authorngie <ngie@FreeBSD.org>2015-10-05 03:25:30 +0000
committerngie <ngie@FreeBSD.org>2015-10-05 03:25:30 +0000
commit115d008392113efc6f844baa7cc407e9eaae63db (patch)
tree6cb521ad03ca5b254c0873d2b9f27a92482207c3 /contrib/ipfilter/tools/ipf_y.y
parenta9fe170df1126a5dccd5dea163934fb04a95b5b8 (diff)
Remove some paths preparing for a re-copy from head
Diffstat (limited to 'contrib/ipfilter/tools/ipf_y.y')
-rw-r--r--contrib/ipfilter/tools/ipf_y.y2749
1 files changed, 0 insertions, 2749 deletions
diff --git a/contrib/ipfilter/tools/ipf_y.y b/contrib/ipfilter/tools/ipf_y.y
deleted file mode 100644
index e0dc847..0000000
--- a/contrib/ipfilter/tools/ipf_y.y
+++ /dev/null
@@ -1,2749 +0,0 @@
-/* $FreeBSD$ */
-
-/*
- * Copyright (C) 2012 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-%{
-#include "ipf.h"
-#include <sys/ioctl.h>
-#include <syslog.h>
-#ifdef IPFILTER_BPF
-# include <pcap.h>
-#endif
-#include "netinet/ip_pool.h"
-#include "netinet/ip_htable.h"
-#include "netinet/ipl.h"
-#include "ipf_l.h"
-
-#define YYDEBUG 1
-#define DOALL(x) for (fr = frc; fr != NULL; fr = fr->fr_next) { x }
-#define DOREM(x) for (; fr != NULL; fr = fr->fr_next) { x }
-
-extern void yyerror __P((char *));
-extern int yyparse __P((void));
-extern int yylex __P((void));
-extern int yydebug;
-extern FILE *yyin;
-extern int yylineNum;
-
-static int addname __P((frentry_t **, char *));
-static frentry_t *addrule __P((void));
-static frentry_t *allocfr __P((void));
-static void build_dstaddr_af __P((frentry_t *, void *));
-static void build_srcaddr_af __P((frentry_t *, void *));
-static void dobpf __P((int, char *));
-static void doipfexpr __P((char *));
-static void do_tuneint __P((char *, int));
-static void do_tunestr __P((char *, char *));
-static void fillgroup __P((frentry_t *));
-static int lookuphost __P((char *, i6addr_t *));
-static u_int makehash __P((struct alist_s *));
-static int makepool __P((struct alist_s *));
-static struct alist_s *newalist __P((struct alist_s *));
-static void newrule __P((void));
-static void resetaddr __P((void));
-static void setgroup __P((frentry_t **, char *));
-static void setgrhead __P((frentry_t **, char *));
-static void seticmphead __P((frentry_t **, char *));
-static void setifname __P((frentry_t **, int, char *));
-static void setipftype __P((void));
-static void setsyslog __P((void));
-static void unsetsyslog __P((void));
-
-frentry_t *fr = NULL, *frc = NULL, *frtop = NULL, *frold = NULL;
-
-static int ifpflag = 0;
-static int nowith = 0;
-static int dynamic = -1;
-static int pooled = 0;
-static int hashed = 0;
-static int nrules = 0;
-static int newlist = 0;
-static int added = 0;
-static int ipffd = -1;
-static int *yycont = NULL;
-static ioctlfunc_t ipfioctls[IPL_LOGSIZE];
-static addfunc_t ipfaddfunc = NULL;
-
-%}
-%union {
- char *str;
- u_32_t num;
- frentry_t fr;
- frtuc_t *frt;
- struct alist_s *alist;
- u_short port;
- struct in_addr ip4;
- struct {
- u_short p1;
- u_short p2;
- int pc;
- } pc;
- struct ipp_s {
- int type;
- int ifpos;
- int f;
- int v;
- int lif;
- union i6addr a;
- union i6addr m;
- char *name;
- } ipp;
- struct {
- i6addr_t adr;
- int f;
- } adr;
- i6addr_t ip6;
- struct {
- char *if1;
- char *if2;
- } ifs;
- char gname[FR_GROUPLEN];
-};
-
-%type <port> portnum
-%type <num> facility priority icmpcode seclevel secname icmptype
-%type <num> opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr
-%type <num> portc porteq ipmask maskopts
-%type <ip4> ipv4 ipv4_16 ipv4_24
-%type <adr> hostname
-%type <ipp> addr ipaddr
-%type <str> servicename name interfacename groupname
-%type <pc> portrange portcomp
-%type <alist> addrlist poollist
-%type <ifs> onname
-
-%token <num> YY_NUMBER YY_HEX
-%token <str> YY_STR
-%token YY_COMMENT
-%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
-%token YY_RANGE_OUT YY_RANGE_IN
-%token <ip6> YY_IPV6
-
-%token IPFY_SET
-%token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL IPFY_NOMATCH
-%token IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST
-%token IPFY_IN IPFY_OUT
-%token IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA
-%token IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO IPFY_ROUTETO
-%token IPFY_TOS IPFY_TTL IPFY_PROTO IPFY_INET IPFY_INET6
-%token IPFY_HEAD IPFY_GROUP
-%token IPFY_AUTH IPFY_PREAUTH
-%token IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK IPFY_L5AS
-%token IPFY_LOGTAG IPFY_MATCHTAG IPFY_SETTAG IPFY_SKIP IPFY_DECAPS
-%token IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPFV4 IPFY_BPFV6 IPFY_POOL IPFY_HASH
-%token IPFY_IPFEXPR IPFY_PPS IPFY_FAMILY IPFY_DSTLIST
-%token IPFY_ESP IPFY_AH
-%token IPFY_WITH IPFY_AND IPFY_NOT IPFY_NO IPFY_OPT
-%token IPFY_TCPUDP IPFY_TCP IPFY_UDP
-%token IPFY_FLAGS IPFY_MULTICAST
-%token IPFY_MASK IPFY_BROADCAST IPFY_NETWORK IPFY_NETMASKED IPFY_PEER
-%token IPFY_RPC IPFY_PORT
-%token IPFY_NOW IPFY_COMMENT IPFY_RULETTL
-%token IPFY_ICMP IPFY_ICMPTYPE IPFY_ICMPCODE
-%token IPFY_IPOPTS IPFY_SHORT IPFY_NAT IPFY_BADSRC IPFY_LOWTTL IPFY_FRAG
-%token IPFY_MBCAST IPFY_BAD IPFY_BADNAT IPFY_OOW IPFY_NEWISN IPFY_NOICMPERR
-%token IPFY_KEEP IPFY_STATE IPFY_FRAGS IPFY_LIMIT IPFY_STRICT IPFY_AGE
-%token IPFY_SYNC IPFY_FRAGBODY IPFY_ICMPHEAD IPFY_NOLOG IPFY_LOOSE
-%token IPFY_MAX_SRCS IPFY_MAX_PER_SRC
-%token IPFY_IPOPT_NOP IPFY_IPOPT_RR IPFY_IPOPT_ZSU IPFY_IPOPT_MTUP
-%token IPFY_IPOPT_MTUR IPFY_IPOPT_ENCODE IPFY_IPOPT_TS IPFY_IPOPT_TR
-%token IPFY_IPOPT_SEC IPFY_IPOPT_LSRR IPFY_IPOPT_ESEC IPFY_IPOPT_CIPSO
-%token IPFY_IPOPT_SATID IPFY_IPOPT_SSRR IPFY_IPOPT_ADDEXT IPFY_IPOPT_VISA
-%token IPFY_IPOPT_IMITD IPFY_IPOPT_EIP IPFY_IPOPT_FINN IPFY_IPOPT_DPS
-%token IPFY_IPOPT_SDB IPFY_IPOPT_NSAPA IPFY_IPOPT_RTRALRT IPFY_IPOPT_UMP
-%token IPFY_SECCLASS IPFY_SEC_UNC IPFY_SEC_CONF IPFY_SEC_RSV1 IPFY_SEC_RSV2
-%token IPFY_SEC_RSV4 IPFY_SEC_SEC IPFY_SEC_TS IPFY_SEC_RSV3 IPFY_DOI
-
-%token IPFY_V6HDRS IPFY_IPV6OPT IPFY_IPV6OPT_DSTOPTS IPFY_IPV6OPT_HOPOPTS
-%token IPFY_IPV6OPT_IPV6 IPFY_IPV6OPT_NONE IPFY_IPV6OPT_ROUTING IPFY_V6HDR
-%token IPFY_IPV6OPT_MOBILITY IPFY_IPV6OPT_ESP IPFY_IPV6OPT_FRAG
-
-%token IPFY_ICMPT_UNR IPFY_ICMPT_ECHO IPFY_ICMPT_ECHOR IPFY_ICMPT_SQUENCH
-%token IPFY_ICMPT_REDIR IPFY_ICMPT_TIMEX IPFY_ICMPT_PARAMP IPFY_ICMPT_TIMEST
-%token IPFY_ICMPT_TIMESTREP IPFY_ICMPT_INFOREQ IPFY_ICMPT_INFOREP
-%token IPFY_ICMPT_MASKREQ IPFY_ICMPT_MASKREP IPFY_ICMPT_ROUTERAD
-%token IPFY_ICMPT_ROUTERSOL
-
-%token IPFY_ICMPC_NETUNR IPFY_ICMPC_HSTUNR IPFY_ICMPC_PROUNR IPFY_ICMPC_PORUNR
-%token IPFY_ICMPC_NEEDF IPFY_ICMPC_SRCFAIL IPFY_ICMPC_NETUNK IPFY_ICMPC_HSTUNK
-%token IPFY_ICMPC_ISOLATE IPFY_ICMPC_NETPRO IPFY_ICMPC_HSTPRO
-%token IPFY_ICMPC_NETTOS IPFY_ICMPC_HSTTOS IPFY_ICMPC_FLTPRO IPFY_ICMPC_HSTPRE
-%token IPFY_ICMPC_CUTPRE
-
-%token IPFY_FAC_KERN IPFY_FAC_USER IPFY_FAC_MAIL IPFY_FAC_DAEMON IPFY_FAC_AUTH
-%token IPFY_FAC_SYSLOG IPFY_FAC_LPR IPFY_FAC_NEWS IPFY_FAC_UUCP IPFY_FAC_CRON
-%token IPFY_FAC_LOCAL0 IPFY_FAC_LOCAL1 IPFY_FAC_LOCAL2 IPFY_FAC_LOCAL3
-%token IPFY_FAC_LOCAL4 IPFY_FAC_LOCAL5 IPFY_FAC_LOCAL6 IPFY_FAC_LOCAL7
-%token IPFY_FAC_SECURITY IPFY_FAC_FTP IPFY_FAC_AUTHPRIV IPFY_FAC_AUDIT
-%token IPFY_FAC_LFMT IPFY_FAC_CONSOLE
-
-%token IPFY_PRI_EMERG IPFY_PRI_ALERT IPFY_PRI_CRIT IPFY_PRI_ERR IPFY_PRI_WARN
-%token IPFY_PRI_NOTICE IPFY_PRI_INFO IPFY_PRI_DEBUG
-%%
-file: settings rules
- | rules
- ;
-
-settings:
- YY_COMMENT
- | setting
- | settings setting
- ;
-
-rules: line
- | assign
- | rules line
- | rules assign
- ;
-
-setting:
- IPFY_SET YY_STR YY_NUMBER ';' { do_tuneint($2, $3); }
- | IPFY_SET YY_STR YY_HEX ';' { do_tuneint($2, $3); }
- | IPFY_SET YY_STR YY_STR ';' { do_tunestr($2, $3); }
- ;
-
-line: rule { while ((fr = frtop) != NULL) {
- frtop = fr->fr_next;
- fr->fr_next = NULL;
- if ((fr->fr_type == FR_T_IPF) &&
- (fr->fr_ip.fi_v == 0))
- fr->fr_mip.fi_v = 0;
- /* XXX validate ? */
- (*ipfaddfunc)(ipffd, ipfioctls[IPL_LOGIPF], fr);
