xref: /titanic_41/usr/src/cmd/ipf/tools/ipf_y.y (revision 210938ebfcf386cf4819f16c23979173b0d78097)
1 %{
2 /*
3  * Copyright (C) 2003 by Darren Reed.
4  *
5  * See the IPFILTER.LICENCE file for details on licencing.
6  *
7  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
8  * Use is subject to license terms.
9  */
10 
11 #pragma ident	"%Z%%M%	%I%	%E% SMI"
12 
13 #include "ipf.h"
14 #include <sys/ioctl.h>
15 #include <syslog.h>
16 #ifdef IPFILTER_BPF
17 # include "pcap-bpf.h"
18 # define _NET_BPF_H_
19 # include <pcap.h>
20 #endif
21 #include "netinet/ip_pool.h"
22 #include "netinet/ip_htable.h"
23 #include "netinet/ipl.h"
24 #include "ipf_l.h"
25 
26 #define	YYDEBUG	1
27 #define	DOALL(x)	for (fr = frc; fr != NULL; fr = fr->fr_next) { x }
28 #define	DOREM(x)	for (; fr != NULL; fr = fr->fr_next) { x }
29 
30 #define OPTION_LOG              0x1
31 #define OPTION_QUICK            0x2
32 #define OPTION_DUP              0x4
33 #define OPTION_PROUTE           0x8
34 #define OPTION_ON               0x10
35 #define OPTION_REPLYTO          0x20
36 #define OPTION_FROUTE           0x40
37 
38 extern	void	yyerror __P((char *));
39 extern	int	yyparse __P((void));
40 extern	int	yylex __P((void));
41 extern	int	yydebug;
42 extern	FILE	*yyin;
43 extern	int	yylineNum;
44 
45 static	void	newrule __P((void));
46 static	void	setipftype __P((void));
47 static	u_32_t	lookuphost __P((char *, i6addr_t *));
48 static	void	dobpf __P((int, char *));
49 static	void	resetaddr __P((void));
50 static	struct	alist_s	*newalist __P((struct alist_s *));
51 static	u_int	makehash __P((struct alist_s *));
52 static	int	makepool __P((struct alist_s *));
53 static	frentry_t *addrule __P((void));
54 static	void	setsyslog __P((void));
55 static	void	unsetsyslog __P((void));
56 static	void	fillgroup __P((frentry_t *));
57 
58 frentry_t	*fr = NULL, *frc = NULL, *frtop = NULL, *frold = NULL;
59 
60 static	int		ifpflag = 0;
61 static	int		nowith = 0;
62 static	int		dynamic = -1;
63 static	int		pooled = 0;
64 static	int		hashed = 0;
65 static	int		nrules = 0;
66 static	int		newlist = 0;
67 static	int		added = 0;
68 static	int		ipffd = -1;
69 static  int             ruleopts = 0;
70 static	int		*yycont = 0;
71 static	ioctlfunc_t	ipfioctl[IPL_LOGSIZE];
72 static	addfunc_t	ipfaddfunc = NULL;
73 static	struct	wordtab ipfwords[95];
74 static	struct	wordtab	addrwords[4];
75 static	struct	wordtab	maskwords[5];
76 static	struct	wordtab icmpcodewords[17];
77 static	struct	wordtab icmptypewords[16];
78 static	struct	wordtab ipv4optwords[25];
79 static	struct	wordtab ipv4secwords[9];
80 static	struct	wordtab ipv6optwords[8];
81 static	struct	wordtab logwords[33];
82 static  int             set_ipv6_addr = 0;
83 
84 %}
85 %union	{
86 	char	*str;
87 	u_32_t	num;
88 	struct	in_addr	ipa;
89 	frentry_t	fr;
90 	frtuc_t	*frt;
91 	struct	alist_s	*alist;
92 	u_short	port;
93 	struct	{
94 		u_short	p1;
95 		u_short	p2;
96 		int	pc;
97 	} pc;
98 	struct	{
99 		union	i6addr	a;
100 		union	i6addr	m;
101 	} ipp;
102 	union	i6addr	ip6;
103 };
104 
105 %type	<port>	portnum
106 %type	<num>	facility priority icmpcode seclevel secname icmptype
107 %type	<num>	opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr
108 %type	<num>	portc porteq
109 %type	<ipa>	ipv4 ipv4_16 ipv4_24
110 %type	<ip6>	hostname mask
111 %type	<ipp>	addr ipaddr
112 %type	<str>	servicename name interfacename
113 %type	<pc>	portrange portcomp
114 %type	<alist>	addrlist poollist
115 
116 %token	<num>	YY_NUMBER YY_HEX
117 %token	<str>	YY_STR
118 %token		YY_COMMENT
119 %token		YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
120 %token		YY_RANGE_OUT YY_RANGE_IN
121 %token	<ip6>	YY_IPV6
122 
123 %token	IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL
124 %token	IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST
125 %token	IPFY_IN IPFY_OUT
126 %token	IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA
127 %token	IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO IPFY_ROUTETO
128 %token	IPFY_TOS IPFY_TTL IPFY_PROTO
129 %token	IPFY_HEAD IPFY_GROUP
130 %token	IPFY_AUTH IPFY_PREAUTH
131 %token	IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK
132 %token	IPFY_LOGTAG IPFY_MATCHTAG IPFY_SETTAG IPFY_SKIP
133 %token	IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPFV4 IPFY_BPFV6 IPFY_POOL IPFY_HASH
134 %token	IPFY_PPS
135 %token	IPFY_ESP IPFY_AH
136 %token	IPFY_WITH IPFY_AND IPFY_NOT IPFY_NO IPFY_OPT
137 %token	IPFY_TCPUDP IPFY_TCP IPFY_UDP
138 %token	IPFY_FLAGS IPFY_MULTICAST
139 %token	IPFY_MASK IPFY_BROADCAST IPFY_NETWORK IPFY_NETMASKED IPFY_PEER
140 %token	IPFY_PORT
141 %token	IPFY_NOW
142 %token	IPFY_ICMP IPFY_ICMPTYPE IPFY_ICMPCODE
143 %token	IPFY_IPOPTS IPFY_SHORT IPFY_NAT IPFY_BADSRC IPFY_LOWTTL IPFY_FRAG
144 %token	IPFY_MBCAST IPFY_BAD IPFY_BADNAT IPFY_OOW IPFY_NEWISN IPFY_NOICMPERR
145 %token	IPFY_KEEP IPFY_STATE IPFY_FRAGS IPFY_LIMIT IPFY_STRICT IPFY_AGE
146 %token	IPFY_SYNC IPFY_FRAGBODY
147 %token	IPFY_IPOPT_NOP IPFY_IPOPT_RR IPFY_IPOPT_ZSU IPFY_IPOPT_MTUP
148 %token	IPFY_IPOPT_MTUR IPFY_IPOPT_ENCODE IPFY_IPOPT_TS IPFY_IPOPT_TR
149 %token	IPFY_IPOPT_SEC IPFY_IPOPT_LSRR IPFY_IPOPT_ESEC IPFY_IPOPT_CIPSO
150 %token	IPFY_IPOPT_SATID IPFY_IPOPT_SSRR IPFY_IPOPT_ADDEXT IPFY_IPOPT_VISA
151 %token	IPFY_IPOPT_IMITD IPFY_IPOPT_EIP IPFY_IPOPT_FINN IPFY_IPOPT_DPS
152 %token	IPFY_IPOPT_SDB IPFY_IPOPT_NSAPA IPFY_IPOPT_RTRALRT IPFY_IPOPT_UMP
153 %token	IPFY_SECCLASS IPFY_SEC_UNC IPFY_SEC_CONF IPFY_SEC_RSV1 IPFY_SEC_RSV2
154 %token	IPFY_SEC_RSV4 IPFY_SEC_SEC IPFY_SEC_TS IPFY_SEC_RSV3
155 
156 %token	IPF6_V6HDRS IPFY_IPV6OPT IPFY_IPV6OPT_DSTOPTS IPFY_IPV6OPT_HOPOPTS
157 %token	IPFY_IPV6OPT_IPV6 IPFY_IPV6OPT_NONE IPFY_IPV6OPT_ROUTING
158 
159 %token	IPFY_ICMPT_UNR IPFY_ICMPT_ECHO IPFY_ICMPT_ECHOR IPFY_ICMPT_SQUENCH
160 %token	IPFY_ICMPT_REDIR IPFY_ICMPT_TIMEX IPFY_ICMPT_PARAMP IPFY_ICMPT_TIMEST
161 %token	IPFY_ICMPT_TIMESTREP IPFY_ICMPT_INFOREQ IPFY_ICMPT_INFOREP
162 %token	IPFY_ICMPT_MASKREQ IPFY_ICMPT_MASKREP IPFY_ICMPT_ROUTERAD
163 %token	IPFY_ICMPT_ROUTERSOL
164 
165 %token	IPFY_ICMPC_NETUNR IPFY_ICMPC_HSTUNR IPFY_ICMPC_PROUNR IPFY_ICMPC_PORUNR
166 %token	IPFY_ICMPC_NEEDF IPFY_ICMPC_SRCFAIL IPFY_ICMPC_NETUNK IPFY_ICMPC_HSTUNK
167 %token	IPFY_ICMPC_ISOLATE IPFY_ICMPC_NETPRO IPFY_ICMPC_HSTPRO
168 %token	IPFY_ICMPC_NETTOS IPFY_ICMPC_HSTTOS IPFY_ICMPC_FLTPRO IPFY_ICMPC_HSTPRE
169 %token	IPFY_ICMPC_CUTPRE
170 
171 %token	IPFY_FAC_KERN IPFY_FAC_USER IPFY_FAC_MAIL IPFY_FAC_DAEMON IPFY_FAC_AUTH
172 %token	IPFY_FAC_SYSLOG IPFY_FAC_LPR IPFY_FAC_NEWS IPFY_FAC_UUCP IPFY_FAC_CRON
173 %token	IPFY_FAC_LOCAL0 IPFY_FAC_LOCAL1 IPFY_FAC_LOCAL2 IPFY_FAC_LOCAL3
174 %token	IPFY_FAC_LOCAL4 IPFY_FAC_LOCAL5 IPFY_FAC_LOCAL6 IPFY_FAC_LOCAL7
175 %token	IPFY_FAC_SECURITY IPFY_FAC_FTP IPFY_FAC_AUTHPRIV IPFY_FAC_AUDIT
176 %token	IPFY_FAC_LFMT IPFY_FAC_CONSOLE
177 
178 %token	IPFY_PRI_EMERG IPFY_PRI_ALERT IPFY_PRI_CRIT IPFY_PRI_ERR IPFY_PRI_WARN
179 %token	IPFY_PRI_NOTICE IPFY_PRI_INFO IPFY_PRI_DEBUG
180 %%
181 file:	line
182 	| assign
183 	| file line
184 	| file assign
185 	;
186 
187 line:	xx rule		{ while ((fr = frtop) != NULL) {
188 				frtop = fr->fr_next;
189 				fr->fr_next = NULL;
190 				(*ipfaddfunc)(ipffd, ipfioctl[IPL_LOGIPF], fr);
191 				fr->fr_next = frold;
192 				frold = fr;
193 			  }
194 			  resetlexer();
195 			}
196 	| YY_COMMENT
197 	;
198 
199 xx:	{ newrule(); }
200 	;
201 
202 assign:	YY_STR assigning YY_STR ';'	{ set_variable($1, $3);
203 					  resetlexer();
204 					  free($1);
205 					  free($3);
206 					}
207 	;
208 
209 assigning:
210 	'='				{ yyvarnext = 1; }
211 	;
212 
213 rule:	inrule eol
214 	| outrule eol
215 	;
216 
217 eol:	| ';'
218 	;
219 
220 inrule:
221 	rulehead markin { ruleopts = 0; } inopts rulemain ruletail intag ruletail2
222 	;
223 
224 outrule:
225 	rulehead markout { ruleopts = 0; } outopts rulemain ruletail outtag ruletail2
226 	;
227 
228 rulehead:
229 	collection action
230 	| insert collection action
231 	;
232 
233 markin:	IPFY_IN				{ fr->fr_flags |= FR_INQUE; }
234 	;
235 
236 markout:
237 	IPFY_OUT			{ fr->fr_flags |= FR_OUTQUE; }
238 	;
239 
240 rulemain:
241 	ipfrule
242 	| bpfrule
243 	;
244 
245 ipfrule:
246 	tos ttl proto ip
247 	;
248 
249 bpfrule:
250 	IPFY_BPFV4 '{' YY_STR '}' 	{ dobpf(4, $3); free($3); }
