search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
hack(6): Update gethdate().
[dragonfly.git] / usr.sbin / pfctl / parse.y
blob47cbc486ba07d2c0456ebbac855e30d93d2bf516
1 /* $OpenBSD: parse.y,v 1.549 2008/07/03 16:09:34 deraadt Exp $ */
2
3 /*
4 * Copyright (c) 2001 Markus Friedl. All rights reserved.
5 * Copyright (c) 2001 Daniel Hartmeier. All rights reserved.
6 * Copyright (c) 2001 Theo de Raadt. All rights reserved.
7 * Copyright (c) 2002,2003 Henning Brauer. All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 */
29 %{
30 #include <sys/types.h>
31 #include <sys/socket.h>
32 #include <sys/stat.h>
33 #include <net/if.h>
34 #include <netinet/in.h>
35 #include <netinet/in_systm.h>
36 #include <netinet/ip.h>
37 #include <netinet/ip_icmp.h>
38 #include <netinet/icmp6.h>
39 #include <net/pf/pfvar.h>
40 #include <arpa/inet.h>
41 #include <net/altq/altq.h>
42 #include <net/altq/altq_cbq.h>
43 #include <net/altq/altq_priq.h>
44 #include <net/altq/altq_hfsc.h>
45 #include <net/altq/altq_fairq.h>
46
47 #include <stdio.h>
48 #include <unistd.h>
49 #include <stdlib.h>
50 #include <netdb.h>
51 #include <stdarg.h>
52 #include <errno.h>
53 #include <string.h>
54 #include <ctype.h>
55 #include <math.h>
56 #include <err.h>
57 #include <limits.h>
58 #include <pwd.h>
59 #include <grp.h>
60 #include <md5.h>
61 #include <inttypes.h>
62
63 #include "pfctl_parser.h"
64 #include "pfctl.h"
65
66 static struct pfctl *pf = NULL;
67 static int debug = 0;
68 static int rulestate = 0;
69 static u_int16_t returnicmpdefault =
70 (ICMP_UNREACH << 8) | ICMP_UNREACH_PORT;
71 static u_int16_t returnicmp6default =
72 (ICMP6_DST_UNREACH << 8) | ICMP6_DST_UNREACH_NOPORT;
73 static int blockpolicy = PFRULE_DROP;
74 static int require_order = 1;
75 static int default_statelock;
76 static int default_keeppolicy_action;
77 static struct node_state_opt *default_keeppolicy_options;
78
79 TAILQ_HEAD(files, file) files = TAILQ_HEAD_INITIALIZER(files);
80 static struct file {
81 TAILQ_ENTRY(file) entry;
82 FILE *stream;
83 char *name;
84 int lineno;
85 int errors;
86 } *file;
87 struct file *pushfile(const char *, int);
88 int popfile(void);
89 int check_file_secrecy(int, const char *);
90 int yylex(void);
91 int yyerror(const char *, ...) __printflike(1, 2);
92 int kw_cmp(const void *, const void *);
93 int lookup(char *);
94 int lgetc(int);
95 int lungetc(int);
96 int findeol(void);
97
98 TAILQ_HEAD(symhead, sym) symhead = TAILQ_HEAD_INITIALIZER(symhead);
99 struct sym {
100 TAILQ_ENTRY(sym) entry;
101 int used;
102 int persist;
103 char *nam;
104 char *val;
105 };
106 int symset(const char *, const char *, int);
107 char *symget(const char *);
108
109 int atoul(char *, u_long *);
110
111 enum {
112 PFCTL_STATE_NONE,
113 PFCTL_STATE_OPTION,
114 PFCTL_STATE_SCRUB,
115 PFCTL_STATE_QUEUE,
116 PFCTL_STATE_NAT,
117 PFCTL_STATE_FILTER
118 };
119
120 struct node_proto {
121 u_int8_t proto;
122 struct node_proto *next;
123 struct node_proto *tail;
124 };
125
126 struct node_port {
127 u_int16_t port[2];
128 u_int8_t op;
129 struct node_port *next;
130 struct node_port *tail;
131 };
132
133 struct node_uid {
134 uid_t uid[2];
135 u_int8_t op;
136 struct node_uid *next;
137 struct node_uid *tail;
138 };
139
140 struct node_gid {
141 gid_t gid[2];
142 u_int8_t op;
143 struct node_gid *next;
144 struct node_gid *tail;
145 };
146
147 struct node_icmp {
148 u_int8_t code;
149 u_int8_t type;
150 u_int8_t proto;
151 struct node_icmp *next;
152 struct node_icmp *tail;
153 };
154
155 enum { PF_STATE_OPT_MAX, PF_STATE_OPT_NOSYNC, PF_STATE_OPT_SRCTRACK,
156 PF_STATE_OPT_MAX_SRC_STATES, PF_STATE_OPT_MAX_SRC_CONN,
157 PF_STATE_OPT_MAX_SRC_CONN_RATE, PF_STATE_OPT_MAX_SRC_NODES,
158 PF_STATE_OPT_OVERLOAD, PF_STATE_OPT_STATELOCK,
159 PF_STATE_OPT_TIMEOUT, PF_STATE_OPT_SLOPPY, PF_STATE_OPT_PICKUPS };
160
161 enum { PF_SRCTRACK_NONE, PF_SRCTRACK, PF_SRCTRACK_GLOBAL, PF_SRCTRACK_RULE };
162
163 struct node_state_opt {
164 int type;
165 union {
166 u_int32_t max_states;
167 u_int32_t max_src_states;
168 u_int32_t max_src_conn;
169 struct {
170 u_int32_t limit;
171 u_int32_t seconds;
172 } max_src_conn_rate;
173 struct {
174 u_int8_t flush;
175 char tblname[PF_TABLE_NAME_SIZE];
176 } overload;
177 u_int32_t max_src_nodes;
178 u_int8_t src_track;
179 u_int8_t pickup_mode;
180 u_int32_t statelock;
181 struct {
182 int number;
183 u_int32_t seconds;
184 } timeout;
185 } data;
186 struct node_state_opt *next;
187 struct node_state_opt *tail;
188 };
189
190 struct peer {
191 struct node_host *host;
192 struct node_port *port;
193 };
194
195 struct node_queue {
196 char queue[PF_QNAME_SIZE];
197 char parent[PF_QNAME_SIZE];
198 char ifname[IFNAMSIZ];
199 int scheduler;
200 struct node_queue *next;
201 struct node_queue *tail;
202 } *queues = NULL;
203
204 struct node_qassign {
205 char *qname;
206 char *pqname;
207 };
208
209 struct filter_opts {
210 int marker;
211 #define FOM_FLAGS 0x01
212 #define FOM_ICMP 0x02
213 #define FOM_TOS 0x04
214 #define FOM_KEEP 0x08
215 #define FOM_SRCTRACK 0x10
216 struct node_uid *uid;
217 struct node_gid *gid;
218 struct {
219 u_int8_t b1;
220 u_int8_t b2;
221 u_int16_t w;
222 u_int16_t w2;
223 } flags;
224 struct node_icmp *icmpspec;
225 u_int32_t tos;
226 u_int32_t prob;
227 struct {
228 int action;
229 struct node_state_opt *options;
230 } keep;
231 int fragment;
232 int allowopts;
233 char *label;
234 struct node_qassign queues;
235 char *tag;
236 char *match_tag;
237 u_int8_t match_tag_not;
238 u_int rtableid;
239 struct {
240 struct node_host *addr;
241 u_int16_t port;
242 } divert;
243 } filter_opts;
244
245 struct antispoof_opts {
246 char *label;
247 u_int rtableid;
248 } antispoof_opts;
249
250 struct scrub_opts {
251 int marker;
252 #define SOM_MINTTL 0x01
253 #define SOM_MAXMSS 0x02
254 #define SOM_FRAGCACHE 0x04
255 #define SOM_SETTOS 0x08
256 int nodf;
257 int minttl;
258 int maxmss;
259 int settos;
260 int fragcache;
261 int randomid;
262 int reassemble_tcp;
263 char *match_tag;
264 u_int8_t match_tag_not;
265 u_int rtableid;
266 } scrub_opts;
267
268 struct queue_opts {
269 int marker;
270 #define QOM_BWSPEC 0x01
271 #define QOM_SCHEDULER 0x02
272 #define QOM_PRIORITY 0x04
273 #define QOM_TBRSIZE 0x08
274 #define QOM_QLIMIT 0x10
275 struct node_queue_bw queue_bwspec;
276 struct node_queue_opt scheduler;
277 int priority;
278 int tbrsize;
279 int qlimit;
280 } queue_opts;
281
282 struct table_opts {
283 int flags;
284 int init_addr;
285 struct node_tinithead init_nodes;
286 } table_opts;
287
288 struct pool_opts {
289 int marker;
290 #define POM_TYPE 0x01
291 #define POM_STICKYADDRESS 0x02
292 u_int8_t opts;
293 int type;
294 int staticport;
295 struct pf_poolhashkey *key;
296
297 } pool_opts;
298
299
300 struct node_hfsc_opts hfsc_opts;
301 struct node_fairq_opts fairq_opts;
302
303 int disallow_table(struct node_host *, const char *);
304 int disallow_urpf_failed(struct node_host *, const char *);
305 int disallow_alias(struct node_host *, const char *);
306 int rule_consistent(struct pf_rule *, int);
307 int filter_consistent(struct pf_rule *, int);
308 int nat_consistent(struct pf_rule *);
309 int rdr_consistent(struct pf_rule *);
310 int process_tabledef(char *, struct table_opts *);
311 void expand_label_str(char *, size_t, const char *, const char *);
312 void expand_label_if(const char *, char *, size_t, const char *);
313 void expand_label_addr(const char *, char *, size_t, u_int8_t,
314 struct node_host *);
315 void expand_label_port(const char *, char *, size_t,
316 struct node_port *);
317 void expand_label_proto(const char *, char *, size_t, u_int8_t);
318 void expand_label_nr(const char *, char *, size_t);
319 void expand_label(char *, size_t, const char *, u_int8_t,
320 struct node_host *, struct node_port *, struct node_host *,
321 struct node_port *, u_int8_t);
322 void expand_rule(struct pf_rule *, struct node_if *,
323 struct node_host *, struct node_proto *, struct node_os *,
324 struct node_host *, struct node_port *, struct node_host *,
325 struct node_port *, struct node_uid *, struct node_gid *,
326 struct node_icmp *, const char *);
327 int expand_altq(struct pf_altq *, struct node_if *,
328 struct node_queue *, struct node_queue_bw bwspec,
329 struct node_queue_opt *);
330 int expand_queue(struct pf_altq *, struct node_if *,
331 struct node_queue *, struct node_queue_bw,
332 struct node_queue_opt *);
333 int expand_skip_interface(struct node_if *);
334
335 int check_rulestate(int);
336 int getservice(char *);
337 int rule_label(struct pf_rule *, char *);
338
339 void mv_rules(struct pf_ruleset *, struct pf_ruleset *);
340 void decide_address_family(struct node_host *, sa_family_t *);
341 void remove_invalid_hosts(struct node_host **, sa_family_t *);
342 int invalid_redirect(struct node_host *, sa_family_t);
343 u_int16_t parseicmpspec(char *, sa_family_t);
344
345 TAILQ_HEAD(loadanchorshead, loadanchors)
346 loadanchorshead = TAILQ_HEAD_INITIALIZER(loadanchorshead);
347
348 struct loadanchors {
349 TAILQ_ENTRY(loadanchors) entries;
350 char *anchorname;
351 char *filename;
352 };
353
354 typedef struct {
355 union {
356 int64_t number;
357 double probability;
358 int i;
359 char *string;
360 u_int rtableid;
361 struct {
362 u_int8_t b1;
363 u_int8_t b2;
364 u_int16_t w;
365 u_int16_t w2;
366 } b;
367 struct range {
368 int a;
369 int b;
370 int t;
371 } range;
372 struct node_if *interface;
373 struct node_proto *proto;
374 struct node_icmp *icmp;
375 struct node_host *host;
376 struct node_os *os;
377 struct node_port *port;
378 struct node_uid *uid;
379 struct node_gid *gid;
380 struct node_state_opt *state_opt;
381 struct peer peer;
382 struct {
383 struct peer src, dst;
384 struct node_os *src_os;
385 } fromto;
386 struct {
387 struct node_host *host;
388 u_int8_t rt;
389 u_int8_t pool_opts;
390 sa_family_t af;
391 struct pf_poolhashkey *key;
392 } route;
393 struct redirection {
394 struct node_host *host;
395 struct range rport;
396 } *redirection;
397 struct {
398 int action;
399 struct node_state_opt *options;
400 } keep_state;
401 struct {
402 u_int8_t log;
403 u_int8_t logif;
404 u_int8_t quick;
405 } logquick;
406 struct {
407 int neg;
408 char *name;
409 } tagged;
410 struct pf_poolhashkey *hashkey;
411 struct node_queue *queue;
412 struct node_queue_opt queue_options;
413 struct node_queue_bw queue_bwspec;
414 struct node_qassign qassign;
415 struct filter_opts filter_opts;
416 struct antispoof_opts antispoof_opts;
417 struct queue_opts queue_opts;
418 struct scrub_opts scrub_opts;
419 struct table_opts table_opts;
420 struct pool_opts pool_opts;
421 struct node_hfsc_opts hfsc_opts;
422 struct node_fairq_opts fairq_opts;
423 } v;
424 int lineno;
425 } YYSTYPE;
426
427 #define PPORT_RANGE 1
428 #define PPORT_STAR 2
429 int parseport(char *, struct range *r, int);
430
431 #define DYNIF_MULTIADDR(addr) ((addr).type == PF_ADDR_DYNIFTL && \
432 (!((addr).iflags & PFI_AFLAG_NOALIAS) || \
433 !isdigit((addr).v.ifname[strlen((addr).v.ifname)-1])))
434
435 extern char *infile;
436
437 %}
438
439 %token PASS BLOCK SCRUB RETURN IN OS OUT LOG QUICK ON FROM TO FLAGS
440 %token RETURNRST RETURNICMP RETURNICMP6 PROTO INET INET6 ALL ANY ICMPTYPE
441 %token ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW NODF
442 %token MINTTL ERROR ALLOWOPTS FASTROUTE FILENAME ROUTETO DUPTO REPLYTO NO LABEL
443 %token NOROUTE URPFFAILED FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE
444 %token REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR
445 %token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY RANDOMID
446 %token REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID
447 %token ANTISPOOF FOR INCLUDE
448 %token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT PROBABILITY
449 %token ALTQ CBQ PRIQ HFSC FAIRQ BANDWIDTH TBRSIZE LINKSHARE REALTIME UPPERLIMIT
450 %token QUEUE PRIORITY QLIMIT RTABLE HOGS BUCKETS
451 %token LOAD RULESET_OPTIMIZATION
452 %token PICKUPS NOPICKUPS HASHONLY
453 %token STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE
454 %token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY
455 %token TAGGED TAG IFBOUND FLOATING STATEPOLICY ROUTE SETTOS KEEPPOLICY
456 %token DIVERTTO DIVERTREPLY
457 %token <v.string> STRING
458 %token <v.number> NUMBER
459 %token <v.i> PORTBINARY
460 %type <v.interface> interface if_list if_item_not if_item
461 %type <v.number> number icmptype icmp6type uid gid
462 %type <v.number> tos not yesno
463 %type <v.probability> probability
464 %type <v.i> no dir af fragcache optimizer
465 %type <v.i> sourcetrack flush unaryop statelock
466 %type <v.b> action nataction natpasslog scrubaction
467 %type <v.b> flags flag blockspec
468 %type <v.range> portplain portstar portrange
469 %type <v.hashkey> hashkey
470 %type <v.proto> proto proto_list proto_item
471 %type <v.number> protoval
472 %type <v.icmp> icmpspec
473 %type <v.icmp> icmp_list icmp_item
474 %type <v.icmp> icmp6_list icmp6_item
475 %type <v.number> reticmpspec reticmp6spec
476 %type <v.fromto> fromto
477 %type <v.peer> ipportspec from to
478 %type <v.host> ipspec toipspec xhost host dynaddr host_list
479 %type <v.host> redir_host_list redirspec
480 %type <v.host> route_host route_host_list routespec
481 %type <v.os> os xos os_list
482 %type <v.port> portspec port_list port_item
483 %type <v.uid> uids uid_list uid_item
484 %type <v.gid> gids gid_list gid_item
485 %type <v.route> route
486 %type <v.redirection> redirection redirpool
487 %type <v.string> label stringall tag anchorname
488 %type <v.string> string varstring numberstring
489 %type <v.keep_state> keep
490 %type <v.state_opt> state_opt_spec state_opt_list state_opt_item
491 %type <v.logquick> logquick quick log logopts logopt
492 %type <v.interface> antispoof_ifspc antispoof_iflst antispoof_if
493 %type <v.qassign> qname
494 %type <v.queue> qassign qassign_list qassign_item
495 %type <v.queue_options> scheduler
496 %type <v.number> cbqflags_list cbqflags_item
497 %type <v.number> priqflags_list priqflags_item
498 %type <v.hfsc_opts> hfscopts_list hfscopts_item hfsc_opts
499 %type <v.fairq_opts> fairqopts_list fairqopts_item fairq_opts
500 %type <v.queue_bwspec> bandwidth
501 %type <v.filter_opts> filter_opts filter_opt filter_opts_l
502 %type <v.antispoof_opts> antispoof_opts antispoof_opt antispoof_opts_l
503 %type <v.queue_opts> queue_opts queue_opt queue_opts_l
504 %type <v.scrub_opts> scrub_opts scrub_opt scrub_opts_l
505 %type <v.table_opts> table_opts table_opt table_opts_l
506 %type <v.pool_opts> pool_opts pool_opt pool_opts_l
507 %type <v.tagged> tagged
508 %type <v.rtableid> rtable
509 %%
510
511 ruleset : /* empty */
512 | ruleset include '\n'
513 | ruleset '\n'
514 | ruleset option '\n'
515 | ruleset scrubrule '\n'
516 | ruleset natrule '\n'
517 | ruleset binatrule '\n'
518 | ruleset pfrule '\n'
519 | ruleset anchorrule '\n'
520 | ruleset loadrule '\n'
521 | ruleset altqif '\n'
522 | ruleset queuespec '\n'
523 | ruleset varset '\n'
524 | ruleset antispoof '\n'
525 | ruleset tabledef '\n'
526 | '{' fakeanchor '}' '\n';
527 | ruleset error '\n' { file->errors++; }
528 ;
529
530 include : INCLUDE STRING {
531 struct file *nfile;
532
533 if ((nfile = pushfile($2, 0)) == NULL) {
534 yyerror("failed to include file %s", $2);
535 free($2);
536 YYERROR;
537 }
538 free($2);
539
540 file = nfile;
541 lungetc('\n');
542 }
543 ;
544
545 /*
546 * apply to previouslys specified rule: must be careful to note
547 * what that is: pf or nat or binat or rdr
548 */
549 fakeanchor : fakeanchor '\n'
550 | fakeanchor anchorrule '\n'
551 | fakeanchor binatrule '\n'
552 | fakeanchor natrule '\n'
553 | fakeanchor pfrule '\n'
554 | fakeanchor error '\n'
555 ;
556
557 optimizer : string {
558 if (!strcmp($1, "none"))
559 $$ = 0;
560 else if (!strcmp($1, "basic"))
561 $$ = PF_OPTIMIZE_BASIC;
562 else if (!strcmp($1, "profile"))
563 $$ = PF_OPTIMIZE_BASIC | PF_OPTIMIZE_PROFILE;
564 else {
565 yyerror("unknown ruleset-optimization %s", $1);
566 YYERROR;
567 }
568 }
569 ;
570
571 option : SET OPTIMIZATION STRING {
572 if (check_rulestate(PFCTL_STATE_OPTION)) {
573 free($3);
574 YYERROR;
575 }
576 if (pfctl_set_optimization(pf, $3) != 0) {
577 yyerror("unknown optimization %s", $3);
578 free($3);
579 YYERROR;
580 }
581 free($3);
582 }
583 | SET RULESET_OPTIMIZATION optimizer {
584 if (!(pf->opts & PF_OPT_OPTIMIZE)) {
585 pf->opts |= PF_OPT_OPTIMIZE;
586 pf->optimize = $3;
587 }
588 }
589 | SET TIMEOUT timeout_spec
590 | SET TIMEOUT '{' optnl timeout_list '}'
591 | SET LIMIT limit_spec
592 | SET LIMIT '{' optnl limit_list '}'
593 | SET LOGINTERFACE stringall {
594 if (check_rulestate(PFCTL_STATE_OPTION)) {
595 free($3);
596 YYERROR;
597 }
598 if (pfctl_set_logif(pf, $3) != 0) {
599 yyerror("error setting loginterface %s", $3);
600 free($3);
601 YYERROR;
602 }
603 free($3);
604 }
605 | SET HOSTID number {
606 if ($3 == 0 || $3 > UINT_MAX) {
607 yyerror("hostid must be non-zero");
608 YYERROR;
609 }
610 if (pfctl_set_hostid(pf, $3) != 0) {
611 yyerror("error setting hostid %08" PRId64, $3);
612 YYERROR;
613 }
614 }
615 | SET BLOCKPOLICY DROP {
616 if (pf->opts & PF_OPT_VERBOSE)
617 printf("set block-policy drop\n");
618 if (check_rulestate(PFCTL_STATE_OPTION))
619 YYERROR;
620 blockpolicy = PFRULE_DROP;
621 }
622 | SET BLOCKPOLICY RETURN {
623 if (pf->opts & PF_OPT_VERBOSE)
624 printf("set block-policy return\n");
625 if (check_rulestate(PFCTL_STATE_OPTION))
626 YYERROR;
627 blockpolicy = PFRULE_RETURN;
628 }
629 | SET REQUIREORDER yesno {
630 if (pf->opts & PF_OPT_VERBOSE)
631 printf("set require-order %s\n",
632 $3 == 1 ? "yes" : "no");
633 require_order = $3;
634 }
635 | SET FINGERPRINTS STRING {
636 if (pf->opts & PF_OPT_VERBOSE)
637 printf("set fingerprints \"%s\"\n", $3);
638 if (check_rulestate(PFCTL_STATE_OPTION)) {
639 free($3);
640 YYERROR;
641 }
642 if (!pf->anchor->name[0]) {
643 if (pfctl_file_fingerprints(pf->dev,
644 pf->opts, $3)) {
645 yyerror("error loading "
646 "fingerprints %s", $3);
647 free($3);
648 YYERROR;
649 }
650 }
651 free($3);
652 }
653 | SET STATEPOLICY statelock {
654 if (pf->opts & PF_OPT_VERBOSE)
655 switch ($3) {
656 case 0:
657 printf("set state-policy floating\n");
658 break;
