http://src.iws.cs.ovgu.de/source/xref/illumos-gate/usr/src/cmd/ipf/tools/ipf_y.y NOTE: Solaris 11.1 SRU 1.4 comes with a modified ipfilter, which is not compatible with the one shipped in previous releases of S11/OpenSolaris/ SolarisExpress/S10. So it is possible that it breaks your current ipf rule sets SILENTLY, i.e. without notifying you about breakage. E.g.: port lists like '( 123 http https )' are ignored (only the 1st arg gets handled), pakets generated by the ipfilter via block return-rst or block return-icmp... are now sent through the outgoing rules which usually will block them and so on. So it got IMHO severely broken and everybody should check, whether its rule sets still work as expected ... N .. decnumber H .. hexnumber (recognized by a leading '0x') S .. string LC() .. a comma separated list of the enclosed expression enclosed in braces, e.g. '(' expr ')'. If there is only one expression, the braces are optional. LCB() .. same as LC() but braces are required always. LCW() .. same as LC() but whitespace(s) are allowed as separator in addition. LCWB() .. same as LCW() but braces are required always. EOL .. End Of Line or ';' IPv6 .. IP v6 address TCPHF .. a combination of TCP header flags (see tcp.h tcphdr.th_flags) as a single dec or hexnumber (bitset) or string of chars in 'FSRPAUCW', whereby F corresponds to bit 0 set, S to bit 1 set and so on. SN .. service name or port number file: [ S '=' S ';' ]* ['set intercept_loopback' {'true'|'false'}';'] [{ inrule | outrule } EOL]* inrule: [@n] [n] { 'block' [ 'return-icmp'['-as-dest'] ['(' icmpcode ')'] |'return-rst' ] |'pass' |'log' ['body' |'first' |'or-block' |'level' [facility'.']priority]* |'count' |'auth' [ 'return-rst' ] | 'preauth' |'skip' n |'call' ['now'] S'/'N } 'in' // indented: order doesn't matter ['log' ['body' |'first' |'or-block' |'level' [facility'.']priority]* ] ['quick'] ['on' S[:N][,S[:N]]* [{'in-via'|'out-via'} S[,S]*]] ['dup-to' S [':' {host_or_ifname|IPv6}]] ['fastroute'] ['route-to' S [':' host_or_ifname|IPv6}]] ['reply-to' S [':' host_or_ifname|IPv6}]] ['tos' LCW( N|H ) ] ['ttl' LCW( N ) ] ['proto' {N | S | 'tcp/udp'}] // S == protoname { ['all'] |['from' [ [!]LCW(addr) ] [ 'port' {'='|'>='|'>'|'<='|'<'|'!='} SN |'port' SN {'<>'|'><'|':'} SN // OUT|IN|IN inc RANGE |'port' '=' LCW(SN) ] ] // if used at least one expr required ['to' [ [!]LCW(addr) ] [ 'port' {'='|'>='|'>'|'<='|'<'|'!='} SN |'port' SN {'<>'|'><'|':'} SN // OUT|IN|IN inc RANGE |'port' '=' LCW(SN) ] ] // if used at least one expr required } ['flags' [TCPHF]['/'TCPHF] ] // for proto tcp, only. If the first TCPFH // is ommited it gets replaced by 0. If // the 2nd expr is ommitted, it gets // replaced by 'FSRPAU'. At least one TCPFH // expr is required. ['icmp-type' LCW(icmptype) ['code' LCW(icmpcode|N)]] [{'and'|'with'} withopt+] ['keep' 'state' [LCWB(N|'strict'|'newisn'|'no-icmp-err'|'sync')] ] ['keep' 'frags' [LCWB('strict')] ] ['head' {S|N}] ['group' {S|N}] ['set-tag' LCB( 'nat' '=' {S|N} |'log' '=' N ) ] ['match-tag' LCB( 'nat' '=' {S|N} |'log' '=' N ) ] ['pps' N] ['age' N ['/' N]] ['{' file '}'] addr: 'pool' '/' N // N == PoolName, anonymous