- fr->fr_next = frold;
- frold = fr;
- }
- resetlexer();
- }
- | YY_COMMENT
- ;
-
-xx: { newrule(); }
- ;
-
-assign: YY_STR assigning YY_STR ';' { set_variable($1, $3);
- resetlexer();
- free($1);
- free($3);
- yyvarnext = 0;
- }
- ;
-
-assigning:
- '=' { yyvarnext = 1; }
- ;
-
-rule: inrule eol
- | outrule eol
- ;
-
-eol: | ';'
- ;
-
-inrule:
- rulehead markin inopts rulemain ruletail intag ruletail2
- ;
-
-outrule:
- rulehead markout outopts rulemain ruletail outtag ruletail2
- ;
-
-rulehead:
- xx collection action
- | xx insert collection action
- ;
-
-markin: IPFY_IN { fr->fr_flags |= FR_INQUE; }
- ;
-
-markout:
- IPFY_OUT { fr->fr_flags |= FR_OUTQUE; }
- ;
-
-rulemain:
- ipfrule
- | bpfrule
- | exprrule
- ;
-
-ipfrule:
- family tos ttl proto ip
- ;
-
-family: | IPFY_FAMILY IPFY_INET { if (use_inet6 == 1) {
- YYERROR;
- } else {
- frc->fr_family = AF_INET;
- }
- }
- | IPFY_INET { if (use_inet6 == 1) {
- YYERROR;
- } else {
- frc->fr_family = AF_INET;
- }
- }
- | IPFY_FAMILY IPFY_INET6 { if (use_inet6 == -1) {
- YYERROR;
- } else {
- frc->fr_family = AF_INET6;
- }
- }
- | IPFY_INET6 { if (use_inet6 == -1) {
- YYERROR;
- } else {
- frc->fr_family = AF_INET6;
- }
- }
- ;
-
-bpfrule:
- IPFY_BPFV4 '{' YY_STR '}' { dobpf(4, $3); free($3); }
- | IPFY_BPFV6 '{' YY_STR '}' { dobpf(6, $3); free($3); }
- ;
-
-exprrule:
- IPFY_IPFEXPR '{' YY_STR '}' { doipfexpr($3); }
- ;
-
-ruletail:
- with keep head group
- ;
-
-ruletail2:
- pps age new rulettl comment
- ;
-
-intag: settagin matchtagin
- ;
-
-outtag: settagout matchtagout
- ;
-
-insert:
- '@' YY_NUMBER { fr->fr_hits = (U_QUAD_T)$2 + 1; }
- ;
-
-collection:
- | YY_NUMBER { fr->fr_collect = $1; }
- ;
-
-action: block
- | IPFY_PASS { fr->fr_flags |= FR_PASS; }
- | IPFY_NOMATCH { fr->fr_flags |= FR_NOMATCH; }
- | log
- | IPFY_COUNT { fr->fr_flags |= FR_ACCOUNT; }
- | decaps { fr->fr_flags |= FR_DECAPSULATE; }
- | auth
- | IPFY_SKIP YY_NUMBER { fr->fr_flags |= FR_SKIP;
- fr->fr_arg = $2; }
- | IPFY_CALL func
- | IPFY_CALL IPFY_NOW func { fr->fr_flags |= FR_CALLNOW; }
- ;
-
-block: blocked
- | blocked blockreturn
- ;
-
-blocked:
- IPFY_BLOCK { fr->fr_flags = FR_BLOCK; }
- ;
-blockreturn:
- IPFY_RETICMP { fr->fr_flags |= FR_RETICMP; }
- | IPFY_RETICMP returncode { fr->fr_flags |= FR_RETICMP; }
- | IPFY_RETICMPASDST { fr->fr_flags |= FR_FAKEICMP; }
- | IPFY_RETICMPASDST returncode { fr->fr_flags |= FR_FAKEICMP; }
- | IPFY_RETRST { fr->fr_flags |= FR_RETRST; }
- ;
-
-decaps: IPFY_DECAPS
- | IPFY_DECAPS IPFY_L5AS '(' YY_STR ')'
- { fr->fr_icode = atoi($4); }
- ;
-
-log: IPFY_LOG { fr->fr_flags |= FR_LOG; }
- | IPFY_LOG logoptions { fr->fr_flags |= FR_LOG; }
- ;
-
-auth: IPFY_AUTH { fr->fr_flags |= FR_AUTH; }
- | IPFY_AUTH blockreturn { fr->fr_flags |= FR_AUTH;}
- | IPFY_PREAUTH { fr->fr_flags |= FR_PREAUTH; }
- ;
-
-func: YY_STR '/' YY_NUMBER
- { fr->fr_func = nametokva($1, ipfioctls[IPL_LOGIPF]);
- fr->fr_arg = $3;
- free($1);
- }
- ;
-
-inopts:
- | inopts inopt
- ;
-
-inopt:
- logopt
- | quick
- | on
- | dup
- | froute
- | proute
- | replyto
- ;
-
-outopts:
- | outopts outopt
- ;
-
-outopt:
- logopt
- | quick
- | on
- | dup
- | proute
- | froute
- | replyto
- ;
-
-tos: | settos YY_NUMBER { DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
- | settos YY_HEX { DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
- | settos lstart toslist lend
- ;
-
-settos: IPFY_TOS { setipftype(); }
- ;
-
-toslist:
- YY_NUMBER { DOALL(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
- | YY_HEX { DOREM(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
- | toslist lmore YY_NUMBER
- { DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
- | toslist lmore YY_HEX
- { DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
- ;
-
-ttl: | setttl YY_NUMBER
- { DOALL(fr->fr_ttl = $2; fr->fr_mttl = 0xff;) }
- | setttl lstart ttllist lend
- ;
-
-lstart: '{' { newlist = 1; fr = frc; added = 0; }
- ;
-
-lend: '}' { nrules += added; }
- ;
-
-lmore: lanother { if (newlist == 1) {
- newlist = 0;
- }
- fr = addrule();
- if (yycont != NULL)
- *yycont = 1;
- }
- ;
-
-lanother:
- | ','
- ;
-
-setttl: IPFY_TTL { setipftype(); }
- ;
-
-ttllist:
- YY_NUMBER { DOREM(fr->fr_ttl = $1; fr->fr_mttl = 0xff;) }
- | ttllist lmore YY_NUMBER
- { DOREM(fr->fr_ttl = $3; fr->fr_mttl = 0xff;) }
- ;
-
-proto: | protox protocol { yyresetdict(); }
- ;
-
-protox: IPFY_PROTO { setipftype();
- fr = frc;
- yysetdict(NULL); }
- ;
-
-ip: srcdst flags icmp
- ;
-
-group: | IPFY_GROUP groupname { DOALL(setgroup(&fr, $2); \
- fillgroup(fr););
- free($2);
- }
- ;
-
-head: | IPFY_HEAD groupname { DOALL(setgrhead(&fr, $2););
- free($2);
- }
- ;
-
-groupname:
- YY_STR { $$ = $1;
- if (strlen($$) >= FR_GROUPLEN)
- $$[FR_GROUPLEN - 1] = '\0';
- }
- | YY_NUMBER { $$ = malloc(16);
- sprintf($$, "%d", $1);
- }
- ;
-
-settagin:
- | IPFY_SETTAG '(' taginlist ')'
- ;
-
-taginlist:
- taginspec
- | taginlist ',' taginspec
- ;
-
-taginspec:
- logtag
- ;
-
-nattag: IPFY_NAT '=' YY_STR { DOALL(strncpy(fr->fr_nattag.ipt_tag,\
- $3, IPFTAG_LEN););
- free($3); }
- | IPFY_NAT '=' YY_NUMBER { DOALL(sprintf(fr->fr_nattag.ipt_tag,\
- "%d", $3 & 0xffffffff);) }
- ;
-
-logtag: IPFY_LOG '=' YY_NUMBER { DOALL(fr->fr_logtag = $3;) }
- ;
-
-settagout:
- | IPFY_SETTAG '(' tagoutlist ')'
- ;
-
-tagoutlist:
- tagoutspec
- | tagoutlist ',' tagoutspec
- ;
-
-tagoutspec:
- logtag
- | nattag
- ;
-
-matchtagin:
- | IPFY_MATCHTAG '(' tagoutlist ')'
- ;
-
-matchtagout:
- | IPFY_MATCHTAG '(' taginlist ')'
- ;
-
-pps: | IPFY_PPS YY_NUMBER { DOALL(fr->fr_pps = $2;) }
- ;
-
-new: | savegroup file restoregroup
- ;
-
-rulettl:
- | IPFY_RULETTL YY_NUMBER { DOALL(fr->fr_die = $2;) }
- ;
-
-comment:
- | IPFY_COMMENT YY_STR { DOALL(fr->fr_comment = addname(&fr, \
- $2);) }
- ;
-
-savegroup:
- '{'
- ;
-
-restoregroup:
- '}'
- ;
-
-logopt: log
- ;
-
-quick: IPFY_QUICK { fr->fr_flags |= FR_QUICK; }
- ;
-
-on: IPFY_ON onname { setifname(&fr, 0, $2.if1);
- free($2.if1);
- if ($2.if2 != NULL) {
- setifname(&fr, 1,
- $2.if2);
- free($2.if2);
- }
- }
- | IPFY_ON lstart onlist lend
- | IPFY_ON onname IPFY_INVIA vianame { setifname(&fr, 0, $2.if1);
- free($2.if1);
- if ($2.if2 != NULL) {
- setifname(&fr, 1,
- $2.if2);
- free($2.if2);
- }
- }
- | IPFY_ON onname IPFY_OUTVIA vianame { setifname(&fr, 0, $2.if1);
- free($2.if1);
- if ($2.if2 != NULL) {
- setifname(&fr, 1,
- $2.if2);
- free($2.if2);
- }
- }
- ;
-
-onlist: onname { DOREM(setifname(&fr, 0, $1.if1); \
- if ($1.if2 != NULL) \
- setifname(&fr, 1, $1.if2); \
- )
- free($1.if1);
- if ($1.if2 != NULL)
- free($1.if2);
- }
- | onlist lmore onname { DOREM(setifname(&fr, 0, $3.if1); \
- if ($3.if2 != NULL) \
- setifname(&fr, 1, $3.if2); \
- )
- free($3.if1);
- if ($3.if2 != NULL)
- free($3.if2);
- }
- ;
-
-onname: interfacename { $$.if1 = $1;
- $$.if2 = NULL;
- }
- | interfacename ',' interfacename
- { $$.if1 = $1;
- $$.if2 = $3;
- }
- ;
-
-vianame:
- name { setifname(&fr, 2, $1);
- free($1);
- }
- | name ',' name { setifname(&fr, 2, $1);
- free($1);
- setifname(&fr, 3, $3);
- free($3);
- }
- ;
-
-dup: IPFY_DUPTO name
- { int idx = addname(&fr, $2);
- fr->fr_dif.fd_name = idx;
- free($2);
- }
- | IPFY_DUPTO IPFY_DSTLIST '/' name
- { int idx = addname(&fr, $4);
- fr->fr_dif.fd_name = idx;
- fr->fr_dif.fd_type = FRD_DSTLIST;
- free($4);
- }
- | IPFY_DUPTO name duptoseparator hostname
- { int idx = addname(&fr, $2);
- fr->fr_dif.fd_name = idx;
- fr->fr_dif.fd_ptr = (void *)-1;
- fr->fr_dif.fd_ip6 = $4.adr;
- if (fr->fr_family == AF_UNSPEC && $4.f != AF_UNSPEC)
- fr->fr_family = $4.f;
- yyexpectaddr = 0;
- free($2);
- }
- ;
-
-duptoseparator:
- ':' { yyexpectaddr = 1; yycont = &yyexpectaddr; resetaddr(); }
- ;
-
-froute: IPFY_FROUTE { fr->fr_flags |= FR_FASTROUTE; }
- ;
-
-proute: routeto name
- { int idx = addname(&fr, $2);
- fr->fr_tif.fd_name = idx;
- free($2);
- }
