr_flags |= FR_LOGFIRST; } 676 | IPFY_ORBLOCK { fr->fr_flags |= FR_LOGORBLOCK; } 677 | level loglevel { unsetsyslog(); } 678 ; 679 680 returncode: 681 starticmpcode icmpcode ')' { fr->fr_icode = $2; yyresetdict(); } 682 ; 683 684 starticmpcode: 685 '(' { yysetdict(icmpcodewords); } 686 ; 687 688 srcdst: IPFY_ALL 689 | fromto 690 ; 691 692 protocol: 693 YY_NUMBER { DOREM(fr->fr_proto = $1; \ 694 fr->fr_mproto = 0xff;) } 695 | YY_STR { if (!strcmp($1, "tcp-udp")) { 696 DOREM(fr->fr_flx |= FI_TCPUDP; \ 697 fr->fr_mflx |= FI_TCPUDP;) 698 } else { 699 int p = getproto($1); 700 if (p == -1) 701 fprintf(stderr, "protocol unknown: %s, line %d\n", $1, yylineNum); 702 DOREM(fr->fr_proto = p; \ 703 fr->fr_mproto = 0xff;) 704 } 705 free($1); 706 } 707 | YY_STR nextstring YY_STR 708 { if (!strcmp($1, "tcp") && 709 !strcmp($3, "udp")) { 710 DOREM(fr->fr_flx |= FI_TCPUDP; \ 711 fr->fr_mflx |= FI_TCPUDP;) 712 } else 713 YYERROR; 714 free($1); 715 free($3); 716 } 717 ; 718 719 nextstring: 720 '/' { yysetdict(NULL); } 721 ; 722 723 fromto: from srcobject to dstobject { yyexpectaddr = 0; yycont = NULL; } 724 | to dstobject { yyexpectaddr = 0; yycont = NULL; } 725 | from srcobject { yyexpectaddr = 0; yycont = NULL; } 726 ; 727 728 from: IPFY_FROM { setipftype(); 729 if (fr == NULL) 730 fr = frc; 731 yyexpectaddr = 1; 732 yycont = &yyexpectaddr; 733 yysetdict(addrwords); 734 resetaddr(); } 735 ; 736 737 to: IPFY_TO { if (fr == NULL) 738 fr = frc; 739 yyexpectaddr = 1; 740 yycont = &yyexpectaddr; 741 yysetdict(addrwords); 742 resetaddr(); } 743 ; 744 745 with: | andwith withlist 746 ; 747 748 andwith: 749 IPFY_WITH { nowith = 0; setipftype(); } 750 | IPFY_AND { nowith = 0; setipftype(); } 751 ; 752 753 flags: | IPFY_FLAGS flagset 754 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) } 755 | IPFY_FLAGS flagset '/' flagset 756 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) } 757 | IPFY_FLAGS '/' flagset 758 { DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) } 759 | IPFY_FLAGS YY_NUMBER 760 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) } 761 | IPFY_FLAGS '/' YY_NUMBER 762 { DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) } 763 | IPFY_FLAGS YY_NUMBER '/' YY_NUMBER 764 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) } 765 | IPFY_FLAGS flagset '/' YY_NUMBER 766 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) } 767 | IPFY_FLAGS YY_NUMBER '/' flagset 768 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) } 769 ; 770 771 flagset: 772 YY_STR { $$ = tcpflags($1); free($1); } 773 | YY_HEX { $$ = $1; } 774 ; 775 776 srcobject: 777 srcaddr srcport 778 | '!' srcaddr srcport 779 { DOALL(fr->fr_flags |= FR_NOTSRCIP;) } 780 | fromport 781 ; 782 783 srcaddr: 784 addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \ 785 bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \ 786 if (dynamic != -1) { \ 787 fr->fr_satype = ifpflag; \ 788 fr->fr_ipf->fri_sifpidx = dynamic; \ 789 } else if (pooled || hashed) \ 790 fr->fr_satype = FRI_LOOKUP;) 791 } 792 | lstart srcaddrlist lend 793 ; 794 795 srcaddrlist: 796 addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \ 797 bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \ 798 if (dynamic != -1) { \ 799 fr->fr_satype = ifpflag; \ 800 fr->fr_ipf->fri_sifpidx = dynamic; \ 801 } else if (pooled || hashed) \ 802 fr->fr_satype = FRI_LOOKUP;) 803 } 804 | srcaddrlist lmore addr 805 { DOREM(bcopy(&($3.a), &fr->fr_ip.fi_src, sizeof($3.a)); \ 806 bcopy(&($3.m), &fr->fr_mip.fi_src, sizeof($3.m)); \ 807 if (dynamic != -1) { \ 808 fr->fr_satype = ifpflag; \ 809 fr->fr_ipf->fri_sifpidx = dynamic; \ 810 } else if (pooled || hashed) \ 811 fr->fr_satype = FRI_LOOKUP;) 812 } 813 ; 814 815 srcport: 816 | portcomp 817 { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) } 818 | portrange 819 { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \ 820 fr->fr_stop = $1.p2;) } 821 | porteq lstart srcportlist lend 822 { yyresetdict(); } 823 ; 824 825 fromport: 826 portcomp 827 { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) } 828 | portrange 829 { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \ 830 fr->fr_stop = $1.p2;) } 831 | porteq lstart srcportlist lend 832 { yyresetdict(); } 833 ; 834 835 srcportlist: 836 portnum { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $1;) } 837 | srcportlist lmore portnum 838 { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $3;) } 839 ; 840 841 dstobject: 842 toport 843 | dstaddr dstport 844 | '!' dstaddr dstport 845 { DOALL(fr->fr_flags |= FR_NOTDSTIP;) } 846 ; 847 848 dstaddr: 849 addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \ 850 bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \ 851 if (dynamic != -1) { \ 852 fr->fr_datype = ifpflag; \ 853 fr->fr_ipf->fri_difpidx = dynamic; \ 854 } else if (pooled || hashed) \ 855 fr->fr_datype = FRI_LOOKUP;) 856 } 857 | lstart dstaddrlist lend 858 ; 859 860 dstaddrlist: 861 addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \ 862 bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \ 863 if (dynamic != -1) { \ 864 fr->fr_datype = ifpflag; \ 