659 case PFRULE_IFBOUND:
660 printf("set state-policy if-bound\n");
661 break;
662 }
663 default_statelock = $3;
664 }
665 | SET KEEPPOLICY keep {
666 if (pf->opts & PF_OPT_VERBOSE)
667 printf("A default keeppolicy was set\n");
668 default_keeppolicy_action = $3.action;
669 default_keeppolicy_options = $3.options;
670 }
671 | SET DEBUG STRING {
672 if (check_rulestate(PFCTL_STATE_OPTION)) {
673 free($3);
674 YYERROR;
675 }
676 if (pfctl_set_debug(pf, $3) != 0) {
677 yyerror("error setting debuglevel %s", $3);
678 free($3);
679 YYERROR;
680 }
681 free($3);
682 }
683 | SET SKIP interface {
684 if (expand_skip_interface($3) != 0) {
685 yyerror("error setting skip interface(s)");
686 YYERROR;
687 }
688 }
689 ;
690
691 stringall : STRING { $$ = $1; }
692 | ALL {
693 if (($$ = strdup("all")) == NULL) {
694 err(1, "stringall: strdup");
695 }
696 }
697 ;
698
699 string : STRING string {
700 if (asprintf(&$$, "%s %s", $1, $2) == -1)
701 err(1, "string: asprintf");
702 free($1);
703 free($2);
704 }
705 | STRING
706 ;
707
708 varstring : numberstring varstring {
709 if (asprintf(&$$, "%s %s", $1, $2) == -1)
710 err(1, "string: asprintf");
711 free($1);
712 free($2);
713 }
714 | numberstring
715 ;
716
717 numberstring : NUMBER {
718 char *s;
719 if (asprintf(&s, "%" PRId64, $1) == -1) {
720 yyerror("string: asprintf");
721 YYERROR;
722 }
723 $$ = s;
724 }
725 | STRING
726 ;
727
728 varset : STRING '=' varstring {
729 if (pf->opts & PF_OPT_VERBOSE)
730 printf("%s = \"%s\"\n", $1, $3);
731 if (symset($1, $3, 0) == -1)
732 err(1, "cannot store variable %s", $1);
733 free($1);
734 free($3);
735 }
736 ;
737
738 anchorname : STRING { $$ = $1; }
739 | /* empty */ { $$ = NULL; }
740 ;
741
742 pfa_anchorlist : /* empty */
743 | pfa_anchorlist '\n'
744 | pfa_anchorlist pfrule '\n'
745 | pfa_anchorlist anchorrule '\n'
746 ;
747
748 pfa_anchor : '{'
749 {
750 char ta[PF_ANCHOR_NAME_SIZE];
751 struct pf_ruleset *rs;
752
753 /* steping into a brace anchor */
754 pf->asd++;
755 pf->bn++;
756 pf->brace = 1;
757
758 /* create a holding ruleset in the root */
759 snprintf(ta, PF_ANCHOR_NAME_SIZE, "_%d", pf->bn);
760 rs = pf_find_or_create_ruleset(ta);
761 if (rs == NULL)
762 err(1, "pfa_anchor: pf_find_or_create_ruleset");
763 pf->astack[pf->asd] = rs->anchor;
764 pf->anchor = rs->anchor;
765 } '\n' pfa_anchorlist '}'
766 {
767 pf->alast = pf->anchor;
768 pf->asd--;
769 pf->anchor = pf->astack[pf->asd];
770 }
771 | /* empty */
772 ;
773
774 anchorrule : ANCHOR anchorname dir quick interface af proto fromto
775 filter_opts pfa_anchor
776 {
777 struct pf_rule r;
778 struct node_proto *proto;
779
780 if (check_rulestate(PFCTL_STATE_FILTER)) {
781 if ($2)
782 free($2);
783 YYERROR;
784 }
785
786 if ($2 && ($2[0] == '_' || strstr($2, "/_") != NULL)) {
787 free($2);
788 yyerror("anchor names beginning with '_' "
789 "are reserved for internal use");
790 YYERROR;
791 }
792
793 memset(&r, 0, sizeof(r));
794 if (pf->astack[pf->asd + 1]) {
795 /* move inline rules into relative location */
796 pf_anchor_setup(&r,
797 &pf->astack[pf->asd]->ruleset,
798 $2 ? $2 : pf->alast->name);
799
800 if (r.anchor == NULL)
801 err(1, "anchorrule: unable to "
802 "create ruleset");
803
804 if (pf->alast != r.anchor) {
805 if (r.anchor->match) {
806 yyerror("inline anchor '%s' "
807 "already exists",
808 r.anchor->name);
809 YYERROR;
810 }
811 mv_rules(&pf->alast->ruleset,
812 &r.anchor->ruleset);
813 }
814 pf_remove_if_empty_ruleset(&pf->alast->ruleset);
815 pf->alast = r.anchor;
816 } else {
817 if (!$2) {
818 yyerror("anchors without explicit "
819 "rules must specify a name");
820 YYERROR;
821 }
822 }
823 r.direction = $3;
824 r.quick = $4.quick;
825 r.af = $6;
826 r.prob = $9.prob;
827 r.rtableid = $9.rtableid;
828
829 if ($9.tag)
830 if (strlcpy(r.tagname, $9.tag,
831 PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) {
832 yyerror("tag too long, max %u chars",
833 PF_TAG_NAME_SIZE - 1);
834 YYERROR;
835 }
836 if ($9.match_tag)
837 if (strlcpy(r.match_tagname, $9.match_tag,
838 PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) {
839 yyerror("tag too long, max %u chars",
840 PF_TAG_NAME_SIZE - 1);
841 YYERROR;
842 }
843 r.match_tag_not = $9.match_tag_not;
844 if (rule_label(&r, $9.label))
845 YYERROR;
846 free($9.label);
847 r.flags = $9.flags.b1;
848 r.flagset = $9.flags.b2;
849 if (($9.flags.b1 & $9.flags.b2) != $9.flags.b1) {
850 yyerror("flags always false");
851 YYERROR;
852 }
853 if ($9.flags.b1 || $9.flags.b2 || $8.src_os) {
854 for (proto = $7; proto != NULL &&
855 proto->proto != IPPROTO_TCP;
856 proto = proto->next)
857 ; /* nothing */
858 if (proto == NULL && $7 != NULL) {
859 if ($9.flags.b1 || $9.flags.b2)
860 yyerror(
861 "flags only apply to tcp");
862 if ($8.src_os)
863 yyerror(
864 "OS fingerprinting only "
865 "applies to tcp");
866 YYERROR;
867 }
868 }
869
870 r.tos = $9.tos;
871
872 if ($9.keep.action) {
873 yyerror("cannot specify state handling "
874 "on anchors");
875 YYERROR;
876 }
877
878 if ($9.match_tag)
879 if (strlcpy(r.match_tagname, $9.match_tag,
880 PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) {
881 yyerror("tag too long, max %u chars",
882 PF_TAG_NAME_SIZE - 1);
883 YYERROR;
884 }
885 r.match_tag_not = $9.match_tag_not;
886
887 decide_address_family($8.src.host, &r.af);
888 decide_address_family($8.dst.host, &r.af);
889
890 expand_rule(&r, $5, NULL, $7, $8.src_os,
891 $8.src.host, $8.src.port, $8.dst.host, $8.dst.port,
892 $9.uid, $9.gid, $9.icmpspec,
893 pf->astack[pf->asd + 1] ? pf->alast->name : $2);
894 free($2);
895 pf->astack[pf->asd + 1] = NULL;
896 }
897 | NATANCHOR string interface af proto fromto rtable {
898 struct pf_rule r;
899
900 if (check_rulestate(PFCTL_STATE_NAT)) {
901 free($2);
902 YYERROR;
903 }
904
905 memset(&r, 0, sizeof(r));
906 r.action = PF_NAT;
907 r.af = $4;
908 r.rtableid = $7;
909
910 decide_address_family($6.src.host, &r.af);
911 decide_address_family($6.dst.host, &r.af);
912
913 expand_rule(&r, $3, NULL, $5, $6.src_os,
914 $6.src.host, $6.src.port, $6.dst.host, $6.dst.port,
915 0, 0, 0, $2);
916 free($2);
917 }
918 | RDRANCHOR string interface af proto fromto rtable {
919 struct pf_rule r;
920
921 if (check_rulestate(PFCTL_STATE_NAT)) {
922 free($2);
923 YYERROR;
924 }
925
926 memset(&r, 0, sizeof(r));
927 r.action = PF_RDR;
928 r.af = $4;
929 r.rtableid = $7;
930
931 decide_address_family($6.src.host, &r.af);
932 decide_address_family($6.dst.host, &r.af);
933
934 if ($6.src.port != NULL) {
935 yyerror("source port parameter not supported"
936 " in rdr-anchor");
937 YYERROR;
938 }
939 if ($6.dst.port != NULL) {
940 if ($6.dst.port->next != NULL) {
941 yyerror("destination port list "
942 "expansion not supported in "
943 "rdr-anchor");
944 YYERROR;
945 } else if ($6.dst.port->op != PF_OP_EQ) {
946 yyerror("destination port operators"
947 " not supported in rdr-anchor");
948 YYERROR;
949 }
950 r.dst.port[0] = $6.dst.port->port[0];
951 r.dst.port[1] = $6.dst.port->port[1];
952 r.dst.port_op = $6.dst.port->op;
953 }
954
955 expand_rule(&r, $3, NULL, $5, $6.src_os,
956 $6.src.host, $6.src.port, $6.dst.host, $6.dst.port,
957 0, 0, 0, $2);
958 free($2);
959 }
960 | BINATANCHOR string interface af proto fromto rtable {
961 struct pf_rule r;
962
963 if (check_rulestate(PFCTL_STATE_NAT)) {
964 free($2);
965 YYERROR;
966 }
967
968 memset(&r, 0, sizeof(r));
969 r.action = PF_BINAT;
970 r.af = $4;
971 r.rtableid = $7;
972 if ($5 != NULL) {
973 if ($5->next != NULL) {
974 yyerror("proto list expansion"
975 " not supported in binat-anchor");
976 YYERROR;
977 }
978 r.proto = $5->proto;
979 free($5);
980 }
981
982 if ($6.src.host != NULL || $6.src.port != NULL ||
983 $6.dst.host != NULL || $6.dst.port != NULL) {
984 yyerror("fromto parameter not supported"
985 " in binat-anchor");
986 YYERROR;
987 }
988
989 decide_address_family($6.src.host, &r.af);
990 decide_address_family($6.dst.host, &r.af);
991
992 pfctl_add_rule(pf, &r, $2);
993 free($2);
994 }
995 ;
996
997 loadrule : LOAD ANCHOR string FROM string {
998 struct loadanchors *loadanchor;
999
1000 if (strlen(pf->anchor->name) + 1 +
1001 strlen($3) >= MAXPATHLEN) {
1002 yyerror("anchorname %s too long, max %u\n",
1003 $3, MAXPATHLEN - 1);
1004 free($3);
1005 YYERROR;
1006 }
1007 loadanchor = calloc(1, sizeof(struct loadanchors));
1008 if (loadanchor == NULL)
1009 err(1, "loadrule: calloc");
1010 if ((loadanchor->anchorname = malloc(MAXPATHLEN)) ==
1011 NULL)
1012 err(1, "loadrule: malloc");
1013 if (pf->anchor->name[0])
1014 snprintf(loadanchor->anchorname, MAXPATHLEN,
1015 "%s/%s", pf->anchor->name, $3);
1016 else
1017 strlcpy(loadanchor->anchorname, $3, MAXPATHLEN);
1018 if ((loadanchor->filename = strdup($5)) == NULL)
1019 err(1, "loadrule: strdup");
1020
1021 TAILQ_INSERT_TAIL(&loadanchorshead, loadanchor,
1022 entries);
1023
1024 free($3);
1025 free($5);
1026 };
1027
1028 scrubaction : no SCRUB {
1029 $$.b2 = $$.w = 0;
1030 if ($1)
1031 $$.b1 = PF_NOSCRUB;
1032 else
1033 $$.b1 = PF_SCRUB;
1034 }
1035 ;
1036
1037 scrubrule : scrubaction dir logquick interface af proto fromto scrub_opts
1038 {
1039 struct pf_rule r;
1040
1041 if (check_rulestate(PFCTL_STATE_SCRUB))
1042 YYERROR;
1043
1044 memset(&r, 0, sizeof(r));
1045
1046 r.action = $1.b1;
1047 r.direction = $2;
1048
1049 r.log = $3.log;
1050 r.logif = $3.logif;
1051 if ($3.quick) {
1052 yyerror("scrub rules do not support 'quick'");
1053 YYERROR;
1054 }
1055
1056 r.af = $5;
1057 if ($8.nodf)
1058 r.rule_flag |= PFRULE_NODF;
1059 if ($8.randomid)
1060 r.rule_flag |= PFRULE_RANDOMID;
1061 if ($8.reassemble_tcp) {
1062 if (r.direction != PF_INOUT) {
1063 yyerror("reassemble tcp rules can not "
1064 "specify direction");
1065 YYERROR;
1066 }
1067 r.rule_flag |= PFRULE_REASSEMBLE_TCP;
1068 }
1069 if ($8.minttl)
1070 r.min_ttl = $8.minttl;
1071 if ($8.maxmss)
1072 r.max_mss = $8.maxmss;
1073 if ($8.marker & SOM_SETTOS) {
1074 r.rule_flag |= PFRULE_SET_TOS;
1075 r.set_tos = $8.settos;
1076 }
1077 if ($8.fragcache)
1078 r.rule_flag |= $8.fragcache;
1079 if ($8.match_tag)
1080 if (strlcpy(r.match_tagname, $8.match_tag,
1081 PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) {
1082 yyerror("tag too long, max %u chars",
1083 PF_TAG_NAME_SIZE - 1);
1084 YYERROR;
1085 }
1086 r.match_tag_not = $8.match_tag_not;
1087 r.rtableid = $8.rtableid;
1088
1089 expand_rule(&r, $4, NULL, $6, $7.src_os,
1090 $7.src.host, $7.src.port, $7.dst.host, $7.dst.port,
1091 NULL, NULL, NULL, "");
1092 }
1093 ;
1094
1095 scrub_opts : {
1096 bzero(&scrub_opts, sizeof scrub_opts);
1097 scrub_opts.rtableid = -1;
1098 }
1099 scrub_opts_l
1100 { $$ = scrub_opts; }
1101 | /* empty */ {
1102 bzero(&scrub_opts, sizeof scrub_opts);
1103 scrub_opts.rtableid = -1;
1104 $$ = scrub_opts;
1105 }
1106 ;
1107
1108 scrub_opts_l : scrub_opts_l scrub_opt
1109 | scrub_opt
1110 ;
1111
1112 scrub_opt : NODF {
1113 if (scrub_opts.nodf) {
1114 yyerror("no-df cannot be respecified");
1115 YYERROR;
1116 }
1117 scrub_opts.nodf = 1;
1118 }
1119 | MINTTL NUMBER {
1120 if (scrub_opts.marker & SOM_MINTTL) {
1121 yyerror("min-ttl cannot be respecified");
1122 YYERROR;
1123 }
1124 if ($2 < 0 || $2 > 255) {
1125 yyerror("illegal min-ttl value %" PRId64, $2);
1126 YYERROR;
1127 }
1128 scrub_opts.marker |= SOM_MINTTL;
1129 scrub_opts.minttl = $2;
1130 }
1131 | MAXMSS NUMBER {
1132 if (scrub_opts.marker & SOM_MAXMSS) {
1133 yyerror("max-mss cannot be respecified");
1134 YYERROR;
1135 }
1136 if ($2 < 0 || $2 > 65535) {
1137 yyerror("illegal max-mss value %" PRId64, $2);
1138 YYERROR;
1139 }
1140 scrub_opts.marker |= SOM_MAXMSS;
1141 scrub_opts.maxmss = $2;
1142 }
1143 | SETTOS tos {
1144 if (scrub_opts.marker & SOM_SETTOS) {
1145 yyerror("set-tos cannot be respecified");
1146 YYERROR;
1147 }
1148 scrub_opts.marker |= SOM_SETTOS;
1149 scrub_opts.settos = $2;
1150 }
1151 | fragcache {
1152 if (scrub_opts.marker & SOM_FRAGCACHE) {
1153 yyerror("fragcache cannot be respecified");
1154 YYERROR;
1155 }
1156 scrub_opts.marker |= SOM_FRAGCACHE;
1157 scrub_opts.fragcache = $1;
1158 }
1159 | REASSEMBLE STRING {
1160 if (strcasecmp($2, "tcp") != 0) {
1161 yyerror("scrub reassemble supports only tcp, "
1162 "not '%s'", $2);
1163 free($2);
1164 YYERROR;
1165 }
1166 free($2);
1167 if (scrub_opts.reassemble_tcp) {
1168 yyerror("reassemble tcp cannot be respecified");
1169 YYERROR;
1170 }
1171 scrub_opts.reassemble_tcp = 1;
1172 }
1173 | RANDOMID {
1174 if (scrub_opts.randomid) {
1175 yyerror("random-id cannot be respecified");
1176 YYERROR;
1177 }
1178 scrub_opts.randomid = 1;
1179 }
1180 | RTABLE NUMBER {
1181 scrub_opts.rtableid = $2;
1182 }
1183 | not TAGGED string {
1184 scrub_opts.match_tag = $3;
1185 scrub_opts.match_tag_not = $1;
1186 }
1187 ;
1188
1189 fragcache : FRAGMENT REASSEMBLE { $$ = 0; /* default */ }
1190 | FRAGMENT FRAGCROP { $$ = PFRULE_FRAGCROP; }
1191 | FRAGMENT FRAGDROP { $$ = PFRULE_FRAGDROP; }
1192 ;
1193
1194 antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts {
1195 struct pf_rule r;
1196 struct node_host *h = NULL, *hh;
1197 struct node_if *i, *j;
1198
1199 if (check_rulestate(PFCTL_STATE_FILTER))
1200 YYERROR;
1201
1202 for (i = $3; i; i = i->next) {
1203 bzero(&r, sizeof(r));
1204
1205 r.action = PF_DROP;
1206 r.direction = PF_IN;
1207 r.log = $2.log;
1208 r.logif = $2.logif;
1209 r.quick = $2.quick;
1210 r.af = $4;
1211 if (rule_label(&r, $5.label))
1212 YYERROR;
1213 r.rtableid = $5.rtableid;
1214 j = calloc(1, sizeof(struct node_if));
1215 if (j == NULL)
1216 err(1, "antispoof: calloc");
1217 if (strlcpy(j->ifname, i->ifname,
1218 sizeof(j->ifname)) >= sizeof(j->ifname)) {
1219 free(j);
1220 yyerror("interface name too long");
1221 YYERROR;
1222 }
1223 j->not = 1;
1224 if (i->dynamic) {
1225 h = calloc(1, sizeof(*h));
1226 if (h == NULL)
1227 err(1, "address: calloc");
1228 h->addr.type = PF_ADDR_DYNIFTL;
1229 set_ipmask(h, 128);
1230 if (strlcpy(h->addr.v.ifname, i->ifname,
1231 sizeof(h->addr.v.ifname)) >=
1232 sizeof(h->addr.v.ifname)) {
1233 free(h);
1234 yyerror(
1235 "interface name too long");
1236 YYERROR;
1237 }
1238 hh = malloc(sizeof(*hh));
1239 if (hh == NULL)
1240 err(1, "address: malloc");
1241 bcopy(h, hh, sizeof(*hh));
1242 h->addr.iflags = PFI_AFLAG_NETWORK;
1243 } else {
1244 h = ifa_lookup(j->ifname,
1245 PFI_AFLAG_NETWORK);
1246 hh = NULL;
1247 }
1248
1249 if (h != NULL)
1250 expand_rule(&r, j, NULL, NULL, NULL, h,
1251 NULL, NULL, NULL, NULL, NULL,
1252 NULL, "");
1253
1254 if ((i->ifa_flags & IFF_LOOPBACK) == 0) {
1255 bzero(&r, sizeof(r));
1256
1257 r.action = PF_DROP;
1258 r.direction = PF_IN;
1259 r.log = $2.log;
1260 r.quick = $2.quick;
1261 r.af = $4;
1262 if (rule_label(&r, $5.label))
1263 YYERROR;
1264 r.rtableid = $5.rtableid;
1265 if (hh != NULL)
1266 h = hh;
1267 else
1268 h = ifa_lookup(i->ifname, 0);
1269 if (h != NULL)
1270 expand_rule(&r, NULL, NULL,
1271 NULL, NULL, h, NULL, NULL,
1272 NULL, NULL, NULL, NULL, "");
1273 } else
1274 free(hh);
1275 }
1276 free($5.label);
1277 }
1278 ;
1279
1280 antispoof_ifspc : FOR antispoof_if { $$ = $2; }
1281 | FOR '{' optnl antispoof_iflst '}' { $$ = $4; }
1282 ;
1283
1284 antispoof_iflst : antispoof_if optnl { $$ = $1; }
1285 | antispoof_iflst comma antispoof_if optnl {
1286 $1->tail->next = $3;
1287 $1->tail = $3;
1288 $$ = $1;
1289 }
1290 ;
1291
1292 antispoof_if : if_item { $$ = $1; }
1293 | '(' if_item ')' {
1294 $2->dynamic = 1;
1295 $$ = $2;
1296 }
1297 ;
1298
1299 antispoof_opts : {
1300 bzero(&antispoof_opts, sizeof antispoof_opts);
1301 antispoof_opts.rtableid = -1;
1302 }
1303 antispoof_opts_l
1304 { $$ = antispoof_opts; }
1305 | /* empty */ {
1306 bzero(&antispoof_opts, sizeof antispoof_opts);
1307 antispoof_opts.rtableid = -1;
1308 $$ = antispoof_opts;
1309 }
1310 ;
1311
1312 antispoof_opts_l : antispoof_opts_l antispoof_opt
1313 | antispoof_opt
1314 ;
1315
1316 antispoof_opt : label {
1317 if (antispoof_opts.label) {
1318 yyerror("label cannot be redefined");
1319 YYERROR;
1320 }
1321 antispoof_opts.label = $1;
1322 }
1323 | RTABLE NUMBER {
1324 antispoof_opts.rtableid = $2;
1325 }
1326 ;
1327
1328 not : '!' { $$ = 1; }
1329 | /* empty */ { $$ = 0; }
1330 ;
1331
1332 tabledef : TABLE '<' STRING '>' table_opts {
1333 struct node_host *h, *nh;
1334 struct node_tinit *ti, *nti;
1335
1336 if (strlen($3) >= PF_TABLE_NAME_SIZE) {
1337 yyerror("table name too long, max %d chars",
1338 PF_TABLE_NAME_SIZE - 1);
1339 free($3);
1340 YYERROR;
1341 }
1342 if (pf->loadopt & PFCTL_FLAG_TABLE)
1343 if (process_tabledef($3, &$5)) {
1344 free($3);
1345 YYERROR;
1346 }
1347 free($3);
1348 for (ti = SIMPLEQ_FIRST(&$5.init_nodes);
1349 ti != SIMPLEQ_END(&$5.init_nodes); ti = nti) {
1350 if (ti->file)
1351 free(ti->file);
1352 for (h = ti->host; h != NULL; h = nh) {
1353 nh = h->next;
1354 free(h);
1355 }
1356 nti = SIMPLEQ_NEXT(ti, entries);
1357 free(ti);
1358 }
1359 }
1360 ;
1361
1362 table_opts : {
1363 bzero(&table_opts, sizeof table_opts);
1364 SIMPLEQ_INIT(&table_opts.init_nodes);
1365 }
1366 table_opts_l
1367 { $$ = table_opts; }
1368 | /* empty */
1369 {
1370 bzero(&table_opts, sizeof table_opts);
1371 SIMPLEQ_INIT(&table_opts.init_nodes);
1372 $$ = table_opts;
1373 }
1374 ;
1375
1376 table_opts_l : table_opts_l table_opt
1377 | table_opt
1378 ;
1379
1380 table_opt : STRING {
1381 if (!strcmp($1, "const"))
1382 table_opts.flags |= PFR_TFLAG_CONST;
1383 else if (!strcmp($1, "persist"))
1384 table_opts.flags |= PFR_TFLAG_PERSIST;
1385 else if (!strcmp($1, "counters"))
1386 table_opts.flags |= PFR_TFLAG_COUNTERS;
1387 else {
1388 yyerror("invalid table option '%s'", $1);
1389 free($1);
1390 YYERROR;
1391 }
1392 free($1);
1393 }
1394 | '{' optnl '}' { table_opts.init_addr = 1; }
1395 | '{' optnl host_list '}' {
1396 struct node_host *n;
1397 struct node_tinit *ti;
1398
1399 for (n = $3; n != NULL; n = n->next) {
1400 switch (n->addr.type) {
1401 case PF_ADDR_ADDRMASK:
1402 continue; /* ok */
1403 case PF_ADDR_RANGE:
1404 yyerror("address ranges are not "
1405 "permitted inside tables");
1406 break;
1407 case PF_ADDR_DYNIFTL:
1408 yyerror("dynamic addresses are not "
1409 "permitted inside tables");
1410 break;
1411 case PF_ADDR_TABLE:
1412 yyerror("tables cannot contain tables");
1413 break;
1414 case PF_ADDR_NOROUTE:
1415 yyerror("\"no-route\" is not permitted "
1416 "inside tables");
1417 break;
1418 case PF_ADDR_URPFFAILED:
1419 yyerror("\"urpf-failed\" is not "
1420 "permitted inside tables");
1421 break;
1422 default:
1423 yyerror("unknown address type %d",
1424 n->addr.type);
1425 }
1426 YYERROR;
1427 }
1428 if (!(ti = calloc(1, sizeof(*ti))))
1429 err(1, "table_opt: calloc");
1430 ti->host = $3;
1431 SIMPLEQ_INSERT_TAIL(&table_opts.init_nodes, ti,
1432 entries);
1433 table_opts.init_addr = 1;
1434 }
1435 | FILENAME STRING {
1436 struct node_tinit *ti;
1437
1438 if (!(ti = calloc(1, sizeof(*ti))))
1439 err(1, "table_opt: calloc");
1440 ti->file = $2;
1441 SIMPLEQ_INSERT_TAIL(&table_opts.init_nodes, ti,
1442 entries);
1443 table_opts.init_addr = 1;
1444 }
1445 ;
1446
1447 altqif : ALTQ interface queue_opts QUEUE qassign {
1448 struct pf_altq a;
1449
1450 if (check_rulestate(PFCTL_STATE_QUEUE))
1451 YYERROR;
1452
1453 memset(&a, 0, sizeof(a));
1454 if ($3.scheduler.qtype == ALTQT_NONE) {
1455 yyerror("no scheduler specified!");
1456 YYERROR;
1457 }
1458 a.scheduler = $3.scheduler.qtype;
1459 a.qlimit = $3.qlimit;
1460 a.tbrsize = $3.tbrsize;
1461 if ($5 == NULL) {
1462 yyerror("no child queues specified");
1463 YYERROR;
1464 }
1465 if (expand_altq(&a, $2, $5, $3.queue_bwspec,
1466 &$3.scheduler))
1467 YYERROR;
1468 }
1469 ;
1470
1471 queuespec : QUEUE STRING interface queue_opts qassign {
1472 struct pf_altq a;
1473
1474 if (check_rulestate(PFCTL_STATE_QUEUE)) {
1475 free($2);
1476 YYERROR;
1477 }
1478
1479 memset(&a, 0, sizeof(a));
1480
1481 if (strlcpy(a.qname, $2, sizeof(a.qname)) >=
1482 sizeof(a.qname)) {
1483 yyerror("queue name too long (max "
1484 "%d chars)", PF_QNAME_SIZE-1);
1485 free($2);
1486 YYERROR;
1487 }
1488 free($2);
1489 if ($4.tbrsize) {
1490 yyerror("cannot specify tbrsize for queue");
1491 YYERROR;
1492 }
1493 if ($4.priority > 255) {
1494 yyerror("priority out of range: max 255");
1495 YYERROR;
1496 }
1497 a.priority = $4.priority;
1498 a.qlimit = $4.qlimit;
1499 a.scheduler = $4.scheduler.qtype;
1500 if (expand_queue(&a, $3, $5, $4.queue_bwspec,
1501 &$4.scheduler)) {
1502 yyerror("errors in queue definition");
1503 YYERROR;
1504 }
1505 }
1506 ;
1507
1508 queue_opts : {
1509 bzero(&queue_opts, sizeof queue_opts);
1510 queue_opts.priority = DEFAULT_PRIORITY;
1511 queue_opts.qlimit = DEFAULT_QLIMIT;
1512 queue_opts.scheduler.qtype = ALTQT_NONE;
1513 queue_opts.queue_bwspec.bw_percent = 100;
1514 }
1515 queue_opts_l
1516 { $$ = queue_opts; }
1517 | /* empty */ {
1518 bzero(&queue_opts, sizeof queue_opts);
1519 queue_opts.priority = DEFAULT_PRIORITY;
1520 queue_opts.qlimit = DEFAULT_QLIMIT;
1521 queue_opts.scheduler.qtype = ALTQT_NONE;
1522 queue_opts.queue_bwspec.bw_percent = 100;
1523 $$ = queue_opts;
1524 }
1525 ;
1526
1527 queue_opts_l : queue_opts_l queue_opt
1528 | queue_opt
1529 ;
1530
1531 queue_opt : BANDWIDTH bandwidth {
1532 if (queue_opts.marker & QOM_BWSPEC) {
1533 yyerror("bandwidth cannot be respecified");
1534 YYERROR;
1535 }
1536 queue_opts.marker |= QOM_BWSPEC;
1537 queue_opts.queue_bwspec = $2;
1538 }
1539 | PRIORITY NUMBER {
1540 if (queue_opts.marker & QOM_PRIORITY) {
1541 yyerror("priority cannot be respecified");
1542 YYERROR;
1543 }
1544 if ($2 < 0 || $2 > 255) {
1545 yyerror("priority out of range: max 255");
1546 YYERROR;
1547 }
1548 queue_opts.marker |= QOM_PRIORITY;
1549 queue_opts.priority = $2;
1550 }
1551 | QLIMIT NUMBER {
1552 if (queue_opts.marker & QOM_QLIMIT) {
1553 yyerror("qlimit cannot be respecified");
1554 YYERROR;
1555 }
1556 if ($2 < 0 || $2 > 65535) {
1557 yyerror("qlimit out of range: max 65535");
1558 YYERROR;
1559 }
1560 queue_opts.marker |= QOM_QLIMIT;
1561 queue_opts.qlimit = $2;
1562 }
1563 | scheduler {
1564 if (queue_opts.marker & QOM_SCHEDULER) {
1565 yyerror("scheduler cannot be respecified");
1566 YYERROR;
1567 }
1568 queue_opts.marker |= QOM_SCHEDULER;
1569 queue_opts.scheduler = $1;
1570 }
1571 | TBRSIZE NUMBER {
1572 if (queue_opts.marker & QOM_TBRSIZE) {
1573 yyerror("tbrsize cannot be respecified");
1574 YYERROR;
1575 }
1576 if ($2 < 0 || $2 > 65535) {
1577 yyerror("tbrsize too big: max 65535");
1578 YYERROR;
1579 }
1580 queue_opts.marker |= QOM_TBRSIZE;
1581 queue_opts.tbrsize = $2;
1582 }
1583 ;
1584
1585 bandwidth : STRING {
1586 double bps;
1587 char *cp;
1588
1589 $$.bw_percent = 0;
1590
1591 bps = strtod($1, &cp);
1592 if (cp != NULL) {
1593 if (!strcmp(cp, "b"))
1594 ; /* nothing */
1595 else if (!strcmp(cp, "Kb"))
1596 bps *= 1000;
1597 else if (!strcmp(cp, "Mb"))
1598 bps *= 1000 * 1000;
1599 else if (!strcmp(cp, "Gb"))
1600 bps *= 1000 * 1000 * 1000;
1601 else if (!strcmp(cp, "%")) {
1602 if (bps < 0 || bps > 100) {
1603 yyerror("bandwidth spec "
1604 "out of range");
1605 free($1);
1606 YYERROR;
1607 }
1608 $$.bw_percent = bps;
1609 bps = 0;
1610 } else {
1611 yyerror("unknown unit %s", cp);
1612 free($1);
1613 YYERROR;
1614 }
1615 }
1616 free($1);
1617 $$.bw_absolute = (u_int32_t)bps;
1618 }
1619 | NUMBER {
1620 if ($1 < 0 || $1 > UINT_MAX) {
1621 yyerror("bandwidth number too big");
1622 YYERROR;
1623 }
1624 $$.bw_percent = 0;
1625 $$.bw_absolute = $1;
1626 }
1627 ;
1628
1629 scheduler : CBQ {
1630 $$.qtype = ALTQT_CBQ;
1631 $$.data.cbq_opts.flags = 0;
1632 }
1633 | CBQ '(' cbqflags_list ')' {
1634 $$.qtype = ALTQT_CBQ;
1635 $$.data.cbq_opts.flags = $3;
1636 }
1637 | PRIQ {
1638 $$.qtype = ALTQT_PRIQ;
1639 $$.data.priq_opts.flags = 0;
1640 }
1641 | PRIQ '(' priqflags_list ')' {
1642 $$.qtype = ALTQT_PRIQ;
1643 $$.data.priq_opts.flags = $3;
1644 }
1645 | HFSC {
1646 $$.qtype = ALTQT_HFSC;
1647 bzero(&$$.data.hfsc_opts,
1648 sizeof(struct node_hfsc_opts));
1649 }
1650 | HFSC '(' hfsc_opts ')' {
1651 $$.qtype = ALTQT_HFSC;
1652 $$.data.hfsc_opts = $3;
1653 }
1654 | FAIRQ {
1655 $$.qtype = ALTQT_FAIRQ;
1656 bzero(&$$.data.fairq_opts,
1657 sizeof(struct node_fairq_opts));
1658 }
1659 | FAIRQ '(' fairq_opts ')' {
1660 $$.qtype = ALTQT_FAIRQ;
1661 $$.data.fairq_opts = $3;
1662 }
1663 ;
1664
1665 cbqflags_list : cbqflags_item { $$ |= $1; }
1666 | cbqflags_list comma cbqflags_item { $$ |= $3; }
1667 ;
1668
1669 cbqflags_item : STRING {
1670 if (!strcmp($1, "default"))
1671 $$ = CBQCLF_DEFCLASS;
1672 else if (!strcmp($1, "borrow"))
1673 $$ = CBQCLF_BORROW;
1674 else if (!strcmp($1, "red"))
1675 $$ = CBQCLF_RED;
1676 else if (!strcmp($1, "ecn"))
1677 $$ = CBQCLF_RED|CBQCLF_ECN;
1678 else if (!strcmp($1, "rio"))
1679 $$ = CBQCLF_RIO;
1680 else {
1681 yyerror("unknown cbq flag \"%s\"", $1);
1682 free($1);
1683 YYERROR;
1684 }
1685 free($1);
1686 }
1687 ;
1688
1689 priqflags_list : priqflags_item { $$ |= $1; }
1690 | priqflags_list comma priqflags_item { $$ |= $3; }
1691 ;
1692
1693 priqflags_item : STRING {
1694 if (!strcmp($1, "default"))
1695 $$ = PRCF_DEFAULTCLASS;
1696 else if (!strcmp($1, "red"))
1697 $$ = PRCF_RED;
1698 else if (!strcmp($1, "ecn"))
1699 $$ = PRCF_RED|PRCF_ECN;
1700 else if (!strcmp($1, "rio"))
1701 $$ = PRCF_RIO;
1702 else {
1703 yyerror("unknown priq flag \"%s\"", $1);
1704 free($1);
1705 YYERROR;
1706 }
1707 free($1);
1708 }
1709 ;
1710
1711 hfsc_opts : {
1712 bzero(&hfsc_opts,
1713 sizeof(struct node_hfsc_opts));
1714 }
1715 hfscopts_list {
1716 $$ = hfsc_opts;
1717 }
1718 ;
1719
1720 hfscopts_list : hfscopts_item
1721 | hfscopts_list comma hfscopts_item
1722 ;
1723
1724 hfscopts_item : LINKSHARE bandwidth {
1725 if (hfsc_opts.linkshare.used) {
1726 yyerror("linkshare already specified");
1727 YYERROR;
1728 }
1729 hfsc_opts.linkshare.m2 = $2;
1730 hfsc_opts.linkshare.used = 1;
1731 }
1732 | LINKSHARE '(' bandwidth comma NUMBER comma bandwidth ')'
1733 {
1734 if ($5 < 0 || $5 > INT_MAX) {
1735 yyerror("timing in curve out of range");
1736 YYERROR;
1737 }
1738 if (hfsc_opts.linkshare.used) {
1739 yyerror("linkshare already specified");
1740 YYERROR;
1741 }
1742 hfsc_opts.linkshare.m1 = $3;
1743 hfsc_opts.linkshare.d = $5;
1744 hfsc_opts.linkshare.m2 = $7;
1745 hfsc_opts.linkshare.used = 1;
1746 }
1747 | REALTIME bandwidth {
1748 if (hfsc_opts.realtime.used) {
1749 yyerror("realtime already specified");
1750 YYERROR;
1751 }
1752 hfsc_opts.realtime.m2 = $2;
1753 hfsc_opts.realtime.used = 1;
1754 }
1755 | REALTIME '(' bandwidth comma NUMBER comma bandwidth ')'
1756 {
1757 if ($5 < 0 || $5 > INT_MAX) {
1758 yyerror("timing in curve out of range");
1759 YYERROR;
1760 }
1761 if (hfsc_opts.realtime.used) {
1762 yyerror("realtime already specified");
1763 YYERROR;
1764 }
1765 hfsc_opts.realtime.m1 = $3;
1766 hfsc_opts.realtime.d = $5;
1767 hfsc_opts.realtime.m2 = $7;
1768 hfsc_opts.realtime.used = 1;
1769 }
1770 | UPPERLIMIT bandwidth {
1771 if (hfsc_opts.upperlimit.used) {
1772 yyerror("upperlimit already specified");
1773 YYERROR;
1774 }
1775 hfsc_opts.upperlimit.m2 = $2;
1776 hfsc_opts.upperlimit.used = 1;
1777 }
1778 | UPPERLIMIT '(' bandwidth comma NUMBER comma bandwidth ')'
1779 {
1780 if ($5 < 0 || $5 > INT_MAX) {
1781 yyerror("timing in curve out of range");
1782 YYERROR;
1783 }
1784 if (hfsc_opts.upperlimit.used) {
1785 yyerror("upperlimit already specified");
1786 YYERROR;
1787 }
1788 hfsc_opts.upperlimit.m1 = $3;
1789 hfsc_opts.upperlimit.d = $5;
1790 hfsc_opts.upperlimit.m2 = $7;
1791 hfsc_opts.upperlimit.used = 1;
1792 }
1793 | STRING {
1794 if (!strcmp($1, "default"))
1795 hfsc_opts.flags |= HFCF_DEFAULTCLASS;
1796 else if (!strcmp($1, "red"))
1797 hfsc_opts.flags |= HFCF_RED;
1798 else if (!strcmp($1, "ecn"))
1799 hfsc_opts.flags |= HFCF_RED|HFCF_ECN;
1800 else if (!strcmp($1, "rio"))
1801 hfsc_opts.flags |= HFCF_RIO;
1802 else {
1803 yyerror("unknown hfsc flag \"%s\"", $1);
1804 free($1);
1805 YYERROR;
1806 }
1807 free($1);
1808 }
1809 ;
1810
1811 fairq_opts : {
1812 bzero(&fairq_opts,
1813 sizeof(struct node_fairq_opts));
1814 }
1815 fairqopts_list {
1816 $$ = fairq_opts;
1817 }
1818 ;
1819
1820 fairqopts_list : fairqopts_item
1821 | fairqopts_list comma fairqopts_item
1822 ;
1823
1824 fairqopts_item : LINKSHARE bandwidth {
1825 if (fairq_opts.linkshare.used) {
1826 yyerror("linkshare already specified");
1827 YYERROR;
1828 }
1829 fairq_opts.linkshare.m2 = $2;
1830 fairq_opts.linkshare.used = 1;
1831 }
1832 | LINKSHARE '(' bandwidth number bandwidth ')' {
1833 if (fairq_opts.linkshare.used) {
1834 yyerror("linkshare already specified");
1835 YYERROR;
1836 }
1837 fairq_opts.linkshare.m1 = $3;
1838 fairq_opts.linkshare.d = $4;
1839 fairq_opts.linkshare.m2 = $5;
1840 fairq_opts.linkshare.used = 1;
1841 }
1842 | HOGS bandwidth {
1843 fairq_opts.hogs_bw = $2;
1844 }
1845 | BUCKETS number {
1846 fairq_opts.nbuckets = $2;
1847 }
1848 | STRING {
1849 if (!strcmp($1, "default"))
1850 fairq_opts.flags |= FARF_DEFAULTCLASS;
1851 else if (!strcmp($1, "red"))
1852 fairq_opts.flags |= FARF_RED;
1853 else if (!strcmp($1, "ecn"))
1854 fairq_opts.flags |= FARF_RED|FARF_ECN;
1855 else if (!strcmp($1, "rio"))
1856 fairq_opts.flags |= FARF_RIO;
1857 else {
1858 yyerror("unknown fairq flag \"%s\"", $1);
1859 free($1);
1860 YYERROR;
1861 }
1862 free($1);
1863 }
1864 ;
1865
1866 qassign : /* empty */ { $$ = NULL; }
1867 | qassign_item { $$ = $1; }
1868 | '{' optnl qassign_list '}' { $$ = $3; }
1869 ;
1870
1871 qassign_list : qassign_item optnl { $$ = $1; }
1872 | qassign_list comma qassign_item optnl {
1873 $1->tail->next = $3;
1874 $1->tail = $3;
1875 $$ = $1;
1876 }
1877 ;
1878
1879 qassign_item : STRING {
1880 $$ = calloc(1, sizeof(struct node_queue));
1881 if ($$ == NULL)
1882 err(1, "qassign_item: calloc");
1883 if (strlcpy($$->queue, $1, sizeof($$->queue)) >=
1884 sizeof($$->queue)) {
1885 yyerror("queue name '%s' too long (max "
1886 "%zd chars)", $1, sizeof($$->queue)-1);
1887 free($1);
1888 free($$);
1889 YYERROR;
1890 }
1891 free($1);
1892 $$->next = NULL;
1893 $$->tail = $$;
1894 }
1895 ;
1896
1897 pfrule : action dir logquick interface route af proto fromto
1898 filter_opts
1899 {
1900 struct pf_rule r;
1901 struct node_state_opt *o;
1902 struct node_proto *proto;
1903 int srctrack = 0;
1904 int statelock = 0;
1905 int adaptive = 0;
1906 int dofree;
1907
1908 if (check_rulestate(PFCTL_STATE_FILTER))
1909 YYERROR;
1910
1911 memset(&r, 0, sizeof(r));
1912
1913 r.action = $1.b1;
1914 switch ($1.b2) {
1915 case PFRULE_RETURNRST:
1916 r.rule_flag |= PFRULE_RETURNRST;
1917 r.return_ttl = $1.w;
1918 break;
1919 case PFRULE_RETURNICMP:
1920 r.rule_flag |= PFRULE_RETURNICMP;
1921 r.return_icmp = $1.w;
1922 r.return_icmp6 = $1.w2;
1923 break;
1924 case PFRULE_RETURN:
1925 r.rule_flag |= PFRULE_RETURN;
1926 r.return_icmp = $1.w;
1927 r.return_icmp6 = $1.w2;
1928 break;
1929 }
1930 r.direction = $2;
1931 r.log = $3.log;
1932 r.logif = $3.logif;
1933 r.quick = $3.quick;
1934 r.prob = $9.prob;
1935 r.rtableid = $9.rtableid;
1936
1937 r.af = $6;
1938 if ($9.tag)
1939 if (strlcpy(r.tagname, $9.tag,
1940 PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) {
1941 yyerror("tag too long, max %u chars",
1942 PF_TAG_NAME_SIZE - 1);
1943 YYERROR;
1944 }
1945 if ($9.match_tag)
1946 if (strlcpy(r.match_tagname, $9.match_tag,
1947 PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) {
1948 yyerror("tag too long, max %u chars",
1949 PF_TAG_NAME_SIZE - 1);
1950 YYERROR;
1951 }
1952 r.match_tag_not = $9.match_tag_not;
1953 if (rule_label(&r, $9.label))
1954 YYERROR;
1955 free($9.label);
1956 r.flags = $9.flags.b1;
1957 r.flagset = $9.flags.b2;
1958 if (($9.flags.b1 & $9.flags.b2) != $9.flags.b1) {
1959 yyerror("flags always false");
1960 YYERROR;
1961 }
1962 if ($9.flags.b1 || $9.flags.b2 || $8.src_os) {
1963 for (proto = $7; proto != NULL &&
1964 proto->proto != IPPROTO_TCP;
1965 proto = proto->next)
1966 ; /* nothing */
1967 if (proto == NULL && $7 != NULL) {
1968 if ($9.flags.b1 || $9.flags.b2)
1969 yyerror(
1970 "flags only apply to tcp");
1971 if ($8.src_os)
1972 yyerror(
1973 "OS fingerprinting only "
1974 "apply to tcp");
1975 YYERROR;
1976 }
1977 #if 0
1978 if (($9.flags.b1 & parse_flags("S")) == 0 &&
1979 $8.src_os) {
1980 yyerror("OS fingerprinting requires "
1981 "the SYN TCP flag (flags S/SA)");
1982 YYERROR;
1983 }
1984 #endif
1985 }
1986
1987 r.tos = $9.tos;
1988
1989 if (filter_opts.marker & FOM_KEEP) {
1990 r.keep_state = $9.keep.action;
1991 o = $9.keep.options;
1992 dofree = 1;
1993 } else if (r.action == PF_PASS) {
1994 r.keep_state = default_keeppolicy_action;
1995 o = default_keeppolicy_options;
1996 dofree = 0;
1997 } else {
1998 o = NULL;
1999 dofree = 0;
2000 }
2001 while (o) {
2002 struct node_state_opt *p = o;
2003
2004 switch (o->type) {
2005 case PF_STATE_OPT_MAX:
2006 if (r.max_states) {
2007 yyerror("state option 'max' "
2008 "multiple definitions");
2009 YYERROR;
2010 }
2011 r.max_states = o->data.max_states;
2012 break;
2013 case PF_STATE_OPT_NOSYNC:
2014 if (r.rule_flag & PFRULE_NOSYNC) {
2015 yyerror("state option 'sync' "
2016 "multiple definitions");
2017 YYERROR;
2018 }
2019 r.rule_flag |= PFRULE_NOSYNC;
2020 break;
2021 case PF_STATE_OPT_SRCTRACK:
2022 if (srctrack) {
2023 yyerror("state option "
2024 "'source-track' "
2025 "multiple definitions");
2026 YYERROR;
2027 }
2028 srctrack = o->data.src_track;
2029 r.rule_flag |= PFRULE_SRCTRACK;
2030 break;
2031 case PF_STATE_OPT_MAX_SRC_STATES:
2032 if (r.max_src_states) {
2033 yyerror("state option "
2034 "'max-src-states' "
2035 "multiple definitions");
2036 YYERROR;
2037 }
2038 if (o->data.max_src_states == 0) {
2039 yyerror("'max-src-states' must "
2040 "be > 0");
2041 YYERROR;
2042 }
2043 r.max_src_states =
2044 o->data.max_src_states;
2045 r.rule_flag |= PFRULE_SRCTRACK;
2046 break;
2047 case PF_STATE_OPT_OVERLOAD:
2048 if (r.overload_tblname[0]) {
2049 yyerror("multiple 'overload' "
2050 "table definitions");
2051 YYERROR;
2052 }
2053 if (strlcpy(r.overload_tblname,
2054 o->data.overload.tblname,
2055 PF_TABLE_NAME_SIZE) >=
2056 PF_TABLE_NAME_SIZE) {
2057 yyerror("state option: "
2058 "strlcpy");
2059 YYERROR;
2060 }
2061 r.flush = o->data.overload.flush;
2062 break;
2063 case PF_STATE_OPT_MAX_SRC_CONN:
2064 if (r.max_src_conn) {
2065 yyerror("state option "
2066 "'max-src-conn' "
2067 "multiple definitions");
2068 YYERROR;
2069 }
2070 if (o->data.max_src_conn == 0) {
2071 yyerror("'max-src-conn' "
2072 "must be > 0");
2073 YYERROR;
2074 }
2075 r.max_src_conn =
2076 o->data.max_src_conn;
2077 r.rule_flag |= PFRULE_SRCTRACK |
2078 PFRULE_RULESRCTRACK;
2079 break;
2080 case PF_STATE_OPT_MAX_SRC_CONN_RATE:
2081 if (r.max_src_conn_rate.limit) {
2082 yyerror("state option "
2083 "'max-src-conn-rate' "
2084 "multiple definitions");
2085 YYERROR;
2086 }
2087 if (!o->data.max_src_conn_rate.limit ||
2088 !o->data.max_src_conn_rate.seconds) {
2089 yyerror("'max-src-conn-rate' "
2090 "values must be > 0");
2091 YYERROR;
2092 }
2093 if (o->data.max_src_conn_rate.limit >
2094 PF_THRESHOLD_MAX) {
2095 yyerror("'max-src-conn-rate' "
2096 "maximum rate must be < %u",
2097 PF_THRESHOLD_MAX);
2098 YYERROR;
2099 }
2100 r.max_src_conn_rate.limit =
2101 o->data.max_src_conn_rate.limit;
2102 r.max_src_conn_rate.seconds =
2103 o->data.max_src_conn_rate.seconds;
2104 r.rule_flag |= PFRULE_SRCTRACK |
2105 PFRULE_RULESRCTRACK;
2106 break;
2107 case PF_STATE_OPT_MAX_SRC_NODES:
2108 if (r.max_src_nodes) {
2109 yyerror("state option "
2110 "'max-src-nodes' "
2111 "multiple definitions");
2112 YYERROR;
2113 }
2114 if (o->data.max_src_nodes == 0) {
2115 yyerror("'max-src-nodes' must "
2116 "be > 0");
2117 YYERROR;
2118 }
2119 r.max_src_nodes =
2120 o->data.max_src_nodes;
2121 r.rule_flag |= PFRULE_SRCTRACK |
2122 PFRULE_RULESRCTRACK;
2123 break;
2124 case PF_STATE_OPT_STATELOCK:
2125 if (statelock) {
2126 yyerror("state locking option: "
2127 "multiple definitions");
2128 YYERROR;
2129 }
2130 statelock = 1;
2131 r.rule_flag |= o->data.statelock;
2132 break;
2133 case PF_STATE_OPT_SLOPPY:
2134 if (r.rule_flag & PFRULE_STATESLOPPY) {
2135 yyerror("state sloppy option: "
2136 "multiple definitions");
2137 YYERROR;
2138 }
2139 r.rule_flag |= PFRULE_STATESLOPPY;
2140 break;
2141 case PF_STATE_OPT_TIMEOUT:
2142 if (o->data.timeout.number ==
2143 PFTM_ADAPTIVE_START ||
2144 o->data.timeout.number ==
2145 PFTM_ADAPTIVE_END)
2146 adaptive = 1;
2147 if (r.timeout[o->data.timeout.number]) {
2148 yyerror("state timeout %s "
2149 "multiple definitions",
2150 pf_timeouts[o->data.