251 	| IPFY_BPFV6 '{' YY_STR '}' 	{ dobpf(6, $3); free($3); }
252 	;
253 
254 ruletail:
255 	with keep head group
256 	;
257 
258 ruletail2:
259 	pps age new
260 	;
261 
262 intag:	settagin matchtagin
263 	;
264 
265 outtag:	settagout matchtagout
266 	;
267 
268 insert:
269 	'@' YY_NUMBER			{ fr->fr_hits = (U_QUAD_T)$2 + 1; }
270 	;
271 
272 collection:
273 	| YY_NUMBER			{ fr->fr_collect = $1; }
274 	;
275 
276 action:	block
277 	| IPFY_PASS			{ fr->fr_flags |= FR_PASS; }
278 	| log
279 	| IPFY_COUNT			{ fr->fr_flags |= FR_ACCOUNT; }
280 	| auth
281 	| IPFY_SKIP YY_NUMBER		{ fr->fr_flags |= FR_SKIP;
282 					  fr->fr_arg = $2; }
283 	| IPFY_CALL func
284 	| IPFY_CALL IPFY_NOW func	{ fr->fr_flags |= FR_CALLNOW; }
285 	;
286 
287 block:	blocked
288 	| blocked blockreturn
289 	;
290 
291 blocked:
292 	IPFY_BLOCK			{ fr->fr_flags = FR_BLOCK; }
293 	;
294 blockreturn:
295 	IPFY_RETICMP			{ fr->fr_flags |= FR_RETICMP; }
296 	| IPFY_RETICMP returncode	{ fr->fr_flags |= FR_RETICMP; }
297 	| IPFY_RETICMPASDST		{ fr->fr_flags |= FR_FAKEICMP; }
298 	| IPFY_RETICMPASDST returncode	{ fr->fr_flags |= FR_FAKEICMP; }
299 	| IPFY_RETRST			{ fr->fr_flags |= FR_RETRST; }
300 	;
301 
302 log:	IPFY_LOG			{ fr->fr_flags |= FR_LOG; }
303 	| IPFY_LOG logoptions		{ fr->fr_flags |= FR_LOG; }
304 	;
305 
306 auth:	IPFY_AUTH			{ fr->fr_flags |= FR_AUTH; }
307 	| IPFY_AUTH IPFY_RETRST		{ fr->fr_flags |= (FR_AUTH|FR_RETRST);}
308 	| IPFY_PREAUTH			{ fr->fr_flags |= FR_PREAUTH; }
309 	;
310 
311 func:	YY_STR '/' YY_NUMBER	{ fr->fr_func = nametokva($1,
312 							  ipfioctl[IPL_LOGIPF]);
313 				  fr->fr_arg = $3;
314 				  free($1); }
315 	;
316 
317 inopts:
318 	| inopts inopt
319 	;
320 
321 inopt:
322 	logopt
323 	{
324 		if ( ruleopts & OPTION_LOG )
325 			yyerror("Duplicate log option");
326 		ruleopts |= OPTION_LOG;
327 	}
328 	| quick
329 	{
330 		if ( ruleopts & OPTION_QUICK )
331 			yyerror("Duplicate quick option");
332 		ruleopts |= OPTION_QUICK;
333 	}
334 	| on
335 	{
336 		if ( ruleopts & OPTION_ON )
337 			yyerror("Duplicate on option");
338 		ruleopts |= OPTION_ON;
339 	}
340 	| dup
341 	{
342 		if ( ruleopts & OPTION_DUP )
343 			yyerror("Duplicate dup option");
344 		ruleopts |= OPTION_DUP;
345 	}
346 	| froute
347 	{
348 		if ( ruleopts & OPTION_FROUTE )
349 			yyerror("Duplicate froute option");
350 		ruleopts |= OPTION_FROUTE;
351 	}
352 	| proute
353 	{
354 		if ( ruleopts & OPTION_PROUTE )
355 			yyerror("Duplicate proute option");
356 		ruleopts |= OPTION_PROUTE;
357 	}
358 	| replyto
359 	{
360 		if ( ruleopts & OPTION_REPLYTO )
361 			yyerror("Duplicate replyto option");
362 		ruleopts |= OPTION_REPLYTO;
363 	}
364 	;
365 
366 outopts:
367 	| outopts outopt
368 	;
369 
370 outopt:
371 	logopt
372 	{
373 		if ( ruleopts & OPTION_LOG )
374 			yyerror("Duplicate log option");
375 		ruleopts |= OPTION_LOG;
376 	}
377 	| quick
378 	{
379 		if ( ruleopts & OPTION_QUICK )
380 			yyerror("Duplicate quick option");
381 		ruleopts |= OPTION_QUICK;
382 	}
383 	| on
384 	{
385 		if ( ruleopts & OPTION_ON )
386 			yyerror("Duplicate on option");
387 		ruleopts |= OPTION_ON;
388 	}
389 	| dup
390 	{
391 		if ( ruleopts & OPTION_DUP )
392 			yyerror("Duplicate dup option");
393 		ruleopts |= OPTION_DUP;
394 	}
395 	| proute
396 	{
397 		if ( ruleopts & OPTION_PROUTE )
398 			yyerror("Duplicate proute option");
399 		ruleopts |= OPTION_PROUTE;
400 	}
401 	| replyto
402 	{
403 		if ( ruleopts & OPTION_REPLYTO )
404 			yyerror("Duplicate replyto option");
405 		ruleopts |= OPTION_REPLYTO;
406 	}
407 	;
408 
409 tos:	| settos YY_NUMBER	{ DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
410 	| settos YY_HEX	{ DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
411 	| settos lstart toslist lend
412 	;
413 
414 settos:	IPFY_TOS			{ setipftype(); }
415 	;
416 
417 toslist:
418 	YY_NUMBER	{ DOALL(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
419 	| YY_HEX	{ DOREM(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
420 	| toslist lmore YY_NUMBER
421 			{ DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
422 	| toslist lmore YY_HEX
423 			{ DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
424 	;
425 
426 ttl:	| setttl YY_NUMBER
427 			{ DOALL(fr->fr_ttl = $2; fr->fr_mttl = 0xff;) }
428 	| setttl lstart ttllist lend
429 	;
430 
431 lstart:	'('				{ newlist = 1; fr = frc; added = 0; }
432 	;
433 
434 lend:	')'				{ nrules += added; }
435 	;
436 
437 lmore:	lanother			{ if (newlist == 1) {
438 						newlist = 0;
439 					  }
440 					  fr = addrule();
441 					  if (yycont != NULL)
442 						*yycont = 1;
443 					}
444 	;
445 
446 lanother:
447 	| ','
448 	;
449 
450 setttl:	IPFY_TTL			{ setipftype(); }
451 	;
452 
453 ttllist:
454 	YY_NUMBER	{ DOREM(fr->fr_ttl = $1; fr->fr_mttl = 0xff;) }
455 	| ttllist lmore YY_NUMBER
456 			{ DOREM(fr->fr_ttl = $3; fr->fr_mttl = 0xff;) }
457 	;
458 
459 proto:	| protox protocol		{ yyresetdict(); }
460 	;
461 
462 protox:	IPFY_PROTO			{ setipftype();
463 					  fr = frc;
464 					  yysetdict(NULL); }
465 	;
466 
467 ip:	srcdst flags icmp
468 	;
469 
470 group:	| IPFY_GROUP YY_STR		{ DOALL(strncpy(fr->fr_group, $2, \
471 							FR_GROUPLEN); \
472 							fillgroup(fr););
473 					  free($2); }
474 	| IPFY_GROUP YY_NUMBER		{ DOALL(sprintf(fr->fr_group, "%d", \
475 							$2); \
476 							fillgroup(fr);) }
477 	;
478 
479 head:	| IPFY_HEAD YY_STR		{ DOALL(strncpy(fr->fr_grhead, $2, \
480 							FR_GROUPLEN););
481 					  free($2); }
482 	| IPFY_HEAD YY_NUMBER		{ DOALL(sprintf(fr->fr_grhead, "%d", \
483 							$2);) }
484 	;
485 
486 settagin:
487 	| IPFY_SETTAG '(' taginlist ')'
488 	;
489 
490 taginlist:
491 	taginspec
492 	| taginlist ',' taginspec
493 	;
494 
495 taginspec:
496 	logtag
497 	|nattag
498 	;
499 
500 nattag:	IPFY_NAT '=' YY_STR		{ DOALL(strncpy(fr->fr_nattag.ipt_tag,\
501 						$3, IPFTAG_LEN););
502 					  free($3); }
503 	| IPFY_NAT '=' YY_NUMBER	{ DOALL(sprintf(fr->fr_nattag.ipt_tag,\
504 						"%d", $3 & 0xffffffff);) }
505 	;
506 
507 logtag:	IPFY_LOG '=' YY_NUMBER		{ DOALL(fr->fr_logtag = $3;) }
508 	;
509 
510 settagout:
511 	| IPFY_SETTAG '(' tagoutlist ')'
512 	;
513 
514 tagoutlist:
515 	tagoutspec
516 	| tagoutlist ',' tagoutspec
517 	;
518 
519 tagoutspec:
520 	logtag
521 	| nattag
522 	;
523 
524 matchtagin:
525 	| IPFY_MATCHTAG '(' tagoutlist ')'
526 	;
527 
528 matchtagout:
529 	| IPFY_MATCHTAG '(' taginlist ')'
530 	;
531 
532 pps:	| IPFY_PPS YY_NUMBER		{ DOALL(fr->fr_pps = $2;) }
533 	;
534 
535 new:	| savegroup file restoregroup
536 	;
537 
538 savegroup:
539 	'{'
540 	;
541 
542 restoregroup:
543 	'}'
544 	;
545 
546 logopt:	log
547 	;
548 
549 quick:
550 	IPFY_QUICK			{ fr->fr_flags |= FR_QUICK; }
551 	;
552 
553 on:	IPFY_ON onname
554 	| IPFY_ON onname IPFY_INVIA vianame
555 	| IPFY_ON onname IPFY_OUTVIA vianame
556 	;
557 
558 onname:	interfacename
559 		{ strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
560 		  free($1);
561 		}
562 	| interfacename ',' interfacename
563 		{ strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
564 		  free($1);
565 		  strncpy(fr->fr_ifnames[1], $3, sizeof(fr->fr_ifnames[1]));
566 		  free($3);
567 		}
568 	;
569 
570 vianame:
571 	name
572 		{ strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
573 		  free($1);
574 		}
575 	| name ',' name
576 		{ strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
577 		  free($1);
578 		  strncpy(fr->fr_ifnames[3], $3, sizeof(fr->fr_ifnames[3]));
579 		  free($3);
580 		}
581 	;
582 
583 dup:	IPFY_DUPTO name
584 	{ strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
585 	  free($2);
586 	}
587 	| IPFY_DUPTO name duptoseparator hostname
588 	{ strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
589 	  if (use_inet6 == 0)
590 		fr->fr_dif.fd_ip = $4.in4;
591 	  else
592 	  	bcopy(&$4, &fr->fr_dif.fd_ip6, sizeof(fr->fr_dif.fd_ip6));
593 	  yyexpectaddr = 0;
594 	  free($2);
595 	}
596 	| IPFY_DUPTO name duptoseparator YY_IPV6
597 	{ strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
598 	  bcopy(&$4, &fr->fr_dif.fd_ip6, sizeof(fr->fr_dif.fd_ip6));
599 	  yyexpectaddr = 0;
600 	  free($2);
601 	}
602 	;
603 
604 duptoseparator:
605 	':'	{ yyexpectaddr = 1; yycont = &yyexpectaddr; resetaddr(); }