map doesn't work | 'hash' '/' N // N == HashPoolName, anonymous map doesn't work | ipaddr ipaddr: 'any' | { host_or_ifname | IPv6 } [ '/' mask ] mask: N['.'N['.'N['.'N]]] | H | 'broadcast' | 'network' | 'netmasked' | 'peer' // NOTE: // If 'broadcast' | 'network' | 'netmasked' | 'peer' is used, the part // in front of the slash (/) must be an interface name, which in turn // implies, that it must appear as a parameter to the 'on' or a *via clause // in the same rule as well! // If mask == 'broadcast' it gets replaced by the broadcast address/32 // assigned to the named interface. // If mask == 'peer' it gets replaced by the address/32 assigned to // the remote host for the named point to point interface. // If mask == 'network' it gets replaced by the network address/32 // associated with the named interface. // If mask == 'netmasked' it gets replaced by the network address/netmask // associated with the named interface. // No mask implies a mask of /32. 'any' is the equivalent for 0.0.0.0/0 // A match occures if (ip2check & ruleMask == ruleIp). host_or_ifname: N['.'N['.'N['.'N]]] | H | S // NOTE: // If S == '' it gets replaced by ${ uname -n; } and thus a // hostname lookup will be made for it at parse time to get its IP. // If S == interface name which also appears as a 'on' or '*via' parameter // in the same rule, it gets replaced by the first ip address of that // interface and dynamically updated, if the address of the interface // changes. If you get an error like 'load_pool:SIOCLOOKUP*NODE' you // probably hit an ipfilter bug: try to add optional clauses to the // related rule like 'from any' ... // Otherwise a normal getent hosts S will be made and the first IP address // returned by the lookup is used. If a hostname cannot be resolved, it // gets either replaced with 0/0 (which means 'any') or ipf exits with an // error depending on its position in the rule! facility: 'kern' |'user' |'mail' |'daemon' |'auth' |'syslog' |'lpr' |'news' |'uucp' |'cron' |'ftp' |'authpriv' |'audit' |'logalert' |'security' |'local'{'0'|'1'|'2'|'3'|'4'|'5'|'6'|'7'} priority: 'emerg' |'alert' |'crit' |'err' |'warn' |'notice' |'info' |'debug' icmpcode: 'cutoff-preced' |'filter-prohib' |'isolate' |'needfrag' |'net-prohib' |'net-tos' |'host-preced' |'host-prohib' |'host-tos' |'host-unk' |'host-unr' |'net-unk' |'net-unr' |'port-unr' |'proto-unr' |'srcfail' icmptype: 'echo' |'echorep' |'inforeq' |'inforep' |'maskrep' |'maskreq' |'paramprob' |'redir' |'unreach' |'routerad' |'routersol' |'squench' |'timest' |'timestrep' |'timex' withopt: ['not'] opttype | ['not'] 'opt' ipv4opt[,ipv4opt]* | 'v6hdrs' ipv6hdr[,ipv6hdr]* opttype: 'ipopts' |'short' |'nat' |'bad'['-nat'|'-src'] |'lowttl' |'frag'['-body'] |{'mb'|'b'|'m'}'cast' |'state' |'oow' ipv4opt: 'addext' |'cipso' |'dps' |'e-sec' |'eip' |'encode' |'finn' |'imitd' |'mtup' |'mtur' |'nop' |'nsapa' |['ls'|'ss']'rr' |'rtralrt' |'satid' |'sdb' |'sec' |'tr' |'ts' |'ump' |'visa' |'zsu' | 'sec-class' seclevel[,seclevel]* seclevel: 'confid' |'reserve-'{'1'|'2'|'3'|'4'} |'secret' |'topsecret' |'unclass' ipv6hdr: 'ah' |'esp' |'frag' |'dstopts' |'hopopts' |'ipv6' |'none' |'routing'