- | routeto IPFY_DSTLIST '/' name
- { int idx = addname(&fr, $4);
- fr->fr_tif.fd_name = idx;
- fr->fr_tif.fd_type = FRD_DSTLIST;
- free($4);
- }
- | routeto name duptoseparator hostname
- { int idx = addname(&fr, $2);
- fr->fr_tif.fd_name = idx;
- fr->fr_tif.fd_ptr = (void *)-1;
- fr->fr_tif.fd_ip6 = $4.adr;
- if (fr->fr_family == AF_UNSPEC && $4.f != AF_UNSPEC)
- fr->fr_family = $4.f;
- yyexpectaddr = 0;
- free($2);
- }
- ;
-
-routeto:
- IPFY_TO
- | IPFY_ROUTETO
- ;
-
-replyto:
- IPFY_REPLY_TO name
- { int idx = addname(&fr, $2);
- fr->fr_rif.fd_name = idx;
- free($2);
- }
- | IPFY_REPLY_TO IPFY_DSTLIST '/' name
- { fr->fr_rif.fd_name = addname(&fr, $4);
- fr->fr_rif.fd_type = FRD_DSTLIST;
- free($4);
- }
- | IPFY_REPLY_TO name duptoseparator hostname
- { int idx = addname(&fr, $2);
- fr->fr_rif.fd_name = idx;
- fr->fr_rif.fd_ptr = (void *)-1;
- fr->fr_rif.fd_ip6 = $4.adr;
- if (fr->fr_family == AF_UNSPEC && $4.f != AF_UNSPEC)
- fr->fr_family = $4.f;
- free($2);
- }
- ;
-
-logoptions:
- logoption
- | logoptions logoption
- ;
-
-logoption:
- IPFY_BODY { fr->fr_flags |= FR_LOGBODY; }
- | IPFY_FIRST { fr->fr_flags |= FR_LOGFIRST; }
- | IPFY_ORBLOCK { fr->fr_flags |= FR_LOGORBLOCK; }
- | level loglevel { unsetsyslog(); }
- ;
-
-returncode:
- starticmpcode icmpcode ')' { fr->fr_icode = $2; yyresetdict(); }
- ;
-
-starticmpcode:
- '(' { yysetdict(icmpcodewords); }
- ;
-
-srcdst: | IPFY_ALL
- | fromto
- ;
-
-protocol:
- YY_NUMBER { DOALL(fr->fr_proto = $1; \
- fr->fr_mproto = 0xff;)
- }
- | YY_STR { if (!strcmp($1, "tcp-udp")) {
- DOALL(fr->fr_flx |= FI_TCPUDP; \
- fr->fr_mflx |= FI_TCPUDP;)
- } else {
- int p = getproto($1);
- if (p == -1)
- yyerror("protocol unknown");
- DOALL(fr->fr_proto = p; \
- fr->fr_mproto = 0xff;)
- }
- free($1);
- }
- | YY_STR nextstring YY_STR
- { if (!strcmp($1, "tcp") &&
- !strcmp($3, "udp")) {
- DOREM(fr->fr_flx |= FI_TCPUDP; \
- fr->fr_mflx |= FI_TCPUDP;)
- } else {
- YYERROR;
- }
- free($1);
- free($3);
- }
- ;
-
-nextstring:
- '/' { yysetdict(NULL); }
- ;
-
-fromto: from srcobject to dstobject { yyexpectaddr = 0; yycont = NULL; }
- | to dstobject { yyexpectaddr = 0; yycont = NULL; }
- | from srcobject { yyexpectaddr = 0; yycont = NULL; }
- ;
-
-from: IPFY_FROM { setipftype();
- if (fr == NULL)
- fr = frc;
- yyexpectaddr = 1;
- if (yydebug)
- printf("set yyexpectaddr\n");
- yycont = &yyexpectaddr;
- yysetdict(addrwords);
- resetaddr(); }
- ;
-
-to: IPFY_TO { if (fr == NULL)
- fr = frc;
- yyexpectaddr = 1;
- if (yydebug)
- printf("set yyexpectaddr\n");
- yycont = &yyexpectaddr;
- yysetdict(addrwords);
- resetaddr();
- }
- ;
-
-with: | andwith withlist
- ;
-
-andwith:
- IPFY_WITH { nowith = 0; setipftype(); }
- | IPFY_AND { nowith = 0; setipftype(); }
- ;
-
-flags: | startflags flagset
- { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
- | startflags flagset '/' flagset
- { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
- | startflags '/' flagset
- { DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
- | startflags YY_NUMBER
- { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
- | startflags '/' YY_NUMBER
- { DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
- | startflags YY_NUMBER '/' YY_NUMBER
- { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
- | startflags flagset '/' YY_NUMBER
- { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
- | startflags YY_NUMBER '/' flagset
- { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
- ;
-
-startflags:
- IPFY_FLAGS { if (frc->fr_type != FR_T_IPF)
- yyerror("flags with non-ipf type rule");
- if (frc->fr_proto != IPPROTO_TCP)
- yyerror("flags with non-TCP rule");
- }
- ;
-
-flagset:
- YY_STR { $$ = tcpflags($1); free($1); }
- | YY_HEX { $$ = $1; }
- ;
-
-srcobject:
- { yyresetdict(); } fromport
- | srcaddr srcport
- | '!' srcaddr srcport
- { DOALL(fr->fr_flags |= FR_NOTSRCIP;) }
- ;
-
-srcaddr:
- addr { build_srcaddr_af(fr, &$1); }
- | lstart srcaddrlist lend
- ;
-
-srcaddrlist:
- addr { build_srcaddr_af(fr, &$1); }
- | srcaddrlist lmore addr
- { build_srcaddr_af(fr, &$3); }
- ;
-
-srcport:
- | portcomp
- { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
- | portrange
- { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
- fr->fr_stop = $1.p2;) }
- | porteq lstart srcportlist lend
- { yyresetdict(); }
- ;
-
-fromport:
- portcomp
- { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
- | portrange
- { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
- fr->fr_stop = $1.p2;) }
- | porteq lstart srcportlist lend
- { yyresetdict(); }
- ;
-
-srcportlist:
- portnum { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $1;) }
- | portnum ':' portnum
- { DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $1; \
- fr->fr_stop = $3;) }
- | portnum YY_RANGE_IN portnum
- { DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $1; \
- fr->fr_stop = $3;) }
- | srcportlist lmore portnum
- { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $3;) }
- | srcportlist lmore portnum ':' portnum
- { DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $3; \
- fr->fr_stop = $5;) }
- | srcportlist lmore portnum YY_RANGE_IN portnum
- { DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $3; \
- fr->fr_stop = $5;) }
- ;
-
-dstobject:
- { yyresetdict(); } toport
- | dstaddr dstport
- | '!' dstaddr dstport
- { DOALL(fr->fr_flags |= FR_NOTDSTIP;) }
- ;
-
-dstaddr:
- addr { if (($1.f != AF_UNSPEC) && (frc->fr_family != AF_UNSPEC) &&
- ($1.f != frc->fr_family))
- yyerror("1.src/dst address family mismatch");
- build_dstaddr_af(fr, &$1);
- }
- | lstart dstaddrlist lend
- ;
-
-dstaddrlist:
- addr { if (($1.f != AF_UNSPEC) && (frc->fr_family != AF_UNSPEC) &&
- ($1.f != frc->fr_family))
- yyerror("2.src/dst address family mismatch");
- build_dstaddr_af(fr, &$1);
- }
- | dstaddrlist lmore addr
- { if (($3.f != AF_UNSPEC) && (frc->fr_family != AF_UNSPEC) &&
- ($3.f != frc->fr_family))
- yyerror("3.src/dst address family mismatch");
- build_dstaddr_af(fr, &$3);
- }
- ;
-
-
-dstport:
- | portcomp
- { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
- | portrange
- { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
- fr->fr_dtop = $1.p2;) }
- | porteq lstart dstportlist lend
- { yyresetdict(); }
- ;
-
-toport:
- portcomp
- { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
- | portrange
- { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
- fr->fr_dtop = $1.p2;) }
- | porteq lstart dstportlist lend
- { yyresetdict(); }
- ;
-
-dstportlist:
- portnum { DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $1;) }
- | portnum ':' portnum
- { DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $1; \
- fr->fr_dtop = $3;) }
- | portnum YY_RANGE_IN portnum
- { DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $1; \
- fr->fr_dtop = $3;) }
- | dstportlist lmore portnum
- { DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $3;) }
- | dstportlist lmore portnum ':' portnum
- { DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $3; \
- fr->fr_dtop = $5;) }
- | dstportlist lmore portnum YY_RANGE_IN portnum
- { DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $3; \
- fr->fr_dtop = $5;) }
- ;
-
-addr: pool '/' YY_NUMBER { pooled = 1;
- yyexpectaddr = 0;
- $$.type = FRI_LOOKUP;
- $$.v = 0;
- $$.ifpos = -1;
- $$.f = AF_UNSPEC;
- $$.a.iplookuptype = IPLT_POOL;
- $$.a.iplookupsubtype = 0;
- $$.a.iplookupnum = $3; }
- | pool '/' YY_STR { pooled = 1;
- $$.ifpos = -1;
- $$.f = AF_UNSPEC;
- $$.type = FRI_LOOKUP;
- $$.a.iplookuptype = IPLT_POOL;
- $$.a.iplookupsubtype = 1;
- $$.a.iplookupname = addname(&fr, $3);
- }
- | pool '=' '(' { yyexpectaddr = 1;
- pooled = 1;
- }
- poollist ')' { yyexpectaddr = 0;
- $$.v = 0;
- $$.ifpos = -1;
- $$.f = AF_UNSPEC;
- $$.type = FRI_LOOKUP;
- $$.a.iplookuptype = IPLT_POOL;
- $$.a.iplookupsubtype = 0;
- $$.a.iplookupnum = makepool($5);
- }
- | hash '/' YY_NUMBER { hashed = 1;
