ipf_y.y (5e985db5) | ipf_y.y (ab25eeb5) |
---|---|
1%{ 2/* 3 * Copyright (C) 2003 by Darren Reed. 4 * 5 * See the IPFILTER.LICENCE file for details on licencing. 6 * | 1%{ 2/* 3 * Copyright (C) 2003 by Darren Reed. 4 * 5 * See the IPFILTER.LICENCE file for details on licencing. 6 * |
7 * Copyright 2005 Sun Microsystems, Inc. All rights reserved. | 7 * Copyright 2006 Sun Microsystems, Inc. All rights reserved. |
8 * Use is subject to license terms. 9 */ 10 11#pragma ident "%Z%%M% %I% %E% SMI" 12 13#include "ipf.h" | 8 * Use is subject to license terms. 9 */ 10 11#pragma ident "%Z%%M% %I% %E% SMI" 12 13#include "ipf.h" |
14#include <netinet/ip_icmp.h> | |
15#include <sys/ioctl.h> 16#include <syslog.h> 17#ifdef IPFILTER_BPF | 14#include <sys/ioctl.h> 15#include <syslog.h> 16#ifdef IPFILTER_BPF |
18# include <net/bpf.h> 19# include <pcap-int.h> | 17# include "pcap-bpf.h" 18# define _NET_BPF_H_ |
20# include <pcap.h> 21#endif | 19# include <pcap.h> 20#endif |
22#if SOLARIS2 >= 10 23#include "ip_pool.h" 24#include "ip_htable.h" 25#include "ipl.h" 26#else | |
27#include "netinet/ip_pool.h" 28#include "netinet/ip_htable.h" 29#include "netinet/ipl.h" | 21#include "netinet/ip_pool.h" 22#include "netinet/ip_htable.h" 23#include "netinet/ipl.h" |
30#endif | |
31#include "ipf_l.h" 32 33#define YYDEBUG 1 34#define DOALL(x) for (fr = frc; fr != NULL; fr = fr->fr_next) { x } 35#define DOREM(x) for (; fr != NULL; fr = fr->fr_next) { x } | 24#include "ipf_l.h" 25 26#define YYDEBUG 1 27#define DOALL(x) for (fr = frc; fr != NULL; fr = fr->fr_next) { x } 28#define DOREM(x) for (; fr != NULL; fr = fr->fr_next) { x } |
36#if SOLARIS2 >= 10 37#define VNI "vni" 38#define VNISTRLEN 3 39#endif | |
40 | 29 |
41#define OPTION_LOG 0x1 42#define OPTION_QUICK 0x2 43#define OPTION_DUP 0x4 44#define OPTION_PROUTE 0x8 45#define OPTION_ON 0x10 46#define OPTION_REPLYTO 0x20 47#define OPTION_FROUTE 0x40 | 30#define OPTION_LOG 0x1 31#define OPTION_QUICK 0x2 32#define OPTION_DUP 0x4 33#define OPTION_PROUTE 0x8 34#define OPTION_ON 0x10 35#define OPTION_REPLYTO 0x20 36#define OPTION_FROUTE 0x40 |
48 49extern void yyerror __P((char *)); 50extern int yyparse __P((void)); 51extern int yylex __P((void)); 52extern int yydebug; 53extern FILE *yyin; 54extern int yylineNum; 55 56static void newrule __P((void)); 57static void setipftype __P((void)); 58static u_32_t lookuphost __P((char *)); | 37 38extern void yyerror __P((char *)); 39extern int yyparse __P((void)); 40extern int yylex __P((void)); 41extern int yydebug; 42extern FILE *yyin; 43extern int yylineNum; 44 45static void newrule __P((void)); 46static void setipftype __P((void)); 47static u_32_t lookuphost __P((char *)); |
59static void dobpf __P((char *)); | 48static void dobpf __P((int, char *)); |
60static void resetaddr __P((void)); 61static struct alist_s *newalist __P((struct alist_s *)); 62static u_int makehash __P((struct alist_s *)); 63static int makepool __P((struct alist_s *)); 64static frentry_t *addrule __P((void)); 65static void setsyslog __P((void)); 66static void unsetsyslog __P((void)); 67static void fillgroup __P((frentry_t *)); --- 4 unchanged lines hidden (view full) --- 72static int nowith = 0; 73static int dynamic = -1; 74static int pooled = 0; 75static int hashed = 0; 76static int nrules = 0; 77static int newlist = 0; 78static int added = 0; 79static int ipffd = -1; | 49static void resetaddr __P((void)); 50static struct alist_s *newalist __P((struct alist_s *)); 51static u_int makehash __P((struct alist_s *)); 52static int makepool __P((struct alist_s *)); 53static frentry_t *addrule __P((void)); 54static void setsyslog __P((void)); 55static void unsetsyslog __P((void)); 56static void fillgroup __P((frentry_t *)); --- 4 unchanged lines hidden (view full) --- 61static int nowith = 0; 62static int dynamic = -1; 63static int pooled = 0; 64static int hashed = 0; 65static int nrules = 0; 66static int newlist = 0; 67static int added = 0; 68static int ipffd = -1; |
69static int ruleopts = 0; |
|
80static int *yycont = 0; | 70static int *yycont = 0; |
81static int ruleopts = 0; | |
82static ioctlfunc_t ipfioctl[IPL_LOGSIZE]; 83static addfunc_t ipfaddfunc = NULL; | 71static ioctlfunc_t ipfioctl[IPL_LOGSIZE]; 72static addfunc_t ipfaddfunc = NULL; |
84static wordtab_t addrwords[4]; 85static wordtab_t maskwords[5]; 86static wordtab_t *savewords; 87static int set_ipv6_addr = 0; | 73static struct wordtab ipfwords[95]; 74static struct wordtab addrwords[4]; 75static struct wordtab maskwords[5]; 76static struct wordtab icmpcodewords[17]; 77static struct wordtab icmptypewords[16]; 78static struct wordtab ipv4optwords[25]; 79static struct wordtab ipv4secwords[9]; 80static struct wordtab ipv6optwords[8]; 81static struct wordtab logwords[33]; 82static int set_ipv6_addr = 0; |
88 89%} 90%union { 91 char *str; 92 u_32_t num; 93 struct in_addr ipa; 94 frentry_t fr; 95 frtuc_t *frt; 96 struct alist_s *alist; | 83 84%} 85%union { 86 char *str; 87 u_32_t num; 88 struct in_addr ipa; 89 frentry_t fr; 90 frtuc_t *frt; 91 struct alist_s *alist; |
92 u_short port; |
|
97 struct { 98 u_short p1; 99 u_short p2; 100 int pc; 101 } pc; 102 struct { 103 union i6addr a; 104 union i6addr m; 105 } ipp; 106 union i6addr ip6; 107}; 108 | 93 struct { 94 u_short p1; 95 u_short p2; 96 int pc; 97 } pc; 98 struct { 99 union i6addr a; 100 union i6addr m; 101 } ipp; 102 union i6addr ip6; 103}; 104 |
109%type <num> portnum facility priority icmpcode seclevel secname icmptype | 105%type <port> portnum 106%type <num> facility priority icmpcode seclevel secname icmptype |
110%type <num> opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr | 107%type <num> opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr |
111%type <num> portc porteq 112%type <ipa> hostname ipv4 ipv4mask | 108%type <num> portc porteq 109%type <ipa> hostname ipv4 ipv4mask ipv4_16 ipv4_24 |
113%type <ip6> ipv6mask 114%type <ipp> addr ipaddr 115%type <str> servicename name interfacename 116%type <pc> portrange portcomp 117%type <alist> addrlist poollist 118 119%token <num> YY_NUMBER YY_HEX 120%token <str> YY_STR 121%token YY_COMMENT 122%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT 123%token YY_RANGE_OUT YY_RANGE_IN 124%token <ip6> YY_IPV6 125 126%token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL 127%token IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST 128%token IPFY_IN IPFY_OUT 129%token IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA | 110%type <ip6> ipv6mask 111%type <ipp> addr ipaddr 112%type <str> servicename name interfacename 113%type <pc> portrange portcomp 114%type <alist> addrlist poollist 115 116%token <num> YY_NUMBER YY_HEX 117%token <str> YY_STR 118%token YY_COMMENT 119%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT 120%token YY_RANGE_OUT YY_RANGE_IN 121%token <ip6> YY_IPV6 122 123%token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL 124%token IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST 125%token IPFY_IN IPFY_OUT 126%token IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA |
130%token IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO | 127%token IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO IPFY_ROUTETO |
131%token IPFY_TOS IPFY_TTL IPFY_PROTO 132%token IPFY_HEAD IPFY_GROUP | 128%token IPFY_TOS IPFY_TTL IPFY_PROTO 129%token IPFY_HEAD IPFY_GROUP |
133%token IPFY_AUTH IPFY_PREAUTH IPFY_DIVERT | 130%token IPFY_AUTH IPFY_PREAUTH |
134%token IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK | 131%token IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK |
135%token IPFY_LOGTAG IPFY_TAG IPFY_SKIP 136%token IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPF IPFY_POOL IPFY_HASH | 132%token IPFY_LOGTAG IPFY_MATCHTAG IPFY_SETTAG IPFY_SKIP 133%token IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPFV4 IPFY_BPFV6 IPFY_POOL IPFY_HASH |
