Head

GCC Code Coverage Report
Directory:	./		Exec	Total	Coverage
File:	sbin/ipsecctl/parse.c	Lines:	0	415	0.0 %
Date:	2017-11-13	Branches:	0	335	0.0 %

#include <stdlib.h>
#include <string.h>
#define YYBYACC 1
#define YYMAJOR 1
#define YYMINOR 9
#define YYLEX yylex()
#define YYEMPTY -1
#define yyclearin (yychar=(YYEMPTY))
#define yyerrok (yyerrflag=0)
#define YYRECOVERING() (yyerrflag!=0)
#define YYPREFIX "yy"
#line 24 "parse.y"
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/queue.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netinet/ip_ipsp.h>
#include <arpa/inet.h>

#include <ctype.h>
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <ifaddrs.h>
#include <limits.h>
#include <netdb.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <netdb.h>

#include "ipsecctl.h"

TAILQ_HEAD(files, file)		 files = TAILQ_HEAD_INITIALIZER(files);
static struct file {
	TAILQ_ENTRY(file)	 entry;
	FILE			*stream;
	char			*name;
	int			 lineno;
	int			 errors;
} *file;
struct file	*pushfile(const char *, int);
int		 popfile(void);
int		 check_file_secrecy(int, const char *);
int		 yyparse(void);
int		 yylex(void);
int		 yyerror(const char *, ...)
    __attribute__((__format__ (printf, 1, 2)))
    __attribute__((__nonnull__ (1)));
int		 yywarn(const char *, ...)
    __attribute__((__format__ (printf, 1, 2)))
    __attribute__((__nonnull__ (1)));
int		 kw_cmp(const void *, const void *);
int		 lookup(char *);
int		 lgetc(int);
int		 lungetc(int);
int		 findeol(void);

TAILQ_HEAD(symhead, sym)	 symhead = TAILQ_HEAD_INITIALIZER(symhead);
struct sym {
	TAILQ_ENTRY(sym)	 entry;
	int			 used;
	int			 persist;
	char			*nam;
	char			*val;
};
int		 symset(const char *, const char *, int);
char		*symget(const char *);
int		 cmdline_symset(char *);

#define KEYSIZE_LIMIT	1024

static struct ipsecctl	*ipsec = NULL;
static int		 debug = 0;

const struct ipsec_xf authxfs[] = {
	{ "unknown",		AUTHXF_UNKNOWN,		0,	0 },
	{ "none",		AUTHXF_NONE,		0,	0 },
	{ "hmac-md5",		AUTHXF_HMAC_MD5,	16,	0 },
	{ "hmac-ripemd160",	AUTHXF_HMAC_RIPEMD160,	20,	0 },
	{ "hmac-sha1",		AUTHXF_HMAC_SHA1,	20,	0 },
	{ "hmac-sha2-256",	AUTHXF_HMAC_SHA2_256,	32,	0 },
	{ "hmac-sha2-384",	AUTHXF_HMAC_SHA2_384,	48,	0 },
	{ "hmac-sha2-512",	AUTHXF_HMAC_SHA2_512,	64,	0 },
	{ NULL,			0,			0,	0 },
};

const struct ipsec_xf encxfs[] = {
	{ "unknown",		ENCXF_UNKNOWN,		0,	0,	0, 0 },
	{ "none",		ENCXF_NONE,		0,	0,	0, 0 },
	{ "3des-cbc",		ENCXF_3DES_CBC,		24,	24,	0, 0 },
	{ "aes",		ENCXF_AES,		16,	32,	0, 0 },
	{ "aes-128",		ENCXF_AES_128,		16,	16,	0, 0 },
	{ "aes-192",		ENCXF_AES_192,		24,	24,	0, 0 },
	{ "aes-256",		ENCXF_AES_256,		32,	32,	0, 0 },
	{ "aesctr",		ENCXF_AESCTR,		16+4,	32+4,	0, 1 },
	{ "aes-128-ctr",	ENCXF_AES_128_CTR,	16+4,	16+4,	0, 1 },
	{ "aes-192-ctr",	ENCXF_AES_192_CTR,	24+4,	24+4,	0, 1 },
	{ "aes-256-ctr",	ENCXF_AES_256_CTR,	32+4,	32+4,	0, 1 },
	{ "aes-128-gcm",	ENCXF_AES_128_GCM,	16+4,	16+4,	1, 1 },
	{ "aes-192-gcm",	ENCXF_AES_192_GCM,	24+4,	24+4,	1, 1 },
	{ "aes-256-gcm",	ENCXF_AES_256_GCM,	32+4,	32+4,	1, 1 },
	{ "aes-128-gmac",	ENCXF_AES_128_GMAC,	16+4,	16+4,	1, 1 },
	{ "aes-192-gmac",	ENCXF_AES_192_GMAC,	24+4,	24+4,	1, 1 },
	{ "aes-256-gmac",	ENCXF_AES_256_GMAC,	32+4,	32+4,	1, 1 },
	{ "blowfish",		ENCXF_BLOWFISH,		5,	56,	0, 0 },
	{ "cast128",		ENCXF_CAST128,		5,	16,	0, 0 },
	{ "chacha20-poly1305",	ENCXF_CHACHA20_POLY1305, 32+4,	32+4,	1, 1 },
	{ "null",		ENCXF_NULL,		0,	0,	0, 0 },
	{ NULL,			0,			0,	0,	0, 0 },
};

const struct ipsec_xf compxfs[] = {
	{ "unknown",		COMPXF_UNKNOWN,		0,	0 },
	{ "deflate",		COMPXF_DEFLATE,		0,	0 },
	{ "lzs",		COMPXF_LZS,		0,	0 },
	{ NULL,			0,			0,	0 },
};

const struct ipsec_xf groupxfs[] = {
	{ "unknown",		GROUPXF_UNKNOWN,	0,	0 },
	{ "none",		GROUPXF_NONE,		0,	0 },
	{ "modp768",		GROUPXF_1,		768,	0 },
	{ "grp1",		GROUPXF_1,		768,	0 },
	{ "modp1024",		GROUPXF_2,		1024,	0 },
	{ "grp2",		GROUPXF_2,		1024,	0 },
	{ "modp1536",		GROUPXF_5,		1536,	0 },
	{ "grp5",		GROUPXF_5,		1536,	0 },
	{ "modp2048",		GROUPXF_14,		2048,	0 },
	{ "grp14",		GROUPXF_14,		2048,	0 },
	{ "modp3072",		GROUPXF_15,		3072,	0 },
	{ "grp15",		GROUPXF_15,		3072,	0 },
	{ "modp4096",		GROUPXF_16,		4096,	0 },
	{ "grp16",		GROUPXF_16,		4096,	0 },
	{ "modp6144",		GROUPXF_17,		6144,	0 },
	{ "grp17",		GROUPXF_17,		6144,	0 },
	{ "modp8192",		GROUPXF_18,		8192,	0 },
	{ "grp18",		GROUPXF_18,		8192,	0 },
	{ "ecp256",		GROUPXF_19,		256,	0 },
	{ "grp19",		GROUPXF_19,		256,	0 },
	{ "ecp384",		GROUPXF_20,		384,	0 },
	{ "grp20",		GROUPXF_20,		384,	0 },
	{ "ecp521",		GROUPXF_21,		521,	0 },
	{ "grp21",		GROUPXF_21,		521,	0 },
	{ "ecp192",		GROUPXF_25,		192,	0 },
	{ "grp25",		GROUPXF_25,		192,	0 },
	{ "ecp224",		GROUPXF_26,		224,	0 },
	{ "grp26",		GROUPXF_26,		224,	0 },
	{ "bp224",		GROUPXF_27,		224,	0 },
	{ "grp27",		GROUPXF_27,		224,	0 },
	{ "bp256",		GROUPXF_28,		256,	0 },
	{ "grp28",		GROUPXF_28,		256,	0 },
	{ "bp384",		GROUPXF_29,		384,	0 },
	{ "grp29",		GROUPXF_29,		384,	0 },
	{ "bp512",		GROUPXF_30,		512,	0 },
	{ "grp30",		GROUPXF_30,		512,	0 },
	{ NULL,			0,			0,	0 },
};

int			 atoul(char *, u_long *);
int			 atospi(char *, u_int32_t *);
u_int8_t		 x2i(unsigned char *);
struct ipsec_key	*parsekey(unsigned char *, size_t);
struct ipsec_key	*parsekeyfile(char *);
struct ipsec_addr_wrap	*host(const char *);
struct ipsec_addr_wrap	*host_v6(const char *, int);
struct ipsec_addr_wrap	*host_v4(const char *, int);
struct ipsec_addr_wrap	*host_dns(const char *, int);
struct ipsec_addr_wrap	*host_if(const char *, int);
struct ipsec_addr_wrap	*host_any(void);
void			 ifa_load(void);
int			 ifa_exists(const char *);
struct ipsec_addr_wrap	*ifa_lookup(const char *ifa_name);
struct ipsec_addr_wrap	*ifa_grouplookup(const char *);
void			 set_ipmask(struct ipsec_addr_wrap *, u_int8_t);
const struct ipsec_xf	*parse_xf(const char *, const struct ipsec_xf *);
struct ipsec_lifetime	*parse_life(const char *);
struct ipsec_transforms *copytransforms(const struct ipsec_transforms *);
struct ipsec_lifetime	*copylife(const struct ipsec_lifetime *);
struct ipsec_auth	*copyipsecauth(const struct ipsec_auth *);
struct ike_auth		*copyikeauth(const struct ike_auth *);
struct ipsec_key	*copykey(struct ipsec_key *);
struct ipsec_addr_wrap	*copyhost(const struct ipsec_addr_wrap *);
char			*copytag(const char *);
struct ipsec_rule	*copyrule(struct ipsec_rule *);
int			 validate_af(struct ipsec_addr_wrap *,
			     struct ipsec_addr_wrap *);
int			 validate_sa(u_int32_t, u_int8_t,
			     struct ipsec_transforms *, struct ipsec_key *,
			     struct ipsec_key *, u_int8_t);
struct ipsec_rule	*create_sa(u_int8_t, u_int8_t, struct ipsec_hosts *,
			     u_int32_t, struct ipsec_transforms *,
			     struct ipsec_key *, struct ipsec_key *);
struct ipsec_rule	*reverse_sa(struct ipsec_rule *, u_int32_t,
			     struct ipsec_key *, struct ipsec_key *);
struct ipsec_rule	*create_sabundle(struct ipsec_addr_wrap *, u_int8_t,
			     u_int32_t, struct ipsec_addr_wrap *, u_int8_t,
			     u_int32_t);
struct ipsec_rule	*create_flow(u_int8_t, u_int8_t, struct ipsec_hosts *,
			     u_int8_t, char *, char *, u_int8_t);
int			 set_rule_peers(struct ipsec_rule *r,
			     struct ipsec_hosts *peers);
void			 expand_any(struct ipsec_addr_wrap *);
int			 expand_rule(struct ipsec_rule *, struct ipsec_hosts *,
			     u_int8_t, u_int32_t, struct ipsec_key *,
			     struct ipsec_key *, char *);
struct ipsec_rule	*reverse_rule(struct ipsec_rule *);
struct ipsec_rule	*create_ike(u_int8_t, struct ipsec_hosts *,
			     struct ike_mode *, struct ike_mode *, u_int8_t,
			     u_int8_t, u_int8_t, char *, char *,
			     struct ike_auth *, char *);
int			 add_sabundle(struct ipsec_rule *, char *);
int			 get_id_type(char *);

struct ipsec_transforms *ipsec_transforms;

typedef struct {
	union {
		int64_t	 	 number;
		u_int8_t	 ikemode;
		u_int8_t	 dir;
		u_int8_t	 satype;	/* encapsulating prococol */
		u_int8_t	 proto;		/* encapsulated protocol */
		u_int8_t	 tmode;
		char		*string;
		u_int16_t	 port;
		struct ipsec_hosts hosts;
		struct ipsec_hosts peers;
		struct ipsec_addr_wrap *anyhost;
		struct ipsec_addr_wrap *singlehost;
		struct ipsec_addr_wrap *host;
		struct {
			char *srcid;
			char *dstid;
		} ids;
		char		*id;
		u_int8_t	 type;
		struct ike_auth	 ikeauth;
		struct {
			u_int32_t	spiout;
			u_int32_t	spiin;
		} spis;
		struct {
			struct ipsec_key *keyout;
			struct ipsec_key *keyin;
		} authkeys;
		struct {
			struct ipsec_key *keyout;
			struct ipsec_key *keyin;
		} enckeys;
		struct {
			struct ipsec_key *keyout;
			struct ipsec_key *keyin;
		} keys;
		struct ipsec_transforms *transforms;
		struct ipsec_lifetime	*life;
		struct ike_mode		*mode;
	} v;
	int lineno;
} YYSTYPE;