606 	;
607 
608 froute:	IPFY_FROUTE			{ fr->fr_flags |= FR_FASTROUTE; }
609 	;
610 
611 proute:	routeto name
612 	{ strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
613 	  free($2);
614 	}
615 	| routeto name duptoseparator hostname
616 	{ strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
617 	  if (use_inet6 == 0)
618 		fr->fr_tif.fd_ip = $4.in4;
619 	  else
620 	  	bcopy(&$4, &fr->fr_tif.fd_ip6, sizeof(fr->fr_tif.fd_ip6));
621 	  yyexpectaddr = 0;
622 	  free($2);
623 	}
624 	| routeto name duptoseparator YY_IPV6
625 	{ strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
626 	  bcopy(&$4, &fr->fr_tif.fd_ip6, sizeof(fr->fr_tif.fd_ip6));
627 	  yyexpectaddr = 0;
628 	  free($2);
629 	}
630 	;
631 
632 routeto:
633 	IPFY_TO
634 	| IPFY_ROUTETO
635 	;
636 
637 replyto:
638 	IPFY_REPLY_TO name
639 	{ strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
640 	  free($2);
641 	}
642 	| IPFY_REPLY_TO name duptoseparator hostname
643 	{ strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
644 	  if (use_inet6 == 0)
645 		fr->fr_rif.fd_ip = $4.in4;
646 	  else
647 		bcopy(&$4, &fr->fr_rif.fd_ip6, sizeof(fr->fr_rif.fd_ip6));
648 	  yyexpectaddr = 0;
649 	  free($2);
650 	}
651 	| IPFY_REPLY_TO name duptoseparator YY_IPV6
652 	{ strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
653 	  bcopy(&$4, &fr->fr_rif.fd_ip6, sizeof(fr->fr_rif.fd_ip6));
654 	  yyexpectaddr = 0;
655 	  free($2);
656 	}
657 	;
658 
659 logoptions:
660 	logoption
661 	| logoptions logoption
662 	;
663 
664 logoption:
665 	IPFY_BODY			{ fr->fr_flags |= FR_LOGBODY; }
666 	| IPFY_FIRST			{ fr->fr_flags |= FR_LOGFIRST; }
667 	| IPFY_ORBLOCK			{ fr->fr_flags |= FR_LOGORBLOCK; }
668 	| level loglevel		{ unsetsyslog(); }
669 	;
670 
671 returncode:
672 	starticmpcode icmpcode ')'	{ fr->fr_icode = $2; yyresetdict(); }
673 	;
674 
675 starticmpcode:
676 	'('				{ yysetdict(icmpcodewords); }
677 	;
678 
679 srcdst:	| IPFY_ALL
680 	| fromto
681 	;
682 
683 protocol:
684 	YY_NUMBER		{ DOREM(fr->fr_proto = $1; \
685 					fr->fr_mproto = 0xff;) }
686 	| YY_STR		{ if (!strcmp($1, "tcp-udp")) {
687 					DOREM(fr->fr_flx |= FI_TCPUDP; \
688 					      fr->fr_mflx |= FI_TCPUDP;)
689 				  } else {
690 					int p = getproto($1);
691 					if (p == -1)
692 						yyerror("protocol unknown");
693 					DOREM(fr->fr_proto = p; \
694 						fr->fr_mproto = 0xff;)
695 				  }
696 				  free($1);
697 				}
698 	| YY_STR nextstring YY_STR
699 				{ if (!strcmp($1, "tcp") &&
700 				      !strcmp($3, "udp")) {
701 					DOREM(fr->fr_flx |= FI_TCPUDP; \
702 					      fr->fr_mflx |= FI_TCPUDP;)
703 				  } else
704 					YYERROR;
705 				  free($1);
706 				  free($3);
707 				}
708 	;
709 
710 nextstring:
711 	'/'			{ yysetdict(NULL); }
712 	;
713 
714 fromto:	from srcobject to dstobject	{ yyexpectaddr = 0; yycont = NULL; }
715 	| to dstobject			{ yyexpectaddr = 0; yycont = NULL; }
716 	| from srcobject		{ yyexpectaddr = 0; yycont = NULL; }
717 	;
718 
719 from:	IPFY_FROM			{ setipftype();
720 					  if (fr == NULL)
721 						fr = frc;
722 					  yyexpectaddr = 1;
723 					  if (yydebug)
724 						printf("set yyexpectaddr\n");
725 					  yycont = &yyexpectaddr;
726 					  yysetdict(addrwords);
727 					  resetaddr(); }
728 	;
729 
730 to:	IPFY_TO				{ if (fr == NULL)
731 						fr = frc;
732 					  yyexpectaddr = 1;
733 					  if (yydebug)
734 						printf("set yyexpectaddr\n");
735 					  yycont = &yyexpectaddr;
736 					  yysetdict(addrwords);
737 					  resetaddr(); }
738 	;
739 
740 with:	| andwith withlist
741 	;
742 
743 andwith:
744 	IPFY_WITH			{ nowith = 0; setipftype(); }
745 	| IPFY_AND			{ nowith = 0; setipftype(); }
746 	;
747 
748 flags:	| startflags flagset
749 		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
750 	| startflags flagset '/' flagset
751 		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
752 	| startflags '/' flagset
753 		{ DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
754 	| startflags YY_NUMBER
755 		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
756 	| startflags '/' YY_NUMBER
757 		{ DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
758 	| startflags YY_NUMBER '/' YY_NUMBER
759 		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
760 	| startflags flagset '/' YY_NUMBER
761 		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
762 	| startflags YY_NUMBER '/' flagset
763 		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
764 	;
765 
766 startflags:
767 	IPFY_FLAGS	{ if (frc->fr_type != FR_T_IPF)
768 				yyerror("flags with non-ipf type rule");
769 			  if (frc->fr_proto != IPPROTO_TCP)
770 				yyerror("flags with non-TCP rule");
771 			}
772 	;
773 
774 flagset:
775 	YY_STR				{ $$ = tcpflags($1); free($1); }
776 	| YY_HEX			{ $$ = $1; }
777 	;
778 
779 srcobject:
780 	{ yyresetdict(); } fromport
781 	| srcaddr srcport
782 	| '!' srcaddr srcport
783 		{ DOALL(fr->fr_flags |= FR_NOTSRCIP;) }
784 	;
785 
786 srcaddr:
787 	addr	{ DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \
788 			bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \
789 			if (dynamic != -1) { \
790 				fr->fr_satype = ifpflag; \
791 				fr->fr_ipf->fri_sifpidx = dynamic; \
792 			} else if (pooled || hashed) \
793 				fr->fr_satype = FRI_LOOKUP;)
794 		}
795 	| lstart srcaddrlist lend
796 	;
797 
798 srcaddrlist:
799 	addr	{ DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \
800 			bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \
801 			if (dynamic != -1) { \
802 				fr->fr_satype = ifpflag; \
803 				fr->fr_ipf->fri_sifpidx = dynamic; \
804 			} else if (pooled || hashed) \
805 				fr->fr_satype = FRI_LOOKUP;)
806 		}
807 	| srcaddrlist lmore addr
808 		{ DOREM(bcopy(&($3.a), &fr->fr_ip.fi_src, sizeof($3.a)); \
809 			bcopy(&($3.m), &fr->fr_mip.fi_src, sizeof($3.m)); \
810 			if (dynamic != -1) { \
811 				fr->fr_satype = ifpflag; \
812 				fr->fr_ipf->fri_sifpidx = dynamic; \
813 			} else if (pooled || hashed) \
814 				fr->fr_satype = FRI_LOOKUP;)
815 		}
816 	;
817 
818 srcport:
819 	| portcomp
820 		{ DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
821 	| portrange
822 		{ DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
823 			fr->fr_stop = $1.p2;) }
824 	| porteq lstart srcportlist lend
825 		{ yyresetdict(); }
826 	;
827 
828 fromport:
829 	portcomp
830 		{ DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
831 	| portrange
832 		{ DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
833 			fr->fr_stop = $1.p2;) }
834 	| porteq lstart srcportlist lend
835 		{ yyresetdict(); }
836 	;
837 
838 srcportlist:
839 	portnum		{ DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $1;) }
840 	| srcportlist lmore portnum
841 			{ DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $3;) }
842 	;
843 
844 dstobject:
845 	{ yyresetdict(); } toport
846 	| dstaddr dstport
847 	| '!' dstaddr dstport
848 			{ DOALL(fr->fr_flags |= FR_NOTDSTIP;) }
849 	;
850 
851 dstaddr:
852 	addr	{ DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
853 			bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \
854 			if (dynamic != -1) { \
855 				fr->fr_datype = ifpflag; \
856 				fr->fr_ipf->fri_difpidx = dynamic; \
857 			  } else if (pooled || hashed) \
858 				fr->fr_datype = FRI_LOOKUP;)
859 		}
860 	| lstart dstaddrlist lend
861 	;
862 
863 dstaddrlist:
864 	addr	{ DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
865 			bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \
866 			if (dynamic != -1) { \
867 				fr->fr_datype = ifpflag; \
868 				fr->fr_ipf->fri_difpidx = dynamic; \
869 			} else if (pooled || hashed) \
870 				fr->fr_datype = FRI_LOOKUP;)
871 		}
872 	| dstaddrlist lmore addr
873 		{ DOREM(bcopy(&($3.a), &fr->fr_ip.fi_dst, sizeof($3.a)); \
874 			bcopy(&($3.m), &fr->fr_mip.fi_dst, sizeof($3.m)); \
875 			if (dynamic != -1) { \
876 				fr->fr_datype = ifpflag; \
877 				fr->fr_ipf->fri_difpidx = dynamic; \
878 			} else if (pooled || hashed) \
879 				fr->fr_datype = FRI_LOOKUP;)
880 		}
881 	;
882 
883 
884 dstport:
885 	| portcomp
886 		{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
887 	| portrange
888 		{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
889 			fr->fr_dtop = $1.p2;) }