865 fr->fr_ipf->fri_difpidx = dynamic; \ 866 } else if (pooled || hashed) \ 867 fr->fr_datype = FRI_LOOKUP;) 868 } 869 | dstaddrlist lmore addr 870 { DOREM(bcopy(&($3.a), &fr->fr_ip.fi_dst, sizeof($3.a)); \ 871 bcopy(&($3.m), &fr->fr_mip.fi_dst, sizeof($3.m)); \ 872 if (dynamic != -1) { \ 873 fr->fr_datype = ifpflag; \ 874 fr->fr_ipf->fri_difpidx = dynamic; \ 875 } else if (pooled || hashed) \ 876 fr->fr_datype = FRI_LOOKUP;) 877 } 878 ; 879 880 881 dstport: 882 | portcomp 883 { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) } 884 | portrange 885 { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \ 886 fr->fr_dtop = $1.p2;) } 887 | porteq lstart dstportlist lend 888 { yyresetdict(); } 889 ; 890 891 toport: 892 portcomp 893 { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) } 894 | portrange 895 { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \ 896 fr->fr_dtop = $1.p2;) } 897 | porteq lstart dstportlist lend 898 { yyresetdict(); } 899 ; 900 901 dstportlist: 902 portnum { DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $1;) } 903 | dstportlist lmore portnum 904 { DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $3;) } 905 ; 906 907 addr: pool '/' YY_NUMBER { pooled = 1; 908 yyexpectaddr = 0; 909 $$.a.iplookuptype = IPLT_POOL; 910 $$.a.iplookupnum = $3; } 911 | pool '=' '(' poollist ')' { pooled = 1; 912 yyexpectaddr = 0; 913 $$.a.iplookuptype = IPLT_POOL; 914 $$.a.iplookupnum = makepool($4); } 915 | hash '/' YY_NUMBER { hashed = 1; 916 yyexpectaddr = 0; 917 $$.a.iplookuptype = IPLT_HASH; 918 $$.a.iplookupnum = $3; } 919 | hash '=' '(' addrlist ')' { hashed = 1; 920 yyexpectaddr = 0; 921 $$.a.iplookuptype = IPLT_HASH; 922 $$.a.iplookupnum = makehash($4); } 923 | ipaddr { bcopy(&$1, &$$, sizeof($$)); 924 yyexpectaddr = 0; } 925 ; 926 927 ipaddr: IPFY_ANY { bzero(&($$), sizeof($$)); 928 yyresetdict(); 929 yyexpectaddr = 0; } 930 | hostname { $$.a.in4 = $1; 931 $$.m.in4_addr = 0xffffffff; 932 yyexpectaddr = 0; } 933 | hostname { yyresetdict(); 934 $$.a.in4_addr = $1.s_addr; } 935 maskspace { yysetdict(maskwords); } 936 ipv4mask { $$.m.in4_addr = $5.s_addr; 937 $$.a.in4_addr &= $5.s_addr; 938 yyresetdict(); 939 yyexpectaddr = 0; } 940 | YY_IPV6 { bcopy(&$1, &$$.a, sizeof($$.a)); 941 fill6bits(128, (u_32_t *)&$$.m); 942 yyresetdict(); 943 yyexpectaddr = 0; } 944 | YY_IPV6 { yyresetdict(); 945 bcopy(&$1, &$$.a, sizeof($$.a)); } 946 maskspace { yysetdict(maskwords); } 947 ipv6mask { bcopy(&$5, &$$.m, sizeof($$.m)); 948 yyresetdict(); 949 yyexpectaddr = 0; } 950 ; 951 952 maskspace: 953 '/' 954 | IPFY_MASK 955 ; 956 957 ipv4mask: 958 ipv4 { $$ = $1; } 959 | YY_HEX { $$.s_addr = htonl($1); } 960 | YY_NUMBER { ntomask(4, $1, (u_32_t *)&$$); } 961 | IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) { 962 $$.s_addr = 0; 963 ifpflag = FRI_BROADCAST; 964 } else 965 YYERROR; 966 } 967 | IPFY_NETWORK { if (ifpflag == FRI_DYNAMIC) { 968 $$.s_addr = 0; 969 ifpflag = FRI_NETWORK; 970 } else 971 YYERROR; 972 } 973 | IPFY_NETMASKED { if (ifpflag == FRI_DYNAMIC) { 974 $$.s_addr = 0; 975 ifpflag = FRI_NETMASKED; 976 } else 977 YYERROR; 978 } 979 | IPFY_PEER { if (ifpflag == FRI_DYNAMIC) { 980 $$.s_addr = 0; 981 ifpflag = FRI_PEERADDR; 982 } else 983 YYERROR; 984 } 985 ; 986 987 ipv6mask: 988 YY_NUMBER { ntomask(6, $1, $$.i6); } 989 | IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) { 990 bzero(&$$, sizeof($$)); 991 ifpflag = FRI_BROADCAST; 992 } else 993 YYERROR; 994 } 995 | IPFY_NETWORK { if (ifpflag == FRI_DYNAMIC) { 996 bzero(&$$, sizeof($$)); 997 ifpflag = FRI_BROADCAST; 998 } else 999 YYERROR; 1000 } 1001 | IPFY_NETMASKED { if (ifpflag == FRI_DYNAMIC) { 1002 bzero(&$$, sizeof($$)); 1003 ifpflag = FRI_BROADCAST; 1004 } else 1005 YYERROR; 1006 } 1007 | IPFY_PEER { if (ifpflag == FRI_DYNAMIC) { 1008 bzero(&$$, sizeof($$)); 1009 ifpflag = FRI_BROADCAST; 1010 } else 1011 YYERROR; 1012 } 1013 ; 1014 1015 hostname: 1016 ipv4 { $$ = $1; } 1017 | YY_NUMBER { $$.s_addr = $1; } 1018 | YY_HEX { $$.s_addr = $1; } 1019 | YY_STR { $$.s_addr = lookuphost($1); 1020 free($1); 1021 if ($$.s_addr == 0 && 1022 ifpflag != FRI_DYNAMIC) 1023 yyerror("Unknown hostname"); 1024 } 1025 ; 1026 1027 addrlist: 1028 ipaddr { $$ = newalist(NULL); 1029 bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a)); 1030 bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); } 1031 | addrlist ',' ipaddr 1032 { $$ = newalist($1); 1033 bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a)); 1034 bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); } 1035 ; 1036 1037 pool: IPFY_POOL { yyexpectaddr = 0; yycont = NULL; yyresetdict(); } 1038 ; 1039 1040 hash: IPFY_HASH { yyexpectaddr = 0; yycont = NULL; yyresetdict(); } 1041 ; 1042 1043 poollist: 1044 ipaddr { $$ = newalist(NULL); 1045 bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a)); 1046 bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); } 1047 | '!' ipaddr { $$ = newalist(NULL); 1048 $$->al_not = 1; 1049 bcopy(&($2.a), &($$->al_i6addr), sizeof($2.a)); 1050 bcopy(&($2.m), &($$->al_i6mask), sizeof($2.m)); } 1051 | poollist ',' ipaddr 