xref: /illumos-gate/usr/src/cmd/ipf/tools/ipf_y.y (revision 22929378)
1 %{
2 /*
3  * Copyright (C) 2003 by Darren Reed.
4  *
5  * See the IPFILTER.LICENCE file for details on licencing.
6  *
7  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
8  * Use is subject to license terms.
9  */
10 
11 #include "ipf.h"
12 #include <sys/ioctl.h>
13 #include <syslog.h>
14 #ifdef IPFILTER_BPF
15 # include "pcap-bpf.h"
16 # define _NET_BPF_H_
17 # include <pcap.h>
18 #endif
19 #include "netinet/ip_pool.h"
20 #include "netinet/ip_htable.h"
21 #include "netinet/ipl.h"
22 #include "ipf_l.h"
23 
24 #define	YYDEBUG	1
25 #define	DOALL(x)	for (fr = frc; fr != NULL; fr = fr->fr_next) { x }
26 #define	DOREM(x)	for (; fr != NULL; fr = fr->fr_next) { x }
27 
28 #define OPTION_LOG              0x1
29 #define OPTION_QUICK            0x2
30 #define OPTION_DUP              0x4
31 #define OPTION_PROUTE           0x8
32 #define OPTION_ON               0x10
33 #define OPTION_REPLYTO          0x20
34 #define OPTION_FROUTE           0x40
35 
36 extern	void	yyerror __P((char *));
37 extern	int	yyparse __P((void));
38 extern	int	yylex __P((void));
39 extern	int	yydebug;
40 extern	FILE	*yyin;
41 extern	int	yylineNum;
42 
43 static	void	newrule __P((void));
44 static	void	setipftype __P((void));
45 static	u_32_t	lookuphost __P((char *, i6addr_t *));
46 static	void	dobpf __P((int, char *));
47 static	void	resetaddr __P((void));
48 static	struct	alist_s	*newalist __P((struct alist_s *));
49 static	u_int	makehash __P((struct alist_s *));
50 static	int	makepool __P((struct alist_s *));
51 static	frentry_t *addrule __P((void));
52 static	void	setsyslog __P((void));
53 static	void	unsetsyslog __P((void));
54 static	void	fillgroup __P((frentry_t *));
55 
56 frentry_t	*fr = NULL, *frc = NULL, *frtop = NULL, *frold = NULL;
57 
58 static	int		ifpflag = 0;
59 static	int		nowith = 0;
60 static	int		dynamic = -1;
61 static	int		pooled = 0;
62 static	int		hashed = 0;
63 static	int		nrules = 0;
64 static	int		newlist = 0;
65 static	int		added = 0;
66 static	int		ipffd = -1;
67 static  int             ruleopts = 0;
68 static	int		*yycont = 0;
69 static	ioctlfunc_t	ipfioctl[IPL_LOGSIZE];
70 static	addfunc_t	ipfaddfunc = NULL;
71 static	struct	wordtab ipfwords[96];
72 static	struct	wordtab	addrwords[4];
73 static	struct	wordtab	maskwords[5];
74 static	struct	wordtab icmpcodewords[17];
75 static	struct	wordtab icmptypewords[16];
76 static	struct	wordtab ipv4optwords[25];
77 static	struct	wordtab ipv4secwords[9];
78 static	struct	wordtab ipv6optwords[8];
79 static	struct	wordtab logwords[33];
80 static  int             set_ipv6_addr = 0;
81 
82 %}
83 %union	{
84 	char	*str;
85 	u_32_t	num;
86 	struct	in_addr	ipa;
87 	frentry_t	fr;
88 	frtuc_t	*frt;
89 	struct	alist_s	*alist;
90 	u_short	port;
91 	struct	{
92 		u_short	p1;
93 		u_short	p2;
94 		int	pc;
95 	} pc;
96 	struct	{
97 		union	i6addr	a;
98 		union	i6addr	m;
99 	} ipp;
100 	union	i6addr	ip6;
101 };
102 
103 %type	<port>	portnum
104 %type	<num>	facility priority icmpcode seclevel secname icmptype
105 %type	<num>	opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr
106 %type	<num>	portc porteq
107 %type	<ipa>	ipv4 ipv4_16 ipv4_24
108 %type	<ip6>	hostname mask
109 %type	<ipp>	addr ipaddr
110 %type	<str>	servicename name interfacename
111 %type	<pc>	portrange portcomp
112 %type	<alist>	addrlist poollist
113 
114 %token	<num>	YY_NUMBER YY_HEX
115 %token	<str>	YY_STR
116 %token		YY_COMMENT
117 %token		YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
118 %token		YY_RANGE_OUT YY_RANGE_IN
119 %token	<ip6>	YY_IPV6
120 
121 %token	IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL
122 %token	IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST
123 %token	IPFY_IN IPFY_OUT
124 %token	IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA
125 %token	IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO IPFY_ROUTETO
126 %token	IPFY_TOS IPFY_TTL IPFY_PROTO
127 %token	IPFY_HEAD IPFY_GROUP
128 %token	IPFY_AUTH IPFY_PREAUTH
129 %token	IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK
130 %token	IPFY_LOGTAG IPFY_MATCHTAG IPFY_SETTAG IPFY_SKIP
131 %token	IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPFV4 IPFY_BPFV6 IPFY_POOL IPFY_HASH
132 %token	IPFY_PPS
133 %token	IPFY_ESP IPFY_AH
134 %token	IPFY_WITH IPFY_AND IPFY_NOT IPFY_NO IPFY_OPT
135 %token	IPFY_TCPUDP IPFY_TCP IPFY_UDP
136 %token	IPFY_FLAGS IPFY_MULTICAST
137 %token	IPFY_MASK IPFY_BROADCAST IPFY_NETWORK IPFY_NETMASKED IPFY_PEER
138 %token	IPFY_PORT
139 %token	IPFY_NOW
140 %token	IPFY_ICMP IPFY_ICMPTYPE IPFY_ICMPCODE
141 %token	IPFY_IPOPTS IPFY_SHORT IPFY_NAT IPFY_BADSRC IPFY_LOWTTL IPFY_FRAG
142 %token	IPFY_MBCAST IPFY_BAD IPFY_BADNAT IPFY_OOW IPFY_NEWISN IPFY_NOICMPERR
143 %token	IPFY_KEEP IPFY_STATE IPFY_FRAGS IPFY_LIMIT IPFY_STRICT IPFY_AGE
144 %token	IPFY_SYNC IPFY_FRAGBODY
145 %token	IPFY_IPOPT_NOP IPFY_IPOPT_RR IPFY_IPOPT_ZSU IPFY_IPOPT_MTUP
146 %token	IPFY_IPOPT_MTUR IPFY_IPOPT_ENCODE IPFY_IPOPT_TS IPFY_IPOPT_TR
147 %token	IPFY_IPOPT_SEC IPFY_IPOPT_LSRR IPFY_IPOPT_ESEC IPFY_IPOPT_CIPSO
148 %token	IPFY_IPOPT_SATID IPFY_IPOPT_SSRR IPFY_IPOPT_ADDEXT IPFY_IPOPT_VISA
149 %token	IPFY_IPOPT_IMITD IPFY_IPOPT_EIP IPFY_IPOPT_FINN IPFY_IPOPT_DPS
150 %token	IPFY_IPOPT_SDB IPFY_IPOPT_NSAPA IPFY_IPOPT_RTRALRT IPFY_IPOPT_UMP
151 %token	IPFY_SECCLASS IPFY_SEC_UNC IPFY_SEC_CONF IPFY_SEC_RSV1 IPFY_SEC_RSV2
152 %token	IPFY_SEC_RSV4 IPFY_SEC_SEC IPFY_SEC_TS IPFY_SEC_RSV3
153 
154 %token	IPF6_V6HDRS IPFY_IPV6OPT IPFY_IPV6OPT_DSTOPTS IPFY_IPV6OPT_HOPOPTS
155 %token	IPFY_IPV6OPT_IPV6 IPFY_IPV6OPT_NONE IPFY_IPV6OPT_ROUTING
156 
157 %token	IPFY_ICMPT_UNR IPFY_ICMPT_ECHO IPFY_ICMPT_ECHOR IPFY_ICMPT_SQUENCH
158 %token	IPFY_ICMPT_REDIR IPFY_ICMPT_TIMEX IPFY_ICMPT_PARAMP IPFY_ICMPT_TIMEST
159 %token	IPFY_ICMPT_TIMESTREP IPFY_ICMPT_INFOREQ IPFY_ICMPT_INFOREP
160 %token	IPFY_ICMPT_MASKREQ IPFY_ICMPT_MASKREP IPFY_ICMPT_ROUTERAD
161 %token	IPFY_ICMPT_ROUTERSOL
162 
163 %token	IPFY_ICMPC_NETUNR IPFY_ICMPC_HSTUNR IPFY_ICMPC_PROUNR IPFY_ICMPC_PORUNR
164 %token	IPFY_ICMPC_NEEDF IPFY_ICMPC_SRCFAIL IPFY_ICMPC_NETUNK IPFY_ICMPC_HSTUNK
165 %token	IPFY_ICMPC_ISOLATE IPFY_ICMPC_NETPRO IPFY_ICMPC_HSTPRO
166 %token	IPFY_ICMPC_NETTOS IPFY_ICMPC_HSTTOS IPFY_ICMPC_FLTPRO IPFY_ICMPC_HSTPRE
167 %token	IPFY_ICMPC_CUTPRE
168 
169 %token	IPFY_FAC_KERN IPFY_FAC_USER IPFY_FAC_MAIL IPFY_FAC_DAEMON IPFY_FAC_AUTH
170 %token	IPFY_FAC_SYSLOG IPFY_FAC_LPR IPFY_FAC_NEWS IPFY_FAC_UUCP IPFY_FAC_CRON
171 %token	IPFY_FAC_LOCAL0 IPFY_FAC_LOCAL1 IPFY_FAC_LOCAL2 IPFY_FAC_LOCAL3
172 %token	IPFY_FAC_LOCAL4 IPFY_FAC_LOCAL5 IPFY_FAC_LOCAL6 IPFY_FAC_LOCAL7
173 %token	IPFY_FAC_SECURITY IPFY_FAC_FTP IPFY_FAC_AUTHPRIV IPFY_FAC_AUDIT
174 %token	IPFY_FAC_LFMT IPFY_FAC_CONSOLE
175 
176 %token	IPFY_PRI_EMERG IPFY_PRI_ALERT IPFY_PRI_CRIT IPFY_PRI_ERR IPFY_PRI_WARN
177 %token	IPFY_PRI_NOTICE IPFY_PRI_INFO IPFY_PRI_DEBUG
178 %token	IPFY_SET_LOOPBACK IPFY_SET
179 %%
180 file:	line
181 	| assign
182 	| file line
183 	| file assign
184 	;
185 
/*
 * One top-level input item: a filter rule, a comment token, or a set
 * directive.  Once a rule has been parsed, every entry queued on frtop is
 * unlinked, handed to the registered add callback together with the IPF
 * ioctl handler, and then pushed onto the frold list.
 *
 * NOTE(review): the return value of the add callback is not examined here,
 * so a rule that fails to load is reported (if at all) only by the callback
 * itself -- confirm that callers do not treat a clean parse as proof that
 * every rule was installed.
 */
line:	xx rule
		{
		  for (fr = frtop; fr != NULL; fr = frtop) {
			/* detach the head entry before passing it on */
			frtop = fr->fr_next;
			fr->fr_next = NULL;
			(*ipfaddfunc)(ipffd, ipfioctl[IPL_LOGIPF], fr);
			/* keep the processed rule on the frold list */
			fr->fr_next = frold;
			frold = fr;
		  }
		  resetlexer();
		}
	| YY_COMMENT
	| set
	;
198 
199 xx:	{ newrule(); }
200 	;
201 
202 assign:	YY_STR assigning YY_STR ';'	{ set_variable($1, $3);
203 					  resetlexer();
204 					  free($1);
205 					  free($3);
206 					  yyvarnext = 0;
207 					}
208 	;
209 
210 assigning:
211 	'='				{ yyvarnext = 1; }
212 	;
213 
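/*
 * Loopback set directive.  It is only accepted while frold is still empty,
 * i.e. before any filter rule has been processed by the line action.  The
 * string argument must be exactly true or false; the resulting 1/0 is sent
 * with the SIOCIPFLP ioctl unless OPT_DONOTHING is set in opts.
 *
 * The string token is heap-allocated (other rules in this grammar free
 * their YY_STR values), so it is released on every path here as well; the
 * original action never freed it.
 *
 * NOTE(review): the error paths leave yyparse through a plain return 0,
 * which is the success status.  That is only harmless if yyerror does not
 * return -- confirm against the lexer, otherwise a rejected directive is
 * indistinguishable from an accepted one for the caller.
 */
set:
	IPFY_SET IPFY_SET_LOOPBACK YY_STR ';'
			{
			  int data;

			  if (frold != NULL) {
				yyerror("ipf rules before \"set\"");
				free($3);
				return 0;
			  }
			  if (!strcmp($3, "true"))
				data = 1;
			  else if (!strcmp($3, "false"))
				data = 0;
			  else {
				yyerror("invalid argument for ipf_loopback");
				free($3);
				return 0;
			  }
			  free($3);
			  if (((opts & OPT_DONOTHING) == 0) &&
			      (ioctl(ipffd, SIOCIPFLP, &data) == -1))
				perror("ioctl(SIOCIPFLP)");
			}
	;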
235 
236 rule:	inrule eol
237 	| outrule eol
238 	;
239 
240 eol:	| ';'
241 	;
242 
243 inrule:
244 	rulehead markin { ruleopts = 0; } inopts rulemain ruletail intag ruletail2
245 	;
246 
247 outrule:
248 	rulehead markout { ruleopts = 0; } outopts rulemain ruletail outtag ruletail2
249 	;
250 
251 rulehead:
252 	collection action
253 	| insert collection action
254 	;
255 
256 markin:	IPFY_IN				{ fr->fr_flags |= FR_INQUE; }
257 	;
258 
259 markout:
260 	IPFY_OUT			{ fr->fr_flags |= FR_OUTQUE; }
261 	;
262 
263 rulemain:
264 	ipfrule
265 	| bpfrule
266 	;
267 
268 ipfrule:
269 	tos ttl proto ip
270 	;
271 
272 bpfrule:
273 	IPFY_BPFV4 '{' YY_STR '}' 	{ dobpf(4, $3); free($3); }
274 	| IPFY_BPFV6 '{' YY_STR '}' 	{ dobpf(6, $3); free($3); }
275 	;
276 
277 ruletail:
278 	with keep head group
279 	;
280 
281 ruletail2:
282 	pps age new
283 	;
284 
285 intag:	settagin matchtagin
286 	;
287 
288 outtag:	settagout matchtagout
289 	;
290 
291 insert:
292 	'@' YY_NUMBER			{ fr->fr_hits = (U_QUAD_T)$2 + 1; }
293 	;
294 
295 collection:
296 	| YY_NUMBER			{ fr->fr_collect = $1; }
297 	;
298 
299 action:	block
300 	| IPFY_PASS			{ fr->fr_flags |= FR_PASS; }
301 	| log
302 	| IPFY_COUNT			{ fr->fr_flags |= FR_ACCOUNT; }
303 	| auth
304 	| IPFY_SKIP YY_NUMBER		{ fr->fr_flags |= FR_SKIP;
305 					  fr->fr_arg = $2; }
306 	| IPFY_CALL func
307 	| IPFY_CALL IPFY_NOW func	{ fr->fr_flags |= FR_CALLNOW; }
308 	;
309 
310 block:	blocked
311 	| blocked blockreturn
312 	;
313 
314 blocked:
315 	IPFY_BLOCK			{ fr->fr_flags = FR_BLOCK; }
316 	;
317 blockreturn:
318 	IPFY_RETICMP			{ fr->fr_flags |= FR_RETICMP; }
319 	| IPFY_RETICMP returncode	{ fr->fr_flags |= FR_RETICMP; }
320 	| IPFY_RETICMPASDST		{ fr->fr_flags |= FR_FAKEICMP; }
321 	| IPFY_RETICMPASDST returncode	{ fr->fr_flags |= FR_FAKEICMP; }
322 	| IPFY_RETRST			{ fr->fr_flags |= FR_RETRST; }
323 	;
324 
325 log:	IPFY_LOG			{ fr->fr_flags |= FR_LOG; }
326 	| IPFY_LOG logoptions		{ fr->fr_flags |= FR_LOG; }
327 	;
328 
329 auth:	IPFY_AUTH			{ fr->fr_flags |= FR_AUTH; }
330 	| IPFY_AUTH IPFY_RETRST		{ fr->fr_flags |= (FR_AUTH|FR_RETRST);}
331 	| IPFY_PREAUTH			{ fr->fr_flags |= FR_PREAUTH; }
332 	;
333 
334 func:	YY_STR '/' YY_NUMBER	{ fr->fr_func = nametokva($1,
335 							  ipfioctl[IPL_LOGIPF]);
336 				  fr->fr_arg = $3;
337 				  free($1); }
338 	;
339 
340 inopts:
341 	| inopts inopt
342 	;
343 
344 inopt:
345 	logopt
346 	{
347 		if ( ruleopts & OPTION_LOG )
348 			yyerror("Duplicate log option");
349 		ruleopts |= OPTION_LOG;
350 	}
351 	| quick
352 	{
353 		if ( ruleopts & OPTION_QUICK )
354 			yyerror("Duplicate quick option");
355 		ruleopts |= OPTION_QUICK;
356 	}
357 	| on
358 	{
359 		if ( ruleopts & OPTION_ON )
360 			yyerror("Duplicate on option");
361 		ruleopts |= OPTION_ON;
362 	}
363 	| dup
364 	{
365 		if ( ruleopts & OPTION_DUP )
366 			yyerror("Duplicate dup option");
367 		ruleopts |= OPTION_DUP;
368 	}
369 	| froute
370 	{
371 		if ( ruleopts & OPTION_FROUTE )
372 			yyerror("Duplicate froute option");
373 		ruleopts |= OPTION_FROUTE;
374 	}
375 	| proute
376 	{
377 		if ( ruleopts & OPTION_PROUTE )
378 			yyerror("Duplicate proute option");
379 		ruleopts |= OPTION_PROUTE;
380 	}
381 	| replyto
382 	{
383 		if ( ruleopts & OPTION_REPLYTO )
384 			yyerror("Duplicate replyto option");
385 		ruleopts |= OPTION_REPLYTO;
386 	}
387 	;
388 
389 outopts:
390 	| outopts outopt
391 	;
392 
393 outopt:
394 	logopt
395 	{
396 		if ( ruleopts & OPTION_LOG )
397 			yyerror("Duplicate log option");
398 		ruleopts |= OPTION_LOG;
399 	}
400 	| quick
401 	{
402 		if ( ruleopts & OPTION_QUICK )
403 			yyerror("Duplicate quick option");
404 		ruleopts |= OPTION_QUICK;
405 	}
406 	| on
407 	{
408 		if ( ruleopts & OPTION_ON )
409 			yyerror("Duplicate on option");
410 		ruleopts |= OPTION_ON;
411 	}
412 	| dup
413 	{
414 		if ( ruleopts & OPTION_DUP )
415 			yyerror("Duplicate dup option");
416 		ruleopts |= OPTION_DUP;
417 	}
418 	| proute
419 	{
420 		if ( ruleopts & OPTION_PROUTE )
421 			yyerror("Duplicate proute option");
422 		ruleopts |= OPTION_PROUTE;
423 	}
424 	| replyto
425 	{
426 		if ( ruleopts & OPTION_REPLYTO )
427 			yyerror("Duplicate replyto option");
428 		ruleopts |= OPTION_REPLYTO;
429 	}
430 	;
431 
432 tos:	| settos YY_NUMBER	{ DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
433 	| settos YY_HEX	{ DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
434 	| settos lstart toslist lend
435 	;
436 
437 settos:	IPFY_TOS			{ setipftype(); }
438 	;
439 
440 toslist:
441 	YY_NUMBER	{ DOALL(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
442 	| YY_HEX	{ DOREM(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
443 	| toslist lmore YY_NUMBER
444 			{ DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
445 	| toslist lmore YY_HEX
446 			{ DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
447 	;
448 
449 ttl:	| setttl YY_NUMBER
450 			{ DOALL(fr->fr_ttl = $2; fr->fr_mttl = 0xff;) }
451 	| setttl lstart ttllist lend
452 	;
453 
454 lstart:	'('				{ newlist = 1; fr = frc; added = 0; }
455 	;
456 
457 lend:	')'				{ nrules += added; }
458 	;
459 
460 lmore:	lanother			{ if (newlist == 1) {
461 						newlist = 0;
462 					  }
463 					  fr = addrule();
464 					  if (yycont != NULL)
465 						*yycont = 1;
466 					}
467 	;
468 
469 lanother:
470 	| ','
471 	;
472 
473 setttl:	IPFY_TTL			{ setipftype(); }
474 	;
475 
476 ttllist:
477 	YY_NUMBER	{ DOREM(fr->fr_ttl = $1; fr->fr_mttl = 0xff;) }
478 	| ttllist lmore YY_NUMBER
479 			{ DOREM(fr->fr_ttl = $3; fr->fr_mttl = 0xff;) }
480 	;
481 
482 proto:	| protox protocol		{ yyresetdict(); }
483 	;
484 
485 protox:	IPFY_PROTO			{ setipftype();
486 					  fr = frc;
487 					  yysetdict(NULL); }
488 	;
489 
490 ip:	srcdst flags icmp
491 	;
492 
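/*
 * Optional group clause.  The group name (given as a string or as a number
 * rendered in decimal) is written into fr_group of every rule on the
 * current chain, and fillgroup() is called for each of them.
 *
 * The numeric form now goes through snprintf bounded by FR_GROUPLEN, the
 * same bound the string form uses, instead of an unbounded sprintf.
 *
 * NOTE(review): strncpy does not write a terminating NUL when the name is
 * FR_GROUPLEN bytes or longer, and longer names are cut silently, so two
 * distinct long names can end up naming the same group.  Confirm that
 * every reader of fr_group bounds its access by FR_GROUPLEN, or reject
 * over-long names here.
 * NOTE(review): the number is a u_32_t printed with %d, so values above
 * INT_MAX yield a negative-looking name; the format is left as it was so
 * that existing group names do not change.
 */
group:	| IPFY_GROUP YY_STR
		{
		  DOALL(strncpy(fr->fr_group, $2, FR_GROUPLEN);
			fillgroup(fr);)
		  free($2);
		}
	| IPFY_GROUP YY_NUMBER
		{
		  DOALL(snprintf(fr->fr_group, FR_GROUPLEN, "%d", $2);
			fillgroup(fr);)
		}
	;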
501 
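/*
 * Optional head clause.  The name of the group this rule heads (a string,
 * or a number rendered in decimal) is written into fr_grhead of every rule
 * on the current chain.
 *
 * The numeric form now goes through snprintf bounded by FR_GROUPLEN, the
 * same bound the string form uses, instead of an unbounded sprintf.
 *
 * NOTE(review): strncpy does not write a terminating NUL when the name is
 * FR_GROUPLEN bytes or longer, and longer names are cut silently.  Confirm
 * that every reader of fr_grhead bounds its access by FR_GROUPLEN, or
 * reject over-long names here.
 */
head:	| IPFY_HEAD YY_STR
		{
		  DOALL(strncpy(fr->fr_grhead, $2, FR_GROUPLEN);)
		  free($2);
		}
	| IPFY_HEAD YY_NUMBER
		{
		  DOALL(snprintf(fr->fr_grhead, FR_GROUPLEN, "%d", $2);)
		}
	;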
508 
509 settagin:
510 	| IPFY_SETTAG '(' taginlist ')'
511 	;
512 
513 taginlist:
514 	taginspec
515 	| taginlist ',' taginspec
516 	;
517 
518 taginspec:
519 	logtag
520 	|nattag
521 	;
522 
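/*
 * NAT tag assignment inside a tag list.  The tag (a string, or a number
 * rendered in decimal) is written into fr_nattag.ipt_tag of every rule on
 * the current chain.
 *
 * The numeric form now goes through snprintf bounded by IPFTAG_LEN, the
 * same bound the string form uses, instead of an unbounded sprintf.
 *
 * NOTE(review): strncpy does not write a terminating NUL when the tag is
 * IPFTAG_LEN bytes or longer, and longer tags are cut silently.  Confirm
 * that every reader of ipt_tag bounds its access by IPFTAG_LEN.
 */
nattag:	IPFY_NAT '=' YY_STR
		{
		  DOALL(strncpy(fr->fr_nattag.ipt_tag, $3, IPFTAG_LEN);)
		  free($3);
		}
	| IPFY_NAT '=' YY_NUMBER
		{
		  DOALL(snprintf(fr->fr_nattag.ipt_tag, IPFTAG_LEN,
				 "%d", $3 & 0xffffffff);)
		}
	;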
529 
530 logtag:	IPFY_LOG '=' YY_NUMBER		{ DOALL(fr->fr_logtag = $3;) }
531 	;
532 
533 settagout:
534 	| IPFY_SETTAG '(' tagoutlist ')'
535 	;
536 
537 tagoutlist:
538 	tagoutspec
539 	| tagoutlist ',' tagoutspec
540 	;
541 
542 tagoutspec:
543 	logtag
544 	| nattag
545 	;
546 
547 matchtagin:
548 	| IPFY_MATCHTAG '(' tagoutlist ')'
549 	;
550 
551 matchtagout:
552 	| IPFY_MATCHTAG '(' taginlist ')'
553 	;
554 
555 pps:	| IPFY_PPS YY_NUMBER		{ DOALL(fr->fr_pps = $2;) }
556 	;
557 
558 new:	| savegroup file restoregroup
559 	;
560 
561 savegroup:
562 	'{'
563 	;
564 
565 restoregroup:
566 	'}'
567 	;
568 
569 logopt:	log
570 	;
571 
572 quick:
573 	IPFY_QUICK			{ fr->fr_flags |= FR_QUICK; }
574 	;
575 
576 on:	IPFY_ON onname
577 	| IPFY_ON onname IPFY_INVIA vianame
578 	| IPFY_ON onname IPFY_OUTVIA vianame
579 	;
580 
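/*
 * Interface name(s) following the on keyword: the first name goes to
 * fr_ifnames[0] and the optional second one to fr_ifnames[1].
 *
 * strncpy with the full destination size leaves the field without a
 * terminating NUL when the name fills it, so the last byte is now forced
 * to NUL after each copy.
 *
 * NOTE(review): a name that does not fit is still shortened silently, and
 * the shortened form could match a different interface than the one the
 * rule author wrote.  Consider rejecting over-long names instead.
 */
onname:	interfacename
		{
		  strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
		  fr->fr_ifnames[0][sizeof(fr->fr_ifnames[0]) - 1] = '\0';
		  free($1);
		}
	| interfacename ',' interfacename
		{
		  strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
		  fr->fr_ifnames[0][sizeof(fr->fr_ifnames[0]) - 1] = '\0';
		  free($1);
		  strncpy(fr->fr_ifnames[1], $3, sizeof(fr->fr_ifnames[1]));
		  fr->fr_ifnames[1][sizeof(fr->fr_ifnames[1]) - 1] = '\0';
		  free($3);
		}
	;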
592 
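/*
 * Interface name(s) following in-via / out-via: the first name goes to
 * fr_ifnames[2] and the optional second one to fr_ifnames[3].
 *
 * strncpy with the full destination size leaves the field without a
 * terminating NUL when the name fills it, so the last byte is now forced
 * to NUL after each copy.
 *
 * NOTE(review): a name that does not fit is still shortened silently, and
 * the shortened form could match a different interface than the one the
 * rule author wrote.  Consider rejecting over-long names instead.
 */
vianame:
	name
		{
		  strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
		  fr->fr_ifnames[2][sizeof(fr->fr_ifnames[2]) - 1] = '\0';
		  free($1);
		}
	| name ',' name
		{
		  strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
		  fr->fr_ifnames[2][sizeof(fr->fr_ifnames[2]) - 1] = '\0';
		  free($1);
		  strncpy(fr->fr_ifnames[3], $3, sizeof(fr->fr_ifnames[3]));
		  fr->fr_ifnames[3][sizeof(fr->fr_ifnames[3]) - 1] = '\0';
		  free($3);
		}
	;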
605 
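/*
 * dup-to option: records the target interface name in fr_dif.fd_ifname,
 * optionally followed by a destination address (IPv4 or IPv6 depending on
 * use_inet6, or an explicit IPv6 literal), and sets FR_DUP on the rule.
 *
 * strncpy with the full destination size leaves fd_ifname without a
 * terminating NUL when the name fills it, so the last byte is now forced
 * to NUL after each copy.
 *
 * NOTE(review): a name that does not fit is still shortened silently, so
 * the copy target could differ from what the rule author wrote.  Consider
 * rejecting over-long names instead.
 */
dup:	IPFY_DUPTO name
	{
	  strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
	  fr->fr_dif.fd_ifname[sizeof(fr->fr_dif.fd_ifname) - 1] = '\0';
	  free($2);
	  fr->fr_flags |= FR_DUP;
	}
	| IPFY_DUPTO name duptoseparator hostname
	{
	  strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
	  fr->fr_dif.fd_ifname[sizeof(fr->fr_dif.fd_ifname) - 1] = '\0';
	  if (use_inet6 == 0)
		fr->fr_dif.fd_ip = $4.in4;
	  else
		bcopy(&$4, &fr->fr_dif.fd_ip6, sizeof(fr->fr_dif.fd_ip6));
	  yyexpectaddr = 0;
	  fr->fr_flags |= FR_DUP;
	  free($2);
	}
	| IPFY_DUPTO name duptoseparator YY_IPV6
	{
	  strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
	  fr->fr_dif.fd_ifname[sizeof(fr->fr_dif.fd_ifname) - 1] = '\0';
	  bcopy(&$4, &fr->fr_dif.fd_ip6, sizeof(fr->fr_dif.fd_ip6));
	  yyexpectaddr = 0;
	  fr->fr_flags |= FR_DUP;
	  free($2);
	}
	;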
629 
630 duptoseparator:
631 	':'	{ yyexpectaddr = 1; yycont = &yyexpectaddr; resetaddr(); }
632 	;
633 
634 froute:	IPFY_FROUTE			{ fr->fr_flags |= FR_FASTROUTE; }
635 	;
636 
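/*
 * to / route-to option: records the outgoing interface name in
 * fr_tif.fd_ifname, optionally followed by a next-hop address (IPv4 or
 * IPv6 depending on use_inet6, or an explicit IPv6 literal).
 *
 * strncpy with the full destination size leaves fd_ifname without a
 * terminating NUL when the name fills it, so the last byte is now forced
 * to NUL after each copy.
 *
 * NOTE(review): a name that does not fit is still shortened silently, so
 * traffic could be routed out of a different interface than the rule
 * author wrote.  Consider rejecting over-long names instead.
 */
proute:	routeto name
	{
	  strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
	  fr->fr_tif.fd_ifname[sizeof(fr->fr_tif.fd_ifname) - 1] = '\0';
	  free($2);
	}
	| routeto name duptoseparator hostname
	{
	  strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
	  fr->fr_tif.fd_ifname[sizeof(fr->fr_tif.fd_ifname) - 1] = '\0';
	  if (use_inet6 == 0)
		fr->fr_tif.fd_ip = $4.in4;
	  else
		bcopy(&$4, &fr->fr_tif.fd_ip6, sizeof(fr->fr_tif.fd_ip6));
	  yyexpectaddr = 0;
	  free($2);
	}
	| routeto name duptoseparator YY_IPV6
	{
	  strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
	  fr->fr_tif.fd_ifname[sizeof(fr->fr_tif.fd_ifname) - 1] = '\0';
	  bcopy(&$4, &fr->fr_tif.fd_ip6, sizeof(fr->fr_tif.fd_ip6));
	  yyexpectaddr = 0;
	  free($2);
	}
	;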
657 
658 routeto:
659 	IPFY_TO
660 	| IPFY_ROUTETO
661 	;
662 
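/*
 * reply-to option: records the reply interface name in fr_rif.fd_ifname,
 * optionally followed by an address (IPv4 or IPv6 depending on use_inet6,
 * or an explicit IPv6 literal).
 *
 * strncpy with the full destination size leaves fd_ifname without a
 * terminating NUL when the name fills it, so the last byte is now forced
 * to NUL after each copy.
 *
 * NOTE(review): a name that does not fit is still shortened silently, so
 * replies could leave through a different interface than the rule author
 * wrote.  Consider rejecting over-long names instead.
 */
replyto:
	IPFY_REPLY_TO name
	{
	  strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
	  fr->fr_rif.fd_ifname[sizeof(fr->fr_rif.fd_ifname) - 1] = '\0';
	  free($2);
	}
	| IPFY_REPLY_TO name duptoseparator hostname
	{
	  strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
	  fr->fr_rif.fd_ifname[sizeof(fr->fr_rif.fd_ifname) - 1] = '\0';
	  if (use_inet6 == 0)
		fr->fr_rif.fd_ip = $4.in4;
	  else
		bcopy(&$4, &fr->fr_rif.fd_ip6, sizeof(fr->fr_rif.fd_ip6));
	  yyexpectaddr = 0;
	  free($2);
	}
	| IPFY_REPLY_TO name duptoseparator YY_IPV6
	{
	  strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
	  fr->fr_rif.fd_ifname[sizeof(fr->fr_rif.fd_ifname) - 1] = '\0';
	  bcopy(&$4, &fr->fr_rif.fd_ip6, sizeof(fr->fr_rif.fd_ip6));
	  yyexpectaddr = 0;
	  free($2);
	}
	;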
684 
685 logoptions:
686 	logoption
687 	| logoptions logoption
688 	;
689 
690 logoption:
691 	IPFY_BODY			{ fr->fr_flags |= FR_LOGBODY; }
692 	| IPFY_FIRST			{ fr->fr_flags |= FR_LOGFIRST; }
693 	| IPFY_ORBLOCK			{ fr->fr_flags |= FR_LOGORBLOCK; }
694 	| level loglevel		{ unsetsyslog(); }
695 	;
696 
697 returncode:
698 	starticmpcode icmpcode ')'	{ fr->fr_icode = $2; yyresetdict(); }
699 	;
700 
701 starticmpcode:
702 	'('				{ yysetdict(icmpcodewords); }
703 	;
704 
705 srcdst:	| IPFY_ALL
706 	| fromto
707 	;
708 
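/*
 * Protocol operand of the proto keyword: a number, a name looked up with
 * getproto(), the literal tcp-udp, or the pair tcp / udp.  The numeric and
 * named forms set fr_proto with a full 0xff mask on the remaining rules of
 * the chain; the two TCP-and-UDP forms set FI_TCPUDP in fr_flx / fr_mflx.
 *
 * In the tcp / udp form both strings are now released before YYERROR is
 * raised; the original jumped out first and leaked them on the error path.
 *
 * NOTE(review): the numeric form stores the u_32_t token value without a
 * range check.  If fr_proto is narrower than 32 bits (its type is not
 * visible here) an out-of-range number is stored truncated and the rule
 * would match a protocol other than the one written -- confirm and
 * consider rejecting values above 255.
 * NOTE(review): when getproto() returns -1 the action reports the error
 * and then still stores that value.  This is only harmless if yyerror
 * does not return -- confirm against the lexer.
 */
protocol:
	YY_NUMBER
		{
		  DOREM(fr->fr_proto = $1;
			fr->fr_mproto = 0xff;)
		}
	| YY_STR
		{
		  if (!strcmp($1, "tcp-udp")) {
			DOREM(fr->fr_flx |= FI_TCPUDP;
			      fr->fr_mflx |= FI_TCPUDP;)
		  } else {
			int p = getproto($1);

			if (p == -1)
				yyerror("protocol unknown");
			DOREM(fr->fr_proto = p;
			      fr->fr_mproto = 0xff;)
		  }
		  free($1);
		}
	| YY_STR nextstring YY_STR
		{
		  int tcp_then_udp = !strcmp($1, "tcp") && !strcmp($3, "udp");

		  /* release both strings before any error exit */
		  free($1);
		  free($3);
		  if (!tcp_then_udp)
			YYERROR;
		  DOREM(fr->fr_flx |= FI_TCPUDP;
			fr->fr_mflx |= FI_TCPUDP;)
		}
	;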
735 
736 nextstring:
737 	'/'			{ yysetdict(NULL); }
738 	;
739 
740 fromto:	from srcobject to dstobject	{ yyexpectaddr = 0; yycont = NULL; }
741 	| to dstobject			{ yyexpectaddr = 0; yycont = NULL; }
742 	| from srcobject		{ yyexpectaddr = 0; yycont = NULL; }
743 	;
744 
745 from:	IPFY_FROM			{ setipftype();
746 					  if (fr == NULL)
747 						fr = frc;
748 					  yyexpectaddr = 1;
749 					  if (yydebug)
750 						printf("set yyexpectaddr\n");
751 					  yycont = &yyexpectaddr;
752 					  yysetdict(addrwords);
753 					  resetaddr(); }
754 	;
755 
756 to:	IPFY_TO				{ if (fr == NULL)
757 						fr = frc;
758 					  yyexpectaddr = 1;
759 					  if (yydebug)
760 						printf("set yyexpectaddr\n");
761 					  yycont = &yyexpectaddr;
762 					  yysetdict(addrwords);
763 					  resetaddr(); }
764 	;
765 
766 with:	| andwith withlist
767 	;
768 
769 andwith:
770 	IPFY_WITH			{ nowith = 0; setipftype(); }
771 	| IPFY_AND			{ nowith = 0; setipftype(); }
772 	;
773 
774 flags:	| startflags flagset
775 		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
776 	| startflags flagset '/' flagset
777 		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
778 	| startflags '/' flagset
779 		{ DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
780 	| startflags YY_NUMBER
781 		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
782 	| startflags '/' YY_NUMBER
783 		{ DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
784 	| startflags YY_NUMBER '/' YY_NUMBER
785 		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
786 	| startflags flagset '/' YY_NUMBER
787 		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
788 	| startflags YY_NUMBER '/' flagset
789 		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
790 	;
791 
792 startflags:
793 	IPFY_FLAGS	{ if (frc->fr_type != FR_T_IPF)
794 				yyerror("flags with non-ipf type rule");
795 			  if (frc->fr_proto != IPPROTO_TCP)
796 				yyerror("flags with non-TCP rule");
797 			}
798 	;
799 
800 flagset:
801 	YY_STR				{ $$ = tcpflags($1); free($1); }
802 	| YY_HEX			{ $$ = $1; }
803 	;
804 
805 srcobject:
806 	{ yyresetdict(); } fromport
807 	| srcaddr srcport
808 	| '!' srcaddr srcport
809 		{ DOALL(fr->fr_flags |= FR_NOTSRCIP;) }
810 	;
811 
812 srcaddr:
813 	addr	{ DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \
814 			bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \
815 			if (dynamic != -1) { \
816 				fr->fr_satype = ifpflag; \
817 				fr->fr_ipf->fri_sifpidx = dynamic; \
818 			} else if (pooled || hashed) \
819 				fr->fr_satype = FRI_LOOKUP;)
820 		}
821 	| lstart srcaddrlist lend
822 	;
823 
824 srcaddrlist:
825 	addr	{ DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \
826 			bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \
827 			if (dynamic != -1) { \
828 				fr->fr_satype = ifpflag; \
829 				fr->fr_ipf->fri_sifpidx = dynamic; \
830 			} else if (pooled || hashed) \
831 				fr->fr_satype = FRI_LOOKUP;)
832 		}
833 	| srcaddrlist lmore addr
834 		{ DOREM(bcopy(&($3.a), &fr->fr_ip.fi_src, sizeof($3.a)); \
835 			bcopy(&($3.m), &fr->fr_mip.fi_src, sizeof($3.m)); \
836 			if (dynamic != -1) { \
837 				fr->fr_satype = ifpflag; \
838 				fr->fr_ipf->fri_sifpidx = dynamic; \
839 			} else if (pooled || hashed) \
840 				fr->fr_satype = FRI_LOOKUP;)
841 		}
842 	;
843 
844 srcport:
845 	| portcomp
846 		{ DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
847 	| portrange
848 		{ DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
849 			fr->fr_stop = $1.p2;) }
850 	| porteq lstart srcportlist lend
851 		{ yyresetdict(); }
852 	;
853 
854 fromport:
855 	portcomp
856 		{ DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
857 	| portrange
858 		{ DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
859 			fr->fr_stop = $1.p2;) }
860 	| porteq lstart srcportlist lend
861 		{ yyresetdict(); }
862 	;
863 
864 srcportlist:
865 	portnum		{ DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $1;) }
866 	| srcportlist lmore portnum
867 			{ DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $3;) }
868 	;
869 
870 dstobject:
871 	{ yyresetdict(); } toport
872 	| dstaddr dstport
873 	| '!' dstaddr dstport
874 			{ DOALL(fr->fr_flags |= FR_NOTDSTIP;) }
875 	;
876 
877 dstaddr:
878 	addr	{ DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
879 			bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \
880 			if (dynamic != -1) { \
881 				fr->fr_datype = ifpflag; \
882 				fr->fr_ipf->fri_difpidx = dynamic; \
883 			  } else if (pooled || hashed) \
884 				fr->fr_datype = FRI_LOOKUP;)
885 		}
886 	| lstart dstaddrlist lend
887 	;
888 
889 dstaddrlist:
890 	addr	{ DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
891 			bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \
892 			if (dynamic != -1) { \
893 				fr->fr_datype = ifpflag; \
894 				fr->fr_ipf->fri_difpidx = dynamic; \
895 			} else if (pooled || hashed) \
896 				fr->fr_datype = FRI_LOOKUP;)
897 		}
898 	| dstaddrlist lmore addr
899 		{ DOREM(bcopy(&($3.a), &fr->fr_ip.fi_dst, sizeof($3.a)); \
900 			bcopy(&($3.m), &fr->fr_mip.fi_dst, sizeof($3.m)); \
901 			if (dynamic != -1) { \
902 				fr->fr_datype = ifpflag; \
903 				fr->fr_ipf->fri_difpidx = dynamic; \
904 			} else if (pooled || hashed) \
905 				fr->fr_datype = FRI_LOOKUP;)
906 		}
907 	;
908 
909 
910 dstport:
911 	| portcomp
912 		{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
913 	| portrange
914 		{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
915 			fr->fr_dtop = $1.p2;) }
916 	| porteq lstart dstportlist lend
917 		{ yyresetdict(); }
918 	;
919 
920 toport:
921 	portcomp
922 		{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
923 	| portrange
924 		{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
925 			fr->fr_dtop = $1.p2;) }
926 	| porteq lstart dstportlist lend
927 		{ yyresetdict(); }
928 	;
929 
930 dstportlist:
931 	portnum		{ DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $1;) }
932 	| dstportlist lmore portnum
933 			{ DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $3;) }
934 	;
935 
936 addr:	pool '/' YY_NUMBER		{ pooled = 1;
937 					  yyexpectaddr = 0;
938 					  $$.a.iplookuptype = IPLT_POOL;
939 					  $$.a.iplookupnum = $3; }
940 	| pool '=' '(' poollist ')'	{ pooled = 1;
941 					  yyexpectaddr = 0;
942 					  $$.a.iplookuptype = IPLT_POOL;
943 					  $$.a.iplookupnum = makepool($4); }
944 	| hash '/' YY_NUMBER		{ hashed = 1;
945 					  yyexpectaddr = 0;
946 					  $$.a.iplookuptype = IPLT_HASH;
947 					  $$.a.iplookupnum = $3; }
948 	| hash '=' '(' addrlist ')'	{ hashed = 1;
949 					  yyexpectaddr = 0;
950 					  $$.a.iplookuptype = IPLT_HASH;
951 					  $$.a.iplookupnum = makehash($4); }
952 	| ipaddr			{ bcopy(&$1, &$$, sizeof($$));
953 					  yyexpectaddr = 0; }
954 	;
955 
956 ipaddr:	IPFY_ANY			{ bzero(&($$), sizeof($$));
957 					  yyresetdict();
958 					  yyexpectaddr = 0; }
959 	| hostname                      { if (use_inet6 == 0) {
960 						$$.a.in4 = $1.in4;
961 						$$.m.in4_addr = 0xffffffff;
962 					  } else {
963 						set_ipv6_addr = 1;
964 						bcopy(&$1, &$$.a, sizeof($$.a));
965 						fill6bits(128, (u_32_t *)&$$.m);
966 					  }
967 					  yyexpectaddr = 0; }
968 	| hostname                      { yyresetdict();
969 					  if (use_inet6 == 0)
970 						$$.a.in4 = $1.in4;
971 					  else {
972 						set_ipv6_addr = 1;
973 						bcopy(&$1, &$$.a, sizeof($$.a));
974 					  }
975 					}
976 		maskspace               { yysetdict(maskwords); }
977 		mask                    { if (use_inet6 == 0) {
978 						$$.m.in4_addr = $5.in4.s_addr;
979 						$$.a.in4_addr &= $5.in4.s_addr;
980 					  } else
981 						bcopy(&$5, &$$.m, sizeof($$.m));
982 					  yyresetdict();
983 					  yyexpectaddr = 0; }
984 	| YY_IPV6			{ set_ipv6_addr = 1;
985 					  bcopy(&$1, &$$.a, sizeof($$.a));
986 					  fill6bits(128, (u_32_t *)&$$.m);
987 					  yyresetdict();
988 					  yyexpectaddr = 0; }
989 	| YY_IPV6			{ set_ipv6_addr = 1;
990 					  yyresetdict();
991 					  bcopy(&$1, &$$.a, sizeof($$.a)); }
992 		maskspace               { yysetdict(maskwords); }
993 		mask                    { bcopy(&$5, &$$.m, sizeof($$.m));
994 					  yyresetdict();
995 					  yyexpectaddr = 0; }
996 	;
997 
998 maskspace:
999 	'/'
1000 	| IPFY_MASK
1001 	;
1002 
1003 mask:
1004 	ipv4				{ $$.in4 = $1; }
1005 	| YY_HEX			{ $$.in4.s_addr = htonl($1); }
1006 	| YY_NUMBER                     { if ((use_inet6 == 0) && ($1 <= 32))
1007 						ntomask(4, $1, (u_32_t *)&$$.in4);
1008 					  else if ((use_inet6 != 0) && ($1 <= 128))
1009 						ntomask(6, $1, $$.i6);
1010 					  else {
1011 						yyerror("Bad value specified for netmask");
1012 						return 0;
1013 					  }
1014 					}
1015 	| IPFY_BROADCAST		{ if (ifpflag == FRI_DYNAMIC) {
1016 						bzero(&$$, sizeof($$));
1017 						ifpflag = FRI_BROADCAST;
1018 					  } else
1019 						YYERROR;
1020 					}
1021 	| IPFY_NETWORK			{ if (ifpflag == FRI_DYNAMIC) {
1022 						bzero(&$$, sizeof($$));
1023 						ifpflag = FRI_NETWORK;
1024 					  } else
1025 						YYERROR;
1026 					}
1027 	| IPFY_NETMASKED		{ if (ifpflag == FRI_DYNAMIC) {
1028 						bzero(&$$, sizeof($$));
1029 						ifpflag = FRI_NETMASKED;
1030 					  } else
1031 						YYERROR;
1032 					}
1033 	| IPFY_PEER			{ if (ifpflag == FRI_DYNAMIC) {
1034 						bzero(&$$, sizeof($$));
1035 						ifpflag = FRI_PEERADDR;
1036 					  } else
1037 						YYERROR;
1038 					}
1039 	;
1040 
/*
 * A host operand: a dotted IPv4 address, a bare number or hex value stored
 * directly into in4.s_addr, or a string passed to lookuphost().
 *
 * For the string form the token is always freed.  A failed lookup is an
 * error unless ifpflag is FRI_DYNAMIC, in which case the action continues
 * silently with whatever lookuphost() left in the result.
 *
 * NOTE(review): presumably lookuphost() resolves names when the ruleset is
 * loaded, so the address that ends up in the rule depends on the resolver
 * at that moment -- confirm, and prefer literal addresses where the rule
 * must not depend on name resolution.
 * NOTE(review): the number and hex forms are stored without htonl(),
 * whereas the hex alternative of the mask rule applies it -- confirm the
 * byte order the lexer delivers.
 */
hostname:
	ipv4				{ $$.in4 = $1; }
	| YY_NUMBER			{ $$.in4.s_addr = $1; }
	| YY_HEX			{ $$.in4.s_addr = $1; }
	| YY_STR
		{
		  int resolved = (lookuphost($1, &$$) == 1);

		  free($1);
		  if (!resolved && ifpflag != FRI_DYNAMIC)
			yyerror("Unknown hostname");
		}
	;
1054 
1055 addrlist:
1056 	ipaddr		{ $$ = newalist(NULL);
1057 			  if (set_ipv6_addr)
1058 				  $$->al_family = AF_INET6;
1059 			  else
1060 				  $$->al_family = AF_INET;
1061 			  set_ipv6_addr = 0;
1062 			  bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
1063 			  bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); }
1064 	| addrlist ',' ipaddr
1065 			{ $$ = newalist($1);
1066 			  if (set_ipv6_addr)
1067 				  $$->al_family = AF_INET6;
1068 			  else
1069 				  $$->al_family = AF_INET;
1070 			  set_ipv6_addr = 0;
1071 			  bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
1072 			  bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); }
1073 	;
1074 
1075 pool:	IPFY_POOL	{ yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
1076 	;
1077 
1078 hash:	IPFY_HASH	{ yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
1079 	;
1080 
1081 poollist:
1082 	ipaddr		{ $$ = newalist(NULL);
1083 			  if (set_ipv6_addr)
1084 				  $$->al_family = AF_INET6;
1085 			  else
1086 				  $$->al_family = AF_INET;
1087 			  set_ipv6_addr = 0;
1088 			  bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
1089 			  bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); }
1090 	| '!' ipaddr	{ $$ = newalist(NULL);
1091 			  $$->al_not = 1;
1092 			  if (set_ipv6_addr)
1093 				  $$->al_family = AF_INET6;
1094 			  else
1095 				  $$->al_family = AF_INET;
1096 			  set_ipv6_addr = 0;
1097 			  bcopy(&($2.a), &($$->al_i6addr), sizeof($2.a));
1098 			  bcopy(&($2.m), &($$->al_i6mask), sizeof($2.m)); }
1099 	| poollist ',' ipaddr
1100 			{ $$ = newalist($1);
1101 			  if (set_ipv6_addr)
1102 				  $$->al_family = AF_INET6;
1103 			  else
1104 				  $$->al_family = AF_INET;
1105 			  set_ipv6_addr = 0;
1106 			  bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
1107 			  bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); }
1108 	| poollist ',' '!' ipaddr
1109 			{ $$ = newalist($1);
1110 			  $$->al_not = 1;
1111 			  if (set_ipv6_addr)
1112 				  $$->al_family = AF_INET6;
1113 			  else
1114 				  $$->al_family = AF_INET;
1115 			  set_ipv6_addr = 0;
1116 			  bcopy(&($4.a), &($$->al_i6addr), sizeof($4.a));
1117 			  bcopy(&($4.m), &($$->al_i6mask), sizeof($4.m)); }
1118 	;
1119 
/*
 * Port matching.
 *   port / portr  accept the IPFY_PORT keyword and clear yyexpectaddr and
 *                 yycont; portr also calls yysetdict(NULL).
 *   portc         yields the comparison operator (FR_EQUAL for '=').
 *   portcomp      pairs that operator (pc) with one port number (p1).
 *   portrange     collects two port numbers (p1, p2) and the range
 *                 operator between them (pc).
 */
port:	IPFY_PORT			{ yyexpectaddr = 0;
					  yycont = NULL;
					}
	;

portc:	port compare			{ $$ = $2;
					  yysetdict(NULL); }
	| porteq			{ $$ = $1; }
	;

porteq:	port '='			{ $$ = FR_EQUAL;
					  yysetdict(NULL); }
	;

portr:	IPFY_PORT			{ yyexpectaddr = 0;
					  yycont = NULL;
					  yysetdict(NULL); }
	;

portcomp:
	portc portnum			{ $$.pc = $1;
					  $$.p1 = $2;
					  yyresetdict(); }
	;

portrange:
	portr portnum range portnum	{ $$.p1 = $2;
					  $$.pc = $3;
					  $$.p2 = $4;
					  yyresetdict(); }
	;
1151 
/*
 * ICMP type/code matching.  The type is shifted into bits 8-15 and the code
 * occupies bits 0-7 of the value passed to htons() for fr_icmp; fr_icmpm
 * receives the matching mask (0xff00 for the type, 0xff for the code).
 * A single type/code is applied with DOALL (every rule from frc on); the
 * list forms use DOREM, which starts at the current fr instead.
 *
 * NOTE(review): the numeric alternatives of icmptype/icmpcode pass the
 * parsed number through unchanged.  Nothing here rejects a value above 255;
 * a code above 255 would be ORed into the type byte.  Confirm whether the
 * lexer bounds YY_NUMBER, otherwise a range check belongs in these actions.
 */
icmp:	| itype icode
	;

itype:	seticmptype icmptype
	{ DOALL(fr->fr_icmp = htons($2 << 8); fr->fr_icmpm = htons(0xff00););
	  yyresetdict();
	}
	| seticmptype lstart typelist lend	{ yyresetdict(); }
	;

/* Switches the rule(s) to IPF matching and selects the ICMP type words. */
seticmptype:
	IPFY_ICMPTYPE				{ setipftype();
						  yysetdict(icmptypewords); }
	;

icode:	| seticmpcode icmpcode
	{ DOALL(fr->fr_icmp |= htons($2); fr->fr_icmpm |= htons(0xff););
	  yyresetdict();
	}
	| seticmpcode lstart codelist lend	{ yyresetdict(); }
	;

seticmpcode:
	IPFY_ICMPCODE				{ yysetdict(icmpcodewords); }
	;

typelist:
	icmptype
	{ DOREM(fr->fr_icmp = htons($1 << 8); fr->fr_icmpm = htons(0xff00);) }
	| typelist lmore icmptype
	{ DOREM(fr->fr_icmp = htons($3 << 8); fr->fr_icmpm = htons(0xff00);) }
	;

codelist:
	icmpcode
	{ DOREM(fr->fr_icmp |= htons($1); fr->fr_icmpm |= htons(0xff);) }
	| codelist lmore icmpcode
	{ DOREM(fr->fr_icmp |= htons($3); fr->fr_icmpm |= htons(0xff);) }
	;
1191 
/*
 * Optional age setting: one number fills both fr_age[0] and fr_age[1],
 * "a/b" sets them separately.  The numbers are stored as parsed; no range
 * check is applied in these actions.
 */
age:	| IPFY_AGE YY_NUMBER		{ DOALL(fr->fr_age[0] = $2; \
						fr->fr_age[1] = $2;) }
	| IPFY_AGE YY_NUMBER '/' YY_NUMBER
					{ DOALL(fr->fr_age[0] = $2; \
						fr->fr_age[1] = $4;) }
	;
1198 
/*
 * "keep state" / "keep frags" in either order, each with an optional
 * parenthesised option list.  The actions only set bits in fr_flags
 * (FR_KEEPSTATE, FR_KEEPFRAG, FR_FRSTRICT, ...) or fr_statemax on every
 * rule from frc onwards.
 */
keep:	| IPFY_KEEP keepstate
	| IPFY_KEEP keepfrag
	| IPFY_KEEP keepstate IPFY_KEEP keepfrag
	| IPFY_KEEP keepfrag IPFY_KEEP keepstate
	;

keepstate:
	IPFY_STATE stateoptlist		{ DOALL(fr->fr_flags |= FR_KEEPSTATE;)}
	;

keepfrag:
	IPFY_FRAGS fragoptlist		{ DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
	| IPFY_FRAG fragoptlist		{ DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
	;

fragoptlist:
	| '(' fragopts ')'
	;

fragopts:
	fragopt lanother fragopts
	| fragopt
	;

fragopt:
	IPFY_STRICT			{ DOALL(fr->fr_flags |= FR_FRSTRICT;) }
	;

stateoptlist:
	| '(' stateopts ')'
	;

stateopts:
	stateopt lanother stateopts
	| stateopt
	;

/*
 * State options.  "strict" and "newisn" raise YYERROR unless the rule's
 * fr_proto is IPPROTO_TCP; fr_proto is read at the point the option is
 * parsed.  "limit" stores the number in fr_statemax without a range check.
 */
stateopt:
	IPFY_LIMIT YY_NUMBER	{ DOALL(fr->fr_statemax = $2;) }
	| IPFY_STRICT		{ DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
						YYERROR; \
					  } else \
						fr->fr_flags |= FR_STSTRICT;)
				}
	| IPFY_NEWISN		{ DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
						YYERROR; \
					  } else \
						fr->fr_flags |= FR_NEWISN;)
				}
	| IPFY_NOICMPERR	{ DOALL(fr->fr_flags |= FR_NOICMPERR;) }

	| IPFY_SYNC		{ DOALL(fr->fr_flags |= FR_STATESYNC;) }
	;
1252 
/*
 * A port given either as a service name (resolved with getport() and
 * converted with ntohs()) or as a number no greater than 65535.  The
 * service-name string is freed here.
 *
 * NOTE(review): on both error paths the action does not assign $$ itself.
 * Whether parsing stops there depends on yyerror(), which is defined
 * outside this part of the file -- confirm it does not return, otherwise an
 * out-of-range or unknown port flows on into the rule.
 */
portnum:
	servicename			{ if (getport(frc, $1, &($$)) == -1)
						yyerror("service unknown");
					  else
						$$ = ntohs($$);
					  free($1);
					}
	| YY_NUMBER			{ if ($1 > 65535)	/* Unsigned */
						yyerror("invalid port number");
					  else
						$$ = $1;
					}
	;
1266 
/*
 * "with" options.  A plain opttype sets the bit in both fr_flx (value) and
 * fr_mflx (mask); the negated form sets only the mask bit, so the rule
 * matches packets where the flag is clear.  IP option and IPv6 header lists
 * are handled by ipopts / ipv6hdrs below.
 *
 * notwith records the negation in the file-level flag nowith, which ipopts,
 * ipv6hdrs and opt consult.  NOTE(review): nowith is not reset anywhere in
 * this part of the grammar -- confirm it is cleared elsewhere per rule.
 */
withlist:
	withopt
	| withlist withopt
	| withlist ',' withopt
	;

withopt:
	opttype		{ DOALL(fr->fr_flx |= $1; fr->fr_mflx |= $1;) }
	| notwith opttype
					{ DOALL(fr->fr_mflx |= $2;) }
	| ipopt ipopts			{ yyresetdict(); }
	| notwith ipopt ipopts		{ yyresetdict(); }
	| startv6hdrs ipv6hdrs		{ yyresetdict(); }
	;

ipopt:	IPFY_OPT			{ yysetdict(ipv4optwords); }
	;

/* Reports an error when use_inet6 is 0, then selects the IPv6 header words. */
startv6hdrs:
	IPF6_V6HDRS	{ if (use_inet6 == 0)
				yyerror("only available with IPv6");
			  yysetdict(ipv6optwords);
			}
	;

notwith:
	IPFY_NOT			{ nowith = 1; }
	| IPFY_NO			{ nowith = 1; }
	;
1296 
/*
 * Maps each "with" keyword token to its FI_* flag bit.  IPFY_FRAG and
 * IPFY_FRAGS both yield FI_FRAG.
 */
opttype:
	IPFY_IPOPTS			{ $$ = FI_OPTIONS; }
	| IPFY_SHORT			{ $$ = FI_SHORT; }
	| IPFY_NAT			{ $$ = FI_NATED; }
	| IPFY_BAD			{ $$ = FI_BAD; }
	| IPFY_BADNAT			{ $$ = FI_BADNAT; }
	| IPFY_BADSRC			{ $$ = FI_BADSRC; }
	| IPFY_LOWTTL			{ $$ = FI_LOWTTL; }
	| IPFY_FRAG			{ $$ = FI_FRAG; }
	| IPFY_FRAGBODY			{ $$ = FI_FRAGBODY; }
	| IPFY_FRAGS			{ $$ = FI_FRAG; }
	| IPFY_MBCAST			{ $$ = FI_MBCAST; }
	| IPFY_MULTICAST		{ $$ = FI_MULTICAST; }
	| IPFY_BROADCAST		{ $$ = FI_BROADCAST; }
	| IPFY_STATE			{ $$ = FI_STATE; }
	| IPFY_OOW			{ $$ = FI_OOW; }
	;
1314 
/*
 * Option / header / security-level lists.  Each *list rule ORs the bits of
 * its members together; ipopts and ipv6hdrs then OR the result into the
 * mask (fr_mip.fi_optmsk) and, unless nowith is set, into the value
 * (fr_ip.fi_optmsk) of every rule from frc onwards.
 *
 * The "$$ |= ..." forms read $$ before the action has assigned it; this
 * presumably relies on the parser pre-loading $$ with $1 -- confirm for the
 * yacc implementation in use.
 */
ipopts:	optlist		{ DOALL(fr->fr_mip.fi_optmsk |= $1;
				if (!nowith)
					fr->fr_ip.fi_optmsk |= $1;)
			}
	;

optlist:
	opt				{ $$ |= $1; }
	| optlist ',' opt		{ $$ |= $1 | $3; }
	;

ipv6hdrs:
	ipv6hdrlist	{ DOALL(fr->fr_mip.fi_optmsk |= $1;
				if (!nowith)
					fr->fr_ip.fi_optmsk |= $1;)
			}
	;

ipv6hdrlist:
	ipv6hdr				{ $$ |= $1; }
	| ipv6hdrlist ',' ipv6hdr	{ $$ |= $1 | $3; }
	;

secname:
	seclevel			{ $$ |= $1; }
	| secname ',' seclevel		{ $$ |= $1 | $3; }
	;
1342 
/* Maps each security-class keyword to the bit secbit() gives for its IPSO_CLASS_* value. */
seclevel:
	IPFY_SEC_UNC			{ $$ = secbit(IPSO_CLASS_UNCL); }
	| IPFY_SEC_CONF			{ $$ = secbit(IPSO_CLASS_CONF); }
	| IPFY_SEC_RSV1			{ $$ = secbit(IPSO_CLASS_RES1); }
	| IPFY_SEC_RSV2			{ $$ = secbit(IPSO_CLASS_RES2); }
	| IPFY_SEC_RSV3			{ $$ = secbit(IPSO_CLASS_RES3); }
	| IPFY_SEC_RSV4			{ $$ = secbit(IPSO_CLASS_RES4); }
	| IPFY_SEC_SEC			{ $$ = secbit(IPSO_CLASS_SECR); }
	| IPFY_SEC_TS			{ $$ = secbit(IPSO_CLASS_TOPS); }
	;
1353 
/*
 * ICMP type: either a bare number or one of the keywords from
 * icmptypewords, mapped to the ICMP_* constant.
 * The numeric form is passed through without a range check.
 */
icmptype:
	YY_NUMBER			{ $$ = $1; }
	| IPFY_ICMPT_UNR		{ $$ = ICMP_UNREACH; }
	| IPFY_ICMPT_ECHO		{ $$ = ICMP_ECHO; }
	| IPFY_ICMPT_ECHOR		{ $$ = ICMP_ECHOREPLY; }
	| IPFY_ICMPT_SQUENCH		{ $$ = ICMP_SOURCEQUENCH; }
	| IPFY_ICMPT_REDIR		{ $$ = ICMP_REDIRECT; }
	| IPFY_ICMPT_TIMEX		{ $$ = ICMP_TIMXCEED; }
	| IPFY_ICMPT_PARAMP		{ $$ = ICMP_PARAMPROB; }
	| IPFY_ICMPT_TIMEST		{ $$ = ICMP_TSTAMP; }
	| IPFY_ICMPT_TIMESTREP		{ $$ = ICMP_TSTAMPREPLY; }
	| IPFY_ICMPT_INFOREQ		{ $$ = ICMP_IREQ; }
	| IPFY_ICMPT_INFOREP		{ $$ = ICMP_IREQREPLY; }
	| IPFY_ICMPT_MASKREQ		{ $$ = ICMP_MASKREQ; }
	| IPFY_ICMPT_MASKREP		{ $$ = ICMP_MASKREPLY; }
	| IPFY_ICMPT_ROUTERAD		{ $$ = ICMP_ROUTERADVERT; }
	| IPFY_ICMPT_ROUTERSOL		{ $$ = ICMP_ROUTERSOLICIT; }
	;

/*
 * ICMP code: a bare number (no range check) or a keyword from
 * icmpcodewords.  The last two keywords use the literal codes 14 and 15
 * rather than a named constant.
 */
icmpcode:
	YY_NUMBER			{ $$ = $1; }
	| IPFY_ICMPC_NETUNR		{ $$ = ICMP_UNREACH_NET; }
	| IPFY_ICMPC_HSTUNR		{ $$ = ICMP_UNREACH_HOST; }
	| IPFY_ICMPC_PROUNR		{ $$ = ICMP_UNREACH_PROTOCOL; }
	| IPFY_ICMPC_PORUNR		{ $$ = ICMP_UNREACH_PORT; }
	| IPFY_ICMPC_NEEDF		{ $$ = ICMP_UNREACH_NEEDFRAG; }
	| IPFY_ICMPC_SRCFAIL		{ $$ = ICMP_UNREACH_SRCFAIL; }
	| IPFY_ICMPC_NETUNK		{ $$ = ICMP_UNREACH_NET_UNKNOWN; }
	| IPFY_ICMPC_HSTUNK		{ $$ = ICMP_UNREACH_HOST_UNKNOWN; }
	| IPFY_ICMPC_ISOLATE		{ $$ = ICMP_UNREACH_ISOLATED; }
	| IPFY_ICMPC_NETPRO		{ $$ = ICMP_UNREACH_NET_PROHIB; }
	| IPFY_ICMPC_HSTPRO		{ $$ = ICMP_UNREACH_HOST_PROHIB; }
	| IPFY_ICMPC_NETTOS		{ $$ = ICMP_UNREACH_TOSNET; }
	| IPFY_ICMPC_HSTTOS		{ $$ = ICMP_UNREACH_TOSHOST; }
	| IPFY_ICMPC_FLTPRO		{ $$ = ICMP_UNREACH_ADMIN_PROHIBIT; }
	| IPFY_ICMPC_HSTPRE		{ $$ = 14; }
	| IPFY_ICMPC_CUTPRE		{ $$ = 15; }
	;
1392 
/*
 * One IPv4 option keyword, mapped to its mask bit by getoptbyvalue().
 * The "sec-class" form is different: it ORs the collected security levels
 * into fr_mip.fi_secmsk (and into fr_ip.fi_secmsk unless nowith is set) on
 * every rule from frc onwards and contributes 0 to the option mask.
 */
opt:
	IPFY_IPOPT_NOP			{ $$ = getoptbyvalue(IPOPT_NOP); }
	| IPFY_IPOPT_RR			{ $$ = getoptbyvalue(IPOPT_RR); }
	| IPFY_IPOPT_ZSU		{ $$ = getoptbyvalue(IPOPT_ZSU); }
	| IPFY_IPOPT_MTUP		{ $$ = getoptbyvalue(IPOPT_MTUP); }
	| IPFY_IPOPT_MTUR		{ $$ = getoptbyvalue(IPOPT_MTUR); }
	| IPFY_IPOPT_ENCODE		{ $$ = getoptbyvalue(IPOPT_ENCODE); }
	| IPFY_IPOPT_TS			{ $$ = getoptbyvalue(IPOPT_TS); }
	| IPFY_IPOPT_TR			{ $$ = getoptbyvalue(IPOPT_TR); }
	| IPFY_IPOPT_SEC		{ $$ = getoptbyvalue(IPOPT_SECURITY); }
	| IPFY_IPOPT_LSRR		{ $$ = getoptbyvalue(IPOPT_LSRR); }
	| IPFY_IPOPT_ESEC		{ $$ = getoptbyvalue(IPOPT_E_SEC); }
	| IPFY_IPOPT_CIPSO		{ $$ = getoptbyvalue(IPOPT_CIPSO); }
	| IPFY_IPOPT_SATID		{ $$ = getoptbyvalue(IPOPT_SATID); }
	| IPFY_IPOPT_SSRR		{ $$ = getoptbyvalue(IPOPT_SSRR); }
	| IPFY_IPOPT_ADDEXT		{ $$ = getoptbyvalue(IPOPT_ADDEXT); }
	| IPFY_IPOPT_VISA		{ $$ = getoptbyvalue(IPOPT_VISA); }
	| IPFY_IPOPT_IMITD		{ $$ = getoptbyvalue(IPOPT_IMITD); }
	| IPFY_IPOPT_EIP		{ $$ = getoptbyvalue(IPOPT_EIP); }
	| IPFY_IPOPT_FINN		{ $$ = getoptbyvalue(IPOPT_FINN); }
	| IPFY_IPOPT_DPS		{ $$ = getoptbyvalue(IPOPT_DPS); }
	| IPFY_IPOPT_SDB		{ $$ = getoptbyvalue(IPOPT_SDB); }
	| IPFY_IPOPT_NSAPA		{ $$ = getoptbyvalue(IPOPT_NSAPA); }
	| IPFY_IPOPT_RTRALRT		{ $$ = getoptbyvalue(IPOPT_RTRALRT); }
	| IPFY_IPOPT_UMP		{ $$ = getoptbyvalue(IPOPT_UMP); }
	| setsecclass secname
			{ DOALL(fr->fr_mip.fi_secmsk |= $2;
				if (!nowith)
					fr->fr_ip.fi_secmsk |= $2;)
			  $$ = 0;
			  yyresetdict();
			}
	;

/* Selects the security-class keyword table for the names that follow. */
setsecclass:
	IPFY_SECCLASS	{ yysetdict(ipv4secwords); }
	;
1430 
/* One IPv6 extension-header keyword, mapped to its mask bit by getv6optbyvalue(). */
ipv6hdr:
	IPFY_AH			{ $$ = getv6optbyvalue(IPPROTO_AH); }
	| IPFY_IPV6OPT_DSTOPTS	{ $$ = getv6optbyvalue(IPPROTO_DSTOPTS); }
	| IPFY_ESP		{ $$ = getv6optbyvalue(IPPROTO_ESP); }
	| IPFY_IPV6OPT_HOPOPTS	{ $$ = getv6optbyvalue(IPPROTO_HOPOPTS); }
	| IPFY_IPV6OPT_IPV6	{ $$ = getv6optbyvalue(IPPROTO_IPV6); }
	| IPFY_IPV6OPT_NONE	{ $$ = getv6optbyvalue(IPPROTO_NONE); }
	| IPFY_IPV6OPT_ROUTING	{ $$ = getv6optbyvalue(IPPROTO_ROUTING); }
	| IPFY_FRAG		{ $$ = getv6optbyvalue(IPPROTO_FRAGMENT); }
	;
1441 
/* "level" keyword: setsyslog() switches the lexer to the syslog word table. */
level:	IPFY_LEVEL			{ setsyslog(); }
	;

/*
 * Syslog level for a rule: "priority" alone is combined with LOG_LOCAL0,
 * "facility.priority" uses the given facility.  Unlike most actions in this
 * grammar these write to the current fr only, not to every rule via DOALL.
 */
loglevel:
	priority			{ fr->fr_loglevel = LOG_LOCAL0|$1; }
	| facility '.' priority		{ fr->fr_loglevel = $1 | $3; }
	;
1449 
/*
 * Syslog facility keyword -> LOG_* facility constant.
 * NOTE(review): the logwords table also defines "console"
 * (IPFY_FAC_CONSOLE), which has no alternative here.
 */
facility:
	IPFY_FAC_KERN			{ $$ = LOG_KERN; }
	| IPFY_FAC_USER			{ $$ = LOG_USER; }
	| IPFY_FAC_MAIL			{ $$ = LOG_MAIL; }
	| IPFY_FAC_DAEMON		{ $$ = LOG_DAEMON; }
	| IPFY_FAC_AUTH			{ $$ = LOG_AUTH; }
	| IPFY_FAC_SYSLOG		{ $$ = LOG_SYSLOG; }
	| IPFY_FAC_LPR			{ $$ = LOG_LPR; }
	| IPFY_FAC_NEWS			{ $$ = LOG_NEWS; }
	| IPFY_FAC_UUCP			{ $$ = LOG_UUCP; }
	| IPFY_FAC_CRON			{ $$ = LOG_CRON; }
	| IPFY_FAC_FTP			{ $$ = LOG_FTP; }
	| IPFY_FAC_AUTHPRIV		{ $$ = LOG_AUTHPRIV; }
	| IPFY_FAC_AUDIT		{ $$ = LOG_AUDIT; }
	| IPFY_FAC_LFMT			{ $$ = LOG_LFMT; }
	| IPFY_FAC_LOCAL0		{ $$ = LOG_LOCAL0; }
	| IPFY_FAC_LOCAL1		{ $$ = LOG_LOCAL1; }
	| IPFY_FAC_LOCAL2		{ $$ = LOG_LOCAL2; }
	| IPFY_FAC_LOCAL3		{ $$ = LOG_LOCAL3; }
	| IPFY_FAC_LOCAL4		{ $$ = LOG_LOCAL4; }
	| IPFY_FAC_LOCAL5		{ $$ = LOG_LOCAL5; }
	| IPFY_FAC_LOCAL6		{ $$ = LOG_LOCAL6; }
	| IPFY_FAC_LOCAL7		{ $$ = LOG_LOCAL7; }
	| IPFY_FAC_SECURITY		{ $$ = LOG_SECURITY; }
	;

/* Syslog priority keyword -> LOG_* priority constant. */
priority:
	IPFY_PRI_EMERG			{ $$ = LOG_EMERG; }
	| IPFY_PRI_ALERT		{ $$ = LOG_ALERT; }
	| IPFY_PRI_CRIT			{ $$ = LOG_CRIT; }
	| IPFY_PRI_ERR			{ $$ = LOG_ERR; }
	| IPFY_PRI_WARN			{ $$ = LOG_WARNING; }
	| IPFY_PRI_NOTICE		{ $$ = LOG_NOTICE; }
	| IPFY_PRI_INFO			{ $$ = LOG_INFO; }
	| IPFY_PRI_DEBUG		{ $$ = LOG_DEBUG; }
	;
1486 
/* Comparison operator token -> FR_* comparison code used for port matching. */
compare:
	YY_CMP_EQ			{ $$ = FR_EQUAL; }
	| YY_CMP_NE			{ $$ = FR_NEQUAL; }
	| YY_CMP_LT			{ $$ = FR_LESST; }
	| YY_CMP_LE			{ $$ = FR_LESSTE; }
	| YY_CMP_GT			{ $$ = FR_GREATERT; }
	| YY_CMP_GE			{ $$ = FR_GREATERTE; }
	;

/* Range operator between two ports; ':' selects FR_INCRANGE. */
range:	YY_RANGE_IN			{ $$ = FR_INRANGE; }
	| YY_RANGE_OUT			{ $$ = FR_OUTRANGE; }
	| ':'				{ $$ = FR_INCRANGE; }
	;
1500 
/*
 * String-valued terminals.  Each passes the YY_STR pointer through
 * unchanged, so the consumer of the rule owns the string (portnum, for
 * example, frees its servicename).
 */
servicename:
	YY_STR				{ $$ = $1; }
	;

/*
 * "name:number" (a logical interface) is accepted but only the physical
 * name is kept; a warning with the line number is written to stderr.
 */
interfacename:	YY_STR			{ $$ = $1; }
	| YY_STR ':' YY_NUMBER
		{ $$ = $1;
		  fprintf(stderr, "%d: Logical interface %s:%d unsupported, "
			  "use the physical interface %s instead.\n",
			  yylineNum, $1, $3, $1);
		}
	;

name:	YY_STR				{ $$ = $1; }
	;
1516 
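/*
 * Dotted IPv4 address, built up octet by octet; two- and three-octet forms
 * are accepted and leave the missing low octets zero.  The result is kept
 * in network byte order in s_addr.
 *
 * Each octet is rejected when it is above 255.  The shifts are done on
 * u_32_t so that a first octet of 128 or more cannot overflow a signed
 * int, whatever value type YY_NUMBER carries.
 *
 * NOTE(review): the error paths "return 0" straight out of the generated
 * parser, which is also the value yyparse() gives for success.  If
 * yyerror() can return, YYABORT would be the conventional way to stop.
 */
ipv4_16:
	YY_NUMBER '.' YY_NUMBER
		{ if ($1 > 255 || $3 > 255) {
			yyerror("Invalid octet string for IP address");
			return 0;
		  }
		  $$.s_addr = htonl(((u_32_t)$1 << 24) | ((u_32_t)$3 << 16));
		}
	;

ipv4_24:
	ipv4_16 '.' YY_NUMBER
		{ if ($3 > 255) {
			yyerror("Invalid octet string for IP address");
			return 0;
		  }
		  $$.s_addr |= htonl((u_32_t)$3 << 8);
		}
	;

ipv4:	ipv4_24 '.' YY_NUMBER
		{ if ($3 > 255) {
			yyerror("Invalid octet string for IP address");
			return 0;
		  }
		  $$.s_addr |= htonl((u_32_t)$3);
		}
	| ipv4_24
	| ipv4_16
	;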
1548 
1549 %%
1550 
1551 
/*
 * Top-level keyword table: maps each rule keyword to its grammar token.
 * ipf_parsefile() installs it with yysettab().  The list ends with a
 * { NULL, 0 } entry; several keywords are aliases for the same token
 * (e.g. "ipopt"/"ipopts", "mcast"/"multicast", "age"/"state-age").
 */
static	struct	wordtab ipfwords[96] = {
	{ "age",			IPFY_AGE },
	{ "ah",				IPFY_AH },
	{ "all",			IPFY_ALL },
	{ "and",			IPFY_AND },
	{ "auth",			IPFY_AUTH },
	{ "bad",			IPFY_BAD },
	{ "bad-nat",			IPFY_BADNAT },
	{ "bad-src",			IPFY_BADSRC },
	{ "bcast",			IPFY_BROADCAST },
	{ "block",			IPFY_BLOCK },
	{ "body",			IPFY_BODY },
	{ "bpf-v4",			IPFY_BPFV4 },
#ifdef USE_INET6
	{ "bpf-v6",			IPFY_BPFV6 },
#endif
	{ "call",			IPFY_CALL },
	{ "code",			IPFY_ICMPCODE },
	{ "count",			IPFY_COUNT },
	{ "dup-to",			IPFY_DUPTO },
	{ "eq",				YY_CMP_EQ },
	{ "esp",			IPFY_ESP },
	{ "fastroute",			IPFY_FROUTE },
	{ "first",			IPFY_FIRST },
	{ "flags",			IPFY_FLAGS },
	{ "frag",			IPFY_FRAG },
	{ "frag-body",			IPFY_FRAGBODY },
	{ "frags",			IPFY_FRAGS },
	{ "from",			IPFY_FROM },
	{ "ge",				YY_CMP_GE },
	{ "group",			IPFY_GROUP },
	{ "gt",				YY_CMP_GT },
	{ "head",			IPFY_HEAD },
	{ "icmp",			IPFY_ICMP },
	{ "icmp-type",			IPFY_ICMPTYPE },
	{ "in",				IPFY_IN },
	{ "in-via",			IPFY_INVIA },
	{ "intercept_loopback",		IPFY_SET_LOOPBACK },
	{ "ipopt",			IPFY_IPOPTS },
	{ "ipopts",			IPFY_IPOPTS },
	{ "keep",			IPFY_KEEP },
	{ "le",				YY_CMP_LE },
	{ "level",			IPFY_LEVEL },
	{ "limit",			IPFY_LIMIT },
	{ "log",			IPFY_LOG },
	{ "lowttl",			IPFY_LOWTTL },
	{ "lt",				YY_CMP_LT },
	{ "mask",			IPFY_MASK },
	{ "match-tag",			IPFY_MATCHTAG },
	{ "mbcast",			IPFY_MBCAST },
	{ "mcast",			IPFY_MULTICAST },
	{ "multicast",			IPFY_MULTICAST },
	{ "nat",			IPFY_NAT },
	{ "ne",				YY_CMP_NE },
	{ "net",			IPFY_NETWORK },
	{ "newisn",			IPFY_NEWISN },
	{ "no",				IPFY_NO },
	{ "no-icmp-err",		IPFY_NOICMPERR },
	{ "now",			IPFY_NOW },
	{ "not",			IPFY_NOT },
	{ "oow",			IPFY_OOW },
	{ "on",				IPFY_ON },
	{ "opt",			IPFY_OPT },
	{ "or-block",			IPFY_ORBLOCK },
	{ "out",			IPFY_OUT },
	{ "out-via",			IPFY_OUTVIA },
	{ "pass",			IPFY_PASS },
	{ "port",			IPFY_PORT },
	{ "pps",			IPFY_PPS },
	{ "preauth",			IPFY_PREAUTH },
	{ "proto",			IPFY_PROTO },
	{ "quick",			IPFY_QUICK },
	{ "reply-to",			IPFY_REPLY_TO },
	{ "return-icmp",		IPFY_RETICMP },
	{ "return-icmp-as-dest",	IPFY_RETICMPASDST },
	{ "return-rst",			IPFY_RETRST },
	{ "route-to",			IPFY_ROUTETO },
	{ "sec-class",			IPFY_SECCLASS },
	{ "set-tag",			IPFY_SETTAG },
	{ "set",			IPFY_SET },
	{ "skip",			IPFY_SKIP },
	{ "short",			IPFY_SHORT },
	{ "state",			IPFY_STATE },
	{ "state-age",			IPFY_AGE },
	{ "strict",			IPFY_STRICT },
	{ "sync",			IPFY_SYNC },
	{ "tcp",			IPFY_TCP },
	{ "tcp-udp",			IPFY_TCPUDP },
	{ "tos",			IPFY_TOS },
	{ "to",				IPFY_TO },
	{ "ttl",			IPFY_TTL },
	{ "udp",			IPFY_UDP },
	{ "v6hdrs",			IPF6_V6HDRS },
	{ "with",			IPFY_WITH },
	{ NULL,				0 }
};
1648 
/* Keywords valid in address position; terminated by { NULL, 0 }. */
static	struct	wordtab	addrwords[4] = {
	{ "any",			IPFY_ANY },
	{ "hash",			IPFY_HASH },
	{ "pool",			IPFY_POOL },
	{ NULL,				0 }
};
1655 
/* Keywords valid in netmask position; terminated by { NULL, 0 }. */
static	struct	wordtab	maskwords[5] = {
	{ "broadcast",			IPFY_BROADCAST },
	{ "netmasked",			IPFY_NETMASKED },
	{ "network",			IPFY_NETWORK },
	{ "peer",			IPFY_PEER },
	{ NULL,				0 }
};
1663 
/*
 * ICMP type names, selected by the seticmptype rule through yysetdict().
 * Terminated by { NULL, 0 }.
 */
static	struct	wordtab icmptypewords[16] = {
	{ "echo",			IPFY_ICMPT_ECHO },
	{ "echorep",			IPFY_ICMPT_ECHOR },
	{ "inforeq",			IPFY_ICMPT_INFOREQ },
	{ "inforep",			IPFY_ICMPT_INFOREP },
	{ "maskrep",			IPFY_ICMPT_MASKREP },
	{ "maskreq",			IPFY_ICMPT_MASKREQ },
	{ "paramprob",			IPFY_ICMPT_PARAMP },
	{ "redir",			IPFY_ICMPT_REDIR },
	{ "unreach",			IPFY_ICMPT_UNR },
	{ "routerad",			IPFY_ICMPT_ROUTERAD },
	{ "routersol",			IPFY_ICMPT_ROUTERSOL },
	{ "squench",			IPFY_ICMPT_SQUENCH },
	{ "timest",			IPFY_ICMPT_TIMEST },
	{ "timestrep",			IPFY_ICMPT_TIMESTREP },
	{ "timex",			IPFY_ICMPT_TIMEX },
	{ NULL,				0 },
};
1682 
/*
 * ICMP code names, selected by the seticmpcode rule through yysetdict().
 * Terminated by { NULL, 0 }.
 */
static	struct	wordtab icmpcodewords[17] = {
	{ "cutoff-preced",		IPFY_ICMPC_CUTPRE },
	{ "filter-prohib",		IPFY_ICMPC_FLTPRO },
	{ "isolate",			IPFY_ICMPC_ISOLATE },
	{ "needfrag",			IPFY_ICMPC_NEEDF },
	{ "net-prohib",			IPFY_ICMPC_NETPRO },
	{ "net-tos",			IPFY_ICMPC_NETTOS },
	{ "host-preced",		IPFY_ICMPC_HSTPRE },
	{ "host-prohib",		IPFY_ICMPC_HSTPRO },
	{ "host-tos",			IPFY_ICMPC_HSTTOS },
	{ "host-unk",			IPFY_ICMPC_HSTUNK },
	{ "host-unr",			IPFY_ICMPC_HSTUNR },
	{ "net-unk",			IPFY_ICMPC_NETUNK },
	{ "net-unr",			IPFY_ICMPC_NETUNR },
	{ "port-unr",			IPFY_ICMPC_PORUNR },
	{ "proto-unr",			IPFY_ICMPC_PROUNR },
	{ "srcfail",			IPFY_ICMPC_SRCFAIL },
	{ NULL,				0 },
};
1702 
/*
 * IPv4 option names, selected by the ipopt rule through yysetdict().
 * Terminated by { NULL, 0 }.
 */
static	struct	wordtab ipv4optwords[25] = {
	{ "addext",			IPFY_IPOPT_ADDEXT },
	{ "cipso",			IPFY_IPOPT_CIPSO },
	{ "dps",			IPFY_IPOPT_DPS },
	{ "e-sec",			IPFY_IPOPT_ESEC },
	{ "eip",			IPFY_IPOPT_EIP },
	{ "encode",			IPFY_IPOPT_ENCODE },
	{ "finn",			IPFY_IPOPT_FINN },
	{ "imitd",			IPFY_IPOPT_IMITD },
	{ "lsrr",			IPFY_IPOPT_LSRR },
	{ "mtup",			IPFY_IPOPT_MTUP },
	{ "mtur",			IPFY_IPOPT_MTUR },
	{ "nop",			IPFY_IPOPT_NOP },
	{ "nsapa",			IPFY_IPOPT_NSAPA },
	{ "rr",				IPFY_IPOPT_RR },
	{ "rtralrt",			IPFY_IPOPT_RTRALRT },
	{ "satid",			IPFY_IPOPT_SATID },
	{ "sdb",			IPFY_IPOPT_SDB },
	{ "sec",			IPFY_IPOPT_SEC },
	{ "ssrr",			IPFY_IPOPT_SSRR },
	{ "tr",				IPFY_IPOPT_TR },
	{ "ts",				IPFY_IPOPT_TS },
	{ "ump",			IPFY_IPOPT_UMP },
	{ "visa",			IPFY_IPOPT_VISA },
	{ "zsu",			IPFY_IPOPT_ZSU },
	{ NULL,				0 },
};
1730 
/*
 * Security-class names, selected by the setsecclass rule through
 * yysetdict().  Terminated by { NULL, 0 }.
 */
static	struct	wordtab ipv4secwords[9] = {
	{ "confid",			IPFY_SEC_CONF },
	{ "reserv-1",			IPFY_SEC_RSV1 },
	{ "reserv-2",			IPFY_SEC_RSV2 },
	{ "reserv-3",			IPFY_SEC_RSV3 },
	{ "reserv-4",			IPFY_SEC_RSV4 },
	{ "secret",			IPFY_SEC_SEC },
	{ "topsecret",			IPFY_SEC_TS },
	{ "unclass",			IPFY_SEC_UNC },
	{ NULL,				0 },
};
1742 
/*
 * IPv6 extension-header names, selected by the startv6hdrs rule through
 * yysetdict().  Terminated by { NULL, 0 }.
 */
static	struct	wordtab ipv6optwords[8] = {
	{ "dstopts",			IPFY_IPV6OPT_DSTOPTS },
	{ "esp",			IPFY_ESP },
	{ "frag",			IPFY_FRAG },
	{ "hopopts",			IPFY_IPV6OPT_HOPOPTS },
	{ "ipv6",			IPFY_IPV6OPT_IPV6 },
	{ "none",			IPFY_IPV6OPT_NONE },
	{ "routing",			IPFY_IPV6OPT_ROUTING },
	{ NULL,				0 },
};
1753 
/*
 * Syslog facility and priority names, installed by setsyslog().
 * Terminated by { NULL, 0 }.
 * NOTE(review): "console" maps to IPFY_FAC_CONSOLE, which the facility
 * grammar rule has no alternative for.
 */
static	struct	wordtab logwords[33] = {
	{ "kern",			IPFY_FAC_KERN },
	{ "user",			IPFY_FAC_USER },
	{ "mail",			IPFY_FAC_MAIL },
	{ "daemon",			IPFY_FAC_DAEMON },
	{ "auth",			IPFY_FAC_AUTH },
	{ "syslog",			IPFY_FAC_SYSLOG },
	{ "lpr",			IPFY_FAC_LPR },
	{ "news",			IPFY_FAC_NEWS },
	{ "uucp",			IPFY_FAC_UUCP },
	{ "cron",			IPFY_FAC_CRON },
	{ "ftp",			IPFY_FAC_FTP },
	{ "authpriv",			IPFY_FAC_AUTHPRIV },
	{ "audit",			IPFY_FAC_AUDIT },
	{ "logalert",			IPFY_FAC_LFMT },
	{ "console",			IPFY_FAC_CONSOLE },
	{ "security",			IPFY_FAC_SECURITY },
	{ "local0",			IPFY_FAC_LOCAL0 },
	{ "local1",			IPFY_FAC_LOCAL1 },
	{ "local2",			IPFY_FAC_LOCAL2 },
	{ "local3",			IPFY_FAC_LOCAL3 },
	{ "local4",			IPFY_FAC_LOCAL4 },
	{ "local5",			IPFY_FAC_LOCAL5 },
	{ "local6",			IPFY_FAC_LOCAL6 },
	{ "local7",			IPFY_FAC_LOCAL7 },
	{ "emerg",			IPFY_PRI_EMERG },
	{ "alert",			IPFY_PRI_ALERT },
	{ "crit",			IPFY_PRI_CRIT },
	{ "err",			IPFY_PRI_ERR },
	{ "warn",			IPFY_PRI_WARN },
	{ "notice",			IPFY_PRI_NOTICE },
	{ "info",			IPFY_PRI_INFO },
	{ "debug",			IPFY_PRI_DEBUG },
	{ NULL,				0 },
};
1789 
1790 
1791 
1792 
/*
 * Parse every rule in the named file, or standard input when filename is
 * "-", by calling ipf_parsesome() until it stops returning 1.
 *
 * The parser debug level is taken from the YYDEBUG environment variable
 * (0 when it is unset).
 *
 * Returns 0 once the input is exhausted, -1 if the file cannot be opened.
 * Errors found while parsing are not reflected in the return value.
 */
int ipf_parsefile(fd, addfunc, iocfuncs, filename)
int fd;
addfunc_t addfunc;
ioctlfunc_t *iocfuncs;
char *filename;
{
	FILE *in = NULL;
	char *dbg;

	yylineNum = 1;
	yysettab(ipfwords);

	dbg = getenv("YYDEBUG");
	yydebug = (dbg != NULL) ? atoi(dbg) : 0;

	if (strcmp(filename, "-") == 0) {
		in = stdin;
	} else {
		in = fopen(filename, "r");
		if (in == NULL) {
			fprintf(stderr, "fopen(%s) failed: %s\n", filename,
				STRERROR(errno));
			return -1;
		}
	}

	for (;;) {
		if (ipf_parsesome(fd, addfunc, iocfuncs, in) != 1)
			break;
	}

	/* The stream is closed in both cases, including when it is stdin. */
	if (in != NULL)
		fclose(in);
	return 0;
}
1827 
1828 
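/*
 * Run the parser once over fp.
 *
 * The descriptor, the ioctl function table and the add-rule callback are
 * first copied into the file-level variables (ipffd, ipfioctl, ipfaddfunc)
 * that the rest of this file reads.  iocfuncs must provide IPL_LOGMAX + 1
 * entries.
 *
 * Returns 1 after yyparse() has been called (its own result is discarded),
 * or 0 when there is no more input to parse.
 */
int ipf_parsesome(fd, addfunc, iocfuncs, fp)
int fd;
addfunc_t addfunc;
ioctlfunc_t *iocfuncs;
FILE *fp;
{
	char *s;
	int i;

	ipffd = fd;
	for (i = 0; i <= IPL_LOGMAX; i++)
		ipfioctl[i] = iocfuncs[i];
	ipfaddfunc = addfunc;

	if (feof(fp))
		return 0;

	/* Peek at one character so that end of input is seen before parsing. */
	i = fgetc(fp);
	if (i == EOF)
		return 0;
	/*
	 * ungetc() returns the pushed-back character on success and EOF on
	 * failure, so the failure test has to be against EOF.  Comparing with
	 * 0 would miss real failures and would stop on a NUL byte instead.
	 */
	if (ungetc(i, fp) == EOF)
		return 0;
	if (feof(fp))
		return 0;

	s = getenv("YYDEBUG");
	if (s != NULL)
		yydebug = atoi(s);
	else
		yydebug = 0;

	yyin = fp;
	yyparse();
	return 1;
}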
1862 
1863 
/*
 * Allocate a zeroed rule, append it to the list headed by frtop and make it
 * the current rule (fr) and the start of the current rule chain (frc).
 * The new rule starts with no type, no log tag, log level 0xffff and an IP
 * version taken from use_inet6.  nrules is reset to 1.
 */
static void newrule()
{
	frentry_t *fresh, *tail;

	fresh = calloc(1, sizeof(*fresh));
	if (fresh == NULL)
		yyerror("sorry, out of memory");

	/* Find the last rule already on the list, if there is one. */
	tail = frtop;
	while (tail != NULL && tail->fr_next != NULL)
		tail = tail->fr_next;
	if (tail != NULL)
		tail->fr_next = fresh;
	if (frtop == NULL)
		frtop = fresh;

	fr = fresh;
	frc = fresh;

	fresh->fr_loglevel = 0xffff;
	fresh->fr_isc = (void *)-1;
	fresh->fr_logtag = FR_NOLOGTAG;
	fresh->fr_type = FR_T_NONE;
	fresh->fr_v = (use_inet6 != 0) ? 6 : 4;

	nrules = 1;
}
1890 
1891 
/*
 * Make every rule from frc onwards an IPF-type rule.  A rule that has no
 * type yet gets a zeroed fripf_t as its data, the IP version of frc, a
 * version mask of 0xf and both interface indexes set to -1.  A rule that
 * already has some other type only produces a message on stderr.
 *
 * The file-level fr is used as the loop cursor and is NULL on return.
 */
static void setipftype()
{
	fr = frc;
	while (fr != NULL) {
		if (fr->fr_type == FR_T_NONE) {
			fr->fr_type = FR_T_IPF;
			fr->fr_data = calloc(sizeof(fripf_t), 1);
			if (fr->fr_data == NULL)
				yyerror("sorry, out of memory");
			fr->fr_dsize = sizeof(fripf_t);
			fr->fr_ip.fi_v = frc->fr_v;
			fr->fr_mip.fi_v = 0xf;
			fr->fr_ipf->fri_sifpidx = -1;
			fr->fr_ipf->fri_difpidx = -1;
		} else if (fr->fr_type != FR_T_IPF) {
			fprintf(stderr, "IPF Type not set\n");
		}
		fr = fr->fr_next;
	}
}
1911 
1912 
/*
 * Append copies of existing rules to the end of the chain that starts at
 * frc and return the first copy.
 *
 * With nrules == 0 a single copy of the last rule is appended.  Otherwise
 * nrules copies are made, taken in order from frc.  Each copy gets its own
 * duplicate of the fr_caddr buffer (fr_dsize bytes) when the source has
 * one, and the global counter "added" is bumped once per copy.
 */
static frentry_t *addrule()
{
	frentry_t *tail, *src, *dup;
	int left;

	tail = frc;
	while (tail->fr_next != NULL)
		tail = tail->fr_next;

	left = nrules;
	if (left == 0) {
		dup = calloc(1, sizeof(*dup));
		if (dup == NULL)
			yyerror("sorry, out of memory");
		added++;
		tail->fr_next = dup;
		bcopy(tail, dup, sizeof(*dup));
		if (tail->fr_caddr != NULL) {
			dup->fr_caddr = malloc(dup->fr_dsize);
			if (dup->fr_caddr == NULL)
				yyerror("sorry, out of memory");
			bcopy(tail->fr_caddr, dup->fr_caddr, dup->fr_dsize);
		}
		/* The struct copy carried tail's link across; cut it. */
		dup->fr_next = NULL;
		return dup;
	}

	dup = tail;
	src = frc;
	while (left > 0) {
		dup->fr_next = calloc(1, sizeof(*dup));
		if (dup->fr_next == NULL)
			yyerror("sorry, out of memory");
		added++;
		dup = dup->fr_next;
		bcopy(src, dup, sizeof(*dup));
		dup->fr_next = NULL;
		if (dup->fr_caddr != NULL) {
			/* Give the copy a private buffer, not the source's. */
			dup->fr_caddr = malloc(dup->fr_dsize);
			if (dup->fr_caddr == NULL)
				yyerror("sorry, out of memory");
			bcopy(src->fr_caddr, dup->fr_caddr, dup->fr_dsize);
		}
		left--;
		src = src->fr_next;
	}

	return tail->fr_next;
}
1957 
1958 
/*
 * Resolve a name used in address position.
 *
 * The lookup-state flags (hashed, pooled, dynamic) are reset first.  If the
 * name equals one of the four interface names of the current rule chain
 * (frc->fr_ifnames), the address is treated as dynamic: ifpflag becomes
 * FRI_DYNAMIC, dynamic holds the index of the matching name and 0 is
 * returned.  Otherwise the name is looked up with gethost().
 *
 * Returns 1 when gethost() filled in *addr, 0 for a dynamic interface name
 * or for an unknown name (which is also reported on stderr).
 */
static u_32_t lookuphost(name, addr)
char *name;
i6addr_t *addr;
{
	int slot;

	hashed = 0;
	pooled = 0;
	dynamic = -1;

	for (slot = 0; slot < 4; slot++) {
		if (strncmp(name, frc->fr_ifnames[slot],
			    sizeof(frc->fr_ifnames[slot])) != 0)
			continue;
		ifpflag = FRI_DYNAMIC;
		dynamic = slot;
		return 0;
	}

	if (gethost(name, addr, use_inet6) != -1)
		return 1;

	fprintf(stderr, "unknown name \"%s\"\n", name);
	return 0;
}
1984 
1985 
/*
 * Attach a BPF program to the rules from frc onwards and mark them as
 * FR_T_BPFOPC for IP version v.
 *
 * phrase is either a quoted list of numbers, taken four at a time as the
 * fb_c, fb_t, fb_f and fb_k fields of one instruction, or (only when built
 * with IPFILTER_BPF) a filter expression compiled with pcap_compile().
 * Without IPFILTER_BPF a filter expression ends in exit(1).
 *
 * The numeric form modifies phrase in place, because it is split with
 * strtok().
 */
static void dobpf(v, phrase)
int v;
char *phrase;
{
#ifdef IPFILTER_BPF
	struct bpf_program bpf;
	struct pcap *p;
#endif
	fakebpf_t *fb;
	u_32_t l;
	char *s;
	int i;

	for (fr = frc; fr != NULL; fr = fr->fr_next) {
		if (fr->fr_type != FR_T_NONE) {
			fprintf(stderr, "cannot mix IPF and BPF matching\n");
			return;
		}
		fr->fr_v = v;
		fr->fr_type = FR_T_BPFOPC;

		/*
		 * NOTE(review): only the first two characters are compared,
		 * although the literal is three characters long -- confirm
		 * that a length of 2 is intended.
		 */
		if (!strncmp(phrase, "\"0x", 2)) {
			phrase++;	/* step over the opening quote */
			fb = malloc(sizeof(fakebpf_t));
			if (fb == NULL)
				yyerror("sorry, out of memory");

			for (i = 0, s = strtok(phrase, " \r\n\t"); s != NULL;
			     s = strtok(NULL, " \r\n\t"), i++) {
				/*
				 * Grow the array to hold instruction i / 4.
				 * The old pointer is overwritten, so it is
				 * lost if realloc() fails.
				 */
				fb = realloc(fb, (i / 4 + 1) * sizeof(*fb));
				if (fb == NULL)
					yyerror("sorry, out of memory");
				/*
				 * NOTE(review): no end-pointer or errno check;
				 * a token that is not a number is stored as 0
				 * and an out-of-range one is not detected.
				 * The program comes from the rule file, so a
				 * malformed token is accepted silently.
				 */
				l = (u_32_t)strtol(s, NULL, 0);
				switch (i & 3)
				{
				case 0 :
					fb[i / 4].fb_c = l & 0xffff;
					break;
				case 1 :
					fb[i / 4].fb_t = l & 0xff;
					break;
				case 2 :
					fb[i / 4].fb_f = l & 0xff;
					break;
				case 3 :
					fb[i / 4].fb_k = l;
					break;
				}
			}
			/* The token count must be a multiple of four. */
			if ((i & 3) != 0) {
				fprintf(stderr,
					"Odd number of bytes in BPF code\n");
				exit(1);
			}
			i--;
			fr->fr_dsize = (i / 4 + 1) * sizeof(*fb);
			fr->fr_data = fb;
			/*
			 * NOTE(review): this returns after the first rule in
			 * the chain; any later rule is left untouched.
			 */
			return;
		}

#ifdef IPFILTER_BPF
		bzero((char *)&bpf, sizeof(bpf));
		p = pcap_open_dead(DLT_RAW, 1);
		if (!p) {
			fprintf(stderr, "pcap_open_dead failed\n");
			return;
		}

		if (pcap_compile(p, &bpf, phrase, 1, 0xffffffff)) {
			pcap_perror(p, "ipf");
			pcap_close(p);
			fprintf(stderr, "pcap parsing failed (%s)\n", phrase);
			return;
		}
		pcap_close(p);

		fr->fr_dsize = bpf.bf_len * sizeof(struct bpf_insn);
		fr->fr_data = malloc(fr->fr_dsize);
		if (fr->fr_data == NULL)
			yyerror("sorry, out of memory");
		bcopy((char *)bpf.bf_insns, fr->fr_data, fr->fr_dsize);
		/*
		 * NOTE(review): when validation fails the rule keeps the
		 * FR_T_BPFOPC type and the unvalidated program in fr_data;
		 * only a message is printed.
		 */
		if (!bpf_validate(fr->fr_data, bpf.bf_len)) {
			fprintf(stderr, "BPF validation failed\n");
			return;
		}
#endif
	}

#ifdef IPFILTER_BPF
	/* bpf holds the program compiled for the last rule in the loop. */
	if (opts & OPT_DEBUG)
		bpf_dump(&bpf, 0);
#else
	fprintf(stderr, "BPF filter expressions not supported\n");
	exit(1);
#endif
}
2082 
2083 
/*
 * Forget the result of the previous address lookup: neither a hash nor a
 * pool was used, and no dynamic interface index is recorded.
 */
static void resetaddr()
{
	dynamic = -1;
	hashed = pooled = 0;
}
2090 
2091 
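/*
 * Allocate one address-list node and link it in front of ptr.
 *
 * ptr may be NULL to start a new list.  The node is zero-filled, so al_not
 * starts at 0 and the address fields are defined until the caller fills
 * them in.
 *
 * Returns the new node, which is the new head of the list.  On allocation
 * failure the error is reported through yyerror(), as the other allocation
 * sites in this file do, instead of silently handing NULL to callers that
 * write through the result without checking it; NULL is returned if
 * yyerror() comes back.
 */
static alist_t *newalist(ptr)
alist_t *ptr;
{
	alist_t *al;

	al = calloc(1, sizeof(*al));
	if (al == NULL) {
		yyerror("sorry, out of memory");
		return NULL;
	}
	al->al_next = ptr;
	return al;
}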
2104 
2105 
/*
 * Turn an address list into a temporary chain of pool nodes, load it with
 * load_pool() through the lookup ioctl function, then free the chain.
 *
 * Each node takes the family, address and mask of one list entry, and
 * ipn_info carries the entry's al_not flag.
 *
 * Returns the value of load_pool(), or 0 when the list is empty or the
 * first node cannot be allocated.
 */
static int makepool(list)
alist_t *list;
{
	ip_pool_node_t *node, *head;
	ip_pool_t pool;
	alist_t *entry;
	int result;

	if (list == NULL)
		return 0;
	head = calloc(1, sizeof(*head));
	if (head == NULL)
		return 0;

	node = head;
	entry = list;
	while (node != NULL && entry != NULL) {
		node->ipn_addr.adf_family = entry->al_family;
		node->ipn_mask.adf_family = entry->al_family;
		bcopy(&entry->al_i6addr, &node->ipn_addr.adf_addr,
		      sizeof(node->ipn_addr.adf_addr));
		bcopy(&entry->al_i6mask, &node->ipn_mask.adf_addr,
		      sizeof(node->ipn_mask.adf_addr));
		node->ipn_info = entry->al_not;

		/* Allocate the next node only if another entry follows. */
		if (entry->al_next != NULL) {
			node->ipn_next = calloc(1, sizeof(*node));
			if (node->ipn_next == NULL)
				yyerror("sorry, out of memory");
			node = node->ipn_next;
		}
		entry = entry->al_next;
	}

	bzero((char *)&pool, sizeof(pool));
	pool.ipo_unit = IPL_LOGIPF;
	pool.ipo_list = head;
	result = load_pool(&pool, ipfioctl[IPL_LOGLOOKUP]);

	for (node = head; node != NULL; node = head) {
		head = node->ipn_next;
		free(node);
	}
	return result;
}
2149 
2150 
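/*
 * Turn an address list into a temporary chain of hash-table entries, load
 * it with load_hash() through the lookup ioctl function, then free the
 * chain.
 *
 * After a successful load the table name left in iph.iph_name is read back
 * as a number and returned.  0 is returned when the list is empty, when the
 * first entry cannot be allocated, when load_hash() fails, or when the
 * name does not parse as a number.
 */
static u_int makehash(list)
alist_t *list;
{
	iphtent_t *n, *top;
	iphtable_t iph;
	alist_t *a;
	u_int num = 0;	/* unsigned to match the "%u" conversion below */

	if (list == NULL)
		return 0;
	top = calloc(1, sizeof(*top));
	if (top == NULL)
		return 0;

	for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) {
		n->ipe_family = a->al_family;
		bcopy((void *)&a->al_i6addr, (void *)&n->ipe_addr,
		      sizeof(n->ipe_addr));
		bcopy((void *)&a->al_i6mask, (void *)&n->ipe_mask,
		      sizeof(n->ipe_mask));
		n->ipe_value = 0;
		/* Allocate the next entry only if another address follows. */
		if (a->al_next != NULL) {
			n->ipe_next = calloc(1, sizeof(*n));
			if (n->ipe_next == NULL)
				yyerror("sorry, out of memory");
			n = n->ipe_next;
		}
	}

	bzero((char *)&iph, sizeof(iph));
	iph.iph_unit = IPL_LOGIPF;
	iph.iph_type = IPHASH_LOOKUP;
	*iph.iph_name = '\0';

	if (load_hash(&iph, top, ipfioctl[IPL_LOGLOOKUP]) == 0) {
		/*
		 * Do not return an indeterminate table number when the name
		 * holds no digits: fall back to 0, like the failure case.
		 */
		if (sscanf(iph.iph_name, "%u", &num) != 1)
			num = 0;
	}

	while ((n = top) != NULL) {
		top = n->ipe_next;
		free(n);
	}
	return num;
}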
2198 
2199 
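/*
 * Pass one parsed rule to the kernel through ioctlfunc.  The global opts
 * flags select the operation:
 *
 *   OPT_ZERORULEST  SIOCZRLST, after which the rule's hit and byte
 *                   counters are printed
 *   OPT_REMOVE      remove the rule (SIOCRMIFR with OPT_INACTIVE,
 *                   SIOCRMAFR otherwise)
 *   otherwise       add the rule, or insert it when fr_hits is non-zero
 *                   (SIOCADIFR / SIOCINIFR with OPT_INACTIVE, SIOCADAFR /
 *                   SIOCINAFR otherwise)
 *
 * fd         descriptor handed to ioctlfunc; replaced by -1 when
 *            OPT_DONOTHING is set
 * ioctlfunc  function that issues the ioctl
 * ptr        the rule, a frentry_t; a NULL pointer is ignored
 *
 * A failed ioctl is reported on stderr with the current line number unless
 * OPT_DONOTHING is set.  That now holds for the removal path too, where the
 * test used to be inverted: a failed removal of a filter rule was silent
 * and only dry runs printed an error.
 */
void ipf_addrule(fd, ioctlfunc, ptr)
int fd;
ioctlfunc_t ioctlfunc;
void *ptr;
{
	ioctlcmd_t add, del;
	frentry_t *fr;
	ipfobj_t obj;

	fr = ptr;
	/* Everything below dereferences the rule, so reject NULL up front. */
	if (fr == NULL)
		return;
	add = 0;
	del = 0;

	bzero((char *)&obj, sizeof(obj));
	obj.ipfo_rev = IPFILTER_VERSION;
	obj.ipfo_size = sizeof(*fr);
	obj.ipfo_type = IPFOBJ_FRENTRY;
	obj.ipfo_ptr = ptr;

	if ((opts & OPT_DONOTHING) != 0)
		fd = -1;

	/* The command is chosen before fr_hits is adjusted below. */
	if (opts & OPT_ZERORULEST) {
		add = SIOCZRLST;
	} else if (opts & OPT_INACTIVE) {
		add = (u_int)fr->fr_hits ? SIOCINIFR :
					   SIOCADIFR;
		del = SIOCRMIFR;
	} else {
		add = (u_int)fr->fr_hits ? SIOCINAFR :
					   SIOCADAFR;
		del = SIOCRMAFR;
	}

	if (opts & OPT_OUTQUE)
		fr->fr_flags |= FR_OUTQUE;
	if (fr->fr_hits)
		fr->fr_hits--;
	if (opts & OPT_VERBOSE)
		printfr(fr, ioctlfunc);

	if (opts & OPT_DEBUG) {
		binprint(fr, sizeof(*fr));
		if (fr->fr_data != NULL)
			binprint(fr->fr_data, fr->fr_dsize);
	}

	if ((opts & OPT_ZERORULEST) != 0) {
		if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
			if ((opts & OPT_DONOTHING) == 0) {
				fprintf(stderr, "%d:", yylineNum);
				perror("ioctl(SIOCZRLST)");
			}
		} else {
#ifdef	USE_QUAD_T
			printf("hits %qd bytes %qd ",
				(long long)fr->fr_hits,
				(long long)fr->fr_bytes);
#else
			printf("hits %ld bytes %ld ",
				fr->fr_hits, fr->fr_bytes);
#endif
			printfr(fr, ioctlfunc);
		}
	} else if ((opts & OPT_REMOVE) != 0) {
		if ((*ioctlfunc)(fd, del, (void *)&obj) == -1) {
			if ((opts & OPT_DONOTHING) == 0) {
				fprintf(stderr, "%d:", yylineNum);
				perror("ioctl(delete rule)");
			}
		}
	} else {
		if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
			if (!(opts & OPT_DONOTHING)) {
				fprintf(stderr, "%d:", yylineNum);
				perror("ioctl(add/insert rule)");
			}
		}
	}
}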
2280 
/*
 * setsyslog - switch the lexer to the logwords dictionary and turn on
 * yybreakondot (presumably so the lexer splits a token at '.'; confirm in
 * the lexer).  unsetsyslog() sets the flag back to 0.
 */
static void setsyslog()
{
	yysetdict(logwords);
	yybreakondot = 1;
}
2286 
2287 
/*
 * unsetsyslog - reset the lexer dictionary with yyresetdict() and clear
 * yybreakondot, the flag that setsyslog() sets to 1.
 */
static void unsetsyslog()
{
	yyresetdict();
	yybreakondot = 0;
}
2293 
2294 
/*
 * fillgroup - let a rule inherit parse-relevant defaults from the rule that
 * heads its group.
 *
 * The frold list is searched for the first rule whose fr_grhead matches
 * fr->fr_group (compared over at most FR_GROUPLEN bytes).  If none is found,
 * or either rule is not of type FR_T_IPF, fr is left untouched.  Otherwise
 * the IP version, protocol mask, protocol and the FI_TCPUDP flag are copied
 * into fr wherever fr has not set them itself.
 */
static void fillgroup(fr)
frentry_t *fr;
{
	frentry_t *head;

	head = frold;
	while (head != NULL &&
	       strncmp(head->fr_grhead, fr->fr_group, FR_GROUPLEN) != 0)
		head = head->fr_next;
	if (head == NULL)
		return;

	/*
	 * Inheritance applies only when both rules are ipf-type rules.  The
	 * fields copied are the ones that influence parsing of the rest of
	 * the rule, e.g. the protocol needed to interpret port comparisons.
	 */
	if (head->fr_type != FR_T_IPF || fr->fr_type != FR_T_IPF)
		return;

	/* A zero in the head rule leaves the matching zero in fr as it is. */
	if (fr->fr_v == 0)
		fr->fr_v = head->fr_v;
	if (fr->fr_mproto == 0)
		fr->fr_mproto = head->fr_mproto;
	if (fr->fr_proto == 0)
		fr->fr_proto = head->fr_proto;

	/* Still no protocol mask: take over the head's TCP/UDP marker. */
	if (fr->fr_mproto == 0 && (head->fr_flx & FI_TCPUDP) != 0) {
		if ((fr->fr_flx & FI_TCPUDP) == 0)
			fr->fr_flx |= FI_TCPUDP;
	}
}
2327