890 	| porteq lstart dstportlist lend
891 		{ yyresetdict(); }
892 	;
893 
894 toport:
895 	portcomp
896 		{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
897 	| portrange
898 		{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
899 			fr->fr_dtop = $1.p2;) }
900 	| porteq lstart dstportlist lend
901 		{ yyresetdict(); }
902 	;
903 
904 dstportlist:
905 	portnum		{ DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $1;) }
906 	| dstportlist lmore portnum
907 			{ DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $3;) }
908 	;
909 
910 addr:	pool '/' YY_NUMBER		{ pooled = 1;
911 					  yyexpectaddr = 0;
912 					  $$.a.iplookuptype = IPLT_POOL;
913 					  $$.a.iplookupnum = $3; }
914 	| pool '=' '(' poollist ')'	{ pooled = 1;
915 					  yyexpectaddr = 0;
916 					  $$.a.iplookuptype = IPLT_POOL;
917 					  $$.a.iplookupnum = makepool($4); }
918 	| hash '/' YY_NUMBER		{ hashed = 1;
919 					  yyexpectaddr = 0;
920 					  $$.a.iplookuptype = IPLT_HASH;
921 					  $$.a.iplookupnum = $3; }
922 	| hash '=' '(' addrlist ')'	{ hashed = 1;
923 					  yyexpectaddr = 0;
924 					  $$.a.iplookuptype = IPLT_HASH;
925 					  $$.a.iplookupnum = makehash($4); }
926 	| ipaddr			{ bcopy(&$1, &$$, sizeof($$));
927 					  yyexpectaddr = 0; }
928 	;
929 
930 ipaddr:	IPFY_ANY			{ bzero(&($$), sizeof($$));
931 					  yyresetdict();
932 					  yyexpectaddr = 0; }
933 	| hostname                      { if (use_inet6 == 0) {
934 						$$.a.in4 = $1.in4;
935 						$$.m.in4_addr = 0xffffffff;
936 					  } else {
937 						set_ipv6_addr = 1;
938 						bcopy(&$1, &$$.a, sizeof($$.a));
939 						fill6bits(128, (u_32_t *)&$$.m);
940 					  }
941 					  yyexpectaddr = 0; }
942 	| hostname                      { yyresetdict();
943 					  if (use_inet6 == 0)
944 						$$.a.in4 = $1.in4;
945 					  else {
946 						set_ipv6_addr = 1;
947 						bcopy(&$1, &$$.a, sizeof($$.a));
948 					  }
949 					}
950 		maskspace               { yysetdict(maskwords); }
951 		mask                    { if (use_inet6 == 0) {
952 						$$.m.in4_addr = $5.in4.s_addr;
953 						$$.a.in4_addr &= $5.in4.s_addr;
954 					  } else
955 						bcopy(&$5, &$$.m, sizeof($$.m));
956 					  yyresetdict();
957 					  yyexpectaddr = 0; }
958 	| YY_IPV6			{ set_ipv6_addr = 1;
959 					  bcopy(&$1, &$$.a, sizeof($$.a));
960 					  fill6bits(128, (u_32_t *)&$$.m);
961 					  yyresetdict();
962 					  yyexpectaddr = 0; }
963 	| YY_IPV6			{ set_ipv6_addr = 1;
964 					  yyresetdict();
965 					  bcopy(&$1, &$$.a, sizeof($$.a)); }
966 		maskspace               { yysetdict(maskwords); }
967 		mask                    { bcopy(&$5, &$$.m, sizeof($$.m));
968 					  yyresetdict();
969 					  yyexpectaddr = 0; }
970 	;
971 
972 maskspace:
973 	'/'
974 	| IPFY_MASK
975 	;
976 
977 mask:
978 	ipv4				{ $$.in4 = $1; }
979 	| YY_HEX			{ $$.in4.s_addr = htonl($1); }
980 	| YY_NUMBER                     { if ((use_inet6 == 0) && ($1 <= 32))
981 						ntomask(4, $1, (u_32_t *)&$$.in4);
982 					  else if ((use_inet6 != 0) && ($1 <= 128))
983 						ntomask(6, $1, $$.i6);
984 					  else {
985 						yyerror("Bad value specified for netmask");
986 						return 0;
987 					  }
988 					}
989 	| IPFY_BROADCAST		{ if (ifpflag == FRI_DYNAMIC) {
990 						bzero(&$$, sizeof($$));
991 						ifpflag = FRI_BROADCAST;
992 					  } else
993 						YYERROR;
994 					}
995 	| IPFY_NETWORK			{ if (ifpflag == FRI_DYNAMIC) {
996 						bzero(&$$, sizeof($$));
997 						ifpflag = FRI_NETWORK;
998 					  } else
999 						YYERROR;
1000 					}
1001 	| IPFY_NETMASKED		{ if (ifpflag == FRI_DYNAMIC) {
1002 						bzero(&$$, sizeof($$));
1003 						ifpflag = FRI_NETMASKED;
1004 					  } else
1005 						YYERROR;
1006 					}
1007 	| IPFY_PEER			{ if (ifpflag == FRI_DYNAMIC) {
1008 						bzero(&$$, sizeof($$));
1009 						ifpflag = FRI_PEERADDR;
1010 					  } else
1011 						YYERROR;
1012 					}
1013 	;
1014 
1015 hostname:
1016 	ipv4				{ $$.in4 = $1; }
1017 	| YY_NUMBER			{ $$.in4.s_addr = $1; }
1018 	| YY_HEX			{ $$.in4.s_addr = $1; }
1019 	| YY_STR                        { if (lookuphost($1, &$$) == 1)
1020 						free($1);
1021 					  else {
1022 						free($1);
1023 						if (ifpflag != FRI_DYNAMIC)
1024 							yyerror("Unknown hostname");
1025 					  }
1026 					}
1027 	;
1028 
1029 addrlist:
1030 	ipaddr		{ $$ = newalist(NULL);
1031 			  if (set_ipv6_addr)
1032 				  $$->al_family = AF_INET6;
1033 			  else
1034 				  $$->al_family = AF_INET;
1035 			  set_ipv6_addr = 0;
1036 			  bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
1037 			  bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); }
1038 	| addrlist ',' ipaddr
1039 			{ $$ = newalist($1);
1040 			  if (set_ipv6_addr)
1041 				  $$->al_family = AF_INET6;
1042 			  else
1043 				  $$->al_family = AF_INET;
1044 			  set_ipv6_addr = 0;
1045 			  bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
1046 			  bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); }
1047 	;
1048 
1049 pool:	IPFY_POOL	{ yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
1050 	;
1051 
1052 hash:	IPFY_HASH	{ yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
1053 	;
1054 
1055 poollist:
1056 	ipaddr		{ $$ = newalist(NULL);
1057 			  if (set_ipv6_addr)
1058 				  $$->al_family = AF_INET6;
1059 			  else
1060 				  $$->al_family = AF_INET;
1061 			  set_ipv6_addr = 0;
1062 			  bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
1063 			  bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); }
1064 	| '!' ipaddr	{ $$ = newalist(NULL);
1065 			  $$->al_not = 1;
1066 			  if (set_ipv6_addr)
1067 				  $$->al_family = AF_INET6;
1068 			  else
1069 				  $$->al_family = AF_INET;
1070 			  set_ipv6_addr = 0;
1071 			  bcopy(&($2.a), &($$->al_i6addr), sizeof($2.a));
1072 			  bcopy(&($2.m), &($$->al_i6mask), sizeof($2.m)); }
1073 	| poollist ',' ipaddr
1074 			{ $$ = newalist($1);
1075 			  if (set_ipv6_addr)
1076 				  $$->al_family = AF_INET6;
1077 			  else
1078 				  $$->al_family = AF_INET;
1079 			  set_ipv6_addr = 0;
1080 			  bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
1081 			  bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); }
1082 	| poollist ',' '!' ipaddr
1083 			{ $$ = newalist($1);
1084 			  $$->al_not = 1;
1085 			  if (set_ipv6_addr)
1086 				  $$->al_family = AF_INET6;
1087 			  else
1088 				  $$->al_family = AF_INET;
1089 			  set_ipv6_addr = 0;
1090 			  bcopy(&($4.a), &($$->al_i6addr), sizeof($4.a));
1091 			  bcopy(&($4.m), &($$->al_i6mask), sizeof($4.m)); }
1092 	;
1093 
1094 port:	IPFY_PORT			{ yyexpectaddr = 0;
1095 					  yycont = NULL;
1096 					}
1097 	;
1098 
1099 portc:	port compare			{ $$ = $2;
1100 					  yysetdict(NULL); }
1101 	| porteq			{ $$ = $1; }
1102 	;
1103 
1104 porteq:	port '='			{ $$ = FR_EQUAL;
1105 					  yysetdict(NULL); }
1106 	;
1107 
1108 portr:	IPFY_PORT			{ yyexpectaddr = 0;
1109 					  yycont = NULL;
1110 					  yysetdict(NULL); }
1111 	;
1112 
1113 portcomp:
1114 	portc portnum			{ $$.pc = $1;
1115 					  $$.p1 = $2;
1116 					  yyresetdict(); }
1117 	;
1118 
1119 portrange:
1120 	portr portnum range portnum	{ $$.p1 = $2;
1121 					  $$.pc = $3;
1122 					  $$.p2 = $4;
1123 					  yyresetdict(); }
1124 	;
1125 
1126 icmp:	| itype icode
1127 	;
1128 
1129 itype:	seticmptype icmptype
1130 	{ DOALL(fr->fr_icmp = htons($2 << 8); fr->fr_icmpm = htons(0xff00););
1131 	  yyresetdict();
1132 	}
1133 	| seticmptype lstart typelist lend	{ yyresetdict(); }
1134 	;
1135 
1136 seticmptype:
1137 	IPFY_ICMPTYPE				{ setipftype();
1138 						  yysetdict(icmptypewords); }
1139 	;
1140 
1141 icode:	| seticmpcode icmpcode
1142 	{ DOALL(fr->fr_icmp |= htons($2); fr->fr_icmpm |= htons(0xff););
1143 	  yyresetdict();
1144 	}
1145 	| seticmpcode lstart codelist lend	{ yyresetdict(); }
1146 	;
1147 
1148 seticmpcode:
1149 	IPFY_ICMPCODE				{ yysetdict(icmpcodewords); }
1150 	;
1151 
1152 typelist:
1153 	icmptype
1154 	{ DOREM(fr->fr_icmp = htons($1 << 8); fr->fr_icmpm = htons(0xff00);) }
1155 	| typelist lmore icmptype
1156 	{ DOREM(fr->fr_icmp = htons($3 << 8); fr->fr_icmpm = htons(0xff00);) }
1157 	;
1158 
1159 codelist:
1160 	icmpcode
1161 	{ DOREM(fr->fr_icmp |= htons($1); fr->fr_icmpm |= htons(0xff);) }
1162 	| codelist lmore icmpcode