#line 268 "parse.c"
#define FLOW 257
#define FROM 258
#define ESP 259
#define AH 260
#define IN 261
#define PEER 262
#define ON 263
#define OUT 264
#define TO 265
#define SRCID 266
#define DSTID 267
#define RSA 268
#define PSK 269
#define TCPMD5 270
#define SPI 271
#define AUTHKEY 272
#define ENCKEY 273
#define FILENAME 274
#define AUTHXF 275
#define ENCXF 276
#define ERROR 277
#define IKE 278
#define MAIN 279
#define QUICK 280
#define AGGRESSIVE 281
#define PASSIVE 282
#define ACTIVE 283
#define ANY 284
#define IPIP 285
#define IPCOMP 286
#define COMPXF 287
#define TUNNEL 288
#define TRANSPORT 289
#define DYNAMIC 290
#define LIFETIME 291
#define TYPE 292
#define DENY 293
#define BYPASS 294
#define LOCAL 295
#define PROTO 296
#define USE 297
#define ACQUIRE 298
#define REQUIRE 299
#define DONTACQ 300
#define GROUP 301
#define PORT 302
#define TAG 303
#define INCLUDE 304
#define BUNDLE 305
#define STRING 306
#define NUMBER 307
#define YYERRCODE 256
const short yylhs[] =
	{                                        -1,
    0,    0,    0,    0,    0,    0,    0,    0,    0,   37,
   37,   31,   35,   34,   33,   32,    3,    3,    3,    3,
    3,    4,    4,    4,    4,    5,    5,    6,    6,    6,
    2,    2,    2,    7,    7,    8,    8,    9,    9,   10,
   10,   10,   10,   10,   11,   11,   12,   12,   14,   14,
   15,   15,   13,   13,   13,   13,   16,   16,   16,   16,
   26,   26,   26,   26,   26,   26,   26,   17,   18,   18,
   39,   23,   23,   38,   38,   40,   40,   40,   40,   28,
   28,   28,   29,   29,   27,   27,   27,   19,   19,   20,
   20,   21,   21,   22,   22,   24,   24,   24,   24,   25,
   25,   25,   30,   30,    1,    1,   36,
};
const short yylen[] =
	{                                         2,
    0,    3,    2,    3,    3,    3,    3,    3,    3,    1,
    0,    2,    4,    8,    8,   12,    0,    1,    1,    1,
    1,    0,    2,    2,    2,    1,    1,    0,    1,    1,
    0,    1,    1,    6,    6,    0,    2,    1,    1,    0,
    4,    4,    2,    2,    1,    1,    0,    1,    1,    3,
    1,    3,    1,    4,    1,    3,    0,    4,    2,    2,
    0,    2,    2,    2,    2,    2,    2,    1,    2,    2,
    0,    2,    0,    2,    1,    2,    2,    2,    2,    0,
    3,    3,    0,    3,    0,    2,    2,    0,    2,    0,
    2,    0,    2,    1,    2,    0,    1,    1,    1,    0,
    1,    2,    0,    2,    2,    1,    3,
};
const short yydefred[] =
	{                                      1,
    0,    0,    0,   18,   19,    0,    0,   21,   20,    0,
    0,    3,    0,    0,    0,    0,    0,    0,    0,    9,
    0,    0,    0,    0,   97,   99,   98,    0,   12,    0,
   29,   30,    0,    2,    4,    5,    6,    7,    8,   32,
   33,    0,   55,    0,    0,    0,    0,    0,    0,    0,
    0,  106,    0,    0,    0,    0,    0,   49,    0,    0,
    0,    0,    0,   69,   70,    0,   13,    0,  105,    0,
   24,   25,   26,   27,   23,    0,   52,   10,   56,    0,
   38,   39,   37,    0,    0,    0,    0,   94,   89,    0,
    0,    0,    0,    0,    0,   50,    0,   54,    0,   95,
    0,    0,    0,    0,    0,    0,    0,   75,   46,   48,
    0,   45,    0,    0,    0,    0,   34,   35,    0,    0,
    0,   76,   77,   78,   79,   74,    0,    0,   68,    0,
   60,    0,   15,    0,    0,    0,   91,    0,   14,   41,
   42,    0,   65,   66,   62,   63,   64,   67,    0,    0,
    0,    0,   93,   58,    0,   81,   82,    0,    0,   87,
   86,   84,  101,    0,    0,  102,    0,   16,  104,
};
const short yydgoto[] =
	{                                       1,
   53,   42,   13,   56,   75,   33,   24,   61,   83,   95,
  111,  112,   46,   59,   47,  116,  130,   50,   67,  121,
  139,   89,   91,   28,  165,  133,  156,  136,  152,  168,
   14,   15,   16,   17,   18,   19,   80,  107,   92,  108,
};
const short yysindex[] =
	{                                      0,
   41,   -1, -176,    0,    0, -167, -203,    0,    0, -279,
    2,    0, -181,   30,   82,   94,  102,  104,  106,    0,
 -161, -120, -120, -141,    0,    0,    0, -176,    0, -172,
    0,    0, -167,    0,    0,    0,    0,    0,    0,    0,
    0, -165,    0,   93, -120, -160,  101, -160, -186, -129,
 -181,    0, -162, -141, -245, -167, -159,    0,  -37, -180,
 -119, -157, -113,    0,    0, -228,    0, -165,    0,    0,
    0,    0,    0,    0,    0, -246,    0,    0,    0, -120,
    0,    0,    0, -120,  109, -120, -155,    0,    0, -167,
 -129, -190, -216, -154, -138,    0, -160,    0, -160,    0,
 -246, -126, -153, -152, -151, -150, -190,    0,    0,    0,
 -137,    0, -105, -147, -147, -132,    0,    0, -258, -228,
 -144,    0,    0,    0,    0,    0, -154, -216,    0, -102,
    0, -175,    0,    0,    0, -112,    0, -139,    0,    0,
    0, -147,    0,    0,    0,    0,    0,    0, -122, -122,
    0, -138,    0,    0, -170,    0,    0, -122, -130,    0,
    0,    0,    0, -135, -131,    0, -133,    0,    0,};
const short yyrindex[] =
	{                                      0,
 -183,    0, -222,    0,    0,    0, -241,    0,    0,    0,
    0,    0, -164,    0,    0,    0,    0,    0,    0,    0,
 -232,    0,    0,    0,    0,    0,    0, -236,    0,    0,
    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
    0, -163,    0,  -10,    0, -103,   10,  -84,    0,  165,
 -200,    0,  166,    0,    0,    0,    0,    0, -118,    0,
    0,    0,    0,    0,    0,    0,    0, -163,    0,   31,
    0,    0,    0,    0,    0,   -4,    0,    0,    0,    0,
    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
   -6,    0,  122,  153,   -9,    0,   89,    0,   89,    0,
  218,    3,    0,    0,    0,    0,   62,    0,    0,    0,
  173,    0,  191,    0,    0,  167,    0,    0,  222,    0,
  168,    0,    0,    0,    0,    0,  200,  200,    0,   18,
    0,    0,    0,  107,  107,   56,    0,    0,    0,    0,
    0,    0,    0,    0,    0,    0,    0,    0,  239,  239,
  160,   46,    0,    0,    0,    0,    0,  243,   -8,    0,
    0,    0,    0,    0,  169,    0,    0,    0,    0,};
const short yygindex[] =
	{                                      0,
    0,    0,   22,  112,    0,  130,  -21,  -40,    0,   81,
   57,  -57,  -13,    0,  125,   32, -104,  135,   99,    0,
    0,   71,  -58,    0,    0,    0,  -69,    0,    0,    0,
    0,    0,    0,    0,    0,    0,    0,    0,    0,   85,
};
#define YYTABLESIZE 546
const short yytable[] =
	{                                      51,
   57,  100,   45,   88,   11,   40,   78,   63,   20,   48,
  131,   54,   90,   71,   72,   93,   96,   96,   96,   53,
  134,   17,  135,   96,   21,   31,   29,   59,   17,   51,
   51,   58,   31,   51,   76,   17,  113,  154,   17,   34,
   73,   17,   17,   96,   96,   87,   96,   96,   94,   51,
   12,   17,   17,   53,   96,   57,  117,   28,  118,   17,
   73,   74,   30,   31,   28,   83,   96,  109,  101,  140,
   97,   72,   99,   17,   17,  149,  150,   88,   25,   26,
  157,   17,    4,    5,  103,  104,   27,   79,  162,  110,
   22,   35,  158,   28,   22,   28,  105,   23,   36,   40,
   28,   22,   41,   36,   17,   17,   31,   32,    8,    9,
  106,   37,   51,   38,   51,   39,   73,  143,  144,   64,
   65,  145,  146,  147,  148,   81,   82,  114,  115,   49,
   55,   47,   53,   52,   53,  160,  161,  163,  164,   57,
   62,   60,   66,   69,   86,   84,  120,   77,   44,   98,
  100,  110,  122,  123,  124,  125,  128,  127,  129,  132,
  138,   36,   47,   43,  142,   11,  153,  151,  155,   73,
  166,  167,  169,   36,   88,  107,   61,   92,  103,   90,
   68,  119,   43,  159,  141,   44,   85,   11,   70,  102,
  137,  126,    0,    0,    0,    0,    0,    0,    0,    0,
   44,    0,    0,    0,    0,    0,    0,    0,    0,   47,
    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
    0,    0,    0,    0,    0,    0,    0,   40,    0,    0,
    0,   80,    0,    0,    0,    0,    0,    0,    0,    0,
    0,    0,    0,    0,    0,    0,    0,   51,   85,    0,
    0,   51,   85,    0,   51,   51,   51,   51,   51,    0,
   51,   40,   40,    0,    0,    0,   88,   53,   51,   51,
   51,   53,    0,   51,   53,   53,   53,   53,   53,    0,
   53,   51,   57,    0,   51,   59,   59,   40,   53,   53,
   53,   51,   51,   53,  100,   51,    2,    3,   88,    4,
    5,   53,   73,   73,   53,   71,   71,   90,    0,   59,
    6,   53,   53,   57,   57,   53,    0,   71,    7,    0,
   59,   83,   83,   83,   83,    8,    9,   72,   72,   72,
   72,   71,    0,   72,   72,   73,    0,    0,    0,    0,
    0,   72,    0,    0,   10,    0,   11,    0,   57,    0,
   36,    0,   72,    0,   36,   36,   36,   36,   83,   36,
    0,    0,    0,    0,   72,    0,   72,   36,   36,   36,
    0,    0,   73,   73,   73,   73,    0,    0,    0,    0,
   36,   71,   71,   36,    0,    0,   73,   47,   47,   47,
   47,   36,    0,   71,    0,    0,    0,   73,    0,    0,
   47,   47,   47,    0,    0,    0,    0,   71,    0,   73,
    0,    0,    0,   47,   47,    0,   47,    0,   47,   47,
   47,   47,    0,    0,   47,   73,   73,   73,   73,    0,
    0,   47,   47,   47,   71,   71,    0,    0,   43,   43,
   43,   43,    0,    0,   47,    0,   71,    0,    0,    0,
   73,   43,   43,   43,    0,   47,   44,   44,   44,   44,
   71,    0,   73,    0,   43,   47,   47,   47,   47,   44,
   44,   44,    0,    0,    0,   43,    0,    0,   47,   47,
   47,    0,   44,   40,   40,   40,   40,   80,   80,   80,
   80,   47,    0,   44,    0,    0,   40,   40,   40,    0,
    0,   80,   47,    0,   85,   85,   85,   85,   85,   85,
   85,   85,    0,    0,    0,    0,    0,    0,   85,    0,
   40,    0,    0,    0,   80,    0,    0,    0,    0,    0,
    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
    0,   85,    0,    0,    0,   85,
};
const short yycheck[] =
	{                                      10,
   10,   10,  123,   10,  123,   10,   44,   48,   10,   23,
  115,   33,   10,  259,  260,  262,  258,  259,  260,   10,
  279,  258,  281,  265,    3,  258,  306,   10,  265,   40,
   41,   45,  265,   44,   56,  258,   94,  142,  261,   10,
   10,  264,  265,  285,  286,  274,  288,  289,  295,   28,
   10,  288,  289,   44,  296,   10,   97,  258,   99,  296,
  306,  307,   61,  296,  265,   10,   80,  284,   90,  127,
   84,   10,   86,  296,  258,  134,  135,  306,  282,  283,
  150,  265,  259,  260,  275,  276,  290,  125,  158,  306,
  258,   10,  151,  258,  258,  296,  287,  265,   10,  261,
  265,  265,  264,   10,  288,  289,  288,  289,  285,  286,
  301,   10,  123,   10,  125,   10,   10,  293,  294,  306,
  307,  297,  298,  299,  300,  306,  307,  266,  267,  271,
  296,   10,  123,  306,  125,  306,  307,  268,  269,   47,
   40,  302,  272,  306,  258,  265,  273,  307,  306,   41,
  306,  306,  306,  306,  306,  306,  262,  295,  306,  292,
  305,  265,   10,  284,  267,  284,  306,  280,  291,   10,
  306,  303,  306,  258,   10,   10,   10,   10,   10,   68,
   51,  101,   10,  152,  128,  306,   62,  306,   54,   91,
  120,  107,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
   10,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   10,
   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
   -1,   -1,   -1,   -1,   -1,   -1,   -1,   10,   -1,   -1,
   -1,   10,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
   -1,   -1,   -1,   -1,   -1,   -1,   -1,  258,   10,   -1,
   -1,  262,   10,   -1,  265,  266,  267,  268,  269,   -1,
  271,  266,  267,   -1,   -1,   -1,  273,  258,  279,  280,
  281,  262,   -1,  284,  265,  266,  267,  268,  269,   -1,
  271,  292,  292,   -1,  295,  268,  269,  292,  279,  280,
  281,  302,  303,  284,  303,  306,  256,  257,  305,  259,
  260,  292,  272,  273,  295,  275,  276,  305,   -1,  292,
  270,  302,  303,  268,  269,  306,   -1,  287,  278,   -1,
  303,  266,  267,  268,  269,  285,  286,  266,  267,  268,
  269,  301,   -1,  272,  273,  305,   -1,   -1,   -1,   -1,
   -1,  280,   -1,   -1,  304,   -1,  306,   -1,  303,   -1,
  262,   -1,  291,   -1,  266,  267,  268,  269,  303,  271,
   -1,   -1,   -1,   -1,  303,   -1,  305,  279,  280,  281,
   -1,   -1,  266,  267,  268,  269,   -1,   -1,   -1,   -1,
  292,  275,  276,  295,   -1,   -1,  280,  266,  267,  268,
  269,  303,   -1,  287,   -1,   -1,   -1,  291,   -1,   -1,
  279,  280,  281,   -1,   -1,   -1,   -1,  301,   -1,  303,
   -1,   -1,   -1,  292,  262,   -1,  295,   -1,  266,  267,
  268,  269,   -1,   -1,  303,  266,  267,  268,  269,   -1,
   -1,  279,  280,  281,  275,  276,   -1,   -1,  266,  267,
  268,  269,   -1,   -1,  292,   -1,  287,   -1,   -1,   -1,
  291,  279,  280,  281,   -1,  303,  266,  267,  268,  269,
  301,   -1,  303,   -1,  292,  266,  267,  268,  269,  279,
  280,  281,   -1,   -1,   -1,  303,   -1,   -1,  279,  280,
  281,   -1,  292,  266,  267,  268,  269,  266,  267,  268,
  269,  292,   -1,  303,   -1,   -1,  279,  280,  281,   -1,
   -1,  280,  303,   -1,  266,  267,  268,  269,  266,  267,
  268,  269,   -1,   -1,   -1,   -1,   -1,   -1,  280,   -1,
  303,   -1,   -1,   -1,  303,   -1,   -1,   -1,   -1,   -1,
   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
   -1,  303,   -1,   -1,   -1,  303,
};
#define YYFINAL 1
#ifndef YYDEBUG
#define YYDEBUG 0
#endif
#define YYMAXTOKEN 307
#if YYDEBUG
const char * const yyname[] =
	{
"end-of-file",0,0,0,0,0,0,0,0,0,"'\\n'",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,"'('","')'",0,0,"','",0,0,"'/'",0,0,0,0,0,0,0,0,0,0,0,0,0,
"'='",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"'{'",0,"'}'",0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,"FLOW","FROM","ESP","AH","IN","PEER","ON","OUT","TO","SRCID","DSTID","RSA",
"PSK","TCPMD5","SPI","AUTHKEY","ENCKEY","FILENAME","AUTHXF","ENCXF","ERROR",
"IKE","MAIN","QUICK","AGGRESSIVE","PASSIVE","ACTIVE","ANY","IPIP","IPCOMP",
"COMPXF","TUNNEL","TRANSPORT","DYNAMIC","LIFETIME","TYPE","DENY","BYPASS",
"LOCAL","PROTO","USE","ACQUIRE","REQUIRE","DONTACQ","GROUP","PORT","TAG",
"INCLUDE","BUNDLE","STRING","NUMBER",
};
const char * const yyrule[] =
	{"$accept : grammar",
"grammar :",
"grammar : grammar include '\\n'",
"grammar : grammar '\\n'",
"grammar : grammar ikerule '\\n'",
"grammar : grammar flowrule '\\n'",
"grammar : grammar sarule '\\n'",
"grammar : grammar tcpmd5rule '\\n'",
"grammar : grammar varset '\\n'",
"grammar : grammar error '\\n'",
"comma : ','",
"comma :",
"include : INCLUDE STRING",
"tcpmd5rule : TCPMD5 hosts spispec authkeyspec",
"sarule : satype tmode hosts spispec transforms authkeyspec enckeyspec bundlestring",
"flowrule : FLOW satype dir proto hosts peers ids type",
"ikerule : IKE ikemode satype tmode proto hosts peers phase1mode phase2mode ids ikeauth tag",
"satype :",
"satype : ESP",
"satype : AH",
"satype : IPCOMP",
"satype : IPIP",
"proto :",
"proto : PROTO protoval",
"proto : PROTO ESP",
"proto : PROTO AH",
"protoval : STRING",
"protoval : NUMBER",
"tmode :",
"tmode : TUNNEL",
"tmode : TRANSPORT",
"dir :",
"dir : IN",
"dir : OUT",
"hosts : FROM host port TO host port",
"hosts : TO host port FROM host port",
"port :",
"port : PORT portval",
"portval : STRING",
"portval : NUMBER",
"peers :",
"peers : PEER anyhost LOCAL singlehost",
"peers : LOCAL singlehost PEER anyhost",
"peers : PEER anyhost",
"peers : LOCAL singlehost",
"anyhost : singlehost",
"anyhost : ANY",
"singlehost :",
"singlehost : STRING",
"host_list : host",
"host_list : host_list comma host",
"host_spec : STRING",
"host_spec : STRING '/' NUMBER",
"host : host_spec",
"host : host_spec '(' host_spec ')'",
"host : ANY",
"host : '{' host_list '}'",
"ids :",
"ids : SRCID id DSTID id",
"ids : SRCID id",
"ids : DSTID id",
"type :",
"type : TYPE USE",
"type : TYPE ACQUIRE",
"type : TYPE REQUIRE",
"type : TYPE DENY",
"type : TYPE BYPASS",
"type : TYPE DONTACQ",
"id : STRING",
"spispec : SPI STRING",
"spispec : SPI NUMBER",
"$$1 :",
"transforms : $$1 transforms_l",
"transforms :",
"transforms_l : transforms_l transform",
"transforms_l : transform",
"transform : AUTHXF STRING",
"transform : ENCXF STRING",
"transform : COMPXF STRING",
"transform : GROUP STRING",
"phase1mode :",
"phase1mode : MAIN transforms lifetime",
"phase1mode : AGGRESSIVE transforms lifetime",
"phase2mode :",
"phase2mode : QUICK transforms lifetime",
"lifetime :",
"lifetime : LIFETIME NUMBER",
"lifetime : LIFETIME STRING",
"authkeyspec :",
"authkeyspec : AUTHKEY keyspec",
"enckeyspec :",
"enckeyspec : ENCKEY keyspec",
"bundlestring :",
"bundlestring : BUNDLE STRING",
"keyspec : STRING",
"keyspec : FILENAME STRING",
"ikemode :",
"ikemode : PASSIVE",
"ikemode : DYNAMIC",
"ikemode : ACTIVE",
"ikeauth :",
"ikeauth : RSA",
"ikeauth : PSK STRING",
"tag :",
"tag : TAG STRING",
"string : string STRING",
"string : STRING",
"varset : STRING '=' string",
};
#endif
#ifdef YYSTACKSIZE
#undef YYMAXDEPTH
#define YYMAXDEPTH YYSTACKSIZE
#else
#ifdef YYMAXDEPTH
#define YYSTACKSIZE YYMAXDEPTH
#else
#define YYSTACKSIZE 10000
#define YYMAXDEPTH 10000
#endif
#endif
#define YYINITSTACKSIZE 200
/* LINTUSED */
int yydebug;
int yynerrs;
int yyerrflag;
int yychar;
short *yyssp;
YYSTYPE *yyvsp;
YYSTYPE yyval;
YYSTYPE yylval;
short *yyss;
short *yysslim;
YYSTYPE *yyvs;
unsigned int yystacksize;
int yyparse(void);
#line 925 "parse.y"