137%token IPFY_PPS 138%token IPFY_ESP IPFY_AH 139%token IPFY_WITH IPFY_AND IPFY_NOT IPFY_NO IPFY_OPT 140%token IPFY_TCPUDP IPFY_TCP IPFY_UDP 141%token IPFY_FLAGS IPFY_MULTICAST 142%token IPFY_MASK IPFY_BROADCAST IPFY_NETWORK IPFY_NETMASKED IPFY_PEER 143%token IPFY_PORT 144%token IPFY_NOW 145%token IPFY_ICMP IPFY_ICMPTYPE IPFY_ICMPCODE 146%token IPFY_IPOPTS IPFY_SHORT IPFY_NAT IPFY_BADSRC IPFY_LOWTTL IPFY_FRAG 147%token IPFY_MBCAST IPFY_BAD IPFY_BADNAT IPFY_OOW IPFY_NEWISN IPFY_NOICMPERR 148%token IPFY_KEEP IPFY_STATE IPFY_FRAGS IPFY_LIMIT IPFY_STRICT IPFY_AGE | 134%token IPFY_PPS 135%token IPFY_ESP IPFY_AH 136%token IPFY_WITH IPFY_AND IPFY_NOT IPFY_NO IPFY_OPT 137%token IPFY_TCPUDP IPFY_TCP IPFY_UDP 138%token IPFY_FLAGS IPFY_MULTICAST 139%token IPFY_MASK IPFY_BROADCAST IPFY_NETWORK IPFY_NETMASKED IPFY_PEER 140%token IPFY_PORT 141%token IPFY_NOW 142%token IPFY_ICMP IPFY_ICMPTYPE IPFY_ICMPCODE 143%token IPFY_IPOPTS IPFY_SHORT IPFY_NAT IPFY_BADSRC IPFY_LOWTTL IPFY_FRAG 144%token IPFY_MBCAST IPFY_BAD IPFY_BADNAT IPFY_OOW IPFY_NEWISN IPFY_NOICMPERR 145%token IPFY_KEEP IPFY_STATE IPFY_FRAGS IPFY_LIMIT IPFY_STRICT IPFY_AGE |
146%token IPFY_SYNC IPFY_FRAGBODY |
|
149%token IPFY_IPOPT_NOP IPFY_IPOPT_RR IPFY_IPOPT_ZSU IPFY_IPOPT_MTUP 150%token IPFY_IPOPT_MTUR IPFY_IPOPT_ENCODE IPFY_IPOPT_TS IPFY_IPOPT_TR 151%token IPFY_IPOPT_SEC IPFY_IPOPT_LSRR IPFY_IPOPT_ESEC IPFY_IPOPT_CIPSO 152%token IPFY_IPOPT_SATID IPFY_IPOPT_SSRR IPFY_IPOPT_ADDEXT IPFY_IPOPT_VISA 153%token IPFY_IPOPT_IMITD IPFY_IPOPT_EIP IPFY_IPOPT_FINN IPFY_IPOPT_DPS 154%token IPFY_IPOPT_SDB IPFY_IPOPT_NSAPA IPFY_IPOPT_RTRALRT IPFY_IPOPT_UMP 155%token IPFY_SECCLASS IPFY_SEC_UNC IPFY_SEC_CONF IPFY_SEC_RSV1 IPFY_SEC_RSV2 156%token IPFY_SEC_RSV4 IPFY_SEC_SEC IPFY_SEC_TS IPFY_SEC_RSV3 --- 50 unchanged lines hidden (view full) --- 207 free($3); 208 } 209 ; 210 211assigning: 212 '=' { yyvarnext = 1; } 213 ; 214 | 147%token IPFY_IPOPT_NOP IPFY_IPOPT_RR IPFY_IPOPT_ZSU IPFY_IPOPT_MTUP 148%token IPFY_IPOPT_MTUR IPFY_IPOPT_ENCODE IPFY_IPOPT_TS IPFY_IPOPT_TR 149%token IPFY_IPOPT_SEC IPFY_IPOPT_LSRR IPFY_IPOPT_ESEC IPFY_IPOPT_CIPSO 150%token IPFY_IPOPT_SATID IPFY_IPOPT_SSRR IPFY_IPOPT_ADDEXT IPFY_IPOPT_VISA 151%token IPFY_IPOPT_IMITD IPFY_IPOPT_EIP IPFY_IPOPT_FINN IPFY_IPOPT_DPS 152%token IPFY_IPOPT_SDB IPFY_IPOPT_NSAPA IPFY_IPOPT_RTRALRT IPFY_IPOPT_UMP 153%token IPFY_SECCLASS IPFY_SEC_UNC IPFY_SEC_CONF IPFY_SEC_RSV1 IPFY_SEC_RSV2 154%token IPFY_SEC_RSV4 IPFY_SEC_SEC IPFY_SEC_TS IPFY_SEC_RSV3 --- 50 unchanged lines hidden (view full) --- 205 free($3); 206 } 207 ; 208 209assigning: 210 '=' { yyvarnext = 1; } 211 ; 212 |
215rule: inrule 216 | outrule | 213rule: inrule eol 214 | outrule eol |
217 ; 218 | 215 ; 216 |
217eol: | ';' 218 ; 219 |
|
219inrule: | 220inrule: |
220 rulehead markin { ruleopts = 0; } inopts rulemain ruletail | 221 rulehead markin { ruleopts = 0; } inopts rulemain ruletail intag ruletail2 |
221 ; 222 223outrule: | 222 ; 223 224outrule: |
224 rulehead markout { ruleopts = 0; } outopts rulemain ruletail | 225 rulehead markout { ruleopts = 0; } outopts rulemain ruletail outtag ruletail2 |
225 ; 226 227rulehead: 228 collection action 229 | insert collection action 230 ; 231 232markin: IPFY_IN { fr->fr_flags |= FR_INQUE; } --- 8 unchanged lines hidden (view full) --- 241 | bpfrule 242 ; 243 244ipfrule: 245 tos ttl proto ip 246 ; 247 248bpfrule: | 226 ; 227 228rulehead: 229 collection action 230 | insert collection action 231 ; 232 233markin: IPFY_IN { fr->fr_flags |= FR_INQUE; } --- 8 unchanged lines hidden (view full) --- 242 | bpfrule 243 ; 244 245ipfrule: 246 tos ttl proto ip 247 ; 248 249bpfrule: |
249 IPFY_BPF '{' YY_STR '}' { dobpf($3); free($3); } | 250 IPFY_BPFV4 '{' YY_STR '}' { dobpf(4, $3); free($3); } 251 | IPFY_BPFV6 '{' YY_STR '}' { dobpf(6, $3); free($3); } |
250 ; 251 252ruletail: | 252 ; 253 254ruletail: |
253 keep head group tag pps age new | 255 with keep head group |
254 ; 255 | 256 ; 257 |
258ruletail2: 259 pps age new 260 ; 261 262intag: settagin matchtagin 263 ; 264 265outtag: settagout matchtagout 266 ; 267 |
|
256insert: | 268insert: |
257 '@' YY_NUMBER { fr->fr_hits = (U_QUAD_T)$2; } | 269 '@' YY_NUMBER { fr->fr_hits = (U_QUAD_T)$2 + 1; } |
258 ; 259 260collection: 261 | YY_NUMBER { fr->fr_collect = $1; } 262 ; 263 264action: block 265 | IPFY_PASS { fr->fr_flags |= FR_PASS; } | 270 ; 271 272collection: 273 | YY_NUMBER { fr->fr_collect = $1; } 274 ; 275 276action: block 277 | IPFY_PASS { fr->fr_flags |= FR_PASS; } |
266 | IPFY_DIVERT YY_NUMBER { fr->fr_flags |= FR_DIVERT; 267 fr->fr_arg = $2; } | |
268 | log 269 | IPFY_COUNT { fr->fr_flags |= FR_ACCOUNT; } 270 | auth 271 | IPFY_SKIP YY_NUMBER { fr->fr_flags |= FR_SKIP; 272 fr->fr_arg = $2; } 273 | IPFY_CALL func 274 | IPFY_CALL IPFY_NOW func { fr->fr_flags |= FR_CALLNOW; } 275 ; --- 148 unchanged lines hidden (view full) --- 424lend: ')' { nrules += added; } 425 ; 426 427lmore: lanother { if (newlist == 1) { 428 newlist = 0; 429 } 430 fr = addrule(); 431 if (yycont != NULL) | 278 | log 279 | IPFY_COUNT { fr->fr_flags |= FR_ACCOUNT; } 280 | auth 281 | IPFY_SKIP YY_NUMBER { fr->fr_flags |= FR_SKIP; 282 fr->fr_arg = $2; } 283 | IPFY_CALL func 284 | IPFY_CALL IPFY_NOW func { fr->fr_flags |= FR_CALLNOW; } 285 ; --- 148 unchanged lines hidden (view full) --- 434lend: ')' { nrules += added; } 435 ; 436 437lmore: lanother { if (newlist == 1) { 438 newlist = 0; 439 } 440 fr = addrule(); 441 if (yycont != NULL) |
432 *yycont = 1; | 442 *yycont = 1; |
433 } 434 ; 435 436lanother: 437 | ',' 438 ; 439 440setttl: IPFY_TTL { setipftype(); } --- 8 unchanged lines hidden (view full) --- 449proto: | protox protocol { yyresetdict(); } 450 ; 451 452protox: IPFY_PROTO { setipftype(); 453 fr = frc; 454 yysetdict(NULL); } 455 ; 456 | 443 } 444 ; 445 446lanother: 447 | ',' 448 ; 449 450setttl: IPFY_TTL { setipftype(); } --- 8 unchanged lines hidden (view full) --- 459proto: | protox protocol { yyresetdict(); } 460 ; 461 462protox: IPFY_PROTO { setipftype(); 463 fr = frc; 464 yysetdict(NULL); } 465 ; 466 |
457ip: srcdst flags with icmp | 467ip: srcdst flags icmp |
458 ; 459 460group: | IPFY_GROUP YY_STR { DOALL(strncpy(fr->fr_group, $2, \ 461 FR_GROUPLEN); \ 462 fillgroup(fr);); 463 free($2); } 464 | IPFY_GROUP YY_NUMBER { DOALL(sprintf(fr->fr_group, "%d", \ 465 $2); \ 466 fillgroup(fr);) } 467 ; 468 469head: | IPFY_HEAD YY_STR { DOALL(strncpy(fr->fr_grhead, $2, \ 470 FR_GROUPLEN);); 471 free($2); } 472 | IPFY_HEAD YY_NUMBER { DOALL(sprintf(fr->fr_grhead, "%d", \ 473 $2);) } 474 ; 475 | 468 ; 469 470group: | IPFY_GROUP YY_STR { DOALL(strncpy(fr->fr_group, $2, \ 471 FR_GROUPLEN); \ 472 fillgroup(fr);); 473 free($2); } 474 | IPFY_GROUP YY_NUMBER { DOALL(sprintf(fr->fr_group, "%d", \ 475 $2); \ 476 fillgroup(fr);) } 477 ; 478 479head: | IPFY_HEAD YY_STR { DOALL(strncpy(fr->fr_grhead, $2, \ 480 FR_GROUPLEN);); 481 free($2); } 482 | IPFY_HEAD YY_NUMBER { DOALL(sprintf(fr->fr_grhead, "%d", \ 483 $2);) } 484 ; 485 |
476tag: | IPFY_TAG YY_NUMBER { DOALL(fr->fr_logtag = $2;) } 477 | IPFY_TAG '(' taglist ')' | 486settagin: 487 | IPFY_SETTAG '(' taginlist ')' 488 ; |
478 | 489 |
479taglist: 480 tagspec 481 | taglist ',' tagspec | 490taginlist: 491 taginspec 492 | taginlist ',' taginspec |
482 ; 483 | 493 ; 494 |
484tagspec: 485 IPFY_NAT '=' YY_STR { DOALL(strncpy(fr->fr_nattag.ipt_tag,\ 486 $3, 16);); | 495taginspec: 496 logtag 497 |nattag 498 ; 499 500nattag: IPFY_NAT '=' YY_STR { DOALL(strncpy(fr->fr_nattag.ipt_tag,\ 501 $3, IPFTAG_LEN);); |
487 free($3); } 488 | IPFY_NAT '=' YY_NUMBER { DOALL(sprintf(fr->fr_nattag.ipt_tag,\ | 502 free($3); } 503 | IPFY_NAT '=' YY_NUMBER { DOALL(sprintf(fr->fr_nattag.ipt_tag,\ |