2151 timeout.number].name);
2152 YYERROR;
2153 }
2154 r.timeout[o->data.timeout.number] =
2155 o->data.timeout.seconds;
2156 break;
2157 case PF_STATE_OPT_PICKUPS:
2158 r.pickup_mode = o->data.pickup_mode;
2159 break;
2160 }
2161 o = o->next;
2162 if (dofree)
2163 free(p);
2164 }
2165
2166 #if 0
2167 /* 'flags S/SA' by default on stateful rules */
2168 if (!r.action && !r.flags && !r.flagset &&
2169 !$9.fragment && !($9.marker & FOM_FLAGS) &&
2170 r.keep_state) {
2171 r.flags = parse_flags("S");
2172 r.flagset = parse_flags("SA");
2173 }
2174 #endif
2175 if (!adaptive && r.max_states) {
2176 r.timeout[PFTM_ADAPTIVE_START] =
2177 (r.max_states / 10) * 6;
2178 r.timeout[PFTM_ADAPTIVE_END] =
2179 (r.max_states / 10) * 12;
2180 }
2181 if (r.rule_flag & PFRULE_SRCTRACK) {
2182 if (srctrack == PF_SRCTRACK_GLOBAL &&
2183 r.max_src_nodes) {
2184 yyerror("'max-src-nodes' is "
2185 "incompatible with "
2186 "'source-track global'");
2187 YYERROR;
2188 }
2189 if (srctrack == PF_SRCTRACK_GLOBAL &&
2190 r.max_src_conn) {
2191 yyerror("'max-src-conn' is "
2192 "incompatible with "
2193 "'source-track global'");
2194 YYERROR;
2195 }
2196 if (srctrack == PF_SRCTRACK_GLOBAL &&
2197 r.max_src_conn_rate.seconds) {
2198 yyerror("'max-src-conn-rate' is "
2199 "incompatible with "
2200 "'source-track global'");
2201 YYERROR;
2202 }
2203 if (r.timeout[PFTM_SRC_NODE] <
2204 r.max_src_conn_rate.seconds)
2205 r.timeout[PFTM_SRC_NODE] =
2206 r.max_src_conn_rate.seconds;
2207 r.rule_flag |= PFRULE_SRCTRACK;
2208 if (srctrack == PF_SRCTRACK_RULE)
2209 r.rule_flag |= PFRULE_RULESRCTRACK;
2210 }
2211 if (r.keep_state && !statelock)
2212 r.rule_flag |= default_statelock;
2213
2214 if ($9.fragment)
2215 r.rule_flag |= PFRULE_FRAGMENT;
2216 r.allow_opts = $9.allowopts;
2217
2218 decide_address_family($8.src.host, &r.af);
2219 decide_address_family($8.dst.host, &r.af);
2220
2221 if ($5.rt) {
2222 if (!r.direction) {
2223 yyerror("direction must be explicit "
2224 "with rules that specify routing");
2225 YYERROR;
2226 }
2227 r.rt = $5.rt;
2228 r.rpool.opts = $5.pool_opts;
2229 if ($5.key != NULL)
2230 memcpy(&r.rpool.key, $5.key,
2231 sizeof(struct pf_poolhashkey));
2232 }
2233 if (r.rt && r.rt != PF_FASTROUTE) {
2234 decide_address_family($5.host, &r.af);
2235 remove_invalid_hosts(&$5.host, &r.af);
2236 if ($5.host == NULL) {
2237 yyerror("no routing address with "
2238 "matching address family found.");
2239 YYERROR;
2240 }
2241 if ((r.rpool.opts & PF_POOL_TYPEMASK) ==
2242 PF_POOL_NONE && ($5.host->next != NULL ||
2243 $5.host->addr.type == PF_ADDR_TABLE ||
2244 DYNIF_MULTIADDR($5.host->addr)))
2245 r.rpool.opts |= PF_POOL_ROUNDROBIN;
2246 if ((r.rpool.opts & PF_POOL_TYPEMASK) !=
2247 PF_POOL_ROUNDROBIN &&
2248 disallow_table($5.host, "tables are only "
2249 "supported in round-robin routing pools"))
2250 YYERROR;
2251 if ((r.rpool.opts & PF_POOL_TYPEMASK) !=
2252 PF_POOL_ROUNDROBIN &&
2253 disallow_alias($5.host, "interface (%s) "
2254 "is only supported in round-robin "
2255 "routing pools"))
2256 YYERROR;
2257 if ($5.host->next != NULL) {
2258 if ((r.rpool.opts & PF_POOL_TYPEMASK) !=
2259 PF_POOL_ROUNDROBIN) {
2260 yyerror("r.rpool.opts must "
2261 "be PF_POOL_ROUNDROBIN");
2262 YYERROR;
2263 }
2264 }
2265 }
2266 if ($9.queues.qname != NULL) {
2267 if (strlcpy(r.qname, $9.queues.qname,
2268 sizeof(r.qname)) >= sizeof(r.qname)) {
2269 yyerror("rule qname too long (max "
2270 "%zd chars)", sizeof(r.qname)-1);
2271 YYERROR;
2272 }
2273 free($9.queues.qname);
2274 }
2275 if ($9.queues.pqname != NULL) {
2276 if (strlcpy(r.pqname, $9.queues.pqname,
2277 sizeof(r.pqname)) >= sizeof(r.pqname)) {
2278 yyerror("rule pqname too long (max "
2279 "%zd chars)", sizeof(r.pqname)-1);
2280 YYERROR;
2281 }
2282 free($9.queues.pqname);
2283 }
2284 if ((r.divert.port = $9.divert.port)) {
2285 if (r.direction == PF_OUT) {
2286 if ($9.divert.addr) {
2287 yyerror("address specified "
2288 "for outgoing divert");
2289 YYERROR;
2290 }
2291 bzero(&r.divert.addr,
2292 sizeof(r.divert.addr));
2293 } else {
2294 if (!$9.divert.addr) {
2295 yyerror("no address specified "
2296 "for incoming divert");
2297 YYERROR;
2298 }
2299 if ($9.divert.addr->af != r.af) {
2300 yyerror("address family "
2301 "mismatch for divert");
2302 YYERROR;
2303 }
2304 r.divert.addr =
2305 $9.divert.addr->addr.v.a.addr;
2306 }
2307 }
2308
2309 expand_rule(&r, $4, $5.host, $7, $8.src_os,
2310 $8.src.host, $8.src.port, $8.dst.host, $8.dst.port,
2311 $9.uid, $9.gid, $9.icmpspec, "");
2312 }
2313 ;
2314
2315 filter_opts : {
2316 bzero(&filter_opts, sizeof filter_opts);
2317 filter_opts.rtableid = -1;
2318 }
2319 filter_opts_l
2320 { $$ = filter_opts; }
2321 | /* empty */ {
2322 bzero(&filter_opts, sizeof filter_opts);
2323 filter_opts.rtableid = -1;
2324 $$ = filter_opts;
2325 }
2326 ;
2327
2328 filter_opts_l : filter_opts_l filter_opt
2329 | filter_opt
2330 ;
2331
2332 filter_opt : USER uids {
2333 if (filter_opts.uid)
2334 $2->tail->next = filter_opts.uid;
2335 filter_opts.uid = $2;
2336 }
2337 | GROUP gids {
2338 if (filter_opts.gid)
2339 $2->tail->next = filter_opts.gid;
2340 filter_opts.gid = $2;
2341 }
2342 | flags {
2343 if (filter_opts.marker & FOM_FLAGS) {
2344 yyerror("flags cannot be redefined");
2345 YYERROR;
2346 }
2347 filter_opts.marker |= FOM_FLAGS;
2348 filter_opts.flags.b1 |= $1.b1;
2349 filter_opts.flags.b2 |= $1.b2;
2350 filter_opts.flags.w |= $1.w;
2351 filter_opts.flags.w2 |= $1.w2;
2352 }
2353 | icmpspec {
2354 if (filter_opts.marker & FOM_ICMP) {
2355 yyerror("icmp-type cannot be redefined");
2356 YYERROR;
2357 }
2358 filter_opts.marker |= FOM_ICMP;
2359 filter_opts.icmpspec = $1;
2360 }
2361 | TOS tos {
2362 if (filter_opts.marker & FOM_TOS) {
2363 yyerror("tos cannot be redefined");
2364 YYERROR;
2365 }
2366 filter_opts.marker |= FOM_TOS;
2367 filter_opts.tos = $2;
2368 }
2369 | keep {
2370 if (filter_opts.marker & FOM_KEEP) {
2371 yyerror("modulate or keep cannot be redefined");
2372 YYERROR;
2373 }
2374 filter_opts.marker |= FOM_KEEP;
2375 filter_opts.keep.action = $1.action;
2376 filter_opts.keep.options = $1.options;
2377 }
2378 | FRAGMENT {
2379 filter_opts.fragment = 1;
2380 }
2381 | ALLOWOPTS {
2382 filter_opts.allowopts = 1;
2383 }
2384 | label {
2385 if (filter_opts.label) {
2386 yyerror("label cannot be redefined");
2387 YYERROR;
2388 }
2389 filter_opts.label = $1;
2390 }
2391 | qname {
2392 if (filter_opts.queues.qname) {
2393 yyerror("queue cannot be redefined");
2394 YYERROR;
2395 }
2396 filter_opts.queues = $1;
2397 }
2398 | TAG string {
2399 filter_opts.tag = $2;
2400 }
2401 | not TAGGED string {
2402 filter_opts.match_tag = $3;
2403 filter_opts.match_tag_not = $1;
2404 }
2405 | PROBABILITY probability {
2406 double p;
2407
2408 p = floor($2 * UINT_MAX + 0.5);
2409 if (p < 0.0 || p > UINT_MAX) {
2410 yyerror("invalid probability: %lf", p);
2411 YYERROR;
2412 }
2413 filter_opts.prob = (u_int32_t)p;
2414 if (filter_opts.prob == 0)
2415 filter_opts.prob = 1;
2416 }
2417 | RTABLE NUMBER {
2418 filter_opts.rtableid = $2;
2419 }
2420 | DIVERTTO STRING PORT portplain {
2421 if ((filter_opts.divert.addr = host($2)) == NULL) {
2422 yyerror("could not parse divert address: %s",
2423 $2);
2424 free($2);
2425 YYERROR;
2426 }
2427 free($2);
2428 filter_opts.divert.port = $4.a;
2429 if (!filter_opts.divert.port) {
2430 yyerror("invalid divert port: %u", ntohs($4.a));
2431 YYERROR;
2432 }
2433 }
2434 | DIVERTREPLY {
2435 filter_opts.divert.port = 1; /* some random value */
2436 }
2437 ;
2438
2439 probability : STRING {
2440 char *e;
2441 double p = strtod($1, &e);
2442
2443 if (*e == '%') {
2444 p *= 0.01;
2445 e++;
2446 }
2447 if (*e) {
2448 yyerror("invalid probability: %s", $1);
2449 free($1);
2450 YYERROR;
2451 }
2452 free($1);
2453 $$ = p;
2454 }
2455 | NUMBER {
2456 $$ = (double)$1;
2457 }
2458 ;
2459
2460
2461 action : PASS { $$.b1 = PF_PASS; $$.b2 = $$.w = 0; }
2462 | BLOCK blockspec { $$ = $2; $$.b1 = PF_DROP; }
2463 ;
2464
2465 blockspec : /* empty */ {
2466 $$.b2 = blockpolicy;
2467 $$.w = returnicmpdefault;
2468 $$.w2 = returnicmp6default;
2469 }
2470 | DROP {
2471 $$.b2 = PFRULE_DROP;
2472 $$.w = 0;
2473 $$.w2 = 0;
2474 }
2475 | RETURNRST {
2476 $$.b2 = PFRULE_RETURNRST;
2477 $$.w = 0;
2478 $$.w2 = 0;
2479 }
2480 | RETURNRST '(' TTL NUMBER ')' {
2481 if ($4 < 0 || $4 > 255) {
2482 yyerror("illegal ttl value %" PRId64, $4);
2483 YYERROR;
2484 }
2485 $$.b2 = PFRULE_RETURNRST;
2486 $$.w = $4;
2487 $$.w2 = 0;
2488 }
2489 | RETURNICMP {
2490 $$.b2 = PFRULE_RETURNICMP;
2491 $$.w = returnicmpdefault;
2492 $$.w2 = returnicmp6default;
2493 }
2494 | RETURNICMP6 {
2495 $$.b2 = PFRULE_RETURNICMP;
2496 $$.w = returnicmpdefault;
2497 $$.w2 = returnicmp6default;
2498 }
2499 | RETURNICMP '(' reticmpspec ')' {
2500 $$.b2 = PFRULE_RETURNICMP;
2501 $$.w = $3;
2502 $$.w2 = returnicmpdefault;
2503 }
2504 | RETURNICMP6 '(' reticmp6spec ')' {
2505 $$.b2 = PFRULE_RETURNICMP;
2506 $$.w = returnicmpdefault;
2507 $$.w2 = $3;
2508 }
2509 | RETURNICMP '(' reticmpspec comma reticmp6spec ')' {
2510 $$.b2 = PFRULE_RETURNICMP;
2511 $$.w = $3;
2512 $$.w2 = $5;
2513 }
2514 | RETURN {
2515 $$.b2 = PFRULE_RETURN;
2516 $$.w = returnicmpdefault;
2517 $$.w2 = returnicmp6default;
2518 }
2519 ;
2520
2521 reticmpspec : STRING {
2522 if (!($$ = parseicmpspec($1, AF_INET))) {
2523 free($1);
2524 YYERROR;
2525 }
2526 free($1);
2527 }
2528 | NUMBER {
2529 u_int8_t icmptype;
2530
2531 if ($1 < 0 || $1 > 255) {
2532 yyerror("invalid icmp code %" PRId64, $1);
2533 YYERROR;
2534 }
2535 icmptype = returnicmpdefault >> 8;
2536 $$ = (icmptype << 8 | $1);
2537 }
2538 ;
2539
2540 reticmp6spec : STRING {
2541 if (!($$ = parseicmpspec($1, AF_INET6))) {
2542 free($1);
2543 YYERROR;
2544 }
2545 free($1);
2546 }
2547 | NUMBER {
2548 u_int8_t icmptype;
2549
2550 if ($1 < 0 || $1 > 255) {
2551 yyerror("invalid icmp code %" PRId64, $1);
2552 YYERROR;
2553 }
2554 icmptype = returnicmp6default >> 8;
2555 $$ = (icmptype << 8 | $1);
2556 }
2557 ;
2558
2559 dir : /* empty */ { $$ = PF_INOUT; }
2560 | IN { $$ = PF_IN; }
2561 | OUT { $$ = PF_OUT; }
2562 ;
2563
2564 quick : /* empty */ { $$.quick = 0; }
2565 | QUICK { $$.quick = 1; }
2566 ;
2567
2568 logquick : /* empty */ { $$.log = 0; $$.quick = 0; $$.logif = 0; }
2569 | log { $$ = $1; $$.quick = 0; }
2570 | QUICK { $$.quick = 1; $$.log = 0; $$.logif = 0; }
2571 | log QUICK { $$ = $1; $$.quick = 1; }
2572 | QUICK log { $$ = $2; $$.quick = 1; }
2573 ;
2574
2575 log : LOG { $$.log = PF_LOG; $$.logif = 0; }
2576 | LOG '(' logopts ')' {
2577 $$.log = PF_LOG | $3.log;
2578 $$.logif = $3.logif;
2579 }
2580 ;
2581
2582 logopts : logopt { $$ = $1; }
2583 | logopts comma logopt {
2584 $$.log = $1.log | $3.log;
2585 $$.logif = $3.logif;
2586 if ($$.logif == 0)
2587 $$.logif = $1.logif;
2588 }
2589 ;
2590
2591 logopt : ALL { $$.log = PF_LOG_ALL; $$.logif = 0; }
2592 | USER { $$.log = PF_LOG_SOCKET_LOOKUP; $$.logif = 0; }
2593 | GROUP { $$.log = PF_LOG_SOCKET_LOOKUP; $$.logif = 0; }
2594 | TO string {
2595 const char *errstr;
2596 u_int i;
2597
2598 $$.log = 0;
2599 if (strncmp($2, "pflog", 5)) {
2600 yyerror("%s: should be a pflog interface", $2);
2601 free($2);
2602 YYERROR;
2603 }
2604 i = strtonum($2 + 5, 0, 255, &errstr);
2605 if (errstr) {
2606 yyerror("%s: %s", $2, errstr);
2607 free($2);
2608 YYERROR;
2609 }
2610 free($2);
2611 $$.logif = i;
2612 }
2613 ;
2614
2615 interface : /* empty */ { $$ = NULL; }
2616 | ON if_item_not { $$ = $2; }
2617 | ON '{' optnl if_list '}' { $$ = $4; }
2618 ;
2619
2620 if_list : if_item_not optnl { $$ = $1; }
2621 | if_list comma if_item_not optnl {
2622 $1->tail->next = $3;
2623 $1->tail = $3;
2624 $$ = $1;
2625 }
2626 ;
2627
2628 if_item_not : not if_item { $$ = $2; $$->not = $1; }
2629 ;
2630
2631 if_item : STRING {
2632 struct node_host *n;
2633
2634 $$ = calloc(1, sizeof(struct node_if));
2635 if ($$ == NULL)
2636 err(1, "if_item: calloc");
2637 if (strlcpy($$->ifname, $1, sizeof($$->ifname)) >=
2638 sizeof($$->ifname)) {
2639 free($1);
2640 free($$);
2641 yyerror("interface name too long");
2642 YYERROR;
2643 }
2644
2645 if ((n = ifa_exists($1)) != NULL)
2646 $$->ifa_flags = n->ifa_flags;
2647
2648 free($1);
2649 $$->not = 0;
2650 $$->next = NULL;
2651 $$->tail = $$;
2652 }
2653 ;
2654
2655 af : /* empty */ { $$ = 0; }
2656 | INET { $$ = AF_INET; }
2657 | INET6 { $$ = AF_INET6; }
2658 ;
2659
2660 proto : /* empty */ { $$ = NULL; }
2661 | PROTO proto_item { $$ = $2; }
2662 | PROTO '{' optnl proto_list '}' { $$ = $4; }
2663 ;
2664
2665 proto_list : proto_item optnl { $$ = $1; }
2666 | proto_list comma proto_item optnl {
2667 $1->tail->next = $3;
2668 $1->tail = $3;
2669 $$ = $1;
2670 }
2671 ;
2672
2673 proto_item : protoval {
2674 u_int8_t pr;
2675
2676 pr = (u_int8_t)$1;
2677 if (pr == 0) {
2678 yyerror("proto 0 cannot be used");
2679 YYERROR;
2680 }
2681 $$ = calloc(1, sizeof(struct node_proto));
2682 if ($$ == NULL)
2683 err(1, "proto_item: calloc");
2684 $$->proto = pr;
2685 $$->next = NULL;
2686 $$->tail = $$;
2687 }
2688 ;
2689
2690 protoval : STRING {
2691 struct protoent *p;
2692
2693 p = getprotobyname($1);
2694 if (p == NULL) {
2695 yyerror("unknown protocol %s", $1);
2696 free($1);
2697 YYERROR;
2698 }
2699 $$ = p->p_proto;
2700 free($1);
2701 }
2702 | NUMBER {
2703 if ($1 < 0 || $1 > 255) {
2704 yyerror("protocol outside range");
2705 YYERROR;
2706 }
2707 }
2708 ;
2709
2710 fromto : ALL {
2711 $$.src.host = NULL;
2712 $$.src.port = NULL;
2713 $$.dst.host = NULL;
2714 $$.dst.port = NULL;
2715 $$.src_os = NULL;
2716 }
2717 | from os to {
2718 $$.src = $1;
2719 $$.src_os = $2;
2720 $$.dst = $3;
2721 }
2722 ;
2723
2724 os : /* empty */ { $$ = NULL; }
2725 | OS xos { $$ = $2; }
2726 | OS '{' optnl os_list '}' { $$ = $4; }
2727 ;
2728
2729 xos : STRING {
2730 $$ = calloc(1, sizeof(struct node_os));
2731 if ($$ == NULL)
2732 err(1, "os: calloc");
2733 $$->os = $1;
2734 $$->tail = $$;
2735 }
2736 ;
2737
2738 os_list : xos optnl { $$ = $1; }
2739 | os_list comma xos optnl {
2740 $1->tail->next = $3;
2741 $1->tail = $3;
2742 $$ = $1;
2743 }
2744 ;
2745
2746 from : /* empty */ {
2747 $$.host = NULL;
2748 $$.port = NULL;
2749 }
2750 | FROM ipportspec {
2751 $$ = $2;
2752 }
2753 ;
2754
2755 to : /* empty */ {
2756 $$.host = NULL;
2757 $$.port = NULL;
2758 }
2759 | TO ipportspec {
2760 if (disallow_urpf_failed($2.host, "\"urpf-failed\" is "
2761 "not permitted in a destination address"))
2762 YYERROR;
2763 $$ = $2;
2764 }
2765 ;
2766
2767 ipportspec : ipspec {
2768 $$.host = $1;
2769 $$.port = NULL;
2770 }
2771 | ipspec PORT portspec {
2772 $$.host = $1;
2773 $$.port = $3;
2774 }
2775 | PORT portspec {
2776 $$.host = NULL;
2777 $$.port = $2;
2778 }
2779 ;
2780
2781 optnl : '\n' optnl
2782 |
2783 ;
2784
2785 ipspec : ANY { $$ = NULL; }
2786 | xhost { $$ = $1; }
2787 | '{' optnl host_list '}' { $$ = $3; }
2788 ;
2789
2790 toipspec : TO ipspec { $$ = $2; }
2791 | /* empty */ { $$ = NULL; }
2792 ;
2793
2794 host_list : ipspec optnl { $$ = $1; }
2795 | host_list comma ipspec optnl {
2796 if ($3 == NULL)
2797 $$ = $1;
2798 else if ($1 == NULL)
2799 $$ = $3;
2800 else {
2801 $1->tail->next = $3;
2802 $1->tail = $3->tail;
2803 $$ = $1;
2804 }
2805 }
2806 ;
2807
2808 xhost : not host {
2809 struct node_host *n;
2810
2811 for (n = $2; n != NULL; n = n->next)
2812 n->not = $1;
2813 $$ = $2;
2814 }
2815 | not NOROUTE {
2816 $$ = calloc(1, sizeof(struct node_host));
2817 if ($$ == NULL)
2818 err(1, "xhost: calloc");
2819 $$->addr.type = PF_ADDR_NOROUTE;
2820 $$->next = NULL;
2821 $$->not = $1;
2822 $$->tail = $$;
2823 }
2824 | not URPFFAILED {
2825 $$ = calloc(1, sizeof(struct node_host));
2826 if ($$ == NULL)
2827 err(1, "xhost: calloc");
2828 $$->addr.type = PF_ADDR_URPFFAILED;
2829 $$->next = NULL;
2830 $$->not = $1;
2831 $$->tail = $$;
2832 }
2833 ;
2834
2835 host : STRING {
2836 if (($$ = host($1)) == NULL) {
2837 /* error. "any" is handled elsewhere */
2838 free($1);
2839 yyerror("could not parse host specification");
2840 YYERROR;
2841 }
2842 free($1);
2843
2844 }
2845 | STRING '-' STRING {
2846 struct node_host *b, *e;
2847
2848 if ((b = host($1)) == NULL || (e = host($3)) == NULL) {
2849 free($1);
2850 free($3);
2851 yyerror("could not parse host specification");
2852 YYERROR;
2853 }
2854 if (b->af != e->af ||
2855 b->addr.type != PF_ADDR_ADDRMASK ||
2856 e->addr.type != PF_ADDR_ADDRMASK ||
2857 unmask(&b->addr.v.a.mask, b->af) !=
2858 (b->af == AF_INET ? 32 : 128) ||
2859 unmask(&e->addr.v.a.mask, e->af) !=
2860 (e->af == AF_INET ? 32 : 128) ||
2861 b->next != NULL || b->not ||
2862 e->next != NULL || e->not) {
2863 free(b);
2864 free(e);
2865 free($1);
2866 free($3);
2867 yyerror("invalid address range");
2868 YYERROR;
2869 }
2870 memcpy(&b->addr.v.a.mask, &e->addr.v.a.addr,
2871 sizeof(b->addr.v.a.mask));
2872 b->addr.type = PF_ADDR_RANGE;
2873 $$ = b;
2874 free(e);
2875 free($1);
2876 free($3);
2877 }
2878 | STRING '/' NUMBER {
2879 char *buf;
2880
2881 if (asprintf(&buf, "%s/%" PRId64, $1, $3) == -1)
2882 err(1, "host: asprintf");
2883 free($1);
2884 if (($$ = host(buf)) == NULL) {
2885 /* error. "any" is handled elsewhere */
2886 free(buf);
2887 yyerror("could not parse host specification");
2888 YYERROR;
2889 }
2890 free(buf);
2891 }
2892 | NUMBER '/' NUMBER {
2893 char *buf;
2894
2895 /* ie. for 10/8 parsing */
2896 if (asprintf(&buf, "%" PRId64 "/%" PRId64, $1, $3) == -1)
2897 err(1, "host: asprintf");
2898 if (($$ = host(buf)) == NULL) {
2899 /* error. "any" is handled elsewhere */
2900 free(buf);
2901 yyerror("could not parse host specification");
2902 YYERROR;
2903 }
2904 free(buf);
2905 }
2906 | dynaddr
2907 | dynaddr '/' NUMBER {
2908 struct node_host *n;
2909
2910 if ($3 < 0 || $3 > 128) {
2911 yyerror("bit number too big");
2912 YYERROR;
2913 }
2914 $$ = $1;
2915 for (n = $1; n != NULL; n = n->next)
2916 set_ipmask(n, $3);
2917 }
2918 | '<' STRING '>' {
2919 if (strlen($2) >= PF_TABLE_NAME_SIZE) {
2920 yyerror("table name '%s' too long", $2);
2921 free($2);
2922 YYERROR;
2923 }
2924 $$ = calloc(1, sizeof(struct node_host));
2925 if ($$ == NULL)
2926 err(1, "host: calloc");
2927 $$->addr.type = PF_ADDR_TABLE;
2928 if (strlcpy($$->addr.v.tblname, $2,
2929 sizeof($$->addr.v.tblname)) >=
2930 sizeof($$->addr.v.tblname))
2931 errx(1, "host: strlcpy");
2932 free($2);
2933 $$->next = NULL;
2934 $$->tail = $$;
2935 }
2936 | ROUTE STRING {
2937 $$ = calloc(1, sizeof(struct node_host));
2938 if ($$ == NULL) {
2939 free($2);
2940 err(1, "host: calloc");
2941 }
2942 $$->addr.type = PF_ADDR_RTLABEL;
2943 if (strlcpy($$->addr.v.rtlabelname, $2,
2944 sizeof($$->addr.v.rtlabelname)) >=
2945 sizeof($$->addr.v.rtlabelname)) {
2946 yyerror("route label too long, max %zd chars",
2947 sizeof($$->addr.v.rtlabelname) - 1);
2948 free($2);
2949 free($$);
2950 YYERROR;
2951 }
2952 $$->next = NULL;
2953 $$->tail = $$;
2954 free($2);
2955 }
2956 ;
2957
2958 number : NUMBER
2959 | STRING {
2960 u_long ulval;
2961
2962 if (atoul($1, &ulval) == -1) {
2963 yyerror("%s is not a number", $1);
2964 free($1);
2965 YYERROR;
2966 } else
2967 $$ = ulval;
2968 free($1);
2969 }
2970 ;
2971
2972 dynaddr : '(' STRING ')' {
2973 int flags = 0;
2974 char *p, *op;
2975
2976 op = $2;
2977 if (!isalpha(op[0])) {
2978 yyerror("invalid interface name '%s'", op);
2979 free(op);
2980 YYERROR;
2981 }
2982 while ((p = strrchr($2, ':')) != NULL) {
2983 if (!strcmp(p+1, "network"))
2984 flags |= PFI_AFLAG_NETWORK;
2985 else if (!strcmp(p+1, "broadcast"))
2986 flags |= PFI_AFLAG_BROADCAST;
2987 else if (!strcmp(p+1, "peer"))
2988 flags |= PFI_AFLAG_PEER;
2989 else if (!strcmp(p+1, "0"))
2990 flags |= PFI_AFLAG_NOALIAS;
2991 else {
2992 yyerror("interface %s has bad modifier",
2993 $2);
2994 free(op);
2995 YYERROR;
2996 }
2997 *p = '\0';
2998 }
2999 if (flags & (flags - 1) & PFI_AFLAG_MODEMASK) {
3000 free(op);
3001 yyerror("illegal combination of "
3002 "interface modifiers");
3003 YYERROR;
3004 }
3005 $$ = calloc(1, sizeof(struct node_host));