struct keywords {
	const char	*k_name;
	int		 k_val;
};

int
yyerror(const char *fmt, ...)
{
	va_list		 ap;

	file->errors++;
	va_start(ap, fmt);
	fprintf(stderr, "%s: %d: ", file->name, yylval.lineno);
	vfprintf(stderr, fmt, ap);
	fprintf(stderr, "\n");
	va_end(ap);
	return (0);
}

int
yywarn(const char *fmt, ...)
{
	va_list		 ap;

	va_start(ap, fmt);
	fprintf(stderr, "%s: %d: ", file->name, yylval.lineno);
	vfprintf(stderr, fmt, ap);
	fprintf(stderr, "\n");
	va_end(ap);
	return (0);
}

int
kw_cmp(const void *k, const void *e)
{
	return (strcmp(k, ((const struct keywords *)e)->k_name));
}

int
lookup(char *s)
{
	/* this has to be sorted always */
	static const struct keywords keywords[] = {
		{ "acquire",		ACQUIRE },
		{ "active",		ACTIVE },
		{ "aggressive",		AGGRESSIVE },
		{ "ah",			AH },
		{ "any",		ANY },
		{ "auth",		AUTHXF },
		{ "authkey",		AUTHKEY },
		{ "bundle",		BUNDLE },
		{ "bypass",		BYPASS },
		{ "comp",		COMPXF },
		{ "deny",		DENY },
		{ "dontacq",		DONTACQ },
		{ "dstid",		DSTID },
		{ "dynamic",		DYNAMIC },
		{ "enc",		ENCXF },
		{ "enckey",		ENCKEY },
		{ "esp",		ESP },
		{ "file",		FILENAME },
		{ "flow",		FLOW },
		{ "from",		FROM },
		{ "group",		GROUP },
		{ "ike",		IKE },
		{ "in",			IN },
		{ "include",		INCLUDE },
		{ "ipcomp",		IPCOMP },
		{ "ipip",		IPIP },
		{ "lifetime",		LIFETIME },
		{ "local",		LOCAL },
		{ "main",		MAIN },
		{ "out",		OUT },
		{ "passive",		PASSIVE },
		{ "peer",		PEER },
		{ "port",		PORT },
		{ "proto",		PROTO },
		{ "psk",		PSK },
		{ "quick",		QUICK },
		{ "require",		REQUIRE },
		{ "rsa",		RSA },
		{ "spi",		SPI },
		{ "srcid",		SRCID },
		{ "tag",		TAG },
		{ "tcpmd5",		TCPMD5 },
		{ "to",			TO },
		{ "transport",		TRANSPORT },
		{ "tunnel",		TUNNEL },
		{ "type",		TYPE },
		{ "use",		USE }
	};
	const struct keywords	*p;

	p = bsearch(s, keywords, sizeof(keywords)/sizeof(keywords[0]),
	    sizeof(keywords[0]), kw_cmp);

	if (p) {
		if (debug > 1)
			fprintf(stderr, "%s: %d\n", s, p->k_val);
		return (p->k_val);
	} else {
		if (debug > 1)
			fprintf(stderr, "string: %s\n", s);
		return (STRING);
	}
}

#define MAXPUSHBACK	128

u_char	*parsebuf;
int	 parseindex;
u_char	 pushback_buffer[MAXPUSHBACK];
int	 pushback_index = 0;

int
lgetc(int quotec)
{
	int		c, next;

	if (parsebuf) {
		/* Read character from the parsebuffer instead of input. */
		if (parseindex >= 0) {
			c = parsebuf[parseindex++];
			if (c != '\0')
				return (c);
			parsebuf = NULL;
		} else
			parseindex++;
	}

	if (pushback_index)
		return (pushback_buffer[--pushback_index]);

	if (quotec) {
		if ((c = getc(file->stream)) == EOF) {
			yyerror("reached end of file while parsing quoted string");
			if (popfile() == EOF)
				return (EOF);
			return (quotec);
		}
		return (c);
	}

	while ((c = getc(file->stream)) == '\\') {
		next = getc(file->stream);
		if (next != '\n') {
			c = next;
			break;
		}
		yylval.lineno = file->lineno;
		file->lineno++;
	}

	while (c == EOF) {
		if (popfile() == EOF)
			return (EOF);
		c = getc(file->stream);
	}
	return (c);
}

int
lungetc(int c)
{
	if (c == EOF)
		return (EOF);
	if (parsebuf) {
		parseindex--;
		if (parseindex >= 0)
			return (c);
	}
	if (pushback_index < MAXPUSHBACK-1)
		return (pushback_buffer[pushback_index++] = c);
	else
		return (EOF);
}

int
findeol(void)
{
	int	c;

	parsebuf = NULL;

	/* skip to either EOF or the first real EOL */
	while (1) {
		if (pushback_index)
			c = pushback_buffer[--pushback_index];
		else
			c = lgetc(0);
		if (c == '\n') {
			file->lineno++;
			break;
		}
		if (c == EOF)
			break;
	}
	return (ERROR);
}

int
yylex(void)
{
	u_char	 buf[8096];
	u_char	*p, *val;
	int	 quotec, next, c;
	int	 token;

top:
	p = buf;
	while ((c = lgetc(0)) == ' ' || c == '\t')
		; /* nothing */

	yylval.lineno = file->lineno;
	if (c == '#')
		while ((c = lgetc(0)) != '\n' && c != EOF)
			; /* nothing */
	if (c == '$' && parsebuf == NULL) {
		while (1) {
			if ((c = lgetc(0)) == EOF)
				return (0);

			if (p + 1 >= buf + sizeof(buf) - 1) {
				yyerror("string too long");
				return (findeol());
			}
			if (isalnum(c) || c == '_') {
				*p++ = c;
				continue;
			}
			*p = '\0';
			lungetc(c);
			break;
		}
		val = symget(buf);
		if (val == NULL) {
			yyerror("macro '%s' not defined", buf);
			return (findeol());
		}
		parsebuf = val;
		parseindex = 0;
		goto top;
	}

	switch (c) {
	case '\'':
	case '"':
		quotec = c;
		while (1) {
			if ((c = lgetc(quotec)) == EOF)
				return (0);
			if (c == '\n') {
				file->lineno++;
				continue;
			} else if (c == '\\') {
				if ((next = lgetc(quotec)) == EOF)
					return (0);
				if (next == quotec || c == ' ' || c == '\t')
					c = next;
				else if (next == '\n') {
					file->lineno++;
					continue;
				} else
					lungetc(next);
			} else if (c == quotec) {
				*p = '\0';
				break;
			} else if (c == '\0') {
				yyerror("syntax error");
				return (findeol());
			}
			if (p + 1 >= buf + sizeof(buf) - 1) {
				yyerror("string too long");
				return (findeol());
			}
			*p++ = c;
		}
		yylval.v.string = strdup(buf);
		if (yylval.v.string == NULL)
			err(1, "yylex: strdup");
		return (STRING);
	}

#define allowed_to_end_number(x) \
	(isspace(x) || x == ')' || x ==',' || x == '/' || x == '}' || x == '=')

	if (c == '-' || isdigit(c)) {
		do {
			*p++ = c;
			if ((unsigned)(p-buf) >= sizeof(buf)) {
				yyerror("string too long");
				return (findeol());
			}
		} while ((c = lgetc(0)) != EOF && isdigit(c));
		lungetc(c);
		if (p == buf + 1 && buf[0] == '-')
			goto nodigits;
		if (c == EOF || allowed_to_end_number(c)) {
			const char *errstr = NULL;

			*p = '\0';
			yylval.v.number = strtonum(buf, LLONG_MIN,
			    LLONG_MAX, &errstr);
			if (errstr) {
				yyerror("\"%s\" invalid number: %s",
				    buf, errstr);
				return (findeol());
			}
			return (NUMBER);
		} else {
nodigits:
			while (p > buf + 1)
				lungetc(*--p);
			c = *--p;
			if (c == '-')
				return (c);
		}
	}

#define allowed_in_string(x) \
	(isalnum(x) || (ispunct(x) && x != '(' && x != ')' && \
	x != '{' && x != '}' && x != '<' && x != '>' && \
	x != '!' && x != '=' && x != '/' && x != '#' && \
	x != ','))

	if (isalnum(c) || c == ':' || c == '_' || c == '*') {
		do {
			*p++ = c;
			if ((unsigned)(p-buf) >= sizeof(buf)) {
				yyerror("string too long");
				return (findeol());
			}
		} while ((c = lgetc(0)) != EOF && (allowed_in_string(c)));
		lungetc(c);
		*p = '\0';
		if ((token = lookup(buf)) == STRING)
			if ((yylval.v.string = strdup(buf)) == NULL)
				err(1, "yylex: strdup");
		return (token);
	}
	if (c == '\n') {
		yylval.lineno = file->lineno;
		file->lineno++;
	}
	if (c == EOF)
		return (0);
	return (c);
}

int
check_file_secrecy(int fd, const char *fname)
{
	struct stat	st;

	if (fstat(fd, &st)) {
		warn("cannot stat %s", fname);
		return (-1);
	}
	if (st.st_uid != 0 && st.st_uid != getuid()) {
		warnx("%s: owner not root or current user", fname);
		return (-1);
	}
	if (st.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO)) {
		warnx("%s: group writable or world read/writable", fname);
		return (-1);
	}
	return (0);
}

struct file *
pushfile(const char *name, int secret)
{
	struct file	*nfile;

	if ((nfile = calloc(1, sizeof(struct file))) == NULL) {
		warn("malloc");
		return (NULL);
	}
	if ((nfile->name = strdup(name)) == NULL) {
		warn("malloc");
		free(nfile);
		return (NULL);
	}
	if (TAILQ_FIRST(&files) == NULL && strcmp(nfile->name, "-") == 0) {
		nfile->stream = stdin;
		free(nfile->name);
		if ((nfile->name = strdup("stdin")) == NULL) {
			warn("strdup");
			free(nfile);
			return (NULL);
		}
	} else if ((nfile->stream = fopen(nfile->name, "r")) == NULL) {
		warn("%s", nfile->name);
		free(nfile->name);
		free(nfile);
		return (NULL);
	} else if (secret &&
	    check_file_secrecy(fileno(nfile->stream), nfile->name)) {
		fclose(nfile->stream);
		free(nfile->name);
		free(nfile);
		return (NULL);
	}
	nfile->lineno = 1;
	TAILQ_INSERT_TAIL(&files, nfile, entry);
	return (nfile);
}

int
popfile(void)
{
	struct file	*prev;

	if ((prev = TAILQ_PREV(file, files, entry)) != NULL) {
		prev->errors += file->errors;
		TAILQ_REMOVE(&files, file, entry);
		fclose(file->stream);
		free(file->name);
		free(file);
		file = prev;
		return (0);
	}
	return (EOF);
}

int
parse_rules(const char *filename, struct ipsecctl *ipsecx)
{
	struct sym	*sym;
	int		 errors = 0;

	ipsec = ipsecx;

	if ((file = pushfile(filename, 1)) == NULL) {
		return (-1);
	}

	yyparse();
	errors = file->errors;
	popfile();