489 "%15d", $3);) } 490 | IPFY_LOG '=' YY_NUMBER { DOALL(fr->fr_logtag = $3;) } | 504 "%d", $3 & 0xffffffff);) } |
491 ; 492 | 505 ; 506 |
507logtag: IPFY_LOG '=' YY_NUMBER { DOALL(fr->fr_logtag = $3;) } 508 ; 509 510settagout: 511 | IPFY_SETTAG '(' tagoutlist ')' 512 ; 513 514tagoutlist: 515 tagoutspec 516 | tagoutlist ',' tagoutspec 517 ; 518 519tagoutspec: 520 logtag 521 | nattag 522 ; 523 524matchtagin: 525 | IPFY_MATCHTAG '(' tagoutlist ')' 526 ; 527 528matchtagout: 529 | IPFY_MATCHTAG '(' taginlist ')' 530 ; 531 |
|
493pps: | IPFY_PPS YY_NUMBER { DOALL(fr->fr_pps = $2;) } 494 ; 495 496new: | savegroup file restoregroup 497 ; 498 499savegroup: 500 '{' --- 11 unchanged lines hidden (view full) --- 512 ; 513 514on: IPFY_ON onname 515 | IPFY_ON onname IPFY_INVIA vianame 516 | IPFY_ON onname IPFY_OUTVIA vianame 517 ; 518 519onname: interfacename | 532pps: | IPFY_PPS YY_NUMBER { DOALL(fr->fr_pps = $2;) } 533 ; 534 535new: | savegroup file restoregroup 536 ; 537 538savegroup: 539 '{' --- 11 unchanged lines hidden (view full) --- 551 ; 552 553on: IPFY_ON onname 554 | IPFY_ON onname IPFY_INVIA vianame 555 | IPFY_ON onname IPFY_OUTVIA vianame 556 ; 557 558onname: interfacename |
520 { 521#if SOLARIS2 >=10 522 char *cp; 523#endif 524 strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0])); 525#if SOLARIS2 >= 10 526 if (strncmp(VNI, $1, VNISTRLEN) == 0) { 527 cp = $1 + VNISTRLEN; 528 cp += strspn(cp, "0123456789"); 529 if (*cp == '\0' || *cp == ':') { 530 fprintf(stderr, "%d: Warning- %s specified. vni" 531 " is a virtual interface, use a physical" 532 " interface instead. See vni(7D)\n", 533 yylineNum, $1); 534 } 535 } 536#endif | 559 { strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0])); |
537 free($1); 538 } | 560 free($1); 561 } |
539 | interfacename ',' name 540 { 541#if SOLARIS2 >= 10 542 char *cp; 543#endif 544 strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0])); 545#if SOLARIS2 >= 10 546 if (strncmp(VNI, $1, VNISTRLEN) == 0) { 547 cp = $1 + VNISTRLEN; 548 cp += strspn(cp, "0123456789"); 549 if (*cp == '\0' || *cp == ':') { 550 fprintf(stderr, "%d: Warning- %s specified. vni" 551 " is a virtual interface, use a physical" 552 " interface instead. See vni(7D)\n", 553 yylineNum, $1); 554 } 555 } 556#endif | 562 | interfacename ',' interfacename 563 { strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0])); |
557 free($1); 558 strncpy(fr->fr_ifnames[1], $3, sizeof(fr->fr_ifnames[1])); | 564 free($1); 565 strncpy(fr->fr_ifnames[1], $3, sizeof(fr->fr_ifnames[1])); |
559#if SOLARIS2 >= 10 560 if (strncmp(VNI, $3, VNISTRLEN) == 0) { 561 cp = $3 + VNISTRLEN; 562 cp += strspn(cp, "0123456789"); 563 if (*cp == '\0' || *cp == ':') { 564 fprintf(stderr, "%d: Warning- %s specified. vni" 565 " is a virtual interface, use a physical" 566 " interface instead. See vni(7D)\n", 567 yylineNum, $3); 568 } 569 } 570#endif | |
571 free($3); 572 } 573 ; 574 575vianame: | 566 free($3); 567 } 568 ; 569 570vianame: |
576 interfacename 577 { 578#if SOLARIS2 >= 10 579 char *cp; 580#endif 581 strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2])); 582#if SOLARIS2 >= 10 583 if (strncmp(VNI, $1, VNISTRLEN) == 0) { 584 cp = $1 + VNISTRLEN; 585 cp += strspn(cp, "0123456789"); 586 if (*cp == '\0' || *cp == ':') { 587 fprintf(stderr, "%d: Warning- %s specified. vni" 588 " is a virtual interface, use a physical" 589 " interface instead. See vni(7D)\n", 590 yylineNum, $1); 591 } 592 } 593#endif | 571 name 572 { strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2])); |
594 free($1); 595 } | 573 free($1); 574 } |
596 | interfacename ',' name 597 { 598#if SOLARIS2 >= 10 599 char *cp; 600#endif 601 strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2])); 602#if SOLARIS2 >= 10 603 if (strncmp(VNI, $1, VNISTRLEN) == 0) { 604 cp = $1 + VNISTRLEN; 605 cp += strspn(cp, "0123456789"); 606 if (*cp == '\0' || *cp == ':') { 607 fprintf(stderr, "%d: Warning- %s specified. vni" 608 " is a virtual interface, use a physical" 609 " interface instead. See vni(7D)\n", 610 yylineNum, $1); 611 } 612 } 613#endif | 575 | name ',' name 576 { strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2])); |
614 free($1); 615 strncpy(fr->fr_ifnames[3], $3, sizeof(fr->fr_ifnames[3])); | 577 free($1); 578 strncpy(fr->fr_ifnames[3], $3, sizeof(fr->fr_ifnames[3])); |
616#if SOLARIS2 >= 10 617 if (strncmp(VNI, $3, VNISTRLEN) == 0) { 618 cp = $3 + VNISTRLEN; 619 cp += strspn(cp, "0123456789"); 620 if (*cp == '\0' || *cp == ':') { 621 fprintf(stderr, "%d: Warning- %s specified. vni" 622 " is a virtual interface, use a physical" 623 " interface instead. See vni(7D)\n", 624 yylineNum, $3); 625 } 626 } 627#endif | |
628 free($3); 629 } 630 ; 631 632dup: IPFY_DUPTO name 633 { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname)); 634 free($2); 635 } | 579 free($3); 580 } 581 ; 582 583dup: IPFY_DUPTO name 584 { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname)); 585 free($2); 586 } |
636 | IPFY_DUPTO name ':' hostname | 587 | IPFY_DUPTO name duptoseparator hostname |
637 { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname)); 638 fr->fr_dif.fd_ip = $4; | 588 { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname)); 589 fr->fr_dif.fd_ip = $4; |
590 yyexpectaddr = 0; |
|
639 free($2); 640 } | 591 free($2); 592 } |
593 | IPFY_DUPTO name duptoseparator YY_IPV6 594 { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname)); 595 bcopy(&$4, &fr->fr_dif.fd_ip6, sizeof(fr->fr_dif.fd_ip6)); 596 yyexpectaddr = 0; 597 free($2); 598 } |
|
641 ; 642 | 599 ; 600 |
601duptoseparator: 602 ':' { yyexpectaddr = 1; yycont = &yyexpectaddr; resetaddr(); } 603 ; 604 |
|
643froute: IPFY_FROUTE { fr->fr_flags |= FR_FASTROUTE; } 644 ; 645 | 605froute: IPFY_FROUTE { fr->fr_flags |= FR_FASTROUTE; } 606 ; 607 |
646proute: IPFY_TO name | 608proute: routeto name |
647 { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname)); 648 free($2); 649 } | 609 { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname)); 610 free($2); 611 } |
650 | IPFY_TO name ':' hostname | 612 | routeto name duptoseparator hostname |
651 { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname)); 652 fr->fr_tif.fd_ip = $4; | 613 { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname)); 614 fr->fr_tif.fd_ip = $4; |
615 yyexpectaddr = 0; |
|
653 free($2); 654 } | 616 free($2); 617 } |
618 | routeto name duptoseparator YY_IPV6 619 { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname)); 620 bcopy(&$4, &fr->fr_tif.fd_ip6, sizeof(fr->fr_tif.fd_ip6)); 621 yyexpectaddr = 0; 622 free($2); 623 } |
|
655 ; 656 | 624 ; 625 |
626routeto: 627 IPFY_TO 628 | IPFY_ROUTETO 629 ; 630 |
|
657replyto: 658 IPFY_REPLY_TO name 659 { strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname)); 660 free($2); 661 } | 631replyto: 632 IPFY_REPLY_TO name 633 { strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname)); 634 free($2); 635 } |
662 | IPFY_REPLY_TO name ':' hostname | 636 | IPFY_REPLY_TO name duptoseparator hostname |
663 { strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname)); 664 fr->fr_rif.fd_ip = $4; 665 free($2); 666 } 667 ; 668 669logoptions: 670 logoption --- 10 unchanged lines hidden (view full) --- 681returncode: 682 starticmpcode icmpcode ')' { fr->fr_icode = $2; yyresetdict(); } 683 ; 684 685starticmpcode: 686 '(' { yysetdict(icmpcodewords); } 687 ; 688 | 637 { strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname)); 638 fr->fr_rif.fd_ip = $4; 639 free($2); 640 } 641 ; 642 643logoptions: 644 logoption --- 10 unchanged lines hidden (view full) --- 655returncode: 656 starticmpcode icmpcode ')' { fr->fr_icode = $2; yyresetdict(); } 657 ; 658 659starticmpcode: 660 '(' { yysetdict(icmpcodewords); } 661 ; 662 |
