1 %{
2 /*
3 * Copyright (C) 2003 by Darren Reed.
4 *
5 * See the IPFILTER.LICENCE file for details on licencing.
6 *
7 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
8 * Use is subject to license terms.
9 */
10
11 #include "ipf.h"
12 #include <sys/ioctl.h>
13 #include <syslog.h>
14 #ifdef IPFILTER_BPF
15 # include "pcap-bpf.h"
16 # define _NET_BPF_H_
17 # include <pcap.h>
18 #endif
19 #include "netinet/ip_pool.h"
20 #include "netinet/ip_htable.h"
21 #include "netinet/ipl.h"
22 #include "ipf_l.h"
23
24 #define YYDEBUG 1
25 #define DOALL(x) for (fr = frc; fr != NULL; fr = fr->fr_next) { x }
26 #define DOREM(x) for (; fr != NULL; fr = fr->fr_next) { x }
27
28 #define OPTION_LOG 0x1
29 #define OPTION_QUICK 0x2
30 #define OPTION_DUP 0x4
31 #define OPTION_PROUTE 0x8
32 #define OPTION_ON 0x10
33 #define OPTION_REPLYTO 0x20
34 #define OPTION_FROUTE 0x40
35
36 extern void yyerror __P((char *));
37 extern int yyparse __P((void));
38 extern int yylex __P((void));
81
82 %}
83 %union {
84 char *str;
85 u_32_t num;
86 struct in_addr ipa;
87 frentry_t fr;
88 frtuc_t *frt;
89 struct alist_s *alist;
90 u_short port;
91 struct {
92 u_short p1;
93 u_short p2;
94 int pc;
95 } pc;
96 struct {
97 union i6addr a;
98 union i6addr m;
99 } ipp;
100 union i6addr ip6;
101 };
102
103 %type <port> portnum
104 %type <num> facility priority icmpcode seclevel secname icmptype
105 %type <num> opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr
106 %type <num> portc porteq
107 %type <ipa> ipv4 ipv4_16 ipv4_24
108 %type <ip6> hostname mask
109 %type <ipp> addr ipaddr
110 %type <str> servicename name interfacename
111 %type <pc> portrange portcomp
112 %type <alist> addrlist poollist
113
114 %token <num> YY_NUMBER YY_HEX
115 %token <str> YY_STR
116 %token YY_COMMENT
117 %token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
118 %token YY_RANGE_OUT YY_RANGE_IN
119 %token <ip6> YY_IPV6
120
121 %token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL
122 %token IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST
123 %token IPFY_IN IPFY_OUT
124 %token IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA
125 %token IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO IPFY_ROUTETO
126 %token IPFY_TOS IPFY_TTL IPFY_PROTO
127 %token IPFY_HEAD IPFY_GROUP
128 %token IPFY_AUTH IPFY_PREAUTH
129 %token IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK
130 %token IPFY_LOGTAG IPFY_MATCHTAG IPFY_SETTAG IPFY_SKIP
131 %token IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPFV4 IPFY_BPFV6 IPFY_POOL IPFY_HASH
132 %token IPFY_PPS
133 %token IPFY_ESP IPFY_AH
134 %token IPFY_WITH IPFY_AND IPFY_NOT IPFY_NO IPFY_OPT
135 %token IPFY_TCPUDP IPFY_TCP IPFY_UDP
136 %token IPFY_FLAGS IPFY_MULTICAST
137 %token IPFY_MASK IPFY_BROADCAST IPFY_NETWORK IPFY_NETMASKED IPFY_PEER
138 %token IPFY_PORT
139 %token IPFY_NOW
140 %token IPFY_ICMP IPFY_ICMPTYPE IPFY_ICMPCODE
141 %token IPFY_IPOPTS IPFY_SHORT IPFY_NAT IPFY_BADSRC IPFY_LOWTTL IPFY_FRAG
142 %token IPFY_MBCAST IPFY_BAD IPFY_BADNAT IPFY_OOW IPFY_NEWISN IPFY_NOICMPERR
143 %token IPFY_KEEP IPFY_STATE IPFY_FRAGS IPFY_LIMIT IPFY_STRICT IPFY_AGE
144 %token IPFY_SYNC IPFY_FRAGBODY
145 %token IPFY_IPOPT_NOP IPFY_IPOPT_RR IPFY_IPOPT_ZSU IPFY_IPOPT_MTUP
146 %token IPFY_IPOPT_MTUR IPFY_IPOPT_ENCODE IPFY_IPOPT_TS IPFY_IPOPT_TR
147 %token IPFY_IPOPT_SEC IPFY_IPOPT_LSRR IPFY_IPOPT_ESEC IPFY_IPOPT_CIPSO
148 %token IPFY_IPOPT_SATID IPFY_IPOPT_SSRR IPFY_IPOPT_ADDEXT IPFY_IPOPT_VISA
149 %token IPFY_IPOPT_IMITD IPFY_IPOPT_EIP IPFY_IPOPT_FINN IPFY_IPOPT_DPS
501
502 head: | IPFY_HEAD YY_STR { DOALL(strncpy(fr->fr_grhead, $2, \
503 FR_GROUPLEN););
504 free($2); }
505 | IPFY_HEAD YY_NUMBER { DOALL(sprintf(fr->fr_grhead, "%d", \
506 $2);) }
507 ;
508
509 settagin:
510 | IPFY_SETTAG '(' taginlist ')'
511 ;
512
513 taginlist:
514 taginspec
515 | taginlist ',' taginspec
516 ;
517
518 taginspec:
519 logtag
520 |nattag
521 ;
522
523 nattag: IPFY_NAT '=' YY_STR { DOALL(strncpy(fr->fr_nattag.ipt_tag,\
524 $3, IPFTAG_LEN););
525 free($3); }
526 | IPFY_NAT '=' YY_NUMBER { DOALL(sprintf(fr->fr_nattag.ipt_tag,\
527 "%d", $3 & 0xffffffff);) }
528 ;
529
530 logtag: IPFY_LOG '=' YY_NUMBER { DOALL(fr->fr_logtag = $3;) }
531 ;
532
533 settagout:
534 | IPFY_SETTAG '(' tagoutlist ')'
535 ;
536
537 tagoutlist:
538 tagoutspec
539 | tagoutlist ',' tagoutspec
540 ;
541
542 tagoutspec:
543 logtag
544 | nattag
545 ;
546
547 matchtagin:
548 | IPFY_MATCHTAG '(' tagoutlist ')'
549 ;
550
551 matchtagout:
552 | IPFY_MATCHTAG '(' taginlist ')'
553 ;
554
555 pps: | IPFY_PPS YY_NUMBER { DOALL(fr->fr_pps = $2;) }
556 ;
557
558 new: | savegroup file restoregroup
559 ;
560
561 savegroup:
562 '{'
563 ;
564
1549 %%
1550
1551
1552 static struct wordtab ipfwords[96] = {
1553 { "age", IPFY_AGE },
1554 { "ah", IPFY_AH },
1555 { "all", IPFY_ALL },
1556 { "and", IPFY_AND },
1557 { "auth", IPFY_AUTH },
1558 { "bad", IPFY_BAD },
1559 { "bad-nat", IPFY_BADNAT },
1560 { "bad-src", IPFY_BADSRC },
1561 { "bcast", IPFY_BROADCAST },
1562 { "block", IPFY_BLOCK },
1563 { "body", IPFY_BODY },
1564 { "bpf-v4", IPFY_BPFV4 },
1565 #ifdef USE_INET6
1566 { "bpf-v6", IPFY_BPFV6 },
1567 #endif
1568 { "call", IPFY_CALL },
1569 { "code", IPFY_ICMPCODE },
1570 { "count", IPFY_COUNT },
1571 { "dup-to", IPFY_DUPTO },
1572 { "eq", YY_CMP_EQ },
1573 { "esp", IPFY_ESP },
1574 { "fastroute", IPFY_FROUTE },
1575 { "first", IPFY_FIRST },
1576 { "flags", IPFY_FLAGS },
1577 { "frag", IPFY_FRAG },
1578 { "frag-body", IPFY_FRAGBODY },
1579 { "frags", IPFY_FRAGS },
1580 { "from", IPFY_FROM },
1581 { "ge", YY_CMP_GE },
1582 { "group", IPFY_GROUP },
1583 { "gt", YY_CMP_GT },
1584 { "head", IPFY_HEAD },
1585 { "icmp", IPFY_ICMP },
1586 { "icmp-type", IPFY_ICMPTYPE },
1587 { "in", IPFY_IN },
1588 { "in-via", IPFY_INVIA },
1624 { "reply-to", IPFY_REPLY_TO },
1625 { "return-icmp", IPFY_RETICMP },
1626 { "return-icmp-as-dest", IPFY_RETICMPASDST },
1627 { "return-rst", IPFY_RETRST },
1628 { "route-to", IPFY_ROUTETO },
1629 { "sec-class", IPFY_SECCLASS },
1630 { "set-tag", IPFY_SETTAG },
1631 { "set", IPFY_SET },
1632 { "skip", IPFY_SKIP },
1633 { "short", IPFY_SHORT },
1634 { "state", IPFY_STATE },
1635 { "state-age", IPFY_AGE },
1636 { "strict", IPFY_STRICT },
1637 { "sync", IPFY_SYNC },
1638 { "tcp", IPFY_TCP },
1639 { "tcp-udp", IPFY_TCPUDP },
1640 { "tos", IPFY_TOS },
1641 { "to", IPFY_TO },
1642 { "ttl", IPFY_TTL },
1643 { "udp", IPFY_UDP },
1644 { "v6hdrs", IPF6_V6HDRS },
1645 { "with", IPFY_WITH },
1646 { NULL, 0 }
1647 };
1648
1649 static struct wordtab addrwords[4] = {
1650 { "any", IPFY_ANY },
1651 { "hash", IPFY_HASH },
1652 { "pool", IPFY_POOL },
1653 { NULL, 0 }
1654 };
1655
1656 static struct wordtab maskwords[5] = {
1657 { "broadcast", IPFY_BROADCAST },
1658 { "netmasked", IPFY_NETMASKED },
1659 { "network", IPFY_NETWORK },
1660 { "peer", IPFY_PEER },
1661 { NULL, 0 }
1662 };
1663
|
1 %{
2 /*
3 * Copyright (C) 2003 by Darren Reed.
4 *
5 * See the IPFILTER.LICENCE file for details on licencing.
6 *
7 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
8 * Use is subject to license terms.
9 * Copyright 2019 Joyent, Inc.
10 */
11
12 #include "ipf.h"
13 #include <sys/ioctl.h>
14 #include <syslog.h>
15 #ifdef IPFILTER_BPF
16 # include "pcap-bpf.h"
17 # define _NET_BPF_H_
18 # include <pcap.h>
19 #endif
20 #include <uuid/uuid.h>
21 #include "netinet/ip_pool.h"
22 #include "netinet/ip_htable.h"
23 #include "netinet/ipl.h"
24 #include "ipf_l.h"
25
26 #define YYDEBUG 1
27 #define DOALL(x) for (fr = frc; fr != NULL; fr = fr->fr_next) { x }
28 #define DOREM(x) for (; fr != NULL; fr = fr->fr_next) { x }
29
30 #define OPTION_LOG 0x1
31 #define OPTION_QUICK 0x2
32 #define OPTION_DUP 0x4
33 #define OPTION_PROUTE 0x8
34 #define OPTION_ON 0x10
35 #define OPTION_REPLYTO 0x20
36 #define OPTION_FROUTE 0x40
37
38 extern void yyerror __P((char *));
39 extern int yyparse __P((void));
40 extern int yylex __P((void));
83
84 %}
85 %union {
86 char *str;
87 u_32_t num;
88 struct in_addr ipa;
89 frentry_t fr;
90 frtuc_t *frt;
91 struct alist_s *alist;
92 u_short port;
93 struct {
94 u_short p1;
95 u_short p2;
96 int pc;
97 } pc;
98 struct {
99 union i6addr a;
100 union i6addr m;
101 } ipp;
102 union i6addr ip6;
103 uuid_t uuid;
104 };
105
106 %type <port> portnum
107 %type <num> facility priority icmpcode seclevel secname icmptype
108 %type <num> opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr
109 %type <num> portc porteq
110 %type <ipa> ipv4 ipv4_16 ipv4_24
111 %type <ip6> hostname mask
112 %type <ipp> addr ipaddr
113 %type <str> servicename name interfacename
114 %type <pc> portrange portcomp
115 %type <alist> addrlist poollist
116
117 %token <num> YY_NUMBER YY_HEX
118 %token <str> YY_STR
119 %token YY_COMMENT
120 %token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
121 %token YY_RANGE_OUT YY_RANGE_IN
122 %token <ip6> YY_IPV6
123 %token <uuid> YY_UUID
124
125 %token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL
126 %token IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST
127 %token IPFY_IN IPFY_OUT
128 %token IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA
129 %token IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO IPFY_ROUTETO
130 %token IPFY_TOS IPFY_TTL IPFY_PROTO
131 %token IPFY_HEAD IPFY_GROUP
132 %token IPFY_AUTH IPFY_PREAUTH
133 %token IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK
134 %token IPFY_UUID IPFY_CFWLOG
135 %token IPFY_LOGTAG IPFY_MATCHTAG IPFY_SETTAG IPFY_SKIP
136 %token IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPFV4 IPFY_BPFV6 IPFY_POOL IPFY_HASH
137 %token IPFY_PPS
138 %token IPFY_ESP IPFY_AH
139 %token IPFY_WITH IPFY_AND IPFY_NOT IPFY_NO IPFY_OPT
140 %token IPFY_TCPUDP IPFY_TCP IPFY_UDP
141 %token IPFY_FLAGS IPFY_MULTICAST
142 %token IPFY_MASK IPFY_BROADCAST IPFY_NETWORK IPFY_NETMASKED IPFY_PEER
143 %token IPFY_PORT
144 %token IPFY_NOW
145 %token IPFY_ICMP IPFY_ICMPTYPE IPFY_ICMPCODE
146 %token IPFY_IPOPTS IPFY_SHORT IPFY_NAT IPFY_BADSRC IPFY_LOWTTL IPFY_FRAG
147 %token IPFY_MBCAST IPFY_BAD IPFY_BADNAT IPFY_OOW IPFY_NEWISN IPFY_NOICMPERR
148 %token IPFY_KEEP IPFY_STATE IPFY_FRAGS IPFY_LIMIT IPFY_STRICT IPFY_AGE
149 %token IPFY_SYNC IPFY_FRAGBODY
150 %token IPFY_IPOPT_NOP IPFY_IPOPT_RR IPFY_IPOPT_ZSU IPFY_IPOPT_MTUP
151 %token IPFY_IPOPT_MTUR IPFY_IPOPT_ENCODE IPFY_IPOPT_TS IPFY_IPOPT_TR
152 %token IPFY_IPOPT_SEC IPFY_IPOPT_LSRR IPFY_IPOPT_ESEC IPFY_IPOPT_CIPSO
153 %token IPFY_IPOPT_SATID IPFY_IPOPT_SSRR IPFY_IPOPT_ADDEXT IPFY_IPOPT_VISA
154 %token IPFY_IPOPT_IMITD IPFY_IPOPT_EIP IPFY_IPOPT_FINN IPFY_IPOPT_DPS
506
507 head: | IPFY_HEAD YY_STR { DOALL(strncpy(fr->fr_grhead, $2, \
508 FR_GROUPLEN););
509 free($2); }
510 | IPFY_HEAD YY_NUMBER { DOALL(sprintf(fr->fr_grhead, "%d", \
511 $2);) }
512 ;
513
514 settagin:
515 | IPFY_SETTAG '(' taginlist ')'
516 ;
517
518 taginlist:
519 taginspec
520 | taginlist ',' taginspec
521 ;
522
523 taginspec:
524 logtag
525 |nattag
526 |uuidtag
527 |cfwtag
528 ;
529
530 nattag: IPFY_NAT '=' YY_STR { DOALL(strncpy(fr->fr_nattag.ipt_tag,\
531 $3, IPFTAG_LEN););
532 free($3); }
533 | IPFY_NAT '=' YY_NUMBER { DOALL(sprintf(fr->fr_nattag.ipt_tag,\
534 "%d", $3 & 0xffffffff);) }
535 ;
536
537 logtag: IPFY_LOG '=' YY_NUMBER { DOALL(fr->fr_logtag = $3;) }
538 ;
539
540 cfwtag: IPFY_CFWLOG { DOALL(fr->fr_flags |= FR_CFWLOG;) }
541 ;
542
543 uuidtag: IPFY_UUID '=' YY_UUID { DOALL(uuid_copy(fr->fr_uuid, $3);) }
544 ;
545
546 settagout:
547 | IPFY_SETTAG '(' tagoutlist ')'
548 ;
549
550 tagoutlist:
551 tagoutspec
552 | tagoutlist ',' tagoutspec
553 ;
554
555 tagoutspec:
556 logtag
557 | nattag
558 | uuidtag
559 | cfwtag
560 ;
561
562 matchtagin:
563 | IPFY_MATCHTAG '(' tagoutlist ')'
564 ;
565
566 matchtagout:
567 | IPFY_MATCHTAG '(' taginlist ')'
568 ;
569
570 pps: | IPFY_PPS YY_NUMBER { DOALL(fr->fr_pps = $2;) }
571 ;
572
573 new: | savegroup file restoregroup
574 ;
575
576 savegroup:
577 '{'
578 ;
579
1564 %%
1565
1566
1567 static struct wordtab ipfwords[96] = {
1568 { "age", IPFY_AGE },
1569 { "ah", IPFY_AH },
1570 { "all", IPFY_ALL },
1571 { "and", IPFY_AND },
1572 { "auth", IPFY_AUTH },
1573 { "bad", IPFY_BAD },
1574 { "bad-nat", IPFY_BADNAT },
1575 { "bad-src", IPFY_BADSRC },
1576 { "bcast", IPFY_BROADCAST },
1577 { "block", IPFY_BLOCK },
1578 { "body", IPFY_BODY },
1579 { "bpf-v4", IPFY_BPFV4 },
1580 #ifdef USE_INET6
1581 { "bpf-v6", IPFY_BPFV6 },
1582 #endif
1583 { "call", IPFY_CALL },
1584 { "cfwlog", IPFY_CFWLOG },
1585 { "code", IPFY_ICMPCODE },
1586 { "count", IPFY_COUNT },
1587 { "dup-to", IPFY_DUPTO },
1588 { "eq", YY_CMP_EQ },
1589 { "esp", IPFY_ESP },
1590 { "fastroute", IPFY_FROUTE },
1591 { "first", IPFY_FIRST },
1592 { "flags", IPFY_FLAGS },
1593 { "frag", IPFY_FRAG },
1594 { "frag-body", IPFY_FRAGBODY },
1595 { "frags", IPFY_FRAGS },
1596 { "from", IPFY_FROM },
1597 { "ge", YY_CMP_GE },
1598 { "group", IPFY_GROUP },
1599 { "gt", YY_CMP_GT },
1600 { "head", IPFY_HEAD },
1601 { "icmp", IPFY_ICMP },
1602 { "icmp-type", IPFY_ICMPTYPE },
1603 { "in", IPFY_IN },
1604 { "in-via", IPFY_INVIA },
1640 { "reply-to", IPFY_REPLY_TO },
1641 { "return-icmp", IPFY_RETICMP },
1642 { "return-icmp-as-dest", IPFY_RETICMPASDST },
1643 { "return-rst", IPFY_RETRST },
1644 { "route-to", IPFY_ROUTETO },
1645 { "sec-class", IPFY_SECCLASS },
1646 { "set-tag", IPFY_SETTAG },
1647 { "set", IPFY_SET },
1648 { "skip", IPFY_SKIP },
1649 { "short", IPFY_SHORT },
1650 { "state", IPFY_STATE },
1651 { "state-age", IPFY_AGE },
1652 { "strict", IPFY_STRICT },
1653 { "sync", IPFY_SYNC },
1654 { "tcp", IPFY_TCP },
1655 { "tcp-udp", IPFY_TCPUDP },
1656 { "tos", IPFY_TOS },
1657 { "to", IPFY_TO },
1658 { "ttl", IPFY_TTL },
1659 { "udp", IPFY_UDP },
1660 { "uuid", IPFY_UUID },
1661 { "v6hdrs", IPF6_V6HDRS },
1662 { "with", IPFY_WITH },
1663 { NULL, 0 }
1664 };
1665
1666 static struct wordtab addrwords[4] = {
1667 { "any", IPFY_ANY },
1668 { "hash", IPFY_HASH },
1669 { "pool", IPFY_POOL },
1670 { NULL, 0 }
1671 };
1672
1673 static struct wordtab maskwords[5] = {
1674 { "broadcast", IPFY_BROADCAST },
1675 { "netmasked", IPFY_NETMASKED },
1676 { "network", IPFY_NETWORK },
1677 { "peer", IPFY_PEER },
1678 { NULL, 0 }
1679 };
1680
|
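Review bot: The new `uuidtag` and `cfwtag` alternatives are added to both `taginspec` and `tagoutspec` (new lines 523-527 and 555-559), and those same lists are what `matchtagin` and `matchtagout` expand to. As a result `match-tag(cfwlog)` and `match-tag(uuid = …)` parse and run the set actions: they OR `FR_CFWLOG` into `fr_flags` and overwrite `fr_uuid` on every rule in `frc`, without matching anything. The existing `logtag` and `nattag` share their actions in the same way, but a logging switch and a rule identifier have no obvious match meaning, so a rule author could enable logging while believing they wrote a match condition. If that is not intended, make the two alternatives reachable only from `settagin`/`settagout`; if it is, add a comment above `cfwtag` such as `/* cfwlog and uuid always set rule state, even inside match-tag() */`. Separately, nothing visible here requires `cfwlog` to be accompanied by `uuid`, so a logged rule may carry whatever `fr_uuid` was initialised to; how the consumer of those log records handles that is not shown on this page.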