	/* Free macros and check which have not been used. */
	while ((sym = TAILQ_FIRST(&symhead))) {
		if ((ipsec->opts & IPSECCTL_OPT_VERBOSE2) && !sym->used)
			fprintf(stderr, "warning: macro '%s' not "
			    "used\n", sym->nam);
		free(sym->nam);
		free(sym->val);
		TAILQ_REMOVE(&symhead, sym, entry);
		free(sym);
	}

	return (errors ? -1 : 0);
}

int
symset(const char *nam, const char *val, int persist)
{
	struct sym	*sym;

	TAILQ_FOREACH(sym, &symhead, entry) {
		if (strcmp(nam, sym->nam) == 0)
			break;
	}

	if (sym != NULL) {
		if (sym->persist == 1)
			return (0);
		else {
			free(sym->nam);
			free(sym->val);
			TAILQ_REMOVE(&symhead, sym, entry);
			free(sym);
		}
	}
	if ((sym = calloc(1, sizeof(*sym))) == NULL)
		return (-1);

	sym->nam = strdup(nam);
	if (sym->nam == NULL) {
		free(sym);
		return (-1);
	}
	sym->val = strdup(val);
	if (sym->val == NULL) {
		free(sym->nam);
		free(sym);
		return (-1);
	}
	sym->used = 0;
	sym->persist = persist;
	TAILQ_INSERT_TAIL(&symhead, sym, entry);
	return (0);
}

int
cmdline_symset(char *s)
{
	char	*sym, *val;
	int	ret;
	size_t	len;

	if ((val = strrchr(s, '=')) == NULL)
		return (-1);

	len = strlen(s) - strlen(val) + 1;
	if ((sym = malloc(len)) == NULL)
		err(1, "cmdline_symset: malloc");

	strlcpy(sym, s, len);

	ret = symset(sym, val + 1, 1);
	free(sym);

	return (ret);
}

char *
symget(const char *nam)
{
	struct sym	*sym;

	TAILQ_FOREACH(sym, &symhead, entry) {
		if (strcmp(nam, sym->nam) == 0) {
			sym->used = 1;
			return (sym->val);
		}
	}
	return (NULL);
}

int
atoul(char *s, u_long *ulvalp)
{
	u_long	 ulval;
	char	*ep;

	errno = 0;
	ulval = strtoul(s, &ep, 0);
	if (s[0] == '\0' || *ep != '\0')
		return (-1);
	if (errno == ERANGE && ulval == ULONG_MAX)
		return (-1);
	*ulvalp = ulval;
	return (0);
}

int
atospi(char *s, u_int32_t *spivalp)
{
	unsigned long	ulval;

	if (atoul(s, &ulval) == -1)
		return (-1);
	if (ulval > UINT_MAX) {
		yyerror("%lu not a valid spi", ulval);
		return (-1);
	}
	if (ulval >= SPI_RESERVED_MIN && ulval <= SPI_RESERVED_MAX) {
		yyerror("%lu within reserved spi range", ulval);
		return (-1);
	}
	*spivalp = ulval;
	return (0);
}

u_int8_t
x2i(unsigned char *s)
{
	char	ss[3];

	ss[0] = s[0];
	ss[1] = s[1];
	ss[2] = 0;

	if (!isxdigit(s[0]) || !isxdigit(s[1])) {
		yyerror("keys need to be specified in hex digits");
		return (-1);
	}
	return ((u_int8_t)strtoul(ss, NULL, 16));
}

struct ipsec_key *
parsekey(unsigned char *hexkey, size_t len)
{
	struct ipsec_key *key;
	int		  i;

	key = calloc(1, sizeof(struct ipsec_key));
	if (key == NULL)
		err(1, "parsekey: calloc");

	key->len = len / 2;
	key->data = calloc(key->len, sizeof(u_int8_t));
	if (key->data == NULL)
		err(1, "parsekey: calloc");

	for (i = 0; i < (int)key->len; i++)
		key->data[i] = x2i(hexkey + 2 * i);

	return (key);
}

struct ipsec_key *
parsekeyfile(char *filename)
{
	struct stat	 sb;
	int		 fd;
	unsigned char	*hex;

	if ((fd = open(filename, O_RDONLY)) < 0)
		err(1, "open %s", filename);
	if (fstat(fd, &sb) < 0)
		err(1, "parsekeyfile: stat %s", filename);
	if ((sb.st_size > KEYSIZE_LIMIT) || (sb.st_size == 0))
		errx(1, "%s: key too %s", filename, sb.st_size ? "large" :
		    "small");
	if ((hex = calloc(sb.st_size, sizeof(unsigned char))) == NULL)
		err(1, "parsekeyfile: calloc");
	if (read(fd, hex, sb.st_size) < sb.st_size)
		err(1, "parsekeyfile: read");
	close(fd);
	return (parsekey(hex, sb.st_size));
}

int
get_id_type(char *string)
{
	struct in6_addr ia;

	if (string == NULL)
		return (ID_UNKNOWN);

	if (inet_pton(AF_INET, string, &ia) == 1)
		return (ID_IPV4);
	else if (inet_pton(AF_INET6, string, &ia) == 1)
		return (ID_IPV6);
	else if (strchr(string, '@'))
		return (ID_UFQDN);
	else
		return (ID_FQDN);
}

struct ipsec_addr_wrap *
host(const char *s)
{
	struct ipsec_addr_wrap	*ipa = NULL;
	int			 mask, cont = 1;
	char			*p, *q, *ps;

	if ((p = strrchr(s, '/')) != NULL) {
		errno = 0;
		mask = strtol(p + 1, &q, 0);
		if (errno == ERANGE || !q || *q || mask > 128 || q == (p + 1))
			errx(1, "host: invalid netmask '%s'", p);
		if ((ps = malloc(strlen(s) - strlen(p) + 1)) == NULL)
			err(1, "host: calloc");
		strlcpy(ps, s, strlen(s) - strlen(p) + 1);
	} else {
		if ((ps = strdup(s)) == NULL)
			err(1, "host: strdup");
		mask = -1;
	}

	/* Does interface with this name exist? */
	if (cont && (ipa = host_if(ps, mask)) != NULL)
		cont = 0;

	/* IPv4 address? */
	if (cont && (ipa = host_v4(s, mask == -1 ? 32 : mask)) != NULL)
		cont = 0;

	/* IPv6 address? */
	if (cont && (ipa = host_v6(ps, mask == -1 ? 128 : mask)) != NULL)
		cont = 0;

	/* dns lookup */
	if (cont && mask == -1 && (ipa = host_dns(s, mask)) != NULL)
		cont = 0;
	free(ps);

	if (ipa == NULL || cont == 1) {
		fprintf(stderr, "no IP address found for %s\n", s);
		return (NULL);
	}
	return (ipa);
}

struct ipsec_addr_wrap *
host_v6(const char *s, int prefixlen)
{
	struct ipsec_addr_wrap	*ipa = NULL;
	struct addrinfo		 hints, *res;
	char			 hbuf[NI_MAXHOST];

	bzero(&hints, sizeof(struct addrinfo));
	hints.ai_family = AF_INET6;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = AI_NUMERICHOST;
	if (getaddrinfo(s, NULL, &hints, &res))
		return (NULL);
	if (res->ai_next)
		err(1, "host_v6: numeric hostname expanded to multiple item");

	ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
	if (ipa == NULL)
		err(1, "host_v6: calloc");
	ipa->af = res->ai_family;
	memcpy(&ipa->address.v6,
	    &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr,
	    sizeof(struct in6_addr));
	if (prefixlen > 128)
		prefixlen = 128;
	ipa->next = NULL;
	ipa->tail = ipa;

	set_ipmask(ipa, prefixlen);
	if (getnameinfo(res->ai_addr, res->ai_addrlen,
	    hbuf, sizeof(hbuf), NULL, 0, NI_NUMERICHOST)) {
		errx(1, "could not get a numeric hostname");
	}

	if (prefixlen != 128) {
		ipa->netaddress = 1;
		if (asprintf(&ipa->name, "%s/%d", hbuf, prefixlen) == -1)
			err(1, "host_v6: asprintf");
	} else {
		if ((ipa->name = strdup(hbuf)) == NULL)
			err(1, "host_v6: strdup");
	}

	freeaddrinfo(res);

	return (ipa);
}

struct ipsec_addr_wrap *
host_v4(const char *s, int mask)
{
	struct ipsec_addr_wrap	*ipa = NULL;
	struct in_addr		 ina;
	int			 bits = 32;

	bzero(&ina, sizeof(struct in_addr));
	if (strrchr(s, '/') != NULL) {
		if ((bits = inet_net_pton(AF_INET, s, &ina, sizeof(ina))) == -1)
			return (NULL);
	} else {
		if (inet_pton(AF_INET, s, &ina) != 1)
			return (NULL);
	}

	ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
	if (ipa == NULL)
		err(1, "host_v4: calloc");

	ipa->address.v4 = ina;
	ipa->name = strdup(s);
	if (ipa->name == NULL)
		err(1, "host_v4: strdup");
	ipa->af = AF_INET;
	ipa->next = NULL;
	ipa->tail = ipa;

	set_ipmask(ipa, bits);
	if (strrchr(s, '/') != NULL)
		ipa->netaddress = 1;

	return (ipa);
}

struct ipsec_addr_wrap *
host_dns(const char *s, int mask)
{
	struct ipsec_addr_wrap	*ipa = NULL, *head = NULL;
	struct addrinfo		 hints, *res0, *res;
	int			 error;
	char			 hbuf[NI_MAXHOST];

	bzero(&hints, sizeof(struct addrinfo));
	hints.ai_family = PF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	error = getaddrinfo(s, NULL, &hints, &res0);
	if (error)
		return (NULL);

	for (res = res0; res; res = res->ai_next) {
		if (res->ai_family != AF_INET && res->ai_family != AF_INET6)
			continue;

		ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
		if (ipa == NULL)
			err(1, "host_dns: calloc");
		switch (res->ai_family) {
		case AF_INET:
			memcpy(&ipa->address.v4,
			    &((struct sockaddr_in *)res->ai_addr)->sin_addr,
			    sizeof(struct in_addr));
			break;
		case AF_INET6:
			/* XXX we do not support scoped IPv6 address yet */
			if (((struct sockaddr_in6 *)res->ai_addr)->sin6_scope_id) {
				free(ipa);
				continue;
			}
			memcpy(&ipa->address.v6,
			    &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr,
			    sizeof(struct in6_addr));
			break;
		}
		error = getnameinfo(res->ai_addr, res->ai_addrlen, hbuf,
		    sizeof(hbuf), NULL, 0, NI_NUMERICHOST);
		if (error)
			err(1, "host_dns: getnameinfo");
		ipa->name = strdup(hbuf);
		if (ipa->name == NULL)
			err(1, "host_dns: strdup");
		ipa->af = res->ai_family;
		ipa->next = NULL;
		ipa->tail = ipa;
		if (head == NULL)
			head = ipa;
		else {
			head->tail->next = ipa;
			head->tail = ipa;
		}

		/*
		 * XXX for now, no netmask support for IPv6.
		 * but since there's no way to specify address family, once you
		 * have IPv6 address on a host, you cannot use dns/netmask
		 * syntax.
		 */
		if (ipa->af == AF_INET)
			set_ipmask(ipa, mask == -1 ? 32 : mask);
		else
			if (mask != -1)
				err(1, "host_dns: cannot apply netmask "
				    "on non-IPv4 address");
	}
	freeaddrinfo(res0);

	return (head);
}

struct ipsec_addr_wrap *
host_if(const char *s, int mask)
{
	struct ipsec_addr_wrap *ipa = NULL;

	if (ifa_exists(s))
		ipa = ifa_lookup(s);

	return (ipa);
}

struct ipsec_addr_wrap *
host_any(void)
{
	struct ipsec_addr_wrap	*ipa;

	ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
	if (ipa == NULL)
		err(1, "host_any: calloc");
	ipa->af = AF_UNSPEC;
	ipa->netaddress = 1;
	ipa->tail = ipa;
	return (ipa);
}

/* interface lookup routintes */

struct ipsec_addr_wrap	*iftab;

void
ifa_load(void)
{
	struct ifaddrs		*ifap, *ifa;
	struct ipsec_addr_wrap	*n = NULL, *h = NULL;

	if (getifaddrs(&ifap) < 0)
		err(1, "ifa_load: getifaddrs");

	for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
		if (!(ifa->ifa_addr->sa_family == AF_INET ||
		    ifa->ifa_addr->sa_family == AF_INET6 ||
		    ifa->ifa_addr->sa_family == AF_LINK))
			continue;
		n = calloc(1, sizeof(struct ipsec_addr_wrap));
		if (n == NULL)
			err(1, "ifa_load: calloc");
		n->af = ifa->ifa_addr->sa_family;
		if ((n->name = strdup(ifa->ifa_name)) == NULL)
			err(1, "ifa_load: strdup");
		if (n->af == AF_INET) {
			n->af = AF_INET;
			memcpy(&n->address.v4, &((struct sockaddr_in *)
			    ifa->ifa_addr)->sin_addr,
			    sizeof(struct in_addr));
			memcpy(&n->mask.v4, &((struct sockaddr_in *)
			    ifa->ifa_netmask)->sin_addr,
			    sizeof(struct in_addr));
		} else if (n->af == AF_INET6) {
			n->af = AF_INET6;
			memcpy(&n->address.v6, &((struct sockaddr_in6 *)
			    ifa->ifa_addr)->sin6_addr,
			    sizeof(struct in6_addr));
			memcpy(&n->mask.v6, &((struct sockaddr_in6 *)
			    ifa->ifa_netmask)->sin6_addr,
			    sizeof(struct in6_addr));
		}
		n->next = NULL;
		n->tail = n;
		if (h == NULL)
			h = n;
		else {
			h->tail->next = n;
			h->tail = n;
		}
	}

	iftab = h;
	freeifaddrs(ifap);
}

int
ifa_exists(const char *ifa_name)
{
	struct ipsec_addr_wrap	*n;
	struct ifgroupreq	 ifgr;
	int			 s;

	if (iftab == NULL)
		ifa_load();

