search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Replace MALLOC()/bzero() with MALLOC(M_ZERO).
[dragonfly.git] / usr.sbin / pfctl / parse.y
blobf71210bbb6faaf5123c5218a3c1e7fad244e1d0e
1 /* $OpenBSD: parse.y,v 1.449 2004/03/20 23:20:20 david Exp $ */
2 /* $DragonFly: src/usr.sbin/pfctl/parse.y,v 1.2 2005/02/11 22:31:45 joerg Exp $ */
3
4 /*
5 * Copyright (c) 2001 Markus Friedl. All rights reserved.
6 * Copyright (c) 2001 Daniel Hartmeier. All rights reserved.
7 * Copyright (c) 2001 Theo de Raadt. All rights reserved.
8 * Copyright (c) 2002,2003 Henning Brauer. All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
20 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
21 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
22 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
24 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
28 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30 %{
31 #include <sys/types.h>
32 #include <sys/socket.h>
33 #include <net/if.h>
34 #include <netinet/in.h>
35 #include <netinet/in_systm.h>
36 #include <netinet/ip.h>
37 #include <netinet/ip_icmp.h>
38 #include <netinet/icmp6.h>
39 #include <net/pf/pfvar.h>
40 #include <arpa/inet.h>
41 #include <net/altq/altq.h>
42 #include <net/altq/altq_cbq.h>
43 #include <net/altq/altq_priq.h>
44 #include <net/altq/altq_hfsc.h>
45
46 #include <stdio.h>
47 #include <stdlib.h>
48 #include <netdb.h>
49 #include <stdarg.h>
50 #include <errno.h>
51 #include <string.h>
52 #include <ctype.h>
53 #include <err.h>
54 #include <limits.h>
55 #include <pwd.h>
56 #include <grp.h>
57 #include <md5.h>
58
59 #include "pfctl_parser.h"
60 #include "pfctl.h"
61
62 static struct pfctl *pf = NULL;
63 static FILE *fin = NULL;
64 static int debug = 0;
65 static int lineno = 1;
66 static int errors = 0;
67 static int rulestate = 0;
68 static u_int16_t returnicmpdefault =
69 (ICMP_UNREACH << 8) | ICMP_UNREACH_PORT;
70 static u_int16_t returnicmp6default =
71 (ICMP6_DST_UNREACH << 8) | ICMP6_DST_UNREACH_NOPORT;
72 static int blockpolicy = PFRULE_DROP;
73 static int require_order = 1;
74 static int default_statelock;
75
76 enum {
77 PFCTL_STATE_NONE,
78 PFCTL_STATE_OPTION,
79 PFCTL_STATE_SCRUB,
80 PFCTL_STATE_QUEUE,
81 PFCTL_STATE_NAT,
82 PFCTL_STATE_FILTER
83 };
84
85 struct node_proto {
86 u_int8_t proto;
87 struct node_proto *next;
88 struct node_proto *tail;
89 };
90
91 struct node_port {
92 u_int16_t port[2];
93 u_int8_t op;
94 struct node_port *next;
95 struct node_port *tail;
96 };
97
98 struct node_uid {
99 uid_t uid[2];
100 u_int8_t op;
101 struct node_uid *next;
102 struct node_uid *tail;
103 };
104
105 struct node_gid {
106 gid_t gid[2];
107 u_int8_t op;
108 struct node_gid *next;
109 struct node_gid *tail;
110 };
111
112 struct node_icmp {
113 u_int8_t code;
114 u_int8_t type;
115 u_int8_t proto;
116 struct node_icmp *next;
117 struct node_icmp *tail;
118 };
119
120 enum { PF_STATE_OPT_MAX, PF_STATE_OPT_NOSYNC, PF_STATE_OPT_SRCTRACK,
121 PF_STATE_OPT_MAX_SRC_STATES, PF_STATE_OPT_MAX_SRC_NODES,
122 PF_STATE_OPT_STATELOCK, PF_STATE_OPT_TIMEOUT };
123
124 enum { PF_SRCTRACK_NONE, PF_SRCTRACK, PF_SRCTRACK_GLOBAL, PF_SRCTRACK_RULE };
125
126 struct node_state_opt {
127 int type;
128 union {
129 u_int32_t max_states;
130 u_int32_t max_src_states;
131 u_int32_t max_src_nodes;
132 u_int8_t src_track;
133 u_int32_t statelock;
134 struct {
135 int number;
136 u_int32_t seconds;
137 } timeout;
138 } data;
139 struct node_state_opt *next;
140 struct node_state_opt *tail;
141 };
142
143 struct peer {
144 struct node_host *host;
145 struct node_port *port;
146 };
147
148 struct node_queue {
149 char queue[PF_QNAME_SIZE];
150 char parent[PF_QNAME_SIZE];
151 char ifname[IFNAMSIZ];
152 int scheduler;
153 struct node_queue *next;
154 struct node_queue *tail;
155 } *queues = NULL;
156
157 struct node_qassign {
158 char *qname;
159 char *pqname;
160 };
161
162 struct filter_opts {
163 int marker;
164 #define FOM_FLAGS 0x01
165 #define FOM_ICMP 0x02
166 #define FOM_TOS 0x04
167 #define FOM_KEEP 0x08
168 #define FOM_SRCTRACK 0x10
169 struct node_uid *uid;
170 struct node_gid *gid;
171 struct {
172 u_int8_t b1;
173 u_int8_t b2;
174 u_int16_t w;
175 u_int16_t w2;
176 } flags;
177 struct node_icmp *icmpspec;
178 u_int32_t tos;
179 struct {
180 int action;
181 struct node_state_opt *options;
182 } keep;
183 int fragment;
184 int allowopts;
185 char *label;
186 struct node_qassign queues;
187 char *tag;
188 char *match_tag;
189 u_int8_t match_tag_not;
190 } filter_opts;
191
192 struct antispoof_opts {
193 char *label;
194 } antispoof_opts;
195
196 struct scrub_opts {
197 int marker;
198 #define SOM_MINTTL 0x01
199 #define SOM_MAXMSS 0x02
200 #define SOM_FRAGCACHE 0x04
201 int nodf;
202 int minttl;
203 int maxmss;
204 int fragcache;
205 int randomid;
206 int reassemble_tcp;
207 } scrub_opts;
208
209 struct queue_opts {
210 int marker;
211 #define QOM_BWSPEC 0x01
212 #define QOM_SCHEDULER 0x02
213 #define QOM_PRIORITY 0x04
214 #define QOM_TBRSIZE 0x08
215 #define QOM_QLIMIT 0x10
216 struct node_queue_bw queue_bwspec;
217 struct node_queue_opt scheduler;
218 int priority;
219 int tbrsize;
220 int qlimit;
221 } queue_opts;
222
223 struct table_opts {
224 int flags;
225 int init_addr;
226 struct node_tinithead init_nodes;
227 } table_opts;
228
229 struct pool_opts {
230 int marker;
231 #define POM_TYPE 0x01
232 #define POM_STICKYADDRESS 0x02
233 u_int8_t opts;
234 int type;
235 int staticport;
236 struct pf_poolhashkey *key;
237
238 } pool_opts;
239
240
241 struct node_hfsc_opts hfsc_opts;
242
243 int yyerror(const char *, ...);
244 int disallow_table(struct node_host *, const char *);
245 int disallow_alias(struct node_host *, const char *);
246 int rule_consistent(struct pf_rule *);
247 int filter_consistent(struct pf_rule *);
248 int nat_consistent(struct pf_rule *);
249 int rdr_consistent(struct pf_rule *);
250 int process_tabledef(char *, struct table_opts *);
251 int yyparse(void);
252 void expand_label_str(char *, size_t, const char *, const char *);
253 void expand_label_if(const char *, char *, size_t, const char *);
254 void expand_label_addr(const char *, char *, size_t, u_int8_t,
255 struct node_host *);
256 void expand_label_port(const char *, char *, size_t, struct node_port *);
257 void expand_label_proto(const char *, char *, size_t, u_int8_t);
258 void expand_label_nr(const char *, char *, size_t);
259 void expand_label(char *, size_t, const char *, u_int8_t, struct node_host *,
260 struct node_port *, struct node_host *, struct node_port *,
261 u_int8_t);
262 void expand_rule(struct pf_rule *, struct node_if *, struct node_host *,
263 struct node_proto *, struct node_os*, struct node_host *,
264 struct node_port *, struct node_host *, struct node_port *,
265 struct node_uid *, struct node_gid *, struct node_icmp *);
266 int expand_altq(struct pf_altq *, struct node_if *, struct node_queue *,
267 struct node_queue_bw bwspec, struct node_queue_opt *);
268 int expand_queue(struct pf_altq *, struct node_if *, struct node_queue *,
269 struct node_queue_bw, struct node_queue_opt *);
270
271 int check_rulestate(int);
272 int kw_cmp(const void *, const void *);
273 int lookup(char *);
274 int lgetc(FILE *);
275 int lungetc(int);
276 int findeol(void);
277 int yylex(void);
278 int atoul(char *, u_long *);
279 int getservice(char *);
280 int rule_label(struct pf_rule *, char *);
281
282 TAILQ_HEAD(symhead, sym) symhead = TAILQ_HEAD_INITIALIZER(symhead);
283 struct sym {
284 TAILQ_ENTRY(sym) entries;
285 int used;
286 int persist;
287 char *nam;
288 char *val;
289 };
290
291
292 int symset(const char *, const char *, int);
293 char *symget(const char *);
294
295 void decide_address_family(struct node_host *, sa_family_t *);
296 void remove_invalid_hosts(struct node_host **, sa_family_t *);
297 int invalid_redirect(struct node_host *, sa_family_t);
298 u_int16_t parseicmpspec(char *, sa_family_t);
299
300 TAILQ_HEAD(loadanchorshead, loadanchors)
301 loadanchorshead = TAILQ_HEAD_INITIALIZER(loadanchorshead);
302
303 struct loadanchors {
304 TAILQ_ENTRY(loadanchors) entries;
305 char *anchorname;
306 char *rulesetname;
307 char *filename;
308 };
309
310 typedef struct {
311 union {
312 u_int32_t number;
313 int i;
314 char *string;
315 struct {
316 u_int8_t b1;
317 u_int8_t b2;
318 u_int16_t w;
319 u_int16_t w2;
320 } b;
321 struct range {
322 int a;
323 int b;
324 int t;
325 } range;
326 struct node_if *interface;
327 struct node_proto *proto;
328 struct node_icmp *icmp;
329 struct node_host *host;
330 struct node_os *os;
331 struct node_port *port;
332 struct node_uid *uid;
333 struct node_gid *gid;
334 struct node_state_opt *state_opt;
335 struct peer peer;
336 struct {
337 struct peer src, dst;
338 struct node_os *src_os;
339 } fromto;
340 struct {
341 struct node_host *host;
342 u_int8_t rt;
343 u_int8_t pool_opts;
344 sa_family_t af;
345 struct pf_poolhashkey *key;
346 } route;
347 struct redirection {
348 struct node_host *host;
349 struct range rport;
350 } *redirection;
351 struct {
352 int action;
353 struct node_state_opt *options;
354 } keep_state;
355 struct {
356 u_int8_t log;
357 u_int8_t quick;
358 } logquick;
359 struct pf_poolhashkey *hashkey;
360 struct node_queue *queue;
361 struct node_queue_opt queue_options;
362 struct node_queue_bw queue_bwspec;
363 struct node_qassign qassign;
364 struct filter_opts filter_opts;
365 struct antispoof_opts antispoof_opts;
366 struct queue_opts queue_opts;
367 struct scrub_opts scrub_opts;
368 struct table_opts table_opts;
369 struct pool_opts pool_opts;
370 struct node_hfsc_opts hfsc_opts;
371 } v;
372 int lineno;
373 } YYSTYPE;
374
375 #define PREPARE_ANCHOR_RULE(r, a) \
376 do { \
377 memset(&(r), 0, sizeof(r)); \
378 if (strlcpy(r.anchorname, (a), \
379 sizeof(r.anchorname)) >= \
380 sizeof(r.anchorname)) { \
381 yyerror("anchor name '%s' too long", \
382 (a)); \
383 YYERROR; \
384 } \
385 } while (0)
386
387 #define DYNIF_MULTIADDR(addr) ((addr).type == PF_ADDR_DYNIFTL && \
388 (!((addr).iflags & PFI_AFLAG_NOALIAS) || \
389 !isdigit((addr).v.ifname[strlen((addr).v.ifname)-1])))
390
391 extern char *infile;
392
393 %}
394
395 %token PASS BLOCK SCRUB RETURN IN OS OUT LOG LOGALL QUICK ON FROM TO FLAGS
396 %token RETURNRST RETURNICMP RETURNICMP6 PROTO INET INET6 ALL ANY ICMPTYPE
397 %token ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW NODF
398 %token MINTTL ERROR ALLOWOPTS FASTROUTE FILENAME ROUTETO DUPTO REPLYTO NO LABEL
399 %token NOROUTE FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE
400 %token REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR
401 %token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY RANDOMID
402 %token REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG HOSTID
403 %token ANTISPOOF FOR
404 %token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT
405 %token ALTQ CBQ PRIQ HFSC BANDWIDTH TBRSIZE LINKSHARE REALTIME UPPERLIMIT
406 %token QUEUE PRIORITY QLIMIT
407 %token LOAD
408 %token STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE
409 %token TAGGED TAG IFBOUND GRBOUND FLOATING STATEPOLICY
410 %token <v.string> STRING
411 %token <v.i> PORTBINARY
412 %type <v.interface> interface if_list if_item_not if_item
413 %type <v.number> number icmptype icmp6type uid gid
414 %type <v.number> tos not yesno natpass
415 %type <v.i> no dir log af fragcache sourcetrack
416 %type <v.i> unaryop statelock
417 %type <v.b> action nataction flags flag blockspec
418 %type <v.range> port rport
419 %type <v.hashkey> hashkey
420 %type <v.proto> proto proto_list proto_item
421 %type <v.icmp> icmpspec
422 %type <v.icmp> icmp_list icmp_item
423 %type <v.icmp> icmp6_list icmp6_item
424 %type <v.fromto> fromto
425 %type <v.peer> ipportspec from to
426 %type <v.host> ipspec xhost host dynaddr host_list
427 %type <v.host> redir_host_list redirspec
428 %type <v.host> route_host route_host_list routespec
429 %type <v.os> os xos os_list
430 %type <v.port> portspec port_list port_item
431 %type <v.uid> uids uid_list uid_item
432 %type <v.gid> gids gid_list gid_item
433 %type <v.route> route
434 %type <v.redirection> redirection redirpool
435 %type <v.string> label string tag
436 %type <v.keep_state> keep
437 %type <v.state_opt> state_opt_spec state_opt_list state_opt_item
438 %type <v.logquick> logquick
439 %type <v.interface> antispoof_ifspc antispoof_iflst
440 %type <v.qassign> qname
441 %type <v.queue> qassign qassign_list qassign_item
442 %type <v.queue_options> scheduler
443 %type <v.number> cbqflags_list cbqflags_item
444 %type <v.number> priqflags_list priqflags_item
445 %type <v.hfsc_opts> hfscopts_list hfscopts_item hfsc_opts
446 %type <v.queue_bwspec> bandwidth
447 %type <v.filter_opts> filter_opts filter_opt filter_opts_l
448 %type <v.antispoof_opts> antispoof_opts antispoof_opt antispoof_opts_l
449 %type <v.queue_opts> queue_opts queue_opt queue_opts_l
450 %type <v.scrub_opts> scrub_opts scrub_opt scrub_opts_l
451 %type <v.table_opts> table_opts table_opt table_opts_l
452 %type <v.pool_opts> pool_opts pool_opt pool_opts_l
453 %%
454
455 ruleset : /* empty */
456 | ruleset '\n'
457 | ruleset option '\n'
458 | ruleset scrubrule '\n'
459 | ruleset natrule '\n'
460 | ruleset binatrule '\n'
461 | ruleset pfrule '\n'
462 | ruleset anchorrule '\n'
463 | ruleset loadrule '\n'
464 | ruleset altqif '\n'
465 | ruleset queuespec '\n'
466 | ruleset varset '\n'
467 | ruleset antispoof '\n'
468 | ruleset tabledef '\n'
469 | ruleset error '\n' { errors++; }
470 ;
471
472 option : SET OPTIMIZATION STRING {
473 if (check_rulestate(PFCTL_STATE_OPTION)) {
474 free($3);
475 YYERROR;
476 }
477 if (pfctl_set_optimization(pf, $3) != 0) {
478 yyerror("unknown optimization %s", $3);
479 free($3);
480 YYERROR;
481 }
482 free ($3);
483 }
484 | SET TIMEOUT timeout_spec
485 | SET TIMEOUT '{' timeout_list '}'
486 | SET LIMIT limit_spec
487 | SET LIMIT '{' limit_list '}'
488 | SET LOGINTERFACE STRING {
489 if (check_rulestate(PFCTL_STATE_OPTION)) {
490 free($3);
491 YYERROR;
492 }
493 if ((ifa_exists($3, 0) == NULL) && strcmp($3, "none")) {
494 yyerror("interface %s doesn't exist", $3);
495 free($3);
496 YYERROR;
497 }
498 if (pfctl_set_logif(pf, $3) != 0) {
499 yyerror("error setting loginterface %s", $3);
500 free($3);
501 YYERROR;
502 }
503 free($3);
504 }
505 | SET HOSTID number {
506 if ($3 == 0) {
507 yyerror("hostid must be non-zero");
508 YYERROR;
509 }
510 if (pfctl_set_hostid(pf, $3) != 0) {
511 yyerror("error setting loginterface %08x", $3);
512 YYERROR;
513 }
514 }
515 | SET BLOCKPOLICY DROP {
516 if (pf->opts & PF_OPT_VERBOSE)
517 printf("set block-policy drop\n");
518 if (check_rulestate(PFCTL_STATE_OPTION))
519 YYERROR;
520 blockpolicy = PFRULE_DROP;
521 }
522 | SET BLOCKPOLICY RETURN {
523 if (pf->opts & PF_OPT_VERBOSE)
524 printf("set block-policy return\n");
525 if (check_rulestate(PFCTL_STATE_OPTION))
526 YYERROR;
527 blockpolicy = PFRULE_RETURN;
528 }
529 | SET REQUIREORDER yesno {
530 if (pf->opts & PF_OPT_VERBOSE)
531 printf("set require-order %s\n",
532 $3 == 1 ? "yes" : "no");
533 require_order = $3;
534 }
535 | SET FINGERPRINTS STRING {
536 if (pf->opts & PF_OPT_VERBOSE)
