%{
/*
 * Copyright (C) 2003 by Darren Reed.
 *
 * See the IPFILTER.LICENCE file for details on licencing.
 *
 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

/*
 * yacc grammar for ipf filter rules.  The actions fill in frentry_t
 * records through the global "fr"; the "line" rule passes each finished
 * record to ipfaddfunc.
 */

#include "ipf.h"
#include <sys/ioctl.h>
#include <syslog.h>
#ifdef IPFILTER_BPF
# include "pcap-bpf.h"
# define _NET_BPF_H_
# include <pcap.h>
#endif
#include "netinet/ip_pool.h"
#include "netinet/ip_htable.h"
#include "netinet/ipl.h"
#include "ipf_l.h"

#define	YYDEBUG	1
/* Run x on every rule of the chain headed by frc; fr is NULL afterwards. */
#define	DOALL(x)	for (fr = frc; fr != NULL; fr = fr->fr_next) { x }
/* Run x on every rule from the current fr to the end of the chain. */
#define	DOREM(x)	for (; fr != NULL; fr = fr->fr_next) { x }

/*
 * Bits kept in ruleopts while one rule is parsed, so that the inopt and
 * outopt rules can report an option that is given twice.
 */
#define OPTION_LOG              0x1
#define OPTION_QUICK            0x2
#define OPTION_DUP              0x4
#define OPTION_PROUTE           0x8
#define OPTION_ON               0x10
#define OPTION_REPLYTO          0x20
#define OPTION_FROUTE           0x40

extern	void	yyerror __P((char *));
extern	int	yyparse __P((void));
extern	int	yylex __P((void));
extern	int	yydebug;
extern	FILE	*yyin;
extern	int	yylineNum;

static	void	newrule __P((void));
static	void	setipftype __P((void));
static	u_32_t	lookuphost __P((char *, i6addr_t *));
static	void	dobpf __P((int, char *));
static	void	resetaddr __P((void));
static	struct	alist_s	*newalist __P((struct alist_s *));
static	u_int	makehash __P((struct alist_s *));
static	int	makepool __P((struct alist_s *));
static	frentry_t *addrule __P((void));
static	void	setsyslog __P((void));
static	void	unsetsyslog __P((void));
static	void	fillgroup __P((frentry_t *));

/*
 * fr    - rule the actions write to; also the cursor of DOALL/DOREM
 * frc   - head of the chain that DOALL walks
 * frtop - rules waiting to be passed to ipfaddfunc (drained by "line")
 * frold - rules already passed to ipfaddfunc
 */
frentry_t	*fr = NULL, *frc = NULL, *frtop = NULL, *frold = NULL;

static	int	ifpflag = 0;
static	int	nowith = 0;
static	int	dynamic = -1;
static	int	pooled = 0;
static	int	hashed = 0;
static	int	nrules = 0;	/* lend adds "added" to this */
static	int	newlist = 0;	/* set to 1 by lstart, cleared by lmore */
static	int	added = 0;	/* reset to 0 by lstart */
static	int	ipffd = -1;	/* descriptor given to ipfaddfunc and ioctl() */
static	int	ruleopts = 0;	/* OPTION_* bits seen in the current rule */
static	int	*yycont = 0;	/* when non-NULL, lmore stores 1 through it */
static	ioctlfunc_t	ipfioctl[IPL_LOGSIZE];
/*
 * NOTE(review): starts out NULL and the "line" rule calls through it
 * without a check; presumably assigned before yyparse() runs - confirm.
 */
static	addfunc_t	ipfaddfunc = NULL;
/* Keyword tables; only their sizes are declared in this part of the file. */
static	struct	wordtab ipfwords[96];
static	struct	wordtab	addrwords[4];
static	struct	wordtab	maskwords[5];
static	struct	wordtab icmpcodewords[17];
static	struct	wordtab icmptypewords[16];
static	struct	wordtab ipv4optwords[25];
static	struct	wordtab ipv4secwords[9];
static	struct	wordtab ipv6optwords[8];
static	struct	wordtab logwords[33];
static	int		set_ipv6_addr = 0;

%}
/* Semantic value types; the <tag> names below refer to these members. */
%union	{
	char	*str;		/* YY_STR and the name-like nonterminals; freed by the actions */
	u_32_t	num;		/* YY_NUMBER, YY_HEX and the numeric nonterminals */
	struct	in_addr	ipa;
	frentry_t	fr;
	frtuc_t	*frt;
	struct	alist_s	*alist;
	u_short	port;
	struct	{
		u_short	p1;
		u_short	p2;
		int	pc;
	} pc;
	struct	{
		union	i6addr	a;
		union	i6addr	m;
	} ipp;
	union	i6addr	ip6;	/* YY_IPV6, hostname and mask */
};

%type	<port>	portnum
%type	<num>	facility priority icmpcode seclevel secname icmptype
%type	<num>	opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr
%type	<num>	portc porteq
%type	<ipa>	ipv4 ipv4_16 ipv4_24
%type	<ip6>	hostname mask
%type	<ipp>	addr ipaddr
%type	<str>	servicename name interfacename
%type	<pc>	portrange portcomp
%type	<alist>	addrlist poollist

/*
 * Token declarations.  Keep their order: yacc numbers tokens in
 * declaration order.
 */
%token	<num>	YY_NUMBER YY_HEX
%token	<str>	YY_STR
%token		YY_COMMENT
%token		YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
%token		YY_RANGE_OUT YY_RANGE_IN
%token	<ip6>	YY_IPV6

%token	IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL
%token	IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST
%token	IPFY_IN IPFY_OUT
%token	IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA
%token	IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO IPFY_ROUTETO
%token	IPFY_TOS IPFY_TTL IPFY_PROTO
%token	IPFY_HEAD IPFY_GROUP
%token	IPFY_AUTH IPFY_PREAUTH
%token	IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK
%token	IPFY_LOGTAG IPFY_MATCHTAG IPFY_SETTAG IPFY_SKIP
%token	IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPFV4 IPFY_BPFV6 IPFY_POOL IPFY_HASH
%token	IPFY_PPS
%token	IPFY_ESP IPFY_AH
%token	IPFY_WITH IPFY_AND IPFY_NOT IPFY_NO IPFY_OPT
%token	IPFY_TCPUDP IPFY_TCP IPFY_UDP
%token	IPFY_FLAGS IPFY_MULTICAST
%token	IPFY_MASK IPFY_BROADCAST IPFY_NETWORK IPFY_NETMASKED IPFY_PEER
%token	IPFY_PORT
%token	IPFY_NOW
%token	IPFY_ICMP IPFY_ICMPTYPE IPFY_ICMPCODE
%token	IPFY_IPOPTS IPFY_SHORT IPFY_NAT IPFY_BADSRC IPFY_LOWTTL IPFY_FRAG
%token	IPFY_MBCAST IPFY_BAD IPFY_BADNAT IPFY_OOW IPFY_NEWISN IPFY_NOICMPERR
%token	IPFY_KEEP IPFY_STATE IPFY_FRAGS IPFY_LIMIT IPFY_STRICT IPFY_AGE
%token	IPFY_SYNC IPFY_FRAGBODY
%token	IPFY_IPOPT_NOP IPFY_IPOPT_RR IPFY_IPOPT_ZSU IPFY_IPOPT_MTUP
%token	IPFY_IPOPT_MTUR IPFY_IPOPT_ENCODE IPFY_IPOPT_TS IPFY_IPOPT_TR
%token	IPFY_IPOPT_SEC IPFY_IPOPT_LSRR IPFY_IPOPT_ESEC IPFY_IPOPT_CIPSO
%token	IPFY_IPOPT_SATID IPFY_IPOPT_SSRR IPFY_IPOPT_ADDEXT IPFY_IPOPT_VISA
%token	IPFY_IPOPT_IMITD IPFY_IPOPT_EIP IPFY_IPOPT_FINN IPFY_IPOPT_DPS
%token	IPFY_IPOPT_SDB IPFY_IPOPT_NSAPA IPFY_IPOPT_RTRALRT IPFY_IPOPT_UMP
%token	IPFY_SECCLASS IPFY_SEC_UNC IPFY_SEC_CONF IPFY_SEC_RSV1 IPFY_SEC_RSV2
%token	IPFY_SEC_RSV4 IPFY_SEC_SEC IPFY_SEC_TS IPFY_SEC_RSV3

%token	IPF6_V6HDRS IPFY_IPV6OPT IPFY_IPV6OPT_DSTOPTS IPFY_IPV6OPT_HOPOPTS
%token	IPFY_IPV6OPT_IPV6 IPFY_IPV6OPT_NONE IPFY_IPV6OPT_ROUTING

%token	IPFY_ICMPT_UNR IPFY_ICMPT_ECHO IPFY_ICMPT_ECHOR IPFY_ICMPT_SQUENCH
%token	IPFY_ICMPT_REDIR IPFY_ICMPT_TIMEX IPFY_ICMPT_PARAMP IPFY_ICMPT_TIMEST
%token	IPFY_ICMPT_TIMESTREP IPFY_ICMPT_INFOREQ IPFY_ICMPT_INFOREP
%token	IPFY_ICMPT_MASKREQ IPFY_ICMPT_MASKREP IPFY_ICMPT_ROUTERAD
%token	IPFY_ICMPT_ROUTERSOL

%token	IPFY_ICMPC_NETUNR IPFY_ICMPC_HSTUNR IPFY_ICMPC_PROUNR IPFY_ICMPC_PORUNR
%token	IPFY_ICMPC_NEEDF IPFY_ICMPC_SRCFAIL IPFY_ICMPC_NETUNK IPFY_ICMPC_HSTUNK
%token	IPFY_ICMPC_ISOLATE IPFY_ICMPC_NETPRO IPFY_ICMPC_HSTPRO
%token	IPFY_ICMPC_NETTOS IPFY_ICMPC_HSTTOS IPFY_ICMPC_FLTPRO IPFY_ICMPC_HSTPRE
%token	IPFY_ICMPC_CUTPRE

/*
 * IPFY_FAC_* and IPFY_PRI_*: presumably the syslog facility and priority
 * keywords behind the "facility" and "priority" nonterminals - confirm
 * against the rules that use them.
 */
%token	IPFY_FAC_KERN IPFY_FAC_USER IPFY_FAC_MAIL IPFY_FAC_DAEMON IPFY_FAC_AUTH
%token	IPFY_FAC_SYSLOG IPFY_FAC_LPR IPFY_FAC_NEWS IPFY_FAC_UUCP IPFY_FAC_CRON
%token	IPFY_FAC_LOCAL0 IPFY_FAC_LOCAL1 IPFY_FAC_LOCAL2 IPFY_FAC_LOCAL3
%token	IPFY_FAC_LOCAL4 IPFY_FAC_LOCAL5 IPFY_FAC_LOCAL6 IPFY_FAC_LOCAL7
%token	IPFY_FAC_SECURITY IPFY_FAC_FTP IPFY_FAC_AUTHPRIV IPFY_FAC_AUDIT
%token	IPFY_FAC_LFMT IPFY_FAC_CONSOLE

%token	IPFY_PRI_EMERG IPFY_PRI_ALERT IPFY_PRI_CRIT IPFY_PRI_ERR IPFY_PRI_WARN
%token	IPFY_PRI_NOTICE IPFY_PRI_INFO IPFY_PRI_DEBUG
%token	IPFY_SET_LOOPBACK IPFY_SET
%%
/* Start symbol: a sequence of rule lines and variable assignments. */
file:	line
	| assign
	| file line
	| file assign
	;

/*
 * One input line.  For a rule, every entry queued on frtop is detached,
 * passed to ipfaddfunc together with ipffd and the IPL_LOGIPF ioctl
 * function, and then pushed onto frold; the lexer is reset afterwards.
 */
line:	xx rule		{ while ((fr = frtop) != NULL) {
				frtop = fr->fr_next;
				fr->fr_next = NULL;
				(*ipfaddfunc)(ipffd, ipfioctl[IPL_LOGIPF], fr);
				fr->fr_next = frold;
				frold = fr;
			  }
			  resetlexer();
			}
	| YY_COMMENT
	| set
	;

/* Empty rule whose action runs newrule() before the rule text is parsed. */
xx:	{ newrule(); }
	;

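/*
 * name = value ;  Stores the variable with set_variable() and releases
 * both strings, which the actions in this grammar own.
 */
assign:	YY_STR assigning YY_STR ';'	{ set_variable($1, $3);
					  resetlexer();
					  free($1);
					  free($3);
					  yyvarnext = 0;
					}
	;

/* Sets yyvarnext while the right-hand side of an assignment is read. */
assigning:
	'='				{ yyvarnext = 1; }
	;

/*
 * set <IPFY_SET_LOOPBACK keyword> true|false ;
 * Only accepted before any rule has been loaded (frold still NULL).
 * Unless OPT_DONOTHING is set, the value is sent with the SIOCIPFLP
 * ioctl; a failing ioctl is reported with perror() and parsing goes on.
 *
 * The "return 0" statements leave the generated parser function with
 * the value a successful parse returns, assuming yyerror() (defined
 * elsewhere) returns at all - NOTE(review): confirm that callers do not
 * rely on the return value to detect these two errors.
 */
set:
	IPFY_SET IPFY_SET_LOOPBACK YY_STR ';'
	{
		int data;
		if (frold != NULL) {
			yyerror("ipf rules before \"set\"");
			/* $3 is owned by this action, as in "assign" */
			free($3);
			return 0;
		}
		if (!strcmp($3, "true"))
			data = 1;
		else if (!strcmp($3, "false"))
			data = 0;
		else {
			yyerror("invalid argument for ipf_loopback");
			free($3);
			return 0;
		}
		/* the string is not needed once it has been decoded */
		free($3);
		if (((opts & OPT_DONOTHING) == 0) &&
		    (ioctl(ipffd, SIOCIPFLP, &data) == -1))
			perror("ioctl(SIOCIPFLP)");
	}
	;

/* A filter rule is an inbound or an outbound rule, optionally ended by ';'. */
rule:	inrule eol
	| outrule eol
	;

eol:	| ';'
	;

/* ruleopts is cleared after the direction keyword, before options are read. */
inrule:
	rulehead markin { ruleopts = 0; } inopts rulemain ruletail intag ruletail2
	;

outrule:
	rulehead markout { ruleopts = 0; } outopts rulemain ruletail outtag ruletail2
	;

rulehead:
	collection action
	| insert collection action
	;

markin:	IPFY_IN				{ fr->fr_flags |= FR_INQUE; }
	;

markout:
	IPFY_OUT			{ fr->fr_flags |= FR_OUTQUE; }
	;

rulemain:
	ipfrule
	| bpfrule
	;

ipfrule:
	tos ttl proto ip
	;

/* BPF expression given as a string; dobpf() gets the IP version (4 or 6). */
bpfrule:
	IPFY_BPFV4 '{' YY_STR '}' 	{ dobpf(4, $3); free($3); }
	| IPFY_BPFV6 '{' YY_STR '}' 	{ dobpf(6, $3); free($3); }
	;

ruletail:
	with keep head group
	;

ruletail2:
	pps age new
	;

intag:	settagin matchtagin
	;

outtag:	settagout matchtagout
	;

/* "@N": the number plus one is stored in fr_hits. */
insert:
	'@' YY_NUMBER			{ fr->fr_hits = (U_QUAD_T)$2 + 1; }
	;

collection:
	| YY_NUMBER			{ fr->fr_collect = $1; }
	;

action:	block
	| IPFY_PASS			{ fr->fr_flags |= FR_PASS; }
	| log
	| IPFY_COUNT			{ fr->fr_flags |= FR_ACCOUNT; }
	| auth
	| IPFY_SKIP YY_NUMBER		{ fr->fr_flags |= FR_SKIP;
					  fr->fr_arg = $2; }
	| IPFY_CALL func
	| IPFY_CALL IPFY_NOW func	{ fr->fr_flags |= FR_CALLNOW; }
	;

block:	blocked
	| blocked blockreturn
	;

/* Note the plain assignment: any flag bits set earlier are overwritten. */
blocked:
	IPFY_BLOCK			{ fr->fr_flags = FR_BLOCK; }
	;
blockreturn:
	IPFY_RETICMP			{ fr->fr_flags |= FR_RETICMP; }
	| IPFY_RETICMP returncode	{ fr->fr_flags |= FR_RETICMP; }
	| IPFY_RETICMPASDST		{ fr->fr_flags |= FR_FAKEICMP; }
	| IPFY_RETICMPASDST returncode	{ fr->fr_flags |= FR_FAKEICMP; }
	| IPFY_RETRST			{ fr->fr_flags |= FR_RETRST; }
	;

log:	IPFY_LOG			{ fr->fr_flags |= FR_LOG; }
	| IPFY_LOG logoptions		{ fr->fr_flags |= FR_LOG; }
	;

auth:	IPFY_AUTH			{ fr->fr_flags |= FR_AUTH; }
	| IPFY_AUTH IPFY_RETRST		{ fr->fr_flags |= (FR_AUTH|FR_RETRST);}
	| IPFY_PREAUTH			{ fr->fr_flags |= FR_PREAUTH; }
	;

/*
 * name/number: the name is translated by nametokva() and the number is
 * stored as the argument.
 * NOTE(review): the result of nametokva() is stored unchecked; what it
 * returns for an unknown name is not visible here - confirm.
 */
func:	YY_STR '/' YY_NUMBER	{ fr->fr_func = nametokva($1,
							  ipfioctl[IPL_LOGIPF]);
				  fr->fr_arg = $3;
				  free($1); }
	;

inopts:
	| inopts inopt
	;

/*
 * Options of an inbound rule.  Each action reports a repeated option
 * through yyerror() and then records the option's bit in ruleopts.
 */
inopt:
	logopt
	{
		if ( ruleopts & OPTION_LOG )
			yyerror("Duplicate log option");
		ruleopts |= OPTION_LOG;
	}
	| quick
	{
		if ( ruleopts & OPTION_QUICK )
			yyerror("Duplicate quick option");
		ruleopts |= OPTION_QUICK;
	}
	| on
	{
		if ( ruleopts & OPTION_ON )
			yyerror("Duplicate on option");
		ruleopts |= OPTION_ON;
	}
	| dup
	{
		if ( ruleopts & OPTION_DUP )
			yyerror("Duplicate dup option");
		ruleopts |= OPTION_DUP;
	}
	| froute
	{
		if ( ruleopts & OPTION_FROUTE )
			yyerror("Duplicate froute option");
		ruleopts |= OPTION_FROUTE;
	}
	| proute
	{
		if ( ruleopts & OPTION_PROUTE )
			yyerror("Duplicate proute option");
		ruleopts |= OPTION_PROUTE;
	}
	| replyto
	{
		if ( ruleopts & OPTION_REPLYTO )
			yyerror("Duplicate replyto option");
		ruleopts |= OPTION_REPLYTO;
	}
	;

outopts:
	| outopts outopt
	;

/* Options of an outbound rule: as inopt, but without froute. */
outopt:
	logopt
	{
		if ( ruleopts & OPTION_LOG )
			yyerror("Duplicate log option");
		ruleopts |= OPTION_LOG;
	}
	| quick
	{
		if ( ruleopts & OPTION_QUICK )
			yyerror("Duplicate quick option");
		ruleopts |= OPTION_QUICK;
	}
	| on
	{
		if ( ruleopts & OPTION_ON )
			yyerror("Duplicate on option");
		ruleopts |= OPTION_ON;
	}
	| dup
	{
		if ( ruleopts & OPTION_DUP )
			yyerror("Duplicate dup option");
		ruleopts |= OPTION_DUP;
	}
	| proute
	{
		if ( ruleopts & OPTION_PROUTE )
			yyerror("Duplicate proute option");
		ruleopts |= OPTION_PROUTE;
	}
	| replyto
	{
		if ( ruleopts & OPTION_REPLYTO )
			yyerror("Duplicate replyto option");
		ruleopts |= OPTION_REPLYTO;
	}
	;

/* TOS match: a single value sets every rule on the frc chain, mask 0xff. */
tos:	| settos YY_NUMBER	{ DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
	| settos YY_HEX	{ DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
	| settos lstart toslist lend
	;

settos:	IPFY_TOS	{ setipftype(); }
	;

/*
 * Values inside "( ... )".  lstart has set fr to frc, so DOALL and DOREM
 * cover the same rules for the first element; later elements start from
 * the rule that lmore obtained from addrule().
 */
toslist:
	YY_NUMBER	{ DOALL(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
	| YY_HEX	{ DOREM(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
	| toslist lmore YY_NUMBER
			{ DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
	| toslist lmore YY_HEX
			{ DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
	;

/* TTL match, same shape as tos. */
ttl:	| setttl YY_NUMBER
			{ DOALL(fr->fr_ttl = $2; fr->fr_mttl = 0xff;) }
	| setttl lstart ttllist lend
	;

/* Start of a value list: rewind fr to the chain head and reset "added". */
lstart:	'('	{ newlist = 1; fr = frc; added = 0; }
	;

lend:	')'	{ nrules += added; }
	;

/*
 * Separator between list elements: fr becomes the rule returned by
 * addrule(), and 1 is stored through yycont when it is set.
 */
lmore:	lanother	{ if (newlist == 1) {
				newlist = 0;
			  }
			  fr = addrule();
			  if (yycont != NULL)
				*yycont = 1;
			}
	;

/* The comma between list elements is optional. */
lanother:
	| ','
	;

setttl:	IPFY_TTL	{ setipftype(); }
	;

ttllist:
	YY_NUMBER	{ DOREM(fr->fr_ttl = $1; fr->fr_mttl = 0xff;) }
	| ttllist lmore YY_NUMBER
			{ DOREM(fr->fr_ttl = $3; fr->fr_mttl = 0xff;) }
	;

proto:	| protox protocol		{ yyresetdict(); }
	;

/* "proto": rewind fr to the chain head and switch the lexer dictionary off. */
protox:	IPFY_PROTO			{ setipftype();
					  fr = frc;
					  yysetdict(NULL); }
	;

ip:	srcdst flags icmp
	;

/*
 * Group membership, by name or by number, applied to every rule on the
 * frc chain.
 * NOTE(review): strncpy() with FR_GROUPLEN leaves fr_group without a
 * terminating NUL when the name is FR_GROUPLEN bytes or longer; confirm
 * that fillgroup() and the consumers of the rule treat the field as
 * fixed-width.  The numeric form prints a u_32_t with "%d" through an
 * unbounded sprintf(); confirm the field holds at least 12 bytes.
 */
group:	| IPFY_GROUP YY_STR		{ DOALL(strncpy(fr->fr_group, $2, \
							FR_GROUPLEN); \
							fillgroup(fr););
					  free($2); }
	| IPFY_GROUP YY_NUMBER		{ DOALL(sprintf(fr->fr_group, "%d", \
							$2); \
							fillgroup(fr);) }
	;

/*
 * Group head, by name or by number; the same NOTE(review) points as for
 * "group" apply to fr_grhead.
 */
head:	| IPFY_HEAD YY_STR		{ DOALL(strncpy(fr->fr_grhead, $2, \
							FR_GROUPLEN););
					  free($2); }
	| IPFY_HEAD YY_NUMBER		{ DOALL(sprintf(fr->fr_grhead, "%d", \
							$2);) }
	;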

/* Optional "set-tag( ... )" clause of an inbound rule. */
settagin:
	| IPFY_SETTAG '(' taginlist ')'
	;

taginlist:
	taginspec
	| taginlist ',' taginspec
	;

taginspec:
	logtag
	|nattag
	;

/*
 * nat=<string|number>: stored in fr_nattag.ipt_tag of every rule on the
 * frc chain.
 * NOTE(review): strncpy() with IPFTAG_LEN does not NUL-terminate a tag
 * of IPFTAG_LEN bytes or more; confirm the tag is compared as a
 * fixed-width field.  The numeric form prints an unsigned value with
 * "%d" through an unbounded sprintf() - confirm the field size.
 */
nattag:	IPFY_NAT '=' YY_STR		{ DOALL(strncpy(fr->fr_nattag.ipt_tag,\
						$3, IPFTAG_LEN););
					  free($3); }
	| IPFY_NAT '=' YY_NUMBER	{ DOALL(sprintf(fr->fr_nattag.ipt_tag,\
						"%d", $3 & 0xffffffff);) }
	;

logtag:	IPFY_LOG '=' YY_NUMBER		{ DOALL(fr->fr_logtag = $3;) }
	;

/* Optional "set-tag( ... )" clause of an outbound rule. */
settagout:
	| IPFY_SETTAG '(' tagoutlist ')'
	;

tagoutlist:
	tagoutspec
	| tagoutlist ',' tagoutspec
	;

tagoutspec:
	logtag
	| nattag
	;

/* As written, the inbound match clause takes the outbound tag list ... */
matchtagin:
	| IPFY_MATCHTAG '(' tagoutlist ')'
	;

/* ... and the outbound match clause takes the inbound tag list. */
matchtagout:
	| IPFY_MATCHTAG '(' taginlist ')'
	;

pps:	| IPFY_PPS YY_NUMBER		{ DOALL(fr->fr_pps = $2;) }
	;

/* Optional nested "{ file }" block after a rule. */
new:	| savegroup file restoregroup
	;

savegroup:
	'{'
	;

restoregroup:
	'}'
	;

logopt:	log
	;

quick:
	IPFY_QUICK			{ fr->fr_flags |= FR_QUICK; }
	;

on:	IPFY_ON onname
	| IPFY_ON onname IPFY_INVIA vianame
	| IPFY_ON onname IPFY_OUTVIA vianame
	;

/*
 * Interface name(s) after "on": stored in fr_ifnames[0] and [1].
 * NOTE(review): every strncpy() in the rules below is bounded by
 * sizeof(destination) and so never overruns the field, but it leaves
 * the field without a terminating NUL when the name fills it; confirm
 * that the consumers of these fields bound their reads or terminate the
 * copy themselves.
 */
onname:	interfacename
		{ strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
		  free($1);
		}
	| interfacename ',' interfacename
		{ strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
		  free($1);
		  strncpy(fr->fr_ifnames[1], $3, sizeof(fr->fr_ifnames[1]));
		  free($3);
		}
	;

/* Interface name(s) after in-via/out-via: stored in fr_ifnames[2] and [3]. */
vianame:
	name
		{ strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
		  free($1);
		}
	| name ',' name
		{ strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
		  free($1);
		  strncpy(fr->fr_ifnames[3], $3, sizeof(fr->fr_ifnames[3]));
		  free($3);
		}
	;

/*
 * dup-to <ifname>[:<address>]: fills fr_dif and sets FR_DUP.  For a
 * hostname the IPv4 member is stored when use_inet6 is 0, otherwise the
 * whole value is copied into fd_ip6.
 */
dup:	IPFY_DUPTO name
	{ strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
	  free($2);
	  fr->fr_flags |= FR_DUP;
	}
	| IPFY_DUPTO name duptoseparator hostname
	{ strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
	  if (use_inet6 == 0)
		fr->fr_dif.fd_ip = $4.in4;
	  else
		bcopy(&$4, &fr->fr_dif.fd_ip6, sizeof(fr->fr_dif.fd_ip6));
	  yyexpectaddr = 0;
	  fr->fr_flags |= FR_DUP;
	  free($2);
	}
	| IPFY_DUPTO name duptoseparator YY_IPV6
	{ strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
	  bcopy(&$4, &fr->fr_dif.fd_ip6, sizeof(fr->fr_dif.fd_ip6));
	  yyexpectaddr = 0;
	  fr->fr_flags |= FR_DUP;
	  free($2);
	}
	;

/* ':' between interface and address: tell the lexer an address follows. */
duptoseparator:
	':'	{ yyexpectaddr = 1; yycont = &yyexpectaddr; resetaddr(); }
	;

froute:	IPFY_FROUTE			{ fr->fr_flags |= FR_FASTROUTE; }
	;

/* to / route-to <ifname>[:<address>]: fills fr_tif the way dup fills fr_dif. */
proute:	routeto name
	{ strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
	  free($2);
	}
	| routeto name duptoseparator hostname
	{ strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
	  if (use_inet6 == 0)
		fr->fr_tif.fd_ip = $4.in4;
	  else
		bcopy(&$4, &fr->fr_tif.fd_ip6, sizeof(fr->fr_tif.fd_ip6));
	  yyexpectaddr = 0;
	  free($2);
	}
	| routeto name duptoseparator YY_IPV6
	{ strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
	  bcopy(&$4, &fr->fr_tif.fd_ip6, sizeof(fr->fr_tif.fd_ip6));
	  yyexpectaddr = 0;
	  free($2);
	}
	;

routeto:
	IPFY_TO
	| IPFY_ROUTETO
	;

/* reply-to <ifname>[:<address>]: fills fr_rif. */
replyto:
	IPFY_REPLY_TO name
	{ strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
	  free($2);
	}
	| IPFY_REPLY_TO name duptoseparator hostname
	{ strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
	  if (use_inet6 == 0)
		fr->fr_rif.fd_ip = $4.in4;
	  else
		bcopy(&$4, &fr->fr_rif.fd_ip6, sizeof(fr->fr_rif.fd_ip6));
	  yyexpectaddr = 0;
	  free($2);
	}
	| IPFY_REPLY_TO name duptoseparator YY_IPV6
	{ strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
	  bcopy(&$4, &fr->fr_rif.fd_ip6, sizeof(fr->fr_rif.fd_ip6));
	  yyexpectaddr = 0;
	  free($2);
	}
	;

logoptions:
	logoption
	| logoptions logoption
	;

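/* A single log option: sets one FR_LOG* flag or ends a syslog level clause. */
logoption:
	IPFY_BODY			{ fr->fr_flags |= FR_LOGBODY; }
	| IPFY_FIRST			{ fr->fr_flags |= FR_LOGFIRST; }
	| IPFY_ORBLOCK			{ fr->fr_flags |= FR_LOGORBLOCK; }
	| level loglevel		{ unsetsyslog(); }
	;

/* Parenthesised ICMP code for a return rule; stored in fr_icode. */
returncode:
	starticmpcode icmpcode ')'	{ fr->fr_icode = $2; yyresetdict(); }
	;

/* '(' switches the lexer to the ICMP code word table. */
starticmpcode:
	'('				{ yysetdict(icmpcodewords); }
	;

/* Source/destination clause: empty, "all", or a from/to specification. */
srcdst:	| IPFY_ALL
	| fromto
	;

/*
 * Protocol selector.  A number or a name sets fr_proto with a full 0xff
 * mask on every remaining rule (DOREM walks fr onward through fr_next);
 * "tcp-udp" and "tcp/udp" set FI_TCPUDP in fr_flx and fr_mflx instead.
 */
protocol:
	YY_NUMBER		{ DOREM(fr->fr_proto = $1; \
					fr->fr_mproto = 0xff;) }
	| YY_STR		{ if (!strcmp($1, "tcp-udp")) {
					DOREM(fr->fr_flx |= FI_TCPUDP; \
					      fr->fr_mflx |= FI_TCPUDP;)
				  } else {
					int p = getproto($1);
					/*
					 * NOTE(review): if yyerror() returns,
					 * the -1 is still stored in fr_proto
					 * below; confirm yyerror() does not
					 * return, or stop the parse here.
					 */
					if (p == -1)
						yyerror("protocol unknown");
					DOREM(fr->fr_proto = p; \
						fr->fr_mproto = 0xff;)
				  }
				  free($1);
				}
	| YY_STR nextstring YY_STR
				{ int is_tcp_udp = !strcmp($1, "tcp") &&
						   !strcmp($3, "udp");
				  /*
				   * Release both strings before YYERROR can
				   * jump out of the action; the error path
				   * used to skip the two free() calls.
				   */
				  free($1);
				  free($3);
				  if (!is_tcp_udp)
					YYERROR;
				  DOREM(fr->fr_flx |= FI_TCPUDP; \
					fr->fr_mflx |= FI_TCPUDP;)
				}
	;

/* '/' between two protocol names; clears the active word table. */
nextstring:
	'/'			{ yysetdict(NULL); }
	;

/* from/to combinations; each one ends address parsing. */
fromto:	from srcobject to dstobject	{ yyexpectaddr = 0; yycont = NULL; }
	| to dstobject			{ yyexpectaddr = 0; yycont = NULL; }
	| from srcobject		{ yyexpectaddr = 0; yycont = NULL; }
	;

/*
 * "from": fixes the rule type, rewinds fr to the head of the current rule
 * chain if it is NULL, and prepares the lexer for an address.
 */
from:	IPFY_FROM			{ setipftype();
					  if (fr == NULL)
						fr = frc;
					  yyexpectaddr = 1;
					  if (yydebug)
						printf("set yyexpectaddr\n");
					  yycont = &yyexpectaddr;
					  yysetdict(addrwords);
					  resetaddr(); }
	;

/* "to": same preparation as "from", without the setipftype() call. */
to:	IPFY_TO				{ if (fr == NULL)
						fr = frc;
					  yyexpectaddr = 1;
					  if (yydebug)
						printf("set yyexpectaddr\n");
					  yycont = &yyexpectaddr;
					  yysetdict(addrwords);
					  resetaddr(); }
	;

/* Optional "with"/"and" clause. */
with:	| andwith withlist
	;

/* Either keyword clears the negation flag and fixes the rule type. */
andwith:
	IPFY_WITH			{ nowith = 0; setipftype(); }
	| IPFY_AND			{ nowith = 0; setipftype(); }
	;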
/*
 * Optional TCP flags clause.  The value goes to fr_tcpf and the mask to
 * fr_tcpfm on every rule in the current chain (DOALL restarts at frc).
 * With no mask given, FR_TCPFMAX is used; with only a mask, the value is 0.
 */
flags:	| startflags flagset
		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
	| startflags flagset '/' flagset
		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
	| startflags '/' flagset
		{ DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
	| startflags YY_NUMBER
		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
	| startflags '/' YY_NUMBER
		{ DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
	| startflags YY_NUMBER '/' YY_NUMBER
		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
	| startflags flagset '/' YY_NUMBER
		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
	| startflags YY_NUMBER '/' flagset
		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
	;

/*
 * "flags" keyword: reports an error unless the head rule (frc) is an
 * ipf-type rule with protocol TCP.  Only frc is checked here.
 */
startflags:
	IPFY_FLAGS	{ if (frc->fr_type != FR_T_IPF)
				yyerror("flags with non-ipf type rule");
			  if (frc->fr_proto != IPPROTO_TCP)
				yyerror("flags with non-TCP rule");
			}
	;

/* A flag set given by name (converted by tcpflags()) or as a hex value. */
flagset:
	YY_STR				{ $$ = tcpflags($1); free($1); }
	| YY_HEX			{ $$ = $1; }
	;

/*
 * Source side of a from clause: a bare port, an address with optional
 * port, or a negated address, which sets FR_NOTSRCIP on the whole chain.
 */
srcobject:
	{ yyresetdict(); } fromport
	| srcaddr srcport
	| '!' srcaddr srcport
		{ DOALL(fr->fr_flags |= FR_NOTSRCIP;) }
	;

/*
 * Single source address.  Copies the address and mask into fi_src of
 * fr_ip and fr_mip on each remaining rule.  When `dynamic` is not -1 the
 * address type is taken from ifpflag and `dynamic` is stored in
 * fri_sifpidx; otherwise a pool or hash reference marks it FRI_LOOKUP.
 */
srcaddr:
	addr	{ DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \
		  bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \
		  if (dynamic != -1) { \
			fr->fr_satype = ifpflag; \
			fr->fr_ipf->fri_sifpidx = dynamic; \
		  } else if (pooled || hashed) \
			fr->fr_satype = FRI_LOOKUP;)
		}
	| lstart srcaddrlist lend
	;

/*
 * Bracketed list of source addresses; each entry runs the same update as
 * srcaddr.  lstart, lmore and lend are defined outside this excerpt.
 */
srcaddrlist:
	addr	{ DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \
		  bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \
		  if (dynamic != -1) { \
			fr->fr_satype = ifpflag; \
			fr->fr_ipf->fri_sifpidx = dynamic; \
		  } else if (pooled || hashed) \
			fr->fr_satype = FRI_LOOKUP;)
		}
	| srcaddrlist lmore addr
		{ DOREM(bcopy(&($3.a), &fr->fr_ip.fi_src, sizeof($3.a)); \
		  bcopy(&($3.m), &fr->fr_mip.fi_src, sizeof($3.m)); \
		  if (dynamic != -1) { \
			fr->fr_satype = ifpflag; \
			fr->fr_ipf->fri_sifpidx = dynamic; \
		  } else if (pooled || hashed) \
			fr->fr_satype = FRI_LOOKUP;)
		}
	;

/*
 * Optional source port after an address.  A comparison stores the
 * operator in fr_scmp and the port in fr_sport; a range also stores the
 * upper port in fr_stop.  All rules in the chain are updated (DOALL).
 */
srcport:
	| portcomp
		{ DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
	| portrange
		{ DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
			fr->fr_stop = $1.p2;) }
	| porteq lstart srcportlist lend
		{ yyresetdict(); }
	;

/* Source port with no address; same actions as srcport, but not optional. */
fromport:
	portcomp
		{ DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
	| portrange
		{ DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
			fr->fr_stop = $1.p2;) }
	| porteq lstart srcportlist lend
		{ yyresetdict(); }
	;

/* List of source ports; each is stored as an FR_EQUAL comparison. */
srcportlist:
	portnum		{ DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $1;) }
	| srcportlist lmore portnum
			{ DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $3;) }
	;

/*
 * Destination side of a to clause: a bare port, an address with optional
 * port, or a negated address, which sets FR_NOTDSTIP on the whole chain.
 */
dstobject:
	{ yyresetdict(); } toport
	| dstaddr dstport
	| '!' dstaddr dstport
		{ DOALL(fr->fr_flags |= FR_NOTDSTIP;) }
	;

/*
 * Single destination address.  Copies the address and mask into fi_dst of
 * fr_ip and fr_mip on each remaining rule.  When `dynamic` is not -1 the
 * address type is taken from ifpflag and `dynamic` is stored in
 * fri_difpidx; otherwise a pool or hash reference marks it FRI_LOOKUP.
 */
dstaddr:
	addr	{ DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
		  bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \
		  if (dynamic != -1) { \
			fr->fr_datype = ifpflag; \
			fr->fr_ipf->fri_difpidx = dynamic; \
		  } else if (pooled || hashed) \
			fr->fr_datype = FRI_LOOKUP;)
		}
	| lstart dstaddrlist lend
	;

/* Bracketed list of destination addresses; same update as dstaddr. */
dstaddrlist:
	addr	{ DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
		  bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \
		  if (dynamic != -1) { \
			fr->fr_datype = ifpflag; \
			fr->fr_ipf->fri_difpidx = dynamic; \
		  } else if (pooled || hashed) \
			fr->fr_datype = FRI_LOOKUP;)
		}
	| dstaddrlist lmore addr
		{ DOREM(bcopy(&($3.a), &fr->fr_ip.fi_dst, sizeof($3.a)); \
		  bcopy(&($3.m), &fr->fr_mip.fi_dst, sizeof($3.m)); \
		  if (dynamic != -1) { \
			fr->fr_datype = ifpflag; \
			fr->fr_ipf->fri_difpidx = dynamic; \
		  } else if (pooled || hashed) \
			fr->fr_datype = FRI_LOOKUP;)
		}
	;

/*
 * Optional destination port after an address: operator in fr_dcmp, port
 * in fr_dport, and for a range the upper port in fr_dtop.
 */
dstport:
	| portcomp
		{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
	| portrange
		{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
			fr->fr_dtop = $1.p2;) }
	| porteq lstart dstportlist lend
		{ yyresetdict(); }
	;

/* Destination port with no address; same actions as dstport. */
toport:
	portcomp
		{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
	| portrange
		{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
			fr->fr_dtop = $1.p2;) }
	| porteq lstart dstportlist lend
		{ yyresetdict(); }
	;

/* List of destination ports; each is stored as an FR_EQUAL comparison. */
dstportlist:
	portnum		{ DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $1;) }
	| dstportlist lmore portnum
			{ DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $3;) }
	;

/*
 * An address operand: a pool or hash table by number, an inline pool or
 * hash definition (created by makepool()/makehash()), or a plain address.
 * The pooled/hashed flags are read later by the srcaddr/dstaddr actions.
 */
addr:	pool '/' YY_NUMBER		{ pooled = 1;
					  yyexpectaddr = 0;
					  $$.a.iplookuptype = IPLT_POOL;
					  $$.a.iplookupnum = $3; }
	| pool '=' '(' poollist ')'	{ pooled = 1;
					  yyexpectaddr = 0;
					  $$.a.iplookuptype = IPLT_POOL;
					  $$.a.iplookupnum = makepool($4); }
	| hash '/' YY_NUMBER		{ hashed = 1;
					  yyexpectaddr = 0;
					  $$.a.iplookuptype = IPLT_HASH;
					  $$.a.iplookupnum = $3; }
	| hash '=' '(' addrlist ')'	{ hashed = 1;
					  yyexpectaddr = 0;
					  $$.a.iplookuptype = IPLT_HASH;
					  $$.a.iplookupnum = makehash($4); }
	| ipaddr			{ bcopy(&$1, &$$, sizeof($$));
					  yyexpectaddr = 0; }
	;

/*
 * Address with mask.  "any" is all zeroes; a bare host gets a full mask
 * (0xffffffff for IPv4, 128 bits for IPv6); a host followed by a mask
 * uses that mask, and for IPv4 the address is ANDed with it.
 * set_ipv6_addr records that the value is IPv6 for the list rules below.
 * NOTE(review): the "hostname ... maskspace ... mask" and "YY_IPV6 ..."
 * alternatives assign the address through $$ in a mid-rule action and the
 * mask through $$ in the final action; confirm both refer to the same
 * value under the parser generator in use.
 */
ipaddr:	IPFY_ANY			{ bzero(&($$), sizeof($$));
					  yyresetdict();
					  yyexpectaddr = 0; }
	| hostname			{ if (use_inet6 == 0) {
						$$.a.in4 = $1.in4;
						$$.m.in4_addr = 0xffffffff;
					  } else {
						set_ipv6_addr = 1;
						bcopy(&$1, &$$.a, sizeof($$.a));
						fill6bits(128, (u_32_t *)&$$.m);
					  }
					  yyexpectaddr = 0; }
	| hostname			{ yyresetdict();
					  if (use_inet6 == 0)
						$$.a.in4 = $1.in4;
					  else {
						set_ipv6_addr = 1;
						bcopy(&$1, &$$.a, sizeof($$.a));
					  }
					}
		maskspace		{ yysetdict(maskwords); }
		mask			{ if (use_inet6 == 0) {
						$$.m.in4_addr = $5.in4.s_addr;
						$$.a.in4_addr &= $5.in4.s_addr;
					  } else
						bcopy(&$5, &$$.m, sizeof($$.m));
					  yyresetdict();
					  yyexpectaddr = 0; }
	| YY_IPV6			{ set_ipv6_addr = 1;
					  bcopy(&$1, &$$.a, sizeof($$.a));
					  fill6bits(128, (u_32_t *)&$$.m);
					  yyresetdict();
					  yyexpectaddr = 0; }
	| YY_IPV6			{ set_ipv6_addr = 1;
					  yyresetdict();
					  bcopy(&$1, &$$.a, sizeof($$.a)); }
		maskspace		{ yysetdict(maskwords); }
		mask			{ bcopy(&$5, &$$.m, sizeof($$.m));
					  yyresetdict();
					  yyexpectaddr = 0; }
	;

/* Separator between an address and its mask. */
maskspace:
	'/'
	| IPFY_MASK
	;

/*
 * Netmask: dotted IPv4, hex, a prefix length (at most 32 for IPv4, 128
 * for IPv6), or a keyword that is accepted only while ifpflag is
 * FRI_DYNAMIC and then replaces ifpflag with the matching FRI_* value.
 * NOTE(review): after a bad prefix length the action executes "return 0",
 * which leaves the generated parser function with the value 0 if
 * yyerror() returns; confirm yyerror() does not return, otherwise the
 * caller cannot tell this from a successful parse.
 */
mask:
	ipv4			{ $$.in4 = $1; }
	| YY_HEX		{ $$.in4.s_addr = htonl($1); }
	| YY_NUMBER		{ if ((use_inet6 == 0) && ($1 <= 32))
					ntomask(4, $1, (u_32_t *)&$$.in4);
				  else if ((use_inet6 != 0) && ($1 <= 128))
					ntomask(6, $1, $$.i6);
				  else {
					yyerror("Bad value specified for netmask");
					return 0;
				  }
				}
	| IPFY_BROADCAST	{ if (ifpflag == FRI_DYNAMIC) {
					bzero(&$$, sizeof($$));
					ifpflag = FRI_BROADCAST;
				  } else
					YYERROR;
				}
	| IPFY_NETWORK		{ if (ifpflag == FRI_DYNAMIC) {
					bzero(&$$, sizeof($$));
					ifpflag = FRI_NETWORK;
				  } else
					YYERROR;
				}
	| IPFY_NETMASKED	{ if (ifpflag == FRI_DYNAMIC) {
					bzero(&$$, sizeof($$));
					ifpflag = FRI_NETMASKED;
				  } else
					YYERROR;
				}
	| IPFY_PEER		{ if (ifpflag == FRI_DYNAMIC) {
					bzero(&$$, sizeof($$));
					ifpflag = FRI_PEERADDR;
				  } else
					YYERROR;
				}
	;

/*
 * Host operand: dotted IPv4, a number, a hex value, or a name resolved by
 * lookuphost().  The name string is freed on both paths.
 * NOTE(review): YY_NUMBER and YY_HEX are stored in s_addr without htonl(),
 * unlike the YY_HEX mask above; confirm the intended byte order.
 * NOTE(review): when lookuphost() fails and ifpflag is FRI_DYNAMIC no
 * error is raised and the action assigns nothing to the result.
 */
hostname:
	ipv4			{ $$.in4 = $1; }
	| YY_NUMBER		{ $$.in4.s_addr = $1; }
	| YY_HEX		{ $$.in4.s_addr = $1; }
	| YY_STR		{ if (lookuphost($1, &$$) == 1)
					free($1);
				  else {
					free($1);
					if (ifpflag != FRI_DYNAMIC)
						yyerror("Unknown hostname");
				  }
				}
	;

/*
 * Address list for an inline hash table.  Each entry gets a new alist
 * node from newalist(), its family from set_ipv6_addr (which is then
 * cleared), and a copy of the address and mask.
 * NOTE(review): the result of newalist() is dereferenced without a NULL
 * check here; confirm newalist() cannot return NULL.
 */
addrlist:
	ipaddr		{ $$ = newalist(NULL);
			  if (set_ipv6_addr)
				$$->al_family = AF_INET6;
			  else
				$$->al_family = AF_INET;
			  set_ipv6_addr = 0;
			  bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
			  bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); }
	| addrlist ',' ipaddr
			{ $$ = newalist($1);
			  if (set_ipv6_addr)
				$$->al_family = AF_INET6;
			  else
				$$->al_family = AF_INET;
			  set_ipv6_addr = 0;
			  bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
			  bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); }
	;

/* "pool" keyword: stop expecting an address and reset the word table. */
pool:	IPFY_POOL	{ yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
	;

/* "hash" keyword: same lexer reset as "pool". */
hash:	IPFY_HASH	{ yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
	;

/*
 * Address list for an inline pool.  Same node setup as addrlist, with
 * al_not set to 1 for entries prefixed by '!'.
 */
poollist:
	ipaddr		{ $$ = newalist(NULL);
			  if (set_ipv6_addr)
				$$->al_family = AF_INET6;
			  else
				$$->al_family = AF_INET;
			  set_ipv6_addr = 0;
			  bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
			  bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); }
	| '!' ipaddr	{ $$ = newalist(NULL);
			  $$->al_not = 1;
			  if (set_ipv6_addr)
				$$->al_family = AF_INET6;
			  else
				$$->al_family = AF_INET;
			  set_ipv6_addr = 0;
			  bcopy(&($2.a), &($$->al_i6addr), sizeof($2.a));
			  bcopy(&($2.m), &($$->al_i6mask), sizeof($2.m)); }
	| poollist ',' ipaddr
			{ $$ = newalist($1);
			  if (set_ipv6_addr)
				$$->al_family = AF_INET6;
			  else
				$$->al_family = AF_INET;
			  set_ipv6_addr = 0;
			  bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
			  bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); }
	| poollist ',' '!' ipaddr
			{ $$ = newalist($1);
			  $$->al_not = 1;
			  if (set_ipv6_addr)
				$$->al_family = AF_INET6;
			  else
				$$->al_family = AF_INET;
			  set_ipv6_addr = 0;
			  bcopy(&($4.a), &($$->al_i6addr), sizeof($4.a));
			  bcopy(&($4.m), &($$->al_i6mask), sizeof($4.m)); }
	;

/* "port" keyword ahead of a comparison: stop expecting an address. */
port:	IPFY_PORT			{ yyexpectaddr = 0;
					  yycont = NULL;
					}
	;

/* Port comparison operator; `compare` is defined outside this excerpt. */
portc:	port compare			{ $$ = $2;
					  yysetdict(NULL); }
	| porteq			{ $$ = $1; }
	;

/* "port =" yields FR_EQUAL. */
porteq:	port '='			{ $$ = FR_EQUAL;
					  yysetdict(NULL); }
	;

/* "port" keyword ahead of a range. */
portr:	IPFY_PORT			{ yyexpectaddr = 0;
					  yycont = NULL;
					  yysetdict(NULL); }
	;

/* Operator plus one port. */
portcomp:
	portc portnum			{ $$.pc = $1;
					  $$.p1 = $2;
					  yyresetdict(); }
	;

/* Two ports joined by a range operator (`range` is defined elsewhere). */
portrange:
	portr portnum range portnum	{ $$.p1 = $2;
					  $$.pc = $3;
					  $$.p2 = $4;
					  yyresetdict(); }
	;

/* Optional ICMP type with optional code. */
icmp:	| itype icode
	;

/*
 * ICMP type: stored in the high byte of fr_icmp with mask 0xff00, both in
 * network byte order.
 */
itype:	seticmptype icmptype
	{ DOALL(fr->fr_icmp = htons($2 << 8); fr->fr_icmpm = htons(0xff00););
	  yyresetdict();
	}
	| seticmptype lstart typelist lend	{ yyresetdict(); }
	;

/* "icmp-type" keyword: fix the rule type and load the type word table. */
seticmptype:
	IPFY_ICMPTYPE		{ setipftype();
					  yysetdict(icmptypewords); }
	;

/* Optional ICMP code: ORed into the low byte of fr_icmp, mask 0xff. */
icode:	| seticmpcode icmpcode
	{ DOALL(fr->fr_icmp |= htons($2); fr->fr_icmpm |= htons(0xff););
	  yyresetdict();
	}
	| seticmpcode lstart codelist lend	{ yyresetdict(); }
	;

/* "code" keyword: load the ICMP code word table. */
seticmpcode:
	IPFY_ICMPCODE				{ yysetdict(icmpcodewords); }
	;

/* List of ICMP types, applied to the remaining rules (DOREM). */
typelist:
	icmptype
	{ DOREM(fr->fr_icmp = htons($1 << 8); fr->fr_icmpm = htons(0xff00);) }
	| typelist lmore icmptype
	{ DOREM(fr->fr_icmp = htons($3 << 8); fr->fr_icmpm = htons(0xff00);) }
	;

/* List of ICMP codes, applied to the remaining rules (DOREM). */
codelist:
	icmpcode
	{ DOREM(fr->fr_icmp |= htons($1); fr->fr_icmpm |= htons(0xff);) }
	| codelist lmore icmpcode
	{ DOREM(fr->fr_icmp |= htons($3); fr->fr_icmpm |= htons(0xff);) }
	;

/* Optional age: one value fills both fr_age slots, two fill one each. */
age:	| IPFY_AGE YY_NUMBER		{ DOALL(fr->fr_age[0] = $2; \
						fr->fr_age[1] = $2;) }
	| IPFY_AGE YY_NUMBER '/' YY_NUMBER
					{ DOALL(fr->fr_age[0] = $2; \
						fr->fr_age[1] = $4;) }
	;

/* Optional "keep state" and/or "keep frags", in either order. */
keep:	| IPFY_KEEP keepstate
	| IPFY_KEEP keepfrag
	| IPFY_KEEP keepstate IPFY_KEEP keepfrag
	| IPFY_KEEP keepfrag IPFY_KEEP keepstate
	;

/* Sets FR_KEEPSTATE on every rule in the chain. */
keepstate:
	IPFY_STATE stateoptlist		{ DOALL(fr->fr_flags |= FR_KEEPSTATE;)}
	;

/* Sets FR_KEEPFRAG on every rule in the chain. */
keepfrag:
	IPFY_FRAGS fragoptlist		{ DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
	| IPFY_FRAG fragoptlist		{ DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
	;

/* Optional parenthesised fragment options. */
fragoptlist:
	| '(' fragopts ')'
	;

fragopts:
	fragopt lanother fragopts
	| fragopt
	;

fragopt:
	IPFY_STRICT			{ DOALL(fr->fr_flags |= FR_FRSTRICT;) }
	;

/* Optional parenthesised state options. */
stateoptlist:
	| '(' stateopts ')'
	;

stateopts:
	stateopt lanother stateopts
	| stateopt
	;

/*
 * State options.  "strict" and "newisn" raise a parse error as soon as a
 * rule in the chain has a protocol other than TCP; rules visited before
 * that one have already had the flag set.
 */
stateopt:
	IPFY_LIMIT YY_NUMBER	{ DOALL(fr->fr_statemax = $2;) }
	| IPFY_STRICT		{ DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
						YYERROR; \
					  } else \
						fr->fr_flags |= FR_STSTRICT;)
				}
	| IPFY_NEWISN		{ DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
						YYERROR; \
					  } else \
						fr->fr_flags |= FR_NEWISN;)
				}
	| IPFY_NOICMPERR	{ DOALL(fr->fr_flags |= FR_NOICMPERR;) }

	| IPFY_SYNC		{ DOALL(fr->fr_flags |= FR_STATESYNC;) }
	;

/*
 * Port number: a service name resolved by getport() and converted with
 * ntohs(), or a literal no greater than 65535.
 * NOTE(review): on either error path the action assigns nothing to the
 * result; if yyerror() returns, the port value used by the caller is
 * whatever the parser left there.  Confirm yyerror() does not return.
 */
portnum:
	servicename		{ if (getport(frc, $1, &($$)) == -1)
					yyerror("service unknown");
				  else
					$$ = ntohs($$);
				  free($1);
				}
	| YY_NUMBER		{ if ($1 > 65535)	/* Unsigned */
					yyerror("invalid port number");
				  else
					$$ = $1;
				}
	;

/* One or more "with" options, optionally comma separated. */
withlist:
	withopt
	| withlist withopt
	| withlist ',' withopt
	;

/*
 * A "with" option.  A plain option sets the bit in both fr_flx and
 * fr_mflx; a negated one sets it in the mask fr_mflx only.
 */
withopt:
	opttype		{ DOALL(fr->fr_flx |= $1; fr->fr_mflx |= $1;) }
	| notwith opttype
					{ DOALL(fr->fr_mflx |= $2;) }
	| ipopt ipopts			{ yyresetdict(); }
	| notwith ipopt ipopts		{ yyresetdict(); }
	| startv6hdrs ipv6hdrs		{ yyresetdict(); }
	;

/* "opt" keyword: load the IPv4 option word table. */
ipopt:	IPFY_OPT			{ yysetdict(ipv4optwords); }
	;

/* "v6hdrs" keyword: reports an error unless use_inet6 is set. */
startv6hdrs:
	IPF6_V6HDRS	{ if (use_inet6 == 0)
				yyerror("only available with IPv6");
			  yysetdict(ipv6optwords);
			}
	;

/* Negation keywords; nowith is read by the ipopts and ipv6hdrs actions. */
notwith:
	IPFY_NOT			{ nowith = 1; }
	| IPFY_NO			{ nowith = 1; }
	;

/* Keyword to FI_* flag mapping; IPFY_FRAG and IPFY_FRAGS both give FI_FRAG. */
opttype:
	IPFY_IPOPTS			{ $$ = FI_OPTIONS; }
	| IPFY_SHORT			{ $$ = FI_SHORT; }
	| IPFY_NAT			{ $$ = FI_NATED; }
	| IPFY_BAD			{ $$ = FI_BAD; }
	| IPFY_BADNAT			{ $$ = FI_BADNAT; }
	| IPFY_BADSRC			{ $$ = FI_BADSRC; }
	| IPFY_LOWTTL			{ $$ = FI_LOWTTL; }
	| IPFY_FRAG			{ $$ = FI_FRAG; }
	| IPFY_FRAGBODY			{ $$ = FI_FRAGBODY; }
	| IPFY_FRAGS			{ $$ = FI_FRAG; }
	| IPFY_MBCAST			{ $$ = FI_MBCAST; }
	| IPFY_MULTICAST		{ $$ = FI_MULTICAST; }
	| IPFY_BROADCAST		{ $$ = FI_BROADCAST; }
	| IPFY_STATE			{ $$ = FI_STATE; }
	| IPFY_OOW			{ $$ = FI_OOW; }
	;

/*
 * IPv4 option list: the bits always go into the mask (fr_mip.fi_optmsk)
 * and into the value (fr_ip.fi_optmsk) only when not negated.
 */
ipopts:	optlist		{ DOALL(fr->fr_mip.fi_optmsk |= $1;
				if (!nowith)
					fr->fr_ip.fi_optmsk |= $1;)
			}
	;

/*
 * NOTE(review): the list rules below use "|=" on the result before the
 * action has assigned it; the outcome depends on the value the generated
 * parser places there before running the action.  Confirm.
 */
optlist:
	opt				{ $$ |= $1; }
	| optlist ',' opt		{ $$ |= $1 | $3; }
	;

/* IPv6 header list: same mask/value handling as ipopts. */
ipv6hdrs:
	ipv6hdrlist		{ DOALL(fr->fr_mip.fi_optmsk |= $1;
				if (!nowith)
					fr->fr_ip.fi_optmsk |= $1;)
			}
	;

ipv6hdrlist:
	ipv6hdr				{ $$ |= $1; }
	| ipv6hdrlist ',' ipv6hdr	{ $$ |= $1 | $3; }
	;

secname:
	seclevel			{ $$ |= $1; }
	| secname ',' seclevel		{ $$ |= $1 | $3; }
	;

/* Security level keyword to the bit returned by secbit(). */
seclevel:
	IPFY_SEC_UNC			{ $$ = secbit(IPSO_CLASS_UNCL); }
	| IPFY_SEC_CONF			{ $$ = secbit(IPSO_CLASS_CONF); }
	| IPFY_SEC_RSV1			{ $$ = secbit(IPSO_CLASS_RES1); }
	| IPFY_SEC_RSV2			{ $$ = secbit(IPSO_CLASS_RES2); }
	| IPFY_SEC_RSV3			{ $$ = secbit(IPSO_CLASS_RES3); }
	| IPFY_SEC_RSV4			{ $$ = secbit(IPSO_CLASS_RES4); }
	| IPFY_SEC_SEC			{ $$ = secbit(IPSO_CLASS_SECR); }
	| IPFY_SEC_TS			{ $$ = secbit(IPSO_CLASS_TOPS); }
	;

/*
 * ICMP type by number or keyword.  A numeric type is passed through with
 * no range check in this rule; the itype/typelist actions shift it left
 * by 8 before htons().
 */
icmptype:
	YY_NUMBER		{ $$ = $1; }
	| IPFY_ICMPT_UNR	{ $$ = ICMP_UNREACH; }
	| IPFY_ICMPT_ECHO	{ $$ = ICMP_ECHO; }
	| IPFY_ICMPT_ECHOR	{ $$ = ICMP_ECHOREPLY; }
	| IPFY_ICMPT_SQUENCH	{ $$ = ICMP_SOURCEQUENCH; }
	| IPFY_ICMPT_REDIR	{ $$ = ICMP_REDIRECT; }
	| IPFY_ICMPT_TIMEX	{ $$ = ICMP_TIMXCEED; }
	| IPFY_ICMPT_PARAMP	{ $$ = ICMP_PARAMPROB; }
	| IPFY_ICMPT_TIMEST	{ $$ = ICMP_TSTAMP; }
	| IPFY_ICMPT_TIMESTREP	{ $$ = ICMP_TSTAMPREPLY; }
	| IPFY_ICMPT_INFOREQ	{ $$ = ICMP_IREQ; }
	| IPFY_ICMPT_INFOREP	{ $$ = ICMP_IREQREPLY; }
	| IPFY_ICMPT_MASKREQ	{ $$ = ICMP_MASKREQ; }
	| IPFY_ICMPT_MASKREP	{ $$ = ICMP_MASKREPLY; }
	| IPFY_ICMPT_ROUTERAD	{ $$ = ICMP_ROUTERADVERT; }
	| IPFY_ICMPT_ROUTERSOL	{ $$ = ICMP_ROUTERSOLICIT; }
	;

/*
 * ICMP code by number or keyword.  A numeric code is passed through with
 * no range check in this rule.
 */
icmpcode:
	YY_NUMBER		{ $$ = $1; }
	| IPFY_ICMPC_NETUNR	{ $$ = ICMP_UNREACH_NET; }
	| IPFY_ICMPC_HSTUNR	{ $$ = ICMP_UNREACH_HOST; }
	| IPFY_ICMPC_PROUNR	{ $$ = ICMP_UNREACH_PROTOCOL; }
	| IPFY_ICMPC_PORUNR	{ $$ = ICMP_UNREACH_PORT; }
	| IPFY_ICMPC_NEEDF	{ $$ = ICMP_UNREACH_NEEDFRAG; }
	| IPFY_ICMPC_SRCFAIL	{ $$ = ICMP_UNREACH_SRCFAIL; }
	| IPFY_ICMPC_NETUNK	{ $$ = ICMP_UNREACH_NET_UNKNOWN; }
	| IPFY_ICMPC_HSTUNK	{ $$ = ICMP_UNREACH_HOST_UNKNOWN; }
	| IPFY_ICMPC_ISOLATE	{ $$ = ICMP_UNREACH_ISOLATED; }
	| IPFY_ICMPC_NETPRO	{ $$ = ICMP_UNREACH_NET_PROHIB; }
	| IPFY_ICMPC_HSTPRO	{ $$ = ICMP_UNREACH_HOST_PROHIB; }
	| IPFY_ICMPC_NETTOS	{ $$ = ICMP_UNREACH_TOSNET; }
	| IPFY_ICMPC_HSTTOS	{ $$ = ICMP_UNREACH_TOSHOST; }
	| IPFY_ICMPC_FLTPRO	{ $$ = ICMP_UNREACH_ADMIN_PROHIBIT; }
	| IPFY_ICMPC_HSTPRE	{ $$ = 14; }
	| IPFY_ICMPC_CUTPRE	{ $$ = 15; }
	;

/* IPv4 option keywords; this rule continues past the end of this excerpt. */
opt:
	IPFY_IPOPT_NOP			{ $$ = getoptbyvalue(IPOPT_NOP); }
	| IPFY_IPOPT_RR			{ $$ = getoptbyvalue(IPOPT_RR); }
	| IPFY_IPOPT_ZSU		{ $$ = getoptbyvalue(IPOPT_ZSU); }
	| IPFY_IPOPT_MTUP		{ $$ = getoptbyvalue(IPOPT_MTUP); }
	| IPFY_IPOPT_MTUR		{ $$ = getoptbyvalue(IPOPT_MTUR); }
	| IPFY_IPOPT_ENCODE		{ $$ = getoptbyvalue(IPOPT_ENCODE); }
	| IPFY_IPOPT_TS			{ $$ = getoptbyvalue(IPOPT_TS); }
	| IPFY_IPOPT_TR			{ $$ = getoptbyvalue(IPOPT_TR); }
	| IPFY_IPOPT_SEC		{ $$ = getoptbyvalue(IPOPT_SECURITY); }
	| IPFY_IPOPT_LSRR		{ $$ = getoptbyvalue(IPOPT_LSRR); }
	| IPFY_IPOPT_ESEC		{ $$ = getoptbyvalue(IPOPT_E_SEC); }
	| IPFY_IPOPT_CIPSO		{ $$ = getoptbyvalue(IPOPT_CIPSO); }
	| IPFY_IPOPT_SATID		{ $$ =
getoptbyvalue(IPOPT_SATID); } 14077c478bd9Sstevel@tonic-gate | IPFY_IPOPT_SSRR { $$ = getoptbyvalue(IPOPT_SSRR); } 14087c478bd9Sstevel@tonic-gate | IPFY_IPOPT_ADDEXT { $$ = getoptbyvalue(IPOPT_ADDEXT); } 14097c478bd9Sstevel@tonic-gate | IPFY_IPOPT_VISA { $$ = getoptbyvalue(IPOPT_VISA); } 14107c478bd9Sstevel@tonic-gate | IPFY_IPOPT_IMITD { $$ = getoptbyvalue(IPOPT_IMITD); } 14117c478bd9Sstevel@tonic-gate | IPFY_IPOPT_EIP { $$ = getoptbyvalue(IPOPT_EIP); } 14127c478bd9Sstevel@tonic-gate | IPFY_IPOPT_FINN { $$ = getoptbyvalue(IPOPT_FINN); } 14137c478bd9Sstevel@tonic-gate | IPFY_IPOPT_DPS { $$ = getoptbyvalue(IPOPT_DPS); } 14147c478bd9Sstevel@tonic-gate | IPFY_IPOPT_SDB { $$ = getoptbyvalue(IPOPT_SDB); } 14157c478bd9Sstevel@tonic-gate | IPFY_IPOPT_NSAPA { $$ = getoptbyvalue(IPOPT_NSAPA); } 14167c478bd9Sstevel@tonic-gate | IPFY_IPOPT_RTRALRT { $$ = getoptbyvalue(IPOPT_RTRALRT); } 14177c478bd9Sstevel@tonic-gate | IPFY_IPOPT_UMP { $$ = getoptbyvalue(IPOPT_UMP); } 1418ab25eeb5Syz155240 | setsecclass secname 14197c478bd9Sstevel@tonic-gate { DOALL(fr->fr_mip.fi_secmsk |= $2; 14207c478bd9Sstevel@tonic-gate if (!nowith) 14217c478bd9Sstevel@tonic-gate fr->fr_ip.fi_secmsk |= $2;) 14227c478bd9Sstevel@tonic-gate $$ = 0; 1423ab25eeb5Syz155240 yyresetdict(); 14247c478bd9Sstevel@tonic-gate } 14257c478bd9Sstevel@tonic-gate ; 14267c478bd9Sstevel@tonic-gate 1427ab25eeb5Syz155240 setsecclass: 1428ab25eeb5Syz155240 IPFY_SECCLASS { yysetdict(ipv4secwords); } 1429ab25eeb5Syz155240 ; 1430ab25eeb5Syz155240 14317c478bd9Sstevel@tonic-gate ipv6hdr: 14327c478bd9Sstevel@tonic-gate IPFY_AH { $$ = getv6optbyvalue(IPPROTO_AH); } 14337c478bd9Sstevel@tonic-gate | IPFY_IPV6OPT_DSTOPTS { $$ = getv6optbyvalue(IPPROTO_DSTOPTS); } 14347c478bd9Sstevel@tonic-gate | IPFY_ESP { $$ = getv6optbyvalue(IPPROTO_ESP); } 14357c478bd9Sstevel@tonic-gate | IPFY_IPV6OPT_HOPOPTS { $$ = getv6optbyvalue(IPPROTO_HOPOPTS); } 14367c478bd9Sstevel@tonic-gate | IPFY_IPV6OPT_IPV6 { $$ = getv6optbyvalue(IPPROTO_IPV6); } 
14377c478bd9Sstevel@tonic-gate | IPFY_IPV6OPT_NONE { $$ = getv6optbyvalue(IPPROTO_NONE); } 14387c478bd9Sstevel@tonic-gate | IPFY_IPV6OPT_ROUTING { $$ = getv6optbyvalue(IPPROTO_ROUTING); } 14397c478bd9Sstevel@tonic-gate | IPFY_FRAG { $$ = getv6optbyvalue(IPPROTO_FRAGMENT); } 14407c478bd9Sstevel@tonic-gate ; 14417c478bd9Sstevel@tonic-gate 14427c478bd9Sstevel@tonic-gate level: IPFY_LEVEL { setsyslog(); } 14437c478bd9Sstevel@tonic-gate ; 14447c478bd9Sstevel@tonic-gate 14457c478bd9Sstevel@tonic-gate loglevel: 14467c478bd9Sstevel@tonic-gate priority { fr->fr_loglevel = LOG_LOCAL0|$1; } 14477c478bd9Sstevel@tonic-gate | facility '.' priority { fr->fr_loglevel = $1 | $3; } 14487c478bd9Sstevel@tonic-gate ; 14497c478bd9Sstevel@tonic-gate 14507c478bd9Sstevel@tonic-gate facility: 14517c478bd9Sstevel@tonic-gate IPFY_FAC_KERN { $$ = LOG_KERN; } 14527c478bd9Sstevel@tonic-gate | IPFY_FAC_USER { $$ = LOG_USER; } 14537c478bd9Sstevel@tonic-gate | IPFY_FAC_MAIL { $$ = LOG_MAIL; } 14547c478bd9Sstevel@tonic-gate | IPFY_FAC_DAEMON { $$ = LOG_DAEMON; } 14557c478bd9Sstevel@tonic-gate | IPFY_FAC_AUTH { $$ = LOG_AUTH; } 14567c478bd9Sstevel@tonic-gate | IPFY_FAC_SYSLOG { $$ = LOG_SYSLOG; } 14577c478bd9Sstevel@tonic-gate | IPFY_FAC_LPR { $$ = LOG_LPR; } 14587c478bd9Sstevel@tonic-gate | IPFY_FAC_NEWS { $$ = LOG_NEWS; } 14597c478bd9Sstevel@tonic-gate | IPFY_FAC_UUCP { $$ = LOG_UUCP; } 14607c478bd9Sstevel@tonic-gate | IPFY_FAC_CRON { $$ = LOG_CRON; } 14617c478bd9Sstevel@tonic-gate | IPFY_FAC_FTP { $$ = LOG_FTP; } 14627c478bd9Sstevel@tonic-gate | IPFY_FAC_AUTHPRIV { $$ = LOG_AUTHPRIV; } 14637c478bd9Sstevel@tonic-gate | IPFY_FAC_AUDIT { $$ = LOG_AUDIT; } 14647c478bd9Sstevel@tonic-gate | IPFY_FAC_LFMT { $$ = LOG_LFMT; } 14657c478bd9Sstevel@tonic-gate | IPFY_FAC_LOCAL0 { $$ = LOG_LOCAL0; } 14667c478bd9Sstevel@tonic-gate | IPFY_FAC_LOCAL1 { $$ = LOG_LOCAL1; } 14677c478bd9Sstevel@tonic-gate | IPFY_FAC_LOCAL2 { $$ = LOG_LOCAL2; } 14687c478bd9Sstevel@tonic-gate | IPFY_FAC_LOCAL3 { $$ = LOG_LOCAL3; } 
14697c478bd9Sstevel@tonic-gate | IPFY_FAC_LOCAL4 { $$ = LOG_LOCAL4; } 14707c478bd9Sstevel@tonic-gate | IPFY_FAC_LOCAL5 { $$ = LOG_LOCAL5; } 14717c478bd9Sstevel@tonic-gate | IPFY_FAC_LOCAL6 { $$ = LOG_LOCAL6; } 14727c478bd9Sstevel@tonic-gate | IPFY_FAC_LOCAL7 { $$ = LOG_LOCAL7; } 14737c478bd9Sstevel@tonic-gate | IPFY_FAC_SECURITY { $$ = LOG_SECURITY; } 14747c478bd9Sstevel@tonic-gate ; 14757c478bd9Sstevel@tonic-gate 14767c478bd9Sstevel@tonic-gate priority: 14777c478bd9Sstevel@tonic-gate IPFY_PRI_EMERG { $$ = LOG_EMERG; } 14787c478bd9Sstevel@tonic-gate | IPFY_PRI_ALERT { $$ = LOG_ALERT; } 14797c478bd9Sstevel@tonic-gate | IPFY_PRI_CRIT { $$ = LOG_CRIT; } 14807c478bd9Sstevel@tonic-gate | IPFY_PRI_ERR { $$ = LOG_ERR; } 14817c478bd9Sstevel@tonic-gate | IPFY_PRI_WARN { $$ = LOG_WARNING; } 14827c478bd9Sstevel@tonic-gate | IPFY_PRI_NOTICE { $$ = LOG_NOTICE; } 14837c478bd9Sstevel@tonic-gate | IPFY_PRI_INFO { $$ = LOG_INFO; } 14847c478bd9Sstevel@tonic-gate | IPFY_PRI_DEBUG { $$ = LOG_DEBUG; } 14857c478bd9Sstevel@tonic-gate ; 14867c478bd9Sstevel@tonic-gate 14877c478bd9Sstevel@tonic-gate compare: 1488ab25eeb5Syz155240 YY_CMP_EQ { $$ = FR_EQUAL; } 14897c478bd9Sstevel@tonic-gate | YY_CMP_NE { $$ = FR_NEQUAL; } 14907c478bd9Sstevel@tonic-gate | YY_CMP_LT { $$ = FR_LESST; } 14917c478bd9Sstevel@tonic-gate | YY_CMP_LE { $$ = FR_LESSTE; } 14927c478bd9Sstevel@tonic-gate | YY_CMP_GT { $$ = FR_GREATERT; } 14937c478bd9Sstevel@tonic-gate | YY_CMP_GE { $$ = FR_GREATERTE; } 14947c478bd9Sstevel@tonic-gate ; 14957c478bd9Sstevel@tonic-gate 14967c478bd9Sstevel@tonic-gate range: YY_RANGE_IN { $$ = FR_INRANGE; } 14977c478bd9Sstevel@tonic-gate | YY_RANGE_OUT { $$ = FR_OUTRANGE; } 14987c478bd9Sstevel@tonic-gate | ':' { $$ = FR_INCRANGE; } 14997c478bd9Sstevel@tonic-gate ; 15007c478bd9Sstevel@tonic-gate 15017c478bd9Sstevel@tonic-gate servicename: 15027c478bd9Sstevel@tonic-gate YY_STR { $$ = $1; } 15037c478bd9Sstevel@tonic-gate ; 15047c478bd9Sstevel@tonic-gate 15057c478bd9Sstevel@tonic-gate 
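/*
 * Interface name.  The "name:unit" form is accepted but only the
 * physical name is kept: a warning goes to stderr and the unit number is
 * dropped, so the rule applies to the physical interface.
 */
interfacename:	YY_STR			{ $$ = $1; }
	| YY_STR ':' YY_NUMBER
		{ $$ = $1;
		  fprintf(stderr, "%d: Logical interface %s:%d unsupported, "
			  "use the physical interface %s instead.\n",
			  yylineNum, $1, $3, $1);
		}
	;

name:	YY_STR	{ $$ = $1; }
	;

/*
 * First two octets of a dotted IPv4 address, stored in network byte
 * order.  Each octet is rejected only when it exceeds 255.
 * NOTE(review): there is no lower bound check; this assumes the lexer
 * never delivers a negative YY_NUMBER -- confirm.
 * NOTE(review): "return 0" leaves yyparse() with the value that
 * conventionally means success (YYABORT would return 1).  The visible
 * caller, ipf_parsesome(), discards the value, so rejection depends on
 * what yyerror() does -- confirm.
 */
ipv4_16:
	YY_NUMBER '.' YY_NUMBER
		{ if ($1 > 255 || $3 > 255) {
			yyerror("Invalid octet string for IP address");
			return 0;
		  }
		  /*
		   * Shift as unsigned 32-bit: with a signed int token value
		   * a first octet of 128 or more would overflow "<< 24".
		   */
		  $$.s_addr = ((u_32_t)$1 << 24) | ((u_32_t)$3 << 16);
		  $$.s_addr = htonl($$.s_addr);
		}
	;

/*
 * Adds the third octet.  "$$.s_addr |=" relies on the parser generator
 * preloading $$ with $1 (the ipv4_16 value) before the action runs.
 */
ipv4_24:
	ipv4_16 '.' YY_NUMBER
		{ if ($3 > 255) {
			yyerror("Invalid octet string for IP address");
			return 0;
		  }
		  $$.s_addr |= htonl($3 << 8);
		}
	;

/*
 * Full dotted quad.  The two and three octet forms are accepted too and
 * keep the remaining octets at zero.
 */
ipv4:	ipv4_24 '.' YY_NUMBER
		{ if ($3 > 255) {
			yyerror("Invalid octet string for IP address");
			return 0;
		  }
		  $$.s_addr |= htonl($3);
		}
	| ipv4_24
	| ipv4_16
	;

%%


/*
 * Main keyword table; ipf_parsefile() hands it to yysettab().
 */
static	struct	wordtab ipfwords[96] = {
	{ "age",			IPFY_AGE },
	{ "ah",				IPFY_AH },
	{ "all",			IPFY_ALL },
	{ "and",			IPFY_AND },
	{ "auth",			IPFY_AUTH },
	{ "bad",			IPFY_BAD },
	{ "bad-nat",			IPFY_BADNAT },
	{ "bad-src",			IPFY_BADSRC },
	{ "bcast",			IPFY_BROADCAST },
	{ "block",			IPFY_BLOCK },
	{ "body",			IPFY_BODY },
	{ "bpf-v4",			IPFY_BPFV4 },
#ifdef USE_INET6
	{ "bpf-v6",			IPFY_BPFV6 },
#endif
	{ "call",			IPFY_CALL },
	{ "code",			IPFY_ICMPCODE },
	{ "count",			IPFY_COUNT },
	{ "dup-to",			IPFY_DUPTO },
	{ "eq",				YY_CMP_EQ },
	{ "esp",			IPFY_ESP },
	{ "fastroute",			IPFY_FROUTE },
	{ "first",			IPFY_FIRST },
	{ "flags",			IPFY_FLAGS },
	{ "frag",			IPFY_FRAG },
	{ "frag-body",			IPFY_FRAGBODY },
	{ "frags",			IPFY_FRAGS },
	{ "from",			IPFY_FROM },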
/* ipfwords[] continues: remaining general rule keywords. */
	{ "ge",				YY_CMP_GE },
	{ "group",			IPFY_GROUP },
	{ "gt",				YY_CMP_GT },
	{ "head",			IPFY_HEAD },
	{ "icmp",			IPFY_ICMP },
	{ "icmp-type",			IPFY_ICMPTYPE },
	{ "in",				IPFY_IN },
	{ "in-via",			IPFY_INVIA },
	{ "intercept_loopback",		IPFY_SET_LOOPBACK },
	{ "ipopt",			IPFY_IPOPTS },
	{ "ipopts",			IPFY_IPOPTS },
	{ "keep",			IPFY_KEEP },
	{ "le",				YY_CMP_LE },
	{ "level",			IPFY_LEVEL },
	{ "limit",			IPFY_LIMIT },
	{ "log",			IPFY_LOG },
	{ "lowttl",			IPFY_LOWTTL },
	{ "lt",				YY_CMP_LT },
	{ "mask",			IPFY_MASK },
	{ "match-tag",			IPFY_MATCHTAG },
	{ "mbcast",			IPFY_MBCAST },
	{ "mcast",			IPFY_MULTICAST },
	{ "multicast",			IPFY_MULTICAST },
	{ "nat",			IPFY_NAT },
	{ "ne",				YY_CMP_NE },
	{ "net",			IPFY_NETWORK },
	{ "newisn",			IPFY_NEWISN },
	{ "no",				IPFY_NO },
	{ "no-icmp-err",		IPFY_NOICMPERR },
	{ "now",			IPFY_NOW },
	{ "not",			IPFY_NOT },
	{ "oow",			IPFY_OOW },
	{ "on",				IPFY_ON },
	{ "opt",			IPFY_OPT },
	{ "or-block",			IPFY_ORBLOCK },
	{ "out",			IPFY_OUT },
	{ "out-via",			IPFY_OUTVIA },
	{ "pass",			IPFY_PASS },
	{ "port",			IPFY_PORT },
	{ "pps",			IPFY_PPS },
	{ "preauth",			IPFY_PREAUTH },
	{ "proto",			IPFY_PROTO },
	{ "quick",			IPFY_QUICK },
	{ "reply-to",			IPFY_REPLY_TO },
	{ "return-icmp",		IPFY_RETICMP },
	{ "return-icmp-as-dest",	IPFY_RETICMPASDST },
	{ "return-rst",			IPFY_RETRST },
	{ "route-to",			IPFY_ROUTETO },
	{ "sec-class",			IPFY_SECCLASS },
	{ "set-tag",			IPFY_SETTAG },
	{ "set",			IPFY_SET },
	{ "skip",			IPFY_SKIP },
	{ "short",			IPFY_SHORT },
	{ "state",			IPFY_STATE },
	{ "state-age",			IPFY_AGE },
	{ "strict",			IPFY_STRICT },
	{ "sync",			IPFY_SYNC },
	{ "tcp",			IPFY_TCP },
	{ "tcp-udp",			IPFY_TCPUDP },
	{ "tos",			IPFY_TOS },
	{ "to",				IPFY_TO },
	{ "ttl",			IPFY_TTL },
	{ "udp",			IPFY_UDP },
	{ "v6hdrs",			IPF6_V6HDRS },
	{ "with",			IPFY_WITH },
	{ NULL,				0 }
};

/* Address keywords.  Where this table is selected is outside this part of the file. */
static	struct	wordtab	addrwords[4] = {
	{ "any",			IPFY_ANY },
	{ "hash",			IPFY_HASH },
	{ "pool",			IPFY_POOL },
	{ NULL,				0 }
};

/* Mask keywords.  Where this table is selected is outside this part of the file. */
static	struct	wordtab	maskwords[5] = {
	{ "broadcast",			IPFY_BROADCAST },
	{ "netmasked",			IPFY_NETMASKED },
	{ "network",			IPFY_NETWORK },
	{ "peer",			IPFY_PEER },
	{ NULL,				0 }
};

/* Symbolic ICMP type names; the tokens are consumed by the icmptype rule. */
static	struct	wordtab	icmptypewords[16] = {
	{ "echo",			IPFY_ICMPT_ECHO },
	{ "echorep",			IPFY_ICMPT_ECHOR },
	{ "inforeq",			IPFY_ICMPT_INFOREQ },
	{ "inforep",			IPFY_ICMPT_INFOREP },
	{ "maskrep",			IPFY_ICMPT_MASKREP },
	{ "maskreq",			IPFY_ICMPT_MASKREQ },
	{ "paramprob",			IPFY_ICMPT_PARAMP },
	{ "redir",			IPFY_ICMPT_REDIR },
	{ "unreach",			IPFY_ICMPT_UNR },
	{ "routerad",			IPFY_ICMPT_ROUTERAD },
	{ "routersol",			IPFY_ICMPT_ROUTERSOL },
	{ "squench",			IPFY_ICMPT_SQUENCH },
	{ "timest",			IPFY_ICMPT_TIMEST },
	{ "timestrep",			IPFY_ICMPT_TIMESTREP },
	{ "timex",			IPFY_ICMPT_TIMEX },
	{ NULL,				0 },
};

/* Symbolic ICMP code names; the tokens are consumed by the icmpcode rule. */
static	struct	wordtab	icmpcodewords[17] = {
	{ "cutoff-preced",		IPFY_ICMPC_CUTPRE },
	{ "filter-prohib",		IPFY_ICMPC_FLTPRO },
	{ "isolate",			IPFY_ICMPC_ISOLATE },
	{ "needfrag",			IPFY_ICMPC_NEEDF },
	{ "net-prohib",			IPFY_ICMPC_NETPRO },
	{ "net-tos",			IPFY_ICMPC_NETTOS },
	{ "host-preced",		IPFY_ICMPC_HSTPRE },
	{ "host-prohib",		IPFY_ICMPC_HSTPRO },
	{ "host-tos",			IPFY_ICMPC_HSTTOS },
	{ "host-unk",			IPFY_ICMPC_HSTUNK },
	{ "host-unr",			IPFY_ICMPC_HSTUNR },
	{ "net-unk",			IPFY_ICMPC_NETUNK },
	{ "net-unr",			IPFY_ICMPC_NETUNR },
	{ "port-unr",			IPFY_ICMPC_PORUNR },
	{ "proto-unr",			IPFY_ICMPC_PROUNR },
	{ "srcfail",			IPFY_ICMPC_SRCFAIL },
	{ NULL,				0 },
};

/* IPv4 option names; passed to yysetdict() by the ipopt rule. */
static	struct	wordtab	ipv4optwords[25] = {
	{ "addext",			IPFY_IPOPT_ADDEXT },
	{ "cipso",			IPFY_IPOPT_CIPSO },
	{ "dps",			IPFY_IPOPT_DPS },
	{ "e-sec",			IPFY_IPOPT_ESEC },
	{ "eip",			IPFY_IPOPT_EIP },
	{ "encode",			IPFY_IPOPT_ENCODE },
	{ "finn",			IPFY_IPOPT_FINN },
	{ "imitd",			IPFY_IPOPT_IMITD },
	{ "lsrr",			IPFY_IPOPT_LSRR },
	{ "mtup",			IPFY_IPOPT_MTUP },
	{ "mtur",			IPFY_IPOPT_MTUR },
	{ "nop",			IPFY_IPOPT_NOP },
	{ "nsapa",			IPFY_IPOPT_NSAPA },
	{ "rr",				IPFY_IPOPT_RR },
	{ "rtralrt",			IPFY_IPOPT_RTRALRT },
	{ "satid",			IPFY_IPOPT_SATID },
	{ "sdb",			IPFY_IPOPT_SDB },
	{ "sec",			IPFY_IPOPT_SEC },
	{ "ssrr",			IPFY_IPOPT_SSRR },
	{ "tr",				IPFY_IPOPT_TR },
	{ "ts",				IPFY_IPOPT_TS },
	{ "ump",			IPFY_IPOPT_UMP },
	{ "visa",			IPFY_IPOPT_VISA },
	{ "zsu",			IPFY_IPOPT_ZSU },
	{ NULL,				0 },
};

/* IPv4 security class names; passed to yysetdict() by the setsecclass rule. */
static	struct	wordtab	ipv4secwords[9] = {
	{ "confid",			IPFY_SEC_CONF },
	{ "reserv-1",			IPFY_SEC_RSV1 },
	{ "reserv-2",			IPFY_SEC_RSV2 },
	{ "reserv-3",			IPFY_SEC_RSV3 },
	{ "reserv-4",			IPFY_SEC_RSV4 },
	{ "secret",			IPFY_SEC_SEC },
	{ "topsecret",			IPFY_SEC_TS },
	{ "unclass",			IPFY_SEC_UNC },
	{ NULL,				0 },
};

/* IPv6 extension header names; passed to yysetdict() by the startv6hdrs rule. */
static	struct	wordtab	ipv6optwords[8] = {
	{ "dstopts",			IPFY_IPV6OPT_DSTOPTS },
	{ "esp",			IPFY_ESP },
	{ "frag",			IPFY_FRAG },
	{ "hopopts",			IPFY_IPV6OPT_HOPOPTS },
	{ "ipv6",			IPFY_IPV6OPT_IPV6 },
	{ "none",			IPFY_IPV6OPT_NONE },
	{ "routing",			IPFY_IPV6OPT_ROUTING },
	{ NULL,				0 },
};

/* Syslog facility and priority names (facilities first, then priorities). */
static	struct	wordtab	logwords[33] = {
	{ "kern",			IPFY_FAC_KERN },
	{ "user",			IPFY_FAC_USER },
	{ "mail",			IPFY_FAC_MAIL },
	{ "daemon",			IPFY_FAC_DAEMON },
	{ "auth",			IPFY_FAC_AUTH },
	{ "syslog",			IPFY_FAC_SYSLOG },
	{ "lpr",			IPFY_FAC_LPR },
	{ "news",			IPFY_FAC_NEWS },
	{ "uucp",			IPFY_FAC_UUCP },
	{ "cron",
IPFY_FAC_CRON },
	{ "ftp",			IPFY_FAC_FTP },
	{ "authpriv",			IPFY_FAC_AUTHPRIV },
	{ "audit",			IPFY_FAC_AUDIT },
	{ "logalert",			IPFY_FAC_LFMT },
	{ "console",			IPFY_FAC_CONSOLE },
	{ "security",			IPFY_FAC_SECURITY },
	{ "local0",			IPFY_FAC_LOCAL0 },
	{ "local1",			IPFY_FAC_LOCAL1 },
	{ "local2",			IPFY_FAC_LOCAL2 },
	{ "local3",			IPFY_FAC_LOCAL3 },
	{ "local4",			IPFY_FAC_LOCAL4 },
	{ "local5",			IPFY_FAC_LOCAL5 },
	{ "local6",			IPFY_FAC_LOCAL6 },
	{ "local7",			IPFY_FAC_LOCAL7 },
	{ "emerg",			IPFY_PRI_EMERG },
	{ "alert",			IPFY_PRI_ALERT },
	{ "crit",			IPFY_PRI_CRIT },
	{ "err",			IPFY_PRI_ERR },
	{ "warn",			IPFY_PRI_WARN },
	{ "notice",			IPFY_PRI_NOTICE },
	{ "info",			IPFY_PRI_INFO },
	{ "debug",			IPFY_PRI_DEBUG },
	{ NULL,				0 },
};




/*
 * Parse a whole rule file.
 *
 * fd, addfunc, iocfuncs: handed unchanged to ipf_parsesome().
 * filename: path opened for reading, or "-" to read stdin.
 *
 * Returns -1 when fopen() fails, otherwise 0.
 *
 * NOTE(review): 0 is returned whatever the parser did, because
 * ipf_parsesome() discards yyparse()'s result.  A caller can only rely
 * on this as "ruleset loaded" if yyerror() terminates the process --
 * confirm.
 * stdin is closed as well when "-" is used.
 */
int ipf_parsefile(fd, addfunc, iocfuncs, filename)
int fd;
addfunc_t addfunc;
ioctlfunc_t *iocfuncs;
char *filename;
{
	FILE *in = NULL;
	char *dbg;

	yylineNum = 1;
	yysettab(ipfwords);

	/* Parser tracing is controlled by the YYDEBUG environment variable. */
	dbg = getenv("YYDEBUG");
	yydebug = (dbg != NULL) ? atoi(dbg) : 0;

	if (strcmp(filename, "-") == 0) {
		in = stdin;
	} else {
		in = fopen(filename, "r");
		if (in == NULL) {
			fprintf(stderr, "fopen(%s) failed: %s\n", filename,
				STRERROR(errno));
			return -1;
		}
	}

	/* Keep parsing until ipf_parsesome() reports no more input. */
	while (ipf_parsesome(fd, addfunc, iocfuncs, in) == 1)
		continue;

	if (in != NULL)
		fclose(in);
	return 0;
}


/*
 * Run one yyparse() pass over fp.
 *
 * Records fd, addfunc and the first IPL_LOGMAX + 1 entries of iocfuncs
 * in file-scope state, then peeks one character to see whether any
 * input is left.
 *
 * Returns 0 when nothing was parsed (end of file), 1 after yyparse()
 * has run.
 *
 * NOTE(review): the copy loop writes ipfioctl[0..IPL_LOGMAX]; the array
 * is declared with IPL_LOGSIZE elements, so this assumes
 * IPL_LOGSIZE > IPL_LOGMAX -- confirm.
 * NOTE(review): ungetc() returns the pushed-back character on success
 * and EOF on failure, so "== 0" is true only when the next byte is NUL;
 * a push-back failure is not detected, and a NUL byte ends parsing here
 * with the 0 that also means end of file.
 * NOTE(review): yyparse()'s result is discarded; 1 is returned even if
 * the parse failed.
 */
int ipf_parsesome(fd, addfunc, iocfuncs, fp)
int fd;
addfunc_t addfunc;
ioctlfunc_t *iocfuncs;
FILE *fp;
{
	char *dbg;
	int slot;
	int c;

	ipffd = fd;
	for (slot = 0; slot <= IPL_LOGMAX; slot++)
		ipfioctl[slot] = iocfuncs[slot];
	ipfaddfunc = addfunc;

	if (feof(fp))
		return 0;
	c = fgetc(fp);
	if (c == EOF)
		return 0;
	if (ungetc(c, fp) == 0)
		return 0;
	if (feof(fp))
		return 0;

	dbg = getenv("YYDEBUG");
	yydebug = (dbg != NULL) ? atoi(dbg) : 0;

	yyin = fp;
	yyparse();
	return 1;
}


/*
 * Allocate a zeroed rule, append it to the list headed by frtop, and
 * make it the current rule (fr) and the head of the current chain
 * (frc).  nrules is reset to 1.
 *
 * NOTE(review): after a failed calloc() the code continues and
 * dereferences the NULL pointer unless yyerror() does not return --
 * confirm.
 */
static void newrule()
{
	frentry_t *entry;
	frentry_t *tail;

	entry = (frentry_t *)calloc(1, sizeof(frentry_t));
	if (entry == NULL)
		yyerror("sorry, out of memory");

	/* Find the last rule of the existing list, if there is one. */
	tail = frtop;
	while (tail != NULL && tail->fr_next != NULL)
		tail = tail->fr_next;
	if (tail != NULL)
		tail->fr_next = entry;
	if (frtop == NULL)
		frtop = entry;

	fr = entry;
	frc = entry;
	entry->fr_loglevel = 0xffff;
	entry->fr_isc = (void *)-1;
	entry->fr_logtag = FR_NOLOGTAG;
	entry->fr_type = FR_T_NONE;
	entry->fr_v = (use_inet6 != 0) ? 6 : 4;

	nrules = 1;
}


/*
 * Give every rule in the current chain that still has type FR_T_NONE
 * the type FR_T_IPF and a zeroed fripf_t payload.  A rule that already
 * has some other type only produces a message on stderr.  The global
 * fr is used as the iterator and is NULL afterwards.
 *
 * NOTE(review): a failed calloc() is followed by writes through
 * fr->fr_ipf unless yyerror() does not return -- confirm.
 */
static void setipftype()
{
	for (fr = frc; fr != NULL; fr = fr->fr_next) {
		if (fr->fr_type == FR_T_NONE) {
			fr->fr_type = FR_T_IPF;
			fr->fr_data = (void *)calloc(sizeof(fripf_t), 1);
			if (fr->fr_data == NULL)
				yyerror("sorry, out of memory");
			fr->fr_dsize = sizeof(fripf_t);
			fr->fr_ip.fi_v = frc->fr_v;
			fr->fr_mip.fi_v = 0xf;
			fr->fr_ipf->fri_sifpidx = -1;
			fr->fr_ipf->fri_difpidx = -1;
		}
		if (fr->fr_type != FR_T_IPF)
			fprintf(stderr, "IPF Type not set\n");
	}
}


/*
 * Duplicate rules at the end of the current chain.
 *
 * With nrules == 0 the last rule of the chain is copied once; otherwise
 * the first nrules rules starting at frc are copied, in order.  Each
 * copy gets its own fr_caddr buffer of fr_dsize bytes when the source
 * has one.  "added" is incremented per copy.
 *
 * Returns the first newly appended rule.
 *
 * NOTE(review): frc is dereferenced without a NULL check, and every
 * allocation failure is followed by a use of the pointer unless
 * yyerror() does not return -- confirm.
 */
static frentry_t *addrule()
{
	frentry_t *tail, *copy, *src;
	int remaining;

	tail = frc;
	while (tail->fr_next != NULL)
		tail = tail->fr_next;

	remaining = nrules;
	if (remaining == 0) {
		copy = (frentry_t *)calloc(sizeof(*copy), 1);
		if (copy == NULL)
			yyerror("sorry, out of memory");
		added++;
		tail->fr_next = copy;
		/* The copy picks up fr_next too; it is cleared below. */
		bcopy(tail, copy, sizeof(*copy));
		if (tail->fr_caddr != NULL) {
			copy->fr_caddr = malloc(copy->fr_dsize);
			if (copy->fr_caddr == NULL)
				yyerror("sorry, out of memory");
			bcopy(tail->fr_caddr, copy->fr_caddr, copy->fr_dsize);
		}
		copy->fr_next = NULL;
		return copy;
	}

	copy = tail;
	src = frc;
	while (remaining > 0) {
		copy->fr_next = (frentry_t *)calloc(sizeof(*copy), 1);
		if (copy->fr_next == NULL)
			yyerror("sorry, out of memory");
		added++;
		copy = copy->fr_next;
		bcopy(src, copy, sizeof(*copy));
		copy->fr_next = NULL;
		if (copy->fr_caddr != NULL) {
			copy->fr_caddr = malloc(copy->fr_dsize);
			if (copy->fr_caddr == NULL)
				yyerror("sorry, out of memory");
			bcopy(src->fr_caddr, copy->fr_caddr, copy->fr_dsize);
		}
		remaining--;
		src = src->fr_next;
	}

	return tail->fr_next;
}


/*
 * Resolve name, which may be one of the rule's interface names.
 *
 * Resets hashed, pooled and dynamic.  If name equals one of the four
 * frc->fr_ifnames entries, ifpflag becomes FRI_DYNAMIC, dynamic holds
 * the index and 0 is returned without touching addr.  Otherwise
 * gethost() fills addr.
 *
 * Returns 1 when gethost() succeeded and 0 in every other case, so 0
 * covers both "interface name" and "unknown name"; the two are told
 * apart by dynamic (-1 after a failed lookup).
 *
 * NOTE(review): the comparison is bounded by sizeof(fr_ifnames[i]);
 * this presumably expects each entry to be a char array -- confirm.
 */
static u_32_t lookuphost(name, addr)
char *name;
i6addr_t *addr;
{
	int idx;

	hashed = 0;
	pooled = 0;
	dynamic = -1;

	for (idx = 0; idx < 4; idx++) {
		if (strncmp(name, frc->fr_ifnames[idx],
			    sizeof(frc->fr_ifnames[idx])) != 0)
			continue;
		ifpflag = FRI_DYNAMIC;
		dynamic = idx;
		return 0;
	}

	if (gethost(name, addr, use_inet6) == -1) {
		fprintf(stderr, "unknown name \"%s\"\n", name);
		return 0;
	}
	return 1;
}


/*
 * dobpf: attach a BPF program to the rules of the current chain.  The
 * rest of this function lies beyond this excerpt; the code below is
 * reproduced as it stands, with review notes only.
 */
static void dobpf(v, phrase)
int v;
char *phrase;
{
#ifdef IPFILTER_BPF
	struct bpf_program bpf;
	struct pcap *p;
#endif
	fakebpf_t *fb;
	u_32_t l;
	char *s;
	int i;

	for (fr = frc; fr != NULL; fr = fr->fr_next) {
		if (fr->fr_type != FR_T_NONE) {
			fprintf(stderr, "cannot mix IPF and BPF matching\n");
			return;
		}
		fr->fr_v = v;
		fr->fr_type = FR_T_BPFOPC;

		/*
		 * NOTE(review): only two characters are compared, so this
		 * tests for a leading "0 and never looks at the 'x'.
		 */
		if (!strncmp(phrase, "\"0x", 2)) {
			phrase++;
			fb = malloc(sizeof(fakebpf_t));
			if (fb == NULL)
				yyerror("sorry, out of memory");

			/*
			 * NOTE(review): strtok() modifies phrase in place;
			 * realloc()'s result overwrites fb directly, and
			 * strtol() is called without an end pointer, so a
			 * token that is not a number is not detected.
			 */
			for (i = 0, s = strtok(phrase, " \r\n\t"); s != NULL;
			     s = strtok(NULL, " \r\n\t"), i++) {
				fb = realloc(fb, (i / 4 + 1) * sizeof(*fb));
				if (fb == NULL)
					yyerror("sorry, out of memory");
				l = (u_32_t)strtol(s, NULL, 0);
				switch (i & 3)
				{
				case 0 :
					fb[i / 4].fb_c = l & 0xffff;
					break;
				case 1 :
					fb[i / 4].fb_t = l & 0xff;
					break;
				case 2 :
					fb[i / 4].fb_f = l & 0xff;
					break;
				case 3 :
					fb[i / 4].fb_k = l;
					break;
				}
			}
			if ((i & 3) != 0) {
				fprintf(stderr,
					"Odd number of bytes in BPF code\n");
				exit(1);
			}
			/*
			 * NOTE(review): with no tokens at all i is 0 here, so
			 * fr_dsize still covers one fakebpf_t that was never
			 * written.
			 */
			i--;
			fr->fr_dsize = (i / 4 + 1) * sizeof(*fb);
			fr->fr_data = fb;
			return;
		}

#ifdef IPFILTER_BPF
		bzero((char *)&bpf, sizeof(bpf));
		p = pcap_open_dead(DLT_RAW, 1);
		if (!p) {
			fprintf(stderr, "pcap_open_dead failed\n");
			return;
		}

		if (pcap_compile(p, &bpf, phrase, 1, 0xffffffff)) {
			pcap_perror(p, "ipf");
			pcap_close(p);
			fprintf(stderr, "pcap parsing failed (%s)\n", phrase);
			return;
		}
		pcap_close(p);
20617c478bd9Sstevel@tonic-gate 20627c478bd9Sstevel@tonic-gate fr->fr_dsize = bpf.bf_len * sizeof(struct bpf_insn); 2063ab25eeb5Syz155240 fr->fr_data = malloc(fr->fr_dsize); 20645e985db5Sschuster if (fr->fr_data == NULL) 20655e985db5Sschuster yyerror("sorry, out of memory"); 2066ab25eeb5Syz155240 bcopy((char *)bpf.bf_insns, fr->fr_data, fr->fr_dsize); 20677c478bd9Sstevel@tonic-gate if (!bpf_validate(fr->fr_data, bpf.bf_len)) { 20687c478bd9Sstevel@tonic-gate fprintf(stderr, "BPF validation failed\n"); 20697c478bd9Sstevel@tonic-gate return; 20707c478bd9Sstevel@tonic-gate } 2071ab25eeb5Syz155240 #endif 20727c478bd9Sstevel@tonic-gate } 20737c478bd9Sstevel@tonic-gate 2074ab25eeb5Syz155240 #ifdef IPFILTER_BPF 20757c478bd9Sstevel@tonic-gate if (opts & OPT_DEBUG) 20767c478bd9Sstevel@tonic-gate bpf_dump(&bpf, 0); 20777c478bd9Sstevel@tonic-gate #else 2078ab25eeb5Syz155240 fprintf(stderr, "BPF filter expressions not supported\n"); 2079ab25eeb5Syz155240 exit(1); 20807c478bd9Sstevel@tonic-gate #endif 20817c478bd9Sstevel@tonic-gate } 20827c478bd9Sstevel@tonic-gate 20837c478bd9Sstevel@tonic-gate 20847c478bd9Sstevel@tonic-gate static void resetaddr() 20857c478bd9Sstevel@tonic-gate { 20867c478bd9Sstevel@tonic-gate hashed = 0; 20877c478bd9Sstevel@tonic-gate pooled = 0; 20887c478bd9Sstevel@tonic-gate dynamic = -1; 20897c478bd9Sstevel@tonic-gate } 20907c478bd9Sstevel@tonic-gate 20917c478bd9Sstevel@tonic-gate 20927c478bd9Sstevel@tonic-gate static alist_t *newalist(ptr) 20937c478bd9Sstevel@tonic-gate alist_t *ptr; 20947c478bd9Sstevel@tonic-gate { 20957c478bd9Sstevel@tonic-gate alist_t *al; 20967c478bd9Sstevel@tonic-gate 20977c478bd9Sstevel@tonic-gate al = malloc(sizeof(*al)); 20987c478bd9Sstevel@tonic-gate if (al == NULL) 20997c478bd9Sstevel@tonic-gate return NULL; 21007c478bd9Sstevel@tonic-gate al->al_not = 0; 21017c478bd9Sstevel@tonic-gate al->al_next = ptr; 21027c478bd9Sstevel@tonic-gate return al; 21037c478bd9Sstevel@tonic-gate } 21047c478bd9Sstevel@tonic-gate 
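/*
 * Build a temporary ip_pool_node_t list mirroring the address list, hand
 * it to load_pool() as an IPL_LOGIPF pool and return load_pool()'s result.
 * The temporary list is freed before returning.  Returns 0 for an empty
 * list or when the first node cannot be allocated.
 *
 * NOTE(review): if yyerror() returns after a failed node allocation, the
 * loop ends (n becomes NULL) and a truncated pool is loaded - confirm that
 * yyerror() terminates.
 */
static int makepool(list)
alist_t *list;
{
	ip_pool_node_t *n, *top;
	ip_pool_t pool;
	alist_t *a;
	int num;

	if (list == NULL)
		return 0;
	top = calloc(1, sizeof(*top));
	if (top == NULL)
		return 0;

	for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) {
		n->ipn_addr.adf_family = a->al_family;
		n->ipn_mask.adf_family = a->al_family;
		bcopy((void *)&a->al_i6addr,
		      (void *)&n->ipn_addr.adf_addr,
		      sizeof(n->ipn_addr.adf_addr));
		bcopy((void *)&a->al_i6mask,
		      (void *)&n->ipn_mask.adf_addr,
		      sizeof(n->ipn_mask.adf_addr));
		n->ipn_info = a->al_not;
		/* allocate the next node only when another entry follows */
		if (a->al_next != NULL) {
			n->ipn_next = calloc(1, sizeof(*n));
			if (n->ipn_next == NULL)
				yyerror("sorry, out of memory");
			n = n->ipn_next;
		}
	}

	bzero((char *)&pool, sizeof(pool));
	pool.ipo_unit = IPL_LOGIPF;
	pool.ipo_list = top;
	num = load_pool(&pool, ipfioctl[IPL_LOGLOOKUP]);

	while ((n = top) != NULL) {
		top = n->ipn_next;
		free(n);
	}
	return num;
}


/*
 * Build a temporary iphtent_t list mirroring the address list and load it
 * with load_hash() as an unnamed IPHASH_LOOKUP table for IPL_LOGIPF.
 * Returns the number parsed from iph_name after a successful load, and 0
 * for an empty list, an allocation failure of the first entry, a failed
 * load, or a name that does not parse as a number.
 *
 * NOTE(review): as in makepool(), a failed entry allocation truncates the
 * table unless yyerror() terminates - confirm.
 */
static u_int makehash(list)
alist_t *list;
{
	iphtent_t *n, *top;
	iphtable_t iph;
	alist_t *a;
	u_int num = 0;	/* u_int to match both "%u" and the return type */

	if (list == NULL)
		return 0;
	top = calloc(1, sizeof(*top));
	if (top == NULL)
		return 0;

	for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) {
		n->ipe_family = a->al_family;
		bcopy((void *)&a->al_i6addr,
		      (void *)&n->ipe_addr,
		      sizeof(n->ipe_addr));
		bcopy((void *)&a->al_i6mask,
		      (void *)&n->ipe_mask,
		      sizeof(n->ipe_mask));
		n->ipe_value = 0;
		if (a->al_next != NULL) {
			n->ipe_next = calloc(1, sizeof(*n));
			if (n->ipe_next == NULL)
				yyerror("sorry, out of memory");
			n = n->ipe_next;
		}
	}

	bzero((char *)&iph, sizeof(iph));
	iph.iph_unit = IPL_LOGIPF;
	iph.iph_type = IPHASH_LOOKUP;
	*iph.iph_name = '\0';

	if (load_hash(&iph, top, ipfioctl[IPL_LOGLOOKUP]) == 0) {
		/*
		 * The name starts out empty; if it is still not a number
		 * after the load, return 0 instead of an indeterminate
		 * value that a rule would then use as its table reference.
		 */
		if (sscanf(iph.iph_name, "%u", &num) != 1)
			num = 0;
	}

	while ((n = top) != NULL) {
		top = n->ipe_next;
		free(n);
	}
	return num;
}


/*
 * Submit one parsed rule (ptr, a frentry_t) through ioctlfunc on fd.
 * Depending on opts the rule's statistics are zeroed (OPT_ZERORULEST),
 * the rule is removed (OPT_REMOVE), or it is added/inserted; OPT_INACTIVE
 * selects the SIOC*IFR commands instead of the SIOC*AFR ones.  With
 * OPT_DONOTHING the descriptor is replaced by -1.
 *
 * A non-zero fr_hits selects the insert command and is then decremented;
 * presumably it carries the insert position at this point - verify
 * against the grammar.
 */
void ipf_addrule(fd, ioctlfunc, ptr)
int fd;
ioctlfunc_t ioctlfunc;
void *ptr;
{
	ioctlcmd_t add, del;
	frentry_t *fr;
	ipfobj_t obj;

	fr = ptr;
	/*
	 * The rule is dereferenced unconditionally further down, so a
	 * NULL pointer is rejected once here rather than half-checked.
	 */
	if (fr == NULL)
		return;
	add = 0;
	del = 0;

	bzero((char *)&obj, sizeof(obj));
	obj.ipfo_rev = IPFILTER_VERSION;
	obj.ipfo_size = sizeof(*fr);
	obj.ipfo_type = IPFOBJ_FRENTRY;
	obj.ipfo_ptr = ptr;

	if ((opts & OPT_DONOTHING) != 0)
		fd = -1;

	if (opts & OPT_ZERORULEST) {
		add = SIOCZRLST;
	} else if (opts & OPT_INACTIVE) {
		add = (u_int)fr->fr_hits ? SIOCINIFR :
					   SIOCADIFR;
		del = SIOCRMIFR;
	} else {
		add = (u_int)fr->fr_hits ? SIOCINAFR :
					   SIOCADAFR;
		del = SIOCRMAFR;
	}

	if (opts & OPT_OUTQUE)
		fr->fr_flags |= FR_OUTQUE;
	if (fr->fr_hits)
		fr->fr_hits--;
	if (opts & OPT_VERBOSE)
		printfr(fr, ioctlfunc);

	if (opts & OPT_DEBUG) {
		binprint(fr, sizeof(*fr));
		if (fr->fr_data != NULL)
			binprint(fr->fr_data, fr->fr_dsize);
	}

	if ((opts & OPT_ZERORULEST) != 0) {
		if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
			if ((opts & OPT_DONOTHING) == 0) {
				fprintf(stderr, "%d:", yylineNum);
				perror("ioctl(SIOCZRLST)");
			}
		} else {
#ifdef	USE_QUAD_T
			printf("hits %qd bytes %qd ",
				(long long)fr->fr_hits,
				(long long)fr->fr_bytes);
#else
			printf("hits %ld bytes %ld ",
				fr->fr_hits, fr->fr_bytes);
#endif
			printfr(fr, ioctlfunc);
		}
	} else if ((opts & OPT_REMOVE) != 0) {
		if ((*ioctlfunc)(fd, del, (void *)&obj) == -1) {
			/*
			 * Report the failure unless running in do-nothing
			 * mode, as the other two branches do.  The test was
			 * inverted, so a rule that could not be removed was
			 * left in place without any diagnostic.
			 */
			if ((opts & OPT_DONOTHING) == 0) {
				fprintf(stderr, "%d:", yylineNum);
				perror("ioctl(delete rule)");
			}
		}
	} else {
		if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
			if (!(opts & OPT_DONOTHING)) {
				fprintf(stderr, "%d:", yylineNum);
				perror("ioctl(add/insert rule)");
			}
		}
	}
}

/*
 * Switch the lexer to the syslog keyword dictionary (logwords) and set
 * yybreakondot.
 */
static void setsyslog()
{
	yysetdict(logwords);
	yybreakondot = 1;
}


/*
 * Undo setsyslog(): reset the lexer dictionary and clear yybreakondot.
 */
static void unsetsyslog()
{
	yyresetdict();
	yybreakondot = 0;
}


/*
 * Inherit parse-relevant defaults for "fr" from the rule on the frold
 * list whose group head name matches fr's group.  Does nothing when no
 * such rule exists or when the two rules are not both of IPF type.
 */
static void fillgroup(fr)
frentry_t *fr;
{
	frentry_t *f;

	for (f = frold; f != NULL; f = f->fr_next)
		if (strncmp(f->fr_grhead, fr->fr_group, FR_GROUPLEN) == 0)
			break;
	if (f == NULL)
		return;

	/*
	 * Only copy down matching fields if the rules are of the same type
	 * and are of ipf type.  The only fields that are copied are those
	 * that impact the rule parsing itself, eg. need for knowing what the
	 * protocol should be for rules with port comparisons in them.
	 */
	if (f->fr_type != fr->fr_type || f->fr_type != FR_T_IPF)
		return;

	/* each field is inherited only where the new rule left it unset */
	if (fr->fr_v == 0 && f->fr_v != 0)
		fr->fr_v = f->fr_v;

	if (fr->fr_mproto == 0 && f->fr_mproto != 0)
		fr->fr_mproto = f->fr_mproto;
	if (fr->fr_proto == 0 && f->fr_proto != 0)
		fr->fr_proto = f->fr_proto;

	if ((fr->fr_mproto == 0) && ((fr->fr_flx & FI_TCPUDP) == 0) &&
	    ((f->fr_flx & FI_TCPUDP) != 0))
		fr->fr_flx |= FI_TCPUDP;
}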