	/* check whether this is a group */
	if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
		err(1, "ifa_exists: socket");
	bzero(&ifgr, sizeof(ifgr));
	strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name));
	if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == 0) {
		close(s);
		return (1);
	}
	close(s);

	for (n = iftab; n; n = n->next) {
		if (n->af == AF_LINK && !strncmp(n->name, ifa_name,
		    IFNAMSIZ))
			return (1);
	}

	return (0);
}

struct ipsec_addr_wrap *
ifa_grouplookup(const char *ifa_name)
{
	struct ifg_req		*ifg;
	struct ifgroupreq	 ifgr;
	int			 s;
	size_t			 len;
	struct ipsec_addr_wrap	*n, *h = NULL, *hn;

	if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
		err(1, "socket");
	bzero(&ifgr, sizeof(ifgr));
	strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name));
	if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == -1) {
		close(s);
		return (NULL);
	}

	len = ifgr.ifgr_len;
	if ((ifgr.ifgr_groups = calloc(1, len)) == NULL)
		err(1, "calloc");
	if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == -1)
		err(1, "ioctl");

	for (ifg = ifgr.ifgr_groups; ifg && len >= sizeof(struct ifg_req);
	    ifg++) {
		len -= sizeof(struct ifg_req);
		if ((n = ifa_lookup(ifg->ifgrq_member)) == NULL)
			continue;
		if (h == NULL)
			h = n;
		else {
			for (hn = h; hn->next != NULL; hn = hn->next)
				;	/* nothing */
			hn->next = n;
			n->tail = hn;
		}
	}
	free(ifgr.ifgr_groups);
	close(s);

	return (h);
}

struct ipsec_addr_wrap *
ifa_lookup(const char *ifa_name)
{
	struct ipsec_addr_wrap	*p = NULL, *h = NULL, *n = NULL;

	if (iftab == NULL)
		ifa_load();

	if ((n = ifa_grouplookup(ifa_name)) != NULL)
		return (n);

	for (p = iftab; p; p = p->next) {
		if (p->af != AF_INET && p->af != AF_INET6)
			continue;
		if (strncmp(p->name, ifa_name, IFNAMSIZ))
			continue;
		n = calloc(1, sizeof(struct ipsec_addr_wrap));
		if (n == NULL)
			err(1, "ifa_lookup: calloc");
		memcpy(n, p, sizeof(struct ipsec_addr_wrap));
		if ((n->name = strdup(p->name)) == NULL)
			err(1, "ifa_lookup: strdup");
		switch (n->af) {
		case AF_INET:
			set_ipmask(n, 32);
			break;
		case AF_INET6:
			/* route/show.c and bgpd/util.c give KAME credit */
			if (IN6_IS_ADDR_LINKLOCAL(&n->address.v6)) {
				u_int16_t tmp16;
				/* for now we can not handle link local,
				 * therefore bail for now
				 */
				free(n);
				continue;

				memcpy(&tmp16, &n->address.v6.s6_addr[2],
				    sizeof(tmp16));
				/* use this when we support link-local
				 * n->??.scopeid = ntohs(tmp16);
				 */
				n->address.v6.s6_addr[2] = 0;
				n->address.v6.s6_addr[3] = 0;
			}
			set_ipmask(n, 128);
			break;
		}

		n->next = NULL;
		n->tail = n;
		if (h == NULL)
			h = n;
		else {
			h->tail->next = n;
			h->tail = n;
		}
	}

	return (h);
}

void
set_ipmask(struct ipsec_addr_wrap *address, u_int8_t b)
{
	struct ipsec_addr	*ipa;
	int			 i, j = 0;

	ipa = &address->mask;
	bzero(ipa, sizeof(struct ipsec_addr));

	while (b >= 32) {
		ipa->addr32[j++] = 0xffffffff;
		b -= 32;
	}
	for (i = 31; i > 31 - b; --i)
		ipa->addr32[j] |= (1 << i);
	if (b)
		ipa->addr32[j] = htonl(ipa->addr32[j]);
}

const struct ipsec_xf *
parse_xf(const char *name, const struct ipsec_xf xfs[])
{
	int		i;

	for (i = 0; xfs[i].name != NULL; i++) {
		if (strncmp(name, xfs[i].name, strlen(name)))
			continue;
		return &xfs[i];
	}
	return (NULL);
}

struct ipsec_lifetime *
parse_life(const char *value)
{
	struct ipsec_lifetime	*life;
	int			ret;
	int			seconds = 0;
	char			unit = 0;

	ret = sscanf(value, "%d%c", &seconds, &unit);
	if (ret == 2) {
		switch (tolower((unsigned char)unit)) {
		case 'm':
			seconds *= 60;
			break;
		case 'h':
			seconds *= 60 * 60;
			break;
		default:
			err(1, "invalid time unit");
		}
	} else if (ret != 1)
		err(1, "invalid time specification: %s", value);

	life = calloc(1, sizeof(struct ipsec_lifetime));
	if (life == NULL)
		err(1, "calloc");

	life->lt_seconds = seconds;
	life->lt_bytes = -1;

	return (life);
}

struct ipsec_transforms *
copytransforms(const struct ipsec_transforms *xfs)
{
	struct ipsec_transforms *newxfs;

	if (xfs == NULL)
		return (NULL);

	newxfs = calloc(1, sizeof(struct ipsec_transforms));
	if (newxfs == NULL)
		err(1, "copytransforms: calloc");

	memcpy(newxfs, xfs, sizeof(struct ipsec_transforms));
	return (newxfs);
}

struct ipsec_lifetime *
copylife(const struct ipsec_lifetime *life)
{
	struct ipsec_lifetime *newlife;

	if (life == NULL)
		return (NULL);

	newlife = calloc(1, sizeof(struct ipsec_lifetime));
	if (newlife == NULL)
		err(1, "copylife: calloc");

	memcpy(newlife, life, sizeof(struct ipsec_lifetime));
	return (newlife);
}

struct ipsec_auth *
copyipsecauth(const struct ipsec_auth *auth)
{
	struct ipsec_auth	*newauth;

	if (auth == NULL)
		return (NULL);

	if ((newauth = calloc(1, sizeof(struct ipsec_auth))) == NULL)
		err(1, "calloc");
	if (auth->srcid &&
	    asprintf(&newauth->srcid, "%s", auth->srcid) == -1)
		err(1, "asprintf");
	if (auth->dstid &&
	    asprintf(&newauth->dstid, "%s", auth->dstid) == -1)
		err(1, "asprintf");

	newauth->srcid_type = auth->srcid_type;
	newauth->dstid_type = auth->dstid_type;
	newauth->type = auth->type;

	return (newauth);
}

struct ike_auth *
copyikeauth(const struct ike_auth *auth)
{
	struct ike_auth	*newauth;

	if (auth == NULL)
		return (NULL);

	if ((newauth = calloc(1, sizeof(struct ike_auth))) == NULL)
		err(1, "calloc");
	if (auth->string &&
	    asprintf(&newauth->string, "%s", auth->string) == -1)
		err(1, "asprintf");

	newauth->type = auth->type;

	return (newauth);
}

struct ipsec_key *
copykey(struct ipsec_key *key)
{
	struct ipsec_key	*newkey;

	if (key == NULL)
		return (NULL);

	if ((newkey = calloc(1, sizeof(struct ipsec_key))) == NULL)
		err(1, "calloc");
	if ((newkey->data = calloc(key->len, sizeof(u_int8_t))) == NULL)
		err(1, "calloc");
	memcpy(newkey->data, key->data, key->len);
	newkey->len = key->len;

	return (newkey);
}

struct ipsec_addr_wrap *
copyhost(const struct ipsec_addr_wrap *src)
{
	struct ipsec_addr_wrap *dst;

	if (src == NULL)
		return (NULL);

	dst = calloc(1, sizeof(struct ipsec_addr_wrap));
	if (dst == NULL)
		err(1, "copyhost: calloc");

	memcpy(dst, src, sizeof(struct ipsec_addr_wrap));

	if (src->name != NULL && (dst->name = strdup(src->name)) == NULL)
		err(1, "copyhost: strdup");

	return dst;
}

char *
copytag(const char *src)
{
	char *tag;

	if (src == NULL)
		return (NULL);
	if ((tag = strdup(src)) == NULL)
		err(1, "copytag: strdup");

	return (tag);
}

struct ipsec_rule *
copyrule(struct ipsec_rule *rule)
{
	struct ipsec_rule	*r;

	if ((r = calloc(1, sizeof(struct ipsec_rule))) == NULL)
		err(1, "calloc");

	r->src = copyhost(rule->src);
	r->dst = copyhost(rule->dst);
	r->local = copyhost(rule->local);
	r->peer = copyhost(rule->peer);
	r->auth = copyipsecauth(rule->auth);
	r->ikeauth = copyikeauth(rule->ikeauth);
	r->xfs = copytransforms(rule->xfs);
	r->p1xfs = copytransforms(rule->p1xfs);
	r->p2xfs = copytransforms(rule->p2xfs);
	r->p1life = copylife(rule->p1life);
	r->p2life = copylife(rule->p2life);
	r->authkey = copykey(rule->authkey);
	r->enckey = copykey(rule->enckey);
	r->tag = copytag(rule->tag);

	r->p1ie = rule->p1ie;
	r->p2ie = rule->p2ie;
	r->type = rule->type;
	r->satype = rule->satype;
	r->proto = rule->proto;
	r->tmode = rule->tmode;
	r->direction = rule->direction;
	r->flowtype = rule->flowtype;
	r->sport = rule->sport;
	r->dport = rule->dport;
	r->ikemode = rule->ikemode;
	r->spi = rule->spi;
	r->nr = rule->nr;

	return (r);
}

int
validate_af(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst)
{
	struct ipsec_addr_wrap *ta;
	u_int8_t src_v4 = 0;
	u_int8_t dst_v4 = 0;
	u_int8_t src_v6 = 0;
	u_int8_t dst_v6 = 0;

	for (ta = src; ta; ta = ta->next) {
		if (ta->af == AF_INET)
			src_v4 = 1;
		if (ta->af == AF_INET6)
			src_v6 = 1;
		if (ta->af == AF_UNSPEC)
			return 0;
		if (src_v4 && src_v6)
			break;
	}
	for (ta = dst; ta; ta = ta->next) {
		if (ta->af == AF_INET)
			dst_v4 = 1;
		if (ta->af == AF_INET6)
			dst_v6 = 1;
		if (ta->af == AF_UNSPEC)
			return 0;
		if (dst_v4 && dst_v6)
			break;
	}
	if (src_v4 != dst_v4 && src_v6 != dst_v6)
		return (1);

	return (0);
}


int
validate_sa(u_int32_t spi, u_int8_t satype, struct ipsec_transforms *xfs,
    struct ipsec_key *authkey, struct ipsec_key *enckey, u_int8_t tmode)
{
	/* Sanity checks */
	if (spi == 0) {
		yyerror("no SPI specified");
		return (0);
	}
	if (satype == IPSEC_AH) {
		if (!xfs) {
			yyerror("no transforms specified");
			return (0);
		}
		if (!xfs->authxf)
			xfs->authxf = &authxfs[AUTHXF_HMAC_SHA2_256];
		if (xfs->encxf) {
			yyerror("ah does not provide encryption");
			return (0);
		}
		if (xfs->compxf) {
			yyerror("ah does not provide compression");
			return (0);
		}
	}
	if (satype == IPSEC_ESP) {
		if (!xfs) {
			yyerror("no transforms specified");
			return (0);
		}
		if (xfs->compxf) {
			yyerror("esp does not provide compression");
			return (0);
		}
		if (!xfs->encxf)
			xfs->encxf = &encxfs[ENCXF_AES];
		if (xfs->encxf->nostatic) {
			yyerror("%s is disallowed with static keys",
			    xfs->encxf->name);
			return 0;
		}
		if (xfs->encxf->noauth && xfs->authxf) {
			yyerror("authentication is implicit for %s",
			    xfs->encxf->name);
			return (0);
		} else if (!xfs->encxf->noauth && !xfs->authxf)
			xfs->authxf = &authxfs[AUTHXF_HMAC_SHA2_256];
	}
	if (satype == IPSEC_IPCOMP) {
		if (!xfs) {
			yyerror("no transform specified");
			return (0);
		}
		if (xfs->authxf || xfs->encxf) {
			yyerror("no encryption or authentication with ipcomp");
			return (0);
		}
		if (!xfs->compxf)
			xfs->compxf = &compxfs[COMPXF_DEFLATE];
	}
	if (satype == IPSEC_IPIP) {
		if (!xfs) {
			yyerror("no transform specified");
			return (0);
		}
		if (xfs->authxf || xfs->encxf || xfs->compxf) {
			yyerror("no encryption, authentication or compression"
			    " with ipip");
			return (0);
		}
	}
	if (satype == IPSEC_TCPMD5 && authkey == NULL && tmode !=
	    IPSEC_TRANSPORT) {
		yyerror("authentication key needed for tcpmd5");
		return (0);
	}
	if (xfs && xfs->authxf) {
		if (!authkey && xfs->authxf != &authxfs[AUTHXF_NONE]) {
			yyerror("no authentication key specified");
			return (0);
		}
		if (authkey && authkey->len != xfs->authxf->keymin) {
			yyerror("wrong authentication key length, needs to be "
			    "%zu bits", xfs->authxf->keymin * 8);
			return (0);
		}
	}
	if (xfs && xfs->encxf) {
		if (!enckey && xfs->encxf != &encxfs[ENCXF_NULL]) {
			yyerror("no encryption key specified");
			return (0);
		}
		if (enckey) {
			if (enckey->len < xfs->encxf->keymin) {
				yyerror("encryption key too short (%zu bits), "
				    "minimum %zu bits", enckey->len * 8,
				    xfs->encxf->keymin * 8);
				return (0);
			}
			if (xfs->encxf->keymax < enckey->len) {
				yyerror("encryption key too long (%zu bits), "
				    "maximum %zu bits", enckey->len * 8,
				    xfs->encxf->keymax * 8);
				return (0);
			}
		}
	}

	return 1;
}

int
add_sabundle(struct ipsec_rule *r, char *bundle)
{
	struct ipsec_rule	*rp, *last, *sabundle;
	int			 found = 0;