537 printf("fingerprints %s\n", $3);
538 if (check_rulestate(PFCTL_STATE_OPTION)) {
539 free($3);
540 YYERROR;
541 }
542 if (pfctl_file_fingerprints(pf->dev, pf->opts, $3)) {
543 yyerror("error loading fingerprints %s", $3);
544 free($3);
545 YYERROR;
546 }
547 free($3);
548 }
549 | SET STATEPOLICY statelock {
550 if (pf->opts & PF_OPT_VERBOSE)
551 switch ($3) {
552 case 0:
553 printf("set state-policy floating\n");
554 break;
555 case PFRULE_IFBOUND:
556 printf("set state-policy if-bound\n");
557 break;
558 case PFRULE_GRBOUND:
559 printf("set state-policy "
560 "group-bound\n");
561 break;
562 }
563 default_statelock = $3;
564 }
565 | SET DEBUG STRING {
566 if (check_rulestate(PFCTL_STATE_OPTION)) {
567 free($3);
568 YYERROR;
569 }
570 if (pfctl_set_debug(pf, $3) != 0) {
571 yyerror("error setting debuglevel %s", $3);
572 free($3);
573 YYERROR;
574 }
575 free($3);
576 }
577 ;
578
579 string : string STRING {
580 if (asprintf(&$$, "%s %s", $1, $2) == -1)
581 err(1, "string: asprintf");
582 free($1);
583 free($2);
584 }
585 | STRING
586 ;
587
588 varset : STRING '=' string {
589 if (pf->opts & PF_OPT_VERBOSE)
590 printf("%s = \"%s\"\n", $1, $3);
591 if (symset($1, $3, 0) == -1)
592 err(1, "cannot store variable %s", $1);
593 free($1);
594 free($3);
595 }
596 ;
597
598 anchorrule : ANCHOR string dir interface af proto fromto filter_opts {
599 struct pf_rule r;
600
601 if (check_rulestate(PFCTL_STATE_FILTER)) {
602 free($2);
603 YYERROR;
604 }
605
606 PREPARE_ANCHOR_RULE(r, $2);
607 r.direction = $3;
608 r.af = $5;
609
610 if ($8.match_tag)
611 if (strlcpy(r.match_tagname, $8.match_tag,
612 PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) {
613 yyerror("tag too long, max %u chars",
614 PF_TAG_NAME_SIZE - 1);
615 YYERROR;
616 }
617 r.match_tag_not = $8.match_tag_not;
618
619 decide_address_family($7.src.host, &r.af);
620 decide_address_family($7.dst.host, &r.af);
621
622 expand_rule(&r, $4, NULL, $6, $7.src_os,
623 $7.src.host, $7.src.port, $7.dst.host, $7.dst.port,
624 0, 0, 0);
625 }
626 | NATANCHOR string interface af proto fromto {
627 struct pf_rule r;
628
629 if (check_rulestate(PFCTL_STATE_NAT)) {
630 free($2);
631 YYERROR;
632 }
633
634 PREPARE_ANCHOR_RULE(r, $2);
635 free($2);
636 r.action = PF_NAT;
637 r.af = $4;
638
639 decide_address_family($6.src.host, &r.af);
640 decide_address_family($6.dst.host, &r.af);
641
642 expand_rule(&r, $3, NULL, $5, $6.src_os,
643 $6.src.host, $6.src.port, $6.dst.host, $6.dst.port,
644 0, 0, 0);
645 }
646 | RDRANCHOR string interface af proto fromto {
647 struct pf_rule r;
648
649 if (check_rulestate(PFCTL_STATE_NAT)) {
650 free($2);
651 YYERROR;
652 }
653
654 PREPARE_ANCHOR_RULE(r, $2);
655 free($2);
656 r.action = PF_RDR;
657 r.af = $4;
658
659 decide_address_family($6.src.host, &r.af);
660 decide_address_family($6.dst.host, &r.af);
661
662 if ($6.src.port != NULL) {
663 yyerror("source port parameter not supported"
664 " in rdr-anchor");
665 YYERROR;
666 }
667 if ($6.dst.port != NULL) {
668 if ($6.dst.port->next != NULL) {
669 yyerror("destination port list "
670 "expansion not supported in "
671 "rdr-anchor");
672 YYERROR;
673 } else if ($6.dst.port->op != PF_OP_EQ) {
674 yyerror("destination port operators"
675 " not supported in rdr-anchor");
676 YYERROR;
677 }
678 r.dst.port[0] = $6.dst.port->port[0];
679 r.dst.port[1] = $6.dst.port->port[1];
680 r.dst.port_op = $6.dst.port->op;
681 }
682
683 expand_rule(&r, $3, NULL, $5, $6.src_os,
684 $6.src.host, $6.src.port, $6.dst.host, $6.dst.port,
685 0, 0, 0);
686 }
687 | BINATANCHOR string interface af proto fromto {
688 struct pf_rule r;
689
690 if (check_rulestate(PFCTL_STATE_NAT)) {
691 free($2);
692 YYERROR;
693 }
694
695 PREPARE_ANCHOR_RULE(r, $2);
696 free($2);
697 r.action = PF_BINAT;
698 r.af = $4;
699 if ($5 != NULL) {
700 if ($5->next != NULL) {
701 yyerror("proto list expansion"
702 " not supported in binat-anchor");
703 YYERROR;
704 }
705 r.proto = $5->proto;
706 free($5);
707 }
708
709 if ($6.src.host != NULL || $6.src.port != NULL ||
710 $6.dst.host != NULL || $6.dst.port != NULL) {
711 yyerror("fromto parameter not supported"
712 " in binat-anchor");
713 YYERROR;
714 }
715
716 decide_address_family($6.src.host, &r.af);
717 decide_address_family($6.dst.host, &r.af);
718
719 pfctl_add_rule(pf, &r);
720 }
721 ;
722
723 loadrule : LOAD ANCHOR string FROM string {
724 char *t;
725 struct loadanchors *loadanchor;
726
727 t = strsep(&$3, ":");
728 if (*t == '\0' || $3 == NULL || *$3 == '\0') {
729 yyerror("anchor '%s' invalid\n", $3);
730 free(t);
731 YYERROR;
732 }
733 if (strlen(t) >= PF_ANCHOR_NAME_SIZE) {
734 yyerror("anchorname %s too long, max %u\n",
735 t, PF_ANCHOR_NAME_SIZE - 1);
736 free(t);
737 YYERROR;
738 }
739 if (strlen($3) >= PF_RULESET_NAME_SIZE) {
740 yyerror("rulesetname %s too long, max %u\n",
741 $3, PF_RULESET_NAME_SIZE - 1);
742 free(t);
743 YYERROR;
744 }
745
746 loadanchor = calloc(1, sizeof(struct loadanchors));
747 if (loadanchor == NULL)
748 err(1, "loadrule: calloc");
749 if ((loadanchor->anchorname = strdup(t)) == NULL)
750 err(1, "loadrule: strdup");
751 if ((loadanchor->rulesetname = strdup($3)) == NULL)
752 err(1, "loadrule: strdup");
753 if ((loadanchor->filename = strdup($5)) == NULL)
754 err(1, "loadrule: strdup");
755
756 TAILQ_INSERT_TAIL(&loadanchorshead, loadanchor,
757 entries);
758
759 free(t); /* not $3 */
760 free($5);
761 };
762
763 scrubrule : SCRUB dir logquick interface af proto fromto scrub_opts
764 {
765 struct pf_rule r;
766
767 if (check_rulestate(PFCTL_STATE_SCRUB))
768 YYERROR;
769
770 memset(&r, 0, sizeof(r));
771
772 r.action = PF_SCRUB;
773 r.direction = $2;
774
775 r.log = $3.log;
776 if ($3.quick) {
777 yyerror("scrub rules do not support 'quick'");
778 YYERROR;
779 }
780
781 r.af = $5;
782 if ($8.nodf)
783 r.rule_flag |= PFRULE_NODF;
784 if ($8.randomid)
785 r.rule_flag |= PFRULE_RANDOMID;
786 if ($8.reassemble_tcp) {
787 if (r.direction != PF_INOUT) {
788 yyerror("reassemble tcp rules can not "
789 "specify direction");
790 YYERROR;
791 }
792 r.rule_flag |= PFRULE_REASSEMBLE_TCP;
793 }
794 if ($8.minttl)
795 r.min_ttl = $8.minttl;
796 if ($8.maxmss)
797 r.max_mss = $8.maxmss;
798 if ($8.fragcache)
799 r.rule_flag |= $8.fragcache;
800
801 expand_rule(&r, $4, NULL, $6, $7.src_os,
802 $7.src.host, $7.src.port, $7.dst.host, $7.dst.port,
803 NULL, NULL, NULL);
804 }
805 ;
806
807 scrub_opts : {
808 bzero(&scrub_opts, sizeof scrub_opts);
809 }
810 scrub_opts_l
811 { $$ = scrub_opts; }
812 | /* empty */ {
813 bzero(&scrub_opts, sizeof scrub_opts);
814 $$ = scrub_opts;
815 }
816 ;
817
818 scrub_opts_l : scrub_opts_l scrub_opt
819 | scrub_opt
820 ;
821
822 scrub_opt : NODF {
823 if (scrub_opts.nodf) {
824 yyerror("no-df cannot be respecified");
825 YYERROR;
826 }
827 scrub_opts.nodf = 1;
828 }
829 | MINTTL number {
830 if (scrub_opts.marker & SOM_MINTTL) {
831 yyerror("min-ttl cannot be respecified");
832 YYERROR;
833 }
834 if ($2 > 255) {
835 yyerror("illegal min-ttl value %d", $2);
836 YYERROR;
837 }
838 scrub_opts.marker |= SOM_MINTTL;
839 scrub_opts.minttl = $2;
840 }
841 | MAXMSS number {
842 if (scrub_opts.marker & SOM_MAXMSS) {
843 yyerror("max-mss cannot be respecified");
844 YYERROR;
845 }
846 if ($2 > 65535) {
847 yyerror("illegal max-mss value %d", $2);
848 YYERROR;
849 }
850 scrub_opts.marker |= SOM_MAXMSS;
851 scrub_opts.maxmss = $2;
852 }
853 | fragcache {
854 if (scrub_opts.marker & SOM_FRAGCACHE) {
855 yyerror("fragcache cannot be respecified");
856 YYERROR;
857 }
858 scrub_opts.marker |= SOM_FRAGCACHE;
859 scrub_opts.fragcache = $1;
860 }
861 | REASSEMBLE STRING {
862 if (strcasecmp($2, "tcp") != 0) {
863 free($2);
864 YYERROR;
865 }
866 free($2);
867 if (scrub_opts.reassemble_tcp) {
868 yyerror("reassemble tcp cannot be respecified");
869 YYERROR;
870 }
871 scrub_opts.reassemble_tcp = 1;
872 }
873 | RANDOMID {
874 if (scrub_opts.randomid) {
875 yyerror("random-id cannot be respecified");
876 YYERROR;
877 }
878 scrub_opts.randomid = 1;
879 }
880 ;
881
882 fragcache : FRAGMENT REASSEMBLE { $$ = 0; /* default */ }
883 | FRAGMENT FRAGCROP { $$ = PFRULE_FRAGCROP; }
884 | FRAGMENT FRAGDROP { $$ = PFRULE_FRAGDROP; }
885 ;
886
887 antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts {
888 struct pf_rule r;
889 struct node_host *h = NULL;
890 struct node_if *i, *j;
891
892 if (check_rulestate(PFCTL_STATE_FILTER))
893 YYERROR;
894
895 for (i = $3; i; i = i->next) {
896 bzero(&r, sizeof(r));
897
898 r.action = PF_DROP;
899 r.direction = PF_IN;
900 r.log = $2.log;
901 r.quick = $2.quick;
902 r.af = $4;
903 if (rule_label(&r, $5.label))
904 YYERROR;
905 j = calloc(1, sizeof(struct node_if));
906 if (j == NULL)
907 err(1, "antispoof: calloc");
908 if (strlcpy(j->ifname, i->ifname,
909 sizeof(j->ifname)) >= sizeof(j->ifname)) {
910 free(j);
911 yyerror("interface name too long");
912 YYERROR;
913 }
914 j->not = 1;
915 h = ifa_lookup(j->ifname, PFI_AFLAG_NETWORK);
916
917 if (h != NULL)
918 expand_rule(&r, j, NULL, NULL, NULL, h,
919 NULL, NULL, NULL, NULL, NULL, NULL);
920
921 if ((i->ifa_flags & IFF_LOOPBACK) == 0) {
922 bzero(&r, sizeof(r));
923
924 r.action = PF_DROP;
925 r.direction = PF_IN;
926 r.log = $2.log;
927 r.quick = $2.quick;
928 r.af = $4;
929 if (rule_label(&r, $5.label))
930 YYERROR;
931 h = ifa_lookup(i->ifname, 0);
932 if (h != NULL)
933 expand_rule(&r, NULL, NULL,
934 NULL, NULL, h, NULL, NULL,
935 NULL, NULL, NULL, NULL);
936 }
937 }
938 free($5.label);
939 }
940 ;
941
942 antispoof_ifspc : FOR if_item { $$ = $2; }
943 | FOR '{' antispoof_iflst '}' { $$ = $3; }
944 ;
945
946 antispoof_iflst : if_item { $$ = $1; }
947 | antispoof_iflst comma if_item {
948 $1->tail->next = $3;
949 $1->tail = $3;
950 $$ = $1;
951 }
952 ;
953
954 antispoof_opts : { bzero(&antispoof_opts, sizeof antispoof_opts); }
955 antispoof_opts_l
956 { $$ = antispoof_opts; }
957 | /* empty */ {
958 bzero(&antispoof_opts, sizeof antispoof_opts);
959 $$ = antispoof_opts;
960 }
961 ;
962
963 antispoof_opts_l : antispoof_opts_l antispoof_opt
964 | antispoof_opt
965 ;
966
967 antispoof_opt : label {
968 if (antispoof_opts.label) {
969 yyerror("label cannot be redefined");
970 YYERROR;
971 }
972 antispoof_opts.label = $1;
973 }
974 ;
975
976 not : '!' { $$ = 1; }
977 | /* empty */ { $$ = 0; }
978 ;
979
980 tabledef : TABLE '<' STRING '>' table_opts {
981 struct node_host *h, *nh;
982 struct node_tinit *ti, *nti;
983
984 if (strlen($3) >= PF_TABLE_NAME_SIZE) {
985 yyerror("table name too long, max %d chars",
986 PF_TABLE_NAME_SIZE - 1);
987 free($3);
988 YYERROR;
989 }
990 if (pf->loadopt & PFCTL_FLAG_TABLE)
991 if (process_tabledef($3, &$5)) {
992 free($3);
993 YYERROR;
994 }
995 free($3);
996 for (ti = SIMPLEQ_FIRST(&$5.init_nodes);
997 ti != SIMPLEQ_END(&$5.init_nodes); ti = nti) {
998 if (ti->file)
999 free(ti->file);
1000 for (h = ti->host; h != NULL; h = nh) {
1001 nh = h->next;
1002 free(h);
1003 }
1004 nti = SIMPLEQ_NEXT(ti, entries);
1005 free(ti);
1006 }
1007 }
1008 ;
1009
1010 table_opts : {
1011 bzero(&table_opts, sizeof table_opts);
1012 SIMPLEQ_INIT(&table_opts.init_nodes);
1013 }
1014 table_opts_l
1015 { $$ = table_opts; }
1016 | /* empty */
1017 {
1018 bzero(&table_opts, sizeof table_opts);
1019 SIMPLEQ_INIT(&table_opts.init_nodes);
1020 $$ = table_opts;
1021 }
1022 ;
1023
1024 table_opts_l : table_opts_l table_opt
1025 | table_opt
1026 ;
1027
1028 table_opt : STRING {
1029 if (!strcmp($1, "const"))
1030 table_opts.flags |= PFR_TFLAG_CONST;
1031 else if (!strcmp($1, "persist"))
1032 table_opts.flags |= PFR_TFLAG_PERSIST;
1033 else {
1034 free($1);
1035 YYERROR;
1036 }
1037 free($1);
1038 }
1039 | '{' '}' { table_opts.init_addr = 1; }
1040 | '{' host_list '}' {
1041 struct node_host *n;
1042 struct node_tinit *ti;
1043
1044 for (n = $2; n != NULL; n = n->next) {
1045 switch (n->addr.type) {
1046 case PF_ADDR_ADDRMASK:
1047 continue; /* ok */
1048 case PF_ADDR_DYNIFTL:
1049 yyerror("dynamic addresses are not "
1050 "permitted inside tables");
1051 break;
1052 case PF_ADDR_TABLE:
1053 yyerror("tables cannot contain tables");
1054 break;
1055 case PF_ADDR_NOROUTE:
1056 yyerror("\"no-route\" is not permitted "
1057 "inside tables");
1058 break;
1059 default:
1060 yyerror("unknown address type %d",
1061 n->addr.type);
1062 }
1063 YYERROR;
1064 }
1065 if (!(ti = calloc(1, sizeof(*ti))))
1066 err(1, "table_opt: calloc");
1067 ti->host = $2;
1068 SIMPLEQ_INSERT_TAIL(&table_opts.init_nodes, ti,
1069 entries);
1070 table_opts.init_addr = 1;
1071 }
1072 | FILENAME STRING {
1073 struct node_tinit *ti;
1074
1075 if (!(ti = calloc(1, sizeof(*ti))))
1076 err(1, "table_opt: calloc");
1077 ti->file = $2;
1078 SIMPLEQ_INSERT_TAIL(&table_opts.init_nodes, ti,
1079 entries);
1080 table_opts.init_addr = 1;
1081 }
1082 ;
1083
1084 altqif : ALTQ interface queue_opts QUEUE qassign {
1085 struct pf_altq a;
1086
1087 if (check_rulestate(PFCTL_STATE_QUEUE))
1088 YYERROR;
1089
1090 memset(&a, 0, sizeof(a));
1091 if ($3.scheduler.qtype == ALTQT_NONE) {
1092 yyerror("no scheduler specified!");
1093 YYERROR;
1094 }
1095 a.scheduler = $3.scheduler.qtype;
1096 a.qlimit = $3.qlimit;
1097 a.tbrsize = $3.tbrsize;
1098 if ($5 == NULL) {
1099 yyerror("no child queues specified");
1100 YYERROR;
1101 }
1102 if (expand_altq(&a, $2, $5, $3.queue_bwspec,
1103 &$3.scheduler))
1104 YYERROR;
1105 }
1106 ;
1107
1108 queuespec : QUEUE STRING interface queue_opts qassign {
1109 struct pf_altq a;
1110
1111 if (check_rulestate(PFCTL_STATE_QUEUE)) {
1112 free($2);
1113 YYERROR;
1114 }
1115
1116 memset(&a, 0, sizeof(a));
1117
1118 if (strlcpy(a.qname, $2, sizeof(a.qname)) >=
1119 sizeof(a.qname)) {
1120 yyerror("queue name too long (max "
1121 "%d chars)", PF_QNAME_SIZE-1);
1122 free($2);
1123 YYERROR;
1124 }
1125 free($2);
1126 if ($4.tbrsize) {
1127 yyerror("cannot specify tbrsize for queue");
1128 YYERROR;
1129 }
1130 if ($4.priority > 255) {
1131 yyerror("priority out of range: max 255");
1132 YYERROR;
1133 }
1134 a.priority = $4.priority;
1135 a.qlimit = $4.qlimit;
1136 a.scheduler = $4.scheduler.qtype;
1137 if (expand_queue(&a, $3, $5, $4.queue_bwspec,
1138 &$4.scheduler)) {
1139 yyerror("errors in queue definition");
1140 YYERROR;
1141 }
1142 }
1143 ;
1144
1145 queue_opts : {
1146 bzero(&queue_opts, sizeof queue_opts);
1147 queue_opts.priority = DEFAULT_PRIORITY;
1148 queue_opts.qlimit = DEFAULT_QLIMIT;
1149 queue_opts.scheduler.qtype = ALTQT_NONE;
1150 queue_opts.queue_bwspec.bw_percent = 100;
1151 }
1152 queue_opts_l
1153 { $$ = queue_opts; }
1154 | /* empty */ {
1155 bzero(&queue_opts, sizeof queue_opts);
1156 queue_opts.priority = DEFAULT_PRIORITY;
1157 queue_opts.qlimit = DEFAULT_QLIMIT;
1158 queue_opts.scheduler.qtype = ALTQT_NONE;
1159 queue_opts.queue_bwspec.bw_percent = 100;
1160 $$ = queue_opts;
1161 }
1162 ;
1163
1164 queue_opts_l : queue_opts_l queue_opt
1165 | queue_opt
1166 ;
1167
1168 queue_opt : BANDWIDTH bandwidth {
1169 if (queue_opts.marker & QOM_BWSPEC) {
1170 yyerror("bandwidth cannot be respecified");
1171 YYERROR;
1172 }
1173 queue_opts.marker |= QOM_BWSPEC;
1174 queue_opts.queue_bwspec = $2;
1175 }
1176 | PRIORITY number {
1177 if (queue_opts.marker & QOM_PRIORITY) {