1163 	{ DOREM(fr->fr_icmp |= htons($3); fr->fr_icmpm |= htons(0xff);) }
1164 	;
1165 
1166 age:	| IPFY_AGE YY_NUMBER		{ DOALL(fr->fr_age[0] = $2; \
1167 						fr->fr_age[1] = $2;) }
1168 	| IPFY_AGE YY_NUMBER '/' YY_NUMBER
1169 					{ DOALL(fr->fr_age[0] = $2; \
1170 						fr->fr_age[1] = $4;) }
1171 	;
1172 
1173 keep:	| IPFY_KEEP keepstate
1174 	| IPFY_KEEP keepfrag
1175 	| IPFY_KEEP keepstate IPFY_KEEP keepfrag
1176 	| IPFY_KEEP keepfrag IPFY_KEEP keepstate
1177 	;
1178 
1179 keepstate:
1180 	IPFY_STATE stateoptlist		{ DOALL(fr->fr_flags |= FR_KEEPSTATE;)}
1181 	;
1182 
1183 keepfrag:
1184 	IPFY_FRAGS fragoptlist		{ DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
1185 	| IPFY_FRAG fragoptlist		{ DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
1186 	;
1187 
1188 fragoptlist:
1189 	| '(' fragopts ')'
1190 	;
1191 
1192 fragopts:
1193 	fragopt lanother fragopts
1194 	| fragopt
1195 	;
1196 
1197 fragopt:
1198 	IPFY_STRICT			{ DOALL(fr->fr_flags |= FR_FRSTRICT;) }
1199 	;
1200 
1201 stateoptlist:
1202 	| '(' stateopts ')'
1203 	;
1204 
1205 stateopts:
1206 	stateopt lanother stateopts
1207 	| stateopt
1208 	;
1209 
1210 stateopt:
1211 	IPFY_LIMIT YY_NUMBER	{ DOALL(fr->fr_statemax = $2;) }
1212 	| IPFY_STRICT		{ DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
1213 						YYERROR; \
1214 					  } else \
1215 						fr->fr_flags |= FR_STSTRICT;)
1216 				}
1217 	| IPFY_NEWISN		{ DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
1218 						YYERROR; \
1219 					  } else \
1220 						fr->fr_flags |= FR_NEWISN;)
1221 				}
1222 	| IPFY_NOICMPERR	{ DOALL(fr->fr_flags |= FR_NOICMPERR;) }
1223 
1224 	| IPFY_SYNC		{ DOALL(fr->fr_flags |= FR_STATESYNC;) }
1225 	;
1226 
1227 portnum:
1228 	servicename			{ if (getport(frc, $1, &($$)) == -1)
1229 						yyerror("service unknown");
1230 					  else
1231 						$$ = ntohs($$);
1232 					  free($1);
1233 					}
1234 	| YY_NUMBER			{ if ($1 > 65535)	/* Unsigned */
1235 						yyerror("invalid port number");
1236 					  else
1237 						$$ = $1;
1238 					}
1239 	;
1240 
1241 withlist:
1242 	withopt
1243 	| withlist withopt
1244 	| withlist ',' withopt
1245 	;
1246 
1247 withopt:
1248 	opttype		{ DOALL(fr->fr_flx |= $1; fr->fr_mflx |= $1;) }
1249 	| notwith opttype
1250 					{ DOALL(fr->fr_mflx |= $2;) }
1251 	| ipopt ipopts			{ yyresetdict(); }
1252 	| notwith ipopt ipopts		{ yyresetdict(); }
1253 	| startv6hdrs ipv6hdrs		{ yyresetdict(); }
1254 	;
1255 
1256 ipopt:	IPFY_OPT			{ yysetdict(ipv4optwords); }
1257 	;
1258 
1259 startv6hdrs:
1260 	IPF6_V6HDRS	{ if (use_inet6 == 0)
1261 				yyerror("only available with IPv6");
1262 			  yysetdict(ipv6optwords);
1263 			}
1264 	;
1265 
1266 notwith:
1267 	IPFY_NOT			{ nowith = 1; }
1268 	| IPFY_NO			{ nowith = 1; }
1269 	;
1270 
1271 opttype:
1272 	IPFY_IPOPTS			{ $$ = FI_OPTIONS; }
1273 	| IPFY_SHORT			{ $$ = FI_SHORT; }
1274 	| IPFY_NAT			{ $$ = FI_NATED; }
1275 	| IPFY_BAD			{ $$ = FI_BAD; }
1276 	| IPFY_BADNAT			{ $$ = FI_BADNAT; }
1277 	| IPFY_BADSRC			{ $$ = FI_BADSRC; }
1278 	| IPFY_LOWTTL			{ $$ = FI_LOWTTL; }
1279 	| IPFY_FRAG			{ $$ = FI_FRAG; }
1280 	| IPFY_FRAGBODY			{ $$ = FI_FRAGBODY; }
1281 	| IPFY_FRAGS			{ $$ = FI_FRAG; }
1282 	| IPFY_MBCAST			{ $$ = FI_MBCAST; }
1283 	| IPFY_MULTICAST		{ $$ = FI_MULTICAST; }
1284 	| IPFY_BROADCAST		{ $$ = FI_BROADCAST; }
1285 	| IPFY_STATE			{ $$ = FI_STATE; }
1286 	| IPFY_OOW			{ $$ = FI_OOW; }
1287 	;
1288 
1289 ipopts:	optlist		{ DOALL(fr->fr_mip.fi_optmsk |= $1;
1290 				if (!nowith)
1291 					fr->fr_ip.fi_optmsk |= $1;)
1292 			}
1293 	;
1294 
1295 optlist:
1296 	opt				{ $$ |= $1; }
1297 	| optlist ',' opt		{ $$ |= $1 | $3; }
1298 	;
1299 
1300 ipv6hdrs:
1301 	ipv6hdrlist	{ DOALL(fr->fr_mip.fi_optmsk |= $1;
1302 				if (!nowith)
1303 					fr->fr_ip.fi_optmsk |= $1;)
1304 			}
1305 	;
1306 
1307 ipv6hdrlist:
1308 	ipv6hdr				{ $$ |= $1; }
1309 	| ipv6hdrlist ',' ipv6hdr	{ $$ |= $1 | $3; }
1310 	;
1311 
1312 secname:
1313 	seclevel			{ $$ |= $1; }
1314 	| secname ',' seclevel		{ $$ |= $1 | $3; }
1315 	;
1316 
1317 seclevel:
1318 	IPFY_SEC_UNC			{ $$ = secbit(IPSO_CLASS_UNCL); }
1319 	| IPFY_SEC_CONF			{ $$ = secbit(IPSO_CLASS_CONF); }
1320 	| IPFY_SEC_RSV1			{ $$ = secbit(IPSO_CLASS_RES1); }
1321 	| IPFY_SEC_RSV2			{ $$ = secbit(IPSO_CLASS_RES2); }
1322 	| IPFY_SEC_RSV3			{ $$ = secbit(IPSO_CLASS_RES3); }
1323 	| IPFY_SEC_RSV4			{ $$ = secbit(IPSO_CLASS_RES4); }
1324 	| IPFY_SEC_SEC			{ $$ = secbit(IPSO_CLASS_SECR); }
1325 	| IPFY_SEC_TS			{ $$ = secbit(IPSO_CLASS_TOPS); }
1326 	;
1327 
1328 icmptype:
1329 	YY_NUMBER			{ $$ = $1; }
1330 	| IPFY_ICMPT_UNR		{ $$ = ICMP_UNREACH; }
1331 	| IPFY_ICMPT_ECHO		{ $$ = ICMP_ECHO; }
1332 	| IPFY_ICMPT_ECHOR		{ $$ = ICMP_ECHOREPLY; }
1333 	| IPFY_ICMPT_SQUENCH		{ $$ = ICMP_SOURCEQUENCH; }
1334 	| IPFY_ICMPT_REDIR		{ $$ = ICMP_REDIRECT; }
1335 	| IPFY_ICMPT_TIMEX		{ $$ = ICMP_TIMXCEED; }
1336 	| IPFY_ICMPT_PARAMP		{ $$ = ICMP_PARAMPROB; }
1337 	| IPFY_ICMPT_TIMEST		{ $$ = ICMP_TSTAMP; }
1338 	| IPFY_ICMPT_TIMESTREP		{ $$ = ICMP_TSTAMPREPLY; }
1339 	| IPFY_ICMPT_INFOREQ		{ $$ = ICMP_IREQ; }
1340 	| IPFY_ICMPT_INFOREP		{ $$ = ICMP_IREQREPLY; }
1341 	| IPFY_ICMPT_MASKREQ		{ $$ = ICMP_MASKREQ; }
1342 	| IPFY_ICMPT_MASKREP		{ $$ = ICMP_MASKREPLY; }
1343 	| IPFY_ICMPT_ROUTERAD		{ $$ = ICMP_ROUTERADVERT; }
1344 	| IPFY_ICMPT_ROUTERSOL		{ $$ = ICMP_ROUTERSOLICIT; }
1345 	;
1346 
1347 icmpcode:
1348 	YY_NUMBER			{ $$ = $1; }
1349 	| IPFY_ICMPC_NETUNR		{ $$ = ICMP_UNREACH_NET; }
1350 	| IPFY_ICMPC_HSTUNR		{ $$ = ICMP_UNREACH_HOST; }
1351 	| IPFY_ICMPC_PROUNR		{ $$ = ICMP_UNREACH_PROTOCOL; }
1352 	| IPFY_ICMPC_PORUNR		{ $$ = ICMP_UNREACH_PORT; }
1353 	| IPFY_ICMPC_NEEDF		{ $$ = ICMP_UNREACH_NEEDFRAG; }
1354 	| IPFY_ICMPC_SRCFAIL		{ $$ = ICMP_UNREACH_SRCFAIL; }
1355 	| IPFY_ICMPC_NETUNK		{ $$ = ICMP_UNREACH_NET_UNKNOWN; }
1356 	| IPFY_ICMPC_HSTUNK		{ $$ = ICMP_UNREACH_HOST_UNKNOWN; }
1357 	| IPFY_ICMPC_ISOLATE		{ $$ = ICMP_UNREACH_ISOLATED; }
1358 	| IPFY_ICMPC_NETPRO		{ $$ = ICMP_UNREACH_NET_PROHIB; }
1359 	| IPFY_ICMPC_HSTPRO		{ $$ = ICMP_UNREACH_HOST_PROHIB; }
1360 	| IPFY_ICMPC_NETTOS		{ $$ = ICMP_UNREACH_TOSNET; }
1361 	| IPFY_ICMPC_HSTTOS		{ $$ = ICMP_UNREACH_TOSHOST; }
1362 	| IPFY_ICMPC_FLTPRO		{ $$ = ICMP_UNREACH_ADMIN_PROHIBIT; }
1363 	| IPFY_ICMPC_HSTPRE		{ $$ = 14; }
1364 	| IPFY_ICMPC_CUTPRE		{ $$ = 15; }
1365 	;
1366 
1367 opt:
1368 	IPFY_IPOPT_NOP			{ $$ = getoptbyvalue(IPOPT_NOP); }
1369 	| IPFY_IPOPT_RR			{ $$ = getoptbyvalue(IPOPT_RR); }
1370 	| IPFY_IPOPT_ZSU		{ $$ = getoptbyvalue(IPOPT_ZSU); }
1371 	| IPFY_IPOPT_MTUP		{ $$ = getoptbyvalue(IPOPT_MTUP); }
1372 	| IPFY_IPOPT_MTUR		{ $$ = getoptbyvalue(IPOPT_MTUR); }
1373 	| IPFY_IPOPT_ENCODE		{ $$ = getoptbyvalue(IPOPT_ENCODE); }
1374 	| IPFY_IPOPT_TS			{ $$ = getoptbyvalue(IPOPT_TS); }
1375 	| IPFY_IPOPT_TR			{ $$ = getoptbyvalue(IPOPT_TR); }
1376 	| IPFY_IPOPT_SEC		{ $$ = getoptbyvalue(IPOPT_SECURITY); }
1377 	| IPFY_IPOPT_LSRR		{ $$ = getoptbyvalue(IPOPT_LSRR); }
1378 	| IPFY_IPOPT_ESEC		{ $$ = getoptbyvalue(IPOPT_E_SEC); }
1379 	| IPFY_IPOPT_CIPSO		{ $$ = getoptbyvalue(IPOPT_CIPSO); }
1380 	| IPFY_IPOPT_SATID		{ $$ = getoptbyvalue(IPOPT_SATID); }
1381 	| IPFY_IPOPT_SSRR		{ $$ = getoptbyvalue(IPOPT_SSRR); }
1382 	| IPFY_IPOPT_ADDEXT		{ $$ = getoptbyvalue(IPOPT_ADDEXT); }
1383 	| IPFY_IPOPT_VISA		{ $$ = getoptbyvalue(IPOPT_VISA); }
1384 	| IPFY_IPOPT_IMITD		{ $$ = getoptbyvalue(IPOPT_IMITD); }
1385 	| IPFY_IPOPT_EIP		{ $$ = getoptbyvalue(IPOPT_EIP); }
1386 	| IPFY_IPOPT_FINN		{ $$ = getoptbyvalue(IPOPT_FINN); }
1387 	| IPFY_IPOPT_DPS		{ $$ = getoptbyvalue(IPOPT_DPS); }
1388 	| IPFY_IPOPT_SDB		{ $$ = getoptbyvalue(IPOPT_SDB); }
1389 	| IPFY_IPOPT_NSAPA		{ $$ = getoptbyvalue(IPOPT_NSAPA); }
1390 	| IPFY_IPOPT_RTRALRT		{ $$ = getoptbyvalue(IPOPT_RTRALRT); }
1391 	| IPFY_IPOPT_UMP		{ $$ = getoptbyvalue(IPOPT_UMP); }
1392 	| setsecclass secname
1393 			{ DOALL(fr->fr_mip.fi_secmsk |= $2;
1394 				if (!nowith)
1395 					fr->fr_ip.fi_secmsk |= $2;)
1396 			  $$ = 0;
1397 			  yyresetdict();
1398 			}
1399 	;
1400 
1401 setsecclass:
1402 	IPFY_SECCLASS	{ yysetdict(ipv4secwords); }
1403 	;
1404 
1405 ipv6hdr:
1406 	IPFY_AH			{ $$ = getv6optbyvalue(IPPROTO_AH); }
1407 	| IPFY_IPV6OPT_DSTOPTS	{ $$ = getv6optbyvalue(IPPROTO_DSTOPTS); }
1408 	| IPFY_ESP		{ $$ = getv6optbyvalue(IPPROTO_ESP); }