3006 if ($$ == NULL)
3007 err(1, "address: calloc");
3008 $$->af = 0;
3009 set_ipmask($$, 128);
3010 $$->addr.type = PF_ADDR_DYNIFTL;
3011 $$->addr.iflags = flags;
3012 if (strlcpy($$->addr.v.ifname, $2,
3013 sizeof($$->addr.v.ifname)) >=
3014 sizeof($$->addr.v.ifname)) {
3015 free(op);
3016 free($$);
3017 yyerror("interface name too long");
3018 YYERROR;
3019 }
3020 free(op);
3021 $$->next = NULL;
3022 $$->tail = $$;
3023 }
3024 ;
3025
3026 portspec : port_item { $$ = $1; }
3027 | '{' optnl port_list '}' { $$ = $3; }
3028 ;
3029
3030 port_list : port_item optnl { $$ = $1; }
3031 | port_list comma port_item optnl {
3032 $1->tail->next = $3;
3033 $1->tail = $3;
3034 $$ = $1;
3035 }
3036 ;
3037
3038 port_item : portrange {
3039 $$ = calloc(1, sizeof(struct node_port));
3040 if ($$ == NULL)
3041 err(1, "port_item: calloc");
3042 $$->port[0] = $1.a;
3043 $$->port[1] = $1.b;
3044 if ($1.t)
3045 $$->op = PF_OP_RRG;
3046 else
3047 $$->op = PF_OP_EQ;
3048 $$->next = NULL;
3049 $$->tail = $$;
3050 }
3051 | unaryop portrange {
3052 if ($2.t) {
3053 yyerror("':' cannot be used with an other "
3054 "port operator");
3055 YYERROR;
3056 }
3057 $$ = calloc(1, sizeof(struct node_port));
3058 if ($$ == NULL)
3059 err(1, "port_item: calloc");
3060 $$->port[0] = $2.a;
3061 $$->port[1] = $2.b;
3062 $$->op = $1;
3063 $$->next = NULL;
3064 $$->tail = $$;
3065 }
3066 | portrange PORTBINARY portrange {
3067 if ($1.t || $3.t) {
3068 yyerror("':' cannot be used with an other "
3069 "port operator");
3070 YYERROR;
3071 }
3072 $$ = calloc(1, sizeof(struct node_port));
3073 if ($$ == NULL)
3074 err(1, "port_item: calloc");
3075 $$->port[0] = $1.a;
3076 $$->port[1] = $3.a;
3077 $$->op = $2;
3078 $$->next = NULL;
3079 $$->tail = $$;
3080 }
3081 ;
3082
3083 portplain : numberstring {
3084 if (parseport($1, &$$, 0) == -1) {
3085 free($1);
3086 YYERROR;
3087 }
3088 free($1);
3089 }
3090 ;
3091
3092 portrange : numberstring {
3093 if (parseport($1, &$$, PPORT_RANGE) == -1) {
3094 free($1);
3095 YYERROR;
3096 }
3097 free($1);
3098 }
3099 ;
3100
3101 uids : uid_item { $$ = $1; }
3102 | '{' optnl uid_list '}' { $$ = $3; }
3103 ;
3104
3105 uid_list : uid_item optnl { $$ = $1; }
3106 | uid_list comma uid_item optnl {
3107 $1->tail->next = $3;
3108 $1->tail = $3;
3109 $$ = $1;
3110 }
3111 ;
3112
3113 uid_item : uid {
3114 $$ = calloc(1, sizeof(struct node_uid));
3115 if ($$ == NULL)
3116 err(1, "uid_item: calloc");
3117 $$->uid[0] = $1;
3118 $$->uid[1] = $1;
3119 $$->op = PF_OP_EQ;
3120 $$->next = NULL;
3121 $$->tail = $$;
3122 }
3123 | unaryop uid {
3124 if ($2 == UID_MAX && $1 != PF_OP_EQ && $1 != PF_OP_NE) {
3125 yyerror("user unknown requires operator = or "
3126 "!=");
3127 YYERROR;
3128 }
3129 $$ = calloc(1, sizeof(struct node_uid));
3130 if ($$ == NULL)
3131 err(1, "uid_item: calloc");
3132 $$->uid[0] = $2;
3133 $$->uid[1] = $2;
3134 $$->op = $1;
3135 $$->next = NULL;
3136 $$->tail = $$;
3137 }
3138 | uid PORTBINARY uid {
3139 if ($1 == UID_MAX || $3 == UID_MAX) {
3140 yyerror("user unknown requires operator = or "
3141 "!=");
3142 YYERROR;
3143 }
3144 $$ = calloc(1, sizeof(struct node_uid));
3145 if ($$ == NULL)
3146 err(1, "uid_item: calloc");
3147 $$->uid[0] = $1;
3148 $$->uid[1] = $3;
3149 $$->op = $2;
3150 $$->next = NULL;
3151 $$->tail = $$;
3152 }
3153 ;
3154
3155 uid : STRING {
3156 if (!strcmp($1, "unknown"))
3157 $$ = UID_MAX;
3158 else {
3159 struct passwd *pw;
3160
3161 if ((pw = getpwnam($1)) == NULL) {
3162 yyerror("unknown user %s", $1);
3163 free($1);
3164 YYERROR;
3165 }
3166 $$ = pw->pw_uid;
3167 }
3168 free($1);
3169 }
3170 | NUMBER {
3171 if ($1 < 0 || $1 >= UID_MAX) {
3172 yyerror("illegal uid value %" PRId64, $1);
3173 YYERROR;
3174 }
3175 $$ = $1;
3176 }
3177 ;
3178
3179 gids : gid_item { $$ = $1; }
3180 | '{' optnl gid_list '}' { $$ = $3; }
3181 ;
3182
3183 gid_list : gid_item optnl { $$ = $1; }
3184 | gid_list comma gid_item optnl {
3185 $1->tail->next = $3;
3186 $1->tail = $3;
3187 $$ = $1;
3188 }
3189 ;
3190
3191 gid_item : gid {
3192 $$ = calloc(1, sizeof(struct node_gid));
3193 if ($$ == NULL)
3194 err(1, "gid_item: calloc");
3195 $$->gid[0] = $1;
3196 $$->gid[1] = $1;
3197 $$->op = PF_OP_EQ;
3198 $$->next = NULL;
3199 $$->tail = $$;
3200 }
3201 | unaryop gid {
3202 if ($2 == GID_MAX && $1 != PF_OP_EQ && $1 != PF_OP_NE) {
3203 yyerror("group unknown requires operator = or "
3204 "!=");
3205 YYERROR;
3206 }
3207 $$ = calloc(1, sizeof(struct node_gid));
3208 if ($$ == NULL)
3209 err(1, "gid_item: calloc");
3210 $$->gid[0] = $2;
3211 $$->gid[1] = $2;
3212 $$->op = $1;
3213 $$->next = NULL;
3214 $$->tail = $$;
3215 }
3216 | gid PORTBINARY gid {
3217 if ($1 == GID_MAX || $3 == GID_MAX) {
3218 yyerror("group unknown requires operator = or "
3219 "!=");
3220 YYERROR;
3221 }
3222 $$ = calloc(1, sizeof(struct node_gid));
3223 if ($$ == NULL)
3224 err(1, "gid_item: calloc");
3225 $$->gid[0] = $1;
3226 $$->gid[1] = $3;
3227 $$->op = $2;
3228 $$->next = NULL;
3229 $$->tail = $$;
3230 }
3231 ;
3232
3233 gid : STRING {
3234 if (!strcmp($1, "unknown"))
3235 $$ = GID_MAX;
3236 else {
3237 struct group *grp;
3238
3239 if ((grp = getgrnam($1)) == NULL) {
3240 yyerror("unknown group %s", $1);
3241 free($1);
3242 YYERROR;
3243 }
3244 $$ = grp->gr_gid;
3245 }
3246 free($1);
3247 }
3248 | NUMBER {
3249 if ($1 < 0 || $1 >= GID_MAX) {
3250 yyerror("illegal gid value %" PRId64, $1);
3251 YYERROR;
3252 }
3253 $$ = $1;
3254 }
3255 ;
3256
3257 flag : STRING {
3258 int f;
3259
3260 if ((f = parse_flags($1)) < 0) {
3261 yyerror("bad flags %s", $1);
3262 free($1);
3263 YYERROR;
3264 }
3265 free($1);
3266 $$.b1 = f;
3267 }
3268 ;
3269
3270 flags : FLAGS flag '/' flag { $$.b1 = $2.b1; $$.b2 = $4.b1; }
3271 | FLAGS '/' flag { $$.b1 = 0; $$.b2 = $3.b1; }
3272 | FLAGS ANY { $$.b1 = 0; $$.b2 = 0; }
3273 ;
3274
3275 icmpspec : ICMPTYPE icmp_item { $$ = $2; }
3276 | ICMPTYPE '{' optnl icmp_list '}' { $$ = $4; }
3277 | ICMP6TYPE icmp6_item { $$ = $2; }
3278 | ICMP6TYPE '{' optnl icmp6_list '}' { $$ = $4; }
3279 ;
3280
3281 icmp_list : icmp_item optnl { $$ = $1; }
3282 | icmp_list comma icmp_item optnl {
3283 $1->tail->next = $3;
3284 $1->tail = $3;
3285 $$ = $1;
3286 }
3287 ;
3288
3289 icmp6_list : icmp6_item optnl { $$ = $1; }
3290 | icmp6_list comma icmp6_item optnl {
3291 $1->tail->next = $3;
3292 $1->tail = $3;
3293 $$ = $1;
3294 }
3295 ;
3296
3297 icmp_item : icmptype {
3298 $$ = calloc(1, sizeof(struct node_icmp));
3299 if ($$ == NULL)
3300 err(1, "icmp_item: calloc");
3301 $$->type = $1;
3302 $$->code = 0;
3303 $$->proto = IPPROTO_ICMP;
3304 $$->next = NULL;
3305 $$->tail = $$;
3306 }
3307 | icmptype CODE STRING {
3308 const struct icmpcodeent *p;
3309
3310 if ((p = geticmpcodebyname($1-1, $3, AF_INET)) == NULL) {
3311 yyerror("unknown icmp-code %s", $3);
3312 free($3);
3313 YYERROR;
3314 }
3315
3316 free($3);
3317 $$ = calloc(1, sizeof(struct node_icmp));
3318 if ($$ == NULL)
3319 err(1, "icmp_item: calloc");
3320 $$->type = $1;
3321 $$->code = p->code + 1;
3322 $$->proto = IPPROTO_ICMP;
3323 $$->next = NULL;
3324 $$->tail = $$;
3325 }
3326 | icmptype CODE NUMBER {
3327 if ($3 < 0 || $3 > 255) {
3328 yyerror("illegal icmp-code %" PRId64, $3);
3329 YYERROR;
3330 }
3331 $$ = calloc(1, sizeof(struct node_icmp));
3332 if ($$ == NULL)
3333 err(1, "icmp_item: calloc");
3334 $$->type = $1;
3335 $$->code = $3 + 1;
3336 $$->proto = IPPROTO_ICMP;
3337 $$->next = NULL;
3338 $$->tail = $$;
3339 }
3340 ;
3341
3342 icmp6_item : icmp6type {
3343 $$ = calloc(1, sizeof(struct node_icmp));
3344 if ($$ == NULL)
3345 err(1, "icmp_item: calloc");
3346 $$->type = $1;
3347 $$->code = 0;
3348 $$->proto = IPPROTO_ICMPV6;
3349 $$->next = NULL;
3350 $$->tail = $$;
3351 }
3352 | icmp6type CODE STRING {
3353 const struct icmpcodeent *p;
3354
3355 if ((p = geticmpcodebyname($1-1, $3, AF_INET6)) == NULL) {
3356 yyerror("unknown icmp6-code %s", $3);
3357 free($3);
3358 YYERROR;
3359 }
3360 free($3);
3361
3362 $$ = calloc(1, sizeof(struct node_icmp));
3363 if ($$ == NULL)
3364 err(1, "icmp_item: calloc");
3365 $$->type = $1;
3366 $$->code = p->code + 1;
3367 $$->proto = IPPROTO_ICMPV6;
3368 $$->next = NULL;
3369 $$->tail = $$;
3370 }
3371 | icmp6type CODE NUMBER {
3372 if ($3 < 0 || $3 > 255) {
3373 yyerror("illegal icmp-code %" PRId64, $3);
3374 YYERROR;
3375 }
3376 $$ = calloc(1, sizeof(struct node_icmp));
3377 if ($$ == NULL)
3378 err(1, "icmp_item: calloc");
3379 $$->type = $1;
3380 $$->code = $3 + 1;
3381 $$->proto = IPPROTO_ICMPV6;
3382 $$->next = NULL;
3383 $$->tail = $$;
3384 }
3385 ;
3386
3387 icmptype : STRING {
3388 const struct icmptypeent *p;
3389
3390 if ((p = geticmptypebyname($1, AF_INET)) == NULL) {
3391 yyerror("unknown icmp-type %s", $1);
3392 free($1);
3393 YYERROR;
3394 }
3395 $$ = p->type + 1;
3396 free($1);
3397 }
3398 | NUMBER {
3399 if ($1 < 0 || $1 > 255) {
3400 yyerror("illegal icmp-type %" PRId64, $1);
3401 YYERROR;
3402 }
3403 $$ = $1 + 1;
3404 }
3405 ;
3406
3407 icmp6type : STRING {
3408 const struct icmptypeent *p;
3409
3410 if ((p = geticmptypebyname($1, AF_INET6)) ==
3411 NULL) {
3412 yyerror("unknown icmp6-type %s", $1);
3413 free($1);
3414 YYERROR;
3415 }
3416 $$ = p->type + 1;
3417 free($1);
3418 }
3419 | NUMBER {
3420 if ($1 < 0 || $1 > 255) {
3421 yyerror("illegal icmp6-type %" PRId64, $1);
3422 YYERROR;
3423 }
3424 $$ = $1 + 1;
3425 }
3426 ;
3427
3428 tos : STRING {
3429 if (!strcmp($1, "lowdelay"))
3430 $$ = IPTOS_LOWDELAY;
3431 else if (!strcmp($1, "throughput"))
3432 $$ = IPTOS_THROUGHPUT;
3433 else if (!strcmp($1, "reliability"))
3434 $$ = IPTOS_RELIABILITY;
3435 else if ($1[0] == '0' && $1[1] == 'x')
3436 $$ = strtoul($1, NULL, 16);
3437 else
3438 $$ = 0; /* flag bad argument */
3439 if (!$$ || $$ > 255) {
3440 yyerror("illegal tos value %s", $1);
3441 free($1);
3442 YYERROR;
3443 }
3444 free($1);
3445 }
3446 | NUMBER {
3447 $$ = $1;
3448 if (!$$ || $$ > 255) {
3449 yyerror("illegal tos value %" PRId64, $1);
3450 YYERROR;
3451 }
3452 }
3453 ;
3454
3455 sourcetrack : SOURCETRACK { $$ = PF_SRCTRACK; }
3456 | SOURCETRACK GLOBAL { $$ = PF_SRCTRACK_GLOBAL; }
3457 | SOURCETRACK RULE { $$ = PF_SRCTRACK_RULE; }
3458 ;
3459
3460 statelock : IFBOUND {
3461 $$ = PFRULE_IFBOUND;
3462 }
3463 | FLOATING {
3464 $$ = 0;
3465 }
3466 ;
3467
3468 keep : NO STATE {
3469 $$.action = 0;
3470 $$.options = NULL;
3471 }
3472 | KEEP STATE state_opt_spec {
3473 $$.action = PF_STATE_NORMAL;
3474 $$.options = $3;
3475 }
3476 | MODULATE STATE state_opt_spec {
3477 $$.action = PF_STATE_MODULATE;
3478 $$.options = $3;
3479 }
3480 | SYNPROXY STATE state_opt_spec {
3481 $$.action = PF_STATE_SYNPROXY;
3482 $$.options = $3;
3483 }
3484 ;
3485
3486 flush : /* empty */ { $$ = 0; }
3487 | FLUSH { $$ = PF_FLUSH; }
3488 | FLUSH GLOBAL {
3489 $$ = PF_FLUSH | PF_FLUSH_GLOBAL;
3490 }
3491 ;
3492
3493 state_opt_spec : '(' state_opt_list ')' { $$ = $2; }
3494 | /* empty */ { $$ = NULL; }
3495 ;
3496
3497 state_opt_list : state_opt_item { $$ = $1; }
3498 | state_opt_list comma state_opt_item {
3499 $1->tail->next = $3;
3500 $1->tail = $3;
3501 $$ = $1;
3502 }
3503 ;
3504
3505 state_opt_item : MAXIMUM NUMBER {
3506 if ($2 < 0 || $2 > UINT_MAX) {
3507 yyerror("only positive values permitted");
3508 YYERROR;
3509 }
3510 $$ = calloc(1, sizeof(struct node_state_opt));
3511 if ($$ == NULL)
3512 err(1, "state_opt_item: calloc");
3513 $$->type = PF_STATE_OPT_MAX;
3514 $$->data.max_states = $2;
3515 $$->next = NULL;
3516 $$->tail = $$;
3517 }
3518 | NOSYNC {
3519 $$ = calloc(1, sizeof(struct node_state_opt));
3520 if ($$ == NULL)
3521 err(1, "state_opt_item: calloc");
3522 $$->type = PF_STATE_OPT_NOSYNC;
3523 $$->next = NULL;
3524 $$->tail = $$;
3525 }
3526 | MAXSRCSTATES NUMBER {
3527 if ($2 < 0 || $2 > UINT_MAX) {
3528 yyerror("only positive values permitted");
3529 YYERROR;
3530 }
3531 $$ = calloc(1, sizeof(struct node_state_opt));
3532 if ($$ == NULL)
3533 err(1, "state_opt_item: calloc");
3534 $$->type = PF_STATE_OPT_MAX_SRC_STATES;
3535 $$->data.max_src_states = $2;
3536 $$->next = NULL;
3537 $$->tail = $$;
3538 }
3539 | MAXSRCCONN NUMBER {
3540 if ($2 < 0 || $2 > UINT_MAX) {
3541 yyerror("only positive values permitted");
3542 YYERROR;
3543 }
3544 $$ = calloc(1, sizeof(struct node_state_opt));
3545 if ($$ == NULL)
3546 err(1, "state_opt_item: calloc");
3547 $$->type = PF_STATE_OPT_MAX_SRC_CONN;
3548 $$->data.max_src_conn = $2;
3549 $$->next = NULL;
3550 $$->tail = $$;
3551 }
3552 | MAXSRCCONNRATE NUMBER '/' NUMBER {
3553 if ($2 < 0 || $2 > UINT_MAX ||
3554 $4 < 0 || $4 > UINT_MAX) {
3555 yyerror("only positive values permitted");
3556 YYERROR;
3557 }
3558 $$ = calloc(1, sizeof(struct node_state_opt));
3559 if ($$ == NULL)
3560 err(1, "state_opt_item: calloc");
3561 $$->type = PF_STATE_OPT_MAX_SRC_CONN_RATE;
3562 $$->data.max_src_conn_rate.limit = $2;
3563 $$->data.max_src_conn_rate.seconds = $4;
3564 $$->next = NULL;
3565 $$->tail = $$;
3566 }
3567 | OVERLOAD '<' STRING '>' flush {
3568 if (strlen($3) >= PF_TABLE_NAME_SIZE) {
3569 yyerror("table name '%s' too long", $3);
3570 free($3);
3571 YYERROR;
3572 }
3573 $$ = calloc(1, sizeof(struct node_state_opt));
3574 if ($$ == NULL)
3575 err(1, "state_opt_item: calloc");
3576 if (strlcpy($$->data.overload.tblname, $3,
3577 PF_TABLE_NAME_SIZE) >= PF_TABLE_NAME_SIZE)
3578 errx(1, "state_opt_item: strlcpy");
3579 free($3);
3580 $$->type = PF_STATE_OPT_OVERLOAD;
3581 $$->data.overload.flush = $5;
3582 $$->next = NULL;
3583 $$->tail = $$;
3584 }
3585 | MAXSRCNODES NUMBER {
3586 if ($2 < 0 || $2 > UINT_MAX) {
3587 yyerror("only positive values permitted");
3588 YYERROR;
3589 }
3590 $$ = calloc(1, sizeof(struct node_state_opt));
3591 if ($$ == NULL)
3592 err(1, "state_opt_item: calloc");
3593 $$->type = PF_STATE_OPT_MAX_SRC_NODES;
3594 $$->data.max_src_nodes = $2;
3595 $$->next = NULL;
3596 $$->tail = $$;
3597 }
3598 | PICKUPS {
3599 $$ = calloc(1, sizeof(struct node_state_opt));
3600 if ($$ == NULL)
3601 err(1, "state_opt_item: calloc");
3602 $$->type = PF_STATE_OPT_PICKUPS;
3603 $$->data.pickup_mode = PF_PICKUPS_ENABLED;
3604 $$->next = NULL;
3605 $$->tail = $$;
3606 }
3607 | NOPICKUPS {
3608 $$ = calloc(1, sizeof(struct node_state_opt));
3609 if ($$ == NULL)
3610 err(1, "state_opt_item: calloc");
3611 $$->type = PF_STATE_OPT_PICKUPS;
3612 $$->data.pickup_mode = PF_PICKUPS_DISABLED;
3613 $$->next = NULL;
3614 $$->tail = $$;
3615 }
3616 | HASHONLY {
3617 $$ = calloc(1, sizeof(struct node_state_opt));
3618 if ($$ == NULL)
3619 err(1, "state_opt_item: calloc");
3620 $$->type = PF_STATE_OPT_PICKUPS;
3621 $$->data.pickup_mode = PF_PICKUPS_HASHONLY;
3622 $$->next = NULL;
3623 $$->tail = $$;
3624 }
3625 | sourcetrack {
3626 $$ = calloc(1, sizeof(struct node_state_opt));
3627 if ($$ == NULL)
3628 err(1, "state_opt_item: calloc");
3629 $$->type = PF_STATE_OPT_SRCTRACK;
3630 $$->data.src_track = $1;
3631 $$->next = NULL;
3632 $$->tail = $$;
3633 }
3634 | statelock {
3635 $$ = calloc(1, sizeof(struct node_state_opt));
3636 if ($$ == NULL)
3637 err(1, "state_opt_item: calloc");
3638 $$->type = PF_STATE_OPT_STATELOCK;
3639 $$->data.statelock = $1;
3640 $$->next = NULL;
3641 $$->tail = $$;
3642 }
3643 | SLOPPY {
3644 $$ = calloc(1, sizeof(struct node_state_opt));
3645 if ($$ == NULL)
3646 err(1, "state_opt_item: calloc");
3647 $$->type = PF_STATE_OPT_SLOPPY;
3648 $$->next = NULL;
3649 $$->tail = $$;
3650 }
3651 | STRING NUMBER {
3652 int i;
3653
3654 if ($2 < 0 || $2 > UINT_MAX) {
3655 yyerror("only positive values permitted");
3656 YYERROR;
3657 }
3658 for (i = 0; pf_timeouts[i].name &&
3659 strcmp(pf_timeouts[i].name, $1); ++i)
3660 ; /* nothing */
3661 if (!pf_timeouts[i].name) {
3662 yyerror("illegal timeout name %s", $1);
3663 free($1);
3664 YYERROR;
3665 }
3666 if (strchr(pf_timeouts[i].name, '.') == NULL) {
3667 yyerror("illegal state timeout %s", $1);
3668 free($1);
3669 YYERROR;
3670 }
3671 free($1);
3672 $$ = calloc(1, sizeof(struct node_state_opt));
3673 if ($$ == NULL)
3674 err(1, "state_opt_item: calloc");
3675 $$->type = PF_STATE_OPT_TIMEOUT;
3676 $$->data.timeout.number = pf_timeouts[i].timeout;
3677 $$->data.timeout.seconds = $2;
3678 $$->next = NULL;
3679 $$->tail = $$;
3680 }
3681 ;
3682
3683 label : LABEL STRING {
3684 $$ = $2;
3685 }
3686 ;
3687
3688 qname : QUEUE STRING {
3689 $$.qname = $2;
3690 $$.pqname = NULL;
3691 }
3692 | QUEUE '(' STRING ')' {
3693 $$.qname = $3;
3694 $$.pqname = NULL;
3695 }
3696 | QUEUE '(' STRING comma STRING ')' {
3697 $$.qname = $3;
3698 $$.pqname = $5;
3699 }
3700 ;
3701
3702 no : /* empty */ { $$ = 0; }
3703 | NO { $$ = 1; }
3704 ;
3705
3706 portstar : numberstring {
3707 if (parseport($1, &$$, PPORT_RANGE|PPORT_STAR) == -1) {
3708 free($1);
3709 YYERROR;
3710 }
3711 free($1);
3712 }
3713 ;
3714
3715 redirspec : host { $$ = $1; }
3716 | '{' optnl redir_host_list '}' { $$ = $3; }
3717 ;
3718
3719 redir_host_list : host optnl { $$ = $1; }
3720 | redir_host_list comma host optnl {
3721 $1->tail->next = $3;
3722 $1->tail = $3->tail;
3723 $$ = $1;
3724 }
3725 ;
3726
3727 redirpool : /* empty */ { $$ = NULL; }
3728 | ARROW redirspec {
3729 $$ = calloc(1, sizeof(struct redirection));
3730 if ($$ == NULL)
3731 err(1, "redirection: calloc");
3732 $$->host = $2;
3733 $$->rport.a = $$->rport.b = $$->rport.t = 0;
3734 }
3735 | ARROW redirspec PORT portstar {
3736 $$ = calloc(1, sizeof(struct redirection));
3737 if ($$ == NULL)
3738 err(1, "redirection: calloc");
3739 $$->host = $2;
3740 $$->rport = $4;
3741 }
3742 ;
3743
3744 hashkey : /* empty */
3745 {
3746 $$ = calloc(1, sizeof(struct pf_poolhashkey));
3747 if ($$ == NULL)
3748 err(1, "hashkey: calloc");
3749 $$->key32[0] = arc4random();
3750 $$->key32[1] = arc4random();
3751 $$->key32[2] = arc4random();
3752 $$->key32[3] = arc4random();
3753 }
3754 | string
3755 {
3756 if (!strncmp($1, "0x", 2)) {
3757 if (strlen($1) != 34) {
3758 free($1);
3759 yyerror("hex key must be 128 bits "
3760 "(32 hex digits) long");
3761 YYERROR;
3762 }
3763 $$ = calloc(1, sizeof(struct pf_poolhashkey));
3764 if ($$ == NULL)
3765 err(1, "hashkey: calloc");
3766
3767 if (sscanf($1, "0x%8x%8x%8x%8x",
3768 &$$->key32[0], &$$->key32[1],
3769 &$$->key32[2], &$$->key32[3]) != 4) {
3770 free($$);
3771 free($1);
3772 yyerror("invalid hex key");
3773 YYERROR;
3774 }
3775 } else {
3776 MD5_CTX context;
3777
3778 $$ = calloc(1, sizeof(struct pf_poolhashkey));
3779 if ($$ == NULL)
3780 err(1, "hashkey: calloc");
3781 MD5Init(&context);
3782 MD5Update(&context, (unsigned char *)$1,
3783 strlen($1));
3784 MD5Final((unsigned char *)$$, &context);
3785 $$->key32[0] = htonl($$->key32[0]);
3786 $$->key32[1] = htonl($$->key32[1]);
3787 $$->key32[2] = htonl($$->key32[2]);
3788 $$->key32[3] = htonl($$->key32[3]);
3789 }
3790 free($1);
3791 }
3792 ;
3793
3794 pool_opts : { bzero(&pool_opts, sizeof pool_opts); }
3795 pool_opts_l
3796 { $$ = pool_opts; }
3797 | /* empty */ {
3798 bzero(&pool_opts, sizeof pool_opts);
3799 $$ = pool_opts;
3800 }
3801 ;
3802
3803 pool_opts_l : pool_opts_l pool_opt
3804 | pool_opt
3805 ;
3806
3807 pool_opt : BITMASK {
3808 if (pool_opts.type) {
3809 yyerror("pool type cannot be redefined");
3810 YYERROR;
3811 }
3812 pool_opts.type = PF_POOL_BITMASK;
3813 }
3814 | RANDOM {
3815 if (pool_opts.type) {
3816 yyerror("pool type cannot be redefined");
3817 YYERROR;
3818 }
3819 pool_opts.type = PF_POOL_RANDOM;
3820 }
3821 | SOURCEHASH hashkey {
3822 if (pool_opts.type) {
3823 yyerror("pool type cannot be redefined");
3824 YYERROR;
3825 }
3826 pool_opts.type = PF_POOL_SRCHASH;
3827 pool_opts.key = $2;
3828 }
3829 | ROUNDROBIN {
3830 if (pool_opts.type) {
3831 yyerror("pool type cannot be redefined");
3832 YYERROR;
3833 }
3834 pool_opts.type = PF_POOL_ROUNDROBIN;
3835 }
3836 | STATICPORT {
3837 if (pool_opts.staticport) {
3838 yyerror("static-port cannot be redefined");
3839 YYERROR;
3840 }
3841 pool_opts.staticport = 1;
3842 }
3843 | STICKYADDRESS {
3844 if (filter_opts.marker & POM_STICKYADDRESS) {