1178 yyerror("priority cannot be respecified");
1179 YYERROR;
1180 }
1181 if ($2 > 255) {
1182 yyerror("priority out of range: max 255");
1183 YYERROR;
1184 }
1185 queue_opts.marker |= QOM_PRIORITY;
1186 queue_opts.priority = $2;
1187 }
1188 | QLIMIT number {
1189 if (queue_opts.marker & QOM_QLIMIT) {
1190 yyerror("qlimit cannot be respecified");
1191 YYERROR;
1192 }
1193 if ($2 > 65535) {
1194 yyerror("qlimit out of range: max 65535");
1195 YYERROR;
1196 }
1197 queue_opts.marker |= QOM_QLIMIT;
1198 queue_opts.qlimit = $2;
1199 }
1200 | scheduler {
1201 if (queue_opts.marker & QOM_SCHEDULER) {
1202 yyerror("scheduler cannot be respecified");
1203 YYERROR;
1204 }
1205 queue_opts.marker |= QOM_SCHEDULER;
1206 queue_opts.scheduler = $1;
1207 }
1208 | TBRSIZE number {
1209 if (queue_opts.marker & QOM_TBRSIZE) {
1210 yyerror("tbrsize cannot be respecified");
1211 YYERROR;
1212 }
1213 if ($2 > 65535) {
1214 yyerror("tbrsize too big: max 65535");
1215 YYERROR;
1216 }
1217 queue_opts.marker |= QOM_TBRSIZE;
1218 queue_opts.tbrsize = $2;
1219 }
1220 ;
1221
1222 bandwidth : STRING {
1223 double bps;
1224 char *cp;
1225
1226 $$.bw_percent = 0;
1227
1228 bps = strtod($1, &cp);
1229 if (cp != NULL) {
1230 if (!strcmp(cp, "b"))
1231 ; /* nothing */
1232 else if (!strcmp(cp, "Kb"))
1233 bps *= 1000;
1234 else if (!strcmp(cp, "Mb"))
1235 bps *= 1000 * 1000;
1236 else if (!strcmp(cp, "Gb"))
1237 bps *= 1000 * 1000 * 1000;
1238 else if (!strcmp(cp, "%")) {
1239 if (bps < 0 || bps > 100) {
1240 yyerror("bandwidth spec "
1241 "out of range");
1242 free($1);
1243 YYERROR;
1244 }
1245 $$.bw_percent = bps;
1246 bps = 0;
1247 } else {
1248 yyerror("unknown unit %s", cp);
1249 free($1);
1250 YYERROR;
1251 }
1252 }
1253 free($1);
1254 $$.bw_absolute = (u_int32_t)bps;
1255 }
1256 ;
1257
1258 scheduler : CBQ {
1259 $$.qtype = ALTQT_CBQ;
1260 $$.data.cbq_opts.flags = 0;
1261 }
1262 | CBQ '(' cbqflags_list ')' {
1263 $$.qtype = ALTQT_CBQ;
1264 $$.data.cbq_opts.flags = $3;
1265 }
1266 | PRIQ {
1267 $$.qtype = ALTQT_PRIQ;
1268 $$.data.priq_opts.flags = 0;
1269 }
1270 | PRIQ '(' priqflags_list ')' {
1271 $$.qtype = ALTQT_PRIQ;
1272 $$.data.priq_opts.flags = $3;
1273 }
1274 | HFSC {
1275 $$.qtype = ALTQT_HFSC;
1276 bzero(&$$.data.hfsc_opts,
1277 sizeof(struct node_hfsc_opts));
1278 }
1279 | HFSC '(' hfsc_opts ')' {
1280 $$.qtype = ALTQT_HFSC;
1281 $$.data.hfsc_opts = $3;
1282 }
1283 ;
1284
1285 cbqflags_list : cbqflags_item { $$ |= $1; }
1286 | cbqflags_list comma cbqflags_item { $$ |= $3; }
1287 ;
1288
1289 cbqflags_item : STRING {
1290 if (!strcmp($1, "default"))
1291 $$ = CBQCLF_DEFCLASS;
1292 else if (!strcmp($1, "borrow"))
1293 $$ = CBQCLF_BORROW;
1294 else if (!strcmp($1, "red"))
1295 $$ = CBQCLF_RED;
1296 else if (!strcmp($1, "ecn"))
1297 $$ = CBQCLF_RED|CBQCLF_ECN;
1298 else if (!strcmp($1, "rio"))
1299 $$ = CBQCLF_RIO;
1300 else {
1301 yyerror("unknown cbq flag \"%s\"", $1);
1302 free($1);
1303 YYERROR;
1304 }
1305 free($1);
1306 }
1307 ;
1308
1309 priqflags_list : priqflags_item { $$ |= $1; }
1310 | priqflags_list comma priqflags_item { $$ |= $3; }
1311 ;
1312
1313 priqflags_item : STRING {
1314 if (!strcmp($1, "default"))
1315 $$ = PRCF_DEFAULTCLASS;
1316 else if (!strcmp($1, "red"))
1317 $$ = PRCF_RED;
1318 else if (!strcmp($1, "ecn"))
1319 $$ = PRCF_RED|PRCF_ECN;
1320 else if (!strcmp($1, "rio"))
1321 $$ = PRCF_RIO;
1322 else {
1323 yyerror("unknown priq flag \"%s\"", $1);
1324 free($1);
1325 YYERROR;
1326 }
1327 free($1);
1328 }
1329 ;
1330
1331 hfsc_opts : {
1332 bzero(&hfsc_opts,
1333 sizeof(struct node_hfsc_opts));
1334 }
1335 hfscopts_list {
1336 $$ = hfsc_opts;
1337 }
1338 ;
1339
1340 hfscopts_list : hfscopts_item
1341 | hfscopts_list comma hfscopts_item
1342 ;
1343
1344 hfscopts_item : LINKSHARE bandwidth {
1345 if (hfsc_opts.linkshare.used) {
1346 yyerror("linkshare already specified");
1347 YYERROR;
1348 }
1349 hfsc_opts.linkshare.m2 = $2;
1350 hfsc_opts.linkshare.used = 1;
1351 }
1352 | LINKSHARE '(' bandwidth number bandwidth ')' {
1353 if (hfsc_opts.linkshare.used) {
1354 yyerror("linkshare already specified");
1355 YYERROR;
1356 }
1357 hfsc_opts.linkshare.m1 = $3;
1358 hfsc_opts.linkshare.d = $4;
1359 hfsc_opts.linkshare.m2 = $5;
1360 hfsc_opts.linkshare.used = 1;
1361 }
1362 | REALTIME bandwidth {
1363 if (hfsc_opts.realtime.used) {
1364 yyerror("realtime already specified");
1365 YYERROR;
1366 }
1367 hfsc_opts.realtime.m2 = $2;
1368 hfsc_opts.realtime.used = 1;
1369 }
1370 | REALTIME '(' bandwidth number bandwidth ')' {
1371 if (hfsc_opts.realtime.used) {
1372 yyerror("realtime already specified");
1373 YYERROR;
1374 }
1375 hfsc_opts.realtime.m1 = $3;
1376 hfsc_opts.realtime.d = $4;
1377 hfsc_opts.realtime.m2 = $5;
1378 hfsc_opts.realtime.used = 1;
1379 }
1380 | UPPERLIMIT bandwidth {
1381 if (hfsc_opts.upperlimit.used) {
1382 yyerror("upperlimit already specified");
1383 YYERROR;
1384 }
1385 hfsc_opts.upperlimit.m2 = $2;
1386 hfsc_opts.upperlimit.used = 1;
1387 }
1388 | UPPERLIMIT '(' bandwidth number bandwidth ')' {
1389 if (hfsc_opts.upperlimit.used) {
1390 yyerror("upperlimit already specified");
1391 YYERROR;
1392 }
1393 hfsc_opts.upperlimit.m1 = $3;
1394 hfsc_opts.upperlimit.d = $4;
1395 hfsc_opts.upperlimit.m2 = $5;
1396 hfsc_opts.upperlimit.used = 1;
1397 }
1398 | STRING {
1399 if (!strcmp($1, "default"))
1400 hfsc_opts.flags |= HFCF_DEFAULTCLASS;
1401 else if (!strcmp($1, "red"))
1402 hfsc_opts.flags |= HFCF_RED;
1403 else if (!strcmp($1, "ecn"))
1404 hfsc_opts.flags |= HFCF_RED|HFCF_ECN;
1405 else if (!strcmp($1, "rio"))
1406 hfsc_opts.flags |= HFCF_RIO;
1407 else {
1408 yyerror("unknown hfsc flag \"%s\"", $1);
1409 free($1);
1410 YYERROR;
1411 }
1412 free($1);
1413 }
1414 ;
1415
1416 qassign : /* empty */ { $$ = NULL; }
1417 | qassign_item { $$ = $1; }
1418 | '{' qassign_list '}' { $$ = $2; }
1419 ;
1420
1421 qassign_list : qassign_item { $$ = $1; }
1422 | qassign_list comma qassign_item {
1423 $1->tail->next = $3;
1424 $1->tail = $3;
1425 $$ = $1;
1426 }
1427 ;
1428
1429 qassign_item : STRING {
1430 $$ = calloc(1, sizeof(struct node_queue));
1431 if ($$ == NULL)
1432 err(1, "qassign_item: calloc");
1433 if (strlcpy($$->queue, $1, sizeof($$->queue)) >=
1434 sizeof($$->queue)) {
1435 yyerror("queue name '%s' too long (max "
1436 "%d chars)", $1, sizeof($$->queue)-1);
1437 free($1);
1438 free($$);
1439 YYERROR;
1440 }
1441 free($1);
1442 $$->next = NULL;
1443 $$->tail = $$;
1444 }
1445 ;
1446
1447 pfrule : action dir logquick interface route af proto fromto
1448 filter_opts
1449 {
1450 struct pf_rule r;
1451 struct node_state_opt *o;
1452 struct node_proto *proto;
1453 int srctrack = 0;
1454 int statelock = 0;
1455
1456 if (check_rulestate(PFCTL_STATE_FILTER))
1457 YYERROR;
1458
1459 memset(&r, 0, sizeof(r));
1460
1461 r.action = $1.b1;
1462 switch ($1.b2) {
1463 case PFRULE_RETURNRST:
1464 r.rule_flag |= PFRULE_RETURNRST;
1465 r.return_ttl = $1.w;
1466 break;
1467 case PFRULE_RETURNICMP:
1468 r.rule_flag |= PFRULE_RETURNICMP;
1469 r.return_icmp = $1.w;
1470 r.return_icmp6 = $1.w2;
1471 break;
1472 case PFRULE_RETURN:
1473 r.rule_flag |= PFRULE_RETURN;
1474 r.return_icmp = $1.w;
1475 r.return_icmp6 = $1.w2;
1476 break;
1477 }
1478 r.direction = $2;
1479 r.log = $3.log;
1480 r.quick = $3.quick;
1481
1482 r.af = $6;
1483 if ($9.tag)
1484 if (strlcpy(r.tagname, $9.tag,
1485 PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) {
1486 yyerror("tag too long, max %u chars",
1487 PF_TAG_NAME_SIZE - 1);
1488 YYERROR;
1489 }
1490 if ($9.match_tag)
1491 if (strlcpy(r.match_tagname, $9.match_tag,
1492 PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) {
1493 yyerror("tag too long, max %u chars",
1494 PF_TAG_NAME_SIZE - 1);
1495 YYERROR;
1496 }
1497 r.match_tag_not = $9.match_tag_not;
1498 r.flags = $9.flags.b1;
1499 r.flagset = $9.flags.b2;
1500 if (rule_label(&r, $9.label))
1501 YYERROR;
1502 free($9.label);
1503 if ($9.flags.b1 || $9.flags.b2 || $8.src_os) {
1504 for (proto = $7; proto != NULL &&
1505 proto->proto != IPPROTO_TCP;
1506 proto = proto->next)
1507 ; /* nothing */
1508 if (proto == NULL && $7 != NULL) {
1509 if ($9.flags.b1 || $9.flags.b2)
1510 yyerror(
1511 "flags only apply to tcp");
1512 if ($8.src_os)
1513 yyerror(
1514 "OS fingerprinting only "
1515 "apply to tcp");
1516 YYERROR;
1517 }
1518 #if 0
1519 if (($9.flags.b1 & parse_flags("S")) == 0 &&
1520 $8.src_os) {
1521 yyerror("OS fingerprinting requires "
1522 "the SYN TCP flag (flags S/SA)");
1523 YYERROR;
1524 }
1525 #endif
1526 }
1527
1528 r.tos = $9.tos;
1529 r.keep_state = $9.keep.action;
1530 o = $9.keep.options;
1531 while (o) {
1532 struct node_state_opt *p = o;
1533
1534 switch (o->type) {
1535 case PF_STATE_OPT_MAX:
1536 if (r.max_states) {
1537 yyerror("state option 'max' "
1538 "multiple definitions");
1539 YYERROR;
1540 }
1541 r.max_states = o->data.max_states;
1542 break;
1543 case PF_STATE_OPT_NOSYNC:
1544 if (r.rule_flag & PFRULE_NOSYNC) {
1545 yyerror("state option 'sync' "
1546 "multiple definitions");
1547 YYERROR;
1548 }
1549 r.rule_flag |= PFRULE_NOSYNC;
1550 break;
1551 case PF_STATE_OPT_SRCTRACK:
1552 if (srctrack) {
1553 yyerror("state option "
1554 "'source-track' "
1555 "multiple definitions");
1556 YYERROR;
1557 }
1558 srctrack = o->data.src_track;
1559 break;
1560 case PF_STATE_OPT_MAX_SRC_STATES:
1561 if (r.max_src_states) {
1562 yyerror("state option "
1563 "'max-src-states' "
1564 "multiple definitions");
1565 YYERROR;
1566 }
1567 if (o->data.max_src_nodes == 0) {
1568 yyerror("'max-src-states' must "
1569 "be > 0");
1570 YYERROR;
1571 }
1572 r.max_src_states =
1573 o->data.max_src_states;
1574 r.rule_flag |= PFRULE_SRCTRACK;
1575 break;
1576 case PF_STATE_OPT_MAX_SRC_NODES:
1577 if (r.max_src_nodes) {
1578 yyerror("state option "
1579 "'max-src-nodes' "
1580 "multiple definitions");
1581 YYERROR;
1582 }
1583 if (o->data.max_src_nodes == 0) {
1584 yyerror("'max-src-nodes' must "
1585 "be > 0");
1586 YYERROR;
1587 }
1588 r.max_src_nodes =
1589 o->data.max_src_nodes;
1590 r.rule_flag |= PFRULE_SRCTRACK |
1591 PFRULE_RULESRCTRACK;
1592 break;
1593 case PF_STATE_OPT_STATELOCK:
1594 if (statelock) {
1595 yyerror("state locking option: "
1596 "multiple definitions");
1597 YYERROR;
1598 }
1599 statelock = 1;
1600 r.rule_flag |= o->data.statelock;
1601 break;
1602 case PF_STATE_OPT_TIMEOUT:
1603 if (r.timeout[o->data.timeout.number]) {
1604 yyerror("state timeout %s "
1605 "multiple definitions",
1606 pf_timeouts[o->data.
1607 timeout.number].name);
1608 YYERROR;
1609 }
1610 r.timeout[o->data.timeout.number] =
1611 o->data.timeout.seconds;
1612 }
1613 o = o->next;
1614 free(p);
1615 }
1616 if (srctrack) {
1617 if (srctrack == PF_SRCTRACK_GLOBAL &&
1618 r.max_src_nodes) {
1619 yyerror("'max-src-nodes' is "
1620 "incompatible with "
1621 "'source-track global'");
1622 YYERROR;
1623 }
1624 r.rule_flag |= PFRULE_SRCTRACK;
1625 if (srctrack == PF_SRCTRACK_RULE)
1626 r.rule_flag |= PFRULE_RULESRCTRACK;
1627 }
1628 if (r.keep_state && !statelock)
1629 r.rule_flag |= default_statelock;
1630
1631 if ($9.fragment)
1632 r.rule_flag |= PFRULE_FRAGMENT;
1633 r.allow_opts = $9.allowopts;
1634
1635 decide_address_family($8.src.host, &r.af);
1636 decide_address_family($8.dst.host, &r.af);
1637
1638 if ($5.rt) {
1639 if (!r.direction) {
1640 yyerror("direction must be explicit "
1641 "with rules that specify routing");
1642 YYERROR;
1643 }
1644 r.rt = $5.rt;
1645 r.rpool.opts = $5.pool_opts;
1646 if ($5.key != NULL)
1647 memcpy(&r.rpool.key, $5.key,
1648 sizeof(struct pf_poolhashkey));
1649 }
1650 if (r.rt && r.rt != PF_FASTROUTE) {
1651 decide_address_family($5.host, &r.af);
1652 remove_invalid_hosts(&$5.host, &r.af);
1653 if ($5.host == NULL) {
1654 yyerror("no routing address with "
1655 "matching address family found.");
1656 YYERROR;
1657 }
1658 if ((r.rpool.opts & PF_POOL_TYPEMASK) ==
1659 PF_POOL_NONE && ($5.host->next != NULL ||
1660 $5.host->addr.type == PF_ADDR_TABLE ||
1661 DYNIF_MULTIADDR($5.host->addr)))
1662 r.rpool.opts |= PF_POOL_ROUNDROBIN;
1663 if ((r.rpool.opts & PF_POOL_TYPEMASK) !=
1664 PF_POOL_ROUNDROBIN &&
1665 disallow_table($5.host, "tables are only "
1666 "supported in round-robin routing pools"))
1667 YYERROR;
1668 if ((r.rpool.opts & PF_POOL_TYPEMASK) !=
1669 PF_POOL_ROUNDROBIN &&
1670 disallow_alias($5.host, "interface (%s) "
1671 "is only supported in round-robin "
1672 "routing pools"))
1673 YYERROR;
1674 if ($5.host->next != NULL) {
1675 if ((r.rpool.opts & PF_POOL_TYPEMASK) !=
1676 PF_POOL_ROUNDROBIN) {
1677 yyerror("r.rpool.opts must "
1678 "be PF_POOL_ROUNDROBIN");
1679 YYERROR;
1680 }
1681 }
1682 }
1683 if ($9.queues.qname != NULL) {
1684 if (strlcpy(r.qname, $9.queues.qname,
1685 sizeof(r.qname)) >= sizeof(r.qname)) {
1686 yyerror("rule qname too long (max "
1687 "%d chars)", sizeof(r.qname)-1);
1688 YYERROR;
1689 }
1690 free($9.queues.qname);
1691 }
1692 if ($9.queues.pqname != NULL) {
1693 if (strlcpy(r.pqname, $9.queues.pqname,
1694 sizeof(r.pqname)) >= sizeof(r.pqname)) {
1695 yyerror("rule pqname too long (max "
1696 "%d chars)", sizeof(r.pqname)-1);
1697 YYERROR;
1698 }
1699 free($9.queues.pqname);
1700 }
1701
1702 expand_rule(&r, $4, $5.host, $7, $8.src_os,
1703 $8.src.host, $8.src.port, $8.dst.host, $8.dst.port,
1704 $9.uid, $9.gid, $9.icmpspec);
1705 }
1706 ;
1707
1708 filter_opts : { bzero(&filter_opts, sizeof filter_opts); }
1709 filter_opts_l
1710 { $$ = filter_opts; }
1711 | /* empty */ {
1712 bzero(&filter_opts, sizeof filter_opts);
1713 $$ = filter_opts;
1714 }
1715 ;
1716
1717 filter_opts_l : filter_opts_l filter_opt
1718 | filter_opt
1719 ;
1720
1721 filter_opt : USER uids {
1722 if (filter_opts.uid)
1723 $2->tail->next = filter_opts.uid;
1724 filter_opts.uid = $2;
1725 }
1726 | GROUP gids {
1727 if (filter_opts.gid)
1728 $2->tail->next = filter_opts.gid;
1729 filter_opts.gid = $2;
1730 }
1731 | flags {
1732 if (filter_opts.marker & FOM_FLAGS) {
1733 yyerror("flags cannot be redefined");
1734 YYERROR;
1735 }
1736 filter_opts.marker |= FOM_FLAGS;
1737 filter_opts.flags.b1 |= $1.b1;
1738 filter_opts.flags.b2 |= $1.b2;
1739 filter_opts.flags.w |= $1.w;
1740 filter_opts.flags.w2 |= $1.w2;
1741 }
1742 | icmpspec {
1743 if (filter_opts.marker & FOM_ICMP) {
1744 yyerror("icmp-type cannot be redefined");
1745 YYERROR;
1746 }
1747 filter_opts.marker |= FOM_ICMP;
1748 filter_opts.icmpspec = $1;
1749 }
1750 | tos {
1751 if (filter_opts.marker & FOM_TOS) {
1752 yyerror("tos cannot be redefined");
1753 YYERROR;
1754 }
1755 filter_opts.marker |= FOM_TOS;
1756 filter_opts.tos = $1;
1757 }
1758 | keep {
1759 if (filter_opts.marker & FOM_KEEP) {
1760 yyerror("modulate or keep cannot be redefined");
1761 YYERROR;
1762 }
1763 filter_opts.marker |= FOM_KEEP;
1764 filter_opts.keep.action = $1.action;
1765 filter_opts.keep.options = $1.options;
1766 }
1767 | FRAGMENT {
1768 filter_opts.fragment = 1;
1769 }
1770 | ALLOWOPTS {
1771 filter_opts.allowopts = 1;
1772 }
1773 | label {
1774 if (filter_opts.label) {
1775 yyerror("label cannot be redefined");
1776 YYERROR;
1777 }
1778 filter_opts.label = $1;
1779 }
1780 | qname {
1781 if (filter_opts.queues.qname) {
1782 yyerror("queue cannot be redefined");
1783 YYERROR;
1784 }