	TAILQ_FOREACH(rp, &ipsec->bundle_queue, bundle_entry) {
		if ((strcmp(rp->src->name, r->src->name) == 0) &&
		    (strcmp(rp->dst->name, r->dst->name) == 0) &&
		    (strcmp(rp->bundle, bundle) == 0)) {
			found = 1;
			break;
		}
	}
	if (found) {
		last = TAILQ_LAST(&rp->dst_bundle_queue, dst_bundle_queue);
		TAILQ_INSERT_TAIL(&rp->dst_bundle_queue, r, dst_bundle_entry);

		sabundle = create_sabundle(last->dst, last->satype, last->spi,
		    r->dst, r->satype, r->spi);
		if (sabundle == NULL)
			return (1);
		sabundle->nr = ipsec->rule_nr++;
		if (ipsecctl_add_rule(ipsec, sabundle))
			return (1);
	} else {
		TAILQ_INSERT_TAIL(&ipsec->bundle_queue, r, bundle_entry);
		TAILQ_INIT(&r->dst_bundle_queue);
		TAILQ_INSERT_TAIL(&r->dst_bundle_queue, r, dst_bundle_entry);
		r->bundle = bundle;
	}

	return (0);
}

struct ipsec_rule *
create_sa(u_int8_t satype, u_int8_t tmode, struct ipsec_hosts *hosts,
    u_int32_t spi, struct ipsec_transforms *xfs, struct ipsec_key *authkey,
    struct ipsec_key *enckey)
{
	struct ipsec_rule *r;

	if (validate_sa(spi, satype, xfs, authkey, enckey, tmode) == 0)
		return (NULL);

	r = calloc(1, sizeof(struct ipsec_rule));
	if (r == NULL)
		err(1, "create_sa: calloc");

	r->type |= RULE_SA;
	r->satype = satype;
	r->tmode = tmode;
	r->src = hosts->src;
	r->dst = hosts->dst;
	r->spi = spi;
	r->xfs = xfs;
	r->authkey = authkey;
	r->enckey = enckey;

	return r;
}

struct ipsec_rule *
reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey,
    struct ipsec_key *enckey)
{
	struct ipsec_rule *reverse;

	if (validate_sa(spi, rule->satype, rule->xfs, authkey, enckey,
	    rule->tmode) == 0)
		return (NULL);

	reverse = calloc(1, sizeof(struct ipsec_rule));
	if (reverse == NULL)
		err(1, "reverse_sa: calloc");

	reverse->type |= RULE_SA;
	reverse->satype = rule->satype;
	reverse->tmode = rule->tmode;
	reverse->src = copyhost(rule->dst);
	reverse->dst = copyhost(rule->src);
	reverse->spi = spi;
	reverse->xfs = copytransforms(rule->xfs);
	reverse->authkey = authkey;
	reverse->enckey = enckey;

	return (reverse);
}

struct ipsec_rule *
create_sabundle(struct ipsec_addr_wrap *dst, u_int8_t proto, u_int32_t spi,
    struct ipsec_addr_wrap *dst2, u_int8_t proto2, u_int32_t spi2)
{
	struct ipsec_rule *r;

	r = calloc(1, sizeof(struct ipsec_rule));
	if (r == NULL)
		err(1, "create_sabundle: calloc");

	r->type |= RULE_BUNDLE;

	r->dst = copyhost(dst);
	r->dst2 = copyhost(dst2);
	r->proto = proto;
	r->proto2 = proto2;
	r->spi = spi;
	r->spi2 = spi2;
	r->satype = proto;

	return (r);
}

struct ipsec_rule *
create_flow(u_int8_t dir, u_int8_t proto, struct ipsec_hosts *hosts,
    u_int8_t satype, char *srcid, char *dstid, u_int8_t type)
{
	struct ipsec_rule *r;

	r = calloc(1, sizeof(struct ipsec_rule));
	if (r == NULL)
		err(1, "create_flow: calloc");

	r->type |= RULE_FLOW;

	if (dir == IPSEC_INOUT)
		r->direction = IPSEC_OUT;
	else
		r->direction = dir;

	r->satype = satype;
	r->proto = proto;
	r->src = hosts->src;
	r->sport = hosts->sport;
	r->dst = hosts->dst;
	r->dport = hosts->dport;
	if ((hosts->sport != 0 || hosts->dport != 0) &&
	    (proto != IPPROTO_TCP && proto != IPPROTO_UDP)) {
		yyerror("no protocol supplied with source/destination ports");
		goto errout;
	}

	switch (satype) {
	case IPSEC_IPCOMP:
	case IPSEC_IPIP:
		if (type == TYPE_UNKNOWN)
			type = TYPE_USE;
		break;
	default:
		if (type == TYPE_UNKNOWN)
			type = TYPE_REQUIRE;
		break;
	}

	r->flowtype = type;
	if (type == TYPE_DENY || type == TYPE_BYPASS)
		return (r);

	r->auth = calloc(1, sizeof(struct ipsec_auth));
	if (r->auth == NULL)
		err(1, "create_flow: calloc");
	r->auth->srcid = srcid;
	r->auth->dstid = dstid;
	r->auth->srcid_type = get_id_type(srcid);
	r->auth->dstid_type = get_id_type(dstid);
	return r;

errout:
	free(r);
	if (srcid)
		free(srcid);
	if (dstid)
		free(dstid);
	free(hosts->src);
	hosts->src = NULL;
	free(hosts->dst);
	hosts->dst = NULL;

	return NULL;
}

void
expand_any(struct ipsec_addr_wrap *ipa_in)
{
	struct ipsec_addr_wrap *oldnext, *ipa;

	for (ipa = ipa_in; ipa; ipa = ipa->next) {
		if (ipa->af != AF_UNSPEC)
			continue;
		oldnext = ipa->next;

		ipa->af = AF_INET;
		ipa->netaddress = 1;
		if ((ipa->name = strdup("0.0.0.0/0")) == NULL)
			err(1, "expand_any: strdup");

		ipa->next = calloc(1, sizeof(struct ipsec_addr_wrap));
		if (ipa->next == NULL)
			err(1, "expand_any: calloc");
		ipa->next->af = AF_INET6;
		ipa->next->netaddress = 1;
		if ((ipa->next->name = strdup("::/0")) == NULL)
			err(1, "expand_any: strdup");

		ipa->next->next = oldnext;
	}
}

int
set_rule_peers(struct ipsec_rule *r, struct ipsec_hosts *peers)
{
	if (r->type == RULE_FLOW &&
	    (r->flowtype == TYPE_DENY || r->flowtype == TYPE_BYPASS))
		return (0);

	r->local = copyhost(peers->src);
	r->peer = copyhost(peers->dst);
	if (r->peer == NULL) {
		/* Set peer to remote host.  Must be a host address. */
		if (r->direction == IPSEC_IN) {
			if (!r->src->netaddress)
				r->peer = copyhost(r->src);
		} else {
			if (!r->dst->netaddress)
				r->peer = copyhost(r->dst);
		}
	}
	if (r->type == RULE_FLOW && r->peer == NULL) {
		yyerror("no peer specified for destination %s",
		    r->dst->name);
		return (1);
	}
	if (r->peer != NULL && r->peer->af == AF_UNSPEC) {
		/* If peer has been specified as any, use the default peer. */
		free(r->peer);
		r->peer = NULL;
	}
	if (r->type == RULE_IKE && r->peer == NULL) {
		/*
                 * Check if the default peer is consistent for all
                 * rules.  Only warn to avoid breaking existing configs.
		 */
		static struct ipsec_rule *pdr = NULL;

		if (pdr == NULL) {
			/* Remember first default peer rule for comparison. */
			pdr = r;
		} else {
			/* The new default peer must create the same config. */
			if ((pdr->local == NULL && r->local != NULL) ||
			    (pdr->local != NULL && r->local == NULL) ||
			    (pdr->local != NULL && r->local != NULL &&
			    strcmp(pdr->local->name, r->local->name)))
				yywarn("default peer local mismatch");
			if (pdr->ikeauth->type != r->ikeauth->type)
				yywarn("default peer phase 1 auth mismatch");
			if (pdr->ikeauth->type == IKE_AUTH_PSK &&
			    r->ikeauth->type == IKE_AUTH_PSK &&
			    strcmp(pdr->ikeauth->string, r->ikeauth->string))
				yywarn("default peer psk mismatch");
			if (pdr->p1ie != r->p1ie)
				yywarn("default peer phase 1 mode mismatch");
			/*
			 * Transforms have ADD insted of SET so they may be
			 * different and are not checked here.
			 */
			if ((pdr->auth->srcid == NULL &&
			    r->auth->srcid != NULL) ||
			    (pdr->auth->srcid != NULL &&
			    r->auth->srcid == NULL) ||
			    (pdr->auth->srcid != NULL &&
			    r->auth->srcid != NULL &&
			    strcmp(pdr->auth->srcid, r->auth->srcid)))
				yywarn("default peer srcid mismatch");
			if ((pdr->auth->dstid == NULL &&
			    r->auth->dstid != NULL) ||
			    (pdr->auth->dstid != NULL &&
			    r->auth->dstid == NULL) ||
			    (pdr->auth->dstid != NULL &&
			    r->auth->dstid != NULL &&
			    strcmp(pdr->auth->dstid, r->auth->dstid)))
				yywarn("default peer dstid mismatch");
		}
	}
	return (0);
}

int
expand_rule(struct ipsec_rule *rule, struct ipsec_hosts *peers,
    u_int8_t direction, u_int32_t spi, struct ipsec_key *authkey,
    struct ipsec_key *enckey, char *bundle)
{
	struct ipsec_rule	*r, *revr;
	struct ipsec_addr_wrap	*src, *dst;
	int added = 0, ret = 1;

	if (validate_af(rule->src, rule->dst)) {
		yyerror("source/destination address families do not match");
		goto errout;
	}
	expand_any(rule->src);
	expand_any(rule->dst);
	for (src = rule->src; src; src = src->next) {
		for (dst = rule->dst; dst; dst = dst->next) {
			if (src->af != dst->af)
				continue;
			r = copyrule(rule);

			r->src = copyhost(src);
			r->dst = copyhost(dst);

			if (peers && set_rule_peers(r, peers)) {
				ipsecctl_free_rule(r);
				goto errout;
			}

			r->nr = ipsec->rule_nr++;
			if (ipsecctl_add_rule(ipsec, r))
				goto out;
			if (bundle && add_sabundle(r, bundle))
				goto out;

			if (direction == IPSEC_INOUT) {
				/* Create and add reverse flow rule. */
				revr = reverse_rule(r);
				if (revr == NULL)
					goto out;

				revr->nr = ipsec->rule_nr++;
				if (ipsecctl_add_rule(ipsec, revr))
					goto out;
				if (bundle && add_sabundle(revr, bundle))
					goto out;
			} else if (spi != 0 || authkey || enckey) {
				/* Create and add reverse sa rule. */
				revr = reverse_sa(r, spi, authkey, enckey);
				if (revr == NULL)
					goto out;

				revr->nr = ipsec->rule_nr++;
				if (ipsecctl_add_rule(ipsec, revr))
					goto out;
				if (bundle && add_sabundle(revr, bundle))
					goto out;
			}
			added++;
		}
	}
	if (!added)
		yyerror("rule expands to no valid combination");
 errout:
	ret = 0;
	ipsecctl_free_rule(rule);
 out:
	if (peers) {
		if (peers->src)
			free(peers->src);
		if (peers->dst)
			free(peers->dst);
	}
	return (ret);
}

struct ipsec_rule *
reverse_rule(struct ipsec_rule *rule)
{
	struct ipsec_rule *reverse;

	reverse = calloc(1, sizeof(struct ipsec_rule));
	if (reverse == NULL)
		err(1, "reverse_rule: calloc");

	reverse->type |= RULE_FLOW;

	/* Reverse direction */
	if (rule->direction == (u_int8_t)IPSEC_OUT)
		reverse->direction = (u_int8_t)IPSEC_IN;
	else
		reverse->direction = (u_int8_t)IPSEC_OUT;

	reverse->flowtype = rule->flowtype;
	reverse->src = copyhost(rule->dst);
	reverse->dst = copyhost(rule->src);
	reverse->sport = rule->dport;
	reverse->dport = rule->sport;
	if (rule->local)
		reverse->local = copyhost(rule->local);
	if (rule->peer)
		reverse->peer = copyhost(rule->peer);
	reverse->satype = rule->satype;
	reverse->proto = rule->proto;

	if (rule->auth) {
		reverse->auth = calloc(1, sizeof(struct ipsec_auth));
		if (reverse->auth == NULL)
			err(1, "reverse_rule: calloc");
		if (rule->auth->dstid && (reverse->auth->dstid =
		    strdup(rule->auth->dstid)) == NULL)
			err(1, "reverse_rule: strdup");
		if (rule->auth->srcid && (reverse->auth->srcid =
		    strdup(rule->auth->srcid)) == NULL)
			err(1, "reverse_rule: strdup");
		reverse->auth->srcid_type = rule->auth->srcid_type;
		reverse->auth->dstid_type = rule->auth->dstid_type;
		reverse->auth->type = rule->auth->type;
	}

	return reverse;
}

struct ipsec_rule *
create_ike(u_int8_t proto, struct ipsec_hosts *hosts,
    struct ike_mode *phase1mode, struct ike_mode *phase2mode, u_int8_t satype,
    u_int8_t tmode, u_int8_t mode, char *srcid, char *dstid,
    struct ike_auth *authtype, char *tag)
{
	struct ipsec_rule *r;

	r = calloc(1, sizeof(struct ipsec_rule));
	if (r == NULL)
		err(1, "create_ike: calloc");

	r->type = RULE_IKE;

	r->proto = proto;
	r->src = hosts->src;
	r->sport = hosts->sport;
	r->dst = hosts->dst;
	r->dport = hosts->dport;
	if ((hosts->sport != 0 || hosts->dport != 0) &&
	    (proto != IPPROTO_TCP && proto != IPPROTO_UDP)) {
		yyerror("no protocol supplied with source/destination ports");
		goto errout;
	}

	r->satype = satype;
	r->tmode = tmode;
	r->ikemode = mode;
	if (phase1mode) {
		r->p1xfs = phase1mode->xfs;
		r->p1life = phase1mode->life;
		r->p1ie = phase1mode->ike_exch;
	} else {
		r->p1ie = IKE_MM;
	}
	if (phase2mode) {
		if (phase2mode->xfs && phase2mode->xfs->encxf &&
		    phase2mode->xfs->encxf->noauth &&
		    phase2mode->xfs->authxf) {
			yyerror("authentication is implicit for %s",
			    phase2mode->xfs->encxf->name);
			goto errout;
		}
		r->p2xfs = phase2mode->xfs;
		r->p2life = phase2mode->life;
		r->p2ie = phase2mode->ike_exch;
	} else {
		r->p2ie = IKE_QM;
	}

	r->auth = calloc(1, sizeof(struct ipsec_auth));
	if (r->auth == NULL)
		err(1, "create_ike: calloc");
	r->auth->srcid = srcid;
	r->auth->dstid = dstid;
	r->auth->srcid_type = get_id_type(srcid);
	r->auth->dstid_type = get_id_type(dstid);
	r->ikeauth = calloc(1, sizeof(struct ike_auth));
	if (r->ikeauth == NULL)
		err(1, "create_ike: calloc");
	r->ikeauth->type = authtype->type;
	r->ikeauth->string = authtype->string;
	r->tag = tag;

	return (r);

errout:
	free(r);
	free(hosts->src);
	hosts->src = NULL;
	free(hosts->dst);
	hosts->dst = NULL;
	if (phase1mode) {
		free(phase1mode->xfs);
		phase1mode->xfs = NULL;
		free(phase1mode->life);
		phase1mode->life = NULL;
	}
	if (phase2mode) {
		free(phase2mode->xfs);
		phase2mode->xfs = NULL;
		free(phase2mode->life);
		phase2mode->life = NULL;
	}
	if (srcid)
		free(srcid);
	if (dstid)
		free(dstid);
	return NULL;
}
#line 2628 "parse.c"
/* allocate initial stack or double stack size, up to YYMAXDEPTH */
static int yygrowstack(void)
{
    unsigned int newsize;
    long sslen;
    short *newss;
    YYSTYPE *newvs;

    if ((newsize = yystacksize) == 0)
        newsize = YYINITSTACKSIZE;
    else if (newsize >= YYMAXDEPTH)
        return -1;
    else if ((newsize *= 2) > YYMAXDEPTH)
        newsize = YYMAXDEPTH;
    sslen = yyssp - yyss;
#ifdef SIZE_MAX
#define YY_SIZE_MAX SIZE_MAX
#else
#define YY_SIZE_MAX 0xffffffffU
#endif
    if (newsize && YY_SIZE_MAX / newsize < sizeof *newss)
        goto bail;
    newss = yyss ? (short *)realloc(yyss, newsize * sizeof *newss) :
      (short *)malloc(newsize * sizeof *newss); /* overflow check above */
    if (newss == NULL)
        goto bail;
    yyss = newss;
    yyssp = newss + sslen;
    if (newsize && YY_SIZE_MAX / newsize < sizeof *newvs)
        goto bail;
    newvs = yyvs ? (YYSTYPE *)realloc(yyvs, newsize * sizeof *newvs) :
      (YYSTYPE *)malloc(newsize * sizeof *newvs); /* overflow check above */
    if (newvs == NULL)
        goto bail;
    yyvs = newvs;
    yyvsp = newvs + sslen;
    yystacksize = newsize;
    yysslim = yyss + newsize - 1;
    return 0;
bail:
    if (yyss)
            free(yyss);
    if (yyvs)
            free(yyvs);
    yyss = yyssp = NULL;
    yyvs = yyvsp = NULL;
    yystacksize = 0;
    return -1;
}