3845 yyerror("sticky-address cannot be redefined");
3846 YYERROR;
3847 }
3848 pool_opts.marker |= POM_STICKYADDRESS;
3849 pool_opts.opts |= PF_POOL_STICKYADDR;
3850 }
3851 ;
3852
3853 redirection : /* empty */ { $$ = NULL; }
3854 | ARROW host {
3855 $$ = calloc(1, sizeof(struct redirection));
3856 if ($$ == NULL)
3857 err(1, "redirection: calloc");
3858 $$->host = $2;
3859 $$->rport.a = $$->rport.b = $$->rport.t = 0;
3860 }
3861 | ARROW host PORT portstar {
3862 $$ = calloc(1, sizeof(struct redirection));
3863 if ($$ == NULL)
3864 err(1, "redirection: calloc");
3865 $$->host = $2;
3866 $$->rport = $4;
3867 }
3868 ;
3869
3870 natpasslog : /* empty */ { $$.b1 = $$.b2 = 0; $$.w2 = 0; }
3871 | PASS { $$.b1 = 1; $$.b2 = 0; $$.w2 = 0; }
3872 | PASS log { $$.b1 = 1; $$.b2 = $2.log; $$.w2 = $2.logif; }
3873 | log { $$.b1 = 0; $$.b2 = $1.log; $$.w2 = $1.logif; }
3874 ;
3875
3876 nataction : no NAT natpasslog {
3877 if ($1 && $3.b1) {
3878 yyerror("\"pass\" not valid with \"no\"");
3879 YYERROR;
3880 }
3881 if ($1)
3882 $$.b1 = PF_NONAT;
3883 else
3884 $$.b1 = PF_NAT;
3885 $$.b2 = $3.b1;
3886 $$.w = $3.b2;
3887 $$.w2 = $3.w2;
3888 }
3889 | no RDR natpasslog {
3890 if ($1 && $3.b1) {
3891 yyerror("\"pass\" not valid with \"no\"");
3892 YYERROR;
3893 }
3894 if ($1)
3895 $$.b1 = PF_NORDR;
3896 else
3897 $$.b1 = PF_RDR;
3898 $$.b2 = $3.b1;
3899 $$.w = $3.b2;
3900 $$.w2 = $3.w2;
3901 }
3902 ;
3903
3904 natrule : nataction interface af proto fromto tag tagged rtable
3905 redirpool pool_opts
3906 {
3907 struct pf_rule r;
3908
3909 if (check_rulestate(PFCTL_STATE_NAT))
3910 YYERROR;
3911
3912 memset(&r, 0, sizeof(r));
3913
3914 r.action = $1.b1;
3915 r.natpass = $1.b2;
3916 r.log = $1.w;
3917 r.logif = $1.w2;
3918 r.af = $3;
3919
3920 if (!r.af) {
3921 if ($5.src.host && $5.src.host->af &&
3922 !$5.src.host->ifindex)
3923 r.af = $5.src.host->af;
3924 else if ($5.dst.host && $5.dst.host->af &&
3925 !$5.dst.host->ifindex)
3926 r.af = $5.dst.host->af;
3927 }
3928
3929 if ($6 != NULL)
3930 if (strlcpy(r.tagname, $6, PF_TAG_NAME_SIZE) >=
3931 PF_TAG_NAME_SIZE) {
3932 yyerror("tag too long, max %u chars",
3933 PF_TAG_NAME_SIZE - 1);
3934 YYERROR;
3935 }
3936
3937 if ($7.name)
3938 if (strlcpy(r.match_tagname, $7.name,
3939 PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) {
3940 yyerror("tag too long, max %u chars",
3941 PF_TAG_NAME_SIZE - 1);
3942 YYERROR;
3943 }
3944 r.match_tag_not = $7.neg;
3945 r.rtableid = $8;
3946
3947 if (r.action == PF_NONAT || r.action == PF_NORDR) {
3948 if ($9 != NULL) {
3949 yyerror("translation rule with 'no' "
3950 "does not need '->'");
3951 YYERROR;
3952 }
3953 } else {
3954 if ($9 == NULL || $9->host == NULL) {
3955 yyerror("translation rule requires '-> "
3956 "address'");
3957 YYERROR;
3958 }
3959 if (!r.af && ! $9->host->ifindex)
3960 r.af = $9->host->af;
3961
3962 remove_invalid_hosts(&$9->host, &r.af);
3963 if (invalid_redirect($9->host, r.af))
3964 YYERROR;
3965 if (check_netmask($9->host, r.af))
3966 YYERROR;
3967
3968 r.rpool.proxy_port[0] = ntohs($9->rport.a);
3969
3970 switch (r.action) {
3971 case PF_RDR:
3972 if (!$9->rport.b && $9->rport.t &&
3973 $5.dst.port != NULL) {
3974 r.rpool.proxy_port[1] =
3975 ntohs($9->rport.a) +
3976 (ntohs(
3977 $5.dst.port->port[1]) -
3978 ntohs(
3979 $5.dst.port->port[0]));
3980 } else
3981 r.rpool.proxy_port[1] =
3982 ntohs($9->rport.b);
3983 break;
3984 case PF_NAT:
3985 r.rpool.proxy_port[1] =
3986 ntohs($9->rport.b);
3987 if (!r.rpool.proxy_port[0] &&
3988 !r.rpool.proxy_port[1]) {
3989 r.rpool.proxy_port[0] =
3990 PF_NAT_PROXY_PORT_LOW;
3991 r.rpool.proxy_port[1] =
3992 PF_NAT_PROXY_PORT_HIGH;
3993 } else if (!r.rpool.proxy_port[1])
3994 r.rpool.proxy_port[1] =
3995 r.rpool.proxy_port[0];
3996 break;
3997 default:
3998 break;
3999 }
4000
4001 r.rpool.opts = $10.type;
4002 if ((r.rpool.opts & PF_POOL_TYPEMASK) ==
4003 PF_POOL_NONE && ($9->host->next != NULL ||
4004 $9->host->addr.type == PF_ADDR_TABLE ||
4005 DYNIF_MULTIADDR($9->host->addr)))
4006 r.rpool.opts = PF_POOL_ROUNDROBIN;
4007 if ((r.rpool.opts & PF_POOL_TYPEMASK) !=
4008 PF_POOL_ROUNDROBIN &&
4009 disallow_table($9->host, "tables are only "
4010 "supported in round-robin redirection "
4011 "pools"))
4012 YYERROR;
4013 if ((r.rpool.opts & PF_POOL_TYPEMASK) !=
4014 PF_POOL_ROUNDROBIN &&
4015 disallow_alias($9->host, "interface (%s) "
4016 "is only supported in round-robin "
4017 "redirection pools"))
4018 YYERROR;
4019 if ($9->host->next != NULL) {
4020 if ((r.rpool.opts & PF_POOL_TYPEMASK) !=
4021 PF_POOL_ROUNDROBIN) {
4022 yyerror("only round-robin "
4023 "valid for multiple "
4024 "redirection addresses");
4025 YYERROR;
4026 }
4027 }
4028 }
4029
4030 if ($10.key != NULL)
4031 memcpy(&r.rpool.key, $10.key,
4032 sizeof(struct pf_poolhashkey));
4033
4034 if ($10.opts)
4035 r.rpool.opts |= $10.opts;
4036
4037 if ($10.staticport) {
4038 if (r.action != PF_NAT) {
4039 yyerror("the 'static-port' option is "
4040 "only valid with nat rules");
4041 YYERROR;
4042 }
4043 if (r.rpool.proxy_port[0] !=
4044 PF_NAT_PROXY_PORT_LOW &&
4045 r.rpool.proxy_port[1] !=
4046 PF_NAT_PROXY_PORT_HIGH) {
4047 yyerror("the 'static-port' option can't"
4048 " be used when specifying a port"
4049 " range");
4050 YYERROR;
4051 }
4052 r.rpool.proxy_port[0] = 0;
4053 r.rpool.proxy_port[1] = 0;
4054 }
4055
4056 expand_rule(&r, $2, $9 == NULL ? NULL : $9->host, $4,
4057 $5.src_os, $5.src.host, $5.src.port, $5.dst.host,
4058 $5.dst.port, 0, 0, 0, "");
4059 free($9);
4060 }
4061 ;
4062
4063 binatrule : no BINAT natpasslog interface af proto FROM host toipspec tag
4064 tagged rtable redirection
4065 {
4066 struct pf_rule binat;
4067 struct pf_pooladdr *pa;
4068
4069 if (check_rulestate(PFCTL_STATE_NAT))
4070 YYERROR;
4071 if (disallow_urpf_failed($9, "\"urpf-failed\" is not "
4072 "permitted as a binat destination"))
4073 YYERROR;
4074
4075 memset(&binat, 0, sizeof(binat));
4076
4077 if ($1 && $3.b1) {
4078 yyerror("\"pass\" not valid with \"no\"");
4079 YYERROR;
4080 }
4081 if ($1)
4082 binat.action = PF_NOBINAT;
4083 else
4084 binat.action = PF_BINAT;
4085 binat.natpass = $3.b1;
4086 binat.log = $3.b2;
4087 binat.logif = $3.w2;
4088 binat.af = $5;
4089 if (!binat.af && $8 != NULL && $8->af)
4090 binat.af = $8->af;
4091 if (!binat.af && $9 != NULL && $9->af)
4092 binat.af = $9->af;
4093
4094 if (!binat.af && $13 != NULL && $13->host)
4095 binat.af = $13->host->af;
4096 if (!binat.af) {
4097 yyerror("address family (inet/inet6) "
4098 "undefined");
4099 YYERROR;
4100 }
4101
4102 if ($4 != NULL) {
4103 memcpy(binat.ifname, $4->ifname,
4104 sizeof(binat.ifname));
4105 binat.ifnot = $4->not;
4106 free($4);
4107 }
4108
4109 if ($10 != NULL)
4110 if (strlcpy(binat.tagname, $10,
4111 PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) {
4112 yyerror("tag too long, max %u chars",
4113 PF_TAG_NAME_SIZE - 1);
4114 YYERROR;
4115 }
4116 if ($11.name)
4117 if (strlcpy(binat.match_tagname, $11.name,
4118 PF_TAG_NAME_SIZE) >= PF_TAG_NAME_SIZE) {
4119 yyerror("tag too long, max %u chars",
4120 PF_TAG_NAME_SIZE - 1);
4121 YYERROR;
4122 }
4123 binat.match_tag_not = $11.neg;
4124 binat.rtableid = $12;
4125
4126 if ($6 != NULL) {
4127 binat.proto = $6->proto;
4128 free($6);
4129 }
4130
4131 if ($8 != NULL && disallow_table($8, "invalid use of "
4132 "table <%s> as the source address of a binat rule"))
4133 YYERROR;
4134 if ($8 != NULL && disallow_alias($8, "invalid use of "
4135 "interface (%s) as the source address of a binat "
4136 "rule"))
4137 YYERROR;
4138 if ($13 != NULL && $13->host != NULL && disallow_table(
4139 $13->host, "invalid use of table <%s> as the "
4140 "redirect address of a binat rule"))
4141 YYERROR;
4142 if ($13 != NULL && $13->host != NULL && disallow_alias(
4143 $13->host, "invalid use of interface (%s) as the "
4144 "redirect address of a binat rule"))
4145 YYERROR;
4146
4147 if ($8 != NULL) {
4148 if ($8->next) {
4149 yyerror("multiple binat ip addresses");
4150 YYERROR;
4151 }
4152 if ($8->addr.type == PF_ADDR_DYNIFTL)
4153 $8->af = binat.af;
4154 if ($8->af != binat.af) {
4155 yyerror("binat ip versions must match");
4156 YYERROR;
4157 }
4158 if (check_netmask($8, binat.af))
4159 YYERROR;
4160 memcpy(&binat.src.addr, &$8->addr,
4161 sizeof(binat.src.addr));
4162 free($8);
4163 }
4164 if ($9 != NULL) {
4165 if ($9->next) {
4166 yyerror("multiple binat ip addresses");
4167 YYERROR;
4168 }
4169 if ($9->af != binat.af && $9->af) {
4170 yyerror("binat ip versions must match");
4171 YYERROR;
4172 }
4173 if (check_netmask($9, binat.af))
4174 YYERROR;
4175 memcpy(&binat.dst.addr, &$9->addr,
4176 sizeof(binat.dst.addr));
4177 binat.dst.neg = $9->not;
4178 free($9);
4179 }
4180
4181 if (binat.action == PF_NOBINAT) {
4182 if ($13 != NULL) {
4183 yyerror("'no binat' rule does not need"
4184 " '->'");
4185 YYERROR;
4186 }
4187 } else {
4188 if ($13 == NULL || $13->host == NULL) {
4189 yyerror("'binat' rule requires"
4190 " '-> address'");
4191 YYERROR;
4192 }
4193
4194 remove_invalid_hosts(&$13->host, &binat.af);
4195 if (invalid_redirect($13->host, binat.af))
4196 YYERROR;
4197 if ($13->host->next != NULL) {
4198 yyerror("binat rule must redirect to "
4199 "a single address");
4200 YYERROR;
4201 }
4202 if (check_netmask($13->host, binat.af))
4203 YYERROR;
4204
4205 if (!PF_AZERO(&binat.src.addr.v.a.mask,
4206 binat.af) &&
4207 !PF_AEQ(&binat.src.addr.v.a.mask,
4208 &$13->host->addr.v.a.mask, binat.af)) {
4209 yyerror("'binat' source mask and "
4210 "redirect mask must be the same");
4211 YYERROR;
4212 }
4213
4214 TAILQ_INIT(&binat.rpool.list);
4215 pa = calloc(1, sizeof(struct pf_pooladdr));
4216 if (pa == NULL)
4217 err(1, "binat: calloc");
4218 pa->addr = $13->host->addr;
4219 pa->ifname[0] = 0;
4220 TAILQ_INSERT_TAIL(&binat.rpool.list,
4221 pa, entries);
4222
4223 free($13);
4224 }
4225
4226 pfctl_add_rule(pf, &binat, "");
4227 }
4228 ;
4229
4230 tag : /* empty */ { $$ = NULL; }
4231 | TAG STRING { $$ = $2; }
4232 ;
4233
4234 tagged : /* empty */ { $$.neg = 0; $$.name = NULL; }
4235 | not TAGGED string { $$.neg = $1; $$.name = $3; }
4236 ;
4237
4238 rtable : /* empty */ { $$ = -1; }
4239 | RTABLE NUMBER {
4240 $$ = $2;
4241 }
4242 ;
4243
4244 route_host : STRING {
4245 $$ = calloc(1, sizeof(struct node_host));
4246 if ($$ == NULL)
4247 err(1, "route_host: calloc");
4248 $$->ifname = $1;
4249 set_ipmask($$, 128);
4250 $$->next = NULL;
4251 $$->tail = $$;
4252 }
4253 | '(' STRING host ')' {
4254 $$ = $3;
4255 $$->ifname = $2;
4256 }
4257 ;
4258
4259 route_host_list : route_host optnl { $$ = $1; }
4260 | route_host_list comma route_host optnl {
4261 if ($1->af == 0)
4262 $1->af = $3->af;
4263 if ($1->af != $3->af) {
4264 yyerror("all pool addresses must be in the "
4265 "same address family");
4266 YYERROR;
4267 }
4268 $1->tail->next = $3;
4269 $1->tail = $3->tail;
4270 $$ = $1;
4271 }
4272 ;
4273
4274 routespec : route_host { $$ = $1; }
4275 | '{' optnl route_host_list '}' { $$ = $3; }
4276 ;
4277
4278 route : /* empty */ {
4279 $$.host = NULL;
4280 $$.rt = 0;
4281 $$.pool_opts = 0;
4282 }
4283 | FASTROUTE {
4284 $$.host = NULL;
4285 $$.rt = PF_FASTROUTE;
4286 $$.pool_opts = 0;
4287 }
4288 | ROUTETO routespec pool_opts {
4289 $$.host = $2;
4290 $$.rt = PF_ROUTETO;
4291 $$.pool_opts = $3.type | $3.opts;
4292 if ($3.key != NULL)
4293 $$.key = $3.key;
4294 }
4295 | REPLYTO routespec pool_opts {
4296 $$.host = $2;
4297 $$.rt = PF_REPLYTO;
4298 $$.pool_opts = $3.type | $3.opts;
4299 if ($3.key != NULL)
4300 $$.key = $3.key;
4301 }
4302 | DUPTO routespec pool_opts {
4303 $$.host = $2;
4304 $$.rt = PF_DUPTO;
4305 $$.pool_opts = $3.type | $3.opts;
4306 if ($3.key != NULL)
4307 $$.key = $3.key;
4308 }
4309 ;
4310
4311 timeout_spec : STRING NUMBER
4312 {
4313 if (check_rulestate(PFCTL_STATE_OPTION)) {
4314 free($1);
4315 YYERROR;
4316 }
4317 if ($2 < 0 || $2 > UINT_MAX) {
4318 yyerror("only positive values permitted");
4319 YYERROR;
4320 }
4321 if (pfctl_set_timeout(pf, $1, $2, 0) != 0) {
4322 yyerror("unknown timeout %s", $1);
4323 free($1);
4324 YYERROR;
4325 }
4326 free($1);
4327 }
4328 ;
4329
4330 timeout_list : timeout_list comma timeout_spec optnl
4331 | timeout_spec optnl
4332 ;
4333
4334 limit_spec : STRING NUMBER
4335 {
4336 if (check_rulestate(PFCTL_STATE_OPTION)) {
4337 free($1);
4338 YYERROR;
4339 }
4340 if ($2 < 0 || $2 > UINT_MAX) {
4341 yyerror("only positive values permitted");
4342 YYERROR;
4343 }
4344 if (pfctl_set_limit(pf, $1, $2) != 0) {
4345 yyerror("unable to set limit %s %" PRId64, $1, $2);
4346 free($1);
4347 YYERROR;
4348 }
4349 free($1);
4350 }
4351 ;
4352
4353 limit_list : limit_list comma limit_spec optnl
4354 | limit_spec optnl
4355 ;
4356
4357 comma : ','
4358 | /* empty */
4359 ;
4360
4361 yesno : NO { $$ = 0; }
4362 | STRING {
4363 if (!strcmp($1, "yes"))
4364 $$ = 1;
4365 else {
4366 yyerror("invalid value '%s', expected 'yes' "
4367 "or 'no'", $1);
4368 free($1);
4369 YYERROR;
4370 }
4371 free($1);
4372 }
4373 ;
4374
4375 unaryop : '=' { $$ = PF_OP_EQ; }
4376 | '!' '=' { $$ = PF_OP_NE; }
4377 | '<' '=' { $$ = PF_OP_LE; }
4378 | '<' { $$ = PF_OP_LT; }
4379 | '>' '=' { $$ = PF_OP_GE; }
4380 | '>' { $$ = PF_OP_GT; }
4381 ;
4382
4383 %%
4384
4385 int
4386 yyerror(const char *fmt, ...)
4387 {
4388 va_list ap;
4389
4390 file->errors++;
4391 va_start(ap, fmt);
4392 fprintf(stderr, "%s:%d: ", file->name, yylval.lineno);
4393 vfprintf(stderr, fmt, ap);
4394 fprintf(stderr, "\n");
4395 va_end(ap);
4396 return (0);
4397 }
4398
4399 int
4400 disallow_table(struct node_host *h, const char *fmt)
4401 {
4402 for (; h != NULL; h = h->next)
4403 if (h->addr.type == PF_ADDR_TABLE) {
4404 yyerror(fmt, h->addr.v.tblname);
4405 return (1);
4406 }
4407 return (0);
4408 }
4409
4410 int
4411 disallow_urpf_failed(struct node_host *h, const char *fmt)
4412 {
4413 for (; h != NULL; h = h->next)
4414 if (h->addr.type == PF_ADDR_URPFFAILED) {
4415 yyerror("%s", fmt);
4416 return (1);
4417 }
4418 return (0);
4419 }
4420
4421 int
4422 disallow_alias(struct node_host *h, const char *fmt)
4423 {
4424 for (; h != NULL; h = h->next)
4425 if (DYNIF_MULTIADDR(h->addr)) {
4426 yyerror(fmt, h->addr.v.tblname);
4427 return (1);
4428 }
4429 return (0);
4430 }
4431
4432 int
4433 rule_consistent(struct pf_rule *r, int anchor_call __unused)
4434 {
4435 int problems = 0;
4436
4437 switch (r->action) {
4438 case PF_PASS:
4439 case PF_DROP:
4440 case PF_SCRUB:
4441 case PF_NOSCRUB:
4442 problems = filter_consistent(r, anchor_call);
4443 break;
4444 case PF_NAT:
4445 case PF_NONAT:
4446 problems = nat_consistent(r);
4447 break;
4448 case PF_RDR:
4449 case PF_NORDR:
4450 problems = rdr_consistent(r);
4451 break;
4452 case PF_BINAT:
4453 case PF_NOBINAT:
4454 default:
4455 break;
4456 }
4457 return (problems);
4458 }
4459
4460 int
4461 filter_consistent(struct pf_rule *r, int anchor_call __unused)
4462 {
4463 int problems = 0;
4464
4465 if (r->proto != IPPROTO_TCP && r->proto != IPPROTO_UDP &&
4466 (r->src.port_op || r->dst.port_op)) {
4467 yyerror("port only applies to tcp/udp");
4468 problems++;
4469 }
4470 if (r->proto != IPPROTO_ICMP && r->proto != IPPROTO_ICMPV6 &&
4471 (r->type || r->code)) {
4472 yyerror("icmp-type/code only applies to icmp");
4473 problems++;
4474 }
4475 if (!r->af && (r->type || r->code)) {
4476 yyerror("must indicate address family with icmp-type/code");
4477 problems++;
4478 }
4479 if (r->overload_tblname[0] &&
4480 r->max_src_conn == 0 && r->max_src_conn_rate.seconds == 0) {
4481 yyerror("'overload' requires 'max-src-conn' "
4482 "or 'max-src-conn-rate'");
4483 problems++;
4484 }
4485 if ((r->proto == IPPROTO_ICMP && r->af == AF_INET6) ||
4486 (r->proto == IPPROTO_ICMPV6 && r->af == AF_INET)) {
4487 yyerror("proto %s doesn't match address family %s",
4488 r->proto == IPPROTO_ICMP ? "icmp" : "icmp6",
4489 r->af == AF_INET ? "inet" : "inet6");
4490 problems++;
4491 }
4492 if (r->allow_opts && r->action != PF_PASS) {
4493 yyerror("allow-opts can only be specified for pass rules");
4494 problems++;
4495 }
4496 if (r->rule_flag & PFRULE_FRAGMENT && (r->src.port_op ||
4497 r->dst.port_op || r->flagset || r->type || r->code)) {
4498 yyerror("fragments can be filtered only on IP header fields");
4499 problems++;
4500 }
4501 if (r->rule_flag & PFRULE_RETURNRST && r->proto != IPPROTO_TCP) {
4502 yyerror("return-rst can only be applied to TCP rules");
4503 problems++;
4504 }
4505 if (r->max_src_nodes && !(r->rule_flag & PFRULE_RULESRCTRACK)) {
4506 yyerror("max-src-nodes requires 'source-track rule'");
4507 problems++;
4508 }
4509 if (r->action == PF_DROP && r->keep_state) {
4510 yyerror("keep state on block rules doesn't make sense");
4511 problems++;
4512 }
4513 if (r->rule_flag & PFRULE_STATESLOPPY &&
4514 (r->keep_state == PF_STATE_MODULATE ||
4515 r->keep_state == PF_STATE_SYNPROXY)) {
4516 yyerror("sloppy state matching cannot be used with "
4517 "synproxy state or modulate state");
4518 problems++;
4519 }
4520 return (-problems);
4521 }
4522
4523 int
4524 nat_consistent(struct pf_rule *r __unused)
4525 {
4526 return (0); /* yeah! */
4527 }
4528
4529 int
4530 rdr_consistent(struct pf_rule *r)
4531 {
4532 int problems = 0;
4533
4534 if (r->proto != IPPROTO_TCP && r->proto != IPPROTO_UDP) {
4535 if (r->src.port_op) {
4536 yyerror("src port only applies to tcp/udp");
4537 problems++;
4538 }
4539 if (r->dst.port_op) {
4540 yyerror("dst port only applies to tcp/udp");
4541 problems++;
4542 }
4543 if (r->rpool.proxy_port[0]) {
4544 yyerror("rpool port only applies to tcp/udp");
4545 problems++;
4546 }
4547 }
4548 if (r->dst.port_op &&
4549 r->dst.port_op != PF_OP_EQ && r->dst.port_op != PF_OP_RRG) {
4550 yyerror("invalid port operator for rdr destination port");
4551 problems++;
4552 }
4553 return (-problems);
4554 }
4555
4556 int
4557 process_tabledef(char *name, struct table_opts *opts)
4558 {
4559 struct pfr_buffer ab;
4560 struct node_tinit *ti;
4561
4562 bzero(&ab, sizeof(ab));
4563 ab.pfrb_type = PFRB_ADDRS;
4564 SIMPLEQ_FOREACH(ti, &opts->init_nodes, entries) {
4565 if (ti->file)
4566 if (pfr_buf_load(&ab, ti->file, 0, append_addr)) {
4567 if (errno)
4568 yyerror("cannot load \"%s\": %s",
4569 ti->file, strerror(errno));
4570 else
4571 yyerror("file \"%s\" contains bad data",
4572 ti->file);
4573 goto _error;
4574 }
4575 if (ti->host)
4576 if (append_addr_host(&ab, ti->host, 0, 0)) {
4577 yyerror("cannot create address buffer: %s",
4578 strerror(errno));
4579 goto _error;
4580 }
4581 }
4582 if (pf->opts & PF_OPT_VERBOSE)
4583 print_tabledef(name, opts->flags, opts->init_addr,
4584 &opts->init_nodes);
4585 if (!(pf->opts & PF_OPT_NOACTION) &&
4586 pfctl_define_table(name, opts->flags, opts->init_addr,
4587 pf->anchor->name, &ab, pf->anchor->ruleset.tticket)) {
4588 yyerror("cannot define table %s: %s", name,
4589 pfr_strerror(errno));
4590 goto _error;
4591 }
4592 pf->tdirty = 1;
4593 pfr_buf_clear(&ab);
4594 return (0);
4595 _error:
4596 pfr_buf_clear(&ab);
4597 return (-1);
4598 }
4599
4600 struct keywords {
4601 const char *k_name;
4602 int k_val;
4603 };
4604
4605 /* macro gore, but you should've seen the prior indentation nightmare... */
4606
4607 #define FREE_LIST(T,r) \
4608 do { \
4609 T *p, *node = r; \
4610 while (node != NULL) { \
4611 p = node; \
4612 node = node->next; \
4613 free(p); \
4614 } \
4615 } while (0)
4616
4617 #define LOOP_THROUGH(T,n,r,C) \
4618 do { \
4619 T *n; \
4620 if (r == NULL) { \
4621 r = calloc(1, sizeof(T)); \
4622 if (r == NULL) \
4623 err(1, "LOOP: calloc"); \
4624 r->next = NULL; \
4625 } \
4626 n = r; \
4627 while (n != NULL) { \
4628 do { \
4629 C; \
4630 } while (0); \
4631 n = n->next; \
4632 } \
4633 } while (0)
4634
4635 void
4636 expand_label_str(char *label, size_t len, const char *srch, const char *repl)
4637 {
4638 char *tmp;
4639 char *p, *q;
4640
4641 if ((tmp = calloc(1, len)) == NULL)
4642 err(1, "expand_label_str: calloc");
4643 p = q = label;
4644 while ((q = strstr(p, srch)) != NULL) {
4645 *q = '\0';
4646 if ((strlcat(tmp, p, len) >= len) ||
