xref: /illumos-gate/usr/src/cmd/ipf/tools/ipf_y.y (revision 22929378)
17c478bd9Sstevel@tonic-gate %{
27c478bd9Sstevel@tonic-gate /*
37c478bd9Sstevel@tonic-gate  * Copyright (C) 2003 by Darren Reed.
47c478bd9Sstevel@tonic-gate  *
57c478bd9Sstevel@tonic-gate  * See the IPFILTER.LICENCE file for details on licencing.
67c478bd9Sstevel@tonic-gate  *
7*22929378SDarren Reed  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
87c478bd9Sstevel@tonic-gate  * Use is subject to license terms.
97c478bd9Sstevel@tonic-gate  */
107c478bd9Sstevel@tonic-gate 
117c478bd9Sstevel@tonic-gate #include "ipf.h"
127c478bd9Sstevel@tonic-gate #include <sys/ioctl.h>
137c478bd9Sstevel@tonic-gate #include <syslog.h>
147c478bd9Sstevel@tonic-gate #ifdef IPFILTER_BPF
15ab25eeb5Syz # include "pcap-bpf.h"
16ab25eeb5Syz # define _NET_BPF_H_
177c478bd9Sstevel@tonic-gate # include <pcap.h>
187c478bd9Sstevel@tonic-gate #endif
197c478bd9Sstevel@tonic-gate #include "netinet/ip_pool.h"
207c478bd9Sstevel@tonic-gate #include "netinet/ip_htable.h"
217c478bd9Sstevel@tonic-gate #include "netinet/ipl.h"
227c478bd9Sstevel@tonic-gate #include "ipf_l.h"
237c478bd9Sstevel@tonic-gate 
/* Have the generated parser include its debug-trace code (see yydebug). */
#define	YYDEBUG	1

/*
 * Rule-chain iteration helpers for grammar actions.  Both walk the fr_next
 * chain through the global cursor "fr" and run the statement(s) x on every
 * entry: DOALL restarts from frc, DOREM carries on from wherever fr already
 * points.  Each expands to a bare for-loop, so x supplies its own ';' and
 * fr is NULL once the loop has finished.
 */
#define	DOALL(x)	for (fr = frc; fr != NULL; fr = fr->fr_next) { x }
#define	DOREM(x)	for (; fr != NULL; fr = fr->fr_next) { x }

/*
 * Bits collected in ruleopts while one rule's options are parsed; the
 * inopt/outopt actions test them to report an option given twice.
 */
#define	OPTION_LOG	0x1
#define	OPTION_QUICK	0x2
#define	OPTION_DUP	0x4
#define	OPTION_PROUTE	0x8
#define	OPTION_ON	0x10
#define	OPTION_REPLYTO	0x20
#define	OPTION_FROUTE	0x40

/* Parser and lexer entry points and state defined outside this file. */
extern	void	yyerror __P((char *));
extern	int	yyparse __P((void));
extern	int	yylex __P((void));
extern	int	yydebug;
extern	FILE	*yyin;
extern	int	yylineNum;

/* Helpers private to this grammar; their bodies are not in this part. */
static	void	newrule __P((void));
static	void	setipftype __P((void));
static	u_32_t	lookuphost __P((char *, i6addr_t *));
static	void	dobpf __P((int, char *));
static	void	resetaddr __P((void));
static	struct	alist_s	*newalist __P((struct alist_s *));
static	u_int	makehash __P((struct alist_s *));
static	int	makepool __P((struct alist_s *));
static	frentry_t *addrule __P((void));
static	void	setsyslog __P((void));
static	void	unsetsyslog __P((void));
static	void	fillgroup __P((frentry_t *));

/*
 * Rule chains shared by the actions (not static, so they have external
 * linkage):
 *   fr    - cursor: the entry the current action writes to
 *   frc   - start of the chain that DOALL() walks
 *   frtop - rules waiting for the "line" action to hand them on
 *   frold - rules the "line" action has already passed to ipfaddfunc
 */
frentry_t	*fr = NULL;
frentry_t	*frc = NULL;
frentry_t	*frtop = NULL;
frentry_t	*frold = NULL;

/* Parser bookkeeping. */
static	int		ifpflag = 0;
static	int		nowith = 0;
static	int		dynamic = -1;
static	int		pooled = 0;
static	int		hashed = 0;
static	int		nrules = 0;	/* lend adds "added" to this */
static	int		newlist = 0;	/* set by lstart, cleared by lmore */
static	int		added = 0;	/* zeroed by lstart */
static	int		ruleopts = 0;	/* OPTION_* bits seen in this rule */
static	int		set_ipv6_addr = 0;
static	int		*yycont = NULL;	/* when non-NULL, lmore stores 1 through it */

/* Where finished rules are sent. */
static	int		ipffd = -1;	/* descriptor given to ipfaddfunc and ioctl() */
static	ioctlfunc_t	ipfioctl[IPL_LOGSIZE];
static	addfunc_t	ipfaddfunc = NULL;	/* called once per parsed rule */

/* Keyword tables; only their sizes are fixed here. */
static	struct	wordtab ipfwords[96];
static	struct	wordtab	addrwords[4];
static	struct	wordtab	maskwords[5];
static	struct	wordtab icmpcodewords[17];
static	struct	wordtab icmptypewords[16];
static	struct	wordtab ipv4optwords[25];
static	struct	wordtab ipv4secwords[9];
static	struct	wordtab ipv6optwords[8];
static	struct	wordtab logwords[33];
817c478bd9Sstevel@tonic-gate 
827c478bd9Sstevel@tonic-gate %}
/*
 * Semantic value carried by tokens and nonterminals.  The %type and %token
 * declarations that follow pick the member each symbol uses.
 */
%union	{
	char	*str;		/* YY_STR; the actions free() it after use */
	u_32_t	num;		/* YY_NUMBER, YY_HEX and the <num> nonterminals */
	struct	in_addr	ipa;	/* ipv4, ipv4_16, ipv4_24 */
	frentry_t	fr;
	frtuc_t	*frt;
	struct	alist_s	*alist;	/* addrlist, poollist */
	u_short	port;		/* portnum */
	struct	{		/* portrange, portcomp */
		u_short	p1;
		u_short	p2;
		int	pc;
	} pc;
	struct	{		/* addr, ipaddr */
		union	i6addr	a;
		union	i6addr	m;
	} ipp;
	union	i6addr	ip6;	/* YY_IPV6, hostname, mask */
};
1027c478bd9Sstevel@tonic-gate 
/* Nonterminals that carry a value; <member> names the %union field used. */
%type	<port>	portnum
%type	<num>	facility priority icmpcode seclevel secname icmptype
%type	<num>	opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr
%type	<num>	portc porteq
%type	<ipa>	ipv4 ipv4_16 ipv4_24
%type	<ip6>	hostname mask
%type	<ipp>	addr ipaddr
%type	<str>	servicename name interfacename
%type	<pc>	portrange portcomp
%type	<alist>	addrlist poollist

/* Generic lexer tokens: literals, comparison and range operators. */
%token	<num>	YY_NUMBER YY_HEX
%token	<str>	YY_STR
%token		YY_COMMENT
%token		YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
%token		YY_RANGE_OUT YY_RANGE_IN
%token	<ip6>	YY_IPV6

/* Rule keywords (IPFY_*); none of them carries a semantic value. */
%token	IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL
%token	IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST
%token	IPFY_IN IPFY_OUT
%token	IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA
%token	IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO IPFY_ROUTETO
%token	IPFY_TOS IPFY_TTL IPFY_PROTO
%token	IPFY_HEAD IPFY_GROUP
%token	IPFY_AUTH IPFY_PREAUTH
%token	IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK
%token	IPFY_LOGTAG IPFY_MATCHTAG IPFY_SETTAG IPFY_SKIP
%token	IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPFV4 IPFY_BPFV6 IPFY_POOL IPFY_HASH
%token	IPFY_PPS
%token	IPFY_ESP IPFY_AH
%token	IPFY_WITH IPFY_AND IPFY_NOT IPFY_NO IPFY_OPT
%token	IPFY_TCPUDP IPFY_TCP IPFY_UDP
%token	IPFY_FLAGS IPFY_MULTICAST
%token	IPFY_MASK IPFY_BROADCAST IPFY_NETWORK IPFY_NETMASKED IPFY_PEER
%token	IPFY_PORT
%token	IPFY_NOW
%token	IPFY_ICMP IPFY_ICMPTYPE IPFY_ICMPCODE
%token	IPFY_IPOPTS IPFY_SHORT IPFY_NAT IPFY_BADSRC IPFY_LOWTTL IPFY_FRAG
%token	IPFY_MBCAST IPFY_BAD IPFY_BADNAT IPFY_OOW IPFY_NEWISN IPFY_NOICMPERR
%token	IPFY_KEEP IPFY_STATE IPFY_FRAGS IPFY_LIMIT IPFY_STRICT IPFY_AGE
%token	IPFY_SYNC IPFY_FRAGBODY

/* IPFY_IPOPT_* and IPFY_SEC* keywords. */
%token	IPFY_IPOPT_NOP IPFY_IPOPT_RR IPFY_IPOPT_ZSU IPFY_IPOPT_MTUP
%token	IPFY_IPOPT_MTUR IPFY_IPOPT_ENCODE IPFY_IPOPT_TS IPFY_IPOPT_TR
%token	IPFY_IPOPT_SEC IPFY_IPOPT_LSRR IPFY_IPOPT_ESEC IPFY_IPOPT_CIPSO
%token	IPFY_IPOPT_SATID IPFY_IPOPT_SSRR IPFY_IPOPT_ADDEXT IPFY_IPOPT_VISA
%token	IPFY_IPOPT_IMITD IPFY_IPOPT_EIP IPFY_IPOPT_FINN IPFY_IPOPT_DPS
%token	IPFY_IPOPT_SDB IPFY_IPOPT_NSAPA IPFY_IPOPT_RTRALRT IPFY_IPOPT_UMP
%token	IPFY_SECCLASS IPFY_SEC_UNC IPFY_SEC_CONF IPFY_SEC_RSV1 IPFY_SEC_RSV2
%token	IPFY_SEC_RSV4 IPFY_SEC_SEC IPFY_SEC_TS IPFY_SEC_RSV3

/* IPF6_V6HDRS and the IPFY_IPV6OPT* keywords. */
%token	IPF6_V6HDRS IPFY_IPV6OPT IPFY_IPV6OPT_DSTOPTS IPFY_IPV6OPT_HOPOPTS
%token	IPFY_IPV6OPT_IPV6 IPFY_IPV6OPT_NONE IPFY_IPV6OPT_ROUTING

/* IPFY_ICMPT_* keywords. */
%token	IPFY_ICMPT_UNR IPFY_ICMPT_ECHO IPFY_ICMPT_ECHOR IPFY_ICMPT_SQUENCH
%token	IPFY_ICMPT_REDIR IPFY_ICMPT_TIMEX IPFY_ICMPT_PARAMP IPFY_ICMPT_TIMEST
%token	IPFY_ICMPT_TIMESTREP IPFY_ICMPT_INFOREQ IPFY_ICMPT_INFOREP
%token	IPFY_ICMPT_MASKREQ IPFY_ICMPT_MASKREP IPFY_ICMPT_ROUTERAD
%token	IPFY_ICMPT_ROUTERSOL

/* IPFY_ICMPC_* keywords. */
%token	IPFY_ICMPC_NETUNR IPFY_ICMPC_HSTUNR IPFY_ICMPC_PROUNR IPFY_ICMPC_PORUNR
%token	IPFY_ICMPC_NEEDF IPFY_ICMPC_SRCFAIL IPFY_ICMPC_NETUNK IPFY_ICMPC_HSTUNK
%token	IPFY_ICMPC_ISOLATE IPFY_ICMPC_NETPRO IPFY_ICMPC_HSTPRO
%token	IPFY_ICMPC_NETTOS IPFY_ICMPC_HSTTOS IPFY_ICMPC_FLTPRO IPFY_ICMPC_HSTPRE
%token	IPFY_ICMPC_CUTPRE

/* IPFY_FAC_* keywords. */
%token	IPFY_FAC_KERN IPFY_FAC_USER IPFY_FAC_MAIL IPFY_FAC_DAEMON IPFY_FAC_AUTH
%token	IPFY_FAC_SYSLOG IPFY_FAC_LPR IPFY_FAC_NEWS IPFY_FAC_UUCP IPFY_FAC_CRON
%token	IPFY_FAC_LOCAL0 IPFY_FAC_LOCAL1 IPFY_FAC_LOCAL2 IPFY_FAC_LOCAL3
%token	IPFY_FAC_LOCAL4 IPFY_FAC_LOCAL5 IPFY_FAC_LOCAL6 IPFY_FAC_LOCAL7
%token	IPFY_FAC_SECURITY IPFY_FAC_FTP IPFY_FAC_AUTHPRIV IPFY_FAC_AUDIT
%token	IPFY_FAC_LFMT IPFY_FAC_CONSOLE

/* IPFY_PRI_* keywords, then the two "set" statement keywords. */
%token	IPFY_PRI_EMERG IPFY_PRI_ALERT IPFY_PRI_CRIT IPFY_PRI_ERR IPFY_PRI_WARN
%token	IPFY_PRI_NOTICE IPFY_PRI_INFO IPFY_PRI_DEBUG
%token	IPFY_SET_LOOPBACK IPFY_SET
1797c478bd9Sstevel@tonic-gate %%
/* Input is any sequence of rule lines and variable assignments. */
file:	line
	| assign
	| file line
	| file assign
	;

/*
 * One input line: a rule, a comment, or a "set" statement.  When a rule has
 * been parsed, every entry queued on frtop is detached from its siblings,
 * handed to the ipfaddfunc callback, and then pushed onto frold.
 */
line:	xx rule
		{
		  for (;;) {
			fr = frtop;
			if (fr == NULL)
				break;
			frtop = fr->fr_next;
			fr->fr_next = NULL;
			/*
			 * NOTE(review): any result of the callback is not
			 * examined here, so a rule it could not install
			 * does not stop the parse.  Confirm the callback
			 * reports such failures itself.
			 */
			(*ipfaddfunc)(ipffd, ipfioctl[IPL_LOGIPF], fr);
			fr->fr_next = frold;
			frold = fr;
		  }
		  resetlexer();
		}
	| YY_COMMENT
	| set
	;

/* Empty marker: calls newrule() before the "rule" symbol is parsed. */
xx:
		{ newrule(); }
	;
2017c478bd9Sstevel@tonic-gate 
/*
 * Variable definition: YY_STR '=' YY_STR ';'.  The pair is passed to
 * set_variable() and both strings are then released, so set_variable()
 * must not keep the pointers (presumably it copies them -- confirm).
 */
assign:	YY_STR assigning YY_STR ';'
		{
		  set_variable($1, $3);
		  resetlexer();
		  free($1);
		  free($3);
		  yyvarnext = 0;
		}
	;

/* '=' raises yyvarnext; the assign action above lowers it again. */
assigning:
	'='
		{ yyvarnext = 1; }
	;
2137c478bd9Sstevel@tonic-gate 
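/*
 * "set" statement for the loopback switch: IPFY_SET IPFY_SET_LOOPBACK
 * followed by the string "true" or "false" and ';'.  The value is pushed to
 * the kernel with the SIOCIPFLP ioctl unless OPT_DONOTHING is set.
 *
 * The statement is refused once any rule has been handed on (frold is no
 * longer empty), so it has to come before the first rule in the input.
 *
 * The YY_STR value is released on every path, as the other actions that
 * consume a YY_STR do; previously it was never freed.
 *
 * NOTE(review): both error paths leave the parser with "return 0", which is
 * the value yyparse() returns on success; YYABORT would report failure
 * instead.  The callers of yyparse() are not visible here, so the status is
 * left as it was.  An ioctl() failure is only reported through perror() and
 * parsing continues, i.e. later rules are still processed although the
 * loopback setting was not applied.
 */
set:
	IPFY_SET IPFY_SET_LOOPBACK YY_STR ';'
			{
			  int data;

			  if (frold != NULL) {
				yyerror("ipf rules before \"set\"");
				free($3);
				return 0;
			  }
			  if (!strcmp($3, "true"))
				data = 1;
			  else if (!strcmp($3, "false"))
				data = 0;
			  else {
				yyerror("invalid argument for ipf_loopback");
				free($3);
				return 0;
			  }
			  /* The string is not needed past this point. */
			  free($3);
			  if (((opts & OPT_DONOTHING) == 0) &&
			      (ioctl(ipffd, SIOCIPFLP, &data) == -1))
				perror("ioctl(SIOCIPFLP)");
			}
	;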
235381a2a9aSdr 
/* A rule is an inbound or an outbound rule; the closing ';' is optional. */
rule:	inrule eol
	| outrule eol
	;

eol:	/* empty */
	| ';'
	;

/*
 * Inbound and outbound rules share one layout.  The mid-rule action clears
 * ruleopts so the duplicate-option checks start afresh for each rule.
 */
inrule:
	rulehead markin
		{ ruleopts = 0; }
	inopts rulemain ruletail intag ruletail2
	;

outrule:
	rulehead markout
		{ ruleopts = 0; }
	outopts rulemain ruletail outtag ruletail2
	;

/* Optional "@N" insert prefix, optional collection number, then the action. */
rulehead:
	collection action
	| insert collection action
	;

/* The direction keyword records which queue the rule is for. */
markin:	IPFY_IN
		{ fr->fr_flags |= FR_INQUE; }
	;

markout:
	IPFY_OUT
		{ fr->fr_flags |= FR_OUTQUE; }
	;

/* The match part is either native ipf syntax or a BPF expression. */
rulemain:
	ipfrule
	| bpfrule
	;

ipfrule:
	tos ttl proto ip
	;

/*
 * BPF match: the text between the braces goes to dobpf() together with the
 * IP version (4 or 6), and the string is freed afterwards.
 */
bpfrule:
	IPFY_BPFV4 '{' YY_STR '}'
		{ dobpf(4, $3);
		  free($3); }
	| IPFY_BPFV6 '{' YY_STR '}'
		{ dobpf(6, $3);
		  free($3); }
	;

ruletail:
	with keep head group
	;

ruletail2:
	pps age new
	;

intag:	settagin matchtagin
	;

outtag:	settagout matchtagout
	;
2907c478bd9Sstevel@tonic-gate 
/*
 * "@N" prefix: stores N + 1 in fr_hits.  N is the 32-bit num value and is
 * cast to U_QUAD_T before the addition.
 */
insert:
	'@' YY_NUMBER
		{ fr->fr_hits = (U_QUAD_T)$2 + 1; }
	;

/* Optional collection number in front of the action. */
collection:
	/* empty */
	| YY_NUMBER
		{ fr->fr_collect = $1; }
	;

/*
 * What the rule does.  Each keyword ORs its flag into fr_flags; "skip"
 * additionally stores its count in fr_arg, and "call now" adds FR_CALLNOW
 * on top of whatever the func rule recorded.
 */
action:	block
	| IPFY_PASS
		{ fr->fr_flags |= FR_PASS; }
	| log
	| IPFY_COUNT
		{ fr->fr_flags |= FR_ACCOUNT; }
	| auth
	| IPFY_SKIP YY_NUMBER
		{ fr->fr_flags |= FR_SKIP;
		  fr->fr_arg = $2; }
	| IPFY_CALL func
	| IPFY_CALL IPFY_NOW func
		{ fr->fr_flags |= FR_CALLNOW; }
	;
3097c478bd9Sstevel@tonic-gate 
/* "block", optionally followed by what to send back to the sender. */
block:	blocked
	| blocked blockreturn
	;

/*
 * Unlike the other action keywords this one assigns fr_flags instead of
 * OR-ing into it, so any bits already present are dropped.
 * NOTE(review): presumably nothing is set this early in a rule -- confirm
 * against newrule().
 */
blocked:
	IPFY_BLOCK
		{ fr->fr_flags = FR_BLOCK; }
	;

/* The optional returncode does not change which flag is set here. */
blockreturn:
	IPFY_RETICMP
		{ fr->fr_flags |= FR_RETICMP; }
	| IPFY_RETICMP returncode
		{ fr->fr_flags |= FR_RETICMP; }
	| IPFY_RETICMPASDST
		{ fr->fr_flags |= FR_FAKEICMP; }
	| IPFY_RETICMPASDST returncode
		{ fr->fr_flags |= FR_FAKEICMP; }
	| IPFY_RETRST
		{ fr->fr_flags |= FR_RETRST; }
	;

/* "log" as an action, with or without log options. */
log:	IPFY_LOG
		{ fr->fr_flags |= FR_LOG; }
	| IPFY_LOG logoptions
		{ fr->fr_flags |= FR_LOG; }
	;

/* "auth" (optionally combined with FR_RETRST) and "preauth". */
auth:	IPFY_AUTH
		{ fr->fr_flags |= FR_AUTH; }
	| IPFY_AUTH IPFY_RETRST
		{ fr->fr_flags |= (FR_AUTH|FR_RETRST);}
	| IPFY_PREAUTH
		{ fr->fr_flags |= FR_PREAUTH; }
	;
3337c478bd9Sstevel@tonic-gate 
/*
 * Target of a "call" action, written name/number.  The name is resolved
 * with nametokva() and the result stored in fr_func; the number becomes
 * fr_arg.  The name string is freed once it has been looked up.
 *
 * NOTE(review): the lookup result is stored unchecked.  Confirm what
 * nametokva() returns for a name it does not know and that a rule carrying
 * that value is rejected before it can be used.
 */
func:	YY_STR '/' YY_NUMBER
		{
		  fr->fr_func = nametokva($1, ipfioctl[IPL_LOGIPF]);
		  fr->fr_arg = $3;
		  free($1);
		}
	;
3397c478bd9Sstevel@tonic-gate 
/* Zero or more options on an inbound rule. */
inopts:
	/* empty */
	| inopts inopt
	;

/*
 * One inbound option.  Every alternative follows the same pattern: if the
 * option's bit is already in ruleopts, report a duplicate through yyerror();
 * then record the bit.  Whether parsing goes on after the report depends on
 * yyerror(), which is defined elsewhere.
 */
inopt:
	logopt
		{
		  if ((ruleopts & OPTION_LOG) != 0)
			yyerror("Duplicate log option");
		  ruleopts |= OPTION_LOG;
		}
	| quick
		{
		  if ((ruleopts & OPTION_QUICK) != 0)
			yyerror("Duplicate quick option");
		  ruleopts |= OPTION_QUICK;
		}
	| on
		{
		  if ((ruleopts & OPTION_ON) != 0)
			yyerror("Duplicate on option");
		  ruleopts |= OPTION_ON;
		}
	| dup
		{
		  if ((ruleopts & OPTION_DUP) != 0)
			yyerror("Duplicate dup option");
		  ruleopts |= OPTION_DUP;
		}
	| froute
		{
		  if ((ruleopts & OPTION_FROUTE) != 0)
			yyerror("Duplicate froute option");
		  ruleopts |= OPTION_FROUTE;
		}
	| proute
		{
		  if ((ruleopts & OPTION_PROUTE) != 0)
			yyerror("Duplicate proute option");
		  ruleopts |= OPTION_PROUTE;
		}
	| replyto
		{
		  if ((ruleopts & OPTION_REPLYTO) != 0)
			yyerror("Duplicate replyto option");
		  ruleopts |= OPTION_REPLYTO;
		}
	;
3887c478bd9Sstevel@tonic-gate 
/* Zero or more options on an outbound rule. */
outopts:
	/* empty */
	| outopts outopt
	;

/*
 * One outbound option.  Same duplicate check as for inbound rules (test the
 * bit in ruleopts, report through yyerror(), record the bit); the list has
 * no froute alternative, so that option is not accepted on outbound rules.
 */
outopt:
	logopt
		{
		  if ((ruleopts & OPTION_LOG) != 0)
			yyerror("Duplicate log option");
		  ruleopts |= OPTION_LOG;
		}
	| quick
		{
		  if ((ruleopts & OPTION_QUICK) != 0)
			yyerror("Duplicate quick option");
		  ruleopts |= OPTION_QUICK;
		}
	| on
		{
		  if ((ruleopts & OPTION_ON) != 0)
			yyerror("Duplicate on option");
		  ruleopts |= OPTION_ON;
		}
	| dup
		{
		  if ((ruleopts & OPTION_DUP) != 0)
			yyerror("Duplicate dup option");
		  ruleopts |= OPTION_DUP;
		}
	| proute
		{
		  if ((ruleopts & OPTION_PROUTE) != 0)
			yyerror("Duplicate proute option");
		  ruleopts |= OPTION_PROUTE;
		}
	| replyto
		{
		  if ((ruleopts & OPTION_REPLYTO) != 0)
			yyerror("Duplicate replyto option");
		  ruleopts |= OPTION_REPLYTO;
		}
	;
4317c478bd9Sstevel@tonic-gate 
/*
 * Optional TOS match: one value (decimal or hex) or a parenthesised list.
 * A single value is written to every rule on the frc chain, with the TOS
 * mask fixed at 0xff.
 *
 * NOTE(review): the value arrives as the 32-bit num and is stored without a
 * range check in these actions.  If fr_tos is narrower than that (the 0xff
 * mask suggests 8 bits), an out-of-range number would be truncated silently
 * and the rule would match a different TOS than the one written -- confirm
 * the range is enforced elsewhere.
 */
tos:	/* empty */
	| settos YY_NUMBER
		{ DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
	| settos YY_HEX
		{ DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
	| settos lstart toslist lend
	;

/* The keyword itself only calls setipftype(). */
settos:	IPFY_TOS
		{ setipftype(); }
	;

/*
 * List members.  The first decimal entry walks the chain with DOALL, every
 * other alternative with DOREM; lstart has just set fr = frc, so for the
 * first entry the two macros cover the same rules.
 */
toslist:
	YY_NUMBER
		{ DOALL(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
	| YY_HEX
		{ DOREM(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
	| toslist lmore YY_NUMBER
		{ DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
	| toslist lmore YY_HEX
		{ DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
	;
4487c478bd9Sstevel@tonic-gate 
/*
 * Optional TTL match: one decimal value or a parenthesised list.  As with
 * TOS the 32-bit num is stored without a range check in these actions and
 * the mask is fixed at 0xff -- NOTE(review): confirm out-of-range values
 * are rejected elsewhere.
 */
ttl:	/* empty */
	| setttl YY_NUMBER
		{ DOALL(fr->fr_ttl = $2; fr->fr_mttl = 0xff;) }
	| setttl lstart ttllist lend
	;

/* '(' opens a value list: flag it as new, rewind fr to frc, reset "added". */
lstart:	'('
		{ newlist = 1;
		  fr = frc;
		  added = 0; }
	;

/* ')' closes the list and folds "added" into the running rule count. */
lend:	')'
		{ nrules += added; }
	;

/*
 * Separator between list members: clears the new-list flag, makes addrule()
 * supply the rule the next member is written to, and stores 1 through
 * yycont when that pointer is set.
 */
lmore:	lanother
		{
		  if (newlist == 1)
			newlist = 0;
		  fr = addrule();
		  if (yycont != NULL)
			*yycont = 1;
		}
	;

/* The ',' between list members may be left out. */
lanother:
	/* empty */
	| ','
	;

/* The keyword itself only calls setipftype(). */
setttl:	IPFY_TTL
		{ setipftype(); }
	;

/* List members; each value goes to the rules from fr to the end of the chain. */
ttllist:
	YY_NUMBER
		{ DOREM(fr->fr_ttl = $1; fr->fr_mttl = 0xff;) }
	| ttllist lmore YY_NUMBER
		{ DOREM(fr->fr_ttl = $3; fr->fr_mttl = 0xff;) }
	;
4817c478bd9Sstevel@tonic-gate 
/* Optional protocol match; the lexer dictionary is reset once it is parsed. */
proto:	/* empty */
	| protox protocol
		{ yyresetdict(); }
	;

/*
 * The keyword calls setipftype(), rewinds fr to the start of the frc chain
 * and passes NULL to yysetdict() before the protocol name is read.
 */
protox:	IPFY_PROTO
		{
		  setipftype();
		  fr = frc;
		  yysetdict(NULL);
		}
	;

/* Address part of a native rule, then the flags and icmp clauses. */
ip:	srcdst flags icmp
	;
4927c478bd9Sstevel@tonic-gate