- yyexpectaddr = 0;
- $$.v = 0;
- $$.ifpos = -1;
- $$.f = AF_UNSPEC;
- $$.type = FRI_LOOKUP;
- $$.a.iplookuptype = IPLT_HASH;
- $$.a.iplookupsubtype = 0;
- $$.a.iplookupnum = $3;
- }
- | hash '/' YY_STR { hashed = 1;
- $$.type = FRI_LOOKUP;
- $$.v = 0;
- $$.ifpos = -1;
- $$.f = AF_UNSPEC;
- $$.a.iplookuptype = IPLT_HASH;
- $$.a.iplookupsubtype = 1;
- $$.a.iplookupname = addname(&fr, $3);
- }
- | hash '=' '(' { hashed = 1;
- yyexpectaddr = 1;
- }
- addrlist ')' { yyexpectaddr = 0;
- $$.v = 0;
- $$.ifpos = -1;
- $$.f = AF_UNSPEC;
- $$.type = FRI_LOOKUP;
- $$.a.iplookuptype = IPLT_HASH;
- $$.a.iplookupsubtype = 0;
- $$.a.iplookupnum = makehash($5);
- }
- | ipaddr { $$ = $1;
- yyexpectaddr = 0; }
- ;
-
-ipaddr: IPFY_ANY { memset(&($$), 0, sizeof($$));
- $$.type = FRI_NORMAL;
- $$.ifpos = -1;
- yyexpectaddr = 0;
- }
- | hostname { memset(&($$), 0, sizeof($$));
- $$.a = $1.adr;
- $$.f = $1.f;
- if ($1.f == AF_INET6)
- fill6bits(128, $$.m.i6);
- else if ($1.f == AF_INET)
- fill6bits(32, $$.m.i6);
- $$.v = ftov($1.f);
- $$.ifpos = dynamic;
- $$.type = FRI_NORMAL;
- }
- | hostname { yyresetdict(); }
- maskspace { yysetdict(maskwords);
- yyexpectaddr = 2; }
- ipmask { memset(&($$), 0, sizeof($$));
- ntomask($1.f, $5, $$.m.i6);
- $$.a = $1.adr;
- $$.a.i6[0] &= $$.m.i6[0];
- $$.a.i6[1] &= $$.m.i6[1];
- $$.a.i6[2] &= $$.m.i6[2];
- $$.a.i6[3] &= $$.m.i6[3];
- $$.f = $1.f;
- $$.v = ftov($1.f);
- $$.type = ifpflag;
- $$.ifpos = dynamic;
- if (ifpflag != 0 && $$.v == 0) {
- if (frc->fr_family == AF_INET6){
- $$.v = 6;
- $$.f = AF_INET6;
- } else {
- $$.v = 4;
- $$.f = AF_INET;
- }
- }
- yyresetdict();
- yyexpectaddr = 0;
- }
- | '(' YY_STR ')' { memset(&($$), 0, sizeof($$));
- $$.type = FRI_DYNAMIC;
- ifpflag = FRI_DYNAMIC;
- $$.ifpos = addname(&fr, $2);
- $$.lif = 0;
- }
- | '(' YY_STR ')' '/'
- { ifpflag = FRI_DYNAMIC; yysetdict(maskwords); }
- maskopts
- { memset(&($$), 0, sizeof($$));
- $$.type = ifpflag;
- $$.ifpos = addname(&fr, $2);
- $$.lif = 0;
- if (frc->fr_family == AF_UNSPEC)
- frc->fr_family = AF_INET;
- if (ifpflag == FRI_DYNAMIC) {
- ntomask(frc->fr_family,
- $6, $$.m.i6);
- }
- yyresetdict();
- yyexpectaddr = 0;
- }
- | '(' YY_STR ':' YY_NUMBER ')' '/'
- { ifpflag = FRI_DYNAMIC; yysetdict(maskwords); }
- maskopts
- { memset(&($$), 0, sizeof($$));
- $$.type = ifpflag;
- $$.ifpos = addname(&fr, $2);
- $$.lif = $4;
- if (frc->fr_family == AF_UNSPEC)
- frc->fr_family = AF_INET;
- if (ifpflag == FRI_DYNAMIC) {
- ntomask(frc->fr_family,
- $8, $$.m.i6);
- }
- yyresetdict();
- yyexpectaddr = 0;
- }
- ;
-
-maskspace:
- '/'
- | IPFY_MASK
- ;
-
-ipmask: ipv4 { $$ = count4bits($1.s_addr); }
- | YY_HEX { $$ = count4bits(htonl($1)); }
- | YY_NUMBER { $$ = $1; }
- | YY_IPV6 { $$ = count6bits($1.i6); }
- | maskopts { $$ = $1; }
- ;
-
-maskopts:
- IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) {
- ifpflag = FRI_BROADCAST;
- } else {
- YYERROR;
- }
- $$ = 0;
- }
- | IPFY_NETWORK { if (ifpflag == FRI_DYNAMIC) {
- ifpflag = FRI_NETWORK;
- } else {
- YYERROR;
- }
- $$ = 0;
- }
- | IPFY_NETMASKED { if (ifpflag == FRI_DYNAMIC) {
- ifpflag = FRI_NETMASKED;
- } else {
- YYERROR;
- }
- $$ = 0;
- }
- | IPFY_PEER { if (ifpflag == FRI_DYNAMIC) {
- ifpflag = FRI_PEERADDR;
- } else {
- YYERROR;
- }
- $$ = 0;
- }
- | YY_NUMBER { $$ = $1; }
- ;
-
-hostname:
- ipv4 { memset(&($$), 0, sizeof($$));
- $$.adr.in4 = $1;
- if (frc->fr_family == AF_INET6)
- YYERROR;
- $$.f = AF_INET;
- yyexpectaddr = 2;
- }
- | YY_NUMBER { memset(&($$), 0, sizeof($$));
- if (frc->fr_family == AF_INET6)
- YYERROR;
- $$.adr.in4_addr = $1;
- $$.f = AF_INET;
- yyexpectaddr = 2;
- }
- | YY_HEX { memset(&($$), 0, sizeof($$));
- if (frc->fr_family == AF_INET6)
- YYERROR;
- $$.adr.in4_addr = $1;
- $$.f = AF_INET;
- yyexpectaddr = 2;
- }
- | YY_STR { memset(&($$), 0, sizeof($$));
- if (lookuphost($1, &$$.adr) == 0)
- $$.f = AF_INET;
- free($1);
- yyexpectaddr = 2;
- }
- | YY_IPV6 { memset(&($$), 0, sizeof($$));
- if (frc->fr_family == AF_INET)
- YYERROR;
- $$.adr = $1;
- $$.f = AF_INET6;
- yyexpectaddr = 2;
- }
- ;
-
-addrlist:
- ipaddr { $$ = newalist(NULL);
- $$->al_family = $1.f;
- $$->al_i6addr = $1.a;
- $$->al_i6mask = $1.m;
- }
- | ipaddr ',' { yyexpectaddr = 1; } addrlist
- { $$ = newalist($4);
- $$->al_family = $1.f;
- $$->al_i6addr = $1.a;
- $$->al_i6mask = $1.m;
- }
- ;
-
-pool: IPFY_POOL { yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
- ;
-
-hash: IPFY_HASH { yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
- ;
-
-poollist:
- ipaddr { $$ = newalist(NULL);
- $$->al_family = $1.f;
- $$->al_i6addr = $1.a;
- $$->al_i6mask = $1.m;
- }
- | '!' ipaddr { $$ = newalist(NULL);
- $$->al_not = 1;
- $$->al_family = $2.f;
- $$->al_i6addr = $2.a;
- $$->al_i6mask = $2.m;
- }
- | poollist ',' ipaddr
- { $$ = newalist($1);
- $$->al_family = $3.f;
- $$->al_i6addr = $3.a;
- $$->al_i6mask = $3.m;
- }
- | poollist ',' '!' ipaddr
- { $$ = newalist($1);
- $$->al_not = 1;
- $$->al_family = $4.f;
- $$->al_i6addr = $4.a;
- $$->al_i6mask = $4.m;
- }
- ;
-
-port: IPFY_PORT { yyexpectaddr = 0;
- yycont = NULL;
- if (frc->fr_proto != 0 &&
- frc->fr_proto != IPPROTO_UDP &&
- frc->fr_proto != IPPROTO_TCP)
- yyerror("port use incorrect");
- }
- ;
-
-portc: port compare { $$ = $2;
- yysetdict(NULL);
- }
- | porteq { $$ = $1; }
- ;
-
-porteq: port '=' { $$ = FR_EQUAL;
- yysetdict(NULL);
- }
- ;
-
-portr: IPFY_PORT { yyexpectaddr = 0;
- yycont = NULL;
- yysetdict(NULL);
- }
- ;
-
-portcomp:
- portc portnum { $$.pc = $1;
- $$.p1 = $2;
- yyresetdict();
- }
- ;
-
-portrange:
- portr portnum range portnum { $$.p1 = $2;
- $$.pc = $3;
- $$.p2 = $4;
- yyresetdict();
- }
- ;
-
-icmp: | itype icode
- ;
-
-itype: seticmptype icmptype
- { DOALL(fr->fr_icmp = htons($2 << 8); fr->fr_icmpm = htons(0xff00););
- yyresetdict();
- }
- | seticmptype lstart typelist lend { yyresetdict(); }
- ;
-
-seticmptype:
- IPFY_ICMPTYPE { if (frc->fr_family == AF_UNSPEC)
- frc->fr_family = AF_INET;
- if (frc->fr_family == AF_INET &&
- frc->fr_type == FR_T_IPF &&
- frc->fr_proto != IPPROTO_ICMP) {
- yyerror("proto not icmp");
- }
- if (frc->fr_family == AF_INET6 &&
- frc->fr_type == FR_T_IPF &&
- frc->fr_proto != IPPROTO_ICMPV6) {
- yyerror("proto not ipv6-icmp");
- }
- setipftype();
- DOALL(if (fr->fr_family == AF_INET) { \
- fr->fr_ip.fi_v = 4; \
- fr->fr_mip.fi_v = 0xf; \
- }
- if (fr->fr_family == AF_INET6) { \
- fr->fr_ip.fi_v = 6; \
- fr->fr_mip.fi_v = 0xf; \
- }
- )
- yysetdict(NULL);
- }
- ;
-
-icode: | seticmpcode icmpcode
- { DOALL(fr->fr_icmp |= htons($2); fr->fr_icmpm |= htons(0xff););
- yyresetdict();
- }
- | seticmpcode lstart codelist lend { yyresetdict(); }
- ;
-
-seticmpcode:
- IPFY_ICMPCODE { yysetdict(icmpcodewords); }
- ;
-
-typelist:
- icmptype
- { DOREM(fr->fr_icmp = htons($1 << 8); fr->fr_icmpm = htons(0xff00);) }
- | typelist lmore icmptype
- { DOREM(fr->fr_icmp = htons($3 << 8); fr->fr_icmpm = htons(0xff00);) }
- ;
-
-codelist:
- icmpcode
- { DOREM(fr->fr_icmp |= htons($1); fr->fr_icmpm |= htons(0xff);) }
- | codelist lmore icmpcode
- { DOREM(fr->fr_icmp &= htons(0xff00); fr->fr_icmp |= htons($3); \
- fr->fr_icmpm |= htons(0xff);) }
- ;
-
-age: | IPFY_AGE YY_NUMBER { DOALL(fr->fr_age[0] = $2; \
- fr->fr_age[1] = $2;) }
- | IPFY_AGE YY_NUMBER '/' YY_NUMBER
- { DOALL(fr->fr_age[0] = $2; \
- fr->fr_age[1] = $4;) }
- ;
-
-keep: | IPFY_KEEP keepstate keep
- | IPFY_KEEP keepfrag keep
- ;
-
-keepstate:
- IPFY_STATE stateoptlist { DOALL(fr->fr_flags |= FR_KEEPSTATE;)}
- ;
-
-keepfrag:
- IPFY_FRAGS fragoptlist { DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
- | IPFY_FRAG fragoptlist { DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
- ;
-
-fragoptlist:
- | '(' fragopts ')'
- ;
-
-fragopts:
- fragopt lanother fragopts
- | fragopt
- ;
-
-fragopt:
- IPFY_STRICT { DOALL(fr->fr_flags |= FR_FRSTRICT;) }
- ;
-
-stateoptlist:
- | '(' stateopts ')'