1409 	| IPFY_IPV6OPT_HOPOPTS	{ $$ = getv6optbyvalue(IPPROTO_HOPOPTS); }
1410 	| IPFY_IPV6OPT_IPV6	{ $$ = getv6optbyvalue(IPPROTO_IPV6); }
1411 	| IPFY_IPV6OPT_NONE	{ $$ = getv6optbyvalue(IPPROTO_NONE); }
1412 	| IPFY_IPV6OPT_ROUTING	{ $$ = getv6optbyvalue(IPPROTO_ROUTING); }
1413 	| IPFY_FRAG		{ $$ = getv6optbyvalue(IPPROTO_FRAGMENT); }
1414 	;
1415 
1416 level:	IPFY_LEVEL			{ setsyslog(); }
1417 	;
1418 
1419 loglevel:
1420 	priority			{ fr->fr_loglevel = LOG_LOCAL0|$1; }
1421 	| facility '.' priority		{ fr->fr_loglevel = $1 | $3; }
1422 	;
1423 
1424 facility:
1425 	IPFY_FAC_KERN			{ $$ = LOG_KERN; }
1426 	| IPFY_FAC_USER			{ $$ = LOG_USER; }
1427 	| IPFY_FAC_MAIL			{ $$ = LOG_MAIL; }
1428 	| IPFY_FAC_DAEMON		{ $$ = LOG_DAEMON; }
1429 	| IPFY_FAC_AUTH			{ $$ = LOG_AUTH; }
1430 	| IPFY_FAC_SYSLOG		{ $$ = LOG_SYSLOG; }
1431 	| IPFY_FAC_LPR			{ $$ = LOG_LPR; }
1432 	| IPFY_FAC_NEWS			{ $$ = LOG_NEWS; }
1433 	| IPFY_FAC_UUCP			{ $$ = LOG_UUCP; }
1434 	| IPFY_FAC_CRON			{ $$ = LOG_CRON; }
1435 	| IPFY_FAC_FTP			{ $$ = LOG_FTP; }
1436 	| IPFY_FAC_AUTHPRIV		{ $$ = LOG_AUTHPRIV; }
1437 	| IPFY_FAC_AUDIT		{ $$ = LOG_AUDIT; }
1438 	| IPFY_FAC_LFMT			{ $$ = LOG_LFMT; }
1439 	| IPFY_FAC_LOCAL0		{ $$ = LOG_LOCAL0; }
1440 	| IPFY_FAC_LOCAL1		{ $$ = LOG_LOCAL1; }
1441 	| IPFY_FAC_LOCAL2		{ $$ = LOG_LOCAL2; }
1442 	| IPFY_FAC_LOCAL3		{ $$ = LOG_LOCAL3; }
1443 	| IPFY_FAC_LOCAL4		{ $$ = LOG_LOCAL4; }
1444 	| IPFY_FAC_LOCAL5		{ $$ = LOG_LOCAL5; }
1445 	| IPFY_FAC_LOCAL6		{ $$ = LOG_LOCAL6; }
1446 	| IPFY_FAC_LOCAL7		{ $$ = LOG_LOCAL7; }
1447 	| IPFY_FAC_SECURITY		{ $$ = LOG_SECURITY; }
1448 	;
1449 
1450 priority:
1451 	IPFY_PRI_EMERG			{ $$ = LOG_EMERG; }
1452 	| IPFY_PRI_ALERT		{ $$ = LOG_ALERT; }
1453 	| IPFY_PRI_CRIT			{ $$ = LOG_CRIT; }
1454 	| IPFY_PRI_ERR			{ $$ = LOG_ERR; }
1455 	| IPFY_PRI_WARN			{ $$ = LOG_WARNING; }
1456 	| IPFY_PRI_NOTICE		{ $$ = LOG_NOTICE; }
1457 	| IPFY_PRI_INFO			{ $$ = LOG_INFO; }
1458 	| IPFY_PRI_DEBUG		{ $$ = LOG_DEBUG; }
1459 	;
1460 
1461 compare:
1462 	YY_CMP_EQ			{ $$ = FR_EQUAL; }
1463 	| YY_CMP_NE			{ $$ = FR_NEQUAL; }
1464 	| YY_CMP_LT			{ $$ = FR_LESST; }
1465 	| YY_CMP_LE			{ $$ = FR_LESSTE; }
1466 	| YY_CMP_GT			{ $$ = FR_GREATERT; }
1467 	| YY_CMP_GE			{ $$ = FR_GREATERTE; }
1468 	;
1469 
1470 range:	YY_RANGE_IN			{ $$ = FR_INRANGE; }
1471 	| YY_RANGE_OUT			{ $$ = FR_OUTRANGE; }
1472 	| ':'				{ $$ = FR_INCRANGE; }
1473 	;
1474 
1475 servicename:
1476 	YY_STR				{ $$ = $1; }
1477 	;
1478 
1479 interfacename:	YY_STR			{ $$ = $1; }
1480 	| YY_STR ':' YY_NUMBER
1481 		{ $$ = $1;
1482 		  fprintf(stderr, "%d: Logical interface %s:%d unsupported, "
1483 			  "use the physical interface %s instead.\n",
1484 			  yylineNum, $1, $3, $1);
1485 		}
1486 	;
1487 
1488 name:	YY_STR				{ $$ = $1; }
1489 	;
1490 
1491 ipv4_16:
1492 	YY_NUMBER '.' YY_NUMBER
1493 		{ if ($1 > 255 || $3 > 255) {
1494 			yyerror("Invalid octet string for IP address");
1495 			return 0;
1496 		  }
1497 		  $$.s_addr = ($1 << 24) | ($3 << 16);
1498 		  $$.s_addr = htonl($$.s_addr);
1499 		}
1500 	;
1501 
1502 ipv4_24:
1503 	ipv4_16 '.' YY_NUMBER
1504 		{ if ($3 > 255) {
1505 			yyerror("Invalid octet string for IP address");
1506 			return 0;
1507 		  }
1508 		  $$.s_addr |= htonl($3 << 8);
1509 		}
1510 	;
1511 
1512 ipv4:	ipv4_24 '.' YY_NUMBER
1513 		{ if ($3 > 255) {
1514 			yyerror("Invalid octet string for IP address");
1515 			return 0;
1516 		  }
1517 		  $$.s_addr |= htonl($3);
1518 		}
1519 	| ipv4_24
1520 	| ipv4_16
1521 	;
1522 
1523 %%
1524 
1525 
1526 static	struct	wordtab ipfwords[95] = {
1527 	{ "age",			IPFY_AGE },
1528 	{ "ah",				IPFY_AH },
1529 	{ "all",			IPFY_ALL },
1530 	{ "and",			IPFY_AND },
1531 	{ "auth",			IPFY_AUTH },
1532 	{ "bad",			IPFY_BAD },
1533 	{ "bad-nat",			IPFY_BADNAT },
1534 	{ "bad-src",			IPFY_BADSRC },
1535 	{ "bcast",			IPFY_BROADCAST },
1536 	{ "block",			IPFY_BLOCK },
1537 	{ "body",			IPFY_BODY },
1538 	{ "bpf-v4",			IPFY_BPFV4 },
1539 #ifdef USE_INET6
1540 	{ "bpf-v6",			IPFY_BPFV6 },
1541 #endif
1542 	{ "call",			IPFY_CALL },
1543 	{ "code",			IPFY_ICMPCODE },
1544 	{ "count",			IPFY_COUNT },
1545 	{ "dup-to",			IPFY_DUPTO },
1546 	{ "eq",				YY_CMP_EQ },
1547 	{ "esp",			IPFY_ESP },
1548 	{ "fastroute",			IPFY_FROUTE },
1549 	{ "first",			IPFY_FIRST },
1550 	{ "flags",			IPFY_FLAGS },
1551 	{ "frag",			IPFY_FRAG },
1552 	{ "frag-body",			IPFY_FRAGBODY },
1553 	{ "frags",			IPFY_FRAGS },
1554 	{ "from",			IPFY_FROM },
1555 	{ "ge",				YY_CMP_GE },
1556 	{ "group",			IPFY_GROUP },
1557 	{ "gt",				YY_CMP_GT },
1558 	{ "head",			IPFY_HEAD },
1559 	{ "icmp",			IPFY_ICMP },
1560 	{ "icmp-type",			IPFY_ICMPTYPE },
1561 	{ "in",				IPFY_IN },
1562 	{ "in-via",			IPFY_INVIA },
1563 	{ "ipopt",			IPFY_IPOPTS },
1564 	{ "ipopts",			IPFY_IPOPTS },
1565 	{ "keep",			IPFY_KEEP },
1566 	{ "le",				YY_CMP_LE },
1567 	{ "level",			IPFY_LEVEL },
1568 	{ "limit",			IPFY_LIMIT },
1569 	{ "log",			IPFY_LOG },
1570 	{ "lowttl",			IPFY_LOWTTL },
1571 	{ "lt",				YY_CMP_LT },
1572 	{ "mask",			IPFY_MASK },
1573 	{ "match-tag",			IPFY_MATCHTAG },
1574 	{ "mbcast",			IPFY_MBCAST },
1575 	{ "multicast",			IPFY_MULTICAST },
1576 	{ "nat",			IPFY_NAT },
1577 	{ "ne",				YY_CMP_NE },
1578 	{ "net",			IPFY_NETWORK },
1579 	{ "newisn",			IPFY_NEWISN },
1580 	{ "no",				IPFY_NO },
1581 	{ "no-icmp-err",		IPFY_NOICMPERR },
1582 	{ "now",			IPFY_NOW },
1583 	{ "not",			IPFY_NOT },
1584 	{ "oow",			IPFY_OOW },
1585 	{ "on",				IPFY_ON },
1586 	{ "opt",			IPFY_OPT },
1587 	{ "or-block",			IPFY_ORBLOCK },
1588 	{ "out",			IPFY_OUT },
1589 	{ "out-via",			IPFY_OUTVIA },
1590 	{ "pass",			IPFY_PASS },
1591 	{ "port",			IPFY_PORT },
1592 	{ "pps",			IPFY_PPS },
1593 	{ "preauth",			IPFY_PREAUTH },
1594 	{ "proto",			IPFY_PROTO },
1595 	{ "quick",			IPFY_QUICK },
1596 	{ "reply-to",			IPFY_REPLY_TO },
1597 	{ "return-icmp",		IPFY_RETICMP },
1598 	{ "return-icmp-as-dest",	IPFY_RETICMPASDST },
1599 	{ "return-rst",			IPFY_RETRST },
1600 	{ "route-to",			IPFY_ROUTETO },
1601 	{ "sec-class",			IPFY_SECCLASS },
1602 	{ "set-tag",			IPFY_SETTAG },
1603 	{ "skip",			IPFY_SKIP },
1604 	{ "short",			IPFY_SHORT },
1605 	{ "state",			IPFY_STATE },
1606 	{ "state-age",			IPFY_AGE },
1607 	{ "strict",			IPFY_STRICT },
1608 	{ "sync",			IPFY_SYNC },
1609 	{ "tcp",			IPFY_TCP },
1610 	{ "tcp-udp",			IPFY_TCPUDP },
1611 	{ "tos",			IPFY_TOS },
1612 	{ "to",				IPFY_TO },
1613 	{ "ttl",			IPFY_TTL },
1614 	{ "udp",			IPFY_UDP },
1615 	{ "v6hdrs",			IPF6_V6HDRS },
1616 	{ "with",			IPFY_WITH },
1617 	{ NULL,				0 }
1618 };
1619 
1620 static	struct	wordtab	addrwords[4] = {
1621 	{ "any",			IPFY_ANY },
1622 	{ "hash",			IPFY_HASH },
1623 	{ "pool",			IPFY_POOL },
1624 	{ NULL,				0 }
1625 };
1626 
1627 static	struct	wordtab	maskwords[5] = {
1628 	{ "broadcast",			IPFY_BROADCAST },
1629 	{ "netmasked",			IPFY_NETMASKED },
1630 	{ "network",			IPFY_NETWORK },
1631 	{ "peer",			IPFY_PEER },
1632 	{ NULL,				0 }
1633 };
1634 
1635 static	struct	wordtab icmptypewords[16] = {
1636 	{ "echo",			IPFY_ICMPT_ECHO },
1637 	{ "echorep",			IPFY_ICMPT_ECHOR },
1638 	{ "inforeq",			IPFY_ICMPT_INFOREQ },
1639 	{ "inforep",			IPFY_ICMPT_INFOREP },
1640 	{ "maskrep",			IPFY_ICMPT_MASKREP },
1641 	{ "maskreq",			IPFY_ICMPT_MASKREQ },
1642 	{ "paramprob",			IPFY_ICMPT_PARAMP },
1643 	{ "redir",			IPFY_ICMPT_REDIR },
1644 	{ "unreach",			IPFY_ICMPT_UNR },
1645 	{ "routerad",			IPFY_ICMPT_ROUTERAD },
1646 	{ "routersol",			IPFY_ICMPT_ROUTERSOL },
1647 	{ "squench",			IPFY_ICMPT_SQUENCH },
1648 	{ "timest",			IPFY_ICMPT_TIMEST },
1649 	{ "timestrep",			IPFY_ICMPT_TIMESTREP },
1650 	{ "timex",			IPFY_ICMPT_TIMEX },
1651 	{ NULL,				0 },
1652 };
1653 
1654 static	struct	wordtab icmpcodewords[17] = {
1655 	{ "cutoff-preced",		IPFY_ICMPC_CUTPRE },
1656 	{ "filter-prohib",		IPFY_ICMPC_FLTPRO },
1657 	{ "isolate",			IPFY_ICMPC_ISOLATE },
1658 	{ "needfrag",			IPFY_ICMPC_NEEDF },
1659 	{ "net-prohib",			IPFY_ICMPC_NETPRO },
1660 	{ "net-tos",			IPFY_ICMPC_NETTOS },
1661 	{ "host-preced",		IPFY_ICMPC_HSTPRE },
1662 	{ "host-prohib",		IPFY_ICMPC_HSTPRO },
1663 	{ "host-tos",			IPFY_ICMPC_HSTTOS },
1664 	{ "host-unk",			IPFY_ICMPC_HSTUNK },
1665 	{ "host-unr",			IPFY_ICMPC_HSTUNR },