1785 filter_opts.queues = $1;
1786 }
1787 | TAG string {
1788 filter_opts.tag = $2;
1789 }
1790 | not TAGGED string {
1791 filter_opts.match_tag = $3;
1792 filter_opts.match_tag_not = $1;
1793 }
1794 ;
1795
1796 action : PASS { $$.b1 = PF_PASS; $$.b2 = $$.w = 0; }
1797 | BLOCK blockspec { $$ = $2; $$.b1 = PF_DROP; }
1798 ;
1799
1800 blockspec : /* empty */ {
1801 $$.b2 = blockpolicy;
1802 $$.w = returnicmpdefault;
1803 $$.w2 = returnicmp6default;
1804 }
1805 | DROP {
1806 $$.b2 = PFRULE_DROP;
1807 $$.w = 0;
1808 $$.w2 = 0;
1809 }
1810 | RETURNRST {
1811 $$.b2 = PFRULE_RETURNRST;
1812 $$.w = 0;
1813 $$.w2 = 0;
1814 }
1815 | RETURNRST '(' TTL number ')' {
1816 if ($4 > 255) {
1817 yyerror("illegal ttl value %d", $4);
1818 YYERROR;
1819 }
1820 $$.b2 = PFRULE_RETURNRST;
1821 $$.w = $4;
1822 $$.w2 = 0;
1823 }
1824 | RETURNICMP {
1825 $$.b2 = PFRULE_RETURNICMP;
1826 $$.w = returnicmpdefault;
1827 $$.w2 = returnicmp6default;
1828 }
1829 | RETURNICMP6 {
1830 $$.b2 = PFRULE_RETURNICMP;
1831 $$.w = returnicmpdefault;
1832 $$.w2 = returnicmp6default;
1833 }
1834 | RETURNICMP '(' STRING ')' {
1835 $$.b2 = PFRULE_RETURNICMP;
1836 if (!($$.w = parseicmpspec($3, AF_INET))) {
1837 free($3);
1838 YYERROR;
1839 }
1840 free($3);
1841 $$.w2 = returnicmp6default;
1842 }
1843 | RETURNICMP6 '(' STRING ')' {
1844 $$.b2 = PFRULE_RETURNICMP;
1845 $$.w = returnicmpdefault;
1846 if (!($$.w2 = parseicmpspec($3, AF_INET6))) {
1847 free($3);
1848 YYERROR;
1849 }
1850 free($3);
1851 }
1852 | RETURNICMP '(' STRING comma STRING ')' {
1853 $$.b2 = PFRULE_RETURNICMP;
1854 if (!($$.w = parseicmpspec($3, AF_INET)) ||
1855 !($$.w2 = parseicmpspec($5, AF_INET6))) {
1856 free($3);
1857 free($5);
1858 YYERROR;
1859 }
1860 free($3);
1861 free($5);
1862 }
1863 | RETURN {
1864 $$.b2 = PFRULE_RETURN;
1865 $$.w = returnicmpdefault;
1866 $$.w2 = returnicmp6default;
1867 }
1868 ;
1869
1870 dir : /* empty */ { $$ = 0; }
1871 | IN { $$ = PF_IN; }
1872 | OUT { $$ = PF_OUT; }
1873 ;
1874
1875 logquick : /* empty */ { $$.log = 0; $$.quick = 0; }
1876 | log { $$.log = $1; $$.quick = 0; }
1877 | QUICK { $$.log = 0; $$.quick = 1; }
1878 | log QUICK { $$.log = $1; $$.quick = 1; }
1879 | QUICK log { $$.log = $2; $$.quick = 1; }
1880 ;
1881
1882 log : LOG { $$ = 1; }
1883 | LOGALL { $$ = 2; }
1884 ;
1885
1886 interface : /* empty */ { $$ = NULL; }
1887 | ON if_item_not { $$ = $2; }
1888 | ON '{' if_list '}' { $$ = $3; }
1889 ;
1890
1891 if_list : if_item_not { $$ = $1; }
1892 | if_list comma if_item_not {
1893 $1->tail->next = $3;
1894 $1->tail = $3;
1895 $$ = $1;
1896 }
1897 ;
1898
1899 if_item_not : not if_item { $$ = $2; $$->not = $1; }
1900 ;
1901
1902 if_item : STRING {
1903 struct node_host *n;
1904
1905 if ((n = ifa_exists($1, 1)) == NULL) {
1906 yyerror("unknown interface %s", $1);
1907 free($1);
1908 YYERROR;
1909 }
1910 $$ = calloc(1, sizeof(struct node_if));
1911 if ($$ == NULL)
1912 err(1, "if_item: calloc");
1913 if (strlcpy($$->ifname, $1, sizeof($$->ifname)) >=
1914 sizeof($$->ifname)) {
1915 free($1);
1916 free($$);
1917 yyerror("interface name too long");
1918 YYERROR;
1919 }
1920 free($1);
1921 $$->ifa_flags = n->ifa_flags;
1922 $$->not = 0;
1923 $$->next = NULL;
1924 $$->tail = $$;
1925 }
1926 ;
1927
1928 af : /* empty */ { $$ = 0; }
1929 | INET { $$ = AF_INET; }
1930 | INET6 { $$ = AF_INET6; }
1931 ;
1932
1933 proto : /* empty */ { $$ = NULL; }
1934 | PROTO proto_item { $$ = $2; }
1935 | PROTO '{' proto_list '}' { $$ = $3; }
1936 ;
1937
1938 proto_list : proto_item { $$ = $1; }
1939 | proto_list comma proto_item {
1940 $1->tail->next = $3;
1941 $1->tail = $3;
1942 $$ = $1;
1943 }
1944 ;
1945
1946 proto_item : STRING {
1947 u_int8_t pr;
1948 u_long ulval;
1949
1950 if (atoul($1, &ulval) == 0) {
1951 if (ulval > 255) {
1952 yyerror("protocol outside range");
1953 free($1);
1954 YYERROR;
1955 }
1956 pr = (u_int8_t)ulval;
1957 } else {
1958 struct protoent *p;
1959
1960 p = getprotobyname($1);
1961 if (p == NULL) {
1962 yyerror("unknown protocol %s", $1);
1963 free($1);
1964 YYERROR;
1965 }
1966 pr = p->p_proto;
1967 }
1968 free($1);
1969 if (pr == 0) {
1970 yyerror("proto 0 cannot be used");
1971 YYERROR;
1972 }
1973 $$ = calloc(1, sizeof(struct node_proto));
1974 if ($$ == NULL)
1975 err(1, "proto_item: calloc");
1976 $$->proto = pr;
1977 $$->next = NULL;
1978 $$->tail = $$;
1979 }
1980 ;
1981
1982 fromto : ALL {
1983 $$.src.host = NULL;
1984 $$.src.port = NULL;
1985 $$.dst.host = NULL;
1986 $$.dst.port = NULL;
1987 $$.src_os = NULL;
1988 }
1989 | from os to {
1990 $$.src = $1;
1991 $$.src_os = $2;
1992 $$.dst = $3;
1993 }
1994 ;
1995
1996 os : /* empty */ { $$ = NULL; }
1997 | OS xos { $$ = $2; }
1998 | OS '{' os_list '}' { $$ = $3; }
1999 ;
2000
2001 xos : STRING {
2002 $$ = calloc(1, sizeof(struct node_os));
2003 if ($$ == NULL)
2004 err(1, "os: calloc");
2005 $$->os = $1;
2006 $$->tail = $$;
2007 }
2008 ;
2009
2010 os_list : xos { $$ = $1; }
2011 | os_list comma xos {
2012 $1->tail->next = $3;
2013 $1->tail = $3;
2014 $$ = $1;
2015 }
2016 ;
2017
2018 from : /* empty */ {
2019 $$.host = NULL;
2020 $$.port = NULL;
2021 }
2022 | FROM ipportspec {
2023 $$ = $2;
2024 }
2025 ;
2026
2027 to : /* empty */ {
2028 $$.host = NULL;
2029 $$.port = NULL;
2030 }
2031 | TO ipportspec {
2032 $$ = $2;
2033 }
2034 ;
2035
2036 ipportspec : ipspec {
2037 $$.host = $1;
2038 $$.port = NULL;
2039 }
2040 | ipspec PORT portspec {
2041 $$.host = $1;
2042 $$.port = $3;
2043 }
2044 | PORT portspec {
2045 $$.host = NULL;
2046 $$.port = $2;
2047 }
2048 ;
2049
2050 ipspec : ANY { $$ = NULL; }
2051 | xhost { $$ = $1; }
2052 | '{' host_list '}' { $$ = $2; }
2053 ;
2054
2055 host_list : xhost { $$ = $1; }
2056 | host_list comma xhost {
2057 if ($3 == NULL)
2058 $$ = $1;
2059 else if ($1 == NULL)
2060 $$ = $3;
2061 else {
2062 $1->tail->next = $3;
2063 $1->tail = $3->tail;
2064 $$ = $1;
2065 }
2066 }
2067 ;
2068
2069 xhost : not host {
2070 struct node_host *n;
2071
2072 for (n = $2; n != NULL; n = n->next)
2073 n->not = $1;
2074 $$ = $2;
2075 }
2076 | NOROUTE {
2077 $$ = calloc(1, sizeof(struct node_host));
2078 if ($$ == NULL)
2079 err(1, "xhost: calloc");
2080 $$->addr.type = PF_ADDR_NOROUTE;
2081 $$->next = NULL;
2082 $$->tail = $$;
2083 }
2084 ;
2085
2086 host : STRING {
2087 if (($$ = host($1)) == NULL) {
2088 /* error. "any" is handled elsewhere */
2089 free($1);
2090 yyerror("could not parse host specification");
2091 YYERROR;
2092 }
2093 free($1);
2094
2095 }
2096 | STRING '/' number {
2097 char *buf;
2098
2099 if (asprintf(&buf, "%s/%u", $1, $3) == -1)
2100 err(1, "host: asprintf");
2101 free($1);
2102 if (($$ = host(buf)) == NULL) {
2103 /* error. "any" is handled elsewhere */
2104 free(buf);
2105 yyerror("could not parse host specification");
2106 YYERROR;
2107 }
2108 free(buf);
2109 }
2110 | dynaddr
2111 | dynaddr '/' number {
2112 struct node_host *n;
2113
2114 $$ = $1;
2115 for (n = $1; n != NULL; n = n->next)
2116 set_ipmask(n, $3);
2117 }
2118 | '<' STRING '>' {
2119 if (strlen($2) >= PF_TABLE_NAME_SIZE) {
2120 yyerror("table name '%s' too long", $2);
2121 free($2);
2122 YYERROR;
2123 }
2124 $$ = calloc(1, sizeof(struct node_host));
2125 if ($$ == NULL)
2126 err(1, "host: calloc");
2127 $$->addr.type = PF_ADDR_TABLE;
2128 if (strlcpy($$->addr.v.tblname, $2,
2129 sizeof($$->addr.v.tblname)) >=
2130 sizeof($$->addr.v.tblname))
2131 errx(1, "host: strlcpy");
2132 free($2);
2133 $$->next = NULL;
2134 $$->tail = $$;
2135 }
2136 ;
2137
2138 number : STRING {
2139 u_long ulval;
2140
2141 if (atoul($1, &ulval) == -1) {
2142 yyerror("%s is not a number", $1);
2143 free($1);
2144 YYERROR;
2145 } else
2146 $$ = ulval;
2147 free($1);
2148 }
2149 ;
2150
2151 dynaddr : '(' STRING ')' {
2152 int flags = 0;
2153 char *p, *op;
2154
2155 op = $2;
2156 while ((p = strrchr($2, ':')) != NULL) {
2157 if (!strcmp(p+1, "network"))
2158 flags |= PFI_AFLAG_NETWORK;
2159 else if (!strcmp(p+1, "broadcast"))
2160 flags |= PFI_AFLAG_BROADCAST;
2161 else if (!strcmp(p+1, "peer"))
2162 flags |= PFI_AFLAG_PEER;
2163 else if (!strcmp(p+1, "0"))
2164 flags |= PFI_AFLAG_NOALIAS;
2165 else {
2166 yyerror("interface %s has bad modifier",
2167 $2);
2168 free(op);
2169 YYERROR;
2170 }
2171 *p = '\0';
2172 }
2173 if (flags & (flags - 1) & PFI_AFLAG_MODEMASK) {
2174 free(op);
2175 yyerror("illegal combination of "
2176 "interface modifiers");
2177 YYERROR;
2178 }
2179 if (ifa_exists($2, 1) == NULL && strcmp($2, "self")) {
2180 yyerror("interface %s does not exist", $2);
2181 free(op);
2182 YYERROR;
2183 }
2184 $$ = calloc(1, sizeof(struct node_host));
2185 if ($$ == NULL)
2186 err(1, "address: calloc");
2187 $$->af = 0;
2188 set_ipmask($$, 128);
2189 $$->addr.type = PF_ADDR_DYNIFTL;
2190 $$->addr.iflags = flags;
2191 if (strlcpy($$->addr.v.ifname, $2,
2192 sizeof($$->addr.v.ifname)) >=
2193 sizeof($$->addr.v.ifname)) {
2194 free(op);
2195 free($$);
2196 yyerror("interface name too long");
2197 YYERROR;
2198 }
2199 free(op);
2200 $$->next = NULL;
2201 $$->tail = $$;
2202 }
2203 ;
2204
2205 portspec : port_item { $$ = $1; }
2206 | '{' port_list '}' { $$ = $2; }
2207 ;
2208
2209 port_list : port_item { $$ = $1; }
2210 | port_list comma port_item {
2211 $1->tail->next = $3;
2212 $1->tail = $3;
2213 $$ = $1;
2214 }
2215 ;
2216
2217 port_item : port {
2218 $$ = calloc(1, sizeof(struct node_port));
2219 if ($$ == NULL)
2220 err(1, "port_item: calloc");
2221 $$->port[0] = $1.a;
2222 $$->port[1] = $1.b;
2223 if ($1.t)
2224 $$->op = PF_OP_RRG;
2225 else
2226 $$->op = PF_OP_EQ;
2227 $$->next = NULL;
2228 $$->tail = $$;
2229 }
2230 | unaryop port {
2231 if ($2.t) {
2232 yyerror("':' cannot be used with an other "
2233 "port operator");
2234 YYERROR;
2235 }
2236 $$ = calloc(1, sizeof(struct node_port));
2237 if ($$ == NULL)
2238 err(1, "port_item: calloc");
2239 $$->port[0] = $2.a;
2240 $$->port[1] = $2.b;
2241 $$->op = $1;
2242 $$->next = NULL;
2243 $$->tail = $$;
2244 }
2245 | port PORTBINARY port {
2246 if ($1.t || $3.t) {
2247 yyerror("':' cannot be used with an other "
2248 "port operator");
2249 YYERROR;
2250 }
2251 $$ = calloc(1, sizeof(struct node_port));
2252 if ($$ == NULL)
2253 err(1, "port_item: calloc");
2254 $$->port[0] = $1.a;
2255 $$->port[1] = $3.a;
2256 $$->op = $2;
2257 $$->next = NULL;
2258 $$->tail = $$;
2259 }
2260 ;
2261
2262 port : STRING {
2263 char *p = strchr($1, ':');
2264 struct servent *s = NULL;
2265 u_long ulval;
2266
2267 if (p == NULL) {
2268 if (atoul($1, &ulval) == 0) {
2269 if (ulval > 65535) {
2270 free($1);
2271 yyerror("illegal port value %d",
2272 ulval);
2273 YYERROR;
2274 }
2275 $$.a = htons(ulval);
2276 } else {
2277 s = getservbyname($1, "tcp");
2278 if (s == NULL)
2279 s = getservbyname($1, "udp");
2280 if (s == NULL) {
2281 yyerror("unknown port %s", $1);
2282 free($1);
2283 YYERROR;
2284 }
2285 $$.a = s->s_port;
2286 }
2287 $$.b = 0;
2288 $$.t = 0;
2289 } else {
2290 int port[2];
2291
2292 *p++ = 0;
2293 if ((port[0] = getservice($1)) == -1 ||
2294 (port[1] = getservice(p)) == -1) {
2295 free($1);
2296 YYERROR;
2297 }
2298 $$.a = port[0];
2299 $$.b = port[1];
2300 $$.t = PF_OP_RRG;
2301 }
2302 free($1);
2303 }
2304 ;
2305
2306 uids : uid_item { $$ = $1; }
2307 | '{' uid_list '}' { $$ = $2; }
2308 ;
2309
2310 uid_list : uid_item { $$ = $1; }
2311 | uid_list comma uid_item {
2312 $1->tail->next = $3;
2313 $1->tail = $3;
2314 $$ = $1;
2315 }
2316 ;
2317
2318 uid_item : uid {
2319 $$ = calloc(1, sizeof(struct node_uid));
2320 if ($$ == NULL)
2321 err(1, "uid_item: calloc");
2322 $$->uid[0] = $1;
2323 $$->uid[1] = $1;
2324 $$->op = PF_OP_EQ;
2325 $$->next = NULL;
2326 $$->tail = $$;
2327 }
2328 | unaryop uid {
2329 if ($2 == UID_MAX && $1 != PF_OP_EQ && $1 != PF_OP_NE) {
2330 yyerror("user unknown requires operator = or "
2331 "!=");
2332 YYERROR;
2333 }
2334 $$ = calloc(1, sizeof(struct node_uid));
2335 if ($$ == NULL)
2336 err(1, "uid_item: calloc");
2337 $$->uid[0] = $2;
2338 $$->uid[1] = $2;
2339 $$->op = $1;
2340 $$->next = NULL;
2341 $$->tail = $$;
2342 }
2343 | uid PORTBINARY uid {
2344 if ($1 == UID_MAX || $3 == UID_MAX) {
2345 yyerror("user unknown requires operator = or "
2346 "!=");
2347 YYERROR;
2348 }
2349 $$ = calloc(1, sizeof(struct node_uid));
2350 if ($$ == NULL)
2351 err(1, "uid_item: calloc");
2352 $$->uid[0] = $1;
2353 $$->uid[1] = $3;
2354 $$->op = $2;
2355 $$->next = NULL;
2356 $$->tail = $$;
2357 }
2358 ;
2359
2360 uid : STRING {
2361 u_long ulval;
2362
2363 if (atoul($1, &ulval) == -1) {
2364 if (!strcmp($1, "unknown"))
2365 $$ = UID_MAX;
2366 else {
2367 struct passwd *pw;
2368
2369 if ((pw = getpwnam($1)) == NULL) {
2370 yyerror("unknown user %s", $1);
2371 free($1);
2372 YYERROR;
2373 }
2374 $$ = pw->pw_uid;
2375 }
2376 } else {
2377 if (ulval >= UID_MAX) {
2378 free($1);
2379 yyerror("illegal uid value %lu", ulval);
2380 YYERROR;
2381 }
2382 $$ = ulval;
2383 }
2384 free($1);
2385 }
2386 ;
2387
2388 gids : gid_item { $$ = $1; }
2389 | '{' gid_list '}' { $$ = $2; }
2390 ;
2391
2392 gid_list : gid_item { $$ = $1; }
2393 | gid_list comma gid_item {
2394 $1->tail->next = $3;
2395 $1->tail = $3;
2396 $$ = $1;
2397 }
2398 ;
2399
2400 gid_item : gid {
2401 $$ = calloc(1, sizeof(struct node_gid));
2402 if ($$ == NULL)
2403 err(1, "gid_item: calloc");
2404 $$->gid[0] = $1;
2405 $$->gid[1] = $1;
2406 $$->op = PF_OP_EQ;
2407 $$->next = NULL;
2408 $$->tail = $$;
2409 }
2410 | unaryop gid {
2411 if ($2 == GID_MAX && $1 != PF_OP_EQ && $1 != PF_OP_NE) {
2412 yyerror("group unknown requires operator = or "
2413 "!=");
2414 YYERROR;
2415 }
2416 $$ = calloc(1, sizeof(struct node_gid));
2417 if ($$ == NULL)
2418 err(1, "gid_item: calloc");
2419 $$->gid[0] = $2;
2420 $$->gid[1] = $2;
2421 $$->op = $1;
2422 $$->next = NULL;
2423 $$->tail = $$;
2424 }
2425 | gid PORTBINARY gid {
2426 if ($1 == GID_MAX || $3 == GID_MAX) {
2427 yyerror("group unknown requires operator = or "
2428 "!=");
2429 YYERROR;
2430 }
2431 $$ = calloc(1, sizeof(struct node_gid));
2432 if ($$ == NULL)
2433 err(1, "gid_item: calloc");
2434 $$->gid[0] = $1;
2435 $$->gid[1] = $3;
2436 $$->op = $2;
2437 $$->next = NULL;
2438 $$->tail = $$;
2439 }
2440 ;
2441
2442 gid : STRING {
2443 u_long ulval;
2444
2445 if (atoul($1, &ulval) == -1) {
2446 if (!strcmp($1, "unknown"))
2447 $$ = GID_MAX;
2448 else {
2449 struct group *grp;
2450
2451 if ((grp = getgrnam($1)) == NULL) {
2452 yyerror("unknown group %s", $1);
2453 free($1);
2454 YYERROR;
2455 }
2456 $$ = grp->gr_gid;
2457 }
2458 } else {
2459 if (ulval >= GID_MAX) {
2460 yyerror("illegal gid value %lu", ulval);
2461 free($1);
2462 YYERROR;
2463 }
2464 $$ = ulval;
2465 }
2466 free($1);
2467 }
2468 ;
2469
2470 flag : STRING {
2471 int f;
2472
2473 if ((f = parse_flags($1)) < 0) {
2474 yyerror("bad flags %s", $1);
2475 free($1);
2476 YYERROR;
2477 }
2478 free($1);
2479 $$.b1 = f;
2480 }
2481 ;
2482
2483 flags : FLAGS flag '/' flag { $$.b1 = $2.b1; $$.b2 = $4.b1; }
2484 | FLAGS '/' flag { $$.b1 = 0; $$.b2 = $3.b1; }
2485 ;
2486
2487 icmpspec : ICMPTYPE icmp_item { $$ = $2; }
2488 | ICMPTYPE '{' icmp_list '}' { $$ = $3; }
2489 | ICMP6TYPE icmp6_item { $$ = $2; }
2490 | ICMP6TYPE '{' icmp6_list '}' { $$ = $3; }
2491 ;
2492
2493 icmp_list : icmp_item { $$ = $1; }