1052 { $$ = newalist($1); 1053 bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a)); 1054 bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); } 1055 | poollist ',' '!' ipaddr 1056 { $$ = newalist($1); 1057 $$->al_not = 1; 1058 bcopy(&($4.a), &($$->al_i6addr), sizeof($4.a)); 1059 bcopy(&($4.m), &($$->al_i6mask), sizeof($4.m)); } 1060 ; 1061 1062 port: IPFY_PORT { yyexpectaddr = 0; 1063 yycont = NULL; 1064 } 1065 ; 1066 1067 portc: port compare { $$ = $2; 1068 yysetdict(NULL); } 1069 | porteq { $$ = $1; } 1070 ; 1071 1072 porteq: port '=' { $$ = FR_EQUAL; 1073 yysetdict(NULL); } 1074 ; 1075 1076 portr: IPFY_PORT { yyexpectaddr = 0; 1077 yycont = NULL; 1078 yysetdict(NULL); } 1079 ; 1080 1081 portcomp: 1082 portc portnum { $$.pc = $1; 1083 $$.p1 = $2; 1084 yyresetdict(); } 1085 ; 1086 1087 portrange: 1088 portr portnum range portnum { $$.p1 = $2; 1089 $$.pc = $3; 1090 $$.p2 = $4; 1091 yyresetdict(); } 1092 ; 1093 1094 icmp: | itype icode 1095 ; 1096 1097 itype: seticmptype icmptype 1098 { DOALL(fr->fr_icmp = htons($2 << 8); fr->fr_icmpm = htons(0xff00);); 1099 yyresetdict(); 1100 } 1101 | seticmptype lstart typelist lend { yyresetdict(); } 1102 ; 1103 1104 seticmptype: 1105 IPFY_ICMPTYPE { setipftype(); 1106 yysetdict(icmptypewords); } 1107 ; 1108 1109 icode: | seticmpcode icmpcode 1110 { DOALL(fr->fr_icmp |= htons($2); fr->fr_icmpm |= htons(0xff);); 1111 yyresetdict(); 1112 } 1113 | seticmpcode lstart codelist lend { yyresetdict(); } 1114 ; 1115 1116 seticmpcode: 1117 IPFY_ICMPCODE { yysetdict(icmpcodewords); } 1118 ; 1119 1120 typelist: 1121 icmptype 1122 { DOREM(fr->fr_icmp = htons($1 << 8); fr->fr_icmpm = htons(0xff00);) } 1123 | typelist lmore icmptype 1124 { DOREM(fr->fr_icmp = htons($3 << 8); fr->fr_icmpm = htons(0xff00);) } 1125 ; 1126 1127 codelist: 1128 icmpcode 1129 { DOREM(fr->fr_icmp |= htons($1); fr->fr_icmpm |= htons(0xff);) } 1130 | codelist lmore icmpcode 1131 { DOREM(fr->fr_icmp |= htons($3); fr->fr_icmpm |= htons(0xff);) } 1132 ; 1133 1134 age: | IPFY_AGE YY_NUMBER { DOALL(fr->fr_age[0] = $2; \ 1135 fr->fr_age[1] = $2;) } 1136 | IPFY_AGE YY_NUMBER '/' YY_NUMBER 1137 { DOALL(fr->fr_age[0] = $2; \ 1138 fr->fr_age[1] = $4;) } 1139 ; 1140 1141 keep: | IPFY_KEEP keepstate 1142 | IPFY_KEEP keepfrag 1143 | IPFY_KEEP keepstate IPFY_KEEP keepfrag 1144 ; 1145 1146 keepstate: 1147 IPFY_STATE stateoptlist { DOALL(fr->fr_flags |= FR_KEEPSTATE;)} 1148 ; 1149 1150 keepfrag: 1151 IPFY_FRAGS fragoptlist { DOALL(fr->fr_flags |= FR_KEEPFRAG;) } 1152 ; 1153 1154 fragoptlist: 1155 | '(' fragopts ')' 1156 ; 1157 1158 fragopts: 1159 fragopt lanother fragopts 1160 | fragopt 1161 ; 1162 1163 fragopt: 1164 IPFY_STRICT { DOALL(fr->fr_flags |= FR_FRSTRICT;) } 1165 ; 1166 1167 stateoptlist: 1168 | '(' stateopts ')' 1169 ; 1170 1171 stateopts: 1172 stateopt lanother stateopts 1173 | stateopt 1174 ; 1175 1176 stateopt: 1177 IPFY_LIMIT YY_NUMBER { DOALL(fr->fr_statemax = $2;) } 1178 | IPFY_STRICT { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \ 1179 YYERROR; \ 1180 } else \ 1181 fr->fr_flags |= FR_STSTRICT;) 1182 } 1183 | IPFY_NEWISN { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \ 1184 YYERROR; \ 1185 } else \ 1186 fr->fr_flags |= FR_NEWISN;) 1187 } 1188 | IPFY_NOICMPERR { DOALL(fr->fr_flags |= FR_NOICMPERR;) } 1189 ; 1190 1191 portnum: 1192 servicename { $$ = ntohs(getport(frc, $1)); 1193 if ($$ == -1) 1194 fprintf(stderr, "service unknown: %s, line %d\n", $1, yylineNum); 1195 free($1); 1196 } 1197 | YY_NUMBER { $$ = $1; } 1198 ; 1199 1200 withlist: 1201 withopt 1202 | withlist withopt 1203 ; 1204 1205 withopt: 1206 opttype { DOALL(fr->fr_flx |= $1; fr->fr_mflx |= $1;) } 1207 | notwith opttype 1208 { DOALL(fr->fr_mflx |= $2;) } 1209 | IPFY_OPT ipopts 1210 | notwith IPFY_OPT ipopts 1211 | startv6hdrs ipv6hdrs 1212 ; 1213 1214 startv6hdrs: 1215 IPF6_V6HDRS { if (use_inet6 == 0) 1216 yyerror("only available with IPv6"); 1217 } 1218 ; 1219 1220 notwith: 1221 IPFY_NOT { nowith = 1; } 1222 | IPFY_NO { nowith = 1; } 1223 ; 1224 1225 opttype: 1226 IPFY_IPOPTS { $$ = FI_OPTIONS; } 1227 | IPFY_SHORT { $$ = FI_SHORT; } 1228 | IPFY_NAT { $$ = FI_NATED; } 1229 | IPFY_BAD { $$ = FI_BAD; } 1230 | IPFY_BADNAT { $$ = FI_BADNAT; } 1231 | IPFY_BADSRC { $$ = FI_BADSRC; } 1232 | IPFY_LOWTTL { $$ = FI_LOWTTL; } 1233 | IPFY_FRAG { $$ = FI_FRAG; } 1234 | IPFY_MBCAST { $$ = FI_MBCAST; } 1235 | IPFY_MULTICAST { $$ = FI_MULTICAST; } 1236 | IPFY_BROADCAST { $$ = FI_BROADCAST; } 1237 | IPFY_STATE { $$ = FI_STATE; } 1238 | IPFY_OOW { $$ = FI_OOW; } 1239 ; 1240 1241 ipopts: optlist { DOALL(fr->fr_mip.fi_optmsk |= $1; 1242 if (!nowith) 1243 fr->fr_ip.fi_optmsk |= $1;) 1244 } 1245 ; 1246 1247 optlist: 1248 opt { $$ |= $1; } 1249 | optlist ',' opt { $$ |= $1 | $3; } 1250 ; 1251 1252 ipv6hdrs: 1253 ipv6hdrlist { DOALL(fr->fr_mip.fi_optmsk |= $1; 1254 if (!nowith) 1255 fr->fr_ip.fi_optmsk |= $1;) 1256 } 1257 ; 1258 1259 ipv6hdrlist: 1260 ipv6hdr { $$ |= $1; } 1261 | ipv6hdrlist ',' ipv6hdr { $$ |= $1 | $3; } 1262 ; 1263 1264 secname: 1265 seclevel { $$ |= $1; } 1266 | secname ',' seclevel { $$ |= $1 | $3; } 1267 ; 1268 