1666 	{ "net-unk",			IPFY_ICMPC_NETUNK },
1667 	{ "net-unr",			IPFY_ICMPC_NETUNR },
1668 	{ "port-unr",			IPFY_ICMPC_PORUNR },
1669 	{ "proto-unr",			IPFY_ICMPC_PROUNR },
1670 	{ "srcfail",			IPFY_ICMPC_SRCFAIL },
1671 	{ NULL,				0 },
1672 };
1673 
1674 static	struct	wordtab ipv4optwords[25] = {
1675 	{ "addext",			IPFY_IPOPT_ADDEXT },
1676 	{ "cipso",			IPFY_IPOPT_CIPSO },
1677 	{ "dps",			IPFY_IPOPT_DPS },
1678 	{ "e-sec",			IPFY_IPOPT_ESEC },
1679 	{ "eip",			IPFY_IPOPT_EIP },
1680 	{ "encode",			IPFY_IPOPT_ENCODE },
1681 	{ "finn",			IPFY_IPOPT_FINN },
1682 	{ "imitd",			IPFY_IPOPT_IMITD },
1683 	{ "lsrr",			IPFY_IPOPT_LSRR },
1684 	{ "mtup",			IPFY_IPOPT_MTUP },
1685 	{ "mtur",			IPFY_IPOPT_MTUR },
1686 	{ "nop",			IPFY_IPOPT_NOP },
1687 	{ "nsapa",			IPFY_IPOPT_NSAPA },
1688 	{ "rr",				IPFY_IPOPT_RR },
1689 	{ "rtralrt",			IPFY_IPOPT_RTRALRT },
1690 	{ "satid",			IPFY_IPOPT_SATID },
1691 	{ "sdb",			IPFY_IPOPT_SDB },
1692 	{ "sec",			IPFY_IPOPT_SEC },
1693 	{ "ssrr",			IPFY_IPOPT_SSRR },
1694 	{ "tr",				IPFY_IPOPT_TR },
1695 	{ "ts",				IPFY_IPOPT_TS },
1696 	{ "ump",			IPFY_IPOPT_UMP },
1697 	{ "visa",			IPFY_IPOPT_VISA },
1698 	{ "zsu",			IPFY_IPOPT_ZSU },
1699 	{ NULL,				0 },
1700 };
1701 
1702 static	struct	wordtab ipv4secwords[9] = {
1703 	{ "confid",			IPFY_SEC_CONF },
1704 	{ "reserv-1",			IPFY_SEC_RSV1 },
1705 	{ "reserv-2",			IPFY_SEC_RSV2 },
1706 	{ "reserv-3",			IPFY_SEC_RSV3 },
1707 	{ "reserv-4",			IPFY_SEC_RSV4 },
1708 	{ "secret",			IPFY_SEC_SEC },
1709 	{ "topsecret",			IPFY_SEC_TS },
1710 	{ "unclass",			IPFY_SEC_UNC },
1711 	{ NULL,				0 },
1712 };
1713 
1714 static	struct	wordtab ipv6optwords[8] = {
1715 	{ "dstopts",			IPFY_IPV6OPT_DSTOPTS },
1716 	{ "esp",			IPFY_ESP },
1717 	{ "frag",			IPFY_FRAG },
1718 	{ "hopopts",			IPFY_IPV6OPT_HOPOPTS },
1719 	{ "ipv6",			IPFY_IPV6OPT_IPV6 },
1720 	{ "none",			IPFY_IPV6OPT_NONE },
1721 	{ "routing",			IPFY_IPV6OPT_ROUTING },
1722 	{ NULL,				0 },
1723 };
1724 
1725 static	struct	wordtab logwords[33] = {
1726 	{ "kern",			IPFY_FAC_KERN },
1727 	{ "user",			IPFY_FAC_USER },
1728 	{ "mail",			IPFY_FAC_MAIL },
1729 	{ "daemon",			IPFY_FAC_DAEMON },
1730 	{ "auth",			IPFY_FAC_AUTH },
1731 	{ "syslog",			IPFY_FAC_SYSLOG },
1732 	{ "lpr",			IPFY_FAC_LPR },
1733 	{ "news",			IPFY_FAC_NEWS },
1734 	{ "uucp",			IPFY_FAC_UUCP },
1735 	{ "cron",			IPFY_FAC_CRON },
1736 	{ "ftp",			IPFY_FAC_FTP },
1737 	{ "authpriv",			IPFY_FAC_AUTHPRIV },
1738 	{ "audit",			IPFY_FAC_AUDIT },
1739 	{ "logalert",			IPFY_FAC_LFMT },
1740 	{ "console",			IPFY_FAC_CONSOLE },
1741 	{ "security",			IPFY_FAC_SECURITY },
1742 	{ "local0",			IPFY_FAC_LOCAL0 },
1743 	{ "local1",			IPFY_FAC_LOCAL1 },
1744 	{ "local2",			IPFY_FAC_LOCAL2 },
1745 	{ "local3",			IPFY_FAC_LOCAL3 },
1746 	{ "local4",			IPFY_FAC_LOCAL4 },
1747 	{ "local5",			IPFY_FAC_LOCAL5 },
1748 	{ "local6",			IPFY_FAC_LOCAL6 },
1749 	{ "local7",			IPFY_FAC_LOCAL7 },
1750 	{ "emerg",			IPFY_PRI_EMERG },
1751 	{ "alert",			IPFY_PRI_ALERT },
1752 	{ "crit",			IPFY_PRI_CRIT },
1753 	{ "err",			IPFY_PRI_ERR },
1754 	{ "warn",			IPFY_PRI_WARN },
1755 	{ "notice",			IPFY_PRI_NOTICE },
1756 	{ "info",			IPFY_PRI_INFO },
1757 	{ "debug",			IPFY_PRI_DEBUG },
1758 	{ NULL,				0 },
1759 };
1760 
1761 
1762 
1763 
1764 int ipf_parsefile(fd, addfunc, iocfuncs, filename)
1765 int fd;
1766 addfunc_t addfunc;
1767 ioctlfunc_t *iocfuncs;
1768 char *filename;
1769 {
1770 	FILE *fp = NULL;
1771 	char *s;
1772 
1773 	yylineNum = 1;
1774 	yysettab(ipfwords);
1775 
1776 	s = getenv("YYDEBUG");
1777 	if (s != NULL)
1778 		yydebug = atoi(s);
1779 	else
1780 		yydebug = 0;
1781 
1782 	if (strcmp(filename, "-")) {
1783 		fp = fopen(filename, "r");
1784 		if (fp == NULL) {
1785 			fprintf(stderr, "fopen(%s) failed: %s\n", filename,
1786 				STRERROR(errno));
1787 			return -1;
1788 		}
1789 	} else
1790 		fp = stdin;
1791 
1792 	while (ipf_parsesome(fd, addfunc, iocfuncs, fp) == 1)
1793 		;
1794 	if (fp != NULL)
1795 		fclose(fp);
1796 	return 0;
1797 }
1798 
1799 
1800 int ipf_parsesome(fd, addfunc, iocfuncs, fp)
1801 int fd;
1802 addfunc_t addfunc;
1803 ioctlfunc_t *iocfuncs;
1804 FILE *fp;
1805 {
1806 	char *s;
1807 	int i;
1808 
1809 	ipffd = fd;
1810 	for (i = 0; i <= IPL_LOGMAX; i++)
1811 		ipfioctl[i] = iocfuncs[i];
1812 	ipfaddfunc = addfunc;
1813 
1814 	if (feof(fp))
1815 		return 0;
1816 	i = fgetc(fp);
1817 	if (i == EOF)
1818 		return 0;
1819 	if (ungetc(i, fp) == 0)
1820 		return 0;
1821 	if (feof(fp))
1822 		return 0;
1823 	s = getenv("YYDEBUG");
1824 	if (s != NULL)
1825 		yydebug = atoi(s);
1826 	else
1827 		yydebug = 0;
1828 
1829 	yyin = fp;
1830 	yyparse();
1831 	return 1;
1832 }
1833 
1834 
1835 static void newrule()
1836 {
1837 	frentry_t *frn;
1838 
1839 	frn = (frentry_t *)calloc(1, sizeof(frentry_t));
1840 	if (frn == NULL)
1841 		yyerror("sorry, out of memory");
1842 	for (fr = frtop; fr != NULL && fr->fr_next != NULL; fr = fr->fr_next)
1843 		;
1844 	if (fr != NULL)
1845 		fr->fr_next = frn;
1846 	if (frtop == NULL)
1847 		frtop = frn;
1848 	fr = frn;
1849 	frc = frn;
1850 	fr->fr_loglevel = 0xffff;
1851 	fr->fr_isc = (void *)-1;
1852 	fr->fr_logtag = FR_NOLOGTAG;
1853 	fr->fr_type = FR_T_NONE;
1854 	if (use_inet6 != 0)
1855 		fr->fr_v = 6;
1856 	else
1857 		fr->fr_v = 4;
1858 
1859 	nrules = 1;
1860 }
1861 
1862 
1863 static void setipftype()
1864 {
1865 	for (fr = frc; fr != NULL; fr = fr->fr_next) {
1866 		if (fr->fr_type == FR_T_NONE) {
1867 			fr->fr_type = FR_T_IPF;
1868 			fr->fr_data = (void *)calloc(sizeof(fripf_t), 1);
1869 			if (fr->fr_data == NULL)
1870 				yyerror("sorry, out of memory");
1871 			fr->fr_dsize = sizeof(fripf_t);
1872 			fr->fr_ip.fi_v = frc->fr_v;
1873 			fr->fr_mip.fi_v = 0xf;
1874 			fr->fr_ipf->fri_sifpidx = -1;
1875 			fr->fr_ipf->fri_difpidx = -1;
1876 		}
1877 		if (fr->fr_type != FR_T_IPF) {
1878 			fprintf(stderr, "IPF Type not set\n");
1879 		}
1880 	}
1881 }
1882 
1883 
1884 static frentry_t *addrule()
1885 {
1886 	frentry_t *f, *f1, *f2;
1887 	int count;
1888 
1889 	for (f2 = frc; f2->fr_next != NULL; f2 = f2->fr_next)
1890 		;
1891 
1892 	count = nrules;
1893 	if (count == 0) {
1894 		f = (frentry_t *)calloc(sizeof(*f), 1);
1895 		if (f == NULL)
1896 			yyerror("sorry, out of memory");
1897 		added++;
1898 		f2->fr_next = f;
1899 		bcopy(f2, f, sizeof(*f));
1900 		if (f2->fr_caddr != NULL) {
1901 			f->fr_caddr = malloc(f->fr_dsize);
1902 			if (f->fr_caddr == NULL)
1903 				yyerror("sorry, out of memory");
1904 			bcopy(f2->fr_caddr, f->fr_caddr, f->fr_dsize);
1905 		}
1906 		f->fr_next = NULL;
1907 		return f;
1908 	}
1909 	f = f2;
1910 	for (f1 = frc; count > 0; count--, f1 = f1->fr_next) {
1911 		f->fr_next = (frentry_t *)calloc(sizeof(*f), 1);
1912 		if (f->fr_next == NULL)
1913 			yyerror("sorry, out of memory");
1914 		added++;
1915 		f = f->fr_next;
1916 		bcopy(f1, f, sizeof(*f));
1917 		f->fr_next = NULL;
1918 		if (f->fr_caddr != NULL) {
1919 			f->fr_caddr = malloc(f->fr_dsize);
1920 			if (f->fr_caddr == NULL)
1921 				yyerror("sorry, out of memory");
1922 			bcopy(f1->fr_caddr, f->fr_caddr, f->fr_dsize);
1923 		}
1924 	}
1925 
1926 	return f2->fr_next;
1927 }
1928 
1929 
1930 static u_32_t lookuphost(name, addr)
1931 char *name;
1932 i6addr_t *addr;
1933 {
1934 	int i;
1935 
1936 	hashed = 0;
1937 	pooled = 0;
1938 	dynamic = -1;
1939 
1940 	for (i = 0; i < 4; i++) {
1941 		if (strncmp(name, frc->fr_ifnames[i],
1942 			    sizeof(frc->fr_ifnames[i])) == 0) {
1943 			ifpflag = FRI_DYNAMIC;
1944 			dynamic = i;
1945 			return 0;
1946 		}
1947 	}
1948 
1949 	if (gethost(name, addr, use_inet6) == -1) {
1950 		fprintf(stderr, "unknown name \"%s\"\n", name);
1951 		return 0;
1952 	}
1953 	return 1;
1954 }
1955 
1956 
1957 static void dobpf(v, phrase)
1958 int v;
1959 char *phrase;
1960 {
1961 #ifdef IPFILTER_BPF
1962 	struct bpf_program bpf;
1963 	struct pcap *p;
1964 #endif
1965 	fakebpf_t *fb;
1966 	u_32_t l;
1967 	char *s;
1968 	int i;
1969 
1970 	for (fr = frc; fr != NULL; fr = fr->fr_next) {
1971 		if (fr->fr_type != FR_T_NONE) {
1972 			fprintf(stderr, "cannot mix IPF and BPF matching\n");
1973 			return;
1974 		}
1975 		fr->fr_v = v;
1976 		fr->fr_type = FR_T_BPFOPC;
1977 
1978 		if (!strncmp(phrase, "\"0x", 2)) {
1979 			phrase++;
