17c478bd9Sstevel@tonic-gate %{
27c478bd9Sstevel@tonic-gate /*
37c478bd9Sstevel@tonic-gate * Copyright (C) 2003 by Darren Reed.
47c478bd9Sstevel@tonic-gate *
57c478bd9Sstevel@tonic-gate * See the IPFILTER.LICENCE file for details on licencing.
67c478bd9Sstevel@tonic-gate *
7*22929378SDarren Reed * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
87c478bd9Sstevel@tonic-gate * Use is subject to license terms.
97c478bd9Sstevel@tonic-gate */
107c478bd9Sstevel@tonic-gate
117c478bd9Sstevel@tonic-gate #include "ipf.h"
127c478bd9Sstevel@tonic-gate #include <sys/ioctl.h>
137c478bd9Sstevel@tonic-gate #include <syslog.h>
147c478bd9Sstevel@tonic-gate #ifdef IPFILTER_BPF
15ab25eeb5Syz155240 # include "pcap-bpf.h"
16ab25eeb5Syz155240 # define _NET_BPF_H_
177c478bd9Sstevel@tonic-gate # include <pcap.h>
187c478bd9Sstevel@tonic-gate #endif
197c478bd9Sstevel@tonic-gate #include "netinet/ip_pool.h"
207c478bd9Sstevel@tonic-gate #include "netinet/ip_htable.h"
217c478bd9Sstevel@tonic-gate #include "netinet/ipl.h"
227c478bd9Sstevel@tonic-gate #include "ipf_l.h"
237c478bd9Sstevel@tonic-gate
#define	YYDEBUG	1

/*
 * Rule-list iterators.  Each runs the statement(s) x once per frentry_t,
 * advancing the global fr along fr_next until it is NULL.  DOALL restarts
 * at frc; DOREM carries on from the current value of fr.
 */
#define	DOALL(x)	for (fr = frc; fr != NULL; fr = fr->fr_next) { x }
#define	DOREM(x)	for (; fr != NULL; fr = fr->fr_next) { x }

/*
 * Bits kept in ruleopts while the options of one rule are parsed; the
 * inopt and outopt actions test them to report an option given twice.
 */
#define	OPTION_LOG	0x1
#define	OPTION_QUICK	0x2
#define	OPTION_DUP	0x4
#define	OPTION_PROUTE	0x8
#define	OPTION_ON	0x10
#define	OPTION_REPLYTO	0x20
#define	OPTION_FROUTE	0x40

/* Parser and lexer entry points and state defined outside this file. */
extern	void	yyerror __P((char *));
extern	int	yyparse __P((void));
extern	int	yylex __P((void));
extern	int	yydebug;
extern	FILE	*yyin;
extern	int	yylineNum;

/* Helpers private to this grammar. */
static	void	newrule __P((void));
static	void	setipftype __P((void));
static	u_32_t	lookuphost __P((char *, i6addr_t *));
static	void	dobpf __P((int, char *));
static	void	resetaddr __P((void));
static	struct	alist_s	*newalist __P((struct alist_s *));
static	u_int	makehash __P((struct alist_s *));
static	int	makepool __P((struct alist_s *));
static	frentry_t *addrule __P((void));
static	void	setsyslog __P((void));
static	void	unsetsyslog __P((void));
static	void	fillgroup __P((frentry_t *));

/* Rule list heads and cursors shared by the grammar actions. */
frentry_t	*fr = NULL;	/* rule being filled in; DOALL/DOREM cursor */
frentry_t	*frc = NULL;	/* where DOALL starts */
frentry_t	*frtop = NULL;	/* rules waiting to be passed to ipfaddfunc */
frentry_t	*frold = NULL;	/* rules already passed to ipfaddfunc */

static	int	ifpflag = 0;
static	int	nowith = 0;
static	int	dynamic = -1;
static	int	pooled = 0;
static	int	hashed = 0;
static	int	nrules = 0;	/* lend adds "added" to this */
static	int	newlist = 0;	/* set to 1 by lstart, cleared by lmore */
static	int	added = 0;	/* zeroed by lstart */
static	int	ipffd = -1;	/* descriptor given to ioctl() and ipfaddfunc */
static	int	ruleopts = 0;	/* OPTION_* bits seen for the current rule */
static	int	*yycont = NULL;	/* when non-NULL, lmore stores 1 through it */
static	ioctlfunc_t	ipfioctl[IPL_LOGSIZE];
static	addfunc_t	ipfaddfunc = NULL;
static	struct	wordtab ipfwords[96];
static	struct	wordtab	addrwords[4];
static	struct	wordtab	maskwords[5];
static	struct	wordtab icmpcodewords[17];
static	struct	wordtab icmptypewords[16];
static	struct	wordtab ipv4optwords[25];
static	struct	wordtab ipv4secwords[9];
static	struct	wordtab ipv6optwords[8];
static	struct	wordtab logwords[33];
static	int	set_ipv6_addr = 0;
817c478bd9Sstevel@tonic-gate
827c478bd9Sstevel@tonic-gate %}
/* Semantic value shared by tokens and non-terminals. */
%union	{
	char	*str;		/* YY_STR, servicename, name, interfacename */
	u_32_t	num;		/* YY_NUMBER, YY_HEX and the <num> rules */
	struct	in_addr	ipa;	/* ipv4, ipv4_16, ipv4_24 */
	frentry_t	fr;
	frtuc_t	*frt;
	struct	alist_s	*alist;	/* addrlist, poollist */
	u_short	port;		/* portnum */
	struct	{		/* portrange, portcomp */
		u_short	p1;
		u_short	p2;
		int	pc;
	} pc;
	struct	{		/* addr, ipaddr: one address and one mask */
		union	i6addr	a;
		union	i6addr	m;
	} ipp;
	union	i6addr	ip6;	/* YY_IPV6, hostname, mask */
};
/* Value types of the non-terminals (members of the %union above). */
%type	<port>	portnum
%type	<num>	facility priority icmpcode seclevel secname icmptype
%type	<num>	opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr
%type	<num>	portc porteq
%type	<ipa>	ipv4 ipv4_16 ipv4_24
%type	<ip6>	hostname mask
%type	<ipp>	addr ipaddr
%type	<str>	servicename name interfacename
%type	<pc>	portrange portcomp
%type	<alist>	addrlist poollist

/* Generic tokens: numbers, strings, comparison and range operators. */
%token	<num>	YY_NUMBER YY_HEX
%token	<str>	YY_STR
%token		YY_COMMENT
%token		YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
%token		YY_RANGE_OUT YY_RANGE_IN
%token	<ip6>	YY_IPV6

/* Rule keywords.  The order of declaration is kept as it was. */
%token	IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL
%token	IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST
%token	IPFY_IN IPFY_OUT
%token	IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA
%token	IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO IPFY_ROUTETO
%token	IPFY_TOS IPFY_TTL IPFY_PROTO
%token	IPFY_HEAD IPFY_GROUP
%token	IPFY_AUTH IPFY_PREAUTH
%token	IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK
%token	IPFY_LOGTAG IPFY_MATCHTAG IPFY_SETTAG IPFY_SKIP
%token	IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPFV4 IPFY_BPFV6 IPFY_POOL IPFY_HASH
%token	IPFY_PPS
%token	IPFY_ESP IPFY_AH
%token	IPFY_WITH IPFY_AND IPFY_NOT IPFY_NO IPFY_OPT
%token	IPFY_TCPUDP IPFY_TCP IPFY_UDP
%token	IPFY_FLAGS IPFY_MULTICAST
%token	IPFY_MASK IPFY_BROADCAST IPFY_NETWORK IPFY_NETMASKED IPFY_PEER
%token	IPFY_PORT
%token	IPFY_NOW
%token	IPFY_ICMP IPFY_ICMPTYPE IPFY_ICMPCODE
%token	IPFY_IPOPTS IPFY_SHORT IPFY_NAT IPFY_BADSRC IPFY_LOWTTL IPFY_FRAG
%token	IPFY_MBCAST IPFY_BAD IPFY_BADNAT IPFY_OOW IPFY_NEWISN IPFY_NOICMPERR
%token	IPFY_KEEP IPFY_STATE IPFY_FRAGS IPFY_LIMIT IPFY_STRICT IPFY_AGE
%token	IPFY_SYNC IPFY_FRAGBODY

/* IPFY_IPOPT_* and IPFY_SEC*: by their names, IPv4 option and security class words. */
%token	IPFY_IPOPT_NOP IPFY_IPOPT_RR IPFY_IPOPT_ZSU IPFY_IPOPT_MTUP
%token	IPFY_IPOPT_MTUR IPFY_IPOPT_ENCODE IPFY_IPOPT_TS IPFY_IPOPT_TR
%token	IPFY_IPOPT_SEC IPFY_IPOPT_LSRR IPFY_IPOPT_ESEC IPFY_IPOPT_CIPSO
%token	IPFY_IPOPT_SATID IPFY_IPOPT_SSRR IPFY_IPOPT_ADDEXT IPFY_IPOPT_VISA
%token	IPFY_IPOPT_IMITD IPFY_IPOPT_EIP IPFY_IPOPT_FINN IPFY_IPOPT_DPS
%token	IPFY_IPOPT_SDB IPFY_IPOPT_NSAPA IPFY_IPOPT_RTRALRT IPFY_IPOPT_UMP
%token	IPFY_SECCLASS IPFY_SEC_UNC IPFY_SEC_CONF IPFY_SEC_RSV1 IPFY_SEC_RSV2
%token	IPFY_SEC_RSV4 IPFY_SEC_SEC IPFY_SEC_TS IPFY_SEC_RSV3

/* IPv6 header/option words. */
%token	IPF6_V6HDRS IPFY_IPV6OPT IPFY_IPV6OPT_DSTOPTS IPFY_IPV6OPT_HOPOPTS
%token	IPFY_IPV6OPT_IPV6 IPFY_IPV6OPT_NONE IPFY_IPV6OPT_ROUTING

/* IPFY_ICMPT_*: by their names, ICMP type words. */
%token	IPFY_ICMPT_UNR IPFY_ICMPT_ECHO IPFY_ICMPT_ECHOR IPFY_ICMPT_SQUENCH
%token	IPFY_ICMPT_REDIR IPFY_ICMPT_TIMEX IPFY_ICMPT_PARAMP IPFY_ICMPT_TIMEST
%token	IPFY_ICMPT_TIMESTREP IPFY_ICMPT_INFOREQ IPFY_ICMPT_INFOREP
%token	IPFY_ICMPT_MASKREQ IPFY_ICMPT_MASKREP IPFY_ICMPT_ROUTERAD
%token	IPFY_ICMPT_ROUTERSOL

/* IPFY_ICMPC_*: by their names, ICMP code words. */
%token	IPFY_ICMPC_NETUNR IPFY_ICMPC_HSTUNR IPFY_ICMPC_PROUNR IPFY_ICMPC_PORUNR
%token	IPFY_ICMPC_NEEDF IPFY_ICMPC_SRCFAIL IPFY_ICMPC_NETUNK IPFY_ICMPC_HSTUNK
%token	IPFY_ICMPC_ISOLATE IPFY_ICMPC_NETPRO IPFY_ICMPC_HSTPRO
%token	IPFY_ICMPC_NETTOS IPFY_ICMPC_HSTTOS IPFY_ICMPC_FLTPRO IPFY_ICMPC_HSTPRE
%token	IPFY_ICMPC_CUTPRE

/* IPFY_FAC_* and IPFY_PRI_*: by their names, log facility and priority words. */
%token	IPFY_FAC_KERN IPFY_FAC_USER IPFY_FAC_MAIL IPFY_FAC_DAEMON IPFY_FAC_AUTH
%token	IPFY_FAC_SYSLOG IPFY_FAC_LPR IPFY_FAC_NEWS IPFY_FAC_UUCP IPFY_FAC_CRON
%token	IPFY_FAC_LOCAL0 IPFY_FAC_LOCAL1 IPFY_FAC_LOCAL2 IPFY_FAC_LOCAL3
%token	IPFY_FAC_LOCAL4 IPFY_FAC_LOCAL5 IPFY_FAC_LOCAL6 IPFY_FAC_LOCAL7
%token	IPFY_FAC_SECURITY IPFY_FAC_FTP IPFY_FAC_AUTHPRIV IPFY_FAC_AUDIT
%token	IPFY_FAC_LFMT IPFY_FAC_CONSOLE

%token	IPFY_PRI_EMERG IPFY_PRI_ALERT IPFY_PRI_CRIT IPFY_PRI_ERR IPFY_PRI_WARN
%token	IPFY_PRI_NOTICE IPFY_PRI_INFO IPFY_PRI_DEBUG

/* Keywords of the "set" statement. */
%token	IPFY_SET_LOOPBACK IPFY_SET
1797c478bd9Sstevel@tonic-gate %%
/* A rule file is one or more rule lines and variable assignments. */
file:	line
	| assign
	| file line
	| file assign
	;

/*
 * One line of input.  Once a rule has been parsed, every entry queued on
 * frtop is unlinked, passed to the add function together with the
 * IPL_LOGIPF ioctl handler, and then pushed onto the front of frold.
 */
line:	xx rule
	{
		for (fr = frtop; fr != NULL; fr = frtop) {
			frtop = fr->fr_next;
			/* hand over a single, unlinked entry */
			fr->fr_next = NULL;
			(*ipfaddfunc)(ipffd, ipfioctl[IPL_LOGIPF], fr);
			fr->fr_next = frold;
			frold = fr;
		}
		resetlexer();
	}
	| YY_COMMENT
	| set
	;

/* Empty marker: runs newrule() before the rule itself is parsed. */
xx:	{ newrule(); }
	;
/*
 * Variable assignment: NAME = VALUE ;
 * Both strings are passed to set_variable() and then freed here.
 */
assign:	YY_STR assigning YY_STR ';'
	{
		set_variable($1, $3);
		resetlexer();
		free($1);
		free($3);
		/* undo the flag raised by "assigning" */
		yyvarnext = 0;
	}
	;

/* The '=' of an assignment; sets yyvarnext before the value is read. */
assigning:
	'='	{ yyvarnext = 1; }
	;
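/*
 * "set" statement for the loopback option: the argument must be the string
 * "true" or "false" and is sent to the device as 1 or 0 with SIOCIPFLP.
 * It is rejected once any rule has been added (frold is non-NULL).
 *
 * The YY_STR argument is freed on every path; the other actions in this
 * file free their YY_STR values the same way.
 */
set:
	IPFY_SET IPFY_SET_LOOPBACK YY_STR ';'
	{
		int data;

		if (frold != NULL) {
			yyerror("ipf rules before \"set\"");
			free($3);
			/*
			 * This returns from the generated parser function
			 * with status 0.
			 * NOTE(review): if yyerror() returns, a non-zero
			 * status may be what is wanted here - confirm.
			 */
			return 0;
		}

		if (strcmp($3, "true") == 0) {
			data = 1;
		} else if (strcmp($3, "false") == 0) {
			data = 0;
		} else {
			yyerror("invalid argument for ipf_loopback");
			free($3);
			return 0;
		}
		free($3);

		/* OPT_DONOTHING: parse only, do not touch the device. */
		if (((opts & OPT_DONOTHING) == 0) &&
		    (ioctl(ipffd, SIOCIPFLP, &data) == -1))
			perror("ioctl(SIOCIPFLP)");
	}
	;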
/* A rule is an inbound or an outbound rule, optionally ended by ';'. */
rule:	inrule eol
	| outrule eol
	;

eol:	/* empty */
	| ';'
	;

/*
 * Inbound and outbound rules share their layout; ruleopts is cleared by a
 * mid-rule action right after the direction keyword, before any option is
 * parsed.
 */
inrule:
	rulehead markin
		{ ruleopts = 0; }
	inopts rulemain ruletail intag ruletail2
	;

outrule:
	rulehead markout
		{ ruleopts = 0; }
	outopts rulemain ruletail outtag ruletail2
	;

rulehead:
	collection action
	| insert collection action
	;

/* Direction keywords set the matching queue flag on the current rule. */
markin:	IPFY_IN		{ fr->fr_flags |= FR_INQUE; }
	;

markout:
	IPFY_OUT	{ fr->fr_flags |= FR_OUTQUE; }
	;
/* The matching part of a rule: native ipf syntax or a BPF expression. */
rulemain:
	ipfrule
	| bpfrule
	;

ipfrule:
	tos ttl proto ip
	;

/* The quoted expression is passed to dobpf() with the IP version, then freed. */
bpfrule:
	IPFY_BPFV4 '{' YY_STR '}'
	{
		dobpf(4, $3);
		free($3);
	}
	| IPFY_BPFV6 '{' YY_STR '}'
	{
		dobpf(6, $3);
		free($3);
	}
	;

ruletail:
	with keep head group
	;

ruletail2:
	pps age new
	;

intag:	settagin matchtagin
	;

outtag:	settagout matchtagout
	;
/* "@N": stores N + 1, widened to U_QUAD_T before the addition, in fr_hits. */
insert:
	'@' YY_NUMBER
	{
		fr->fr_hits = (U_QUAD_T)$2 + 1;
	}
	;

/* Optional leading number, stored in fr_collect. */
collection:
	/* empty */
	| YY_NUMBER
	{
		fr->fr_collect = $1;
	}
	;
/* The action keyword of a rule; each alternative sets flags in fr_flags. */
action:	block
	| IPFY_PASS
		{ fr->fr_flags |= FR_PASS; }
	| log
	| IPFY_COUNT
		{ fr->fr_flags |= FR_ACCOUNT; }
	| auth
	| IPFY_SKIP YY_NUMBER
		{
			fr->fr_flags |= FR_SKIP;
			fr->fr_arg = $2;
		}
	| IPFY_CALL func
	| IPFY_CALL IPFY_NOW func
		{ fr->fr_flags |= FR_CALLNOW; }
	;

block:	blocked
	| blocked blockreturn
	;

/* Unlike the other actions, this assigns fr_flags rather than OR-ing into it. */
blocked:
	IPFY_BLOCK
		{ fr->fr_flags = FR_BLOCK; }
	;

/* What to send back for a blocked packet; a return code may follow. */
blockreturn:
	IPFY_RETICMP
		{ fr->fr_flags |= FR_RETICMP; }
	| IPFY_RETICMP returncode
		{ fr->fr_flags |= FR_RETICMP; }
	| IPFY_RETICMPASDST
		{ fr->fr_flags |= FR_FAKEICMP; }
	| IPFY_RETICMPASDST returncode
		{ fr->fr_flags |= FR_FAKEICMP; }
	| IPFY_RETRST
		{ fr->fr_flags |= FR_RETRST; }
	;

log:	IPFY_LOG
		{ fr->fr_flags |= FR_LOG; }
	| IPFY_LOG logoptions
		{ fr->fr_flags |= FR_LOG; }
	;

auth:	IPFY_AUTH
		{ fr->fr_flags |= FR_AUTH; }
	| IPFY_AUTH IPFY_RETRST
		{ fr->fr_flags |= (FR_AUTH|FR_RETRST); }
	| IPFY_PREAUTH
		{ fr->fr_flags |= FR_PREAUTH; }
	;

/*
 * NAME/NUMBER after "call": the name is resolved with nametokva() using the
 * IPL_LOGIPF ioctl handler, the number becomes fr_arg, and the name string
 * is freed.
 */
func:	YY_STR '/' YY_NUMBER
	{
		fr->fr_func = nametokva($1, ipfioctl[IPL_LOGIPF]);
		fr->fr_arg = $3;
		free($1);
	}
	;
/* Zero or more options of an inbound rule. */
inopts:
	/* empty */
	| inopts inopt
	;

/*
 * One inbound option.  Each action reports a repeated option through
 * yyerror() and then records the option's bit in ruleopts.
 */
inopt:
	logopt
	{
		if ((ruleopts & OPTION_LOG) != 0)
			yyerror("Duplicate log option");
		ruleopts |= OPTION_LOG;
	}
	| quick
	{
		if ((ruleopts & OPTION_QUICK) != 0)
			yyerror("Duplicate quick option");
		ruleopts |= OPTION_QUICK;
	}
	| on
	{
		if ((ruleopts & OPTION_ON) != 0)
			yyerror("Duplicate on option");
		ruleopts |= OPTION_ON;
	}
	| dup
	{
		if ((ruleopts & OPTION_DUP) != 0)
			yyerror("Duplicate dup option");
		ruleopts |= OPTION_DUP;
	}
	| froute
	{
		if ((ruleopts & OPTION_FROUTE) != 0)
			yyerror("Duplicate froute option");
		ruleopts |= OPTION_FROUTE;
	}
	| proute
	{
		if ((ruleopts & OPTION_PROUTE) != 0)
			yyerror("Duplicate proute option");
		ruleopts |= OPTION_PROUTE;
	}
	| replyto
	{
		if ((ruleopts & OPTION_REPLYTO) != 0)
			yyerror("Duplicate replyto option");
		ruleopts |= OPTION_REPLYTO;
	}
	;
/* Zero or more options of an outbound rule. */
outopts:
	/* empty */
	| outopts outopt
	;

/*
 * One outbound option.  Same handling as for inbound rules, except that
 * froute is not among the alternatives.
 */
outopt:
	logopt
	{
		if ((ruleopts & OPTION_LOG) != 0)
			yyerror("Duplicate log option");
		ruleopts |= OPTION_LOG;
	}
	| quick
	{
		if ((ruleopts & OPTION_QUICK) != 0)
			yyerror("Duplicate quick option");
		ruleopts |= OPTION_QUICK;
	}
	| on
	{
		if ((ruleopts & OPTION_ON) != 0)
			yyerror("Duplicate on option");
		ruleopts |= OPTION_ON;
	}
	| dup
	{
		if ((ruleopts & OPTION_DUP) != 0)
			yyerror("Duplicate dup option");
		ruleopts |= OPTION_DUP;
	}
	| proute
	{
		if ((ruleopts & OPTION_PROUTE) != 0)
			yyerror("Duplicate proute option");
		ruleopts |= OPTION_PROUTE;
	}
	| replyto
	{
		if ((ruleopts & OPTION_REPLYTO) != 0)
			yyerror("Duplicate replyto option");
		ruleopts |= OPTION_REPLYTO;
	}
	;
/*
 * Optional TOS match: a single value or a parenthesised list.  Every value
 * is stored in fr_tos with fr_mtos set to 0xff.
 * NOTE(review): the parsed number is assigned without a range check here;
 * confirm the width of fr_tos against its declaration.
 */
tos:	/* empty */
	| settos YY_NUMBER
	{
		DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;)
	}
	| settos YY_HEX
	{
		DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;)
	}
	| settos lstart toslist lend
	;

settos:	IPFY_TOS
	{
		setipftype();
	}
	;

/* The first decimal entry walks from frc (DOALL); the others from fr (DOREM). */
toslist:
	YY_NUMBER
	{
		DOALL(fr->fr_tos = $1; fr->fr_mtos = 0xff;)
	}
	| YY_HEX
	{
		DOREM(fr->fr_tos = $1; fr->fr_mtos = 0xff;)
	}
	| toslist lmore YY_NUMBER
	{
		DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;)
	}
	| toslist lmore YY_HEX
	{
		DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;)
	}
	;
/* Optional TTL match: one value or a parenthesised list, mask 0xff. */
ttl:	/* empty */
	| setttl YY_NUMBER
	{
		DOALL(fr->fr_ttl = $2; fr->fr_mttl = 0xff;)
	}
	| setttl lstart ttllist lend
	;

/* '(' opens a value list: flag a new list, rewind fr to frc, reset added. */
lstart:	'('
	{
		newlist = 1;
		fr = frc;
		added = 0;
	}
	;

/* ')' closes a value list and adds the "added" count to nrules. */
lend:	')'
	{
		nrules += added;
	}
	;

/*
 * Separator between list entries: fr becomes whatever addrule() returns
 * and, when yycont is set, 1 is stored through it.
 */
lmore:	lanother
	{
		if (newlist == 1)
			newlist = 0;
		fr = addrule();
		if (yycont != NULL)
			*yycont = 1;
	}
	;

/* The comma between list entries is optional. */
lanother:
	/* empty */
	| ','
	;

setttl:	IPFY_TTL
	{
		setipftype();
	}
	;

ttllist:
	YY_NUMBER
	{
		DOREM(fr->fr_ttl = $1; fr->fr_mttl = 0xff;)
	}
	| ttllist lmore YY_NUMBER
	{
		DOREM(fr->fr_ttl = $3; fr->fr_mttl = 0xff;)
	}
	;
/* Optional protocol match; the lexer dictionary is reset afterwards. */
proto:	/* empty */
	| protox protocol
	{
		yyresetdict();
	}
	;

/* "proto" keyword: rewinds fr to frc and calls yysetdict(NULL). */
protox:	IPFY_PROTO
	{
		setipftype();
		fr = frc;
		yysetdict(NULL);
	}
	;

ip:	srcdst flags icmp
	;
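/*
 * Optional "group" clause, applied to every rule from frc onwards, followed
 * by fillgroup() on each of them.
 *
 * NOTE(review): strncpy() does not NUL-terminate fr_group when the name is
 * FR_GROUPLEN bytes or longer.  Whether the consumers of this field treat
 * it as fixed-width or as a C string is not visible here - confirm before
 * using it with "%s" or strlen().
 *
 * The numeric form is formatted with snprintf() bounded by FR_GROUPLEN, the
 * same bound the string form uses; the (int) cast gives "%d" an argument of
 * the type it expects.
 */
group:	/* empty */
	| IPFY_GROUP YY_STR
	{
		DOALL(strncpy(fr->fr_group, $2, FR_GROUPLEN);
		    fillgroup(fr);)
		free($2);
	}
	| IPFY_GROUP YY_NUMBER
	{
		DOALL(snprintf(fr->fr_group, FR_GROUPLEN, "%d", (int)$2);
		    fillgroup(fr);)
	}
	;

/*
 * Optional "head" clause: as "group", but the name goes to fr_grhead and
 * fillgroup() is not called.  The termination note above applies here too.
 */
head:	/* empty */
	| IPFY_HEAD YY_STR
	{
		DOALL(strncpy(fr->fr_grhead, $2, FR_GROUPLEN);)
		free($2);
	}
	| IPFY_HEAD YY_NUMBER
	{
		DOALL(snprintf(fr->fr_grhead, FR_GROUPLEN, "%d", (int)$2);)
	}
	;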
/* Optional "set-tag ( ... )" clause of an inbound rule. */
settagin:
	/* empty */
	| IPFY_SETTAG '(' taginlist ')'
	;

/* Comma-separated list of tag specifications. */
taginlist:
	taginspec
	| taginlist ',' taginspec
	;

taginspec:
	logtag
	| nattag
	;
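/*
 * "nat = NAME" or "nat = NUMBER": the tag text is written to
 * fr_nattag.ipt_tag of every rule from frc onwards.
 *
 * NOTE(review): strncpy() leaves ipt_tag without a NUL terminator when the
 * name is IPFTAG_LEN bytes or longer; whether the field is consumed as
 * fixed-width is not visible here - confirm.
 *
 * The numeric form uses snprintf() bounded by IPFTAG_LEN, the bound the
 * string form already uses, and casts the masked value to int so that it
 * matches "%d".
 */
nattag:	IPFY_NAT '=' YY_STR
	{
		DOALL(strncpy(fr->fr_nattag.ipt_tag, $3, IPFTAG_LEN);)
		free($3);
	}
	| IPFY_NAT '=' YY_NUMBER
	{
		DOALL(snprintf(fr->fr_nattag.ipt_tag, IPFTAG_LEN, "%d",
		    (int)($3 & 0xffffffff));)
	}
	;

/* "log = NUMBER": stored in fr_logtag of every rule from frc onwards. */
logtag:	IPFY_LOG '=' YY_NUMBER
	{
		DOALL(fr->fr_logtag = $3;)
	}
	;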
/* Optional "set-tag ( ... )" clause of an outbound rule. */
settagout:
	/* empty */
	| IPFY_SETTAG '(' tagoutlist ')'
	;

tagoutlist:
	tagoutspec
	| tagoutlist ',' tagoutspec
	;

tagoutspec:
	logtag
	| nattag
	;

/*
 * Optional "match-tag ( ... )" clauses.  As written, the inbound form takes
 * tagoutlist and the outbound form takes taginlist; both lists accept the
 * same logtag and nattag items.
 */
matchtagin:
	/* empty */
	| IPFY_MATCHTAG '(' tagoutlist ')'
	;

matchtagout:
	/* empty */
	| IPFY_MATCHTAG '(' taginlist ')'
	;
/* Optional "pps NUMBER": stored in fr_pps of every rule from frc onwards. */
pps:	/* empty */
	| IPFY_PPS YY_NUMBER
	{
		DOALL(fr->fr_pps = $2;)
	}
	;

/* Optional nested block of rules and assignments enclosed in braces. */
new:	/* empty */
	| savegroup file restoregroup
	;

savegroup:
	'{'
	;

restoregroup:
	'}'
	;

logopt:	log
	;

quick:
	IPFY_QUICK
	{
		fr->fr_flags |= FR_QUICK;
	}
	;
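/* "on IFNAME[,IFNAME]", optionally followed by an in-via / out-via name. */
on:	IPFY_ON onname
	| IPFY_ON onname IPFY_INVIA vianame
	| IPFY_ON onname IPFY_OUTVIA vianame
	;

/*
 * Interface name(s) of the "on" option, stored in fr_ifnames[0] and [1].
 *
 * strncpy() leaves its destination without a NUL terminator when the source
 * is as long as the field, so one byte fewer is copied and the last byte is
 * set to NUL explicitly; an over-long name is truncated as before.
 * NOTE(review): assumes these fields are read as C strings - confirm.
 */
onname:	interfacename
	{
		strncpy(fr->fr_ifnames[0], $1,
		    sizeof (fr->fr_ifnames[0]) - 1);
		fr->fr_ifnames[0][sizeof (fr->fr_ifnames[0]) - 1] = '\0';
		free($1);
	}
	| interfacename ',' interfacename
	{
		strncpy(fr->fr_ifnames[0], $1,
		    sizeof (fr->fr_ifnames[0]) - 1);
		fr->fr_ifnames[0][sizeof (fr->fr_ifnames[0]) - 1] = '\0';
		free($1);
		strncpy(fr->fr_ifnames[1], $3,
		    sizeof (fr->fr_ifnames[1]) - 1);
		fr->fr_ifnames[1][sizeof (fr->fr_ifnames[1]) - 1] = '\0';
		free($3);
	}
	;

/* Name(s) after in-via / out-via, stored in fr_ifnames[2] and [3]. */
vianame:
	name
	{
		strncpy(fr->fr_ifnames[2], $1,
		    sizeof (fr->fr_ifnames[2]) - 1);
		fr->fr_ifnames[2][sizeof (fr->fr_ifnames[2]) - 1] = '\0';
		free($1);
	}
	| name ',' name
	{
		strncpy(fr->fr_ifnames[2], $1,
		    sizeof (fr->fr_ifnames[2]) - 1);
		fr->fr_ifnames[2][sizeof (fr->fr_ifnames[2]) - 1] = '\0';
		free($1);
		strncpy(fr->fr_ifnames[3], $3,
		    sizeof (fr->fr_ifnames[3]) - 1);
		fr->fr_ifnames[3][sizeof (fr->fr_ifnames[3]) - 1] = '\0';
		free($3);
	}
	;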
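/*
 * "dup-to IFNAME[:ADDRESS]": the interface name goes to fr_dif.fd_ifname,
 * the optional address to fd_ip (when use_inet6 is 0) or fd_ip6, and FR_DUP
 * is set on the rule.
 *
 * The name is copied with room left for a NUL terminator, which is written
 * explicitly, because strncpy() does not terminate the destination when the
 * source fills it.
 * NOTE(review): assumes fd_ifname is read as a C string - confirm.
 */
dup:	IPFY_DUPTO name
	{
		strncpy(fr->fr_dif.fd_ifname, $2,
		    sizeof (fr->fr_dif.fd_ifname) - 1);
		fr->fr_dif.fd_ifname[sizeof (fr->fr_dif.fd_ifname) - 1] = '\0';
		free($2);
		fr->fr_flags |= FR_DUP;
	}
	| IPFY_DUPTO name duptoseparator hostname
	{
		strncpy(fr->fr_dif.fd_ifname, $2,
		    sizeof (fr->fr_dif.fd_ifname) - 1);
		fr->fr_dif.fd_ifname[sizeof (fr->fr_dif.fd_ifname) - 1] = '\0';
		if (use_inet6 == 0)
			fr->fr_dif.fd_ip = $4.in4;
		else
			bcopy(&$4, &fr->fr_dif.fd_ip6,
			    sizeof (fr->fr_dif.fd_ip6));
		/* the address has been read; clear the flag set by the ':' */
		yyexpectaddr = 0;
		fr->fr_flags |= FR_DUP;
		free($2);
	}
	| IPFY_DUPTO name duptoseparator YY_IPV6
	{
		strncpy(fr->fr_dif.fd_ifname, $2,
		    sizeof (fr->fr_dif.fd_ifname) - 1);
		fr->fr_dif.fd_ifname[sizeof (fr->fr_dif.fd_ifname) - 1] = '\0';
		bcopy(&$4, &fr->fr_dif.fd_ip6, sizeof (fr->fr_dif.fd_ip6));
		yyexpectaddr = 0;
		fr->fr_flags |= FR_DUP;
		free($2);
	}
	;

/*
 * ':' between an interface name and an address: sets yyexpectaddr, points
 * yycont at it and calls resetaddr().
 */
duptoseparator:
	':'
	{
		yyexpectaddr = 1;
		yycont = &yyexpectaddr;
		resetaddr();
	}
	;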
6347c478bd9Sstevel@tonic-gate froute: IPFY_FROUTE { fr->fr_flags |= FR_FASTROUTE; }
6357c478bd9Sstevel@tonic-gate ;
6367c478bd9Sstevel@tonic-gate
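/*
 * Route-to destination: an interface name, optionally followed by ':' and
 * a next hop given as a hostname or as an IPv6 literal.  The name string
 * ($2) is copied into fr_tif.fd_ifname and then released with free().
 *
 * strncpy() leaves the destination without a terminating NUL when the
 * source is at least as long as the field, so the last byte is forced to
 * '\0' after every copy; an over-long interface name from the rules file
 * is truncated instead of producing an unterminated name in the rule.
 */
proute:
	routeto name
		{
			strncpy(fr->fr_tif.fd_ifname, $2,
			    sizeof(fr->fr_tif.fd_ifname));
			fr->fr_tif.fd_ifname[sizeof(fr->fr_tif.fd_ifname) - 1] = '\0';
			free($2);
		}
	| routeto name duptoseparator hostname
		{
			strncpy(fr->fr_tif.fd_ifname, $2,
			    sizeof(fr->fr_tif.fd_ifname));
			fr->fr_tif.fd_ifname[sizeof(fr->fr_tif.fd_ifname) - 1] = '\0';
			/* IPv4 keeps only the in4 member; IPv6 copies the whole value. */
			if (use_inet6 == 0)
				fr->fr_tif.fd_ip = $4.in4;
			else
				bcopy(&$4, &fr->fr_tif.fd_ip6,
				    sizeof(fr->fr_tif.fd_ip6));
			yyexpectaddr = 0;
			free($2);
		}
	| routeto name duptoseparator YY_IPV6
		{
			strncpy(fr->fr_tif.fd_ifname, $2,
			    sizeof(fr->fr_tif.fd_ifname));
			fr->fr_tif.fd_ifname[sizeof(fr->fr_tif.fd_ifname) - 1] = '\0';
			bcopy(&$4, &fr->fr_tif.fd_ip6, sizeof(fr->fr_tif.fd_ip6));
			yyexpectaddr = 0;
			free($2);
		}
	;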
657ab25eeb5Syz155240
/* Either keyword token introduces a route-to destination. */
routeto:
	IPFY_TO
	| IPFY_ROUTETO
	;
6627c478bd9Sstevel@tonic-gate
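/*
 * Reply-to destination: an interface name, optionally followed by ':' and
 * an address given as a hostname or as an IPv6 literal.  The name string
 * ($2) is copied into fr_rif.fd_ifname and then released with free().
 *
 * strncpy() leaves the destination without a terminating NUL when the
 * source is at least as long as the field, so the last byte is forced to
 * '\0' after every copy; an over-long interface name from the rules file
 * is truncated instead of producing an unterminated name in the rule.
 */
replyto:
	IPFY_REPLY_TO name
		{
			strncpy(fr->fr_rif.fd_ifname, $2,
			    sizeof(fr->fr_rif.fd_ifname));
			fr->fr_rif.fd_ifname[sizeof(fr->fr_rif.fd_ifname) - 1] = '\0';
			free($2);
		}
	| IPFY_REPLY_TO name duptoseparator hostname
		{
			strncpy(fr->fr_rif.fd_ifname, $2,
			    sizeof(fr->fr_rif.fd_ifname));
			fr->fr_rif.fd_ifname[sizeof(fr->fr_rif.fd_ifname) - 1] = '\0';
			/* IPv4 keeps only the in4 member; IPv6 copies the whole value. */
			if (use_inet6 == 0)
				fr->fr_rif.fd_ip = $4.in4;
			else
				bcopy(&$4, &fr->fr_rif.fd_ip6,
				    sizeof(fr->fr_rif.fd_ip6));
			yyexpectaddr = 0;
			free($2);
		}
	| IPFY_REPLY_TO name duptoseparator YY_IPV6
		{
			strncpy(fr->fr_rif.fd_ifname, $2,
			    sizeof(fr->fr_rif.fd_ifname));
			fr->fr_rif.fd_ifname[sizeof(fr->fr_rif.fd_ifname) - 1] = '\0';
			bcopy(&$4, &fr->fr_rif.fd_ip6, sizeof(fr->fr_rif.fd_ip6));
			yyexpectaddr = 0;
			free($2);
		}
	;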
6847c478bd9Sstevel@tonic-gate
/* One or more log options (left-recursive list). */
logoptions:
	logoption
	| logoptions logoption
	;
6897c478bd9Sstevel@tonic-gate
/*
 * A single log option.  The keyword forms OR a flag into the current
 * rule; the "level" form calls unsetsyslog() once the level is parsed.
 */
logoption:
	IPFY_BODY
		{
			fr->fr_flags |= FR_LOGBODY;
		}
	| IPFY_FIRST
		{
			fr->fr_flags |= FR_LOGFIRST;
		}
	| IPFY_ORBLOCK
		{
			fr->fr_flags |= FR_LOGORBLOCK;
		}
	| level loglevel
		{
			unsetsyslog();
		}
	;
6967c478bd9Sstevel@tonic-gate
/*
 * Parenthesised ICMP code: the parsed code is stored in fr_icode and the
 * lexer dictionary installed by starticmpcode is reset.
 */
returncode:
	starticmpcode icmpcode ')'
		{
			fr->fr_icode = $2;
			yyresetdict();
		}
	;
7007c478bd9Sstevel@tonic-gate
/* '(' opening an ICMP code: installs the icmpcodewords dictionary. */
starticmpcode:
	'('
		{
			yysetdict(icmpcodewords);
		}
	;
7047c478bd9Sstevel@tonic-gate
/* Source/destination part of a rule: absent, "all", or a from/to clause. */
srcdst:
	/* empty */
	| IPFY_ALL
	| fromto
	;
7087c478bd9Sstevel@tonic-gate
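/*
 * Protocol of a rule: a number, a name, or the pair "tcp/udp".
 * Each form applies its result to every rule from fr to the end of the
 * chain (DOREM).  Strings ($1, $3) are released with free() on every
 * path; the pair form previously skipped both free() calls when it
 * took the YYERROR branch.
 */
protocol:
	YY_NUMBER
		{
			DOREM(
				fr->fr_proto = $1;
				fr->fr_mproto = 0xff;
			)
		}
	| YY_STR
		{
			if (strcmp($1, "tcp-udp") == 0) {
				DOREM(
					fr->fr_flx |= FI_TCPUDP;
					fr->fr_mflx |= FI_TCPUDP;
				)
			} else {
				int p = getproto($1);

				/*
				 * NOTE(review): if yyerror() returns, the -1 is
				 * still stored in fr_proto below - confirm that
				 * yyerror() does not return.
				 */
				if (p == -1)
					yyerror("protocol unknown");
				DOREM(
					fr->fr_proto = p;
					fr->fr_mproto = 0xff;
				)
			}
			free($1);
		}
	| YY_STR nextstring YY_STR
		{
			/* Decide first, then free, so the error path does not leak. */
			int tcpudp = (strcmp($1, "tcp") == 0) &&
			    (strcmp($3, "udp") == 0);

			free($1);
			free($3);
			if (!tcpudp)
				YYERROR;
			DOREM(
				fr->fr_flx |= FI_TCPUDP;
				fr->fr_mflx |= FI_TCPUDP;
			)
		}
	;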
7357c478bd9Sstevel@tonic-gate
/* '/' between two strings: clears the lexer dictionary (yysetdict(NULL)). */
nextstring:
	'/'
		{
			yysetdict(NULL);
		}
	;
7397c478bd9Sstevel@tonic-gate
/*
 * from/to clause in its three accepted shapes.  Each one clears
 * yyexpectaddr and yycont when the clause is complete.
 */
fromto:
	from srcobject to dstobject
		{
			yyexpectaddr = 0;
			yycont = NULL;
		}
	| to dstobject
		{
			yyexpectaddr = 0;
			yycont = NULL;
		}
	| from srcobject
		{
			yyexpectaddr = 0;
			yycont = NULL;
		}
	;
7447c478bd9Sstevel@tonic-gate
/*
 * "from" keyword: calls setipftype(), falls back to frc when fr is NULL,
 * then switches the lexer to address mode (yyexpectaddr, yycont,
 * addrwords dictionary) and calls resetaddr().
 */
from:
	IPFY_FROM
		{
			setipftype();
			if (fr == NULL)
				fr = frc;
			yyexpectaddr = 1;
			if (yydebug)
				printf("set yyexpectaddr\n");
			yycont = &yyexpectaddr;
			yysetdict(addrwords);
			resetaddr();
		}
	;
7557c478bd9Sstevel@tonic-gate
/*
 * "to" keyword: falls back to frc when fr is NULL, then switches the
 * lexer to address mode (yyexpectaddr, yycont, addrwords dictionary)
 * and calls resetaddr().  Unlike "from" it does not call setipftype().
 */
to:
	IPFY_TO
		{
			if (fr == NULL)
				fr = frc;
			yyexpectaddr = 1;
			if (yydebug)
				printf("set yyexpectaddr\n");
			yycont = &yyexpectaddr;
			yysetdict(addrwords);
			resetaddr();
		}
	;
7657c478bd9Sstevel@tonic-gate
/* Optional "with"/"and" clause followed by its option list. */
with:
	/* empty */
	| andwith withlist
	;
7687c478bd9Sstevel@tonic-gate
/* Keyword opening a "with" list: clears nowith and calls setipftype(). */
andwith:
	IPFY_WITH
		{
			nowith = 0;
			setipftype();
		}
	| IPFY_AND
		{
			nowith = 0;
			setipftype();
		}
	;
7737c478bd9Sstevel@tonic-gate
/*
 * Optional TCP flags clause, written as "value", "value/mask" or "/mask",
 * where each side is either a flag string/hex (flagset) or a number.
 * The value goes to fr_tcpf and the mask to fr_tcpfm on every rule in
 * the chain (DOALL); a missing value is 0 and a missing mask is
 * FR_TCPFMAX.
 */
flags:
	/* empty */
	| startflags flagset
		{
			DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;)
		}
	| startflags flagset '/' flagset
		{
			DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;)
		}
	| startflags '/' flagset
		{
			DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;)
		}
	| startflags YY_NUMBER
		{
			DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;)
		}
	| startflags '/' YY_NUMBER
		{
			DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;)
		}
	| startflags YY_NUMBER '/' YY_NUMBER
		{
			DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;)
		}
	| startflags flagset '/' YY_NUMBER
		{
			DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;)
		}
	| startflags YY_NUMBER '/' flagset
		{
			DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;)
		}
	;
7917c478bd9Sstevel@tonic-gate
/*
 * "flags" keyword: reports an error unless the first rule of the chain
 * (frc) is an FR_T_IPF rule for IPPROTO_TCP.  Both checks are made
 * independently, so both messages can be issued.
 */
startflags:
	IPFY_FLAGS
		{
			if (frc->fr_type != FR_T_IPF)
				yyerror("flags with non-ipf type rule");
			if (frc->fr_proto != IPPROTO_TCP)
				yyerror("flags with non-TCP rule");
		}
	;
799ab25eeb5Syz155240
/*
 * A set of TCP flags: a string converted by tcpflags() (and then freed),
 * or a hex value taken as is.
 */
flagset:
	YY_STR
		{
			$$ = tcpflags($1);
			free($1);
		}
	| YY_HEX
		{
			$$ = $1;
		}
	;
8047c478bd9Sstevel@tonic-gate
/*
 * What follows "from": a bare port clause (the dictionary is reset
 * before it is parsed), an address with optional port, or a negated
 * address, which sets FR_NOTSRCIP on every rule in the chain.
 */
srcobject:
		{
			yyresetdict();
		}
	  fromport
	| srcaddr srcport
	| '!' srcaddr srcport
		{
			DOALL(fr->fr_flags |= FR_NOTSRCIP;)
		}
	;
8117c478bd9Sstevel@tonic-gate
/*
 * Source address: a single addr or a bracketed list.  A single addr has
 * its address and mask copied into the source fields of every rule from
 * fr to the end of the chain (DOREM).  fr_satype is set from ifpflag
 * when `dynamic` is not -1, or to FRI_LOOKUP when a pool or hash was
 * parsed.
 */
srcaddr:
	addr
		{
			DOREM(
				bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a));
				bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m));
				if (dynamic != -1) {
					fr->fr_satype = ifpflag;
					fr->fr_ipf->fri_sifpidx = dynamic;
				} else if (pooled || hashed)
					fr->fr_satype = FRI_LOOKUP;
			)
		}
	| lstart srcaddrlist lend
	;
8237c478bd9Sstevel@tonic-gate
/*
 * List of source addresses.  Each element is applied exactly as a single
 * srcaddr is: address and mask copied into the source fields of every
 * rule from fr onwards (DOREM), with fr_satype set from ifpflag or to
 * FRI_LOOKUP.  How fr advances between elements is up to lmore, which
 * is defined outside this part of the file.
 */
srcaddrlist:
	addr
		{
			DOREM(
				bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a));
				bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m));
				if (dynamic != -1) {
					fr->fr_satype = ifpflag;
					fr->fr_ipf->fri_sifpidx = dynamic;
				} else if (pooled || hashed)
					fr->fr_satype = FRI_LOOKUP;
			)
		}
	| srcaddrlist lmore addr
		{
			DOREM(
				bcopy(&($3.a), &fr->fr_ip.fi_src, sizeof($3.a));
				bcopy(&($3.m), &fr->fr_mip.fi_src, sizeof($3.m));
				if (dynamic != -1) {
					fr->fr_satype = ifpflag;
					fr->fr_ipf->fri_sifpidx = dynamic;
				} else if (pooled || hashed)
					fr->fr_satype = FRI_LOOKUP;
			)
		}
	;
8437c478bd9Sstevel@tonic-gate
/*
 * Optional source port after an address: a comparison, a range, or
 * "port = ( list )".  Comparison and range are written to every rule in
 * the chain (DOALL); the list form only resets the dictionary here.
 */
srcport:
	/* empty */
	| portcomp
		{
			DOALL(
				fr->fr_scmp = $1.pc;
				fr->fr_sport = $1.p1;
			)
		}
	| portrange
		{
			DOALL(
				fr->fr_scmp = $1.pc;
				fr->fr_sport = $1.p1;
				fr->fr_stop = $1.p2;
			)
		}
	| porteq lstart srcportlist lend
		{
			yyresetdict();
		}
	;
8537c478bd9Sstevel@tonic-gate
/*
 * Source port given without an address.  Same three forms and actions
 * as srcport, but the clause is mandatory here (no empty alternative).
 */
fromport:
	portcomp
		{
			DOALL(
				fr->fr_scmp = $1.pc;
				fr->fr_sport = $1.p1;
			)
		}
	| portrange
		{
			DOALL(
				fr->fr_scmp = $1.pc;
				fr->fr_sport = $1.p1;
				fr->fr_stop = $1.p2;
			)
		}
	| porteq lstart srcportlist lend
		{
			yyresetdict();
		}
	;
8637c478bd9Sstevel@tonic-gate
/*
 * List of source ports for "port = ( ... )".  Each element sets an
 * FR_EQUAL comparison on that port for every rule from fr onwards.
 */
srcportlist:
	portnum
		{
			DOREM(
				fr->fr_scmp = FR_EQUAL;
				fr->fr_sport = $1;
			)
		}
	| srcportlist lmore portnum
		{
			DOREM(
				fr->fr_scmp = FR_EQUAL;
				fr->fr_sport = $3;
			)
		}
	;
8697c478bd9Sstevel@tonic-gate
/*
 * What follows "to": a bare port clause (the dictionary is reset before
 * it is parsed), an address with optional port, or a negated address,
 * which sets FR_NOTDSTIP on every rule in the chain.
 */
dstobject:
		{
			yyresetdict();
		}
	  toport
	| dstaddr dstport
	| '!' dstaddr dstport
		{
			DOALL(fr->fr_flags |= FR_NOTDSTIP;)
		}
	;
8767c478bd9Sstevel@tonic-gate
/*
 * Destination address: a single addr or a bracketed list.  A single addr
 * has its address and mask copied into the destination fields of every
 * rule from fr to the end of the chain (DOREM).  fr_datype is set from
 * ifpflag when `dynamic` is not -1, or to FRI_LOOKUP when a pool or hash
 * was parsed.
 */
dstaddr:
	addr
		{
			DOREM(
				bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a));
				bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m));
				if (dynamic != -1) {
					fr->fr_datype = ifpflag;
					fr->fr_ipf->fri_difpidx = dynamic;
				} else if (pooled || hashed)
					fr->fr_datype = FRI_LOOKUP;
			)
		}
	| lstart dstaddrlist lend
	;
8887c478bd9Sstevel@tonic-gate
/*
 * List of destination addresses.  Each element is applied exactly as a
 * single dstaddr is: address and mask copied into the destination fields
 * of every rule from fr onwards (DOREM), with fr_datype set from ifpflag
 * or to FRI_LOOKUP.
 */
dstaddrlist:
	addr
		{
			DOREM(
				bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a));
				bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m));
				if (dynamic != -1) {
					fr->fr_datype = ifpflag;
					fr->fr_ipf->fri_difpidx = dynamic;
				} else if (pooled || hashed)
					fr->fr_datype = FRI_LOOKUP;
			)
		}
	| dstaddrlist lmore addr
		{
			DOREM(
				bcopy(&($3.a), &fr->fr_ip.fi_dst, sizeof($3.a));
				bcopy(&($3.m), &fr->fr_mip.fi_dst, sizeof($3.m));
				if (dynamic != -1) {
					fr->fr_datype = ifpflag;
					fr->fr_ipf->fri_difpidx = dynamic;
				} else if (pooled || hashed)
					fr->fr_datype = FRI_LOOKUP;
			)
		}
	;
9087c478bd9Sstevel@tonic-gate
9097c478bd9Sstevel@tonic-gate
/*
 * Optional destination port after an address: a comparison, a range, or
 * "port = ( list )".  Comparison and range are written to every rule in
 * the chain (DOALL); the list form only resets the dictionary here.
 */
dstport:
	/* empty */
	| portcomp
		{
			DOALL(
				fr->fr_dcmp = $1.pc;
				fr->fr_dport = $1.p1;
			)
		}
	| portrange
		{
			DOALL(
				fr->fr_dcmp = $1.pc;
				fr->fr_dport = $1.p1;
				fr->fr_dtop = $1.p2;
			)
		}
	| porteq lstart dstportlist lend
		{
			yyresetdict();
		}
	;
9197c478bd9Sstevel@tonic-gate
/*
 * Destination port given without an address.  Same three forms and
 * actions as dstport, but the clause is mandatory here.
 */
toport:
	portcomp
		{
			DOALL(
				fr->fr_dcmp = $1.pc;
				fr->fr_dport = $1.p1;
			)
		}
	| portrange
		{
			DOALL(
				fr->fr_dcmp = $1.pc;
				fr->fr_dport = $1.p1;
				fr->fr_dtop = $1.p2;
			)
		}
	| porteq lstart dstportlist lend
		{
			yyresetdict();
		}
	;
9297c478bd9Sstevel@tonic-gate
/*
 * List of destination ports for "port = ( ... )".  Each element sets an
 * FR_EQUAL comparison on that port for every rule from fr onwards.
 */
dstportlist:
	portnum
		{
			DOREM(
				fr->fr_dcmp = FR_EQUAL;
				fr->fr_dport = $1;
			)
		}
	| dstportlist lmore portnum
		{
			DOREM(
				fr->fr_dcmp = FR_EQUAL;
				fr->fr_dport = $3;
			)
		}
	;
9357c478bd9Sstevel@tonic-gate
/*
 * An address operand: a reference to a numbered pool or hash table, an
 * inline pool or hash definition (built by makepool()/makehash()), or a
 * plain ipaddr.  The table forms record the lookup type and number in
 * $$.a and set the `pooled` / `hashed` flag; every form clears
 * yyexpectaddr.
 */
addr:
	pool '/' YY_NUMBER
		{
			pooled = 1;
			yyexpectaddr = 0;
			$$.a.iplookuptype = IPLT_POOL;
			$$.a.iplookupnum = $3;
		}
	| pool '=' '(' poollist ')'
		{
			pooled = 1;
			yyexpectaddr = 0;
			$$.a.iplookuptype = IPLT_POOL;
			$$.a.iplookupnum = makepool($4);
		}
	| hash '/' YY_NUMBER
		{
			hashed = 1;
			yyexpectaddr = 0;
			$$.a.iplookuptype = IPLT_HASH;
			$$.a.iplookupnum = $3;
		}
	| hash '=' '(' addrlist ')'
		{
			hashed = 1;
			yyexpectaddr = 0;
			$$.a.iplookuptype = IPLT_HASH;
			$$.a.iplookupnum = makehash($4);
		}
	| ipaddr
		{
			bcopy(&$1, &$$, sizeof($$));
			yyexpectaddr = 0;
		}
	;
9557c478bd9Sstevel@tonic-gate
/*
 * A literal address with its mask: "any" (all zero), a hostname or IPv6
 * literal on its own (full-length mask: 0xffffffff for IPv4,
 * fill6bits(128) otherwise), or either of those followed by
 * '/' or "mask" and a mask value.  Parsing an IPv6 address sets
 * set_ipv6_addr.
 *
 * NOTE(review): in the two masked forms the address is stored through
 * `$$` inside the first mid-rule action and the mask through `$$` in the
 * final action; whether those refer to the same value depends on how the
 * parser generator in use treats `$$` in mid-rule actions - confirm.
 */
ipaddr:
	IPFY_ANY
		{
			bzero(&($$), sizeof($$));
			yyresetdict();
			yyexpectaddr = 0;
		}
	| hostname
		{
			if (use_inet6 == 0) {
				$$.a.in4 = $1.in4;
				$$.m.in4_addr = 0xffffffff;
			} else {
				set_ipv6_addr = 1;
				bcopy(&$1, &$$.a, sizeof($$.a));
				fill6bits(128, (u_32_t *)&$$.m);
			}
			yyexpectaddr = 0;
		}
	| hostname
		{
			yyresetdict();
			if (use_inet6 == 0)
				$$.a.in4 = $1.in4;
			else {
				set_ipv6_addr = 1;
				bcopy(&$1, &$$.a, sizeof($$.a));
			}
		}
	  maskspace
		{
			yysetdict(maskwords);
		}
	  mask
		{
			/* IPv4: keep only the network part of the address. */
			if (use_inet6 == 0) {
				$$.m.in4_addr = $5.in4.s_addr;
				$$.a.in4_addr &= $5.in4.s_addr;
			} else
				bcopy(&$5, &$$.m, sizeof($$.m));
			yyresetdict();
			yyexpectaddr = 0;
		}
	| YY_IPV6
		{
			set_ipv6_addr = 1;
			bcopy(&$1, &$$.a, sizeof($$.a));
			fill6bits(128, (u_32_t *)&$$.m);
			yyresetdict();
			yyexpectaddr = 0;
		}
	| YY_IPV6
		{
			set_ipv6_addr = 1;
			yyresetdict();
			bcopy(&$1, &$$.a, sizeof($$.a));
		}
	  maskspace
		{
			yysetdict(maskwords);
		}
	  mask
		{
			bcopy(&$5, &$$.m, sizeof($$.m));
			yyresetdict();
			yyexpectaddr = 0;
		}
	;
9977c478bd9Sstevel@tonic-gate
/* Separator between an address and its mask: '/' or the mask keyword. */
maskspace:
	'/'
	| IPFY_MASK
	;
10027c478bd9Sstevel@tonic-gate
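/*
 * A mask value: dotted IPv4, hex (converted with htonl()), a prefix
 * length, or one of the keywords that are only valid after a dynamic
 * interface address (ifpflag == FRI_DYNAMIC), which zero the mask and
 * record the keyword in ifpflag.
 *
 * A prefix length must be at most 32 for IPv4 and at most 128 for IPv6.
 * An out-of-range length is reported and then rejected with YYERROR,
 * as the keyword alternatives already do for their failure case; the
 * previous `return 0` left yyparse() from inside the action with the
 * value that means success.
 * NOTE(review): only an upper bound is checked; confirm YY_NUMBER
 * cannot carry a negative value.
 */
mask:
	ipv4
		{
			$$.in4 = $1;
		}
	| YY_HEX
		{
			$$.in4.s_addr = htonl($1);
		}
	| YY_NUMBER
		{
			if ((use_inet6 == 0) && ($1 <= 32))
				ntomask(4, $1, (u_32_t *)&$$.in4);
			else if ((use_inet6 != 0) && ($1 <= 128))
				ntomask(6, $1, $$.i6);
			else {
				yyerror("Bad value specified for netmask");
				YYERROR;
			}
		}
	| IPFY_BROADCAST
		{
			if (ifpflag == FRI_DYNAMIC) {
				bzero(&$$, sizeof($$));
				ifpflag = FRI_BROADCAST;
			} else
				YYERROR;
		}
	| IPFY_NETWORK
		{
			if (ifpflag == FRI_DYNAMIC) {
				bzero(&$$, sizeof($$));
				ifpflag = FRI_NETWORK;
			} else
				YYERROR;
		}
	| IPFY_NETMASKED
		{
			if (ifpflag == FRI_DYNAMIC) {
				bzero(&$$, sizeof($$));
				ifpflag = FRI_NETMASKED;
			} else
				YYERROR;
		}
	| IPFY_PEER
		{
			if (ifpflag == FRI_DYNAMIC) {
				bzero(&$$, sizeof($$));
				ifpflag = FRI_PEERADDR;
			} else
				YYERROR;
		}
	;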
10407c478bd9Sstevel@tonic-gate
/*
 * A host given as dotted IPv4, a number, a hex value, or a name resolved
 * with lookuphost().  The name string is freed on both outcomes; a
 * failed lookup is reported unless a dynamic interface address is being
 * parsed (ifpflag == FRI_DYNAMIC).
 *
 * NOTE(review): the numeric and hex forms are stored in s_addr as given,
 * while the YY_HEX alternative of `mask` applies htonl() - confirm the
 * byte order intended here.
 */
hostname:
	ipv4
		{
			$$.in4 = $1;
		}
	| YY_NUMBER
		{
			$$.in4.s_addr = $1;
		}
	| YY_HEX
		{
			$$.in4.s_addr = $1;
		}
	| YY_STR
		{
			int resolved = (lookuphost($1, &$$) == 1);

			free($1);
			if (!resolved && ifpflag != FRI_DYNAMIC)
				yyerror("Unknown hostname");
		}
	;
10547c478bd9Sstevel@tonic-gate
/*
 * Address list for an inline hash table.  Each element gets a node from
 * newalist() (passed the list built so far, NULL for the first), its
 * family chosen from set_ipv6_addr - which is then cleared for the next
 * element - and the parsed address and mask copied in.
 *
 * NOTE(review): the result of newalist() is used without a NULL check;
 * confirm it cannot fail.
 */
addrlist:
	ipaddr
		{
			$$ = newalist(NULL);
			$$->al_family = set_ipv6_addr ? AF_INET6 : AF_INET;
			set_ipv6_addr = 0;
			bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
			bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m));
		}
	| addrlist ',' ipaddr
		{
			$$ = newalist($1);
			$$->al_family = set_ipv6_addr ? AF_INET6 : AF_INET;
			set_ipv6_addr = 0;
			bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
			bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m));
		}
	;
10747c478bd9Sstevel@tonic-gate
/* "pool" keyword: leaves address mode and resets the dictionary. */
pool:
	IPFY_POOL
		{
			yyexpectaddr = 0;
			yycont = NULL;
			yyresetdict();
		}
	;
10777c478bd9Sstevel@tonic-gate
/* "hash" keyword: leaves address mode and resets the dictionary. */
hash:
	IPFY_HASH
		{
			yyexpectaddr = 0;
			yycont = NULL;
			yyresetdict();
		}
	;
10807c478bd9Sstevel@tonic-gate
/*
 * Address list for an inline pool.  Built like addrlist, with one
 * addition: an element written with a leading '!' has al_not set.
 * set_ipv6_addr selects the family of each node and is cleared after
 * each element.
 *
 * NOTE(review): the result of newalist() is used without a NULL check;
 * confirm it cannot fail.
 */
poollist:
	ipaddr
		{
			$$ = newalist(NULL);
			$$->al_family = set_ipv6_addr ? AF_INET6 : AF_INET;
			set_ipv6_addr = 0;
			bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
			bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m));
		}
	| '!' ipaddr
		{
			$$ = newalist(NULL);
			$$->al_not = 1;
			$$->al_family = set_ipv6_addr ? AF_INET6 : AF_INET;
			set_ipv6_addr = 0;
			bcopy(&($2.a), &($$->al_i6addr), sizeof($2.a));
			bcopy(&($2.m), &($$->al_i6mask), sizeof($2.m));
		}
	| poollist ',' ipaddr
		{
			$$ = newalist($1);
			$$->al_family = set_ipv6_addr ? AF_INET6 : AF_INET;
			set_ipv6_addr = 0;
			bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
			bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m));
		}
	| poollist ',' '!' ipaddr
		{
			$$ = newalist($1);
			$$->al_not = 1;
			$$->al_family = set_ipv6_addr ? AF_INET6 : AF_INET;
			set_ipv6_addr = 0;
			bcopy(&($4.a), &($$->al_i6addr), sizeof($4.a));
			bcopy(&($4.m), &($$->al_i6mask), sizeof($4.m));
		}
	;
11197c478bd9Sstevel@tonic-gate
/* "port" keyword: leaves address mode (yyexpectaddr and yycont cleared). */
port:
	IPFY_PORT
		{
			yyexpectaddr = 0;
			yycont = NULL;
		}
	;
11247c478bd9Sstevel@tonic-gate
/*
 * "port" followed by a comparison operator.  The value is the operator
 * code; the generic compare form also clears the dictionary.
 */
portc:
	port compare
		{
			$$ = $2;
			yysetdict(NULL);
		}
	| porteq
		{
			$$ = $1;
		}
	;
11297c478bd9Sstevel@tonic-gate
/* "port =": yields FR_EQUAL and clears the dictionary. */
porteq:
	port '='
		{
			$$ = FR_EQUAL;
			yysetdict(NULL);
		}
	;
11337c478bd9Sstevel@tonic-gate
/*
 * "port" keyword opening a range: leaves address mode and clears the
 * dictionary.
 */
portr:
	IPFY_PORT
		{
			yyexpectaddr = 0;
			yycont = NULL;
			yysetdict(NULL);
		}
	;
11387c478bd9Sstevel@tonic-gate
/* Port comparison: operator code in .pc, port number in .p1. */
portcomp:
	portc portnum
		{
			$$.pc = $1;
			$$.p1 = $2;
			yyresetdict();
		}
	;
11447c478bd9Sstevel@tonic-gate
/*
 * Port range: first port in .p1, range operator code in .pc, second
 * port in .p2.
 */
portrange:
	portr portnum range portnum
		{
			$$.p1 = $2;
			$$.pc = $3;
			$$.p2 = $4;
			yyresetdict();
		}
	;
11517c478bd9Sstevel@tonic-gate
/* Optional ICMP match: a type followed by an (optional) code. */
icmp:
	/* empty */
	| itype icode
	;
11547c478bd9Sstevel@tonic-gate
/*
 * ICMP type: a single type or a bracketed list.  A single type is placed
 * in the high byte of fr_icmp, with mask 0xff00 in fr_icmpm (both via
 * htons()), on every rule in the chain.
 */
itype:
	seticmptype icmptype
		{
			DOALL(
				fr->fr_icmp = htons($2 << 8);
				fr->fr_icmpm = htons(0xff00);
			)
			yyresetdict();
		}
	| seticmptype lstart typelist lend
		{
			yyresetdict();
		}
	;
11617c478bd9Sstevel@tonic-gate
/*
 * ICMP-type keyword: calls setipftype() and installs the icmptypewords
 * dictionary.
 */
seticmptype:
	IPFY_ICMPTYPE
		{
			setipftype();
			yysetdict(icmptypewords);
		}
	;
11667c478bd9Sstevel@tonic-gate
/*
 * Optional ICMP code: a single code or a bracketed list.  A single code
 * is OR-ed into fr_icmp, and 0xff into fr_icmpm (both via htons()), on
 * every rule in the chain.
 */
icode:
	/* empty */
	| seticmpcode icmpcode
		{
			DOALL(
				fr->fr_icmp |= htons($2);
				fr->fr_icmpm |= htons(0xff);
			)
			yyresetdict();
		}
	| seticmpcode lstart codelist lend
		{
			yyresetdict();
		}
	;
11737c478bd9Sstevel@tonic-gate
/* ICMP-code keyword: installs the icmpcodewords dictionary. */
seticmpcode:
	IPFY_ICMPCODE
		{
			yysetdict(icmpcodewords);
		}
	;
11777c478bd9Sstevel@tonic-gate
/*
 * List of ICMP types.  Each element is stored as in itype, on every rule
 * from fr onwards (DOREM).
 */
typelist:
	icmptype
		{
			DOREM(
				fr->fr_icmp = htons($1 << 8);
				fr->fr_icmpm = htons(0xff00);
			)
		}
	| typelist lmore icmptype
		{
			DOREM(
				fr->fr_icmp = htons($3 << 8);
				fr->fr_icmpm = htons(0xff00);
			)
		}
	;
11847c478bd9Sstevel@tonic-gate
/*
 * List of ICMP codes.  Each element is OR-ed in as in icode, on every
 * rule from fr onwards (DOREM).
 */
codelist:
	icmpcode
		{
			DOREM(
				fr->fr_icmp |= htons($1);
				fr->fr_icmpm |= htons(0xff);
			)
		}
	| codelist lmore icmpcode
		{
			DOREM(
				fr->fr_icmp |= htons($3);
				fr->fr_icmpm |= htons(0xff);
			)
		}
	;
11917c478bd9Sstevel@tonic-gate
/*
 * Optional age clause: one number sets both fr_age entries, "a/b" sets
 * them separately.  Applied to every rule in the chain.
 */
age:
	/* empty */
	| IPFY_AGE YY_NUMBER
		{
			DOALL(
				fr->fr_age[0] = $2;
				fr->fr_age[1] = $2;
			)
		}
	| IPFY_AGE YY_NUMBER '/' YY_NUMBER
		{
			DOALL(
				fr->fr_age[0] = $2;
				fr->fr_age[1] = $4;
			)
		}
	;
11987c478bd9Sstevel@tonic-gate
/*
 * Optional "keep" clauses: state, frags, or both in either order, each
 * introduced by its own keep keyword.
 */
keep:
	/* empty */
	| IPFY_KEEP keepstate
	| IPFY_KEEP keepfrag
	| IPFY_KEEP keepstate IPFY_KEEP keepfrag
	| IPFY_KEEP keepfrag IPFY_KEEP keepstate
	;
12047c478bd9Sstevel@tonic-gate
/* "state" with optional options: sets FR_KEEPSTATE on every rule. */
keepstate:
	IPFY_STATE stateoptlist
		{
			DOALL(fr->fr_flags |= FR_KEEPSTATE;)
		}
	;
12087c478bd9Sstevel@tonic-gate
/*
 * "frags" or "frag" with optional options: sets FR_KEEPFRAG on every
 * rule.
 */
keepfrag:
	IPFY_FRAGS fragoptlist
		{
			DOALL(fr->fr_flags |= FR_KEEPFRAG;)
		}
	| IPFY_FRAG fragoptlist
		{
			DOALL(fr->fr_flags |= FR_KEEPFRAG;)
		}
	;
12137c478bd9Sstevel@tonic-gate
/* Optional parenthesised list of fragment options. */
fragoptlist:
	/* empty */
	| '(' fragopts ')'
	;
12177c478bd9Sstevel@tonic-gate
/* One or more fragment options separated by lanother (right-recursive). */
fragopts:
	fragopt lanother fragopts
	| fragopt
	;
12227c478bd9Sstevel@tonic-gate
/* Fragment option "strict": sets FR_FRSTRICT on every rule. */
fragopt:
	IPFY_STRICT
		{
			DOALL(fr->fr_flags |= FR_FRSTRICT;)
		}
	;
12267c478bd9Sstevel@tonic-gate
/* Optional parenthesised list of state options. */
stateoptlist:
	/* empty */
	| '(' stateopts ')'
	;
12307c478bd9Sstevel@tonic-gate
/* One or more state options separated by lanother (right-recursive). */
stateopts:
	stateopt lanother stateopts
	| stateopt
	;
12357c478bd9Sstevel@tonic-gate
/*
 * A single state option, applied to every rule in the chain.  "strict"
 * and the new-ISN option are rejected with YYERROR for any rule whose
 * protocol is not IPPROTO_TCP; the others set a flag or the state limit
 * unconditionally.
 */
stateopt:
	IPFY_LIMIT YY_NUMBER
		{
			DOALL(fr->fr_statemax = $2;)
		}
	| IPFY_STRICT
		{
			DOALL(
				if (fr->fr_proto == IPPROTO_TCP)
					fr->fr_flags |= FR_STSTRICT;
				else
					YYERROR;
			)
		}
	| IPFY_NEWISN
		{
			DOALL(
				if (fr->fr_proto == IPPROTO_TCP)
					fr->fr_flags |= FR_NEWISN;
				else
					YYERROR;
			)
		}
	| IPFY_NOICMPERR
		{
			DOALL(fr->fr_flags |= FR_NOICMPERR;)
		}
	| IPFY_SYNC
		{
			DOALL(fr->fr_flags |= FR_STATESYNC;)
		}
	;
12527c478bd9Sstevel@tonic-gate
/*
 * A port: a service name resolved by getport() against the first rule
 * of the chain and converted with ntohs(), or a number no larger than
 * 65535.  The service name string is always freed.
 *
 * NOTE(review): on either error path `$$` is not assigned here; this is
 * only safe if yyerror() does not return - confirm.
 */
portnum:
	servicename
		{
			if (getport(frc, $1, &($$)) != -1)
				$$ = ntohs($$);
			else
				yyerror("service unknown");
			free($1);
		}
	| YY_NUMBER
		{
			/* The original comment marks this value as unsigned. */
			if ($1 <= 65535)
				$$ = $1;
			else
				yyerror("invalid port number");
		}
	;
12667c478bd9Sstevel@tonic-gate
/* One or more "with" options, separated by whitespace or commas. */
withlist:
	withopt
	| withlist withopt
	| withlist ',' withopt
	;
12727c478bd9Sstevel@tonic-gate
/*
 * A single "with" option.  A plain option type sets its bit in both
 * fr_flx and fr_mflx; a negated one sets only the mask bit in fr_mflx.
 * The IP-option and IPv6-header forms are handled by their own rules
 * and only reset the dictionary here.
 */
withopt:
	opttype
		{
			DOALL(
				fr->fr_flx |= $1;
				fr->fr_mflx |= $1;
			)
		}
	| notwith opttype
		{
			DOALL(fr->fr_mflx |= $2;)
		}
	| ipopt ipopts
		{
			yyresetdict();
		}
	| notwith ipopt ipopts
		{
			yyresetdict();
		}
	| startv6hdrs ipv6hdrs
		{
			yyresetdict();
		}
	;
1281ab25eeb5Syz155240
/* IP-option keyword: installs the ipv4optwords dictionary. */
ipopt:
	IPFY_OPT
		{
			yysetdict(ipv4optwords);
		}
	;
12847c478bd9Sstevel@tonic-gate
/*
 * IPv6 header keyword: reports an error when IPv6 is not in use
 * (use_inet6 == 0), then installs the ipv6optwords dictionary.
 */
startv6hdrs:
	IPF6_V6HDRS
		{
			if (use_inet6 == 0)
				yyerror("only available with IPv6");
			yysetdict(ipv6optwords);
		}
	;
12917c478bd9Sstevel@tonic-gate
/* Negation keyword inside a "with" list: sets nowith. */
notwith:
	IPFY_NOT
		{
			nowith = 1;
		}
	| IPFY_NO
		{
			nowith = 1;
		}
	;
12967c478bd9Sstevel@tonic-gate
/*
 * Maps each "with" keyword to its FI_* flag bit.  IPFY_FRAG and
 * IPFY_FRAGS both yield FI_FRAG.
 */
opttype:
	IPFY_IPOPTS
		{ $$ = FI_OPTIONS; }
	| IPFY_SHORT
		{ $$ = FI_SHORT; }
	| IPFY_NAT
		{ $$ = FI_NATED; }
	| IPFY_BAD
		{ $$ = FI_BAD; }
	| IPFY_BADNAT
		{ $$ = FI_BADNAT; }
	| IPFY_BADSRC
		{ $$ = FI_BADSRC; }
	| IPFY_LOWTTL
		{ $$ = FI_LOWTTL; }
	| IPFY_FRAG
		{ $$ = FI_FRAG; }
	| IPFY_FRAGBODY
		{ $$ = FI_FRAGBODY; }
	| IPFY_FRAGS
		{ $$ = FI_FRAG; }
	| IPFY_MBCAST
		{ $$ = FI_MBCAST; }
	| IPFY_MULTICAST
		{ $$ = FI_MULTICAST; }
	| IPFY_BROADCAST
		{ $$ = FI_BROADCAST; }
	| IPFY_STATE
		{ $$ = FI_STATE; }
	| IPFY_OOW
		{ $$ = FI_OOW; }
	;
13147c478bd9Sstevel@tonic-gate
/*
 * ipopts: applies the collected IPv4 option bits to every rule in the frc
 * chain. The bits always go into the option mask (fr_mip.fi_optmsk); they go
 * into the option value (fr_ip.fi_optmsk) only when nowith is not set.
 */
ipopts:	optlist		{ DOALL(fr->fr_mip.fi_optmsk |= $1;
				if (!nowith)
					fr->fr_ip.fi_optmsk |= $1;)
			}
	;

/*
 * optlist: comma-separated option names, ORed into one bit set.
 * NOTE(review): both actions read $$ before assigning it; this relies on the
 * parser generator seeding $$ with $1 before the action runs.
 */
optlist:
	opt				{ $$ |= $1; }
	| optlist ',' opt		{ $$ |= $1 | $3; }
	;
13257c478bd9Sstevel@tonic-gate
/*
 * ipv6hdrs: applies the collected IPv6 header bits to every rule in the frc
 * chain, using the same fields and the same nowith test as ipopts.
 */
ipv6hdrs:
	ipv6hdrlist	{ DOALL(fr->fr_mip.fi_optmsk |= $1;
				if (!nowith)
					fr->fr_ip.fi_optmsk |= $1;)
			}
	;

/*
 * ipv6hdrlist: comma-separated header names, ORed into one bit set.
 * NOTE(review): $$ is read before it is assigned; relies on the generator
 * seeding $$ with $1.
 */
ipv6hdrlist:
	ipv6hdr				{ $$ |= $1; }
	| ipv6hdrlist ',' ipv6hdr	{ $$ |= $1 | $3; }
	;
13377c478bd9Sstevel@tonic-gate
/*
 * secname: comma-separated security class names, ORed into one bit set.
 * NOTE(review): $$ is read before it is assigned; relies on the generator
 * seeding $$ with $1.
 */
secname:
	seclevel			{ $$ |= $1; }
	| secname ',' seclevel		{ $$ |= $1 | $3; }
	;

/*
 * seclevel: maps a security class keyword to the value secbit() returns for
 * the matching IPSO_CLASS_* constant.
 */
seclevel:
	IPFY_SEC_UNC			{ $$ = secbit(IPSO_CLASS_UNCL); }
	| IPFY_SEC_CONF			{ $$ = secbit(IPSO_CLASS_CONF); }
	| IPFY_SEC_RSV1			{ $$ = secbit(IPSO_CLASS_RES1); }
	| IPFY_SEC_RSV2			{ $$ = secbit(IPSO_CLASS_RES2); }
	| IPFY_SEC_RSV3			{ $$ = secbit(IPSO_CLASS_RES3); }
	| IPFY_SEC_RSV4			{ $$ = secbit(IPSO_CLASS_RES4); }
	| IPFY_SEC_SEC			{ $$ = secbit(IPSO_CLASS_SECR); }
	| IPFY_SEC_TS			{ $$ = secbit(IPSO_CLASS_TOPS); }
	;
13537c478bd9Sstevel@tonic-gate
/*
 * icmptype: an ICMP type given as a number or as one of the keywords in
 * icmptypewords.
 * NOTE(review): the numeric form is passed through without a range check in
 * this rule (compare portnum); confirm the consumer rejects values that do
 * not fit the ICMP type field.
 */
icmptype:
	YY_NUMBER			{ $$ = $1; }
	| IPFY_ICMPT_UNR		{ $$ = ICMP_UNREACH; }
	| IPFY_ICMPT_ECHO		{ $$ = ICMP_ECHO; }
	| IPFY_ICMPT_ECHOR		{ $$ = ICMP_ECHOREPLY; }
	| IPFY_ICMPT_SQUENCH		{ $$ = ICMP_SOURCEQUENCH; }
	| IPFY_ICMPT_REDIR		{ $$ = ICMP_REDIRECT; }
	| IPFY_ICMPT_TIMEX		{ $$ = ICMP_TIMXCEED; }
	| IPFY_ICMPT_PARAMP		{ $$ = ICMP_PARAMPROB; }
	| IPFY_ICMPT_TIMEST		{ $$ = ICMP_TSTAMP; }
	| IPFY_ICMPT_TIMESTREP		{ $$ = ICMP_TSTAMPREPLY; }
	| IPFY_ICMPT_INFOREQ		{ $$ = ICMP_IREQ; }
	| IPFY_ICMPT_INFOREP		{ $$ = ICMP_IREQREPLY; }
	| IPFY_ICMPT_MASKREQ		{ $$ = ICMP_MASKREQ; }
	| IPFY_ICMPT_MASKREP		{ $$ = ICMP_MASKREPLY; }
	| IPFY_ICMPT_ROUTERAD		{ $$ = ICMP_ROUTERADVERT; }
	| IPFY_ICMPT_ROUTERSOL		{ $$ = ICMP_ROUTERSOLICIT; }
	;
13727c478bd9Sstevel@tonic-gate
/*
 * icmpcode: an ICMP code given as a number or as one of the keywords in
 * icmpcodewords. The last two keywords use the literals 14 and 15 instead of
 * named constants.
 * NOTE(review): the numeric form is passed through without a range check in
 * this rule; confirm the consumer rejects values that do not fit the ICMP
 * code field.
 */
icmpcode:
	YY_NUMBER			{ $$ = $1; }
	| IPFY_ICMPC_NETUNR		{ $$ = ICMP_UNREACH_NET; }
	| IPFY_ICMPC_HSTUNR		{ $$ = ICMP_UNREACH_HOST; }
	| IPFY_ICMPC_PROUNR		{ $$ = ICMP_UNREACH_PROTOCOL; }
	| IPFY_ICMPC_PORUNR		{ $$ = ICMP_UNREACH_PORT; }
	| IPFY_ICMPC_NEEDF		{ $$ = ICMP_UNREACH_NEEDFRAG; }
	| IPFY_ICMPC_SRCFAIL		{ $$ = ICMP_UNREACH_SRCFAIL; }
	| IPFY_ICMPC_NETUNK		{ $$ = ICMP_UNREACH_NET_UNKNOWN; }
	| IPFY_ICMPC_HSTUNK		{ $$ = ICMP_UNREACH_HOST_UNKNOWN; }
	| IPFY_ICMPC_ISOLATE		{ $$ = ICMP_UNREACH_ISOLATED; }
	| IPFY_ICMPC_NETPRO		{ $$ = ICMP_UNREACH_NET_PROHIB; }
	| IPFY_ICMPC_HSTPRO		{ $$ = ICMP_UNREACH_HOST_PROHIB; }
	| IPFY_ICMPC_NETTOS		{ $$ = ICMP_UNREACH_TOSNET; }
	| IPFY_ICMPC_HSTTOS		{ $$ = ICMP_UNREACH_TOSHOST; }
	| IPFY_ICMPC_FLTPRO		{ $$ = ICMP_UNREACH_ADMIN_PROHIBIT; }
	| IPFY_ICMPC_HSTPRE		{ $$ = 14; }
	| IPFY_ICMPC_CUTPRE		{ $$ = 15; }
	;
13927c478bd9Sstevel@tonic-gate
/*
 * opt: one IPv4 option name, turned into the value getoptbyvalue() returns
 * for the matching IPOPT_* constant.
 * The last alternative is different: a security-class list contributes no
 * option bits ($$ = 0). It writes the class bits into fi_secmsk of every rule
 * in the frc chain instead (mask always, value only when nowith is not set),
 * then calls yyresetdict().
 */
opt:
	IPFY_IPOPT_NOP			{ $$ = getoptbyvalue(IPOPT_NOP); }
	| IPFY_IPOPT_RR			{ $$ = getoptbyvalue(IPOPT_RR); }
	| IPFY_IPOPT_ZSU		{ $$ = getoptbyvalue(IPOPT_ZSU); }
	| IPFY_IPOPT_MTUP		{ $$ = getoptbyvalue(IPOPT_MTUP); }
	| IPFY_IPOPT_MTUR		{ $$ = getoptbyvalue(IPOPT_MTUR); }
	| IPFY_IPOPT_ENCODE		{ $$ = getoptbyvalue(IPOPT_ENCODE); }
	| IPFY_IPOPT_TS			{ $$ = getoptbyvalue(IPOPT_TS); }
	| IPFY_IPOPT_TR			{ $$ = getoptbyvalue(IPOPT_TR); }
	| IPFY_IPOPT_SEC		{ $$ = getoptbyvalue(IPOPT_SECURITY); }
	| IPFY_IPOPT_LSRR		{ $$ = getoptbyvalue(IPOPT_LSRR); }
	| IPFY_IPOPT_ESEC		{ $$ = getoptbyvalue(IPOPT_E_SEC); }
	| IPFY_IPOPT_CIPSO		{ $$ = getoptbyvalue(IPOPT_CIPSO); }
	| IPFY_IPOPT_SATID		{ $$ = getoptbyvalue(IPOPT_SATID); }
	| IPFY_IPOPT_SSRR		{ $$ = getoptbyvalue(IPOPT_SSRR); }
	| IPFY_IPOPT_ADDEXT		{ $$ = getoptbyvalue(IPOPT_ADDEXT); }
	| IPFY_IPOPT_VISA		{ $$ = getoptbyvalue(IPOPT_VISA); }
	| IPFY_IPOPT_IMITD		{ $$ = getoptbyvalue(IPOPT_IMITD); }
	| IPFY_IPOPT_EIP		{ $$ = getoptbyvalue(IPOPT_EIP); }
	| IPFY_IPOPT_FINN		{ $$ = getoptbyvalue(IPOPT_FINN); }
	| IPFY_IPOPT_DPS		{ $$ = getoptbyvalue(IPOPT_DPS); }
	| IPFY_IPOPT_SDB		{ $$ = getoptbyvalue(IPOPT_SDB); }
	| IPFY_IPOPT_NSAPA		{ $$ = getoptbyvalue(IPOPT_NSAPA); }
	| IPFY_IPOPT_RTRALRT		{ $$ = getoptbyvalue(IPOPT_RTRALRT); }
	| IPFY_IPOPT_UMP		{ $$ = getoptbyvalue(IPOPT_UMP); }
	| setsecclass secname
			{ DOALL(fr->fr_mip.fi_secmsk |= $2;
				if (!nowith)
					fr->fr_ip.fi_secmsk |= $2;)
			  $$ = 0;
			  yyresetdict();
			}
	;
14267c478bd9Sstevel@tonic-gate
/*
 * setsecclass: the keyword that introduces a security class list; it installs
 * ipv4secwords with yysetdict() before the class names are read.
 */
setsecclass:
	IPFY_SECCLASS	{ yysetdict(ipv4secwords); }
	;
1430ab25eeb5Syz155240
/*
 * ipv6hdr: one IPv6 extension header name, turned into the value
 * getv6optbyvalue() returns for the matching IPPROTO_* constant.
 */
ipv6hdr:
	IPFY_AH			{ $$ = getv6optbyvalue(IPPROTO_AH); }
	| IPFY_IPV6OPT_DSTOPTS	{ $$ = getv6optbyvalue(IPPROTO_DSTOPTS); }
	| IPFY_ESP		{ $$ = getv6optbyvalue(IPPROTO_ESP); }
	| IPFY_IPV6OPT_HOPOPTS	{ $$ = getv6optbyvalue(IPPROTO_HOPOPTS); }
	| IPFY_IPV6OPT_IPV6	{ $$ = getv6optbyvalue(IPPROTO_IPV6); }
	| IPFY_IPV6OPT_NONE	{ $$ = getv6optbyvalue(IPPROTO_NONE); }
	| IPFY_IPV6OPT_ROUTING	{ $$ = getv6optbyvalue(IPPROTO_ROUTING); }
	| IPFY_FRAG		{ $$ = getv6optbyvalue(IPPROTO_FRAGMENT); }
	;
14417c478bd9Sstevel@tonic-gate
/*
 * level: the "level" keyword; calls setsyslog() before the facility and
 * priority names are read.
 */
level:	IPFY_LEVEL			{ setsyslog(); }
	;

/*
 * loglevel: a syslog priority, optionally prefixed with "facility.".
 * Without a facility the priority is combined with LOG_LOCAL0.
 * NOTE(review): the value is stored through fr only, not through DOALL as the
 * with-conditions do - confirm that is intended when frc holds several rules.
 */
loglevel:
	priority			{ fr->fr_loglevel = LOG_LOCAL0|$1; }
	| facility '.' priority		{ fr->fr_loglevel = $1 | $3; }
	;
14497c478bd9Sstevel@tonic-gate
/*
 * facility: maps a facility keyword to its LOG_* constant.
 * NOTE(review): logwords also defines "console" (IPFY_FAC_CONSOLE), but this
 * rule has no alternative for that token, so that keyword cannot be accepted
 * here.
 */
facility:
	IPFY_FAC_KERN			{ $$ = LOG_KERN; }
	| IPFY_FAC_USER			{ $$ = LOG_USER; }
	| IPFY_FAC_MAIL			{ $$ = LOG_MAIL; }
	| IPFY_FAC_DAEMON		{ $$ = LOG_DAEMON; }
	| IPFY_FAC_AUTH			{ $$ = LOG_AUTH; }
	| IPFY_FAC_SYSLOG		{ $$ = LOG_SYSLOG; }
	| IPFY_FAC_LPR			{ $$ = LOG_LPR; }
	| IPFY_FAC_NEWS			{ $$ = LOG_NEWS; }
	| IPFY_FAC_UUCP			{ $$ = LOG_UUCP; }
	| IPFY_FAC_CRON			{ $$ = LOG_CRON; }
	| IPFY_FAC_FTP			{ $$ = LOG_FTP; }
	| IPFY_FAC_AUTHPRIV		{ $$ = LOG_AUTHPRIV; }
	| IPFY_FAC_AUDIT		{ $$ = LOG_AUDIT; }
	| IPFY_FAC_LFMT			{ $$ = LOG_LFMT; }
	| IPFY_FAC_LOCAL0		{ $$ = LOG_LOCAL0; }
	| IPFY_FAC_LOCAL1		{ $$ = LOG_LOCAL1; }
	| IPFY_FAC_LOCAL2		{ $$ = LOG_LOCAL2; }
	| IPFY_FAC_LOCAL3		{ $$ = LOG_LOCAL3; }
	| IPFY_FAC_LOCAL4		{ $$ = LOG_LOCAL4; }
	| IPFY_FAC_LOCAL5		{ $$ = LOG_LOCAL5; }
	| IPFY_FAC_LOCAL6		{ $$ = LOG_LOCAL6; }
	| IPFY_FAC_LOCAL7		{ $$ = LOG_LOCAL7; }
	| IPFY_FAC_SECURITY		{ $$ = LOG_SECURITY; }
	;
14757c478bd9Sstevel@tonic-gate
/*
 * priority: maps a priority keyword to its LOG_* constant.
 */
priority:
	IPFY_PRI_EMERG			{ $$ = LOG_EMERG; }
	| IPFY_PRI_ALERT		{ $$ = LOG_ALERT; }
	| IPFY_PRI_CRIT			{ $$ = LOG_CRIT; }
	| IPFY_PRI_ERR			{ $$ = LOG_ERR; }
	| IPFY_PRI_WARN			{ $$ = LOG_WARNING; }
	| IPFY_PRI_NOTICE		{ $$ = LOG_NOTICE; }
	| IPFY_PRI_INFO			{ $$ = LOG_INFO; }
	| IPFY_PRI_DEBUG		{ $$ = LOG_DEBUG; }
	;
14867c478bd9Sstevel@tonic-gate
/*
 * compare: maps a comparison token to its FR_* comparison code.
 */
compare:
	YY_CMP_EQ			{ $$ = FR_EQUAL; }
	| YY_CMP_NE			{ $$ = FR_NEQUAL; }
	| YY_CMP_LT			{ $$ = FR_LESST; }
	| YY_CMP_LE			{ $$ = FR_LESSTE; }
	| YY_CMP_GT			{ $$ = FR_GREATERT; }
	| YY_CMP_GE			{ $$ = FR_GREATERTE; }
	;

/*
 * range: maps a range token, or a bare ':', to its FR_* range code.
 */
range:	YY_RANGE_IN			{ $$ = FR_INRANGE; }
	| YY_RANGE_OUT			{ $$ = FR_OUTRANGE; }
	| ':'				{ $$ = FR_INCRANGE; }
	;
15007c478bd9Sstevel@tonic-gate
/*
 * servicename: a string token passed through unchanged. portnum frees the
 * string after looking it up.
 */
servicename:
	YY_STR				{ $$ = $1; }
	;
15047c478bd9Sstevel@tonic-gate
/*
 * interfacename: an interface name, optionally written as name:number.
 * The ":number" part is not used: the value is the bare name in $1 and a
 * warning goes to stderr, so a rule written for a logical interface is
 * attached to the physical interface instead. Parsing continues after the
 * warning.
 */
interfacename:	YY_STR			{ $$ = $1; }
	| YY_STR ':' YY_NUMBER
		{ $$ = $1;
		  fprintf(stderr, "%d: Logical interface %s:%d unsupported, "
			  "use the physical interface %s instead.\n",
			  yylineNum, $1, $3, $1);
		}
	;
15137c478bd9Sstevel@tonic-gate
/*
 * name: a string token passed through unchanged.
 */
name:	YY_STR				{ $$ = $1; }
	;
15167c478bd9Sstevel@tonic-gate
/*
 * ipv4_16: the first two octets of a dotted IPv4 address ("a.b").
 * Each octet must be at most 255; the result is stored via htonl() with the
 * two low octets zero.
 * NOTE(review): "return 0" leaves yyparse() directly with its success value
 * instead of going through YYABORT/YYERROR; this matters only if yyerror()
 * returns - confirm.
 * NOTE(review): $1 << 24 overflows a signed int once $1 is 128 or more; it is
 * well defined only if YY_NUMBER has an unsigned 32-bit type - confirm in
 * %union.
 */
ipv4_16:
	YY_NUMBER '.' YY_NUMBER
		{ if ($1 > 255 || $3 > 255) {
			yyerror("Invalid octet string for IP address");
			return 0;
		  }
		  $$.s_addr = ($1 << 24) | ($3 << 16);
		  $$.s_addr = htonl($$.s_addr);
		}
	;
1527ab25eeb5Syz155240
/*
 * ipv4_24: extends an ipv4_16 value with a third octet ("a.b.c").
 * The action ORs into $$ without assigning it first, so it relies on the
 * parser generator seeding $$ with $1.
 * NOTE(review): "return 0" leaves yyparse() directly with its success value;
 * this matters only if yyerror() returns - confirm.
 */
ipv4_24:
	ipv4_16 '.' YY_NUMBER
		{ if ($3 > 255) {
			yyerror("Invalid octet string for IP address");
			return 0;
		  }
		  $$.s_addr |= htonl($3 << 8);
		}
	;
1537ab25eeb5Syz155240
/*
 * ipv4: a dotted IPv4 address of four, three or two octets.
 * The two shorter forms have no action and leave the missing low octets at
 * zero, as ipv4_16 stored them. The four-octet action ORs into $$ without
 * assigning it first, so it relies on the generator seeding $$ with $1.
 * NOTE(review): "return 0" leaves yyparse() directly with its success value;
 * this matters only if yyerror() returns - confirm.
 */
ipv4:	ipv4_24 '.' YY_NUMBER
		{ if ($3 > 255) {
			yyerror("Invalid octet string for IP address");
			return 0;
		  }
		  $$.s_addr |= htonl($3);
		}
	| ipv4_24
	| ipv4_16
	;
1548ab25eeb5Syz155240
15497c478bd9Sstevel@tonic-gate %%
15507c478bd9Sstevel@tonic-gate
15517c478bd9Sstevel@tonic-gate
/*
 * Main keyword table: maps rule-file keywords to parser tokens.
 * ipf_parsefile() installs it with yysettab(). The list ends with a
 * { NULL, 0 } entry; the declared size of 96 is larger than the number of
 * initialisers, so the remaining slots are zero-filled.
 * Some keywords share a token: "age"/"state-age", "ipopt"/"ipopts" and
 * "mcast"/"multicast".
 */
static	struct	wordtab ipfwords[96] = {
	{ "age",			IPFY_AGE },
	{ "ah",				IPFY_AH },
	{ "all",			IPFY_ALL },
	{ "and",			IPFY_AND },
	{ "auth",			IPFY_AUTH },
	{ "bad",			IPFY_BAD },
	{ "bad-nat",			IPFY_BADNAT },
	{ "bad-src",			IPFY_BADSRC },
	{ "bcast",			IPFY_BROADCAST },
	{ "block",			IPFY_BLOCK },
	{ "body",			IPFY_BODY },
	{ "bpf-v4",			IPFY_BPFV4 },
#ifdef USE_INET6
	{ "bpf-v6",			IPFY_BPFV6 },
#endif
	{ "call",			IPFY_CALL },
	{ "code",			IPFY_ICMPCODE },
	{ "count",			IPFY_COUNT },
	{ "dup-to",			IPFY_DUPTO },
	{ "eq",				YY_CMP_EQ },
	{ "esp",			IPFY_ESP },
	{ "fastroute",			IPFY_FROUTE },
	{ "first",			IPFY_FIRST },
	{ "flags",			IPFY_FLAGS },
	{ "frag",			IPFY_FRAG },
	{ "frag-body",			IPFY_FRAGBODY },
	{ "frags",			IPFY_FRAGS },
	{ "from",			IPFY_FROM },
	{ "ge",				YY_CMP_GE },
	{ "group",			IPFY_GROUP },
	{ "gt",				YY_CMP_GT },
	{ "head",			IPFY_HEAD },
	{ "icmp",			IPFY_ICMP },
	{ "icmp-type",			IPFY_ICMPTYPE },
	{ "in",				IPFY_IN },
	{ "in-via",			IPFY_INVIA },
	{ "intercept_loopback",		IPFY_SET_LOOPBACK },
	{ "ipopt",			IPFY_IPOPTS },
	{ "ipopts",			IPFY_IPOPTS },
	{ "keep",			IPFY_KEEP },
	{ "le",				YY_CMP_LE },
	{ "level",			IPFY_LEVEL },
	{ "limit",			IPFY_LIMIT },
	{ "log",			IPFY_LOG },
	{ "lowttl",			IPFY_LOWTTL },
	{ "lt",				YY_CMP_LT },
	{ "mask",			IPFY_MASK },
	{ "match-tag",			IPFY_MATCHTAG },
	{ "mbcast",			IPFY_MBCAST },
	{ "mcast",			IPFY_MULTICAST },
	{ "multicast",			IPFY_MULTICAST },
	{ "nat",			IPFY_NAT },
	{ "ne",				YY_CMP_NE },
	{ "net",			IPFY_NETWORK },
	{ "newisn",			IPFY_NEWISN },
	{ "no",				IPFY_NO },
	{ "no-icmp-err",		IPFY_NOICMPERR },
	{ "now",			IPFY_NOW },
	{ "not",			IPFY_NOT },
	{ "oow",			IPFY_OOW },
	{ "on",				IPFY_ON },
	{ "opt",			IPFY_OPT },
	{ "or-block",			IPFY_ORBLOCK },
	{ "out",			IPFY_OUT },
	{ "out-via",			IPFY_OUTVIA },
	{ "pass",			IPFY_PASS },
	{ "port",			IPFY_PORT },
	{ "pps",			IPFY_PPS },
	{ "preauth",			IPFY_PREAUTH },
	{ "proto",			IPFY_PROTO },
	{ "quick",			IPFY_QUICK },
	{ "reply-to",			IPFY_REPLY_TO },
	{ "return-icmp",		IPFY_RETICMP },
	{ "return-icmp-as-dest",	IPFY_RETICMPASDST },
	{ "return-rst",			IPFY_RETRST },
	{ "route-to",			IPFY_ROUTETO },
	{ "sec-class",			IPFY_SECCLASS },
	{ "set-tag",			IPFY_SETTAG },
	{ "set",			IPFY_SET },
	{ "skip",			IPFY_SKIP },
	{ "short",			IPFY_SHORT },
	{ "state",			IPFY_STATE },
	{ "state-age",			IPFY_AGE },
	{ "strict",			IPFY_STRICT },
	{ "sync",			IPFY_SYNC },
	{ "tcp",			IPFY_TCP },
	{ "tcp-udp",			IPFY_TCPUDP },
	{ "tos",			IPFY_TOS },
	{ "to",				IPFY_TO },
	{ "ttl",			IPFY_TTL },
	{ "udp",			IPFY_UDP },
	{ "v6hdrs",			IPF6_V6HDRS },
	{ "with",			IPFY_WITH },
	{ NULL,				0 }
};
16487c478bd9Sstevel@tonic-gate
/*
 * Keywords accepted where an address is expected; NULL-terminated.
 * Where this table is installed is not shown in this part of the file.
 */
static	struct	wordtab	addrwords[4] = {
	{ "any",			IPFY_ANY },
	{ "hash",			IPFY_HASH },
	{ "pool",			IPFY_POOL },
	{ NULL,				0 }
};
16557c478bd9Sstevel@tonic-gate
/*
 * Keywords accepted where a mask is expected; NULL-terminated.
 * Where this table is installed is not shown in this part of the file.
 */
static	struct	wordtab	maskwords[5] = {
	{ "broadcast",			IPFY_BROADCAST },
	{ "netmasked",			IPFY_NETMASKED },
	{ "network",			IPFY_NETWORK },
	{ "peer",			IPFY_PEER },
	{ NULL,				0 }
};
16637c478bd9Sstevel@tonic-gate
/*
 * ICMP type keywords; each token has a matching alternative in the icmptype
 * rule. NULL-terminated.
 */
static	struct	wordtab icmptypewords[16] = {
	{ "echo",			IPFY_ICMPT_ECHO },
	{ "echorep",			IPFY_ICMPT_ECHOR },
	{ "inforeq",			IPFY_ICMPT_INFOREQ },
	{ "inforep",			IPFY_ICMPT_INFOREP },
	{ "maskrep",			IPFY_ICMPT_MASKREP },
	{ "maskreq",			IPFY_ICMPT_MASKREQ },
	{ "paramprob",			IPFY_ICMPT_PARAMP },
	{ "redir",			IPFY_ICMPT_REDIR },
	{ "unreach",			IPFY_ICMPT_UNR },
	{ "routerad",			IPFY_ICMPT_ROUTERAD },
	{ "routersol",			IPFY_ICMPT_ROUTERSOL },
	{ "squench",			IPFY_ICMPT_SQUENCH },
	{ "timest",			IPFY_ICMPT_TIMEST },
	{ "timestrep",			IPFY_ICMPT_TIMESTREP },
	{ "timex",			IPFY_ICMPT_TIMEX },
	{ NULL,				0 },
};
16827c478bd9Sstevel@tonic-gate
/*
 * ICMP code keywords; each token has a matching alternative in the icmpcode
 * rule. NULL-terminated.
 */
static	struct	wordtab icmpcodewords[17] = {
	{ "cutoff-preced",		IPFY_ICMPC_CUTPRE },
	{ "filter-prohib",		IPFY_ICMPC_FLTPRO },
	{ "isolate",			IPFY_ICMPC_ISOLATE },
	{ "needfrag",			IPFY_ICMPC_NEEDF },
	{ "net-prohib",			IPFY_ICMPC_NETPRO },
	{ "net-tos",			IPFY_ICMPC_NETTOS },
	{ "host-preced",		IPFY_ICMPC_HSTPRE },
	{ "host-prohib",		IPFY_ICMPC_HSTPRO },
	{ "host-tos",			IPFY_ICMPC_HSTTOS },
	{ "host-unk",			IPFY_ICMPC_HSTUNK },
	{ "host-unr",			IPFY_ICMPC_HSTUNR },
	{ "net-unk",			IPFY_ICMPC_NETUNK },
	{ "net-unr",			IPFY_ICMPC_NETUNR },
	{ "port-unr",			IPFY_ICMPC_PORUNR },
	{ "proto-unr",			IPFY_ICMPC_PROUNR },
	{ "srcfail",			IPFY_ICMPC_SRCFAIL },
	{ NULL,				0 },
};
17027c478bd9Sstevel@tonic-gate
/*
 * IPv4 option names; installed by the ipopt rule with yysetdict() and
 * consumed by the opt rule. NULL-terminated.
 */
static	struct	wordtab ipv4optwords[25] = {
	{ "addext",			IPFY_IPOPT_ADDEXT },
	{ "cipso",			IPFY_IPOPT_CIPSO },
	{ "dps",			IPFY_IPOPT_DPS },
	{ "e-sec",			IPFY_IPOPT_ESEC },
	{ "eip",			IPFY_IPOPT_EIP },
	{ "encode",			IPFY_IPOPT_ENCODE },
	{ "finn",			IPFY_IPOPT_FINN },
	{ "imitd",			IPFY_IPOPT_IMITD },
	{ "lsrr",			IPFY_IPOPT_LSRR },
	{ "mtup",			IPFY_IPOPT_MTUP },
	{ "mtur",			IPFY_IPOPT_MTUR },
	{ "nop",			IPFY_IPOPT_NOP },
	{ "nsapa",			IPFY_IPOPT_NSAPA },
	{ "rr",				IPFY_IPOPT_RR },
	{ "rtralrt",			IPFY_IPOPT_RTRALRT },
	{ "satid",			IPFY_IPOPT_SATID },
	{ "sdb",			IPFY_IPOPT_SDB },
	{ "sec",			IPFY_IPOPT_SEC },
	{ "ssrr",			IPFY_IPOPT_SSRR },
	{ "tr",				IPFY_IPOPT_TR },
	{ "ts",				IPFY_IPOPT_TS },
	{ "ump",			IPFY_IPOPT_UMP },
	{ "visa",			IPFY_IPOPT_VISA },
	{ "zsu",			IPFY_IPOPT_ZSU },
	{ NULL,				0 },
};
1730ab25eeb5Syz155240
/*
 * IPv4 security class names; installed by the setsecclass rule with
 * yysetdict() and consumed by the seclevel rule. NULL-terminated.
 */
static	struct	wordtab ipv4secwords[9] = {
	{ "confid",			IPFY_SEC_CONF },
	{ "reserv-1",			IPFY_SEC_RSV1 },
	{ "reserv-2",			IPFY_SEC_RSV2 },
	{ "reserv-3",			IPFY_SEC_RSV3 },
	{ "reserv-4",			IPFY_SEC_RSV4 },
	{ "secret",			IPFY_SEC_SEC },
	{ "topsecret",			IPFY_SEC_TS },
	{ "unclass",			IPFY_SEC_UNC },
	{ NULL,				0 },
};
1742ab25eeb5Syz155240
/*
 * IPv6 extension header names; installed by the startv6hdrs rule with
 * yysetdict() and consumed by the ipv6hdr rule. NULL-terminated.
 * The ipv6hdr rule also accepts IPFY_AH, whose keyword "ah" is defined in
 * ipfwords rather than here.
 */
static	struct	wordtab ipv6optwords[8] = {
	{ "dstopts",			IPFY_IPV6OPT_DSTOPTS },
	{ "esp",			IPFY_ESP },
	{ "frag",			IPFY_FRAG },
	{ "hopopts",			IPFY_IPV6OPT_HOPOPTS },
	{ "ipv6",			IPFY_IPV6OPT_IPV6 },
	{ "none",			IPFY_IPV6OPT_NONE },
	{ "routing",			IPFY_IPV6OPT_ROUTING },
	{ NULL,				0 },
};
1753ab25eeb5Syz155240
/*
 * syslog facility and priority names used by the loglevel rules;
 * NULL-terminated.
 * NOTE(review): "console" maps to IPFY_FAC_CONSOLE, but the facility rule has
 * no alternative for that token, so the keyword is recognised by the lexer
 * and then rejected by the grammar.
 */
static	struct	wordtab logwords[33] = {
	{ "kern",			IPFY_FAC_KERN },
	{ "user",			IPFY_FAC_USER },
	{ "mail",			IPFY_FAC_MAIL },
	{ "daemon",			IPFY_FAC_DAEMON },
	{ "auth",			IPFY_FAC_AUTH },
	{ "syslog",			IPFY_FAC_SYSLOG },
	{ "lpr",			IPFY_FAC_LPR },
	{ "news",			IPFY_FAC_NEWS },
	{ "uucp",			IPFY_FAC_UUCP },
	{ "cron",			IPFY_FAC_CRON },
	{ "ftp",			IPFY_FAC_FTP },
	{ "authpriv",			IPFY_FAC_AUTHPRIV },
	{ "audit",			IPFY_FAC_AUDIT },
	{ "logalert",			IPFY_FAC_LFMT },
	{ "console",			IPFY_FAC_CONSOLE },
	{ "security",			IPFY_FAC_SECURITY },
	{ "local0",			IPFY_FAC_LOCAL0 },
	{ "local1",			IPFY_FAC_LOCAL1 },
	{ "local2",			IPFY_FAC_LOCAL2 },
	{ "local3",			IPFY_FAC_LOCAL3 },
	{ "local4",			IPFY_FAC_LOCAL4 },
	{ "local5",			IPFY_FAC_LOCAL5 },
	{ "local6",			IPFY_FAC_LOCAL6 },
	{ "local7",			IPFY_FAC_LOCAL7 },
	{ "emerg",			IPFY_PRI_EMERG },
	{ "alert",			IPFY_PRI_ALERT },
	{ "crit",			IPFY_PRI_CRIT },
	{ "err",			IPFY_PRI_ERR },
	{ "warn",			IPFY_PRI_WARN },
	{ "notice",			IPFY_PRI_NOTICE },
	{ "info",			IPFY_PRI_INFO },
	{ "debug",			IPFY_PRI_DEBUG },
	{ NULL,				0 },
};
17897c478bd9Sstevel@tonic-gate
17907c478bd9Sstevel@tonic-gate
17917c478bd9Sstevel@tonic-gate
17927c478bd9Sstevel@tonic-gate
/*
 * Parse a complete rule file, or standard input when filename is "-".
 *
 * Resets the line counter, installs the main keyword table, takes the parser
 * debug level from the YYDEBUG environment variable (0 when unset), then
 * calls ipf_parsesome() until it stops returning 1.
 *
 * Returns -1 if the file cannot be opened and 0 otherwise. The 0 does not
 * mean the rules were accepted: ipf_parsesome() discards the yyparse()
 * result, so callers learn nothing about syntax errors from this value.
 * The stream is closed before returning, and that includes stdin.
 */
int ipf_parsefile(fd, addfunc, iocfuncs, filename)
int fd;
addfunc_t addfunc;
ioctlfunc_t *iocfuncs;
char *filename;
{
	FILE *in = NULL;
	char *dbg;

	yylineNum = 1;
	yysettab(ipfwords);

	dbg = getenv("YYDEBUG");
	yydebug = (dbg != NULL) ? atoi(dbg) : 0;

	if (strcmp(filename, "-") == 0) {
		in = stdin;
	} else {
		in = fopen(filename, "r");
		if (in == NULL) {
			fprintf(stderr, "fopen(%s) failed: %s\n", filename,
				STRERROR(errno));
			return -1;
		}
	}

	/* One call per parser run; 1 means there may be more input. */
	for (;;) {
		if (ipf_parsesome(fd, addfunc, iocfuncs, in) != 1)
			break;
	}

	if (in != NULL)
		fclose(in);
	return 0;
}
18277c478bd9Sstevel@tonic-gate
18287c478bd9Sstevel@tonic-gate
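/*
 * Run the parser once over whatever is left on fp.
 *
 * Records the device descriptor, the ioctl handlers and the add callback in
 * the file-level variables the grammar actions use. iocfuncs must hold at
 * least IPL_LOGMAX + 1 entries, because indices 0..IPL_LOGMAX are copied.
 *
 * Returns 0 when there is no more input or the probe character cannot be
 * pushed back, and 1 after yyparse() has run. The yyparse() result is
 * discarded, so 1 does not mean the input was accepted.
 */
int ipf_parsesome(fd, addfunc, iocfuncs, fp)
int fd;
addfunc_t addfunc;
ioctlfunc_t *iocfuncs;
FILE *fp;
{
	char *s;
	int i;

	ipffd = fd;
	for (i = 0; i <= IPL_LOGMAX; i++)
		ipfioctl[i] = iocfuncs[i];
	ipfaddfunc = addfunc;

	/* Probe for end of input by reading one character and pushing it back. */
	if (feof(fp))
		return 0;
	i = fgetc(fp);
	if (i == EOF)
		return 0;
	/*
	 * ungetc() returns the pushed-back character on success and EOF on
	 * failure, so the failure test is against EOF. Comparing with 0 would
	 * miss a real failure and would stop on a NUL byte instead.
	 */
	if (ungetc(i, fp) == EOF)
		return 0;
	if (feof(fp))
		return 0;

	/* The debug level comes from the environment; atoi() yields 0 for text. */
	s = getenv("YYDEBUG");
	if (s != NULL)
		yydebug = atoi(s);
	else
		yydebug = 0;

	yyin = fp;
	yyparse();
	return 1;
}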
18627c478bd9Sstevel@tonic-gate
18637c478bd9Sstevel@tonic-gate
/*
 * Allocate a zeroed rule, append it to the list headed by frtop and make it
 * both the current rule (fr) and the head of the current chain (frc).
 * The new rule starts with log level 0xffff, fr_isc set to (void *)-1, no log
 * tag, type FR_T_NONE, and version 6 or 4 depending on use_inet6. nrules is
 * reset to 1.
 * NOTE(review): after a failed calloc() the code carries on and writes
 * through the NULL pointer unless yyerror() does not return - confirm.
 */
static void newrule()
{
	frentry_t *frn;
	frentry_t *tail;

	frn = (frentry_t *)calloc(1, sizeof(*frn));
	if (frn == NULL)
		yyerror("sorry, out of memory");

	/* Find the last rule already on the list, if there is one. */
	tail = frtop;
	while (tail != NULL && tail->fr_next != NULL)
		tail = tail->fr_next;

	if (tail != NULL)
		tail->fr_next = frn;
	if (frtop == NULL)
		frtop = frn;

	fr = frn;
	frc = frn;

	fr->fr_loglevel = 0xffff;
	fr->fr_isc = (void *)-1;
	fr->fr_logtag = FR_NOLOGTAG;
	fr->fr_type = FR_T_NONE;
	fr->fr_v = (use_inet6 != 0) ? 6 : 4;

	nrules = 1;
}
18907c478bd9Sstevel@tonic-gate
18917c478bd9Sstevel@tonic-gate
/*
 * Mark every rule from frc onwards that has no type yet as an IPF rule and
 * give it a zeroed fripf_t as its rule data. Rules that already carry a
 * type other than FR_T_IPF only produce a diagnostic on stderr.
 * On return the global fr is NULL (the walk runs off the end of the list).
 *
 * NOTE(review): fr->fr_ipf is written right after the allocation check, so
 * this relies on yyerror() not returning on failure - confirm.
 */
static void setipftype()
{
	fr = frc;
	while (fr != NULL) {
		if (fr->fr_type == FR_T_NONE) {
			fr->fr_type = FR_T_IPF;
			fr->fr_data = (void *)calloc(1, sizeof(fripf_t));
			if (fr->fr_data == NULL)
				yyerror("sorry, out of memory");
			fr->fr_dsize = sizeof(fripf_t);
			/* the version always comes from the head rule frc */
			fr->fr_ip.fi_v = frc->fr_v;
			fr->fr_mip.fi_v = 0xf;
			fr->fr_ipf->fri_sifpidx = -1;
			fr->fr_ipf->fri_difpidx = -1;
		} else if (fr->fr_type != FR_T_IPF) {
			fprintf(stderr, "IPF Type not set\n");
		}
		fr = fr->fr_next;
	}
}
19117c478bd9Sstevel@tonic-gate
19127c478bd9Sstevel@tonic-gate
/*
 * Append copies of the current rule(s) to the end of the list that starts
 * at frc and return the first newly added entry.
 *
 * With nrules == 0 a single copy of the last entry is appended. Otherwise
 * the first nrules entries starting at frc are each copied and appended in
 * order. Every copy gets its own fr_caddr buffer of fr_dsize bytes when the
 * source entry has one, and `added` is bumped once per copy.
 *
 * NOTE(review): frc is dereferenced without a NULL check, and each new
 * entry is used right after its allocation check, which relies on
 * yyerror() not returning - confirm both against the callers/lexer.
 */
static frentry_t *addrule()
{
	frentry_t *dup, *src, *tail;
	int remaining;

	/* Find the last entry of the current list. */
	tail = frc;
	while (tail->fr_next != NULL)
		tail = tail->fr_next;

	remaining = nrules;
	if (remaining == 0) {
		dup = (frentry_t *)calloc(1, sizeof(*dup));
		if (dup == NULL)
			yyerror("sorry, out of memory");
		added++;
		tail->fr_next = dup;
		bcopy(tail, dup, sizeof(*dup));
		if (tail->fr_caddr != NULL) {
			/* the struct copy shared the buffer; give the copy its own */
			dup->fr_caddr = malloc(dup->fr_dsize);
			if (dup->fr_caddr == NULL)
				yyerror("sorry, out of memory");
			bcopy(tail->fr_caddr, dup->fr_caddr, dup->fr_dsize);
		}
		dup->fr_next = NULL;
		return dup;
	}

	dup = tail;
	src = frc;
	while (remaining > 0) {
		dup->fr_next = (frentry_t *)calloc(1, sizeof(*dup));
		if (dup->fr_next == NULL)
			yyerror("sorry, out of memory");
		added++;
		dup = dup->fr_next;
		bcopy(src, dup, sizeof(*dup));
		dup->fr_next = NULL;
		if (dup->fr_caddr != NULL) {
			dup->fr_caddr = malloc(dup->fr_dsize);
			if (dup->fr_caddr == NULL)
				yyerror("sorry, out of memory");
			bcopy(src->fr_caddr, dup->fr_caddr, dup->fr_dsize);
		}
		remaining--;
		src = src->fr_next;
	}

	return tail->fr_next;
}
19577c478bd9Sstevel@tonic-gate
19587c478bd9Sstevel@tonic-gate
/*
 * Resolve `name` for use as a rule address.
 *
 * The hashed/pooled/dynamic lookup state is reset first. If `name` equals
 * one of the four interface names recorded in frc, the address is treated
 * as dynamic: ifpflag is set to FRI_DYNAMIC, `dynamic` records the matching
 * slot and 0 is returned without touching *addr. Otherwise gethost() is
 * asked to fill *addr (honouring use_inet6).
 *
 * Returns 1 when gethost() succeeded, 0 otherwise. A return of 0 therefore
 * covers both "interface name matched" and "name could not be resolved";
 * the two cases differ only in the value left in `dynamic`.
 */
static u_32_t lookuphost(name, addr)
char *name;
i6addr_t *addr;
{
	int slot;

	hashed = 0;
	pooled = 0;
	dynamic = -1;

	for (slot = 0; slot < 4; slot++) {
		if (strncmp(name, frc->fr_ifnames[slot],
		    sizeof(frc->fr_ifnames[slot])) != 0)
			continue;
		ifpflag = FRI_DYNAMIC;
		dynamic = slot;
		return 0;
	}

	if (gethost(name, addr, use_inet6) != -1)
		return 1;

	fprintf(stderr, "unknown name \"%s\"\n", name);
	return 0;
}
19847c478bd9Sstevel@tonic-gate
19857c478bd9Sstevel@tonic-gate
/*
 * Attach a BPF program to the rules starting at frc.
 *
 * Each rule must still be untyped (FR_T_NONE); it is given IP version `v`
 * and type FR_T_BPFOPC. Two input forms are handled:
 *
 *  - a quoted list of numbers (phrase starts with `"0`): the numbers are
 *    read four at a time into fakebpf_t records (fb_c, fb_t, fb_f, fb_k)
 *    and stored as the rule data. The function returns as soon as the
 *    first rule has been filled in this way.
 *  - anything else: with IPFILTER_BPF the phrase is compiled by
 *    pcap_compile(), copied into the rule and checked with bpf_validate();
 *    without IPFILTER_BPF the program prints a message and exits.
 *
 * NOTE(review): the prefix test compares only 2 characters of the
 * 3-character literal "\"0x" - confirm whether 3 was intended.
 * NOTE(review): tokens go through strtol() with no end-pointer or range
 * check, so malformed numbers are accepted silently as whatever strtol()
 * returns; the resulting opcodes are only as trustworthy as the rule file.
 * NOTE(review): realloc() overwrites the only pointer to the buffer, and
 * the buffer is used right after the check; both rely on yyerror() not
 * returning - confirm.
 */
static void dobpf(v, phrase)
int v;
char *phrase;
{
#ifdef IPFILTER_BPF
	struct bpf_program bpf;
	struct pcap *p;
#endif
	fakebpf_t *insns;
	u_32_t word;
	char *tok;
	int ntok;

	for (fr = frc; fr != NULL; fr = fr->fr_next) {
		if (fr->fr_type != FR_T_NONE) {
			fprintf(stderr, "cannot mix IPF and BPF matching\n");
			return;
		}
		fr->fr_v = v;
		fr->fr_type = FR_T_BPFOPC;

		if (strncmp(phrase, "\"0x", 2) == 0) {
			/* skip the opening quote */
			phrase++;
			insns = malloc(sizeof(fakebpf_t));
			if (insns == NULL)
				yyerror("sorry, out of memory");

			ntok = 0;
			tok = strtok(phrase, " \r\n\t");
			while (tok != NULL) {
				/* room for the record this token belongs to */
				insns = realloc(insns,
				    (ntok / 4 + 1) * sizeof(*insns));
				if (insns == NULL)
					yyerror("sorry, out of memory");
				word = (u_32_t)strtol(tok, NULL, 0);
				switch (ntok & 3)
				{
				case 0 :
					insns[ntok / 4].fb_c = word & 0xffff;
					break;
				case 1 :
					insns[ntok / 4].fb_t = word & 0xff;
					break;
				case 2 :
					insns[ntok / 4].fb_f = word & 0xff;
					break;
				case 3 :
					insns[ntok / 4].fb_k = word;
					break;
				}
				tok = strtok(NULL, " \r\n\t");
				ntok++;
			}
			/* a record is only complete with all four fields */
			if ((ntok & 3) != 0) {
				fprintf(stderr,
					"Odd number of bytes in BPF code\n");
				exit(1);
			}
			fr->fr_dsize = ((ntok - 1) / 4 + 1) * sizeof(*insns);
			fr->fr_data = insns;
			return;
		}

#ifdef IPFILTER_BPF
		bzero((char *)&bpf, sizeof(bpf));
		p = pcap_open_dead(DLT_RAW, 1);
		if (!p) {
			fprintf(stderr, "pcap_open_dead failed\n");
			return;
		}

		if (pcap_compile(p, &bpf, phrase, 1, 0xffffffff)) {
			pcap_perror(p, "ipf");
			pcap_close(p);
			fprintf(stderr, "pcap parsing failed (%s)\n", phrase);
			return;
		}
		pcap_close(p);

		/* keep a private copy of the compiled instructions */
		fr->fr_dsize = bpf.bf_len * sizeof(struct bpf_insn);
		fr->fr_data = malloc(fr->fr_dsize);
		if (fr->fr_data == NULL)
			yyerror("sorry, out of memory");
		bcopy((char *)bpf.bf_insns, fr->fr_data, fr->fr_dsize);
		if (!bpf_validate(fr->fr_data, bpf.bf_len)) {
			fprintf(stderr, "BPF validation failed\n");
			return;
		}
#endif
	}

#ifdef IPFILTER_BPF
	if (opts & OPT_DEBUG)
		bpf_dump(&bpf, 0);
#else
	fprintf(stderr, "BPF filter expressions not supported\n");
	exit(1);
#endif
}
20827c478bd9Sstevel@tonic-gate
20837c478bd9Sstevel@tonic-gate
/*
 * Put the address-lookup state back to its idle values: no dynamic
 * interface slot selected (-1), and the hashed and pooled flags cleared.
 * These are the same values lookuphost() sets on entry.
 */
static void resetaddr()
{
	dynamic = -1;
	pooled = 0;
	hashed = 0;
}
20907c478bd9Sstevel@tonic-gate
20917c478bd9Sstevel@tonic-gate
/*
 * Allocate a new address-list element and link it in front of `ptr`.
 *
 * Only al_not (cleared) and al_next (set to `ptr`) are initialised; the
 * remaining fields are left as returned by malloc() and must be filled in
 * by the caller before they are read.
 *
 * Returns the new element, or NULL if the allocation failed.
 */
static alist_t *newalist(ptr)
alist_t *ptr;
{
	alist_t *elem = malloc(sizeof(*elem));

	if (elem != NULL) {
		elem->al_not = 0;
		elem->al_next = ptr;
	}
	return elem;
}
21047c478bd9Sstevel@tonic-gate
21057c478bd9Sstevel@tonic-gate
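/*
 * Turn an address list into a temporary chain of ip_pool_node_t entries,
 * load it as a pool on unit IPL_LOGIPF through the IPL_LOGLOOKUP ioctl
 * handler, and free the temporary chain again.
 *
 * Each node takes its address family, address, mask and negation flag
 * (al_not, stored in ipn_info) from the matching list element.
 *
 * Returns whatever load_pool() returned, or 0 when `list` is NULL or the
 * first node cannot be allocated.
 */
static int makepool(list)
alist_t *list;
{
	ip_pool_node_t *n, *top;
	ip_pool_t pool;
	alist_t *a;
	int num;

	if (list == NULL)
		return 0;
	top = calloc(1, sizeof(*top));
	if (top == NULL)
		return 0;

	for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) {
		n->ipn_addr.adf_family = a->al_family;
		n->ipn_mask.adf_family = a->al_family;
		/*
		 * bcopy() has no result to convert, so it is called as a
		 * plain statement rather than through a (void *) cast.
		 */
		bcopy((void *)&a->al_i6addr,
		    (void *)&n->ipn_addr.adf_addr,
		    sizeof(n->ipn_addr.adf_addr));
		bcopy((void *)&a->al_i6mask,
		    (void *)&n->ipn_mask.adf_addr,
		    sizeof(n->ipn_mask.adf_addr));
		n->ipn_info = a->al_not;
		if (a->al_next != NULL) {
			n->ipn_next = calloc(1, sizeof(*n));
			if (n->ipn_next == NULL)
				yyerror("sorry, out of memory");
			/* n becomes NULL here if yyerror() returns, ending the loop */
			n = n->ipn_next;
		}
	}

	bzero((char *)&pool, sizeof(pool));
	pool.ipo_unit = IPL_LOGIPF;
	pool.ipo_list = top;
	num = load_pool(&pool, ipfioctl[IPL_LOGLOOKUP]);

	/* the chain was only needed for the load; release every node */
	while ((n = top) != NULL) {
		top = n->ipn_next;
		free(n);
	}
	return num;
}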
21497c478bd9Sstevel@tonic-gate
21507c478bd9Sstevel@tonic-gate
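/*
 * Turn an address list into a temporary chain of iphtent_t entries, load
 * it as an unnamed IPHASH_LOOKUP table on unit IPL_LOGIPF through the
 * IPL_LOGLOOKUP ioctl handler, and free the temporary chain again.
 *
 * Each entry takes its address family, address and mask from the matching
 * list element; ipe_value is set to 0.
 *
 * Returns the number parsed from iph_name after a successful load_hash(),
 * or 0 when `list` is NULL, the first entry cannot be allocated,
 * load_hash() fails, or iph_name does not hold a number.
 */
static u_int makehash(list)
alist_t *list;
{
	iphtent_t *n, *top;
	iphtable_t iph;
	alist_t *a;
	u_int num = 0;	/* unsigned to match both "%u" and the return type */

	if (list == NULL)
		return 0;
	top = calloc(1, sizeof(*top));
	if (top == NULL)
		return 0;

	for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) {
		n->ipe_family = a->al_family;
		/*
		 * bcopy() has no result to convert, so it is called as a
		 * plain statement rather than through a (void *) cast.
		 */
		bcopy((void *)&a->al_i6addr,
		    (void *)&n->ipe_addr,
		    sizeof(n->ipe_addr));
		bcopy((void *)&a->al_i6mask,
		    (void *)&n->ipe_mask,
		    sizeof(n->ipe_mask));
		n->ipe_value = 0;
		if (a->al_next != NULL) {
			n->ipe_next = calloc(1, sizeof(*n));
			if (n->ipe_next == NULL)
				yyerror("sorry, out of memory");
			/* n becomes NULL here if yyerror() returns, ending the loop */
			n = n->ipe_next;
		}
	}

	bzero((char *)&iph, sizeof(iph));
	iph.iph_unit = IPL_LOGIPF;
	iph.iph_type = IPHASH_LOOKUP;
	*iph.iph_name = '\0';

	if (load_hash(&iph, top, ipfioctl[IPL_LOGLOOKUP]) == 0) {
		/*
		 * Never hand back an indeterminate table number: if the name
		 * does not parse as a number, report 0 like the failure path.
		 */
		if (sscanf(iph.iph_name, "%u", &num) != 1)
			num = 0;
	}

	/* the chain was only needed for the load; release every entry */
	while ((n = top) != NULL) {
		top = n->ipe_next;
		free(n);
	}
	return num;
}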
21987c478bd9Sstevel@tonic-gate
21997c478bd9Sstevel@tonic-gate
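/*
 * Hand one parsed rule (`ptr`, a frentry_t) to the filter through
 * `ioctlfunc`, wrapped in an ipfobj_t of type IPFOBJ_FRENTRY.
 *
 * The global `opts` selects the operation:
 *  - OPT_ZERORULEST: issue SIOCZRLST and print the hit/byte counters and
 *    the rule on success;
 *  - OPT_REMOVE: issue the delete command for the active or (with
 *    OPT_INACTIVE) the inactive set;
 *  - otherwise: add the rule, or insert it when fr_hits is non-zero.
 * With OPT_DONOTHING the descriptor is replaced by -1, and ioctl failures
 * are not reported. A NULL `ptr` is ignored.
 *
 * fr_hits is decremented before the ioctl when it is non-zero, and
 * FR_OUTQUE is set in fr_flags when OPT_OUTQUE is given.
 */
void ipf_addrule(fd, ioctlfunc, ptr)
int fd;
ioctlfunc_t ioctlfunc;
void *ptr;
{
	ioctlcmd_t add, del;
	frentry_t *fr;
	ipfobj_t obj;

	fr = ptr;
	/* every path below reads the rule, so there is nothing to do without one */
	if (fr == NULL)
		return;
	add = 0;
	del = 0;

	bzero((char *)&obj, sizeof(obj));
	obj.ipfo_rev = IPFILTER_VERSION;
	obj.ipfo_size = sizeof(*fr);
	obj.ipfo_type = IPFOBJ_FRENTRY;
	obj.ipfo_ptr = ptr;

	if ((opts & OPT_DONOTHING) != 0)
		fd = -1;

	if (opts & OPT_ZERORULEST) {
		add = SIOCZRLST;
	} else if (opts & OPT_INACTIVE) {
		add = (u_int)fr->fr_hits ? SIOCINIFR :
					   SIOCADIFR;
		del = SIOCRMIFR;
	} else {
		add = (u_int)fr->fr_hits ? SIOCINAFR :
					   SIOCADAFR;
		del = SIOCRMAFR;
	}

	if (opts & OPT_OUTQUE)
		fr->fr_flags |= FR_OUTQUE;
	if (fr->fr_hits)
		fr->fr_hits--;
	if (opts & OPT_VERBOSE)
		printfr(fr, ioctlfunc);

	if (opts & OPT_DEBUG) {
		binprint(fr, sizeof(*fr));
		if (fr->fr_data != NULL)
			binprint(fr->fr_data, fr->fr_dsize);
	}

	if ((opts & OPT_ZERORULEST) != 0) {
		if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
			if ((opts & OPT_DONOTHING) == 0) {
				fprintf(stderr, "%d:", yylineNum);
				perror("ioctl(SIOCZRLST)");
			}
		} else {
#ifdef	USE_QUAD_T
			printf("hits %qd bytes %qd ",
				(long long)fr->fr_hits,
				(long long)fr->fr_bytes);
#else
			printf("hits %ld bytes %ld ",
				fr->fr_hits, fr->fr_bytes);
#endif
			printfr(fr, ioctlfunc);
		}
	} else if ((opts & OPT_REMOVE) != 0) {
		if ((*ioctlfunc)(fd, del, (void *)&obj) == -1) {
			/*
			 * Report a failed delete unless this is a dry run,
			 * the same way the zero and add paths do; otherwise
			 * a rule that could not be removed stays loaded
			 * without any message to the operator.
			 */
			if ((opts & OPT_DONOTHING) == 0) {
				fprintf(stderr, "%d:", yylineNum);
				perror("ioctl(delete rule)");
			}
		}
	} else {
		if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
			if ((opts & OPT_DONOTHING) == 0) {
				fprintf(stderr, "%d:", yylineNum);
				perror("ioctl(add/insert rule)");
			}
		}
	}
}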
22807c478bd9Sstevel@tonic-gate
/*
 * Switch the lexer to the `logwords` dictionary and turn on
 * yybreakondot. unsetsyslog() undoes both.
 */
static void setsyslog()
{
	yysetdict(logwords);
	yybreakondot = 1;
}
22867c478bd9Sstevel@tonic-gate
22877c478bd9Sstevel@tonic-gate
/*
 * Restore the lexer dictionary with yyresetdict() and turn
 * yybreakondot off again; the counterpart of setsyslog().
 */
static void unsetsyslog()
{
	yyresetdict();
	yybreakondot = 0;
}
22937c478bd9Sstevel@tonic-gate
22947c478bd9Sstevel@tonic-gate
/*
 * Let rule `fr` inherit parse-relevant fields from the head of its group.
 *
 * The list starting at frold is searched for a rule whose fr_grhead equals
 * fr->fr_group (compared over FR_GROUPLEN bytes). If one is found and both
 * rules are of type FR_T_IPF, then the IP version, the protocol and its
 * mask, and the FI_TCPUDP flag are copied into `fr` wherever `fr` has not
 * set them itself. Nothing is changed when no group head matches.
 */
static void fillgroup(fr)
frentry_t *fr;
{
	frentry_t *head;

	head = frold;
	while (head != NULL &&
	    strncmp(head->fr_grhead, fr->fr_group, FR_GROUPLEN) != 0)
		head = head->fr_next;
	if (head == NULL)
		return;

	/*
	 * Only copy down matching fields if the rules are of the same type
	 * and are of ipf type.  The only fields that are copied are those
	 * that impact the rule parsing itself, eg. need for knowing what the
	 * protocol should be for rules with port comparisons in them.
	 */
	if (head->fr_type != fr->fr_type || head->fr_type != FR_T_IPF)
		return;

	if (fr->fr_v == 0 && head->fr_v != 0)
		fr->fr_v = head->fr_v;

	if (fr->fr_mproto == 0 && head->fr_mproto != 0)
		fr->fr_mproto = head->fr_mproto;
	if (fr->fr_proto == 0 && head->fr_proto != 0)
		fr->fr_proto = head->fr_proto;

	/* inherit "tcp/udp" only when fr names no protocol of its own */
	if ((fr->fr_mproto == 0) && ((fr->fr_flx & FI_TCPUDP) == 0) &&
	    ((head->fr_flx & FI_TCPUDP) != 0))
		fr->fr_flx |= FI_TCPUDP;
}