4647 (strlcat(tmp, repl, len) >= len))
4648 errx(1, "expand_label: label too long");
4649 q += strlen(srch);
4650 p = q;
4651 }
4652 if (strlcat(tmp, p, len) >= len)
4653 errx(1, "expand_label: label too long");
4654 strlcpy(label, tmp, len); /* always fits */
4655 free(tmp);
4656 }
4657
4658 void
4659 expand_label_if(const char *name, char *label, size_t len, const char *ifname)
4660 {
4661 if (strstr(label, name) != NULL) {
4662 if (!*ifname)
4663 expand_label_str(label, len, name, "any");
4664 else
4665 expand_label_str(label, len, name, ifname);
4666 }
4667 }
4668
4669 void
4670 expand_label_addr(const char *name, char *label, size_t len, sa_family_t af,
4671 struct node_host *h)
4672 {
4673 char tmp[64], tmp_not[66];
4674
4675 if (strstr(label, name) != NULL) {
4676 switch (h->addr.type) {
4677 case PF_ADDR_DYNIFTL:
4678 snprintf(tmp, sizeof(tmp), "(%s)", h->addr.v.ifname);
4679 break;
4680 case PF_ADDR_TABLE:
4681 snprintf(tmp, sizeof(tmp), "<%s>", h->addr.v.tblname);
4682 break;
4683 case PF_ADDR_NOROUTE:
4684 snprintf(tmp, sizeof(tmp), "no-route");
4685 break;
4686 case PF_ADDR_URPFFAILED:
4687 snprintf(tmp, sizeof(tmp), "urpf-failed");
4688 break;
4689 case PF_ADDR_ADDRMASK:
4690 if (!af || (PF_AZERO(&h->addr.v.a.addr, af) &&
4691 PF_AZERO(&h->addr.v.a.mask, af)))
4692 snprintf(tmp, sizeof(tmp), "any");
4693 else {
4694 char a[48];
4695 int bits;
4696
4697 if (inet_ntop(af, &h->addr.v.a.addr, a,
4698 sizeof(a)) == NULL)
4699 snprintf(tmp, sizeof(tmp), "?");
4700 else {
4701 bits = unmask(&h->addr.v.a.mask, af);
4702 if ((af == AF_INET && bits < 32) ||
4703 (af == AF_INET6 && bits < 128))
4704 snprintf(tmp, sizeof(tmp),
4705 "%s/%d", a, bits);
4706 else
4707 snprintf(tmp, sizeof(tmp),
4708 "%s", a);
4709 }
4710 }
4711 break;
4712 default:
4713 snprintf(tmp, sizeof(tmp), "?");
4714 break;
4715 }
4716
4717 if (h->not) {
4718 snprintf(tmp_not, sizeof(tmp_not), "! %s", tmp);
4719 expand_label_str(label, len, name, tmp_not);
4720 } else
4721 expand_label_str(label, len, name, tmp);
4722 }
4723 }
4724
4725 void
4726 expand_label_port(const char *name, char *label, size_t len,
4727 struct node_port *port)
4728 {
4729 char a1[6], a2[6], op[13] = "";
4730
4731 if (strstr(label, name) != NULL) {
4732 snprintf(a1, sizeof(a1), "%u", ntohs(port->port[0]));
4733 snprintf(a2, sizeof(a2), "%u", ntohs(port->port[1]));
4734 if (!port->op)
4735 ;
4736 else if (port->op == PF_OP_IRG)
4737 snprintf(op, sizeof(op), "%s><%s", a1, a2);
4738 else if (port->op == PF_OP_XRG)
4739 snprintf(op, sizeof(op), "%s<>%s", a1, a2);
4740 else if (port->op == PF_OP_EQ)
4741 snprintf(op, sizeof(op), "%s", a1);
4742 else if (port->op == PF_OP_NE)
4743 snprintf(op, sizeof(op), "!=%s", a1);
4744 else if (port->op == PF_OP_LT)
4745 snprintf(op, sizeof(op), "<%s", a1);
4746 else if (port->op == PF_OP_LE)
4747 snprintf(op, sizeof(op), "<=%s", a1);
4748 else if (port->op == PF_OP_GT)
4749 snprintf(op, sizeof(op), ">%s", a1);
4750 else if (port->op == PF_OP_GE)
4751 snprintf(op, sizeof(op), ">=%s", a1);
4752 expand_label_str(label, len, name, op);
4753 }
4754 }
4755
4756 void
4757 expand_label_proto(const char *name, char *label, size_t len, u_int8_t proto)
4758 {
4759 struct protoent *pe;
4760 char n[4];
4761
4762 if (strstr(label, name) != NULL) {
4763 pe = getprotobynumber(proto);
4764 if (pe != NULL)
4765 expand_label_str(label, len, name, pe->p_name);
4766 else {
4767 snprintf(n, sizeof(n), "%u", proto);
4768 expand_label_str(label, len, name, n);
4769 }
4770 }
4771 }
4772
4773 void
4774 expand_label_nr(const char *name, char *label, size_t len)
4775 {
4776 char n[11];
4777
4778 if (strstr(label, name) != NULL) {
4779 snprintf(n, sizeof(n), "%u", pf->anchor->match);
4780 expand_label_str(label, len, name, n);
4781 }
4782 }
4783
4784 void
4785 expand_label(char *label, size_t len, const char *ifname, sa_family_t af,
4786 struct node_host *src_host, struct node_port *src_port,
4787 struct node_host *dst_host, struct node_port *dst_port,
4788 u_int8_t proto)
4789 {
4790 expand_label_if("$if", label, len, ifname);
4791 expand_label_addr("$srcaddr", label, len, af, src_host);
4792 expand_label_addr("$dstaddr", label, len, af, dst_host);
4793 expand_label_port("$srcport", label, len, src_port);
4794 expand_label_port("$dstport", label, len, dst_port);
4795 expand_label_proto("$proto", label, len, proto);
4796 expand_label_nr("$nr", label, len);
4797 }
4798
4799 int
4800 expand_altq(struct pf_altq *a, struct node_if *interfaces,
4801 struct node_queue *nqueues, struct node_queue_bw bwspec,
4802 struct node_queue_opt *opts)
4803 {
4804 struct pf_altq pa, pb;
4805 char qname[PF_QNAME_SIZE];
4806 struct node_queue *n;
4807 struct node_queue_bw bw;
4808 int errs = 0;
4809
4810 if ((pf->loadopt & PFCTL_FLAG_ALTQ) == 0) {
4811 FREE_LIST(struct node_if, interfaces);
4812 FREE_LIST(struct node_queue, nqueues);
4813 return (0);
4814 }
4815
4816 LOOP_THROUGH(struct node_if, interface, interfaces,
4817 memcpy(&pa, a, sizeof(struct pf_altq));
4818 if (strlcpy(pa.ifname, interface->ifname,
4819 sizeof(pa.ifname)) >= sizeof(pa.ifname))
4820 errx(1, "expand_altq: strlcpy");
4821
4822 if (interface->not) {
4823 yyerror("altq on ! <interface> is not supported");
4824 errs++;
4825 } else {
4826 if (eval_pfaltq(pf, &pa, &bwspec, opts))
4827 errs++;
4828 else
4829 if (pfctl_add_altq(pf, &pa))
4830 errs++;
4831
4832 if (pf->opts & PF_OPT_VERBOSE) {
4833 print_altq(&pf->paltq->altq, 0,
4834 &bwspec, opts);
4835 if (nqueues && nqueues->tail) {
4836 printf("queue { ");
4837 LOOP_THROUGH(struct node_queue, queue,
4838 nqueues,
4839 printf("%s ",
4840 queue->queue);
4841 );
4842 printf("}");
4843 }
4844 printf("\n");
4845 }
4846
4847 if (pa.scheduler == ALTQT_CBQ ||
4848 pa.scheduler == ALTQT_HFSC) {
4849 /* now create a root queue */
4850 memset(&pb, 0, sizeof(struct pf_altq));
4851 if (strlcpy(qname, "root_", sizeof(qname)) >=
4852 sizeof(qname))
4853 errx(1, "expand_altq: strlcpy");
4854 if (strlcat(qname, interface->ifname,
4855 sizeof(qname)) >= sizeof(qname))
4856 errx(1, "expand_altq: strlcat");
4857 if (strlcpy(pb.qname, qname,
4858 sizeof(pb.qname)) >= sizeof(pb.qname))
4859 errx(1, "expand_altq: strlcpy");
4860 if (strlcpy(pb.ifname, interface->ifname,
4861 sizeof(pb.ifname)) >= sizeof(pb.ifname))
4862 errx(1, "expand_altq: strlcpy");
4863 pb.qlimit = pa.qlimit;
4864 pb.scheduler = pa.scheduler;
4865 bw.bw_absolute = pa.ifbandwidth;
4866 bw.bw_percent = 0;
4867 if (eval_pfqueue(pf, &pb, &bw, opts))
4868 errs++;
4869 else
4870 if (pfctl_add_altq(pf, &pb))
4871 errs++;
4872 }
4873
4874 LOOP_THROUGH(struct node_queue, queue, nqueues,
4875 n = calloc(1, sizeof(struct node_queue));
4876 if (n == NULL)
4877 err(1, "expand_altq: calloc");
4878 if (pa.scheduler == ALTQT_CBQ ||
4879 pa.scheduler == ALTQT_HFSC /*||
4880 pa.scheduler == ALTQT_FAIRQ*/)
4881 if (strlcpy(n->parent, qname,
4882 sizeof(n->parent)) >=
4883 sizeof(n->parent))
4884 errx(1, "expand_altq: strlcpy");
4885 if (strlcpy(n->queue, queue->queue,
4886 sizeof(n->queue)) >= sizeof(n->queue))
4887 errx(1, "expand_altq: strlcpy");
4888 if (strlcpy(n->ifname, interface->ifname,
4889 sizeof(n->ifname)) >= sizeof(n->ifname))
4890 errx(1, "expand_altq: strlcpy");
4891 n->scheduler = pa.scheduler;
4892 n->next = NULL;
4893 n->tail = n;
4894 if (queues == NULL)
4895 queues = n;
4896 else {
4897 queues->tail->next = n;
4898 queues->tail = n;
4899 }
4900 );
4901 }
4902 );
4903 FREE_LIST(struct node_if, interfaces);
4904 FREE_LIST(struct node_queue, nqueues);
4905
4906 return (errs);
4907 }
4908
4909 int
4910 expand_queue(struct pf_altq *a, struct node_if *interfaces,
4911 struct node_queue *nqueues, struct node_queue_bw bwspec,
4912 struct node_queue_opt *opts)
4913 {
4914 struct node_queue *n, *nq;
4915 struct pf_altq pa;
4916 u_int8_t found = 0;
4917 u_int8_t errs = 0;
4918
4919 if ((pf->loadopt & PFCTL_FLAG_ALTQ) == 0) {
4920 FREE_LIST(struct node_queue, nqueues);
4921 return (0);
4922 }
4923
4924 if (queues == NULL) {
4925 yyerror("queue %s has no parent", a->qname);
4926 FREE_LIST(struct node_queue, nqueues);
4927 return (1);
4928 }
4929
4930 LOOP_THROUGH(struct node_if, interface, interfaces,
4931 LOOP_THROUGH(struct node_queue, tqueue, queues,
4932 if (!strncmp(a->qname, tqueue->queue, PF_QNAME_SIZE) &&
4933 (interface->ifname[0] == 0 ||
4934 (!interface->not && !strncmp(interface->ifname,
4935 tqueue->ifname, IFNAMSIZ)) ||
4936 (interface->not && strncmp(interface->ifname,
4937 tqueue->ifname, IFNAMSIZ)))) {
4938 /* found ourself in queues */
4939 found++;
4940
4941 memcpy(&pa, a, sizeof(struct pf_altq));
4942
4943 if (pa.scheduler != ALTQT_NONE &&
4944 pa.scheduler != tqueue->scheduler) {
4945 yyerror("exactly one scheduler type "
4946 "per interface allowed");
4947 return (1);
4948 }
4949 pa.scheduler = tqueue->scheduler;
4950
4951 /* scheduler dependent error checking */
4952 switch (pa.scheduler) {
4953 case ALTQT_PRIQ:
4954 if (nqueues != NULL) {
4955 yyerror("priq queues cannot "
4956 "have child queues");
4957 return (1);
4958 }
4959 if (bwspec.bw_absolute > 0 ||
4960 bwspec.bw_percent < 100) {
4961 yyerror("priq doesn't take "
4962 "bandwidth");
4963 return (1);
4964 }
4965 break;
4966 default:
4967 break;
4968 }
4969
4970 if (strlcpy(pa.ifname, tqueue->ifname,
4971 sizeof(pa.ifname)) >= sizeof(pa.ifname))
4972 errx(1, "expand_queue: strlcpy");
4973 if (strlcpy(pa.parent, tqueue->parent,
4974 sizeof(pa.parent)) >= sizeof(pa.parent))
4975 errx(1, "expand_queue: strlcpy");
4976
4977 if (eval_pfqueue(pf, &pa, &bwspec, opts))
4978 errs++;
4979 else
4980 if (pfctl_add_altq(pf, &pa))
4981 errs++;
4982
4983 for (nq = nqueues; nq != NULL; nq = nq->next) {
4984 if (!strcmp(a->qname, nq->queue)) {
4985 yyerror("queue cannot have "
4986 "itself as child");
4987 errs++;
4988 continue;
4989 }
4990 n = calloc(1,
4991 sizeof(struct node_queue));
4992 if (n == NULL)
4993 err(1, "expand_queue: calloc");
4994 if (strlcpy(n->parent, a->qname,
4995 sizeof(n->parent)) >=
4996 sizeof(n->parent))
4997 errx(1, "expand_queue strlcpy");
4998 if (strlcpy(n->queue, nq->queue,
4999 sizeof(n->queue)) >=
5000 sizeof(n->queue))
5001 errx(1, "expand_queue strlcpy");
5002 if (strlcpy(n->ifname, tqueue->ifname,
5003 sizeof(n->ifname)) >=
5004 sizeof(n->ifname))
5005 errx(1, "expand_queue strlcpy");
5006 n->scheduler = tqueue->scheduler;
5007 n->next = NULL;
5008 n->tail = n;
5009 if (queues == NULL)
5010 queues = n;
5011 else {
5012 queues->tail->next = n;
5013 queues->tail = n;
5014 }
5015 }
5016 if ((pf->opts & PF_OPT_VERBOSE) && (
5017 (found == 1 && interface->ifname[0] == 0) ||
5018 (found > 0 && interface->ifname[0] != 0))) {
5019 print_queue(&pf->paltq->altq, 0,
5020 &bwspec, interface->ifname[0] != 0,
5021 opts);
5022 if (nqueues && nqueues->tail) {
5023 printf("{ ");
5024 LOOP_THROUGH(struct node_queue,
5025 queue, nqueues,
5026 printf("%s ",
5027 queue->queue);
5028 );
5029 printf("}");
5030 }
5031 printf("\n");
5032 }
5033 }
5034 );
5035 );
5036
5037 FREE_LIST(struct node_queue, nqueues);
5038 FREE_LIST(struct node_if, interfaces);
5039
5040 if (!found) {
5041 yyerror("queue %s has no parent", a->qname);
5042 errs++;
5043 }
5044
5045 if (errs)
5046 return (1);
5047 else
5048 return (0);
5049 }
5050
5051 void
5052 expand_rule(struct pf_rule *r,
5053 struct node_if *interfaces, struct node_host *rpool_hosts,
5054 struct node_proto *protos, struct node_os *src_oses,
5055 struct node_host *src_hosts, struct node_port *src_ports,
5056 struct node_host *dst_hosts, struct node_port *dst_ports,
5057 struct node_uid *uids, struct node_gid *gids, struct node_icmp *icmp_types,
5058 const char *anchor_call)
5059 {
5060 sa_family_t af = r->af;
5061 int added = 0, error = 0;
5062 char ifname[IF_NAMESIZE];
5063 char label[PF_RULE_LABEL_SIZE];
5064 char tagname[PF_TAG_NAME_SIZE];
5065 char match_tagname[PF_TAG_NAME_SIZE];
5066 struct pf_pooladdr *pa;
5067 struct node_host *h;
5068 u_int8_t flags, flagset, keep_state;
5069
5070 if (strlcpy(label, r->label, sizeof(label)) >= sizeof(label))
5071 errx(1, "expand_rule: strlcpy");
5072 if (strlcpy(tagname, r->tagname, sizeof(tagname)) >= sizeof(tagname))
5073 errx(1, "expand_rule: strlcpy");
5074 if (strlcpy(match_tagname, r->match_tagname, sizeof(match_tagname)) >=
5075 sizeof(match_tagname))
5076 errx(1, "expand_rule: strlcpy");
5077 flags = r->flags;
5078 flagset = r->flagset;
5079 keep_state = r->keep_state;
5080
5081 LOOP_THROUGH(struct node_if, interface, interfaces,
5082 LOOP_THROUGH(struct node_proto, proto, protos,
5083 LOOP_THROUGH(struct node_icmp, icmp_type, icmp_types,
5084 LOOP_THROUGH(struct node_host, src_host, src_hosts,
5085 LOOP_THROUGH(struct node_port, src_port, src_ports,
5086 LOOP_THROUGH(struct node_os, src_os, src_oses,
5087 LOOP_THROUGH(struct node_host, dst_host, dst_hosts,
5088 LOOP_THROUGH(struct node_port, dst_port, dst_ports,
5089 LOOP_THROUGH(struct node_uid, uid, uids,
5090 LOOP_THROUGH(struct node_gid, gid, gids,
5091
5092 r->af = af;
5093 /* for link-local IPv6 address, interface must match up */
5094 if ((r->af && src_host->af && r->af != src_host->af) ||
5095 (r->af && dst_host->af && r->af != dst_host->af) ||
5096 (src_host->af && dst_host->af &&
5097 src_host->af != dst_host->af) ||
5098 (src_host->ifindex && dst_host->ifindex &&
5099 src_host->ifindex != dst_host->ifindex) ||
5100 (src_host->ifindex && *interface->ifname &&
5101 src_host->ifindex != if_nametoindex(interface->ifname)) ||
5102 (dst_host->ifindex && *interface->ifname &&
5103 dst_host->ifindex != if_nametoindex(interface->ifname)))
5104 continue;
5105 if (!r->af && src_host->af)
5106 r->af = src_host->af;
5107 else if (!r->af && dst_host->af)
5108 r->af = dst_host->af;
5109
5110 if (*interface->ifname)
5111 strlcpy(r->ifname, interface->ifname,
5112 sizeof(r->ifname));
5113 else if (if_indextoname(src_host->ifindex, ifname))
5114 strlcpy(r->ifname, ifname, sizeof(r->ifname));
5115 else if (if_indextoname(dst_host->ifindex, ifname))
5116 strlcpy(r->ifname, ifname, sizeof(r->ifname));
5117 else
5118 memset(r->ifname, '\0', sizeof(r->ifname));
5119
5120 if (strlcpy(r->label, label, sizeof(r->label)) >=
5121 sizeof(r->label))
5122 errx(1, "expand_rule: strlcpy");
5123 if (strlcpy(r->tagname, tagname, sizeof(r->tagname)) >=
5124 sizeof(r->tagname))
5125 errx(1, "expand_rule: strlcpy");
5126 if (strlcpy(r->match_tagname, match_tagname,
5127 sizeof(r->match_tagname)) >= sizeof(r->match_tagname))
5128 errx(1, "expand_rule: strlcpy");
5129 expand_label(r->label, PF_RULE_LABEL_SIZE, r->ifname, r->af,
5130 src_host, src_port, dst_host, dst_port, proto->proto);
5131 expand_label(r->tagname, PF_TAG_NAME_SIZE, r->ifname, r->af,
5132 src_host, src_port, dst_host, dst_port, proto->proto);
5133 expand_label(r->match_tagname, PF_TAG_NAME_SIZE, r->ifname,
5134 r->af, src_host, src_port, dst_host, dst_port,
5135 proto->proto);
5136
5137 error += check_netmask(src_host, r->af);
5138 error += check_netmask(dst_host, r->af);
5139
5140 r->ifnot = interface->not;
5141 r->proto = proto->proto;
5142 r->src.addr = src_host->addr;
5143 r->src.neg = src_host->not;
5144 r->src.port[0] = src_port->port[0];
5145 r->src.port[1] = src_port->port[1];
5146 r->src.port_op = src_port->op;
5147 r->dst.addr = dst_host->addr;
5148 r->dst.neg = dst_host->not;
5149 r->dst.port[0] = dst_port->port[0];
5150 r->dst.port[1] = dst_port->port[1];
5151 r->dst.port_op = dst_port->op;
5152 r->uid.op = uid->op;
5153 r->uid.uid[0] = uid->uid[0];
5154 r->uid.uid[1] = uid->uid[1];
5155 r->gid.op = gid->op;
5156 r->gid.gid[0] = gid->gid[0];
5157 r->gid.gid[1] = gid->gid[1];
5158 r->type = icmp_type->type;
5159 r->code = icmp_type->code;
5160
5161 if ((keep_state == PF_STATE_MODULATE ||
5162 keep_state == PF_STATE_SYNPROXY) &&
5163 r->proto && r->proto != IPPROTO_TCP)
5164 r->keep_state = PF_STATE_NORMAL;
5165 else
5166 r->keep_state = keep_state;
5167
5168 if (r->proto && r->proto != IPPROTO_TCP) {
5169 r->flags = 0;
5170 r->flagset = 0;
5171 } else {
5172 r->flags = flags;
5173 r->flagset = flagset;
5174 }
5175 if (icmp_type->proto && r->proto != icmp_type->proto) {
5176 yyerror("icmp-type mismatch");
5177 error++;
5178 }
5179
5180 if (src_os && src_os->os) {
5181 r->os_fingerprint = pfctl_get_fingerprint(src_os->os);
5182 if ((pf->opts & PF_OPT_VERBOSE2) &&
5183 r->os_fingerprint == PF_OSFP_NOMATCH)
5184 fprintf(stderr,
5185 "warning: unknown '%s' OS fingerprint\n",
5186 src_os->os);
5187 } else {
5188 r->os_fingerprint = PF_OSFP_ANY;
5189 }
5190
5191 TAILQ_INIT(&r->rpool.list);
5192 for (h = rpool_hosts; h != NULL; h = h->next) {
5193 pa = calloc(1, sizeof(struct pf_pooladdr));
5194 if (pa == NULL)
5195 err(1, "expand_rule: calloc");
5196 pa->addr = h->addr;
5197 if (h->ifname != NULL) {
5198 if (strlcpy(pa->ifname, h->ifname,
5199 sizeof(pa->ifname)) >=
5200 sizeof(pa->ifname))
5201 errx(1, "expand_rule: strlcpy");
5202 } else
5203 pa->ifname[0] = 0;
5204 TAILQ_INSERT_TAIL(&r->rpool.list, pa, entries);
5205 }
5206
5207 if (rule_consistent(r, anchor_call[0]) < 0 || error)
5208 yyerror("skipping rule due to errors");
5209 else {
5210 r->nr = pf->astack[pf->asd]->match++;
5211 pfctl_add_rule(pf, r, anchor_call);
5212 added++;
5213 }
5214
5215 ))))))))));
5216
5217 FREE_LIST(struct node_if, interfaces);
5218 FREE_LIST(struct node_proto, protos);
5219 FREE_LIST(struct node_host, src_hosts);
5220 FREE_LIST(struct node_port, src_ports);
5221 FREE_LIST(struct node_os, src_oses);
5222 FREE_LIST(struct node_host, dst_hosts);
5223 FREE_LIST(struct node_port, dst_ports);
5224 FREE_LIST(struct node_uid, uids);
5225 FREE_LIST(struct node_gid, gids);
5226 FREE_LIST(struct node_icmp, icmp_types);
5227 FREE_LIST(struct node_host, rpool_hosts);
5228
5229 if (!added)
5230 yyerror("rule expands to no valid combination");
5231 }
5232
5233 int
5234 expand_skip_interface(struct node_if *interfaces)
5235 {
5236 int errs = 0;
5237
5238 if (!interfaces || (!interfaces->next && !interfaces->not &&
5239 !strcmp(interfaces->ifname, "none"))) {
5240 if (pf->opts & PF_OPT_VERBOSE)
5241 printf("set skip on none\n");
5242 errs = pfctl_set_interface_flags(pf, __DECONST(char *, ""), PFI_IFLAG_SKIP, 0);
5243 return (errs);
5244 }
5245
5246 if (pf->opts & PF_OPT_VERBOSE)
5247 printf("set skip on {");
5248 LOOP_THROUGH(struct node_if, interface, interfaces,
5249 if (pf->opts & PF_OPT_VERBOSE)
5250 printf(" %s", interface->ifname);
5251 if (interface->not) {
5252 yyerror("skip on ! <interface> is not supported");
5253 errs++;
5254 } else
5255 errs += pfctl_set_interface_flags(pf,
5256 interface->ifname, PFI_IFLAG_SKIP, 1);
5257 );
5258 if (pf->opts & PF_OPT_VERBOSE)
5259 printf(" }\n");
5260
5261 FREE_LIST(struct node_if, interfaces);
5262
5263 if (errs)
5264 return (1);
5265 else
5266 return (0);
5267 }
5268
5269 #undef FREE_LIST
5270 #undef LOOP_THROUGH
5271
5272 int
5273 check_rulestate(int desired_state)
5274 {
5275 if (require_order && (rulestate > desired_state)) {
5276 yyerror("Rules must be in order: options, normalization, "
5277 "queueing, translation, filtering");
5278 return (1);
5279 }
5280 rulestate = desired_state;
5281 return (0);
5282 }
5283
5284 int
5285 kw_cmp(const void *k, const void *e)
5286 {
5287 return (strcmp(k, ((const struct keywords *)e)->k_name));
5288 }
5289
5290 int
5291 lookup(char *s)
5292 {
5293 /* this has to be sorted always */
5294 static const struct keywords keywords[] = {
5295 { "all", ALL},
5296 { "allow-opts", ALLOWOPTS},
5297 { "altq", ALTQ},
5298 { "anchor", ANCHOR},
5299 { "antispoof", ANTISPOOF},
5300 { "any", ANY},
5301 { "bandwidth", BANDWIDTH},
5302 { "binat", BINAT},
5303 { "binat-anchor", BINATANCHOR},
5304 { "bitmask", BITMASK},
5305 { "block", BLOCK},
5306 { "block-policy", BLOCKPOLICY},
5307 { "buckets", BUCKETS},
5308 { "cbq", CBQ},
5309 { "code", CODE},
5310 { "crop", FRAGCROP},
5311 { "debug", DEBUG},
5312 { "divert-reply", DIVERTREPLY},
5313 { "divert-to", DIVERTTO},