- ;
-
-stateopts:
- stateopt lanother stateopts
- | stateopt
- ;
-
-stateopt:
- IPFY_LIMIT YY_NUMBER { DOALL(fr->fr_statemax = $2;) }
- | IPFY_STRICT { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
- YYERROR; \
- } else if (fr->fr_flags & FR_STLOOSE) {\
- YYERROR; \
- } else \
- fr->fr_flags |= FR_STSTRICT;)
- }
- | IPFY_LOOSE { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
- YYERROR; \
- } else if (fr->fr_flags & FR_STSTRICT){\
- YYERROR; \
- } else \
- fr->fr_flags |= FR_STLOOSE;)
- }
- | IPFY_NEWISN { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
- YYERROR; \
- } else \
- fr->fr_flags |= FR_NEWISN;)
- }
- | IPFY_NOICMPERR { DOALL(fr->fr_flags |= FR_NOICMPERR;) }
-
- | IPFY_SYNC { DOALL(fr->fr_flags |= FR_STATESYNC;) }
- | IPFY_AGE YY_NUMBER { DOALL(fr->fr_age[0] = $2; \
- fr->fr_age[1] = $2;) }
- | IPFY_AGE YY_NUMBER '/' YY_NUMBER
- { DOALL(fr->fr_age[0] = $2; \
- fr->fr_age[1] = $4;) }
- | IPFY_ICMPHEAD groupname
- { DOALL(seticmphead(&fr, $2);)
- free($2);
- }
- | IPFY_NOLOG
- { DOALL(fr->fr_nostatelog = 1;) }
- | IPFY_RPC
- { DOALL(fr->fr_rpc = 1;) }
- | IPFY_RPC IPFY_IN YY_STR
- { DOALL(fr->fr_rpc = 1;) }
- | IPFY_MAX_SRCS YY_NUMBER
- { DOALL(fr->fr_srctrack.ht_max_nodes = $2;) }
- | IPFY_MAX_PER_SRC YY_NUMBER
- { DOALL(fr->fr_srctrack.ht_max_per_node = $2; \
- fr->fr_srctrack.ht_netmask = \
- fr->fr_family == AF_INET ? 32: 128;)
- }
- | IPFY_MAX_PER_SRC YY_NUMBER '/' YY_NUMBER
- { DOALL(fr->fr_srctrack.ht_max_per_node = $2; \
- fr->fr_srctrack.ht_netmask = $4;)
- }
- ;
-
-portnum:
- servicename { if (getport(frc, $1,
- &($$), NULL) == -1)
- yyerror("service unknown");
- $$ = ntohs($$);
- free($1);
- }
- | YY_NUMBER { if ($1 > 65535) /* Unsigned */
- yyerror("invalid port number");
- else
- $$ = $1;
- }
- ;
-
-withlist:
- withopt { nowith = 0; }
- | withlist withopt { nowith = 0; }
- | withlist ',' withopt { nowith = 0; }
- ;
-
-withopt:
- opttype { DOALL(fr->fr_flx |= $1; fr->fr_mflx |= $1;) }
- | notwith opttype { DOALL(fr->fr_mflx |= $2;) }
- | ipopt ipopts { yyresetdict(); }
- | notwith ipopt ipopts { yyresetdict(); }
- | startv6hdr ipv6hdrs { yyresetdict(); }
- ;
-
-ipopt: IPFY_OPT { yysetdict(ipv4optwords); }
- ;
-
-startv6hdr:
- IPFY_V6HDR { if (frc->fr_family != AF_INET6)
- yyerror("only available with IPv6");
- yysetdict(ipv6optwords);
- }
- ;
-
-notwith:
- IPFY_NOT { nowith = 1; }
- | IPFY_NO { nowith = 1; }
- ;
-
-opttype:
- IPFY_IPOPTS { $$ = FI_OPTIONS; }
- | IPFY_SHORT { $$ = FI_SHORT; }
- | IPFY_NAT { $$ = FI_NATED; }
- | IPFY_BAD { $$ = FI_BAD; }
- | IPFY_BADNAT { $$ = FI_BADNAT; }
- | IPFY_BADSRC { $$ = FI_BADSRC; }
- | IPFY_LOWTTL { $$ = FI_LOWTTL; }
- | IPFY_FRAG { $$ = FI_FRAG; }
- | IPFY_FRAGBODY { $$ = FI_FRAGBODY; }
- | IPFY_FRAGS { $$ = FI_FRAG; }
- | IPFY_MBCAST { $$ = FI_MBCAST; }
- | IPFY_MULTICAST { $$ = FI_MULTICAST; }
- | IPFY_BROADCAST { $$ = FI_BROADCAST; }
- | IPFY_STATE { $$ = FI_STATE; }
- | IPFY_OOW { $$ = FI_OOW; }
- | IPFY_AH { $$ = FI_AH; }
- | IPFY_V6HDRS { $$ = FI_V6EXTHDR; }
- ;
-
-ipopts: optlist { DOALL(fr->fr_mip.fi_optmsk |= $1;
- if (fr->fr_family == AF_UNSPEC) {
- fr->fr_family = AF_INET;
- fr->fr_ip.fi_v = 4;
- fr->fr_mip.fi_v = 0xf;
- } else if (fr->fr_family != AF_INET) {
- YYERROR;
- }
- if (!nowith)
- fr->fr_ip.fi_optmsk |= $1;)
- }
- ;
-
-optlist:
- opt { $$ |= $1; }
- | optlist ',' opt { $$ |= $1 | $3; }
- ;
-
-ipv6hdrs:
- ipv6hdrlist { DOALL(fr->fr_mip.fi_optmsk |= $1;
- if (!nowith)
- fr->fr_ip.fi_optmsk |= $1;)
- }
- ;
-
-ipv6hdrlist:
- ipv6hdr { $$ |= $1; }
- | ipv6hdrlist ',' ipv6hdr { $$ |= $1 | $3; }
- ;
-
-secname:
- seclevel { $$ |= $1; }
- | secname ',' seclevel { $$ |= $1 | $3; }
- ;
-
-seclevel:
- IPFY_SEC_UNC { $$ = secbit(IPSO_CLASS_UNCL); }
- | IPFY_SEC_CONF { $$ = secbit(IPSO_CLASS_CONF); }
- | IPFY_SEC_RSV1 { $$ = secbit(IPSO_CLASS_RES1); }
- | IPFY_SEC_RSV2 { $$ = secbit(IPSO_CLASS_RES2); }
- | IPFY_SEC_RSV3 { $$ = secbit(IPSO_CLASS_RES3); }
- | IPFY_SEC_RSV4 { $$ = secbit(IPSO_CLASS_RES4); }
- | IPFY_SEC_SEC { $$ = secbit(IPSO_CLASS_SECR); }
- | IPFY_SEC_TS { $$ = secbit(IPSO_CLASS_TOPS); }
- ;
-
-icmptype:
- YY_NUMBER { $$ = $1; }
- | YY_STR { $$ = geticmptype(frc->fr_family, $1);
- if ($$ == -1)
- yyerror("unrecognised icmp type");
- }
- ;
-
-icmpcode:
- YY_NUMBER { $$ = $1; }
- | IPFY_ICMPC_NETUNR { $$ = ICMP_UNREACH_NET; }
- | IPFY_ICMPC_HSTUNR { $$ = ICMP_UNREACH_HOST; }
- | IPFY_ICMPC_PROUNR { $$ = ICMP_UNREACH_PROTOCOL; }
- | IPFY_ICMPC_PORUNR { $$ = ICMP_UNREACH_PORT; }
- | IPFY_ICMPC_NEEDF { $$ = ICMP_UNREACH_NEEDFRAG; }
- | IPFY_ICMPC_SRCFAIL { $$ = ICMP_UNREACH_SRCFAIL; }
- | IPFY_ICMPC_NETUNK { $$ = ICMP_UNREACH_NET_UNKNOWN; }
- | IPFY_ICMPC_HSTUNK { $$ = ICMP_UNREACH_HOST_UNKNOWN; }
- | IPFY_ICMPC_ISOLATE { $$ = ICMP_UNREACH_ISOLATED; }
- | IPFY_ICMPC_NETPRO { $$ = ICMP_UNREACH_NET_PROHIB; }
- | IPFY_ICMPC_HSTPRO { $$ = ICMP_UNREACH_HOST_PROHIB; }
- | IPFY_ICMPC_NETTOS { $$ = ICMP_UNREACH_TOSNET; }
- | IPFY_ICMPC_HSTTOS { $$ = ICMP_UNREACH_TOSHOST; }
- | IPFY_ICMPC_FLTPRO { $$ = ICMP_UNREACH_ADMIN_PROHIBIT; }
- | IPFY_ICMPC_HSTPRE { $$ = 14; }
- | IPFY_ICMPC_CUTPRE { $$ = 15; }
- ;
-
-opt:
- IPFY_IPOPT_NOP { $$ = getoptbyvalue(IPOPT_NOP); }
- | IPFY_IPOPT_RR { $$ = getoptbyvalue(IPOPT_RR); }
- | IPFY_IPOPT_ZSU { $$ = getoptbyvalue(IPOPT_ZSU); }
- | IPFY_IPOPT_MTUP { $$ = getoptbyvalue(IPOPT_MTUP); }
- | IPFY_IPOPT_MTUR { $$ = getoptbyvalue(IPOPT_MTUR); }
- | IPFY_IPOPT_ENCODE { $$ = getoptbyvalue(IPOPT_ENCODE); }
- | IPFY_IPOPT_TS { $$ = getoptbyvalue(IPOPT_TS); }
- | IPFY_IPOPT_TR { $$ = getoptbyvalue(IPOPT_TR); }
- | IPFY_IPOPT_SEC { $$ = getoptbyvalue(IPOPT_SECURITY); }
- | IPFY_IPOPT_LSRR { $$ = getoptbyvalue(IPOPT_LSRR); }
- | IPFY_IPOPT_ESEC { $$ = getoptbyvalue(IPOPT_E_SEC); }
- | IPFY_IPOPT_CIPSO { $$ = getoptbyvalue(IPOPT_CIPSO); }
- | IPFY_IPOPT_CIPSO doi { $$ = getoptbyvalue(IPOPT_CIPSO); }
- | IPFY_IPOPT_SATID { $$ = getoptbyvalue(IPOPT_SATID); }
- | IPFY_IPOPT_SSRR { $$ = getoptbyvalue(IPOPT_SSRR); }
- | IPFY_IPOPT_ADDEXT { $$ = getoptbyvalue(IPOPT_ADDEXT); }
- | IPFY_IPOPT_VISA { $$ = getoptbyvalue(IPOPT_VISA); }
- | IPFY_IPOPT_IMITD { $$ = getoptbyvalue(IPOPT_IMITD); }
- | IPFY_IPOPT_EIP { $$ = getoptbyvalue(IPOPT_EIP); }
- | IPFY_IPOPT_FINN { $$ = getoptbyvalue(IPOPT_FINN); }
- | IPFY_IPOPT_DPS { $$ = getoptbyvalue(IPOPT_DPS); }
- | IPFY_IPOPT_SDB { $$ = getoptbyvalue(IPOPT_SDB); }
- | IPFY_IPOPT_NSAPA { $$ = getoptbyvalue(IPOPT_NSAPA); }
- | IPFY_IPOPT_RTRALRT { $$ = getoptbyvalue(IPOPT_RTRALRT); }
- | IPFY_IPOPT_UMP { $$ = getoptbyvalue(IPOPT_UMP); }
- | setsecclass secname
- { DOALL(fr->fr_mip.fi_secmsk |= $2;
- if (fr->fr_family == AF_UNSPEC) {
- fr->fr_family = AF_INET;
- fr->fr_ip.fi_v = 4;
- fr->fr_mip.fi_v = 0xf;
- } else if (fr->fr_family != AF_INET) {
- YYERROR;
- }
- if (!nowith)
- fr->fr_ip.fi_secmsk |= $2;)
- $$ = 0;
- yyresetdict();
- }
- ;
-
-setsecclass:
- IPFY_SECCLASS { yysetdict(ipv4secwords); }
- ;
-
-doi: IPFY_DOI YY_NUMBER { DOALL(fr->fr_doimask = 0xffffffff; \
- if (!nowith) \
- fr->fr_doi = $2;) }
- | IPFY_DOI YY_HEX { DOALL(fr->fr_doimask = 0xffffffff; \
- if (!nowith) \
- fr->fr_doi = $2;) }
- ;
-
-ipv6hdr:
- IPFY_AH { $$ = getv6optbyvalue(IPPROTO_AH); }
- | IPFY_IPV6OPT_DSTOPTS { $$ = getv6optbyvalue(IPPROTO_DSTOPTS); }
- | IPFY_IPV6OPT_ESP { $$ = getv6optbyvalue(IPPROTO_ESP); }
- | IPFY_IPV6OPT_HOPOPTS { $$ = getv6optbyvalue(IPPROTO_HOPOPTS); }
- | IPFY_IPV6OPT_IPV6 { $$ = getv6optbyvalue(IPPROTO_IPV6); }
- | IPFY_IPV6OPT_NONE { $$ = getv6optbyvalue(IPPROTO_NONE); }
- | IPFY_IPV6OPT_ROUTING { $$ = getv6optbyvalue(IPPROTO_ROUTING); }
- | IPFY_IPV6OPT_FRAG { $$ = getv6optbyvalue(IPPROTO_FRAGMENT); }
- | IPFY_IPV6OPT_MOBILITY { $$ = getv6optbyvalue(IPPROTO_MOBILITY); }
- ;
-
-level: IPFY_LEVEL { setsyslog(); }
- ;
-
-loglevel:
- priority { fr->fr_loglevel = LOG_LOCAL0|$1; }
- | facility '.' priority { fr->fr_loglevel = $1 | $3; }