689srcdst: IPFY_ALL | 663srcdst: | IPFY_ALL |
690 | fromto 691 ; 692 693protocol: 694 YY_NUMBER { DOREM(fr->fr_proto = $1; \ 695 fr->fr_mproto = 0xff;) } 696 | YY_STR { if (!strcmp($1, "tcp-udp")) { 697 DOREM(fr->fr_flx |= FI_TCPUDP; \ 698 fr->fr_mflx |= FI_TCPUDP;) 699 } else { 700 int p = getproto($1); 701 if (p == -1) | 664 | fromto 665 ; 666 667protocol: 668 YY_NUMBER { DOREM(fr->fr_proto = $1; \ 669 fr->fr_mproto = 0xff;) } 670 | YY_STR { if (!strcmp($1, "tcp-udp")) { 671 DOREM(fr->fr_flx |= FI_TCPUDP; \ 672 fr->fr_mflx |= FI_TCPUDP;) 673 } else { 674 int p = getproto($1); 675 if (p == -1) |
702 fprintf(stderr, "protocol unknown: %s, line %d\n", $1, yylineNum); | 676 yyerror("protocol unknown"); |
703 DOREM(fr->fr_proto = p; \ 704 fr->fr_mproto = 0xff;) 705 } 706 free($1); 707 } 708 | YY_STR nextstring YY_STR 709 { if (!strcmp($1, "tcp") && 710 !strcmp($3, "udp")) { --- 14 unchanged lines hidden (view full) --- 725 | to dstobject { yyexpectaddr = 0; yycont = NULL; } 726 | from srcobject { yyexpectaddr = 0; yycont = NULL; } 727 ; 728 729from: IPFY_FROM { setipftype(); 730 if (fr == NULL) 731 fr = frc; 732 yyexpectaddr = 1; | 677 DOREM(fr->fr_proto = p; \ 678 fr->fr_mproto = 0xff;) 679 } 680 free($1); 681 } 682 | YY_STR nextstring YY_STR 683 { if (!strcmp($1, "tcp") && 684 !strcmp($3, "udp")) { --- 14 unchanged lines hidden (view full) --- 699 | to dstobject { yyexpectaddr = 0; yycont = NULL; } 700 | from srcobject { yyexpectaddr = 0; yycont = NULL; } 701 ; 702 703from: IPFY_FROM { setipftype(); 704 if (fr == NULL) 705 fr = frc; 706 yyexpectaddr = 1; |
707 if (yydebug) 708 printf("set yyexpectaddr\n"); |
|
733 yycont = &yyexpectaddr; 734 yysetdict(addrwords); 735 resetaddr(); } 736 ; 737 738to: IPFY_TO { if (fr == NULL) 739 fr = frc; 740 yyexpectaddr = 1; | 709 yycont = &yyexpectaddr; 710 yysetdict(addrwords); 711 resetaddr(); } 712 ; 713 714to: IPFY_TO { if (fr == NULL) 715 fr = frc; 716 yyexpectaddr = 1; |
717 if (yydebug) 718 printf("set yyexpectaddr\n"); |
|
741 yycont = &yyexpectaddr; 742 yysetdict(addrwords); 743 resetaddr(); } 744 ; 745 746with: | andwith withlist 747 ; 748 749andwith: 750 IPFY_WITH { nowith = 0; setipftype(); } 751 | IPFY_AND { nowith = 0; setipftype(); } 752 ; 753 | 719 yycont = &yyexpectaddr; 720 yysetdict(addrwords); 721 resetaddr(); } 722 ; 723 724with: | andwith withlist 725 ; 726 727andwith: 728 IPFY_WITH { nowith = 0; setipftype(); } 729 | IPFY_AND { nowith = 0; setipftype(); } 730 ; 731 |
754flags: | IPFY_FLAGS flagset | 732flags: | startflags flagset |
755 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) } | 733 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) } |
756 | IPFY_FLAGS flagset '/' flagset | 734 | startflags flagset '/' flagset |
757 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) } | 735 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) } |
758 | IPFY_FLAGS '/' flagset | 736 | startflags '/' flagset |
759 { DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) } | 737 { DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) } |
760 | IPFY_FLAGS YY_NUMBER | 738 | startflags YY_NUMBER |
761 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) } | 739 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) } |
762 | IPFY_FLAGS '/' YY_NUMBER | 740 | startflags '/' YY_NUMBER |
763 { DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) } | 741 { DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) } |
764 | IPFY_FLAGS YY_NUMBER '/' YY_NUMBER | 742 | startflags YY_NUMBER '/' YY_NUMBER |
765 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) } | 743 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) } |
766 | IPFY_FLAGS flagset '/' YY_NUMBER | 744 | startflags flagset '/' YY_NUMBER |
767 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) } | 745 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) } |
768 | IPFY_FLAGS YY_NUMBER '/' flagset | 746 | startflags YY_NUMBER '/' flagset |
769 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) } 770 ; 771 | 747 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) } 748 ; 749 |
750startflags: 751 IPFY_FLAGS { if (frc->fr_type != FR_T_IPF) 752 yyerror("flags with non-ipf type rule"); 753 if (frc->fr_proto != IPPROTO_TCP) 754 yyerror("flags with non-TCP rule"); 755 } 756 ; 757 |
|
772flagset: 773 YY_STR { $$ = tcpflags($1); free($1); } 774 | YY_HEX { $$ = $1; } 775 ; 776 777srcobject: | 758flagset: 759 YY_STR { $$ = tcpflags($1); free($1); } 760 | YY_HEX { $$ = $1; } 761 ; 762 763srcobject: |
778 srcaddr srcport | 764 { yyresetdict(); } fromport 765 | srcaddr srcport |
779 | '!' srcaddr srcport 780 { DOALL(fr->fr_flags |= FR_NOTSRCIP;) } | 766 | '!' srcaddr srcport 767 { DOALL(fr->fr_flags |= FR_NOTSRCIP;) } |
781 | fromport | |
782 ; 783 784srcaddr: 785 addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \ 786 bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \ 787 if (dynamic != -1) { \ 788 fr->fr_satype = ifpflag; \ 789 fr->fr_ipf->fri_sifpidx = dynamic; \ --- 45 unchanged lines hidden (view full) --- 835 836srcportlist: 837 portnum { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $1;) } 838 | srcportlist lmore portnum 839 { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $3;) } 840 ; 841 842dstobject: | 768 ; 769 770srcaddr: 771 addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \ 772 bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \ 773 if (dynamic != -1) { \ 774 fr->fr_satype = ifpflag; \ 775 fr->fr_ipf->fri_sifpidx = dynamic; \ --- 45 unchanged lines hidden (view full) --- 821 822srcportlist: 823 portnum { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $1;) } 824 | srcportlist lmore portnum 825 { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $3;) } 826 ; 827 828dstobject: |
843 toport | 829 { yyresetdict(); } toport |
844 | dstaddr dstport 845 | '!' dstaddr dstport 846 { DOALL(fr->fr_flags |= FR_NOTDSTIP;) } 847 ; 848 849dstaddr: 850 addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \ 851 bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \ --- 103 unchanged lines hidden (view full) --- 955maskspace: 956 '/' 957 | IPFY_MASK 958 ; 959 960ipv4mask: 961 ipv4 { $$ = $1; } 962 | YY_HEX { $$.s_addr = htonl($1); } | 830 | dstaddr dstport 831 | '!' dstaddr dstport 832 { DOALL(fr->fr_flags |= FR_NOTDSTIP;) } 833 ; 834 835dstaddr: 836 addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \ 837 bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \ --- 103 unchanged lines hidden (view full) --- 941maskspace: 942 '/' 943 | IPFY_MASK 944 ; 945 946ipv4mask: 947 ipv4 { $$ = $1; } 948 | YY_HEX { $$.s_addr = htonl($1); } |
963 | YY_NUMBER { ntomask(4, $1, (u_32_t *)&$$); } | 949 | YY_NUMBER { if (($1 >= 0) && ($1 <= 32)) { 950 ntomask(4, $1, (u_32_t *)&$$); 951 } else 952 yyerror("invalid mask"); 953 } |
964 | IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) { 965 $$.s_addr = 0; 966 ifpflag = FRI_BROADCAST; 967 } else 968 YYERROR; 969 } 970 | IPFY_NETWORK { if (ifpflag == FRI_DYNAMIC) { 971 $$.s_addr = 0; --- 11 unchanged lines hidden (view full) --- 983 $$.s_addr = 0; 984 ifpflag = FRI_PEERADDR; 985 } else 986 YYERROR; 987 } 988 ; 989 990ipv6mask: | 954 | IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) { 955 $$.s_addr = 0; 956 ifpflag = FRI_BROADCAST; 957 } else 958 YYERROR; 959 } 960 | IPFY_NETWORK { if (ifpflag == FRI_DYNAMIC) { 961 $$.s_addr = 0; --- 11 unchanged lines hidden (view full) --- 973 $$.s_addr = 0; 974 ifpflag = FRI_PEERADDR; 975 } else 976 YYERROR; 977 } 978 ; 979 980ipv6mask: |
991 YY_NUMBER { ntomask(6, $1, $$.i6); } | 981 YY_NUMBER { if (($1 >= 0) && ($1 <= 128)) { 982 ntomask(6, $1, $$.i6); 983 } else 984 yyerror("invalid mask"); 985 } |
