PERFORCE change 167544 for review
Tatsiana Elavaya
tsel at FreeBSD.org
Thu Aug 20 17:55:45 UTC 2009
http://perforce.freebsd.org/chv.cgi?CH=167544
Change 167544 by tsel at tsel_mz on 2009/08/20 17:54:49
Add ipfw.hll.8 man page
Simplify language by removing if/cond tokens
Fix a bug in anonymous-condition support
Fix grammar conflicts
Implement labels
Affected files ...
.. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/Makefile#5 edit
.. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/ipfw.hll.8#1 add
.. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/ipfw.hll.c#5 edit
.. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/ipfw.hll.h#5 edit
.. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/parse.y#5 edit
.. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/subr.c#4 edit
.. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/Makefile#4 edit
.. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/t_dup_name1#2 edit
.. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/t_dup_name2#2 edit
.. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/t_dup_name3#1 add
.. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/t_dup_name3.err#1 add
.. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/t_man#1 add
.. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/t_man.output#1 add
.. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test0#2 edit
.. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test1.err#3 edit
.. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test10#1 add
.. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test10.output#1 add
.. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test2#3 edit
.. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test3#2 edit
.. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test4#4 edit
.. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test5#3 edit
.. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test6#2 edit
.. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test7#3 edit
.. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test8#2 edit
.. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test9#2 edit
.. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/token.l#4 edit
.. //depot/projects/soc2009/tsel_ipfw/sbin/ipfw/Makefile#4 edit
.. //depot/projects/soc2009/tsel_ipfw/sbin/ipfw/ipfw2.c#13 edit
Differences ...
==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/Makefile#5 (text+ko) ====
@@ -1,5 +1,5 @@
PROG= ipfw.hll
-NO_MAN=
+MAN= ipfw.hll.8
SRCS= parse.y token.l ipfw.hll.c subr.c
WARNS?= 2
@@ -11,7 +11,7 @@
DPADD= ${LIBL}
LDADD= -ll
-DEBUG_FLAGS+= -g -O0 -DIPFW_HLL_DEBUG
+#DEBUG_FLAGS+= -g -O0 -DIPFW_HLL_DEBUG
.PHONY: test
test:
==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/ipfw.hll.c#5 (text+ko) ====
@@ -188,7 +188,7 @@
static void
usage(void)
{
- fprintf(stderr, "usage: ipfw.hll [-gh] [-n rulenum] [-i increment] file\n");
+ fprintf(stderr, "usage: ipfw.hll [-gh] [-n rulenum] [-i increment] [file]\n");
exit(EX_USAGE);
}
==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/ipfw.hll.h#5 (text+ko) ====
@@ -74,12 +74,19 @@
};
struct var {
- TAILQ_ENTRY(var) vars_entries;
+ TAILQ_ENTRY(var) var_entries;
char *name;
char *value;
int lineno;
};
+struct label {
+ TAILQ_ENTRY(label) label_entries;
+ char *name;
+ struct rule *rule;
+ int lineno;
+};
+
extern struct ruleset *toplevel_ruleset;
void *safe_calloc(int size);
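Review bot: The new `struct label` gives no hint who owns the `struct rule *rule` it points at; in the parse.y `label` action of this same change the rule is also inserted into its ruleset's `rules` list, so this looks like a back-reference rather than an owning pointer. A one-line comment would stop a future teardown path from freeing it twice: `struct rule *rule; /* rule carrying this label; owned by its ruleset, not by the label */`. `name` is a `strdup()` copy per the same action, so `char *name; /* heap copy, owned by the label */` would document the other pointer.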
@@ -100,4 +107,7 @@
struct var * var_alloc(void);
struct var * var_lookup(char *name);
void var_insert(struct var *var);
+struct label * label_alloc(void);
+struct label * label_lookup(char *name);
+void label_insert(struct label *label);
==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/parse.y#5 (text+ko) ====
@@ -54,21 +54,21 @@
%token<str> STR
%token<str> ACTION
+%token COLON
%token DEFINE
%token RULESET
%token SET
%token CALL
%token SEMICOLON
-%token IF
%token THEN
%token BLOCK_BEGIN
%token BLOCK_END
%type<condset> define_cond cond_body cond_list
-%type<cond> cond cond_cmd_list
-%type<ruleset> define_ruleset rule_body rule_list
-%type<rule> rule rule_tail rule_action rule_action_list
-%type<cmd> cond_cmd cond_tail
+%type<cond> cond
+%type<ruleset> define_ruleset rule_body rule_list toprule_list
+%type<rule> rule rule_action rule_action_list toprule label
+%type<cmd> cond_cmd
%type<str> id str
%type<var> define_var
@@ -77,22 +77,32 @@
%%
begin
- : define_list rule_list
+ : space body
+ ;
+
+body
+ : define_list toprule_list
{
- if ($2 == NULL)
- errx(EX_DATAERR, "%s:%d: top level ruleset is empty", yyfile, yyline);
toplevel_ruleset = $2;
}
+ | define_list
+ {
+ errx(EX_DATAERR, "%s:%d: top level ruleset is empty", yyfile, yyline);
+ }
+ ;
+
+space
+ :
+ | space SEMICOLON
;
define_list
:
- | define_list define_block
+ | define_list define_block space
;
define_block
- : SEMICOLON
- | define_var
+ : define_var
| define_cond
| define_ruleset
;
@@ -108,9 +118,9 @@
}
define_cond
- : DEFINE id cond_body SEMICOLON
+ : DEFINE id space cond_body SEMICOLON
{
- $$ = $3;
+ $$ = $4;
$$->lineno = $2.lineno;
$$->name = $2.s;
condsets_insert($$);
@@ -118,9 +128,9 @@
;
define_ruleset
- : RULESET id rule_body SEMICOLON
+ : RULESET id space rule_body SEMICOLON
{
- $$ = $3;
+ $$ = $4;
$$->lineno = $2.lineno;
$$->name = $2.s;
rulesets_insert($$);
@@ -130,78 +140,92 @@
cond_body
: BLOCK_BEGIN cond_list BLOCK_END
{ $$ = $2; }
+ | BLOCK_BEGIN BLOCK_END
+ { $$ = condset_alloc(); }
rule_body
: BLOCK_BEGIN rule_list BLOCK_END
{ $$ = $2; }
+ | BLOCK_BEGIN BLOCK_END
+ { $$ = ruleset_alloc(); }
cond_list
- :
- { $$ = NULL; }
- | cond_list cond cond_tail SEMICOLON
+ : SEMICOLON
+ {
+ $$ = condset_alloc();
+ }
+ | cond SEMICOLON
+ {
+ $$ = condset_alloc();
+ if ($1 != NULL) {
+ TAILQ_INSERT_TAIL(&$$->conds, $1, cond_entries);
+ }
+ }
+ | cond_list SEMICOLON
+ {
+ $$ = $1;
+ }
+ | cond_list cond SEMICOLON
{
+ $$ = $1;
if ($2 != NULL) {
- if ($1 == NULL)
- $1 = condset_alloc();
- if ($3 != NULL) {
- TAILQ_INSERT_TAIL(&$2->cmds, $3, cmd_entries);
- }
TAILQ_INSERT_TAIL(&$1->conds, $2, cond_entries);
}
- $$ = $1;
}
;
-rule_list
- :
- { $$ = NULL; }
- | rule_list rule SEMICOLON
+toprule_list
+ : toprule
{
- if ($2 != NULL) {
- if ($1 == NULL)
- $1 = ruleset_alloc();
- TAILQ_INSERT_TAIL(&$1->rules, $2, rule_entries);
+ $$ = ruleset_alloc();
+ if ($1 != NULL) {
+ $$->lineno = $1->lineno;
+ TAILQ_INSERT_TAIL(&$$->rules, $1, rule_entries);
}
- $$ = $1;
+ }
+ | toprule_list toprule
+ {
+ if ($2 != NULL)
+ TAILQ_INSERT_TAIL(&$$->rules, $2, rule_entries);
}
- ;
-cond
- :
- { $$ = NULL; }
- | IF cond_cmd_list
- { $$ = $2; }
- ;
+toprule
+ : label
+ { $$ = $1; }
+ | rule
+ { $$ = $1; }
-cond_tail
- :
- { $$ = NULL; }
- | cond_body
- {
- $$ = cmd_alloc();
- $$->cmd_condset = $1;
+rule_list
+ : rule
+ {
+ $$ = ruleset_alloc();
+ if ($1 != NULL) {
+ TAILQ_INSERT_TAIL(&$$->rules, $1, rule_entries);
+ }
+ }
+ | rule_list rule
+ {
+ $$ = $1;
+ if ($2 != NULL) {
+ TAILQ_INSERT_TAIL(&$$->rules, $2, rule_entries);
+ }
}
;
rule
- :
+ : SEMICOLON
{ $$ = NULL; }
- | rule_action
- { $$ = $1; }
- | cond THEN rule_tail
+ | THEN space rule_action SEMICOLON
+ { $$ = $3; }
+ | cond SEMICOLON
{
- $$ = $3;
- $$->cond = $1;
+ $$ = NULL;
+ yyerror("rule action is not specified");
}
- ;
-
-rule_tail
- : rule_action
- { $$ = $1; }
- | rule_body
+ | cond THEN space rule_action SEMICOLON
{
- $$ = rule_alloc();
- $$->action_ruleset = $1;
+ $$ = $4;
+ $$->cond = $1;
}
;
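Review bot: The `cond SEMICOLON` alternative of `rule` reports the missing action through `yyerror()` and then yields `$$ = NULL`, which `rule_list` and `toprule_list` silently skip — so unless the driver outside this diff counts `yyerror()` calls, a rule that lost its action is dropped from the generated ruleset while the compile still succeeds, a fail-open outcome for a firewall compiler. A direct `yyerror()` call does not make `yyparse()` return 1 the way a real syntax error does. Follow the message with `YYABORT;` (so the caller sees the same failure it sees for a syntax error, assuming it checks the return value) or simply `exit(EX_DATAERR);`; either keeps the stderr text that test1.err now expects while making the error fatal. Separately, the `toprule_list toprule` action inserts into `$$` without first assigning `$$ = $1` as the parallel `rule_list rule` action does; it works only through the generated parser's default `$$ = $1`, so making it explicit would be clearer.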
@@ -218,6 +242,11 @@
{
$$ = $1;
}
+ | rule_body
+ {
+ $$ = rule_alloc();
+ $$->action_ruleset = $1;
+ }
;
rule_action_list
@@ -254,16 +283,41 @@
}
;
-cond_cmd_list
- : { $$ = NULL; }
- | cond_cmd_list cond_cmd
+label
+ : id COLON SEMICOLON
+ {
+ struct label *label;
+ struct cmd *cmd;
+ char **p;
+ char *cmds[] = {
+ "alias", $1.s,
+ "count", "all", "from", "any", "to", "any", NULL
+ };
+
+ $$ = rule_alloc();
+ $$->lineno = $1.lineno;
+ for (p = cmds; *p != NULL; p++) {
+ cmd = cmd_alloc();
+ cmd->cmd = strdup(*p);
+ TAILQ_INSERT_TAIL(&$$->actions, cmd, cmd_entries);
+ }
+ label = label_alloc();
+ label->lineno = $1.lineno;
+ label->rule = $$;
+ label->name = strdup($1.s);
+ label_insert(label);
+ }
+
+cond
+ : cond_cmd
+ {
+ $$ = cond_alloc();
+ TAILQ_INSERT_TAIL(&$$->cmds, $1, cmd_entries);
+ }
+ | cond cond_cmd
{
- if ($1 == NULL) {
- $1 = cond_alloc();
- }
-
- TAILQ_INSERT_TAIL(&$1->cmds, $2, cmd_entries);
$$ = $1;
+ TAILQ_INSERT_TAIL(&$$->cmds, $2, cmd_entries);
}
;
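Review bot: Both `cmd->cmd = strdup(*p)` and `label->name = strdup($1.s)` in the `label` action leave a `strdup()` failure unchecked, so a NULL would later reach `strcmp()` in `label_lookup()` or the command emitter; the rest of the file goes through `safe_calloc()` for exactly this reason. Check them in the same spirit, e.g. `if ((cmd->cmd = strdup(*p)) == NULL) err(EX_OSERR, "strdup");` and likewise for `label->name`, or add a `safe_strdup()` next to `safe_calloc()`. A short comment on the `cmds[]` table saying why a label becomes an `alias <name> count all from any to any` rule (presumably a filtering no-op that only exists to carry the alias as a target) would also help, since nothing in the action explains it.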
@@ -278,9 +332,11 @@
}
| cond_body
{
- $$ = cmd_alloc();
- $$->lineno = $1->lineno;
- $$->cmd_condset = $1;
+ if ($1 != NULL) {
+ $$ = cmd_alloc();
+ $$->lineno = $1->lineno;
+ $$->cmd_condset = $1;
+ }
}
| str
{
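Review bot: The new `if ($1 != NULL)` guard around the `cond_body` alternative of `cond_cmd` leaves `$$` unassigned on its else path, where it falls back to the generated parser's default `$$ = $1` — a `<condset>` union member read back as `<cmd>` — and the `cond` productions earlier in this change insert the result into `cmds` without a NULL check. As far as this diff shows the guard is also dead: both `cond_body` alternatives allocate (`$2` from `cond_list`, or `condset_alloc()`). Either drop the guard, or if it is meant to be defensive, make it explicit with `else $$ = NULL;` and teach `cond` to skip a NULL `cond_cmd`.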
@@ -335,10 +391,19 @@
void yyerror(char *s)
{
- if (yytext)
- warnx("%s:%d: '%s': %s", yyfile, yyline, yytext, s);
+int line;
+char *text;
+
+ line = yyline;
+ text = yytext;
+ if (yytext && yytext[0] == '\n' && yytext[1] == '\0') {
+ line--;
+ text = NULL;
+ }
+ if (text)
+ warnx("%s:%d: '%s': %s", yyfile, line, text, s);
else
- warnx("%s:%d: %s", yyfile, yyline, s);
+ warnx("%s:%d: %s", yyfile, line, s);
}
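Review bot: Style: the new locals `int line;` and `char *text;` sit at column 0 inside `yyerror()`, unlike every other local in this diff, and `s` could be `const char *s` since it is only passed to `warnx()`. The newline special case deserves a comment, e.g. `/* a bare "\n" token presumably means the lexer already advanced yyline past the offending line; report the previous line and omit the token text */`, since the `line--` is otherwise surprising to a reader.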
==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/subr.c#4 (text+ko) ====
@@ -12,6 +12,7 @@
static TAILQ_HEAD(, ruleset) rulesets = TAILQ_HEAD_INITIALIZER(rulesets);
static TAILQ_HEAD(, condset) condsets = TAILQ_HEAD_INITIALIZER(condsets);
static TAILQ_HEAD(, var) vars = TAILQ_HEAD_INITIALIZER(vars);
+static TAILQ_HEAD(, label) labels = TAILQ_HEAD_INITIALIZER(labels);
void *safe_calloc(int size)
{
@@ -220,7 +221,7 @@
{
struct var *r;
- TAILQ_FOREACH(r, &vars, vars_entries) {
+ TAILQ_FOREACH(r, &vars, var_entries) {
if (strcmp(r->name, name) == 0)
return (r);
}
@@ -236,6 +237,39 @@
if (dup != NULL)
errx(EX_DATAERR, "%s:%d: variable '%s' is already defined at line %d",
yyfile, var->lineno, var->name, dup->lineno);
- TAILQ_INSERT_TAIL(&vars, var, vars_entries);
+ TAILQ_INSERT_TAIL(&vars, var, var_entries);
+}
+
+struct label *
+label_alloc(void)
+{
+ struct label *r;
+
+ r = safe_calloc(sizeof(struct label));
+ return (r);
+}
+
+struct label *
+label_lookup(char *name)
+{
+ struct label *r;
+
+ TAILQ_FOREACH(r, &labels, label_entries) {
+ if (strcmp(r->name, name) == 0)
+ return (r);
+ }
+ return (NULL);
+}
+
+void
+label_insert(struct label *label)
+{
+ struct label *dup;
+
+ dup = label_lookup(label->name);
+ if (dup != NULL)
+ errx(EX_DATAERR, "%s:%d: label '%s' is already defined at line %d",
+ yyfile, label->lineno, label->name, dup->lineno);
+ TAILQ_INSERT_TAIL(&labels, label, label_entries);
}
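Review bot: `label_lookup(char *name)` only reads `name` through `strcmp()`, so it should take `const char *name` (with the prototype in ipfw.hll.h changed to match), which also lets callers pass literals or `const` data without a cast; the existing `var_lookup()` it mirrors has the same issue. `label_insert()` correctly fails closed on a duplicate via `errx()`, which is the right behaviour for a firewall compiler. Minor: `r = safe_calloc(sizeof *r);` ties the size to the variable rather than repeating the type name.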
==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/Makefile#4 (text+ko) ====
@@ -1,5 +1,6 @@
-TESTS+= test0 test1 test2 test3 test4 test5 test6 test7 test8 test9
-TESTS+= t_dup_name1 t_dup_name2
+TESTS+= test0 test1 test2 test3 test4 test5 test6 test7 test8 test9 test10
+TESTS+= t_dup_name1 t_dup_name2 t_dup_name3
+TESTS+= t_man
all: test
==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/t_dup_name1#2 (text+ko) ====
@@ -1,16 +1,16 @@
define q {
- cond q11 q12
- cond q21 q22
+ q11 q12
+ q21 q22
}
define q {
- cond w11 w12
- cond w21 w22
+ w11 w12
+ w21 w22
}
define q {
- cond w11 w12
- cond w21 w22
+ w11 w12
+ w21 w22
}
-cond c1 c2 @q => allow
+c1 c2 @q => allow
==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/t_dup_name2#2 (text+ko) ====
@@ -1,10 +1,10 @@
define q {
- cond q11 q12
- cond q21 q22
+ q11 q12
+ q21 q22
}
ruleset q {
- allow
+ => allow
}
-cond c1 c2 @q => allow
+c1 c2 @q => allow
==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test0#2 (text+ko) ====
@@ -1,7 +1,7 @@
# comment
# comment 2
- cond c1 c2 => allow # comment
+ c1 c2 => allow # comment
-cond c3 c4 => deny
+c3 c4 => deny
==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test1.err#3 (text+ko) ====
@@ -1,1 +1,1 @@
-ipfw.hll: <stdin>:1: 'error': syntax error
+ipfw.hll: <stdin>:1: rule action is not specified
==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test2#3 (text+ko) ====
@@ -1,9 +1,9 @@
# sdfsdf
define c1 {
- cond q1 q2
+ q1 q2;
};
ruleset r1 {
- if c1 then drop
+ @c1 => drop;
};
==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test3#2 (text+ko) ====
@@ -6,7 +6,7 @@
X = "nested bb ${var_a} cc ${var_a} nested"
-cond ${var_a} c1 c2 => allow
-cond c3 ${VAR2} c4 => allow
-cond c5 c6 ${X} => allow
+${var_a} c1 c2 => allow
+c3 ${VAR2} c4 => allow
+c5 c6 ${X} => allow
==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test4#4 (text+ko) ====
@@ -1,15 +1,15 @@
define q {
- cond q11 q12
- cond q21 q22
+ q11 q12
+ q21 q22
}
define w {
- cond w11 w12
- cond w21 w22
+ w11 w12
+ w21 w22
}
-cond c1 c2 @q => allow
-cond c3 @q c4 => allow
-cond c1 c2 c3 c4 @w => allow
-cond c3 @w @q c4 => allow
-cond @w c5 c6 @q => allow
+c1 c2 @q => allow
+c3 @q c4 => allow
+c1 c2 c3 c4 @w => allow
+c3 @w @q c4 => allow
+ at w c5 c6 @q => allow
==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test5#3 (text+ko) ====
@@ -1,22 +1,22 @@
ruleset r2 {
- cond r2-c1 => allow
- cond r2-c2 => deny
+ r2-c1 => allow
+ r2-c2 => deny
}
ruleset r1 {
- cond r1-c1 => allow
- cond r1-c2 => @r2
- cond r1-c3 => @r2
+ r1-c1 => allow
+ r1-c2 => @r2
+ r1-c3 => @r2
}
ruleset r0 {
- if c1 => {
- if c1-1 c1-2 then allow
- deny
+ c1 => {
+ c1-1 c1-2 => allow
+ => deny
}
- if c2 then deny
- if c3 => @r1
+ c2 => deny
+ c3 => @r1
}
- at r0
+=> @r0
==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test6#2 (text+ko) ====
@@ -1,16 +1,16 @@
define e {
- cond e11 e12
- cond e21 e22
+ e11 e12
+ e21 e22
}
define w {
- cond w11 @e w12
- cond @e w21 w22
+ w11 @e w12
+ @e w21 w22
}
define q {
- cond @w q11 q12
- cond q21 q22 @w
+ @w q11 q12
+ q21 q22 @w
}
-cond c1 @q c2 => allow
+c1 @q c2 => allow
==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test7#3 (text+ko) ====
@@ -1,34 +1,40 @@
# set of predicates = set of ipfw options containing no actions (allow, deny, ...)
-define predicate_1 {
- cond src-ip 1.2.3.4 dsp-ip 1.2.3.0/24
- cond src-ip 6.7.8.9 dst-ip 6.7.8.0/24
+define predicate_1
+{
+ src-ip 1.2.3.4 dsp-ip 1.2.3.0/24
+ src-ip 6.7.8.9 dst-ip 6.7.8.0/24
}
-define predicate_2 {
- cond proto tcp
- cond proto udp
+define predicate_2
+{
+ proto tcp
+ proto udp
}
-define predicate_3 {
- cond via bridge1
- cond via bridge2
+define predicate_3
+{
+ via bridge1
+ via bridge2
}
-define predicate_4_nested {
- cond @predicate_1 @predicate_2
- cond @predicate_3 tagged 1010
+define predicate_4_nested
+{
+ @predicate_1 @predicate_2
+ @predicate_3 tagged 1010
}
# ruleset = set of ipfw rules
# rule is just like generic ipfw rule but can contain predicates
-ruleset ruleset_1 {
- if @predicate_1 => {
- if proto tcp then allow
- deny
+ruleset ruleset_1
+{
+ @predicate_1 =>
+ {
+ proto tcp => allow
+ => deny
}
- if proto udp then deny
+ proto udp => deny
}
# unnamed = default ruleset
-if @predicate_1 @predicate_2 @predicate_3 then allow
-if @predicate_3 then @ruleset_1
+ at predicate_1 @predicate_2 @predicate_3 => allow
+ at predicate_3 => @ruleset_1
==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test8#2 (text+ko) ====
@@ -1,1 +1,1 @@
-if c1 c2 c3 { cond w1; cond w2 } => allow
+c1 c2 c3 { w1; w2 } => allow
==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test9#2 (text+ko) ====
@@ -7,65 +7,65 @@
# RFC1918 nets
define private_nets {
- cond 10.0.0.0/8
- cond 172.16.0.0/12
- cond 192.168.0.0/16
+ 10.0.0.0/8
+ 172.16.0.0/12
+ 192.168.0.0/16
}
define reserved_nets {
- cond 0.0.0.0/8
- cond 169.254.0.0/16
- cond 192.0.2.0/24
- cond 224.0.0.0/4
- cond 240.0.0.0/4
+ 0.0.0.0/8
+ 169.254.0.0/16
+ 192.0.2.0/24
+ 224.0.0.0/4
+ 240.0.0.0/4
}
define spoofed {
- cond src-ip ${inet} in via ${oif}
- cond src-ip ${onet} in via ${iif}
+ src-ip ${inet} in via ${oif}
+ src-ip ${onet} in via ${iif}
}
# Stop spoofing
-if @spoofed => deny
+ at spoofed => deny
# Stop RFC1918 nets on the outside interface
-if dst-ip @private_nets via ${oif} => deny
+dst-ip @private_nets via ${oif} => deny
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
-if dst-ip @reserved_nets via ${oif} => deny
+dst-ip @reserved_nets via ${oif} => deny
# Stop RFC1918 nets on the outside interface
-if src-ip @private_nets via ${oif} => deny
+src-ip @private_nets via ${oif} => deny
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
-if src-ip @reserved_nets via ${oif} => deny
+src-ip @reserved_nets via ${oif} => deny
# Allow TCP through if setup succeeded
-if tcp from any to any established => allow
+tcp from any to any established => allow
# Allow IP fragments to pass through
-if all from any to any frag => pass
+all from any to any frag => pass
# Allow setup of incoming email, www, dns
-if proto tcp dst-ip me setup dst-port { cond 25; cond 80; cond 53; } => allow
+proto tcp dst-ip me setup dst-port { 25; 80; 53; } => allow
# Allow access to our DNS
-if proto tcp dst-ip me dst-port 53 setup => allow
-if proto udp dst-ip me => {
- cond src-port 53 => allow
- cond dst-port 53 => allow
+proto tcp dst-ip me dst-port 53 setup => allow
+proto udp dst-ip me => {
+ src-port 53 => allow
+ dst-port 53 => allow
}
# Reject&Log all setup of incoming connections from the outside
-if log proto tcp in via ${oif} setup => deny
+log proto tcp in via ${oif} setup => deny
# Allow setup of any other TCP connection
-if proto tcp setup => allow
+proto tcp setup => allow
# Allow DNS queries out in the world
-if proto udp src-ip me keep-state dst-port { cond 53; cond 123; } => allow
+proto udp src-ip me keep-state dst-port { 53; 123; } => allow
==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/token.l#4 (text+ko) ====
@@ -81,10 +81,9 @@
[ \t]+ ;
";" { return SEMICOLON; }
+":" { return COLON; }
"@" { return CALL; }
"=" { return SET; }
-"if" { return IF; }
-"cond" { return IF; }
"then" { return THEN; }
">>" { return THEN; }
"=>" { return THEN; }
==== //depot/projects/soc2009/tsel_ipfw/sbin/ipfw/Makefile#4 (text+ko) ====
@@ -5,6 +5,6 @@
WARNS?= 2
LDADD= -lutil
MAN= ipfw.8
-DEBUG_FLAGS+= -g
+DEBUG_FLAGS+= -g -I${.CURDIR}/../../sys
.include <bsd.prog.mk>
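Review bot: `-I${.CURDIR}/../../sys` is appended to `DEBUG_FLAGS`, so the kernel-tree include path is only on the compiler command line when a debug build is requested; a normal build resolves the same headers from `/usr/include` (or fails to find new ones), and the two builds can silently disagree on struct layouts behind the sysctl interface ipfw2.c now uses. If the in-tree header is genuinely needed, put it in `CFLAGS+= -I${.CURDIR}/../../sys` so every build sees it, and say in a comment which header is needed and why.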
==== //depot/projects/soc2009/tsel_ipfw/sbin/ipfw/ipfw2.c#13 (text+ko) ====
@@ -2250,11 +2250,12 @@
optimization_filter_groups(struct insn_match_group_head *head)
{
struct insn_match_group *g, *g_tmp;
+ size_t sz;
int labels_max, group_count;
- group_count = sizeof(labels_max);
+ sz = sizeof(labels_max);
if (sysctlbyname("net.inet.ip.fw.optimization_buf_max", &labels_max,
- &group_count, NULL, 0) == -1) {
+ &sz, NULL, 0) == -1) {
errx(EX_DATAERR, "optimization not supported");
}
labels_max *= 8 / 2; /* 2 bits long per label. */
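Review bot: Passing a `size_t` for the sysctl length is the right fix, but the error path still reports every failure as `optimization not supported` via `errx()`, which hides the actual `errno` (an `ENOENT` from a kernel without the sysctl reads the same as `EPERM` or `ENOMEM`); `err(EX_OSERR, "sysctl net.inet.ip.fw.optimization_buf_max")` would keep the context and show the reason. `group_count` is still declared after its only visible assignment was removed; if nothing later in the function uses it, this will warn under `WARNS?= 2`. The `labels_max *= 8 / 2` line would read better as `labels_max *= CHAR_BIT / 2; /* 2 bits per label */` so the bytes-to-labels conversion is self-explanatory. The function continues past the end of the hunk.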