2494 | icmp_list comma icmp_item {
2495 $1->tail->next = $3;
2496 $1->tail = $3;
2497 $$ = $1;
2498 }
2499 ;
2500
2501 icmp6_list : icmp6_item { $$ = $1; }
2502 | icmp6_list comma icmp6_item {
2503 $1->tail->next = $3;
2504 $1->tail = $3;
2505 $$ = $1;
2506 }
2507 ;
2508
2509 icmp_item : icmptype {
2510 $$ = calloc(1, sizeof(struct node_icmp));
2511 if ($$ == NULL)
2512 err(1, "icmp_item: calloc");
2513 $$->type = $1;
2514 $$->code = 0;
2515 $$->proto = IPPROTO_ICMP;
2516 $$->next = NULL;
2517 $$->tail = $$;
2518 }
2519 | icmptype CODE STRING {
2520 const struct icmpcodeent *p;
2521 u_long ulval;
2522
2523 if (atoul($3, &ulval) == 0) {
2524 if (ulval > 255) {
2525 free($3);
2526 yyerror("illegal icmp-code %d", ulval);
2527 YYERROR;
2528 }
2529 } else {
2530 if ((p = geticmpcodebyname($1-1, $3,
2531 AF_INET)) == NULL) {
2532 yyerror("unknown icmp-code %s", $3);
2533 free($3);
2534 YYERROR;
2535 }
2536 ulval = p->code;
2537 }
2538 free($3);
2539 $$ = calloc(1, sizeof(struct node_icmp));
2540 if ($$ == NULL)
2541 err(1, "icmp_item: calloc");
2542 $$->type = $1;
2543 $$->code = ulval + 1;
2544 $$->proto = IPPROTO_ICMP;
2545 $$->next = NULL;
2546 $$->tail = $$;
2547 }
2548 ;
2549
2550 icmp6_item : icmp6type {
2551 $$ = calloc(1, sizeof(struct node_icmp));
2552 if ($$ == NULL)
2553 err(1, "icmp_item: calloc");
2554 $$->type = $1;
2555 $$->code = 0;
2556 $$->proto = IPPROTO_ICMPV6;
2557 $$->next = NULL;
2558 $$->tail = $$;
2559 }
2560 | icmp6type CODE STRING {
2561 const struct icmpcodeent *p;
2562 u_long ulval;
2563
2564 if (atoul($3, &ulval) == 0) {
2565 if (ulval > 255) {
2566 yyerror("illegal icmp6-code %ld",
2567 ulval);
2568 free($3);
2569 YYERROR;
2570 }
2571 } else {
2572 if ((p = geticmpcodebyname($1-1, $3,
2573 AF_INET6)) == NULL) {
2574 yyerror("unknown icmp6-code %s", $3);
2575 free($3);
2576 YYERROR;
2577 }
2578 ulval = p->code;
2579 }
2580 free($3);
2581 $$ = calloc(1, sizeof(struct node_icmp));
2582 if ($$ == NULL)
2583 err(1, "icmp_item: calloc");
2584 $$->type = $1;
2585 $$->code = ulval + 1;
2586 $$->proto = IPPROTO_ICMPV6;
2587 $$->next = NULL;
2588 $$->tail = $$;
2589 }
2590 ;
2591
2592 icmptype : STRING {
2593 const struct icmptypeent *p;
2594 u_long ulval;
2595
2596 if (atoul($1, &ulval) == 0) {
2597 if (ulval > 255) {
2598 yyerror("illegal icmp-type %d", ulval);
2599 free($1);
2600 YYERROR;
2601 }
2602 $$ = ulval + 1;
2603 } else {
2604 if ((p = geticmptypebyname($1, AF_INET)) ==
2605 NULL) {
2606 yyerror("unknown icmp-type %s", $1);
2607 free($1);
2608 YYERROR;
2609 }
2610 $$ = p->type + 1;
2611 }
2612 free($1);
2613 }
2614 ;
2615
2616 icmp6type : STRING {
2617 const struct icmptypeent *p;
2618 u_long ulval;
2619
2620 if (atoul($1, &ulval) == 0) {
2621 if (ulval > 255) {
2622 yyerror("illegal icmp6-type %d", ulval);
2623 free($1);
2624 YYERROR;
2625 }
2626 $$ = ulval + 1;
2627 } else {
2628 if ((p = geticmptypebyname($1, AF_INET6)) ==
2629 NULL) {
2630 yyerror("unknown icmp6-type %s", $1);
2631 free($1);
2632 YYERROR;
2633 }
2634 $$ = p->type + 1;
2635 }
2636 free($1);
2637 }
2638 ;
2639
2640 tos : TOS STRING {
2641 if (!strcmp($2, "lowdelay"))
2642 $$ = IPTOS_LOWDELAY;
2643 else if (!strcmp($2, "throughput"))
2644 $$ = IPTOS_THROUGHPUT;
2645 else if (!strcmp($2, "reliability"))
2646 $$ = IPTOS_RELIABILITY;
2647 else if ($2[0] == '0' && $2[1] == 'x')
2648 $$ = strtoul($2, NULL, 16);
2649 else
2650 $$ = strtoul($2, NULL, 10);
2651 if (!$$ || $$ > 255) {
2652 yyerror("illegal tos value %s", $2);
2653 free($2);
2654 YYERROR;
2655 }
2656 free($2);
2657 }
2658 ;
2659
2660 sourcetrack : SOURCETRACK { $$ = PF_SRCTRACK; }
2661 | SOURCETRACK GLOBAL { $$ = PF_SRCTRACK_GLOBAL; }
2662 | SOURCETRACK RULE { $$ = PF_SRCTRACK_RULE; }
2663 ;
2664
2665 statelock : IFBOUND {
2666 $$ = PFRULE_IFBOUND;
2667 }
2668 | GRBOUND {
2669 $$ = PFRULE_GRBOUND;
2670 }
2671 | FLOATING {
2672 $$ = 0;
2673 }
2674 ;
2675
2676 keep : KEEP STATE state_opt_spec {
2677 $$.action = PF_STATE_NORMAL;
2678 $$.options = $3;
2679 }
2680 | MODULATE STATE state_opt_spec {
2681 $$.action = PF_STATE_MODULATE;
2682 $$.options = $3;
2683 }
2684 | SYNPROXY STATE state_opt_spec {
2685 $$.action = PF_STATE_SYNPROXY;
2686 $$.options = $3;
2687 }
2688 ;
2689
2690 state_opt_spec : '(' state_opt_list ')' { $$ = $2; }
2691 | /* empty */ { $$ = NULL; }
2692 ;
2693
2694 state_opt_list : state_opt_item { $$ = $1; }
2695 | state_opt_list comma state_opt_item {
2696 $1->tail->next = $3;
2697 $1->tail = $3;
2698 $$ = $1;
2699 }
2700 ;
2701
2702 state_opt_item : MAXIMUM number {
2703 $$ = calloc(1, sizeof(struct node_state_opt));
2704 if ($$ == NULL)
2705 err(1, "state_opt_item: calloc");
2706 $$->type = PF_STATE_OPT_MAX;
2707 $$->data.max_states = $2;
2708 $$->next = NULL;
2709 $$->tail = $$;
2710 }
2711 | NOSYNC {
2712 $$ = calloc(1, sizeof(struct node_state_opt));
2713 if ($$ == NULL)
2714 err(1, "state_opt_item: calloc");
2715 $$->type = PF_STATE_OPT_NOSYNC;
2716 $$->next = NULL;
2717 $$->tail = $$;
2718 }
2719 | MAXSRCSTATES number {
2720 $$ = calloc(1, sizeof(struct node_state_opt));
2721 if ($$ == NULL)
2722 err(1, "state_opt_item: calloc");
2723 $$->type = PF_STATE_OPT_MAX_SRC_STATES;
2724 $$->data.max_src_states = $2;
2725 $$->next = NULL;
2726 $$->tail = $$;
2727 }
2728 | MAXSRCNODES number {
2729 $$ = calloc(1, sizeof(struct node_state_opt));
2730 if ($$ == NULL)
2731 err(1, "state_opt_item: calloc");
2732 $$->type = PF_STATE_OPT_MAX_SRC_NODES;
2733 $$->data.max_src_nodes = $2;
2734 $$->next = NULL;
2735 $$->tail = $$;
2736 }
2737 | sourcetrack {
2738 $$ = calloc(1, sizeof(struct node_state_opt));
2739 if ($$ == NULL)
2740 err(1, "state_opt_item: calloc");
2741 $$->type = PF_STATE_OPT_SRCTRACK;
2742 $$->data.src_track = $1;
2743 $$->next = NULL;
2744 $$->tail = $$;
2745 }
2746 | statelock {
2747 $$ = calloc(1, sizeof(struct node_state_opt));
2748 if ($$ == NULL)
2749 err(1, "state_opt_item: calloc");
2750 $$->type = PF_STATE_OPT_STATELOCK;
2751 $$->data.statelock = $1;
2752 $$->next = NULL;
2753 $$->tail = $$;
2754 }
2755 | STRING number {
2756 int i;
2757
2758 for (i = 0; pf_timeouts[i].name &&
2759 strcmp(pf_timeouts[i].name, $1); ++i)
2760 ; /* nothing */
2761 if (!pf_timeouts[i].name) {
2762 yyerror("illegal timeout name %s", $1);
2763 free($1);
2764 YYERROR;
2765 }
2766 if (strchr(pf_timeouts[i].name, '.') == NULL) {
2767 yyerror("illegal state timeout %s", $1);
2768 free($1);
2769 YYERROR;
2770 }
2771 free($1);
2772 $$ = calloc(1, sizeof(struct node_state_opt));
2773 if ($$ == NULL)
2774 err(1, "state_opt_item: calloc");
2775 $$->type = PF_STATE_OPT_TIMEOUT;
2776 $$->data.timeout.number = pf_timeouts[i].timeout;
2777 $$->data.timeout.seconds = $2;
2778 $$->next = NULL;
2779 $$->tail = $$;
2780 }
2781 ;
2782
2783 label : LABEL STRING {
2784 $$ = $2;
2785 }
2786 ;
2787
2788 qname : QUEUE STRING {
2789 $$.qname = $2;
2790 }
2791 | QUEUE '(' STRING ')' {
2792 $$.qname = $3;
2793 }
2794 | QUEUE '(' STRING comma STRING ')' {
2795 $$.qname = $3;
2796 $$.pqname = $5;
2797 }
2798 ;
2799
2800 no : /* empty */ { $$ = 0; }
2801 | NO { $$ = 1; }
2802 ;
2803
2804 rport : STRING {
2805 char *p = strchr($1, ':');
2806
2807 if (p == NULL) {
2808 if (($$.a = getservice($1)) == -1) {
2809 free($1);
2810 YYERROR;
2811 }
2812 $$.b = $$.t = 0;
2813 } else if (!strcmp(p+1, "*")) {
2814 *p = 0;
2815 if (($$.a = getservice($1)) == -1) {
2816 free($1);
2817 YYERROR;
2818 }
2819 $$.b = 0;
2820 $$.t = 1;
2821 } else {
2822 *p++ = 0;
2823 if (($$.a = getservice($1)) == -1 ||
2824 ($$.b = getservice(p)) == -1) {
2825 free($1);
2826 YYERROR;
2827 }
2828 if ($$.a == $$.b)
2829 $$.b = 0;
2830 $$.t = 0;
2831 }
2832 free($1);
2833 }
2834 ;
2835
2836 redirspec : host { $$ = $1; }
2837 | '{' redir_host_list '}' { $$ = $2; }
2838 ;
2839
2840 redir_host_list : host { $$ = $1; }
2841 | redir_host_list comma host {
2842 $1->tail->next = $3;
2843 $1->tail = $3->tail;
2844 $$ = $1;
2845 }
2846 ;
2847
2848 redirpool : /* empty */ { $$ = NULL; }
2849 | ARROW redirspec {
2850 $$ = calloc(1, sizeof(struct redirection));
2851 if ($$ == NULL)
2852 err(1, "redirection: calloc");
2853 $$->host = $2;
2854 $$->rport.a = $$->rport.b = $$->rport.t = 0;
2855 }
2856 | ARROW redirspec PORT rport {
2857 $$ = calloc(1, sizeof(struct redirection));
2858 if ($$ == NULL)
2859 err(1, "redirection: calloc");
2860 $$->host = $2;
2861 $$->rport = $4;
2862 }
2863 ;
2864
2865 hashkey : /* empty */
2866 {
2867 $$ = calloc(1, sizeof(struct pf_poolhashkey));
2868 if ($$ == NULL)
2869 err(1, "hashkey: calloc");
2870 $$->key32[0] = arc4random();
2871 $$->key32[1] = arc4random();
2872 $$->key32[2] = arc4random();
2873 $$->key32[3] = arc4random();
2874 }
2875 | string
2876 {
2877 if (!strncmp($1, "0x", 2)) {
2878 if (strlen($1) != 34) {
2879 free($1);
2880 yyerror("hex key must be 128 bits "
2881 "(32 hex digits) long");
2882 YYERROR;
2883 }
2884 $$ = calloc(1, sizeof(struct pf_poolhashkey));
2885 if ($$ == NULL)
2886 err(1, "hashkey: calloc");
2887
2888 if (sscanf($1, "0x%8x%8x%8x%8x",
2889 &$$->key32[0], &$$->key32[1],
2890 &$$->key32[2], &$$->key32[3]) != 4) {
2891 free($$);
2892 free($1);
2893 yyerror("invalid hex key");
2894 YYERROR;
2895 }
2896 } else {
2897 MD5_CTX context;
2898
2899 $$ = calloc(1, sizeof(struct pf_poolhashkey));
2900 if ($$ == NULL)
2901 err(1, "hashkey: calloc");
2902 MD5Init(&context);
2903 MD5Update(&context, (unsigned char *)$1,
2904 strlen($1));
2905 MD5Final((unsigned char *)$$, &context);
2906 $$->key32[0] = htonl($$->key32[0]);
2907 $$->key32[1] = htonl($$->key32[1]);
2908 $$->key32[2] = htonl($$->key32[2]);
2909 $$->key32[3] = htonl($$->key32[3]);
2910 }
2911 free($1);
2912 }
2913 ;
2914
2915 pool_opts : { bzero(&pool_opts, sizeof pool_opts); }
2916 pool_opts_l
2917 { $$ = pool_opts; }
2918 | /* empty */ {
2919 bzero(&pool_opts, sizeof pool_opts);
2920 $$ = pool_opts;
2921 }
2922 ;
2923
2924 pool_opts_l : pool_opts_l pool_opt
2925 | pool_opt
2926 ;
2927
2928 pool_opt : BITMASK {
2929 if (pool_opts.type) {
2930 yyerror("pool type cannot be redefined");
2931 YYERROR;
2932 }
2933 pool_opts.type = PF_POOL_BITMASK;
2934 }
2935 | RANDOM {
2936 if (pool_opts.type) {
2937 yyerror("pool type cannot be redefined");
2938 YYERROR;
2939 }
2940 pool_opts.type = PF_POOL_RANDOM;
2941 }
2942 | SOURCEHASH hashkey {
2943 if (pool_opts.type) {
2944 yyerror("pool type cannot be redefined");
2945 YYERROR;
2946 }
2947 pool_opts.type = PF_POOL_SRCHASH;
2948 pool_opts.key = $2;
2949 }
2950 | ROUNDROBIN {
2951 if (pool_opts.type) {
2952 yyerror("pool type cannot be redefined");
2953 YYERROR;
2954 }
2955 pool_opts.type = PF_POOL_ROUNDROBIN;
2956 }
2957 | STATICPORT {
2958 if (pool_opts.staticport) {
2959 yyerror("static-port cannot be redefined");
2960 YYERROR;
2961 }
2962 pool_opts.staticport = 1;
2963 }
2964 | STICKYADDRESS {
2965 if (filter_opts.marker & POM_STICKYADDRESS) {
2966 yyerror("sticky-address cannot be redefined");
2967 YYERROR;
2968 }
2969 pool_opts.marker |= POM_STICKYADDRESS;
2970 pool_opts.opts |= PF_POOL_STICKYADDR;
2971 }
2972 ;
2973
2974 redirection : /* empty */ { $$ = NULL; }
2975 | ARROW host {
2976 $$ = calloc(1, sizeof(struct redirection));
2977 if ($$ == NULL)
2978 err(1, "redirection: calloc");
2979 $$->host = $2;
2980 $$->rport.a = $$->rport.b = $$->rport.t = 0;
2981 }
2982 | ARROW host PORT rport {
2983 $$ = calloc(1, sizeof(struct redirection));
2984 if ($$ == NULL)
2985 err(1, "redirection: calloc");
2986 $$->host = $2;
2987 $$->rport = $4;
2988 }
2989 ;
2990
2991 natpass : /* empty */ { $$ = 0; }
2992 | PASS { $$ = 1; }
2993 ;
2994
2995 nataction : no NAT natpass {
2996 $$.b2 = $$.w = 0;
2997 if ($1)
2998 $$.b1 = PF_NONAT;
2999 else
3000 $$.b1 = PF_NAT;
3001 $$.b2 = $3;
3002 }
3003 | no RDR natpass {
3004 $$.b2 = $$.w = 0;
3005 if ($1)
3006 $$.b1 = PF_NORDR;
3007 else
3008 $$.b1 = PF_RDR;
3009 $$.b2 = $3;
3010 }
3011 ;
3012
3013 natrule : nataction interface af proto fromto tag redirpool pool_opts
3014 {
3015 struct pf_rule r;
3016
3017 if (check_rulestate(PFCTL_STATE_NAT))
3018 YYERROR;
3019
3020 memset(&r, 0, sizeof(r));
3021
3022 r.action = $1.b1;
3023 r.natpass = $1.b2;
3024 r.af = $3;
3025
3026 if (!r.af) {
3027 if ($5.src.host && $5.src.host->af &&
3028 !$5.src.host->ifindex)
3029 r.af = $5.src.host->af;
3030 else if ($5.dst.host && $5.dst.host->af &&
3031 !$5.dst.host->ifindex)
3032 r.af = $5.dst.host->af;
3033 }
3034
3035 if ($6 != NULL)
3036 if (strlcpy(r.tagname, $6, PF_TAG_NAME_SIZE) >=
3037 PF_TAG_NAME_SIZE) {
3038 yyerror("tag too long, max %u chars",
3039 PF_TAG_NAME_SIZE - 1);
3040 YYERROR;
3041 }
3042
3043 if (r.action == PF_NONAT || r.action == PF_NORDR) {
3044 if ($7 != NULL) {
3045 yyerror("translation rule with 'no' "
3046 "does not need '->'");
3047 YYERROR;
3048 }
3049 } else {
3050 if ($7 == NULL || $7->host == NULL) {
3051 yyerror("translation rule requires '-> "
3052 "address'");
3053 YYERROR;
3054 }
3055 if (!r.af && ! $7->host->ifindex)
3056 r.af = $7->host->af;
3057
3058 remove_invalid_hosts(&$7->host, &r.af);
3059 if (invalid_redirect($7->host, r.af))
3060 YYERROR;
3061 if (check_netmask($7->host, r.af))
3062 YYERROR;
3063
3064 r.rpool.proxy_port[0] = ntohs($7->rport.a);
3065
3066 switch (r.action) {
3067 case PF_RDR:
3068 if (!$7->rport.b && $7->rport.t &&
3069 $5.dst.port != NULL) {
3070 r.rpool.proxy_port[1] =
3071 ntohs($7->rport.a) +
3072 (ntohs(
3073 $5.dst.port->port[1]) -
3074 ntohs(
3075 $5.dst.port->port[0]));
3076 } else
3077 r.rpool.proxy_port[1] =
3078 ntohs($7->rport.b);
3079 break;
3080 case PF_NAT:
3081 r.rpool.proxy_port[1] =
3082 ntohs($7->rport.b);
3083 if (!r.rpool.proxy_port[0] &&
3084 !r.rpool.proxy_port[1]) {
3085 r.rpool.proxy_port[0] =
3086 PF_NAT_PROXY_PORT_LOW;
3087 r.rpool.proxy_port[1] =
3088 PF_NAT_PROXY_PORT_HIGH;
3089 } else if (!r.rpool.proxy_port[1])
3090 r.rpool.proxy_port[1] =
3091 r.rpool.proxy_port[0];
3092 break;
3093 default:
3094 break;
3095 }
3096
3097 r.rpool.opts = $8.type;
3098 if ((r.rpool.opts & PF_POOL_TYPEMASK) ==
3099 PF_POOL_NONE && ($7->host->next != NULL ||
3100 $7->host->addr.type == PF_ADDR_TABLE ||
3101 DYNIF_MULTIADDR($7->host->addr)))
3102 r.rpool.opts = PF_POOL_ROUNDROBIN;
3103 if ((r.rpool.opts & PF_POOL_TYPEMASK) !=
3104 PF_POOL_ROUNDROBIN &&
3105 disallow_table($7->host, "tables are only "
3106 "supported in round-robin redirection "
3107 "pools"))
3108 YYERROR;
3109 if ((r.rpool.opts & PF_POOL_TYPEMASK) !=
3110 PF_POOL_ROUNDROBIN &&
3111 disallow_alias($7->host, "interface (%s) "
3112 "is only supported in round-robin "
3113 "redirection pools"))
3114 YYERROR;
3115 if ($7->host->next != NULL) {
3116 if ((r.rpool.opts & PF_POOL_TYPEMASK) !=
3117 PF_POOL_ROUNDROBIN) {
3118 yyerror("only round-robin "
3119 "valid for multiple "
3120 "redirection addresses");
3121 YYERROR;
3122 }
3123 }
3124 }
3125
3126 if ($8.key != NULL)
3127 memcpy(&r.rpool.key, $8.key,
3128 sizeof(struct pf_poolhashkey));
3129
3130 if ($8.opts)
3131 r.rpool.opts |= $8.opts;
3132
3133 if ($8.staticport) {
3134 if (r.action != PF_NAT) {
3135 yyerror("the 'static-port' option is "
3136 "only valid with nat rules");
3137 YYERROR;
3138 }
3139 if (r.rpool.proxy_port[0] !=
3140 PF_NAT_PROXY_PORT_LOW &&
3141 r.rpool.proxy_port[1] !=