- ;
-
-facility:
- IPFY_FAC_KERN { $$ = LOG_KERN; }
- | IPFY_FAC_USER { $$ = LOG_USER; }
- | IPFY_FAC_MAIL { $$ = LOG_MAIL; }
- | IPFY_FAC_DAEMON { $$ = LOG_DAEMON; }
- | IPFY_FAC_AUTH { $$ = LOG_AUTH; }
- | IPFY_FAC_SYSLOG { $$ = LOG_SYSLOG; }
- | IPFY_FAC_LPR { $$ = LOG_LPR; }
- | IPFY_FAC_NEWS { $$ = LOG_NEWS; }
- | IPFY_FAC_UUCP { $$ = LOG_UUCP; }
- | IPFY_FAC_CRON { $$ = LOG_CRON; }
- | IPFY_FAC_FTP { $$ = LOG_FTP; }
- | IPFY_FAC_AUTHPRIV { $$ = LOG_AUTHPRIV; }
- | IPFY_FAC_AUDIT { $$ = LOG_AUDIT; }
- | IPFY_FAC_LFMT { $$ = LOG_LFMT; }
- | IPFY_FAC_LOCAL0 { $$ = LOG_LOCAL0; }
- | IPFY_FAC_LOCAL1 { $$ = LOG_LOCAL1; }
- | IPFY_FAC_LOCAL2 { $$ = LOG_LOCAL2; }
- | IPFY_FAC_LOCAL3 { $$ = LOG_LOCAL3; }
- | IPFY_FAC_LOCAL4 { $$ = LOG_LOCAL4; }
- | IPFY_FAC_LOCAL5 { $$ = LOG_LOCAL5; }
- | IPFY_FAC_LOCAL6 { $$ = LOG_LOCAL6; }
- | IPFY_FAC_LOCAL7 { $$ = LOG_LOCAL7; }
- | IPFY_FAC_SECURITY { $$ = LOG_SECURITY; }
- ;
-
-priority:
- IPFY_PRI_EMERG { $$ = LOG_EMERG; }
- | IPFY_PRI_ALERT { $$ = LOG_ALERT; }
- | IPFY_PRI_CRIT { $$ = LOG_CRIT; }
- | IPFY_PRI_ERR { $$ = LOG_ERR; }
- | IPFY_PRI_WARN { $$ = LOG_WARNING; }
- | IPFY_PRI_NOTICE { $$ = LOG_NOTICE; }
- | IPFY_PRI_INFO { $$ = LOG_INFO; }
- | IPFY_PRI_DEBUG { $$ = LOG_DEBUG; }
- ;
-
-compare:
- YY_CMP_EQ { $$ = FR_EQUAL; }
- | YY_CMP_NE { $$ = FR_NEQUAL; }
- | YY_CMP_LT { $$ = FR_LESST; }
- | YY_CMP_LE { $$ = FR_LESSTE; }
- | YY_CMP_GT { $$ = FR_GREATERT; }
- | YY_CMP_GE { $$ = FR_GREATERTE; }
- ;
-
-range: YY_RANGE_IN { $$ = FR_INRANGE; }
- | YY_RANGE_OUT { $$ = FR_OUTRANGE; }
- | ':' { $$ = FR_INCRANGE; }
- ;
-
-servicename:
- YY_STR { $$ = $1; }
- ;
-
-interfacename: name { $$ = $1; }
- | name ':' YY_NUMBER
- { $$ = $1;
- fprintf(stderr, "%d: Logical interface %s:%d unsupported, "
- "use the physical interface %s instead.\n",
- yylineNum, $1, $3, $1);
- }
- ;
-
-name: YY_STR { $$ = $1; }
- | '-' { $$ = strdup("-"); }
- ;
-
-ipv4_16:
- YY_NUMBER '.' YY_NUMBER
- { if ($1 > 255 || $3 > 255) {
- yyerror("Invalid octet string for IP address");
- return 0;
- }
- $$.s_addr = ($1 << 24) | ($3 << 16);
- $$.s_addr = htonl($$.s_addr);
- }
- ;
-
-ipv4_24:
- ipv4_16 '.' YY_NUMBER
- { if ($3 > 255) {
- yyerror("Invalid octet string for IP address");
- return 0;
- }
- $$.s_addr |= htonl($3 << 8);
- }
- ;
-
-ipv4: ipv4_24 '.' YY_NUMBER
- { if ($3 > 255) {
- yyerror("Invalid octet string for IP address");
- return 0;
- }
- $$.s_addr |= htonl($3);
- }
- | ipv4_24
- | ipv4_16
- ;
-
-%%
-
-
-static struct wordtab ipfwords[] = {
- { "age", IPFY_AGE },
- { "ah", IPFY_AH },
- { "all", IPFY_ALL },
- { "and", IPFY_AND },
- { "auth", IPFY_AUTH },
- { "bad", IPFY_BAD },
- { "bad-nat", IPFY_BADNAT },
- { "bad-src", IPFY_BADSRC },
- { "bcast", IPFY_BROADCAST },
- { "block", IPFY_BLOCK },
- { "body", IPFY_BODY },
- { "bpf-v4", IPFY_BPFV4 },
-#ifdef USE_INET6
- { "bpf-v6", IPFY_BPFV6 },
-#endif
- { "call", IPFY_CALL },
- { "code", IPFY_ICMPCODE },
- { "comment", IPFY_COMMENT },
- { "count", IPFY_COUNT },
- { "decapsulate", IPFY_DECAPS },
- { "dstlist", IPFY_DSTLIST },
- { "doi", IPFY_DOI },
- { "dup-to", IPFY_DUPTO },
- { "eq", YY_CMP_EQ },
- { "esp", IPFY_ESP },
- { "exp", IPFY_IPFEXPR },
- { "family", IPFY_FAMILY },
- { "fastroute", IPFY_FROUTE },
- { "first", IPFY_FIRST },
- { "flags", IPFY_FLAGS },
- { "frag", IPFY_FRAG },
- { "frag-body", IPFY_FRAGBODY },
- { "frags", IPFY_FRAGS },
- { "from", IPFY_FROM },
- { "ge", YY_CMP_GE },
- { "group", IPFY_GROUP },
- { "gt", YY_CMP_GT },
- { "head", IPFY_HEAD },
- { "icmp", IPFY_ICMP },
- { "icmp-head", IPFY_ICMPHEAD },
- { "icmp-type", IPFY_ICMPTYPE },
- { "in", IPFY_IN },
- { "in-via", IPFY_INVIA },
- { "inet", IPFY_INET },
- { "inet6", IPFY_INET6 },
- { "ipopt", IPFY_IPOPTS },
- { "ipopts", IPFY_IPOPTS },
- { "keep", IPFY_KEEP },
- { "l5-as", IPFY_L5AS },
- { "le", YY_CMP_LE },
- { "level", IPFY_LEVEL },
- { "limit", IPFY_LIMIT },
- { "log", IPFY_LOG },
- { "loose", IPFY_LOOSE },
- { "lowttl", IPFY_LOWTTL },
- { "lt", YY_CMP_LT },
- { "mask", IPFY_MASK },
- { "match-tag", IPFY_MATCHTAG },
- { "max-per-src", IPFY_MAX_PER_SRC },
- { "max-srcs", IPFY_MAX_SRCS },
- { "mbcast", IPFY_MBCAST },
- { "mcast", IPFY_MULTICAST },
- { "multicast", IPFY_MULTICAST },
- { "nat", IPFY_NAT },
- { "ne", YY_CMP_NE },
- { "net", IPFY_NETWORK },
- { "newisn", IPFY_NEWISN },
- { "no", IPFY_NO },
- { "no-icmp-err", IPFY_NOICMPERR },
- { "nolog", IPFY_NOLOG },
- { "nomatch", IPFY_NOMATCH },
- { "now", IPFY_NOW },
- { "not", IPFY_NOT },
- { "oow", IPFY_OOW },
- { "on", IPFY_ON },
- { "opt", IPFY_OPT },
- { "or-block", IPFY_ORBLOCK },
- { "out", IPFY_OUT },
- { "out-via", IPFY_OUTVIA },
- { "pass", IPFY_PASS },
- { "port", IPFY_PORT },
- { "pps", IPFY_PPS },
- { "preauth", IPFY_PREAUTH },
- { "proto", IPFY_PROTO },
- { "quick", IPFY_QUICK },
- { "reply-to", IPFY_REPLY_TO },
- { "return-icmp", IPFY_RETICMP },
- { "return-icmp-as-dest", IPFY_RETICMPASDST },
- { "return-rst", IPFY_RETRST },
- { "route-to", IPFY_ROUTETO },
- { "rule-ttl", IPFY_RULETTL },
- { "rpc", IPFY_RPC },
- { "sec-class", IPFY_SECCLASS },
- { "set", IPFY_SET },
- { "set-tag", IPFY_SETTAG },
- { "skip", IPFY_SKIP },
- { "short", IPFY_SHORT },
- { "state", IPFY_STATE },
- { "state-age", IPFY_AGE },
- { "strict", IPFY_STRICT },
- { "sync", IPFY_SYNC },
- { "tcp", IPFY_TCP },
- { "tcp-udp", IPFY_TCPUDP },
- { "tos", IPFY_TOS },
- { "to", IPFY_TO },
- { "ttl", IPFY_TTL },
- { "udp", IPFY_UDP },
- { "v6hdr", IPFY_V6HDR },
- { "v6hdrs", IPFY_V6HDRS },
- { "with", IPFY_WITH },
- { NULL, 0 }
-};
-
-static struct wordtab addrwords[] = {
- { "any", IPFY_ANY },
- { "hash", IPFY_HASH },
- { "pool", IPFY_POOL },
- { NULL, 0 }
-};
-
-static struct wordtab maskwords[] = {
- { "broadcast", IPFY_BROADCAST },
- { "netmasked", IPFY_NETMASKED },
- { "network", IPFY_NETWORK },
- { "peer", IPFY_PEER },
- { NULL, 0 }
-};
-
-static struct wordtab icmpcodewords[] = {
- { "cutoff-preced", IPFY_ICMPC_CUTPRE },
- { "filter-prohib", IPFY_ICMPC_FLTPRO },
- { "isolate", IPFY_ICMPC_ISOLATE },
- { "needfrag", IPFY_ICMPC_NEEDF },
- { "net-prohib", IPFY_ICMPC_NETPRO },
- { "net-tos", IPFY_ICMPC_NETTOS },
- { "host-preced", IPFY_ICMPC_HSTPRE },
- { "host-prohib", IPFY_ICMPC_HSTPRO },
- { "host-tos", IPFY_ICMPC_HSTTOS },
- { "host-unk", IPFY_ICMPC_HSTUNK },
- { "host-unr", IPFY_ICMPC_HSTUNR },
- { "net-unk", IPFY_ICMPC_NETUNK },
- { "net-unr", IPFY_ICMPC_NETUNR },
- { "port-unr", IPFY_ICMPC_PORUNR },
- { "proto-unr", IPFY_ICMPC_PROUNR },
- { "srcfail", IPFY_ICMPC_SRCFAIL },
- { NULL, 0 },
-};
-
-static struct wordtab ipv4optwords[] = {
- { "addext", IPFY_IPOPT_ADDEXT },
- { "cipso", IPFY_IPOPT_CIPSO },
- { "dps", IPFY_IPOPT_DPS },
- { "e-sec", IPFY_IPOPT_ESEC },
- { "eip", IPFY_IPOPT_EIP },
- { "encode", IPFY_IPOPT_ENCODE },
- { "finn", IPFY_IPOPT_FINN },
- { "imitd", IPFY_IPOPT_IMITD },
- { "lsrr", IPFY_IPOPT_LSRR },
- { "mtup", IPFY_IPOPT_MTUP },
- { "mtur", IPFY_IPOPT_MTUR },
- { "nop", IPFY_IPOPT_NOP },
- { "nsapa", IPFY_IPOPT_NSAPA },
- { "rr", IPFY_IPOPT_RR },
- { "rtralrt", IPFY_IPOPT_RTRALRT },
- { "satid", IPFY_IPOPT_SATID },
- { "sdb", IPFY_IPOPT_SDB },
- { "sec", IPFY_IPOPT_SEC },
- { "ssrr", IPFY_IPOPT_SSRR },
- { "tr", IPFY_IPOPT_TR },
- { "ts", IPFY_IPOPT_TS },
- { "ump", IPFY_IPOPT_UMP },
- { "visa", IPFY_IPOPT_VISA },
- { "zsu", IPFY_IPOPT_ZSU },
- { NULL, 0 },
-};
-
-static struct wordtab ipv4secwords[] = {
- { "confid", IPFY_SEC_CONF },
- { "reserv-1", IPFY_SEC_RSV1 },
- { "reserv-2", IPFY_SEC_RSV2 },
- { "reserv-3", IPFY_SEC_RSV3 },
- { "reserv-4", IPFY_SEC_RSV4 },
- { "secret", IPFY_SEC_SEC },
- { "topsecret", IPFY_SEC_TS },
- { "unclass", IPFY_SEC_UNC },
- { NULL, 0 },
-};
-
-static struct wordtab ipv6optwords[] = {
- { "dstopts", IPFY_IPV6OPT_DSTOPTS },
- { "esp", IPFY_IPV6OPT_ESP },
- { "frag", IPFY_IPV6OPT_FRAG },
- { "hopopts", IPFY_IPV6OPT_HOPOPTS },
- { "ipv6", IPFY_IPV6OPT_IPV6 },
