ipf_y.y (5e985db5) ipf_y.y (ab25eeb5)
1%{
2/*
3 * Copyright (C) 2003 by Darren Reed.
4 *
5 * See the IPFILTER.LICENCE file for details on licencing.
6 *
1%{
2/*
3 * Copyright (C) 2003 by Darren Reed.
4 *
5 * See the IPFILTER.LICENCE file for details on licencing.
6 *
7 * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
7 * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
8 * Use is subject to license terms.
9 */
10
11#pragma ident "%Z%%M% %I% %E% SMI"
12
13#include "ipf.h"
8 * Use is subject to license terms.
9 */
10
11#pragma ident "%Z%%M% %I% %E% SMI"
12
13#include "ipf.h"
14#include <netinet/ip_icmp.h>
15#include <sys/ioctl.h>
16#include <syslog.h>
17#ifdef IPFILTER_BPF
14#include <sys/ioctl.h>
15#include <syslog.h>
16#ifdef IPFILTER_BPF
18# include <net/bpf.h>
19# include <pcap-int.h>
17# include "pcap-bpf.h"
18# define _NET_BPF_H_
20# include <pcap.h>
21#endif
19# include <pcap.h>
20#endif
22#if SOLARIS2 >= 10
23#include "ip_pool.h"
24#include "ip_htable.h"
25#include "ipl.h"
26#else
27#include "netinet/ip_pool.h"
28#include "netinet/ip_htable.h"
29#include "netinet/ipl.h"
21#include "netinet/ip_pool.h"
22#include "netinet/ip_htable.h"
23#include "netinet/ipl.h"
30#endif
31#include "ipf_l.h"
32
33#define YYDEBUG 1
34#define DOALL(x) for (fr = frc; fr != NULL; fr = fr->fr_next) { x }
35#define DOREM(x) for (; fr != NULL; fr = fr->fr_next) { x }
24#include "ipf_l.h"
25
26#define YYDEBUG 1
27#define DOALL(x) for (fr = frc; fr != NULL; fr = fr->fr_next) { x }
28#define DOREM(x) for (; fr != NULL; fr = fr->fr_next) { x }
36#if SOLARIS2 >= 10
37#define VNI "vni"
38#define VNISTRLEN 3
39#endif
40
29
41#define OPTION_LOG 0x1
42#define OPTION_QUICK 0x2
43#define OPTION_DUP 0x4
44#define OPTION_PROUTE 0x8
45#define OPTION_ON 0x10
46#define OPTION_REPLYTO 0x20
47#define OPTION_FROUTE 0x40
30#define OPTION_LOG 0x1
31#define OPTION_QUICK 0x2
32#define OPTION_DUP 0x4
33#define OPTION_PROUTE 0x8
34#define OPTION_ON 0x10
35#define OPTION_REPLYTO 0x20
36#define OPTION_FROUTE 0x40
48
49extern void yyerror __P((char *));
50extern int yyparse __P((void));
51extern int yylex __P((void));
52extern int yydebug;
53extern FILE *yyin;
54extern int yylineNum;
55
56static void newrule __P((void));
57static void setipftype __P((void));
58static u_32_t lookuphost __P((char *));
37
38extern void yyerror __P((char *));
39extern int yyparse __P((void));
40extern int yylex __P((void));
41extern int yydebug;
42extern FILE *yyin;
43extern int yylineNum;
44
45static void newrule __P((void));
46static void setipftype __P((void));
47static u_32_t lookuphost __P((char *));
59static void dobpf __P((char *));
48static void dobpf __P((int, char *));
60static void resetaddr __P((void));
61static struct alist_s *newalist __P((struct alist_s *));
62static u_int makehash __P((struct alist_s *));
63static int makepool __P((struct alist_s *));
64static frentry_t *addrule __P((void));
65static void setsyslog __P((void));
66static void unsetsyslog __P((void));
67static void fillgroup __P((frentry_t *));


72static int nowith = 0;
73static int dynamic = -1;
74static int pooled = 0;
75static int hashed = 0;
76static int nrules = 0;
77static int newlist = 0;
78static int added = 0;
79static int ipffd = -1;
49static void resetaddr __P((void));
50static struct alist_s *newalist __P((struct alist_s *));
51static u_int makehash __P((struct alist_s *));
52static int makepool __P((struct alist_s *));
53static frentry_t *addrule __P((void));
54static void setsyslog __P((void));
55static void unsetsyslog __P((void));
56static void fillgroup __P((frentry_t *));


61static int nowith = 0;
62static int dynamic = -1;
63static int pooled = 0;
64static int hashed = 0;
65static int nrules = 0;
66static int newlist = 0;
67static int added = 0;
68static int ipffd = -1;
69static int ruleopts = 0;
80static int *yycont = 0;
70static int *yycont = 0;
81static int ruleopts = 0;
82static ioctlfunc_t ipfioctl[IPL_LOGSIZE];
83static addfunc_t ipfaddfunc = NULL;
71static ioctlfunc_t ipfioctl[IPL_LOGSIZE];
72static addfunc_t ipfaddfunc = NULL;
84static wordtab_t addrwords[4];
85static wordtab_t maskwords[5];
86static wordtab_t *savewords;
87static int set_ipv6_addr = 0;
73static struct wordtab ipfwords[95];
74static struct wordtab addrwords[4];
75static struct wordtab maskwords[5];
76static struct wordtab icmpcodewords[17];
77static struct wordtab icmptypewords[16];
78static struct wordtab ipv4optwords[25];
79static struct wordtab ipv4secwords[9];
80static struct wordtab ipv6optwords[8];
81static struct wordtab logwords[33];
82static int set_ipv6_addr = 0;
88
89%}
90%union {
91 char *str;
92 u_32_t num;
93 struct in_addr ipa;
94 frentry_t fr;
95 frtuc_t *frt;
96 struct alist_s *alist;
83
84%}
85%union {
86 char *str;
87 u_32_t num;
88 struct in_addr ipa;
89 frentry_t fr;
90 frtuc_t *frt;
91 struct alist_s *alist;
92 u_short port;
97 struct {
98 u_short p1;
99 u_short p2;
100 int pc;
101 } pc;
102 struct {
103 union i6addr a;
104 union i6addr m;
105 } ipp;
106 union i6addr ip6;
107};
108
93 struct {
94 u_short p1;
95 u_short p2;
96 int pc;
97 } pc;
98 struct {
99 union i6addr a;
100 union i6addr m;
101 } ipp;
102 union i6addr ip6;
103};
104
109%type <num> portnum facility priority icmpcode seclevel secname icmptype
105%type <port> portnum
106%type <num> facility priority icmpcode seclevel secname icmptype
110%type <num> opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr
107%type <num> opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr
111%type <num> portc porteq
112%type <ipa> hostname ipv4 ipv4mask
108%type <num> portc porteq
109%type <ipa> hostname ipv4 ipv4mask ipv4_16 ipv4_24
113%type <ip6> ipv6mask
114%type <ipp> addr ipaddr
115%type <str> servicename name interfacename
116%type <pc> portrange portcomp
117%type <alist> addrlist poollist
118
119%token <num> YY_NUMBER YY_HEX
120%token <str> YY_STR
121%token YY_COMMENT
122%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
123%token YY_RANGE_OUT YY_RANGE_IN
124%token <ip6> YY_IPV6
125
126%token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL
127%token IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST
128%token IPFY_IN IPFY_OUT
129%token IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA
110%type <ip6> ipv6mask
111%type <ipp> addr ipaddr
112%type <str> servicename name interfacename
113%type <pc> portrange portcomp
114%type <alist> addrlist poollist
115
116%token <num> YY_NUMBER YY_HEX
117%token <str> YY_STR
118%token YY_COMMENT
119%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
120%token YY_RANGE_OUT YY_RANGE_IN
121%token <ip6> YY_IPV6
122
123%token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL
124%token IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST
125%token IPFY_IN IPFY_OUT
126%token IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA
130%token IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO
127%token IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO IPFY_ROUTETO
131%token IPFY_TOS IPFY_TTL IPFY_PROTO
132%token IPFY_HEAD IPFY_GROUP
128%token IPFY_TOS IPFY_TTL IPFY_PROTO
129%token IPFY_HEAD IPFY_GROUP
133%token IPFY_AUTH IPFY_PREAUTH IPFY_DIVERT
130%token IPFY_AUTH IPFY_PREAUTH
134%token IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK
131%token IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK
135%token IPFY_LOGTAG IPFY_TAG IPFY_SKIP
136%token IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPF IPFY_POOL IPFY_HASH
132%token IPFY_LOGTAG IPFY_MATCHTAG IPFY_SETTAG IPFY_SKIP
133%token IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPFV4 IPFY_BPFV6 IPFY_POOL IPFY_HASH
137%token IPFY_PPS
138%token IPFY_ESP IPFY_AH
139%token IPFY_WITH IPFY_AND IPFY_NOT IPFY_NO IPFY_OPT
140%token IPFY_TCPUDP IPFY_TCP IPFY_UDP
141%token IPFY_FLAGS IPFY_MULTICAST
142%token IPFY_MASK IPFY_BROADCAST IPFY_NETWORK IPFY_NETMASKED IPFY_PEER
143%token IPFY_PORT
144%token IPFY_NOW
145%token IPFY_ICMP IPFY_ICMPTYPE IPFY_ICMPCODE
146%token IPFY_IPOPTS IPFY_SHORT IPFY_NAT IPFY_BADSRC IPFY_LOWTTL IPFY_FRAG
147%token IPFY_MBCAST IPFY_BAD IPFY_BADNAT IPFY_OOW IPFY_NEWISN IPFY_NOICMPERR
148%token IPFY_KEEP IPFY_STATE IPFY_FRAGS IPFY_LIMIT IPFY_STRICT IPFY_AGE
134%token IPFY_PPS
135%token IPFY_ESP IPFY_AH
136%token IPFY_WITH IPFY_AND IPFY_NOT IPFY_NO IPFY_OPT
137%token IPFY_TCPUDP IPFY_TCP IPFY_UDP
138%token IPFY_FLAGS IPFY_MULTICAST
139%token IPFY_MASK IPFY_BROADCAST IPFY_NETWORK IPFY_NETMASKED IPFY_PEER
140%token IPFY_PORT
141%token IPFY_NOW
142%token IPFY_ICMP IPFY_ICMPTYPE IPFY_ICMPCODE
143%token IPFY_IPOPTS IPFY_SHORT IPFY_NAT IPFY_BADSRC IPFY_LOWTTL IPFY_FRAG
144%token IPFY_MBCAST IPFY_BAD IPFY_BADNAT IPFY_OOW IPFY_NEWISN IPFY_NOICMPERR
145%token IPFY_KEEP IPFY_STATE IPFY_FRAGS IPFY_LIMIT IPFY_STRICT IPFY_AGE
146%token IPFY_SYNC IPFY_FRAGBODY
149%token IPFY_IPOPT_NOP IPFY_IPOPT_RR IPFY_IPOPT_ZSU IPFY_IPOPT_MTUP
150%token IPFY_IPOPT_MTUR IPFY_IPOPT_ENCODE IPFY_IPOPT_TS IPFY_IPOPT_TR
151%token IPFY_IPOPT_SEC IPFY_IPOPT_LSRR IPFY_IPOPT_ESEC IPFY_IPOPT_CIPSO
152%token IPFY_IPOPT_SATID IPFY_IPOPT_SSRR IPFY_IPOPT_ADDEXT IPFY_IPOPT_VISA
153%token IPFY_IPOPT_IMITD IPFY_IPOPT_EIP IPFY_IPOPT_FINN IPFY_IPOPT_DPS
154%token IPFY_IPOPT_SDB IPFY_IPOPT_NSAPA IPFY_IPOPT_RTRALRT IPFY_IPOPT_UMP
155%token IPFY_SECCLASS IPFY_SEC_UNC IPFY_SEC_CONF IPFY_SEC_RSV1 IPFY_SEC_RSV2
156%token IPFY_SEC_RSV4 IPFY_SEC_SEC IPFY_SEC_TS IPFY_SEC_RSV3


207 free($3);
208 }
209 ;
210
211assigning:
212 '=' { yyvarnext = 1; }
213 ;
214
147%token IPFY_IPOPT_NOP IPFY_IPOPT_RR IPFY_IPOPT_ZSU IPFY_IPOPT_MTUP
148%token IPFY_IPOPT_MTUR IPFY_IPOPT_ENCODE IPFY_IPOPT_TS IPFY_IPOPT_TR
149%token IPFY_IPOPT_SEC IPFY_IPOPT_LSRR IPFY_IPOPT_ESEC IPFY_IPOPT_CIPSO
150%token IPFY_IPOPT_SATID IPFY_IPOPT_SSRR IPFY_IPOPT_ADDEXT IPFY_IPOPT_VISA
151%token IPFY_IPOPT_IMITD IPFY_IPOPT_EIP IPFY_IPOPT_FINN IPFY_IPOPT_DPS
152%token IPFY_IPOPT_SDB IPFY_IPOPT_NSAPA IPFY_IPOPT_RTRALRT IPFY_IPOPT_UMP
153%token IPFY_SECCLASS IPFY_SEC_UNC IPFY_SEC_CONF IPFY_SEC_RSV1 IPFY_SEC_RSV2
154%token IPFY_SEC_RSV4 IPFY_SEC_SEC IPFY_SEC_TS IPFY_SEC_RSV3


205 free($3);
206 }
207 ;
208
209assigning:
210 '=' { yyvarnext = 1; }
211 ;
212
215rule: inrule
216 | outrule
213rule: inrule eol
214 | outrule eol
217 ;
218
215 ;
216
217eol: | ';'
218 ;
219
219inrule:
220inrule:
220 rulehead markin { ruleopts = 0; } inopts rulemain ruletail
221 rulehead markin { ruleopts = 0; } inopts rulemain ruletail intag ruletail2
221 ;
222
223outrule:
222 ;
223
224outrule:
224 rulehead markout { ruleopts = 0; } outopts rulemain ruletail
225 rulehead markout { ruleopts = 0; } outopts rulemain ruletail outtag ruletail2
225 ;
226
227rulehead:
228 collection action
229 | insert collection action
230 ;
231
232markin: IPFY_IN { fr->fr_flags |= FR_INQUE; }


241 | bpfrule
242 ;
243
244ipfrule:
245 tos ttl proto ip
246 ;
247
248bpfrule:
226 ;
227
228rulehead:
229 collection action
230 | insert collection action
231 ;
232
233markin: IPFY_IN { fr->fr_flags |= FR_INQUE; }


242 | bpfrule
243 ;
244
245ipfrule:
246 tos ttl proto ip
247 ;
248
249bpfrule:
249 IPFY_BPF '{' YY_STR '}' { dobpf($3); free($3); }
250 IPFY_BPFV4 '{' YY_STR '}' { dobpf(4, $3); free($3); }
251 | IPFY_BPFV6 '{' YY_STR '}' { dobpf(6, $3); free($3); }
250 ;
251
252ruletail:
252 ;
253
254ruletail:
253 keep head group tag pps age new
255 with keep head group
254 ;
255
256 ;
257
258ruletail2:
259 pps age new
260 ;
261
262intag: settagin matchtagin
263 ;
264
265outtag: settagout matchtagout
266 ;
267
256insert:
268insert:
257 '@' YY_NUMBER { fr->fr_hits = (U_QUAD_T)$2; }
269 '@' YY_NUMBER { fr->fr_hits = (U_QUAD_T)$2 + 1; }
258 ;
259
260collection:
261 | YY_NUMBER { fr->fr_collect = $1; }
262 ;
263
264action: block
265 | IPFY_PASS { fr->fr_flags |= FR_PASS; }
270 ;
271
272collection:
273 | YY_NUMBER { fr->fr_collect = $1; }
274 ;
275
276action: block
277 | IPFY_PASS { fr->fr_flags |= FR_PASS; }
266 | IPFY_DIVERT YY_NUMBER { fr->fr_flags |= FR_DIVERT;
267 fr->fr_arg = $2; }
268 | log
269 | IPFY_COUNT { fr->fr_flags |= FR_ACCOUNT; }
270 | auth
271 | IPFY_SKIP YY_NUMBER { fr->fr_flags |= FR_SKIP;
272 fr->fr_arg = $2; }
273 | IPFY_CALL func
274 | IPFY_CALL IPFY_NOW func { fr->fr_flags |= FR_CALLNOW; }
275 ;


424lend: ')' { nrules += added; }
425 ;
426
427lmore: lanother { if (newlist == 1) {
428 newlist = 0;
429 }
430 fr = addrule();
431 if (yycont != NULL)
278 | log
279 | IPFY_COUNT { fr->fr_flags |= FR_ACCOUNT; }
280 | auth
281 | IPFY_SKIP YY_NUMBER { fr->fr_flags |= FR_SKIP;
282 fr->fr_arg = $2; }
283 | IPFY_CALL func
284 | IPFY_CALL IPFY_NOW func { fr->fr_flags |= FR_CALLNOW; }
285 ;


434lend: ')' { nrules += added; }
435 ;
436
437lmore: lanother { if (newlist == 1) {
438 newlist = 0;
439 }
440 fr = addrule();
441 if (yycont != NULL)
432 *yycont = 1;
442 *yycont = 1;
433 }
434 ;
435
436lanother:
437 | ','
438 ;
439
440setttl: IPFY_TTL { setipftype(); }


449proto: | protox protocol { yyresetdict(); }
450 ;
451
452protox: IPFY_PROTO { setipftype();
453 fr = frc;
454 yysetdict(NULL); }
455 ;
456
443 }
444 ;
445
446lanother:
447 | ','
448 ;
449
450setttl: IPFY_TTL { setipftype(); }


459proto: | protox protocol { yyresetdict(); }
460 ;
461
462protox: IPFY_PROTO { setipftype();
463 fr = frc;
464 yysetdict(NULL); }
465 ;
466
457ip: srcdst flags with icmp
467ip: srcdst flags icmp
458 ;
459
460group: | IPFY_GROUP YY_STR { DOALL(strncpy(fr->fr_group, $2, \
461 FR_GROUPLEN); \
462 fillgroup(fr););
463 free($2); }
464 | IPFY_GROUP YY_NUMBER { DOALL(sprintf(fr->fr_group, "%d", \
465 $2); \
466 fillgroup(fr);) }
467 ;
468
469head: | IPFY_HEAD YY_STR { DOALL(strncpy(fr->fr_grhead, $2, \
470 FR_GROUPLEN););
471 free($2); }
472 | IPFY_HEAD YY_NUMBER { DOALL(sprintf(fr->fr_grhead, "%d", \
473 $2);) }
474 ;
475
468 ;
469
470group: | IPFY_GROUP YY_STR { DOALL(strncpy(fr->fr_group, $2, \
471 FR_GROUPLEN); \
472 fillgroup(fr););
473 free($2); }
474 | IPFY_GROUP YY_NUMBER { DOALL(sprintf(fr->fr_group, "%d", \
475 $2); \
476 fillgroup(fr);) }
477 ;
478
479head: | IPFY_HEAD YY_STR { DOALL(strncpy(fr->fr_grhead, $2, \
480 FR_GROUPLEN););
481 free($2); }
482 | IPFY_HEAD YY_NUMBER { DOALL(sprintf(fr->fr_grhead, "%d", \
483 $2);) }
484 ;
485
476tag: | IPFY_TAG YY_NUMBER { DOALL(fr->fr_logtag = $2;) }
477 | IPFY_TAG '(' taglist ')'
486settagin:
487 | IPFY_SETTAG '(' taginlist ')'
488 ;
478
489
479taglist:
480 tagspec
481 | taglist ',' tagspec
490taginlist:
491 taginspec
492 | taginlist ',' taginspec
482 ;
483
493 ;
494
484tagspec:
485 IPFY_NAT '=' YY_STR { DOALL(strncpy(fr->fr_nattag.ipt_tag,\
486 $3, 16););
495taginspec:
496 logtag
497 |nattag
498 ;
499
500nattag: IPFY_NAT '=' YY_STR { DOALL(strncpy(fr->fr_nattag.ipt_tag,\
501 $3, IPFTAG_LEN););
487 free($3); }
488 | IPFY_NAT '=' YY_NUMBER { DOALL(sprintf(fr->fr_nattag.ipt_tag,\
502 free($3); }
503 | IPFY_NAT '=' YY_NUMBER { DOALL(sprintf(fr->fr_nattag.ipt_tag,\
489 "%15d", $3);) }
490 | IPFY_LOG '=' YY_NUMBER { DOALL(fr->fr_logtag = $3;) }
504 "%d", $3 & 0xffffffff);) }
491 ;
492
505 ;
506
507logtag: IPFY_LOG '=' YY_NUMBER { DOALL(fr->fr_logtag = $3;) }
508 ;
509
510settagout:
511 | IPFY_SETTAG '(' tagoutlist ')'
512 ;
513
514tagoutlist:
515 tagoutspec
516 | tagoutlist ',' tagoutspec
517 ;
518
519tagoutspec:
520 logtag
521 | nattag
522 ;
523
524matchtagin:
525 | IPFY_MATCHTAG '(' tagoutlist ')'
526 ;
527
528matchtagout:
529 | IPFY_MATCHTAG '(' taginlist ')'
530 ;
531
493pps: | IPFY_PPS YY_NUMBER { DOALL(fr->fr_pps = $2;) }
494 ;
495
496new: | savegroup file restoregroup
497 ;
498
499savegroup:
500 '{'


512 ;
513
514on: IPFY_ON onname
515 | IPFY_ON onname IPFY_INVIA vianame
516 | IPFY_ON onname IPFY_OUTVIA vianame
517 ;
518
519onname: interfacename
532pps: | IPFY_PPS YY_NUMBER { DOALL(fr->fr_pps = $2;) }
533 ;
534
535new: | savegroup file restoregroup
536 ;
537
538savegroup:
539 '{'


551 ;
552
553on: IPFY_ON onname
554 | IPFY_ON onname IPFY_INVIA vianame
555 | IPFY_ON onname IPFY_OUTVIA vianame
556 ;
557
558onname: interfacename
520 {
521#if SOLARIS2 >=10
522 char *cp;
523#endif
524 strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
525#if SOLARIS2 >= 10
526 if (strncmp(VNI, $1, VNISTRLEN) == 0) {
527 cp = $1 + VNISTRLEN;
528 cp += strspn(cp, "0123456789");
529 if (*cp == '\0' || *cp == ':') {
530 fprintf(stderr, "%d: Warning- %s specified. vni"
531 " is a virtual interface, use a physical"
532 " interface instead. See vni(7D)\n",
533 yylineNum, $1);
534 }
535 }
536#endif
559 { strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
537 free($1);
538 }
560 free($1);
561 }
539 | interfacename ',' name
540 {
541#if SOLARIS2 >= 10
542 char *cp;
543#endif
544 strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
545#if SOLARIS2 >= 10
546 if (strncmp(VNI, $1, VNISTRLEN) == 0) {
547 cp = $1 + VNISTRLEN;
548 cp += strspn(cp, "0123456789");
549 if (*cp == '\0' || *cp == ':') {
550 fprintf(stderr, "%d: Warning- %s specified. vni"
551 " is a virtual interface, use a physical"
552 " interface instead. See vni(7D)\n",
553 yylineNum, $1);
554 }
555 }
556#endif
562 | interfacename ',' interfacename
563 { strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
557 free($1);
558 strncpy(fr->fr_ifnames[1], $3, sizeof(fr->fr_ifnames[1]));
564 free($1);
565 strncpy(fr->fr_ifnames[1], $3, sizeof(fr->fr_ifnames[1]));
559#if SOLARIS2 >= 10
560 if (strncmp(VNI, $3, VNISTRLEN) == 0) {
561 cp = $3 + VNISTRLEN;
562 cp += strspn(cp, "0123456789");
563 if (*cp == '\0' || *cp == ':') {
564 fprintf(stderr, "%d: Warning- %s specified. vni"
565 " is a virtual interface, use a physical"
566 " interface instead. See vni(7D)\n",
567 yylineNum, $3);
568 }
569 }
570#endif
571 free($3);
572 }
573 ;
574
575vianame:
566 free($3);
567 }
568 ;
569
570vianame:
576 interfacename
577 {
578#if SOLARIS2 >= 10
579 char *cp;
580#endif
581 strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
582#if SOLARIS2 >= 10
583 if (strncmp(VNI, $1, VNISTRLEN) == 0) {
584 cp = $1 + VNISTRLEN;
585 cp += strspn(cp, "0123456789");
586 if (*cp == '\0' || *cp == ':') {
587 fprintf(stderr, "%d: Warning- %s specified. vni"
588 " is a virtual interface, use a physical"
589 " interface instead. See vni(7D)\n",
590 yylineNum, $1);
591 }
592 }
593#endif
571 name
572 { strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
594 free($1);
595 }
573 free($1);
574 }
596 | interfacename ',' name
597 {
598#if SOLARIS2 >= 10
599 char *cp;
600#endif
601 strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
602#if SOLARIS2 >= 10
603 if (strncmp(VNI, $1, VNISTRLEN) == 0) {
604 cp = $1 + VNISTRLEN;
605 cp += strspn(cp, "0123456789");
606 if (*cp == '\0' || *cp == ':') {
607 fprintf(stderr, "%d: Warning- %s specified. vni"
608 " is a virtual interface, use a physical"
609 " interface instead. See vni(7D)\n",
610 yylineNum, $1);
611 }
612 }
613#endif
575 | name ',' name
576 { strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
614 free($1);
615 strncpy(fr->fr_ifnames[3], $3, sizeof(fr->fr_ifnames[3]));
577 free($1);
578 strncpy(fr->fr_ifnames[3], $3, sizeof(fr->fr_ifnames[3]));
616#if SOLARIS2 >= 10
617 if (strncmp(VNI, $3, VNISTRLEN) == 0) {
618 cp = $3 + VNISTRLEN;
619 cp += strspn(cp, "0123456789");
620 if (*cp == '\0' || *cp == ':') {
621 fprintf(stderr, "%d: Warning- %s specified. vni"
622 " is a virtual interface, use a physical"
623 " interface instead. See vni(7D)\n",
624 yylineNum, $3);
625 }
626 }
627#endif
628 free($3);
629 }
630 ;
631
632dup: IPFY_DUPTO name
633 { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
634 free($2);
635 }
579 free($3);
580 }
581 ;
582
583dup: IPFY_DUPTO name
584 { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
585 free($2);
586 }
636 | IPFY_DUPTO name ':' hostname
587 | IPFY_DUPTO name duptoseparator hostname
637 { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
638 fr->fr_dif.fd_ip = $4;
588 { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
589 fr->fr_dif.fd_ip = $4;
590 yyexpectaddr = 0;
639 free($2);
640 }
591 free($2);
592 }
593 | IPFY_DUPTO name duptoseparator YY_IPV6
594 { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
595 bcopy(&$4, &fr->fr_dif.fd_ip6, sizeof(fr->fr_dif.fd_ip6));
596 yyexpectaddr = 0;
597 free($2);
598 }
641 ;
642
599 ;
600
601duptoseparator:
602 ':' { yyexpectaddr = 1; yycont = &yyexpectaddr; resetaddr(); }
603 ;
604
643froute: IPFY_FROUTE { fr->fr_flags |= FR_FASTROUTE; }
644 ;
645
605froute: IPFY_FROUTE { fr->fr_flags |= FR_FASTROUTE; }
606 ;
607
646proute: IPFY_TO name
608proute: routeto name
647 { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
648 free($2);
649 }
609 { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
610 free($2);
611 }
650 | IPFY_TO name ':' hostname
612 | routeto name duptoseparator hostname
651 { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
652 fr->fr_tif.fd_ip = $4;
613 { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
614 fr->fr_tif.fd_ip = $4;
615 yyexpectaddr = 0;
653 free($2);
654 }
616 free($2);
617 }
618 | routeto name duptoseparator YY_IPV6
619 { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
620 bcopy(&$4, &fr->fr_tif.fd_ip6, sizeof(fr->fr_tif.fd_ip6));
621 yyexpectaddr = 0;
622 free($2);
623 }
655 ;
656
624 ;
625
626routeto:
627 IPFY_TO
628 | IPFY_ROUTETO
629 ;
630
657replyto:
658 IPFY_REPLY_TO name
659 { strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
660 free($2);
661 }
631replyto:
632 IPFY_REPLY_TO name
633 { strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
634 free($2);
635 }
662 | IPFY_REPLY_TO name ':' hostname
636 | IPFY_REPLY_TO name duptoseparator hostname
663 { strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
664 fr->fr_rif.fd_ip = $4;
665 free($2);
666 }
667 ;
668
669logoptions:
670 logoption


681returncode:
682 starticmpcode icmpcode ')' { fr->fr_icode = $2; yyresetdict(); }
683 ;
684
685starticmpcode:
686 '(' { yysetdict(icmpcodewords); }
687 ;
688
637 { strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
638 fr->fr_rif.fd_ip = $4;
639 free($2);
640 }
641 ;
642
643logoptions:
644 logoption


655returncode:
656 starticmpcode icmpcode ')' { fr->fr_icode = $2; yyresetdict(); }
657 ;
658
659starticmpcode:
660 '(' { yysetdict(icmpcodewords); }
661 ;
662
689srcdst: IPFY_ALL
663srcdst: | IPFY_ALL
690 | fromto
691 ;
692
693protocol:
694 YY_NUMBER { DOREM(fr->fr_proto = $1; \
695 fr->fr_mproto = 0xff;) }
696 | YY_STR { if (!strcmp($1, "tcp-udp")) {
697 DOREM(fr->fr_flx |= FI_TCPUDP; \
698 fr->fr_mflx |= FI_TCPUDP;)
699 } else {
700 int p = getproto($1);
701 if (p == -1)
664 | fromto
665 ;
666
667protocol:
668 YY_NUMBER { DOREM(fr->fr_proto = $1; \
669 fr->fr_mproto = 0xff;) }
670 | YY_STR { if (!strcmp($1, "tcp-udp")) {
671 DOREM(fr->fr_flx |= FI_TCPUDP; \
672 fr->fr_mflx |= FI_TCPUDP;)
673 } else {
674 int p = getproto($1);
675 if (p == -1)
702 fprintf(stderr, "protocol unknown: %s, line %d\n", $1, yylineNum);
676 yyerror("protocol unknown");
703 DOREM(fr->fr_proto = p; \
704 fr->fr_mproto = 0xff;)
705 }
706 free($1);
707 }
708 | YY_STR nextstring YY_STR
709 { if (!strcmp($1, "tcp") &&
710 !strcmp($3, "udp")) {


725 | to dstobject { yyexpectaddr = 0; yycont = NULL; }
726 | from srcobject { yyexpectaddr = 0; yycont = NULL; }
727 ;
728
729from: IPFY_FROM { setipftype();
730 if (fr == NULL)
731 fr = frc;
732 yyexpectaddr = 1;
677 DOREM(fr->fr_proto = p; \
678 fr->fr_mproto = 0xff;)
679 }
680 free($1);
681 }
682 | YY_STR nextstring YY_STR
683 { if (!strcmp($1, "tcp") &&
684 !strcmp($3, "udp")) {


699 | to dstobject { yyexpectaddr = 0; yycont = NULL; }
700 | from srcobject { yyexpectaddr = 0; yycont = NULL; }
701 ;
702
703from: IPFY_FROM { setipftype();
704 if (fr == NULL)
705 fr = frc;
706 yyexpectaddr = 1;
707 if (yydebug)
708 printf("set yyexpectaddr\n");
733 yycont = &yyexpectaddr;
734 yysetdict(addrwords);
735 resetaddr(); }
736 ;
737
738to: IPFY_TO { if (fr == NULL)
739 fr = frc;
740 yyexpectaddr = 1;
709 yycont = &yyexpectaddr;
710 yysetdict(addrwords);
711 resetaddr(); }
712 ;
713
714to: IPFY_TO { if (fr == NULL)
715 fr = frc;
716 yyexpectaddr = 1;
717 if (yydebug)
718 printf("set yyexpectaddr\n");
741 yycont = &yyexpectaddr;
742 yysetdict(addrwords);
743 resetaddr(); }
744 ;
745
746with: | andwith withlist
747 ;
748
749andwith:
750 IPFY_WITH { nowith = 0; setipftype(); }
751 | IPFY_AND { nowith = 0; setipftype(); }
752 ;
753
719 yycont = &yyexpectaddr;
720 yysetdict(addrwords);
721 resetaddr(); }
722 ;
723
724with: | andwith withlist
725 ;
726
727andwith:
728 IPFY_WITH { nowith = 0; setipftype(); }
729 | IPFY_AND { nowith = 0; setipftype(); }
730 ;
731
754flags: | IPFY_FLAGS flagset
732flags: | startflags flagset
755 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
733 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
756 | IPFY_FLAGS flagset '/' flagset
734 | startflags flagset '/' flagset
757 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
735 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
758 | IPFY_FLAGS '/' flagset
736 | startflags '/' flagset
759 { DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
737 { DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
760 | IPFY_FLAGS YY_NUMBER
738 | startflags YY_NUMBER
761 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
739 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
762 | IPFY_FLAGS '/' YY_NUMBER
740 | startflags '/' YY_NUMBER
763 { DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
741 { DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
764 | IPFY_FLAGS YY_NUMBER '/' YY_NUMBER
742 | startflags YY_NUMBER '/' YY_NUMBER
765 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
743 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
766 | IPFY_FLAGS flagset '/' YY_NUMBER
744 | startflags flagset '/' YY_NUMBER
767 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
745 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
768 | IPFY_FLAGS YY_NUMBER '/' flagset
746 | startflags YY_NUMBER '/' flagset
769 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
770 ;
771
747 { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
748 ;
749
750startflags:
751 IPFY_FLAGS { if (frc->fr_type != FR_T_IPF)
752 yyerror("flags with non-ipf type rule");
753 if (frc->fr_proto != IPPROTO_TCP)
754 yyerror("flags with non-TCP rule");
755 }
756 ;
757
772flagset:
773 YY_STR { $$ = tcpflags($1); free($1); }
774 | YY_HEX { $$ = $1; }
775 ;
776
777srcobject:
758flagset:
759 YY_STR { $$ = tcpflags($1); free($1); }
760 | YY_HEX { $$ = $1; }
761 ;
762
763srcobject:
778 srcaddr srcport
764 { yyresetdict(); } fromport
765 | srcaddr srcport
779 | '!' srcaddr srcport
780 { DOALL(fr->fr_flags |= FR_NOTSRCIP;) }
766 | '!' srcaddr srcport
767 { DOALL(fr->fr_flags |= FR_NOTSRCIP;) }
781 | fromport
782 ;
783
784srcaddr:
785 addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \
786 bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \
787 if (dynamic != -1) { \
788 fr->fr_satype = ifpflag; \
789 fr->fr_ipf->fri_sifpidx = dynamic; \


835
836srcportlist:
837 portnum { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $1;) }
838 | srcportlist lmore portnum
839 { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $3;) }
840 ;
841
842dstobject:
768 ;
769
770srcaddr:
771 addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \
772 bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \
773 if (dynamic != -1) { \
774 fr->fr_satype = ifpflag; \
775 fr->fr_ipf->fri_sifpidx = dynamic; \


821
822srcportlist:
823 portnum { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $1;) }
824 | srcportlist lmore portnum
825 { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $3;) }
826 ;
827
828dstobject:
843 toport
829 { yyresetdict(); } toport
844 | dstaddr dstport
845 | '!' dstaddr dstport
846 { DOALL(fr->fr_flags |= FR_NOTDSTIP;) }
847 ;
848
849dstaddr:
850 addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
851 bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \


955maskspace:
956 '/'
957 | IPFY_MASK
958 ;
959
960ipv4mask:
961 ipv4 { $$ = $1; }
962 | YY_HEX { $$.s_addr = htonl($1); }
830 | dstaddr dstport
831 | '!' dstaddr dstport
832 { DOALL(fr->fr_flags |= FR_NOTDSTIP;) }
833 ;
834
835dstaddr:
836 addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
837 bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \


941maskspace:
942 '/'
943 | IPFY_MASK
944 ;
945
946ipv4mask:
947 ipv4 { $$ = $1; }
948 | YY_HEX { $$.s_addr = htonl($1); }
963 | YY_NUMBER { ntomask(4, $1, (u_32_t *)&$$); }
949 | YY_NUMBER { if (($1 >= 0) && ($1 <= 32)) {
950 ntomask(4, $1, (u_32_t *)&$$);
951 } else
952 yyerror("invalid mask");
953 }
964 | IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) {
965 $$.s_addr = 0;
966 ifpflag = FRI_BROADCAST;
967 } else
968 YYERROR;
969 }
970 | IPFY_NETWORK { if (ifpflag == FRI_DYNAMIC) {
971 $$.s_addr = 0;


983 $$.s_addr = 0;
984 ifpflag = FRI_PEERADDR;
985 } else
986 YYERROR;
987 }
988 ;
989
990ipv6mask:
954 | IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) {
955 $$.s_addr = 0;
956 ifpflag = FRI_BROADCAST;
957 } else
958 YYERROR;
959 }
960 | IPFY_NETWORK { if (ifpflag == FRI_DYNAMIC) {
961 $$.s_addr = 0;


973 $$.s_addr = 0;
974 ifpflag = FRI_PEERADDR;
975 } else
976 YYERROR;
977 }
978 ;
979
980ipv6mask:
991 YY_NUMBER { ntomask(6, $1, $$.i6); }
981 YY_NUMBER { if (($1 >= 0) && ($1 <= 128)) {
982 ntomask(6, $1, $$.i6);
983 } else
984 yyerror("invalid mask");
985 }
992 | IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) {
993 bzero(&$$, sizeof($$));
994 ifpflag = FRI_BROADCAST;
995 } else
996 YYERROR;
997 }
998 | IPFY_NETWORK { if (ifpflag == FRI_DYNAMIC) {
999 bzero(&$$, sizeof($$));


1169 | IPFY_AGE YY_NUMBER '/' YY_NUMBER
1170 { DOALL(fr->fr_age[0] = $2; \
1171 fr->fr_age[1] = $4;) }
1172 ;
1173
1174keep: | IPFY_KEEP keepstate
1175 | IPFY_KEEP keepfrag
1176 | IPFY_KEEP keepstate IPFY_KEEP keepfrag
986 | IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) {
987 bzero(&$$, sizeof($$));
988 ifpflag = FRI_BROADCAST;
989 } else
990 YYERROR;
991 }
992 | IPFY_NETWORK { if (ifpflag == FRI_DYNAMIC) {
993 bzero(&$$, sizeof($$));


1163 | IPFY_AGE YY_NUMBER '/' YY_NUMBER
1164 { DOALL(fr->fr_age[0] = $2; \
1165 fr->fr_age[1] = $4;) }
1166 ;
1167
1168keep: | IPFY_KEEP keepstate
1169 | IPFY_KEEP keepfrag
1170 | IPFY_KEEP keepstate IPFY_KEEP keepfrag
1171 | IPFY_KEEP keepfrag IPFY_KEEP keepstate
1177 ;
1178
1179keepstate:
1180 IPFY_STATE stateoptlist { DOALL(fr->fr_flags |= FR_KEEPSTATE;)}
1181 ;
1182
1183keepfrag:
1184 IPFY_FRAGS fragoptlist { DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
1172 ;
1173
1174keepstate:
1175 IPFY_STATE stateoptlist { DOALL(fr->fr_flags |= FR_KEEPSTATE;)}
1176 ;
1177
1178keepfrag:
1179 IPFY_FRAGS fragoptlist { DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
1180 | IPFY_FRAG fragoptlist { DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
1185 ;
1186
1187fragoptlist:
1188 | '(' fragopts ')'
1189 ;
1190
1191fragopts:
1192 fragopt lanother fragopts


1214 fr->fr_flags |= FR_STSTRICT;)
1215 }
1216 | IPFY_NEWISN { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
1217 YYERROR; \
1218 } else \
1219 fr->fr_flags |= FR_NEWISN;)
1220 }
1221 | IPFY_NOICMPERR { DOALL(fr->fr_flags |= FR_NOICMPERR;) }
1181 ;
1182
1183fragoptlist:
1184 | '(' fragopts ')'
1185 ;
1186
1187fragopts:
1188 fragopt lanother fragopts

--- 21 unchanged lines hidden (view full) ---

1210 fr->fr_flags |= FR_STSTRICT;)
1211 }
1212 | IPFY_NEWISN { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
1213 YYERROR; \
1214 } else \
1215 fr->fr_flags |= FR_NEWISN;)
1216 }
1217 | IPFY_NOICMPERR { DOALL(fr->fr_flags |= FR_NOICMPERR;) }
1218
1219 | IPFY_SYNC { DOALL(fr->fr_flags |= FR_STATESYNC;) }
1222 ;
1223
1224portnum:
1220 ;
1221
1222portnum:
1225 servicename { $$ = ntohs(getport(frc, $1));
1226 if ($$ == -1)
1227 fprintf(stderr, "service unknown: %s, line %d\n", $1, yylineNum);
1223 servicename { if (getport(frc, $1, &($$)) == -1)
1224 yyerror("service unknown");
1225 else
1226 $$ = ntohs($$);
1228 free($1);
1229 }
1227 free($1);
1228 }
1230 | YY_NUMBER { $$ = $1; }
1229 | YY_NUMBER { if ($1 > 65535) /* Unsigned */
1230 yyerror("invalid port number");
1231 else
1232 $$ = $1;
1233 }
1231 ;
1232
1233withlist:
1234 withopt
1235 | withlist withopt
1234 ;
1235
1236withlist:
1237 withopt
1238 | withlist withopt
1239 | withlist ',' withopt
1236 ;
1237
1238withopt:
1239 opttype { DOALL(fr->fr_flx |= $1; fr->fr_mflx |= $1;) }
1240 | notwith opttype
1240 ;
1241
1242withopt:
1243 opttype { DOALL(fr->fr_flx |= $1; fr->fr_mflx |= $1;) }
1244 | notwith opttype
1241 { DOALL(fr->fr_mflx |= $2;) }
1242 | IPFY_OPT ipopts
1243 | notwith IPFY_OPT ipopts
1244 | startv6hdrs ipv6hdrs
1245 { DOALL(fr->fr_mflx |= $2;) }
1246 | ipopt ipopts { yyresetdict(); }
1247 | notwith ipopt ipopts { yyresetdict(); }
1248 | startv6hdrs ipv6hdrs { yyresetdict(); }
1245 ;
1246
1249 ;
1250
1251ipopt: IPFY_OPT { yysetdict(ipv4optwords); }
1252 ;
1253
1247startv6hdrs:
1248 IPF6_V6HDRS { if (use_inet6 == 0)
1249 yyerror("only available with IPv6");
1254startv6hdrs:
1255 IPF6_V6HDRS { if (use_inet6 == 0)
1256 yyerror("only available with IPv6");
1257 yysetdict(ipv6optwords);
1250 }
1251 ;
1252
1253notwith:
1254 IPFY_NOT { nowith = 1; }
1255 | IPFY_NO { nowith = 1; }
1256 ;
1257
1258opttype:
1259 IPFY_IPOPTS { $$ = FI_OPTIONS; }
1260 | IPFY_SHORT { $$ = FI_SHORT; }
1261 | IPFY_NAT { $$ = FI_NATED; }
1262 | IPFY_BAD { $$ = FI_BAD; }
1263 | IPFY_BADNAT { $$ = FI_BADNAT; }
1264 | IPFY_BADSRC { $$ = FI_BADSRC; }
1265 | IPFY_LOWTTL { $$ = FI_LOWTTL; }
1266 | IPFY_FRAG { $$ = FI_FRAG; }
1258 }
1259 ;
1260
1261notwith:
1262 IPFY_NOT { nowith = 1; }
1263 | IPFY_NO { nowith = 1; }
1264 ;
1265
1266opttype:
1267 IPFY_IPOPTS { $$ = FI_OPTIONS; }
1268 | IPFY_SHORT { $$ = FI_SHORT; }
1269 | IPFY_NAT { $$ = FI_NATED; }
1270 | IPFY_BAD { $$ = FI_BAD; }
1271 | IPFY_BADNAT { $$ = FI_BADNAT; }
1272 | IPFY_BADSRC { $$ = FI_BADSRC; }
1273 | IPFY_LOWTTL { $$ = FI_LOWTTL; }
1274 | IPFY_FRAG { $$ = FI_FRAG; }
1275 | IPFY_FRAGBODY { $$ = FI_FRAGBODY; }
1276 | IPFY_FRAGS { $$ = FI_FRAG; }
1267 | IPFY_MBCAST { $$ = FI_MBCAST; }
1268 | IPFY_MULTICAST { $$ = FI_MULTICAST; }
1269 | IPFY_BROADCAST { $$ = FI_BROADCAST; }
1270 | IPFY_STATE { $$ = FI_STATE; }
1271 | IPFY_OOW { $$ = FI_OOW; }
1272 ;
1273
1274ipopts: optlist { DOALL(fr->fr_mip.fi_optmsk |= $1;

--- 94 unchanged lines hidden (view full) ---

1369 | IPFY_IPOPT_IMITD { $$ = getoptbyvalue(IPOPT_IMITD); }
1370 | IPFY_IPOPT_EIP { $$ = getoptbyvalue(IPOPT_EIP); }
1371 | IPFY_IPOPT_FINN { $$ = getoptbyvalue(IPOPT_FINN); }
1372 | IPFY_IPOPT_DPS { $$ = getoptbyvalue(IPOPT_DPS); }
1373 | IPFY_IPOPT_SDB { $$ = getoptbyvalue(IPOPT_SDB); }
1374 | IPFY_IPOPT_NSAPA { $$ = getoptbyvalue(IPOPT_NSAPA); }
1375 | IPFY_IPOPT_RTRALRT { $$ = getoptbyvalue(IPOPT_RTRALRT); }
1376 | IPFY_IPOPT_UMP { $$ = getoptbyvalue(IPOPT_UMP); }
1277 | IPFY_MBCAST { $$ = FI_MBCAST; }
1278 | IPFY_MULTICAST { $$ = FI_MULTICAST; }
1279 | IPFY_BROADCAST { $$ = FI_BROADCAST; }
1280 | IPFY_STATE { $$ = FI_STATE; }
1281 | IPFY_OOW { $$ = FI_OOW; }
1282 ;
1283
1284ipopts: optlist { DOALL(fr->fr_mip.fi_optmsk |= $1;
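Review bot: The new `YY_NUMBER` branch of `portnum` bounds the value only from above (`if ($1 > 65535)`), while the mask rule changed in this same commit tests `($1 >= 0) && ($1 <= 128)`. If YY_NUMBER can carry a negative value, a negative port still reaches `$$ = $1`; writing the test as `if ($1 < 0 || $1 > 65535)` makes the two checks agree and costs nothing if the token turns out to be unsigned. In the `servicename` branch `$$` is never given a port value when `getport()` fails, so unless `yyerror()` does not return, the rule keeps whatever was left there; assigning `$$ = 0;` before `yyerror("service unknown")` would make that case deterministic.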

--- 94 unchanged lines hidden (view full) ---

1379 | IPFY_IPOPT_IMITD { $$ = getoptbyvalue(IPOPT_IMITD); }
1380 | IPFY_IPOPT_EIP { $$ = getoptbyvalue(IPOPT_EIP); }
1381 | IPFY_IPOPT_FINN { $$ = getoptbyvalue(IPOPT_FINN); }
1382 | IPFY_IPOPT_DPS { $$ = getoptbyvalue(IPOPT_DPS); }
1383 | IPFY_IPOPT_SDB { $$ = getoptbyvalue(IPOPT_SDB); }
1384 | IPFY_IPOPT_NSAPA { $$ = getoptbyvalue(IPOPT_NSAPA); }
1385 | IPFY_IPOPT_RTRALRT { $$ = getoptbyvalue(IPOPT_RTRALRT); }
1386 | IPFY_IPOPT_UMP { $$ = getoptbyvalue(IPOPT_UMP); }
1377 | IPFY_SECCLASS secname
1387 | setsecclass secname
1378 { DOALL(fr->fr_mip.fi_secmsk |= $2;
1379 if (!nowith)
1380 fr->fr_ip.fi_secmsk |= $2;)
1381 $$ = 0;
1388 { DOALL(fr->fr_mip.fi_secmsk |= $2;
1389 if (!nowith)
1390 fr->fr_ip.fi_secmsk |= $2;)
1391 $$ = 0;
1392 yyresetdict();
1382 }
1383 ;
1384
1393 }
1394 ;
1395
1396setsecclass:
1397 IPFY_SECCLASS { yysetdict(ipv4secwords); }
1398 ;
1399
1385ipv6hdr:
1386 IPFY_AH { $$ = getv6optbyvalue(IPPROTO_AH); }
1387 | IPFY_IPV6OPT_DSTOPTS { $$ = getv6optbyvalue(IPPROTO_DSTOPTS); }
1388 | IPFY_ESP { $$ = getv6optbyvalue(IPPROTO_ESP); }
1389 | IPFY_IPV6OPT_HOPOPTS { $$ = getv6optbyvalue(IPPROTO_HOPOPTS); }
1390 | IPFY_IPV6OPT_IPV6 { $$ = getv6optbyvalue(IPPROTO_IPV6); }
1391 | IPFY_IPV6OPT_NONE { $$ = getv6optbyvalue(IPPROTO_NONE); }
1392 | IPFY_IPV6OPT_ROUTING { $$ = getv6optbyvalue(IPPROTO_ROUTING); }

--- 41 unchanged lines hidden (view full) ---

1434 | IPFY_PRI_ERR { $$ = LOG_ERR; }
1435 | IPFY_PRI_WARN { $$ = LOG_WARNING; }
1436 | IPFY_PRI_NOTICE { $$ = LOG_NOTICE; }
1437 | IPFY_PRI_INFO { $$ = LOG_INFO; }
1438 | IPFY_PRI_DEBUG { $$ = LOG_DEBUG; }
1439 ;
1440
1441compare:
1400ipv6hdr:
1401 IPFY_AH { $$ = getv6optbyvalue(IPPROTO_AH); }
1402 | IPFY_IPV6OPT_DSTOPTS { $$ = getv6optbyvalue(IPPROTO_DSTOPTS); }
1403 | IPFY_ESP { $$ = getv6optbyvalue(IPPROTO_ESP); }
1404 | IPFY_IPV6OPT_HOPOPTS { $$ = getv6optbyvalue(IPPROTO_HOPOPTS); }
1405 | IPFY_IPV6OPT_IPV6 { $$ = getv6optbyvalue(IPPROTO_IPV6); }
1406 | IPFY_IPV6OPT_NONE { $$ = getv6optbyvalue(IPPROTO_NONE); }
1407 | IPFY_IPV6OPT_ROUTING { $$ = getv6optbyvalue(IPPROTO_ROUTING); }

--- 41 unchanged lines hidden (view full) ---

1449 | IPFY_PRI_ERR { $$ = LOG_ERR; }
1450 | IPFY_PRI_WARN { $$ = LOG_WARNING; }
1451 | IPFY_PRI_NOTICE { $$ = LOG_NOTICE; }
1452 | IPFY_PRI_INFO { $$ = LOG_INFO; }
1453 | IPFY_PRI_DEBUG { $$ = LOG_DEBUG; }
1454 ;
1455
1456compare:
1442 '=' { $$ = FR_EQUAL; }
1443 | YY_CMP_EQ { $$ = FR_EQUAL; }
1457 YY_CMP_EQ { $$ = FR_EQUAL; }
1444 | YY_CMP_NE { $$ = FR_NEQUAL; }
1445 | YY_CMP_LT { $$ = FR_LESST; }
1446 | YY_CMP_LE { $$ = FR_LESSTE; }
1447 | YY_CMP_GT { $$ = FR_GREATERT; }
1448 | YY_CMP_GE { $$ = FR_GREATERTE; }
1449 ;
1450
1451range: YY_RANGE_IN { $$ = FR_INRANGE; }
1452 | YY_RANGE_OUT { $$ = FR_OUTRANGE; }
1453 | ':' { $$ = FR_INCRANGE; }
1454 ;
1455
1456servicename:
1457 YY_STR { $$ = $1; }
1458 ;
1459
1460interfacename: YY_STR { $$ = $1; }
1461 | YY_STR ':' YY_NUMBER
1462 { $$ = $1;
1458 | YY_CMP_NE { $$ = FR_NEQUAL; }
1459 | YY_CMP_LT { $$ = FR_LESST; }
1460 | YY_CMP_LE { $$ = FR_LESSTE; }
1461 | YY_CMP_GT { $$ = FR_GREATERT; }
1462 | YY_CMP_GE { $$ = FR_GREATERTE; }
1463 ;
1464
1465range: YY_RANGE_IN { $$ = FR_INRANGE; }
1466 | YY_RANGE_OUT { $$ = FR_OUTRANGE; }
1467 | ':' { $$ = FR_INCRANGE; }
1468 ;
1469
1470servicename:
1471 YY_STR { $$ = $1; }
1472 ;
1473
1474interfacename: YY_STR { $$ = $1; }
1475 | YY_STR ':' YY_NUMBER
1476 { $$ = $1;
1463#if SOLARIS2 >= 10
1464 if (strncmp(VNI, $1, VNISTRLEN) != 0)
1465#endif
1466 fprintf(stderr, "%d: Logical interface %s:%d unsupported, "
1477 fprintf(stderr, "%d: Logical interface %s:%d unsupported, "
1467 "use the physical interface %s instead.\n",
1468 yylineNum, $1, $3, $1);
1478 "use the physical interface %s instead.\n",
1479 yylineNum, $1, $3, $1);
1469 }
1470 ;
1471
1472name: YY_STR { $$ = $1; }
1473 ;
1474
1480 }
1481 ;
1482
1483name: YY_STR { $$ = $1; }
1484 ;
1485
1475ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER
1476 { if ($1 > 255 || $3 > 255 || $5 > 255 || $7 > 255) {
1486ipv4_16:
1487 YY_NUMBER '.' YY_NUMBER
1488 { if ($1 > 255 || $3 > 255) {
1477 yyerror("Invalid octet string for IP address");
1478 return 0;
1479 }
1489 yyerror("Invalid octet string for IP address");
1490 return 0;
1491 }
1480 $$.s_addr = ($1 << 24) | ($3 << 16) | ($5 << 8) | $7;
1492 $$.s_addr = ($1 << 24) | ($3 << 16);
1481 $$.s_addr = htonl($$.s_addr);
1482 }
1483 ;
1493 $$.s_addr = htonl($$.s_addr);
1494 }
1495 ;
1496
1497ipv4_24:
1498 ipv4_16 '.' YY_NUMBER
1499 { if ($3 > 255) {
1500 yyerror("Invalid octet string for IP address");
1501 return 0;
1502 }
1503 $$.s_addr |= htonl($3 << 8);
1504 }
1505 ;
1506
1507ipv4: ipv4_24 '.' YY_NUMBER
1508 { if ($3 > 255) {
1509 yyerror("Invalid octet string for IP address");
1510 return 0;
1511 }
1512 $$.s_addr |= htonl($3);
1513 }
1514 | ipv4_24
1515 | ipv4_16
1516 ;
1517
1484%%
1485
1486
1518%%
1519
1520
1487static struct wordtab ipfwords[] = {
1488 { "addext", IPFY_IPOPT_ADDEXT },
1521static struct wordtab ipfwords[95] = {
1489 { "age", IPFY_AGE },
1490 { "ah", IPFY_AH },
1491 { "all", IPFY_ALL },
1492 { "and", IPFY_AND },
1493 { "auth", IPFY_AUTH },
1494 { "bad", IPFY_BAD },
1495 { "bad-nat", IPFY_BADNAT },
1496 { "bad-src", IPFY_BADSRC },
1497 { "bcast", IPFY_BROADCAST },
1498 { "block", IPFY_BLOCK },
1499 { "body", IPFY_BODY },
1522 { "age", IPFY_AGE },
1523 { "ah", IPFY_AH },
1524 { "all", IPFY_ALL },
1525 { "and", IPFY_AND },
1526 { "auth", IPFY_AUTH },
1527 { "bad", IPFY_BAD },
1528 { "bad-nat", IPFY_BADNAT },
1529 { "bad-src", IPFY_BADSRC },
1530 { "bcast", IPFY_BROADCAST },
1531 { "block", IPFY_BLOCK },
1532 { "body", IPFY_BODY },
1500 { "bpf", IPFY_BPF },
1533 { "bpf-v4", IPFY_BPFV4 },
1534#ifdef USE_INET6
1535 { "bpf-v6", IPFY_BPFV6 },
1536#endif
1501 { "call", IPFY_CALL },
1537 { "call", IPFY_CALL },
1502 { "cipso", IPFY_IPOPT_CIPSO },
1503 { "code", IPFY_ICMPCODE },
1538 { "code", IPFY_ICMPCODE },
1504 { "confid", IPFY_SEC_CONF },
1505 { "count", IPFY_COUNT },
1539 { "count", IPFY_COUNT },
1506 { "divert", IPFY_DIVERT },
1507 { "dps", IPFY_IPOPT_DPS },
1508 { "dstopts", IPFY_IPV6OPT_DSTOPTS },
1509 { "dup-to", IPFY_DUPTO },
1540 { "dup-to", IPFY_DUPTO },
1510 { "e-sec", IPFY_IPOPT_ESEC },
1511 { "eip", IPFY_IPOPT_EIP },
1512 { "encode", IPFY_IPOPT_ENCODE },
1513 { "eq", YY_CMP_EQ },
1514 { "esp", IPFY_ESP },
1515 { "fastroute", IPFY_FROUTE },
1516 { "first", IPFY_FIRST },
1541 { "eq", YY_CMP_EQ },
1542 { "esp", IPFY_ESP },
1543 { "fastroute", IPFY_FROUTE },
1544 { "first", IPFY_FIRST },
1517 { "finn", IPFY_IPOPT_FINN },
1518 { "frag", IPFY_FRAG },
1519 { "flags", IPFY_FLAGS },
1545 { "flags", IPFY_FLAGS },
1546 { "frag", IPFY_FRAG },
1547 { "frag-body", IPFY_FRAGBODY },
1520 { "frags", IPFY_FRAGS },
1521 { "from", IPFY_FROM },
1522 { "ge", YY_CMP_GE },
1523 { "group", IPFY_GROUP },
1524 { "gt", YY_CMP_GT },
1525 { "head", IPFY_HEAD },
1548 { "frags", IPFY_FRAGS },
1549 { "from", IPFY_FROM },
1550 { "ge", YY_CMP_GE },
1551 { "group", IPFY_GROUP },
1552 { "gt", YY_CMP_GT },
1553 { "head", IPFY_HEAD },
1526 { "hopopts", IPFY_IPV6OPT_HOPOPTS },
1527 { "host-preced", IPFY_ICMPC_HSTPRE },
1528 { "host-prohib", IPFY_ICMPC_HSTPRO },
1529 { "host-tos", IPFY_ICMPC_HSTTOS },
1530 { "host-unk", IPFY_ICMPC_HSTUNK },
1531 { "host-unr", IPFY_ICMPC_HSTUNR },
1532 { "icmp", IPFY_ICMP },
1533 { "icmp-type", IPFY_ICMPTYPE },
1554 { "icmp", IPFY_ICMP },
1555 { "icmp-type", IPFY_ICMPTYPE },
1534 { "imitd", IPFY_IPOPT_IMITD },
1535 { "in", IPFY_IN },
1536 { "in-via", IPFY_INVIA },
1537 { "ipopt", IPFY_IPOPTS },
1538 { "ipopts", IPFY_IPOPTS },
1556 { "in", IPFY_IN },
1557 { "in-via", IPFY_INVIA },
1558 { "ipopt", IPFY_IPOPTS },
1559 { "ipopts", IPFY_IPOPTS },
1539 { "ipv6", IPFY_IPV6OPT_IPV6 },
1540 { "keep", IPFY_KEEP },
1541 { "le", YY_CMP_LE },
1542 { "level", IPFY_LEVEL },
1543 { "limit", IPFY_LIMIT },
1544 { "log", IPFY_LOG },
1545 { "lowttl", IPFY_LOWTTL },
1560 { "keep", IPFY_KEEP },
1561 { "le", YY_CMP_LE },
1562 { "level", IPFY_LEVEL },
1563 { "limit", IPFY_LIMIT },
1564 { "log", IPFY_LOG },
1565 { "lowttl", IPFY_LOWTTL },
1546 { "lsrr", IPFY_IPOPT_LSRR },
1547 { "lt", YY_CMP_LT },
1548 { "mask", IPFY_MASK },
1566 { "lt", YY_CMP_LT },
1567 { "mask", IPFY_MASK },
1568 { "match-tag", IPFY_MATCHTAG },
1549 { "mbcast", IPFY_MBCAST },
1569 { "mbcast", IPFY_MBCAST },
1550 { "mtup", IPFY_IPOPT_MTUP },
1551 { "mtur", IPFY_IPOPT_MTUR },
1552 { "multicast", IPFY_MULTICAST },
1553 { "nat", IPFY_NAT },
1554 { "ne", YY_CMP_NE },
1555 { "net", IPFY_NETWORK },
1556 { "newisn", IPFY_NEWISN },
1557 { "no", IPFY_NO },
1558 { "no-icmp-err", IPFY_NOICMPERR },
1570 { "multicast", IPFY_MULTICAST },
1571 { "nat", IPFY_NAT },
1572 { "ne", YY_CMP_NE },
1573 { "net", IPFY_NETWORK },
1574 { "newisn", IPFY_NEWISN },
1575 { "no", IPFY_NO },
1576 { "no-icmp-err", IPFY_NOICMPERR },
1559 { "none", IPFY_IPV6OPT_NONE },
1560 { "nop", IPFY_IPOPT_NOP },
1561 { "now", IPFY_NOW },
1562 { "not", IPFY_NOT },
1577 { "now", IPFY_NOW },
1578 { "not", IPFY_NOT },
1563 { "nsapa", IPFY_IPOPT_NSAPA },
1564 { "oow", IPFY_OOW },
1565 { "on", IPFY_ON },
1566 { "opt", IPFY_OPT },
1567 { "or-block", IPFY_ORBLOCK },
1568 { "out", IPFY_OUT },
1569 { "out-via", IPFY_OUTVIA },
1570 { "pass", IPFY_PASS },
1571 { "port", IPFY_PORT },
1572 { "pps", IPFY_PPS },
1573 { "preauth", IPFY_PREAUTH },
1574 { "proto", IPFY_PROTO },
1575 { "quick", IPFY_QUICK },
1576 { "reply-to", IPFY_REPLY_TO },
1579 { "oow", IPFY_OOW },
1580 { "on", IPFY_ON },
1581 { "opt", IPFY_OPT },
1582 { "or-block", IPFY_ORBLOCK },
1583 { "out", IPFY_OUT },
1584 { "out-via", IPFY_OUTVIA },
1585 { "pass", IPFY_PASS },
1586 { "port", IPFY_PORT },
1587 { "pps", IPFY_PPS },
1588 { "preauth", IPFY_PREAUTH },
1589 { "proto", IPFY_PROTO },
1590 { "quick", IPFY_QUICK },
1591 { "reply-to", IPFY_REPLY_TO },
1577 { "reserv-1", IPFY_SEC_RSV1 },
1578 { "reserv-2", IPFY_SEC_RSV2 },
1579 { "reserv-3", IPFY_SEC_RSV3 },
1580 { "reserv-4", IPFY_SEC_RSV4 },
1581 { "return-icmp", IPFY_RETICMP },
1582 { "return-icmp-as-dest", IPFY_RETICMPASDST },
1583 { "return-rst", IPFY_RETRST },
1592 { "return-icmp", IPFY_RETICMP },
1593 { "return-icmp-as-dest", IPFY_RETICMPASDST },
1594 { "return-rst", IPFY_RETRST },
1584 { "routing", IPFY_IPV6OPT_ROUTING },
1585 { "rr", IPFY_IPOPT_RR },
1586 { "rtralrt", IPFY_IPOPT_RTRALRT },
1587 { "satid", IPFY_IPOPT_SATID },
1588 { "sdb", IPFY_IPOPT_SDB },
1589 { "sec", IPFY_IPOPT_SEC },
1595 { "route-to", IPFY_ROUTETO },
1590 { "sec-class", IPFY_SECCLASS },
1596 { "sec-class", IPFY_SECCLASS },
1591 { "secret", IPFY_SEC_SEC },
1597 { "set-tag", IPFY_SETTAG },
1592 { "skip", IPFY_SKIP },
1593 { "short", IPFY_SHORT },
1598 { "skip", IPFY_SKIP },
1599 { "short", IPFY_SHORT },
1594 { "ssrr", IPFY_IPOPT_SSRR },
1595 { "state", IPFY_STATE },
1600 { "state", IPFY_STATE },
1601 { "state-age", IPFY_AGE },
1596 { "strict", IPFY_STRICT },
1602 { "strict", IPFY_STRICT },
1597 { "tag", IPFY_TAG },
1603 { "sync", IPFY_SYNC },
1598 { "tcp", IPFY_TCP },
1599 { "tcp-udp", IPFY_TCPUDP },
1600 { "tos", IPFY_TOS },
1604 { "tcp", IPFY_TCP },
1605 { "tcp-udp", IPFY_TCPUDP },
1606 { "tos", IPFY_TOS },
1601 { "topsecret", IPFY_SEC_TS },
1602 { "to", IPFY_TO },
1607 { "to", IPFY_TO },
1603 { "tr", IPFY_IPOPT_TR },
1604 { "ts", IPFY_IPOPT_TS },
1605 { "ttl", IPFY_TTL },
1606 { "udp", IPFY_UDP },
1608 { "ttl", IPFY_TTL },
1609 { "udp", IPFY_UDP },
1607 { "ump", IPFY_IPOPT_UMP },
1608 { "unclass", IPFY_SEC_UNC },
1609 { "v6hdrs", IPF6_V6HDRS },
1610 { "v6hdrs", IPF6_V6HDRS },
1610 { "visa", IPFY_IPOPT_VISA },
1611 { "with", IPFY_WITH },
1611 { "with", IPFY_WITH },
1612 { "zsu", IPFY_IPOPT_ZSU },
1613 { NULL, 0 }
1614};
1615
1616static struct wordtab addrwords[4] = {
1617 { "any", IPFY_ANY },
1618 { "hash", IPFY_HASH },
1619 { "pool", IPFY_POOL },
1620 { NULL, 0 }

--- 41 unchanged lines hidden (view full) ---

1662 { "net-unk", IPFY_ICMPC_NETUNK },
1663 { "net-unr", IPFY_ICMPC_NETUNR },
1664 { "port-unr", IPFY_ICMPC_PORUNR },
1665 { "proto-unr", IPFY_ICMPC_PROUNR },
1666 { "srcfail", IPFY_ICMPC_SRCFAIL },
1667 { NULL, 0 },
1668};
1669
1612 { NULL, 0 }
1613};
1614
1615static struct wordtab addrwords[4] = {
1616 { "any", IPFY_ANY },
1617 { "hash", IPFY_HASH },
1618 { "pool", IPFY_POOL },
1619 { NULL, 0 }
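Review bot: The new `ipv4_16` and `ipv4_24` alternatives of `ipv4` are missing a comment that says how a short address is completed. As written, `10.1` becomes 10.1.0.0 (missing octets are zero on the right), which is not the inet_aton() reading of the same text, where the last number fills the remaining low bytes. In a filter rule that difference decides which hosts match, so I would put `/* a.b and a.b.c are zero-filled on the right: 10.1 == 10.1.0.0, not inet_aton()'s 10.0.0.1 */` above `ipv4_16:`. The octet checks test only `> 255`; if YY_NUMBER is signed, a lower bound belongs there too.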

--- 41 unchanged lines hidden (view full) ---

1661 { "net-unk", IPFY_ICMPC_NETUNK },
1662 { "net-unr", IPFY_ICMPC_NETUNR },
1663 { "port-unr", IPFY_ICMPC_PORUNR },
1664 { "proto-unr", IPFY_ICMPC_PROUNR },
1665 { "srcfail", IPFY_ICMPC_SRCFAIL },
1666 { NULL, 0 },
1667};
1668
1670static struct wordtab logwords[] = {
1669static struct wordtab ipv4optwords[25] = {
1670 { "addext", IPFY_IPOPT_ADDEXT },
1671 { "cipso", IPFY_IPOPT_CIPSO },
1672 { "dps", IPFY_IPOPT_DPS },
1673 { "e-sec", IPFY_IPOPT_ESEC },
1674 { "eip", IPFY_IPOPT_EIP },
1675 { "encode", IPFY_IPOPT_ENCODE },
1676 { "finn", IPFY_IPOPT_FINN },
1677 { "imitd", IPFY_IPOPT_IMITD },
1678 { "lsrr", IPFY_IPOPT_LSRR },
1679 { "mtup", IPFY_IPOPT_MTUP },
1680 { "mtur", IPFY_IPOPT_MTUR },
1681 { "nop", IPFY_IPOPT_NOP },
1682 { "nsapa", IPFY_IPOPT_NSAPA },
1683 { "rr", IPFY_IPOPT_RR },
1684 { "rtralrt", IPFY_IPOPT_RTRALRT },
1685 { "satid", IPFY_IPOPT_SATID },
1686 { "sdb", IPFY_IPOPT_SDB },
1687 { "sec", IPFY_IPOPT_SEC },
1688 { "ssrr", IPFY_IPOPT_SSRR },
1689 { "tr", IPFY_IPOPT_TR },
1690 { "ts", IPFY_IPOPT_TS },
1691 { "ump", IPFY_IPOPT_UMP },
1692 { "visa", IPFY_IPOPT_VISA },
1693 { "zsu", IPFY_IPOPT_ZSU },
1694 { NULL, 0 },
1695};
1696
1697static struct wordtab ipv4secwords[9] = {
1698 { "confid", IPFY_SEC_CONF },
1699 { "reserv-1", IPFY_SEC_RSV1 },
1700 { "reserv-2", IPFY_SEC_RSV2 },
1701 { "reserv-3", IPFY_SEC_RSV3 },
1702 { "reserv-4", IPFY_SEC_RSV4 },
1703 { "secret", IPFY_SEC_SEC },
1704 { "topsecret", IPFY_SEC_TS },
1705 { "unclass", IPFY_SEC_UNC },
1706 { NULL, 0 },
1707};
1708
1709static struct wordtab ipv6optwords[8] = {
1710 { "dstopts", IPFY_IPV6OPT_DSTOPTS },
1711 { "esp", IPFY_ESP },
1712 { "frag", IPFY_FRAG },
1713 { "hopopts", IPFY_IPV6OPT_HOPOPTS },
1714 { "ipv6", IPFY_IPV6OPT_IPV6 },
1715 { "none", IPFY_IPV6OPT_NONE },
1716 { "routing", IPFY_IPV6OPT_ROUTING },
1717 { NULL, 0 },
1718};
1719
1720static struct wordtab logwords[33] = {
1671 { "kern", IPFY_FAC_KERN },
1672 { "user", IPFY_FAC_USER },
1673 { "mail", IPFY_FAC_MAIL },
1674 { "daemon", IPFY_FAC_DAEMON },
1675 { "auth", IPFY_FAC_AUTH },
1676 { "syslog", IPFY_FAC_SYSLOG },
1677 { "lpr", IPFY_FAC_LPR },
1678 { "news", IPFY_FAC_NEWS },

--- 208 unchanged lines hidden (view full) ---

1887 sizeof(frc->fr_ifnames[i])) == 0) {
1888 ifpflag = FRI_DYNAMIC;
1889 dynamic = i;
1890 return 0;
1891 }
1892 }
1893
1894 if (gethost(name, &addr) == -1) {
1721 { "kern", IPFY_FAC_KERN },
1722 { "user", IPFY_FAC_USER },
1723 { "mail", IPFY_FAC_MAIL },
1724 { "daemon", IPFY_FAC_DAEMON },
1725 { "auth", IPFY_FAC_AUTH },
1726 { "syslog", IPFY_FAC_SYSLOG },
1727 { "lpr", IPFY_FAC_LPR },
1728 { "news", IPFY_FAC_NEWS },

--- 208 unchanged lines hidden (view full) ---

1937 sizeof(frc->fr_ifnames[i])) == 0) {
1938 ifpflag = FRI_DYNAMIC;
1939 dynamic = i;
1940 return 0;
1941 }
1942 }
1943
1944 if (gethost(name, &addr) == -1) {
1945 fprintf(stderr, "unknown name \"%s\"\n", name);
1895 return 0;
1896 }
1897 return addr;
1898}
1899
1900
1946 return 0;
1947 }
1948 return addr;
1949}
1950
1951
1901static void dobpf(phrase)
1952static void dobpf(v, phrase)
1953int v;
1902char *phrase;
1903{
1904#ifdef IPFILTER_BPF
1905 struct bpf_program bpf;
1906 struct pcap *p;
1954char *phrase;
1955{
1956#ifdef IPFILTER_BPF
1957 struct bpf_program bpf;
1958 struct pcap *p;
1959#endif
1960 fakebpf_t *fb;
1907 u_32_t l;
1908 char *s;
1909 int i;
1910
1911 for (fr = frc; fr != NULL; fr = fr->fr_next) {
1912 if (fr->fr_type != FR_T_NONE) {
1961 u_32_t l;
1962 char *s;
1963 int i;
1964
1965 for (fr = frc; fr != NULL; fr = fr->fr_next) {
1966 if (fr->fr_type != FR_T_NONE) {
1913 fprintf(stderr, "cannoy mix IPF and BPF matching\n");
1967 fprintf(stderr, "cannot mix IPF and BPF matching\n");
1914 return;
1915 }
1968 return;
1969 }
1916 fr->fr_type = FR_T_IPF;
1970 fr->fr_v = v;
1971 fr->fr_type = FR_T_BPFOPC;
1917
1918 if (!strncmp(phrase, "\"0x", 2)) {
1919 phrase++;
1972
1973 if (!strncmp(phrase, "\"0x", 2)) {
1974 phrase++;
1920 fr->fr_data = malloc(4);
1921 if (fr->fr_data == NULL)
1975 fb = malloc(sizeof(fakebpf_t));
1976 if (fb == NULL)
1922 yyerror("sorry, out of memory");
1923
1977 yyerror("sorry, out of memory");
1978
1924 for (i = 0, s = strtok(phrase, " \r\n\t"; s != NULL;
1979 for (i = 0, s = strtok(phrase, " \r\n\t"); s != NULL;
1925 s = strtok(NULL, " \r\n\t"), i++) {
1980 s = strtok(NULL, " \r\n\t"), i++) {
1926 fr->fr_data = realloc(fr->fr_data, (i + 1) * 4);
1927 if (fr->fr_data == NULL)
1981 fb = realloc(fb, (i / 4 + 1) * sizeof(*fb));
1982 if (fb == NULL)
1928 yyerror("sorry, out of memory");
1929 l = (u_32_t)strtol(s, NULL, 0);
1983 yyerror("sorry, out of memory");
1984 l = (u_32_t)strtol(s, NULL, 0);
1930 ((u_32_t *)fr->fr_data)[i] = l;
1985 switch (i & 3)
1986 {
1987 case 0 :
1988 fb[i / 4].fb_c = l & 0xffff;
1989 break;
1990 case 1 :
1991 fb[i / 4].fb_t = l & 0xff;
1992 break;
1993 case 2 :
1994 fb[i / 4].fb_f = l & 0xff;
1995 break;
1996 case 3 :
1997 fb[i / 4].fb_k = l;
1998 break;
1999 }
1931 }
2000 }
2001 if ((i & 3) != 0) {
2002 fprintf(stderr,
2003 "Odd number of bytes in BPF code\n");
2004 exit(1);
2005 }
2006 i--;
2007 fr->fr_dsize = (i / 4 + 1) * sizeof(*fb);
2008 fr->fr_data = fb;
1932 return;
1933 }
1934
2009 return;
2010 }
2011
2012#ifdef IPFILTER_BPF
1935 bzero((char *)&bpf, sizeof(bpf));
1936 p = pcap_open_dead(DLT_RAW, 1);
1937 if (!p) {
1938 fprintf(stderr, "pcap_open_dead failed\n");
1939 return;
1940 }
1941
2013 bzero((char *)&bpf, sizeof(bpf));
2014 p = pcap_open_dead(DLT_RAW, 1);
2015 if (!p) {
2016 fprintf(stderr, "pcap_open_dead failed\n");
2017 return;
2018 }
2019
1942 if (pcap_compile(p, &bpf, phrase, 1, 0xffffffff) {
2020 if (pcap_compile(p, &bpf, phrase, 1, 0xffffffff)) {
1943 pcap_perror(p, "ipf");
1944 pcap_close(p);
2021 pcap_perror(p, "ipf");
2022 pcap_close(p);
1945 fprintf(stderr, "pcap parsing failed\n");
2023 fprintf(stderr, "pcap parsing failed (%s)\n", phrase);
1946 return;
1947 }
1948 pcap_close(p);
1949
1950 fr->fr_dsize = bpf.bf_len * sizeof(struct bpf_insn);
2024 return;
2025 }
2026 pcap_close(p);
2027
2028 fr->fr_dsize = bpf.bf_len * sizeof(struct bpf_insn);
1951 fr->fr_data = malloc(bpf.bf_len);
2029 fr->fr_data = malloc(fr->fr_dsize);
1952 if (fr->fr_data == NULL)
1953 yyerror("sorry, out of memory");
2030 if (fr->fr_data == NULL)
2031 yyerror("sorry, out of memory");
1954 bcopy((char *)bpf.bf_insns, fr->fr_data, bpf.bf_len);
2032 bcopy((char *)bpf.bf_insns, fr->fr_data, fr->fr_dsize);
1955 if (!bpf_validate(fr->fr_data, bpf.bf_len)) {
1956 fprintf(stderr, "BPF validation failed\n");
1957 return;
1958 }
2033 if (!bpf_validate(fr->fr_data, bpf.bf_len)) {
2034 fprintf(stderr, "BPF validation failed\n");
2035 return;
2036 }
2037#endif
1959 }
1960
2038 }
2039
2040#ifdef IPFILTER_BPF
1961 if (opts & OPT_DEBUG)
1962 bpf_dump(&bpf, 0);
1963#else
2041 if (opts & OPT_DEBUG)
2042 bpf_dump(&bpf, 0);
2043#else
1964 fprintf(stderr, "BPF expressions for matching not supported\n");
2044 fprintf(stderr, "BPF filter expressions not supported\n");
2045 exit(1);
1965#endif
1966}
1967
1968
1969static void resetaddr()
1970{
1971 hashed = 0;
1972 pooled = 0;

--- 109 unchanged lines hidden (view full) ---

2082}
2083
2084
2085void ipf_addrule(fd, ioctlfunc, ptr)
2086int fd;
2087ioctlfunc_t ioctlfunc;
2088void *ptr;
2089{
2046#endif
2047}
2048
2049
2050static void resetaddr()
2051{
2052 hashed = 0;
2053 pooled = 0;
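Review bot: In the hex-opcode loop of `dobpf`, `l = (u_32_t)strtol(s, NULL, 0);` accepts anything: a token with no digits becomes 0, and the `& 0xffff` / `& 0xff` masks that follow silently drop the high bits of a value that does not fit `fb_c`, `fb_t` or `fb_f`. The program stored in `fr_data` can therefore differ from what the rule file says, with no diagnostic. Passing an end pointer and rejecting `end == s`, and reporting an out-of-range word instead of masking it, would turn that into a parse error in the same way the `(i & 3) != 0` check already does. Separately, `fb = realloc(fb, ...)` is followed by `yyerror("sorry, out of memory")` with no return, so `fb[i / 4]` is written through NULL if `yyerror()` returns; `tmp = realloc(fb, ...); if (tmp == NULL) { free(fb); yyerror(...); return; }` avoids that and the leak of the old buffer.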

--- 109 unchanged lines hidden (view full) ---

2163}
2164
2165
2166void ipf_addrule(fd, ioctlfunc, ptr)
2167int fd;
2168ioctlfunc_t ioctlfunc;
2169void *ptr;
2170{
2090 u_int add, del;
2171 ioctlcmd_t add, del;
2091 frentry_t *fr;
2092 ipfobj_t obj;
2093
2094 fr = ptr;
2095 add = 0;
2096 del = 0;
2097
2098 bzero((char *)&obj, sizeof(obj));

--- 44 unchanged lines hidden (view full) ---

2143#else
2144 printf("hits %ld bytes %ld ",
2145 fr->fr_hits, fr->fr_bytes);
2146#endif
2147 printfr(fr, ioctlfunc);
2148 }
2149 } else if ((opts & OPT_REMOVE) != 0) {
2150 if ((*ioctlfunc)(fd, del, (void *)&obj) == -1) {
2172 frentry_t *fr;
2173 ipfobj_t obj;
2174
2175 fr = ptr;
2176 add = 0;
2177 del = 0;
2178
2179 bzero((char *)&obj, sizeof(obj));

--- 44 unchanged lines hidden (view full) ---

2224#else
2225 printf("hits %ld bytes %ld ",
2226 fr->fr_hits, fr->fr_bytes);
2227#endif
2228 printfr(fr, ioctlfunc);
2229 }
2230 } else if ((opts & OPT_REMOVE) != 0) {
2231 if ((*ioctlfunc)(fd, del, (void *)&obj) == -1) {
2151 if ((opts & OPT_DONOTHING) == 0) {
2232 if ((opts & OPT_DONOTHING) != 0) {
2152 fprintf(stderr, "%d:", yylineNum);
2153 perror("ioctl(delete rule)");
2154 }
2155 }
2156 } else {
2157 if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
2158 if (!(opts & OPT_DONOTHING)) {
2159 fprintf(stderr, "%d:", yylineNum);
2233 fprintf(stderr, "%d:", yylineNum);
2234 perror("ioctl(delete rule)");
2235 }
2236 }
2237 } else {
2238 if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
2239 if (!(opts & OPT_DONOTHING)) {
2240 fprintf(stderr, "%d:", yylineNum);
2160 fprintf(stderr,"ioctl(add/insert rule) failed: rule exists\n");
2241 perror("ioctl(add/insert rule)");
2161 }
2162 }
2163 }
2164}
2165
2242 }
2243 }
2244 }
2245}
2246
2166
2167static void setsyslog()
2168{
2247static void setsyslog()
2248{
2169 savewords = yysettab(logwords);
2249 yysetdict(logwords);
2170 yybreakondot = 1;
2171}
2172
2173
2174static void unsetsyslog()
2175{
2250 yybreakondot = 1;
2251}
2252
2253
2254static void unsetsyslog()
2255{
2176 yysettab(savewords);
2256 yyresetdict();
2177 yybreakondot = 0;
2178}
2179
2180
2181static void fillgroup(fr)
2182frentry_t *fr;
2183{
2184 frentry_t *f;
2257 yybreakondot = 0;
2258}
2259
2260
2261static void fillgroup(fr)
2262frentry_t *fr;
2263{
2264 frentry_t *f;
2185 int i;
2186
2187 for (f = frold; f != NULL; f = f->fr_next)
2188 if (strncmp(f->fr_grhead, fr->fr_group, FR_GROUPLEN) == 0)
2189 break;
2190 if (f == NULL)
2191 return;
2192
2193 /*
2194 * Only copy down matching fields if the rules are of the same type
2265
2266 for (f = frold; f != NULL; f = f->fr_next)
2267 if (strncmp(f->fr_grhead, fr->fr_group, FR_GROUPLEN) == 0)
2268 break;
2269 if (f == NULL)
2270 return;
2271
2272 /*
2273 * Only copy down matching fields if the rules are of the same type
2195 * and are of ipf type.
2274 * and are of ipf type. The only fields that are copied are those
2275 * that impact the rule parsing itself, eg. need for knowing what the
2276 * protocol should be for rules with port comparisons in them.
2196 */
2197 if (f->fr_type != fr->fr_type || f->fr_type != FR_T_IPF)
2198 return;
2199
2200 if (fr->fr_v == 0 && f->fr_v != 0)
2201 fr->fr_v = f->fr_v;
2202
2203 if (fr->fr_mproto == 0 && f->fr_mproto != 0)
2204 fr->fr_mproto = f->fr_mproto;
2205 if (fr->fr_proto == 0 && f->fr_proto != 0)
2206 fr->fr_proto = f->fr_proto;
2207
2277 */
2278 if (f->fr_type != fr->fr_type || f->fr_type != FR_T_IPF)
2279 return;
2280
2281 if (fr->fr_v == 0 && f->fr_v != 0)
2282 fr->fr_v = f->fr_v;
2283
2284 if (fr->fr_mproto == 0 && f->fr_mproto != 0)
2285 fr->fr_mproto = f->fr_mproto;
2286 if (fr->fr_proto == 0 && f->fr_proto != 0)
2287 fr->fr_proto = f->fr_proto;
2288
2208 if (fr->fr_proto == IPPROTO_TCP) {
2209 if (fr->fr_tcpfm == 0 && f->fr_tcpfm != 0)
2210 fr->fr_tcpfm = f->fr_tcpfm;
2211 if (fr->fr_tcpf == 0 && f->fr_tcpf != 0)
2212 fr->fr_tcpf = f->fr_tcpf;
2213 }
2214
2215 if (fr->fr_proto == IPPROTO_ICMP) {
2216 if (fr->fr_icmpm == 0 && f->fr_icmpm != 0)
2217 fr->fr_icmpm = f->fr_icmpm;
2218 if (fr->fr_icmp == 0 && f->fr_icmp != 0)
2219 fr->fr_icmp = f->fr_icmp;
2220 }
2221
2222 if (fr->fr_optbits == 0 && f->fr_optbits != 0)
2223 fr->fr_optbits = f->fr_optbits;
2224 if (fr->fr_optmask == 0 && f->fr_optmask != 0)
2225 fr->fr_optmask = f->fr_optmask;
2226 if (fr->fr_secbits == 0 && f->fr_secbits != 0)
2227 fr->fr_secbits = f->fr_secbits;
2228 if (fr->fr_secmask == 0 && f->fr_secmask != 0)
2229 fr->fr_secmask = f->fr_secmask;
2230 if (fr->fr_authbits == 0 && f->fr_authbits != 0)
2231 fr->fr_authbits = f->fr_authbits;
2232 if (fr->fr_authmask == 0 && f->fr_authmask != 0)
2233 fr->fr_authmask = f->fr_authmask;
2234
2235 for (i = 0; i < 3; i++) {
2236 if (*f->fr_ifnames[i] != '\0' && *fr->fr_ifnames[i] == '\0')
2237 strncpy(fr->fr_ifnames[i], f->fr_ifnames[i],
2238 sizeof(f->fr_ifnames[i]));
2239 }
2289 if ((fr->fr_mproto == 0) && ((fr->fr_flx & FI_TCPUDP) == 0) &&
2290 ((f->fr_flx & FI_TCPUDP) != 0))
2291 fr->fr_flx |= FI_TCPUDP;
2240}
2292}
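Review bot: In `ipf_addrule`, the delete branch now reads `if ((opts & OPT_DONOTHING) != 0)`, which reverses the previous test and disagrees with the add branch just below it (`if (!(opts & OPT_DONOTHING))`). With this condition a failed delete ioctl is reported only when OPT_DONOTHING is set and is silent in a normal run, so an operator removing a rule gets no indication that the rule is still loaded. Unless the inversion is deliberate, the line should stay `if ((opts & OPT_DONOTHING) == 0) {`. The function begins in an earlier hunk, so the values of `add` and `del` are not visible here.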