1269 seclevel: 1270 IPFY_SEC_UNC { $$ = secbit(IPSO_CLASS_UNCL); } 1271 | IPFY_SEC_CONF { $$ = secbit(IPSO_CLASS_CONF); } 1272 | IPFY_SEC_RSV1 { $$ = secbit(IPSO_CLASS_RES1); } 1273 | IPFY_SEC_RSV2 { $$ = secbit(IPSO_CLASS_RES2); } 1274 | IPFY_SEC_RSV3 { $$ = secbit(IPSO_CLASS_RES3); } 1275 | IPFY_SEC_RSV4 { $$ = secbit(IPSO_CLASS_RES4); } 1276 | IPFY_SEC_SEC { $$ = secbit(IPSO_CLASS_SECR); } 1277 | IPFY_SEC_TS { $$ = secbit(IPSO_CLASS_TOPS); } 1278 ; 1279 1280 icmptype: 1281 YY_NUMBER { $$ = $1; } 1282 | IPFY_ICMPT_UNR { $$ = ICMP_UNREACH; } 1283 | IPFY_ICMPT_ECHO { $$ = ICMP_ECHO; } 1284 | IPFY_ICMPT_ECHOR { $$ = ICMP_ECHOREPLY; } 1285 | IPFY_ICMPT_SQUENCH { $$ = ICMP_SOURCEQUENCH; } 1286 | IPFY_ICMPT_REDIR { $$ = ICMP_REDIRECT; } 1287 | IPFY_ICMPT_TIMEX { $$ = ICMP_TIMXCEED; } 1288 | IPFY_ICMPT_PARAMP { $$ = ICMP_PARAMPROB; } 1289 | IPFY_ICMPT_TIMEST { $$ = ICMP_TSTAMP; } 1290 | IPFY_ICMPT_TIMESTREP { $$ = ICMP_TSTAMPREPLY; } 1291 | IPFY_ICMPT_INFOREQ { $$ = ICMP_IREQ; } 1292 | IPFY_ICMPT_INFOREP { $$ = ICMP_IREQREPLY; } 1293 | IPFY_ICMPT_MASKREQ { $$ = ICMP_MASKREQ; } 1294 | IPFY_ICMPT_MASKREP { $$ = ICMP_MASKREPLY; } 1295 | IPFY_ICMPT_ROUTERAD { $$ = ICMP_ROUTERADVERT; } 1296 | IPFY_ICMPT_ROUTERSOL { $$ = ICMP_ROUTERSOLICIT; } 1297 ; 1298 1299 icmpcode: 1300 YY_NUMBER { $$ = $1; } 1301 | IPFY_ICMPC_NETUNR { $$ = ICMP_UNREACH_NET; } 1302 | IPFY_ICMPC_HSTUNR { $$ = ICMP_UNREACH_HOST; } 1303 | IPFY_ICMPC_PROUNR { $$ = ICMP_UNREACH_PROTOCOL; } 1304 | IPFY_ICMPC_PORUNR { $$ = ICMP_UNREACH_PORT; } 1305 | IPFY_ICMPC_NEEDF { $$ = ICMP_UNREACH_NEEDFRAG; } 1306 | IPFY_ICMPC_SRCFAIL { $$ = ICMP_UNREACH_SRCFAIL; } 1307 | IPFY_ICMPC_NETUNK { $$ = ICMP_UNREACH_NET_UNKNOWN; } 1308 | IPFY_ICMPC_HSTUNK { $$ = ICMP_UNREACH_HOST_UNKNOWN; } 1309 | IPFY_ICMPC_ISOLATE { $$ = ICMP_UNREACH_ISOLATED; } 1310 | IPFY_ICMPC_NETPRO { $$ = ICMP_UNREACH_NET_PROHIB; } 1311 | IPFY_ICMPC_HSTPRO { $$ = ICMP_UNREACH_HOST_PROHIB; } 1312 | IPFY_ICMPC_NETTOS { $$ = ICMP_UNREACH_TOSNET; } 1313 | IPFY_ICMPC_HSTTOS { $$ = ICMP_UNREACH_TOSHOST; } 1314 | IPFY_ICMPC_FLTPRO { $$ = ICMP_UNREACH_ADMIN_PROHIBIT; } 1315 | IPFY_ICMPC_HSTPRE { $$ = 14; } 1316 | IPFY_ICMPC_CUTPRE { $$ = 15; } 1317 ; 1318 1319 opt: 1320 IPFY_IPOPT_NOP { $$ = getoptbyvalue(IPOPT_NOP); } 1321 | IPFY_IPOPT_RR { $$ = getoptbyvalue(IPOPT_RR); } 1322 | IPFY_IPOPT_ZSU { $$ = getoptbyvalue(IPOPT_ZSU); } 1323 | IPFY_IPOPT_MTUP { $$ = getoptbyvalue(IPOPT_MTUP); } 1324 | IPFY_IPOPT_MTUR { $$ = getoptbyvalue(IPOPT_MTUR); } 1325 | IPFY_IPOPT_ENCODE { $$ = getoptbyvalue(IPOPT_ENCODE); } 1326 | IPFY_IPOPT_TS { $$ = getoptbyvalue(IPOPT_TS); } 1327 | IPFY_IPOPT_TR { $$ = getoptbyvalue(IPOPT_TR); } 1328 | IPFY_IPOPT_SEC { $$ = getoptbyvalue(IPOPT_SECURITY); } 1329 | IPFY_IPOPT_LSRR { $$ = getoptbyvalue(IPOPT_LSRR); } 1330 | IPFY_IPOPT_ESEC { $$ = getoptbyvalue(IPOPT_E_SEC); } 1331 | IPFY_IPOPT_CIPSO { $$ = getoptbyvalue(IPOPT_CIPSO); } 1332 | IPFY_IPOPT_SATID { $$ = getoptbyvalue(IPOPT_SATID); } 1333 | IPFY_IPOPT_SSRR { $$ = getoptbyvalue(IPOPT_SSRR); } 1334 | IPFY_IPOPT_ADDEXT { $$ = getoptbyvalue(IPOPT_ADDEXT); } 1335 | IPFY_IPOPT_VISA { $$ = getoptbyvalue(IPOPT_VISA); } 1336 | IPFY_IPOPT_IMITD { $$ = getoptbyvalue(IPOPT_IMITD); } 1337 | IPFY_IPOPT_EIP { $$ = getoptbyvalue(IPOPT_EIP); } 1338 | IPFY_IPOPT_FINN { $$ = getoptbyvalue(IPOPT_FINN); } 1339 | IPFY_IPOPT_DPS { $$ = getoptbyvalue(IPOPT_DPS); } 1340 | IPFY_IPOPT_SDB { $$ = getoptbyvalue(IPOPT_SDB); } 1341 | IPFY_IPOPT_NSAPA { $$ = getoptbyvalue(IPOPT_NSAPA); } 1342 | IPFY_IPOPT_RTRALRT { $$ = getoptbyvalue(IPOPT_RTRALRT); } 1343 | IPFY_IPOPT_UMP { $$ = getoptbyvalue(IPOPT_UMP); } 1344 | IPFY_SECCLASS secname 1345 { DOALL(fr->fr_mip.fi_secmsk |= $2; 1346 if (!nowith) 1347 fr->fr_ip.fi_secmsk |= $2;) 1348 $$ = 0; 1349 } 1350 ; 1351 1352 ipv6hdr: 1353 IPFY_AH { $$ = getv6optbyvalue(IPPROTO_AH); } 1354 | IPFY_IPV6OPT_DSTOPTS { $$ = getv6optbyvalue(IPPROTO_DSTOPTS); } 1355 | IPFY_ESP { $$ = getv6optbyvalue(IPPROTO_ESP); } 1356 | IPFY_IPV6OPT_HOPOPTS { $$ = getv6optbyvalue(IPPROTO_HOPOPTS); } 1357 | IPFY_IPV6OPT_IPV6 { $$ = getv6optbyvalue(IPPROTO_IPV6); } 1358 | IPFY_IPV6OPT_NONE { $$ = getv6optbyvalue(IPPROTO_NONE); } 1359 | IPFY_IPV6OPT_ROUTING { $$ = getv6optbyvalue(IPPROTO_ROUTING); } 1360 | IPFY_FRAG { $$ = getv6optbyvalue(IPPROTO_FRAGMENT); } 1361 ; 1362 1363 level: IPFY_LEVEL { setsyslog(); } 1364 ; 1365 1366 loglevel: 1367 priority { fr->fr_loglevel = LOG_LOCAL0|$1; } 1368 | facility '.' priority { fr->fr_loglevel = $1 | $3; } 1369 ; 1370 1371 facility: 1372 IPFY_FAC_KERN { $$ = LOG_KERN; } 1373 | IPFY_FAC_USER { $$ = LOG_USER; } 1374 | IPFY_FAC_MAIL { $$ = LOG_MAIL; } 1375 | IPFY_FAC_DAEMON { $$ = LOG_DAEMON; } 1376 | IPFY_FAC_AUTH { $$ = LOG_AUTH; } 1377 | IPFY_FAC_SYSLOG { $$ = LOG_SYSLOG; } 1378 | IPFY_FAC_LPR { $$ = LOG_LPR; } 1379 | IPFY_FAC_NEWS { $$ = LOG_NEWS; } 1380 | IPFY_FAC_UUCP { $$ = LOG_UUCP; } 1381 | IPFY_FAC_CRON { $$ = LOG_CRON; } 1382 | IPFY_FAC_FTP { $$ = LOG_FTP; } 1383 | IPFY_FAC_AUTHPRIV { $$ = LOG_AUTHPRIV; } 1384 | IPFY_FAC_AUDIT { $$ = LOG_AUDIT; } 1385 | IPFY_FAC_LFMT { $$ = LOG_LFMT; } 1386 | IPFY_FAC_LOCAL0 { $$ = LOG_LOCAL0; } 1387 | IPFY_FAC_LOCAL1 { $$ = LOG_LOCAL1; } 1388 | IPFY_FAC_LOCAL2 { $$ = LOG_LOCAL2; } 1389 | IPFY_FAC_LOCAL3 { $$ = LOG_LOCAL3; } 1390 | IPFY_FAC_LOCAL4 { $$ = LOG_LOCAL4; } 1391 | IPFY_FAC_LOCAL5 { $$ = LOG_LOCAL5; } 1392 | IPFY_FAC_LOCAL6 { $$ = LOG_LOCAL6; } 1393 | IPFY_FAC_LOCAL7 { $$ = LOG_LOCAL7; } 1394 | IPFY_FAC_SECURITY { $$ = LOG_SECURITY; } 1395 ; 1396 1397 priority: 1398 IPFY_PRI_EMERG { $$ = LOG_EMERG; } 1399 | IPFY_PRI_ALERT { $$ = LOG_ALERT; } 1400 | IPFY_PRI_CRIT { $$ = LOG_CRIT; } 1401 | IPFY_PRI_ERR { $$ = LOG_ERR; } 1402 | IPFY_PRI_WARN { $$ = LOG_WARNING; } 1403 | IPFY_PRI_NOTICE { $$ = LOG_NOTICE; } 1404 | IPFY_PRI_INFO { $$ = LOG_INFO; } 1405 | IPFY_PRI_DEBUG { $$ = LOG_DEBUG; } 1406 ; 1407 1408 compare: 1409 '=' { $$ = FR_EQUAL; } 1410 | YY_CMP_EQ { $$ = FR_EQUAL; } 1411 | YY_CMP_NE { $$ = FR_NEQUAL; } 1412 | YY_CMP_LT { $$ = FR_LESST; } 1413 | YY_CMP_LE { $$ = FR_LESSTE; } 1414 | YY_CMP_GT { $$ = FR_GREATERT; } 1415 | YY_CMP_GE { $$ = FR_GREATERTE; } 1416 ; 1417 1418 range: YY_RANGE_IN { $$ = FR_INRANGE; } 1419 | YY_RANGE_OUT { $$ = FR_OUTRANGE; } 1420 | ':' { $$ = FR_INCRANGE; } 1421 ; 1422 1423 servicename: 1424 YY_STR { $$ = $1; } 1425 ; 1426 1427 interfacename: YY_STR { $$ = $1; } 1428 | YY_STR ':' YY_NUMBER 1429 { $$ = $1; 1430 #if SOLARIS2 >= 10 1431 if (strncmp(VNI, $1, VNISTRLEN) != 0) 1432 #endif 1433 fprintf(stderr, "%d: Logical interface %s:%d unsupported, " 1434 "use the physical interface %s instead.\n", 1435 yylineNum, $1, $3, $1); 1436 } 1437 ; 1438 1439 name: YY_STR { $$ = $1; } 1440 ; 1441 1442 ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER 1443 { if ($1 > 255 || $3 > 255 || $5 > 255 || $7 > 255) { 1444 yyerror("Invalid octet string for IP address"); 1445 return 0; 1446 } 1447 $$.s_addr = ($1 << 24) | ($3 << 16) | ($5 << 8) | $7; 1448 $$.s_addr = htonl($$.s_addr); 1449 } 1450 ; 1451 %% 1452 1453 1454 static struct wordtab ipfwords[] = { 1455 { "addext", IPFY_IPOPT_ADDEXT }, 1456 { "age", IPFY_AGE }, 1457 { "ah", IPFY_AH }, 1458 { "all", IPFY_ALL }, 1459 { "and", IPFY_AND }, 1460 { "auth", IPFY_AUTH }, 1461 { "bad", IPFY_BAD }, 1462 { "bad-nat", IPFY_BADNAT }, 1463 { "bad-src", IPFY_BADSRC }, 1464 { "bcast", IPFY_BROADCAST }, 1465 { "block", IPFY_BLOCK }, 1466 { "body", IPFY_BODY }, 1467 { "bpf", IPFY_BPF }, 1468 { "call", IPFY_CALL }, 1469 { "cipso", IPFY_IPOPT_CIPSO }, 1470 { "code", IPFY_ICMPCODE }, 1471 { "confid", IPFY_SEC_CONF }, 1472 { "count", IPFY_COUNT }, 1473 { "divert", IPFY_DIVERT }, 1474 { "dps", IPFY_IPOPT_DPS }, 1475 { "dstopts", IPFY_IPV6OPT_DSTOPTS }, 1476 { "dup-to", IPFY_DUPTO }, 1477 { "e-sec", IPFY_IPOPT_ESEC }, 1478 { "eip", IPFY_IPOPT_EIP }, 1479 { "encode", IPFY_IPOPT_ENCODE }, 1480 { "eq", YY_CMP_EQ }, 1481 { "esp", IPFY_ESP }, 1482 { "fastroute", IPFY_FROUTE }, 1483 { "first", IPFY_FIRST }, 1484 { "finn", IPFY_IPOPT_FINN }, 1485 { "frag", IPFY_FRAG }, 1486 { "flags", IPFY_FLAGS }, 1487 { "frags", IPFY_FRAGS }, 1488 { "from", IPFY_FROM }, 1489 { "ge", YY_CMP_GE }, 1490 { "group", IPFY_GROUP }, 1491 { "gt", YY_CMP_GT }, 1492 { "head", IPFY_HEAD }, 1493 { "hopopts", IPFY_IPV6OPT_HOPOPTS }, 1494 { "host-preced", IPFY_ICMPC_HSTPRE }, 1495 { "host-prohib", IPFY_ICMPC_HSTPRO }, 1496 { "host-tos", IPFY_ICMPC_HSTTOS }, 1497 { "host-unk", IPFY_ICMPC_HSTUNK }, 1498 { "host-unr", IPFY_ICMPC_HSTUNR }, 1499 { "icmp", IPFY_ICMP }, 1500 { "icmp-type", IPFY_ICMPTYPE }, 1501 { "imitd", IPFY_IPOPT_IMITD }, 1502 { "in", IPFY_IN }, 1503 { "in-via", IPFY_INVIA }, 1504 { "ipopt", IPFY_IPOPTS }, 1505 { "ipopts", IPFY_IPOPTS }, 1506 { "ipv6", IPFY_IPV6OPT_IPV6 }, 1507 { "keep", IPFY_KEEP }, 1508 { "le", YY_CMP_LE }, 1509 { "level", IPFY_LEVEL }, 1510 { "limit", IPFY_LIMIT }, 1511 { "log", IPFY_LOG }, 1512 { "lowttl", IPFY_LOWTTL }, 1513 { "lsrr", IPFY_IPOPT_LSRR }, 1514 { "lt", YY_CMP_LT }, 1515 { "mask", IPFY_MASK }, 1516 { "mbcast", IPFY_MBCAST }, 1517 { "mtup", IPFY_IPOPT_MTUP }, 1518 { "mtur", IPFY_IPOPT_MTUR }, 1519 { "multicast", IPFY_MULTICAST }, 1520 { "nat", IPFY_NAT }, 1521 { "ne", YY_CMP_NE }, 1522 { "net", IPFY_NETWORK }, 1523 { "newisn", IPFY_NEWISN }, 1524 { "no", IPFY_NO }, 1525 { "no-icmp-err", IPFY_NOICMPERR }, 1526 { "none", IPFY_IPV6OPT_NONE }, 1527 { "nop", IPFY_IPOPT_NOP }, 1528 { "now", IPFY_NOW }, 1529 { "not", IPFY_NOT }, 1530 { "nsapa", IPFY_IPOPT_NSAPA }, 1531 { "oow", IPFY_OOW }, 1532 { "on", IPFY_ON }, 1533 { "opt", IPFY_OPT }, 1534 { "or-block", IPFY_ORBLOCK }, 1535 { "out", IPFY_OUT }, 1536 { "out-via", IPFY_OUTVIA }, 1537 { "pass", IPFY_PASS }, 1538 { "port", IPFY_PORT }, 1539 { "pps", IPFY_PPS }, 1540 { "preauth", IPFY_PREAUTH }, 1541 { "proto", IPFY_PROTO }, 1542 { "quick", IPFY_QUICK }, 1543 { "reply-to", IPFY_REPLY_TO }, 1544 { "reserv-1", IPFY_SEC_RSV1 }, 1545 { "reserv-2", IPFY_SEC_RSV2 }, 1546 { "reserv-3", IPFY_SEC_RSV3 }, 1547 { "reserv-4", IPFY_SEC_RSV4 }, 1548 { "return-icmp", IPFY_RETICMP }, 1549 { "return-icmp-as-dest", IPFY_RETICMPASDST }, 1550 { "return-rst", IPFY_RETRST }, 1551 { "routing", IPFY_IPV6OPT_ROUTING }, 1552 { "rr", IPFY_IPOPT_RR }, 1553 { "rtralrt", IPFY_IPOPT_RTRALRT }, 1554 { "satid", IPFY_IPOPT_SATID }, 1555 { "sdb", IPFY_IPOPT_SDB }, 1556 { "sec", IPFY_IPOPT_SEC }, 1557 { "sec-class", IPFY_SECCLASS }, 1558 { "secret", IPFY_SEC_SEC }, 1559 { "skip", IPFY_SKIP }, 1560 { "short", IPFY_SHORT }, 1561 { "ssrr", IPFY_IPOPT_SSRR }, 1562 { "state", IPFY_STATE }, 1563 { "strict", IPFY_STRICT }, 1564 { "tag", IPFY_TAG }, 1565 { "tcp", IPFY_TCP }, 1566 { "tcp-udp", IPFY_TCPUDP }, 1567 { "tos", IPFY_TOS }, 1568 { "topsecret", IPFY_SEC_TS }, 1569 { "to", IPFY_TO }, 1570 { "tr", IPFY_IPOPT_TR }, 1571 { "ts", IPFY_IPOPT_TS }, 1572 { "ttl", IPFY_TTL }, 1573 { "udp", IPFY_UDP }, 1574 { "ump", IPFY_IPOPT_UMP }, 1575 { "unclass", IPFY_SEC_UNC }, 1576 { "v6hdrs", IPF6_V6HDRS }, 1577 { "visa", IPFY_IPOPT_VISA }, 1578 { "with", IPFY_WITH }, 1579 { "zsu", IPFY_IPOPT_ZSU }, 1580 { NULL, 0 } 1581 }; 1582 1583 static struct wordtab addrwords[4] = { 1584 { "any", IPFY_ANY }, 1585 { "hash", IPFY_HASH }, 1586 { "pool", IPFY_POOL }, 1587 { NULL, 0 } 1588 }; 1589 1590 static struct wordtab maskwords[5] = { 1591 { "broadcast", IPFY_BROADCAST }, 1592 { "netmasked", IPFY_NETMASKED }, 1593 { "network", IPFY_NETWORK }, 1594 { "peer", IPFY_PEER }, 1595 { NULL, 0 } 1596 }; 1597 1598 static struct wordtab icmptypewords[16] = { 1599 { "echo", IPFY_ICMPT_ECHO }, 1600 { "echorep", IPFY_ICMPT_ECHOR }, 1601 { "inforeq", IPFY_ICMPT_INFOREQ }, 1602 { "inforep", IPFY_ICMPT_INFOREP }, 1603 { "maskrep", IPFY_ICMPT_MASKREP }, 1604 { "maskreq", IPFY_ICMPT_MASKREQ }, 1605 { "paramprob", IPFY_ICMPT_PARAMP }, 1606 { "redir", IPFY_ICMPT_REDIR }, 1607 { "unreach", IPFY_ICMPT_UNR }, 1608 { "routerad", IPFY_ICMPT_ROUTERAD }, 1609 { "routersol", IPFY_ICMPT_ROUTERSOL }, 1610 { "squench", IPFY_ICMPT_SQUENCH }, 1611 { "timest", IPFY_ICMPT_TIMEST }, 1612 { "timestrep", IPFY_ICMPT_TIMESTREP }, 1613 { "timex", IPFY_ICMPT_TIMEX }, 1614 { NULL, 0 }, 1615 }; 1616 1617 static struct wordtab icmpcodewords[17] = { 1618 { "cutoff-preced", IPFY_ICMPC_CUTPRE }, 1619 { "filter-prohib", IPFY_ICMPC_FLTPRO }, 1620 { "isolate", IPFY_ICMPC_ISOLATE }, 1621 { "needfrag", IPFY_ICMPC_NEEDF }, 1622 { "net-prohib", IPFY_ICMPC_NETPRO }, 1623 { "net-tos", IPFY_ICMPC_NETTOS }, 1624 { "host-preced", IPFY_ICMPC_HSTPRE }, 1625 { "host-prohib", IPFY_ICMPC_HSTPRO }, 1626 { "host-tos", IPFY_ICMPC_HSTTOS }, 1627 { "host-unk", IPFY_ICMPC_HSTUNK }, 1628 { "host-unr", IPFY_ICMPC_HSTUNR }, 1629 { "net-unk", IPFY_ICMPC_NETUNK }, 1630 { "net-unr", IPFY_ICMPC_NETUNR }, 1631 { "port-unr", IPFY_ICMPC_PORUNR }, 1632 { "proto-unr", IPFY_ICMPC_PROUNR }, 1633 { "srcfail", IPFY_ICMPC_SRCFAIL }, 1634 { NULL, 0 }, 1635 }; 1636 1637 static struct wordtab logwords[] = { 1638 { "kern", IPFY_FAC_KERN }, 1639 { "user", IPFY_FAC_USER }, 1640 { "mail", IPFY_FAC_MAIL }, 1641 { "daemon", IPFY_FAC_DAEMON }, 1642 { "auth", IPFY_FAC_AUTH }, 1643 { "syslog", IPFY_FAC_SYSLOG }, 1644 { "lpr", IPFY_FAC_LPR }, 1645 { "news", IPFY_FAC_NEWS }, 1646 { "uucp", IPFY_FAC_UUCP }, 1647 { "cron", IPFY_FAC_CRON }, 1648 { "ftp", IPFY_FAC_FTP }, 1649 { "authpriv", IPFY_FAC_AUTHPRIV }, 1650 { "audit", IPFY_FAC_AUDIT }, 1651 { "logalert", IPFY_FAC_LFMT }, 1652 { "console", IPFY_FAC_CONSOLE }, 1653 { "security", IPFY_FAC_SECURITY }, 1654 { "local0", IPFY_FAC_LOCAL0 }, 1655 { "local1", IPFY_FAC_LOCAL1 }, 1656 { "local2", IPFY_FAC_LOCAL2 }, 1657 { "local3", IPFY_FAC_LOCAL3 }, 1658 { "local4", IPFY_FAC_LOCAL4 }, 1659 { "local5", IPFY_FAC_LOCAL5 }, 1660 { "local6", IPFY_FAC_LOCAL6 }, 1661 { "local7", IPFY_FAC_LOCAL7 }, 1662 { "emerg", IPFY_PRI_EMERG }, 1663 { "alert", IPFY_PRI_ALERT }, 1664 { "crit", IPFY_PRI_CRIT }, 1665 { "err", IPFY_PRI_ERR }, 1666 { "warn", IPFY_PRI_WARN }, 1667 { "notice", IPFY_PRI_NOTICE }, 1668 { "info", IPFY_PRI_INFO }, 1669 { "debug", IPFY_PRI_DEBUG }, 1670 { NULL, 0 }, 1671 }; 1672 1673 1674 1675 1676 int ipf_parsefile(fd, addfunc, iocfuncs, filename) 1677 int fd; 1678 addfunc_t addfunc; 1679 ioctlfunc_t *iocfuncs; 1680 char *filename; 1681 { 1682 FILE *fp = NULL; 1683 char *s; 1684 1685 yylineNum = 1; 1686 yysettab(ipfwords); 1687 1688 s = getenv("YYDEBUG"); 1689 if (s != NULL) 1690 yydebug = atoi(s); 1691 else 1692 yydebug = 0; 1693 1694 if (strcmp(filename, "-")) { 1695 fp = fopen(filename, "r"); 1696 if (fp == NULL) { 1697 fprintf(stderr, "fopen(%s) failed: %s\n", filename, 1698 STRERROR(errno)); 1699 return -1; 1700 } 1701 } else 1702 fp = stdin; 1703 1704 while (ipf_parsesome(fd, addfunc, iocfuncs, fp) == 1) 1705 ; 1706 if (fp != NULL) 1707 fclose(fp); 1708 return 0; 1709 } 1710 1711 1712 int ipf_parsesome(fd, addfunc, iocfuncs, fp) 1713 int fd; 1714 addfunc_t addfunc; 1715 ioctlfunc_t *iocfuncs; 1716 FILE *fp; 1717 { 1718 char *s; 1719 int i; 1720 1721 ipffd = fd; 1722 for (i = 0; i <= IPL_LOGMAX; i++) 1723 ipfioctl[i] = iocfuncs[i]; 1724 ipfaddfunc = addfunc; 1725 1726 if (feof(fp)) 1727 return 0; 1728 i = fgetc(fp); 1729 if (i == EOF) 1730 return 0; 1731 if (ungetc(i, fp) == 0) 1732 return 0; 1733 if (feof(fp)) 1734 return 0; 1735 s = getenv("YYDEBUG"); 1736 if (s != NULL) 1737 yydebug = atoi(s); 1738 else 1739 yydebug = 0; 1740 1741 yyin = fp; 1742 yyparse(); 1743 return 1; 1744 } 1745 1746 1747 static void newrule() 1748 { 1749 frentry_t *frn; 1750 1751 frn = (frentry_t *)calloc(1, sizeof(frentry_t)); 1752 for (fr = frtop; fr != NULL && fr->fr_next != NULL; fr = fr->fr_next) 1753 ; 1754 if (fr != NULL) 1755 fr->fr_next = frn; 1756 if (frtop == NULL) 1757 frtop = frn; 1758 fr = frn; 1759 frc = frn; 1760 fr->fr_loglevel = 0xffff; 1761 fr->fr_isc = (void *)-1; 1762 fr->fr_logtag = FR_NOLOGTAG; 1763 fr->fr_type = FR_T_NONE; 1764 if (use_inet6 != 0) 1765 fr->fr_v = 6; 1766 else 1767 fr->fr_v = 4; 1768 1769 nrules = 1; 1770 } 1771 1772 1773 static void setipftype() 1774 { 1775 for (fr = frc; fr != NULL; fr = fr->fr_next) { 1776 if (fr->fr_type == FR_T_NONE) { 1777 fr->fr_type = FR_T_IPF; 1778 fr->fr_data = (void *)calloc(sizeof(fripf_t), 1); 1779 fr->fr_dsize = sizeof(fripf_t); 1780 fr->fr_ip.fi_v = frc->fr_v; 1781 fr->fr_mip.fi_v = 0xf; 1782 fr->fr_ipf->fri_sifpidx = -1; 1783 fr->fr_ipf->fri_difpidx = -1; 1784 } 1785 if (fr->fr_type != FR_T_IPF) { 1786 fprintf(stderr, "IPF Type not set\n"); 1787 } 1788 } 1789 } 1790 1791 1792 static frentry_t *addrule() 1793 { 1794 frentry_t *f, *f1, *f2; 1795 int count; 1796 1797 for (f2 = frc; f2->fr_next != NULL; f2 = f2->fr_next) 1798 ; 1799 1800 count = nrules; 1801 if (count == 0) { 1802 f = (frentry_t *)calloc(sizeof(*f), 1); 1803 added++; 1804 f2->fr_next = f; 1805 bcopy(f2, f, sizeof(*f)); 1806 if (f2->fr_caddr != NULL) { 1807 f->fr_caddr = malloc(f->fr_dsize); 1808 bcopy(f2->fr_caddr, f->fr_caddr, f->fr_dsize); 1809 } 1810 f->fr_next = NULL; 1811 return f; 1812 } 1813 f = f2; 1814 for (f1 = frc; count > 0; count--, f1 = f1->fr_next) { 1815 f->fr_next = (frentry_t *)calloc(sizeof(*f), 1); 1816 added++; 1817 f = f->fr_next; 1818 bcopy(f1, f, sizeof(*f)); 1819 f->fr_next = NULL; 1820 if (f->fr_caddr != NULL) { 1821 f->fr_caddr = malloc(f->fr_dsize); 1822 bcopy(f1->fr_caddr, f->fr_caddr, f->fr_dsize); 1823 } 1824 } 1825 1826 return f2->fr_next; 1827 } 1828 1829 1830 static u_32_t lookuphost(name) 1831 char *name; 1832 { 1833 u_32_t addr; 1834 int i; 1835 1836 hashed = 0; 1837 pooled = 0; 1838 dynamic = -1; 1839 1840 for (i = 0; i < 4; i++) { 1841 if (strncmp(name, frc->fr_ifnames[i], 1842 sizeof(frc->fr_ifnames[i])) == 0) { 1843 ifpflag = FRI_DYNAMIC; 1844 dynamic = i; 1845 return 0; 1846 } 1847 } 1848 1849 if (gethost(name, &addr) == -1) { 1850 return 0; 1851 } 1852 return addr; 1853 } 1854 1855 1856 static void dobpf(phrase) 1857 char *phrase; 1858 { 1859 #ifdef IPFILTER_BPF 1860 struct bpf_program bpf; 1861 struct pcap *p; 1862 u_32_t l; 1863 char *s; 1864 int i; 1865 1866 for (fr = frc; fr != NULL; fr = fr->fr_next) { 1867 if (fr->fr_type != FR_T_NONE) { 1868 fprintf(stderr, "cannoy mix IPF and BPF matching\n"); 1869 return; 1870 } 1871 fr->fr_type = FR_T_IPF; 1872 1873 if (!strncmp(phrase, "\"0x", 2)) { 1874 phrase++; 1875 fr->fr_data = malloc(4); 1876 1877 for (i = 0, s = strtok(phrase, " \r\n\t"; s != NULL; 1878 s = strtok(NULL, " \r\n\t"), i++) { 1879 fr->fr_data = realloc(fr->fr_data, (i + 1) * 4); 1880 l = (u_32_t)strtol(s, NULL, 0); 1881 ((u_32_t *)fr->fr_data)[i] = l; 1882 } 1883 return; 1884 } 1885 1886 bzero((char *)&bpf, sizeof(bpf)); 1887 p = pcap_open_dead(DLT_RAW, 1); 1888 if (!p) { 1889 fprintf(stderr, "pcap_open_dead failed\n"); 1890 return; 1891 } 1892 1893 if (pcap_compile(p, &bpf, phrase, 1, 0xffffffff) { 1894 pcap_perror(p, "ipf"); 1895 pcap_close(p); 1896 fprintf(stderr, "pcap parsing failed\n"); 1897 return; 1898 } 1899 pcap_close(p); 1900 1901 fr->fr_dsize = bpf.bf_len * sizeof(struct bpf_insn); 1902 fr->fr_data = malloc(bpf.bf_len); 1903 bcopy((char *)bpf.bf_insns, fr->fr_data, bpf.bf_len); 1904 if (!bpf_validate(fr->fr_data, bpf.bf_len)) { 1905 fprintf(stderr, "BPF validation failed\n"); 1906 return; 1907 } 1908 } 1909 1910 if (opts & OPT_DEBUG) 1911 bpf_dump(&bpf, 0); 1912 #else 1913 fprintf(stderr, "BPF expressions for matching not supported\n"); 1914 #endif 1915 } 1916 1917 1918 static void resetaddr() 1919 { 1920 hashed = 0; 1921 pooled = 0; 1922 dynamic = -1; 1923 } 1924 1925 1926 static alist_t *newalist(ptr) 1927 alist_t *ptr; 1928 { 1929 alist_t *al; 1930 1931 al = malloc(sizeof(*al)); 1932 if (al == NULL) 1933 return NULL; 1934 al->al_not = 0; 1935 al->al_next = ptr; 1936 return al; 1937 } 1938 1939 1940 static int makepool(list) 1941 alist_t *list; 1942 { 1943 ip_pool_node_t *n, *top; 1944 ip_pool_t pool; 1945 alist_t *a; 1946 int num; 1947 1948 if (list == NULL) 1949 return 0; 1950 top = calloc(1, sizeof(*top)); 1951 if (top == NULL) 1952 return 0; 1953 1954 for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) { 1955 n->ipn_addr.adf_addr.in4.s_addr = a->al_1; 1956 n->ipn_mask.adf_addr.in4.s_addr = a->al_2; 1957 n->ipn_info = a->al_not; 1958 if (a->al_next != NULL) { 1959 n->ipn_next = calloc(1, sizeof(*n)); 1960 n = n->ipn_next; 1961 } 1962 } 1963 1964 bzero((char *)&pool, sizeof(pool)); 1965 pool.ipo_unit = IPL_LOGIPF; 1966 pool.ipo_list = top; 1967 num = load_pool(&pool, ipfioctl[IPL_LOGLOOKUP]); 1968 1969 while ((n = top) != NULL) { 1970 top = n->ipn_next; 1971 free(n); 1972 } 1973 return num; 1974 } 1975 1976 1977 static u_int makehash(list) 1978 alist_t *list; 1979 { 1980 iphtent_t *n, *top; 1981 iphtable_t iph; 1982 alist_t *a; 1983 int num; 1984 1985 if (list == NULL) 1986 return 0; 1987 top = calloc(1, sizeof(*top)); 1988 if (top == NULL) 1989 return 0; 1990 1991 for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) { 1992 n->ipe_addr.in4_addr = a->al_1; 1993 n->ipe_mask.in4_addr = a->al_2; 1994 n->ipe_value = 0; 1995 if (a->al_next != NULL) { 1996 n->ipe_next = calloc(1, sizeof(*n)); 1997 n = n->ipe_next; 1998 } 1999 } 2000 2001 bzero((char *)&iph, sizeof(iph)); 2002 iph.iph_unit = IPL_LOGIPF; 2003 iph.iph_type = IPHASH_LOOKUP; 2004 *iph.iph_name = '\0'; 2005 2006 if (load_hash(&iph, top, ipfioctl[IPL_LOGLOOKUP]) == 0) 2007 sscanf(iph.iph_name, "%u", &num); 2008 else 2009 num = 0; 2010 2011 while ((n = top) != NULL) { 2012 top = n->ipe_next; 2013 free(n); 2014 } 2015 return num; 2016 } 2017 2018 2019 void ipf_addrule(fd, ioctlfunc, ptr) 2020 int fd; 2021 ioctlfunc_t ioctlfunc; 2022 void *ptr; 2023 { 2024 u_int add, del; 2025 frentry_t *fr; 2026 ipfobj_t obj; 2027 2028 fr = ptr; 2029 add = 0; 2030 del = 0; 2031 2032 bzero((char *)&obj, sizeof(obj)); 2033 obj.ipfo_rev = IPFILTER_VERSION; 2034 obj.ipfo_size = sizeof(*fr); 2035 obj.ipfo_type = IPFOBJ_FRENTRY; 2036 obj.ipfo_ptr = ptr; 2037 2038 if ((opts & OPT_DONOTHING) != 0) 2039 fd = -1; 2040 2041 if (opts & OPT_ZERORULEST) { 2042 add = SIOCZRLST; 2043 } else if (opts & OPT_INACTIVE) { 2044 add = (u_int)fr->fr_hits ? SIOCINIFR : 2045 SIOCADIFR; 2046 del = SIOCRMIFR; 2047 } else { 2048 add = (u_int)fr->fr_hits ? SIOCINAFR : 2049 SIOCADAFR; 2050 del = SIOCRMAFR; 2051 } 2052 2053 if (fr && (opts & OPT_OUTQUE)) 2054 fr->fr_flags |= FR_OUTQUE; 2055 if (fr->fr_hits) 2056 fr->fr_hits--; 2057 if (fr && (opts & OPT_VERBOSE)) 2058 printfr(fr, ioctlfunc); 2059 2060 if (opts & OPT_DEBUG) { 2061 binprint(fr, sizeof(*fr)); 2062 if (fr->fr_data != NULL) 2063 binprint(fr->fr_data, fr->fr_dsize); 2064 } 2065 2066 if ((opts & OPT_ZERORULEST) != 0) { 2067 if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) { 2068 if ((opts & OPT_DONOTHING) == 0) { 2069 fprintf(stderr, "%d:", yylineNum); 2070 perror("ioctl(SIOCZRLST)"); 2071 } 2072 } else { 2073 #ifdef USE_QUAD_T 2074 printf("hits %qd bytes %qd ", 2075 (long long)fr->fr_hits, 2076 (long long)fr->fr_bytes); 2077 #else 2078 printf("hits %ld bytes %ld ", 2079 fr->fr_hits, fr->fr_bytes); 2080 #endif 2081 printfr(fr, ioctlfunc); 2082 } 2083 } else if ((opts & OPT_REMOVE) != 0) { 2084 if ((*ioctlfunc)(fd, del, (void *)&obj) == -1) { 2085 if ((opts & OPT_DONOTHING) == 0) { 2086 fprintf(stderr, "%d:", yylineNum); 2087 perror("ioctl(delete rule)"); 2088 } 2089 } 2090 } else { 2091 if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) { 2092 if (!(opts & OPT_DONOTHING)) { 2093 fprintf(stderr, "%d:", yylineNum); 2094 fprintf(stderr,"ioctl(add/insert rule) failed: rule exists\n"); 2095 } 2096 } 2097 } 2098 } 2099 2100 2101 static void setsyslog() 2102 { 2103 savewords = yysettab(logwords); 2104 yybreakondot = 1; 2105 } 2106 2107 2108 static void unsetsyslog() 2109 { 2110 yysettab(savewords); 2111 yybreakondot = 0; 2112 } 2113 2114 2115 static void fillgroup(fr) 2116 frentry_t *fr; 2117 { 2118 frentry_t *f; 2119 int i; 2120 2121 for (f = frold; f != NULL; f = f->fr_next) 2122 if (strncmp(f->fr_grhead, fr->fr_group, FR_GROUPLEN) == 0) 2123 break; 2124 if (f == NULL) 2125 return; 2126 2127 /* 2128 * Only copy down matching fields if the rules are of the same type 2129 * and are of ipf type. 2130 */ 2131 if (f->fr_type != fr->fr_type || f->fr_type != FR_T_IPF) 2132 return; 2133 2134 if (fr->fr_v == 0 && f->fr_v != 0) 2135 fr->fr_v = f->fr_v; 2136 2137 if (fr->fr_mproto == 0 && f->fr_mproto != 0) 2138 fr->fr_mproto = f->fr_mproto; 2139 if (fr->fr_proto == 0 && f->fr_proto != 0) 2140 fr->fr_proto = f->fr_proto; 2141 2142 if (fr->fr_proto == IPPROTO_TCP) { 2143 if (fr->fr_tcpfm == 0 && f->fr_tcpfm != 0) 2144 fr->fr_tcpfm = f->fr_tcpfm; 2145 if (fr->fr_tcpf == 0 && f->fr_tcpf != 0) 2146 fr->fr_tcpf = f->fr_tcpf; 2147 } 2148 2149 if (fr->fr_proto == IPPROTO_ICMP) { 2150 if (fr->fr_icmpm == 0 && f->fr_icmpm != 0) 2151 fr->fr_icmpm = f->fr_icmpm; 2152 if (fr->fr_icmp == 0 && f->fr_icmp != 0) 2153 fr->fr_icmp = f->fr_icmp; 2154 } 2155 2156 if (fr->fr_optbits == 0 && f->fr_optbits != 0) 2157 fr->fr_optbits = f->fr_optbits; 2158 if (fr->fr_optmask == 0 && f->fr_optmask != 0) 2159 fr->fr_optmask = f->fr_optmask; 2160 if (fr->fr_secbits == 0 && f->fr_secbits != 0) 2161 fr->fr_secbits = f->fr_secbits; 2162 if (fr->fr_secmask == 0 && f->fr_secmask != 0) 2163 fr->fr_secmask = f->fr_secmask; 2164 if (fr->fr_authbits == 0 && f->fr_authbits != 0) 2165 fr->fr_authbits = f->fr_authbits; 2166 if (fr->fr_authmask == 0 && f->fr_authmask != 0) 2167 fr->fr_authmask = f->fr_authmask; 2168 2169 for (i = 0; i < 3; i++) { 2170 if (*f->fr_ifnames[i] != '\0' && *fr->fr_ifnames[i] == '\0') 2171 strncpy(fr->fr_ifnames[i], f->fr_ifnames[i], 2172 sizeof(f->fr_ifnames[i])); 2173 } 2174 } 2175