3142 PF_NAT_PROXY_PORT_HIGH) {
3143 yyerror("the 'static-port' option can't"
3144 " be used when specifying a port"
3145 " range");
3146 YYERROR;
3147 }
3148 r.rpool.proxy_port[0] = 0;
3149 r.rpool.proxy_port[1] = 0;
3150 }
3151
3152 expand_rule(&r, $2, $7 == NULL ? NULL : $7->host, $4,
3153 $5.src_os, $5.src.host, $5.src.port, $5.dst.host,
3154 $5.dst.port, 0, 0, 0);
3155 free($7);
3156 }
3157 ;
3158
3159 binatrule : no BINAT natpass interface af proto FROM host TO ipspec tag
3160 redirection
3161 {
3162 struct pf_rule binat;
3163 struct pf_pooladdr *pa;
3164
3165 if (check_rulestate(PFCTL_STATE_NAT))
3166 YYERROR;
3167
3168 memset(&binat, 0, sizeof(binat));
3169
3170 if ($1)
3171 binat.action = PF_NOBINAT;
3172 else
3173 binat.action = PF_BINAT;
3174 binat.natpass = $3;
3175 binat.af = $5;
3176 if (!binat.af && $8 != NULL && $8->af)
3177 binat.af = $8->af;
3178 if (!binat.af && $10 != NULL && $10->af)
3179 binat.af = $10->af;
3180 if (!binat.af && $12 != NULL && $12->host)
3181 binat.af = $12->host->af;
3182 if (!binat.af) {
3183 yyerror("address family (inet/inet6) "
3184 "undefined");
3185 YYERROR;
3186 }
3187
3188 if ($4 != NULL) {
3189 memcpy(binat.ifname, $4->ifname,
3190 sizeof(binat.ifname));
3191 binat.ifnot = $4->not;
3192 free($4);
3193 }
3194 if ($11 != NULL)
3195 if (strlcpy(binat.tagname, $11,
3196 PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) {
3197 yyerror("tag too long, max %u chars",
3198 PF_TAG_NAME_SIZE - 1);
3199 YYERROR;
3200 }
3201
3202 if ($6 != NULL) {
3203 binat.proto = $6->proto;
3204 free($6);
3205 }
3206
3207 if ($8 != NULL && disallow_table($8, "invalid use of "
3208 "table <%s> as the source address of a binat rule"))
3209 YYERROR;
3210 if ($8 != NULL && disallow_alias($8, "invalid use of "
3211 "interface (%s) as the source address of a binat "
3212 "rule"))
3213 YYERROR;
3214 if ($12 != NULL && $12->host != NULL && disallow_table(
3215 $12->host, "invalid use of table <%s> as the "
3216 "redirect address of a binat rule"))
3217 YYERROR;
3218 if ($12 != NULL && $12->host != NULL && disallow_alias(
3219 $12->host, "invalid use of interface (%s) as the "
3220 "redirect address of a binat rule"))
3221 YYERROR;
3222
3223 if ($8 != NULL) {
3224 if ($8->next) {
3225 yyerror("multiple binat ip addresses");
3226 YYERROR;
3227 }
3228 if ($8->addr.type == PF_ADDR_DYNIFTL)
3229 $8->af = binat.af;
3230 if ($8->af != binat.af) {
3231 yyerror("binat ip versions must match");
3232 YYERROR;
3233 }
3234 if (check_netmask($8, binat.af))
3235 YYERROR;
3236 memcpy(&binat.src.addr, &$8->addr,
3237 sizeof(binat.src.addr));
3238 free($8);
3239 }
3240 if ($10 != NULL) {
3241 if ($10->next) {
3242 yyerror("multiple binat ip addresses");
3243 YYERROR;
3244 }
3245 if ($10->af != binat.af && $10->af) {
3246 yyerror("binat ip versions must match");
3247 YYERROR;
3248 }
3249 if (check_netmask($10, binat.af))
3250 YYERROR;
3251 memcpy(&binat.dst.addr, &$10->addr,
3252 sizeof(binat.dst.addr));
3253 binat.dst.not = $10->not;
3254 free($10);
3255 }
3256
3257 if (binat.action == PF_NOBINAT) {
3258 if ($12 != NULL) {
3259 yyerror("'no binat' rule does not need"
3260 " '->'");
3261 YYERROR;
3262 }
3263 } else {
3264 if ($12 == NULL || $12->host == NULL) {
3265 yyerror("'binat' rule requires"
3266 " '-> address'");
3267 YYERROR;
3268 }
3269
3270 remove_invalid_hosts(&$12->host, &binat.af);
3271 if (invalid_redirect($12->host, binat.af))
3272 YYERROR;
3273 if ($12->host->next != NULL) {
3274 yyerror("binat rule must redirect to "
3275 "a single address");
3276 YYERROR;
3277 }
3278 if (check_netmask($12->host, binat.af))
3279 YYERROR;
3280
3281 if (!PF_AZERO(&binat.src.addr.v.a.mask,
3282 binat.af) &&
3283 !PF_AEQ(&binat.src.addr.v.a.mask,
3284 &$12->host->addr.v.a.mask, binat.af)) {
3285 yyerror("'binat' source mask and "
3286 "redirect mask must be the same");
3287 YYERROR;
3288 }
3289
3290 TAILQ_INIT(&binat.rpool.list);
3291 pa = calloc(1, sizeof(struct pf_pooladdr));
3292 if (pa == NULL)
3293 err(1, "binat: calloc");
3294 pa->addr = $12->host->addr;
3295 pa->ifname[0] = 0;
3296 TAILQ_INSERT_TAIL(&binat.rpool.list,
3297 pa, entries);
3298
3299 free($12);
3300 }
3301
3302 pfctl_add_rule(pf, &binat);
3303 }
3304 ;
3305
3306 tag : /* empty */ { $$ = NULL; }
3307 | TAG STRING { $$ = $2; }
3308 ;
3309
3310 route_host : STRING {
3311 $$ = calloc(1, sizeof(struct node_host));
3312 if ($$ == NULL)
3313 err(1, "route_host: calloc");
3314 $$->ifname = $1;
3315 if (ifa_exists($$->ifname, 0) == NULL) {
3316 yyerror("routeto: unknown interface %s",
3317 $$->ifname);
3318 free($1);
3319 free($$);
3320 YYERROR;
3321 }
3322 set_ipmask($$, 128);
3323 $$->next = NULL;
3324 $$->tail = $$;
3325 }
3326 | '(' STRING host ')' {
3327 $$ = $3;
3328 $$->ifname = $2;
3329 if (ifa_exists($$->ifname, 0) == NULL) {
3330 yyerror("routeto: unknown interface %s",
3331 $$->ifname);
3332 YYERROR;
3333 }
3334 }
3335 ;
3336
3337 route_host_list : route_host { $$ = $1; }
3338 | route_host_list comma route_host {
3339 if ($1->af == 0)
3340 $1->af = $3->af;
3341 if ($1->af != $3->af) {
3342 yyerror("all pool addresses must be in the "
3343 "same address family");
3344 YYERROR;
3345 }
3346 $1->tail->next = $3;
3347 $1->tail = $3->tail;
3348 $$ = $1;
3349 }
3350 ;
3351
3352 routespec : route_host { $$ = $1; }
3353 | '{' route_host_list '}' { $$ = $2; }
3354 ;
3355
3356 route : /* empty */ {
3357 $$.host = NULL;
3358 $$.rt = 0;
3359 $$.pool_opts = 0;
3360 }
3361 | FASTROUTE {
3362 $$.host = NULL;
3363 $$.rt = PF_FASTROUTE;
3364 $$.pool_opts = 0;
3365 }
3366 | ROUTETO routespec pool_opts {
3367 $$.host = $2;
3368 $$.rt = PF_ROUTETO;
3369 $$.pool_opts = $3.type | $3.opts;
3370 if ($3.key != NULL)
3371 $$.key = $3.key;
3372 }
3373 | REPLYTO routespec pool_opts {
3374 $$.host = $2;
3375 $$.rt = PF_REPLYTO;
3376 $$.pool_opts = $3.type | $3.opts;
3377 if ($3.key != NULL)
3378 $$.key = $3.key;
3379 }
3380 | DUPTO routespec pool_opts {
3381 $$.host = $2;
3382 $$.rt = PF_DUPTO;
3383 $$.pool_opts = $3.type | $3.opts;
3384 if ($3.key != NULL)
3385 $$.key = $3.key;
3386 }
3387 ;
3388
3389 timeout_spec : STRING number
3390 {
3391 if (check_rulestate(PFCTL_STATE_OPTION)) {
3392 free($1);
3393 YYERROR;
3394 }
3395 if (pfctl_set_timeout(pf, $1, $2, 0) != 0) {
3396 yyerror("unknown timeout %s", $1);
3397 free($1);
3398 YYERROR;
3399 }
3400 free($1);
3401 }
3402 ;
3403
3404 timeout_list : timeout_list comma timeout_spec
3405 | timeout_spec
3406 ;
3407
3408 limit_spec : STRING number
3409 {
3410 if (check_rulestate(PFCTL_STATE_OPTION)) {
3411 free($1);
3412 YYERROR;
3413 }
3414 if (pfctl_set_limit(pf, $1, $2) != 0) {
3415 yyerror("unable to set limit %s %u", $1, $2);
3416 free($1);
3417 YYERROR;
3418 }
3419 free($1);
3420 }
3421 ;
3422
3423 limit_list : limit_list comma limit_spec
3424 | limit_spec
3425 ;
3426
3427 comma : ','
3428 | /* empty */
3429 ;
3430
3431 yesno : NO { $$ = 0; }
3432 | STRING {
3433 if (!strcmp($1, "yes"))
3434 $$ = 1;
3435 else {
3436 free($1);
3437 YYERROR;
3438 }
3439 free($1);
3440 }
3441 ;
3442
3443 unaryop : '=' { $$ = PF_OP_EQ; }
3444 | '!' '=' { $$ = PF_OP_NE; }
3445 | '<' '=' { $$ = PF_OP_LE; }
3446 | '<' { $$ = PF_OP_LT; }
3447 | '>' '=' { $$ = PF_OP_GE; }
3448 | '>' { $$ = PF_OP_GT; }
3449 ;
3450
3451 %%
3452
3453 int
3454 yyerror(const char *fmt, ...)
3455 {
3456 va_list ap;
3457
3458 errors = 1;
3459 va_start(ap, fmt);
3460 fprintf(stderr, "%s:%d: ", infile, yylval.lineno);
3461 vfprintf(stderr, fmt, ap);
3462 fprintf(stderr, "\n");
3463 va_end(ap);
3464 return (0);
3465 }
3466
3467 int
3468 disallow_table(struct node_host *h, const char *fmt)
3469 {
3470 for (; h != NULL; h = h->next)
3471 if (h->addr.type == PF_ADDR_TABLE) {
3472 yyerror(fmt, h->addr.v.tblname);
3473 return (1);
3474 }
3475 return (0);
3476 }
3477
3478 int
3479 disallow_alias(struct node_host *h, const char *fmt)
3480 {
3481 for (; h != NULL; h = h->next)
3482 if (DYNIF_MULTIADDR(h->addr)) {
3483 yyerror(fmt, h->addr.v.tblname);
3484 return (1);
3485 }
3486 return (0);
3487 }
3488
3489 int
3490 rule_consistent(struct pf_rule *r)
3491 {
3492 int problems = 0;
3493
3494 switch (r->action) {
3495 case PF_PASS:
3496 case PF_DROP:
3497 case PF_SCRUB:
3498 problems = filter_consistent(r);
3499 break;
3500 case PF_NAT:
3501 case PF_NONAT:
3502 problems = nat_consistent(r);
3503 break;
3504 case PF_RDR:
3505 case PF_NORDR:
3506 problems = rdr_consistent(r);
3507 break;
3508 case PF_BINAT:
3509 case PF_NOBINAT:
3510 default:
3511 break;
3512 }
3513 return (problems);
3514 }
3515
3516 int
3517 filter_consistent(struct pf_rule *r)
3518 {
3519 int problems = 0;
3520
3521 if (r->proto != IPPROTO_TCP && r->proto != IPPROTO_UDP &&
3522 (r->src.port_op || r->dst.port_op)) {
3523 yyerror("port only applies to tcp/udp");
3524 problems++;
3525 }
3526 if (r->proto != IPPROTO_ICMP && r->proto != IPPROTO_ICMPV6 &&
3527 (r->type || r->code)) {
3528 yyerror("icmp-type/code only applies to icmp");
3529 problems++;
3530 }
3531 if (!r->af && (r->type || r->code)) {
3532 yyerror("must indicate address family with icmp-type/code");
3533 problems++;
3534 }
3535 if ((r->proto == IPPROTO_ICMP && r->af == AF_INET6) ||
3536 (r->proto == IPPROTO_ICMPV6 && r->af == AF_INET)) {
3537 yyerror("proto %s doesn't match address family %s",
3538 r->proto == IPPROTO_ICMP ? "icmp" : "icmp6",
3539 r->af == AF_INET ? "inet" : "inet6");
3540 problems++;
3541 }
3542 if (r->allow_opts && r->action != PF_PASS) {
3543 yyerror("allow-opts can only be specified for pass rules");
3544 problems++;
3545 }
3546 if (r->rule_flag & PFRULE_FRAGMENT && (r->src.port_op ||
3547 r->dst.port_op || r->flagset || r->type || r->code)) {
3548 yyerror("fragments can be filtered only on IP header fields");
3549 problems++;
3550 }
3551 if (r->rule_flag & PFRULE_RETURNRST && r->proto != IPPROTO_TCP) {
3552 yyerror("return-rst can only be applied to TCP rules");
3553 problems++;
3554 }
3555 if (r->max_src_nodes && !(r->rule_flag & PFRULE_RULESRCTRACK)) {
3556 yyerror("max-src-nodes requires 'source-track rule'");
3557 problems++;
3558 }
3559 if (r->action == PF_DROP && r->keep_state) {
3560 yyerror("keep state on block rules doesn't make sense");
3561 problems++;
3562 }
3563 if ((r->tagname[0] || r->match_tagname[0]) && !r->keep_state &&
3564 r->action == PF_PASS && !r->anchorname[0]) {
3565 yyerror("tags cannot be used without keep state");
3566 problems++;
3567 }
3568 return (-problems);
3569 }
3570
3571 int
3572 nat_consistent(struct pf_rule *r __unused)
3573 {
3574 return (0); /* yeah! */
3575 }
3576
3577 int
3578 rdr_consistent(struct pf_rule *r)
3579 {
3580 int problems = 0;
3581
3582 if (r->proto != IPPROTO_TCP && r->proto != IPPROTO_UDP) {
3583 if (r->src.port_op) {
3584 yyerror("src port only applies to tcp/udp");
3585 problems++;
3586 }
3587 if (r->dst.port_op) {
3588 yyerror("dst port only applies to tcp/udp");
3589 problems++;
3590 }
3591 if (r->rpool.proxy_port[0]) {
3592 yyerror("rpool port only applies to tcp/udp");
3593 problems++;
3594 }
3595 }
3596 if (r->dst.port_op &&
3597 r->dst.port_op != PF_OP_EQ && r->dst.port_op != PF_OP_RRG) {
3598 yyerror("invalid port operator for rdr destination port");
3599 problems++;
3600 }
3601 return (-problems);
3602 }
3603
3604 int
3605 process_tabledef(char *name, struct table_opts *opts)
3606 {
3607 struct pfr_buffer ab;
3608 struct node_tinit *ti;
3609
3610 bzero(&ab, sizeof(ab));
3611 ab.pfrb_type = PFRB_ADDRS;
3612 SIMPLEQ_FOREACH(ti, &opts->init_nodes, entries) {
3613 if (ti->file)
3614 if (pfr_buf_load(&ab, ti->file, 0, append_addr)) {
3615 if (errno)
3616 yyerror("cannot load \"%s\": %s",
3617 ti->file, strerror(errno));
3618 else
3619 yyerror("file \"%s\" contains bad data",
3620 ti->file);
3621 goto _error;
3622 }
3623 if (ti->host)
3624 if (append_addr_host(&ab, ti->host, 0, 0)) {
3625 yyerror("cannot create address buffer: %s",
3626 strerror(errno));
3627 goto _error;
3628 }
3629 }
3630 if (pf->opts & PF_OPT_VERBOSE)
3631 print_tabledef(name, opts->flags, opts->init_addr,
3632 &opts->init_nodes);
3633 if (!(pf->opts & PF_OPT_NOACTION) &&
3634 pfctl_define_table(name, opts->flags, opts->init_addr,
3635 pf->anchor, pf->ruleset, &ab, pf->tticket)) {
3636 yyerror("cannot define table %s: %s", name,
3637 pfr_strerror(errno));
3638 goto _error;
3639 }
3640 pf->tdirty = 1;
3641 pfr_buf_clear(&ab);
3642 return (0);
3643 _error:
3644 pfr_buf_clear(&ab);
3645 return (-1);
3646 }
3647
3648 struct keywords {
3649 const char *k_name;
3650 int k_val;
3651 };
3652
3653 /* macro gore, but you should've seen the prior indentation nightmare... */
3654
3655 #define FREE_LIST(T,r) \
3656 do { \
3657 T *p, *node = r; \
3658 while (node != NULL) { \
3659 p = node; \
3660 node = node->next; \
3661 free(p); \
3662 } \
3663 } while (0)
3664
3665 #define LOOP_THROUGH(T,n,r,C) \
3666 do { \
3667 T *n; \
3668 if (r == NULL) { \
3669 r = calloc(1, sizeof(T)); \
3670 if (r == NULL) \
3671 err(1, "LOOP: calloc"); \
3672 r->next = NULL; \
3673 } \
3674 n = r; \
3675 while (n != NULL) { \
3676 do { \
3677 C; \
3678 } while (0); \
3679 n = n->next; \
3680 } \
3681 } while (0)
3682
3683 void
3684 expand_label_str(char *label, size_t len, const char *srch, const char *repl)
3685 {
3686 char *tmp;
3687 char *p, *q;
3688
3689 if ((tmp = calloc(1, len)) == NULL)
3690 err(1, "expand_label_str: calloc");
3691 p = q = label;
3692 while ((q = strstr(p, srch)) != NULL) {
3693 *q = '\0';
3694 if ((strlcat(tmp, p, len) >= len) ||
3695 (strlcat(tmp, repl, len) >= len))
3696 errx(1, "expand_label: label too long");
3697 q += strlen(srch);
3698 p = q;
3699 }
3700 if (strlcat(tmp, p, len) >= len)
3701 errx(1, "expand_label: label too long");
3702 strlcpy(label, tmp, len); /* always fits */
3703 free(tmp);
3704 }
3705
3706 void
3707 expand_label_if(const char *name, char *label, size_t len, const char *ifname)
3708 {
3709 if (strstr(label, name) != NULL) {
3710 if (!*ifname)
3711 expand_label_str(label, len, name, "any");
3712 else
3713 expand_label_str(label, len, name, ifname);
3714 }
3715 }
3716
3717 void
3718 expand_label_addr(const char *name, char *label, size_t len, sa_family_t af,
3719 struct node_host *h)
3720 {
3721 char tmp[64], tmp_not[66];
3722
3723 if (strstr(label, name) != NULL) {
3724 switch (h->addr.type) {
3725 case PF_ADDR_DYNIFTL:
3726 snprintf(tmp, sizeof(tmp), "(%s)", h->addr.v.ifname);
3727 break;
3728 case PF_ADDR_TABLE:
3729 snprintf(tmp, sizeof(tmp), "<%s>", h->addr.v.tblname);
3730 break;
3731 case PF_ADDR_NOROUTE:
3732 snprintf(tmp, sizeof(tmp), "no-route");
3733 break;
3734 case PF_ADDR_ADDRMASK:
3735 if (!af || (PF_AZERO(&h->addr.v.a.addr, af) &&
3736 PF_AZERO(&h->addr.v.a.mask, af)))
3737 snprintf(tmp, sizeof(tmp), "any");
3738 else {
3739 char a[48];
3740 int bits;
3741
3742 if (inet_ntop(af, &h->addr.v.a.addr, a,
3743 sizeof(a)) == NULL)
3744 snprintf(tmp, sizeof(tmp), "?");
3745 else {
3746 bits = unmask(&h->addr.v.a.mask, af);
3747 if ((af == AF_INET && bits < 32) ||
3748 (af == AF_INET6 && bits < 128))
3749 snprintf(tmp, sizeof(tmp),
3750 "%s/%d", a, bits);
3751 else
3752 snprintf(tmp, sizeof(tmp),
3753 "%s", a);
3754 }
3755 }
3756 break;
3757 default:
3758 snprintf(tmp, sizeof(tmp), "?");