992 | IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) { 993 bzero(&$$, sizeof($$)); 994 ifpflag = FRI_BROADCAST; 995 } else 996 YYERROR; 997 } 998 | IPFY_NETWORK { if (ifpflag == FRI_DYNAMIC) { 999 bzero(&$$, sizeof($$)); --- 169 unchanged lines hidden (view full) --- 1169 | IPFY_AGE YY_NUMBER '/' YY_NUMBER 1170 { DOALL(fr->fr_age[0] = $2; \ 1171 fr->fr_age[1] = $4;) } 1172 ; 1173 1174keep: | IPFY_KEEP keepstate 1175 | IPFY_KEEP keepfrag 1176 | IPFY_KEEP keepstate IPFY_KEEP keepfrag | 986 | IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) { 987 bzero(&$$, sizeof($$)); 988 ifpflag = FRI_BROADCAST; 989 } else 990 YYERROR; 991 } 992 | IPFY_NETWORK { if (ifpflag == FRI_DYNAMIC) { 993 bzero(&$$, sizeof($$)); --- 169 unchanged lines hidden (view full) --- 1163 | IPFY_AGE YY_NUMBER '/' YY_NUMBER 1164 { DOALL(fr->fr_age[0] = $2; \ 1165 fr->fr_age[1] = $4;) } 1166 ; 1167 1168keep: | IPFY_KEEP keepstate 1169 | IPFY_KEEP keepfrag 1170 | IPFY_KEEP keepstate IPFY_KEEP keepfrag |
1171 | IPFY_KEEP keepfrag IPFY_KEEP keepstate |
|
1177 ; 1178 1179keepstate: 1180 IPFY_STATE stateoptlist { DOALL(fr->fr_flags |= FR_KEEPSTATE;)} 1181 ; 1182 1183keepfrag: 1184 IPFY_FRAGS fragoptlist { DOALL(fr->fr_flags |= FR_KEEPFRAG;) } | 1172 ; 1173 1174keepstate: 1175 IPFY_STATE stateoptlist { DOALL(fr->fr_flags |= FR_KEEPSTATE;)} 1176 ; 1177 1178keepfrag: 1179 IPFY_FRAGS fragoptlist { DOALL(fr->fr_flags |= FR_KEEPFRAG;) } |
1180 | IPFY_FRAG fragoptlist { DOALL(fr->fr_flags |= FR_KEEPFRAG;) } |
|
1185 ; 1186 1187fragoptlist: 1188 | '(' fragopts ')' 1189 ; 1190 1191fragopts: 1192 fragopt lanother fragopts --- 21 unchanged lines hidden (view full) --- 1214 fr->fr_flags |= FR_STSTRICT;) 1215 } 1216 | IPFY_NEWISN { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \ 1217 YYERROR; \ 1218 } else \ 1219 fr->fr_flags |= FR_NEWISN;) 1220 } 1221 | IPFY_NOICMPERR { DOALL(fr->fr_flags |= FR_NOICMPERR;) } | 1181 ; 1182 1183fragoptlist: 1184 | '(' fragopts ')' 1185 ; 1186 1187fragopts: 1188 fragopt lanother fragopts --- 21 unchanged lines hidden (view full) --- 1210 fr->fr_flags |= FR_STSTRICT;) 1211 } 1212 | IPFY_NEWISN { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \ 1213 YYERROR; \ 1214 } else \ 1215 fr->fr_flags |= FR_NEWISN;) 1216 } 1217 | IPFY_NOICMPERR { DOALL(fr->fr_flags |= FR_NOICMPERR;) } |
1218 1219 | IPFY_SYNC { DOALL(fr->fr_flags |= FR_STATESYNC;) } |
|
1222 ; 1223 1224portnum: | 1220 ; 1221 1222portnum: |
1225 servicename { $$ = ntohs(getport(frc, $1)); 1226 if ($$ == -1) 1227 fprintf(stderr, "service unknown: %s, line %d\n", $1, yylineNum); | 1223 servicename { if (getport(frc, $1, &($$)) == -1) 1224 yyerror("service unknown"); 1225 else 1226 $$ = ntohs($$); |
1228 free($1); 1229 } | 1227 free($1); 1228 } |
1230 | YY_NUMBER { $$ = $1; } | 1229 | YY_NUMBER { if ($1 > 65535) /* Unsigned */ 1230 yyerror("invalid port number"); 1231 else 1232 $$ = $1; 1233 } |
1231 ; 1232 1233withlist: 1234 withopt 1235 | withlist withopt | 1234 ; 1235 1236withlist: 1237 withopt 1238 | withlist withopt |
1239 | withlist ',' withopt |
|
1236 ; 1237 1238withopt: 1239 opttype { DOALL(fr->fr_flx |= $1; fr->fr_mflx |= $1;) } 1240 | notwith opttype | 1240 ; 1241 1242withopt: 1243 opttype { DOALL(fr->fr_flx |= $1; fr->fr_mflx |= $1;) } 1244 | notwith opttype |
1241 { DOALL(fr->fr_mflx |= $2;) } 1242 | IPFY_OPT ipopts 1243 | notwith IPFY_OPT ipopts 1244 | startv6hdrs ipv6hdrs | 1245 { DOALL(fr->fr_mflx |= $2;) } 1246 | ipopt ipopts { yyresetdict(); } 1247 | notwith ipopt ipopts { yyresetdict(); } 1248 | startv6hdrs ipv6hdrs { yyresetdict(); } |
1245 ; 1246 | 1249 ; 1250 |
1251ipopt: IPFY_OPT { yysetdict(ipv4optwords); } 1252 ; 1253 |
|
1247startv6hdrs: 1248 IPF6_V6HDRS { if (use_inet6 == 0) 1249 yyerror("only available with IPv6"); | 1254startv6hdrs: 1255 IPF6_V6HDRS { if (use_inet6 == 0) 1256 yyerror("only available with IPv6"); |
1257 yysetdict(ipv6optwords); |
|
1250 } 1251 ; 1252 1253notwith: 1254 IPFY_NOT { nowith = 1; } 1255 | IPFY_NO { nowith = 1; } 1256 ; 1257 1258opttype: 1259 IPFY_IPOPTS { $$ = FI_OPTIONS; } 1260 | IPFY_SHORT { $$ = FI_SHORT; } 1261 | IPFY_NAT { $$ = FI_NATED; } 1262 | IPFY_BAD { $$ = FI_BAD; } 1263 | IPFY_BADNAT { $$ = FI_BADNAT; } 1264 | IPFY_BADSRC { $$ = FI_BADSRC; } 1265 | IPFY_LOWTTL { $$ = FI_LOWTTL; } 1266 | IPFY_FRAG { $$ = FI_FRAG; } | 1258 } 1259 ; 1260 1261notwith: 1262 IPFY_NOT { nowith = 1; } 1263 | IPFY_NO { nowith = 1; } 1264 ; 1265 1266opttype: 1267 IPFY_IPOPTS { $$ = FI_OPTIONS; } 1268 | IPFY_SHORT { $$ = FI_SHORT; } 1269 | IPFY_NAT { $$ = FI_NATED; } 1270 | IPFY_BAD { $$ = FI_BAD; } 1271 | IPFY_BADNAT { $$ = FI_BADNAT; } 1272 | IPFY_BADSRC { $$ = FI_BADSRC; } 1273 | IPFY_LOWTTL { $$ = FI_LOWTTL; } 1274 | IPFY_FRAG { $$ = FI_FRAG; } |
1275 | IPFY_FRAGBODY { $$ = FI_FRAGBODY; } 1276 | IPFY_FRAGS { $$ = FI_FRAG; } |
|
1267 | IPFY_MBCAST { $$ = FI_MBCAST; } 1268 | IPFY_MULTICAST { $$ = FI_MULTICAST; } 1269 | IPFY_BROADCAST { $$ = FI_BROADCAST; } 1270 | IPFY_STATE { $$ = FI_STATE; } 1271 | IPFY_OOW { $$ = FI_OOW; } 1272 ; 1273 1274ipopts: optlist { DOALL(fr->fr_mip.fi_optmsk |= $1; --- 94 unchanged lines hidden (view full) --- 1369 | IPFY_IPOPT_IMITD { $$ = getoptbyvalue(IPOPT_IMITD); } 1370 | IPFY_IPOPT_EIP { $$ = getoptbyvalue(IPOPT_EIP); } 1371 | IPFY_IPOPT_FINN { $$ = getoptbyvalue(IPOPT_FINN); } 1372 | IPFY_IPOPT_DPS { $$ = getoptbyvalue(IPOPT_DPS); } 1373 | IPFY_IPOPT_SDB { $$ = getoptbyvalue(IPOPT_SDB); } 1374 | IPFY_IPOPT_NSAPA { $$ = getoptbyvalue(IPOPT_NSAPA); } 1375 | IPFY_IPOPT_RTRALRT { $$ = getoptbyvalue(IPOPT_RTRALRT); } 1376 | IPFY_IPOPT_UMP { $$ = getoptbyvalue(IPOPT_UMP); } | 1277 | IPFY_MBCAST { $$ = FI_MBCAST; } 1278 | IPFY_MULTICAST { $$ = FI_MULTICAST; } 1279 | IPFY_BROADCAST { $$ = FI_BROADCAST; } 1280 | IPFY_STATE { $$ = FI_STATE; } 1281 | IPFY_OOW { $$ = FI_OOW; } 1282 ; 1283 1284ipopts: optlist { DOALL(fr->fr_mip.fi_optmsk |= $1; --- 94 unchanged lines hidden (view full) --- 1379 | IPFY_IPOPT_IMITD { $$ = getoptbyvalue(IPOPT_IMITD); } 1380 | IPFY_IPOPT_EIP { $$ = getoptbyvalue(IPOPT_EIP); } 1381 | IPFY_IPOPT_FINN { $$ = getoptbyvalue(IPOPT_FINN); } 1382 | IPFY_IPOPT_DPS { $$ = getoptbyvalue(IPOPT_DPS); } 1383 | IPFY_IPOPT_SDB { $$ = getoptbyvalue(IPOPT_SDB); } 1384 | IPFY_IPOPT_NSAPA { $$ = getoptbyvalue(IPOPT_NSAPA); } 1385 | IPFY_IPOPT_RTRALRT { $$ = getoptbyvalue(IPOPT_RTRALRT); } 1386 | IPFY_IPOPT_UMP { $$ = getoptbyvalue(IPOPT_UMP); } |
1377 | IPFY_SECCLASS secname | 1387 | setsecclass secname |
1378 { DOALL(fr->fr_mip.fi_secmsk |= $2; 1379 if (!nowith) 1380 fr->fr_ip.fi_secmsk |= $2;) 1381 $$ = 0; | 1388 { DOALL(fr->fr_mip.fi_secmsk |= $2; 1389 if (!nowith) 1390 fr->fr_ip.fi_secmsk |= $2;) 1391 $$ = 0; |
1392 yyresetdict(); |
|
1382 } 1383 ; 1384 | 1393 } 1394 ; 1395 |
1396setsecclass: 1397 IPFY_SECCLASS { yysetdict(ipv4secwords); } 1398 ; 1399 |
|
1385ipv6hdr: 1386 IPFY_AH { $$ = getv6optbyvalue(IPPROTO_AH); } 1387 | IPFY_IPV6OPT_DSTOPTS { $$ = getv6optbyvalue(IPPROTO_DSTOPTS); } 1388 | IPFY_ESP { $$ = getv6optbyvalue(IPPROTO_ESP); } 1389 | IPFY_IPV6OPT_HOPOPTS { $$ = getv6optbyvalue(IPPROTO_HOPOPTS); } 1390 | IPFY_IPV6OPT_IPV6 { $$ = getv6optbyvalue(IPPROTO_IPV6); } 1391 | IPFY_IPV6OPT_NONE { $$ = getv6optbyvalue(IPPROTO_NONE); } 1392 | IPFY_IPV6OPT_ROUTING { $$ = getv6optbyvalue(IPPROTO_ROUTING); } --- 41 unchanged lines hidden (view full) --- 1434 | IPFY_PRI_ERR { $$ = LOG_ERR; } 1435 | IPFY_PRI_WARN { $$ = LOG_WARNING; } 1436 | IPFY_PRI_NOTICE { $$ = LOG_NOTICE; } 1437 | IPFY_PRI_INFO { $$ = LOG_INFO; } 1438 | IPFY_PRI_DEBUG { $$ = LOG_DEBUG; } 1439 ; 1440 1441compare: | 1400ipv6hdr: 1401 IPFY_AH { $$ = getv6optbyvalue(IPPROTO_AH); } 1402 | IPFY_IPV6OPT_DSTOPTS { $$ = getv6optbyvalue(IPPROTO_DSTOPTS); } 1403 | IPFY_ESP { $$ = getv6optbyvalue(IPPROTO_ESP); } 1404 | IPFY_IPV6OPT_HOPOPTS { $$ = getv6optbyvalue(IPPROTO_HOPOPTS); } 1405 | IPFY_IPV6OPT_IPV6 { $$ = getv6optbyvalue(IPPROTO_IPV6); } 1406 | IPFY_IPV6OPT_NONE { $$ = getv6optbyvalue(IPPROTO_NONE); } 1407 | IPFY_IPV6OPT_ROUTING { $$ = getv6optbyvalue(IPPROTO_ROUTING); } --- 41 unchanged lines hidden (view full) --- 1449 | IPFY_PRI_ERR { $$ = LOG_ERR; } 1450 | IPFY_PRI_WARN { $$ = LOG_WARNING; } 1451 | IPFY_PRI_NOTICE { $$ = LOG_NOTICE; } 1452 | IPFY_PRI_INFO { $$ = LOG_INFO; } 1453 | IPFY_PRI_DEBUG { $$ = LOG_DEBUG; } 1454 ; 1455 1456compare: |
