%{
/*
 * Copyright (C) 2003 by Darren Reed.
 *
 * See the IPFILTER.LICENCE file for details on licencing.
 *
 * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident "%Z%%M% %I% %E% SMI"

#include "ipf.h"
#include <sys/ioctl.h>
#include <syslog.h>
#ifdef IPFILTER_BPF
# include "pcap-bpf.h"
# define _NET_BPF_H_
# include <pcap.h>
#endif
#include "netinet/ip_pool.h"
#include "netinet/ip_htable.h"
#include "netinet/ipl.h"
#include "ipf_l.h"

#define YYDEBUG 1

/*
 * Run the statement list x on a chain of rules linked through fr_next.
 * DOALL restarts from frc; DOREM continues from wherever fr points now.
 * Both leave fr == NULL when they finish.
 */
#define DOALL(x)        for (fr = frc; fr != NULL; fr = fr->fr_next) { x }
#define DOREM(x)        for (; fr != NULL; fr = fr->fr_next) { x }

/*
 * Bits kept in ruleopts while one rule is parsed.  The inopt/outopt
 * actions test and set them to report an option given twice; inrule and
 * outrule clear ruleopts before the options are read.
 */
#define OPTION_LOG      0x1
#define OPTION_QUICK    0x2
#define OPTION_DUP      0x4
#define OPTION_PROUTE   0x8
#define OPTION_ON       0x10
#define OPTION_REPLYTO  0x20
#define OPTION_FROUTE   0x40

/* Parser and lexer entry points and state declared outside this section. */
extern  void    yyerror __P((char *));
extern  int     yyparse __P((void));
extern  int     yylex __P((void));
extern  int     yydebug;
extern  FILE    *yyin;
extern  int     yylineNum;

/* Helpers private to this file. */
static  void    newrule __P((void));
static  void    setipftype __P((void));
static  u_32_t  lookuphost __P((char *));
static  void    dobpf __P((int, char *));
static  void    resetaddr __P((void));
static  struct  alist_s *newalist __P((struct alist_s *));
static  u_int   makehash __P((struct alist_s *));
static  int     makepool __P((struct alist_s *));
static  frentry_t *addrule __P((void));
static  void    setsyslog __P((void));
static  void    unsetsyslog __P((void));
static  void    fillgroup __P((frentry_t *));

/*
 * Rule pointers shared by the grammar actions: fr is the rule being
 * edited, frc the start of the chain DOALL walks, frtop the chain that the
 * "line" action hands to ipfaddfunc, frold the list of rules already
 * handed over.
 */
frentry_t       *fr = NULL, *frc = NULL, *frtop = NULL, *frold = NULL;

static  int             ifpflag = 0;
static  int             nowith = 0;
static  int             dynamic = -1;
static  int             pooled = 0;
static  int             hashed = 0;
static  int             nrules = 0;     /* lend adds "added" to this */
static  int             newlist = 0;    /* set by lstart, cleared by lmore */
static  int             added = 0;      /* zeroed by lstart */
static  int             ipffd = -1;     /* passed to ipfaddfunc */
static  int             ruleopts = 0;   /* OPTION_* bits seen so far */
/* When non-NULL, lmore writes 1 through this pointer. */
static  int             *yycont = NULL;
static  ioctlfunc_t     ipfioctl[IPL_LOGSIZE];
static  addfunc_t       ipfaddfunc = NULL;
static  struct  wordtab ipfwords[95];
static  struct  wordtab addrwords[4];
static  struct  wordtab maskwords[5];
static  struct  wordtab icmpcodewords[17];
static  struct  wordtab icmptypewords[16];
static  struct  wordtab ipv4optwords[25];
static  struct  wordtab ipv4secwords[9];
static  struct  wordtab ipv6optwords[8];
static  struct  wordtab logwords[33];
static  int             set_ipv6_addr = 0;

%}
/* Semantic value carried by tokens and non-terminals. */
%union  {
        char    *str;
        u_32_t  num;
        struct  in_addr ipa;
        frentry_t       fr;
        frtuc_t *frt;
        struct  alist_s *alist;
        u_short port;
        struct  {
                u_short p1;
                u_short p2;
                int     pc;
        } pc;
        struct  {
                union   i6addr  a;
                union   i6addr  m;
        } ipp;
        union   i6addr  ip6;
};

/* Non-terminals with a value; the name in <> is the %union member used. */
%type   <port>  portnum
%type   <num>   facility priority icmpcode seclevel secname icmptype
%type   <num>   opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr
%type   <num>   portc porteq
%type   <ipa>   hostname ipv4 ipv4mask ipv4_16 ipv4_24
%type   <ip6>   ipv6mask
%type   <ipp>   addr ipaddr
%type   <str>   servicename name interfacename
%type   <pc>    portrange portcomp
%type   <alist> addrlist poollist

%token  <num>   YY_NUMBER YY_HEX
%token  <str>   YY_STR
%token          YY_COMMENT
/*
 * Terminal symbols.  Only YY_IPV6 in this group carries a value (the ip6
 * member of the %union); the rest are bare keywords and operators.
 */
%token  YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
%token  YY_RANGE_OUT YY_RANGE_IN
%token  <ip6> YY_IPV6

%token  IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL
%token  IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST
%token  IPFY_IN IPFY_OUT
%token  IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA
%token  IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO IPFY_ROUTETO
%token  IPFY_TOS IPFY_TTL IPFY_PROTO
%token  IPFY_HEAD IPFY_GROUP
%token  IPFY_AUTH IPFY_PREAUTH
%token  IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK
%token  IPFY_LOGTAG IPFY_MATCHTAG IPFY_SETTAG IPFY_SKIP
%token  IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPFV4 IPFY_BPFV6 IPFY_POOL IPFY_HASH
%token  IPFY_PPS
%token  IPFY_ESP IPFY_AH
%token  IPFY_WITH IPFY_AND IPFY_NOT IPFY_NO IPFY_OPT
%token  IPFY_TCPUDP IPFY_TCP IPFY_UDP
%token  IPFY_FLAGS IPFY_MULTICAST
%token  IPFY_MASK IPFY_BROADCAST IPFY_NETWORK IPFY_NETMASKED IPFY_PEER
%token  IPFY_PORT
%token  IPFY_NOW
%token  IPFY_ICMP IPFY_ICMPTYPE IPFY_ICMPCODE
%token  IPFY_IPOPTS IPFY_SHORT IPFY_NAT IPFY_BADSRC IPFY_LOWTTL IPFY_FRAG
%token  IPFY_MBCAST IPFY_BAD IPFY_BADNAT IPFY_OOW IPFY_NEWISN IPFY_NOICMPERR
%token  IPFY_KEEP IPFY_STATE IPFY_FRAGS IPFY_LIMIT IPFY_STRICT IPFY_AGE
%token  IPFY_SYNC IPFY_FRAGBODY
%token  IPFY_IPOPT_NOP IPFY_IPOPT_RR IPFY_IPOPT_ZSU IPFY_IPOPT_MTUP
%token  IPFY_IPOPT_MTUR IPFY_IPOPT_ENCODE IPFY_IPOPT_TS IPFY_IPOPT_TR
%token  IPFY_IPOPT_SEC IPFY_IPOPT_LSRR IPFY_IPOPT_ESEC IPFY_IPOPT_CIPSO
%token  IPFY_IPOPT_SATID IPFY_IPOPT_SSRR IPFY_IPOPT_ADDEXT IPFY_IPOPT_VISA
%token  IPFY_IPOPT_IMITD IPFY_IPOPT_EIP IPFY_IPOPT_FINN IPFY_IPOPT_DPS
%token  IPFY_IPOPT_SDB IPFY_IPOPT_NSAPA IPFY_IPOPT_RTRALRT IPFY_IPOPT_UMP
%token  IPFY_SECCLASS IPFY_SEC_UNC IPFY_SEC_CONF IPFY_SEC_RSV1 IPFY_SEC_RSV2
%token  IPFY_SEC_RSV4 IPFY_SEC_SEC IPFY_SEC_TS IPFY_SEC_RSV3

%token  IPF6_V6HDRS IPFY_IPV6OPT IPFY_IPV6OPT_DSTOPTS IPFY_IPV6OPT_HOPOPTS
%token  IPFY_IPV6OPT_IPV6 IPFY_IPV6OPT_NONE IPFY_IPV6OPT_ROUTING

%token  IPFY_ICMPT_UNR IPFY_ICMPT_ECHO IPFY_ICMPT_ECHOR IPFY_ICMPT_SQUENCH
%token  IPFY_ICMPT_REDIR IPFY_ICMPT_TIMEX IPFY_ICMPT_PARAMP IPFY_ICMPT_TIMEST
%token  IPFY_ICMPT_TIMESTREP IPFY_ICMPT_INFOREQ IPFY_ICMPT_INFOREP
%token  IPFY_ICMPT_MASKREQ IPFY_ICMPT_MASKREP IPFY_ICMPT_ROUTERAD
%token  IPFY_ICMPT_ROUTERSOL

%token  IPFY_ICMPC_NETUNR IPFY_ICMPC_HSTUNR IPFY_ICMPC_PROUNR IPFY_ICMPC_PORUNR
%token  IPFY_ICMPC_NEEDF IPFY_ICMPC_SRCFAIL IPFY_ICMPC_NETUNK IPFY_ICMPC_HSTUNK
%token  IPFY_ICMPC_ISOLATE IPFY_ICMPC_NETPRO IPFY_ICMPC_HSTPRO
%token  IPFY_ICMPC_NETTOS IPFY_ICMPC_HSTTOS IPFY_ICMPC_FLTPRO IPFY_ICMPC_HSTPRE
%token  IPFY_ICMPC_CUTPRE

%token  IPFY_FAC_KERN IPFY_FAC_USER IPFY_FAC_MAIL IPFY_FAC_DAEMON IPFY_FAC_AUTH
%token  IPFY_FAC_SYSLOG IPFY_FAC_LPR IPFY_FAC_NEWS IPFY_FAC_UUCP IPFY_FAC_CRON
%token  IPFY_FAC_LOCAL0 IPFY_FAC_LOCAL1 IPFY_FAC_LOCAL2 IPFY_FAC_LOCAL3
%token  IPFY_FAC_LOCAL4 IPFY_FAC_LOCAL5 IPFY_FAC_LOCAL6 IPFY_FAC_LOCAL7
%token  IPFY_FAC_SECURITY IPFY_FAC_FTP IPFY_FAC_AUTHPRIV IPFY_FAC_AUDIT
%token  IPFY_FAC_LFMT IPFY_FAC_CONSOLE

%token  IPFY_PRI_EMERG IPFY_PRI_ALERT IPFY_PRI_CRIT IPFY_PRI_ERR IPFY_PRI_WARN
%token  IPFY_PRI_NOTICE IPFY_PRI_INFO IPFY_PRI_DEBUG
%%
/* A file is a non-empty sequence of rule lines and variable assignments. */
file:
      line
    | assign
    | file line
    | file assign
    ;

/*
 * Once a rule has been parsed, every entry queued on frtop is detached,
 * passed to ipfaddfunc together with ipffd and the IPL_LOGIPF ioctl
 * function, and then pushed onto frold.  The lexer is reset afterwards.
 */
line:
      xx rule
        {
            for (fr = frtop; fr != NULL; fr = frtop) {
                frtop = fr->fr_next;
                fr->fr_next = NULL;
                (*ipfaddfunc)(ipffd, ipfioctl[IPL_LOGIPF], fr);
                fr->fr_next = frold;
                frold = fr;
            }
            resetlexer();
        }
    | YY_COMMENT
    ;

/* Empty production whose only job is to call newrule() before "rule". */
xx:
        { newrule(); }
    ;

/* name = value ; -- both strings are released once set_variable() returns. */
assign:
      YY_STR assigning YY_STR ';'
        {
            set_variable($1, $3);
            resetlexer();
            free($1);
            free($3);
        }
    ;

assigning:
      '='
        { yyvarnext = 1; }
    ;

rule:
      inrule eol
    | outrule eol
    ;

/* The terminating ';' is optional. */
eol:
      /* empty */
    | ';'
    ;

/*
 * The mid-rule action clears ruleopts so that the duplicate-option checks
 * in inopt/outopt start fresh for every rule.
 */
inrule:
      rulehead markin { ruleopts = 0; } inopts rulemain ruletail intag ruletail2
    ;

outrule:
      rulehead markout { ruleopts = 0; } outopts rulemain ruletail outtag ruletail2
    ;

rulehead:
      collection action
    | insert collection action
    ;

markin:
      IPFY_IN
        { fr->fr_flags |= FR_INQUE; }
    ;

markout:
      IPFY_OUT
        { fr->fr_flags |= FR_OUTQUE; }
    ;

rulemain:
      ipfrule
    | bpfrule
    ;

ipfrule:
      tos ttl proto ip
    ;

/* The quoted expression is handed to dobpf() with the IP version, then freed. */
bpfrule:
      IPFY_BPFV4 '{' YY_STR '}'
        {
            dobpf(4, $3);
            free($3);
        }
    | IPFY_BPFV6 '{' YY_STR '}'
        {
            dobpf(6, $3);
            free($3);
        }
    ;

ruletail:
      with keep head group
    ;

ruletail2:
      pps age new
    ;

intag:
      settagin matchtagin
    ;

outtag:
      settagout matchtagout
    ;

/* "@N" prefix: the number, plus one, is stored in fr_hits. */
insert:
      '@' YY_NUMBER
        { fr->fr_hits = (U_QUAD_T)$2 + 1; }
    ;

/* Optional leading number stored in fr_collect. */
collection:
      /* empty */
    | YY_NUMBER
        { fr->fr_collect = $1; }
    ;

/* The rule's verb; each alternative records itself in fr_flags. */
action:
      block
    | IPFY_PASS
        { fr->fr_flags |= FR_PASS; }
    | log
    | IPFY_COUNT
        { fr->fr_flags |= FR_ACCOUNT; }
    | auth
    | IPFY_SKIP YY_NUMBER
        {
            fr->fr_flags |= FR_SKIP;
            fr->fr_arg = $2;
        }
    | IPFY_CALL func
    | IPFY_CALL IPFY_NOW func
        { fr->fr_flags |= FR_CALLNOW; }
    ;

block:
      blocked
    | blocked blockreturn
    ;

/* Note the plain assignment: "block" replaces fr_flags rather than OR-ing. */
blocked:
      IPFY_BLOCK
        { fr->fr_flags = FR_BLOCK; }
    ;

/* Optional reply sent for a blocked packet, with or without a return code. */
blockreturn:
      IPFY_RETICMP
        { fr->fr_flags |= FR_RETICMP; }
    | IPFY_RETICMP returncode
        { fr->fr_flags |= FR_RETICMP; }
    | IPFY_RETICMPASDST
        { fr->fr_flags |= FR_FAKEICMP; }
    | IPFY_RETICMPASDST returncode
        { fr->fr_flags |= FR_FAKEICMP; }
    | IPFY_RETRST
        { fr->fr_flags |= FR_RETRST; }
    ;

log:
      IPFY_LOG
        { fr->fr_flags |= FR_LOG; }
    | IPFY_LOG logoptions
        { fr->fr_flags |= FR_LOG; }
    ;

auth:
      IPFY_AUTH
        { fr->fr_flags |= FR_AUTH; }
    | IPFY_AUTH IPFY_RETRST
        { fr->fr_flags |= (FR_AUTH|FR_RETRST); }
    | IPFY_PREAUTH
        { fr->fr_flags |= FR_PREAUTH; }
    ;

/*
 * "name/number" for call rules: the name is passed to nametokva() and the
 * result stored in fr_func; the number goes to fr_arg.
 * NOTE(review): the nametokva() result is stored without any check in this
 * action -- confirm how an unknown name is reported.
 */
func:
      YY_STR '/' YY_NUMBER
        {
            fr->fr_func = nametokva($1, ipfioctl[IPL_LOGIPF]);
            fr->fr_arg = $3;
            free($1);
        }
    ;

inopts:
      /* empty */
    | inopts inopt
    ;

/*
 * Options accepted on an inbound rule.  Each one may appear once: a second
 * occurrence is reported through yyerror(), and the OPTION_* bit is set
 * either way.
 */
inopt:
      logopt
        {
            if ((ruleopts & OPTION_LOG) != 0) {
                yyerror("Duplicate log option");
            }
            ruleopts |= OPTION_LOG;
        }
    | quick
        {
            if ((ruleopts & OPTION_QUICK) != 0) {
                yyerror("Duplicate quick option");
            }
            ruleopts |= OPTION_QUICK;
        }
    | on
        {
            if ((ruleopts & OPTION_ON) != 0) {
                yyerror("Duplicate on option");
            }
            ruleopts |= OPTION_ON;
        }
    | dup
        {
            if ((ruleopts & OPTION_DUP) != 0) {
                yyerror("Duplicate dup option");
            }
            ruleopts |= OPTION_DUP;
        }
    | froute
        {
            if ((ruleopts & OPTION_FROUTE) != 0) {
                yyerror("Duplicate froute option");
            }
            ruleopts |= OPTION_FROUTE;
        }
    | proute
        {
            if ((ruleopts & OPTION_PROUTE) != 0) {
                yyerror("Duplicate proute option");
            }
            ruleopts |= OPTION_PROUTE;
        }
    | replyto
        {
            if ((ruleopts & OPTION_REPLYTO) != 0) {
                yyerror("Duplicate replyto option");
            }
            ruleopts |= OPTION_REPLYTO;
        }
    ;

outopts:
      /* empty */
    | outopts outopt
    ;

/* Same as inopt, except that froute is not offered on outbound rules. */
outopt:
      logopt
        {
            if ((ruleopts & OPTION_LOG) != 0) {
                yyerror("Duplicate log option");
            }
            ruleopts |= OPTION_LOG;
        }
    | quick
        {
            if ((ruleopts & OPTION_QUICK) != 0) {
                yyerror("Duplicate quick option");
            }
            ruleopts |= OPTION_QUICK;
        }
    | on
        {
            if ((ruleopts & OPTION_ON) != 0) {
                yyerror("Duplicate on option");
            }
            ruleopts |= OPTION_ON;
        }
    | dup
        {
            if ((ruleopts & OPTION_DUP) != 0) {
                yyerror("Duplicate dup option");
            }
            ruleopts |= OPTION_DUP;
        }
    | proute
        {
            if ((ruleopts & OPTION_PROUTE) != 0) {
                yyerror("Duplicate proute option");
            }
            ruleopts |= OPTION_PROUTE;
        }
    | replyto
        {
            if ((ruleopts & OPTION_REPLYTO) != 0) {
                yyerror("Duplicate replyto option");
            }
            ruleopts |= OPTION_REPLYTO;
        }
    ;

/*
 * TOS match: one value, or a parenthesised list.  The value is stored as
 * given with a mask of 0xff.
 * NOTE(review): the number is a u_32_t and is assigned without a range
 * check here -- confirm that out-of-range values are rejected elsewhere.
 */
tos:
      /* empty */
    | settos YY_NUMBER
        { DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
    | settos YY_HEX
        { DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
    | settos lstart toslist lend
    ;

settos:
      IPFY_TOS
        { setipftype(); }
    ;

toslist:
      YY_NUMBER
        { DOALL(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
    | YY_HEX
        { DOREM(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
    | toslist lmore YY_NUMBER
        { DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
    | toslist lmore YY_HEX
        { DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
    ;
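
/* TTL match: one value, or a parenthesised list.  Mask is always 0xff. */
ttl:
      /* empty */
    | setttl YY_NUMBER
        { DOALL(fr->fr_ttl = $2; fr->fr_mttl = 0xff;) }
    | setttl lstart ttllist lend
    ;

/* '(' opens a value list: restart at frc and zero the added-rule counter. */
lstart:
      '('
        { newlist = 1; fr = frc; added = 0; }
    ;

/* ')' closes the list and folds "added" into nrules. */
lend:
      ')'
        { nrules += added; }
    ;

/*
 * Between two list elements: obtain another rule from addrule() and, when
 * yycont points somewhere, write 1 through it.
 */
lmore:
      lanother
        {
            if (newlist == 1) {
                newlist = 0;
            }
            fr = addrule();
            if (yycont != NULL)
                *yycont = 1;
        }
    ;

/* The ',' between list elements is optional. */
lanother:
      /* empty */
    | ','
    ;

setttl:
      IPFY_TTL
        { setipftype(); }
    ;

ttllist:
      YY_NUMBER
        { DOREM(fr->fr_ttl = $1; fr->fr_mttl = 0xff;) }
    | ttllist lmore YY_NUMBER
        { DOREM(fr->fr_ttl = $3; fr->fr_mttl = 0xff;) }
    ;

proto:
      /* empty */
    | protox protocol
        { yyresetdict(); }
    ;

protox:
      IPFY_PROTO
        {
            setipftype();
            fr = frc;
            yysetdict(NULL);
        }
    ;

ip:
      srcdst flags icmp
    ;

/*
 * Group membership and group head names.
 *
 * NOTE(review): strncpy() cuts a longer name silently and leaves the field
 * without a terminating NUL when the name is FR_GROUPLEN characters or
 * more.  How fillgroup() and later readers of fr_group/fr_grhead treat an
 * unterminated field is not visible here -- confirm, or reject over-long
 * names before copying.
 *
 * The numeric forms are formatted with snprintf(), bounded by the same
 * length the string forms use, so a write can never run past the field.
 */
group:
      /* empty */
    | IPFY_GROUP YY_STR
        {
            DOALL(strncpy(fr->fr_group, $2, FR_GROUPLEN);
                  fillgroup(fr););
            free($2);
        }
    | IPFY_GROUP YY_NUMBER
        {
            DOALL(snprintf(fr->fr_group, FR_GROUPLEN, "%d", $2);
                  fillgroup(fr);)
        }
    ;

head:
      /* empty */
    | IPFY_HEAD YY_STR
        {
            DOALL(strncpy(fr->fr_grhead, $2, FR_GROUPLEN););
            free($2);
        }
    | IPFY_HEAD YY_NUMBER
        { DOALL(snprintf(fr->fr_grhead, FR_GROUPLEN, "%d", $2);) }
    ;

settagin:
      /* empty */
    | IPFY_SETTAG '(' taginlist ')'
    ;

taginlist:
      taginspec
    | taginlist ',' taginspec
    ;

taginspec:
      logtag
    | nattag
    ;

/*
 * NAT tag, given as a string or a number.  The string form has the same
 * strncpy() truncation/termination caveat as the group names above, with
 * IPFTAG_LEN as the bound; the numeric form is bounded by IPFTAG_LEN too.
 */
nattag:
      IPFY_NAT '=' YY_STR
        {
            DOALL(strncpy(fr->fr_nattag.ipt_tag, $3, IPFTAG_LEN););
            free($3);
        }
    | IPFY_NAT '=' YY_NUMBER
        {
            DOALL(snprintf(fr->fr_nattag.ipt_tag, IPFTAG_LEN,
                           "%d", $3 & 0xffffffff);)
        }
    ;

logtag:
      IPFY_LOG '=' YY_NUMBER
        { DOALL(fr->fr_logtag = $3;) }
    ;

settagout:
      /* empty */
    | IPFY_SETTAG '(' tagoutlist ')'
    ;

tagoutlist:
      tagoutspec
    | tagoutlist ',' tagoutspec
    ;

tagoutspec:
      logtag
    | nattag
    ;

/* match-tag on an inbound rule uses the outbound tag list and vice versa. */
matchtagin:
      /* empty */
    | IPFY_MATCHTAG '(' tagoutlist ')'
    ;

matchtagout:
      /* empty */
    | IPFY_MATCHTAG '(' taginlist ')'
    ;

pps:
      /* empty */
    | IPFY_PPS YY_NUMBER
        { DOALL(fr->fr_pps = $2;) }
    ;

/* Optional nested block: '{' file '}' after a rule. */
new:
      /* empty */
    | savegroup file restoregroup
    ;

savegroup:
      '{'
    ;

restoregroup:
      '}'
    ;

logopt:
      log
    ;

quick:
      IPFY_QUICK
        { fr->fr_flags |= FR_QUICK; }
    ;

on:
      IPFY_ON onname
    | IPFY_ON onname IPFY_INVIA vianame
    | IPFY_ON onname IPFY_OUTVIA vianame
    ;

/*
 * Interface names for "on" (slots 0 and 1) and "in-via"/"out-via" (slots 2
 * and 3), and for dup-to / to / route-to / reply-to below.
 *
 * NOTE(review): every copy is strncpy() bounded by the destination's
 * sizeof, so there is no overflow, but a name that does not fit is cut
 * silently and the field is left without a terminating NUL.  A rule could
 * then be bound to a different name than the one written in the ruleset --
 * confirm that over-long interface names are rejected before this point.
 */
onname:
      interfacename
        {
            strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
            free($1);
        }
    | interfacename ',' interfacename
        {
            strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
            free($1);
            strncpy(fr->fr_ifnames[1], $3, sizeof(fr->fr_ifnames[1]));
            free($3);
        }
    ;

vianame:
      name
        {
            strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
            free($1);
        }
    | name ',' name
        {
            strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
            free($1);
            strncpy(fr->fr_ifnames[3], $3, sizeof(fr->fr_ifnames[3]));
            free($3);
        }
    ;

/* dup-to ifname[:address] -- the address may be IPv4 (hostname) or IPv6. */
dup:
      IPFY_DUPTO name
        {
            strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
            free($2);
        }
    | IPFY_DUPTO name duptoseparator hostname
        {
            strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
            fr->fr_dif.fd_ip = $4;
            yyexpectaddr = 0;
            free($2);
        }
    | IPFY_DUPTO name duptoseparator YY_IPV6
        {
            strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
            bcopy(&$4, &fr->fr_dif.fd_ip6, sizeof(fr->fr_dif.fd_ip6));
            yyexpectaddr = 0;
            free($2);
        }
    ;

/*
 * ':' between interface name and address: sets yyexpectaddr and points
 * yycont at it.  The rule that consumes the address clears yyexpectaddr.
 */
duptoseparator:
      ':'
        { yyexpectaddr = 1; yycont = &yyexpectaddr; resetaddr(); }
    ;

froute:
      IPFY_FROUTE
        { fr->fr_flags |= FR_FASTROUTE; }
    ;

/* to / route-to ifname[:address] */
proute:
      routeto name
        {
            strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
            free($2);
        }
    | routeto name duptoseparator hostname
        {
            strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
            fr->fr_tif.fd_ip = $4;
            yyexpectaddr = 0;
            free($2);
        }
    | routeto name duptoseparator YY_IPV6
        {
            strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
            bcopy(&$4, &fr->fr_tif.fd_ip6, sizeof(fr->fr_tif.fd_ip6));
            yyexpectaddr = 0;
            free($2);
        }
    ;

routeto:
      IPFY_TO
    | IPFY_ROUTETO
    ;

/* reply-to ifname[:address] -- only an IPv4 address form is offered here. */
replyto:
      IPFY_REPLY_TO name
        {
            strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
            free($2);
        }
    | IPFY_REPLY_TO name duptoseparator hostname
        {
            strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
            fr->fr_rif.fd_ip = $4;
            /*
             * duptoseparator set yyexpectaddr; clear it once the address
             * has been consumed, as the dup-to and route-to forms do, so
             * the rest of the rule is not read in address mode.
             */
            yyexpectaddr = 0;
            free($2);
        }
    ;

logoptions:
      logoption
    | logoptions logoption
    ;

logoption:
      IPFY_BODY
        { fr->fr_flags |= FR_LOGBODY; }
    | IPFY_FIRST
        { fr->fr_flags |= FR_LOGFIRST; }
    | IPFY_ORBLOCK
        { fr->fr_flags |= FR_LOGORBLOCK; }
    | level loglevel
        { unsetsyslog(); }
    ;

/* "(code)" after return-icmp: store the code, restore the lexer dictionary. */
returncode:
      starticmpcode icmpcode ')'
        { fr->fr_icode = $2; yyresetdict(); }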
6577c478bd9Sstevel@tonic-gate ; 6587c478bd9Sstevel@tonic-gate 6597c478bd9Sstevel@tonic-gate starticmpcode: 6607c478bd9Sstevel@tonic-gate '(' { yysetdict(icmpcodewords); } 6617c478bd9Sstevel@tonic-gate ; 6627c478bd9Sstevel@tonic-gate 663*ab25eeb5Syz srcdst: | IPFY_ALL 6647c478bd9Sstevel@tonic-gate | fromto 6657c478bd9Sstevel@tonic-gate ; 6667c478bd9Sstevel@tonic-gate 6677c478bd9Sstevel@tonic-gate protocol: 6687c478bd9Sstevel@tonic-gate YY_NUMBER { DOREM(fr->fr_proto = $1; \ 6697c478bd9Sstevel@tonic-gate fr->fr_mproto = 0xff;) } 6707c478bd9Sstevel@tonic-gate | YY_STR { if (!strcmp($1, "tcp-udp")) { 6717c478bd9Sstevel@tonic-gate DOREM(fr->fr_flx |= FI_TCPUDP; \ 6727c478bd9Sstevel@tonic-gate fr->fr_mflx |= FI_TCPUDP;) 6737c478bd9Sstevel@tonic-gate } else { 6747c478bd9Sstevel@tonic-gate int p = getproto($1); 6757c478bd9Sstevel@tonic-gate if (p == -1) 676*ab25eeb5Syz yyerror("protocol unknown"); 6777c478bd9Sstevel@tonic-gate DOREM(fr->fr_proto = p; \ 6787c478bd9Sstevel@tonic-gate fr->fr_mproto = 0xff;) 6797c478bd9Sstevel@tonic-gate } 6807c478bd9Sstevel@tonic-gate free($1); 6817c478bd9Sstevel@tonic-gate } 6827c478bd9Sstevel@tonic-gate | YY_STR nextstring YY_STR 6837c478bd9Sstevel@tonic-gate { if (!strcmp($1, "tcp") && 6847c478bd9Sstevel@tonic-gate !strcmp($3, "udp")) { 6857c478bd9Sstevel@tonic-gate DOREM(fr->fr_flx |= FI_TCPUDP; \ 6867c478bd9Sstevel@tonic-gate fr->fr_mflx |= FI_TCPUDP;) 6877c478bd9Sstevel@tonic-gate } else 6887c478bd9Sstevel@tonic-gate YYERROR; 6897c478bd9Sstevel@tonic-gate free($1); 6907c478bd9Sstevel@tonic-gate free($3); 6917c478bd9Sstevel@tonic-gate } 6927c478bd9Sstevel@tonic-gate ; 6937c478bd9Sstevel@tonic-gate 6947c478bd9Sstevel@tonic-gate nextstring: 6957c478bd9Sstevel@tonic-gate '/' { yysetdict(NULL); } 6967c478bd9Sstevel@tonic-gate ; 6977c478bd9Sstevel@tonic-gate 6987c478bd9Sstevel@tonic-gate fromto: from srcobject to dstobject { yyexpectaddr = 0; yycont = NULL; } 6997c478bd9Sstevel@tonic-gate | to dstobject { yyexpectaddr = 0; yycont = NULL; } 
7007c478bd9Sstevel@tonic-gate | from srcobject { yyexpectaddr = 0; yycont = NULL; } 7017c478bd9Sstevel@tonic-gate ; 7027c478bd9Sstevel@tonic-gate 7037c478bd9Sstevel@tonic-gate from: IPFY_FROM { setipftype(); 7047c478bd9Sstevel@tonic-gate if (fr == NULL) 7057c478bd9Sstevel@tonic-gate fr = frc; 7067c478bd9Sstevel@tonic-gate yyexpectaddr = 1; 707*ab25eeb5Syz if (yydebug) 708*ab25eeb5Syz printf("set yyexpectaddr\n"); 7097c478bd9Sstevel@tonic-gate yycont = &yyexpectaddr; 7107c478bd9Sstevel@tonic-gate yysetdict(addrwords); 7117c478bd9Sstevel@tonic-gate resetaddr(); } 7127c478bd9Sstevel@tonic-gate ; 7137c478bd9Sstevel@tonic-gate 7147c478bd9Sstevel@tonic-gate to: IPFY_TO { if (fr == NULL) 7157c478bd9Sstevel@tonic-gate fr = frc; 7167c478bd9Sstevel@tonic-gate yyexpectaddr = 1; 717*ab25eeb5Syz if (yydebug) 718*ab25eeb5Syz printf("set yyexpectaddr\n"); 7197c478bd9Sstevel@tonic-gate yycont = &yyexpectaddr; 7207c478bd9Sstevel@tonic-gate yysetdict(addrwords); 7217c478bd9Sstevel@tonic-gate resetaddr(); } 7227c478bd9Sstevel@tonic-gate ; 7237c478bd9Sstevel@tonic-gate 7247c478bd9Sstevel@tonic-gate with: | andwith withlist 7257c478bd9Sstevel@tonic-gate ; 7267c478bd9Sstevel@tonic-gate 7277c478bd9Sstevel@tonic-gate andwith: 7287c478bd9Sstevel@tonic-gate IPFY_WITH { nowith = 0; setipftype(); } 7297c478bd9Sstevel@tonic-gate | IPFY_AND { nowith = 0; setipftype(); } 7307c478bd9Sstevel@tonic-gate ; 7317c478bd9Sstevel@tonic-gate 732*ab25eeb5Syz flags: | startflags flagset 7337c478bd9Sstevel@tonic-gate { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) } 734*ab25eeb5Syz | startflags flagset '/' flagset 7357c478bd9Sstevel@tonic-gate { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) } 736*ab25eeb5Syz | startflags '/' flagset 7377c478bd9Sstevel@tonic-gate { DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) } 738*ab25eeb5Syz | startflags YY_NUMBER 7397c478bd9Sstevel@tonic-gate { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) } 740*ab25eeb5Syz | startflags '/' YY_NUMBER 7417c478bd9Sstevel@tonic-gate { 
DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) } 742*ab25eeb5Syz | startflags YY_NUMBER '/' YY_NUMBER 7437c478bd9Sstevel@tonic-gate { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) } 744*ab25eeb5Syz | startflags flagset '/' YY_NUMBER 7457c478bd9Sstevel@tonic-gate { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) } 746*ab25eeb5Syz | startflags YY_NUMBER '/' flagset 7477c478bd9Sstevel@tonic-gate { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) } 7487c478bd9Sstevel@tonic-gate ; 7497c478bd9Sstevel@tonic-gate 750*ab25eeb5Syz startflags: 751*ab25eeb5Syz IPFY_FLAGS { if (frc->fr_type != FR_T_IPF) 752*ab25eeb5Syz yyerror("flags with non-ipf type rule"); 753*ab25eeb5Syz if (frc->fr_proto != IPPROTO_TCP) 754*ab25eeb5Syz yyerror("flags with non-TCP rule"); 755*ab25eeb5Syz } 756*ab25eeb5Syz ; 757*ab25eeb5Syz 7587c478bd9Sstevel@tonic-gate flagset: 7597c478bd9Sstevel@tonic-gate YY_STR { $$ = tcpflags($1); free($1); } 7607c478bd9Sstevel@tonic-gate | YY_HEX { $$ = $1; } 7617c478bd9Sstevel@tonic-gate ; 7627c478bd9Sstevel@tonic-gate 7637c478bd9Sstevel@tonic-gate srcobject: 764*ab25eeb5Syz { yyresetdict(); } fromport 765*ab25eeb5Syz | srcaddr srcport 7667c478bd9Sstevel@tonic-gate | '!' 
srcaddr srcport 7677c478bd9Sstevel@tonic-gate { DOALL(fr->fr_flags |= FR_NOTSRCIP;) } 7687c478bd9Sstevel@tonic-gate ; 7697c478bd9Sstevel@tonic-gate 7707c478bd9Sstevel@tonic-gate srcaddr: 7717c478bd9Sstevel@tonic-gate addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \ 7727c478bd9Sstevel@tonic-gate bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \ 7737c478bd9Sstevel@tonic-gate if (dynamic != -1) { \ 7747c478bd9Sstevel@tonic-gate fr->fr_satype = ifpflag; \ 7757c478bd9Sstevel@tonic-gate fr->fr_ipf->fri_sifpidx = dynamic; \ 7767c478bd9Sstevel@tonic-gate } else if (pooled || hashed) \ 7777c478bd9Sstevel@tonic-gate fr->fr_satype = FRI_LOOKUP;) 7787c478bd9Sstevel@tonic-gate } 7797c478bd9Sstevel@tonic-gate | lstart srcaddrlist lend 7807c478bd9Sstevel@tonic-gate ; 7817c478bd9Sstevel@tonic-gate 7827c478bd9Sstevel@tonic-gate srcaddrlist: 7837c478bd9Sstevel@tonic-gate addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \ 7847c478bd9Sstevel@tonic-gate bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \ 7857c478bd9Sstevel@tonic-gate if (dynamic != -1) { \ 7867c478bd9Sstevel@tonic-gate fr->fr_satype = ifpflag; \ 7877c478bd9Sstevel@tonic-gate fr->fr_ipf->fri_sifpidx = dynamic; \ 7887c478bd9Sstevel@tonic-gate } else if (pooled || hashed) \ 7897c478bd9Sstevel@tonic-gate fr->fr_satype = FRI_LOOKUP;) 7907c478bd9Sstevel@tonic-gate } 7917c478bd9Sstevel@tonic-gate | srcaddrlist lmore addr 7927c478bd9Sstevel@tonic-gate { DOREM(bcopy(&($3.a), &fr->fr_ip.fi_src, sizeof($3.a)); \ 7937c478bd9Sstevel@tonic-gate bcopy(&($3.m), &fr->fr_mip.fi_src, sizeof($3.m)); \ 7947c478bd9Sstevel@tonic-gate if (dynamic != -1) { \ 7957c478bd9Sstevel@tonic-gate fr->fr_satype = ifpflag; \ 7967c478bd9Sstevel@tonic-gate fr->fr_ipf->fri_sifpidx = dynamic; \ 7977c478bd9Sstevel@tonic-gate } else if (pooled || hashed) \ 7987c478bd9Sstevel@tonic-gate fr->fr_satype = FRI_LOOKUP;) 7997c478bd9Sstevel@tonic-gate } 8007c478bd9Sstevel@tonic-gate ; 8017c478bd9Sstevel@tonic-gate 
/*
 * Optional source port match that follows a source address.
 * DOALL (defined in the prologue) restarts at frc and applies the
 * assignment to every rule on that chain.
 */
srcport:
	| portcomp
		{ DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
	| portrange
		{ DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
			fr->fr_stop = $1.p2;) }
	| porteq lstart srcportlist lend
		{ yyresetdict(); }
	;

/*
 * Source port match with no preceding address; same alternatives as
 * srcport but without the empty one.
 */
fromport:
	portcomp
		{ DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
	| portrange
		{ DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
			fr->fr_stop = $1.p2;) }
	| porteq lstart srcportlist lend
		{ yyresetdict(); }
	;

/*
 * List of source ports, each stored as an FR_EQUAL comparison.
 * DOREM (defined in the prologue) continues from the current fr rather
 * than restarting at frc.
 */
srcportlist:
	portnum		{ DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $1;) }
	| srcportlist lmore portnum
			{ DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $3;) }
	;

/*
 * Destination side of a rule: a bare port match, an address with an
 * optional port, or a '!' address, which sets FR_NOTDSTIP on every rule
 * in the chain.
 */
dstobject:
	{ yyresetdict(); } toport
	| dstaddr dstport
	| '!' dstaddr dstport
			{ DOALL(fr->fr_flags |= FR_NOTDSTIP;) }
	;

/*
 * Destination address.  The address and mask halves of the parsed value
 * are copied into fr_ip.fi_dst and fr_mip.fi_dst.  fr_datype is then set
 * to ifpflag (with the interface index taken from dynamic) when dynamic
 * is not -1, or to FRI_LOOKUP when a pool or hash was parsed.
 */
dstaddr:
	addr	{ DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
			bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \
			if (dynamic != -1) { \
				fr->fr_datype = ifpflag; \
				fr->fr_ipf->fri_difpidx = dynamic; \
			} else if (pooled || hashed) \
				fr->fr_datype = FRI_LOOKUP;)
		}
	| lstart dstaddrlist lend
	;

/*
 * List of destination addresses; each element runs the same store as the
 * single-address form of dstaddr.
 */
dstaddrlist:
	addr	{ DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
			bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \
			if (dynamic != -1) { \
				fr->fr_datype = ifpflag; \
				fr->fr_ipf->fri_difpidx = dynamic; \
			} else if (pooled || hashed) \
				fr->fr_datype = FRI_LOOKUP;)
		}
	| dstaddrlist lmore addr
		{ DOREM(bcopy(&($3.a), &fr->fr_ip.fi_dst, sizeof($3.a)); \
			bcopy(&($3.m), &fr->fr_mip.fi_dst, sizeof($3.m)); \
			if (dynamic != -1) { \
				fr->fr_datype = ifpflag; \
				fr->fr_ipf->fri_difpidx = dynamic; \
			} else if (pooled || hashed) \
				fr->fr_datype = FRI_LOOKUP;)
		}
	;


/*
 * Optional destination port match that follows a destination address.
 * DOALL (defined in the prologue) restarts at frc and applies the
 * assignment to every rule on that chain.
 */
dstport:
	| portcomp
		{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
	| portrange
		{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
			fr->fr_dtop = $1.p2;) }
	| porteq lstart dstportlist lend
		{ yyresetdict(); }
	;

/*
 * Destination port match with no preceding address; same alternatives as
 * dstport but without the empty one.
 */
toport:
	portcomp
		{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
	| portrange
		{ DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
			fr->fr_dtop = $1.p2;) }
	| porteq lstart dstportlist lend
		{ yyresetdict(); }
	;

/*
 * List of destination ports, each stored as an FR_EQUAL comparison.
 * DOREM continues from the current fr rather than restarting at frc.
 */
dstportlist:
	portnum		{ DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $1;) }
	| dstportlist lmore portnum
			{ DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $3;) }
	;

/*
 * One address operand: a reference to a numbered pool or hash table, an
 * inline pool or hash definition (built by makepool()/makehash()), or a
 * literal address.  The pooled/hashed flags set here are read by the
 * srcaddr/dstaddr actions to select FRI_LOOKUP.
 *
 * NOTE(review): the pool/hash alternatives write only
 * $$.a.iplookuptype and $$.a.iplookupnum; nothing in these actions
 * writes $$.m, while srcaddr/dstaddr copy $1.m into the rule mask.
 * Confirm the consumer does not rely on the mask for lookup-type
 * addresses.
 */
addr:	pool '/' YY_NUMBER		{ pooled = 1;
					  yyexpectaddr = 0;
					  $$.a.iplookuptype = IPLT_POOL;
					  $$.a.iplookupnum = $3; }
	| pool '=' '(' poollist ')'	{ pooled = 1;
					  yyexpectaddr = 0;
					  $$.a.iplookuptype = IPLT_POOL;
					  $$.a.iplookupnum = makepool($4); }
	| hash '/' YY_NUMBER		{ hashed = 1;
					  yyexpectaddr = 0;
					  $$.a.iplookuptype = IPLT_HASH;
					  $$.a.iplookupnum = $3; }
	| hash '=' '(' addrlist ')'	{ hashed = 1;
					  yyexpectaddr = 0;
					  $$.a.iplookuptype = IPLT_HASH;
					  $$.a.iplookupnum = makehash($4); }
	| ipaddr			{ bcopy(&$1, &$$, sizeof($$));
					  yyexpectaddr = 0; }
	;

/*
 * Literal address with an optional mask.  "any" zeroes both address and
 * mask.  A bare IPv4 host gets an all-ones mask; a bare IPv6 address
 * gets a 128-bit mask via fill6bits().  In the masked forms the two
 * mid-rule actions occupy positions $2 and $4, so the mask is $5.  The
 * IPv4 masked form also ANDs the address with the mask.  Both IPv6
 * forms set set_ipv6_addr, which the addrlist/poollist actions read to
 * pick the address family.
 */
ipaddr:	IPFY_ANY			{ bzero(&($$), sizeof($$));
					  yyresetdict();
					  yyexpectaddr = 0; }
	| hostname			{ $$.a.in4 = $1;
					  $$.m.in4_addr = 0xffffffff;
					  yyexpectaddr = 0; }
	| hostname			{ yyresetdict();
					  $$.a.in4_addr = $1.s_addr; }
		maskspace		{ yysetdict(maskwords); }
		ipv4mask		{ $$.m.in4_addr = $5.s_addr;
					  $$.a.in4_addr &= $5.s_addr;
					  yyresetdict();
					  yyexpectaddr = 0; }
	| YY_IPV6			{ set_ipv6_addr = 1;
					  bcopy(&$1, &$$.a, sizeof($$.a));
					  fill6bits(128, (u_32_t *)&$$.m);
					  yyresetdict();
					  yyexpectaddr = 0; }
	| YY_IPV6			{ set_ipv6_addr = 1;
					  yyresetdict();
					  bcopy(&$1, &$$.a, sizeof($$.a)); }
		maskspace		{ yysetdict(maskwords); }
		ipv6mask		{ bcopy(&$5, &$$.m, sizeof($$.m));
					  yyresetdict();
					  yyexpectaddr = 0; }
	;

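/* Separator between an address and its mask: '/' or the "mask" keyword. */
maskspace:
	'/'
	| IPFY_MASK
	;

/*
 * IPv4 mask: dotted quad, hex value, prefix length 0..32, or one of the
 * dynamic-interface keywords.  The keywords are accepted only when
 * ifpflag is FRI_DYNAMIC; each one zeroes the mask value and replaces
 * ifpflag with its own FRI_* type, otherwise the rule is rejected with
 * YYERROR.
 *
 * NOTE(review): on an out-of-range prefix length $$ is not assigned
 * after yyerror(); confirm yyerror() does not return to this action.
 */
ipv4mask:
	ipv4				{ $$ = $1; }
	| YY_HEX			{ $$.s_addr = htonl($1); }
	| YY_NUMBER			{ if (($1 >= 0) && ($1 <= 32)) {
						ntomask(4, $1, (u_32_t *)&$$);
					  } else
						yyerror("invalid mask");
					}
	| IPFY_BROADCAST		{ if (ifpflag == FRI_DYNAMIC) {
						$$.s_addr = 0;
						ifpflag = FRI_BROADCAST;
					  } else
						YYERROR;
					}
	| IPFY_NETWORK			{ if (ifpflag == FRI_DYNAMIC) {
						$$.s_addr = 0;
						ifpflag = FRI_NETWORK;
					  } else
						YYERROR;
					}
	| IPFY_NETMASKED		{ if (ifpflag == FRI_DYNAMIC) {
						$$.s_addr = 0;
						ifpflag = FRI_NETMASKED;
					  } else
						YYERROR;
					}
	| IPFY_PEER			{ if (ifpflag == FRI_DYNAMIC) {
						$$.s_addr = 0;
						ifpflag = FRI_PEERADDR;
					  } else
						YYERROR;
					}
	;

/*
 * IPv6 mask: prefix length 0..128 or one of the dynamic-interface
 * keywords.  Each keyword records its own FRI_* type in ifpflag, the
 * same mapping ipv4mask uses, so that "network", "netmasked" and "peer"
 * are not all stored as FRI_BROADCAST and a rule matches the address
 * set its keyword names.
 *
 * NOTE(review): on an out-of-range prefix length $$ is not assigned
 * after yyerror(); confirm yyerror() does not return to this action.
 */
ipv6mask:
	YY_NUMBER			{ if (($1 >= 0) && ($1 <= 128)) {
						ntomask(6, $1, $$.i6);
					  } else
						yyerror("invalid mask");
					}
	| IPFY_BROADCAST		{ if (ifpflag == FRI_DYNAMIC) {
						bzero(&$$, sizeof($$));
						ifpflag = FRI_BROADCAST;
					  } else
						YYERROR;
					}
	| IPFY_NETWORK			{ if (ifpflag == FRI_DYNAMIC) {
						bzero(&$$, sizeof($$));
						ifpflag = FRI_NETWORK;
					  } else
						YYERROR;
					}
	| IPFY_NETMASKED		{ if (ifpflag == FRI_DYNAMIC) {
						bzero(&$$, sizeof($$));
						ifpflag = FRI_NETMASKED;
					  } else
						YYERROR;
					}
	| IPFY_PEER			{ if (ifpflag == FRI_DYNAMIC) {
						bzero(&$$, sizeof($$));
						ifpflag = FRI_PEERADDR;
					  } else
						YYERROR;
					}
	;

/*
 * IPv4 host: dotted quad, number, hex value, or a name resolved with
 * lookuphost().  A zero result from lookuphost() is reported as an
 * error unless ifpflag is FRI_DYNAMIC.
 */
hostname:
	ipv4				{ $$ = $1; }
	| YY_NUMBER			{ $$.s_addr = $1; }
	| YY_HEX			{ $$.s_addr = $1; }
	| YY_STR			{ $$.s_addr = lookuphost($1);
					  free($1);
					  if ($$.s_addr == 0 &&
						ifpflag != FRI_DYNAMIC)
						yyerror("Unknown hostname");
					}
	;

/*
 * Address list for an inline hash definition.  Each element becomes a
 * new alist node chained onto the list parsed so far.  The family is
 * taken from set_ipv6_addr, which is cleared again for the next element.
 *
 * NOTE(review): the newalist() result is dereferenced without a NULL
 * check here and in poollist; confirm newalist() cannot return NULL.
 */
addrlist:
	ipaddr		{ $$ = newalist(NULL);
			  if (set_ipv6_addr)
				$$->al_family = AF_INET6;
			  else
				$$->al_family = AF_INET;
			  set_ipv6_addr = 0;
			  bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
			  bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); }
	| addrlist ',' ipaddr
			{ $$ = newalist($1);
			  if (set_ipv6_addr)
				$$->al_family = AF_INET6;
			  else
				$$->al_family = AF_INET;
			  set_ipv6_addr = 0;
			  bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
			  bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); }
	;

/* "pool" keyword: leave address-expecting mode and reset the dictionary. */
pool:	IPFY_POOL	{ yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
	;

/* "hash" keyword: leave address-expecting mode and reset the dictionary. */
hash:	IPFY_HASH	{ yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
	;

/*
 * Address list for an inline pool definition.  Same node construction as
 * addrlist; a leading '!' additionally sets al_not on the node.
 */
poollist:
	ipaddr		{ $$ = newalist(NULL);
			  if (set_ipv6_addr)
				$$->al_family = AF_INET6;
			  else
				$$->al_family = AF_INET;
			  set_ipv6_addr = 0;
			  bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
			  bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); }
	| '!' ipaddr	{ $$ = newalist(NULL);
			  $$->al_not = 1;
			  if (set_ipv6_addr)
				$$->al_family = AF_INET6;
			  else
				$$->al_family = AF_INET;
			  set_ipv6_addr = 0;
			  bcopy(&($2.a), &($$->al_i6addr), sizeof($2.a));
			  bcopy(&($2.m), &($$->al_i6mask), sizeof($2.m)); }
	| poollist ',' ipaddr
			{ $$ = newalist($1);
			  if (set_ipv6_addr)
				$$->al_family = AF_INET6;
			  else
				$$->al_family = AF_INET;
			  set_ipv6_addr = 0;
			  bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
			  bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); }
	| poollist ',' '!' ipaddr
			{ $$ = newalist($1);
			  $$->al_not = 1;
			  if (set_ipv6_addr)
				$$->al_family = AF_INET6;
			  else
				$$->al_family = AF_INET;
			  set_ipv6_addr = 0;
			  bcopy(&($4.a), &($$->al_i6addr), sizeof($4.a));
			  bcopy(&($4.m), &($$->al_i6mask), sizeof($4.m)); }
	;

/* "port" keyword: leave address-expecting mode. */
port:	IPFY_PORT			{ yyexpectaddr = 0;
					  yycont = NULL;
					}
	;

/* "port" followed by a comparison operator; yields the comparator code. */
portc:	port compare			{ $$ = $2;
					  yysetdict(NULL); }
	| porteq			{ $$ = $1; }
	;

/* "port =": yields FR_EQUAL. */
porteq:	port '='			{ $$ = FR_EQUAL;
					  yysetdict(NULL); }
	;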
11027c478bd9Sstevel@tonic-gate 11037c478bd9Sstevel@tonic-gate portr: IPFY_PORT { yyexpectaddr = 0; 11047c478bd9Sstevel@tonic-gate yycont = NULL; 11057c478bd9Sstevel@tonic-gate yysetdict(NULL); } 11067c478bd9Sstevel@tonic-gate ; 11077c478bd9Sstevel@tonic-gate 11087c478bd9Sstevel@tonic-gate portcomp: 11097c478bd9Sstevel@tonic-gate portc portnum { $$.pc = $1; 11107c478bd9Sstevel@tonic-gate $$.p1 = $2; 11117c478bd9Sstevel@tonic-gate yyresetdict(); } 11127c478bd9Sstevel@tonic-gate ; 11137c478bd9Sstevel@tonic-gate 11147c478bd9Sstevel@tonic-gate portrange: 11157c478bd9Sstevel@tonic-gate portr portnum range portnum { $$.p1 = $2; 11167c478bd9Sstevel@tonic-gate $$.pc = $3; 11177c478bd9Sstevel@tonic-gate $$.p2 = $4; 11187c478bd9Sstevel@tonic-gate yyresetdict(); } 11197c478bd9Sstevel@tonic-gate ; 11207c478bd9Sstevel@tonic-gate 11217c478bd9Sstevel@tonic-gate icmp: | itype icode 11227c478bd9Sstevel@tonic-gate ; 11237c478bd9Sstevel@tonic-gate 11247c478bd9Sstevel@tonic-gate itype: seticmptype icmptype 11257c478bd9Sstevel@tonic-gate { DOALL(fr->fr_icmp = htons($2 << 8); fr->fr_icmpm = htons(0xff00);); 11267c478bd9Sstevel@tonic-gate yyresetdict(); 11277c478bd9Sstevel@tonic-gate } 11287c478bd9Sstevel@tonic-gate | seticmptype lstart typelist lend { yyresetdict(); } 11297c478bd9Sstevel@tonic-gate ; 11307c478bd9Sstevel@tonic-gate 11317c478bd9Sstevel@tonic-gate seticmptype: 11327c478bd9Sstevel@tonic-gate IPFY_ICMPTYPE { setipftype(); 11337c478bd9Sstevel@tonic-gate yysetdict(icmptypewords); } 11347c478bd9Sstevel@tonic-gate ; 11357c478bd9Sstevel@tonic-gate 11367c478bd9Sstevel@tonic-gate icode: | seticmpcode icmpcode 11377c478bd9Sstevel@tonic-gate { DOALL(fr->fr_icmp |= htons($2); fr->fr_icmpm |= htons(0xff);); 11387c478bd9Sstevel@tonic-gate yyresetdict(); 11397c478bd9Sstevel@tonic-gate } 11407c478bd9Sstevel@tonic-gate | seticmpcode lstart codelist lend { yyresetdict(); } 11417c478bd9Sstevel@tonic-gate ; 11427c478bd9Sstevel@tonic-gate 11437c478bd9Sstevel@tonic-gate seticmpcode: 
11447c478bd9Sstevel@tonic-gate IPFY_ICMPCODE { yysetdict(icmpcodewords); } 11457c478bd9Sstevel@tonic-gate ; 11467c478bd9Sstevel@tonic-gate 11477c478bd9Sstevel@tonic-gate typelist: 11487c478bd9Sstevel@tonic-gate icmptype 11497c478bd9Sstevel@tonic-gate { DOREM(fr->fr_icmp = htons($1 << 8); fr->fr_icmpm = htons(0xff00);) } 11507c478bd9Sstevel@tonic-gate | typelist lmore icmptype 11517c478bd9Sstevel@tonic-gate { DOREM(fr->fr_icmp = htons($3 << 8); fr->fr_icmpm = htons(0xff00);) } 11527c478bd9Sstevel@tonic-gate ; 11537c478bd9Sstevel@tonic-gate 11547c478bd9Sstevel@tonic-gate codelist: 11557c478bd9Sstevel@tonic-gate icmpcode 11567c478bd9Sstevel@tonic-gate { DOREM(fr->fr_icmp |= htons($1); fr->fr_icmpm |= htons(0xff);) } 11577c478bd9Sstevel@tonic-gate | codelist lmore icmpcode 11587c478bd9Sstevel@tonic-gate { DOREM(fr->fr_icmp |= htons($3); fr->fr_icmpm |= htons(0xff);) } 11597c478bd9Sstevel@tonic-gate ; 11607c478bd9Sstevel@tonic-gate 11617c478bd9Sstevel@tonic-gate age: | IPFY_AGE YY_NUMBER { DOALL(fr->fr_age[0] = $2; \ 11627c478bd9Sstevel@tonic-gate fr->fr_age[1] = $2;) } 11637c478bd9Sstevel@tonic-gate | IPFY_AGE YY_NUMBER '/' YY_NUMBER 11647c478bd9Sstevel@tonic-gate { DOALL(fr->fr_age[0] = $2; \ 11657c478bd9Sstevel@tonic-gate fr->fr_age[1] = $4;) } 11667c478bd9Sstevel@tonic-gate ; 11677c478bd9Sstevel@tonic-gate 11687c478bd9Sstevel@tonic-gate keep: | IPFY_KEEP keepstate 11697c478bd9Sstevel@tonic-gate | IPFY_KEEP keepfrag 11707c478bd9Sstevel@tonic-gate | IPFY_KEEP keepstate IPFY_KEEP keepfrag 1171*ab25eeb5Syz | IPFY_KEEP keepfrag IPFY_KEEP keepstate 11727c478bd9Sstevel@tonic-gate ; 11737c478bd9Sstevel@tonic-gate 11747c478bd9Sstevel@tonic-gate keepstate: 11757c478bd9Sstevel@tonic-gate IPFY_STATE stateoptlist { DOALL(fr->fr_flags |= FR_KEEPSTATE;)} 11767c478bd9Sstevel@tonic-gate ; 11777c478bd9Sstevel@tonic-gate 11787c478bd9Sstevel@tonic-gate keepfrag: 11797c478bd9Sstevel@tonic-gate IPFY_FRAGS fragoptlist { DOALL(fr->fr_flags |= FR_KEEPFRAG;) } 1180*ab25eeb5Syz | IPFY_FRAG 
fragoptlist { DOALL(fr->fr_flags |= FR_KEEPFRAG;) } 11817c478bd9Sstevel@tonic-gate ; 11827c478bd9Sstevel@tonic-gate 11837c478bd9Sstevel@tonic-gate fragoptlist: 11847c478bd9Sstevel@tonic-gate | '(' fragopts ')' 11857c478bd9Sstevel@tonic-gate ; 11867c478bd9Sstevel@tonic-gate 11877c478bd9Sstevel@tonic-gate fragopts: 11887c478bd9Sstevel@tonic-gate fragopt lanother fragopts 11897c478bd9Sstevel@tonic-gate | fragopt 11907c478bd9Sstevel@tonic-gate ; 11917c478bd9Sstevel@tonic-gate 11927c478bd9Sstevel@tonic-gate fragopt: 11937c478bd9Sstevel@tonic-gate IPFY_STRICT { DOALL(fr->fr_flags |= FR_FRSTRICT;) } 11947c478bd9Sstevel@tonic-gate ; 11957c478bd9Sstevel@tonic-gate 11967c478bd9Sstevel@tonic-gate stateoptlist: 11977c478bd9Sstevel@tonic-gate | '(' stateopts ')' 11987c478bd9Sstevel@tonic-gate ; 11997c478bd9Sstevel@tonic-gate 12007c478bd9Sstevel@tonic-gate stateopts: 12017c478bd9Sstevel@tonic-gate stateopt lanother stateopts 12027c478bd9Sstevel@tonic-gate | stateopt 12037c478bd9Sstevel@tonic-gate ; 12047c478bd9Sstevel@tonic-gate 12057c478bd9Sstevel@tonic-gate stateopt: 12067c478bd9Sstevel@tonic-gate IPFY_LIMIT YY_NUMBER { DOALL(fr->fr_statemax = $2;) } 12077c478bd9Sstevel@tonic-gate | IPFY_STRICT { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \ 12087c478bd9Sstevel@tonic-gate YYERROR; \ 12097c478bd9Sstevel@tonic-gate } else \ 12107c478bd9Sstevel@tonic-gate fr->fr_flags |= FR_STSTRICT;) 12117c478bd9Sstevel@tonic-gate } 12127c478bd9Sstevel@tonic-gate | IPFY_NEWISN { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \ 12137c478bd9Sstevel@tonic-gate YYERROR; \ 12147c478bd9Sstevel@tonic-gate } else \ 12157c478bd9Sstevel@tonic-gate fr->fr_flags |= FR_NEWISN;) 12167c478bd9Sstevel@tonic-gate } 12177c478bd9Sstevel@tonic-gate | IPFY_NOICMPERR { DOALL(fr->fr_flags |= FR_NOICMPERR;) } 1218*ab25eeb5Syz 1219*ab25eeb5Syz | IPFY_SYNC { DOALL(fr->fr_flags |= FR_STATESYNC;) } 12207c478bd9Sstevel@tonic-gate ; 12217c478bd9Sstevel@tonic-gate 12227c478bd9Sstevel@tonic-gate portnum: 1223*ab25eeb5Syz servicename { 
if (getport(frc, $1, &($$)) == -1) 1224*ab25eeb5Syz yyerror("service unknown"); 1225*ab25eeb5Syz else 1226*ab25eeb5Syz $$ = ntohs($$); 12277c478bd9Sstevel@tonic-gate free($1); 12287c478bd9Sstevel@tonic-gate } 1229*ab25eeb5Syz | YY_NUMBER { if ($1 > 65535) /* Unsigned */ 1230*ab25eeb5Syz yyerror("invalid port number"); 1231*ab25eeb5Syz else 1232*ab25eeb5Syz $$ = $1; 1233*ab25eeb5Syz } 12347c478bd9Sstevel@tonic-gate ; 12357c478bd9Sstevel@tonic-gate 12367c478bd9Sstevel@tonic-gate withlist: 12377c478bd9Sstevel@tonic-gate withopt 12387c478bd9Sstevel@tonic-gate | withlist withopt 1239*ab25eeb5Syz | withlist ',' withopt 12407c478bd9Sstevel@tonic-gate ; 12417c478bd9Sstevel@tonic-gate 12427c478bd9Sstevel@tonic-gate withopt: 12437c478bd9Sstevel@tonic-gate opttype { DOALL(fr->fr_flx |= $1; fr->fr_mflx |= $1;) } 12447c478bd9Sstevel@tonic-gate | notwith opttype 1245*ab25eeb5Syz { DOALL(fr->fr_mflx |= $2;) } 1246*ab25eeb5Syz | ipopt ipopts { yyresetdict(); } 1247*ab25eeb5Syz | notwith ipopt ipopts { yyresetdict(); } 1248*ab25eeb5Syz | startv6hdrs ipv6hdrs { yyresetdict(); } 1249*ab25eeb5Syz ; 1250*ab25eeb5Syz 1251*ab25eeb5Syz ipopt: IPFY_OPT { yysetdict(ipv4optwords); } 12527c478bd9Sstevel@tonic-gate ; 12537c478bd9Sstevel@tonic-gate 12547c478bd9Sstevel@tonic-gate startv6hdrs: 12557c478bd9Sstevel@tonic-gate IPF6_V6HDRS { if (use_inet6 == 0) 12567c478bd9Sstevel@tonic-gate yyerror("only available with IPv6"); 1257*ab25eeb5Syz yysetdict(ipv6optwords); 12587c478bd9Sstevel@tonic-gate } 12597c478bd9Sstevel@tonic-gate ; 12607c478bd9Sstevel@tonic-gate 12617c478bd9Sstevel@tonic-gate notwith: 12627c478bd9Sstevel@tonic-gate IPFY_NOT { nowith = 1; } 12637c478bd9Sstevel@tonic-gate | IPFY_NO { nowith = 1; } 12647c478bd9Sstevel@tonic-gate ; 12657c478bd9Sstevel@tonic-gate 12667c478bd9Sstevel@tonic-gate opttype: 12677c478bd9Sstevel@tonic-gate IPFY_IPOPTS { $$ = FI_OPTIONS; } 12687c478bd9Sstevel@tonic-gate | IPFY_SHORT { $$ = FI_SHORT; } 12697c478bd9Sstevel@tonic-gate | IPFY_NAT { $$ = FI_NATED; } 
12707c478bd9Sstevel@tonic-gate | IPFY_BAD { $$ = FI_BAD; } 12717c478bd9Sstevel@tonic-gate | IPFY_BADNAT { $$ = FI_BADNAT; } 12727c478bd9Sstevel@tonic-gate | IPFY_BADSRC { $$ = FI_BADSRC; } 12737c478bd9Sstevel@tonic-gate | IPFY_LOWTTL { $$ = FI_LOWTTL; } 12747c478bd9Sstevel@tonic-gate | IPFY_FRAG { $$ = FI_FRAG; } 1275*ab25eeb5Syz | IPFY_FRAGBODY { $$ = FI_FRAGBODY; } 1276*ab25eeb5Syz | IPFY_FRAGS { $$ = FI_FRAG; } 12777c478bd9Sstevel@tonic-gate | IPFY_MBCAST { $$ = FI_MBCAST; } 12787c478bd9Sstevel@tonic-gate | IPFY_MULTICAST { $$ = FI_MULTICAST; } 12797c478bd9Sstevel@tonic-gate | IPFY_BROADCAST { $$ = FI_BROADCAST; } 12807c478bd9Sstevel@tonic-gate | IPFY_STATE { $$ = FI_STATE; } 12817c478bd9Sstevel@tonic-gate | IPFY_OOW { $$ = FI_OOW; } 12827c478bd9Sstevel@tonic-gate ; 12837c478bd9Sstevel@tonic-gate 12847c478bd9Sstevel@tonic-gate ipopts: optlist { DOALL(fr->fr_mip.fi_optmsk |= $1; 12857c478bd9Sstevel@tonic-gate if (!nowith) 12867c478bd9Sstevel@tonic-gate fr->fr_ip.fi_optmsk |= $1;) 12877c478bd9Sstevel@tonic-gate } 12887c478bd9Sstevel@tonic-gate ; 12897c478bd9Sstevel@tonic-gate 12907c478bd9Sstevel@tonic-gate optlist: 12917c478bd9Sstevel@tonic-gate opt { $$ |= $1; } 12927c478bd9Sstevel@tonic-gate | optlist ',' opt { $$ |= $1 | $3; } 12937c478bd9Sstevel@tonic-gate ; 12947c478bd9Sstevel@tonic-gate 12957c478bd9Sstevel@tonic-gate ipv6hdrs: 12967c478bd9Sstevel@tonic-gate ipv6hdrlist { DOALL(fr->fr_mip.fi_optmsk |= $1; 12977c478bd9Sstevel@tonic-gate if (!nowith) 12987c478bd9Sstevel@tonic-gate fr->fr_ip.fi_optmsk |= $1;) 12997c478bd9Sstevel@tonic-gate } 13007c478bd9Sstevel@tonic-gate ; 13017c478bd9Sstevel@tonic-gate 13027c478bd9Sstevel@tonic-gate ipv6hdrlist: 13037c478bd9Sstevel@tonic-gate ipv6hdr { $$ |= $1; } 13047c478bd9Sstevel@tonic-gate | ipv6hdrlist ',' ipv6hdr { $$ |= $1 | $3; } 13057c478bd9Sstevel@tonic-gate ; 13067c478bd9Sstevel@tonic-gate 13077c478bd9Sstevel@tonic-gate secname: 13087c478bd9Sstevel@tonic-gate seclevel { $$ |= $1; } 13097c478bd9Sstevel@tonic-gate | 
secname ',' seclevel	{ $$ |= $1 | $3; }
	;

/*
 * seclevel: a single sec-class keyword.  Each alternative passes the
 * matching IPSO_CLASS_* constant to secbit() and yields the result.
 */
seclevel:
	IPFY_SEC_UNC			{ $$ = secbit(IPSO_CLASS_UNCL); }
	| IPFY_SEC_CONF			{ $$ = secbit(IPSO_CLASS_CONF); }
	| IPFY_SEC_RSV1			{ $$ = secbit(IPSO_CLASS_RES1); }
	| IPFY_SEC_RSV2			{ $$ = secbit(IPSO_CLASS_RES2); }
	| IPFY_SEC_RSV3			{ $$ = secbit(IPSO_CLASS_RES3); }
	| IPFY_SEC_RSV4			{ $$ = secbit(IPSO_CLASS_RES4); }
	| IPFY_SEC_SEC			{ $$ = secbit(IPSO_CLASS_SECR); }
	| IPFY_SEC_TS			{ $$ = secbit(IPSO_CLASS_TOPS); }
	;

/*
 * icmptype: either a bare number, taken as-is, or a keyword mapped to
 * the corresponding ICMP_* type constant.
 * NOTE(review): the numeric form is not range-checked in this rule.
 */
icmptype:
	YY_NUMBER			{ $$ = $1; }
	| IPFY_ICMPT_UNR		{ $$ = ICMP_UNREACH; }
	| IPFY_ICMPT_ECHO		{ $$ = ICMP_ECHO; }
	| IPFY_ICMPT_ECHOR		{ $$ = ICMP_ECHOREPLY; }
	| IPFY_ICMPT_SQUENCH		{ $$ = ICMP_SOURCEQUENCH; }
	| IPFY_ICMPT_REDIR		{ $$ = ICMP_REDIRECT; }
	| IPFY_ICMPT_TIMEX		{ $$ = ICMP_TIMXCEED; }
	| IPFY_ICMPT_PARAMP		{ $$ = ICMP_PARAMPROB; }
	| IPFY_ICMPT_TIMEST		{ $$ = ICMP_TSTAMP; }
	| IPFY_ICMPT_TIMESTREP		{ $$ = ICMP_TSTAMPREPLY; }
	| IPFY_ICMPT_INFOREQ		{ $$ = ICMP_IREQ; }
	| IPFY_ICMPT_INFOREP		{ $$ = ICMP_IREQREPLY; }
	| IPFY_ICMPT_MASKREQ		{ $$ = ICMP_MASKREQ; }
	| IPFY_ICMPT_MASKREP		{ $$ = ICMP_MASKREPLY; }
	| IPFY_ICMPT_ROUTERAD		{ $$ = ICMP_ROUTERADVERT; }
	| IPFY_ICMPT_ROUTERSOL		{ $$ = ICMP_ROUTERSOLICIT; }
	;

/*
 * icmpcode: a bare number or a keyword mapped to an ICMP_UNREACH_*
 * code.  The last two keywords use the literal codes 14 and 15 rather
 * than named constants.
 */
icmpcode:
	YY_NUMBER			{ $$ = $1; }
	| IPFY_ICMPC_NETUNR		{ $$ = ICMP_UNREACH_NET; }
	| IPFY_ICMPC_HSTUNR		{ $$ = ICMP_UNREACH_HOST; }
	| IPFY_ICMPC_PROUNR		{ $$ = ICMP_UNREACH_PROTOCOL; }
	| IPFY_ICMPC_PORUNR		{ $$ = ICMP_UNREACH_PORT; }
	| IPFY_ICMPC_NEEDF		{ $$ = ICMP_UNREACH_NEEDFRAG; }
	| IPFY_ICMPC_SRCFAIL		{ $$ = ICMP_UNREACH_SRCFAIL; }
	| IPFY_ICMPC_NETUNK		{ $$ = ICMP_UNREACH_NET_UNKNOWN; }
	| IPFY_ICMPC_HSTUNK		{ $$ = ICMP_UNREACH_HOST_UNKNOWN; }
	| IPFY_ICMPC_ISOLATE		{ $$ = ICMP_UNREACH_ISOLATED; }
	| IPFY_ICMPC_NETPRO		{ $$ = ICMP_UNREACH_NET_PROHIB; }
	| IPFY_ICMPC_HSTPRO		{ $$ = ICMP_UNREACH_HOST_PROHIB; }
	| IPFY_ICMPC_NETTOS		{ $$ = ICMP_UNREACH_TOSNET; }
	| IPFY_ICMPC_HSTTOS		{ $$ = ICMP_UNREACH_TOSHOST; }
	| IPFY_ICMPC_FLTPRO		{ $$ = ICMP_UNREACH_ADMIN_PROHIBIT; }
	| IPFY_ICMPC_HSTPRE		{ $$ = 14; }
	| IPFY_ICMPC_CUTPRE		{ $$ = 15; }
	;

/*
 * opt: one IPv4 option keyword, resolved through getoptbyvalue() from
 * the matching IPOPT_* constant.  The final alternative handles a
 * sec-class list instead: it ORs the collected mask into
 * fr_mip.fi_secmsk of every rule from frc onwards (DOALL), and into
 * fr_ip.fi_secmsk as well unless `nowith' is set, then yields 0 and
 * calls yyresetdict().
 */
opt:
	IPFY_IPOPT_NOP			{ $$ = getoptbyvalue(IPOPT_NOP); }
	| IPFY_IPOPT_RR			{ $$ = getoptbyvalue(IPOPT_RR); }
	| IPFY_IPOPT_ZSU		{ $$ = getoptbyvalue(IPOPT_ZSU); }
	| IPFY_IPOPT_MTUP		{ $$ = getoptbyvalue(IPOPT_MTUP); }
	| IPFY_IPOPT_MTUR		{ $$ = getoptbyvalue(IPOPT_MTUR); }
	| IPFY_IPOPT_ENCODE		{ $$ = getoptbyvalue(IPOPT_ENCODE); }
	| IPFY_IPOPT_TS			{ $$ = getoptbyvalue(IPOPT_TS); }
	| IPFY_IPOPT_TR			{ $$ = getoptbyvalue(IPOPT_TR); }
	| IPFY_IPOPT_SEC		{ $$ = getoptbyvalue(IPOPT_SECURITY); }
	| IPFY_IPOPT_LSRR		{ $$ = getoptbyvalue(IPOPT_LSRR); }
	| IPFY_IPOPT_ESEC		{ $$ = getoptbyvalue(IPOPT_E_SEC); }
	| IPFY_IPOPT_CIPSO		{ $$ = getoptbyvalue(IPOPT_CIPSO); }
	| IPFY_IPOPT_SATID		{ $$ = getoptbyvalue(IPOPT_SATID); }
	| IPFY_IPOPT_SSRR		{ $$ = getoptbyvalue(IPOPT_SSRR); }
	| IPFY_IPOPT_ADDEXT		{ $$ = getoptbyvalue(IPOPT_ADDEXT); }
	| IPFY_IPOPT_VISA		{ $$ = getoptbyvalue(IPOPT_VISA); }
	| IPFY_IPOPT_IMITD		{ $$ = getoptbyvalue(IPOPT_IMITD); }
	| IPFY_IPOPT_EIP		{ $$ = getoptbyvalue(IPOPT_EIP); }
	| IPFY_IPOPT_FINN		{ $$ = getoptbyvalue(IPOPT_FINN); }
	| IPFY_IPOPT_DPS		{ $$ = getoptbyvalue(IPOPT_DPS); }
	| IPFY_IPOPT_SDB		{ $$ = getoptbyvalue(IPOPT_SDB); }
	| IPFY_IPOPT_NSAPA		{ $$ = getoptbyvalue(IPOPT_NSAPA); }
	| IPFY_IPOPT_RTRALRT		{ $$ = getoptbyvalue(IPOPT_RTRALRT); }
	| IPFY_IPOPT_UMP		{ $$ = getoptbyvalue(IPOPT_UMP); }
	| setsecclass secname
			{ DOALL(fr->fr_mip.fi_secmsk |= $2;
				if (!nowith)
					fr->fr_ip.fi_secmsk |= $2;)
			  $$ = 0;
			  yyresetdict();
			}
	;

/*
 * setsecclass: on the sec-class keyword, call yysetdict(ipv4secwords)
 * so the security level names that follow are looked up in that table
 * (presumably a lexer dictionary switch; the opt rule undoes it with
 * yyresetdict()).
 */
setsecclass:
	IPFY_SECCLASS			{ yysetdict(ipv4secwords); }
	;

/*
 * ipv6hdr: one IPv6 extension header keyword, resolved through
 * getv6optbyvalue() from the matching IPPROTO_* constant.
 */
ipv6hdr:
	IPFY_AH				{ $$ = getv6optbyvalue(IPPROTO_AH); }
	| IPFY_IPV6OPT_DSTOPTS		{ $$ = getv6optbyvalue(IPPROTO_DSTOPTS); }
	| IPFY_ESP			{ $$ = getv6optbyvalue(IPPROTO_ESP); }
	| IPFY_IPV6OPT_HOPOPTS		{ $$ = getv6optbyvalue(IPPROTO_HOPOPTS); }
	| IPFY_IPV6OPT_IPV6		{ $$ = getv6optbyvalue(IPPROTO_IPV6); }
	| IPFY_IPV6OPT_NONE		{ $$ = getv6optbyvalue(IPPROTO_NONE); }
	| IPFY_IPV6OPT_ROUTING		{ $$ = getv6optbyvalue(IPPROTO_ROUTING); }
	| IPFY_FRAG			{ $$ = getv6optbyvalue(IPPROTO_FRAGMENT); }
	;

/* level: the "level" keyword; calls setsyslog() before the log level is read. */
level:	IPFY_LEVEL			{ setsyslog(); }
	;

/*
 * loglevel: stores the syslog value in the current rule.  A priority
 * on its own is combined with LOG_LOCAL0; "facility.priority" uses the
 * facility given.
 */
loglevel:
	priority			{ fr->fr_loglevel = LOG_LOCAL0|$1; }
	| facility '.' priority		{ fr->fr_loglevel = $1 | $3; }
	;

/* facility: syslog facility keyword to LOG_* facility constant. */
facility:
	IPFY_FAC_KERN			{ $$ = LOG_KERN; }
	| IPFY_FAC_USER			{ $$ = LOG_USER; }
	| IPFY_FAC_MAIL			{ $$ = LOG_MAIL; }
	| IPFY_FAC_DAEMON		{ $$ = LOG_DAEMON; }
	| IPFY_FAC_AUTH			{ $$ = LOG_AUTH; }
	| IPFY_FAC_SYSLOG		{ $$ = LOG_SYSLOG; }
	| IPFY_FAC_LPR			{ $$ = LOG_LPR; }
	| IPFY_FAC_NEWS			{ $$ = LOG_NEWS; }
	| IPFY_FAC_UUCP			{ $$ = LOG_UUCP; }
	| IPFY_FAC_CRON			{ $$ = LOG_CRON; }
	| IPFY_FAC_FTP			{ $$ = LOG_FTP; }
	| IPFY_FAC_AUTHPRIV		{ $$ = LOG_AUTHPRIV; }
	| IPFY_FAC_AUDIT		{ $$ = LOG_AUDIT; }
	| IPFY_FAC_LFMT			{ $$ = LOG_LFMT; }
	| IPFY_FAC_LOCAL0		{ $$ = LOG_LOCAL0; }
	| IPFY_FAC_LOCAL1		{ $$ = LOG_LOCAL1; }
	| IPFY_FAC_LOCAL2		{ $$ = LOG_LOCAL2; }
	| IPFY_FAC_LOCAL3		{ $$ = LOG_LOCAL3; }
	| IPFY_FAC_LOCAL4		{ $$ = LOG_LOCAL4; }
	| IPFY_FAC_LOCAL5		{ $$ = LOG_LOCAL5; }
	| IPFY_FAC_LOCAL6		{ $$ = LOG_LOCAL6; }
	| IPFY_FAC_LOCAL7		{ $$ = LOG_LOCAL7; }
	| IPFY_FAC_SECURITY		{ $$ = LOG_SECURITY; }
	;

/* priority: syslog priority keyword to LOG_* priority constant. */
priority:
	IPFY_PRI_EMERG			{ $$ = LOG_EMERG; }
	| IPFY_PRI_ALERT		{ $$ = LOG_ALERT; }
	| IPFY_PRI_CRIT			{ $$ = LOG_CRIT; }
	| IPFY_PRI_ERR			{ $$ = LOG_ERR; }
	| IPFY_PRI_WARN			{ $$ = LOG_WARNING; }
	| IPFY_PRI_NOTICE		{ $$ = LOG_NOTICE; }
	| IPFY_PRI_INFO			{ $$ = LOG_INFO; }
	| IPFY_PRI_DEBUG		{ $$ = LOG_DEBUG; }
	;

/* compare: comparison token to the FR_* comparison code. */
compare:
	YY_CMP_EQ			{ $$ = FR_EQUAL; }
	| YY_CMP_NE			{ $$ = FR_NEQUAL; }
	| YY_CMP_LT			{ $$ = FR_LESST; }
	| YY_CMP_LE			{ $$ = FR_LESSTE; }
	| YY_CMP_GT			{ $$ = FR_GREATERT; }
	| YY_CMP_GE			{ $$ = FR_GREATERTE; }
	;

/* range: range token (or a literal ':') to the FR_* range code. */
range:	YY_RANGE_IN			{ $$ = FR_INRANGE; }
	| YY_RANGE_OUT			{ $$ = FR_OUTRANGE; }
	| ':'				{ $$ = FR_INCRANGE; }
	;

/* servicename: a string token, passed through unchanged. */
servicename:
	YY_STR				{ $$ = $1; }
	;

/*
 * interfacename: a string token.  The "name:number" form is accepted,
 * but only the name is kept; a message on stderr tells the user that
 * logical interfaces are unsupported and to use the physical one.
 */
interfacename:	YY_STR			{ $$ = $1; }
	| YY_STR ':' YY_NUMBER
		{ $$ = $1;
		  fprintf(stderr, "%d: Logical interface %s:%d unsupported, "
			  "use the physical interface %s instead.\n",
			  yylineNum, $1, $3, $1);
		}
	;

/* name: a string token, passed through unchanged. */
name:	YY_STR				{ $$ = $1; }
	;

/*
 * ipv4_16 / ipv4_24 / ipv4: build an IPv4 address one octet at a time.
 * ipv4_16 places the first two octets in the top 16 bits and converts
 * with htonl(); ipv4_24 and ipv4 OR in the third and fourth octets.
 * The last two alternatives of ipv4 accept the shortened two- and
 * three-octet forms, leaving the missing octets zero.
 *
 * NOTE(review): only the upper bound (255) is checked on each octet;
 * whether YY_NUMBER can carry a negative value depends on the lexer
 * and should be confirmed.  After yyerror() the actions `return 0',
 * which leaves yyparse() from inside the action with the value
 * conventionally used for success.
 */
ipv4_16:
	YY_NUMBER '.' YY_NUMBER
		{ if ($1 > 255 || $3 > 255) {
			yyerror("Invalid octet string for IP address");
			return 0;
		  }
		  $$.s_addr = ($1 << 24) | ($3 << 16);
		  $$.s_addr = htonl($$.s_addr);
		}
	;

ipv4_24:
	ipv4_16 '.' YY_NUMBER
		{ if ($3 > 255) {
			yyerror("Invalid octet string for IP address");
			return 0;
		  }
		  $$.s_addr |= htonl($3 << 8);
		}
	;

ipv4:	ipv4_24 '.' YY_NUMBER
		{ if ($3 > 255) {
			yyerror("Invalid octet string for IP address");
			return 0;
		  }
		  $$.s_addr |= htonl($3);
		}
	| ipv4_24
	| ipv4_16
	;

%%


/*
 * Main keyword table: rule-language word to parser token.  It is the
 * table handed to yysettab() by ipf_parsefile().  The list is ended by
 * a { NULL, 0 } entry.
 */
static	struct	wordtab ipfwords[95] = {
	{ "age",			IPFY_AGE },
	{ "ah",				IPFY_AH },
	{ "all",			IPFY_ALL },
	{ "and",			IPFY_AND },
	{ "auth",			IPFY_AUTH },
	{ "bad",			IPFY_BAD },
	{ "bad-nat",			IPFY_BADNAT },
	{ "bad-src",			IPFY_BADSRC },
	{ "bcast",			IPFY_BROADCAST },
	{ "block",			IPFY_BLOCK },
	{ "body",			IPFY_BODY },
	{ "bpf-v4",			IPFY_BPFV4 },
#ifdef USE_INET6
	{ "bpf-v6",			IPFY_BPFV6 },
#endif
	{ "call",			IPFY_CALL },
	{ "code",			IPFY_ICMPCODE },
	{ "count",			IPFY_COUNT },
	{ "dup-to",			IPFY_DUPTO },
	{ "eq",				YY_CMP_EQ },
	{ "esp",			IPFY_ESP },
	{ "fastroute",			IPFY_FROUTE },
	{ "first",			IPFY_FIRST },
	{ "flags",			IPFY_FLAGS },
	{ "frag",			IPFY_FRAG },
	{ "frag-body",			IPFY_FRAGBODY },
	{ "frags",			IPFY_FRAGS },
	{ "from",			IPFY_FROM },
	{ "ge",				YY_CMP_GE },
	{ "group",			IPFY_GROUP },
	{ "gt",				YY_CMP_GT },
	{ "head",			IPFY_HEAD },
	{ "icmp",			IPFY_ICMP },
	{ "icmp-type",			IPFY_ICMPTYPE },
	{ "in",				IPFY_IN },
	{ "in-via",			IPFY_INVIA },
	{ "ipopt",			IPFY_IPOPTS },
	{ "ipopts",			IPFY_IPOPTS },
	{ "keep",			IPFY_KEEP },
	{ "le",				YY_CMP_LE },
	{ "level",			IPFY_LEVEL },
	{ "limit",			IPFY_LIMIT },
	{ "log",			IPFY_LOG },
	{ "lowttl",			IPFY_LOWTTL },
	{ "lt",				YY_CMP_LT },
	{ "mask",			IPFY_MASK },
	{ "match-tag",			IPFY_MATCHTAG },
	{ "mbcast",			IPFY_MBCAST },
	{ "multicast",			IPFY_MULTICAST },
	{ "nat",			IPFY_NAT },
	{ "ne",				YY_CMP_NE },
	{ "net",			IPFY_NETWORK },
	/*
	 * NOTE(review): "now"/"not", "skip"/"short" and "tos"/"to" below are
	 * not in strict alphabetical order.  That is harmless if the table is
	 * scanned linearly; confirm against the lookup code in the lexer.
	 */
	{ "newisn",			IPFY_NEWISN },
	{ "no",				IPFY_NO },
	{ "no-icmp-err",		IPFY_NOICMPERR },
	{ "now",			IPFY_NOW },
	{ "not",			IPFY_NOT },
	{ "oow",			IPFY_OOW },
	{ "on",				IPFY_ON },
	{ "opt",			IPFY_OPT },
	{ "or-block",			IPFY_ORBLOCK },
	{ "out",			IPFY_OUT },
	{ "out-via",			IPFY_OUTVIA },
	{ "pass",			IPFY_PASS },
	{ "port",			IPFY_PORT },
	{ "pps",			IPFY_PPS },
	{ "preauth",			IPFY_PREAUTH },
	{ "proto",			IPFY_PROTO },
	{ "quick",			IPFY_QUICK },
	{ "reply-to",			IPFY_REPLY_TO },
	{ "return-icmp",		IPFY_RETICMP },
	{ "return-icmp-as-dest",	IPFY_RETICMPASDST },
	{ "return-rst",			IPFY_RETRST },
	{ "route-to",			IPFY_ROUTETO },
	{ "sec-class",			IPFY_SECCLASS },
	{ "set-tag",			IPFY_SETTAG },
	{ "skip",			IPFY_SKIP },
	{ "short",			IPFY_SHORT },
	{ "state",			IPFY_STATE },
	{ "state-age",			IPFY_AGE },	/* same token as "age" */
	{ "strict",			IPFY_STRICT },
	{ "sync",			IPFY_SYNC },
	{ "tcp",			IPFY_TCP },
	{ "tcp-udp",			IPFY_TCPUDP },
	{ "tos",			IPFY_TOS },
	{ "to",				IPFY_TO },
	{ "ttl",			IPFY_TTL },
	{ "udp",			IPFY_UDP },
	{ "v6hdrs",			IPF6_V6HDRS },
	{ "with",			IPFY_WITH },
	{ NULL,				0 }
};

/* Keywords that can appear where an address is expected. */
static	struct	wordtab	addrwords[4] = {
	{ "any",			IPFY_ANY },
	{ "hash",			IPFY_HASH },
	{ "pool",			IPFY_POOL },
	{ NULL,				0 }
};

/* Keywords that can appear where a netmask is expected. */
static	struct	wordtab	maskwords[5] = {
	{ "broadcast",			IPFY_BROADCAST },
	{ "netmasked",			IPFY_NETMASKED },
	{ "network",			IPFY_NETWORK },
	{ "peer",			IPFY_PEER },
	{ NULL,				0 }
};

/* ICMP type names; the icmptype rule maps these tokens to ICMP_* values. */
static	struct	wordtab	icmptypewords[16] = {
	{ "echo",			IPFY_ICMPT_ECHO },
	{ "echorep",			IPFY_ICMPT_ECHOR },
	{ "inforeq",			IPFY_ICMPT_INFOREQ },
	{ "inforep",			IPFY_ICMPT_INFOREP },
	{ "maskrep",			IPFY_ICMPT_MASKREP },
	{ "maskreq",			IPFY_ICMPT_MASKREQ },
	{ "paramprob",			IPFY_ICMPT_PARAMP },
	{ "redir",			IPFY_ICMPT_REDIR },
	{ "unreach",			IPFY_ICMPT_UNR },
	{ "routerad",			IPFY_ICMPT_ROUTERAD },
	{ "routersol",			IPFY_ICMPT_ROUTERSOL },
	{ "squench",			IPFY_ICMPT_SQUENCH },
	{ "timest",			IPFY_ICMPT_TIMEST },
	{ "timestrep",			IPFY_ICMPT_TIMESTREP },
	{ "timex",			IPFY_ICMPT_TIMEX },
	{ NULL,				0 },
};

/* ICMP code names; the icmpcode rule maps these tokens to code values. */
static	struct	wordtab	icmpcodewords[17] = {
	{ "cutoff-preced",		IPFY_ICMPC_CUTPRE },
	{ "filter-prohib",		IPFY_ICMPC_FLTPRO },
	{ "isolate",			IPFY_ICMPC_ISOLATE },
	{ "needfrag",			IPFY_ICMPC_NEEDF },
	{ "net-prohib",			IPFY_ICMPC_NETPRO },
	{ "net-tos",			IPFY_ICMPC_NETTOS },
	{ "host-preced",		IPFY_ICMPC_HSTPRE },
	{ "host-prohib",		IPFY_ICMPC_HSTPRO },
	{ "host-tos",			IPFY_ICMPC_HSTTOS },
	{ "host-unk",			IPFY_ICMPC_HSTUNK },
	{ "host-unr",			IPFY_ICMPC_HSTUNR },
	{ "net-unk",			IPFY_ICMPC_NETUNK },
	{ "net-unr",			IPFY_ICMPC_NETUNR },
	{ "port-unr",			IPFY_ICMPC_PORUNR },
	{ "proto-unr",			IPFY_ICMPC_PROUNR },
	{ "srcfail",			IPFY_ICMPC_SRCFAIL },
	{ NULL,				0 },
};

/* IPv4 option names; the opt rule resolves these via getoptbyvalue(). */
static	struct	wordtab	ipv4optwords[25] = {
	{ "addext",			IPFY_IPOPT_ADDEXT },
	{ "cipso",			IPFY_IPOPT_CIPSO },
	{ "dps",			IPFY_IPOPT_DPS },
	{ "e-sec",			IPFY_IPOPT_ESEC },
	{ "eip",			IPFY_IPOPT_EIP },
	{ "encode",			IPFY_IPOPT_ENCODE },
	{ "finn",			IPFY_IPOPT_FINN },
	{ "imitd",			IPFY_IPOPT_IMITD },
	{ "lsrr",			IPFY_IPOPT_LSRR },
	{ "mtup",			IPFY_IPOPT_MTUP },
	{ "mtur",			IPFY_IPOPT_MTUR },
	{ "nop",			IPFY_IPOPT_NOP },
	{ "nsapa",			IPFY_IPOPT_NSAPA },
	{ "rr",				IPFY_IPOPT_RR },
	{ "rtralrt",			IPFY_IPOPT_RTRALRT },
	{ "satid",			IPFY_IPOPT_SATID },
	{ "sdb",			IPFY_IPOPT_SDB },
	{ "sec",			IPFY_IPOPT_SEC },
	{ "ssrr",			IPFY_IPOPT_SSRR },
	{ "tr",				IPFY_IPOPT_TR },
	{ "ts",				IPFY_IPOPT_TS },
	{ "ump",			IPFY_IPOPT_UMP },
	{ "visa",			IPFY_IPOPT_VISA },
	{ "zsu",			IPFY_IPOPT_ZSU },
	{ NULL,				0 },
};

/*
 * IP security classification names.  The setsecclass rule passes this
 * table to yysetdict() after the sec-class keyword.
 */
static	struct	wordtab	ipv4secwords[9] = {
	{ "confid",			IPFY_SEC_CONF },
	{ "reserv-1",			IPFY_SEC_RSV1 },
	{ "reserv-2",			IPFY_SEC_RSV2 },
	{ "reserv-3",			IPFY_SEC_RSV3 },
	{ "reserv-4",			IPFY_SEC_RSV4 },
	{ "secret",			IPFY_SEC_SEC },
	{ "topsecret",			IPFY_SEC_TS },
	{ "unclass",			IPFY_SEC_UNC },
	{ NULL,				0 },
};

/* IPv6 extension header names; see the ipv6hdr rule. */
static	struct	wordtab	ipv6optwords[8] = {
	{ "dstopts",			IPFY_IPV6OPT_DSTOPTS },
	{ "esp",			IPFY_ESP },
	{ "frag",			IPFY_FRAG },
	{ "hopopts",			IPFY_IPV6OPT_HOPOPTS },
	{ "ipv6",			IPFY_IPV6OPT_IPV6 },
	{ "none",			IPFY_IPV6OPT_NONE },
	{ "routing",			IPFY_IPV6OPT_ROUTING },
	{ NULL,				0 },
};

/* syslog facility and priority names used by the loglevel rule. */
static	struct	wordtab	logwords[33] = {
	{ "kern",			IPFY_FAC_KERN },
	{ "user",			IPFY_FAC_USER },
	{ "mail",			IPFY_FAC_MAIL },
	{ "daemon",			IPFY_FAC_DAEMON },
	{ "auth",			IPFY_FAC_AUTH },
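	{ "syslog",			IPFY_FAC_SYSLOG },
	{ "lpr",			IPFY_FAC_LPR },
	{ "news",			IPFY_FAC_NEWS },
	{ "uucp",			IPFY_FAC_UUCP },
	{ "cron",			IPFY_FAC_CRON },
	{ "ftp",			IPFY_FAC_FTP },
	{ "authpriv",			IPFY_FAC_AUTHPRIV },
	{ "audit",			IPFY_FAC_AUDIT },
	{ "logalert",			IPFY_FAC_LFMT },
	/*
	 * NOTE(review): the facility rule in the grammar has no alternative
	 * for IPFY_FAC_CONSOLE, so "console" is tokenised here but does not
	 * appear to be accepted as a facility.
	 */
	{ "console",			IPFY_FAC_CONSOLE },
	{ "security",			IPFY_FAC_SECURITY },
	{ "local0",			IPFY_FAC_LOCAL0 },
	{ "local1",			IPFY_FAC_LOCAL1 },
	{ "local2",			IPFY_FAC_LOCAL2 },
	{ "local3",			IPFY_FAC_LOCAL3 },
	{ "local4",			IPFY_FAC_LOCAL4 },
	{ "local5",			IPFY_FAC_LOCAL5 },
	{ "local6",			IPFY_FAC_LOCAL6 },
	{ "local7",			IPFY_FAC_LOCAL7 },
	{ "emerg",			IPFY_PRI_EMERG },
	{ "alert",			IPFY_PRI_ALERT },
	{ "crit",			IPFY_PRI_CRIT },
	{ "err",			IPFY_PRI_ERR },
	{ "warn",			IPFY_PRI_WARN },
	{ "notice",			IPFY_PRI_NOTICE },
	{ "info",			IPFY_PRI_INFO },
	{ "debug",			IPFY_PRI_DEBUG },
	{ NULL,				0 },
};




/*
 * Parse a whole rules file.
 *
 * fd, addfunc and iocfuncs are handed unchanged to ipf_parsesome() for
 * every chunk.  filename is the file to read, or "-" for stdin.
 *
 * Returns -1 if the file cannot be opened, 0 otherwise.
 *
 * NOTE(review): the result of the parse itself is not reflected in the
 * return value; 0 is returned once ipf_parsesome() stops returning 1.
 * A caller that needs to know whether the rule set was accepted has to
 * rely on yyerror() terminating the process - confirm that it does.
 * When "-" is given, stdin is closed on the way out.
 */
int ipf_parsefile(fd, addfunc, iocfuncs, filename)
int fd;
addfunc_t addfunc;
ioctlfunc_t *iocfuncs;
char *filename;
{
	FILE *fp = NULL;
	char *s;

	yylineNum = 1;
	yysettab(ipfwords);

	/* Parser tracing is driven by the YYDEBUG environment variable. */
	s = getenv("YYDEBUG");
	if (s != NULL)
		yydebug = atoi(s);
	else
		yydebug = 0;

	if (strcmp(filename, "-")) {
		fp = fopen(filename, "r");
		if (fp == NULL) {
			fprintf(stderr, "fopen(%s) failed: %s\n", filename,
				STRERROR(errno));
			return -1;
		}
	} else
		fp = stdin;

	while (ipf_parsesome(fd, addfunc, iocfuncs, fp) == 1)
		;
	if (fp != NULL)
		fclose(fp);
	return 0;
}


/*
 * Run one yyparse() pass over fp.
 *
 * Records fd, addfunc and the first IPL_LOGMAX + 1 entries of iocfuncs
 * in the file-scope ipffd, ipfaddfunc and ipfioctl[] for the grammar
 * actions, then peeks one character to see whether any input is left.
 *
 * Returns 0 when the stream is exhausted (or the peeked character
 * cannot be pushed back), 1 after yyparse() has been called.  The value
 * returned by yyparse() is discarded.
 */
int ipf_parsesome(fd, addfunc, iocfuncs, fp)
int fd;
addfunc_t addfunc;
ioctlfunc_t *iocfuncs;
FILE *fp;
{
	char *s;
	int i;

	ipffd = fd;
	for (i = 0; i <= IPL_LOGMAX; i++)
		ipfioctl[i] = iocfuncs[i];
	ipfaddfunc = addfunc;

	if (feof(fp))
		return 0;
	i = fgetc(fp);
	if (i == EOF)
		return 0;
	/*
	 * ungetc() returns the character pushed back, or EOF on failure.
	 * The previous test against 0 missed a failed push-back (the parser
	 * would then start one character into the input) and stopped on a
	 * NUL byte instead.
	 */
	if (ungetc(i, fp) == EOF)
		return 0;
	if (feof(fp))
		return 0;
	s = getenv("YYDEBUG");
	if (s != NULL)
		yydebug = atoi(s);
	else
		yydebug = 0;

	yyin = fp;
	yyparse();
	return 1;
}


/*
 * Allocate a zeroed rule, append it to the list headed by frtop and
 * make it the current rule (fr) and the start of the current rule
 * chain (frc).  The new rule gets fr_loglevel 0xffff, fr_isc -1,
 * fr_logtag FR_NOLOGTAG, fr_type FR_T_NONE and fr_v 6 or 4 depending
 * on use_inet6.  nrules is reset to 1.
 */
static void newrule()
{
	frentry_t *frn;

	frn = (frentry_t *)calloc(1, sizeof(frentry_t));
	if (frn == NULL) {
		yyerror("sorry, out of memory");
		/*
		 * Fail closed: if yyerror() returns, stop here rather than
		 * dereference NULL below.
		 */
		exit(1);
	}
	/* Walk to the last rule so that the new one can be linked after it. */
	for (fr = frtop; fr != NULL && fr->fr_next != NULL; fr = fr->fr_next)
		;
	if (fr != NULL)
		fr->fr_next = frn;
	if (frtop == NULL)
		frtop = frn;
	fr = frn;
	frc = frn;
	fr->fr_loglevel = 0xffff;
	fr->fr_isc = (void *)-1;
	fr->fr_logtag = FR_NOLOGTAG;
	fr->fr_type = FR_T_NONE;
	if (use_inet6 != 0)
		fr->fr_v = 6;
	else
		fr->fr_v = 4;

	nrules = 1;
}


/*
 * For every rule from frc onwards that still has type FR_T_NONE, mark
 * it FR_T_IPF and attach a zeroed fripf_t as its data, with the source
 * and destination interface indexes set to -1.  Rules that already
 * carry another type only produce a message on stderr.
 */
static void setipftype()
{
	for (fr = frc; fr != NULL; fr = fr->fr_next) {
		if (fr->fr_type == FR_T_NONE) {
			fr->fr_type = FR_T_IPF;
			fr->fr_data = (void *)calloc(sizeof(fripf_t), 1);
			if (fr->fr_data == NULL) {
				yyerror("sorry, out of memory");
				/* fail closed if yyerror() returns */
				exit(1);
			}
			fr->fr_dsize = sizeof(fripf_t);
			fr->fr_ip.fi_v = frc->fr_v;
			fr->fr_mip.fi_v = 0xf;
			fr->fr_ipf->fri_sifpidx = -1;
			fr->fr_ipf->fri_difpidx = -1;
		}
		if (fr->fr_type != FR_T_IPF) {
			fprintf(stderr, "IPF Type not set\n");
		}
	}
}


/*
 * Duplicate rules at the end of the current chain.
 *
 * With nrules == 0 the last rule of the chain is copied once and the
 * copy is returned.  Otherwise the first nrules rules starting at frc
 * are each copied and appended, and the first copy is returned.  Each
 * copy gets its own fr_caddr buffer of fr_dsize bytes when the source
 * rule has one.  `added' counts the copies made.
 */
static frentry_t *addrule()
{
	frentry_t *f, *f1, *f2;
	int count;

	/* f2 ends up on the last rule of the current chain. */
	for (f2 = frc; f2->fr_next != NULL; f2 = f2->fr_next)
		;

	count = nrules;
	if (count == 0) {
		f = (frentry_t *)calloc(sizeof(*f), 1);
		if (f == NULL) {
			yyerror("sorry, out of memory");
			/* fail closed if yyerror() returns */
			exit(1);
		}
		added++;
		f2->fr_next = f;
		bcopy(f2, f, sizeof(*f));
		if (f2->fr_caddr != NULL) {
			f->fr_caddr = malloc(f->fr_dsize);
			if (f->fr_caddr == NULL) {
				yyerror("sorry, out of memory");
				exit(1);
			}
			bcopy(f2->fr_caddr, f->fr_caddr, f->fr_dsize);
		}
		/* The struct copy also copied f2's link; end the list here. */
		f->fr_next = NULL;
		return f;
	}
	f = f2;
	for (f1 = frc; count > 0; count--, f1 = f1->fr_next) {
		f->fr_next = (frentry_t *)calloc(sizeof(*f), 1);
		if (f->fr_next == NULL) {
			yyerror("sorry, out of memory");
			exit(1);
		}
		added++;
		f = f->fr_next;
		bcopy(f1, f, sizeof(*f));
		f->fr_next = NULL;
		if (f->fr_caddr != NULL) {
			f->fr_caddr = malloc(f->fr_dsize);
			if (f->fr_caddr == NULL) {
				yyerror("sorry, out of memory");
				exit(1);
			}
			bcopy(f1->fr_caddr, f->fr_caddr, f->fr_dsize);
		}
	}

	return f2->fr_next;
}


/*
 * Resolve a name used as an address.
 *
 * Clears the hashed/pooled/dynamic state first.  If the name equals one
 * of the four interface names of the current rule chain, the address is
 * treated as dynamic: ifpflag is set to FRI_DYNAMIC, `dynamic' records
 * which name matched, and 0 is returned.  Otherwise the name goes to
 * gethost(); on failure a message is printed and 0 is returned.
 *
 * NOTE(review): 0 is returned both for a dynamic address and for a name
 * that could not be resolved, so the return value alone does not tell a
 * caller that resolution failed.
 */
static u_32_t lookuphost(name)
char *name;
{
	u_32_t addr;
	int i;

	resetaddr();

	for (i = 0; i < 4; i++) {
		if (strncmp(name, frc->fr_ifnames[i],
			    sizeof(frc->fr_ifnames[i])) == 0) {
			ifpflag = FRI_DYNAMIC;
			dynamic = i;
			return 0;
		}
	}

	if (gethost(name, &addr) == -1) {
		fprintf(stderr, "unknown name \"%s\"\n", name);
		return 0;
	}
	return addr;
}


/*
 * Attach a BPF program to the rules of the current chain.
 *
 * v is stored as the rule's IP version; phrase is the text given in the
 * rule.  A phrase starting with a double quote followed by '0' is read
 * as raw numeric opcodes, four numbers per instruction (fb_c, fb_t,
 * fb_f, fb_k).  Anything else is compiled with libpcap when
 * IPFILTER_BPF is defined; without it the function prints a message and
 * exits.
 *
 * NOTE(review), all in the raw-opcode branch unless stated:
 *  - strncmp() compares 2 characters although the literal is "\"0x",
 *    so the 'x' is never checked.
 *  - strtol() results are not checked; a token that is not a number
 *    silently becomes 0.
 *  - the branch returns after filling in the first rule of the chain,
 *    so later rules in the chain are not given a program.
 *  - in the compiled branch, a bpf_validate() failure returns with
 *    fr_type and fr_data already set on the rule; confirm that such a
 *    rule is discarded and never loaded.
 *  - the trailing bpf_dump() reads `bpf' even if the loop body never
 *    ran.
 */
static void dobpf(v, phrase)
int v;
char *phrase;
{
#ifdef IPFILTER_BPF
	struct bpf_program bpf;
	struct pcap *p;
#endif
	fakebpf_t *fb, *nfb;
	u_32_t l;
	char *s;
	int i;

	for (fr = frc; fr != NULL; fr = fr->fr_next) {
		if (fr->fr_type != FR_T_NONE) {
			fprintf(stderr, "cannot mix IPF and BPF matching\n");
			return;
		}
		fr->fr_v = v;
		fr->fr_type = FR_T_BPFOPC;

		if (!strncmp(phrase, "\"0x", 2)) {
			phrase++;	/* step over the opening quote */
			fb = malloc(sizeof(fakebpf_t));
			if (fb == NULL) {
				yyerror("sorry, out of memory");
				/* fail closed if yyerror() returns */
				exit(1);
			}

			for (i = 0, s = strtok(phrase, " \r\n\t"); s != NULL;
			     s = strtok(NULL, " \r\n\t"), i++) {
				/*
				 * Grow through a temporary so the old buffer
				 * is not lost if realloc() fails.
				 */
				nfb = realloc(fb, (i / 4 + 1) * sizeof(*fb));
				if (nfb == NULL) {
					free(fb);
					yyerror("sorry, out of memory");
					exit(1);
				}
				fb = nfb;
				l = (u_32_t)strtol(s, NULL, 0);
				/* i & 3 selects the field, i / 4 the instruction */
				switch (i & 3)
				{
				case 0 :
					fb[i / 4].fb_c = l & 0xffff;
					break;
				case 1 :
					fb[i / 4].fb_t = l & 0xff;
					break;
				case 2 :
					fb[i / 4].fb_f = l & 0xff;
					break;
				case 3 :
					fb[i / 4].fb_k = l;
					break;
				}
			}
			/* Every instruction needs all four numbers. */
			if ((i & 3) != 0) {
				fprintf(stderr,
					"Odd number of bytes in BPF code\n");
				exit(1);
			}
			i--;
			fr->fr_dsize = (i / 4 + 1) * sizeof(*fb);
			fr->fr_data = fb;
			return;
		}

#ifdef IPFILTER_BPF
		bzero((char *)&bpf, sizeof(bpf));
		p = pcap_open_dead(DLT_RAW, 1);
		if (!p) {
			fprintf(stderr, "pcap_open_dead failed\n");
			return;
		}

		if (pcap_compile(p, &bpf, phrase, 1, 0xffffffff)) {
			pcap_perror(p, "ipf");
			pcap_close(p);
			fprintf(stderr, "pcap parsing failed (%s)\n", phrase);
			return;
		}
		pcap_close(p);

		fr->fr_dsize = bpf.bf_len * sizeof(struct bpf_insn);
		fr->fr_data = malloc(fr->fr_dsize);
		if (fr->fr_data == NULL) {
			yyerror("sorry, out of memory");
			exit(1);
		}
		bcopy((char *)bpf.bf_insns, fr->fr_data, fr->fr_dsize);
		if (!bpf_validate(fr->fr_data, bpf.bf_len)) {
			fprintf(stderr, "BPF validation failed\n");
			return;
		}
#endif
	}

#ifdef IPFILTER_BPF
	if (opts & OPT_DEBUG)
		bpf_dump(&bpf, 0);
#else
	fprintf(stderr, "BPF filter expressions not supported\n");
	exit(1);
#endif
}


/* Clear the per-address parse state: not hashed, not pooled, not dynamic. */
static void resetaddr()
{
	hashed = 0;
	pooled = 0;
	dynamic = -1;
}


/*
 * Allocate an address list element and link it in front of ptr.
 *
 * Only al_not (0) and al_next (ptr) are initialised here; the other
 * members are left for the caller.  Returns NULL if malloc() fails, so
 * callers must check the result.
 */
static alist_t *newalist(ptr)
alist_t *ptr;
{
	alist_t *al;

	al = malloc(sizeof(*al));
	if (al == NULL)
		return NULL;
	al->al_not = 0;
	al->al_next = ptr;
	return al;
}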
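/*
 * makepool - load an address list into the kernel as an anonymous pool.
 *
 * Builds a temporary ip_pool_node_t chain with one node per alist_t entry,
 * hands it to load_pool() through the IPL_LOGLOOKUP ioctl handler, and frees
 * the chain again.
 *
 * list: head of the parsed address list; NULL is accepted.
 *
 * Returns the value load_pool() returned, or 0 when list is NULL or the
 * node chain could not be allocated.
 */
static int makepool(list)
alist_t *list;
{
	ip_pool_node_t *n, *top;
	ip_pool_t pool;
	alist_t *a;
	int num = 0;

	if (list == NULL)
		return 0;
	top = calloc(1, sizeof(*top));
	if (top == NULL)
		return 0;

	for (n = top, a = list; a != NULL; a = a->al_next) {
		n->ipn_addr.adf_family = a->al_family;
		n->ipn_mask.adf_family = a->al_family;
		/*
		 * NOTE(review): the copy length is the size of the
		 * destination field; this assumes al_i6addr/al_i6mask are at
		 * least that large - confirm against alist_t.
		 */
		bcopy((void *)&a->al_i6addr, (void *)&n->ipn_addr.adf_addr,
		      sizeof(n->ipn_addr.adf_addr));
		bcopy((void *)&a->al_i6mask, (void *)&n->ipn_mask.adf_addr,
		      sizeof(n->ipn_mask.adf_addr));
		n->ipn_info = a->al_not;
		if (a->al_next != NULL) {
			n->ipn_next = calloc(1, sizeof(*n));
			if (n->ipn_next == NULL) {
				yyerror("sorry, out of memory");
				/*
				 * Only reached if yyerror() returns (it is
				 * defined elsewhere).  Never load a pool
				 * that holds just part of the configured
				 * addresses: that would install a different
				 * policy from the one written in the rules.
				 */
				goto cleanup;
			}
			n = n->ipn_next;
		}
	}

	bzero((char *)&pool, sizeof(pool));
	pool.ipo_unit = IPL_LOGIPF;
	pool.ipo_list = top;
	num = load_pool(&pool, ipfioctl[IPL_LOGLOOKUP]);

cleanup:
	while ((n = top) != NULL) {
		top = n->ipn_next;
		free(n);
	}
	return num;
}


/*
 * makehash - load an address list into the kernel as an anonymous hash table.
 *
 * Builds a temporary iphtent_t chain with one entry per alist_t entry, passes
 * it to load_hash() through the IPL_LOGLOOKUP ioctl handler, and frees the
 * chain again.
 *
 * list: head of the parsed address list; NULL is accepted.
 *
 * Returns the number parsed out of iph_name after load_hash() succeeded, or
 * 0 when list is NULL, allocation failed, load_hash() failed, or the name
 * did not parse as an unsigned decimal.
 */
static u_int makehash(list)
alist_t *list;
{
	iphtent_t *n, *top;
	iphtable_t iph;
	alist_t *a;
	u_int num = 0;	/* unsigned to match the "%u" conversion below */

	if (list == NULL)
		return 0;
	top = calloc(1, sizeof(*top));
	if (top == NULL)
		return 0;

	for (n = top, a = list; a != NULL; a = a->al_next) {
		n->ipe_family = a->al_family;
		/*
		 * NOTE(review): the copy length is the size of the
		 * destination field; this assumes al_i6addr/al_i6mask are at
		 * least that large - confirm against alist_t.
		 */
		bcopy((void *)&a->al_i6addr, (void *)&n->ipe_addr,
		      sizeof(n->ipe_addr));
		bcopy((void *)&a->al_i6mask, (void *)&n->ipe_mask,
		      sizeof(n->ipe_mask));
		n->ipe_value = 0;
		if (a->al_next != NULL) {
			n->ipe_next = calloc(1, sizeof(*n));
			if (n->ipe_next == NULL) {
				yyerror("sorry, out of memory");
				/*
				 * Only reached if yyerror() returns (it is
				 * defined elsewhere).  Do not load a table
				 * that holds just part of the configured
				 * addresses.
				 */
				goto cleanup;
			}
			n = n->ipe_next;
		}
	}

	bzero((char *)&iph, sizeof(iph));
	iph.iph_unit = IPL_LOGIPF;
	iph.iph_type = IPHASH_LOOKUP;
	*iph.iph_name = '\0';

	if (load_hash(&iph, top, ipfioctl[IPL_LOGLOOKUP]) == 0) {
		/* A name that does not parse must not leave num undefined. */
		if (sscanf(iph.iph_name, "%u", &num) != 1)
			num = 0;
	}

cleanup:
	while ((n = top) != NULL) {
		top = n->ipe_next;
		free(n);
	}
	return num;
}


/*
 * ipf_addrule - pass one parsed rule to the kernel via the supplied ioctl
 * function.
 *
 * fd:        descriptor passed to ioctlfunc; replaced by -1 when
 *            OPT_DONOTHING is set, so a dry run cannot change kernel state.
 * ioctlfunc: function used to issue the ioctl (also handed to printfr()).
 * ptr:       the frentry_t to submit; a NULL pointer is ignored.
 *
 * The global opts selects the operation: OPT_ZERORULEST issues SIOCZRLST,
 * OPT_REMOVE issues the remove command, anything else adds or inserts.
 * OPT_INACTIVE switches to the SIOC..IFR variants of the commands.
 */
void ipf_addrule(fd, ioctlfunc, ptr)
int fd;
ioctlfunc_t ioctlfunc;
void *ptr;
{
	ioctlcmd_t add, del;
	frentry_t *fr;
	ipfobj_t obj;

	fr = ptr;
	add = 0;
	del = 0;

	/* Every path below dereferences fr, so reject NULL once, up front. */
	if (fr == NULL)
		return;

	bzero((char *)&obj, sizeof(obj));
	obj.ipfo_rev = IPFILTER_VERSION;
	obj.ipfo_size = sizeof(*fr);
	obj.ipfo_type = IPFOBJ_FRENTRY;
	obj.ipfo_ptr = ptr;

	if ((opts & OPT_DONOTHING) != 0)
		fd = -1;

	/*
	 * A non-zero fr_hits selects the insert command instead of the add
	 * command.  NOTE(review): presumably the parser stores a 1-based
	 * insert position in fr_hits - confirm against the grammar rules.
	 */
	if (opts & OPT_ZERORULEST) {
		add = SIOCZRLST;
	} else if (opts & OPT_INACTIVE) {
		add = (u_int)fr->fr_hits ? SIOCINIFR : SIOCADIFR;
		del = SIOCRMIFR;
	} else {
		add = (u_int)fr->fr_hits ? SIOCINAFR : SIOCADAFR;
		del = SIOCRMAFR;
	}

	if (opts & OPT_OUTQUE)
		fr->fr_flags |= FR_OUTQUE;
	if (fr->fr_hits)
		fr->fr_hits--;
	if (opts & OPT_VERBOSE)
		printfr(fr, ioctlfunc);

	if (opts & OPT_DEBUG) {
		binprint(fr, sizeof(*fr));
		if (fr->fr_data != NULL)
			binprint(fr->fr_data, fr->fr_dsize);
	}

	if ((opts & OPT_ZERORULEST) != 0) {
		if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
			if ((opts & OPT_DONOTHING) == 0) {
				fprintf(stderr, "%d:", yylineNum);
				perror("ioctl(SIOCZRLST)");
			}
		} else {
#ifdef	USE_QUAD_T
			printf("hits %qd bytes %qd ",
				(long long)fr->fr_hits,
				(long long)fr->fr_bytes);
#else
			printf("hits %ld bytes %ld ",
				fr->fr_hits, fr->fr_bytes);
#endif
			printfr(fr, ioctlfunc);
		}
	} else if ((opts & OPT_REMOVE) != 0) {
		if ((*ioctlfunc)(fd, del, (void *)&obj) == -1) {
			/*
			 * Report a failed delete on a real run, as the other
			 * two branches do.  A rule that silently stays
			 * loaded leaves the active policy different from
			 * what the operator asked for.  On a dry run fd is
			 * -1, the failure is expected, and nothing is
			 * printed.
			 */
			if ((opts & OPT_DONOTHING) == 0) {
				fprintf(stderr, "%d:", yylineNum);
				perror("ioctl(delete rule)");
			}
		}
	} else {
		if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
			if (!(opts & OPT_DONOTHING)) {
				fprintf(stderr, "%d:", yylineNum);
				perror("ioctl(add/insert rule)");
			}
		}
	}
}

/*
 * setsyslog - switch the lexer to the logwords dictionary and make it break
 * tokens on '.'.
 */
static void setsyslog()
{
	yysetdict(logwords);
	yybreakondot = 1;
}


/*
 * unsetsyslog - restore the lexer dictionary and stop breaking tokens
 * on '.'.
 */
static void unsetsyslog()
{
	yyresetdict();
	yybreakondot = 0;
}


/*
 * fillgroup - inherit parsing defaults from the rule that heads fr's group.
 *
 * Searches the frold list for a rule whose fr_grhead equals fr->fr_group
 * (compared over FR_GROUPLEN bytes) and, if found, copies down the version,
 * protocol and TCP/UDP flag where fr has none of its own.
 *
 * fr: the rule being parsed; modified in place.
 */
static void fillgroup(fr)
frentry_t *fr;
{
	frentry_t *f;

	for (f = frold; f != NULL; f = f->fr_next) {
		if (strncmp(f->fr_grhead, fr->fr_group, FR_GROUPLEN) == 0)
			break;
	}
	if (f == NULL)
		return;

	/*
	 * Only copy down matching fields if the rules are of the same type
	 * and are of ipf type.  The only fields that are copied are those
	 * that impact the rule parsing itself, eg. need for knowing what the
	 * protocol should be for rules with port comparisons in them.
	 */
	if (f->fr_type != fr->fr_type || f->fr_type != FR_T_IPF)
		return;

	if (fr->fr_v == 0 && f->fr_v != 0)
		fr->fr_v = f->fr_v;

	if (fr->fr_mproto == 0 && f->fr_mproto != 0)
		fr->fr_mproto = f->fr_mproto;
	if (fr->fr_proto == 0 && f->fr_proto != 0)
		fr->fr_proto = f->fr_proto;

	if ((fr->fr_mproto == 0) && ((fr->fr_flx & FI_TCPUDP) == 0) &&
	    ((f->fr_flx & FI_TCPUDP) != 0))
		fr->fr_flx |= FI_TCPUDP;
}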