5314 { "drop", DROP},
5315 { "drop-ovl", FRAGDROP},
5316 { "dup-to", DUPTO},
5317 { "fairq", FAIRQ},
5318 { "fastroute", FASTROUTE},
5319 { "file", FILENAME},
5320 { "fingerprints", FINGERPRINTS},
5321 { "flags", FLAGS},
5322 { "floating", FLOATING},
5323 { "flush", FLUSH},
5324 { "for", FOR},
5325 { "fragment", FRAGMENT},
5326 { "from", FROM},
5327 { "global", GLOBAL},
5328 { "group", GROUP},
5329 { "hash-only", HASHONLY},
5330 { "hfsc", HFSC},
5331 { "hogs", HOGS},
5332 { "hostid", HOSTID},
5333 { "icmp-type", ICMPTYPE},
5334 { "icmp6-type", ICMP6TYPE},
5335 { "if-bound", IFBOUND},
5336 { "in", IN},
5337 { "include", INCLUDE},
5338 { "inet", INET},
5339 { "inet6", INET6},
5340 { "keep", KEEP},
5341 { "keep-policy", KEEPPOLICY},
5342 { "label", LABEL},
5343 { "limit", LIMIT},
5344 { "linkshare", LINKSHARE},
5345 { "load", LOAD},
5346 { "log", LOG},
5347 { "loginterface", LOGINTERFACE},
5348 { "max", MAXIMUM},
5349 { "max-mss", MAXMSS},
5350 { "max-src-conn", MAXSRCCONN},
5351 { "max-src-conn-rate", MAXSRCCONNRATE},
5352 { "max-src-nodes", MAXSRCNODES},
5353 { "max-src-states", MAXSRCSTATES},
5354 { "min-ttl", MINTTL},
5355 { "modulate", MODULATE},
5356 { "nat", NAT},
5357 { "nat-anchor", NATANCHOR},
5358 { "no", NO},
5359 { "no-df", NODF},
5360 { "no-pickups", NOPICKUPS},
5361 { "no-route", NOROUTE},
5362 { "no-sync", NOSYNC},
5363 { "on", ON},
5364 { "optimization", OPTIMIZATION},
5365 { "os", OS},
5366 { "out", OUT},
5367 { "overload", OVERLOAD},
5368 { "pass", PASS},
5369 { "pickups", PICKUPS},
5370 { "port", PORT},
5371 { "priority", PRIORITY},
5372 { "priq", PRIQ},
5373 { "probability", PROBABILITY},
5374 { "proto", PROTO},
5375 { "qlimit", QLIMIT},
5376 { "queue", QUEUE},
5377 { "quick", QUICK},
5378 { "random", RANDOM},
5379 { "random-id", RANDOMID},
5380 { "rdr", RDR},
5381 { "rdr-anchor", RDRANCHOR},
5382 { "realtime", REALTIME},
5383 { "reassemble", REASSEMBLE},
5384 { "reply-to", REPLYTO},
5385 { "require-order", REQUIREORDER},
5386 { "return", RETURN},
5387 { "return-icmp", RETURNICMP},
5388 { "return-icmp6", RETURNICMP6},
5389 { "return-rst", RETURNRST},
5390 { "round-robin", ROUNDROBIN},
5391 { "route", ROUTE},
5392 { "route-to", ROUTETO},
5393 { "rtable", RTABLE},
5394 { "rule", RULE},
5395 { "ruleset-optimization", RULESET_OPTIMIZATION},
5396 { "scrub", SCRUB},
5397 { "set", SET},
5398 { "set-tos", SETTOS},
5399 { "skip", SKIP},
5400 { "sloppy", SLOPPY},
5401 { "source-hash", SOURCEHASH},
5402 { "source-track", SOURCETRACK},
5403 { "state", STATE},
5404 { "state-policy", STATEPOLICY},
5405 { "static-port", STATICPORT},
5406 { "sticky-address", STICKYADDRESS},
5407 { "synproxy", SYNPROXY},
5408 { "table", TABLE},
5409 { "tag", TAG},
5410 { "tagged", TAGGED},
5411 { "tbrsize", TBRSIZE},
5412 { "timeout", TIMEOUT},
5413 { "to", TO},
5414 { "tos", TOS},
5415 { "ttl", TTL},
5416 { "upperlimit", UPPERLIMIT},
5417 { "urpf-failed", URPFFAILED},
5418 { "user", USER},
5419 };
5420 const struct keywords *p;
5421
5422 p = bsearch(s, keywords, sizeof(keywords)/sizeof(keywords[0]),
5423 sizeof(keywords[0]), kw_cmp);
5424
5425 if (p) {
5426 if (debug > 1)
5427 fprintf(stderr, "%s: %d\n", s, p->k_val);
5428 return (p->k_val);
5429 } else {
5430 if (debug > 1)
5431 fprintf(stderr, "string: %s\n", s);
5432 return (STRING);
5433 }
5434 }
5435
5436 #define MAXPUSHBACK 128
5437
5438 char *parsebuf;
5439 int parseindex;
5440 char pushback_buffer[MAXPUSHBACK];
5441 int pushback_index = 0;
5442
5443 int
5444 lgetc(int quotec)
5445 {
5446 int c, next;
5447
5448 if (parsebuf) {
5449 /* Read character from the parsebuffer instead of input. */
5450 if (parseindex >= 0) {
5451 c = parsebuf[parseindex++];
5452 if (c != '\0')
5453 return (c);
5454 parsebuf = NULL;
5455 } else
5456 parseindex++;
5457 }
5458
5459 if (pushback_index)
5460 return (pushback_buffer[--pushback_index]);
5461
5462 if (quotec) {
5463 if ((c = getc(file->stream)) == EOF) {
5464 yyerror("reached end of file while parsing quoted string");
5465 if (popfile() == EOF)
5466 return (EOF);
5467 return (quotec);
5468 }
5469 return (c);
5470 }
5471
5472 while ((c = getc(file->stream)) == '\\') {
5473 next = getc(file->stream);
5474 if (next != '\n') {
5475 c = next;
5476 break;
5477 }
5478 yylval.lineno = file->lineno;
5479 file->lineno++;
5480 }
5481
5482 while (c == EOF) {
5483 if (popfile() == EOF)
5484 return (EOF);
5485 c = getc(file->stream);
5486 }
5487 return (c);
5488 }
5489
5490 int
5491 lungetc(int c)
5492 {
5493 if (c == EOF)
5494 return (EOF);
5495 if (parsebuf) {
5496 parseindex--;
5497 if (parseindex >= 0)
5498 return (c);
5499 }
5500 if (pushback_index < MAXPUSHBACK-1)
5501 return (pushback_buffer[pushback_index++] = c);
5502 else
5503 return (EOF);
5504 }
5505
5506 int
5507 findeol(void)
5508 {
5509 int c;
5510
5511 parsebuf = NULL;
5512 pushback_index = 0;
5513
5514 /* skip to either EOF or the first real EOL */
5515 while (1) {
5516 c = lgetc(0);
5517 if (c == '\n') {
5518 file->lineno++;
5519 break;
5520 }
5521 if (c == EOF)
5522 break;
5523 }
5524 return (ERROR);
5525 }
5526
5527 int
5528 yylex(void)
5529 {
5530 char buf[8096];
5531 char *p, *val;
5532 int quotec, next, c;
5533 int token;
5534
5535 top:
5536 p = buf;
5537 while ((c = lgetc(0)) == ' ' || c == '\t')
5538 ; /* nothing */
5539
5540 yylval.lineno = file->lineno;
5541 if (c == '#')
5542 while ((c = lgetc(0)) != '\n' && c != EOF)
5543 ; /* nothing */
5544 if (c == '$' && parsebuf == NULL) {
5545 while (1) {
5546 if ((c = lgetc(0)) == EOF)
5547 return (0);
5548
5549 if (p + 1 >= buf + sizeof(buf) - 1) {
5550 yyerror("string too long");
5551 return (findeol());
5552 }
5553 if (isalnum(c) || c == '_') {
5554 *p++ = (char)c;
5555 continue;
5556 }
5557 *p = '\0';
5558 lungetc(c);
5559 break;
5560 }
5561 val = symget(buf);
5562 if (val == NULL) {
5563 yyerror("macro '%s' not defined", buf);
5564 return (findeol());
5565 }
5566 parsebuf = val;
5567 parseindex = 0;
5568 goto top;
5569 }
5570
5571 switch (c) {
5572 case '\'':
5573 case '"':
5574 quotec = c;
5575 while (1) {
5576 if ((c = lgetc(quotec)) == EOF)
5577 return (0);
5578 if (c == '\n') {
5579 file->lineno++;
5580 continue;
5581 } else if (c == '\\') {
5582 if ((next = lgetc(quotec)) == EOF)
5583 return (0);
5584 if (next == quotec || c == ' ' || c == '\t')
5585 c = next;
5586 else if (next == '\n')
5587 continue;
5588 else
5589 lungetc(next);
5590 } else if (c == quotec) {
5591 *p = '\0';
5592 break;
5593 }
5594 if (p + 1 >= buf + sizeof(buf) - 1) {
5595 yyerror("string too long");
5596 return (findeol());
5597 }
5598 *p++ = (char)c;
5599 }
5600 yylval.v.string = strdup(buf);
5601 if (yylval.v.string == NULL)
5602 err(1, "yylex: strdup");
5603 return (STRING);
5604 case '<':
5605 next = lgetc(0);
5606 if (next == '>') {
5607 yylval.v.i = PF_OP_XRG;
5608 return (PORTBINARY);
5609 }
5610 lungetc(next);
5611 break;
5612 case '>':
5613 next = lgetc(0);
5614 if (next == '<') {
5615 yylval.v.i = PF_OP_IRG;
5616 return (PORTBINARY);
5617 }
5618 lungetc(next);
5619 break;
5620 case '-':
5621 next = lgetc(0);
5622 if (next == '>')
5623 return (ARROW);
5624 lungetc(next);
5625 break;
5626 }
5627
5628 #define allowed_to_end_number(x) \
5629 (isspace(x) || x == ')' || x ==',' || x == '/' || x == '}' || x == '=')
5630
5631 if (c == '-' || isdigit(c)) {
5632 do {
5633 *p++ = c;
5634 if ((unsigned)(p-buf) >= sizeof(buf)) {
5635 yyerror("string too long");
5636 return (findeol());
5637 }
5638 } while ((c = lgetc(0)) != EOF && isdigit(c));
5639 lungetc(c);
5640 if (p == buf + 1 && buf[0] == '-')
5641 goto nodigits;
5642 if (c == EOF || allowed_to_end_number(c)) {
5643 const char *errstr = NULL;
5644
5645 *p = '\0';
5646 yylval.v.number = strtonum(buf, LLONG_MIN,
5647 LLONG_MAX, &errstr);
5648 if (errstr) {
5649 yyerror("\"%s\" invalid number: %s",
5650 buf, errstr);
5651 return (findeol());
5652 }
5653 return (NUMBER);
5654 } else {
5655 nodigits:
5656 while (p > buf + 1)
5657 lungetc(*--p);
5658 c = *--p;
5659 if (c == '-')
5660 return (c);
5661 }
5662 }
5663
5664 #define allowed_in_string(x) \
5665 (isalnum(x) || (ispunct(x) && x != '(' && x != ')' && \
5666 x != '{' && x != '}' && x != '<' && x != '>' && \
5667 x != '!' && x != '=' && x != '/' && x != '#' && \
5668 x != ','))
5669
5670 if (isalnum(c) || c == ':' || c == '_') {
5671 do {
5672 *p++ = c;
5673 if ((unsigned)(p-buf) >= sizeof(buf)) {
5674 yyerror("string too long");
5675 return (findeol());
5676 }
5677 } while ((c = lgetc(0)) != EOF && (allowed_in_string(c)));
5678 lungetc(c);
5679 *p = '\0';
5680 if ((token = lookup(buf)) == STRING)
5681 if ((yylval.v.string = strdup(buf)) == NULL)
5682 err(1, "yylex: strdup");
5683 return (token);
5684 }
5685 if (c == '\n') {
5686 yylval.lineno = file->lineno;
5687 file->lineno++;
5688 }
5689 if (c == EOF)
5690 return (0);
5691 return (c);
5692 }
5693
5694 int
5695 check_file_secrecy(int fd, const char *fname)
5696 {
5697 struct stat st;
5698
5699 if (fstat(fd, &st)) {
5700 warn("cannot stat %s", fname);
5701 return (-1);
5702 }
5703 if (st.st_uid != 0 && st.st_uid != getuid()) {
5704 warnx("%s: owner not root or current user", fname);
5705 return (-1);
5706 }
5707 if (st.st_mode & (S_IRWXG | S_IRWXO)) {
5708 warnx("%s: group/world readable/writeable", fname);
5709 return (-1);
5710 }
5711 return (0);
5712 }
5713
5714 struct file *
5715 pushfile(const char *name, int secret)
5716 {
5717 struct file *nfile;
5718
5719 if ((nfile = calloc(1, sizeof(struct file))) == NULL ||
5720 (nfile->name = strdup(name)) == NULL) {
5721 warn("malloc");
5722 return (NULL);
5723 }
5724 if (TAILQ_FIRST(&files) == NULL && strcmp(nfile->name, "-") == 0) {
5725 nfile->stream = stdin;
5726 free(nfile->name);
5727 if ((nfile->name = strdup("stdin")) == NULL) {
5728 warn("strdup");
5729 free(nfile);
5730 return (NULL);
5731 }
5732 } else if ((nfile->stream = fopen(nfile->name, "r")) == NULL) {
5733 warn("%s", nfile->name);
5734 free(nfile->name);
5735 free(nfile);
5736 return (NULL);
5737 } else if (secret &&
5738 check_file_secrecy(fileno(nfile->stream), nfile->name)) {
5739 fclose(nfile->stream);
5740 free(nfile->name);
5741 free(nfile);
5742 return (NULL);
5743 }
5744 nfile->lineno = 1;
5745 TAILQ_INSERT_TAIL(&files, nfile, entry);
5746 return (nfile);
5747 }
5748
5749 int
5750 popfile(void)
5751 {
5752 struct file *prev;
5753
5754 if ((prev = TAILQ_PREV(file, files, entry)) != NULL) {
5755 prev->errors += file->errors;
5756 TAILQ_REMOVE(&files, file, entry);
5757 fclose(file->stream);
5758 free(file->name);
5759 free(file);
5760 file = prev;
5761 return (0);
5762 }
5763 return (EOF);
5764 }
5765
5766 int
5767 parse_config(char *filename, struct pfctl *xpf)
5768 {
5769 int errors = 0;
5770 struct sym *sym;
5771
5772 pf = xpf;
5773 errors = 0;
5774 rulestate = PFCTL_STATE_NONE;
5775 returnicmpdefault = (ICMP_UNREACH << 8) | ICMP_UNREACH_PORT;
5776 returnicmp6default =
5777 (ICMP6_DST_UNREACH << 8) | ICMP6_DST_UNREACH_NOPORT;
5778 blockpolicy = PFRULE_DROP;
5779 require_order = 1;
5780
5781 /*
5782 * Default keep-polifcy is:
5783 *
5784 * set keep-policy keep state (pickups, sloppy)
5785 *
5786 * pickups - Allows TCP connections to be picked up mid-stream,
5787 * meaning that router restarts and changes in packet
5788 * routing will not destroy TCP connections already in
5789 * progress.
5790 *
5791 * sloppy - Window scale options are only sent with SYN and SYN+ACK,
5792 * when picking up a connection in the middle, such as when
5793 * the router has been restarted or when multi-pathing
5794 * occurs, PF will not understand the window scale. This
5795 * tells PF to ignore the sequence space tests for this case.
5796 *
5797 * While it is true that ICMP attack vectors are easier with these
5798 * options, the problem is that PF just has no business defaulting
5799 * to strict enforcement because it completely destroys the system
5800 * operator's ability to multi-path packets, to change packet routing,
5801 * or to restart the router (or PF) without kicking *ALL* active TCP
5802 * connections that were flowing through the router at the time. It
5803 * unacceptable to kick active connections by default.
5804 */
5805 {
5806 struct node_state_opt *opt1 = calloc(1, sizeof(*opt1));
5807 struct node_state_opt *opt2 = calloc(1, sizeof(*opt2));
5808
5809 opt1->type = PF_STATE_OPT_PICKUPS;
5810 opt1->data.pickup_mode = PF_PICKUPS_ENABLED;
5811 opt1->next = NULL;
5812 opt1->tail = opt1;
5813
5814 opt2->type = PF_STATE_OPT_SLOPPY;
5815 opt2->next = NULL;
5816 opt2->tail = opt1;
5817
5818 default_keeppolicy_action = PF_STATE_NORMAL;
5819 default_keeppolicy_options = opt1;
5820 opt1->next = opt2;
5821 opt1->tail = opt2;
5822 }
5823
5824 if ((file = pushfile(filename, 0)) == NULL) {
5825 warn("cannot open the main config file!");
5826 return (-1);
5827 }
5828
5829 yyparse();
5830 errors = file->errors;
5831 popfile();
5832
5833 /* Free macros and check which have not been used. */
5834 while ((sym = TAILQ_FIRST(&symhead))) {
5835 if ((pf->opts & PF_OPT_VERBOSE2) && !sym->used)
5836 fprintf(stderr, "warning: macro '%s' not "
5837 "used\n", sym->nam);
5838 free(sym->nam);
5839 free(sym->val);
5840 TAILQ_REMOVE(&symhead, sym, entry);
5841 free(sym);
5842 }
5843
5844 return (errors ? -1 : 0);
5845 }
5846
5847 int
5848 symset(const char *nam, const char *val, int persist)
5849 {
5850 struct sym *sym;
5851
5852 for (sym = TAILQ_FIRST(&symhead); sym && strcmp(nam, sym->nam);
5853 sym = TAILQ_NEXT(sym, entry))
5854 ; /* nothing */
5855
5856 if (sym != NULL) {
5857 if (sym->persist == 1)
5858 return (0);
5859 else {
5860 free(sym->nam);
5861 free(sym->val);
5862 TAILQ_REMOVE(&symhead, sym, entry);
5863 free(sym);
5864 }
5865 }
5866 if ((sym = calloc(1, sizeof(*sym))) == NULL)
5867 return (-1);
5868
5869 sym->nam = strdup(nam);
5870 if (sym->nam == NULL) {
5871 free(sym);
5872 return (-1);
5873 }
5874 sym->val = strdup(val);
5875 if (sym->val == NULL) {
5876 free(sym->nam);
5877 free(sym);
5878 return (-1);
5879 }
5880 sym->used = 0;
5881 sym->persist = persist;
5882 TAILQ_INSERT_TAIL(&symhead, sym, entry);
5883 return (0);
5884 }
5885
5886 int
5887 pfctl_cmdline_symset(char *s)
5888 {
5889 char *sym, *val;
5890 int ret;
5891
5892 if ((val = strrchr(s, '=')) == NULL)
5893 return (-1);
5894
5895 if ((sym = malloc(strlen(s) - strlen(val) + 1)) == NULL)
5896 err(1, "pfctl_cmdline_symset: malloc");
5897
5898 strlcpy(sym, s, strlen(s) - strlen(val) + 1);
5899
5900 ret = symset(sym, val + 1, 1);
5901 free(sym);
5902
5903 return (ret);
5904 }
5905
5906 char *
5907 symget(const char *nam)
5908 {
5909 struct sym *sym;
5910
5911 TAILQ_FOREACH(sym, &symhead, entry)
5912 if (strcmp(nam, sym->nam) == 0) {
5913 sym->used = 1;
5914 return (sym->val);
5915 }
5916 return (NULL);
5917 }
5918
5919 void
5920 mv_rules(struct pf_ruleset *src, struct pf_ruleset *dst)
5921 {
5922 int i;
5923 struct pf_rule *r;
5924
5925 for (i = 0; i < PF_RULESET_MAX; ++i) {
5926 while ((r = TAILQ_FIRST(src->rules[i].active.ptr))
5927 != NULL) {
5928 TAILQ_REMOVE(src->rules[i].active.ptr, r, entries);
5929 TAILQ_INSERT_TAIL(dst->rules[i].active.ptr, r, entries);
5930 dst->anchor->match++;
5931 }
5932 src->anchor->match = 0;
5933 while ((r = TAILQ_FIRST(src->rules[i].inactive.ptr))
5934 != NULL) {
5935 TAILQ_REMOVE(src->rules[i].inactive.ptr, r, entries);
5936 TAILQ_INSERT_TAIL(dst->rules[i].inactive.ptr,
5937 r, entries);
5938 }
5939 }
5940 }
5941
5942 void
5943 decide_address_family(struct node_host *n, sa_family_t *af)
5944 {
5945 if (*af != 0 || n == NULL)
5946 return;
5947 *af = n->af;
5948 while ((n = n->next) != NULL) {
5949 if (n->af != *af) {
5950 *af = 0;
5951 return;
5952 }
5953 }
5954 }
5955
5956 void
5957 remove_invalid_hosts(struct node_host **nh, sa_family_t *af)
5958 {
5959 struct node_host *n = *nh, *prev = NULL;
5960
5961 while (n != NULL) {
5962 if (*af && n->af && n->af != *af) {
5963 /* unlink and free n */
5964 struct node_host *next = n->next;
5965
5966 /* adjust tail pointer */
5967 if (n == (*nh)->tail)
5968 (*nh)->tail = prev;
5969 /* adjust previous node's next pointer */
5970 if (prev == NULL)
5971 *nh = next;
5972 else
5973 prev->next = next;
5974 /* free node */
5975 if (n->ifname != NULL)
5976 free(n->ifname);
5977 free(n);
5978 n = next;
5979 } else {
5980 if (n->af && !*af)
5981 *af = n->af;
5982 prev = n;
5983 n = n->next;
5984 }
5985 }
5986 }
5987
5988 int
5989 invalid_redirect(struct node_host *nh, sa_family_t af)
5990 {
5991 if (!af) {
5992 struct node_host *n;
5993
5994 /* tables and dyniftl are ok without an address family */
5995 for (n = nh; n != NULL; n = n->next) {
5996 if (n->addr.type != PF_ADDR_TABLE &&
5997 n->addr.type != PF_ADDR_DYNIFTL) {
5998 yyerror("address family not given and "
5999 "translation address expands to multiple "
6000 "address families");
6001 return (1);
6002 }
6003 }
6004 }
6005 if (nh == NULL) {
6006 yyerror("no translation address with matching address family "
6007 "found.");
6008 return (1);
6009 }
6010 return (0);
6011 }
6012
6013 int
6014 atoul(char *s, u_long *ulvalp)
6015 {
6016 u_long ulval;
6017 char *ep;
6018
6019 errno = 0;
6020 ulval = strtoul(s, &ep, 0);
6021 if (s[0] == '\0' || *ep != '\0')
6022 return (-1);
6023 if (errno == ERANGE && ulval == ULONG_MAX)
6024 return (-1);
6025 *ulvalp = ulval;
6026 return (0);
6027 }
6028
6029 int
6030 getservice(char *n)
6031 {
6032 struct servent *s;
6033 u_long ulval;
6034
6035 if (atoul(n, &ulval) == 0) {
6036 if (ulval > 65535) {
6037 yyerror("illegal port value %lu", ulval);
6038 return (-1);
6039 }
6040 return (htons(ulval));
6041 } else {
6042 s = getservbyname(n, "tcp");
6043 if (s == NULL)
6044 s = getservbyname(n, "udp");
6045 if (s == NULL) {
6046 yyerror("unknown port %s", n);
6047 return (-1);
6048 }
6049 return (s->s_port);
6050 }
6051 }
6052
6053 int
6054 rule_label(struct pf_rule *r, char *s)
6055 {
6056 if (s) {
6057 if (strlcpy(r->label, s, sizeof(r->label)) >=
6058 sizeof(r->label)) {
6059 yyerror("rule label too long (max %zd chars)",
6060 sizeof(r->label)-1);
6061 return (-1);
6062 }
6063 }
6064 return (0);
6065 }
6066
6067 u_int16_t
6068 parseicmpspec(char *w, sa_family_t af)
6069 {
6070 const struct icmpcodeent *p;
6071 u_long ulval;
6072 u_int8_t icmptype;
6073
6074 if (af == AF_INET)
6075 icmptype = returnicmpdefault >> 8;
6076 else
6077 icmptype = returnicmp6default >> 8;
6078
6079 if (atoul(w, &ulval) == -1) {
6080 if ((p = geticmpcodebyname(icmptype, w, af)) == NULL) {
6081 yyerror("unknown icmp code %s", w);
6082 return (0);
6083 }
6084 ulval = p->code;
6085 }
6086 if (ulval > 255) {
6087 yyerror("invalid icmp code %lu", ulval);
6088 return (0);
6089 }
6090 return (icmptype << 8 | ulval);
6091 }
6092
6093 int
6094 parseport(char *port, struct range *r, int extensions)
6095 {
6096 char *p = strchr(port, ':');
6097
6098 if (p == NULL) {
6099 if ((r->a = getservice(port)) == -1)
6100 return (-1);
6101 r->b = 0;
6102 r->t = PF_OP_NONE;
6103 return (0);
6104 }
6105 if ((extensions & PPORT_STAR) && !strcmp(p+1, "*")) {
6106 *p = 0;
6107 if ((r->a = getservice(port)) == -1)
6108 return (-1);
6109 r->b = 0;
6110 r->t = PF_OP_IRG;
6111 return (0);
6112 }
6113 if ((extensions & PPORT_RANGE)) {
6114 *p++ = 0;
6115 if ((r->a = getservice(port)) == -1 ||
6116 (r->b = getservice(p)) == -1)
6117 return (-1);
6118 if (r->a == r->b) {
6119 r->b = 0;
6120 r->t = PF_OP_NONE;
6121 } else
6122 r->t = PF_OP_RRG;
6123 return (0);
6124 }
6125 return (-1);
6126 }
6127
6128 int
6129 pfctl_load_anchors(int dev, struct pfctl *his_pf, struct pfr_buffer *trans)
6130 {
6131 struct loadanchors *la;
6132
6133 TAILQ_FOREACH(la, &loadanchorshead, entries) {
6134 if (his_pf->opts & PF_OPT_VERBOSE)
6135 fprintf(stderr, "\nLoading anchor %s from %s\n",
6136 la->anchorname, la->filename);
6137 if (pfctl_rules(dev, la->filename, his_pf->opts, his_pf->optimize,
6138 la->anchorname, trans) == -1)
6139 return (-1);
6140 }
6141
6142 return (0);
6143 }
DragonFly BSD