#define YYABORT goto yyabort
#define YYREJECT goto yyabort
#define YYACCEPT goto yyaccept
#define YYERROR goto yyerrlab
int
yyparse(void)
{
    int yym, yyn, yystate;
#if YYDEBUG
    const char *yys;

    if ((yys = getenv("YYDEBUG")))
    {
        yyn = *yys;
        if (yyn >= '0' && yyn <= '9')
            yydebug = yyn - '0';
    }
#endif /* YYDEBUG */

    yynerrs = 0;
    yyerrflag = 0;
    yychar = (-1);

    if (yyss == NULL && yygrowstack()) goto yyoverflow;
    yyssp = yyss;
    yyvsp = yyvs;
    *yyssp = yystate = 0;

yyloop:
    if ((yyn = yydefred[yystate]) != 0) goto yyreduce;
    if (yychar < 0)
    {
        if ((yychar = yylex()) < 0) yychar = 0;
#if YYDEBUG
        if (yydebug)
        {
            yys = 0;
            if (yychar <= YYMAXTOKEN) yys = yyname[yychar];
            if (!yys) yys = "illegal-symbol";
            printf("%sdebug: state %d, reading %d (%s)\n",
                    YYPREFIX, yystate, yychar, yys);
        }
#endif
    }
    if ((yyn = yysindex[yystate]) && (yyn += yychar) >= 0 &&
            yyn <= YYTABLESIZE && yycheck[yyn] == yychar)
    {
#if YYDEBUG
        if (yydebug)
            printf("%sdebug: state %d, shifting to state %d\n",
                    YYPREFIX, yystate, yytable[yyn]);
#endif
        if (yyssp >= yysslim && yygrowstack())
        {
            goto yyoverflow;
        }
        *++yyssp = yystate = yytable[yyn];
        *++yyvsp = yylval;
        yychar = (-1);
        if (yyerrflag > 0)  --yyerrflag;
        goto yyloop;
    }
    if ((yyn = yyrindex[yystate]) && (yyn += yychar) >= 0 &&
            yyn <= YYTABLESIZE && yycheck[yyn] == yychar)
    {
        yyn = yytable[yyn];
        goto yyreduce;
    }
    if (yyerrflag) goto yyinrecovery;
#if defined(__GNUC__)
    goto yynewerror;
#endif
yynewerror:
    yyerror("syntax error");
#if defined(__GNUC__)
    goto yyerrlab;
#endif
yyerrlab:
    ++yynerrs;
yyinrecovery:
    if (yyerrflag < 3)
    {
        yyerrflag = 3;
        for (;;)
        {
            if ((yyn = yysindex[*yyssp]) && (yyn += YYERRCODE) >= 0 &&
                    yyn <= YYTABLESIZE && yycheck[yyn] == YYERRCODE)
            {
#if YYDEBUG
                if (yydebug)
                    printf("%sdebug: state %d, error recovery shifting\
 to state %d\n", YYPREFIX, *yyssp, yytable[yyn]);
#endif
                if (yyssp >= yysslim && yygrowstack())
                {
                    goto yyoverflow;
                }
                *++yyssp = yystate = yytable[yyn];
                *++yyvsp = yylval;
                goto yyloop;
            }
            else
            {
#if YYDEBUG
                if (yydebug)
                    printf("%sdebug: error recovery discarding state %d\n",
                            YYPREFIX, *yyssp);
#endif
                if (yyssp <= yyss) goto yyabort;
                --yyssp;
                --yyvsp;
            }
        }
    }
    else
    {
        if (yychar == 0) goto yyabort;
#if YYDEBUG
        if (yydebug)
        {
            yys = 0;
            if (yychar <= YYMAXTOKEN) yys = yyname[yychar];
            if (!yys) yys = "illegal-symbol";
            printf("%sdebug: state %d, error recovery discards token %d (%s)\n",
                    YYPREFIX, yystate, yychar, yys);
        }
#endif
        yychar = (-1);
        goto yyloop;
    }
yyreduce:
#if YYDEBUG
    if (yydebug)
        printf("%sdebug: state %d, reducing by rule %d (%s)\n",
                YYPREFIX, yystate, yyn, yyrule[yyn]);
#endif
    yym = yylen[yyn];
    if (yym)
        yyval = yyvsp[1-yym];
    else
        memset(&yyval, 0, sizeof yyval);
    switch (yyn)
    {
case 9:
#line 324 "parse.y"
{ file->errors++; }
break;
case 12:
#line 331 "parse.y"
{
			struct file	*nfile;

			if ((nfile = pushfile(yyvsp[0].v.string, 0)) == NULL) {
				yyerror("failed to include file %s", yyvsp[0].v.string);
				free(yyvsp[0].v.string);
				YYERROR;
			}
			free(yyvsp[0].v.string);

			file = nfile;
			lungetc('\n');
		}
break;
case 13:
#line 346 "parse.y"
{
			struct ipsec_rule	*r;

			r = create_sa(IPSEC_TCPMD5, IPSEC_TRANSPORT, &yyvsp[-2].v.hosts,
			    yyvsp[-1].v.spis.spiout, NULL, yyvsp[0].v.authkeys.keyout, NULL);
			if (r == NULL)
				YYERROR;

			if (expand_rule(r, NULL, 0, yyvsp[-1].v.spis.spiin, yyvsp[0].v.authkeys.keyin, NULL,
			    NULL))
				errx(1, "tcpmd5rule: expand_rule");
		}
break;
case 14:
#line 361 "parse.y"
{
			struct ipsec_rule	*r;

			r = create_sa(yyvsp[-7].v.satype, yyvsp[-6].v.tmode, &yyvsp[-5].v.hosts, yyvsp[-4].v.spis.spiout, yyvsp[-3].v.transforms, yyvsp[-2].v.authkeys.keyout,
			    yyvsp[-1].v.enckeys.keyout);
			if (r == NULL)
				YYERROR;

			if (expand_rule(r, NULL, 0, yyvsp[-4].v.spis.spiin, yyvsp[-2].v.authkeys.keyin,
			    yyvsp[-1].v.enckeys.keyin, yyvsp[0].v.string))
				errx(1, "sarule: expand_rule");
		}
break;
case 15:
#line 375 "parse.y"
{
			struct ipsec_rule	*r;

			r = create_flow(yyvsp[-5].v.dir, yyvsp[-4].v.proto, &yyvsp[-3].v.hosts, yyvsp[-6].v.satype, yyvsp[-1].v.ids.srcid,
			    yyvsp[-1].v.ids.dstid, yyvsp[0].v.type);
			if (r == NULL)
				YYERROR;

			if (expand_rule(r, &yyvsp[-2].v.peers, yyvsp[-5].v.dir, 0, NULL, NULL, NULL))
				errx(1, "flowrule: expand_rule");
		}
break;
case 16:
#line 389 "parse.y"
{
			struct ipsec_rule	*r;

			r = create_ike(yyvsp[-7].v.proto, &yyvsp[-6].v.hosts, yyvsp[-4].v.mode, yyvsp[-3].v.mode, yyvsp[-9].v.satype, yyvsp[-8].v.tmode, yyvsp[-10].v.ikemode,
			    yyvsp[-2].v.ids.srcid, yyvsp[-2].v.ids.dstid, &yyvsp[-1].v.ikeauth, yyvsp[0].v.string);
			if (r == NULL)
				YYERROR;

			if (expand_rule(r, &yyvsp[-5].v.peers, 0, 0, NULL, NULL, NULL))
				errx(1, "ikerule: expand_rule");
		}
break;
case 17:
#line 402 "parse.y"
{ yyval.v.satype = IPSEC_ESP; }
break;
case 18:
#line 403 "parse.y"
{ yyval.v.satype = IPSEC_ESP; }
break;
case 19:
#line 404 "parse.y"
{ yyval.v.satype = IPSEC_AH; }
break;
case 20:
#line 405 "parse.y"
{ yyval.v.satype = IPSEC_IPCOMP; }
break;
case 21:
#line 406 "parse.y"
{ yyval.v.satype = IPSEC_IPIP; }
break;
case 22:
#line 409 "parse.y"
{ yyval.v.proto = 0; }
break;
case 23:
#line 410 "parse.y"
{ yyval.v.proto = yyvsp[0].v.number; }
break;
case 24:
#line 411 "parse.y"
{ yyval.v.proto = IPPROTO_ESP; }
break;
case 25:
#line 412 "parse.y"
{ yyval.v.proto = IPPROTO_AH; }
break;
case 26:
#line 415 "parse.y"
{
			struct protoent *p;

			p = getprotobyname(yyvsp[0].v.string);
			if (p == NULL) {
				yyerror("unknown protocol: %s", yyvsp[0].v.string);
				YYERROR;
			}
			yyval.v.number = p->p_proto;
			free(yyvsp[0].v.string);
		}
break;
case 27:
#line 426 "parse.y"
{
			if (yyvsp[0].v.number > 255 || yyvsp[0].v.number < 0) {
				yyerror("protocol outside range");
				YYERROR;
			}
		}
break;
case 28:
#line 434 "parse.y"
{ yyval.v.tmode = IPSEC_TUNNEL; }
break;
case 29:
#line 435 "parse.y"
{ yyval.v.tmode = IPSEC_TUNNEL; }
break;
case 30:
#line 436 "parse.y"
{ yyval.v.tmode = IPSEC_TRANSPORT; }
break;
case 31:
#line 439 "parse.y"
{ yyval.v.dir = IPSEC_INOUT; }
break;
case 32:
#line 440 "parse.y"
{ yyval.v.dir = IPSEC_IN; }
break;
case 33:
#line 441 "parse.y"
{ yyval.v.dir = IPSEC_OUT; }
break;
case 34:
#line 444 "parse.y"
{
			struct ipsec_addr_wrap *ipa;
			for (ipa = yyvsp[-1].v.host; ipa; ipa = ipa->next) {
				if (ipa->srcnat) {
					yyerror("no flow NAT support for"
					    " destination network: %s", ipa->name);
					YYERROR;
				}
			}
			yyval.v.hosts.src = yyvsp[-4].v.host;
			yyval.v.hosts.sport = yyvsp[-3].v.port;
			yyval.v.hosts.dst = yyvsp[-1].v.host;
			yyval.v.hosts.dport = yyvsp[0].v.port;
		}
break;
case 35:
#line 458 "parse.y"
{
			struct ipsec_addr_wrap *ipa;
			for (ipa = yyvsp[-4].v.host; ipa; ipa = ipa->next) {
				if (ipa->srcnat) {
					yyerror("no flow NAT support for"
					    " destination network: %s", ipa->name);
					YYERROR;
				}
			}
			yyval.v.hosts.src = yyvsp[-1].v.host;
			yyval.v.hosts.sport = yyvsp[0].v.port;
			yyval.v.hosts.dst = yyvsp[-4].v.host;
			yyval.v.hosts.dport = yyvsp[-3].v.port;
		}
break;
case 36:
#line 474 "parse.y"
{ yyval.v.port = 0; }
break;
case 37:
#line 475 "parse.y"
{ yyval.v.port = yyvsp[0].v.number; }
break;
case 38:
#line 478 "parse.y"
{
			struct servent *s;

			if ((s = getservbyname(yyvsp[0].v.string, "tcp")) != NULL ||
			    (s = getservbyname(yyvsp[0].v.string, "udp")) != NULL) {
				yyval.v.number = s->s_port;
			} else {
				yyerror("unknown port: %s", yyvsp[0].v.string);
				YYERROR;
			}
		}
break;
case 39:
#line 489 "parse.y"
{
			if (yyvsp[0].v.number > USHRT_MAX || yyvsp[0].v.number < 0) {
				yyerror("port outside range");
				YYERROR;
			}
			yyval.v.number = htons(yyvsp[0].v.number);
		}
break;
case 40:
#line 498 "parse.y"
{
			yyval.v.peers.dst = NULL;
			yyval.v.peers.src = NULL;
		}
break;
case 41:
#line 502 "parse.y"
{
			yyval.v.peers.dst = yyvsp[-2].v.anyhost;
			yyval.v.peers.src = yyvsp[0].v.singlehost;
		}
break;
case 42:
#line 506 "parse.y"
{
			yyval.v.peers.dst = yyvsp[0].v.anyhost;
			yyval.v.peers.src = yyvsp[-2].v.singlehost;
		}
break;
case 43:
#line 510 "parse.y"
{
			yyval.v.peers.dst = yyvsp[0].v.anyhost;
			yyval.v.peers.src = NULL;
		}
break;
case 44:
#line 514 "parse.y"
{
			yyval.v.peers.dst = NULL;
			yyval.v.peers.src = yyvsp[0].v.singlehost;
		}
break;
case 45:
#line 520 "parse.y"
{ yyval.v.anyhost = yyvsp[0].v.singlehost; }
break;
case 46:
#line 521 "parse.y"
{
			yyval.v.anyhost = host_any();
		}
break;
case 47:
#line 525 "parse.y"
{ yyval.v.singlehost = NULL; }
break;
case 48:
#line 526 "parse.y"
{
			if ((yyval.v.singlehost = host(yyvsp[0].v.string)) == NULL) {
				free(yyvsp[0].v.string);
				yyerror("could not parse host specification");
				YYERROR;
			}
			free(yyvsp[0].v.string);
		}
break;
case 49:
#line 536 "parse.y"
{ yyval.v.host = yyvsp[0].v.host; }
break;
case 50:
#line 537 "parse.y"
{
			if (yyvsp[0].v.host == NULL)
				yyval.v.host = yyvsp[-2].v.host;
			else if (yyvsp[-2].v.host == NULL)
				yyval.v.host = yyvsp[0].v.host;
			else {
				yyvsp[-2].v.host->tail->next = yyvsp[0].v.host;
				yyvsp[-2].v.host->tail = yyvsp[0].v.host->tail;
				yyval.v.host = yyvsp[-2].v.host;
			}
		}
break;
case 51:
#line 550 "parse.y"
{
			if ((yyval.v.host = host(yyvsp[0].v.string)) == NULL) {
				free(yyvsp[0].v.string);
				yyerror("could not parse host specification");
				YYERROR;
			}
			free(yyvsp[0].v.string);
		}
break;
case 52:
#line 558 "parse.y"
{
			char	*buf;