1980 			fb = malloc(sizeof(fakebpf_t));
1981 			if (fb == NULL)
1982 				yyerror("sorry, out of memory");
1983 
1984 			for (i = 0, s = strtok(phrase, " \r\n\t"); s != NULL;
1985 			     s = strtok(NULL, " \r\n\t"), i++) {
1986 				fb = realloc(fb, (i / 4 + 1) * sizeof(*fb));
1987 				if (fb == NULL)
1988 					yyerror("sorry, out of memory");
1989 				l = (u_32_t)strtol(s, NULL, 0);
1990 				switch (i & 3)
1991 				{
1992 				case 0 :
1993 					fb[i / 4].fb_c = l & 0xffff;
1994 					break;
1995 				case 1 :
1996 					fb[i / 4].fb_t = l & 0xff;
1997 					break;
1998 				case 2 :
1999 					fb[i / 4].fb_f = l & 0xff;
2000 					break;
2001 				case 3 :
2002 					fb[i / 4].fb_k = l;
2003 					break;
2004 				}
2005 			}
2006 			if ((i & 3) != 0) {
2007 				fprintf(stderr,
2008 					"Odd number of bytes in BPF code\n");
2009 				exit(1);
2010 			}
2011 			i--;
2012 			fr->fr_dsize = (i / 4 + 1) * sizeof(*fb);
2013 			fr->fr_data = fb;
2014 			return;
2015 		}
2016 
2017 #ifdef IPFILTER_BPF
2018 		bzero((char *)&bpf, sizeof(bpf));
2019 		p = pcap_open_dead(DLT_RAW, 1);
2020 		if (!p) {
2021 			fprintf(stderr, "pcap_open_dead failed\n");
2022 			return;
2023 		}
2024 
2025 		if (pcap_compile(p, &bpf, phrase, 1, 0xffffffff)) {
2026 			pcap_perror(p, "ipf");
2027 			pcap_close(p);
2028 			fprintf(stderr, "pcap parsing failed (%s)\n", phrase);
2029 			return;
2030 		}
2031 		pcap_close(p);
2032 
2033 		fr->fr_dsize = bpf.bf_len * sizeof(struct bpf_insn);
2034 		fr->fr_data = malloc(fr->fr_dsize);
2035 		if (fr->fr_data == NULL)
2036 			yyerror("sorry, out of memory");
2037 		bcopy((char *)bpf.bf_insns, fr->fr_data, fr->fr_dsize);
2038 		if (!bpf_validate(fr->fr_data, bpf.bf_len)) {
2039 			fprintf(stderr, "BPF validation failed\n");
2040 			return;
2041 		}
2042 #endif
2043 	}
2044 
2045 #ifdef IPFILTER_BPF
2046 	if (opts & OPT_DEBUG)
2047 		bpf_dump(&bpf, 0);
2048 #else
2049 	fprintf(stderr, "BPF filter expressions not supported\n");
2050 	exit(1);
2051 #endif
2052 }
2053 
2054 
2055 static void resetaddr()
2056 {
2057 	hashed = 0;
2058 	pooled = 0;
2059 	dynamic = -1;
2060 }
2061 
2062 
2063 static alist_t *newalist(ptr)
2064 alist_t *ptr;
2065 {
2066 	alist_t *al;
2067 
2068 	al = malloc(sizeof(*al));
2069 	if (al == NULL)
2070 		return NULL;
2071 	al->al_not = 0;
2072 	al->al_next = ptr;
2073 	return al;
2074 }
2075 
2076 
2077 static int makepool(list)
2078 alist_t *list;
2079 {
2080 	ip_pool_node_t *n, *top;
2081 	ip_pool_t pool;
2082 	alist_t *a;
2083 	int num;
2084 
2085 	if (list == NULL)
2086 		return 0;
2087 	top = calloc(1, sizeof(*top));
2088 	if (top == NULL)
2089 		return 0;
2090 
2091 	for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) {
2092 		n->ipn_addr.adf_family = a->al_family;
2093 		n->ipn_mask.adf_family = a->al_family;
2094 		(void *)bcopy((void *)&a->al_i6addr,
2095 			      (void *)&n->ipn_addr.adf_addr,
2096 			      sizeof(n->ipn_addr.adf_addr));
2097 		(void *)bcopy((void *)&a->al_i6mask,
2098 			      (void *)&n->ipn_mask.adf_addr,
2099 			      sizeof(n->ipn_mask.adf_addr));
2100 		n->ipn_info = a->al_not;
2101 		if (a->al_next != NULL) {
2102 			n->ipn_next = calloc(1, sizeof(*n));
2103 			if (n->ipn_next == NULL)
2104 				yyerror("sorry, out of memory");
2105 			n = n->ipn_next;
2106 		}
2107 	}
2108 
2109 	bzero((char *)&pool, sizeof(pool));
2110 	pool.ipo_unit = IPL_LOGIPF;
2111 	pool.ipo_list = top;
2112 	num = load_pool(&pool, ipfioctl[IPL_LOGLOOKUP]);
2113 
2114 	while ((n = top) != NULL) {
2115 		top = n->ipn_next;
2116 		free(n);
2117 	}
2118 	return num;
2119 }
2120 
2121 
2122 static u_int makehash(list)
2123 alist_t *list;
2124 {
2125 	iphtent_t *n, *top;
2126 	iphtable_t iph;
2127 	alist_t *a;
2128 	int num;
2129 
2130 	if (list == NULL)
2131 		return 0;
2132 	top = calloc(1, sizeof(*top));
2133 	if (top == NULL)
2134 		return 0;
2135 
2136 	for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) {
2137 		n->ipe_family = a->al_family;
2138 		(void *)bcopy((void *)&a->al_i6addr,
2139 			      (void *)&n->ipe_addr,
2140 			      sizeof(n->ipe_addr));
2141 		(void *)bcopy((void *)&a->al_i6mask,
2142 			      (void *)&n->ipe_mask,
2143 			      sizeof(n->ipe_mask));
2144 		n->ipe_value = 0;
2145 		if (a->al_next != NULL) {
2146 			n->ipe_next = calloc(1, sizeof(*n));
2147 			if (n->ipe_next == NULL)
2148 				yyerror("sorry, out of memory");
2149 			n = n->ipe_next;
2150 		}
2151 	}
2152 
2153 	bzero((char *)&iph, sizeof(iph));
2154 	iph.iph_unit = IPL_LOGIPF;
2155 	iph.iph_type = IPHASH_LOOKUP;
2156 	*iph.iph_name = '\0';
2157 
2158 	if (load_hash(&iph, top, ipfioctl[IPL_LOGLOOKUP]) == 0)
2159 		sscanf(iph.iph_name, "%u", &num);
2160 	else
2161 		num = 0;
2162 
2163 	while ((n = top) != NULL) {
2164 		top = n->ipe_next;
2165 		free(n);
2166 	}
2167 	return num;
2168 }
2169 
2170 
2171 void ipf_addrule(fd, ioctlfunc, ptr)
2172 int fd;
2173 ioctlfunc_t ioctlfunc;
2174 void *ptr;
2175 {
2176 	ioctlcmd_t add, del;
2177 	frentry_t *fr;
2178 	ipfobj_t obj;
2179 
2180 	fr = ptr;
2181 	add = 0;
2182 	del = 0;
2183 
2184 	bzero((char *)&obj, sizeof(obj));
2185 	obj.ipfo_rev = IPFILTER_VERSION;
2186 	obj.ipfo_size = sizeof(*fr);
2187 	obj.ipfo_type = IPFOBJ_FRENTRY;
2188 	obj.ipfo_ptr = ptr;
2189 
2190 	if ((opts & OPT_DONOTHING) != 0)
2191 		fd = -1;
2192 
2193 	if (opts & OPT_ZERORULEST) {
2194 		add = SIOCZRLST;
2195 	} else if (opts & OPT_INACTIVE) {
2196 		add = (u_int)fr->fr_hits ? SIOCINIFR :
2197 					   SIOCADIFR;
2198 		del = SIOCRMIFR;
2199 	} else {
2200 		add = (u_int)fr->fr_hits ? SIOCINAFR :
2201 					   SIOCADAFR;
2202 		del = SIOCRMAFR;
2203 	}
2204 
2205 	if (fr && (opts & OPT_OUTQUE))
2206 		fr->fr_flags |= FR_OUTQUE;
2207 	if (fr->fr_hits)
2208 		fr->fr_hits--;
2209 	if (fr && (opts & OPT_VERBOSE))
2210 		printfr(fr, ioctlfunc);
2211 
2212 	if (opts & OPT_DEBUG) {
2213 		binprint(fr, sizeof(*fr));
2214 		if (fr->fr_data != NULL)
2215 			binprint(fr->fr_data, fr->fr_dsize);
2216 	}
2217 
2218 	if ((opts & OPT_ZERORULEST) != 0) {
2219 		if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
2220 			if ((opts & OPT_DONOTHING) == 0) {
2221 				fprintf(stderr, "%d:", yylineNum);
2222 				perror("ioctl(SIOCZRLST)");
2223 			}
2224 		} else {
2225 #ifdef	USE_QUAD_T
2226 			printf("hits %qd bytes %qd ",
2227 				(long long)fr->fr_hits,
2228 				(long long)fr->fr_bytes);
2229 #else
2230 			printf("hits %ld bytes %ld ",
2231 				fr->fr_hits, fr->fr_bytes);
2232 #endif
2233 			printfr(fr, ioctlfunc);
2234 		}
2235 	} else if ((opts & OPT_REMOVE) != 0) {
2236 		if ((*ioctlfunc)(fd, del, (void *)&obj) == -1) {
2237 			if ((opts & OPT_DONOTHING) != 0) {
2238 				fprintf(stderr, "%d:", yylineNum);
2239 				perror("ioctl(delete rule)");
2240 			}
2241 		}
2242 	} else {
2243 		if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
2244 			if (!(opts & OPT_DONOTHING)) {
2245 				fprintf(stderr, "%d:", yylineNum);
2246 				perror("ioctl(add/insert rule)");
2247 			}
2248 		}
2249 	}
2250 }
2251 
2252 static void setsyslog()
2253 {
2254 	yysetdict(logwords);
2255 	yybreakondot = 1;
2256 }
2257 
2258 
2259 static void unsetsyslog()
2260 {
2261 	yyresetdict();
2262 	yybreakondot = 0;
2263 }
2264 
2265 
2266 static void fillgroup(fr)
2267 frentry_t *fr;
2268 {
2269 	frentry_t *f;
2270 
2271 	for (f = frold; f != NULL; f = f->fr_next)
2272 		if (strncmp(f->fr_grhead, fr->fr_group, FR_GROUPLEN) == 0)
2273 			break;
2274 	if (f == NULL)
2275 		return;
2276 
2277 	/*
2278 	 * Only copy down matching fields if the rules are of the same type
2279 	 * and are of ipf type.   The only fields that are copied are those
2280 	 * that impact the rule parsing itself, eg. need for knowing what the
2281 	 * protocol should be for rules with port comparisons in them.
2282 	 */
2283 	if (f->fr_type != fr->fr_type || f->fr_type != FR_T_IPF)
2284 		return;
2285 
2286 	if (fr->fr_v == 0 && f->fr_v != 0)
2287 		fr->fr_v = f->fr_v;
2288 
2289 	if (fr->fr_mproto == 0 && f->fr_mproto != 0)
2290 		fr->fr_mproto = f->fr_mproto;
2291 	if (fr->fr_proto == 0 && f->fr_proto != 0)
2292 		fr->fr_proto = f->fr_proto;
2293 
2294 	if ((fr->fr_mproto == 0) && ((fr->fr_flx & FI_TCPUDP) == 0) &&
2295 	    ((f->fr_flx & FI_TCPUDP) != 0))
2296 		fr->fr_flx |= FI_TCPUDP;
2297 }
2298