- { "mobility", IPFY_IPV6OPT_MOBILITY },
- { "none", IPFY_IPV6OPT_NONE },
- { "routing", IPFY_IPV6OPT_ROUTING },
- { NULL, 0 },
-};
-
-static struct wordtab logwords[] = {
- { "kern", IPFY_FAC_KERN },
- { "user", IPFY_FAC_USER },
- { "mail", IPFY_FAC_MAIL },
- { "daemon", IPFY_FAC_DAEMON },
- { "auth", IPFY_FAC_AUTH },
- { "syslog", IPFY_FAC_SYSLOG },
- { "lpr", IPFY_FAC_LPR },
- { "news", IPFY_FAC_NEWS },
- { "uucp", IPFY_FAC_UUCP },
- { "cron", IPFY_FAC_CRON },
- { "ftp", IPFY_FAC_FTP },
- { "authpriv", IPFY_FAC_AUTHPRIV },
- { "audit", IPFY_FAC_AUDIT },
- { "logalert", IPFY_FAC_LFMT },
- { "console", IPFY_FAC_CONSOLE },
- { "security", IPFY_FAC_SECURITY },
- { "local0", IPFY_FAC_LOCAL0 },
- { "local1", IPFY_FAC_LOCAL1 },
- { "local2", IPFY_FAC_LOCAL2 },
- { "local3", IPFY_FAC_LOCAL3 },
- { "local4", IPFY_FAC_LOCAL4 },
- { "local5", IPFY_FAC_LOCAL5 },
- { "local6", IPFY_FAC_LOCAL6 },
- { "local7", IPFY_FAC_LOCAL7 },
- { "emerg", IPFY_PRI_EMERG },
- { "alert", IPFY_PRI_ALERT },
- { "crit", IPFY_PRI_CRIT },
- { "err", IPFY_PRI_ERR },
- { "warn", IPFY_PRI_WARN },
- { "notice", IPFY_PRI_NOTICE },
- { "info", IPFY_PRI_INFO },
- { "debug", IPFY_PRI_DEBUG },
- { NULL, 0 },
-};
-
-
-
-
-int ipf_parsefile(fd, addfunc, iocfuncs, filename)
-int fd;
-addfunc_t addfunc;
-ioctlfunc_t *iocfuncs;
-char *filename;
-{
- FILE *fp = NULL;
- char *s;
-
- yylineNum = 1;
- yysettab(ipfwords);
-
- s = getenv("YYDEBUG");
- if (s != NULL)
- yydebug = atoi(s);
- else
- yydebug = 0;
-
- if (strcmp(filename, "-")) {
- fp = fopen(filename, "r");
- if (fp == NULL) {
- fprintf(stderr, "fopen(%s) failed: %s\n", filename,
- STRERROR(errno));
- return -1;
- }
- } else
- fp = stdin;
-
- while (ipf_parsesome(fd, addfunc, iocfuncs, fp) == 1)
- ;
- if (fp != NULL)
- fclose(fp);
- return 0;
-}
-
-
-int ipf_parsesome(fd, addfunc, iocfuncs, fp)
-int fd;
-addfunc_t addfunc;
-ioctlfunc_t *iocfuncs;
-FILE *fp;
-{
- char *s;
- int i;
-
- ipffd = fd;
- for (i = 0; i <= IPL_LOGMAX; i++)
- ipfioctls[i] = iocfuncs[i];
- ipfaddfunc = addfunc;
-
- if (feof(fp))
- return 0;
- i = fgetc(fp);
- if (i == EOF)
- return 0;
- if (ungetc(i, fp) == 0)
- return 0;
- if (feof(fp))
- return 0;
- s = getenv("YYDEBUG");
- if (s != NULL)
- yydebug = atoi(s);
- else
- yydebug = 0;
-
- yyin = fp;
- yyparse();
- return 1;
-}
-
-
-static void newrule()
-{
- frentry_t *frn;
-
- frn = allocfr();
- for (fr = frtop; fr != NULL && fr->fr_next != NULL; fr = fr->fr_next)
- ;
- if (fr != NULL) {
- fr->fr_next = frn;
- frn->fr_pnext = &fr->fr_next;
- }
- if (frtop == NULL) {
- frtop = frn;
- frn->fr_pnext = &frtop;
- }
- fr = frn;
- frc = frn;
- fr->fr_loglevel = 0xffff;
- fr->fr_isc = (void *)-1;
- fr->fr_logtag = FR_NOLOGTAG;
- fr->fr_type = FR_T_NONE;
- fr->fr_flineno = yylineNum;
-
- if (use_inet6 == 1)
- fr->fr_family = AF_INET6;
- else if (use_inet6 == -1)
- fr->fr_family = AF_INET;
-
- nrules = 1;
-}
-
-
-static void setipftype()
-{
- for (fr = frc; fr != NULL; fr = fr->fr_next) {
- if (fr->fr_type == FR_T_NONE) {
- fr->fr_type = FR_T_IPF;
- fr->fr_data = (void *)calloc(sizeof(fripf_t), 1);
- fr->fr_dsize = sizeof(fripf_t);
- fr->fr_family = frc->fr_family;
- if (fr->fr_family == AF_INET) {
- fr->fr_ip.fi_v = 4;
- }
- else if (fr->fr_family == AF_INET6) {
- fr->fr_ip.fi_v = 6;
- }
- fr->fr_mip.fi_v = 0xf;
- fr->fr_ipf->fri_sifpidx = -1;
- fr->fr_ipf->fri_difpidx = -1;
- }
- if (fr->fr_type != FR_T_IPF) {
- fprintf(stderr, "IPF Type not set\n");
- }
- }
-}
-
-
-static frentry_t *addrule()
-{
- frentry_t *f, *f1, *f2;
- int count;
-
- for (f2 = frc; f2->fr_next != NULL; f2 = f2->fr_next)
- ;
-
- count = nrules;
- f = f2;
- for (f1 = frc; count > 0; count--, f1 = f1->fr_next) {
- f->fr_next = allocfr();
- if (f->fr_next == NULL)
- return NULL;
- f->fr_next->fr_pnext = &f->fr_next;
- added++;
- f = f->fr_next;
- *f = *f1;
- f->fr_next = NULL;
- if (f->fr_caddr != NULL) {
- f->fr_caddr = malloc(f->fr_dsize);
- bcopy(f1->fr_caddr, f->fr_caddr, f->fr_dsize);
- }
- }
-
- return f2->fr_next;
-}
-
-
-static int
-lookuphost(name, addrp)
- char *name;
- i6addr_t *addrp;
-{
- int i;
-
- hashed = 0;
- pooled = 0;
- dynamic = -1;
-
- for (i = 0; i < 4; i++) {
- if (fr->fr_ifnames[i] == -1)
- continue;
- if (strcmp(name, fr->fr_names + fr->fr_ifnames[i]) == 0) {
- ifpflag = FRI_DYNAMIC;
- dynamic = addname(&fr, name);
- return 1;
- }
- }
-
- if (gethost(AF_INET, name, addrp) == -1) {
- fprintf(stderr, "unknown name \"%s\"\n", name);
- return -1;
- }
- return 0;
-}
-
-
-static void dobpf(v, phrase)
-int v;
-char *phrase;
-{
-#ifdef IPFILTER_BPF
- struct bpf_program bpf;
- struct pcap *p;
-#endif
- fakebpf_t *fb;
- u_32_t l;
- char *s;
- int i;
-
- for (fr = frc; fr != NULL; fr = fr->fr_next) {
- if (fr->fr_type != FR_T_NONE) {
- fprintf(stderr, "cannot mix IPF and BPF matching\n");
- return;
- }
- fr->fr_family = vtof(v);
- fr->fr_type = FR_T_BPFOPC;
-
- if (!strncmp(phrase, "0x", 2)) {
- fb = malloc(sizeof(fakebpf_t));
-
- for (i = 0, s = strtok(phrase, " \r\n\t"); s != NULL;
- s = strtok(NULL, " \r\n\t"), i++) {
- fb = realloc(fb, (i / 4 + 1) * sizeof(*fb));
- l = (u_32_t)strtol(s, NULL, 0);
- switch (i & 3)
- {
- case 0 :
- fb[i / 4].fb_c = l & 0xffff;
- break;
- case 1 :
- fb[i / 4].fb_t = l & 0xff;
- break;
- case 2 :
- fb[i / 4].fb_f = l & 0xff;
- break;
- case 3 :
- fb[i / 4].fb_k = l;
- break;
- }
- }
- if ((i & 3) != 0) {
- fprintf(stderr,
- "Odd number of bytes in BPF code\n");
- exit(1);
- }
- i--;
- fr->fr_dsize = (i / 4 + 1) * sizeof(*fb);
- fr->fr_data = fb;
- return;
- }
-
-#ifdef IPFILTER_BPF
- bzero((char *)&bpf, sizeof(bpf));
- p = pcap_open_dead(DLT_RAW, 1);
- if (!p) {
- fprintf(stderr, "pcap_open_dead failed\n");
- return;
- }
-
- if (pcap_compile(p, &bpf, phrase, 1, 0xffffffff)) {
- pcap_perror(p, "ipf");
- pcap_close(p);
- fprintf(stderr, "pcap parsing failed (%s)\n", phrase);
- return;
- }
- pcap_close(p);
-
- fr->fr_dsize = bpf.bf_len * sizeof(struct bpf_insn);
- fr->fr_data = malloc(fr->fr_dsize);
- bcopy((char *)bpf.bf_insns, fr->fr_data, fr->fr_dsize);
- if (!bpf_validate(fr->fr_data, bpf.bf_len)) {
- fprintf(stderr, "BPF validation failed\n");
- return;
- }
-#endif
- }
-
-#ifdef IPFILTER_BPF
- if (opts & OPT_DEBUG)
- bpf_dump(&bpf, 0);
-#else
- fprintf(stderr, "BPF filter expressions not supported\n");
- exit(1);
-#endif
-}
-
-
-static void resetaddr()
-{
- hashed = 0;
- pooled = 0;
- dynamic = -1;
-}
-
-
-static alist_t *newalist(ptr)
-alist_t *ptr;
-{
- alist_t *al;
-
- al = malloc(sizeof(*al));
- if (al == NULL)
- return NULL;
- al->al_not = 0;
- al->al_next = ptr;
- return al;
-}
-
-
-static int
-makepool(list)
- alist_t *list;
-{
- ip_pool_node_t *n, *top;
- ip_pool_t pool;
- alist_t *a;
- int num;
-
- if (list == NULL)
- return 0;
- top = calloc(1, sizeof(*top));
- if (top == NULL)
- return 0;
-
- for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) {
- if (use_inet6 == 1) {
-#ifdef AF_INET6
- n->ipn_addr.adf_family = AF_INET6;
- n->ipn_addr.adf_addr = a->al_i6addr;
- n->ipn_addr.adf_len = offsetof(addrfamily_t,
- adf_addr) + 16;
- n->ipn_mask.adf_family = AF_INET6;
- n->ipn_mask.adf_addr = a->al_i6mask;
- n->ipn_mask.adf_len = offsetof(addrfamily_t,
- adf_addr) + 16;
-
-#endif
- } else {
- n->ipn_addr.adf_family = AF_INET;
- n->ipn_addr.adf_addr.in4.s_addr = a->al_1;
- n->ipn_addr.adf_len = offsetof(addrfamily_t,
- adf_addr) + 4;
- n->ipn_mask.adf_family = AF_INET;
- n->ipn_mask.adf_addr.in4.s_addr = a->al_2;
- n->ipn_mask.adf_len = offsetof(addrfamily_t,
- adf_addr) + 4;
- }
- n->ipn_info = a->al_not;
- if (a->al_next != NULL) {
- n->ipn_next = calloc(1, sizeof(*n));
- n = n->ipn_next;
- }
- }
-
- bzero((char *)&pool, sizeof(pool));
- pool.ipo_unit = IPL_LOGIPF;
- pool.ipo_list = top;
- num = load_pool(&pool, ipfioctls[IPL_LOGLOOKUP]);
-
- while ((n = top) != NULL) {
- top = n->ipn_next;
- free(n);
- }