1442 '=' { $$ = FR_EQUAL; } 1443 | YY_CMP_EQ { $$ = FR_EQUAL; } | 1457 YY_CMP_EQ { $$ = FR_EQUAL; } |
1444 | YY_CMP_NE { $$ = FR_NEQUAL; } 1445 | YY_CMP_LT { $$ = FR_LESST; } 1446 | YY_CMP_LE { $$ = FR_LESSTE; } 1447 | YY_CMP_GT { $$ = FR_GREATERT; } 1448 | YY_CMP_GE { $$ = FR_GREATERTE; } 1449 ; 1450 1451range: YY_RANGE_IN { $$ = FR_INRANGE; } 1452 | YY_RANGE_OUT { $$ = FR_OUTRANGE; } 1453 | ':' { $$ = FR_INCRANGE; } 1454 ; 1455 1456servicename: 1457 YY_STR { $$ = $1; } 1458 ; 1459 1460interfacename: YY_STR { $$ = $1; } 1461 | YY_STR ':' YY_NUMBER 1462 { $$ = $1; | 1458 | YY_CMP_NE { $$ = FR_NEQUAL; } 1459 | YY_CMP_LT { $$ = FR_LESST; } 1460 | YY_CMP_LE { $$ = FR_LESSTE; } 1461 | YY_CMP_GT { $$ = FR_GREATERT; } 1462 | YY_CMP_GE { $$ = FR_GREATERTE; } 1463 ; 1464 1465range: YY_RANGE_IN { $$ = FR_INRANGE; } 1466 | YY_RANGE_OUT { $$ = FR_OUTRANGE; } 1467 | ':' { $$ = FR_INCRANGE; } 1468 ; 1469 1470servicename: 1471 YY_STR { $$ = $1; } 1472 ; 1473 1474interfacename: YY_STR { $$ = $1; } 1475 | YY_STR ':' YY_NUMBER 1476 { $$ = $1; |
1463#if SOLARIS2 >= 10 1464 if (strncmp(VNI, $1, VNISTRLEN) != 0) 1465#endif | |
1466 fprintf(stderr, "%d: Logical interface %s:%d unsupported, " | 1477 fprintf(stderr, "%d: Logical interface %s:%d unsupported, " |
1467 "use the physical interface %s instead.\n", 1468 yylineNum, $1, $3, $1); | 1478 "use the physical interface %s instead.\n", 1479 yylineNum, $1, $3, $1); |
1469 } 1470 ; 1471 1472name: YY_STR { $$ = $1; } 1473 ; 1474 | 1480 } 1481 ; 1482 1483name: YY_STR { $$ = $1; } 1484 ; 1485 |
1475ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER 1476 { if ($1 > 255 || $3 > 255 || $5 > 255 || $7 > 255) { | 1486ipv4_16: 1487 YY_NUMBER '.' YY_NUMBER 1488 { if ($1 > 255 || $3 > 255) { |
1477 yyerror("Invalid octet string for IP address"); 1478 return 0; 1479 } | 1489 yyerror("Invalid octet string for IP address"); 1490 return 0; 1491 } |
1480 $$.s_addr = ($1 << 24) | ($3 << 16) | ($5 << 8) | $7; | 1492 $$.s_addr = ($1 << 24) | ($3 << 16); |
1481 $$.s_addr = htonl($$.s_addr); 1482 } 1483 ; | 1493 $$.s_addr = htonl($$.s_addr); 1494 } 1495 ; |
1496 1497ipv4_24: 1498 ipv4_16 '.' YY_NUMBER 1499 { if ($3 > 255) { 1500 yyerror("Invalid octet string for IP address"); 1501 return 0; 1502 } 1503 $$.s_addr |= htonl($3 << 8); 1504 } 1505 ; 1506 1507ipv4: ipv4_24 '.' YY_NUMBER 1508 { if ($3 > 255) { 1509 yyerror("Invalid octet string for IP address"); 1510 return 0; 1511 } 1512 $$.s_addr |= htonl($3); 1513 } 1514 | ipv4_24 1515 | ipv4_16 1516 ; 1517 |
|
1484%% 1485 1486 | 1518%% 1519 1520 |
1487static struct wordtab ipfwords[] = { 1488 { "addext", IPFY_IPOPT_ADDEXT }, | 1521static struct wordtab ipfwords[95] = { |
1489 { "age", IPFY_AGE }, 1490 { "ah", IPFY_AH }, 1491 { "all", IPFY_ALL }, 1492 { "and", IPFY_AND }, 1493 { "auth", IPFY_AUTH }, 1494 { "bad", IPFY_BAD }, 1495 { "bad-nat", IPFY_BADNAT }, 1496 { "bad-src", IPFY_BADSRC }, 1497 { "bcast", IPFY_BROADCAST }, 1498 { "block", IPFY_BLOCK }, 1499 { "body", IPFY_BODY }, | 1522 { "age", IPFY_AGE }, 1523 { "ah", IPFY_AH }, 1524 { "all", IPFY_ALL }, 1525 { "and", IPFY_AND }, 1526 { "auth", IPFY_AUTH }, 1527 { "bad", IPFY_BAD }, 1528 { "bad-nat", IPFY_BADNAT }, 1529 { "bad-src", IPFY_BADSRC }, 1530 { "bcast", IPFY_BROADCAST }, 1531 { "block", IPFY_BLOCK }, 1532 { "body", IPFY_BODY }, |
1500 { "bpf", IPFY_BPF }, | 1533 { "bpf-v4", IPFY_BPFV4 }, 1534#ifdef USE_INET6 1535 { "bpf-v6", IPFY_BPFV6 }, 1536#endif |
1501 { "call", IPFY_CALL }, | 1537 { "call", IPFY_CALL }, |
1502 { "cipso", IPFY_IPOPT_CIPSO }, | |
1503 { "code", IPFY_ICMPCODE }, | 1538 { "code", IPFY_ICMPCODE }, |
1504 { "confid", IPFY_SEC_CONF }, | |
1505 { "count", IPFY_COUNT }, | 1539 { "count", IPFY_COUNT }, |
1506 { "divert", IPFY_DIVERT }, 1507 { "dps", IPFY_IPOPT_DPS }, 1508 { "dstopts", IPFY_IPV6OPT_DSTOPTS }, | |
1509 { "dup-to", IPFY_DUPTO }, | 1540 { "dup-to", IPFY_DUPTO }, |
1510 { "e-sec", IPFY_IPOPT_ESEC }, 1511 { "eip", IPFY_IPOPT_EIP }, 1512 { "encode", IPFY_IPOPT_ENCODE }, | |
1513 { "eq", YY_CMP_EQ }, 1514 { "esp", IPFY_ESP }, 1515 { "fastroute", IPFY_FROUTE }, 1516 { "first", IPFY_FIRST }, | 1541 { "eq", YY_CMP_EQ }, 1542 { "esp", IPFY_ESP }, 1543 { "fastroute", IPFY_FROUTE }, 1544 { "first", IPFY_FIRST }, |
1517 { "finn", IPFY_IPOPT_FINN }, 1518 { "frag", IPFY_FRAG }, | |
1519 { "flags", IPFY_FLAGS }, | 1545 { "flags", IPFY_FLAGS }, |
1546 { "frag", IPFY_FRAG }, 1547 { "frag-body", IPFY_FRAGBODY }, |
|
1520 { "frags", IPFY_FRAGS }, 1521 { "from", IPFY_FROM }, 1522 { "ge", YY_CMP_GE }, 1523 { "group", IPFY_GROUP }, 1524 { "gt", YY_CMP_GT }, 1525 { "head", IPFY_HEAD }, | 1548 { "frags", IPFY_FRAGS }, 1549 { "from", IPFY_FROM }, 1550 { "ge", YY_CMP_GE }, 1551 { "group", IPFY_GROUP }, 1552 { "gt", YY_CMP_GT }, 1553 { "head", IPFY_HEAD }, |
1526 { "hopopts", IPFY_IPV6OPT_HOPOPTS }, 1527 { "host-preced", IPFY_ICMPC_HSTPRE }, 1528 { "host-prohib", IPFY_ICMPC_HSTPRO }, 1529 { "host-tos", IPFY_ICMPC_HSTTOS }, 1530 { "host-unk", IPFY_ICMPC_HSTUNK }, 1531 { "host-unr", IPFY_ICMPC_HSTUNR }, | |
1532 { "icmp", IPFY_ICMP }, 1533 { "icmp-type", IPFY_ICMPTYPE }, | 1554 { "icmp", IPFY_ICMP }, 1555 { "icmp-type", IPFY_ICMPTYPE }, |
1534 { "imitd", IPFY_IPOPT_IMITD }, | |
1535 { "in", IPFY_IN }, 1536 { "in-via", IPFY_INVIA }, 1537 { "ipopt", IPFY_IPOPTS }, 1538 { "ipopts", IPFY_IPOPTS }, | 1556 { "in", IPFY_IN }, 1557 { "in-via", IPFY_INVIA }, 1558 { "ipopt", IPFY_IPOPTS }, 1559 { "ipopts", IPFY_IPOPTS }, |
1539 { "ipv6", IPFY_IPV6OPT_IPV6 }, | |
1540 { "keep", IPFY_KEEP }, 1541 { "le", YY_CMP_LE }, 1542 { "level", IPFY_LEVEL }, 1543 { "limit", IPFY_LIMIT }, 1544 { "log", IPFY_LOG }, 1545 { "lowttl", IPFY_LOWTTL }, | 1560 { "keep", IPFY_KEEP }, 1561 { "le", YY_CMP_LE }, 1562 { "level", IPFY_LEVEL }, 1563 { "limit", IPFY_LIMIT }, 1564 { "log", IPFY_LOG }, 1565 { "lowttl", IPFY_LOWTTL }, |
1546 { "lsrr", IPFY_IPOPT_LSRR }, | |
1547 { "lt", YY_CMP_LT }, 1548 { "mask", IPFY_MASK }, | 1566 { "lt", YY_CMP_LT }, 1567 { "mask", IPFY_MASK }, |
1568 { "match-tag", IPFY_MATCHTAG }, |
|
1549 { "mbcast", IPFY_MBCAST }, | 1569 { "mbcast", IPFY_MBCAST }, |
1550 { "mtup", IPFY_IPOPT_MTUP }, 1551 { "mtur", IPFY_IPOPT_MTUR }, | |
1552 { "multicast", IPFY_MULTICAST }, 1553 { "nat", IPFY_NAT }, 1554 { "ne", YY_CMP_NE }, 1555 { "net", IPFY_NETWORK }, 1556 { "newisn", IPFY_NEWISN }, 1557 { "no", IPFY_NO }, 1558 { "no-icmp-err", IPFY_NOICMPERR }, | 1570 { "multicast", IPFY_MULTICAST }, 1571 { "nat", IPFY_NAT }, 1572 { "ne", YY_CMP_NE }, 1573 { "net", IPFY_NETWORK }, 1574 { "newisn", IPFY_NEWISN }, 1575 { "no", IPFY_NO }, 1576 { "no-icmp-err", IPFY_NOICMPERR }, |
1559 { "none", IPFY_IPV6OPT_NONE }, 1560 { "nop", IPFY_IPOPT_NOP }, | |
1561 { "now", IPFY_NOW }, 1562 { "not", IPFY_NOT }, | 1577 { "now", IPFY_NOW }, 1578 { "not", IPFY_NOT }, |
1563 { "nsapa", IPFY_IPOPT_NSAPA }, | |
1564 { "oow", IPFY_OOW }, 1565 { "on", IPFY_ON }, 1566 { "opt", IPFY_OPT }, 1567 { "or-block", IPFY_ORBLOCK }, 1568 { "out", IPFY_OUT }, 1569 { "out-via", IPFY_OUTVIA }, 1570 { "pass", IPFY_PASS }, 1571 { "port", IPFY_PORT }, 1572 { "pps", IPFY_PPS }, 1573 { "preauth", IPFY_PREAUTH }, 1574 { "proto", IPFY_PROTO }, 1575 { "quick", IPFY_QUICK }, 1576 { "reply-to", IPFY_REPLY_TO }, | 1579 { "oow", IPFY_OOW }, 1580 { "on", IPFY_ON }, 1581 { "opt", IPFY_OPT }, 1582 { "or-block", IPFY_ORBLOCK }, 1583 { "out", IPFY_OUT }, 1584 { "out-via", IPFY_OUTVIA }, 1585 { "pass", IPFY_PASS }, 1586 { "port", IPFY_PORT }, 1587 { "pps", IPFY_PPS }, 1588 { "preauth", IPFY_PREAUTH }, 1589 { "proto", IPFY_PROTO }, 1590 { "quick", IPFY_QUICK }, 1591 { "reply-to", IPFY_REPLY_TO }, |