3759 break;
3760 }
3761
3762 if (h->not) {
3763 snprintf(tmp_not, sizeof(tmp_not), "! %s", tmp);
3764 expand_label_str(label, len, name, tmp_not);
3765 } else
3766 expand_label_str(label, len, name, tmp);
3767 }
3768 }
3769
3770 void
3771 expand_label_port(const char *name, char *label, size_t len,
3772 struct node_port *port)
3773 {
3774 char a1[6], a2[6], op[13] = "";
3775
3776 if (strstr(label, name) != NULL) {
3777 snprintf(a1, sizeof(a1), "%u", ntohs(port->port[0]));
3778 snprintf(a2, sizeof(a2), "%u", ntohs(port->port[1]));
3779 if (!port->op)
3780 ;
3781 else if (port->op == PF_OP_IRG)
3782 snprintf(op, sizeof(op), "%s><%s", a1, a2);
3783 else if (port->op == PF_OP_XRG)
3784 snprintf(op, sizeof(op), "%s<>%s", a1, a2);
3785 else if (port->op == PF_OP_EQ)
3786 snprintf(op, sizeof(op), "%s", a1);
3787 else if (port->op == PF_OP_NE)
3788 snprintf(op, sizeof(op), "!=%s", a1);
3789 else if (port->op == PF_OP_LT)
3790 snprintf(op, sizeof(op), "<%s", a1);
3791 else if (port->op == PF_OP_LE)
3792 snprintf(op, sizeof(op), "<=%s", a1);
3793 else if (port->op == PF_OP_GT)
3794 snprintf(op, sizeof(op), ">%s", a1);
3795 else if (port->op == PF_OP_GE)
3796 snprintf(op, sizeof(op), ">=%s", a1);
3797 expand_label_str(label, len, name, op);
3798 }
3799 }
3800
3801 void
3802 expand_label_proto(const char *name, char *label, size_t len, u_int8_t proto)
3803 {
3804 struct protoent *pe;
3805 char n[4];
3806
3807 if (strstr(label, name) != NULL) {
3808 pe = getprotobynumber(proto);
3809 if (pe != NULL)
3810 expand_label_str(label, len, name, pe->p_name);
3811 else {
3812 snprintf(n, sizeof(n), "%u", proto);
3813 expand_label_str(label, len, name, n);
3814 }
3815 }
3816 }
3817
3818 void
3819 expand_label_nr(const char *name, char *label, size_t len)
3820 {
3821 char n[11];
3822
3823 if (strstr(label, name) != NULL) {
3824 snprintf(n, sizeof(n), "%u", pf->rule_nr);
3825 expand_label_str(label, len, name, n);
3826 }
3827 }
3828
3829 void
3830 expand_label(char *label, size_t len, const char *ifname, sa_family_t af,
3831 struct node_host *src_host, struct node_port *src_port,
3832 struct node_host *dst_host, struct node_port *dst_port,
3833 u_int8_t proto)
3834 {
3835 expand_label_if("$if", label, len, ifname);
3836 expand_label_addr("$srcaddr", label, len, af, src_host);
3837 expand_label_addr("$dstaddr", label, len, af, dst_host);
3838 expand_label_port("$srcport", label, len, src_port);
3839 expand_label_port("$dstport", label, len, dst_port);
3840 expand_label_proto("$proto", label, len, proto);
3841 expand_label_nr("$nr", label, len);
3842 }
3843
3844 int
3845 expand_altq(struct pf_altq *a, struct node_if *interfaces,
3846 struct node_queue *nqueues, struct node_queue_bw bwspec,
3847 struct node_queue_opt *opts)
3848 {
3849 struct pf_altq pa, pb;
3850 char qname[PF_QNAME_SIZE];
3851 struct node_queue *n;
3852 struct node_queue_bw bw;
3853 int errs = 0;
3854
3855 if ((pf->loadopt & PFCTL_FLAG_ALTQ) == 0) {
3856 FREE_LIST(struct node_if, interfaces);
3857 FREE_LIST(struct node_queue, nqueues);
3858 return (0);
3859 }
3860
3861 LOOP_THROUGH(struct node_if, interface, interfaces,
3862 memcpy(&pa, a, sizeof(struct pf_altq));
3863 if (strlcpy(pa.ifname, interface->ifname,
3864 sizeof(pa.ifname)) >= sizeof(pa.ifname))
3865 errx(1, "expand_altq: strlcpy");
3866
3867 if (interface->not) {
3868 yyerror("altq on ! <interface> is not supported");
3869 errs++;
3870 } else {
3871 if (eval_pfaltq(pf, &pa, &bwspec, opts))
3872 errs++;
3873 else
3874 if (pfctl_add_altq(pf, &pa))
3875 errs++;
3876
3877 if (pf->opts & PF_OPT_VERBOSE) {
3878 print_altq(&pf->paltq->altq, 0,
3879 &bwspec, opts);
3880 if (nqueues && nqueues->tail) {
3881 printf("queue { ");
3882 LOOP_THROUGH(struct node_queue, queue,
3883 nqueues,
3884 printf("%s ",
3885 queue->queue);
3886 );
3887 printf("}");
3888 }
3889 printf("\n");
3890 }
3891
3892 if (pa.scheduler == ALTQT_CBQ ||
3893 pa.scheduler == ALTQT_HFSC) {
3894 /* now create a root queue */
3895 memset(&pb, 0, sizeof(struct pf_altq));
3896 if (strlcpy(qname, "root_", sizeof(qname)) >=
3897 sizeof(qname))
3898 errx(1, "expand_altq: strlcpy");
3899 if (strlcat(qname, interface->ifname,
3900 sizeof(qname)) >= sizeof(qname))
3901 errx(1, "expand_altq: strlcat");
3902 if (strlcpy(pb.qname, qname,
3903 sizeof(pb.qname)) >= sizeof(pb.qname))
3904 errx(1, "expand_altq: strlcpy");
3905 if (strlcpy(pb.ifname, interface->ifname,
3906 sizeof(pb.ifname)) >= sizeof(pb.ifname))
3907 errx(1, "expand_altq: strlcpy");
3908 pb.qlimit = pa.qlimit;
3909 pb.scheduler = pa.scheduler;
3910 bw.bw_absolute = pa.ifbandwidth;
3911 bw.bw_percent = 0;
3912 if (eval_pfqueue(pf, &pb, &bw, opts))
3913 errs++;
3914 else
3915 if (pfctl_add_altq(pf, &pb))
3916 errs++;
3917 }
3918
3919 LOOP_THROUGH(struct node_queue, queue, nqueues,
3920 n = calloc(1, sizeof(struct node_queue));
3921 if (n == NULL)
3922 err(1, "expand_altq: calloc");
3923 if (pa.scheduler == ALTQT_CBQ ||
3924 pa.scheduler == ALTQT_HFSC)
3925 if (strlcpy(n->parent, qname,
3926 sizeof(n->parent)) >=
3927 sizeof(n->parent))
3928 errx(1, "expand_altq: strlcpy");
3929 if (strlcpy(n->queue, queue->queue,
3930 sizeof(n->queue)) >= sizeof(n->queue))
3931 errx(1, "expand_altq: strlcpy");
3932 if (strlcpy(n->ifname, interface->ifname,
3933 sizeof(n->ifname)) >= sizeof(n->ifname))
3934 errx(1, "expand_altq: strlcpy");
3935 n->scheduler = pa.scheduler;
3936 n->next = NULL;
3937 n->tail = n;
3938 if (queues == NULL)
3939 queues = n;
3940 else {
3941 queues->tail->next = n;
3942 queues->tail = n;
3943 }
3944 );
3945 }
3946 );
3947 FREE_LIST(struct node_if, interfaces);
3948 FREE_LIST(struct node_queue, nqueues);
3949
3950 return (errs);
3951 }
3952
3953 int
3954 expand_queue(struct pf_altq *a, struct node_if *interfaces,
3955 struct node_queue *nqueues, struct node_queue_bw bwspec,
3956 struct node_queue_opt *opts)
3957 {
3958 struct node_queue *n, *nq;
3959 struct pf_altq pa;
3960 u_int8_t found = 0;
3961 u_int8_t errs = 0;
3962
3963 if ((pf->loadopt & PFCTL_FLAG_ALTQ) == 0) {
3964 FREE_LIST(struct node_queue, nqueues);
3965 return (0);
3966 }
3967
3968 if (queues == NULL) {
3969 yyerror("queue %s has no parent", a->qname);
3970 FREE_LIST(struct node_queue, nqueues);
3971 return (1);
3972 }
3973
3974 LOOP_THROUGH(struct node_if, interface, interfaces,
3975 LOOP_THROUGH(struct node_queue, tqueue, queues,
3976 if (!strncmp(a->qname, tqueue->queue, PF_QNAME_SIZE) &&
3977 (interface->ifname[0] == 0 ||
3978 (!interface->not && !strncmp(interface->ifname,
3979 tqueue->ifname, IFNAMSIZ)) ||
3980 (interface->not && strncmp(interface->ifname,
3981 tqueue->ifname, IFNAMSIZ)))) {
3982 /* found ourself in queues */
3983 found++;
3984
3985 memcpy(&pa, a, sizeof(struct pf_altq));
3986
3987 if (pa.scheduler != ALTQT_NONE &&
3988 pa.scheduler != tqueue->scheduler) {
3989 yyerror("exactly one scheduler type "
3990 "per interface allowed");
3991 return (1);
3992 }
3993 pa.scheduler = tqueue->scheduler;
3994
3995 /* scheduler dependent error checking */
3996 switch (pa.scheduler) {
3997 case ALTQT_PRIQ:
3998 if (nqueues != NULL) {
3999 yyerror("priq queues cannot "
4000 "have child queues");
4001 return (1);
4002 }
4003 if (bwspec.bw_absolute > 0 ||
4004 bwspec.bw_percent < 100) {
4005 yyerror("priq doesn't take "
4006 "bandwidth");
4007 return (1);
4008 }
4009 break;
4010 default:
4011 break;
4012 }
4013
4014 if (strlcpy(pa.ifname, tqueue->ifname,
4015 sizeof(pa.ifname)) >= sizeof(pa.ifname))
4016 errx(1, "expand_queue: strlcpy");
4017 if (strlcpy(pa.parent, tqueue->parent,
4018 sizeof(pa.parent)) >= sizeof(pa.parent))
4019 errx(1, "expand_queue: strlcpy");
4020
4021 if (eval_pfqueue(pf, &pa, &bwspec, opts))
4022 errs++;
4023 else
4024 if (pfctl_add_altq(pf, &pa))
4025 errs++;
4026
4027 for (nq = nqueues; nq != NULL; nq = nq->next) {
4028 if (!strcmp(a->qname, nq->queue)) {
4029 yyerror("queue cannot have "
4030 "itself as child");
4031 errs++;
4032 continue;
4033 }
4034 n = calloc(1,
4035 sizeof(struct node_queue));
4036 if (n == NULL)
4037 err(1, "expand_queue: calloc");
4038 if (strlcpy(n->parent, a->qname,
4039 sizeof(n->parent)) >=
4040 sizeof(n->parent))
4041 errx(1, "expand_queue strlcpy");
4042 if (strlcpy(n->queue, nq->queue,
4043 sizeof(n->queue)) >=
4044 sizeof(n->queue))
4045 errx(1, "expand_queue strlcpy");
4046 if (strlcpy(n->ifname, tqueue->ifname,
4047 sizeof(n->ifname)) >=
4048 sizeof(n->ifname))
4049 errx(1, "expand_queue strlcpy");
4050 n->scheduler = tqueue->scheduler;
4051 n->next = NULL;
4052 n->tail = n;
4053 if (queues == NULL)
4054 queues = n;
4055 else {
4056 queues->tail->next = n;
4057 queues->tail = n;
4058 }
4059 }
4060 if ((pf->opts & PF_OPT_VERBOSE) && (
4061 (found == 1 && interface->ifname[0] == 0) ||
4062 (found > 0 && interface->ifname[0] != 0))) {
4063 print_queue(&pf->paltq->altq, 0,
4064 &bwspec, interface->ifname[0] != 0,
4065 opts);
4066 if (nqueues && nqueues->tail) {
4067 printf("{ ");
4068 LOOP_THROUGH(struct node_queue,
4069 queue, nqueues,
4070 printf("%s ",
4071 queue->queue);
4072 );
4073 printf("}");
4074 }
4075 printf("\n");
4076 }
4077 }
4078 );
4079 );
4080
4081 FREE_LIST(struct node_queue, nqueues);
4082 FREE_LIST(struct node_if, interfaces);
4083
4084 if (!found) {
4085 yyerror("queue %s has no parent", a->qname);
4086 errs++;
4087 }
4088
4089 if (errs)
4090 return (1);
4091 else
4092 return (0);
4093 }
4094
4095 void
4096 expand_rule(struct pf_rule *r,
4097 struct node_if *interfaces, struct node_host *rpool_hosts,
4098 struct node_proto *protos, struct node_os *src_oses,
4099 struct node_host *src_hosts, struct node_port *src_ports,
4100 struct node_host *dst_hosts, struct node_port *dst_ports,
4101 struct node_uid *uids, struct node_gid *gids, struct node_icmp *icmp_types)
4102 {
4103 sa_family_t af = r->af;
4104 int added = 0, error = 0;
4105 char ifname[IF_NAMESIZE];
4106 char label[PF_RULE_LABEL_SIZE];
4107 char tagname[PF_TAG_NAME_SIZE];
4108 char match_tagname[PF_TAG_NAME_SIZE];
4109 struct pf_pooladdr *pa;
4110 struct node_host *h;
4111 u_int8_t flags, flagset, keep_state;
4112
4113 if (strlcpy(label, r->label, sizeof(label)) >= sizeof(label))
4114 errx(1, "expand_rule: strlcpy");
4115 if (strlcpy(tagname, r->tagname, sizeof(tagname)) >= sizeof(tagname))
4116 errx(1, "expand_rule: strlcpy");
4117 if (strlcpy(match_tagname, r->match_tagname, sizeof(match_tagname)) >=
4118 sizeof(match_tagname))
4119 errx(1, "expand_rule: strlcpy");
4120 flags = r->flags;
4121 flagset = r->flagset;
4122 keep_state = r->keep_state;
4123
4124 LOOP_THROUGH(struct node_if, interface, interfaces,
4125 LOOP_THROUGH(struct node_proto, proto, protos,
4126 LOOP_THROUGH(struct node_icmp, icmp_type, icmp_types,
4127 LOOP_THROUGH(struct node_host, src_host, src_hosts,
4128 LOOP_THROUGH(struct node_port, src_port, src_ports,
4129 LOOP_THROUGH(struct node_os, src_os, src_oses,
4130 LOOP_THROUGH(struct node_host, dst_host, dst_hosts,
4131 LOOP_THROUGH(struct node_port, dst_port, dst_ports,
4132 LOOP_THROUGH(struct node_uid, uid, uids,
4133 LOOP_THROUGH(struct node_gid, gid, gids,
4134
4135 r->af = af;
4136 /* for link-local IPv6 address, interface must match up */
4137 if ((r->af && src_host->af && r->af != src_host->af) ||
4138 (r->af && dst_host->af && r->af != dst_host->af) ||
4139 (src_host->af && dst_host->af &&
4140 src_host->af != dst_host->af) ||
4141 (src_host->ifindex && dst_host->ifindex &&
4142 src_host->ifindex != dst_host->ifindex) ||
4143 (src_host->ifindex && *interface->ifname &&
4144 src_host->ifindex != if_nametoindex(interface->ifname)) ||
4145 (dst_host->ifindex && *interface->ifname &&
4146 dst_host->ifindex != if_nametoindex(interface->ifname)))
4147 continue;
4148 if (!r->af && src_host->af)
4149 r->af = src_host->af;
4150 else if (!r->af && dst_host->af)
4151 r->af = dst_host->af;
4152
4153 if (*interface->ifname)
4154 memcpy(r->ifname, interface->ifname, sizeof(r->ifname));
4155 else if (if_indextoname(src_host->ifindex, ifname))
4156 memcpy(r->ifname, ifname, sizeof(r->ifname));
4157 else if (if_indextoname(dst_host->ifindex, ifname))
4158 memcpy(r->ifname, ifname, sizeof(r->ifname));
4159 else
4160 memset(r->ifname, '\0', sizeof(r->ifname));
4161
4162 if (strlcpy(r->label, label, sizeof(r->label)) >=
4163 sizeof(r->label))
4164 errx(1, "expand_rule: strlcpy");
4165 if (strlcpy(r->tagname, tagname, sizeof(r->tagname)) >=
4166 sizeof(r->tagname))
4167 errx(1, "expand_rule: strlcpy");
4168 if (strlcpy(r->match_tagname, match_tagname,
4169 sizeof(r->match_tagname)) >= sizeof(r->match_tagname))
4170 errx(1, "expand_rule: strlcpy");
4171 expand_label(r->label, PF_RULE_LABEL_SIZE, r->ifname, r->af,
4172 src_host, src_port, dst_host, dst_port, proto->proto);
4173 expand_label(r->tagname, PF_TAG_NAME_SIZE, r->ifname, r->af,
4174 src_host, src_port, dst_host, dst_port, proto->proto);
4175 expand_label(r->match_tagname, PF_TAG_NAME_SIZE, r->ifname,
4176 r->af, src_host, src_port, dst_host, dst_port,
4177 proto->proto);
4178
4179 error += check_netmask(src_host, r->af);
4180 error += check_netmask(dst_host, r->af);
4181
4182 r->ifnot = interface->not;
4183 r->proto = proto->proto;
4184 r->src.addr = src_host->addr;
4185 r->src.not = src_host->not;
4186 r->src.port[0] = src_port->port[0];
4187 r->src.port[1] = src_port->port[1];
4188 r->src.port_op = src_port->op;
4189 r->dst.addr = dst_host->addr;
4190 r->dst.not = dst_host->not;
4191 r->dst.port[0] = dst_port->port[0];
4192 r->dst.port[1] = dst_port->port[1];
4193 r->dst.port_op = dst_port->op;
4194 r->uid.op = uid->op;
4195 r->uid.uid[0] = uid->uid[0];
4196 r->uid.uid[1] = uid->uid[1];
4197 r->gid.op = gid->op;
4198 r->gid.gid[0] = gid->gid[0];
4199 r->gid.gid[1] = gid->gid[1];
4200 r->type = icmp_type->type;
4201 r->code = icmp_type->code;
4202
4203 if ((keep_state == PF_STATE_MODULATE ||
4204 keep_state == PF_STATE_SYNPROXY) &&
4205 r->proto && r->proto != IPPROTO_TCP)
4206 r->keep_state = PF_STATE_NORMAL;
4207 else
4208 r->keep_state = keep_state;
4209
4210 if (r->proto && r->proto != IPPROTO_TCP) {
4211 r->flags = 0;
4212 r->flagset = 0;
4213 } else {
4214 r->flags = flags;
4215 r->flagset = flagset;
4216 }
4217 if (icmp_type->proto && r->proto != icmp_type->proto) {
4218 yyerror("icmp-type mismatch");
4219 error++;
4220 }
4221
4222 if (src_os && src_os->os) {
4223 r->os_fingerprint = pfctl_get_fingerprint(src_os->os);
4224 if ((pf->opts & PF_OPT_VERBOSE2) &&
4225 r->os_fingerprint == PF_OSFP_NOMATCH)
4226 fprintf(stderr,
4227 "warning: unknown '%s' OS fingerprint\n",
4228 src_os->os);
4229 } else {
4230 r->os_fingerprint = PF_OSFP_ANY;
4231 }
4232
4233 TAILQ_INIT(&r->rpool.list);
4234 for (h = rpool_hosts; h != NULL; h = h->next) {
4235 pa = calloc(1, sizeof(struct pf_pooladdr));
4236 if (pa == NULL)
4237 err(1, "expand_rule: calloc");
4238 pa->addr = h->addr;
4239 if (h->ifname != NULL) {
4240 if (strlcpy(pa->ifname, h->ifname,
4241 sizeof(pa->ifname)) >=
4242 sizeof(pa->ifname))
4243 errx(1, "expand_rule: strlcpy");
4244 } else
4245 pa->ifname[0] = 0;
4246 TAILQ_INSERT_TAIL(&r->rpool.list, pa, entries);
4247 }
4248
4249 if (rule_consistent(r) < 0 || error)
4250 yyerror("skipping rule due to errors");
4251 else {