			if (asprintf(&buf, "%s/%lld", yyvsp[-2].v.string, yyvsp[0].v.number) == -1)
				err(1, "host: asprintf");
			free(yyvsp[-2].v.string);
			if ((yyval.v.host = host(buf)) == NULL)	{
				free(buf);
				yyerror("could not parse host specification");
				YYERROR;
			}
			free(buf);
		}
break;
case 53:
#line 573 "parse.y"
{ yyval.v.host = yyvsp[0].v.host; }
break;
case 54:
#line 574 "parse.y"
{
			if (yyvsp[-1].v.host->af != yyvsp[-3].v.host->af) {
				yyerror("Flow NAT address family mismatch");
				YYERROR;
			}
			yyval.v.host = yyvsp[-3].v.host;
			yyval.v.host->srcnat = yyvsp[-1].v.host;
		}
break;
case 55:
#line 582 "parse.y"
{
			yyval.v.host = host_any();
		}
break;
case 56:
#line 585 "parse.y"
{ yyval.v.host = yyvsp[-1].v.host; }
break;
case 57:
#line 588 "parse.y"
{
			yyval.v.ids.srcid = NULL;
			yyval.v.ids.dstid = NULL;
		}
break;
case 58:
#line 592 "parse.y"
{
			yyval.v.ids.srcid = yyvsp[-2].v.id;
			yyval.v.ids.dstid = yyvsp[0].v.id;
		}
break;
case 59:
#line 596 "parse.y"
{
			yyval.v.ids.srcid = yyvsp[0].v.id;
			yyval.v.ids.dstid = NULL;
		}
break;
case 60:
#line 600 "parse.y"
{
			yyval.v.ids.srcid = NULL;
			yyval.v.ids.dstid = yyvsp[0].v.id;
		}
break;
case 61:
#line 606 "parse.y"
{
			yyval.v.type = TYPE_UNKNOWN;
		}
break;
case 62:
#line 609 "parse.y"
{
			yyval.v.type = TYPE_USE;
		}
break;
case 63:
#line 612 "parse.y"
{
			yyval.v.type = TYPE_ACQUIRE;
		}
break;
case 64:
#line 615 "parse.y"
{
			yyval.v.type = TYPE_REQUIRE;
		}
break;
case 65:
#line 618 "parse.y"
{
			yyval.v.type = TYPE_DENY;
		}
break;
case 66:
#line 621 "parse.y"
{
			yyval.v.type = TYPE_BYPASS;
		}
break;
case 67:
#line 624 "parse.y"
{
			yyval.v.type = TYPE_DONTACQ;
		}
break;
case 68:
#line 629 "parse.y"
{ yyval.v.id = yyvsp[0].v.string; }
break;
case 69:
#line 632 "parse.y"
{
			u_int32_t	 spi;
			char		*p = strchr(yyvsp[0].v.string, ':');

			if (p != NULL) {
				*p++ = 0;

				if (atospi(p, &spi) == -1) {
					free(yyvsp[0].v.string);
					YYERROR;
				}
				yyval.v.spis.spiin = spi;
			} else
				yyval.v.spis.spiin = 0;

			if (atospi(yyvsp[0].v.string, &spi) == -1) {
				free(yyvsp[0].v.string);
				YYERROR;
			}
			yyval.v.spis.spiout = spi;


			free(yyvsp[0].v.string);
		}
break;
case 70:
#line 656 "parse.y"
{
			if (yyvsp[0].v.number > UINT_MAX || yyvsp[0].v.number < 0) {
				yyerror("%lld not a valid spi", yyvsp[0].v.number);
				YYERROR;
			}
			if (yyvsp[0].v.number >= SPI_RESERVED_MIN && yyvsp[0].v.number <= SPI_RESERVED_MAX) {
				yyerror("%lld within reserved spi range", yyvsp[0].v.number);
				YYERROR;
			}

			yyval.v.spis.spiin = 0;
			yyval.v.spis.spiout = yyvsp[0].v.number;
		}
break;
case 71:
#line 671 "parse.y"
{
			if ((ipsec_transforms = calloc(1,
			    sizeof(struct ipsec_transforms))) == NULL)
				err(1, "transforms: calloc");
		}
break;
case 72:
#line 677 "parse.y"
{ yyval.v.transforms = ipsec_transforms; }
break;
case 73:
#line 678 "parse.y"
{
			if ((yyval.v.transforms = calloc(1,
			    sizeof(struct ipsec_transforms))) == NULL)
				err(1, "transforms: calloc");
		}
break;
case 76:
#line 689 "parse.y"
{
			if (ipsec_transforms->authxf)
				yyerror("auth already set");
			else {
				ipsec_transforms->authxf = parse_xf(yyvsp[0].v.string,
				    authxfs);
				if (!ipsec_transforms->authxf)
					yyerror("%s not a valid transform", yyvsp[0].v.string);
			}
		}
break;
case 77:
#line 699 "parse.y"
{
			if (ipsec_transforms->encxf)
				yyerror("enc already set");
			else {
				ipsec_transforms->encxf = parse_xf(yyvsp[0].v.string, encxfs);
				if (!ipsec_transforms->encxf)
					yyerror("%s not a valid transform", yyvsp[0].v.string);
			}
		}
break;
case 78:
#line 708 "parse.y"
{
			if (ipsec_transforms->compxf)
				yyerror("comp already set");
			else {
				ipsec_transforms->compxf = parse_xf(yyvsp[0].v.string,
				    compxfs);
				if (!ipsec_transforms->compxf)
					yyerror("%s not a valid transform", yyvsp[0].v.string);
			}
		}
break;
case 79:
#line 718 "parse.y"
{
			if (ipsec_transforms->groupxf)
				yyerror("group already set");
			else {
				ipsec_transforms->groupxf = parse_xf(yyvsp[0].v.string,
				    groupxfs);
				if (!ipsec_transforms->groupxf)
					yyerror("%s not a valid transform", yyvsp[0].v.string);
			}
		}
break;
case 80:
#line 730 "parse.y"
{
			struct ike_mode		*p1;

			/* We create just an empty main mode */
			if ((p1 = calloc(1, sizeof(struct ike_mode))) == NULL)
				err(1, "phase1mode: calloc");
			p1->ike_exch = IKE_MM;
			yyval.v.mode = p1;
		}
break;
case 81:
#line 739 "parse.y"
{
			struct ike_mode *p1;

			if ((p1 = calloc(1, sizeof(struct ike_mode))) == NULL)
				err(1, "phase1mode: calloc");
			p1->xfs = yyvsp[-1].v.transforms;
			p1->life = yyvsp[0].v.life;
			p1->ike_exch = IKE_MM;
			yyval.v.mode = p1;
		}
break;
case 82:
#line 749 "parse.y"
{
			struct ike_mode	*p1;

			if ((p1 = calloc(1, sizeof(struct ike_mode))) == NULL)
				err(1, "phase1mode: calloc");
			p1->xfs = yyvsp[-1].v.transforms;
			p1->life = yyvsp[0].v.life;
			p1->ike_exch = IKE_AM;
			yyval.v.mode = p1;
		}
break;
case 83:
#line 761 "parse.y"
{
			struct ike_mode		*p2;

			/* We create just an empty quick mode */
			if ((p2 = calloc(1, sizeof(struct ike_mode))) == NULL)
				err(1, "phase2mode: calloc");
			p2->ike_exch = IKE_QM;
			yyval.v.mode = p2;
		}
break;
case 84:
#line 770 "parse.y"
{
			struct ike_mode	*p2;

			if ((p2 = calloc(1, sizeof(struct ike_mode))) == NULL)
				err(1, "phase2mode: calloc");
			p2->xfs = yyvsp[-1].v.transforms;
			p2->life = yyvsp[0].v.life;
			p2->ike_exch = IKE_QM;
			yyval.v.mode = p2;
		}
break;
case 85:
#line 782 "parse.y"
{
			struct ipsec_lifetime *life;

			/* We create just an empty transform */
			if ((life = calloc(1, sizeof(struct ipsec_lifetime)))
			    == NULL)
				err(1, "life: calloc");
			life->lt_seconds = -1;
			life->lt_bytes = -1;
			yyval.v.life = life;
		}
break;
case 86:
#line 793 "parse.y"
{
			struct ipsec_lifetime *life;

			if ((life = calloc(1, sizeof(struct ipsec_lifetime)))
			    == NULL)
				err(1, "life: calloc");
			life->lt_seconds = yyvsp[0].v.number;
			life->lt_bytes = -1;
			yyval.v.life = life;
		}
break;
case 87:
#line 803 "parse.y"
{
			yyval.v.life = parse_life(yyvsp[0].v.string);
		}
break;
case 88:
#line 808 "parse.y"
{
			yyval.v.authkeys.keyout = NULL;
			yyval.v.authkeys.keyin = NULL;
		}
break;
case 89:
#line 812 "parse.y"
{
			yyval.v.authkeys.keyout = yyvsp[0].v.keys.keyout;
			yyval.v.authkeys.keyin = yyvsp[0].v.keys.keyin;
		}
break;
case 90:
#line 818 "parse.y"
{
			yyval.v.enckeys.keyout = NULL;
			yyval.v.enckeys.keyin = NULL;
		}
break;
case 91:
#line 822 "parse.y"
{
			yyval.v.enckeys.keyout = yyvsp[0].v.keys.keyout;
			yyval.v.enckeys.keyin = yyvsp[0].v.keys.keyin;
		}
break;
case 92:
#line 828 "parse.y"
{ yyval.v.string = NULL; }
break;
case 93:
#line 829 "parse.y"
{ yyval.v.string = yyvsp[0].v.string; }
break;
case 94:
#line 832 "parse.y"
{
			unsigned char	*hex;
			unsigned char	*p = strchr(yyvsp[0].v.string, ':');

			if (p != NULL ) {
				*p++ = 0;

				if (!strncmp(p, "0x", 2))
					p += 2;
				yyval.v.keys.keyin = parsekey(p, strlen(p));
			} else
				yyval.v.keys.keyin = NULL;

			hex = yyvsp[0].v.string;
			if (!strncmp(hex, "0x", 2))
				hex += 2;
			yyval.v.keys.keyout = parsekey(hex, strlen(hex));

			free(yyvsp[0].v.string);
		}
break;
case 95:
#line 852 "parse.y"
{
			unsigned char	*p = strchr(yyvsp[0].v.string, ':');

			if (p != NULL) {
				*p++ = 0;
				yyval.v.keys.keyin = parsekeyfile(p);
			}
			yyval.v.keys.keyout = parsekeyfile(yyvsp[0].v.string);
			free(yyvsp[0].v.string);
		}
break;
case 96:
#line 864 "parse.y"
{ yyval.v.ikemode = IKE_ACTIVE; }
break;
case 97:
#line 865 "parse.y"
{ yyval.v.ikemode = IKE_PASSIVE; }
break;
case 98:
#line 866 "parse.y"
{ yyval.v.ikemode = IKE_DYNAMIC; }
break;
case 99:
#line 867 "parse.y"
{ yyval.v.ikemode = IKE_ACTIVE; }
break;
case 100:
#line 870 "parse.y"
{
			yyval.v.ikeauth.type = IKE_AUTH_RSA;
			yyval.v.ikeauth.string = NULL;
		}
break;
case 101:
#line 874 "parse.y"
{
			yyval.v.ikeauth.type = IKE_AUTH_RSA;
			yyval.v.ikeauth.string = NULL;
		}
break;
case 102:
#line 878 "parse.y"
{
			yyval.v.ikeauth.type = IKE_AUTH_PSK;
			if ((yyval.v.ikeauth.string = strdup(yyvsp[0].v.string)) == NULL)
				err(1, "ikeauth: strdup");
		}
break;
case 103:
#line 886 "parse.y"
{
			yyval.v.string = NULL;
		}
break;
case 104:
#line 890 "parse.y"
{
			yyval.v.string = yyvsp[0].v.string;
		}
break;
case 105:
#line 896 "parse.y"
{
			if (asprintf(&yyval.v.string, "%s %s", yyvsp[-1].v.string, yyvsp[0].v.string) == -1)
				err(1, "string: asprintf");
			free(yyvsp[-1].v.string);
			free(yyvsp[0].v.string);
		}
break;
case 107:
#line 906 "parse.y"
{
			char *s = yyvsp[-2].v.string;
			if (ipsec->opts & IPSECCTL_OPT_VERBOSE)
				printf("%s = \"%s\"\n", yyvsp[-2].v.string, yyvsp[0].v.string);
			while (*s++) {
				if (isspace((unsigned char)*s)) {
					yyerror("macro name cannot contain "
					    "whitespace");
					YYERROR;
				}
			}
			if (symset(yyvsp[-2].v.string, yyvsp[0].v.string, 0) == -1)
				err(1, "cannot store variable");
			free(yyvsp[-2].v.string);
			free(yyvsp[0].v.string);
		}
break;
#line 3613 "parse.c"
    }
    yyssp -= yym;
    yystate = *yyssp;
    yyvsp -= yym;
    yym = yylhs[yyn];
    if (yystate == 0 && yym == 0)
    {
#if YYDEBUG
        if (yydebug)
            printf("%sdebug: after reduction, shifting from state 0 to\
 state %d\n", YYPREFIX, YYFINAL);
#endif
        yystate = YYFINAL;
        *++yyssp = YYFINAL;
        *++yyvsp = yyval;
        if (yychar < 0)
        {
            if ((yychar = yylex()) < 0) yychar = 0;
#if YYDEBUG
            if (yydebug)
            {
                yys = 0;
                if (yychar <= YYMAXTOKEN) yys = yyname[yychar];
                if (!yys) yys = "illegal-symbol";
                printf("%sdebug: state %d, reading %d (%s)\n",
                        YYPREFIX, YYFINAL, yychar, yys);
            }
#endif
        }
        if (yychar == 0) goto yyaccept;
        goto yyloop;
    }
    if ((yyn = yygindex[yym]) && (yyn += yystate) >= 0 &&
            yyn <= YYTABLESIZE && yycheck[yyn] == yystate)
        yystate = yytable[yyn];
    else
        yystate = yydgoto[yym];
#if YYDEBUG
    if (yydebug)
        printf("%sdebug: after reduction, shifting from state %d \
to state %d\n", YYPREFIX, *yyssp, yystate);
#endif
    if (yyssp >= yysslim && yygrowstack())
    {
        goto yyoverflow;
    }
    *++yyssp = yystate;
    *++yyvsp = yyval;
    goto yyloop;
yyoverflow:
    yyerror("yacc stack overflow");
yyabort:
    if (yyss)
            free(yyss);
    if (yyvs)
            free(yyvs);
    yyss = yyssp = NULL;
    yyvs = yyvsp = NULL;
    yystacksize = 0;
    return (1);
yyaccept:
    if (yyss)
            free(yyss);
    if (yyvs)
            free(yyvs);
    yyss = yyssp = NULL;
    yyvs = yyvsp = NULL;
    yystacksize = 0;
    return (0);
}

Generated by: GCOVR (Version 3.3)