1577 { "reserv-1", IPFY_SEC_RSV1 }, 1578 { "reserv-2", IPFY_SEC_RSV2 }, 1579 { "reserv-3", IPFY_SEC_RSV3 }, 1580 { "reserv-4", IPFY_SEC_RSV4 }, | |
1581 { "return-icmp", IPFY_RETICMP }, 1582 { "return-icmp-as-dest", IPFY_RETICMPASDST }, 1583 { "return-rst", IPFY_RETRST }, | 1592 { "return-icmp", IPFY_RETICMP }, 1593 { "return-icmp-as-dest", IPFY_RETICMPASDST }, 1594 { "return-rst", IPFY_RETRST }, |
1584 { "routing", IPFY_IPV6OPT_ROUTING }, 1585 { "rr", IPFY_IPOPT_RR }, 1586 { "rtralrt", IPFY_IPOPT_RTRALRT }, 1587 { "satid", IPFY_IPOPT_SATID }, 1588 { "sdb", IPFY_IPOPT_SDB }, 1589 { "sec", IPFY_IPOPT_SEC }, | 1595 { "route-to", IPFY_ROUTETO }, |
1590 { "sec-class", IPFY_SECCLASS }, | 1596 { "sec-class", IPFY_SECCLASS }, |
1591 { "secret", IPFY_SEC_SEC }, | 1597 { "set-tag", IPFY_SETTAG }, |
1592 { "skip", IPFY_SKIP }, 1593 { "short", IPFY_SHORT }, | 1598 { "skip", IPFY_SKIP }, 1599 { "short", IPFY_SHORT }, |
1594 { "ssrr", IPFY_IPOPT_SSRR }, | |
1595 { "state", IPFY_STATE }, | 1600 { "state", IPFY_STATE }, |
1601 { "state-age", IPFY_AGE }, |
|
1596 { "strict", IPFY_STRICT }, | 1602 { "strict", IPFY_STRICT }, |
1597 { "tag", IPFY_TAG }, | 1603 { "sync", IPFY_SYNC }, |
1598 { "tcp", IPFY_TCP }, 1599 { "tcp-udp", IPFY_TCPUDP }, 1600 { "tos", IPFY_TOS }, | 1604 { "tcp", IPFY_TCP }, 1605 { "tcp-udp", IPFY_TCPUDP }, 1606 { "tos", IPFY_TOS }, |
1601 { "topsecret", IPFY_SEC_TS }, | |
1602 { "to", IPFY_TO }, | 1607 { "to", IPFY_TO }, |
1603 { "tr", IPFY_IPOPT_TR }, 1604 { "ts", IPFY_IPOPT_TS }, | |
1605 { "ttl", IPFY_TTL }, 1606 { "udp", IPFY_UDP }, | 1608 { "ttl", IPFY_TTL }, 1609 { "udp", IPFY_UDP }, |
1607 { "ump", IPFY_IPOPT_UMP }, 1608 { "unclass", IPFY_SEC_UNC }, | |
1609 { "v6hdrs", IPF6_V6HDRS }, | 1610 { "v6hdrs", IPF6_V6HDRS }, |
1610 { "visa", IPFY_IPOPT_VISA }, | |
1611 { "with", IPFY_WITH }, | 1611 { "with", IPFY_WITH }, |
1612 { "zsu", IPFY_IPOPT_ZSU }, | |
1613 { NULL, 0 } 1614}; 1615 1616static struct wordtab addrwords[4] = { 1617 { "any", IPFY_ANY }, 1618 { "hash", IPFY_HASH }, 1619 { "pool", IPFY_POOL }, 1620 { NULL, 0 } --- 41 unchanged lines hidden (view full) --- 1662 { "net-unk", IPFY_ICMPC_NETUNK }, 1663 { "net-unr", IPFY_ICMPC_NETUNR }, 1664 { "port-unr", IPFY_ICMPC_PORUNR }, 1665 { "proto-unr", IPFY_ICMPC_PROUNR }, 1666 { "srcfail", IPFY_ICMPC_SRCFAIL }, 1667 { NULL, 0 }, 1668}; 1669 | 1612 { NULL, 0 } 1613}; 1614 1615static struct wordtab addrwords[4] = { 1616 { "any", IPFY_ANY }, 1617 { "hash", IPFY_HASH }, 1618 { "pool", IPFY_POOL }, 1619 { NULL, 0 } --- 41 unchanged lines hidden (view full) --- 1661 { "net-unk", IPFY_ICMPC_NETUNK }, 1662 { "net-unr", IPFY_ICMPC_NETUNR }, 1663 { "port-unr", IPFY_ICMPC_PORUNR }, 1664 { "proto-unr", IPFY_ICMPC_PROUNR }, 1665 { "srcfail", IPFY_ICMPC_SRCFAIL }, 1666 { NULL, 0 }, 1667}; 1668 |
1670static struct wordtab logwords[] = { | 1669static struct wordtab ipv4optwords[25] = { 1670 { "addext", IPFY_IPOPT_ADDEXT }, 1671 { "cipso", IPFY_IPOPT_CIPSO }, 1672 { "dps", IPFY_IPOPT_DPS }, 1673 { "e-sec", IPFY_IPOPT_ESEC }, 1674 { "eip", IPFY_IPOPT_EIP }, 1675 { "encode", IPFY_IPOPT_ENCODE }, 1676 { "finn", IPFY_IPOPT_FINN }, 1677 { "imitd", IPFY_IPOPT_IMITD }, 1678 { "lsrr", IPFY_IPOPT_LSRR }, 1679 { "mtup", IPFY_IPOPT_MTUP }, 1680 { "mtur", IPFY_IPOPT_MTUR }, 1681 { "nop", IPFY_IPOPT_NOP }, 1682 { "nsapa", IPFY_IPOPT_NSAPA }, 1683 { "rr", IPFY_IPOPT_RR }, 1684 { "rtralrt", IPFY_IPOPT_RTRALRT }, 1685 { "satid", IPFY_IPOPT_SATID }, 1686 { "sdb", IPFY_IPOPT_SDB }, 1687 { "sec", IPFY_IPOPT_SEC }, 1688 { "ssrr", IPFY_IPOPT_SSRR }, 1689 { "tr", IPFY_IPOPT_TR }, 1690 { "ts", IPFY_IPOPT_TS }, 1691 { "ump", IPFY_IPOPT_UMP }, 1692 { "visa", IPFY_IPOPT_VISA }, 1693 { "zsu", IPFY_IPOPT_ZSU }, 1694 { NULL, 0 }, 1695}; 1696 1697static struct wordtab ipv4secwords[9] = { 1698 { "confid", IPFY_SEC_CONF }, 1699 { "reserv-1", IPFY_SEC_RSV1 }, 1700 { "reserv-2", IPFY_SEC_RSV2 }, 1701 { "reserv-3", IPFY_SEC_RSV3 }, 1702 { "reserv-4", IPFY_SEC_RSV4 }, 1703 { "secret", IPFY_SEC_SEC }, 1704 { "topsecret", IPFY_SEC_TS }, 1705 { "unclass", IPFY_SEC_UNC }, 1706 { NULL, 0 }, 1707}; 1708 1709static struct wordtab ipv6optwords[8] = { 1710 { "dstopts", IPFY_IPV6OPT_DSTOPTS }, 1711 { "esp", IPFY_ESP }, 1712 { "frag", IPFY_FRAG }, 1713 { "hopopts", IPFY_IPV6OPT_HOPOPTS }, 1714 { "ipv6", IPFY_IPV6OPT_IPV6 }, 1715 { "none", IPFY_IPV6OPT_NONE }, 1716 { "routing", IPFY_IPV6OPT_ROUTING }, 1717 { NULL, 0 }, 1718}; 1719 1720static struct wordtab logwords[33] = { |
1671 { "kern", IPFY_FAC_KERN }, 1672 { "user", IPFY_FAC_USER }, 1673 { "mail", IPFY_FAC_MAIL }, 1674 { "daemon", IPFY_FAC_DAEMON }, 1675 { "auth", IPFY_FAC_AUTH }, 1676 { "syslog", IPFY_FAC_SYSLOG }, 1677 { "lpr", IPFY_FAC_LPR }, 1678 { "news", IPFY_FAC_NEWS }, --- 208 unchanged lines hidden (view full) --- 1887 sizeof(frc->fr_ifnames[i])) == 0) { 1888 ifpflag = FRI_DYNAMIC; 1889 dynamic = i; 1890 return 0; 1891 } 1892 } 1893 1894 if (gethost(name, &addr) == -1) { | 1721 { "kern", IPFY_FAC_KERN }, 1722 { "user", IPFY_FAC_USER }, 1723 { "mail", IPFY_FAC_MAIL }, 1724 { "daemon", IPFY_FAC_DAEMON }, 1725 { "auth", IPFY_FAC_AUTH }, 1726 { "syslog", IPFY_FAC_SYSLOG }, 1727 { "lpr", IPFY_FAC_LPR }, 1728 { "news", IPFY_FAC_NEWS }, --- 208 unchanged lines hidden (view full) --- 1937 sizeof(frc->fr_ifnames[i])) == 0) { 1938 ifpflag = FRI_DYNAMIC; 1939 dynamic = i; 1940 return 0; 1941 } 1942 } 1943 1944 if (gethost(name, &addr) == -1) { |
1945 fprintf(stderr, "unknown name \"%s\"\n", name); |
|
1895 return 0; 1896 } 1897 return addr; 1898} 1899 1900 | 1946 return 0; 1947 } 1948 return addr; 1949} 1950 1951 |
1901static void dobpf(phrase) | 1952static void dobpf(v, phrase) 1953int v; |
1902char *phrase; 1903{ 1904#ifdef IPFILTER_BPF 1905 struct bpf_program bpf; 1906 struct pcap *p; | 1954char *phrase; 1955{ 1956#ifdef IPFILTER_BPF 1957 struct bpf_program bpf; 1958 struct pcap *p; |
1959#endif 1960 fakebpf_t *fb; |
|
1907 u_32_t l; 1908 char *s; 1909 int i; 1910 1911 for (fr = frc; fr != NULL; fr = fr->fr_next) { 1912 if (fr->fr_type != FR_T_NONE) { | 1961 u_32_t l; 1962 char *s; 1963 int i; 1964 1965 for (fr = frc; fr != NULL; fr = fr->fr_next) { 1966 if (fr->fr_type != FR_T_NONE) { |
1913 fprintf(stderr, "cannoy mix IPF and BPF matching\n"); | 1967 fprintf(stderr, "cannot mix IPF and BPF matching\n"); |
1914 return; 1915 } | 1968 return; 1969 } |
1916 fr->fr_type = FR_T_IPF; | 1970 fr->fr_v = v; 1971 fr->fr_type = FR_T_BPFOPC; |
1917 1918 if (!strncmp(phrase, "\"0x", 2)) { 1919 phrase++; | 1972 1973 if (!strncmp(phrase, "\"0x", 2)) { 1974 phrase++; |
1920 fr->fr_data = malloc(4); 1921 if (fr->fr_data == NULL) | 1975 fb = malloc(sizeof(fakebpf_t)); 1976 if (fb == NULL) |
1922 yyerror("sorry, out of memory"); 1923 | 1977 yyerror("sorry, out of memory"); 1978 |
1924 for (i = 0, s = strtok(phrase, " \r\n\t"; s != NULL; | 1979 for (i = 0, s = strtok(phrase, " \r\n\t"); s != NULL; |
1925 s = strtok(NULL, " \r\n\t"), i++) { | 1980 s = strtok(NULL, " \r\n\t"), i++) { |
1926 fr->fr_data = realloc(fr->fr_data, (i + 1) * 4); 1927 if (fr->fr_data == NULL) | 1981 fb = realloc(fb, (i / 4 + 1) * sizeof(*fb)); 1982 if (fb == NULL) |
1928 yyerror("sorry, out of memory"); 1929 l = (u_32_t)strtol(s, NULL, 0); | 1983 yyerror("sorry, out of memory"); 1984 l = (u_32_t)strtol(s, NULL, 0); |
