sbin/pfctl/parse.y
static struct pool_opts { | static struct pool_opts { | ||||
int marker; | int marker; | ||||
#define POM_TYPE 0x01 | #define POM_TYPE 0x01 | ||||
#define POM_STICKYADDRESS 0x02 | #define POM_STICKYADDRESS 0x02 | ||||
u_int8_t opts; | u_int8_t opts; | ||||
int type; | int type; | ||||
int staticport; | int staticport; | ||||
struct pf_poolhashkey *key; | struct pf_poolhashkey *key; | ||||
struct pf_mape_portset mape; | |||||
} pool_opts; | } pool_opts; | ||||
static struct codel_opts codel_opts; | static struct codel_opts codel_opts; | ||||
static struct node_hfsc_opts hfsc_opts; | static struct node_hfsc_opts hfsc_opts; | ||||
static struct node_fairq_opts fairq_opts; | static struct node_fairq_opts fairq_opts; | ||||
static struct node_state_opt *keep_state_defaults = NULL; | static struct node_state_opt *keep_state_defaults = NULL; | ||||
%token RETURNRST RETURNICMP RETURNICMP6 PROTO INET INET6 ALL ANY ICMPTYPE | %token RETURNRST RETURNICMP RETURNICMP6 PROTO INET INET6 ALL ANY ICMPTYPE | ||||
%token ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW NODF | %token ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW NODF | ||||
%token MINTTL ERROR ALLOWOPTS FASTROUTE FILENAME ROUTETO DUPTO REPLYTO NO LABEL | %token MINTTL ERROR ALLOWOPTS FASTROUTE FILENAME ROUTETO DUPTO REPLYTO NO LABEL | ||||
%token NOROUTE URPFFAILED FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE | %token NOROUTE URPFFAILED FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE | ||||
%token REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR | %token REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR | ||||
%token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY FAILPOLICY | %token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY FAILPOLICY | ||||
%token RANDOMID REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID | %token RANDOMID REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID | ||||
%token ANTISPOOF FOR INCLUDE | %token ANTISPOOF FOR INCLUDE | ||||
%token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT PROBABILITY | %token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT PROBABILITY MAPEPORTSET | ||||
%token ALTQ CBQ CODEL PRIQ HFSC FAIRQ BANDWIDTH TBRSIZE LINKSHARE REALTIME | %token ALTQ CBQ CODEL PRIQ HFSC FAIRQ BANDWIDTH TBRSIZE LINKSHARE REALTIME | ||||
%token UPPERLIMIT QUEUE PRIORITY QLIMIT HOGS BUCKETS RTABLE TARGET INTERVAL | %token UPPERLIMIT QUEUE PRIORITY QLIMIT HOGS BUCKETS RTABLE TARGET INTERVAL | ||||
%token LOAD RULESET_OPTIMIZATION PRIO | %token LOAD RULESET_OPTIMIZATION PRIO | ||||
%token STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE | %token STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE | ||||
%token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY | %token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY | ||||
%token TAGGED TAG IFBOUND FLOATING STATEPOLICY STATEDEFAULTS ROUTE SETTOS | %token TAGGED TAG IFBOUND FLOATING STATEPOLICY STATEDEFAULTS ROUTE SETTOS | ||||
%token DIVERTTO DIVERTREPLY | %token DIVERTTO DIVERTREPLY | ||||
%token <v.string> STRING | %token <v.string> STRING | ||||
▲ Show 20 Lines • Show All 3,537 Lines • ▼ Show 20 Lines | pool_opt : BITMASK { | ||||
| STICKYADDRESS { | | STICKYADDRESS { | ||||
if (filter_opts.marker & POM_STICKYADDRESS) { | if (filter_opts.marker & POM_STICKYADDRESS) { | ||||
yyerror("sticky-address cannot be redefined"); | yyerror("sticky-address cannot be redefined"); | ||||
YYERROR; | YYERROR; | ||||
} | } | ||||
pool_opts.marker |= POM_STICKYADDRESS; | pool_opts.marker |= POM_STICKYADDRESS; | ||||
pool_opts.opts |= PF_POOL_STICKYADDR; | pool_opts.opts |= PF_POOL_STICKYADDR; | ||||
} | } | ||||
| MAPEPORTSET number '/' number '/' number { | |||||
if (pool_opts.mape.offset) { | |||||
yyerror("map-e-portset cannot be redefined"); | |||||
YYERROR; | |||||
kp: The warning doesn't match the check. 0 is allowed here. | |||||
takahiro.kurosawa_gmail.com: I will fix `$2 < 0` to `$2 <= 0`.
} | |||||
if (pool_opts.type) { | |||||
yyerror("map-e-portset cannot be used with " | |||||
"address pools"); | |||||
YYERROR; | |||||
} | |||||
if ($2 <= 0 || $2 >= 16) { | |||||
yyerror("MAP-E PSID offset must be 1-15"); | |||||
YYERROR; | |||||
} | |||||
if ($4 < 0 || $4 >= 16 || $2 + $4 > 16) { | |||||
yyerror("Invalid MAP-E PSID length"); | |||||
YYERROR; | |||||
} else if ($4 == 0) { | |||||
yyerror("PSID Length = 0: this means" | |||||
" you do not need MAP-E"); | |||||
YYERROR; | |||||
} | |||||
if ($6 < 0 || $6 > 65535) { | |||||
yyerror("Invalid MAP-E PSID"); | |||||
YYERROR; | |||||
} | |||||
pool_opts.mape.offset = $2; | |||||
pool_opts.mape.psidlen = $4; | |||||
pool_opts.mape.psid = $6; | |||||
} | |||||
; | ; | ||||
redirection : /* empty */ { $$ = NULL; } | redirection : /* empty */ { $$ = NULL; } | ||||
| ARROW host { | | ARROW host { | ||||
$$ = calloc(1, sizeof(struct redirection)); | $$ = calloc(1, sizeof(struct redirection)); | ||||
if ($$ == NULL) | if ($$ == NULL) | ||||
err(1, "redirection: calloc"); | err(1, "redirection: calloc"); | ||||
$$->host = $2; | $$->host = $2; | ||||
▲ Show 20 Lines • Show All 182 Lines • ▼ Show 20 Lines | natrule : nataction interface af proto fromto tag tagged rtable | ||||
YYERROR; | YYERROR; | ||||
} | } | ||||
if (r.rpool.proxy_port[0] != | if (r.rpool.proxy_port[0] != | ||||
PF_NAT_PROXY_PORT_LOW && | PF_NAT_PROXY_PORT_LOW && | ||||
r.rpool.proxy_port[1] != | r.rpool.proxy_port[1] != | ||||
PF_NAT_PROXY_PORT_HIGH) { | PF_NAT_PROXY_PORT_HIGH) { | ||||
yyerror("the 'static-port' option can't" | yyerror("the 'static-port' option can't" | ||||
" be used when specifying a port" | " be used when specifying a port" | ||||
" range"); | " range"); | ||||
kp: If I'm reading the parser code correctly this is impossible, so maybe this should be an assert() rather than input validation.
takahiro.kurosawa_gmail.com: I have confirmed that the yyerror message below is actually displayed by running:
```
$ echo 'rdr on lo0 proto tcp from any to any -> 127.0.0.1 map-e-portset 6/8/0x34' | /sbin/pfctl -n -f -
stdin:1: the 'map-e-portset' option is only valid with nat rules
```
So I'm going to keep it unchanged.
YYERROR; | YYERROR; | ||||
} | } | ||||
r.rpool.proxy_port[0] = 0; | r.rpool.proxy_port[0] = 0; | ||||
r.rpool.proxy_port[1] = 0; | r.rpool.proxy_port[1] = 0; | ||||
} | } | ||||
if ($10.mape.offset) { | |||||
if (r.action != PF_NAT) { | |||||
yyerror("the 'map-e-portset' option is" | |||||
" only valid with nat rules"); | |||||
YYERROR; | |||||
} | |||||
if ($10.staticport) { | |||||
yyerror("the 'map-e-portset' option" | |||||
" can't be used 'static-port'"); | |||||
YYERROR; | |||||
} | |||||
if (r.rpool.proxy_port[0] != | |||||
PF_NAT_PROXY_PORT_LOW && | |||||
r.rpool.proxy_port[1] != | |||||
PF_NAT_PROXY_PORT_HIGH) { | |||||
yyerror("the 'map-e-portset' option" | |||||
" can't be used when specifying" | |||||
" a port range"); | |||||
YYERROR; | |||||
} | |||||
r.rpool.mape = $10.mape; | |||||
} | |||||
expand_rule(&r, $2, $9 == NULL ? NULL : $9->host, $4, | expand_rule(&r, $2, $9 == NULL ? NULL : $9->host, $4, | ||||
$5.src_os, $5.src.host, $5.src.port, $5.dst.host, | $5.src_os, $5.src.host, $5.src.port, $5.dst.host, | ||||
$5.dst.port, 0, 0, 0, ""); | $5.dst.port, 0, 0, 0, ""); | ||||
free($9); | free($9); | ||||
} | } | ||||
; | ; | ||||
binatrule : no BINAT natpasslog interface af proto FROM ipspec toipspec tag | binatrule : no BINAT natpasslog interface af proto FROM ipspec toipspec tag | ||||
▲ Show 20 Lines • Show All 1,309 Lines • ▼ Show 20 Lines | static const struct keywords keywords[] = { | ||||
{ "interval", INTERVAL}, | { "interval", INTERVAL}, | ||||
{ "keep", KEEP}, | { "keep", KEEP}, | ||||
{ "label", LABEL}, | { "label", LABEL}, | ||||
{ "limit", LIMIT}, | { "limit", LIMIT}, | ||||
{ "linkshare", LINKSHARE}, | { "linkshare", LINKSHARE}, | ||||
{ "load", LOAD}, | { "load", LOAD}, | ||||
{ "log", LOG}, | { "log", LOG}, | ||||
{ "loginterface", LOGINTERFACE}, | { "loginterface", LOGINTERFACE}, | ||||
{ "map-e-portset", MAPEPORTSET}, | |||||
{ "max", MAXIMUM}, | { "max", MAXIMUM}, | ||||
{ "max-mss", MAXMSS}, | { "max-mss", MAXMSS}, | ||||
{ "max-src-conn", MAXSRCCONN}, | { "max-src-conn", MAXSRCCONN}, | ||||
{ "max-src-conn-rate", MAXSRCCONNRATE}, | { "max-src-conn-rate", MAXSRCCONNRATE}, | ||||
{ "max-src-nodes", MAXSRCNODES}, | { "max-src-nodes", MAXSRCNODES}, | ||||
{ "max-src-states", MAXSRCSTATES}, | { "max-src-states", MAXSRCSTATES}, | ||||
{ "min-ttl", MINTTL}, | { "min-ttl", MINTTL}, | ||||
{ "modulate", MODULATE}, | { "modulate", MODULATE}, | ||||
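Review bot: The PSID range check in the new `MAPEPORTSET` alternative of `pool_opt` only bounds `$6` to 0–65535, but a PSID of `$4` bits cannot exceed `(1 << $4) - 1`, so `map-e-portset 6/8/0xffff` is accepted even though 0xffff does not fit an 8-bit PSID. Since `$4` has already been confined to 1–15 by the preceding checks, the test can be tightened to `if ($6 < 0 || $6 >= (1 << $4)) { yyerror("MAP-E PSID must be less than 2^psid-length"); YYERROR; }`. How the kernel consumes `r.rpool.mape.psid` is not visible here, so I cannot say what an oversized value does downstream, but rejecting it in pfctl keeps a loaded ruleset from carrying a port set that its own PSID length cannot describe. Separately, the message at the `$10.staticport` check in `natrule` reads "can't be used 'static-port'" and is missing a word: `" can't be used with 'static-port'"`.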