%{
/*
 * Copyright (C) 2003 by Darren Reed.
 *
 * See the IPFILTER.LICENCE file for details on licencing.
 *
 * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident "%Z%%M% %I% %E% SMI"

#include "ipf.h"
#include <netinet/ip_icmp.h>
#include <sys/ioctl.h>
#include <syslog.h>
#ifdef IPFILTER_BPF
# include <net/bpf.h>
# include <pcap-int.h>
# include <pcap.h>
#endif
#if SOLARIS2 >= 10
#include "ip_pool.h"
#include "ip_htable.h"
#include "ipl.h"
#else
#include "netinet/ip_pool.h"
#include "netinet/ip_htable.h"
#include "netinet/ipl.h"
#endif
#include "ipf_l.h"

/*
 * YYDEBUG builds the generated parser with its trace support; yydebug is
 * declared extern further down.
 *
 * DOALL(x) runs the statements x once per rule, walking from frc along
 * fr_next.  DOREM(x) is the same loop but starts at the current value of
 * fr.  Both drive the file-scope cursor fr and leave it NULL when the loop
 * ends.  x is pasted into a braced loop body, so it has to be made of
 * complete statements.
 */
#define YYDEBUG 1
#define DOALL(x) for (fr = frc; fr != NULL; fr = fr->fr_next) { x }
#define DOREM(x) for (; fr != NULL; fr = fr->fr_next) { x }
#if SOLARIS2 >= 10
/* Interface-name prefix that the onname/vianame actions warn about. */
#define VNI "vni"
#define VNISTRLEN 3
#endif

/*
 * Bits recorded in ruleopts by the inopt/outopt actions, so that an option
 * given twice in one rule is reported through yyerror().
 */
#define OPTION_LOG 0x1
#define OPTION_QUICK 0x2
#define OPTION_DUP 0x4
#define OPTION_PROUTE 0x8
#define OPTION_ON 0x10
#define OPTION_REPLYTO 0x20
#define OPTION_FROUTE 0x40

extern void yyerror __P((char *));
extern int yyparse __P((void));
extern int yylex __P((void));
extern int yydebug;
extern FILE *yyin;
extern int yylineNum;

static void newrule __P((void));
static void setipftype __P((void));
static u_32_t lookuphost __P((char *));
static void dobpf __P((char *));
static void resetaddr __P((void));
static struct alist_s *newalist __P((struct alist_s *));
static u_int makehash __P((struct alist_s *));
static int makepool __P((struct alist_s *));
static frentry_t *addrule __P((void));
static void setsyslog __P((void));
static void unsetsyslog __P((void));
static void fillgroup __P((frentry_t *));

/*
 * Rule lists shared by the actions: fr is the working cursor, frc the head
 * that DOALL walks from, frtop the list that the `line' action hands to
 * ipfaddfunc one entry at a time, and frold the list onto which `line'
 * pushes each entry afterwards.
 */
frentry_t *fr = NULL, *frc = NULL, *frtop = NULL, *frold = NULL;

static int ifpflag = 0;
static int nowith = 0;
static int dynamic = -1;
static int pooled = 0;
static int hashed = 0;
/* lstart clears `added' and sets newlist; lend adds `added' to nrules. */
static int nrules = 0;
static int newlist = 0;
static int added = 0;
/*
 * ipffd, ipfioctl[IPL_LOGIPF] and ipfaddfunc are what the `line' action
 * uses to hand each finished rule on.
 * NOTE(review): ipfaddfunc starts out NULL and `line' calls through it
 * without a check; presumably the code that starts the parser sets it
 * first -- confirm.
 */
static int ipffd = -1;
/* When non-NULL, the lmore action stores 1 through this pointer. */
static int *yycont = 0;
/* OPTION_* bits seen so far in the rule; cleared before inopts/outopts. */
static int ruleopts = 0;
static ioctlfunc_t ipfioctl[IPL_LOGSIZE];
static addfunc_t ipfaddfunc = NULL;
static wordtab_t addrwords[4];
static wordtab_t maskwords[5];
static wordtab_t *savewords;

%}
/*
 * Semantic value types.  The actions free() the <str> values they consume
 * (assign, bpfrule, func, group, head, tagspec, the interface-name rules),
 * so these are presumably heap copies made by the lexer -- confirm there.
 * <num> is u_32_t; the actions that format it with "%d" treat it as signed.
 */
%union {
	char *str;
	u_32_t num;
	struct in_addr ipa;
	frentry_t fr;
	frtuc_t *frt;
	struct alist_s *alist;
	struct {
		u_short p1;
		u_short p2;
		int pc;
	} pc;
	struct {
		union i6addr a;
		union i6addr m;
	} ipp;
	union i6addr ip6;
};

%type <num> portnum facility priority icmpcode seclevel secname icmptype
%type <num> opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr
%type <num> portc porteq
%type <ipa> hostname ipv4 ipv4mask
%type <ip6> ipv6mask
%type <ipp> addr ipaddr
%type <str> servicename name interfacename
%type <pc> portrange portcomp
%type <alist> addrlist poollist

/* Tokens that carry a value; every token declared after these has none. */
%token <num> YY_NUMBER YY_HEX
%token <str> YY_STR
%token YY_COMMENT
%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
%token YY_RANGE_OUT YY_RANGE_IN
%token <ip6> YY_IPV6

%token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL
%token IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST
%token IPFY_IN IPFY_OUT
%token IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA
%token IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO
%token IPFY_TOS IPFY_TTL IPFY_PROTO
%token IPFY_HEAD IPFY_GROUP
%token IPFY_AUTH IPFY_PREAUTH IPFY_DIVERT
%token IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK
%token IPFY_LOGTAG IPFY_TAG IPFY_SKIP
%token IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPF IPFY_POOL IPFY_HASH
%token IPFY_PPS
%token IPFY_ESP IPFY_AH
%token IPFY_WITH IPFY_AND IPFY_NOT IPFY_NO IPFY_OPT
%token IPFY_TCPUDP IPFY_TCP IPFY_UDP
%token IPFY_FLAGS IPFY_MULTICAST
%token IPFY_MASK IPFY_BROADCAST IPFY_NETWORK IPFY_NETMASKED IPFY_PEER
%token IPFY_PORT
%token IPFY_NOW
/* Keyword tokens for ICMP, packet-state, IP option and security-class words. */
%token IPFY_ICMP IPFY_ICMPTYPE IPFY_ICMPCODE
%token IPFY_IPOPTS IPFY_SHORT IPFY_NAT IPFY_BADSRC IPFY_LOWTTL IPFY_FRAG
%token IPFY_MBCAST IPFY_BAD IPFY_BADNAT IPFY_OOW IPFY_NEWISN IPFY_NOICMPERR
%token IPFY_KEEP IPFY_STATE IPFY_FRAGS IPFY_LIMIT IPFY_STRICT IPFY_AGE
%token IPFY_IPOPT_NOP IPFY_IPOPT_RR IPFY_IPOPT_ZSU IPFY_IPOPT_MTUP
%token IPFY_IPOPT_MTUR IPFY_IPOPT_ENCODE IPFY_IPOPT_TS IPFY_IPOPT_TR
%token IPFY_IPOPT_SEC IPFY_IPOPT_LSRR IPFY_IPOPT_ESEC IPFY_IPOPT_CIPSO
%token IPFY_IPOPT_SATID IPFY_IPOPT_SSRR IPFY_IPOPT_ADDEXT IPFY_IPOPT_VISA
%token IPFY_IPOPT_IMITD IPFY_IPOPT_EIP IPFY_IPOPT_FINN IPFY_IPOPT_DPS
%token IPFY_IPOPT_SDB IPFY_IPOPT_NSAPA IPFY_IPOPT_RTRALRT IPFY_IPOPT_UMP
%token IPFY_SECCLASS IPFY_SEC_UNC IPFY_SEC_CONF IPFY_SEC_RSV1 IPFY_SEC_RSV2
%token IPFY_SEC_RSV4 IPFY_SEC_SEC IPFY_SEC_TS IPFY_SEC_RSV3

%token IPF6_V6HDRS IPFY_IPV6OPT IPFY_IPV6OPT_DSTOPTS IPFY_IPV6OPT_HOPOPTS
%token IPFY_IPV6OPT_IPV6 IPFY_IPV6OPT_NONE IPFY_IPV6OPT_ROUTING

%token IPFY_ICMPT_UNR IPFY_ICMPT_ECHO IPFY_ICMPT_ECHOR IPFY_ICMPT_SQUENCH
%token IPFY_ICMPT_REDIR IPFY_ICMPT_TIMEX IPFY_ICMPT_PARAMP IPFY_ICMPT_TIMEST
%token IPFY_ICMPT_TIMESTREP IPFY_ICMPT_INFOREQ IPFY_ICMPT_INFOREP
%token IPFY_ICMPT_MASKREQ IPFY_ICMPT_MASKREP IPFY_ICMPT_ROUTERAD
%token IPFY_ICMPT_ROUTERSOL

%token IPFY_ICMPC_NETUNR IPFY_ICMPC_HSTUNR IPFY_ICMPC_PROUNR IPFY_ICMPC_PORUNR
%token IPFY_ICMPC_NEEDF IPFY_ICMPC_SRCFAIL IPFY_ICMPC_NETUNK IPFY_ICMPC_HSTUNK
%token IPFY_ICMPC_ISOLATE IPFY_ICMPC_NETPRO IPFY_ICMPC_HSTPRO
%token IPFY_ICMPC_NETTOS IPFY_ICMPC_HSTTOS IPFY_ICMPC_FLTPRO IPFY_ICMPC_HSTPRE
%token IPFY_ICMPC_CUTPRE

%token IPFY_FAC_KERN IPFY_FAC_USER IPFY_FAC_MAIL IPFY_FAC_DAEMON IPFY_FAC_AUTH
%token IPFY_FAC_SYSLOG IPFY_FAC_LPR IPFY_FAC_NEWS IPFY_FAC_UUCP IPFY_FAC_CRON
%token IPFY_FAC_LOCAL0 IPFY_FAC_LOCAL1 IPFY_FAC_LOCAL2 IPFY_FAC_LOCAL3
%token IPFY_FAC_LOCAL4 IPFY_FAC_LOCAL5 IPFY_FAC_LOCAL6 IPFY_FAC_LOCAL7
%token IPFY_FAC_SECURITY IPFY_FAC_FTP IPFY_FAC_AUTHPRIV IPFY_FAC_AUDIT
%token IPFY_FAC_LFMT IPFY_FAC_CONSOLE

%token IPFY_PRI_EMERG IPFY_PRI_ALERT IPFY_PRI_CRIT IPFY_PRI_ERR IPFY_PRI_WARN
%token IPFY_PRI_NOTICE IPFY_PRI_INFO IPFY_PRI_DEBUG
%%
/* Start symbol: a non-empty sequence of rule lines and variable assignments. */
file:	line
	| assign
	| file line
	| file assign
	;

/*
 * A finished rule.  The action empties the frtop list: each entry is
 * unlinked, passed to (*ipfaddfunc)() together with ipffd and
 * ipfioctl[IPL_LOGIPF], then pushed onto frold.
 * NOTE(review): the call goes through ipfaddfunc without a NULL check and
 * its result is not looked at here, so a rule the callee refuses is not
 * noticed in this action -- confirm where failures are reported.
 */
line:	xx rule		{ while ((fr = frtop) != NULL) {
				frtop = fr->fr_next;
				fr->fr_next = NULL;
				(*ipfaddfunc)(ipffd, ipfioctl[IPL_LOGIPF], fr);
				fr->fr_next = frold;
				frold = fr;
			  }
			  resetlexer();
			}
	| YY_COMMENT
	;

/* Empty rule whose action runs newrule() before any rule text is reduced. */
xx:	{ newrule(); }
	;

/* name = value ; -- both strings go to set_variable() and are then freed. */
assign:	YY_STR assigning YY_STR ';'	{ set_variable($1, $3);
					  resetlexer();
					  free($1);
					  free($3);
					}
	;

assigning:
	'='				{ yyvarnext = 1; }
	;

rule:	inrule
	| outrule
	;

/* The mid-rule action clears ruleopts before the option list is parsed. */
inrule:
	rulehead markin { ruleopts = 0; } inopts rulemain ruletail
	;

outrule:
	rulehead markout { ruleopts = 0; } outopts rulemain ruletail
	;

rulehead:
	collection action
	| insert collection action
	;

markin:	IPFY_IN				{ fr->fr_flags |= FR_INQUE; }
	;

markout:
	IPFY_OUT			{ fr->fr_flags |= FR_OUTQUE; }
	;

rulemain:
	ipfrule
	| bpfrule
	;

ipfrule:
	tos ttl proto ip
	;

/* The BPF expression text is handed to dobpf() and then freed. */
bpfrule:
	IPFY_BPF '{' YY_STR '}'		{ dobpf($3); free($3); }
	;

ruletail:
	keep head group tag pps age new
	;

/* "@N" stores N in fr_hits. */
insert:
	'@' YY_NUMBER			{ fr->fr_hits = (U_QUAD_T)$2; }
	;

collection:
	| YY_NUMBER			{ fr->fr_collect = $1; }
	;

/*
 * The action keyword.  Every alternative ORs its bit into fr_flags except
 * `blocked', which assigns.  divert and skip also store their number in
 * fr_arg with no range check in these actions.
 */
action:	block
	| IPFY_PASS			{ fr->fr_flags |= FR_PASS; }
	| IPFY_DIVERT YY_NUMBER		{ fr->fr_flags |= FR_DIVERT;
					  fr->fr_arg = $2; }
	| log
	| IPFY_COUNT			{ fr->fr_flags |= FR_ACCOUNT; }
	| auth
	| IPFY_SKIP YY_NUMBER		{ fr->fr_flags |= FR_SKIP;
					  fr->fr_arg = $2; }
	| IPFY_CALL func
	| IPFY_CALL IPFY_NOW func	{ fr->fr_flags |= FR_CALLNOW; }
	;

block:	blocked
	| blocked blockreturn
	;

/*
 * Plain assignment, not |=: fr_flags is replaced outright.  In the grammar
 * shown here only insert and collection can come before the action, and
 * neither touches fr_flags.
 */
blocked:
	IPFY_BLOCK			{ fr->fr_flags = FR_BLOCK; }
	;
blockreturn:
	IPFY_RETICMP			{ fr->fr_flags |= FR_RETICMP; }
	| IPFY_RETICMP returncode	{ fr->fr_flags |= FR_RETICMP; }
	| IPFY_RETICMPASDST		{ fr->fr_flags |= FR_FAKEICMP; }
	| IPFY_RETICMPASDST returncode	{ fr->fr_flags |= FR_FAKEICMP; }
	| IPFY_RETRST			{ fr->fr_flags |= FR_RETRST; }
	;

log:	IPFY_LOG			{ fr->fr_flags |= FR_LOG; }
	| IPFY_LOG logoptions		{ fr->fr_flags |= FR_LOG; }
	;

auth:	IPFY_AUTH			{ fr->fr_flags |= FR_AUTH; }
	| IPFY_AUTH IPFY_RETRST		{ fr->fr_flags |= (FR_AUTH|FR_RETRST);}
	| IPFY_PREAUTH			{ fr->fr_flags |= FR_PREAUTH; }
	;

/*
 * "name/number" after `call': the name is resolved with nametokva() and the
 * result stored in fr_func; the number goes to fr_arg.
 * NOTE(review): the nametokva() result is stored unchecked, and what it
 * returns for an unknown name is not visible here -- confirm that an
 * unresolved function name cannot reach the kernel as a usable rule.
 */
func:	YY_STR '/' YY_NUMBER	{ fr->fr_func = nametokva($1,
							  ipfioctl[IPL_LOGIPF]);
				  fr->fr_arg = $3;
				  free($1); }
	;

inopts:
	| inopts inopt
	;

/*
 * Options allowed on an "in" rule.  Each action reports a repeat through
 * yyerror() and then records the option's bit in ruleopts.  The action
 * carries on after yyerror() returns; whether yyerror() stops the load is
 * not visible here.
 */
inopt:
	logopt
	{
		if ( ruleopts & OPTION_LOG )
			yyerror("Duplicate log option");
		ruleopts |= OPTION_LOG;
	}
	| quick
	{
		if ( ruleopts & OPTION_QUICK )
			yyerror("Duplicate quick option");
		ruleopts |= OPTION_QUICK;
	}
	| on
	{
		if ( ruleopts & OPTION_ON )
			yyerror("Duplicate on option");
		ruleopts |= OPTION_ON;
	}
	| dup
	{
		if ( ruleopts & OPTION_DUP )
			yyerror("Duplicate dup option");
		ruleopts |= OPTION_DUP;
	}
	| froute
	{
		if ( ruleopts & OPTION_FROUTE )
			yyerror("Duplicate froute option");
		ruleopts |= OPTION_FROUTE;
	}
	| proute
	{
		if ( ruleopts & OPTION_PROUTE )
			yyerror("Duplicate proute option");
		ruleopts |= OPTION_PROUTE;
	}
	| replyto
	{
		if ( ruleopts & OPTION_REPLYTO )
			yyerror("Duplicate replyto option");
		ruleopts |= OPTION_REPLYTO;
	}
	;

outopts:
	| outopts outopt
	;

/* Same duplicate checks as inopt; this list has no froute alternative. */
outopt:
	logopt
	{
		if ( ruleopts & OPTION_LOG )
			yyerror("Duplicate log option");
		ruleopts |= OPTION_LOG;
	}
	| quick
	{
		if ( ruleopts & OPTION_QUICK )
			yyerror("Duplicate quick option");
		ruleopts |= OPTION_QUICK;
	}
	| on
	{
		if ( ruleopts & OPTION_ON )
			yyerror("Duplicate on option");
		ruleopts |= OPTION_ON;
	}
	| dup
	{
		if ( ruleopts & OPTION_DUP )
			yyerror("Duplicate dup option");
		ruleopts |= OPTION_DUP;
	}
	| proute
	{
		if ( ruleopts & OPTION_PROUTE )
			yyerror("Duplicate proute option");
		ruleopts |= OPTION_PROUTE;
	}
	| replyto
	{
		if ( ruleopts & OPTION_REPLYTO )
			yyerror("Duplicate replyto option");
		ruleopts |= OPTION_REPLYTO;
	}
	;

/*
 * Optional "tos" match.  A single value is written to every rule on the frc
 * list with the mask fixed at 0xff; the value itself is stored as given,
 * with no range check in these actions.
 */
tos:	| settos YY_NUMBER	{ DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
	| settos YY_HEX	{ DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
	| settos lstart toslist lend
	;

settos:	IPFY_TOS			{ setipftype(); }
	;

/*
 * Values inside "( ... )" after tos.  The first alternative loops with
 * DOALL and the others with DOREM; lstart has just set fr = frc, so for the
 * first element both start from the same rule.
 */
toslist:
	YY_NUMBER	{ DOALL(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
	| YY_HEX	{ DOREM(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
	| toslist lmore YY_NUMBER
			{ DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
	| toslist lmore YY_HEX
			{ DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
	;

ttl:	| setttl YY_NUMBER
			{ DOALL(fr->fr_ttl = $2; fr->fr_mttl = 0xff;) }
	| setttl lstart ttllist lend
	;

/* '(' opens a value list: rewind fr to frc and clear the `added' counter. */
lstart:	'('				{ newlist = 1; fr = frc; added = 0; }
	;

lend:	')'				{ nrules += added; }
	;

/*
 * Separator between list elements: fr becomes whatever addrule() returns,
 * and *yycont is set to 1 when yycont is non-NULL.
 */
lmore:	lanother			{ if (newlist == 1) {
						newlist = 0;
					  }
					  fr = addrule();
					  if (yycont != NULL)
						*yycont = 1;
					}
	;

/* The comma between list elements is optional. */
lanother:
	| ','
	;

setttl:	IPFY_TTL			{ setipftype(); }
	;

ttllist:
	YY_NUMBER	{ DOREM(fr->fr_ttl = $1; fr->fr_mttl = 0xff;) }
	| ttllist lmore YY_NUMBER
			{ DOREM(fr->fr_ttl = $3; fr->fr_mttl = 0xff;) }
	;

proto:	| protox protocol		{ yyresetdict(); }
	;

protox:	IPFY_PROTO			{ setipftype();
					  fr = frc;
					  yysetdict(NULL); }
	;

ip:	srcdst flags with icmp
	;

/*
 * Group name or number, copied into fr_group of every rule, followed by
 * fillgroup().
 * NOTE(review): strncpy() with a bound of FR_GROUPLEN leaves fr_group
 * without a terminating NUL when the name is FR_GROUPLEN bytes or longer.
 * Confirm that every reader treats the field as fixed-width, or reject
 * over-long names here.
 * NOTE(review): sprintf() has no bound and "%d" prints the u_32_t value as
 * signed; the output is at most 11 characters plus the NUL for a 32-bit
 * value, which assumes FR_GROUPLEN is at least 12 -- confirm.
 */
group:	| IPFY_GROUP YY_STR		{ DOALL(strncpy(fr->fr_group, $2, \
							FR_GROUPLEN); \
							fillgroup(fr););
					  free($2); }
	| IPFY_GROUP YY_NUMBER		{ DOALL(sprintf(fr->fr_group, "%d", \
							$2); \
							fillgroup(fr);) }
	;

/*
 * Same copies as `group', into fr_grhead and without the fillgroup() call.
 * The termination and sprintf() caveats given for `group' apply here too.
 */
head:	| IPFY_HEAD YY_STR		{ DOALL(strncpy(fr->fr_grhead, $2, \
							FR_GROUPLEN););
					  free($2); }
	| IPFY_HEAD YY_NUMBER		{ DOALL(sprintf(fr->fr_grhead, "%d", \
							$2);) }
	;

/* This rule has no closing ';' before the next rule starts. */
tag:	| IPFY_TAG YY_NUMBER		{ DOALL(fr->fr_logtag = $2;) }
	| IPFY_TAG '(' taglist ')'

taglist:
	tagspec
	| taglist ',' tagspec
	;

/*
 * nat=<string|number> fills fr_nattag.ipt_tag; log=<number> sets fr_logtag.
 * NOTE(review): the literal 16 is presumably the size of ipt_tag --
 * confirm.  strncpy() leaves the tag unterminated for strings of 16 bytes
 * or more.  "%15d" pads to 15 characters, so sprintf() writes 15 characters
 * plus the NUL, i.e. 16 bytes.
 */
tagspec:
	IPFY_NAT '=' YY_STR		{ DOALL(strncpy(fr->fr_nattag.ipt_tag,\
							$3, 16););
					  free($3); }
	| IPFY_NAT '=' YY_NUMBER	{ DOALL(sprintf(fr->fr_nattag.ipt_tag,\
							"%15d", $3);) }
	| IPFY_LOG '=' YY_NUMBER	{ DOALL(fr->fr_logtag = $3;) }
	;

pps:	| IPFY_PPS YY_NUMBER		{ DOALL(fr->fr_pps = $2;) }
	;

/* Optional "{ file }" block nested at the end of a rule. */
new:	| savegroup file restoregroup
	;

savegroup:
	'{'
	;

restoregroup:
	'}'
	;

logopt:	log
	;

quick:
	IPFY_QUICK			{ fr->fr_flags |= FR_QUICK; }
	;

on:	IPFY_ON onname
	| IPFY_ON onname IPFY_INVIA vianame
	| IPFY_ON onname IPFY_OUTVIA vianame
	;

/*
 * Interface name(s) after "on": the first goes to fr_ifnames[0], an
 * optional second after ',' to fr_ifnames[1].
 * NOTE(review): strncpy() bounded by sizeof the slot does not NUL-terminate
 * a name that fills the slot; confirm that consumers of fr_ifnames treat it
 * as fixed-width or that names are length-checked earlier.
 * On SOLARIS2 >= 10 a name made of "vni", optional digits, and then the end
 * of the string or ':' draws a warning on stderr.  It is only a warning:
 * the name has already been copied into the rule.
 */
onname:	interfacename
		{
#if SOLARIS2 >=10
		char *cp;
#endif
		strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
#if SOLARIS2 >= 10
		if (strncmp(VNI, $1, VNISTRLEN) == 0) {
			cp = $1 + VNISTRLEN;
			cp += strspn(cp, "0123456789");
			if (*cp == '\0' || *cp == ':') {
				fprintf(stderr, "%d: Warning- %s specified. vni"
				    " is a virtual interface, use a physical"
				    " interface instead. See vni(7D)\n",
				    yylineNum, $1);
			}
		}
#endif
		free($1);
		}
	| interfacename ',' name
		{
#if SOLARIS2 >= 10
		char *cp;
#endif
		strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
#if SOLARIS2 >= 10
		if (strncmp(VNI, $1, VNISTRLEN) == 0) {
			cp = $1 + VNISTRLEN;
			cp += strspn(cp, "0123456789");
			if (*cp == '\0' || *cp == ':') {
				fprintf(stderr, "%d: Warning- %s specified. vni"
				    " is a virtual interface, use a physical"
				    " interface instead. See vni(7D)\n",
				    yylineNum, $1);
			}
		}
#endif
		free($1);
		strncpy(fr->fr_ifnames[1], $3, sizeof(fr->fr_ifnames[1]));
#if SOLARIS2 >= 10
		if (strncmp(VNI, $3, VNISTRLEN) == 0) {
			cp = $3 + VNISTRLEN;
			cp += strspn(cp, "0123456789");
			if (*cp == '\0' || *cp == ':') {
				fprintf(stderr, "%d: Warning- %s specified. vni"
				    " is a virtual interface, use a physical"
				    " interface instead. See vni(7D)\n",
				    yylineNum, $3);
			}
		}
#endif
		free($3);
		}
	;

/*
 * Interface name(s) after in-via/out-via: the same handling as onname, but
 * filling fr_ifnames[2] and, for the optional second name, fr_ifnames[3].
 * The strncpy() termination caveat noted for onname applies here as well.
 */
vianame:
	interfacename
		{
#if SOLARIS2 >= 10
		char *cp;
#endif
		strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
#if SOLARIS2 >= 10
		if (strncmp(VNI, $1, VNISTRLEN) == 0) {
			cp = $1 + VNISTRLEN;
			cp += strspn(cp, "0123456789");
			if (*cp == '\0' || *cp == ':') {
				fprintf(stderr, "%d: Warning- %s specified. vni"
				    " is a virtual interface, use a physical"
				    " interface instead. See vni(7D)\n",
				    yylineNum, $1);
			}
		}
#endif
		free($1);
		}
	| interfacename ',' name
		{
#if SOLARIS2 >= 10
		char *cp;
#endif
		strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
#if SOLARIS2 >= 10
		if (strncmp(VNI, $1, VNISTRLEN) == 0) {
			cp = $1 + VNISTRLEN;
			cp += strspn(cp, "0123456789");
			if (*cp == '\0' || *cp == ':') {
				fprintf(stderr, "%d: Warning- %s specified. vni"
				    " is a virtual interface, use a physical"
				    " interface instead. See vni(7D)\n",
				    yylineNum, $1);
			}
		}
#endif
		free($1);
		strncpy(fr->fr_ifnames[3], $3, sizeof(fr->fr_ifnames[3]));
#if SOLARIS2 >= 10
		if (strncmp(VNI, $3, VNISTRLEN) == 0) {
			cp = $3 + VNISTRLEN;
			cp += strspn(cp, "0123456789");
			if (*cp == '\0' || *cp == ':') {
				fprintf(stderr, "%d: Warning- %s specified. vni"
				    " is a virtual interface, use a physical"
				    " interface instead. See vni(7D)\n",
				    yylineNum, $3);
			}
		}
#endif
		free($3);
		}
	;

/*
 * dup-to, to and reply-to share one shape: the interface name is copied
 * into the fd_ifname of fr_dif, fr_tif or fr_rif, and an optional
 * ":hostname" sets the matching fd_ip.  The copies are strncpy() bounded by
 * sizeof the field, so a name that fills the field is left unterminated
 * (NOTE(review): confirm how readers of fd_ifname handle that).
 */
dup:	IPFY_DUPTO name
	{ strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
	  free($2);
	}
	| IPFY_DUPTO name ':' hostname
	{ strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
	  fr->fr_dif.fd_ip = $4;
	  free($2);
	}
	;

froute:	IPFY_FROUTE			{ fr->fr_flags |= FR_FASTROUTE; }
	;

proute:	IPFY_TO name
	{ strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
	  free($2);
	}
	| IPFY_TO name ':' hostname
	{ strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
	  fr->fr_tif.fd_ip = $4;
	  free($2);
	}
	;

replyto:
	IPFY_REPLY_TO name
	{ strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
	  free($2);
	}
	| IPFY_REPLY_TO name ':' hostname
	{ strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
	  fr->fr_rif.fd_ip = $4;
	  free($2);
	}
	;

logoptions:
	logoption
	| logoptions logoption
	;

logoption:
	IPFY_BODY			{ fr->fr_flags |= FR_LOGBODY; }
	| IPFY_FIRST			{ fr->fr_flags |= FR_LOGFIRST; }
	| IPFY_ORBLOCK			{ fr->fr_flags |= FR_LOGORBLOCK; }
	| level loglevel		{ unsetsyslog(); }
	;

/* "( code )" after a return-icmp keyword; the code is stored in fr_icode. */
returncode:
	starticmpcode icmpcode ')'	{ fr->fr_icode = $2; yyresetdict(); }
	;

starticmpcode:
	'('				{ yysetdict(icmpcodewords); }
	;

srcdst:	IPFY_ALL
	| fromto
	;

protocol:
	YY_NUMBER		{ DOREM(fr->fr_proto = $1; \
					fr->fr_mproto = 0xff;) }
	| YY_STR		{ if (!strcmp($1, "tcp-udp")) {
					DOREM(fr->fr_flx |= FI_TCPUDP; \
					      fr->fr_mflx |= FI_TCPUDP;)
				  } else {
					int p = getproto($1);
					if (p == -1)
						fprintf(stderr, "protocol unknown: %s, line %d\n", $1, yylineNum);
DOREM(fr->fr_proto = p; \ 703*7c478bd9Sstevel@tonic-gate fr->fr_mproto = 0xff;) 704*7c478bd9Sstevel@tonic-gate } 705*7c478bd9Sstevel@tonic-gate free($1); 706*7c478bd9Sstevel@tonic-gate } 707*7c478bd9Sstevel@tonic-gate | YY_STR nextstring YY_STR 708*7c478bd9Sstevel@tonic-gate { if (!strcmp($1, "tcp") && 709*7c478bd9Sstevel@tonic-gate !strcmp($3, "udp")) { 710*7c478bd9Sstevel@tonic-gate DOREM(fr->fr_flx |= FI_TCPUDP; \ 711*7c478bd9Sstevel@tonic-gate fr->fr_mflx |= FI_TCPUDP;) 712*7c478bd9Sstevel@tonic-gate } else 713*7c478bd9Sstevel@tonic-gate YYERROR; 714*7c478bd9Sstevel@tonic-gate free($1); 715*7c478bd9Sstevel@tonic-gate free($3); 716*7c478bd9Sstevel@tonic-gate } 717*7c478bd9Sstevel@tonic-gate ; 718*7c478bd9Sstevel@tonic-gate 719*7c478bd9Sstevel@tonic-gate nextstring: 720*7c478bd9Sstevel@tonic-gate '/' { yysetdict(NULL); } 721*7c478bd9Sstevel@tonic-gate ; 722*7c478bd9Sstevel@tonic-gate 723*7c478bd9Sstevel@tonic-gate fromto: from srcobject to dstobject { yyexpectaddr = 0; yycont = NULL; } 724*7c478bd9Sstevel@tonic-gate | to dstobject { yyexpectaddr = 0; yycont = NULL; } 725*7c478bd9Sstevel@tonic-gate | from srcobject { yyexpectaddr = 0; yycont = NULL; } 726*7c478bd9Sstevel@tonic-gate ; 727*7c478bd9Sstevel@tonic-gate 728*7c478bd9Sstevel@tonic-gate from: IPFY_FROM { setipftype(); 729*7c478bd9Sstevel@tonic-gate if (fr == NULL) 730*7c478bd9Sstevel@tonic-gate fr = frc; 731*7c478bd9Sstevel@tonic-gate yyexpectaddr = 1; 732*7c478bd9Sstevel@tonic-gate yycont = &yyexpectaddr; 733*7c478bd9Sstevel@tonic-gate yysetdict(addrwords); 734*7c478bd9Sstevel@tonic-gate resetaddr(); } 735*7c478bd9Sstevel@tonic-gate ; 736*7c478bd9Sstevel@tonic-gate 737*7c478bd9Sstevel@tonic-gate to: IPFY_TO { if (fr == NULL) 738*7c478bd9Sstevel@tonic-gate fr = frc; 739*7c478bd9Sstevel@tonic-gate yyexpectaddr = 1; 740*7c478bd9Sstevel@tonic-gate yycont = &yyexpectaddr; 741*7c478bd9Sstevel@tonic-gate yysetdict(addrwords); 742*7c478bd9Sstevel@tonic-gate resetaddr(); } 743*7c478bd9Sstevel@tonic-gate ; 

/* with: optional; either nothing or a with/and keyword and its options. */
with:	| andwith withlist
	;

/* andwith: both keywords clear nowith and call setipftype(). */
andwith:
	IPFY_WITH			{ nowith = 0; setipftype(); }
	| IPFY_AND			{ nowith = 0; setipftype(); }
	;

/*
 * flags: optional TCP flag match.  DOALL walks every rule from frc and
 * sets fr_tcpf (flags) and fr_tcpfm (mask).  With no '/' part the mask is
 * FR_TCPFMAX; with only a '/' part the flag value is 0.  Flags and mask
 * may each be given as a flag string/hex value (flagset) or as a number.
 */
flags:	| IPFY_FLAGS flagset
		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
	| IPFY_FLAGS flagset '/' flagset
		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
	| IPFY_FLAGS '/' flagset
		{ DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
	| IPFY_FLAGS YY_NUMBER
		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
	| IPFY_FLAGS '/' YY_NUMBER
		{ DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
	| IPFY_FLAGS YY_NUMBER '/' YY_NUMBER
		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
	| IPFY_FLAGS flagset '/' YY_NUMBER
		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
	| IPFY_FLAGS YY_NUMBER '/' flagset
		{ DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
	;

/* flagset: a string converted by tcpflags() (then freed), or a hex value. */
flagset:
	YY_STR				{ $$ = tcpflags($1); free($1); }
	| YY_HEX			{ $$ = $1; }
	;

/* srcobject: a leading '!' sets FR_NOTSRCIP on every rule in the chain. */
srcobject:
	srcaddr srcport
	| '!' srcaddr srcport
		{ DOALL(fr->fr_flags |= FR_NOTSRCIP;) }
	| fromport
	;

/*
 * srcaddr / srcaddrlist: copy the parsed address and mask into the source
 * fields of fr and of every rule linked after it (DOREM).  When dynamic
 * is not -1 the source address type becomes ifpflag and dynamic is kept
 * in fri_sifpidx; otherwise a pool or hash reference marks the source as
 * FRI_LOOKUP.  DOREM ends with fr == NULL.
 */
srcaddr:
	addr	{ DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \
			bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \
			if (dynamic != -1) { \
				fr->fr_satype = ifpflag; \
				fr->fr_ipf->fri_sifpidx = dynamic; \
			} else if (pooled || hashed) \
				fr->fr_satype = FRI_LOOKUP;)
		}
	| lstart srcaddrlist lend
	;

srcaddrlist:
	addr	{ DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \
			bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \
			if (dynamic != -1) { \
				fr->fr_satype = ifpflag; \
				fr->fr_ipf->fri_sifpidx = dynamic; \
			} else if (pooled || hashed) \
				fr->fr_satype = FRI_LOOKUP;)
		}
	| srcaddrlist lmore addr
		{ DOREM(bcopy(&($3.a), &fr->fr_ip.fi_src, sizeof($3.a)); \
			bcopy(&($3.m), &fr->fr_mip.fi_src, sizeof($3.m)); \
			if (dynamic != -1) { \
				fr->fr_satype = ifpflag; \
				fr->fr_ipf->fri_sifpidx = dynamic; \
			} else if (pooled || hashed) \
				fr->fr_satype = FRI_LOOKUP;)
		}
	;

/*
 * srcport / fromport: store the comparison operator in fr_scmp and the
 * port in fr_sport (plus fr_stop for a range) on every rule.  srcport may
 * be empty; fromport may not.
 */
srcport:
	| portcomp
		{ DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
	| portrange
		{ DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
			fr->fr_stop = $1.p2;) }
	| porteq lstart srcportlist lend
		{ yyresetdict(); }
	;

fromport:
	portcomp
		{ DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
	| portrange
		{ DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
			fr->fr_stop = $1.p2;) }
	| porteq lstart srcportlist lend
		{ yyresetdict(); }
	;

/* srcportlist: every listed port is matched with FR_EQUAL. */
srcportlist:
	portnum		{ DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $1;) }
	| srcportlist lmore portnum
			{ DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $3;) }
	;

/* dstobject: a leading '!' sets FR_NOTDSTIP on every rule in the chain. */
dstobject:
	toport
	| dstaddr dstport
	| '!' dstaddr dstport
		{ DOALL(fr->fr_flags |= FR_NOTDSTIP;) }
	;

/*
 * dstaddr / dstaddrlist: destination counterpart of srcaddr; the same
 * copies and type selection, written to fi_dst, fr_datype and fri_difpidx.
 */
dstaddr:
	addr	{ DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
			bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \
			if (dynamic != -1) { \
				fr->fr_datype = ifpflag; \
				fr->fr_ipf->fri_difpidx = dynamic; \
			} else if (pooled || hashed) \
				fr->fr_datype = FRI_LOOKUP;)
		}
	| lstart dstaddrlist lend
	;

dstaddrlist:
	addr	{ DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
			bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \
			if (dynamic != -1) { \
				fr->fr_datype = ifpflag; \
				fr->fr_ipf->fri_difpidx = dynamic; \
			} else if (pooled || hashed) \
				fr->fr_datype = FRI_LOOKUP;)
		}
	| dstaddrlist lmore addr
		{ DOREM(bcopy(&($3.a), &fr->fr_ip.fi_dst, sizeof($3.a)); \
			bcopy(&($3.m), &fr->fr_mip.fi_dst, sizeof($3.m)); \
			if (dynamic != -1) { \
				fr->fr_datype = ifpflag; \
				fr->fr_ipf->fri_difpidx = dynamic; \
			} else if (pooled || hashed) \
				fr->fr_datype = FRI_LOOKUP;)
		}
	;
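

/*
 * dstport / toport: store the comparison operator in fr_dcmp and the port
 * in fr_dport (plus fr_dtop for a range) on every rule.  dstport may be
 * empty; toport may not.
 */
dstport:
	| portcomp
		{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
	| portrange
		{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
			fr->fr_dtop = $1.p2;) }
	| porteq lstart dstportlist lend
		{ yyresetdict(); }
	;

toport:
	portcomp
		{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
	| portrange
		{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
			fr->fr_dtop = $1.p2;) }
	| porteq lstart dstportlist lend
		{ yyresetdict(); }
	;

/* dstportlist: every listed port is matched with FR_EQUAL. */
dstportlist:
	portnum		{ DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $1;) }
	| dstportlist lmore portnum
			{ DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $3;) }
	;

/*
 * addr: a pool or hash reference (by number, or built inline from a list
 * with makepool()/makehash()), or a plain address.  pooled/hashed record
 * which lookup kind was seen.
 */
addr:	pool '/' YY_NUMBER		{ pooled = 1;
					  yyexpectaddr = 0;
					  $$.a.iplookuptype = IPLT_POOL;
					  $$.a.iplookupnum = $3; }
	| pool '=' '(' poollist ')'	{ pooled = 1;
					  yyexpectaddr = 0;
					  $$.a.iplookuptype = IPLT_POOL;
					  $$.a.iplookupnum = makepool($4); }
	| hash '/' YY_NUMBER		{ hashed = 1;
					  yyexpectaddr = 0;
					  $$.a.iplookuptype = IPLT_HASH;
					  $$.a.iplookupnum = $3; }
	| hash '=' '(' addrlist ')'	{ hashed = 1;
					  yyexpectaddr = 0;
					  $$.a.iplookuptype = IPLT_HASH;
					  $$.a.iplookupnum = makehash($4); }
	| ipaddr			{ bcopy(&$1, &$$, sizeof($$));
					  yyexpectaddr = 0; }
	;

/*
 * ipaddr: "any" (all zero), a host (mask 0xffffffff), a host with an IPv4
 * mask (the address is ANDed with the mask), or an IPv6 address with a
 * 128-bit or explicit mask.  The mask word list is active only while the
 * mask itself is being read.
 */
ipaddr:	IPFY_ANY			{ bzero(&($$), sizeof($$));
					  yyresetdict();
					  yyexpectaddr = 0; }
	| hostname			{ $$.a.in4 = $1;
					  $$.m.in4_addr = 0xffffffff;
					  yyexpectaddr = 0; }
	| hostname			{ yyresetdict();
					  $$.a.in4_addr = $1.s_addr; }
		maskspace		{ yysetdict(maskwords); }
		ipv4mask		{ $$.m.in4_addr = $5.s_addr;
					  $$.a.in4_addr &= $5.s_addr;
					  yyresetdict();
					  yyexpectaddr = 0; }
	| YY_IPV6			{ bcopy(&$1, &$$.a, sizeof($$.a));
					  fill6bits(128, (u_32_t *)&$$.m);
					  yyresetdict();
					  yyexpectaddr = 0; }
	| YY_IPV6			{ yyresetdict();
					  bcopy(&$1, &$$.a, sizeof($$.a)); }
		maskspace		{ yysetdict(maskwords); }
		ipv6mask		{ bcopy(&$5, &$$.m, sizeof($$.m));
					  yyresetdict();
					  yyexpectaddr = 0; }
	;

maskspace:
	'/'
	| IPFY_MASK
	;

/*
 * ipv4mask: dotted quad, hex value, prefix length, or one of the keywords
 * that are valid only for a dynamic address (ifpflag == FRI_DYNAMIC).
 * A keyword zeroes the mask and replaces ifpflag with its own FRI_* type;
 * anywhere else it is a syntax error.
 */
ipv4mask:
	ipv4				{ $$ = $1; }
	| YY_HEX			{ $$.s_addr = htonl($1); }
	| YY_NUMBER			{ ntomask(4, $1, (u_32_t *)&$$); }
	| IPFY_BROADCAST		{ if (ifpflag == FRI_DYNAMIC) {
						$$.s_addr = 0;
						ifpflag = FRI_BROADCAST;
					  } else
						YYERROR;
					}
	| IPFY_NETWORK			{ if (ifpflag == FRI_DYNAMIC) {
						$$.s_addr = 0;
						ifpflag = FRI_NETWORK;
					  } else
						YYERROR;
					}
	| IPFY_NETMASKED		{ if (ifpflag == FRI_DYNAMIC) {
						$$.s_addr = 0;
						ifpflag = FRI_NETMASKED;
					  } else
						YYERROR;
					}
	| IPFY_PEER			{ if (ifpflag == FRI_DYNAMIC) {
						$$.s_addr = 0;
						ifpflag = FRI_PEERADDR;
					  } else
						YYERROR;
					}
	;

/*
 * ipv6mask: prefix length or a dynamic-address keyword.  Each keyword
 * records its own FRI_* type, mirroring ipv4mask, so that an IPv6 rule
 * written with "network", "netmasked" or "peer" is not built as a
 * broadcast match.
 */
ipv6mask:
	YY_NUMBER			{ ntomask(6, $1, $$.i6); }
	| IPFY_BROADCAST		{ if (ifpflag == FRI_DYNAMIC) {
						bzero(&$$, sizeof($$));
						ifpflag = FRI_BROADCAST;
					  } else
						YYERROR;
					}
	| IPFY_NETWORK			{ if (ifpflag == FRI_DYNAMIC) {
						bzero(&$$, sizeof($$));
						ifpflag = FRI_NETWORK;
					  } else
						YYERROR;
					}
	| IPFY_NETMASKED		{ if (ifpflag == FRI_DYNAMIC) {
						bzero(&$$, sizeof($$));
						ifpflag = FRI_NETMASKED;
					  } else
						YYERROR;
					}
	| IPFY_PEER			{ if (ifpflag == FRI_DYNAMIC) {
						bzero(&$$, sizeof($$));
						ifpflag = FRI_PEERADDR;
					  } else
						YYERROR;
					}
	;

/*
 * hostname: dotted quad, number, hex value or a name passed to
 * lookuphost().  A name that yields address 0 is reported through
 * yyerror() unless the address is dynamic.
 */
hostname:
	ipv4				{ $$ = $1; }
	| YY_NUMBER			{ $$.s_addr = $1; }
	| YY_HEX			{ $$.s_addr = $1; }
	| YY_STR			{ $$.s_addr = lookuphost($1);
					  free($1);
					  if ($$.s_addr == 0 &&
						ifpflag != FRI_DYNAMIC)
						yyerror("Unknown hostname");
					}
	;

/* addrlist: newalist() allocates an entry per address for a hash table. */
addrlist:
	ipaddr	{ $$ = newalist(NULL);
		  bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
		  bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); }
	| addrlist ',' ipaddr
		{ $$ = newalist($1);
		  bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
		  bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); }
	;

pool:	IPFY_POOL	{ yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
	;

hash:	IPFY_HASH	{ yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
	;

/* poollist: like addrlist, with '!' marking an entry through al_not. */
poollist:
	ipaddr	{ $$ = newalist(NULL);
		  bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
		  bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); }
	| '!' ipaddr
		{ $$ = newalist(NULL);
		  $$->al_not = 1;
		  bcopy(&($2.a), &($$->al_i6addr), sizeof($2.a));
		  bcopy(&($2.m), &($$->al_i6mask), sizeof($2.m)); }
	| poollist ',' ipaddr
		{ $$ = newalist($1);
		  bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
		  bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); }
	| poollist ',' '!' ipaddr
		{ $$ = newalist($1);
		  $$->al_not = 1;
		  bcopy(&($4.a), &($$->al_i6addr), sizeof($4.a));
		  bcopy(&($4.m), &($$->al_i6mask), sizeof($4.m)); }
	;

port:	IPFY_PORT			{ yyexpectaddr = 0;
					  yycont = NULL;
					}
	;

portc:	port compare			{ $$ = $2;
					  yysetdict(NULL); }
	| porteq			{ $$ = $1; }
	;

porteq:	port '='			{ $$ = FR_EQUAL;
					  yysetdict(NULL); }
	;

portr:	IPFY_PORT			{ yyexpectaddr = 0;
					  yycont = NULL;
					  yysetdict(NULL); }
	;

/* portcomp: operator in pc, port in p1. */
portcomp:
	portc portnum			{ $$.pc = $1;
					  $$.p1 = $2;
					  yyresetdict(); }
	;

/* portrange: low port in p1, range operator in pc, high port in p2. */
portrange:
	portr portnum range portnum	{ $$.p1 = $2;
					  $$.pc = $3;
					  $$.p2 = $4;
					  yyresetdict(); }
	;

icmp:	| itype icode
	;

/*
 * itype / icode: the ICMP type goes into the high byte of fr_icmp and the
 * code into the low byte, with fr_icmpm masking the bytes that were given.
 */
itype:	seticmptype icmptype
	{ DOALL(fr->fr_icmp = htons($2 << 8); fr->fr_icmpm = htons(0xff00););
	  yyresetdict();
	}
	| seticmptype lstart typelist lend	{ yyresetdict(); }
	;

seticmptype:
	IPFY_ICMPTYPE				{ setipftype();
						  yysetdict(icmptypewords); }
	;

icode:	| seticmpcode icmpcode
	{ DOALL(fr->fr_icmp |= htons($2); fr->fr_icmpm |= htons(0xff););
	  yyresetdict();
	}
	| seticmpcode lstart codelist lend	{ yyresetdict(); }
	;

seticmpcode:
	IPFY_ICMPCODE				{ yysetdict(icmpcodewords); }
	;

typelist:
	icmptype
	{ DOREM(fr->fr_icmp = htons($1 << 8); fr->fr_icmpm = htons(0xff00);) }
	| typelist lmore icmptype
	{ DOREM(fr->fr_icmp = htons($3 << 8); fr->fr_icmpm = htons(0xff00);) }
	;

codelist:
	icmpcode
	{ DOREM(fr->fr_icmp |= htons($1); fr->fr_icmpm |= htons(0xff);) }
	| codelist lmore icmpcode
	{ DOREM(fr->fr_icmp |= htons($3); fr->fr_icmpm |= htons(0xff);) }
	;

/* age: one value sets both fr_age entries; "a/b" sets them separately. */
age:	| IPFY_AGE YY_NUMBER		{ DOALL(fr->fr_age[0] = $2; \
						fr->fr_age[1] = $2;) }
	| IPFY_AGE YY_NUMBER '/' YY_NUMBER
					{ DOALL(fr->fr_age[0] = $2; \
						fr->fr_age[1] = $4;) }
	;

keep:	| IPFY_KEEP keepstate
	| IPFY_KEEP keepfrag
	| IPFY_KEEP keepstate IPFY_KEEP keepfrag
	;

keepstate:
	IPFY_STATE stateoptlist		{ DOALL(fr->fr_flags |= FR_KEEPSTATE;)}
	;

keepfrag:
	IPFY_FRAGS fragoptlist		{ DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
	;

fragoptlist:
	| '(' fragopts ')'
	;

fragopts:
	fragopt lanother fragopts
	| fragopt
	;

fragopt:
	IPFY_STRICT			{ DOALL(fr->fr_flags |= FR_FRSTRICT;) }
	;

stateoptlist:
	| '(' stateopts ')'
	;

stateopts:
	stateopt lanother stateopts
	| stateopt
	;

/*
 * stateopt: "limit N" sets fr_statemax; "strict" and "newisn" are
 * accepted only when the rule's protocol is TCP and are a syntax error
 * otherwise.
 */
stateopt:
	IPFY_LIMIT YY_NUMBER	{ DOALL(fr->fr_statemax = $2;) }
	| IPFY_STRICT		{ DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
						YYERROR; \
					} else \
						fr->fr_flags |= FR_STSTRICT;)
				}
	| IPFY_NEWISN		{ DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
						YYERROR; \
					} else \
						fr->fr_flags |= FR_NEWISN;)
				}
	| IPFY_NOICMPERR	{ DOALL(fr->fr_flags |= FR_NOICMPERR;) }
	;

/* portnum: a service name resolved with getport(), or a literal number. */
portnum:
	servicename	{ int p = getport(frc, $1);

			  /*
			   * Test the lookup result before ntohs(): ntohs()
			   * returns an unsigned 16-bit value, so a -1
			   * failure code may no longer be recognisable
			   * afterwards.  (Assumes getport() signals failure
			   * with -1, as the comparison implies -- confirm.)
			   * NOTE(review): the port is still assigned after
			   * the warning; consider rejecting the rule rather
			   * than filtering on a port the operator did not
			   * name.
			   */
			  if (p == -1)
				fprintf(stderr, "service unknown: %s, line %d\n", $1, yylineNum);
			  $$ = ntohs(p);
			  free($1);
			}
	| YY_NUMBER	{ $$ = $1; }
	;

withlist:
	withopt
	| withlist withopt
	;

/*
 * withopt: a plain option sets its bit in both fr_flx and fr_mflx; after
 * "not"/"no" only the mask fr_mflx gets the bit.
 */
withopt:
	opttype		{ DOALL(fr->fr_flx |= $1; fr->fr_mflx |= $1;) }
	| notwith opttype
			{ DOALL(fr->fr_mflx |= $2;) }
	| IPFY_OPT ipopts
	| notwith IPFY_OPT ipopts
	| startv6hdrs ipv6hdrs
	;

startv6hdrs:
	IPF6_V6HDRS	{ if (use_inet6 == 0)
				yyerror("only available with IPv6");
			}
	;

notwith:
	IPFY_NOT			{ nowith = 1; }
	| IPFY_NO			{ nowith = 1; }
	;

opttype:
	IPFY_IPOPTS			{ $$ = FI_OPTIONS; }
	| IPFY_SHORT			{ $$ = FI_SHORT; }
	| IPFY_NAT			{ $$ = FI_NATED; }
	| IPFY_BAD			{ $$ = FI_BAD; }
	| IPFY_BADNAT			{ $$ = FI_BADNAT; }
	| IPFY_BADSRC			{ $$ = FI_BADSRC; }
	| IPFY_LOWTTL			{ $$ = FI_LOWTTL; }
	| IPFY_FRAG			{ $$ = FI_FRAG; }
	| IPFY_MBCAST			{ $$ = FI_MBCAST; }
	| IPFY_MULTICAST		{ $$ = FI_MULTICAST; }
	| IPFY_BROADCAST		{ $$ = FI_BROADCAST; }
	| IPFY_STATE			{ $$ = FI_STATE; }
	| IPFY_OOW			{ $$ = FI_OOW; }
	;

/*
 * ipopts / ipv6hdrs: the option bits always go into the mask
 * (fr_mip.fi_optmsk) and into the value (fr_ip.fi_optmsk) only when the
 * option was not negated.
 */
ipopts:	optlist		{ DOALL(fr->fr_mip.fi_optmsk |= $1;
				if (!nowith)
					fr->fr_ip.fi_optmsk |= $1;)
			}
	;

optlist:
	opt				{ $$ |= $1; }
	| optlist ',' opt		{ $$ |= $1 | $3; }
	;

ipv6hdrs:
	ipv6hdrlist	{ DOALL(fr->fr_mip.fi_optmsk |= $1;
				if (!nowith)
					fr->fr_ip.fi_optmsk |= $1;)
			}
	;

ipv6hdrlist:
	ipv6hdr				{ $$ |= $1; }
	| ipv6hdrlist ',' ipv6hdr	{ $$ |= $1 | $3; }
	;

secname:
	seclevel			{ $$ |= $1; }
	| secname ',' seclevel		{ $$ |= $1 | $3; }
	;

/* seclevel: each keyword maps to secbit() of one IPSO_CLASS_* value. */
seclevel:
	IPFY_SEC_UNC			{ $$ = secbit(IPSO_CLASS_UNCL); }
	| IPFY_SEC_CONF			{ $$ = secbit(IPSO_CLASS_CONF); }
	| IPFY_SEC_RSV1			{ $$ = secbit(IPSO_CLASS_RES1); }
	| IPFY_SEC_RSV2			{ $$ = secbit(IPSO_CLASS_RES2); }
	| IPFY_SEC_RSV3			{ $$ = secbit(IPSO_CLASS_RES3); }
	| IPFY_SEC_RSV4			{ $$ = secbit(IPSO_CLASS_RES4); }
	| IPFY_SEC_SEC			{ $$ = secbit(IPSO_CLASS_SECR); }
	| IPFY_SEC_TS			{ $$ = secbit(IPSO_CLASS_TOPS); }
	;

/* icmptype: a number or a keyword for one ICMP_* type constant. */
icmptype:
	YY_NUMBER			{ $$ = $1; }
	| IPFY_ICMPT_UNR		{ $$ = ICMP_UNREACH; }
	| IPFY_ICMPT_ECHO		{ $$ = ICMP_ECHO; }
	| IPFY_ICMPT_ECHOR		{ $$ = ICMP_ECHOREPLY; }
	| IPFY_ICMPT_SQUENCH		{ $$ = ICMP_SOURCEQUENCH; }
	| IPFY_ICMPT_REDIR		{ $$ = ICMP_REDIRECT; }
	| IPFY_ICMPT_TIMEX		{ $$ = ICMP_TIMXCEED; }
	| IPFY_ICMPT_PARAMP		{ $$ = ICMP_PARAMPROB; }
	| IPFY_ICMPT_TIMEST		{ $$ = ICMP_TSTAMP; }
	| IPFY_ICMPT_TIMESTREP		{ $$ = ICMP_TSTAMPREPLY; }
	| IPFY_ICMPT_INFOREQ		{ $$ = ICMP_IREQ; }
	| IPFY_ICMPT_INFOREP		{ $$ = ICMP_IREQREPLY; }
	| IPFY_ICMPT_MASKREQ		{ $$ = ICMP_MASKREQ; }
	| IPFY_ICMPT_MASKREP		{ $$ = ICMP_MASKREPLY; }
	| IPFY_ICMPT_ROUTERAD		{ $$ = ICMP_ROUTERADVERT; }
	| IPFY_ICMPT_ROUTERSOL		{ $$ = ICMP_ROUTERSOLICIT; }
	;

icmpcode:
	YY_NUMBER			{ $$ = $1; }
	| IPFY_ICMPC_NETUNR		{ $$ = ICMP_UNREACH_NET; }
	| IPFY_ICMPC_HSTUNR		{ $$ = ICMP_UNREACH_HOST; }
	| IPFY_ICMPC_PROUNR		{ $$ = ICMP_UNREACH_PROTOCOL; }
	| IPFY_ICMPC_PORUNR		{ $$ = ICMP_UNREACH_PORT; }
	| IPFY_ICMPC_NEEDF		{ $$ = ICMP_UNREACH_NEEDFRAG; }
	| IPFY_ICMPC_SRCFAIL		{ $$ = ICMP_UNREACH_SRCFAIL; }
	| IPFY_ICMPC_NETUNK		{ $$ = ICMP_UNREACH_NET_UNKNOWN; }
	| IPFY_ICMPC_HSTUNK		{ $$ = ICMP_UNREACH_HOST_UNKNOWN; }
	| IPFY_ICMPC_ISOLATE		{ $$ = ICMP_UNREACH_ISOLATED; }
	| IPFY_ICMPC_NETPRO		{ $$ = ICMP_UNREACH_NET_PROHIB; }
	| IPFY_ICMPC_HSTPRO		{ $$ = ICMP_UNREACH_HOST_PROHIB; }
	| IPFY_ICMPC_NETTOS		{ $$ = ICMP_UNREACH_TOSNET; }
	| IPFY_ICMPC_HSTTOS		{ $$ = ICMP_UNREACH_TOSHOST; }
	|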
IPFY_ICMPC_FLTPRO { $$ = ICMP_UNREACH_ADMIN_PROHIBIT; } 1315*7c478bd9Sstevel@tonic-gate | IPFY_ICMPC_HSTPRE { $$ = 14; } 1316*7c478bd9Sstevel@tonic-gate | IPFY_ICMPC_CUTPRE { $$ = 15; } 1317*7c478bd9Sstevel@tonic-gate ; 1318*7c478bd9Sstevel@tonic-gate 1319*7c478bd9Sstevel@tonic-gate opt: 1320*7c478bd9Sstevel@tonic-gate IPFY_IPOPT_NOP { $$ = getoptbyvalue(IPOPT_NOP); } 1321*7c478bd9Sstevel@tonic-gate | IPFY_IPOPT_RR { $$ = getoptbyvalue(IPOPT_RR); } 1322*7c478bd9Sstevel@tonic-gate | IPFY_IPOPT_ZSU { $$ = getoptbyvalue(IPOPT_ZSU); } 1323*7c478bd9Sstevel@tonic-gate | IPFY_IPOPT_MTUP { $$ = getoptbyvalue(IPOPT_MTUP); } 1324*7c478bd9Sstevel@tonic-gate | IPFY_IPOPT_MTUR { $$ = getoptbyvalue(IPOPT_MTUR); } 1325*7c478bd9Sstevel@tonic-gate | IPFY_IPOPT_ENCODE { $$ = getoptbyvalue(IPOPT_ENCODE); } 1326*7c478bd9Sstevel@tonic-gate | IPFY_IPOPT_TS { $$ = getoptbyvalue(IPOPT_TS); } 1327*7c478bd9Sstevel@tonic-gate | IPFY_IPOPT_TR { $$ = getoptbyvalue(IPOPT_TR); } 1328*7c478bd9Sstevel@tonic-gate | IPFY_IPOPT_SEC { $$ = getoptbyvalue(IPOPT_SECURITY); } 1329*7c478bd9Sstevel@tonic-gate | IPFY_IPOPT_LSRR { $$ = getoptbyvalue(IPOPT_LSRR); } 1330*7c478bd9Sstevel@tonic-gate | IPFY_IPOPT_ESEC { $$ = getoptbyvalue(IPOPT_E_SEC); } 1331*7c478bd9Sstevel@tonic-gate | IPFY_IPOPT_CIPSO { $$ = getoptbyvalue(IPOPT_CIPSO); } 1332*7c478bd9Sstevel@tonic-gate | IPFY_IPOPT_SATID { $$ = getoptbyvalue(IPOPT_SATID); } 1333*7c478bd9Sstevel@tonic-gate | IPFY_IPOPT_SSRR { $$ = getoptbyvalue(IPOPT_SSRR); } 1334*7c478bd9Sstevel@tonic-gate | IPFY_IPOPT_ADDEXT { $$ = getoptbyvalue(IPOPT_ADDEXT); } 1335*7c478bd9Sstevel@tonic-gate | IPFY_IPOPT_VISA { $$ = getoptbyvalue(IPOPT_VISA); } 1336*7c478bd9Sstevel@tonic-gate | IPFY_IPOPT_IMITD { $$ = getoptbyvalue(IPOPT_IMITD); } 1337*7c478bd9Sstevel@tonic-gate | IPFY_IPOPT_EIP { $$ = getoptbyvalue(IPOPT_EIP); } 1338*7c478bd9Sstevel@tonic-gate | IPFY_IPOPT_FINN { $$ = getoptbyvalue(IPOPT_FINN); } 1339*7c478bd9Sstevel@tonic-gate | IPFY_IPOPT_DPS { $$ = 
getoptbyvalue(IPOPT_DPS); } 1340*7c478bd9Sstevel@tonic-gate | IPFY_IPOPT_SDB { $$ = getoptbyvalue(IPOPT_SDB); } 1341*7c478bd9Sstevel@tonic-gate | IPFY_IPOPT_NSAPA { $$ = getoptbyvalue(IPOPT_NSAPA); } 1342*7c478bd9Sstevel@tonic-gate | IPFY_IPOPT_RTRALRT { $$ = getoptbyvalue(IPOPT_RTRALRT); } 1343*7c478bd9Sstevel@tonic-gate | IPFY_IPOPT_UMP { $$ = getoptbyvalue(IPOPT_UMP); } 1344*7c478bd9Sstevel@tonic-gate | IPFY_SECCLASS secname 1345*7c478bd9Sstevel@tonic-gate { DOALL(fr->fr_mip.fi_secmsk |= $2; 1346*7c478bd9Sstevel@tonic-gate if (!nowith) 1347*7c478bd9Sstevel@tonic-gate fr->fr_ip.fi_secmsk |= $2;) 1348*7c478bd9Sstevel@tonic-gate $$ = 0; 1349*7c478bd9Sstevel@tonic-gate } 1350*7c478bd9Sstevel@tonic-gate ; 1351*7c478bd9Sstevel@tonic-gate 1352*7c478bd9Sstevel@tonic-gate ipv6hdr: 1353*7c478bd9Sstevel@tonic-gate IPFY_AH { $$ = getv6optbyvalue(IPPROTO_AH); } 1354*7c478bd9Sstevel@tonic-gate | IPFY_IPV6OPT_DSTOPTS { $$ = getv6optbyvalue(IPPROTO_DSTOPTS); } 1355*7c478bd9Sstevel@tonic-gate | IPFY_ESP { $$ = getv6optbyvalue(IPPROTO_ESP); } 1356*7c478bd9Sstevel@tonic-gate | IPFY_IPV6OPT_HOPOPTS { $$ = getv6optbyvalue(IPPROTO_HOPOPTS); } 1357*7c478bd9Sstevel@tonic-gate | IPFY_IPV6OPT_IPV6 { $$ = getv6optbyvalue(IPPROTO_IPV6); } 1358*7c478bd9Sstevel@tonic-gate | IPFY_IPV6OPT_NONE { $$ = getv6optbyvalue(IPPROTO_NONE); } 1359*7c478bd9Sstevel@tonic-gate | IPFY_IPV6OPT_ROUTING { $$ = getv6optbyvalue(IPPROTO_ROUTING); } 1360*7c478bd9Sstevel@tonic-gate | IPFY_FRAG { $$ = getv6optbyvalue(IPPROTO_FRAGMENT); } 1361*7c478bd9Sstevel@tonic-gate ; 1362*7c478bd9Sstevel@tonic-gate 1363*7c478bd9Sstevel@tonic-gate level: IPFY_LEVEL { setsyslog(); } 1364*7c478bd9Sstevel@tonic-gate ; 1365*7c478bd9Sstevel@tonic-gate 1366*7c478bd9Sstevel@tonic-gate loglevel: 1367*7c478bd9Sstevel@tonic-gate priority { fr->fr_loglevel = LOG_LOCAL0|$1; } 1368*7c478bd9Sstevel@tonic-gate | facility '.' 
priority { fr->fr_loglevel = $1 | $3; } 1369*7c478bd9Sstevel@tonic-gate ; 1370*7c478bd9Sstevel@tonic-gate 1371*7c478bd9Sstevel@tonic-gate facility: 1372*7c478bd9Sstevel@tonic-gate IPFY_FAC_KERN { $$ = LOG_KERN; } 1373*7c478bd9Sstevel@tonic-gate | IPFY_FAC_USER { $$ = LOG_USER; } 1374*7c478bd9Sstevel@tonic-gate | IPFY_FAC_MAIL { $$ = LOG_MAIL; } 1375*7c478bd9Sstevel@tonic-gate | IPFY_FAC_DAEMON { $$ = LOG_DAEMON; } 1376*7c478bd9Sstevel@tonic-gate | IPFY_FAC_AUTH { $$ = LOG_AUTH; } 1377*7c478bd9Sstevel@tonic-gate | IPFY_FAC_SYSLOG { $$ = LOG_SYSLOG; } 1378*7c478bd9Sstevel@tonic-gate | IPFY_FAC_LPR { $$ = LOG_LPR; } 1379*7c478bd9Sstevel@tonic-gate | IPFY_FAC_NEWS { $$ = LOG_NEWS; } 1380*7c478bd9Sstevel@tonic-gate | IPFY_FAC_UUCP { $$ = LOG_UUCP; } 1381*7c478bd9Sstevel@tonic-gate | IPFY_FAC_CRON { $$ = LOG_CRON; } 1382*7c478bd9Sstevel@tonic-gate | IPFY_FAC_FTP { $$ = LOG_FTP; } 1383*7c478bd9Sstevel@tonic-gate | IPFY_FAC_AUTHPRIV { $$ = LOG_AUTHPRIV; } 1384*7c478bd9Sstevel@tonic-gate | IPFY_FAC_AUDIT { $$ = LOG_AUDIT; } 1385*7c478bd9Sstevel@tonic-gate | IPFY_FAC_LFMT { $$ = LOG_LFMT; } 1386*7c478bd9Sstevel@tonic-gate | IPFY_FAC_LOCAL0 { $$ = LOG_LOCAL0; } 1387*7c478bd9Sstevel@tonic-gate | IPFY_FAC_LOCAL1 { $$ = LOG_LOCAL1; } 1388*7c478bd9Sstevel@tonic-gate | IPFY_FAC_LOCAL2 { $$ = LOG_LOCAL2; } 1389*7c478bd9Sstevel@tonic-gate | IPFY_FAC_LOCAL3 { $$ = LOG_LOCAL3; } 1390*7c478bd9Sstevel@tonic-gate | IPFY_FAC_LOCAL4 { $$ = LOG_LOCAL4; } 1391*7c478bd9Sstevel@tonic-gate | IPFY_FAC_LOCAL5 { $$ = LOG_LOCAL5; } 1392*7c478bd9Sstevel@tonic-gate | IPFY_FAC_LOCAL6 { $$ = LOG_LOCAL6; } 1393*7c478bd9Sstevel@tonic-gate | IPFY_FAC_LOCAL7 { $$ = LOG_LOCAL7; } 1394*7c478bd9Sstevel@tonic-gate | IPFY_FAC_SECURITY { $$ = LOG_SECURITY; } 1395*7c478bd9Sstevel@tonic-gate ; 1396*7c478bd9Sstevel@tonic-gate 1397*7c478bd9Sstevel@tonic-gate priority: 1398*7c478bd9Sstevel@tonic-gate IPFY_PRI_EMERG { $$ = LOG_EMERG; } 1399*7c478bd9Sstevel@tonic-gate | IPFY_PRI_ALERT { $$ = LOG_ALERT; } 
1400*7c478bd9Sstevel@tonic-gate | IPFY_PRI_CRIT { $$ = LOG_CRIT; } 1401*7c478bd9Sstevel@tonic-gate | IPFY_PRI_ERR { $$ = LOG_ERR; } 1402*7c478bd9Sstevel@tonic-gate | IPFY_PRI_WARN { $$ = LOG_WARNING; } 1403*7c478bd9Sstevel@tonic-gate | IPFY_PRI_NOTICE { $$ = LOG_NOTICE; } 1404*7c478bd9Sstevel@tonic-gate | IPFY_PRI_INFO { $$ = LOG_INFO; } 1405*7c478bd9Sstevel@tonic-gate | IPFY_PRI_DEBUG { $$ = LOG_DEBUG; } 1406*7c478bd9Sstevel@tonic-gate ; 1407*7c478bd9Sstevel@tonic-gate 1408*7c478bd9Sstevel@tonic-gate compare: 1409*7c478bd9Sstevel@tonic-gate '=' { $$ = FR_EQUAL; } 1410*7c478bd9Sstevel@tonic-gate | YY_CMP_EQ { $$ = FR_EQUAL; } 1411*7c478bd9Sstevel@tonic-gate | YY_CMP_NE { $$ = FR_NEQUAL; } 1412*7c478bd9Sstevel@tonic-gate | YY_CMP_LT { $$ = FR_LESST; } 1413*7c478bd9Sstevel@tonic-gate | YY_CMP_LE { $$ = FR_LESSTE; } 1414*7c478bd9Sstevel@tonic-gate | YY_CMP_GT { $$ = FR_GREATERT; } 1415*7c478bd9Sstevel@tonic-gate | YY_CMP_GE { $$ = FR_GREATERTE; } 1416*7c478bd9Sstevel@tonic-gate ; 1417*7c478bd9Sstevel@tonic-gate 1418*7c478bd9Sstevel@tonic-gate range: YY_RANGE_IN { $$ = FR_INRANGE; } 1419*7c478bd9Sstevel@tonic-gate | YY_RANGE_OUT { $$ = FR_OUTRANGE; } 1420*7c478bd9Sstevel@tonic-gate | ':' { $$ = FR_INCRANGE; } 1421*7c478bd9Sstevel@tonic-gate ; 1422*7c478bd9Sstevel@tonic-gate 1423*7c478bd9Sstevel@tonic-gate servicename: 1424*7c478bd9Sstevel@tonic-gate YY_STR { $$ = $1; } 1425*7c478bd9Sstevel@tonic-gate ; 1426*7c478bd9Sstevel@tonic-gate 1427*7c478bd9Sstevel@tonic-gate interfacename: YY_STR { $$ = $1; } 1428*7c478bd9Sstevel@tonic-gate | YY_STR ':' YY_NUMBER 1429*7c478bd9Sstevel@tonic-gate { $$ = $1; 1430*7c478bd9Sstevel@tonic-gate #if SOLARIS2 >= 10 1431*7c478bd9Sstevel@tonic-gate if (strncmp(VNI, $1, VNISTRLEN) != 0) 1432*7c478bd9Sstevel@tonic-gate #endif 1433*7c478bd9Sstevel@tonic-gate fprintf(stderr, "%d: Logical interface %s:%d unsupported, " 1434*7c478bd9Sstevel@tonic-gate "use the physical interface %s instead.\n", 1435*7c478bd9Sstevel@tonic-gate yylineNum, $1, $3, 
$1); 1436*7c478bd9Sstevel@tonic-gate } 1437*7c478bd9Sstevel@tonic-gate ; 1438*7c478bd9Sstevel@tonic-gate 1439*7c478bd9Sstevel@tonic-gate name: YY_STR { $$ = $1; } 1440*7c478bd9Sstevel@tonic-gate ; 1441*7c478bd9Sstevel@tonic-gate 1442*7c478bd9Sstevel@tonic-gate ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER 1443*7c478bd9Sstevel@tonic-gate { if ($1 > 255 || $3 > 255 || $5 > 255 || $7 > 255) { 1444*7c478bd9Sstevel@tonic-gate yyerror("Invalid octet string for IP address"); 1445*7c478bd9Sstevel@tonic-gate return 0; 1446*7c478bd9Sstevel@tonic-gate } 1447*7c478bd9Sstevel@tonic-gate $$.s_addr = ($1 << 24) | ($3 << 16) | ($5 << 8) | $7; 1448*7c478bd9Sstevel@tonic-gate $$.s_addr = htonl($$.s_addr); 1449*7c478bd9Sstevel@tonic-gate } 1450*7c478bd9Sstevel@tonic-gate ; 1451*7c478bd9Sstevel@tonic-gate %% 1452*7c478bd9Sstevel@tonic-gate 1453*7c478bd9Sstevel@tonic-gate 1454*7c478bd9Sstevel@tonic-gate static struct wordtab ipfwords[] = { 1455*7c478bd9Sstevel@tonic-gate { "addext", IPFY_IPOPT_ADDEXT }, 1456*7c478bd9Sstevel@tonic-gate { "age", IPFY_AGE }, 1457*7c478bd9Sstevel@tonic-gate { "ah", IPFY_AH }, 1458*7c478bd9Sstevel@tonic-gate { "all", IPFY_ALL }, 1459*7c478bd9Sstevel@tonic-gate { "and", IPFY_AND }, 1460*7c478bd9Sstevel@tonic-gate { "auth", IPFY_AUTH }, 1461*7c478bd9Sstevel@tonic-gate { "bad", IPFY_BAD }, 1462*7c478bd9Sstevel@tonic-gate { "bad-nat", IPFY_BADNAT }, 1463*7c478bd9Sstevel@tonic-gate { "bad-src", IPFY_BADSRC }, 1464*7c478bd9Sstevel@tonic-gate { "bcast", IPFY_BROADCAST }, 1465*7c478bd9Sstevel@tonic-gate { "block", IPFY_BLOCK }, 1466*7c478bd9Sstevel@tonic-gate { "body", IPFY_BODY }, 1467*7c478bd9Sstevel@tonic-gate { "bpf", IPFY_BPF }, 1468*7c478bd9Sstevel@tonic-gate { "call", IPFY_CALL }, 1469*7c478bd9Sstevel@tonic-gate { "cipso", IPFY_IPOPT_CIPSO }, 1470*7c478bd9Sstevel@tonic-gate { "code", IPFY_ICMPCODE }, 1471*7c478bd9Sstevel@tonic-gate { "confid", IPFY_SEC_CONF }, 1472*7c478bd9Sstevel@tonic-gate { "count", IPFY_COUNT }, 
1473*7c478bd9Sstevel@tonic-gate { "divert", IPFY_DIVERT }, 1474*7c478bd9Sstevel@tonic-gate { "dps", IPFY_IPOPT_DPS }, 1475*7c478bd9Sstevel@tonic-gate { "dstopts", IPFY_IPV6OPT_DSTOPTS }, 1476*7c478bd9Sstevel@tonic-gate { "dup-to", IPFY_DUPTO }, 1477*7c478bd9Sstevel@tonic-gate { "e-sec", IPFY_IPOPT_ESEC }, 1478*7c478bd9Sstevel@tonic-gate { "eip", IPFY_IPOPT_EIP }, 1479*7c478bd9Sstevel@tonic-gate { "encode", IPFY_IPOPT_ENCODE }, 1480*7c478bd9Sstevel@tonic-gate { "eq", YY_CMP_EQ }, 1481*7c478bd9Sstevel@tonic-gate { "esp", IPFY_ESP }, 1482*7c478bd9Sstevel@tonic-gate { "fastroute", IPFY_FROUTE }, 1483*7c478bd9Sstevel@tonic-gate { "first", IPFY_FIRST }, 1484*7c478bd9Sstevel@tonic-gate { "finn", IPFY_IPOPT_FINN }, 1485*7c478bd9Sstevel@tonic-gate { "frag", IPFY_FRAG }, 1486*7c478bd9Sstevel@tonic-gate { "flags", IPFY_FLAGS }, 1487*7c478bd9Sstevel@tonic-gate { "frags", IPFY_FRAGS }, 1488*7c478bd9Sstevel@tonic-gate { "from", IPFY_FROM }, 1489*7c478bd9Sstevel@tonic-gate { "ge", YY_CMP_GE }, 1490*7c478bd9Sstevel@tonic-gate { "group", IPFY_GROUP }, 1491*7c478bd9Sstevel@tonic-gate { "gt", YY_CMP_GT }, 1492*7c478bd9Sstevel@tonic-gate { "head", IPFY_HEAD }, 1493*7c478bd9Sstevel@tonic-gate { "hopopts", IPFY_IPV6OPT_HOPOPTS }, 1494*7c478bd9Sstevel@tonic-gate { "host-preced", IPFY_ICMPC_HSTPRE }, 1495*7c478bd9Sstevel@tonic-gate { "host-prohib", IPFY_ICMPC_HSTPRO }, 1496*7c478bd9Sstevel@tonic-gate { "host-tos", IPFY_ICMPC_HSTTOS }, 1497*7c478bd9Sstevel@tonic-gate { "host-unk", IPFY_ICMPC_HSTUNK }, 1498*7c478bd9Sstevel@tonic-gate { "host-unr", IPFY_ICMPC_HSTUNR }, 1499*7c478bd9Sstevel@tonic-gate { "icmp", IPFY_ICMP }, 1500*7c478bd9Sstevel@tonic-gate { "icmp-type", IPFY_ICMPTYPE }, 1501*7c478bd9Sstevel@tonic-gate { "imitd", IPFY_IPOPT_IMITD }, 1502*7c478bd9Sstevel@tonic-gate { "in", IPFY_IN }, 1503*7c478bd9Sstevel@tonic-gate { "in-via", IPFY_INVIA }, 1504*7c478bd9Sstevel@tonic-gate { "ipopt", IPFY_IPOPTS }, 1505*7c478bd9Sstevel@tonic-gate { "ipopts", IPFY_IPOPTS }, 
1506*7c478bd9Sstevel@tonic-gate { "ipv6", IPFY_IPV6OPT_IPV6 }, 1507*7c478bd9Sstevel@tonic-gate { "keep", IPFY_KEEP }, 1508*7c478bd9Sstevel@tonic-gate { "le", YY_CMP_LE }, 1509*7c478bd9Sstevel@tonic-gate { "level", IPFY_LEVEL }, 1510*7c478bd9Sstevel@tonic-gate { "limit", IPFY_LIMIT }, 1511*7c478bd9Sstevel@tonic-gate { "log", IPFY_LOG }, 1512*7c478bd9Sstevel@tonic-gate { "lowttl", IPFY_LOWTTL }, 1513*7c478bd9Sstevel@tonic-gate { "lsrr", IPFY_IPOPT_LSRR }, 1514*7c478bd9Sstevel@tonic-gate { "lt", YY_CMP_LT }, 1515*7c478bd9Sstevel@tonic-gate { "mask", IPFY_MASK }, 1516*7c478bd9Sstevel@tonic-gate { "mbcast", IPFY_MBCAST }, 1517*7c478bd9Sstevel@tonic-gate { "mtup", IPFY_IPOPT_MTUP }, 1518*7c478bd9Sstevel@tonic-gate { "mtur", IPFY_IPOPT_MTUR }, 1519*7c478bd9Sstevel@tonic-gate { "multicast", IPFY_MULTICAST }, 1520*7c478bd9Sstevel@tonic-gate { "nat", IPFY_NAT }, 1521*7c478bd9Sstevel@tonic-gate { "ne", YY_CMP_NE }, 1522*7c478bd9Sstevel@tonic-gate { "net", IPFY_NETWORK }, 1523*7c478bd9Sstevel@tonic-gate { "newisn", IPFY_NEWISN }, 1524*7c478bd9Sstevel@tonic-gate { "no", IPFY_NO }, 1525*7c478bd9Sstevel@tonic-gate { "no-icmp-err", IPFY_NOICMPERR }, 1526*7c478bd9Sstevel@tonic-gate { "none", IPFY_IPV6OPT_NONE }, 1527*7c478bd9Sstevel@tonic-gate { "nop", IPFY_IPOPT_NOP }, 1528*7c478bd9Sstevel@tonic-gate { "now", IPFY_NOW }, 1529*7c478bd9Sstevel@tonic-gate { "not", IPFY_NOT }, 1530*7c478bd9Sstevel@tonic-gate { "nsapa", IPFY_IPOPT_NSAPA }, 1531*7c478bd9Sstevel@tonic-gate { "oow", IPFY_OOW }, 1532*7c478bd9Sstevel@tonic-gate { "on", IPFY_ON }, 1533*7c478bd9Sstevel@tonic-gate { "opt", IPFY_OPT }, 1534*7c478bd9Sstevel@tonic-gate { "or-block", IPFY_ORBLOCK }, 1535*7c478bd9Sstevel@tonic-gate { "out", IPFY_OUT }, 1536*7c478bd9Sstevel@tonic-gate { "out-via", IPFY_OUTVIA }, 1537*7c478bd9Sstevel@tonic-gate { "pass", IPFY_PASS }, 1538*7c478bd9Sstevel@tonic-gate { "port", IPFY_PORT }, 1539*7c478bd9Sstevel@tonic-gate { "pps", IPFY_PPS }, 1540*7c478bd9Sstevel@tonic-gate { "preauth", IPFY_PREAUTH }, 
1541*7c478bd9Sstevel@tonic-gate { "proto", IPFY_PROTO }, 1542*7c478bd9Sstevel@tonic-gate { "quick", IPFY_QUICK }, 1543*7c478bd9Sstevel@tonic-gate { "reply-to", IPFY_REPLY_TO }, 1544*7c478bd9Sstevel@tonic-gate { "reserv-1", IPFY_SEC_RSV1 }, 1545*7c478bd9Sstevel@tonic-gate { "reserv-2", IPFY_SEC_RSV2 }, 1546*7c478bd9Sstevel@tonic-gate { "reserv-3", IPFY_SEC_RSV3 }, 1547*7c478bd9Sstevel@tonic-gate { "reserv-4", IPFY_SEC_RSV4 }, 1548*7c478bd9Sstevel@tonic-gate { "return-icmp", IPFY_RETICMP }, 1549*7c478bd9Sstevel@tonic-gate { "return-icmp-as-dest", IPFY_RETICMPASDST }, 1550*7c478bd9Sstevel@tonic-gate { "return-rst", IPFY_RETRST }, 1551*7c478bd9Sstevel@tonic-gate { "routing", IPFY_IPV6OPT_ROUTING }, 1552*7c478bd9Sstevel@tonic-gate { "rr", IPFY_IPOPT_RR }, 1553*7c478bd9Sstevel@tonic-gate { "rtralrt", IPFY_IPOPT_RTRALRT }, 1554*7c478bd9Sstevel@tonic-gate { "satid", IPFY_IPOPT_SATID }, 1555*7c478bd9Sstevel@tonic-gate { "sdb", IPFY_IPOPT_SDB }, 1556*7c478bd9Sstevel@tonic-gate { "sec", IPFY_IPOPT_SEC }, 1557*7c478bd9Sstevel@tonic-gate { "sec-class", IPFY_SECCLASS }, 1558*7c478bd9Sstevel@tonic-gate { "secret", IPFY_SEC_SEC }, 1559*7c478bd9Sstevel@tonic-gate { "skip", IPFY_SKIP }, 1560*7c478bd9Sstevel@tonic-gate { "short", IPFY_SHORT }, 1561*7c478bd9Sstevel@tonic-gate { "ssrr", IPFY_IPOPT_SSRR }, 1562*7c478bd9Sstevel@tonic-gate { "state", IPFY_STATE }, 1563*7c478bd9Sstevel@tonic-gate { "strict", IPFY_STRICT }, 1564*7c478bd9Sstevel@tonic-gate { "tag", IPFY_TAG }, 1565*7c478bd9Sstevel@tonic-gate { "tcp", IPFY_TCP }, 1566*7c478bd9Sstevel@tonic-gate { "tcp-udp", IPFY_TCPUDP }, 1567*7c478bd9Sstevel@tonic-gate { "tos", IPFY_TOS }, 1568*7c478bd9Sstevel@tonic-gate { "topsecret", IPFY_SEC_TS }, 1569*7c478bd9Sstevel@tonic-gate { "to", IPFY_TO }, 1570*7c478bd9Sstevel@tonic-gate { "tr", IPFY_IPOPT_TR }, 1571*7c478bd9Sstevel@tonic-gate { "ts", IPFY_IPOPT_TS }, 1572*7c478bd9Sstevel@tonic-gate { "ttl", IPFY_TTL }, 1573*7c478bd9Sstevel@tonic-gate { "udp", IPFY_UDP }, 
1574*7c478bd9Sstevel@tonic-gate { "ump", IPFY_IPOPT_UMP }, 1575*7c478bd9Sstevel@tonic-gate { "unclass", IPFY_SEC_UNC }, 1576*7c478bd9Sstevel@tonic-gate { "v6hdrs", IPF6_V6HDRS }, 1577*7c478bd9Sstevel@tonic-gate { "visa", IPFY_IPOPT_VISA }, 1578*7c478bd9Sstevel@tonic-gate { "with", IPFY_WITH }, 1579*7c478bd9Sstevel@tonic-gate { "zsu", IPFY_IPOPT_ZSU }, 1580*7c478bd9Sstevel@tonic-gate { NULL, 0 } 1581*7c478bd9Sstevel@tonic-gate }; 1582*7c478bd9Sstevel@tonic-gate 1583*7c478bd9Sstevel@tonic-gate static struct wordtab addrwords[4] = { 1584*7c478bd9Sstevel@tonic-gate { "any", IPFY_ANY }, 1585*7c478bd9Sstevel@tonic-gate { "hash", IPFY_HASH }, 1586*7c478bd9Sstevel@tonic-gate { "pool", IPFY_POOL }, 1587*7c478bd9Sstevel@tonic-gate { NULL, 0 } 1588*7c478bd9Sstevel@tonic-gate }; 1589*7c478bd9Sstevel@tonic-gate 1590*7c478bd9Sstevel@tonic-gate static struct wordtab maskwords[5] = { 1591*7c478bd9Sstevel@tonic-gate { "broadcast", IPFY_BROADCAST }, 1592*7c478bd9Sstevel@tonic-gate { "netmasked", IPFY_NETMASKED }, 1593*7c478bd9Sstevel@tonic-gate { "network", IPFY_NETWORK }, 1594*7c478bd9Sstevel@tonic-gate { "peer", IPFY_PEER }, 1595*7c478bd9Sstevel@tonic-gate { NULL, 0 } 1596*7c478bd9Sstevel@tonic-gate }; 1597*7c478bd9Sstevel@tonic-gate 1598*7c478bd9Sstevel@tonic-gate static struct wordtab icmptypewords[16] = { 1599*7c478bd9Sstevel@tonic-gate { "echo", IPFY_ICMPT_ECHO }, 1600*7c478bd9Sstevel@tonic-gate { "echorep", IPFY_ICMPT_ECHOR }, 1601*7c478bd9Sstevel@tonic-gate { "inforeq", IPFY_ICMPT_INFOREQ }, 1602*7c478bd9Sstevel@tonic-gate { "inforep", IPFY_ICMPT_INFOREP }, 1603*7c478bd9Sstevel@tonic-gate { "maskrep", IPFY_ICMPT_MASKREP }, 1604*7c478bd9Sstevel@tonic-gate { "maskreq", IPFY_ICMPT_MASKREQ }, 1605*7c478bd9Sstevel@tonic-gate { "paramprob", IPFY_ICMPT_PARAMP }, 1606*7c478bd9Sstevel@tonic-gate { "redir", IPFY_ICMPT_REDIR }, 1607*7c478bd9Sstevel@tonic-gate { "unreach", IPFY_ICMPT_UNR }, 1608*7c478bd9Sstevel@tonic-gate { "routerad", IPFY_ICMPT_ROUTERAD }, 
1609*7c478bd9Sstevel@tonic-gate { "routersol", IPFY_ICMPT_ROUTERSOL }, 1610*7c478bd9Sstevel@tonic-gate { "squench", IPFY_ICMPT_SQUENCH }, 1611*7c478bd9Sstevel@tonic-gate { "timest", IPFY_ICMPT_TIMEST }, 1612*7c478bd9Sstevel@tonic-gate { "timestrep", IPFY_ICMPT_TIMESTREP }, 1613*7c478bd9Sstevel@tonic-gate { "timex", IPFY_ICMPT_TIMEX }, 1614*7c478bd9Sstevel@tonic-gate { NULL, 0 }, 1615*7c478bd9Sstevel@tonic-gate }; 1616*7c478bd9Sstevel@tonic-gate 1617*7c478bd9Sstevel@tonic-gate static struct wordtab icmpcodewords[17] = { 1618*7c478bd9Sstevel@tonic-gate { "cutoff-preced", IPFY_ICMPC_CUTPRE }, 1619*7c478bd9Sstevel@tonic-gate { "filter-prohib", IPFY_ICMPC_FLTPRO }, 1620*7c478bd9Sstevel@tonic-gate { "isolate", IPFY_ICMPC_ISOLATE }, 1621*7c478bd9Sstevel@tonic-gate { "needfrag", IPFY_ICMPC_NEEDF }, 1622*7c478bd9Sstevel@tonic-gate { "net-prohib", IPFY_ICMPC_NETPRO }, 1623*7c478bd9Sstevel@tonic-gate { "net-tos", IPFY_ICMPC_NETTOS }, 1624*7c478bd9Sstevel@tonic-gate { "host-preced", IPFY_ICMPC_HSTPRE }, 1625*7c478bd9Sstevel@tonic-gate { "host-prohib", IPFY_ICMPC_HSTPRO }, 1626*7c478bd9Sstevel@tonic-gate { "host-tos", IPFY_ICMPC_HSTTOS }, 1627*7c478bd9Sstevel@tonic-gate { "host-unk", IPFY_ICMPC_HSTUNK }, 1628*7c478bd9Sstevel@tonic-gate { "host-unr", IPFY_ICMPC_HSTUNR }, 1629*7c478bd9Sstevel@tonic-gate { "net-unk", IPFY_ICMPC_NETUNK }, 1630*7c478bd9Sstevel@tonic-gate { "net-unr", IPFY_ICMPC_NETUNR }, 1631*7c478bd9Sstevel@tonic-gate { "port-unr", IPFY_ICMPC_PORUNR }, 1632*7c478bd9Sstevel@tonic-gate { "proto-unr", IPFY_ICMPC_PROUNR }, 1633*7c478bd9Sstevel@tonic-gate { "srcfail", IPFY_ICMPC_SRCFAIL }, 1634*7c478bd9Sstevel@tonic-gate { NULL, 0 }, 1635*7c478bd9Sstevel@tonic-gate }; 1636*7c478bd9Sstevel@tonic-gate 1637*7c478bd9Sstevel@tonic-gate static struct wordtab logwords[] = { 1638*7c478bd9Sstevel@tonic-gate { "kern", IPFY_FAC_KERN }, 1639*7c478bd9Sstevel@tonic-gate { "user", IPFY_FAC_USER }, 1640*7c478bd9Sstevel@tonic-gate { "mail", IPFY_FAC_MAIL }, 
1641*7c478bd9Sstevel@tonic-gate { "daemon", IPFY_FAC_DAEMON }, 1642*7c478bd9Sstevel@tonic-gate { "auth", IPFY_FAC_AUTH }, 1643*7c478bd9Sstevel@tonic-gate { "syslog", IPFY_FAC_SYSLOG }, 1644*7c478bd9Sstevel@tonic-gate { "lpr", IPFY_FAC_LPR }, 1645*7c478bd9Sstevel@tonic-gate { "news", IPFY_FAC_NEWS }, 1646*7c478bd9Sstevel@tonic-gate { "uucp", IPFY_FAC_UUCP }, 1647*7c478bd9Sstevel@tonic-gate { "cron", IPFY_FAC_CRON }, 1648*7c478bd9Sstevel@tonic-gate { "ftp", IPFY_FAC_FTP }, 1649*7c478bd9Sstevel@tonic-gate { "authpriv", IPFY_FAC_AUTHPRIV }, 1650*7c478bd9Sstevel@tonic-gate { "audit", IPFY_FAC_AUDIT }, 1651*7c478bd9Sstevel@tonic-gate { "logalert", IPFY_FAC_LFMT }, 1652*7c478bd9Sstevel@tonic-gate { "console", IPFY_FAC_CONSOLE }, 1653*7c478bd9Sstevel@tonic-gate { "security", IPFY_FAC_SECURITY }, 1654*7c478bd9Sstevel@tonic-gate { "local0", IPFY_FAC_LOCAL0 }, 1655*7c478bd9Sstevel@tonic-gate { "local1", IPFY_FAC_LOCAL1 }, 1656*7c478bd9Sstevel@tonic-gate { "local2", IPFY_FAC_LOCAL2 }, 1657*7c478bd9Sstevel@tonic-gate { "local3", IPFY_FAC_LOCAL3 }, 1658*7c478bd9Sstevel@tonic-gate { "local4", IPFY_FAC_LOCAL4 }, 1659*7c478bd9Sstevel@tonic-gate { "local5", IPFY_FAC_LOCAL5 }, 1660*7c478bd9Sstevel@tonic-gate { "local6", IPFY_FAC_LOCAL6 }, 1661*7c478bd9Sstevel@tonic-gate { "local7", IPFY_FAC_LOCAL7 }, 1662*7c478bd9Sstevel@tonic-gate { "emerg", IPFY_PRI_EMERG }, 1663*7c478bd9Sstevel@tonic-gate { "alert", IPFY_PRI_ALERT }, 1664*7c478bd9Sstevel@tonic-gate { "crit", IPFY_PRI_CRIT }, 1665*7c478bd9Sstevel@tonic-gate { "err", IPFY_PRI_ERR }, 1666*7c478bd9Sstevel@tonic-gate { "warn", IPFY_PRI_WARN }, 1667*7c478bd9Sstevel@tonic-gate { "notice", IPFY_PRI_NOTICE }, 1668*7c478bd9Sstevel@tonic-gate { "info", IPFY_PRI_INFO }, 1669*7c478bd9Sstevel@tonic-gate { "debug", IPFY_PRI_DEBUG }, 1670*7c478bd9Sstevel@tonic-gate { NULL, 0 }, 1671*7c478bd9Sstevel@tonic-gate }; 1672*7c478bd9Sstevel@tonic-gate 1673*7c478bd9Sstevel@tonic-gate 1674*7c478bd9Sstevel@tonic-gate 1675*7c478bd9Sstevel@tonic-gate 
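/*
 * Report a failed allocation while building a rule and stop.
 * The callers below write through the new pointer immediately, so
 * continuing after a failed allocation would dereference NULL.
 */
static void ipf_y_nomem(what)
char *what;
{
	fprintf(stderr, "%d: out of memory allocating %s\n", yylineNum, what);
	exit(1);
}


/*
 * Parse a whole rule file.
 *
 * fd, addfunc and iocfuncs are handed unchanged to ipf_parsesome().
 * filename is the path to read, or "-" for standard input.
 *
 * Returns -1 when the file cannot be opened and 0 otherwise; parse
 * errors are not reflected in the return value.
 */
int ipf_parsefile(fd, addfunc, iocfuncs, filename)
int fd;
addfunc_t addfunc;
ioctlfunc_t *iocfuncs;
char *filename;
{
	FILE *fp = NULL;
	char *s;

	yylineNum = 1;
	yysettab(ipfwords);

	/* Parser tracing is controlled by the YYDEBUG environment variable. */
	s = getenv("YYDEBUG");
	if (s != NULL)
		yydebug = atoi(s);
	else
		yydebug = 0;

	if (strcmp(filename, "-")) {
		fp = fopen(filename, "r");
		if (fp == NULL) {
			fprintf(stderr, "fopen(%s) failed: %s\n", filename,
				STRERROR(errno));
			return -1;
		}
	} else
		fp = stdin;

	while (ipf_parsesome(fd, addfunc, iocfuncs, fp) == 1)
		;
	/* Close only what was opened here; stdin stays usable for the caller. */
	if (fp != stdin)
		fclose(fp);
	return 0;
}


/*
 * Run one yyparse() pass over fp.
 *
 * Records fd, addfunc and the first IPL_LOGMAX + 1 entries of iocfuncs
 * in the file-level variables the grammar actions use.
 *
 * Returns 0 when fp has no more input (or the look-ahead byte cannot be
 * pushed back) and 1 after a parse pass, whatever yyparse() returned.
 */
int ipf_parsesome(fd, addfunc, iocfuncs, fp)
int fd;
addfunc_t addfunc;
ioctlfunc_t *iocfuncs;
FILE *fp;
{
	char *s;
	int i;

	ipffd = fd;
	for (i = 0; i <= IPL_LOGMAX; i++)
		ipfioctl[i] = iocfuncs[i];
	ipfaddfunc = addfunc;

	/* Peek one byte so an exhausted stream is detected before parsing. */
	if (feof(fp))
		return 0;
	i = fgetc(fp);
	if (i == EOF)
		return 0;
	/*
	 * ungetc() returns the pushed-back character, or EOF on failure.
	 * The former "== 0" test missed failures and stopped parsing on
	 * a NUL byte instead.
	 */
	if (ungetc(i, fp) == EOF)
		return 0;
	if (feof(fp))
		return 0;
	s = getenv("YYDEBUG");
	if (s != NULL)
		yydebug = atoi(s);
	else
		yydebug = 0;

	yyin = fp;
	yyparse();
	return 1;
}


/*
 * Start a new rule: allocate a zeroed frentry_t, append it to the list
 * headed by frtop, make it the current entry (fr and frc), set its
 * defaults and reset nrules to 1.
 */
static void newrule()
{
	frentry_t *frn;

	frn = (frentry_t *)calloc(1, sizeof(frentry_t));
	if (frn == NULL)
		ipf_y_nomem("rule");
	/* Walk to the current tail, if there is one. */
	for (fr = frtop; fr != NULL && fr->fr_next != NULL; fr = fr->fr_next)
		;
	if (fr != NULL)
		fr->fr_next = frn;
	if (frtop == NULL)
		frtop = frn;
	fr = frn;
	frc = frn;
	fr->fr_loglevel = 0xffff;
	fr->fr_isc = (void *)-1;
	fr->fr_logtag = FR_NOLOGTAG;
	fr->fr_type = FR_T_NONE;
	if (use_inet6 != 0)
		fr->fr_v = 6;
	else
		fr->fr_v = 4;

	nrules = 1;
}


/*
 * Give every entry from frc onward that has no type yet the IPF type:
 * a zeroed fripf_t as match data, the IP version taken from frc, a
 * version mask of 0xf and both interface indexes set to -1.  Entries
 * that already carry another type only produce a diagnostic.
 */
static void setipftype()
{
	for (fr = frc; fr != NULL; fr = fr->fr_next) {
		if (fr->fr_type == FR_T_NONE) {
			fr->fr_type = FR_T_IPF;
			fr->fr_data = (void *)calloc(sizeof(fripf_t), 1);
			/* fr_ipf is written just below; stop rather than write via NULL */
			if (fr->fr_data == NULL)
				ipf_y_nomem("rule match data");
			fr->fr_dsize = sizeof(fripf_t);
			fr->fr_ip.fi_v = frc->fr_v;
			fr->fr_mip.fi_v = 0xf;
			fr->fr_ipf->fri_sifpidx = -1;
			fr->fr_ipf->fri_difpidx = -1;
		}
		if (fr->fr_type != FR_T_IPF) {
			fprintf(stderr, "IPF Type not set\n");
		}
	}
}


/*
 * Append copies of existing entries to the list that starts at frc.
 *
 * With nrules == 0 the last entry is copied once; otherwise the first
 * nrules entries starting at frc are each copied onto the tail.  A
 * non-NULL fr_caddr is duplicated (fr_dsize bytes) so that each copy
 * owns its own buffer.  "added" is incremented for every copy.
 *
 * Returns the first entry that was appended.
 */
static frentry_t *addrule()
{
	frentry_t *f, *f1, *f2;
	int count;

	/* f2 = current tail */
	for (f2 = frc; f2->fr_next != NULL; f2 = f2->fr_next)
		;

	count = nrules;
	if (count == 0) {
		f = (frentry_t *)calloc(sizeof(*f), 1);
		if (f == NULL)
			ipf_y_nomem("rule copy");
		added++;
		f2->fr_next = f;
		bcopy(f2, f, sizeof(*f));
		if (f2->fr_caddr != NULL) {
			f->fr_caddr = malloc(f->fr_dsize);
			if (f->fr_caddr == NULL)
				ipf_y_nomem("rule data copy");
			bcopy(f2->fr_caddr, f->fr_caddr, f->fr_dsize);
		}
		f->fr_next = NULL;
		return f;
	}
	f = f2;
	for (f1 = frc; count > 0; count--, f1 = f1->fr_next) {
		f->fr_next = (frentry_t *)calloc(sizeof(*f), 1);
		if (f->fr_next == NULL)
			ipf_y_nomem("rule copy");
		added++;
		f = f->fr_next;
		bcopy(f1, f, sizeof(*f));
		f->fr_next = NULL;
		if (f->fr_caddr != NULL) {
			f->fr_caddr = malloc(f->fr_dsize);
			if (f->fr_caddr == NULL)
				ipf_y_nomem("rule data copy");
			bcopy(f1->fr_caddr, f->fr_caddr, f->fr_dsize);
		}
	}

	return f2->fr_next;
}


/*
 * Turn a name from a rule into an address.
 *
 * Clears hashed and pooled and resets dynamic to -1.  If name matches
 * one of the four interface names stored in frc, the address is marked
 * dynamic (ifpflag = FRI_DYNAMIC, dynamic = that index) and 0 is
 * returned.  Otherwise gethost() is asked, and 0 is returned when it
 * reports -1.
 *
 * NOTE(review): a failed lookup and a dynamic address both return 0, so
 * a caller that does not also look at "dynamic" cannot tell an
 * unresolvable host name from address 0 -- confirm that the rule is
 * rejected in that case instead of being loaded with a zero address.
 */
static u_32_t lookuphost(name)
char *name;
{
	u_32_t addr;
	int i;

	hashed = 0;
	pooled = 0;
	dynamic = -1;

	for (i = 0; i < 4; i++) {
		if (strncmp(name, frc->fr_ifnames[i],
			    sizeof(frc->fr_ifnames[i])) == 0) {
			ifpflag = FRI_DYNAMIC;
			dynamic = i;
			return 0;
		}
	}

	if (gethost(name, &addr) == -1) {
		return 0;
	}
	return addr;
}


/*
 * Attach a BPF program to the entries starting at frc.
 *
 * phrase is either a quoted list of numeric words (recognised by a
 * leading "0) that is stored as-is, or a pcap filter expression that
 * is compiled with pcap_compile() and checked with bpf_validate().
 * Without IPFILTER_BPF only a diagnostic is printed.
 */
static void dobpf(phrase)
char *phrase;
{
#ifdef IPFILTER_BPF
	struct bpf_program bpf;
	struct pcap *p;
	u_32_t l;
	u_32_t *grown;
	char *s;
	int i;

	for (fr = frc; fr != NULL; fr = fr->fr_next) {
		if (fr->fr_type != FR_T_NONE) {
			fprintf(stderr, "cannoy mix IPF and BPF matching\n");
			return;
		}
		/*
		 * Was FR_T_IPF, which labels BPF instructions as IPF
		 * match data for whatever consumes the rule.
		 */
		fr->fr_type = FR_T_BPF;

		/*
		 * NOTE(review): only the first two characters ("0) are
		 * compared although the literal is three long.
		 */
		if (!strncmp(phrase, "\"0x", 2)) {
			phrase++;
			fr->fr_data = malloc(sizeof(u_32_t));
			if (fr->fr_data == NULL)
				ipf_y_nomem("BPF words");

			for (i = 0, s = strtok(phrase, " \r\n\t"); s != NULL;
			     s = strtok(NULL, " \r\n\t"), i++) {
				/* keep the old buffer reachable if realloc fails */
				grown = realloc(fr->fr_data,
						(i + 1) * sizeof(u_32_t));
				if (grown == NULL) {
					free(fr->fr_data);
					fr->fr_data = NULL;
					ipf_y_nomem("BPF words");
				}
				fr->fr_data = grown;
				/*
				 * strtoul: strtol clamps words above
				 * LONG_MAX where long is 32 bits wide.
				 */
				l = (u_32_t)strtoul(s, NULL, 0);
				((u_32_t *)fr->fr_data)[i] = l;
			}
			/*
			 * NOTE(review): fr_dsize is not set on this path
			 * and the return leaves later entries untouched.
			 */
			return;
		}

		bzero((char *)&bpf, sizeof(bpf));
		p = pcap_open_dead(DLT_RAW, 1);
		if (!p) {
			fprintf(stderr, "pcap_open_dead failed\n");
			return;
		}

		if (pcap_compile(p, &bpf, phrase, 1, 0xffffffff)) {
			pcap_perror(p, "ipf");
			pcap_close(p);
			fprintf(stderr, "pcap parsing failed\n");
			return;
		}
		pcap_close(p);

		/*
		 * bf_len counts instructions, not bytes.  Allocate and
		 * copy the full byte size; the old code copied bf_len
		 * bytes and then validated bf_len instructions, reading
		 * past the end of the buffer.
		 */
		fr->fr_dsize = bpf.bf_len * sizeof(struct bpf_insn);
		fr->fr_data = malloc(fr->fr_dsize);
		if (fr->fr_data == NULL)
			ipf_y_nomem("BPF program");
		bcopy((char *)bpf.bf_insns, fr->fr_data, fr->fr_dsize);
		if (!bpf_validate(fr->fr_data, bpf.bf_len)) {
			fprintf(stderr, "BPF validation failed\n");
			return;
		}
	}

	if (opts & OPT_DEBUG)
		bpf_dump(&bpf, 0);
#else
	fprintf(stderr, "BPF expressions for matching not supported\n");
#endif
}


static void resetaddr()
{
	hashed = 0;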
1921*7c478bd9Sstevel@tonic-gate pooled = 0; 1922*7c478bd9Sstevel@tonic-gate dynamic = -1; 1923*7c478bd9Sstevel@tonic-gate } 1924*7c478bd9Sstevel@tonic-gate 1925*7c478bd9Sstevel@tonic-gate 1926*7c478bd9Sstevel@tonic-gate static alist_t *newalist(ptr) 1927*7c478bd9Sstevel@tonic-gate alist_t *ptr; 1928*7c478bd9Sstevel@tonic-gate { 1929*7c478bd9Sstevel@tonic-gate alist_t *al; 1930*7c478bd9Sstevel@tonic-gate 1931*7c478bd9Sstevel@tonic-gate al = malloc(sizeof(*al)); 1932*7c478bd9Sstevel@tonic-gate if (al == NULL) 1933*7c478bd9Sstevel@tonic-gate return NULL; 1934*7c478bd9Sstevel@tonic-gate al->al_not = 0; 1935*7c478bd9Sstevel@tonic-gate al->al_next = ptr; 1936*7c478bd9Sstevel@tonic-gate return al; 1937*7c478bd9Sstevel@tonic-gate } 1938*7c478bd9Sstevel@tonic-gate 1939*7c478bd9Sstevel@tonic-gate 1940*7c478bd9Sstevel@tonic-gate static int makepool(list) 1941*7c478bd9Sstevel@tonic-gate alist_t *list; 1942*7c478bd9Sstevel@tonic-gate { 1943*7c478bd9Sstevel@tonic-gate ip_pool_node_t *n, *top; 1944*7c478bd9Sstevel@tonic-gate ip_pool_t pool; 1945*7c478bd9Sstevel@tonic-gate alist_t *a; 1946*7c478bd9Sstevel@tonic-gate int num; 1947*7c478bd9Sstevel@tonic-gate 1948*7c478bd9Sstevel@tonic-gate if (list == NULL) 1949*7c478bd9Sstevel@tonic-gate return 0; 1950*7c478bd9Sstevel@tonic-gate top = calloc(1, sizeof(*top)); 1951*7c478bd9Sstevel@tonic-gate if (top == NULL) 1952*7c478bd9Sstevel@tonic-gate return 0; 1953*7c478bd9Sstevel@tonic-gate 1954*7c478bd9Sstevel@tonic-gate for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) { 1955*7c478bd9Sstevel@tonic-gate n->ipn_addr.adf_addr.in4.s_addr = a->al_1; 1956*7c478bd9Sstevel@tonic-gate n->ipn_mask.adf_addr.in4.s_addr = a->al_2; 1957*7c478bd9Sstevel@tonic-gate n->ipn_info = a->al_not; 1958*7c478bd9Sstevel@tonic-gate if (a->al_next != NULL) { 1959*7c478bd9Sstevel@tonic-gate n->ipn_next = calloc(1, sizeof(*n)); 1960*7c478bd9Sstevel@tonic-gate n = n->ipn_next; 1961*7c478bd9Sstevel@tonic-gate } 1962*7c478bd9Sstevel@tonic-gate } 
1963*7c478bd9Sstevel@tonic-gate 1964*7c478bd9Sstevel@tonic-gate bzero((char *)&pool, sizeof(pool)); 1965*7c478bd9Sstevel@tonic-gate pool.ipo_unit = IPL_LOGIPF; 1966*7c478bd9Sstevel@tonic-gate pool.ipo_list = top; 1967*7c478bd9Sstevel@tonic-gate num = load_pool(&pool, ipfioctl[IPL_LOGLOOKUP]); 1968*7c478bd9Sstevel@tonic-gate 1969*7c478bd9Sstevel@tonic-gate while ((n = top) != NULL) { 1970*7c478bd9Sstevel@tonic-gate top = n->ipn_next; 1971*7c478bd9Sstevel@tonic-gate free(n); 1972*7c478bd9Sstevel@tonic-gate } 1973*7c478bd9Sstevel@tonic-gate return num; 1974*7c478bd9Sstevel@tonic-gate } 1975*7c478bd9Sstevel@tonic-gate 1976*7c478bd9Sstevel@tonic-gate 1977*7c478bd9Sstevel@tonic-gate static u_int makehash(list) 1978*7c478bd9Sstevel@tonic-gate alist_t *list; 1979*7c478bd9Sstevel@tonic-gate { 1980*7c478bd9Sstevel@tonic-gate iphtent_t *n, *top; 1981*7c478bd9Sstevel@tonic-gate iphtable_t iph; 1982*7c478bd9Sstevel@tonic-gate alist_t *a; 1983*7c478bd9Sstevel@tonic-gate int num; 1984*7c478bd9Sstevel@tonic-gate 1985*7c478bd9Sstevel@tonic-gate if (list == NULL) 1986*7c478bd9Sstevel@tonic-gate return 0; 1987*7c478bd9Sstevel@tonic-gate top = calloc(1, sizeof(*top)); 1988*7c478bd9Sstevel@tonic-gate if (top == NULL) 1989*7c478bd9Sstevel@tonic-gate return 0; 1990*7c478bd9Sstevel@tonic-gate 1991*7c478bd9Sstevel@tonic-gate for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) { 1992*7c478bd9Sstevel@tonic-gate n->ipe_addr.in4_addr = a->al_1; 1993*7c478bd9Sstevel@tonic-gate n->ipe_mask.in4_addr = a->al_2; 1994*7c478bd9Sstevel@tonic-gate n->ipe_value = 0; 1995*7c478bd9Sstevel@tonic-gate if (a->al_next != NULL) { 1996*7c478bd9Sstevel@tonic-gate n->ipe_next = calloc(1, sizeof(*n)); 1997*7c478bd9Sstevel@tonic-gate n = n->ipe_next; 1998*7c478bd9Sstevel@tonic-gate } 1999*7c478bd9Sstevel@tonic-gate } 2000*7c478bd9Sstevel@tonic-gate 2001*7c478bd9Sstevel@tonic-gate bzero((char *)&iph, sizeof(iph)); 2002*7c478bd9Sstevel@tonic-gate iph.iph_unit = IPL_LOGIPF; 
2003*7c478bd9Sstevel@tonic-gate iph.iph_type = IPHASH_LOOKUP; 2004*7c478bd9Sstevel@tonic-gate *iph.iph_name = '\0'; 2005*7c478bd9Sstevel@tonic-gate 2006*7c478bd9Sstevel@tonic-gate if (load_hash(&iph, top, ipfioctl[IPL_LOGLOOKUP]) == 0) 2007*7c478bd9Sstevel@tonic-gate sscanf(iph.iph_name, "%u", &num); 2008*7c478bd9Sstevel@tonic-gate else 2009*7c478bd9Sstevel@tonic-gate num = 0; 2010*7c478bd9Sstevel@tonic-gate 2011*7c478bd9Sstevel@tonic-gate while ((n = top) != NULL) { 2012*7c478bd9Sstevel@tonic-gate top = n->ipe_next; 2013*7c478bd9Sstevel@tonic-gate free(n); 2014*7c478bd9Sstevel@tonic-gate } 2015*7c478bd9Sstevel@tonic-gate return num; 2016*7c478bd9Sstevel@tonic-gate } 2017*7c478bd9Sstevel@tonic-gate 2018*7c478bd9Sstevel@tonic-gate 2019*7c478bd9Sstevel@tonic-gate void ipf_addrule(fd, ioctlfunc, ptr) 2020*7c478bd9Sstevel@tonic-gate int fd; 2021*7c478bd9Sstevel@tonic-gate ioctlfunc_t ioctlfunc; 2022*7c478bd9Sstevel@tonic-gate void *ptr; 2023*7c478bd9Sstevel@tonic-gate { 2024*7c478bd9Sstevel@tonic-gate u_int add, del; 2025*7c478bd9Sstevel@tonic-gate frentry_t *fr; 2026*7c478bd9Sstevel@tonic-gate ipfobj_t obj; 2027*7c478bd9Sstevel@tonic-gate 2028*7c478bd9Sstevel@tonic-gate fr = ptr; 2029*7c478bd9Sstevel@tonic-gate add = 0; 2030*7c478bd9Sstevel@tonic-gate del = 0; 2031*7c478bd9Sstevel@tonic-gate 2032*7c478bd9Sstevel@tonic-gate bzero((char *)&obj, sizeof(obj)); 2033*7c478bd9Sstevel@tonic-gate obj.ipfo_rev = IPFILTER_VERSION; 2034*7c478bd9Sstevel@tonic-gate obj.ipfo_size = sizeof(*fr); 2035*7c478bd9Sstevel@tonic-gate obj.ipfo_type = IPFOBJ_FRENTRY; 2036*7c478bd9Sstevel@tonic-gate obj.ipfo_ptr = ptr; 2037*7c478bd9Sstevel@tonic-gate 2038*7c478bd9Sstevel@tonic-gate if ((opts & OPT_DONOTHING) != 0) 2039*7c478bd9Sstevel@tonic-gate fd = -1; 2040*7c478bd9Sstevel@tonic-gate 2041*7c478bd9Sstevel@tonic-gate if (opts & OPT_ZERORULEST) { 2042*7c478bd9Sstevel@tonic-gate add = SIOCZRLST; 2043*7c478bd9Sstevel@tonic-gate } else if (opts & OPT_INACTIVE) { 2044*7c478bd9Sstevel@tonic-gate add 
= (u_int)fr->fr_hits ? SIOCINIFR : 2045*7c478bd9Sstevel@tonic-gate SIOCADIFR; 2046*7c478bd9Sstevel@tonic-gate del = SIOCRMIFR; 2047*7c478bd9Sstevel@tonic-gate } else { 2048*7c478bd9Sstevel@tonic-gate add = (u_int)fr->fr_hits ? SIOCINAFR : 2049*7c478bd9Sstevel@tonic-gate SIOCADAFR; 2050*7c478bd9Sstevel@tonic-gate del = SIOCRMAFR; 2051*7c478bd9Sstevel@tonic-gate } 2052*7c478bd9Sstevel@tonic-gate 2053*7c478bd9Sstevel@tonic-gate if (fr && (opts & OPT_OUTQUE)) 2054*7c478bd9Sstevel@tonic-gate fr->fr_flags |= FR_OUTQUE; 2055*7c478bd9Sstevel@tonic-gate if (fr->fr_hits) 2056*7c478bd9Sstevel@tonic-gate fr->fr_hits--; 2057*7c478bd9Sstevel@tonic-gate if (fr && (opts & OPT_VERBOSE)) 2058*7c478bd9Sstevel@tonic-gate printfr(fr, ioctlfunc); 2059*7c478bd9Sstevel@tonic-gate 2060*7c478bd9Sstevel@tonic-gate if (opts & OPT_DEBUG) { 2061*7c478bd9Sstevel@tonic-gate binprint(fr, sizeof(*fr)); 2062*7c478bd9Sstevel@tonic-gate if (fr->fr_data != NULL) 2063*7c478bd9Sstevel@tonic-gate binprint(fr->fr_data, fr->fr_dsize); 2064*7c478bd9Sstevel@tonic-gate } 2065*7c478bd9Sstevel@tonic-gate 2066*7c478bd9Sstevel@tonic-gate if ((opts & OPT_ZERORULEST) != 0) { 2067*7c478bd9Sstevel@tonic-gate if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) { 2068*7c478bd9Sstevel@tonic-gate if ((opts & OPT_DONOTHING) != 0) { 2069*7c478bd9Sstevel@tonic-gate fprintf(stderr, "%d:", yylineNum); 2070*7c478bd9Sstevel@tonic-gate perror("ioctl(SIOCZRLST)"); 2071*7c478bd9Sstevel@tonic-gate } 2072*7c478bd9Sstevel@tonic-gate } else { 2073*7c478bd9Sstevel@tonic-gate #ifdef USE_QUAD_T 2074*7c478bd9Sstevel@tonic-gate printf("hits %qd bytes %qd ", 2075*7c478bd9Sstevel@tonic-gate (long long)fr->fr_hits, 2076*7c478bd9Sstevel@tonic-gate (long long)fr->fr_bytes); 2077*7c478bd9Sstevel@tonic-gate #else 2078*7c478bd9Sstevel@tonic-gate printf("hits %ld bytes %ld ", 2079*7c478bd9Sstevel@tonic-gate fr->fr_hits, fr->fr_bytes); 2080*7c478bd9Sstevel@tonic-gate #endif 2081*7c478bd9Sstevel@tonic-gate printfr(fr, ioctlfunc); 
2082*7c478bd9Sstevel@tonic-gate } 2083*7c478bd9Sstevel@tonic-gate } else if ((opts & OPT_REMOVE) != 0) { 2084*7c478bd9Sstevel@tonic-gate if ((*ioctlfunc)(fd, del, (void *)&obj) == -1) { 2085*7c478bd9Sstevel@tonic-gate if ((opts & OPT_DONOTHING) != 0) { 2086*7c478bd9Sstevel@tonic-gate fprintf(stderr, "%d:", yylineNum); 2087*7c478bd9Sstevel@tonic-gate perror("ioctl(delete rule)"); 2088*7c478bd9Sstevel@tonic-gate } 2089*7c478bd9Sstevel@tonic-gate } 2090*7c478bd9Sstevel@tonic-gate } else { 2091*7c478bd9Sstevel@tonic-gate if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) { 2092*7c478bd9Sstevel@tonic-gate if (!(opts & OPT_DONOTHING)) { 2093*7c478bd9Sstevel@tonic-gate fprintf(stderr, "%d:", yylineNum); 2094*7c478bd9Sstevel@tonic-gate fprintf(stderr,"ioctl(add/insert rule) failed: rule exists\n"); 2095*7c478bd9Sstevel@tonic-gate } 2096*7c478bd9Sstevel@tonic-gate } 2097*7c478bd9Sstevel@tonic-gate } 2098*7c478bd9Sstevel@tonic-gate } 2099*7c478bd9Sstevel@tonic-gate 2100*7c478bd9Sstevel@tonic-gate 2101*7c478bd9Sstevel@tonic-gate static void setsyslog() 2102*7c478bd9Sstevel@tonic-gate { 2103*7c478bd9Sstevel@tonic-gate savewords = yysettab(logwords); 2104*7c478bd9Sstevel@tonic-gate yybreakondot = 1; 2105*7c478bd9Sstevel@tonic-gate } 2106*7c478bd9Sstevel@tonic-gate 2107*7c478bd9Sstevel@tonic-gate 2108*7c478bd9Sstevel@tonic-gate static void unsetsyslog() 2109*7c478bd9Sstevel@tonic-gate { 2110*7c478bd9Sstevel@tonic-gate yysettab(savewords); 2111*7c478bd9Sstevel@tonic-gate yybreakondot = 0; 2112*7c478bd9Sstevel@tonic-gate } 2113*7c478bd9Sstevel@tonic-gate 2114*7c478bd9Sstevel@tonic-gate 2115*7c478bd9Sstevel@tonic-gate static void fillgroup(fr) 2116*7c478bd9Sstevel@tonic-gate frentry_t *fr; 2117*7c478bd9Sstevel@tonic-gate { 2118*7c478bd9Sstevel@tonic-gate frentry_t *f; 2119*7c478bd9Sstevel@tonic-gate int i; 2120*7c478bd9Sstevel@tonic-gate 2121*7c478bd9Sstevel@tonic-gate for (f = frold; f != NULL; f = f->fr_next) 2122*7c478bd9Sstevel@tonic-gate if (strncmp(f->fr_grhead, fr->fr_group, 
FR_GROUPLEN) == 0) 2123*7c478bd9Sstevel@tonic-gate break; 2124*7c478bd9Sstevel@tonic-gate if (f == NULL) 2125*7c478bd9Sstevel@tonic-gate return; 2126*7c478bd9Sstevel@tonic-gate 2127*7c478bd9Sstevel@tonic-gate /* 2128*7c478bd9Sstevel@tonic-gate * Only copy down matching fields if the rules are of the same type 2129*7c478bd9Sstevel@tonic-gate * and are of ipf type. 2130*7c478bd9Sstevel@tonic-gate */ 2131*7c478bd9Sstevel@tonic-gate if (f->fr_type != fr->fr_type || f->fr_type != FR_T_IPF) 2132*7c478bd9Sstevel@tonic-gate return; 2133*7c478bd9Sstevel@tonic-gate 2134*7c478bd9Sstevel@tonic-gate if (fr->fr_v == 0 && f->fr_v != 0) 2135*7c478bd9Sstevel@tonic-gate fr->fr_v = f->fr_v; 2136*7c478bd9Sstevel@tonic-gate 2137*7c478bd9Sstevel@tonic-gate if (fr->fr_mproto == 0 && f->fr_mproto != 0) 2138*7c478bd9Sstevel@tonic-gate fr->fr_mproto = f->fr_mproto; 2139*7c478bd9Sstevel@tonic-gate if (fr->fr_proto == 0 && f->fr_proto != 0) 2140*7c478bd9Sstevel@tonic-gate fr->fr_proto = f->fr_proto; 2141*7c478bd9Sstevel@tonic-gate 2142*7c478bd9Sstevel@tonic-gate if (fr->fr_proto == IPPROTO_TCP) { 2143*7c478bd9Sstevel@tonic-gate if (fr->fr_tcpfm == 0 && f->fr_tcpfm != 0) 2144*7c478bd9Sstevel@tonic-gate fr->fr_tcpfm = f->fr_tcpfm; 2145*7c478bd9Sstevel@tonic-gate if (fr->fr_tcpf == 0 && f->fr_tcpf != 0) 2146*7c478bd9Sstevel@tonic-gate fr->fr_tcpf = f->fr_tcpf; 2147*7c478bd9Sstevel@tonic-gate } 2148*7c478bd9Sstevel@tonic-gate 2149*7c478bd9Sstevel@tonic-gate if (fr->fr_proto == IPPROTO_ICMP) { 2150*7c478bd9Sstevel@tonic-gate if (fr->fr_icmpm == 0 && f->fr_icmpm != 0) 2151*7c478bd9Sstevel@tonic-gate fr->fr_icmpm = f->fr_icmpm; 2152*7c478bd9Sstevel@tonic-gate if (fr->fr_icmp == 0 && f->fr_icmp != 0) 2153*7c478bd9Sstevel@tonic-gate fr->fr_icmp = f->fr_icmp; 2154*7c478bd9Sstevel@tonic-gate } 2155*7c478bd9Sstevel@tonic-gate 2156*7c478bd9Sstevel@tonic-gate if (fr->fr_optbits == 0 && f->fr_optbits != 0) 2157*7c478bd9Sstevel@tonic-gate fr->fr_optbits = f->fr_optbits; 2158*7c478bd9Sstevel@tonic-gate if 
(fr->fr_optmask == 0 && f->fr_optmask != 0) 2159*7c478bd9Sstevel@tonic-gate fr->fr_optmask = f->fr_optmask; 2160*7c478bd9Sstevel@tonic-gate if (fr->fr_secbits == 0 && f->fr_secbits != 0) 2161*7c478bd9Sstevel@tonic-gate fr->fr_secbits = f->fr_secbits; 2162*7c478bd9Sstevel@tonic-gate if (fr->fr_secmask == 0 && f->fr_secmask != 0) 2163*7c478bd9Sstevel@tonic-gate fr->fr_secmask = f->fr_secmask; 2164*7c478bd9Sstevel@tonic-gate if (fr->fr_authbits == 0 && f->fr_authbits != 0) 2165*7c478bd9Sstevel@tonic-gate fr->fr_authbits = f->fr_authbits; 2166*7c478bd9Sstevel@tonic-gate if (fr->fr_authmask == 0 && f->fr_authmask != 0) 2167*7c478bd9Sstevel@tonic-gate fr->fr_authmask = f->fr_authmask; 2168*7c478bd9Sstevel@tonic-gate 2169*7c478bd9Sstevel@tonic-gate for (i = 0; i < 3; i++) { 2170*7c478bd9Sstevel@tonic-gate if (*f->fr_ifnames[i] != '\0' && *fr->fr_ifnames[i] == '\0') 2171*7c478bd9Sstevel@tonic-gate strncpy(fr->fr_ifnames[i], f->fr_ifnames[i], 2172*7c478bd9Sstevel@tonic-gate sizeof(f->fr_ifnames[i])); 2173*7c478bd9Sstevel@tonic-gate } 2174*7c478bd9Sstevel@tonic-gate } 2175