1c1
< /* $OpenBSD: parse.y,v 1.482 2005/03/07 13:20:03 henning Exp $ */
---
> /* $OpenBSD: parse.y,v 1.517 2007/02/03 23:26:40 dhartmei Exp $ */
31c31
< __FBSDID("$FreeBSD: head/contrib/pf/pfctl/parse.y 145840 2005-05-03 16:55:20Z mlaier $");
---
> __FBSDID("$FreeBSD: head/contrib/pf/pfctl/parse.y 171172 2007-07-03 12:30:03Z mlaier $");
208a209
> int rtableid;
212a214
> int rtableid;
225a228
> int rtableid;
263a267
> int disallow_urpf_failed(struct node_host *, const char *);
265,266c269,270
< int rule_consistent(struct pf_rule *);
< int filter_consistent(struct pf_rule *);
---
> int rule_consistent(struct pf_rule *, int);
> int filter_consistent(struct pf_rule *, int);
315a320
> void mv_rules(struct pf_ruleset *, struct pf_ruleset *);
334a340
> int rtableid;
376a383
> u_int8_t logif;
405c412
< %token PASS BLOCK SCRUB RETURN IN OS OUT LOG LOGALL QUICK ON FROM TO FLAGS
---
> %token PASS BLOCK SCRUB RETURN IN OS OUT LOG QUICK ON FROM TO FLAGS
409c416
< %token NOROUTE FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE
---
> %token NOROUTE URPFFAILED FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE
416,417c423,424
< %token QUEUE PRIORITY QLIMIT
< %token LOAD
---
> %token QUEUE PRIORITY QLIMIT RTABLE
> %token LOAD RULESET_OPTIMIZATION
420c427
< %token TAGGED TAG IFBOUND GRBOUND FLOATING STATEPOLICY ROUTE
---
> %token TAGGED TAG IFBOUND FLOATING STATEPOLICY ROUTE
425,428c432,435
< %type <v.number> tos not yesno natpass
< %type <v.i> no dir log af fragcache sourcetrack flush
< %type <v.i> unaryop statelock
< %type <v.b> action nataction scrubaction
---
> %type <v.number> tos not yesno
> %type <v.i> no dir af fragcache optimizer
> %type <v.i> sourcetrack flush unaryop statelock
> %type <v.b> action nataction natpass scrubaction
447c454
< %type <v.string> label string tag
---
> %type <v.string> label string tag anchorname
450c457
< %type <v.logquick> logquick
---
> %type <v.logquick> logquick quick log logopts logopt
465a473
> %type <v.rtableid> rtable
481a490
> | '{' fakeanchor '}' '\n';
484a494,519
> /*
> * apply to previouslys specified rule: must be careful to note
> * what that is: pf or nat or binat or rdr
> */
> fakeanchor : fakeanchor '\n'
> | fakeanchor anchorrule '\n'
> | fakeanchor binatrule '\n'
> | fakeanchor natrule '\n'
> | fakeanchor pfrule '\n'
> | fakeanchor error '\n'
> ;
>
> optimizer : string {
> if (!strcmp($1, "none"))
> $$ = 0;
> else if (!strcmp($1, "basic"))
> $$ = PF_OPTIMIZE_BASIC;
> else if (!strcmp($1, "profile"))
> $$ = PF_OPTIMIZE_BASIC | PF_OPTIMIZE_PROFILE;
> else {
> yyerror("unknown ruleset-optimization %s", $$);
> YYERROR;
> }
> }
> ;
>
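Review bot: In the `optimizer` error branch, `yyerror("unknown ruleset-optimization %s", $$);` passes the production's integer result (declared `<v.i>`, and not yet assigned on this path) to a `%s` conversion. That is undefined behaviour and can crash the parser on a mistyped keyword instead of reporting it. The argument should be the string token: `yyerror("unknown ruleset-optimization %s", $1);`. None of the four branches releases `$1`, so add `free($1);` before `YYERROR` and at the end of the action.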
495c530
< free ($3);
---
> free($3);
496a532,537
> | SET RULESET_OPTIMIZATION optimizer {
> if (!(pf->opts & PF_OPT_OPTIMIZE)) {
> pf->opts |= PF_OPT_OPTIMIZE;
> pf->optimize = $3;
> }
> }
545c586
< printf("set fingerprints %s\n", $3);
---
> printf("set fingerprints \"%s\"\n", $3);
550c591
< if (!pf->anchor[0]) {
---
> if (!pf->anchor->name[0]) {
570,573d610
< case PFRULE_GRBOUND:
< printf("set state-policy "
< "group-bound\n");
< break;
616c653,695
< anchorrule : ANCHOR string dir interface af proto fromto filter_opts {
---
> anchorname : STRING { $$ = $1; }
> | /* empty */ { $$ = NULL; }
> ;
>
> optnl : optnl '\n'
> |
> ;
>
> pfa_anchorlist : pfrule optnl
> | anchorrule optnl
> | pfa_anchorlist pfrule optnl
> | pfa_anchorlist anchorrule optnl
> ;
>
> pfa_anchor : '{'
> {
> char ta[PF_ANCHOR_NAME_SIZE];
> struct pf_ruleset *rs;
>
> /* steping into a brace anchor */
> pf->asd++;
> pf->bn++;
> pf->brace = 1;
>
> /* create a holding ruleset in the root */
> snprintf(ta, PF_ANCHOR_NAME_SIZE, "_%d", pf->bn);
> rs = pf_find_or_create_ruleset(ta);
> if (rs == NULL)
> err(1, "pfa_anchor: pf_find_or_create_ruleset");
> pf->astack[pf->asd] = rs->anchor;
> pf->anchor = rs->anchor;
> } '\n' pfa_anchorlist '}'
> {
> pf->alast = pf->anchor;
> pf->asd--;
> pf->anchor = pf->astack[pf->asd];
> }
> | /* empty */
> ;
>
> anchorrule : ANCHOR anchorname dir quick interface af proto fromto
> filter_opts pfa_anchor
> {
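Review bot: The first `pfa_anchor` action runs `pf->asd++` and then writes `pf->astack[pf->asd]` with no depth check, and the later `anchorrule` hunks also read `pf->astack[pf->asd + 1]`. The length of `astack` is declared outside this diff, but the nesting depth comes straight from the ruleset file, so deeply nested braces would presumably index past the array. Reject the input before the increment and leave room for the `+ 1` lookup, e.g. `if (pf->asd + 2 >= ASTACK_LEN) { yyerror("anchors nested too deeply"); YYERROR; }`, where `ASTACK_LEN` is a placeholder for the array's declared length. The `anchorrule` action opened on the last line continues outside this hunk.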
619a699,704
> if ($2)
> free($2);
> YYERROR;
> }
>
> if ($2 && ($2[0] == '_' || strstr($2, "/_") != NULL)) {
620a706,707
> yyerror("anchor names beginning with '_' "
> "are reserved for internal use");
624a712,740
> if (pf->astack[pf->asd + 1]) {
> /* move inline rules into relative location */
> pf_anchor_setup(&r,
> &pf->astack[pf->asd]->ruleset,
> $2 ? $2 : pf->alast->name);
>
> if (r.anchor == NULL)
> err(1, "anchorrule: unable to "
> "create ruleset");
>
> if (pf->alast != r.anchor) {
> if (r.anchor->match) {
> yyerror("inline anchor '%s' "
> "already exists",
> r.anchor->name);
> YYERROR;
> }
> mv_rules(&pf->alast->ruleset,
> &r.anchor->ruleset);
> }
> pf_remove_if_empty_ruleset(&pf->alast->ruleset);
> pf->alast = r.anchor;
> } else {
> if (!$2) {
> yyerror("anchors without explicit "
> "rules must specify a name");
> YYERROR;
> }
> }
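Review bot: Both `YYERROR` exits added here leave parser state behind: the "already exists" path does not free `$2`, and neither path resets `pf->astack[pf->asd + 1]`. As far as the diff shows, that slot is only cleared by the `pf->astack[pf->asd + 1] = NULL;` added after `expand_rule`, i.e. on success. If parsing continues after the error, a following anchor rule without braces could be treated as having an inline body. Consider `free($2); pf->astack[pf->asd + 1] = NULL;` before each `YYERROR`. The surrounding action starts and ends outside this hunk.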
626,627c742,745
< r.af = $5;
< r.prob = $8.prob;
---
> r.quick = $4.quick;
> r.af = $6;
> r.prob = $9.prob;
> r.rtableid = $9.rtableid;
629,630c747,748
< if ($8.match_tag)
< if (strlcpy(r.match_tagname, $8.match_tag,
---
> if ($9.match_tag)
> if (strlcpy(r.match_tagname, $9.match_tag,
636c754
< r.match_tag_not = $8.match_tag_not;
---
> r.match_tag_not = $9.match_tag_not;
638,639c756,757
< decide_address_family($7.src.host, &r.af);
< decide_address_family($7.dst.host, &r.af);
---
> decide_address_family($8.src.host, &r.af);
> decide_address_family($8.dst.host, &r.af);
641,643c759,762
< expand_rule(&r, $4, NULL, $6, $7.src_os,
< $7.src.host, $7.src.port, $7.dst.host, $7.dst.port,
< 0, 0, 0, $2);
---
> expand_rule(&r, $5, NULL, $7, $8.src_os,
> $8.src.host, $8.src.port, $8.dst.host, $8.dst.port,
> 0, 0, 0, pf->astack[pf->asd + 1] ?
> pf->alast->name : $2);
644a764
> pf->astack[pf->asd + 1] = NULL;
646c766
< | NATANCHOR string interface af proto fromto {
---
> | NATANCHOR string interface af proto fromto rtable {
656a777
> r.rtableid = $7;
666c787
< | RDRANCHOR string interface af proto fromto {
---
> | RDRANCHOR string interface af proto fromto rtable {
676a798
> r.rtableid = $7;
707c829
< | BINATANCHOR string interface af proto fromto {
---
> | BINATANCHOR string interface af proto fromto rtable {
717a840
> r.rtableid = $7;
746c869,870
< if (strlen($3) >= MAXPATHLEN) {
---
> if (strlen(pf->anchor->name) + 1 +
> strlen($3) >= MAXPATHLEN) {
755,756c879,886
< if ((loadanchor->anchorname = strdup($3)) == NULL)
< err(1, "loadrule: strdup");
---
> if ((loadanchor->anchorname = malloc(MAXPATHLEN)) ==
> NULL)
> err(1, "loadrule: malloc");
> if (pf->anchor->name[0])
> snprintf(loadanchor->anchorname, MAXPATHLEN,
> "%s/%s", pf->anchor->name, $3);
> else
> strlcpy(loadanchor->anchorname, $3, MAXPATHLEN);
788a919
> r.logif = $3.logif;
812a944
> r.rtableid = $8.rtableid;
821,822c953,955
< bzero(&scrub_opts, sizeof scrub_opts);
< }
---
> bzero(&scrub_opts, sizeof scrub_opts);
> scrub_opts.rtableid = -1;
> }
826a960
> scrub_opts.rtableid = -1;
894a1029,1040
> | RTABLE number {
> #ifdef __FreeBSD__
> yyerror("rtable id not supported in FreeBSD, yet");
> YYERROR;
> #else
> if ($2 > RT_TABLEID_MAX || $2 < 0) {
> yyerror("invalid rtable id");
> YYERROR;
> }
> scrub_opts.rtableid = $2;
> #endif
> }
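Review bot: This `RTABLE number` action is repeated verbatim in the `antispoof_opts`, `filter_opts` and `rtable` hunks, differing only in the assignment target, so a later change to the range check or the `__FreeBSD__` guard has to be made four times. A small helper that validates the id and returns it (or -1 after calling `yyerror`) would keep the four productions in step. The type of `number` is not visible in this diff; if it is unsigned, the `$2 < 0` half of the test can never fire and the upper bound is the only effective check, which deserves a short comment.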
915a1062
> r.logif = $2.logif;
919a1067
> r.rtableid = $5.rtableid;
969a1118
> r.rtableid = $5.rtableid;
1004c1153,1156
< antispoof_opts : { bzero(&antispoof_opts, sizeof antispoof_opts); }
---
> antispoof_opts : {
> bzero(&antispoof_opts, sizeof antispoof_opts);
> antispoof_opts.rtableid = -1;
> }
1008a1161
> antispoof_opts.rtableid = -1;
1023a1177,1188
> | RTABLE number {
> #ifdef __FreeBSD__
> yyerror("rtable id not supported in FreeBSD, yet");
> YYERROR;
> #else
> if ($2 > RT_TABLEID_MAX || $2 < 0) {
> yyerror("invalid rtable id");
> YYERROR;
> }
> antispoof_opts.rtableid = $2;
> #endif
> }
1109a1275,1278
> case PF_ADDR_URPFFAILED:
> yyerror("\"urpf-failed\" is not "
> "permitted inside tables");
> break;
1508a1678
> int adaptive = 0;
1533a1704
> r.logif = $3.logif;
1535a1707
> r.rtableid = $9.rtableid;
1553,1554d1724
< r.flags = $9.flags.b1;
< r.flagset = $9.flags.b2;
1557a1728,1733
> r.flags = $9.flags.b1;
> r.flagset = $9.flags.b2;
> if (($9.flags.b1 & $9.flags.b2) != $9.flags.b1) {
> yyerror("flags always false");
> YYERROR;
> }
1584a1761,1766
>
> /* 'keep state' by default on pass rules. */
> if (!r.keep_state && !r.action &&
> !($9.marker & FOM_KEEP))
> r.keep_state = PF_STATE_NORMAL;
>
1681,1682c1863,1864
< "maximum rate must be < %u",
< PF_THRESHOLD_MAX);
---
> "maximum rate must be < %u",
> PF_THRESHOLD_MAX);
1718a1901,1905
> if (o->data.timeout.number ==
> PFTM_ADAPTIVE_START ||
> o->data.timeout.number ==
> PFTM_ADAPTIVE_END)
> adaptive = 1;
1731a1919,1932
>
> /* 'flags S/SA' by default on stateful rules */
> if (!r.action && !r.flags && !r.flagset &&
> !$9.fragment && !($9.marker & FOM_FLAGS) &&
> r.keep_state) {
> r.flags = parse_flags("S");
> r.flagset = parse_flags("SA");
> }
> if (!adaptive && r.max_states) {
> r.timeout[PFTM_ADAPTIVE_START] =
> (r.max_states / 10) * 6;
> r.timeout[PFTM_ADAPTIVE_END] =
> (r.max_states / 10) * 12;
> }
1842c2043,2046
< filter_opts : { bzero(&filter_opts, sizeof filter_opts); }
---
> filter_opts : {
> bzero(&filter_opts, sizeof filter_opts);
> filter_opts.rtableid = -1;
> }
1846a2051
> filter_opts.rtableid = -1;
1949a2155,2166
> | RTABLE number {
> #ifdef __FreeBSD__
> yyerror("rtable id not supported in FreeBSD, yet");
> YYERROR;
> #else
> if ($2 > RT_TABLEID_MAX || $2 < 0) {
> yyerror("invalid rtable id");
> YYERROR;
> }
> filter_opts.rtableid = $2;
> #endif
> }
2031,2035c2248,2249
< logquick : /* empty */ { $$.log = 0; $$.quick = 0; }
< | log { $$.log = $1; $$.quick = 0; }
< | QUICK { $$.log = 0; $$.quick = 1; }
< | log QUICK { $$.log = $1; $$.quick = 1; }
< | QUICK log { $$.log = $2; $$.quick = 1; }
---
> quick : /* empty */ { $$.quick = 0; }
> | QUICK { $$.quick = 1; }
2038,2039c2252,2256
< log : LOG { $$ = 1; }
< | LOGALL { $$ = 2; }
---
> logquick : /* empty */ { $$.log = 0; $$.quick = 0; $$.logif = 0; }
> | log { $$ = $1; $$.quick = 0; }
> | QUICK { $$.quick = 1; $$.log = 0; $$.logif = 0; }
> | log QUICK { $$ = $1; $$.quick = 1; }
> | QUICK log { $$ = $2; $$.quick = 1; }
2041a2259,2298
> log : LOG { $$.log = PF_LOG; $$.logif = 0; }
> | LOG '(' logopts ')' {
> $$.log = PF_LOG | $3.log;
> $$.logif = $3.logif;
> }
> ;
>
> logopts : logopt { $$ = $1; }
> | logopts comma logopt {
> $$.log = $1.log | $3.log;
> $$.logif = $3.logif;
> if ($$.logif == 0)
> $$.logif = $1.logif;
> }
> ;
>
> logopt : ALL { $$.log = PF_LOG_ALL; $$.logif = 0; }
> | USER { $$.log = PF_LOG_SOCKET_LOOKUP; $$.logif = 0; }
> | GROUP { $$.log = PF_LOG_SOCKET_LOOKUP; $$.logif = 0; }
> | TO string {
> const char *errstr;
> u_int i;
>
> $$.log = 0;
> if (strncmp($2, "pflog", 5)) {
> yyerror("%s: should be a pflog interface", $2);
> free($2);
> YYERROR;
> }
> i = strtonum($2 + 5, 0, 255, &errstr);
> if (errstr) {
> yyerror("%s: %s", $2, errstr);
> free($2);
> YYERROR;
> }
> free($2);
> $$.logif = i;
> }
> ;
>
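Review bot: In `logopts`, a `logif` of 0 stands both for "no `to` option given" and for pflog0, so the merge `if ($$.logif == 0) $$.logif = $1.logif;` lets an earlier non-zero interface win over a later `to pflog0`, and two different `to` options are accepted without complaint. Logging to an interface other than the one the operator intended is easy to miss, so the rule needs a comment such as `/* logif 0 means "unset" as well as pflog0; the last non-zero interface wins */`. Alternatively, reject a second `to` with `yyerror`. The `strtonum` bound of 255 matches the `u_int8_t logif` field added earlier in the diff.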
2072c2329
< if ((n = ifa_exists($1, 1)) != NULL)
---
> if ((n = ifa_exists($1)) != NULL)
2185a2443,2445
> if (disallow_urpf_failed($2.host, "\"urpf-failed\" is "
> "not permitted in a destination address"))
> YYERROR;
2209,2210c2469,2470
< host_list : xhost { $$ = $1; }
< | host_list comma xhost {
---
> host_list : ipspec { $$ = $1; }
> | host_list comma ipspec {
2230c2490
< | NOROUTE {
---
> | not NOROUTE {
2235a2496
> $$->not = $1;
2237a2499,2507
> | not URPFFAILED {
> $$ = calloc(1, sizeof(struct node_host));
> if ($$ == NULL)
> err(1, "xhost: calloc");
> $$->addr.type = PF_ADDR_URPFFAILED;
> $$->next = NULL;
> $$->not = $1;
> $$->tail = $$;
> }
2438,2439d2707
< struct servent *s = NULL;
< u_long ulval;
2442,2459c2710,2712
< if (atoul($1, &ulval) == 0) {
< if (ulval > 65535) {
< free($1);
< yyerror("illegal port value %lu",
< ulval);
< YYERROR;
< }
< $$.a = htons(ulval);
< } else {
< s = getservbyname($1, "tcp");
< if (s == NULL)
< s = getservbyname($1, "udp");
< if (s == NULL) {
< yyerror("unknown port %s", $1);
< free($1);
< YYERROR;
< }
< $$.a = s->s_port;
---
> if (($$.a = getservice($1)) == -1) {
> free($1);
> YYERROR;
2461,2462c2714
< $$.b = 0;
< $$.t = 0;
---
> $$.b = $$.t = 0;
2658a2911
> | FLAGS ANY { $$.b1 = 0; $$.b2 = 0; }
2796c3049,3050
< yyerror("illegal icmp6-type %lu", ulval);
---
> yyerror("illegal icmp6-type %lu",
> ulval);
2842,2844d3095
< | GRBOUND {
< $$ = PFRULE_GRBOUND;
< }
2850c3101,3105
< keep : KEEP STATE state_opt_spec {
---
> keep : NO STATE {
> $$.action = 0;
> $$.options = NULL;
> }
> | KEEP STATE state_opt_spec {
3209,3210c3464,3471
< natpass : /* empty */ { $$ = 0; }
< | PASS { $$ = 1; }
---
> /* ifdef __FreeBSD__ */
> natpass : /* empty */ { $$.b1 = $$.b2 = 0; $$.w2 = 0; }
> | PASS { $$.b1 = 1; $$.b2 = 0; $$.w2 = 0; }
> /* else
> natpass : empty { $$.b1 = $$.b2 = 0; }
> | PASS { $$.b1 = 1; $$.b2 = 0; }
> * endif */
> | PASS log { $$.b1 = 1; $$.b2 = $2.log; $$.w2 = $2.logif; }
3214c3475,3478
< $$.b2 = $$.w = 0;
---
> if ($1 && $3.b1) {
> yyerror("\"pass\" not valid with \"no\"");
> YYERROR;
> }
3219c3483,3485
< $$.b2 = $3;
---
> $$.b2 = $3.b1;
> $$.w = $3.b2;
> $$.w2 = $3.w2;
3222c3488,3491
< $$.b2 = $$.w = 0;
---
> if ($1 && $3.b1) {
> yyerror("\"pass\" not valid with \"no\"");
> YYERROR;
> }
3227c3496,3498
< $$.b2 = $3;
---
> $$.b2 = $3.b1;
> $$.w = $3.b2;
> $$.w2 = $3.w2;
3231c3502,3503
< natrule : nataction interface af proto fromto tag tagged redirpool pool_opts
---
> natrule : nataction interface af proto fromto tag tagged rtable
> redirpool pool_opts
3241a3514,3515
> r.log = $1.w;
> r.logif = $1.w2;
3268a3543
> r.rtableid = $8;
3271c3546
< if ($8 != NULL) {
---
> if ($9 != NULL) {
3277c3552
< if ($8 == NULL || $8->host == NULL) {
---
> if ($9 == NULL || $9->host == NULL) {
3282,3283c3557,3558
< if (!r.af && ! $8->host->ifindex)
< r.af = $8->host->af;
---
> if (!r.af && ! $9->host->ifindex)
> r.af = $9->host->af;
3285,3286c3560,3561
< remove_invalid_hosts(&$8->host, &r.af);
< if (invalid_redirect($8->host, r.af))
---
> remove_invalid_hosts(&$9->host, &r.af);
> if (invalid_redirect($9->host, r.af))
3288c3563
< if (check_netmask($8->host, r.af))
---
> if (check_netmask($9->host, r.af))
3291c3566
< r.rpool.proxy_port[0] = ntohs($8->rport.a);
---
> r.rpool.proxy_port[0] = ntohs($9->rport.a);
3295c3570
< if (!$8->rport.b && $8->rport.t &&
---
> if (!$9->rport.b && $9->rport.t &&
3298c3573
< ntohs($8->rport.a) +
---
> ntohs($9->rport.a) +
3305c3580
< ntohs($8->rport.b);
---
> ntohs($9->rport.b);
3309c3584
< ntohs($8->rport.b);
---
> ntohs($9->rport.b);
3324c3599
< r.rpool.opts = $9.type;
---
> r.rpool.opts = $10.type;
3326,3328c3601,3603
< PF_POOL_NONE && ($8->host->next != NULL ||
< $8->host->addr.type == PF_ADDR_TABLE ||
< DYNIF_MULTIADDR($8->host->addr)))
---
> PF_POOL_NONE && ($9->host->next != NULL ||
> $9->host->addr.type == PF_ADDR_TABLE ||
> DYNIF_MULTIADDR($9->host->addr)))
3332c3607
< disallow_table($8->host, "tables are only "
---
> disallow_table($9->host, "tables are only "
3338c3613
< disallow_alias($8->host, "interface (%s) "
---
> disallow_alias($9->host, "interface (%s) "
3342c3617
< if ($8->host->next != NULL) {
---
> if ($9->host->next != NULL) {
3353,3354c3628,3629
< if ($9.key != NULL)
< memcpy(&r.rpool.key, $9.key,
---
> if ($10.key != NULL)
> memcpy(&r.rpool.key, $10.key,
3357,3358c3632,3633
< if ($9.opts)
< r.rpool.opts |= $9.opts;
---
> if ($10.opts)
> r.rpool.opts |= $10.opts;
3360c3635
< if ($9.staticport) {
---
> if ($10.staticport) {
3379c3654
< expand_rule(&r, $2, $8 == NULL ? NULL : $8->host, $4,
---
> expand_rule(&r, $2, $9 == NULL ? NULL : $9->host, $4,
3382c3657
< free($8);
---
> free($9);
3386,3387c3661,3662
< binatrule : no BINAT natpass interface af proto FROM host TO ipspec tag tagged
< redirection
---
> binatrule : no BINAT natpass interface af proto FROM host TO ipspec tag
> tagged rtable redirection
3393a3669,3671
> if (disallow_urpf_failed($10, "\"urpf-failed\" is not "
> "permitted as a binat destination"))
> YYERROR;
3396a3675,3678
> if ($1 && $3.b1) {
> yyerror("\"pass\" not valid with \"no\"");
> YYERROR;
> }
3401c3683,3685
< binat.natpass = $3;
---
> binat.natpass = $3.b1;
> binat.log = $3.b2;
> binat.logif = $3.w2;
3408,3409c3692,3693
< if (!binat.af && $13 != NULL && $13->host)
< binat.af = $13->host->af;
---
> if (!binat.af && $14 != NULL && $14->host)
> binat.af = $14->host->af;
3437a3722
> binat.rtableid = $13;
3451,3452c3736,3737
< if ($13 != NULL && $13->host != NULL && disallow_table(
< $13->host, "invalid use of table <%s> as the "
---
> if ($14 != NULL && $14->host != NULL && disallow_table(
> $14->host, "invalid use of table <%s> as the "
3455,3456c3740,3741
< if ($13 != NULL && $13->host != NULL && disallow_alias(
< $13->host, "invalid use of interface (%s) as the "
---
> if ($14 != NULL && $14->host != NULL && disallow_alias(
> $14->host, "invalid use of interface (%s) as the "
3495c3780
< if ($13 != NULL) {
---
> if ($14 != NULL) {
3501c3786
< if ($13 == NULL || $13->host == NULL) {
---
> if ($14 == NULL || $14->host == NULL) {
3507,3508c3792,3793
< remove_invalid_hosts(&$13->host, &binat.af);
< if (invalid_redirect($13->host, binat.af))
---
> remove_invalid_hosts(&$14->host, &binat.af);
> if (invalid_redirect($14->host, binat.af))
3510c3795
< if ($13->host->next != NULL) {
---
> if ($14->host->next != NULL) {
3515c3800
< if (check_netmask($13->host, binat.af))
---
> if (check_netmask($14->host, binat.af))
3521c3806
< &$13->host->addr.v.a.mask, binat.af)) {
---
> &$14->host->addr.v.a.mask, binat.af)) {
3531c3816
< pa->addr = $13->host->addr;
---
> pa->addr = $14->host->addr;
3536c3821
< free($13);
---
> free($14);
3550a3836,3850
> rtable : /* empty */ { $$ = -1; }
> | RTABLE number {
> #ifdef __FreeBSD__
> yyerror("rtable id not supported in FreeBSD, yet");
> YYERROR;
> #else
> if ($2 > RT_TABLEID_MAX || $2 < 0) {
> yyerror("invalid rtable id");
> YYERROR;
> }
> $$ = $2;
> #endif
> }
> ;
>
3710a4011,4021
> disallow_urpf_failed(struct node_host *h, const char *fmt)
> {
> for (; h != NULL; h = h->next)
> if (h->addr.type == PF_ADDR_URPFFAILED) {
> yyerror(fmt);
> return (1);
> }
> return (0);
> }
>
> int
3722c4033
< rule_consistent(struct pf_rule *r)
---
> rule_consistent(struct pf_rule *r, int anchor_call)
3731c4042
< problems = filter_consistent(r);
---
> problems = filter_consistent(r, anchor_call);
3750c4061
< filter_consistent(struct pf_rule *r)
---
> filter_consistent(struct pf_rule *r, int anchor_call)
3802,3806d4112
< if ((r->tagname[0] || r->match_tagname[0]) && !r->keep_state &&
< r->action == PF_PASS) {
< yyerror("tags cannot be used without keep state");
< problems++;
< }
3874c4180
< pf->anchor, &ab, pf->tticket)) {
---
> pf->anchor->name, &ab, pf->anchor->ruleset.tticket)) {
3972a4279,4281
> case PF_ADDR_URPFFAILED:
> snprintf(tmp, sizeof(tmp), "urpf-failed");
> break;
4063c4372
< snprintf(n, sizeof(n), "%u", pf->rule_nr);
---
> snprintf(n, sizeof(n), "%u", pf->anchor->match);
4490c4799
< if (rule_consistent(r) < 0 || error)
---
> if (rule_consistent(r, anchor_call[0]) < 0 || error)
4493c4802
< r->nr = pf->rule_nr++;
---
> r->nr = pf->astack[pf->asd]->match++;
4608d4916
< { "group-bound", GRBOUND},
4623d4930
< { "log-all", LOGALL},
4667a4975
> { "rtable", RTABLE},
4668a4977
> { "ruleset-optimization", RULESET_OPTIMIZATION},
4687a4997
> { "urpf-failed", URPFFAILED},
4735,4737c5045
< if (isspace(next))
< yyerror("whitespace after \\");
< ungetc(next, f);
---
> c = next;
5025c5333
< decide_address_family(struct node_host *n, sa_family_t *af)
---
> mv_rules(struct pf_ruleset *src, struct pf_ruleset *dst)
5027c5335,5336
< sa_family_t target_af = 0;
---
> int i;
> struct pf_rule *r;
5029,5034c5338,5343
< while (!*af && n != NULL) {
< if (n->af) {
< if (target_af == 0)
< target_af = n->af;
< if (target_af != n->af)
< return;
---
> for (i = 0; i < PF_RULESET_MAX; ++i) {
> while ((r = TAILQ_FIRST(src->rules[i].active.ptr))
> != NULL) {
> TAILQ_REMOVE(src->rules[i].active.ptr, r, entries);
> TAILQ_INSERT_TAIL(dst->rules[i].active.ptr, r, entries);
> dst->anchor->match++;
5036c5345,5351
< n = n->next;
---
> src->anchor->match = 0;
> while ((r = TAILQ_FIRST(src->rules[i].inactive.ptr))
> != NULL) {
> TAILQ_REMOVE(src->rules[i].inactive.ptr, r, entries);
> TAILQ_INSERT_TAIL(dst->rules[i].inactive.ptr,
> r, entries);
> }
5038,5039d5352
< if (!*af && target_af)
< *af = target_af;
5042a5356,5369
> decide_address_family(struct node_host *n, sa_family_t *af)
> {
> if (*af != 0 || n == NULL)
> return;
> *af = n->af;
> while ((n = n->next) != NULL) {
> if (n->af != *af) {
> *af = 0;
> return;
> }
> }
> }
>
> void
5180c5507
< pfctl_load_anchors(int dev, int opts, struct pfr_buffer *trans)
---
> pfctl_load_anchors(int dev, struct pfctl *pf, struct pfr_buffer *trans)
5182a5510
> FILE *fin;
5185c5513
< if (opts & PF_OPT_VERBOSE)
---
> if (pf->opts & PF_OPT_VERBOSE)
5188,5189c5516,5521
< if (pfctl_rules(dev, la->filename, opts, la->anchorname,
< trans) == -1)
---
> if ((fin = pfctl_fopen(la->filename, "r")) == NULL) {
> warn("%s", la->filename);
> continue;
> }
> if (pfctl_rules(dev, la->filename, fin, pf->opts, pf->optimize,
> la->anchorname, trans) == -1)
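Review bot: When `pfctl_fopen` fails, the new code only calls `warn` and then `continue`s, so `pfctl_load_anchors` can go on to load the remaining anchors and, as far as this hunk shows, report success with one anchor's rules missing. For a packet filter that is a partial policy load that is easy to overlook. Either fail the whole load with `return (-1);` after the `warn`, or add a comment stating that skipping unreadable files is deliberate. No `fclose(fin)` is visible here; confirm that `pfctl_rules` takes ownership of the stream on both its success and error paths. The function body continues outside this hunk.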
5195d5526
<