- return num;
-}
-
-
-static u_int makehash(list)
-alist_t *list;
-{
- iphtent_t *n, *top;
- iphtable_t iph;
- alist_t *a;
- int num;
-
- if (list == NULL)
- return 0;
- top = calloc(1, sizeof(*top));
- if (top == NULL)
- return 0;
-
- for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) {
- if (a->al_family == AF_INET6) {
- n->ipe_family = AF_INET6;
- n->ipe_addr = a->al_i6addr;
- n->ipe_mask = a->al_i6mask;
- } else {
- n->ipe_family = AF_INET;
- n->ipe_addr.in4_addr = a->al_1;
- n->ipe_mask.in4_addr = a->al_2;
- }
- n->ipe_value = 0;
- if (a->al_next != NULL) {
- n->ipe_next = calloc(1, sizeof(*n));
- n = n->ipe_next;
- }
- }
-
- bzero((char *)&iph, sizeof(iph));
- iph.iph_unit = IPL_LOGIPF;
- iph.iph_type = IPHASH_LOOKUP;
- *iph.iph_name = '\0';
-
- if (load_hash(&iph, top, ipfioctls[IPL_LOGLOOKUP]) == 0)
- sscanf(iph.iph_name, "%u", &num);
- else
- num = 0;
-
- while ((n = top) != NULL) {
- top = n->ipe_next;
- free(n);
- }
- return num;
-}
-
-
-int ipf_addrule(fd, ioctlfunc, ptr)
-int fd;
-ioctlfunc_t ioctlfunc;
-void *ptr;
-{
- ioctlcmd_t add, del;
- frentry_t *fr;
- ipfobj_t obj;
-
- if (ptr == NULL)
- return 0;
-
- fr = ptr;
- add = 0;
- del = 0;
-
- bzero((char *)&obj, sizeof(obj));
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = fr->fr_size;
- obj.ipfo_type = IPFOBJ_FRENTRY;
- obj.ipfo_ptr = ptr;
-
- if ((opts & OPT_DONOTHING) != 0)
- fd = -1;
-
- if (opts & OPT_ZERORULEST) {
- add = SIOCZRLST;
- } else if (opts & OPT_INACTIVE) {
- add = (u_int)fr->fr_hits ? SIOCINIFR :
- SIOCADIFR;
- del = SIOCRMIFR;
- } else {
- add = (u_int)fr->fr_hits ? SIOCINAFR :
- SIOCADAFR;
- del = SIOCRMAFR;
- }
-
- if ((opts & OPT_OUTQUE) != 0)
- fr->fr_flags |= FR_OUTQUE;
- if (fr->fr_hits)
- fr->fr_hits--;
- if ((opts & OPT_VERBOSE) != 0)
- printfr(fr, ioctlfunc);
-
- if ((opts & OPT_DEBUG) != 0) {
- binprint(fr, sizeof(*fr));
- if (fr->fr_data != NULL)
- binprint(fr->fr_data, fr->fr_dsize);
- }
-
- if ((opts & OPT_ZERORULEST) != 0) {
- if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
- if ((opts & OPT_DONOTHING) == 0) {
- char msg[80];
-
- sprintf(msg, "%d:ioctl(zero rule)",
- fr->fr_flineno);
- return ipf_perror_fd(fd, ioctlfunc, msg);
- }
- } else {
-#ifdef USE_QUAD_T
- printf("hits %qd bytes %qd ",
- (long long)fr->fr_hits,
- (long long)fr->fr_bytes);
-#else
- printf("hits %ld bytes %ld ",
- fr->fr_hits, fr->fr_bytes);
-#endif
- printfr(fr, ioctlfunc);
- }
- } else if ((opts & OPT_REMOVE) != 0) {
- if ((*ioctlfunc)(fd, del, (void *)&obj) == -1) {
- if ((opts & OPT_DONOTHING) == 0) {
- char msg[80];
-
- sprintf(msg, "%d:ioctl(delete rule)",
- fr->fr_flineno);
- return ipf_perror_fd(fd, ioctlfunc, msg);
- }
- }
- } else {
- if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
- if ((opts & OPT_DONOTHING) == 0) {
- char msg[80];
-
- sprintf(msg, "%d:ioctl(add/insert rule)",
- fr->fr_flineno);
- return ipf_perror_fd(fd, ioctlfunc, msg);
- }
- }
- }
- return 0;
-}
-
-static void setsyslog()
-{
- yysetdict(logwords);
- yybreakondot = 1;
-}
-
-
-static void unsetsyslog()
-{
- yyresetdict();
- yybreakondot = 0;
-}
-
-
-static void fillgroup(fr)
-frentry_t *fr;
-{
- frentry_t *f;
-
- for (f = frold; f != NULL; f = f->fr_next) {
- if (f->fr_grhead == -1 && fr->fr_group == -1)
- break;
- if (f->fr_grhead == -1 || fr->fr_group == -1)
- continue;
- if (strcmp(f->fr_names + f->fr_grhead,
- fr->fr_names + fr->fr_group) == 0)
- break;
- }
-
- if (f == NULL)
- return;
-
- /*
- * Only copy down matching fields if the rules are of the same type
- * and are of ipf type. The only fields that are copied are those
- * that impact the rule parsing itself, eg. need for knowing what the
- * protocol should be for rules with port comparisons in them.
- */
- if (f->fr_type != fr->fr_type || f->fr_type != FR_T_IPF)
- return;
-
- if (fr->fr_family == 0 && f->fr_family != 0)
- fr->fr_family = f->fr_family;
-
- if (fr->fr_mproto == 0 && f->fr_mproto != 0)
- fr->fr_mproto = f->fr_mproto;
- if (fr->fr_proto == 0 && f->fr_proto != 0)
- fr->fr_proto = f->fr_proto;
-
- if ((fr->fr_mproto == 0) && ((fr->fr_flx & FI_TCPUDP) == 0) &&
- ((f->fr_flx & FI_TCPUDP) != 0)) {
- fr->fr_flx |= FI_TCPUDP;
- fr->fr_mflx |= FI_TCPUDP;
- }
-}
-
-
-static void doipfexpr(line)
-char *line;
-{
- int *array;
- char *error;
-
- array = parseipfexpr(line, &error);
- if (array == NULL) {
- fprintf(stderr, "%s:", error);
- yyerror("error parsing ipf matching expression");
- return;
- }
-
- fr->fr_type = FR_T_IPFEXPR;
- fr->fr_data = array;
- fr->fr_dsize = array[0] * sizeof(*array);
-}
-
-
-static void do_tuneint(varname, value)
-char *varname;
-int value;
-{
- char buffer[80];
-
- strncpy(buffer, varname, 60);
- buffer[59] = '\0';
- strcat(buffer, "=");
- sprintf(buffer, "%u", value);
- ipf_dotuning(ipffd, buffer, ioctl);
-}
-
-
-static void do_tunestr(varname, value)
-char *varname, *value;
-{
-
- if (!strcasecmp(value, "true")) {
- do_tuneint(varname, 1);
- } else if (!strcasecmp(value, "false")) {
- do_tuneint(varname, 0);
- } else {
- yyerror("did not find true/false where expected");
- }
-}
-
-
-static void setifname(frp, idx, name)
-frentry_t **frp;
-int idx;
-char *name;
-{
- int pos;
-
- pos = addname(frp, name);
- if (pos == -1)
- return;
- (*frp)->fr_ifnames[idx] = pos;
-}
-
-
-static int addname(frp, name)
-frentry_t **frp;
-char *name;
-{
- frentry_t *f;
- int nlen;
- int pos;
-
- nlen = strlen(name) + 1;
- f = realloc(*frp, (*frp)->fr_size + nlen);
- if (*frp == frc)
- frc = f;
- *frp = f;
- if (f == NULL)
- return -1;
- if (f->fr_pnext != NULL)
- *f->fr_pnext = f;
- f->fr_size += nlen;
- pos = f->fr_namelen;
- f->fr_namelen += nlen;
- strcpy(f->fr_names + pos, name);
- f->fr_names[f->fr_namelen] = '\0';
- return pos;
-}
-
-
-static frentry_t *allocfr()
-{
- frentry_t *fr;
-
- fr = calloc(1, sizeof(*fr));
- if (fr != NULL) {
- fr->fr_size = sizeof(*fr);
- fr->fr_comment = -1;
- fr->fr_group = -1;
- fr->fr_grhead = -1;
- fr->fr_icmphead = -1;
- fr->fr_ifnames[0] = -1;
- fr->fr_ifnames[1] = -1;
- fr->fr_ifnames[2] = -1;
- fr->fr_ifnames[3] = -1;
- fr->fr_tif.fd_name = -1;
- fr->fr_rif.fd_name = -1;
- fr->fr_dif.fd_name = -1;
- }
- return fr;
-}
-
-
-static void setgroup(frp, name)
-frentry_t **frp;
-char *name;
-{
- int pos;
-
- pos = addname(frp, name);
- if (pos == -1)
- return;
- (*frp)->fr_group = pos;
-}
-
-
-static void setgrhead(frp, name)
-frentry_t **frp;
-char *name;
-{
- int pos;
-
- pos = addname(frp, name);
- if (pos == -1)
- return;
- (*frp)->fr_grhead = pos;
-}
-
-
-static void seticmphead(frp, name)
-frentry_t **frp;
-char *name;
-{
- int pos;
-
- pos = addname(frp, name);
- if (pos == -1)
- return;
- (*frp)->fr_icmphead = pos;
-}
-
-
-static void
-build_dstaddr_af(fp, ptr)
- frentry_t *fp;
- void *ptr;
-{
- struct ipp_s *ipp = ptr;
- frentry_t *f = fp;
-
- if (f->fr_family != AF_UNSPEC && ipp->f == AF_UNSPEC) {
- ipp->f = f->fr_family;
- ipp->v = f->fr_ip.fi_v;
- }
- if (ipp->f == AF_INET)
- ipp->v = 4;
- else if (ipp->f == AF_INET6)
- ipp->v = 6;
-
- for (; f != NULL; f = f->fr_next) {
- f->fr_ip.fi_dst = ipp->a;
- f->fr_mip.fi_dst = ipp->m;
- f->fr_family = ipp->f;
- f->fr_ip.fi_v = ipp->v;
- f->fr_mip.fi_v = 0xf;
- f->fr_datype = ipp->type;
- if (ipp->ifpos != -1)
- f->fr_ipf->fri_difpidx = ipp->ifpos;
- }
- fr = NULL;
-}
-
-
-static void
-build_srcaddr_af(fp, ptr)
- frentry_t *fp;
- void *ptr;
-{
- struct ipp_s *ipp = ptr;
- frentry_t *f = fp;
-
- if (f->fr_family != AF_UNSPEC && ipp->f == AF_UNSPEC) {
- ipp->f = f->fr_family;
- ipp->v = f->fr_ip.fi_v;
- }
- if (ipp->f == AF_INET)
- ipp->v = 4;
- else if (ipp->f == AF_INET6)
- ipp->v = 6;
-
- for (; f != NULL; f = f->fr_next) {
- f->fr_ip.fi_src = ipp->a;
- f->fr_mip.fi_src = ipp->m;
- f->fr_family = ipp->f;
- f->fr_ip.fi_v = ipp->v;
- f->fr_mip.fi_v = 0xf;
- f->fr_satype = ipp->type;
- f->fr_ipf->fri_sifpidx = ipp->ifpos;
- }
- fr = NULL;
-}