1930 ((u_32_t *)fr->fr_data)[i] = l; | 1985 switch (i & 3) 1986 { 1987 case 0 : 1988 fb[i / 4].fb_c = l & 0xffff; 1989 break; 1990 case 1 : 1991 fb[i / 4].fb_t = l & 0xff; 1992 break; 1993 case 2 : 1994 fb[i / 4].fb_f = l & 0xff; 1995 break; 1996 case 3 : 1997 fb[i / 4].fb_k = l; 1998 break; 1999 } |
1931 } | 2000 } |
2001 if ((i & 3) != 0) { 2002 fprintf(stderr, 2003 "Odd number of bytes in BPF code\n"); 2004 exit(1); 2005 } 2006 i--; 2007 fr->fr_dsize = (i / 4 + 1) * sizeof(*fb); 2008 fr->fr_data = fb; |
|
1932 return; 1933 } 1934 | 2009 return; 2010 } 2011 |
2012#ifdef IPFILTER_BPF |
|
1935 bzero((char *)&bpf, sizeof(bpf)); 1936 p = pcap_open_dead(DLT_RAW, 1); 1937 if (!p) { 1938 fprintf(stderr, "pcap_open_dead failed\n"); 1939 return; 1940 } 1941 | 2013 bzero((char *)&bpf, sizeof(bpf)); 2014 p = pcap_open_dead(DLT_RAW, 1); 2015 if (!p) { 2016 fprintf(stderr, "pcap_open_dead failed\n"); 2017 return; 2018 } 2019 |
1942 if (pcap_compile(p, &bpf, phrase, 1, 0xffffffff) { | 2020 if (pcap_compile(p, &bpf, phrase, 1, 0xffffffff)) { |
1943 pcap_perror(p, "ipf"); 1944 pcap_close(p); | 2021 pcap_perror(p, "ipf"); 2022 pcap_close(p); |
1945 fprintf(stderr, "pcap parsing failed\n"); | 2023 fprintf(stderr, "pcap parsing failed (%s)\n", phrase); |
1946 return; 1947 } 1948 pcap_close(p); 1949 1950 fr->fr_dsize = bpf.bf_len * sizeof(struct bpf_insn); | 2024 return; 2025 } 2026 pcap_close(p); 2027 2028 fr->fr_dsize = bpf.bf_len * sizeof(struct bpf_insn); |
1951 fr->fr_data = malloc(bpf.bf_len); | 2029 fr->fr_data = malloc(fr->fr_dsize); |
1952 if (fr->fr_data == NULL) 1953 yyerror("sorry, out of memory"); | 2030 if (fr->fr_data == NULL) 2031 yyerror("sorry, out of memory"); |
1954 bcopy((char *)bpf.bf_insns, fr->fr_data, bpf.bf_len); | 2032 bcopy((char *)bpf.bf_insns, fr->fr_data, fr->fr_dsize); |
1955 if (!bpf_validate(fr->fr_data, bpf.bf_len)) { 1956 fprintf(stderr, "BPF validation failed\n"); 1957 return; 1958 } | 2033 if (!bpf_validate(fr->fr_data, bpf.bf_len)) { 2034 fprintf(stderr, "BPF validation failed\n"); 2035 return; 2036 } |
2037#endif |
|
1959 } 1960 | 2038 } 2039 |
2040#ifdef IPFILTER_BPF |
|
1961 if (opts & OPT_DEBUG) 1962 bpf_dump(&bpf, 0); 1963#else | 2041 if (opts & OPT_DEBUG) 2042 bpf_dump(&bpf, 0); 2043#else |
1964 fprintf(stderr, "BPF expressions for matching not supported\n"); | 2044 fprintf(stderr, "BPF filter expressions not supported\n"); 2045 exit(1); |
1965#endif 1966} 1967 1968 1969static void resetaddr() 1970{ 1971 hashed = 0; 1972 pooled = 0; --- 109 unchanged lines hidden (view full) --- 2082} 2083 2084 2085void ipf_addrule(fd, ioctlfunc, ptr) 2086int fd; 2087ioctlfunc_t ioctlfunc; 2088void *ptr; 2089{ | 2046#endif 2047} 2048 2049 2050static void resetaddr() 2051{ 2052 hashed = 0; 2053 pooled = 0; --- 109 unchanged lines hidden (view full) --- 2163} 2164 2165 2166void ipf_addrule(fd, ioctlfunc, ptr) 2167int fd; 2168ioctlfunc_t ioctlfunc; 2169void *ptr; 2170{ |
2090 u_int add, del; | 2171 ioctlcmd_t add, del; |
2091 frentry_t *fr; 2092 ipfobj_t obj; 2093 2094 fr = ptr; 2095 add = 0; 2096 del = 0; 2097 2098 bzero((char *)&obj, sizeof(obj)); --- 44 unchanged lines hidden (view full) --- 2143#else 2144 printf("hits %ld bytes %ld ", 2145 fr->fr_hits, fr->fr_bytes); 2146#endif 2147 printfr(fr, ioctlfunc); 2148 } 2149 } else if ((opts & OPT_REMOVE) != 0) { 2150 if ((*ioctlfunc)(fd, del, (void *)&obj) == -1) { | 2172 frentry_t *fr; 2173 ipfobj_t obj; 2174 2175 fr = ptr; 2176 add = 0; 2177 del = 0; 2178 2179 bzero((char *)&obj, sizeof(obj)); --- 44 unchanged lines hidden (view full) --- 2224#else 2225 printf("hits %ld bytes %ld ", 2226 fr->fr_hits, fr->fr_bytes); 2227#endif 2228 printfr(fr, ioctlfunc); 2229 } 2230 } else if ((opts & OPT_REMOVE) != 0) { 2231 if ((*ioctlfunc)(fd, del, (void *)&obj) == -1) { |
2151 if ((opts & OPT_DONOTHING) == 0) { | 2232 if ((opts & OPT_DONOTHING) != 0) { |
2152 fprintf(stderr, "%d:", yylineNum); 2153 perror("ioctl(delete rule)"); 2154 } 2155 } 2156 } else { 2157 if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) { 2158 if (!(opts & OPT_DONOTHING)) { 2159 fprintf(stderr, "%d:", yylineNum); | 2233 fprintf(stderr, "%d:", yylineNum); 2234 perror("ioctl(delete rule)"); 2235 } 2236 } 2237 } else { 2238 if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) { 2239 if (!(opts & OPT_DONOTHING)) { 2240 fprintf(stderr, "%d:", yylineNum); |
2160 fprintf(stderr,"ioctl(add/insert rule) failed: rule exists\n"); | 2241 perror("ioctl(add/insert rule)"); |
2161 } 2162 } 2163 } 2164} 2165 | 2242 } 2243 } 2244 } 2245} 2246 |
2166 | |
2167static void setsyslog() 2168{ | 2247static void setsyslog() 2248{ |
2169 savewords = yysettab(logwords); | 2249 yysetdict(logwords); |
2170 yybreakondot = 1; 2171} 2172 2173 2174static void unsetsyslog() 2175{ | 2250 yybreakondot = 1; 2251} 2252 2253 2254static void unsetsyslog() 2255{ |
2176 yysettab(savewords); | 2256 yyresetdict(); |
2177 yybreakondot = 0; 2178} 2179 2180 2181static void fillgroup(fr) 2182frentry_t *fr; 2183{ 2184 frentry_t *f; | 2257 yybreakondot = 0; 2258} 2259 2260 2261static void fillgroup(fr) 2262frentry_t *fr; 2263{ 2264 frentry_t *f; |
2185 int i; | |
2186 2187 for (f = frold; f != NULL; f = f->fr_next) 2188 if (strncmp(f->fr_grhead, fr->fr_group, FR_GROUPLEN) == 0) 2189 break; 2190 if (f == NULL) 2191 return; 2192 2193 /* 2194 * Only copy down matching fields if the rules are of the same type | 2265 2266 for (f = frold; f != NULL; f = f->fr_next) 2267 if (strncmp(f->fr_grhead, fr->fr_group, FR_GROUPLEN) == 0) 2268 break; 2269 if (f == NULL) 2270 return; 2271 2272 /* 2273 * Only copy down matching fields if the rules are of the same type |
2195 * and are of ipf type. | 2274 * and are of ipf type. The only fields that are copied are those 2275 * that impact the rule parsing itself, eg. need for knowing what the 2276 * protocol should be for rules with port comparisons in them. |
2196 */ 2197 if (f->fr_type != fr->fr_type || f->fr_type != FR_T_IPF) 2198 return; 2199 2200 if (fr->fr_v == 0 && f->fr_v != 0) 2201 fr->fr_v = f->fr_v; 2202 2203 if (fr->fr_mproto == 0 && f->fr_mproto != 0) 2204 fr->fr_mproto = f->fr_mproto; 2205 if (fr->fr_proto == 0 && f->fr_proto != 0) 2206 fr->fr_proto = f->fr_proto; 2207 | 2277 */ 2278 if (f->fr_type != fr->fr_type || f->fr_type != FR_T_IPF) 2279 return; 2280 2281 if (fr->fr_v == 0 && f->fr_v != 0) 2282 fr->fr_v = f->fr_v; 2283 2284 if (fr->fr_mproto == 0 && f->fr_mproto != 0) 2285 fr->fr_mproto = f->fr_mproto; 2286 if (fr->fr_proto == 0 && f->fr_proto != 0) 2287 fr->fr_proto = f->fr_proto; 2288 |
2208 if (fr->fr_proto == IPPROTO_TCP) { 2209 if (fr->fr_tcpfm == 0 && f->fr_tcpfm != 0) 2210 fr->fr_tcpfm = f->fr_tcpfm; 2211 if (fr->fr_tcpf == 0 && f->fr_tcpf != 0) 2212 fr->fr_tcpf = f->fr_tcpf; 2213 } 2214 2215 if (fr->fr_proto == IPPROTO_ICMP) { 2216 if (fr->fr_icmpm == 0 && f->fr_icmpm != 0) 2217 fr->fr_icmpm = f->fr_icmpm; 2218 if (fr->fr_icmp == 0 && f->fr_icmp != 0) 2219 fr->fr_icmp = f->fr_icmp; 2220 } 2221 2222 if (fr->fr_optbits == 0 && f->fr_optbits != 0) 2223 fr->fr_optbits = f->fr_optbits; 2224 if (fr->fr_optmask == 0 && f->fr_optmask != 0) 2225 fr->fr_optmask = f->fr_optmask; 2226 if (fr->fr_secbits == 0 && f->fr_secbits != 0) 2227 fr->fr_secbits = f->fr_secbits; 2228 if (fr->fr_secmask == 0 && f->fr_secmask != 0) 2229 fr->fr_secmask = f->fr_secmask; 2230 if (fr->fr_authbits == 0 && f->fr_authbits != 0) 2231 fr->fr_authbits = f->fr_authbits; 2232 if (fr->fr_authmask == 0 && f->fr_authmask != 0) 2233 fr->fr_authmask = f->fr_authmask; 2234 2235 for (i = 0; i < 3; i++) { 2236 if (*f->fr_ifnames[i] != '\0' && *fr->fr_ifnames[i] == '\0') 2237 strncpy(fr->fr_ifnames[i], f->fr_ifnames[i], 2238 sizeof(f->fr_ifnames[i])); 2239 } | 2289 if ((fr->fr_mproto == 0) && ((fr->fr_flx & FI_TCPUDP) == 0) && 2290 ((f->fr_flx & FI_TCPUDP) != 0)) 2291 fr->fr_flx |= FI_TCPUDP; |
2240} | 2292} |