sbin/pfctl/parse.y
Show First 20 Lines • Show All 236 Lines • ▼ Show 20 Lines | #define FOM_PRIO 0x2000 | ||||
u_int32_t prob; | u_int32_t prob; | ||||
struct { | struct { | ||||
int action; | int action; | ||||
struct node_state_opt *options; | struct node_state_opt *options; | ||||
} keep; | } keep; | ||||
int fragment; | int fragment; | ||||
int allowopts; | int allowopts; | ||||
char *label; | char *label; | ||||
char *schedule; | |||||
struct node_qassign queues; | struct node_qassign queues; | ||||
char *tag; | char *tag; | ||||
char *match_tag; | char *match_tag; | ||||
u_int8_t match_tag_not; | u_int8_t match_tag_not; | ||||
u_int rtableid; | u_int rtableid; | ||||
u_int8_t prio; | u_int8_t prio; | ||||
u_int8_t set_prio[2]; | u_int8_t set_prio[2]; | ||||
struct { | struct { | ||||
int expand_queue(struct pf_altq *, struct node_if *, | int expand_queue(struct pf_altq *, struct node_if *, | ||||
struct node_queue *, struct node_queue_bw, | struct node_queue *, struct node_queue_bw, | ||||
struct node_queue_opt *); | struct node_queue_opt *); | ||||
int expand_skip_interface(struct node_if *); | int expand_skip_interface(struct node_if *); | ||||
int check_rulestate(int); | int check_rulestate(int); | ||||
int getservice(char *); | int getservice(char *); | ||||
int rule_label(struct pfctl_rule *, char *); | int rule_label(struct pfctl_rule *, char *); | ||||
int rule_schedule(struct pfctl_rule *, char *); | |||||
int rt_tableid_max(void); | int rt_tableid_max(void); | ||||
void mv_rules(struct pfctl_ruleset *, struct pfctl_ruleset *); | void mv_rules(struct pfctl_ruleset *, struct pfctl_ruleset *); | ||||
void decide_address_family(struct node_host *, sa_family_t *); | void decide_address_family(struct node_host *, sa_family_t *); | ||||
void remove_invalid_hosts(struct node_host **, sa_family_t *); | void remove_invalid_hosts(struct node_host **, sa_family_t *); | ||||
int invalid_redirect(struct node_host *, sa_family_t); | int invalid_redirect(struct node_host *, sa_family_t); | ||||
u_int16_t parseicmpspec(char *, sa_family_t); | u_int16_t parseicmpspec(char *, sa_family_t); | ||||
int kw_casecmp(const void *, const void *); | int kw_casecmp(const void *, const void *); | ||||
%token PASS BLOCK SCRUB RETURN IN OS OUT LOG QUICK ON FROM TO FLAGS | %token PASS BLOCK SCRUB RETURN IN OS OUT LOG QUICK ON FROM TO FLAGS | ||||
%token RETURNRST RETURNICMP RETURNICMP6 PROTO INET INET6 ALL ANY ICMPTYPE | %token RETURNRST RETURNICMP RETURNICMP6 PROTO INET INET6 ALL ANY ICMPTYPE | ||||
%token ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW NODF | %token ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW NODF | ||||
%token MINTTL ERROR ALLOWOPTS FASTROUTE FILENAME ROUTETO DUPTO REPLYTO NO LABEL | %token MINTTL ERROR ALLOWOPTS FASTROUTE FILENAME ROUTETO DUPTO REPLYTO NO LABEL | ||||
%token NOROUTE URPFFAILED FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE | %token NOROUTE URPFFAILED FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE | ||||
%token REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR | %token REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR | ||||
%token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY FAILPOLICY | %token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY FAILPOLICY | ||||
%token RANDOMID REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID | %token RANDOMID REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID | ||||
%token ANTISPOOF FOR INCLUDE | %token ANTISPOOF FOR INCLUDE SCHEDULE | ||||
%token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT PROBABILITY | %token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT PROBABILITY | ||||
%token ALTQ CBQ CODEL PRIQ HFSC FAIRQ BANDWIDTH TBRSIZE LINKSHARE REALTIME | %token ALTQ CBQ CODEL PRIQ HFSC FAIRQ BANDWIDTH TBRSIZE LINKSHARE REALTIME | ||||
%token UPPERLIMIT QUEUE PRIORITY QLIMIT HOGS BUCKETS RTABLE TARGET INTERVAL | %token UPPERLIMIT QUEUE PRIORITY QLIMIT HOGS BUCKETS RTABLE TARGET INTERVAL | ||||
%token LOAD RULESET_OPTIMIZATION PRIO | %token LOAD RULESET_OPTIMIZATION PRIO | ||||
%token STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE | %token STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE | ||||
%token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY | %token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY | ||||
%token TAGGED TAG IFBOUND FLOATING STATEPOLICY STATEDEFAULTS ROUTE SETTOS | %token TAGGED TAG IFBOUND FLOATING STATEPOLICY STATEDEFAULTS ROUTE SETTOS | ||||
%token DIVERTTO DIVERTREPLY | %token DIVERTTO DIVERTREPLY | ||||
%type <v.host> redir_host_list redirspec | %type <v.host> redir_host_list redirspec | ||||
%type <v.host> route_host route_host_list routespec | %type <v.host> route_host route_host_list routespec | ||||
%type <v.os> os xos os_list | %type <v.os> os xos os_list | ||||
%type <v.port> portspec port_list port_item | %type <v.port> portspec port_list port_item | ||||
%type <v.uid> uids uid_list uid_item | %type <v.uid> uids uid_list uid_item | ||||
%type <v.gid> gids gid_list gid_item | %type <v.gid> gids gid_list gid_item | ||||
%type <v.route> route | %type <v.route> route | ||||
%type <v.redirection> redirection redirpool | %type <v.redirection> redirection redirpool | ||||
%type <v.string> label stringall tag anchorname | %type <v.string> label schedule stringall tag anchorname | ||||
%type <v.string> string varstring numberstring | %type <v.string> string varstring numberstring | ||||
%type <v.keep_state> keep | %type <v.keep_state> keep | ||||
%type <v.state_opt> state_opt_spec state_opt_list state_opt_item | %type <v.state_opt> state_opt_spec state_opt_list state_opt_item | ||||
%type <v.logquick> logquick quick log logopts logopt | %type <v.logquick> logquick quick log logopts logopt | ||||
%type <v.interface> antispoof_ifspc antispoof_iflst antispoof_if | %type <v.interface> antispoof_ifspc antispoof_iflst antispoof_if | ||||
%type <v.qassign> qname | %type <v.qassign> qname | ||||
%type <v.queue> qassign qassign_list qassign_item | %type <v.queue> qassign qassign_list qassign_item | ||||
%type <v.queue_options> scheduler | %type <v.queue_options> scheduler | ||||
▲ Show 20 Lines • Show All 1,574 Lines • ▼ Show 20 Lines | pfrule : action dir logquick interface route af proto fromto | ||||
yyerror("tag too long, max %u chars", | yyerror("tag too long, max %u chars", | ||||
PF_TAG_NAME_SIZE - 1); | PF_TAG_NAME_SIZE - 1); | ||||
YYERROR; | YYERROR; | ||||
} | } | ||||
r.match_tag_not = $9.match_tag_not; | r.match_tag_not = $9.match_tag_not; | ||||
if (rule_label(&r, $9.label)) | if (rule_label(&r, $9.label)) | ||||
YYERROR; | YYERROR; | ||||
free($9.label); | free($9.label); | ||||
if (rule_schedule(&r, $9.schedule)) | |||||
YYERROR; | |||||
free($9.schedule); | |||||
r.flags = $9.flags.b1; | r.flags = $9.flags.b1; | ||||
r.flagset = $9.flags.b2; | r.flagset = $9.flags.b2; | ||||
if (($9.flags.b1 & $9.flags.b2) != $9.flags.b1) { | if (($9.flags.b1 & $9.flags.b2) != $9.flags.b1) { | ||||
yyerror("flags always false"); | yyerror("flags always false"); | ||||
YYERROR; | YYERROR; | ||||
} | } | ||||
if ($9.flags.b1 || $9.flags.b2 || $8.src_os) { | if ($9.flags.b1 || $9.flags.b2 || $8.src_os) { | ||||
for (proto = $7; proto != NULL && | for (proto = $7; proto != NULL && | ||||
▲ Show 20 Lines • Show All 427 Lines • ▼ Show 20 Lines | filter_opt : USER uids { | ||||
} | } | ||||
| label { | | label { | ||||
if (filter_opts.label) { | if (filter_opts.label) { | ||||
yyerror("label cannot be redefined"); | yyerror("label cannot be redefined"); | ||||
YYERROR; | YYERROR; | ||||
} | } | ||||
filter_opts.label = $1; | filter_opts.label = $1; | ||||
} | } | ||||
| schedule { | |||||
if (filter_opts.schedule) { | |||||
yyerror("schedule cannot be redefined"); | |||||
YYERROR; | |||||
} | |||||
filter_opts.schedule = $1; | |||||
} | |||||
| qname { | | qname { | ||||
if (filter_opts.queues.qname) { | if (filter_opts.queues.qname) { | ||||
yyerror("queue cannot be redefined"); | yyerror("queue cannot be redefined"); | ||||
YYERROR; | YYERROR; | ||||
} | } | ||||
filter_opts.queues = $1; | filter_opts.queues = $1; | ||||
} | } | ||||
| TAG string { | | TAG string { | ||||
▲ Show 20 Lines • Show All 1,303 Lines • ▼ Show 20 Lines | state_opt_item : MAXIMUM NUMBER { | ||||
} | } | ||||
; | ; | ||||
label : LABEL STRING { | label : LABEL STRING { | ||||
$$ = $2; | $$ = $2; | ||||
} | } | ||||
; | ; | ||||
schedule : SCHEDULE STRING { | |||||
$$ = $2; | |||||
} | |||||
; | |||||
qname : QUEUE STRING { | qname : QUEUE STRING { | ||||
$$.qname = $2; | $$.qname = $2; | ||||
$$.pqname = NULL; | $$.pqname = NULL; | ||||
} | } | ||||
| QUEUE '(' STRING ')' { | | QUEUE '(' STRING ')' { | ||||
$$.qname = $3; | $$.qname = $3; | ||||
$$.pqname = NULL; | $$.pqname = NULL; | ||||
} | } | ||||
▲ Show 20 Lines • Show All 1,392 Lines • ▼ Show 20 Lines | expand_rule(struct pfctl_rule *r, | ||||
struct node_host *dst_hosts, struct node_port *dst_ports, | struct node_host *dst_hosts, struct node_port *dst_ports, | ||||
struct node_uid *uids, struct node_gid *gids, struct node_icmp *icmp_types, | struct node_uid *uids, struct node_gid *gids, struct node_icmp *icmp_types, | ||||
const char *anchor_call) | const char *anchor_call) | ||||
{ | { | ||||
sa_family_t af = r->af; | sa_family_t af = r->af; | ||||
int added = 0, error = 0; | int added = 0, error = 0; | ||||
char ifname[IF_NAMESIZE]; | char ifname[IF_NAMESIZE]; | ||||
char label[PF_RULE_LABEL_SIZE]; | char label[PF_RULE_LABEL_SIZE]; | ||||
char schedule[PF_RULE_LABEL_SIZE]; | |||||
char tagname[PF_TAG_NAME_SIZE]; | char tagname[PF_TAG_NAME_SIZE]; | ||||
char match_tagname[PF_TAG_NAME_SIZE]; | char match_tagname[PF_TAG_NAME_SIZE]; | ||||
struct pf_pooladdr *pa; | struct pf_pooladdr *pa; | ||||
struct node_host *h; | struct node_host *h; | ||||
u_int8_t flags, flagset, keep_state; | u_int8_t flags, flagset, keep_state; | ||||
if (strlcpy(label, r->label, sizeof(label)) >= sizeof(label)) | if (strlcpy(label, r->label, sizeof(label)) >= sizeof(label)) | ||||
errx(1, "expand_rule: strlcpy"); | errx(1, "expand_rule: strlcpy"); | ||||
if (strlcpy(schedule, r->schedule, sizeof(schedule)) >= sizeof(schedule)) | |||||
errx(1, "expand_rule: strlcpy"); | |||||
if (strlcpy(tagname, r->tagname, sizeof(tagname)) >= sizeof(tagname)) | if (strlcpy(tagname, r->tagname, sizeof(tagname)) >= sizeof(tagname)) | ||||
errx(1, "expand_rule: strlcpy"); | errx(1, "expand_rule: strlcpy"); | ||||
if (strlcpy(match_tagname, r->match_tagname, sizeof(match_tagname)) >= | if (strlcpy(match_tagname, r->match_tagname, sizeof(match_tagname)) >= | ||||
sizeof(match_tagname)) | sizeof(match_tagname)) | ||||
errx(1, "expand_rule: strlcpy"); | errx(1, "expand_rule: strlcpy"); | ||||
flags = r->flags; | flags = r->flags; | ||||
flagset = r->flagset; | flagset = r->flagset; | ||||
keep_state = r->keep_state; | keep_state = r->keep_state; | ||||
Show All 35 Lines | LOOP_THROUGH(struct node_gid, gid, gids, | ||||
else if (if_indextoname(dst_host->ifindex, ifname)) | else if (if_indextoname(dst_host->ifindex, ifname)) | ||||
strlcpy(r->ifname, ifname, sizeof(r->ifname)); | strlcpy(r->ifname, ifname, sizeof(r->ifname)); | ||||
else | else | ||||
memset(r->ifname, '\0', sizeof(r->ifname)); | memset(r->ifname, '\0', sizeof(r->ifname)); | ||||
if (strlcpy(r->label, label, sizeof(r->label)) >= | if (strlcpy(r->label, label, sizeof(r->label)) >= | ||||
sizeof(r->label)) | sizeof(r->label)) | ||||
errx(1, "expand_rule: strlcpy"); | errx(1, "expand_rule: strlcpy"); | ||||
if (strlcpy(r->schedule, schedule, sizeof(r->schedule)) >= | |||||
sizeof(r->schedule)) | |||||
errx(1, "expand_rule: strlcpy"); | |||||
if (strlcpy(r->tagname, tagname, sizeof(r->tagname)) >= | if (strlcpy(r->tagname, tagname, sizeof(r->tagname)) >= | ||||
sizeof(r->tagname)) | sizeof(r->tagname)) | ||||
errx(1, "expand_rule: strlcpy"); | errx(1, "expand_rule: strlcpy"); | ||||
if (strlcpy(r->match_tagname, match_tagname, | if (strlcpy(r->match_tagname, match_tagname, | ||||
sizeof(r->match_tagname)) >= sizeof(r->match_tagname)) | sizeof(r->match_tagname)) >= sizeof(r->match_tagname)) | ||||
errx(1, "expand_rule: strlcpy"); | errx(1, "expand_rule: strlcpy"); | ||||
expand_label(r->label, PF_RULE_LABEL_SIZE, r->ifname, r->af, | expand_label(r->label, PF_RULE_LABEL_SIZE, r->ifname, r->af, | ||||
src_host, src_port, dst_host, dst_port, proto->proto); | src_host, src_port, dst_host, dst_port, proto->proto); | ||||
expand_label(r->schedule, PF_RULE_LABEL_SIZE, r->ifname, r->af, | |||||
src_host, src_port, dst_host, dst_port, proto->proto); | |||||
expand_label(r->tagname, PF_TAG_NAME_SIZE, r->ifname, r->af, | expand_label(r->tagname, PF_TAG_NAME_SIZE, r->ifname, r->af, | ||||
src_host, src_port, dst_host, dst_port, proto->proto); | src_host, src_port, dst_host, dst_port, proto->proto); | ||||
expand_label(r->match_tagname, PF_TAG_NAME_SIZE, r->ifname, | expand_label(r->match_tagname, PF_TAG_NAME_SIZE, r->ifname, | ||||
r->af, src_host, src_port, dst_host, dst_port, | r->af, src_host, src_port, dst_host, dst_port, | ||||
proto->proto); | proto->proto); | ||||
error += check_netmask(src_host, r->af); | error += check_netmask(src_host, r->af); | ||||
error += check_netmask(dst_host, r->af); | error += check_netmask(dst_host, r->af); | ||||
▲ Show 20 Lines • Show All 249 Lines • ▼ Show 20 Lines | static const struct keywords keywords[] = { | ||||
{ "return-icmp6", RETURNICMP6}, | { "return-icmp6", RETURNICMP6}, | ||||
{ "return-rst", RETURNRST}, | { "return-rst", RETURNRST}, | ||||
{ "round-robin", ROUNDROBIN}, | { "round-robin", ROUNDROBIN}, | ||||
{ "route", ROUTE}, | { "route", ROUTE}, | ||||
{ "route-to", ROUTETO}, | { "route-to", ROUTETO}, | ||||
{ "rtable", RTABLE}, | { "rtable", RTABLE}, | ||||
{ "rule", RULE}, | { "rule", RULE}, | ||||
{ "ruleset-optimization", RULESET_OPTIMIZATION}, | { "ruleset-optimization", RULESET_OPTIMIZATION}, | ||||
{ "schedule", SCHEDULE}, | |||||
{ "scrub", SCRUB}, | { "scrub", SCRUB}, | ||||
{ "set", SET}, | { "set", SET}, | ||||
{ "set-tos", SETTOS}, | { "set-tos", SETTOS}, | ||||
{ "skip", SKIP}, | { "skip", SKIP}, | ||||
{ "sloppy", SLOPPY}, | { "sloppy", SLOPPY}, | ||||
{ "source-hash", SOURCEHASH}, | { "source-hash", SOURCEHASH}, | ||||
{ "source-track", SOURCETRACK}, | { "source-track", SOURCETRACK}, | ||||
{ "state", STATE}, | { "state", STATE}, | ||||
int | int | ||||
rule_label(struct pfctl_rule *r, char *s) | rule_label(struct pfctl_rule *r, char *s) | ||||
{ | { | ||||
if (s) { | if (s) { | ||||
if (strlcpy(r->label, s, sizeof(r->label)) >= | if (strlcpy(r->label, s, sizeof(r->label)) >= | ||||
sizeof(r->label)) { | sizeof(r->label)) { | ||||
yyerror("rule label too long (max %d chars)", | yyerror("rule label too long (max %d chars)", | ||||
sizeof(r->label)-1); | sizeof(r->label)-1); | ||||
return (-1); | |||||
} | |||||
} | |||||
return (0); | |||||
} | |||||
int | |||||
rule_schedule(struct pfctl_rule *r, char *s) | |||||
{ | |||||
if (s) { | |||||
if (strlcpy(r->schedule, s, sizeof(r->schedule)) >= | |||||
sizeof(r->schedule)) { | |||||
yyerror("rule schedule too long (max %d chars)", | |||||
sizeof(r->schedule)-1); | |||||
return (-1); | return (-1); | ||||
} | } | ||||
} | } | ||||
return (0); | return (0); | ||||
} | } | ||||
u_int16_t | u_int16_t | ||||
parseicmpspec(char *w, sa_family_t af) | parseicmpspec(char *w, sa_family_t af) | ||||
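Review bot: In expand_rule the new `expand_label(r->schedule, PF_RULE_LABEL_SIZE, ...)` call bounds the schedule field with the label constant, while the strlcpy a few lines above bounds the same field with `sizeof(r->schedule)`; if struct pfctl_rule (not visible here) declares schedule with a size other than PF_RULE_LABEL_SIZE, expand_label can write past the field, so passing `sizeof(r->schedule)` keeps the bound tied to the actual field. It is also worth confirming that schedule names are meant to go through expand_label's `$`-substitution at all, since a schedule is presumably an opaque identifier rather than a label template. Separately, rule_schedule copies rule_label's yyerror, which passes a size_t to `%d`; `(int)(sizeof(r->schedule) - 1)` would match the conversion. expand_rule begins and ends outside the visible hunk.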