4252 r->nr = pf->rule_nr++;
4253 pfctl_add_rule(pf, r);
4254 added++;
4255 }
4256
4257 ))))))))));
4258
4259 FREE_LIST(struct node_if, interfaces);
4260 FREE_LIST(struct node_proto, protos);
4261 FREE_LIST(struct node_host, src_hosts);
4262 FREE_LIST(struct node_port, src_ports);
4263 FREE_LIST(struct node_os, src_oses);
4264 FREE_LIST(struct node_host, dst_hosts);
4265 FREE_LIST(struct node_port, dst_ports);
4266 FREE_LIST(struct node_uid, uids);
4267 FREE_LIST(struct node_gid, gids);
4268 FREE_LIST(struct node_icmp, icmp_types);
4269 FREE_LIST(struct node_host, rpool_hosts);
4270
4271 if (!added)
4272 yyerror("rule expands to no valid combination");
4273 }
4274
4275 #undef FREE_LIST
4276 #undef LOOP_THROUGH
4277
4278 int
4279 check_rulestate(int desired_state)
4280 {
4281 if (require_order && (rulestate > desired_state)) {
4282 yyerror("Rules must be in order: options, normalization, "
4283 "queueing, translation, filtering");
4284 return (1);
4285 }
4286 rulestate = desired_state;
4287 return (0);
4288 }
4289
4290 int
4291 kw_cmp(const void *k, const void *e)
4292 {
4293 return (strcmp(k, ((const struct keywords *)e)->k_name));
4294 }
4295
4296 int
4297 lookup(char *s)
4298 {
4299 /* this has to be sorted always */
4300 static const struct keywords keywords[] = {
4301 { "all", ALL},
4302 { "allow-opts", ALLOWOPTS},
4303 { "altq", ALTQ},
4304 { "anchor", ANCHOR},
4305 { "antispoof", ANTISPOOF},
4306 { "any", ANY},
4307 { "bandwidth", BANDWIDTH},
4308 { "binat", BINAT},
4309 { "binat-anchor", BINATANCHOR},
4310 { "bitmask", BITMASK},
4311 { "block", BLOCK},
4312 { "block-policy", BLOCKPOLICY},
4313 { "cbq", CBQ},
4314 { "code", CODE},
4315 { "crop", FRAGCROP},
4316 { "debug", DEBUG},
4317 { "drop", DROP},
4318 { "drop-ovl", FRAGDROP},
4319 { "dup-to", DUPTO},
4320 { "fastroute", FASTROUTE},
4321 { "file", FILENAME},
4322 { "fingerprints", FINGERPRINTS},
4323 { "flags", FLAGS},
4324 { "floating", FLOATING},
4325 { "for", FOR},
4326 { "fragment", FRAGMENT},
4327 { "from", FROM},
4328 { "global", GLOBAL},
4329 { "group", GROUP},
4330 { "group-bound", GRBOUND},
4331 { "hfsc", HFSC},
4332 { "hostid", HOSTID},
4333 { "icmp-type", ICMPTYPE},
4334 { "icmp6-type", ICMP6TYPE},
4335 { "if-bound", IFBOUND},
4336 { "in", IN},
4337 { "inet", INET},
4338 { "inet6", INET6},
4339 { "keep", KEEP},
4340 { "label", LABEL},
4341 { "limit", LIMIT},
4342 { "linkshare", LINKSHARE},
4343 { "load", LOAD},
4344 { "log", LOG},
4345 { "log-all", LOGALL},
4346 { "loginterface", LOGINTERFACE},
4347 { "max", MAXIMUM},
4348 { "max-mss", MAXMSS},
4349 { "max-src-nodes", MAXSRCNODES},
4350 { "max-src-states", MAXSRCSTATES},
4351 { "min-ttl", MINTTL},
4352 { "modulate", MODULATE},
4353 { "nat", NAT},
4354 { "nat-anchor", NATANCHOR},
4355 { "no", NO},
4356 { "no-df", NODF},
4357 { "no-route", NOROUTE},
4358 { "no-sync", NOSYNC},
4359 { "on", ON},
4360 { "optimization", OPTIMIZATION},
4361 { "os", OS},
4362 { "out", OUT},
4363 { "pass", PASS},
4364 { "port", PORT},
4365 { "priority", PRIORITY},
4366 { "priq", PRIQ},
4367 { "proto", PROTO},
4368 { "qlimit", QLIMIT},
4369 { "queue", QUEUE},
4370 { "quick", QUICK},
4371 { "random", RANDOM},
4372 { "random-id", RANDOMID},
4373 { "rdr", RDR},
4374 { "rdr-anchor", RDRANCHOR},
4375 { "realtime", REALTIME},
4376 { "reassemble", REASSEMBLE},
4377 { "reply-to", REPLYTO},
4378 { "require-order", REQUIREORDER},
4379 { "return", RETURN},
4380 { "return-icmp", RETURNICMP},
4381 { "return-icmp6", RETURNICMP6},
4382 { "return-rst", RETURNRST},
4383 { "round-robin", ROUNDROBIN},
4384 { "route-to", ROUTETO},
4385 { "rule", RULE},
4386 { "scrub", SCRUB},
4387 { "set", SET},
4388 { "source-hash", SOURCEHASH},
4389 { "source-track", SOURCETRACK},
4390 { "state", STATE},
4391 { "state-policy", STATEPOLICY},
4392 { "static-port", STATICPORT},
4393 { "sticky-address", STICKYADDRESS},
4394 { "synproxy", SYNPROXY},
4395 { "table", TABLE},
4396 { "tag", TAG},
4397 { "tagged", TAGGED},
4398 { "tbrsize", TBRSIZE},
4399 { "timeout", TIMEOUT},
4400 { "to", TO},
4401 { "tos", TOS},
4402 { "ttl", TTL},
4403 { "upperlimit", UPPERLIMIT},
4404 { "user", USER},
4405 };
4406 const struct keywords *p;
4407
4408 p = bsearch(s, keywords, sizeof(keywords)/sizeof(keywords[0]),
4409 sizeof(keywords[0]), kw_cmp);
4410
4411 if (p) {
4412 if (debug > 1)
4413 fprintf(stderr, "%s: %d\n", s, p->k_val);
4414 return (p->k_val);
4415 } else {
4416 if (debug > 1)
4417 fprintf(stderr, "string: %s\n", s);
4418 return (STRING);
4419 }
4420 }
4421
4422 #define MAXPUSHBACK 128
4423
4424 char *parsebuf;
4425 int parseindex;
4426 char pushback_buffer[MAXPUSHBACK];
4427 int pushback_index = 0;
4428
4429 int
4430 lgetc(FILE *f)
4431 {
4432 int c, next;
4433
4434 if (parsebuf) {
4435 /* Read character from the parsebuffer instead of input. */
4436 if (parseindex >= 0) {
4437 c = parsebuf[parseindex++];
4438 if (c != '\0')
4439 return (c);
4440 parsebuf = NULL;
4441 } else
4442 parseindex++;
4443 }
4444
4445 if (pushback_index)
4446 return (pushback_buffer[--pushback_index]);
4447
4448 while ((c = getc(f)) == '\\') {
4449 next = getc(f);
4450 if (next != '\n') {
4451 if (isspace(next))
4452 yyerror("whitespace after \\");
4453 ungetc(next, f);
4454 break;
4455 }
4456 yylval.lineno = lineno;
4457 lineno++;
4458 }
4459 if (c == '\t' || c == ' ') {
4460 /* Compress blanks to a single space. */
4461 do {
4462 c = getc(f);
4463 } while (c == '\t' || c == ' ');
4464 ungetc(c, f);
4465 c = ' ';
4466 }
4467
4468 return (c);
4469 }
4470
4471 int
4472 lungetc(int c)
4473 {
4474 if (c == EOF)
4475 return (EOF);
4476 if (parsebuf) {
4477 parseindex--;
4478 if (parseindex >= 0)
4479 return (c);
4480 }
4481 if (pushback_index < MAXPUSHBACK-1)
4482 return (pushback_buffer[pushback_index++] = c);
4483 else
4484 return (EOF);
4485 }
4486
4487 int
4488 findeol(void)
4489 {
4490 int c;
4491
4492 parsebuf = NULL;
4493 pushback_index = 0;
4494
4495 /* skip to either EOF or the first real EOL */
4496 while (1) {
4497 c = lgetc(fin);
4498 if (c == '\n') {
4499 lineno++;
4500 break;
4501 }
4502 if (c == EOF)
4503 break;
4504 }
4505 return (ERROR);
4506 }
4507
4508 int
4509 yylex(void)
4510 {
4511 char buf[8096];
4512 char *p, *val;
4513 int endc, c, next;
4514 int token;
4515
4516 top:
4517 p = buf;
4518 while ((c = lgetc(fin)) == ' ')
4519 ; /* nothing */
4520
4521 yylval.lineno = lineno;
4522 if (c == '#')
4523 while ((c = lgetc(fin)) != '\n' && c != EOF)
4524 ; /* nothing */
4525 if (c == '$' && parsebuf == NULL) {
4526 while (1) {
4527 if ((c = lgetc(fin)) == EOF)
4528 return (0);
4529
4530 if (p + 1 >= buf + sizeof(buf) - 1) {
4531 yyerror("string too long");
4532 return (findeol());
4533 }
4534 if (isalnum(c) || c == '_') {
4535 *p++ = (char)c;
4536 continue;
4537 }
4538 *p = '\0';
4539 lungetc(c);
4540 break;
4541 }
4542 val = symget(buf);
4543 if (val == NULL) {
4544 yyerror("macro '%s' not defined", buf);
4545 return (findeol());
4546 }
4547 parsebuf = val;
4548 parseindex = 0;
4549 goto top;
4550 }
4551
4552 switch (c) {
4553 case '\'':
4554 case '"':
4555 endc = c;
4556 while (1) {
4557 if ((c = lgetc(fin)) == EOF)
4558 return (0);
4559 if (c == endc) {
4560 *p = '\0';
4561 break;
4562 }
4563 if (c == '\n') {
4564 lineno++;
4565 continue;
4566 }
4567 if (p + 1 >= buf + sizeof(buf) - 1) {
4568 yyerror("string too long");
4569 return (findeol());
4570 }
4571 *p++ = (char)c;
4572 }
4573 yylval.v.string = strdup(buf);
4574 if (yylval.v.string == NULL)
4575 err(1, "yylex: strdup");
4576 return (STRING);
4577 case '<':
4578 next = lgetc(fin);
4579 if (next == '>') {
4580 yylval.v.i = PF_OP_XRG;
4581 return (PORTBINARY);
4582 }
4583 lungetc(next);
4584 break;
4585 case '>':
4586 next = lgetc(fin);
4587 if (next == '<') {
4588 yylval.v.i = PF_OP_IRG;
4589 return (PORTBINARY);
4590 }
4591 lungetc(next);
4592 break;
4593 case '-':
4594 next = lgetc(fin);
4595 if (next == '>')
4596 return (ARROW);
4597 lungetc(next);
4598 break;
4599 }
4600
4601 #define allowed_in_string(x) \
4602 (isalnum(x) || (ispunct(x) && x != '(' && x != ')' && \
4603 x != '{' && x != '}' && x != '<' && x != '>' && \
4604 x != '!' && x != '=' && x != '/' && x != '#' && \
4605 x != ','))
4606
4607 if (isalnum(c) || c == ':' || c == '_') {
4608 do {
4609 *p++ = c;
4610 if ((unsigned)(p-buf) >= sizeof(buf)) {
4611 yyerror("string too long");
4612 return (findeol());
4613 }
4614 } while ((c = lgetc(fin)) != EOF && (allowed_in_string(c)));
4615 lungetc(c);
4616 *p = '\0';
4617 if ((token = lookup(buf)) == STRING)
4618 if ((yylval.v.string = strdup(buf)) == NULL)
4619 err(1, "yylex: strdup");
4620 return (token);
4621 }
4622 if (c == '\n') {
4623 yylval.lineno = lineno;
4624 lineno++;
4625 }
4626 if (c == EOF)
4627 return (0);
4628 return (c);
4629 }
4630
4631 int
4632 parse_rules(FILE *input, struct pfctl *xpf)
4633 {
4634 struct sym *sym, *next;
4635
4636 fin = input;
4637 pf = xpf;
4638 lineno = 1;
4639 errors = 0;
4640 rulestate = PFCTL_STATE_NONE;
4641 returnicmpdefault = (ICMP_UNREACH << 8) | ICMP_UNREACH_PORT;
4642 returnicmp6default =
4643 (ICMP6_DST_UNREACH << 8) | ICMP6_DST_UNREACH_NOPORT;
4644 blockpolicy = PFRULE_DROP;
4645 require_order = 1;
4646
4647 yyparse();
4648
4649 /* Free macros and check which have not been used. */
4650 for (sym = TAILQ_FIRST(&symhead); sym != NULL; sym = next) {
4651 next = TAILQ_NEXT(sym, entries);
4652 if ((pf->opts & PF_OPT_VERBOSE2) && !sym->used)
4653 fprintf(stderr, "warning: macro '%s' not "
4654 "used\n", sym->nam);
4655 free(sym->nam);
4656 free(sym->val);
4657 TAILQ_REMOVE(&symhead, sym, entries);
4658 free(sym);
4659 }
4660
4661 return (errors ? -1 : 0);
4662 }
4663
4664 /*
4665 * Over-designed efficiency is a French and German concept, so how about
4666 * we wait until they discover this ugliness and make it all fancy.
4667 */
4668 int
4669 symset(const char *nam, const char *val, int persist)
4670 {
4671 struct sym *sym;
4672
4673 for (sym = TAILQ_FIRST(&symhead); sym && strcmp(nam, sym->nam);
4674 sym = TAILQ_NEXT(sym, entries))
4675 ; /* nothing */
4676
4677 if (sym != NULL) {
4678 if (sym->persist == 1)
4679 return (0);
4680 else {
4681 free(sym->nam);
4682 free(sym->val);
4683 TAILQ_REMOVE(&symhead, sym, entries);
4684 free(sym);
4685 }
4686 }
4687 if ((sym = calloc(1, sizeof(*sym))) == NULL)
4688 return (-1);
4689
4690 sym->nam = strdup(nam);
4691 if (sym->nam == NULL) {
4692 free(sym);
4693 return (-1);
4694 }
4695 sym->val = strdup(val);
4696 if (sym->val == NULL) {
4697 free(sym->nam);
4698 free(sym);
4699 return (-1);
4700 }
4701 sym->used = 0;
4702 sym->persist = persist;
4703 TAILQ_INSERT_TAIL(&symhead, sym, entries);
4704 return (0);
4705 }
4706
4707 int
4708 pfctl_cmdline_symset(char *s)
4709 {
4710 char *sym, *val;
4711 int ret;
4712
4713 if ((val = strrchr(s, '=')) == NULL)
4714 return (-1);
4715
4716 if ((sym = malloc(strlen(s) - strlen(val) + 1)) == NULL)
4717 err(1, "pfctl_cmdline_symset: malloc");
4718
4719 strlcpy(sym, s, strlen(s) - strlen(val) + 1);
4720
4721 ret = symset(sym, val + 1, 1);
4722 free(sym);
4723
4724 return (ret);
4725 }
4726
4727 char *
4728 symget(const char *nam)
4729 {
4730 struct sym *sym;
4731
4732 TAILQ_FOREACH(sym, &symhead, entries)
4733 if (strcmp(nam, sym->nam) == 0) {
4734 sym->used = 1;
4735 return (sym->val);
4736 }
4737 return (NULL);
4738 }
4739
4740 void
4741 decide_address_family(struct node_host *n, sa_family_t *af)
4742 {
4743 sa_family_t target_af = 0;
4744
4745 while (!*af && n != NULL) {
4746 if (n->af) {
4747 if (target_af == 0)
4748 target_af = n->af;
4749 if (target_af != n->af)
4750 return;
4751 }
4752 n = n->next;
4753 }
4754 if (!*af && target_af)
4755 *af = target_af;
4756 }
4757
4758 void
4759 remove_invalid_hosts(struct node_host **nh, sa_family_t *af)
4760 {
4761 struct node_host *n = *nh, *prev = NULL;
4762
4763 while (n != NULL) {
4764 if (*af && n->af && n->af != *af) {
4765 /* unlink and free n */
4766 struct node_host *next = n->next;
4767
4768 /* adjust tail pointer */
4769 if (n == (*nh)->tail)
4770 (*nh)->tail = prev;
4771 /* adjust previous node's next pointer */
4772 if (prev == NULL)
4773 *nh = next;
4774 else
4775 prev->next = next;
4776 /* free node */
4777 if (n->ifname != NULL)
4778 free(n->ifname);
4779 free(n);
4780 n = next;
4781 } else {
4782 if (n->af && !*af)
4783 *af = n->af;
4784 prev = n;
4785 n = n->next;
4786 }
4787 }
4788 }
4789
4790 int
4791 invalid_redirect(struct node_host *nh, sa_family_t af)
4792 {
4793 if (!af) {
4794 struct node_host *n;
4795
4796 /* tables and dyniftl are ok without an address family */
4797 for (n = nh; n != NULL; n = n->next) {
4798 if (n->addr.type != PF_ADDR_TABLE &&
4799 n->addr.type != PF_ADDR_DYNIFTL) {
4800 yyerror("address family not given and "
4801 "translation address expands to multiple "
4802 "address families");
4803 return (1);
4804 }
4805 }
4806 }
4807 if (nh == NULL) {
4808 yyerror("no translation address with matching address family "
4809 "found.");
4810 return (1);
4811 }
4812 return (0);
4813 }
4814
4815 int
4816 atoul(char *s, u_long *ulvalp)
4817 {
4818 u_long ulval;
4819 char *ep;
4820
4821 errno = 0;
4822 ulval = strtoul(s, &ep, 0);
4823 if (s[0] == '\0' || *ep != '\0')
4824 return (-1);
4825 if (errno == ERANGE && ulval == ULONG_MAX)
4826 return (-1);
4827 *ulvalp = ulval;
4828 return (0);
4829 }
4830
4831 int
4832 getservice(char *n)
4833 {
4834 struct servent *s;
4835 u_long ulval;
4836
4837 if (atoul(n, &ulval) == 0) {
4838 if (ulval > 65535) {
4839 yyerror("illegal port value %d", ulval);
4840 return (-1);
4841 }
4842 return (htons(ulval));
4843 } else {
4844 s = getservbyname(n, "tcp");
4845 if (s == NULL)
4846 s = getservbyname(n, "udp");
4847 if (s == NULL) {
4848 yyerror("unknown port %s", n);
4849 return (-1);
4850 }
4851 return (s->s_port);
4852 }
4853 }
4854
4855 int
4856 rule_label(struct pf_rule *r, char *s)
4857 {
4858 if (s) {
4859 if (strlcpy(r->label, s, sizeof(r->label)) >=
4860 sizeof(r->label)) {
4861 yyerror("rule label too long (max %d chars)",
4862 sizeof(r->label)-1);
4863 return (-1);
4864 }
4865 }
4866 return (0);
4867 }
4868
4869 u_int16_t
4870 parseicmpspec(char *w, sa_family_t af)
4871 {
4872 const struct icmpcodeent *p;
4873 u_long ulval;
4874 u_int8_t icmptype;
4875
4876 if (af == AF_INET)
4877 icmptype = returnicmpdefault >> 8;
4878 else
4879 icmptype = returnicmp6default >> 8;
4880
4881 if (atoul(w, &ulval) == -1) {
4882 if ((p = geticmpcodebyname(icmptype, w, af)) == NULL) {
4883 yyerror("unknown icmp code %s", w);
4884 return (0);
4885 }
4886 ulval = p->code;
4887 }
4888 if (ulval > 255) {
4889 yyerror("invalid icmp code %ld", ulval);
4890 return (0);
4891 }
4892 return (icmptype << 8 | ulval);
4893 }
4894
4895 int
4896 pfctl_load_anchors(int dev, int opts, struct pfr_buffer *trans)
4897 {
4898 struct loadanchors *la;
4899
4900 TAILQ_FOREACH(la, &loadanchorshead, entries) {
4901 if (opts & PF_OPT_VERBOSE)
4902 fprintf(stderr, "\nLoading anchor %s:%s from %s\n",
4903 la->anchorname, la->rulesetname, la->filename);
4904 if (pfctl_rules(dev, la->filename, opts, la->anchorname,
4905 la->rulesetname, trans) == -1)
4906 return (-1);
4907 }
4908
4909 return (0);
4910 }
4911
DragonFly BSD