%{
/*
 * Copyright (C) 2003 by Darren Reed.
 *
 * See the IPFILTER.LICENCE file for details on licencing.
 *
 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident "%Z%%M% %I% %E% SMI"

#include "ipf.h"
#include <sys/ioctl.h>
#include <syslog.h>
#ifdef IPFILTER_BPF
# include "pcap-bpf.h"
# define _NET_BPF_H_
# include <pcap.h>
#endif
#include "netinet/ip_pool.h"
#include "netinet/ip_htable.h"
#include "netinet/ipl.h"
#include "ipf_l.h"

/* Build the generated parser with its trace code; yydebug enables it. */
#define YYDEBUG 1
/*
 * Both macros use the file-scope rule pointer `fr' as their cursor and
 * leave it NULL when the loop ends.
 *
 * DOALL(x): run x for every rule on the chain, starting again at frc.
 * DOREM(x): run x for the rule `fr' currently points at and each rule
 *           after it; the cursor is not reset first.
 *
 * The argument is pasted into a braced loop body, so it is written as
 * one or more complete statements.
 */
#define DOALL(x) for (fr = frc; fr != NULL; fr = fr->fr_next) { x }
#define DOREM(x) for (; fr != NULL; fr = fr->fr_next) { x }

/*
 * One bit per rule option. The grammar ORs these into `ruleopts' as the
 * options of a rule are parsed and reports an option that is seen twice.
 */
#define OPTION_LOG 0x1
#define OPTION_QUICK 0x2
#define OPTION_DUP 0x4
#define OPTION_PROUTE 0x8
#define OPTION_ON 0x10
#define OPTION_REPLYTO 0x20
#define OPTION_FROUTE 0x40

/* Parser and lexer symbols that are defined outside this prologue. */
extern void yyerror __P((char *));
extern int yyparse __P((void));
extern int yylex __P((void));
extern int yydebug;
extern FILE *yyin;
extern int yylineNum;

/* Forward declarations of helpers that are private to this file. */
static void newrule __P((void));
static void setipftype __P((void));
static u_32_t lookuphost __P((char *, i6addr_t *));
static void dobpf __P((int, char *));
static void resetaddr __P((void));
static struct alist_s *newalist __P((struct alist_s *));
static u_int makehash __P((struct alist_s *));
static int makepool __P((struct alist_s *));
static frentry_t *addrule __P((void));
static void setsyslog __P((void));
static void unsetsyslog __P((void));
static void fillgroup __P((frentry_t *));

/*
 * fr    - rule the actions are currently filling in; also the cursor
 *         used by DOALL/DOREM.
 * frc   - head of the chain that DOALL walks.
 * frtop - list drained when a rule line has been parsed; each entry is
 *         handed to ipfaddfunc.
 * frold - rules already handed over, most recent first.
 */
frentry_t *fr = NULL, *frc = NULL, *frtop = NULL, *frold = NULL;

static int ifpflag = 0;
static int nowith = 0;		/* cleared when "with"/"and" is parsed */
static int dynamic = -1;
static int pooled = 0;
static int hashed = 0;
static int nrules = 0;		/* grows by `added' when a list closes */
static int newlist = 0;		/* set to 1 when a '(' list opens */
static int added = 0;		/* reset to 0 when a '(' list opens */
static int ipffd = -1;		/* descriptor given to ioctl() and ipfaddfunc */
static int ruleopts = 0;	/* OPTION_* bits seen in the current rule */
static int *yycont = 0;		/* when non-NULL, flag the list code sets to 1 */
/* Indexed by IPL_LOG* constants; the IPL_LOGIPF entry is used for rules. */
static ioctlfunc_t ipfioctl[IPL_LOGSIZE];
/* Callback invoked once for every rule taken off frtop. */
static addfunc_t ipfaddfunc = NULL;
/*
 * Keyword tables, declared here with fixed sizes. The grammar hands
 * addrwords and icmpcodewords to yysetdict().
 */
static struct wordtab ipfwords[96];
static struct wordtab addrwords[4];
static struct wordtab maskwords[5];
static struct wordtab icmpcodewords[17];
static struct wordtab icmptypewords[16];
static struct wordtab ipv4optwords[25];
static struct wordtab ipv4secwords[9];
static struct wordtab ipv6optwords[8];
static struct wordtab logwords[33];
static int set_ipv6_addr = 0;

%}
/* Semantic value carried by tokens and non-terminals. */
%union {
	char *str;		/* string value; actions free() it after use */
	u_32_t num;
	struct in_addr ipa;
	frentry_t fr;
	frtuc_t *frt;
	struct alist_s *alist;
	u_short port;
	struct {
		u_short p1;
		u_short p2;
		int pc;
	} pc;
	struct {
		union i6addr a;	/* presumably the address - TODO confirm */
		union i6addr m;	/* presumably the mask - TODO confirm */
	} ipp;
	union i6addr ip6;
};

/* Value type of each non-terminal that yields one. */
%type <port> portnum
%type <num> facility priority icmpcode seclevel secname icmptype
%type <num> opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr
%type <num> portc porteq
%type <ipa> ipv4 ipv4_16 ipv4_24
%type <ip6> hostname mask
%type <ipp> addr ipaddr
%type <str> servicename name interfacename
%type <pc> portrange portcomp
%type <alist> addrlist poollist

/* Generic tokens: numbers, strings, comparison and range operators. */
%token <num> YY_NUMBER YY_HEX
%token <str> YY_STR
%token YY_COMMENT
%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
%token YY_RANGE_OUT YY_RANGE_IN
%token <ip6> YY_IPV6

/* Rule keywords. */
%token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL
%token IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST
%token IPFY_IN IPFY_OUT
%token IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA
%token IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO IPFY_ROUTETO
%token IPFY_TOS IPFY_TTL IPFY_PROTO
%token IPFY_HEAD IPFY_GROUP
%token IPFY_AUTH IPFY_PREAUTH
%token IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK
%token IPFY_LOGTAG IPFY_MATCHTAG IPFY_SETTAG IPFY_SKIP
%token IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPFV4 IPFY_BPFV6 IPFY_POOL IPFY_HASH
%token IPFY_PPS
%token IPFY_ESP IPFY_AH
%token IPFY_WITH IPFY_AND IPFY_NOT IPFY_NO IPFY_OPT
%token IPFY_TCPUDP IPFY_TCP IPFY_UDP
%token IPFY_FLAGS IPFY_MULTICAST
%token IPFY_MASK IPFY_BROADCAST IPFY_NETWORK IPFY_NETMASKED IPFY_PEER
%token IPFY_PORT
%token IPFY_NOW
%token IPFY_ICMP IPFY_ICMPTYPE IPFY_ICMPCODE
%token IPFY_IPOPTS IPFY_SHORT IPFY_NAT IPFY_BADSRC IPFY_LOWTTL IPFY_FRAG
%token IPFY_MBCAST IPFY_BAD IPFY_BADNAT IPFY_OOW IPFY_NEWISN IPFY_NOICMPERR
%token IPFY_KEEP IPFY_STATE IPFY_FRAGS IPFY_LIMIT IPFY_STRICT IPFY_AGE
%token IPFY_SYNC IPFY_FRAGBODY
%token IPFY_IPOPT_NOP IPFY_IPOPT_RR IPFY_IPOPT_ZSU IPFY_IPOPT_MTUP
%token IPFY_IPOPT_MTUR IPFY_IPOPT_ENCODE IPFY_IPOPT_TS IPFY_IPOPT_TR
%token IPFY_IPOPT_SEC IPFY_IPOPT_LSRR IPFY_IPOPT_ESEC IPFY_IPOPT_CIPSO
%token IPFY_IPOPT_SATID IPFY_IPOPT_SSRR IPFY_IPOPT_ADDEXT IPFY_IPOPT_VISA
%token IPFY_IPOPT_IMITD IPFY_IPOPT_EIP IPFY_IPOPT_FINN IPFY_IPOPT_DPS
%token IPFY_IPOPT_SDB IPFY_IPOPT_NSAPA IPFY_IPOPT_RTRALRT IPFY_IPOPT_UMP
%token IPFY_SECCLASS IPFY_SEC_UNC IPFY_SEC_CONF IPFY_SEC_RSV1 IPFY_SEC_RSV2
%token IPFY_SEC_RSV4 IPFY_SEC_SEC IPFY_SEC_TS IPFY_SEC_RSV3

%token IPF6_V6HDRS IPFY_IPV6OPT IPFY_IPV6OPT_DSTOPTS IPFY_IPV6OPT_HOPOPTS
%token IPFY_IPV6OPT_IPV6 IPFY_IPV6OPT_NONE IPFY_IPV6OPT_ROUTING

%token IPFY_ICMPT_UNR IPFY_ICMPT_ECHO IPFY_ICMPT_ECHOR IPFY_ICMPT_SQUENCH
%token IPFY_ICMPT_REDIR IPFY_ICMPT_TIMEX IPFY_ICMPT_PARAMP IPFY_ICMPT_TIMEST
%token IPFY_ICMPT_TIMESTREP IPFY_ICMPT_INFOREQ IPFY_ICMPT_INFOREP
%token IPFY_ICMPT_MASKREQ IPFY_ICMPT_MASKREP IPFY_ICMPT_ROUTERAD
%token IPFY_ICMPT_ROUTERSOL

%token IPFY_ICMPC_NETUNR IPFY_ICMPC_HSTUNR IPFY_ICMPC_PROUNR IPFY_ICMPC_PORUNR
%token IPFY_ICMPC_NEEDF IPFY_ICMPC_SRCFAIL IPFY_ICMPC_NETUNK IPFY_ICMPC_HSTUNK
%token IPFY_ICMPC_ISOLATE IPFY_ICMPC_NETPRO IPFY_ICMPC_HSTPRO
%token IPFY_ICMPC_NETTOS IPFY_ICMPC_HSTTOS IPFY_ICMPC_FLTPRO IPFY_ICMPC_HSTPRE
%token IPFY_ICMPC_CUTPRE
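%token	IPFY_FAC_KERN IPFY_FAC_USER IPFY_FAC_MAIL IPFY_FAC_DAEMON IPFY_FAC_AUTH
%token	IPFY_FAC_SYSLOG IPFY_FAC_LPR IPFY_FAC_NEWS IPFY_FAC_UUCP IPFY_FAC_CRON
%token	IPFY_FAC_LOCAL0 IPFY_FAC_LOCAL1 IPFY_FAC_LOCAL2 IPFY_FAC_LOCAL3
%token	IPFY_FAC_LOCAL4 IPFY_FAC_LOCAL5 IPFY_FAC_LOCAL6 IPFY_FAC_LOCAL7
%token	IPFY_FAC_SECURITY IPFY_FAC_FTP IPFY_FAC_AUTHPRIV IPFY_FAC_AUDIT
%token	IPFY_FAC_LFMT IPFY_FAC_CONSOLE

%token	IPFY_PRI_EMERG IPFY_PRI_ALERT IPFY_PRI_CRIT IPFY_PRI_ERR IPFY_PRI_WARN
%token	IPFY_PRI_NOTICE IPFY_PRI_INFO IPFY_PRI_DEBUG
%token	IPFY_SET_LOOPBACK IPFY_SET
%%
/* A rule file is any sequence of rule lines and variable assignments. */
file:	line
	| assign
	| file line
	| file assign
	;

/*
 * Once a rule has been parsed, every entry on frtop is unlinked, handed
 * to the add callback together with the IPL_LOGIPF ioctl handler, and
 * then pushed on frold.
 */
line:	xx rule		{ while ((fr = frtop) != NULL) {
				frtop = fr->fr_next;
				fr->fr_next = NULL;
				(*ipfaddfunc)(ipffd, ipfioctl[IPL_LOGIPF], fr);
				fr->fr_next = frold;
				frold = fr;
			  }
			  resetlexer();
			}
	| YY_COMMENT
	| set
	;

/* Empty rule whose action runs newrule() before the rule text is parsed. */
xx:	{ newrule(); }
	;

assign:	YY_STR assigning YY_STR ';'	{ set_variable($1, $3);
					  resetlexer();
					  free($1);
					  free($3);
					}
	;

assigning:
	'='				{ yyvarnext = 1; }
	;

/*
 * "set <loopback keyword> true|false;" - only accepted while frold is
 * still empty. The YY_STR value is released on every path, as the other
 * actions in this grammar do with their strings.
 *
 * NOTE(review): the two error paths leave yyparse() through "return 0",
 * which is also the value yacc returns for a successful parse; confirm
 * that no caller relies on the return value to notice these errors.
 */
set:
	IPFY_SET IPFY_SET_LOOPBACK YY_STR ';'
	{
	  int data;

	  if (frold != NULL) {
		free($3);
		yyerror("ipf rules before \"set\"");
		return 0;
	  }
	  if (!strcmp($3, "true"))
		data = 1;
	  else if (!strcmp($3, "false"))
		data = 0;
	  else {
		free($3);
		yyerror("invalid argument for ipf_loopback");
		return 0;
	  }
	  free($3);
	  /* OPT_DONOTHING suppresses the ioctl; a failure is only reported. */
	  if (((opts & OPT_DONOTHING) == 0) &&
	      (ioctl(ipffd, SIOCIPFLP, &data) == -1))
		perror("ioctl(SIOCIPFLP)");
	}
	;

rule:	inrule eol
	| outrule eol
	;

eol:	| ';'
	;

/*
 * ruleopts is cleared as soon as the direction keyword has been read, so
 * the duplicate-option checks in inopt/outopt apply to one rule at a time.
 */
inrule:
	rulehead markin { ruleopts = 0; } inopts rulemain ruletail intag ruletail2
	;

outrule:
	rulehead markout { ruleopts = 0; } outopts rulemain ruletail outtag ruletail2
	;

rulehead:
	collection action
	| insert collection action
	;

markin:	IPFY_IN				{ fr->fr_flags |= FR_INQUE; }
	;

markout:
	IPFY_OUT			{ fr->fr_flags |= FR_OUTQUE; }
	;

rulemain:
	ipfrule
	| bpfrule
	;

ipfrule:
	tos ttl proto ip
	;

/* The quoted expression goes to dobpf() with the IP version (4 or 6). */
bpfrule:
	IPFY_BPFV4 '{' YY_STR '}' 	{ dobpf(4, $3); free($3); }
	| IPFY_BPFV6 '{' YY_STR '}' 	{ dobpf(6, $3); free($3); }
	;

ruletail:
	with keep head group
	;

ruletail2:
	pps age new
	;

intag:	settagin matchtagin
	;

outtag:	settagout matchtagout
	;

/* "@N": the number is stored, plus one, in fr_hits. */
insert:
	'@' YY_NUMBER			{ fr->fr_hits = (U_QUAD_T)$2 + 1; }
	;

collection:
	| YY_NUMBER			{ fr->fr_collect = $1; }
	;

action:	block
	| IPFY_PASS			{ fr->fr_flags |= FR_PASS; }
	| log
	| IPFY_COUNT			{ fr->fr_flags |= FR_ACCOUNT; }
	| auth
	| IPFY_SKIP YY_NUMBER		{ fr->fr_flags |= FR_SKIP;
					  fr->fr_arg = $2; }
	| IPFY_CALL func
	| IPFY_CALL IPFY_NOW func	{ fr->fr_flags |= FR_CALLNOW; }
	;

block:	blocked
	| blocked blockreturn
	;

/* Unlike the other actions, "block" assigns fr_flags instead of OR-ing. */
blocked:
	IPFY_BLOCK			{ fr->fr_flags = FR_BLOCK; }
	;
blockreturn:
	IPFY_RETICMP			{ fr->fr_flags |= FR_RETICMP; }
	| IPFY_RETICMP returncode	{ fr->fr_flags |= FR_RETICMP; }
	| IPFY_RETICMPASDST		{ fr->fr_flags |= FR_FAKEICMP; }
	| IPFY_RETICMPASDST returncode	{ fr->fr_flags |= FR_FAKEICMP; }
	| IPFY_RETRST			{ fr->fr_flags |= FR_RETRST; }
	;

log:	IPFY_LOG			{ fr->fr_flags |= FR_LOG; }
	| IPFY_LOG logoptions		{ fr->fr_flags |= FR_LOG; }
	;

auth:	IPFY_AUTH			{ fr->fr_flags |= FR_AUTH; }
	| IPFY_AUTH IPFY_RETRST		{ fr->fr_flags |= (FR_AUTH|FR_RETRST);}
	| IPFY_PREAUTH			{ fr->fr_flags |= FR_PREAUTH; }
	;

/* "name/number": the name is resolved with nametokva(). */
func:	YY_STR '/' YY_NUMBER	{ fr->fr_func = nametokva($1,
							  ipfioctl[IPL_LOGIPF]);
				  fr->fr_arg = $3;
				  free($1); }
	;

inopts:
	| inopts inopt
	;

/*
 * Options of an inbound rule. A repeated option is reported through
 * yyerror(); its OPTION_* bit is set in ruleopts either way.
 */
inopt:
	logopt
	{
		if ( ruleopts & OPTION_LOG )
			yyerror("Duplicate log option");
		ruleopts |= OPTION_LOG;
	}
	| quick
	{
		if ( ruleopts & OPTION_QUICK )
			yyerror("Duplicate quick option");
		ruleopts |= OPTION_QUICK;
	}
	| on
	{
		if ( ruleopts & OPTION_ON )
			yyerror("Duplicate on option");
		ruleopts |= OPTION_ON;
	}
	| dup
	{
		if ( ruleopts & OPTION_DUP )
			yyerror("Duplicate dup option");
		ruleopts |= OPTION_DUP;
	}
	| froute
	{
		if ( ruleopts & OPTION_FROUTE )
			yyerror("Duplicate froute option");
		ruleopts |= OPTION_FROUTE;
	}
	| proute
	{
		if ( ruleopts & OPTION_PROUTE )
			yyerror("Duplicate proute option");
		ruleopts |= OPTION_PROUTE;
	}
	| replyto
	{
		if ( ruleopts & OPTION_REPLYTO )
			yyerror("Duplicate replyto option");
		ruleopts |= OPTION_REPLYTO;
	}
	;

outopts:
	| outopts outopt
	;

/* Same checks as inopt; "froute" is not among the outbound options. */
outopt:
	logopt
	{
		if ( ruleopts & OPTION_LOG )
			yyerror("Duplicate log option");
		ruleopts |= OPTION_LOG;
	}
	| quick
	{
		if ( ruleopts & OPTION_QUICK )
			yyerror("Duplicate quick option");
		ruleopts |= OPTION_QUICK;
	}
	| on
	{
		if ( ruleopts & OPTION_ON )
			yyerror("Duplicate on option");
		ruleopts |= OPTION_ON;
	}
	| dup
	{
		if ( ruleopts & OPTION_DUP )
			yyerror("Duplicate dup option");
		ruleopts |= OPTION_DUP;
	}
	| proute
	{
		if ( ruleopts & OPTION_PROUTE )
			yyerror("Duplicate proute option");
		ruleopts |= OPTION_PROUTE;
	}
	| replyto
	{
		if ( ruleopts & OPTION_REPLYTO )
			yyerror("Duplicate replyto option");
		ruleopts |= OPTION_REPLYTO;
	}
	;

/* TOS match: a single value or a parenthesised list; the mask is 0xff. */
tos:	| settos YY_NUMBER	{ DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
	| settos YY_HEX	{ DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
	| settos lstart toslist lend
	;

settos:	IPFY_TOS	{ setipftype(); }
	;

toslist:
	YY_NUMBER	{ DOALL(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
	| YY_HEX	{ DOREM(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
	| toslist lmore YY_NUMBER
			{ DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
	| toslist lmore YY_HEX
			{ DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
	;

ttl:	| setttl YY_NUMBER
			{ DOALL(fr->fr_ttl = $2; fr->fr_mttl = 0xff;) }
	| setttl lstart ttllist lend
	;

/*
 * List handling: '(' puts the cursor back on frc and clears `added';
 * every further element takes the rule to fill in from addrule(); ')'
 * adds `added' to nrules.
 */
lstart:	'('	{ newlist = 1; fr = frc; added = 0; }
	;

lend:	')'	{ nrules += added; }
	;

lmore:	lanother	{ if (newlist == 1) {
				newlist = 0;
			  }
			  fr = addrule();
			  /* set the flag yycont points at again, if any */
			  if (yycont != NULL)
				*yycont = 1;
			}
	;

lanother:
	| ','
	;

setttl:	IPFY_TTL	{ setipftype(); }
	;

ttllist:
	YY_NUMBER	{ DOREM(fr->fr_ttl = $1; fr->fr_mttl = 0xff;) }
	| ttllist lmore YY_NUMBER
			{ DOREM(fr->fr_ttl = $3; fr->fr_mttl = 0xff;) }
	;

proto:	| protox protocol		{ yyresetdict(); }
	;

protox:	IPFY_PROTO			{ setipftype();
					  fr = frc;
					  yysetdict(NULL); }
	;

ip:	srcdst flags icmp
	;

/*
 * Group and head names are copied into every rule on the chain.
 *
 * NOTE(review): strncpy() stops at FR_GROUPLEN bytes without adding a
 * terminating NUL, so a name of that length or more is stored cut short
 * and unterminated, and nothing is reported. Confirm that every consumer
 * treats fr_group/fr_grhead as fixed-width fields, or reject over-long
 * names here.
 *
 * The numeric forms format with snprintf() under the same bound that the
 * string forms use, so the formatted number cannot be written past it.
 */
group:	| IPFY_GROUP YY_STR		{ DOALL(strncpy(fr->fr_group, $2, \
							FR_GROUPLEN); \
							fillgroup(fr););
					  free($2); }
	| IPFY_GROUP YY_NUMBER		{ DOALL(snprintf(fr->fr_group, \
							 FR_GROUPLEN, "%d", \
							 $2); \
							fillgroup(fr);) }
	;

head:	| IPFY_HEAD YY_STR		{ DOALL(strncpy(fr->fr_grhead, $2, \
							FR_GROUPLEN););
					  free($2); }
	| IPFY_HEAD YY_NUMBER		{ DOALL(snprintf(fr->fr_grhead, \
							 FR_GROUPLEN, "%d", \
							 $2);) }
	;

settagin:
	| IPFY_SETTAG '(' taginlist ')'
	;

taginlist:
	taginspec
	| taginlist ',' taginspec
	;

taginspec:
	logtag
	| nattag
	;

/*
 * NAT tag: the string form has the same strncpy() caveat as group names
 * (no terminating NUL once the value reaches IPFTAG_LEN bytes); the
 * numeric form is formatted within IPFTAG_LEN bytes.
 */
nattag:	IPFY_NAT '=' YY_STR		{ DOALL(strncpy(fr->fr_nattag.ipt_tag,\
						$3, IPFTAG_LEN););
					  free($3); }
	| IPFY_NAT '=' YY_NUMBER	{ DOALL(snprintf(fr->fr_nattag.ipt_tag,\
						IPFTAG_LEN, "%d", \
						$3 & 0xffffffff);) }
	;

logtag:	IPFY_LOG '=' YY_NUMBER		{ DOALL(fr->fr_logtag = $3;) }
	;

settagout:
	| IPFY_SETTAG '(' tagoutlist ')'
	;

tagoutlist:
	tagoutspec
	| tagoutlist ',' tagoutspec
	;

tagoutspec:
	logtag
	| nattag
	;

matchtagin:
	| IPFY_MATCHTAG '(' tagoutlist ')'
	;

matchtagout:
	| IPFY_MATCHTAG '(' taginlist ')'
	;

pps:	| IPFY_PPS YY_NUMBER		{ DOALL(fr->fr_pps = $2;) }
	;

/* A rule may be followed by a nested "{ ... }" holding further lines. */
new:	| savegroup file restoregroup
	;

savegroup:
	'{'
	;

restoregroup:
	'}'
	;

logopt:	log
	;

quick:
	IPFY_QUICK			{ fr->fr_flags |= FR_QUICK; }
	;

on:	IPFY_ON onname
	| IPFY_ON onname IPFY_INVIA vianame
	| IPFY_ON onname IPFY_OUTVIA vianame
	;

/*
 * Interface names: "on" fills fr_ifnames[0] and [1], the via forms fill
 * [2] and [3].
 *
 * NOTE(review): each copy is bounded by the size of its destination, but
 * strncpy() adds no terminating NUL once the name fills the field, and a
 * longer name is shortened without any message, so the rule would be
 * loaded with a different interface name than the one written. Confirm
 * how these fields are consumed, or reject over-long names here. The
 * same applies to the fd_ifname copies in dup, proute and replyto.
 */
onname:	interfacename
		{ strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
		  free($1);
		}
	| interfacename ',' interfacename
		{ strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
		  free($1);
		  strncpy(fr->fr_ifnames[1], $3, sizeof(fr->fr_ifnames[1]));
		  free($3);
		}
	;

vianame:
	name
		{ strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
		  free($1);
		}
	| name ',' name
		{ strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
		  free($1);
		  strncpy(fr->fr_ifnames[3], $3, sizeof(fr->fr_ifnames[3]));
		  free($3);
		}
	;

/*
 * dup-to: interface name, optionally followed by ':' and an address. A
 * hostname value is stored as IPv4 when use_inet6 is 0 and copied as
 * IPv6 otherwise; a literal YY_IPV6 is always copied as IPv6.
 */
dup:	IPFY_DUPTO name
	{ strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
	  free($2);
	}
	| IPFY_DUPTO name duptoseparator hostname
	{ strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
	  if (use_inet6 == 0)
		fr->fr_dif.fd_ip = $4.in4;
	  else
		bcopy(&$4, &fr->fr_dif.fd_ip6, sizeof(fr->fr_dif.fd_ip6));
	  yyexpectaddr = 0;
	  free($2);
	}
	| IPFY_DUPTO name duptoseparator YY_IPV6
	{ strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
	  bcopy(&$4, &fr->fr_dif.fd_ip6, sizeof(fr->fr_dif.fd_ip6));
	  yyexpectaddr = 0;
	  free($2);
	}
	;

/* ':' switches the lexer to expect an address next. */
duptoseparator:
	':'	{ yyexpectaddr = 1; yycont = &yyexpectaddr; resetaddr(); }
	;

froute:	IPFY_FROUTE			{ fr->fr_flags |= FR_FASTROUTE; }
	;

/* to / route-to: same shape as dup-to, stored in fr_tif. */
proute:	routeto name
	{ strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
	  free($2);
	}
	| routeto name duptoseparator hostname
	{ strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
	  if (use_inet6 == 0)
		fr->fr_tif.fd_ip = $4.in4;
	  else
		bcopy(&$4, &fr->fr_tif.fd_ip6, sizeof(fr->fr_tif.fd_ip6));
	  yyexpectaddr = 0;
	  free($2);
	}
	| routeto name duptoseparator YY_IPV6
	{ strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
	  bcopy(&$4, &fr->fr_tif.fd_ip6, sizeof(fr->fr_tif.fd_ip6));
	  yyexpectaddr = 0;
	  free($2);
	}
	;

routeto:
	IPFY_TO
	| IPFY_ROUTETO
	;

/* reply-to: same shape as dup-to, stored in fr_rif. */
replyto:
	IPFY_REPLY_TO name
	{ strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
	  free($2);
	}
	| IPFY_REPLY_TO name duptoseparator hostname
	{ strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
	  if (use_inet6 == 0)
		fr->fr_rif.fd_ip = $4.in4;
	  else
		bcopy(&$4, &fr->fr_rif.fd_ip6, sizeof(fr->fr_rif.fd_ip6));
	  yyexpectaddr = 0;
	  free($2);
	}
	| IPFY_REPLY_TO name duptoseparator YY_IPV6
	{ strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
	  bcopy(&$4, &fr->fr_rif.fd_ip6, sizeof(fr->fr_rif.fd_ip6));
	  yyexpectaddr = 0;
	  free($2);
	}
	;

logoptions:
	logoption
	| logoptions logoption
	;

logoption:
	IPFY_BODY			{ fr->fr_flags |= FR_LOGBODY; }
	| IPFY_FIRST			{ fr->fr_flags |= FR_LOGFIRST; }
	| IPFY_ORBLOCK			{ fr->fr_flags |= FR_LOGORBLOCK; }
	| level loglevel		{ unsetsyslog(); }
	;

/* "(code)" after a return-icmp keyword; '(' selects the ICMP code words. */
returncode:
	starticmpcode icmpcode ')'	{ fr->fr_icode = $2; yyresetdict(); }
	;

starticmpcode:
	'('				{ yysetdict(icmpcodewords); }
	;

srcdst:	| IPFY_ALL
	| fromto
	;

/*
 * Protocol by number, by name, or as "tcp-udp" / "tcp/udp".
 *
 * An unknown name is rejected before anything is stored: getproto()
 * signals it with -1, and writing that into fr_proto under a 0xff mask
 * would load a rule for a protocol number the author never wrote. The
 * strings are freed before YYERROR, which jumps out of the action.
 */
protocol:
	YY_NUMBER		{ DOREM(fr->fr_proto = $1; \
					fr->fr_mproto = 0xff;) }
	| YY_STR		{ if (!strcmp($1, "tcp-udp")) {
					DOREM(fr->fr_flx |= FI_TCPUDP; \
					      fr->fr_mflx |= FI_TCPUDP;)
				  } else {
					int p = getproto($1);
					if (p == -1) {
						free($1);
						yyerror("protocol unknown");
						YYERROR;
					}
					DOREM(fr->fr_proto = p; \
						fr->fr_mproto = 0xff;)
				  }
				  free($1);
				}
	| YY_STR nextstring YY_STR
				{ int istcpudp = !strcmp($1, "tcp") &&
				      !strcmp($3, "udp");
				  free($1);
				  free($3);
				  if (!istcpudp)
					YYERROR;
				  DOREM(fr->fr_flx |= FI_TCPUDP; \
					fr->fr_mflx |= FI_TCPUDP;)
				}
	;

nextstring:
	'/'			{ yysetdict(NULL); }
	;

/* Address parsing ends here: the lexer flag and yycont are cleared. */
fromto:	from srcobject to dstobject	{ yyexpectaddr = 0; yycont = NULL; }
	| to dstobject			{ yyexpectaddr = 0; yycont = NULL; }
	| from srcobject		{ yyexpectaddr = 0; yycont = NULL; }
	;

/*
 * "from" and "to" both switch the lexer to expect an address, select the
 * address keywords and call resetaddr(); only "from" calls setipftype().
 */
from:	IPFY_FROM			{ setipftype();
					  if (fr == NULL)
						fr = frc;
					  yyexpectaddr = 1;
					  if (yydebug)
						printf("set yyexpectaddr\n");
					  yycont = &yyexpectaddr;
					  yysetdict(addrwords);
					  resetaddr(); }
	;

to:	IPFY_TO				{ if (fr == NULL)
						fr = frc;
					  yyexpectaddr = 1;
					  if (yydebug)
						printf("set yyexpectaddr\n");
					  yycont = &yyexpectaddr;
					  yysetdict(addrwords);
					  resetaddr(); }
	;

with:	| andwith withlist
	;

andwith:
	IPFY_WITH			{ nowith = 0; setipftype(); }
	| IPFY_AND			{ nowith = 0; setipftype(); }
	;

/*
 * TCP flags as "value", "value/mask" or "/mask", each side either a flag
 * set or a number. Without a mask FR_TCPFMAX is used; without a value
 * the value is 0.
 */
flags:	| startflags flagset
		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
	| startflags flagset '/' flagset
		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
	| startflags '/' flagset
		{ DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
	| startflags YY_NUMBER
		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
	| startflags '/' YY_NUMBER
		{ DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
	| startflags YY_NUMBER '/' YY_NUMBER
		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
	| startflags flagset '/' YY_NUMBER
		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
	| startflags YY_NUMBER '/' flagset
		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
	;

startflags: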
791ab25eeb5Syz IPFY_FLAGS { if (frc->fr_type != FR_T_IPF) 792ab25eeb5Syz yyerror("flags with non-ipf type rule"); 793ab25eeb5Syz if (frc->fr_proto != IPPROTO_TCP) 794ab25eeb5Syz yyerror("flags with non-TCP rule"); 795ab25eeb5Syz } 796ab25eeb5Syz ; 797ab25eeb5Syz 7987c478bd9Sstevel@tonic-gate flagset: 7997c478bd9Sstevel@tonic-gate YY_STR { $$ = tcpflags($1); free($1); } 8007c478bd9Sstevel@tonic-gate | YY_HEX { $$ = $1; } 8017c478bd9Sstevel@tonic-gate ; 8027c478bd9Sstevel@tonic-gate 8037c478bd9Sstevel@tonic-gate srcobject: 804ab25eeb5Syz { yyresetdict(); } fromport 805ab25eeb5Syz | srcaddr srcport 8067c478bd9Sstevel@tonic-gate | '!' srcaddr srcport 8077c478bd9Sstevel@tonic-gate { DOALL(fr->fr_flags |= FR_NOTSRCIP;) } 8087c478bd9Sstevel@tonic-gate ; 8097c478bd9Sstevel@tonic-gate 8107c478bd9Sstevel@tonic-gate srcaddr: 8117c478bd9Sstevel@tonic-gate addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \ 8127c478bd9Sstevel@tonic-gate bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \ 8137c478bd9Sstevel@tonic-gate if (dynamic != -1) { \ 8147c478bd9Sstevel@tonic-gate fr->fr_satype = ifpflag; \ 8157c478bd9Sstevel@tonic-gate fr->fr_ipf->fri_sifpidx = dynamic; \ 8167c478bd9Sstevel@tonic-gate } else if (pooled || hashed) \ 8177c478bd9Sstevel@tonic-gate fr->fr_satype = FRI_LOOKUP;) 8187c478bd9Sstevel@tonic-gate } 8197c478bd9Sstevel@tonic-gate | lstart srcaddrlist lend 8207c478bd9Sstevel@tonic-gate ; 8217c478bd9Sstevel@tonic-gate 8227c478bd9Sstevel@tonic-gate srcaddrlist: 8237c478bd9Sstevel@tonic-gate addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \ 8247c478bd9Sstevel@tonic-gate bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \ 8257c478bd9Sstevel@tonic-gate if (dynamic != -1) { \ 8267c478bd9Sstevel@tonic-gate fr->fr_satype = ifpflag; \ 8277c478bd9Sstevel@tonic-gate fr->fr_ipf->fri_sifpidx = dynamic; \ 8287c478bd9Sstevel@tonic-gate } else if (pooled || hashed) \ 8297c478bd9Sstevel@tonic-gate fr->fr_satype = FRI_LOOKUP;) 8307c478bd9Sstevel@tonic-gate } 
8317c478bd9Sstevel@tonic-gate | srcaddrlist lmore addr 8327c478bd9Sstevel@tonic-gate { DOREM(bcopy(&($3.a), &fr->fr_ip.fi_src, sizeof($3.a)); \ 8337c478bd9Sstevel@tonic-gate bcopy(&($3.m), &fr->fr_mip.fi_src, sizeof($3.m)); \ 8347c478bd9Sstevel@tonic-gate if (dynamic != -1) { \ 8357c478bd9Sstevel@tonic-gate fr->fr_satype = ifpflag; \ 8367c478bd9Sstevel@tonic-gate fr->fr_ipf->fri_sifpidx = dynamic; \ 8377c478bd9Sstevel@tonic-gate } else if (pooled || hashed) \ 8387c478bd9Sstevel@tonic-gate fr->fr_satype = FRI_LOOKUP;) 8397c478bd9Sstevel@tonic-gate } 8407c478bd9Sstevel@tonic-gate ; 8417c478bd9Sstevel@tonic-gate 8427c478bd9Sstevel@tonic-gate srcport: 8437c478bd9Sstevel@tonic-gate | portcomp 8447c478bd9Sstevel@tonic-gate { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) } 8457c478bd9Sstevel@tonic-gate | portrange 8467c478bd9Sstevel@tonic-gate { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \ 8477c478bd9Sstevel@tonic-gate fr->fr_stop = $1.p2;) } 8487c478bd9Sstevel@tonic-gate | porteq lstart srcportlist lend 8497c478bd9Sstevel@tonic-gate { yyresetdict(); } 8507c478bd9Sstevel@tonic-gate ; 8517c478bd9Sstevel@tonic-gate 8527c478bd9Sstevel@tonic-gate fromport: 8537c478bd9Sstevel@tonic-gate portcomp 8547c478bd9Sstevel@tonic-gate { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) } 8557c478bd9Sstevel@tonic-gate | portrange 8567c478bd9Sstevel@tonic-gate { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \ 8577c478bd9Sstevel@tonic-gate fr->fr_stop = $1.p2;) } 8587c478bd9Sstevel@tonic-gate | porteq lstart srcportlist lend 8597c478bd9Sstevel@tonic-gate { yyresetdict(); } 8607c478bd9Sstevel@tonic-gate ; 8617c478bd9Sstevel@tonic-gate 8627c478bd9Sstevel@tonic-gate srcportlist: 8637c478bd9Sstevel@tonic-gate portnum { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $1;) } 8647c478bd9Sstevel@tonic-gate | srcportlist lmore portnum 8657c478bd9Sstevel@tonic-gate { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $3;) } 8667c478bd9Sstevel@tonic-gate ; 8677c478bd9Sstevel@tonic-gate 
/*
 * Destination half of a "from ... to ..." clause.
 * DOALL(x) runs x on every rule from frc to the end of the list; DOREM(x)
 * runs x from the current fr to the end of the list (see the macro
 * definitions at the top of the file).
 */
dstobject:
	/* port-only destination: the lexer dictionary is reset before the port */
	{ yyresetdict(); } toport
	| dstaddr dstport
	/* negated destination address: flag every rule with FR_NOTDSTIP */
	| '!' dstaddr dstport
		{ DOALL(fr->fr_flags |= FR_NOTDSTIP;) }
	;

/*
 * Single destination address, or a bracketed list of them.
 * The address and mask are copied into fr_ip.fi_dst / fr_mip.fi_dst.  When
 * the file-scope `dynamic` is not -1 the rule records ifpflag as its
 * destination address type and `dynamic` as fri_difpidx; otherwise a
 * pool/hash reference marks the rule FRI_LOOKUP.
 */
dstaddr:
	addr	{ DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
			bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \
			if (dynamic != -1) { \
				fr->fr_datype = ifpflag; \
				fr->fr_ipf->fri_difpidx = dynamic; \
			} else if (pooled || hashed) \
				fr->fr_datype = FRI_LOOKUP;)
		}
	| lstart dstaddrlist lend
	;

/*
 * Elements of a destination address list.  Both actions repeat the dstaddr
 * action; only the position of the addr value differs.
 */
dstaddrlist:
	addr	{ DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
			bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \
			if (dynamic != -1) { \
				fr->fr_datype = ifpflag; \
				fr->fr_ipf->fri_difpidx = dynamic; \
			} else if (pooled || hashed) \
				fr->fr_datype = FRI_LOOKUP;)
		}
	| dstaddrlist lmore addr
		{ DOREM(bcopy(&($3.a), &fr->fr_ip.fi_dst, sizeof($3.a)); \
			bcopy(&($3.m), &fr->fr_mip.fi_dst, sizeof($3.m)); \
			if (dynamic != -1) { \
				fr->fr_datype = ifpflag; \
				fr->fr_ipf->fri_difpidx = dynamic; \
			} else if (pooled || hashed) \
				fr->fr_datype = FRI_LOOKUP;)
		}
	;


/*
 * Optional destination port after an address.  The first alternative is
 * empty (no port clause).  A comparison stores the comparator and the port;
 * a range additionally stores the upper port in fr_dtop.
 */
dstport:
	| portcomp
		{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
	| portrange
		{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
			fr->fr_dtop = $1.p2;) }
	| porteq lstart dstportlist lend
		{ yyresetdict(); }
	;

/* Same as dstport, but mandatory: used when the destination has no address. */
toport:
	portcomp
		{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
	| portrange
		{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
			fr->fr_dtop = $1.p2;) }
	| porteq lstart dstportlist lend
		{ yyresetdict(); }
	;

/* Each port in a destination port list is stored as an FR_EQUAL match. */
dstportlist:
	portnum	{ DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $1;) }
	| dstportlist lmore portnum
		{ DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $3;) }
	;

/*
 * An address operand: a reference to a numbered pool or hash table, an
 * inline pool/hash definition (built by makepool()/makehash()), or a plain
 * address.
 * NOTE(review): the pool/hash actions assign only a.iplookuptype and
 * a.iplookupnum; the mask member is not written here, yet the callers above
 * copy it into the rule.  Confirm what the value slot holds at that point.
 */
addr:	pool '/' YY_NUMBER		{ pooled = 1;
					  yyexpectaddr = 0;
					  $$.a.iplookuptype = IPLT_POOL;
					  $$.a.iplookupnum = $3; }
	| pool '=' '(' poollist ')'	{ pooled = 1;
					  yyexpectaddr = 0;
					  $$.a.iplookuptype = IPLT_POOL;
					  $$.a.iplookupnum = makepool($4); }
	| hash '/' YY_NUMBER		{ hashed = 1;
					  yyexpectaddr = 0;
					  $$.a.iplookuptype = IPLT_HASH;
					  $$.a.iplookupnum = $3; }
	| hash '=' '(' addrlist ')'	{ hashed = 1;
					  yyexpectaddr = 0;
					  $$.a.iplookuptype = IPLT_HASH;
					  $$.a.iplookupnum = makehash($4); }
	| ipaddr			{ bcopy(&$1, &$$, sizeof($$));
					  yyexpectaddr = 0; }
	;

/*
 * A literal address with an optional mask.
 *   any               - address and mask both zeroed
 *   host              - full mask (0xffffffff for IPv4, 128 bits for IPv6)
 *   host /mask        - explicit mask; for IPv4 the address is ANDed with it
 *   IPv6 literal      - same two forms, always treated as IPv6
 * set_ipv6_addr is raised whenever an IPv6 value is stored; addrlist and
 * poollist read it to pick the address family.
 * NOTE(review): in the two masked alternatives the first action is a
 * mid-rule action, and the final action reads the address back through the
 * rule result before masking it.  Whether those are the same value slot
 * depends on the parser generator; confirm with the yacc used to build this.
 */
ipaddr:	IPFY_ANY			{ bzero(&($$), sizeof($$));
					  yyresetdict();
					  yyexpectaddr = 0; }
	| hostname			{ if (use_inet6 == 0) {
						$$.a.in4 = $1.in4;
						$$.m.in4_addr = 0xffffffff;
					  } else {
						set_ipv6_addr = 1;
						bcopy(&$1, &$$.a, sizeof($$.a));
						fill6bits(128, (u_32_t *)&$$.m);
					  }
					  yyexpectaddr = 0; }
	| hostname			{ yyresetdict();
					  if (use_inet6 == 0)
						$$.a.in4 = $1.in4;
					  else {
						set_ipv6_addr = 1;
						bcopy(&$1, &$$.a, sizeof($$.a));
					  }
					}
	maskspace			{ yysetdict(maskwords); }
	mask				{ if (use_inet6 == 0) {
						$$.m.in4_addr = $5.in4.s_addr;
						$$.a.in4_addr &= $5.in4.s_addr;
					  } else
						bcopy(&$5, &$$.m, sizeof($$.m));
					  yyresetdict();
					  yyexpectaddr = 0; }
	| YY_IPV6			{ set_ipv6_addr = 1;
					  bcopy(&$1, &$$.a, sizeof($$.a));
					  fill6bits(128, (u_32_t *)&$$.m);
					  yyresetdict();
					  yyexpectaddr = 0; }
	| YY_IPV6			{ set_ipv6_addr = 1;
					  yyresetdict();
					  bcopy(&$1, &$$.a, sizeof($$.a)); }
	maskspace			{ yysetdict(maskwords); }
	mask				{ bcopy(&$5, &$$.m, sizeof($$.m));
					  yyresetdict();
					  yyexpectaddr = 0; }
	;

/* Separator between an address and its mask: '/' or the mask keyword. */
maskspace:
	'/'
	| IPFY_MASK
	;

/*
 * Netmask operand.
 *   dotted IPv4 value - used as given
 *   hex value         - converted with htonl()
 *   number            - prefix length, accepted up to 32 (IPv4) or 128
 *                       (IPv6) and expanded by ntomask()
 *   broadcast / network / netmasked / peer
 *                     - accepted only when ifpflag is FRI_DYNAMIC; the mask
 *                       is zeroed and ifpflag is replaced by the matching
 *                       FRI_* value, otherwise the parse fails via YYERROR
 * NOTE(review): the out-of-range branch calls yyerror() and then executes
 * `return 0`, which leaves yyparse() from inside the action with the value 0.
 * If yyerror() returns to its caller (its definition is not in this part of
 * the file), the caller of yyparse() sees the usual success value for a
 * rejected netmask; the keyword alternatives use YYERROR instead.
 */
mask:
	ipv4			{ $$.in4 = $1; }
	| YY_HEX		{ $$.in4.s_addr = htonl($1); }
	| YY_NUMBER		{ if ((use_inet6 == 0) && ($1 <= 32))
					ntomask(4, $1, (u_32_t *)&$$.in4);
				  else if ((use_inet6 != 0) && ($1 <= 128))
					ntomask(6, $1, $$.i6);
				  else {
					yyerror("Bad value specified for netmask");
					return 0;
				  }
				}
	| IPFY_BROADCAST	{ if (ifpflag == FRI_DYNAMIC) {
					bzero(&$$, sizeof($$));
					ifpflag = FRI_BROADCAST;
				  } else
					YYERROR;
				}
	| IPFY_NETWORK		{ if (ifpflag == FRI_DYNAMIC) {
					bzero(&$$, sizeof($$));
					ifpflag = FRI_NETWORK;
				  } else
					YYERROR;
				}
	| IPFY_NETMASKED	{ if (ifpflag == FRI_DYNAMIC) {
					bzero(&$$, sizeof($$));
					ifpflag = FRI_NETMASKED;
				  } else
					YYERROR;
				}
	| IPFY_PEER		{ if (ifpflag == FRI_DYNAMIC) {
					bzero(&$$, sizeof($$));
					ifpflag = FRI_PEERADDR;
				  } else
					YYERROR;
				}
	;

/*
 * Host operand: dotted IPv4 value, bare number, hex value, or a name that
 * is passed to lookuphost().  The name string is freed on both paths.  A
 * failed lookup is reported unless ifpflag is FRI_DYNAMIC.
 * NOTE(review): the numeric and hex forms are stored in s_addr without a
 * byte-order conversion, while the hex form of `mask` goes through htonl();
 * confirm that this difference is intended.
 * NOTE(review): the first three alternatives write only the in4 member, and
 * the failed-lookup path assigns nothing in this action, yet ipaddr copies
 * the whole value when use_inet6 is set.  Whether lookuphost() fills the
 * result on failure is not visible here.
 */
hostname:
	ipv4		{ $$.in4 = $1; }
	| YY_NUMBER	{ $$.in4.s_addr = $1; }
	| YY_HEX	{ $$.in4.s_addr = $1; }
	| YY_STR	{ if (lookuphost($1, &$$) == 1)
				free($1);
			  else {
				free($1);
				if (ifpflag != FRI_DYNAMIC)
					yyerror("Unknown hostname");
			  }
			}
	;

/*
 * Address list for an inline hash definition.  Each element gets a node from
 * newalist() (passed NULL for the first element, the list so far otherwise),
 * its family is taken from set_ipv6_addr, which is then cleared, and the
 * address and mask are copied in.
 * NOTE(review): the node returned by newalist() is dereferenced without a
 * NULL check; newalist() is defined outside this part of the file, so
 * confirm that it cannot return NULL.
 */
addrlist:
	ipaddr	{ $$ = newalist(NULL);
		  if (set_ipv6_addr)
			$$->al_family = AF_INET6;
		  else
			$$->al_family = AF_INET;
		  set_ipv6_addr = 0;
		  bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
		  bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); }
	| addrlist ',' ipaddr
		{ $$ = newalist($1);
		  if (set_ipv6_addr)
			$$->al_family = AF_INET6;
		  else
			$$->al_family = AF_INET;
		  set_ipv6_addr = 0;
		  bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
		  bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); }
	;

/* Pool keyword: stop expecting an address and reset the lexer dictionary. */
pool:	IPFY_POOL	{ yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
	;

/* Hash keyword: same lexer reset as for the pool keyword. */
hash:	IPFY_HASH	{ yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
	;

/*
 * Address list for an inline pool definition.  Built like addrlist, with an
 * optional '!' in front of an element that sets al_not on its node.
 * NOTE(review): as in addrlist, the result of newalist() is used unchecked.
 */
poollist:
	ipaddr	{ $$ = newalist(NULL);
		  if (set_ipv6_addr)
			$$->al_family = AF_INET6;
		  else
			$$->al_family = AF_INET;
		  set_ipv6_addr = 0;
		  bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
		  bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); }
	| '!' ipaddr	{ $$ = newalist(NULL);
		  $$->al_not = 1;
		  if (set_ipv6_addr)
			$$->al_family = AF_INET6;
		  else
			$$->al_family = AF_INET;
		  set_ipv6_addr = 0;
		  bcopy(&($2.a), &($$->al_i6addr), sizeof($2.a));
		  bcopy(&($2.m), &($$->al_i6mask), sizeof($2.m)); }
	| poollist ',' ipaddr
		{ $$ = newalist($1);
		  if (set_ipv6_addr)
			$$->al_family = AF_INET6;
		  else
			$$->al_family = AF_INET;
		  set_ipv6_addr = 0;
		  bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
		  bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); }
	| poollist ',' '!' ipaddr
		{ $$ = newalist($1);
		  $$->al_not = 1;
		  if (set_ipv6_addr)
			$$->al_family = AF_INET6;
		  else
			$$->al_family = AF_INET;
		  set_ipv6_addr = 0;
		  bcopy(&($4.a), &($$->al_i6addr), sizeof($4.a));
		  bcopy(&($4.m), &($$->al_i6mask), sizeof($4.m)); }
	;

/* Port keyword: the lexer stops expecting an address. */
port:	IPFY_PORT			{ yyexpectaddr = 0;
					  yycont = NULL;
					}
	;

/* Port keyword followed by a comparison operator; yields the comparator. */
portc:	port compare			{ $$ = $2;
					  yysetdict(NULL); }
	| porteq			{ $$ = $1; }
	;

/* "port =" yields FR_EQUAL. */
porteq:	port '='			{ $$ = FR_EQUAL;
					  yysetdict(NULL); }
	;

/* Port keyword at the start of a range; also clears the lexer dictionary. */
portr:	IPFY_PORT			{ yyexpectaddr = 0;
					  yycont = NULL;
					  yysetdict(NULL); }
	;

/* Comparator plus one port number. */
portcomp:
	portc portnum			{ $$.pc = $1;
					  $$.p1 = $2;
					  yyresetdict(); }
	;

/* Two port numbers joined by a range operator. */
portrange:
	portr portnum range portnum	{ $$.p1 = $2;
					  $$.pc = $3;
					  $$.p2 = $4;
					  yyresetdict(); }
	;

/* Optional ICMP match: a type, optionally followed by a code. */
icmp:	| itype icode
	;

/*
 * ICMP type.  The type is shifted into the upper byte of fr_icmp and the
 * mask is set to htons(0xff00).  The numeric value is not range-checked in
 * these actions.
 */
itype:	seticmptype icmptype
	{ DOALL(fr->fr_icmp = htons($2 << 8); fr->fr_icmpm = htons(0xff00););
	  yyresetdict();
	}
	| seticmptype lstart typelist lend	{ yyresetdict(); }
	;

/* icmp-type keyword: select the ICMP type word list for the lexer. */
seticmptype:
	IPFY_ICMPTYPE				{ setipftype();
						  yysetdict(icmptypewords); }
	;

/*
 * Optional ICMP code.  The code is ORed into fr_icmp and htons(0xff) into
 * the mask, so it combines with a type stored by itype.
 */
icode:	| seticmpcode icmpcode
	{ DOALL(fr->fr_icmp |= htons($2); fr->fr_icmpm |= htons(0xff););
	  yyresetdict();
	}
	| seticmpcode lstart codelist lend	{ yyresetdict(); }
	;

/* code keyword: select the ICMP code word list for the lexer. */
seticmpcode:
	IPFY_ICMPCODE				{ yysetdict(icmpcodewords); }
	;

/* List form of the ICMP type; each entry is applied with DOREM. */
typelist:
	icmptype
	{ DOREM(fr->fr_icmp = htons($1 << 8); fr->fr_icmpm = htons(0xff00);) }
	| typelist lmore icmptype
	{ DOREM(fr->fr_icmp = htons($3 << 8); fr->fr_icmpm = htons(0xff00);) }
	;

/* List form of the ICMP code; each entry is applied with DOREM. */
codelist:
	icmpcode
	{ DOREM(fr->fr_icmp |= htons($1); fr->fr_icmpm |= htons(0xff);) }
	| codelist lmore icmpcode
	{ DOREM(fr->fr_icmp |= htons($3); fr->fr_icmpm |= htons(0xff);) }
	;
11897c478bd9Sstevel@tonic-gate 11907c478bd9Sstevel@tonic-gate age: | IPFY_AGE YY_NUMBER { DOALL(fr->fr_age[0] = $2; \ 11917c478bd9Sstevel@tonic-gate fr->fr_age[1] = $2;) } 11927c478bd9Sstevel@tonic-gate | IPFY_AGE YY_NUMBER '/' YY_NUMBER 11937c478bd9Sstevel@tonic-gate { DOALL(fr->fr_age[0] = $2; \ 11947c478bd9Sstevel@tonic-gate fr->fr_age[1] = $4;) } 11957c478bd9Sstevel@tonic-gate ; 11967c478bd9Sstevel@tonic-gate 11977c478bd9Sstevel@tonic-gate keep: | IPFY_KEEP keepstate 11987c478bd9Sstevel@tonic-gate | IPFY_KEEP keepfrag 11997c478bd9Sstevel@tonic-gate | IPFY_KEEP keepstate IPFY_KEEP keepfrag 1200ab25eeb5Syz | IPFY_KEEP keepfrag IPFY_KEEP keepstate 12017c478bd9Sstevel@tonic-gate ; 12027c478bd9Sstevel@tonic-gate 12037c478bd9Sstevel@tonic-gate keepstate: 12047c478bd9Sstevel@tonic-gate IPFY_STATE stateoptlist { DOALL(fr->fr_flags |= FR_KEEPSTATE;)} 12057c478bd9Sstevel@tonic-gate ; 12067c478bd9Sstevel@tonic-gate 12077c478bd9Sstevel@tonic-gate keepfrag: 12087c478bd9Sstevel@tonic-gate IPFY_FRAGS fragoptlist { DOALL(fr->fr_flags |= FR_KEEPFRAG;) } 1209ab25eeb5Syz | IPFY_FRAG fragoptlist { DOALL(fr->fr_flags |= FR_KEEPFRAG;) } 12107c478bd9Sstevel@tonic-gate ; 12117c478bd9Sstevel@tonic-gate 12127c478bd9Sstevel@tonic-gate fragoptlist: 12137c478bd9Sstevel@tonic-gate | '(' fragopts ')' 12147c478bd9Sstevel@tonic-gate ; 12157c478bd9Sstevel@tonic-gate 12167c478bd9Sstevel@tonic-gate fragopts: 12177c478bd9Sstevel@tonic-gate fragopt lanother fragopts 12187c478bd9Sstevel@tonic-gate | fragopt 12197c478bd9Sstevel@tonic-gate ; 12207c478bd9Sstevel@tonic-gate 12217c478bd9Sstevel@tonic-gate fragopt: 12227c478bd9Sstevel@tonic-gate IPFY_STRICT { DOALL(fr->fr_flags |= FR_FRSTRICT;) } 12237c478bd9Sstevel@tonic-gate ; 12247c478bd9Sstevel@tonic-gate 12257c478bd9Sstevel@tonic-gate stateoptlist: 12267c478bd9Sstevel@tonic-gate | '(' stateopts ')' 12277c478bd9Sstevel@tonic-gate ; 12287c478bd9Sstevel@tonic-gate 12297c478bd9Sstevel@tonic-gate stateopts: 12307c478bd9Sstevel@tonic-gate stateopt lanother 
stateopts 12317c478bd9Sstevel@tonic-gate | stateopt 12327c478bd9Sstevel@tonic-gate ; 12337c478bd9Sstevel@tonic-gate 12347c478bd9Sstevel@tonic-gate stateopt: 12357c478bd9Sstevel@tonic-gate IPFY_LIMIT YY_NUMBER { DOALL(fr->fr_statemax = $2;) } 12367c478bd9Sstevel@tonic-gate | IPFY_STRICT { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \ 12377c478bd9Sstevel@tonic-gate YYERROR; \ 12387c478bd9Sstevel@tonic-gate } else \ 12397c478bd9Sstevel@tonic-gate fr->fr_flags |= FR_STSTRICT;) 12407c478bd9Sstevel@tonic-gate } 12417c478bd9Sstevel@tonic-gate | IPFY_NEWISN { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \ 12427c478bd9Sstevel@tonic-gate YYERROR; \ 12437c478bd9Sstevel@tonic-gate } else \ 12447c478bd9Sstevel@tonic-gate fr->fr_flags |= FR_NEWISN;) 12457c478bd9Sstevel@tonic-gate } 12467c478bd9Sstevel@tonic-gate | IPFY_NOICMPERR { DOALL(fr->fr_flags |= FR_NOICMPERR;) } 1247ab25eeb5Syz 1248ab25eeb5Syz | IPFY_SYNC { DOALL(fr->fr_flags |= FR_STATESYNC;) } 12497c478bd9Sstevel@tonic-gate ; 12507c478bd9Sstevel@tonic-gate 12517c478bd9Sstevel@tonic-gate portnum: 1252ab25eeb5Syz servicename { if (getport(frc, $1, &($$)) == -1) 1253ab25eeb5Syz yyerror("service unknown"); 1254ab25eeb5Syz else 1255ab25eeb5Syz $$ = ntohs($$); 12567c478bd9Sstevel@tonic-gate free($1); 12577c478bd9Sstevel@tonic-gate } 1258ab25eeb5Syz | YY_NUMBER { if ($1 > 65535) /* Unsigned */ 1259ab25eeb5Syz yyerror("invalid port number"); 1260ab25eeb5Syz else 1261ab25eeb5Syz $$ = $1; 1262ab25eeb5Syz } 12637c478bd9Sstevel@tonic-gate ; 12647c478bd9Sstevel@tonic-gate 12657c478bd9Sstevel@tonic-gate withlist: 12667c478bd9Sstevel@tonic-gate withopt 12677c478bd9Sstevel@tonic-gate | withlist withopt 1268ab25eeb5Syz | withlist ',' withopt 12697c478bd9Sstevel@tonic-gate ; 12707c478bd9Sstevel@tonic-gate 12717c478bd9Sstevel@tonic-gate withopt: 12727c478bd9Sstevel@tonic-gate opttype { DOALL(fr->fr_flx |= $1; fr->fr_mflx |= $1;) } 12737c478bd9Sstevel@tonic-gate | notwith opttype 1274ab25eeb5Syz { DOALL(fr->fr_mflx |= $2;) } 1275ab25eeb5Syz | 
ipopt ipopts { yyresetdict(); } 1276ab25eeb5Syz | notwith ipopt ipopts { yyresetdict(); } 1277ab25eeb5Syz | startv6hdrs ipv6hdrs { yyresetdict(); } 1278ab25eeb5Syz ; 1279ab25eeb5Syz 1280ab25eeb5Syz ipopt: IPFY_OPT { yysetdict(ipv4optwords); } 12817c478bd9Sstevel@tonic-gate ; 12827c478bd9Sstevel@tonic-gate 12837c478bd9Sstevel@tonic-gate startv6hdrs: 12847c478bd9Sstevel@tonic-gate IPF6_V6HDRS { if (use_inet6 == 0) 12857c478bd9Sstevel@tonic-gate yyerror("only available with IPv6"); 1286ab25eeb5Syz yysetdict(ipv6optwords); 12877c478bd9Sstevel@tonic-gate } 12887c478bd9Sstevel@tonic-gate ; 12897c478bd9Sstevel@tonic-gate 12907c478bd9Sstevel@tonic-gate notwith: 12917c478bd9Sstevel@tonic-gate IPFY_NOT { nowith = 1; } 12927c478bd9Sstevel@tonic-gate | IPFY_NO { nowith = 1; } 12937c478bd9Sstevel@tonic-gate ; 12947c478bd9Sstevel@tonic-gate 12957c478bd9Sstevel@tonic-gate opttype: 12967c478bd9Sstevel@tonic-gate IPFY_IPOPTS { $$ = FI_OPTIONS; } 12977c478bd9Sstevel@tonic-gate | IPFY_SHORT { $$ = FI_SHORT; } 12987c478bd9Sstevel@tonic-gate | IPFY_NAT { $$ = FI_NATED; } 12997c478bd9Sstevel@tonic-gate | IPFY_BAD { $$ = FI_BAD; } 13007c478bd9Sstevel@tonic-gate | IPFY_BADNAT { $$ = FI_BADNAT; } 13017c478bd9Sstevel@tonic-gate | IPFY_BADSRC { $$ = FI_BADSRC; } 13027c478bd9Sstevel@tonic-gate | IPFY_LOWTTL { $$ = FI_LOWTTL; } 13037c478bd9Sstevel@tonic-gate | IPFY_FRAG { $$ = FI_FRAG; } 1304ab25eeb5Syz | IPFY_FRAGBODY { $$ = FI_FRAGBODY; } 1305ab25eeb5Syz | IPFY_FRAGS { $$ = FI_FRAG; } 13067c478bd9Sstevel@tonic-gate | IPFY_MBCAST { $$ = FI_MBCAST; } 13077c478bd9Sstevel@tonic-gate | IPFY_MULTICAST { $$ = FI_MULTICAST; } 13087c478bd9Sstevel@tonic-gate | IPFY_BROADCAST { $$ = FI_BROADCAST; } 13097c478bd9Sstevel@tonic-gate | IPFY_STATE { $$ = FI_STATE; } 13107c478bd9Sstevel@tonic-gate | IPFY_OOW { $$ = FI_OOW; } 13117c478bd9Sstevel@tonic-gate ; 13127c478bd9Sstevel@tonic-gate 13137c478bd9Sstevel@tonic-gate ipopts: optlist { DOALL(fr->fr_mip.fi_optmsk |= $1; 13147c478bd9Sstevel@tonic-gate if 
(!nowith)
				fr->fr_ip.fi_optmsk |= $1;)
			}
	;

/*
 * Comma-separated list of IPv4 option keywords; the values of all listed
 * options are OR-ed together.
 * NOTE(review): "$$ |= $1" reads $$ before this action assigns it, so it
 * relies on the generated parser pre-loading $$ with $1 - confirm for the
 * yacc in use.  The same pattern is used by ipv6hdrlist and secname.
 */
optlist:
	opt
		{ $$ |= $1; }
	| optlist ',' opt
		{ $$ |= $1 | $3; }
	;

/*
 * IPv6 extension header list: the mask is always added to the match mask
 * (fr_mip) of every rule from frc onwards, and to the match value (fr_ip)
 * only when nowith is clear.
 */
ipv6hdrs:
	ipv6hdrlist
		{ DOALL(fr->fr_mip.fi_optmsk |= $1;
			if (!nowith)
				fr->fr_ip.fi_optmsk |= $1;)
		}
	;

ipv6hdrlist:
	ipv6hdr
		{ $$ |= $1; }
	| ipv6hdrlist ',' ipv6hdr
		{ $$ |= $1 | $3; }
	;

/* Comma-separated list of security classes, OR-ed into one mask. */
secname:
	seclevel
		{ $$ |= $1; }
	| secname ',' seclevel
		{ $$ |= $1 | $3; }
	;

/* One security class keyword, converted with secbit(). */
seclevel:
	IPFY_SEC_UNC
		{ $$ = secbit(IPSO_CLASS_UNCL); }
	| IPFY_SEC_CONF
		{ $$ = secbit(IPSO_CLASS_CONF); }
	| IPFY_SEC_RSV1
		{ $$ = secbit(IPSO_CLASS_RES1); }
	| IPFY_SEC_RSV2
		{ $$ = secbit(IPSO_CLASS_RES2); }
	| IPFY_SEC_RSV3
		{ $$ = secbit(IPSO_CLASS_RES3); }
	| IPFY_SEC_RSV4
		{ $$ = secbit(IPSO_CLASS_RES4); }
	| IPFY_SEC_SEC
		{ $$ = secbit(IPSO_CLASS_SECR); }
	| IPFY_SEC_TS
		{ $$ = secbit(IPSO_CLASS_TOPS); }
	;

/*
 * ICMP type: a keyword or a bare number.
 * NOTE(review): the YY_NUMBER alternative is passed through without a range
 * check in this rule - confirm the consumer rejects values that do not fit
 * the ICMP type field.
 */
icmptype:
	YY_NUMBER
		{ $$ = $1; }
	| IPFY_ICMPT_UNR
		{ $$ = ICMP_UNREACH; }
	| IPFY_ICMPT_ECHO
		{ $$ = ICMP_ECHO; }
	| IPFY_ICMPT_ECHOR
		{ $$ = ICMP_ECHOREPLY; }
	| IPFY_ICMPT_SQUENCH
		{ $$ = ICMP_SOURCEQUENCH; }
	| IPFY_ICMPT_REDIR
		{ $$ = ICMP_REDIRECT; }
	| IPFY_ICMPT_TIMEX
		{ $$ = ICMP_TIMXCEED; }
	| IPFY_ICMPT_PARAMP
		{ $$ = ICMP_PARAMPROB; }
	| IPFY_ICMPT_TIMEST
		{ $$ = ICMP_TSTAMP; }
	| IPFY_ICMPT_TIMESTREP
		{ $$ = ICMP_TSTAMPREPLY; }
	| IPFY_ICMPT_INFOREQ
		{ $$ = ICMP_IREQ; }
	| IPFY_ICMPT_INFOREP
		{ $$ = ICMP_IREQREPLY; }
	| IPFY_ICMPT_MASKREQ
		{ $$ = ICMP_MASKREQ; }
	| IPFY_ICMPT_MASKREP
		{ $$ = ICMP_MASKREPLY; }
	| IPFY_ICMPT_ROUTERAD
		{ $$ = ICMP_ROUTERADVERT; }
	| IPFY_ICMPT_ROUTERSOL
		{ $$ = ICMP_ROUTERSOLICIT; }
	;

/*
 * ICMP code: a keyword or a bare number (again without a range check here).
 * The last two keywords use literal values rather than named constants.
 */
icmpcode:
	YY_NUMBER
		{ $$ = $1; }
	| IPFY_ICMPC_NETUNR
		{ $$ = ICMP_UNREACH_NET; }
	| IPFY_ICMPC_HSTUNR
		{ $$ = ICMP_UNREACH_HOST; }
	| IPFY_ICMPC_PROUNR
		{ $$ = ICMP_UNREACH_PROTOCOL; }
	| IPFY_ICMPC_PORUNR
		{ $$ = ICMP_UNREACH_PORT; }
	| IPFY_ICMPC_NEEDF
		{ $$ = ICMP_UNREACH_NEEDFRAG; }
	| IPFY_ICMPC_SRCFAIL
		{ $$ = ICMP_UNREACH_SRCFAIL; }
	| IPFY_ICMPC_NETUNK
		{ $$ = ICMP_UNREACH_NET_UNKNOWN; }
	| IPFY_ICMPC_HSTUNK
		{ $$ = ICMP_UNREACH_HOST_UNKNOWN; }
	| IPFY_ICMPC_ISOLATE
		{ $$ = ICMP_UNREACH_ISOLATED; }
	| IPFY_ICMPC_NETPRO
		{ $$ = ICMP_UNREACH_NET_PROHIB; }
	| IPFY_ICMPC_HSTPRO
		{ $$ = ICMP_UNREACH_HOST_PROHIB; }
	| IPFY_ICMPC_NETTOS
		{ $$ = ICMP_UNREACH_TOSNET; }
	| IPFY_ICMPC_HSTTOS
		{ $$ = ICMP_UNREACH_TOSHOST; }
	| IPFY_ICMPC_FLTPRO
		{ $$ = ICMP_UNREACH_ADMIN_PROHIBIT; }
	| IPFY_ICMPC_HSTPRE
		{ $$ = 14; }
	| IPFY_ICMPC_CUTPRE
		{ $$ = 15; }
	;

/*
 * One IPv4 option keyword, converted with getoptbyvalue(), or a
 * "sec-class" clause.  The sec-class alternative updates fi_secmsk on every
 * rule from frc onwards, yields 0 and restores the lexer dictionary that
 * setsecclass switched.
 */
opt:
	IPFY_IPOPT_NOP
		{ $$ = getoptbyvalue(IPOPT_NOP); }
	| IPFY_IPOPT_RR
		{ $$ = getoptbyvalue(IPOPT_RR); }
	| IPFY_IPOPT_ZSU
		{ $$ = getoptbyvalue(IPOPT_ZSU); }
	| IPFY_IPOPT_MTUP
		{ $$ = getoptbyvalue(IPOPT_MTUP); }
	| IPFY_IPOPT_MTUR
		{ $$ = getoptbyvalue(IPOPT_MTUR); }
	| IPFY_IPOPT_ENCODE
		{ $$ = getoptbyvalue(IPOPT_ENCODE); }
	| IPFY_IPOPT_TS
		{ $$ = getoptbyvalue(IPOPT_TS); }
	| IPFY_IPOPT_TR
		{ $$ = getoptbyvalue(IPOPT_TR); }
	| IPFY_IPOPT_SEC
		{ $$ = getoptbyvalue(IPOPT_SECURITY); }
	| IPFY_IPOPT_LSRR
		{ $$ = getoptbyvalue(IPOPT_LSRR); }
	| IPFY_IPOPT_ESEC
		{ $$ = getoptbyvalue(IPOPT_E_SEC); }
	| IPFY_IPOPT_CIPSO
		{ $$ = getoptbyvalue(IPOPT_CIPSO); }
	| IPFY_IPOPT_SATID
		{ $$ = getoptbyvalue(IPOPT_SATID); }
	| IPFY_IPOPT_SSRR
		{ $$ = getoptbyvalue(IPOPT_SSRR); }
	| IPFY_IPOPT_ADDEXT
		{ $$ = getoptbyvalue(IPOPT_ADDEXT); }
	| IPFY_IPOPT_VISA
		{ $$ = getoptbyvalue(IPOPT_VISA); }
	| IPFY_IPOPT_IMITD
		{ $$ = getoptbyvalue(IPOPT_IMITD); }
	| IPFY_IPOPT_EIP
		{ $$ = getoptbyvalue(IPOPT_EIP); }
	| IPFY_IPOPT_FINN
		{ $$ = getoptbyvalue(IPOPT_FINN); }
	| IPFY_IPOPT_DPS
		{ $$ = getoptbyvalue(IPOPT_DPS); }
	| IPFY_IPOPT_SDB
		{ $$ = getoptbyvalue(IPOPT_SDB); }
	| IPFY_IPOPT_NSAPA
		{ $$ = getoptbyvalue(IPOPT_NSAPA); }
	| IPFY_IPOPT_RTRALRT
		{ $$ = getoptbyvalue(IPOPT_RTRALRT); }
	| IPFY_IPOPT_UMP
		{ $$ = getoptbyvalue(IPOPT_UMP); }
	| setsecclass secname
		{ DOALL(fr->fr_mip.fi_secmsk |= $2;
			if (!nowith)
				fr->fr_ip.fi_secmsk |= $2;)
		  $$ = 0;
		  yyresetdict();
		}
	;

/* Switch the lexer to the security class dictionary before secname. */
setsecclass:
	IPFY_SECCLASS
		{ yysetdict(ipv4secwords); }
	;

/* One IPv6 extension header keyword, converted with getv6optbyvalue(). */
ipv6hdr:
	IPFY_AH
		{ $$ = getv6optbyvalue(IPPROTO_AH); }
	| IPFY_IPV6OPT_DSTOPTS
		{ $$ = getv6optbyvalue(IPPROTO_DSTOPTS); }
	| IPFY_ESP
		{ $$ = getv6optbyvalue(IPPROTO_ESP); }
	| IPFY_IPV6OPT_HOPOPTS
		{ $$ = getv6optbyvalue(IPPROTO_HOPOPTS); }
	| IPFY_IPV6OPT_IPV6
		{ $$ = getv6optbyvalue(IPPROTO_IPV6); }
	| IPFY_IPV6OPT_NONE
		{ $$ = getv6optbyvalue(IPPROTO_NONE); }
	| IPFY_IPV6OPT_ROUTING
		{ $$ = getv6optbyvalue(IPPROTO_ROUTING); }
	| IPFY_FRAG
		{ $$ = getv6optbyvalue(IPPROTO_FRAGMENT); }
	;

level:
	IPFY_LEVEL
		{ setsyslog(); }
	;

/*
 * Log level of the current rule: "priority" alone is combined with
 * LOG_LOCAL0, "facility.priority" combines the two given values.
 */
loglevel:
	priority
		{ fr->fr_loglevel = LOG_LOCAL0|$1; }
	| facility '.' priority
		{ fr->fr_loglevel = $1 | $3; }
	;

/*
 * Syslog facility keyword.
 * NOTE(review): the logwords table later in this file maps "console" to
 * IPFY_FAC_CONSOLE, but no alternative here accepts that token - confirm
 * whether it is handled elsewhere or is dead.
 */
facility:
	IPFY_FAC_KERN
		{ $$ = LOG_KERN; }
	| IPFY_FAC_USER
		{ $$ = LOG_USER; }
	| IPFY_FAC_MAIL
		{ $$ = LOG_MAIL; }
	| IPFY_FAC_DAEMON
		{ $$ = LOG_DAEMON; }
	| IPFY_FAC_AUTH
		{ $$ = LOG_AUTH; }
	| IPFY_FAC_SYSLOG
		{ $$ = LOG_SYSLOG; }
	| IPFY_FAC_LPR
		{ $$ = LOG_LPR; }
	| IPFY_FAC_NEWS
		{ $$ = LOG_NEWS; }
	| IPFY_FAC_UUCP
		{ $$ = LOG_UUCP; }
	| IPFY_FAC_CRON
		{ $$ = LOG_CRON; }
	| IPFY_FAC_FTP
		{ $$ = LOG_FTP; }
	| IPFY_FAC_AUTHPRIV
		{ $$ = LOG_AUTHPRIV; }
	| IPFY_FAC_AUDIT
		{ $$ = LOG_AUDIT; }
	| IPFY_FAC_LFMT
		{ $$ = LOG_LFMT; }
	| IPFY_FAC_LOCAL0
		{ $$ = LOG_LOCAL0; }
	| IPFY_FAC_LOCAL1
		{ $$ = LOG_LOCAL1; }
	| IPFY_FAC_LOCAL2
		{ $$ = LOG_LOCAL2; }
	| IPFY_FAC_LOCAL3
		{ $$ = LOG_LOCAL3; }
	| IPFY_FAC_LOCAL4
		{ $$ = LOG_LOCAL4; }
	| IPFY_FAC_LOCAL5
		{ $$ = LOG_LOCAL5; }
	| IPFY_FAC_LOCAL6
		{ $$ = LOG_LOCAL6; }
	| IPFY_FAC_LOCAL7
		{ $$ = LOG_LOCAL7; }
	| IPFY_FAC_SECURITY
		{ $$ = LOG_SECURITY; }
	;

/* Syslog priority keyword. */
priority:
	IPFY_PRI_EMERG
		{ $$ = LOG_EMERG; }
	| IPFY_PRI_ALERT
		{ $$ = LOG_ALERT; }
	| IPFY_PRI_CRIT
		{ $$ = LOG_CRIT; }
	| IPFY_PRI_ERR
		{ $$ = LOG_ERR; }
	| IPFY_PRI_WARN
		{ $$ = LOG_WARNING; }
	| IPFY_PRI_NOTICE
		{ $$ = LOG_NOTICE; }
	| IPFY_PRI_INFO
		{ $$ = LOG_INFO; }
	| IPFY_PRI_DEBUG
		{ $$ = LOG_DEBUG; }
	;

/* Comparison operator token, mapped to its FR_* constant. */
compare:
	YY_CMP_EQ
		{ $$ = FR_EQUAL; }
	| YY_CMP_NE
		{ $$ = FR_NEQUAL; }
	| YY_CMP_LT
		{ $$ = FR_LESST; }
	| YY_CMP_LE
		{ $$ = FR_LESSTE; }
	| YY_CMP_GT
		{ $$ = FR_GREATERT; }
	| YY_CMP_GE
		{ $$ = FR_GREATERTE; }
	;

/* Range operator token, mapped to its FR_* constant. */
range:
	YY_RANGE_IN
		{ $$ = FR_INRANGE; }
	| YY_RANGE_OUT
		{ $$ = FR_OUTRANGE; }
	| ':'
		{ $$ = FR_INCRANGE; }
	;

servicename:
	YY_STR
		{ $$ = $1; }
	;

/*
 * Interface name.  The "name:number" form is accepted, but only the name
 * is used and a warning is written to stderr.
 */
interfacename:
	YY_STR
		{ $$ = $1; }
	| YY_STR ':' YY_NUMBER
		{ $$ = $1;
		  fprintf(stderr, "%d: Logical interface %s:%d unsupported, "
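"use the physical interface %s instead.\n",
				yylineNum, $1, $3, $1);
		}
	;

name:	YY_STR
		{ $$ = $1; }
	;

/*
 * Dotted IPv4 address, built one octet at a time: ipv4_16 holds the first
 * two octets, ipv4_24 adds the third and ipv4 the fourth.  The value is
 * kept in network byte order (htonl) in s_addr.  Two- and three-octet forms
 * are accepted by ipv4 with the missing octets left as zero.
 *
 * The octets are widened to u_32_t before shifting: with a signed int
 * operand, "$1 << 24" overflows for any first octet of 128 or more, which
 * is undefined behaviour in C.
 *
 * NOTE(review): only the upper bound of each octet is checked here; whether
 * YY_NUMBER can carry a negative value depends on the lexer and the %union
 * type, neither of which is visible in this section.
 * NOTE(review): "return 0" inside an action leaves yyparse() with its
 * success value; it is only reached if yyerror() returns - confirm, and
 * consider YYABORT.
 */
ipv4_16:
	YY_NUMBER '.' YY_NUMBER
		{ if ($1 > 255 || $3 > 255) {
			yyerror("Invalid octet string for IP address");
			return 0;
		  }
		  $$.s_addr = ((u_32_t)$1 << 24) | ((u_32_t)$3 << 16);
		  $$.s_addr = htonl($$.s_addr);
		}
	;

ipv4_24:
	ipv4_16 '.' YY_NUMBER
		{ if ($3 > 255) {
			yyerror("Invalid octet string for IP address");
			return 0;
		  }
		  $$.s_addr |= htonl((u_32_t)$3 << 8);
		}
	;

ipv4:	ipv4_24 '.' YY_NUMBER
		{ if ($3 > 255) {
			yyerror("Invalid octet string for IP address");
			return 0;
		  }
		  $$.s_addr |= htonl((u_32_t)$3);
		}
	| ipv4_24
	| ipv4_16
	;

%%


/*
 * Main keyword table: maps each rule-language word to its parser token.
 * It is installed with yysettab() by ipf_parsefile().  The array is
 * terminated by a { NULL, 0 } entry.
 */
static	struct	wordtab ipfwords[96] = {
	{ "age",			IPFY_AGE },
	{ "ah",				IPFY_AH },
	{ "all",			IPFY_ALL },
	{ "and",			IPFY_AND },
	{ "auth",			IPFY_AUTH },
	{ "bad",			IPFY_BAD },
	{ "bad-nat",			IPFY_BADNAT },
	{ "bad-src",			IPFY_BADSRC },
	{ "bcast",			IPFY_BROADCAST },
	{ "block",			IPFY_BLOCK },
	{ "body",			IPFY_BODY },
	{ "bpf-v4",			IPFY_BPFV4 },
#ifdef USE_INET6
	{ "bpf-v6",			IPFY_BPFV6 },
#endif
	{ "call",			IPFY_CALL },
	{ "code",			IPFY_ICMPCODE },
	{ "count",			IPFY_COUNT },
	{ "dup-to",			IPFY_DUPTO },
	{ "eq",				YY_CMP_EQ },
	{ "esp",			IPFY_ESP },
	{ "fastroute",			IPFY_FROUTE },
	{ "first",			IPFY_FIRST },
	{ "flags",			IPFY_FLAGS },
	{ "frag",			IPFY_FRAG },
	{ "frag-body",			IPFY_FRAGBODY },
	{ "frags",			IPFY_FRAGS },
	{ "from",			IPFY_FROM },
	{ "ge",				YY_CMP_GE },
	{ "group",			IPFY_GROUP },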
{ "gt",				YY_CMP_GT },
	{ "head",			IPFY_HEAD },
	{ "icmp",			IPFY_ICMP },
	{ "icmp-type",			IPFY_ICMPTYPE },
	{ "in",				IPFY_IN },
	{ "in-via",			IPFY_INVIA },
	{ "intercept_loopback",		IPFY_SET_LOOPBACK },
	{ "ipopt",			IPFY_IPOPTS },
	{ "ipopts",			IPFY_IPOPTS },
	{ "keep",			IPFY_KEEP },
	{ "le",				YY_CMP_LE },
	{ "level",			IPFY_LEVEL },
	{ "limit",			IPFY_LIMIT },
	{ "log",			IPFY_LOG },
	{ "lowttl",			IPFY_LOWTTL },
	{ "lt",				YY_CMP_LT },
	{ "mask",			IPFY_MASK },
	{ "match-tag",			IPFY_MATCHTAG },
	{ "mbcast",			IPFY_MBCAST },
	{ "mcast",			IPFY_MULTICAST },
	{ "multicast",			IPFY_MULTICAST },
	{ "nat",			IPFY_NAT },
	{ "ne",				YY_CMP_NE },
	{ "net",			IPFY_NETWORK },
	{ "newisn",			IPFY_NEWISN },
	{ "no",				IPFY_NO },
	{ "no-icmp-err",		IPFY_NOICMPERR },
	{ "now",			IPFY_NOW },
	{ "not",			IPFY_NOT },
	{ "oow",			IPFY_OOW },
	{ "on",				IPFY_ON },
	{ "opt",			IPFY_OPT },
	{ "or-block",			IPFY_ORBLOCK },
	{ "out",			IPFY_OUT },
	{ "out-via",			IPFY_OUTVIA },
	{ "pass",			IPFY_PASS },
	{ "port",			IPFY_PORT },
	{ "pps",			IPFY_PPS },
	{ "preauth",			IPFY_PREAUTH },
	{ "proto",			IPFY_PROTO },
	{ "quick",			IPFY_QUICK },
	{ "reply-to",			IPFY_REPLY_TO },
	{ "return-icmp",		IPFY_RETICMP },
	{ "return-icmp-as-dest",	IPFY_RETICMPASDST },
	{ "return-rst",			IPFY_RETRST },
	{ "route-to",			IPFY_ROUTETO },
	{ "sec-class",			IPFY_SECCLASS },
	{ "set-tag",			IPFY_SETTAG },
	{ "set",			IPFY_SET },
	{ "skip",			IPFY_SKIP },
	{ "short",			IPFY_SHORT },
	{ "state",			IPFY_STATE },
	{ "state-age",			IPFY_AGE },
	{ "strict",			IPFY_STRICT },
	{ "sync",			IPFY_SYNC },
	{ "tcp",			IPFY_TCP },
	{ "tcp-udp",			IPFY_TCPUDP },
	{ "tos",			IPFY_TOS },
	{ "to",				IPFY_TO },
	{ "ttl",			IPFY_TTL },
	{ "udp",			IPFY_UDP },
	{ "v6hdrs",			IPF6_V6HDRS },
	{ "with",			IPFY_WITH },
	{ NULL,				0 }
};

/*
 * The tables below map context-specific words to parser tokens; each is
 * terminated by a { NULL, 0 } entry.  ipv4secwords is installed by the
 * setsecclass grammar rule through yysetdict(); presumably the others are
 * installed the same way by rules outside this section.
 */

/* Address keywords. */
static	struct	wordtab addrwords[4] = {
	{ "any",	IPFY_ANY },
	{ "hash",	IPFY_HASH },
	{ "pool",	IPFY_POOL },
	{ NULL,		0 }
};

/* Netmask keywords. */
static	struct	wordtab maskwords[5] = {
	{ "broadcast",	IPFY_BROADCAST },
	{ "netmasked",	IPFY_NETMASKED },
	{ "network",	IPFY_NETWORK },
	{ "peer",	IPFY_PEER },
	{ NULL,		0 }
};

/* ICMP type names accepted by the icmptype rule. */
static	struct	wordtab icmptypewords[16] = {
	{ "echo",	IPFY_ICMPT_ECHO },
	{ "echorep",	IPFY_ICMPT_ECHOR },
	{ "inforeq",	IPFY_ICMPT_INFOREQ },
	{ "inforep",	IPFY_ICMPT_INFOREP },
	{ "maskrep",	IPFY_ICMPT_MASKREP },
	{ "maskreq",	IPFY_ICMPT_MASKREQ },
	{ "paramprob",	IPFY_ICMPT_PARAMP },
	{ "redir",	IPFY_ICMPT_REDIR },
	{ "unreach",	IPFY_ICMPT_UNR },
	{ "routerad",	IPFY_ICMPT_ROUTERAD },
	{ "routersol",	IPFY_ICMPT_ROUTERSOL },
	{ "squench",	IPFY_ICMPT_SQUENCH },
	{ "timest",	IPFY_ICMPT_TIMEST },
	{ "timestrep",	IPFY_ICMPT_TIMESTREP },
	{ "timex",	IPFY_ICMPT_TIMEX },
	{ NULL,		0 },
};

/* ICMP code names accepted by the icmpcode rule. */
static	struct	wordtab icmpcodewords[17] = {
	{ "cutoff-preced",	IPFY_ICMPC_CUTPRE },
	{ "filter-prohib",	IPFY_ICMPC_FLTPRO },
	{ "isolate",		IPFY_ICMPC_ISOLATE },
	{ "needfrag",		IPFY_ICMPC_NEEDF },
	{ "net-prohib",		IPFY_ICMPC_NETPRO },
	{ "net-tos",		IPFY_ICMPC_NETTOS },
	{ "host-preced",	IPFY_ICMPC_HSTPRE },
	{ "host-prohib",	IPFY_ICMPC_HSTPRO },
	{ "host-tos",		IPFY_ICMPC_HSTTOS },
	{ "host-unk",		IPFY_ICMPC_HSTUNK },
	{ "host-unr",		IPFY_ICMPC_HSTUNR },
	{ "net-unk",		IPFY_ICMPC_NETUNK },
	{ "net-unr",		IPFY_ICMPC_NETUNR },
	{ "port-unr",		IPFY_ICMPC_PORUNR },
	{ "proto-unr",		IPFY_ICMPC_PROUNR },
	{ "srcfail",		IPFY_ICMPC_SRCFAIL },
	{ NULL,			0 },
};

/* IPv4 option names accepted by the opt rule. */
static	struct	wordtab ipv4optwords[25] = {
	{ "addext",	IPFY_IPOPT_ADDEXT },
	{ "cipso",	IPFY_IPOPT_CIPSO },
	{ "dps",	IPFY_IPOPT_DPS },
	{ "e-sec",	IPFY_IPOPT_ESEC },
	{ "eip",	IPFY_IPOPT_EIP },
	{ "encode",	IPFY_IPOPT_ENCODE },
	{ "finn",	IPFY_IPOPT_FINN },
	{ "imitd",	IPFY_IPOPT_IMITD },
	{ "lsrr",	IPFY_IPOPT_LSRR },
	{ "mtup",	IPFY_IPOPT_MTUP },
	{ "mtur",	IPFY_IPOPT_MTUR },
	{ "nop",	IPFY_IPOPT_NOP },
	{ "nsapa",	IPFY_IPOPT_NSAPA },
	{ "rr",		IPFY_IPOPT_RR },
	{ "rtralrt",	IPFY_IPOPT_RTRALRT },
	{ "satid",	IPFY_IPOPT_SATID },
	{ "sdb",	IPFY_IPOPT_SDB },
	{ "sec",	IPFY_IPOPT_SEC },
	{ "ssrr",	IPFY_IPOPT_SSRR },
	{ "tr",		IPFY_IPOPT_TR },
	{ "ts",		IPFY_IPOPT_TS },
	{ "ump",	IPFY_IPOPT_UMP },
	{ "visa",	IPFY_IPOPT_VISA },
	{ "zsu",	IPFY_IPOPT_ZSU },
	{ NULL,		0 },
};

/* Security class names accepted by the seclevel rule. */
static	struct	wordtab ipv4secwords[9] = {
	{ "confid",	IPFY_SEC_CONF },
	{ "reserv-1",	IPFY_SEC_RSV1 },
	{ "reserv-2",	IPFY_SEC_RSV2 },
	{ "reserv-3",	IPFY_SEC_RSV3 },
	{ "reserv-4",	IPFY_SEC_RSV4 },
	{ "secret",	IPFY_SEC_SEC },
	{ "topsecret",	IPFY_SEC_TS },
	{ "unclass",	IPFY_SEC_UNC },
	{ NULL,		0 },
};

/* IPv6 extension header names accepted by the ipv6hdr rule. */
static	struct	wordtab ipv6optwords[8] = {
	{ "dstopts",	IPFY_IPV6OPT_DSTOPTS },
	{ "esp",	IPFY_ESP },
	{ "frag",	IPFY_FRAG },
	{ "hopopts",	IPFY_IPV6OPT_HOPOPTS },
	{ "ipv6",	IPFY_IPV6OPT_IPV6 },
	{ "none",	IPFY_IPV6OPT_NONE },
	{ "routing",	IPFY_IPV6OPT_ROUTING },
	{ NULL,		0 },
};

/* Syslog facility and priority names. */
static	struct	wordtab logwords[33] = {
	{ "kern",	IPFY_FAC_KERN },
	{ "user",	IPFY_FAC_USER },
	{ "mail",	IPFY_FAC_MAIL },
	{ "daemon",	IPFY_FAC_DAEMON },
	{ "auth",	IPFY_FAC_AUTH },
	{ "syslog",	IPFY_FAC_SYSLOG },
	{ "lpr",	IPFY_FAC_LPR },
	{ "news",	IPFY_FAC_NEWS },
	{ "uucp",	IPFY_FAC_UUCP },
	{ "cron",	IPFY_FAC_CRON },
	{ "ftp",	IPFY_FAC_FTP },
	{ "authpriv",	IPFY_FAC_AUTHPRIV },
	{ "audit",	IPFY_FAC_AUDIT },
	{ "logalert",	IPFY_FAC_LFMT },
	{ "console",	IPFY_FAC_CONSOLE },
	{ "security",	IPFY_FAC_SECURITY },
	{ "local0",	IPFY_FAC_LOCAL0 },
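{ "local1",	IPFY_FAC_LOCAL1 },
	{ "local2",	IPFY_FAC_LOCAL2 },
	{ "local3",	IPFY_FAC_LOCAL3 },
	{ "local4",	IPFY_FAC_LOCAL4 },
	{ "local5",	IPFY_FAC_LOCAL5 },
	{ "local6",	IPFY_FAC_LOCAL6 },
	{ "local7",	IPFY_FAC_LOCAL7 },
	{ "emerg",	IPFY_PRI_EMERG },
	{ "alert",	IPFY_PRI_ALERT },
	{ "crit",	IPFY_PRI_CRIT },
	{ "err",	IPFY_PRI_ERR },
	{ "warn",	IPFY_PRI_WARN },
	{ "notice",	IPFY_PRI_NOTICE },
	{ "info",	IPFY_PRI_INFO },
	{ "debug",	IPFY_PRI_DEBUG },
	{ NULL,		0 },
};


/*
 * Report an allocation failure and terminate.
 *
 * yyerror() is defined outside this section.  The explicit exit() makes
 * sure that, even if yyerror() returns, no caller goes on to dereference
 * the NULL pointer it has just detected.
 */
static void ipf_y_nomem()
{
	yyerror("sorry, out of memory");
	exit(1);
}


/*
 * Parse all rules in a file.
 *
 * fd, addfunc and iocfuncs are handed unchanged to ipf_parsesome();
 * filename is the rule file to read, or "-" for stdin.
 *
 * Returns -1 if the file cannot be opened, otherwise 0.  The result of
 * parsing itself is not reflected in the return value.
 *
 * NOTE(review): filename is opened exactly as given, with the privileges of
 * the calling process; no ownership or permission check on the rule file is
 * visible here - confirm the caller's expectations.
 */
int ipf_parsefile(fd, addfunc, iocfuncs, filename)
int fd;
addfunc_t addfunc;
ioctlfunc_t *iocfuncs;
char *filename;
{
	FILE *fp = NULL;
	char *s;

	yylineNum = 1;
	yysettab(ipfwords);

	/* Parser tracing is controlled by the YYDEBUG environment variable. */
	s = getenv("YYDEBUG");
	if (s != NULL)
		yydebug = atoi(s);
	else
		yydebug = 0;

	if (strcmp(filename, "-")) {
		fp = fopen(filename, "r");
		if (fp == NULL) {
			fprintf(stderr, "fopen(%s) failed: %s\n", filename,
				STRERROR(errno));
			return -1;
		}
	} else
		fp = stdin;

	while (ipf_parsesome(fd, addfunc, iocfuncs, fp) == 1)
		;
	/*
	 * Close only the stream opened above.  stdin belongs to the caller,
	 * and closing it would leave a later "-" argument reading from a
	 * closed stream.
	 */
	if (fp != stdin)
		fclose(fp);
	return 0;
}


/*
 * Run the parser once on an open stream.
 *
 * Stores fd, addfunc and the iocfuncs table in file-scope state for the
 * grammar actions, then calls yyparse() unless the stream is exhausted.
 *
 * Returns 1 after yyparse() has been called (its own result is ignored),
 * 0 when there is nothing left to read.
 */
int ipf_parsesome(fd, addfunc, iocfuncs, fp)
int fd;
addfunc_t addfunc;
ioctlfunc_t *iocfuncs;
FILE *fp;
{
	char *s;
	int i;

	ipffd = fd;
	/*
	 * NOTE(review): ipfioctl has IPL_LOGSIZE slots and IPL_LOGMAX + 1
	 * entries are copied; this assumes IPL_LOGSIZE > IPL_LOGMAX and that
	 * iocfuncs is at least that long - confirm against the headers.
	 */
	for (i = 0; i <= IPL_LOGMAX; i++)
		ipfioctl[i] = iocfuncs[i];
	ipfaddfunc = addfunc;

	/* Peek one character so that end of input is detected up front. */
	if (feof(fp))
		return 0;
	i = fgetc(fp);
	if (i == EOF)
		return 0;
	/*
	 * ungetc() returns the pushed-back character on success and EOF on
	 * failure.  Comparing against 0 missed the failure case and instead
	 * stopped parsing whenever the next input byte was NUL.
	 */
	if (ungetc(i, fp) == EOF)
		return 0;
	if (feof(fp))
		return 0;

	s = getenv("YYDEBUG");
	if (s != NULL)
		yydebug = atoi(s);
	else
		yydebug = 0;

	yyin = fp;
	yyparse();
	return 1;
}


/*
 * Allocate a zeroed rule, append it to the list headed by frtop and make it
 * the current rule (fr) and the start of the current rule set (frc).
 */
static void newrule()
{
	frentry_t *frn;

	frn = (frentry_t *)calloc(1, sizeof(frentry_t));
	if (frn == NULL)
		ipf_y_nomem();
	/* Walk to the last rule of the existing list, if there is one. */
	for (fr = frtop; fr != NULL && fr->fr_next != NULL; fr = fr->fr_next)
		;
	if (fr != NULL)
		fr->fr_next = frn;
	if (frtop == NULL)
		frtop = frn;
	fr = frn;
	frc = frn;
	fr->fr_loglevel = 0xffff;
	fr->fr_isc = (void *)-1;
	fr->fr_logtag = FR_NOLOGTAG;
	fr->fr_type = FR_T_NONE;
	if (use_inet6 != 0)
		fr->fr_v = 6;
	else
		fr->fr_v = 4;

	nrules = 1;
}


/*
 * Give every rule from frc onwards that has no type yet the FR_T_IPF type
 * and a zeroed fripf_t as its data.  A rule that ends up with any other
 * type only produces a warning on stderr.
 */
static void setipftype()
{
	for (fr = frc; fr != NULL; fr = fr->fr_next) {
		if (fr->fr_type == FR_T_NONE) {
			fr->fr_type = FR_T_IPF;
			fr->fr_data = (void *)calloc(sizeof(fripf_t), 1);
			if (fr->fr_data == NULL)
				ipf_y_nomem();
			fr->fr_dsize = sizeof(fripf_t);
			fr->fr_ip.fi_v = frc->fr_v;
			fr->fr_mip.fi_v = 0xf;
			fr->fr_ipf->fri_sifpidx = -1;
			fr->fr_ipf->fri_difpidx = -1;
		}
		if (fr->fr_type != FR_T_IPF) {
			fprintf(stderr, "IPF Type not set\n");
		}
	}
}


/*
 * Append copies of existing rules to the end of the list that starts at
 * frc and return the first new entry.
 *
 * With nrules == 0 a single copy of the last rule is appended; otherwise
 * the first nrules rules, starting at frc, are each copied once.  A copy is
 * a plain structure copy, except that a non-NULL fr_caddr is duplicated
 * (fr_dsize bytes) so the copies do not share rule data.
 *
 * NOTE(review): frc is dereferenced without a NULL check; callers are
 * presumably expected to have called newrule() first.
 */
static frentry_t *addrule()
{
	frentry_t *f, *f1, *f2;
	int count;

	/* f2 = last rule of the current list. */
	for (f2 = frc; f2->fr_next != NULL; f2 = f2->fr_next)
		;

	count = nrules;
	if (count == 0) {
		f = (frentry_t *)calloc(sizeof(*f), 1);
		if (f == NULL)
			ipf_y_nomem();
		added++;
		f2->fr_next = f;
		bcopy(f2, f, sizeof(*f));
		if (f2->fr_caddr != NULL) {
			f->fr_caddr = malloc(f->fr_dsize);
			if (f->fr_caddr == NULL)
				ipf_y_nomem();
			bcopy(f2->fr_caddr, f->fr_caddr, f->fr_dsize);
		}
		/* The structure copy also copied f2's link to f itself. */
		f->fr_next = NULL;
		return f;
	}
	f = f2;
	for (f1 = frc; count > 0; count--, f1 = f1->fr_next) {
		f->fr_next = (frentry_t *)calloc(sizeof(*f), 1);
		if (f->fr_next == NULL)
			ipf_y_nomem();
		added++;
		f = f->fr_next;
		bcopy(f1, f, sizeof(*f));
		f->fr_next = NULL;
		if (f->fr_caddr != NULL) {
			f->fr_caddr = malloc(f->fr_dsize);
			if (f->fr_caddr == NULL)
				ipf_y_nomem();
			bcopy(f1->fr_caddr, f->fr_caddr, f->fr_dsize);
		}
	}

	return f2->fr_next;
}


/*
 * Resolve a name used in an address position.
 *
 * If name equals one of the four interface names of the current rule set,
 * the address is marked dynamic (ifpflag, dynamic) and 0 is returned
 * without touching addr.  Otherwise the name is resolved with gethost()
 * into addr.
 *
 * Returns 1 when gethost() succeeded, 0 for a dynamic match or a failed
 * lookup; callers can tell the two apart through the "dynamic" variable.
 */
static u_32_t lookuphost(name, addr)
char *name;
i6addr_t *addr;
{
	int i;

	resetaddr();

	for (i = 0; i < 4; i++) {
		if (strncmp(name, frc->fr_ifnames[i],
			    sizeof(frc->fr_ifnames[i])) == 0) {
			ifpflag = FRI_DYNAMIC;
			dynamic = i;
			return 0;
		}
	}

	if (gethost(name, addr, use_inet6) == -1) {
		fprintf(stderr, "unknown name \"%s\"\n", name);
		return 0;
	}
	return 1;
}


/*
 * Attach a BPF program to the current rule set.
 *
 * v is stored as the rule's IP version and phrase is the quoted text from
 * the rule.  A phrase that starts with a quote followed by '0' is read as a
 * whitespace-separated list of numbers, four per instruction (fb_c, fb_t,
 * fb_f, fb_k); strtok() modifies phrase in place.  Any other phrase is
 * compiled with pcap_compile() when IPFILTER_BPF is defined; without it the
 * function prints an error and exits.
 *
 * NOTE(review): the test below compares only the first two characters, so
 * the 'x' of "0x" is not actually required - confirm the intent.
 * NOTE(review): on the numeric path the words are stored as given; tokens
 * are not checked for being well-formed numbers and bpf_validate() is only
 * applied on the pcap_compile() path.  Presumably the consumer of fr_data
 * validates the program before it is used - confirm.
 */
static void dobpf(v, phrase)
int v;
char *phrase;
{
#ifdef IPFILTER_BPF
	struct bpf_program bpf;
	struct pcap *p;
#endif
	fakebpf_t *fb, *nfb;
	u_32_t l;
	char *s;
	int i;

	for (fr = frc; fr != NULL; fr = fr->fr_next) {
		if (fr->fr_type != FR_T_NONE) {
			fprintf(stderr, "cannot mix IPF and BPF matching\n");
			return;
		}
		fr->fr_v = v;
		fr->fr_type = FR_T_BPFOPC;

		if (!strncmp(phrase, "\"0x", 2)) {
			phrase++;
			fb = malloc(sizeof(fakebpf_t));
			if (fb == NULL)
				ipf_y_nomem();

			for (i = 0, s = strtok(phrase, " \r\n\t"); s != NULL;
			     s = strtok(NULL, " \r\n\t"), i++) {
				/* One fakebpf_t per group of four words. */
				nfb = realloc(fb, (i / 4 + 1) * sizeof(*fb));
				if (nfb == NULL)
					ipf_y_nomem();
				fb = nfb;
				/*
				 * strtoul() rather than strtol(): where long
				 * is 32 bits, strtol() clamps words above
				 * 0x7fffffff, corrupting fb_k operands.
				 */
				l = (u_32_t)strtoul(s, NULL, 0);
				switch (i & 3)
				{
				case 0 :
					fb[i / 4].fb_c = l & 0xffff;
					break;
				case 1 :
					fb[i / 4].fb_t = l & 0xff;
					break;
				case 2 :
					fb[i / 4].fb_f = l & 0xff;
					break;
				case 3 :
					fb[i / 4].fb_k = l;
					break;
				}
			}
			/* A trailing partial instruction is a fatal error. */
			if ((i & 3) != 0) {
				fprintf(stderr,
					"Odd number of bytes in BPF code\n");
				exit(1);
			}
			i--;
			fr->fr_dsize = (i / 4 + 1) * sizeof(*fb);
			fr->fr_data = fb;
			/* Only the first rule of the set receives the data. */
			return;
		}

#ifdef IPFILTER_BPF
		bzero((char *)&bpf, sizeof(bpf));
		p = pcap_open_dead(DLT_RAW, 1);
		if (!p) {
			fprintf(stderr, "pcap_open_dead failed\n");
			return;
		}

		if (pcap_compile(p, &bpf, phrase, 1, 0xffffffff)) {
			pcap_perror(p, "ipf");
			pcap_close(p);
			fprintf(stderr, "pcap parsing failed (%s)\n", phrase);
			return;
		}
		pcap_close(p);

		fr->fr_dsize = bpf.bf_len * sizeof(struct bpf_insn);
		fr->fr_data = malloc(fr->fr_dsize);
		if (fr->fr_data == NULL)
			ipf_y_nomem();
		bcopy((char *)bpf.bf_insns, fr->fr_data, fr->fr_dsize);
		/*
		 * NOTE(review): when validation fails the rule keeps the
		 * rejected program in fr_data and its FR_T_BPFOPC type; only
		 * a message is printed.  Confirm the rule cannot be loaded
		 * afterwards.
		 */
		if (!bpf_validate(fr->fr_data, bpf.bf_len)) {
			fprintf(stderr, "BPF validation failed\n");
			return;
		}
#endif
	}

#ifdef IPFILTER_BPF
	if (opts & OPT_DEBUG)
		bpf_dump(&bpf, 0);
#else
	fprintf(stderr, "BPF filter expressions not supported\n");
	exit(1);
#endif
}


/* Clear the per-address parser state (hash, pool and dynamic markers). */
static void resetaddr()
{
	hashed = 0;
	pooled = 0;
	dynamic = -1;
}


/*
 * Allocate an address list entry and link it in front of ptr.
 *
 * Returns the new entry, or NULL when memory is exhausted.  The entry is
 * zero-filled so that fields the caller has not set yet never hold stale
 * heap contents.
 */
static alist_t *newalist(ptr)
alist_t *ptr;
{
	alist_t *al;

	al = calloc(1, sizeof(*al));
	if (al == NULL)
		return NULL;
	al->al_not = 0;
	al->al_next = ptr;
	return al;
}


static int makepool(list)
alist_t *list;
{
	ip_pool_node_t *n, *top;
	ip_pool_t pool;
	alist_t *a;
	int num;

	if (list == NULL)
		return 0;
	top = calloc(1, sizeof(*top));
	if (top == NULL)
		return 0;

	for (n = top, a = list; (n != NULL) && (a !=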
NULL); a = a->al_next) { 21197663b816Sml n->ipn_addr.adf_family = a->al_family; 21207663b816Sml n->ipn_mask.adf_family = a->al_family; 21217663b816Sml (void *)bcopy((void *)&a->al_i6addr, 21227663b816Sml (void *)&n->ipn_addr.adf_addr, 21237663b816Sml sizeof(n->ipn_addr.adf_addr)); 21247663b816Sml (void *)bcopy((void *)&a->al_i6mask, 21257663b816Sml (void *)&n->ipn_mask.adf_addr, 21267663b816Sml sizeof(n->ipn_mask.adf_addr)); 21277c478bd9Sstevel@tonic-gate n->ipn_info = a->al_not; 21287c478bd9Sstevel@tonic-gate if (a->al_next != NULL) { 21297c478bd9Sstevel@tonic-gate n->ipn_next = calloc(1, sizeof(*n)); 21305e985db5Sschuster if (n->ipn_next == NULL) 21315e985db5Sschuster yyerror("sorry, out of memory"); 21327c478bd9Sstevel@tonic-gate n = n->ipn_next; 21337c478bd9Sstevel@tonic-gate } 21347c478bd9Sstevel@tonic-gate } 21357c478bd9Sstevel@tonic-gate 21367c478bd9Sstevel@tonic-gate bzero((char *)&pool, sizeof(pool)); 21377c478bd9Sstevel@tonic-gate pool.ipo_unit = IPL_LOGIPF; 21387c478bd9Sstevel@tonic-gate pool.ipo_list = top; 21397c478bd9Sstevel@tonic-gate num = load_pool(&pool, ipfioctl[IPL_LOGLOOKUP]); 21407c478bd9Sstevel@tonic-gate 21417c478bd9Sstevel@tonic-gate while ((n = top) != NULL) { 21427c478bd9Sstevel@tonic-gate top = n->ipn_next; 21437c478bd9Sstevel@tonic-gate free(n); 21447c478bd9Sstevel@tonic-gate } 21457c478bd9Sstevel@tonic-gate return num; 21467c478bd9Sstevel@tonic-gate } 21477c478bd9Sstevel@tonic-gate 21487c478bd9Sstevel@tonic-gate 21497c478bd9Sstevel@tonic-gate static u_int makehash(list) 21507c478bd9Sstevel@tonic-gate alist_t *list; 21517c478bd9Sstevel@tonic-gate { 21527c478bd9Sstevel@tonic-gate iphtent_t *n, *top; 21537c478bd9Sstevel@tonic-gate iphtable_t iph; 21547c478bd9Sstevel@tonic-gate alist_t *a; 21557c478bd9Sstevel@tonic-gate int num; 21567c478bd9Sstevel@tonic-gate 21577c478bd9Sstevel@tonic-gate if (list == NULL) 21587c478bd9Sstevel@tonic-gate return 0; 21597c478bd9Sstevel@tonic-gate top = calloc(1, sizeof(*top)); 21607c478bd9Sstevel@tonic-gate 
if (top == NULL) 21617c478bd9Sstevel@tonic-gate return 0; 21627c478bd9Sstevel@tonic-gate 21637c478bd9Sstevel@tonic-gate for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) { 21647663b816Sml n->ipe_family = a->al_family; 21657663b816Sml (void *)bcopy((void *)&a->al_i6addr, 21667663b816Sml (void *)&n->ipe_addr, 21677663b816Sml sizeof(n->ipe_addr)); 21687663b816Sml (void *)bcopy((void *)&a->al_i6mask, 21697663b816Sml (void *)&n->ipe_mask, 21707663b816Sml sizeof(n->ipe_mask)); 21717c478bd9Sstevel@tonic-gate n->ipe_value = 0; 21727c478bd9Sstevel@tonic-gate if (a->al_next != NULL) { 21737c478bd9Sstevel@tonic-gate n->ipe_next = calloc(1, sizeof(*n)); 21745e985db5Sschuster if (n->ipe_next == NULL) 21755e985db5Sschuster yyerror("sorry, out of memory"); 21767c478bd9Sstevel@tonic-gate n = n->ipe_next; 21777c478bd9Sstevel@tonic-gate } 21787c478bd9Sstevel@tonic-gate } 21797c478bd9Sstevel@tonic-gate 21807c478bd9Sstevel@tonic-gate bzero((char *)&iph, sizeof(iph)); 21817c478bd9Sstevel@tonic-gate iph.iph_unit = IPL_LOGIPF; 21827c478bd9Sstevel@tonic-gate iph.iph_type = IPHASH_LOOKUP; 21837c478bd9Sstevel@tonic-gate *iph.iph_name = '\0'; 21847c478bd9Sstevel@tonic-gate 21857c478bd9Sstevel@tonic-gate if (load_hash(&iph, top, ipfioctl[IPL_LOGLOOKUP]) == 0) 21867c478bd9Sstevel@tonic-gate sscanf(iph.iph_name, "%u", &num); 21877c478bd9Sstevel@tonic-gate else 21887c478bd9Sstevel@tonic-gate num = 0; 21897c478bd9Sstevel@tonic-gate 21907c478bd9Sstevel@tonic-gate while ((n = top) != NULL) { 21917c478bd9Sstevel@tonic-gate top = n->ipe_next; 21927c478bd9Sstevel@tonic-gate free(n); 21937c478bd9Sstevel@tonic-gate } 21947c478bd9Sstevel@tonic-gate return num; 21957c478bd9Sstevel@tonic-gate } 21967c478bd9Sstevel@tonic-gate 21977c478bd9Sstevel@tonic-gate 21987c478bd9Sstevel@tonic-gate void ipf_addrule(fd, ioctlfunc, ptr) 21997c478bd9Sstevel@tonic-gate int fd; 22007c478bd9Sstevel@tonic-gate ioctlfunc_t ioctlfunc; 22017c478bd9Sstevel@tonic-gate void *ptr; 22027c478bd9Sstevel@tonic-gate { 
2203ab25eeb5Syz ioctlcmd_t add, del; 22047c478bd9Sstevel@tonic-gate frentry_t *fr; 22057c478bd9Sstevel@tonic-gate ipfobj_t obj; 22067c478bd9Sstevel@tonic-gate 22077c478bd9Sstevel@tonic-gate fr = ptr; 22087c478bd9Sstevel@tonic-gate add = 0; 22097c478bd9Sstevel@tonic-gate del = 0; 22107c478bd9Sstevel@tonic-gate 22117c478bd9Sstevel@tonic-gate bzero((char *)&obj, sizeof(obj)); 22127c478bd9Sstevel@tonic-gate obj.ipfo_rev = IPFILTER_VERSION; 22137c478bd9Sstevel@tonic-gate obj.ipfo_size = sizeof(*fr); 22147c478bd9Sstevel@tonic-gate obj.ipfo_type = IPFOBJ_FRENTRY; 22157c478bd9Sstevel@tonic-gate obj.ipfo_ptr = ptr; 22167c478bd9Sstevel@tonic-gate 22177c478bd9Sstevel@tonic-gate if ((opts & OPT_DONOTHING) != 0) 22187c478bd9Sstevel@tonic-gate fd = -1; 22197c478bd9Sstevel@tonic-gate 22207c478bd9Sstevel@tonic-gate if (opts & OPT_ZERORULEST) { 22217c478bd9Sstevel@tonic-gate add = SIOCZRLST; 22227c478bd9Sstevel@tonic-gate } else if (opts & OPT_INACTIVE) { 22237c478bd9Sstevel@tonic-gate add = (u_int)fr->fr_hits ? SIOCINIFR : 22247c478bd9Sstevel@tonic-gate SIOCADIFR; 22257c478bd9Sstevel@tonic-gate del = SIOCRMIFR; 22267c478bd9Sstevel@tonic-gate } else { 22277c478bd9Sstevel@tonic-gate add = (u_int)fr->fr_hits ? 
SIOCINAFR : 22287c478bd9Sstevel@tonic-gate SIOCADAFR; 22297c478bd9Sstevel@tonic-gate del = SIOCRMAFR; 22307c478bd9Sstevel@tonic-gate } 22317c478bd9Sstevel@tonic-gate 22327c478bd9Sstevel@tonic-gate if (fr && (opts & OPT_OUTQUE)) 22337c478bd9Sstevel@tonic-gate fr->fr_flags |= FR_OUTQUE; 22347c478bd9Sstevel@tonic-gate if (fr->fr_hits) 22357c478bd9Sstevel@tonic-gate fr->fr_hits--; 22367c478bd9Sstevel@tonic-gate if (fr && (opts & OPT_VERBOSE)) 22377c478bd9Sstevel@tonic-gate printfr(fr, ioctlfunc); 22387c478bd9Sstevel@tonic-gate 22397c478bd9Sstevel@tonic-gate if (opts & OPT_DEBUG) { 22407c478bd9Sstevel@tonic-gate binprint(fr, sizeof(*fr)); 22417c478bd9Sstevel@tonic-gate if (fr->fr_data != NULL) 22427c478bd9Sstevel@tonic-gate binprint(fr->fr_data, fr->fr_dsize); 22437c478bd9Sstevel@tonic-gate } 22447c478bd9Sstevel@tonic-gate 22457c478bd9Sstevel@tonic-gate if ((opts & OPT_ZERORULEST) != 0) { 22467c478bd9Sstevel@tonic-gate if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) { 22476aed92a9Syx if ((opts & OPT_DONOTHING) == 0) { 22487c478bd9Sstevel@tonic-gate fprintf(stderr, "%d:", yylineNum); 22497c478bd9Sstevel@tonic-gate perror("ioctl(SIOCZRLST)"); 22507c478bd9Sstevel@tonic-gate } 22517c478bd9Sstevel@tonic-gate } else { 22527c478bd9Sstevel@tonic-gate #ifdef USE_QUAD_T 22537c478bd9Sstevel@tonic-gate printf("hits %qd bytes %qd ", 22547c478bd9Sstevel@tonic-gate (long long)fr->fr_hits, 22557c478bd9Sstevel@tonic-gate (long long)fr->fr_bytes); 22567c478bd9Sstevel@tonic-gate #else 22577c478bd9Sstevel@tonic-gate printf("hits %ld bytes %ld ", 22587c478bd9Sstevel@tonic-gate fr->fr_hits, fr->fr_bytes); 22597c478bd9Sstevel@tonic-gate #endif 22607c478bd9Sstevel@tonic-gate printfr(fr, ioctlfunc); 22617c478bd9Sstevel@tonic-gate } 22627c478bd9Sstevel@tonic-gate } else if ((opts & OPT_REMOVE) != 0) { 22637c478bd9Sstevel@tonic-gate if ((*ioctlfunc)(fd, del, (void *)&obj) == -1) { 2264ab25eeb5Syz if ((opts & OPT_DONOTHING) != 0) { 22657c478bd9Sstevel@tonic-gate fprintf(stderr, "%d:", yylineNum); 
22667c478bd9Sstevel@tonic-gate perror("ioctl(delete rule)"); 22677c478bd9Sstevel@tonic-gate } 22687c478bd9Sstevel@tonic-gate } 22697c478bd9Sstevel@tonic-gate } else { 22707c478bd9Sstevel@tonic-gate if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) { 22717c478bd9Sstevel@tonic-gate if (!(opts & OPT_DONOTHING)) { 22727c478bd9Sstevel@tonic-gate fprintf(stderr, "%d:", yylineNum); 2273ab25eeb5Syz perror("ioctl(add/insert rule)"); 22747c478bd9Sstevel@tonic-gate } 22757c478bd9Sstevel@tonic-gate } 22767c478bd9Sstevel@tonic-gate } 22777c478bd9Sstevel@tonic-gate } 22787c478bd9Sstevel@tonic-gate 22797c478bd9Sstevel@tonic-gate static void setsyslog() 22807c478bd9Sstevel@tonic-gate { 2281ab25eeb5Syz yysetdict(logwords); 22827c478bd9Sstevel@tonic-gate yybreakondot = 1; 22837c478bd9Sstevel@tonic-gate } 22847c478bd9Sstevel@tonic-gate 22857c478bd9Sstevel@tonic-gate 22867c478bd9Sstevel@tonic-gate static void unsetsyslog() 22877c478bd9Sstevel@tonic-gate { 2288ab25eeb5Syz yyresetdict(); 22897c478bd9Sstevel@tonic-gate yybreakondot = 0; 22907c478bd9Sstevel@tonic-gate } 22917c478bd9Sstevel@tonic-gate 22927c478bd9Sstevel@tonic-gate 22937c478bd9Sstevel@tonic-gate static void fillgroup(fr) 22947c478bd9Sstevel@tonic-gate frentry_t *fr; 22957c478bd9Sstevel@tonic-gate { 22967c478bd9Sstevel@tonic-gate frentry_t *f; 22977c478bd9Sstevel@tonic-gate 22987c478bd9Sstevel@tonic-gate for (f = frold; f != NULL; f = f->fr_next) 22997c478bd9Sstevel@tonic-gate if (strncmp(f->fr_grhead, fr->fr_group, FR_GROUPLEN) == 0) 23007c478bd9Sstevel@tonic-gate break; 23017c478bd9Sstevel@tonic-gate if (f == NULL) 23027c478bd9Sstevel@tonic-gate return; 23037c478bd9Sstevel@tonic-gate 23047c478bd9Sstevel@tonic-gate /* 23057c478bd9Sstevel@tonic-gate * Only copy down matching fields if the rules are of the same type 2306ab25eeb5Syz * and are of ipf type. The only fields that are copied are those 2307ab25eeb5Syz * that impact the rule parsing itself, eg. 
need for knowing what the 2308ab25eeb5Syz * protocol should be for rules with port comparisons in them. 23097c478bd9Sstevel@tonic-gate */ 23107c478bd9Sstevel@tonic-gate if (f->fr_type != fr->fr_type || f->fr_type != FR_T_IPF) 23117c478bd9Sstevel@tonic-gate return; 23127c478bd9Sstevel@tonic-gate 23137c478bd9Sstevel@tonic-gate if (fr->fr_v == 0 && f->fr_v != 0) 23147c478bd9Sstevel@tonic-gate fr->fr_v = f->fr_v; 23157c478bd9Sstevel@tonic-gate 23167c478bd9Sstevel@tonic-gate if (fr->fr_mproto == 0 && f->fr_mproto != 0) 23177c478bd9Sstevel@tonic-gate fr->fr_mproto = f->fr_mproto; 23187c478bd9Sstevel@tonic-gate if (fr->fr_proto == 0 && f->fr_proto != 0) 23197c478bd9Sstevel@tonic-gate fr->fr_proto = f->fr_proto; 23207c478bd9Sstevel@tonic-gate 2321ab25eeb5Syz if ((fr->fr_mproto == 0) && ((fr->fr_flx & FI_TCPUDP) == 0) && 2322ab25eeb5Syz ((f->fr_flx & FI_TCPUDP) != 0)) 2323ab25eeb5Syz fr->fr_flx |= FI_TCPUDP; 23247c478bd9Sstevel@tonic-gate } 2325