Import v3.4.8 into -current

Darren Reed 2000-07-19 13:52:47 +00:00
parent 933f6f74ee
commit 02aea5e854
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/vendor/ipfilter/dist/; revision=63516
33 changed files with 960 additions and 189 deletions


@ -15,12 +15,17 @@ foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
chmod 644 /sys/netinet/$i
end
echo ""
echo "Patching $archdir/$karch/conf.c"
cat FreeBSD/conf.c.diffs | (cd $archdir/$karch; patch)
echo "Patching ip_input.c, ip_output.c and in_proto.c"
cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \
(cd /sys/netinet; patch)
grep iplopen $archdir/$karch/conf.c >& /dev/null
if ( $status != 0 ) then
echo "Patching $archdir/$karch/conf.c"
cat FreeBSD/conf.c.diffs | (cd $archdir/$karch; patch)
endif
grep fr_checkp /sys/netinet/ip_input.c >& /dev/null
if ( $status != 0 ) then
echo "Patching ip_input.c, ip_output.c and in_proto.c"
cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \
(cd /sys/netinet; patch)
endif
if ( -f /sys/conf/files.newconf ) then
echo "Patching /sys/conf/files.newconf"
cat FreeBSD/files.newconf.diffs | (cd /sys/conf; patch)
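Review bot: The second guard greps only ip_input.c for `fr_checkp`, yet it gates the patches for ip_input.c, ip_output.c and in_proto.c together. If ip_input.c patched cleanly on an earlier run and one of the other two did not, every later run skips all three and prints nothing. Neither `patch` invocation has its exit status checked; testing `$status` after each one and stopping with a message would make a partial application visible before a kernel is built from it. The script continues outside this hunk.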


@ -20,6 +20,55 @@
# and especially those who have found the time to port IP Filter to new
# platforms.
#
3.4.8 19/07/2000 - Released
create fake opt_inet6.h for FreeBSD-4 compile as LKM
add #ifdef's for KLD_MODULE sanity
NAT fastroute'd packets which come out of return-*
fix upper/lower case crap in ftp proxy and get seq# checking fixed up.
3.4.7 08/07/2000 - Released
make "ipf -y" lookup NAT if's which are unknown
prepend line numbers to ioctl error messages in ipf/ipnat
don't apply patches to FreeBSD twice
allow for ip_len to be on an unaligned boundary early on in fr_precheck
fix printing of icmp code when it is 0
correct printing of port numbers in map rules with from/to
don't allow fr_func to be called at securelevel > 0 or rules to be added
if securelevel > 0 if they have a non-zero fr_func.
3.4.6 11/06/2000 - Released
add extra regression tests for new nat functionality
place restrictions on using '!' in map/rdr rules
fix up solaris compile problems
3.4.5 10/06/2000 - Released
mention -sl in ipfstat.8
fix/support '!' in from/to rules (rdr) for NAT
add from/to support to rdr NAT rules
don't send ICMP errors in response to ICMP errors
fix sunos5 compilation for "ipfstat-top" and cleanup ipfboot
input accounting list used for both outbound and inbound packets
3.4.4 23/05/2000 - Released
don't add TCP state if it is an RST packet and (attempt) to send out


@ -5,7 +5,7 @@
# provided that this notice is preserved and due credit is given
# to the original author and the contributors.
#
# $Id: Makefile,v 2.11.2.1 2000/04/26 12:14:58 darrenr Exp $
# $Id: Makefile,v 2.11.2.2 2000/07/18 13:58:10 darrenr Exp $
#
BINDEST=/usr/local/bin
SBINDEST=/sbin
@ -126,6 +126,11 @@ freebsd22: include
make freebsd
freebsd4: include
if [ x$INET6 = x ] ; then \
echo "#undef INET6" > opt_inet6.h; \
else \
echo "#define INET6" > opt_inet6.h; \
fi
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlfk_ipl.c" "MLD=mlfk_ipl.c" "LKM=ipf.ko" "DLKM=-DKLD_MODULE"; cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS1); cd ..)
@ -181,7 +186,7 @@ setup:
clean: clean-include
${RM} -f core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl \
vnode_if.h $(LKM) *~
vnode_if.h $(LKM) *~ opt_inet6.h
(cd SunOS4; make clean)
(cd SunOS5; make clean)
(cd BSD; make clean)
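Review bot: In the new `freebsd4` recipe, `x$INET6` is expanded by make before the shell runs: `$I` is read as a one-letter make variable, so the shell normally sees `xNET6`. Unless the real file writes `$$INET6` or `$(INET6)` and the rendering here has lost it, the test never equals `x` and the recipe always writes `#define INET6`. The line should read `if [ x$(INET6) = x ] ; then \` (or `x$$INET6` to read the environment). Removing opt_inet6.h in `clean` is consistent with generating it here.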


@ -7,13 +7,9 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.8 2000/05/22 10:26:09 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.18 2000/07/19 13:13:40 darrenr Exp $";
#endif
#if defined(_KERNEL) && defined(__FreeBSD_version) && \
(__FreeBSD_version >= 400000) && !defined(KLD_MODULE)
#include "opt_inet6.h"
#endif
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/param.h>
@ -25,6 +21,14 @@ static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.8 2000/05/22 10:26:09 darre
#endif
#if (defined(KERNEL) || defined(_KERNEL)) && defined(__FreeBSD_version) && \
(__FreeBSD_version >= 220000)
# if (__FreeBSD_version >= 400000)
# ifndef KLD_MODULE
# include "opt_inet6.h"
# endif
# if (__FreeBSD_version == 400019)
# define CSUM_DELAY_DATA
# endif
# endif
# include <sys/filio.h>
# include <sys/fcntl.h>
#else
@ -115,10 +119,8 @@ extern kmutex_t ipf_rw;
# if SOLARIS
# define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, \
ip, qif)
# define SEND_RESET(ip, qif, if, fin) send_reset(fin, ip, qif)
# else /* SOLARIS */
# define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, ip)
# define SEND_RESET(ip, qif, if, fin) send_reset(fin, ip)
# endif /* SOLARIS || __sgi */
#endif /* _KERNEL */
@ -659,8 +661,11 @@ void *m;
* Just log this packet...
*/
passt = fr->fr_flags;
if ((passt & FR_CALLNOW) && fr->fr_func)
passt = (*fr->fr_func)(passt, ip, fin);
#if (BSD >= 199306) && (defined(_KERNEL) || defined(KERNEL))
if (securelevel <= 0)
#endif
if ((passt & FR_CALLNOW) && fr->fr_func)
passt = (*fr->fr_func)(passt, ip, fin);
fin->fin_fr = fr;
#ifdef IPFILTER_LOG
if ((passt & FR_LOGMASK) == FR_LOG) {
@ -965,8 +970,11 @@ int out;
pass &= ~(FR_LOGFIRST|FR_LOG);
}
if (fr && fr->fr_func && !(pass & FR_CALLNOW))
pass = (*fr->fr_func)(pass, ip, fin);
#if (BSD >= 199306) && (defined(_KERNEL) || defined(KERNEL))
if (securelevel <= 0)
#endif
if (fr && fr->fr_func && !(pass & FR_CALLNOW))
pass = (*fr->fr_func)(pass, ip, fin);
/*
* Only count/translate packets which will be passed on, out the
@ -975,10 +983,10 @@ int out;
if (out && (pass & FR_PASS)) {
#ifdef USE_INET6
if (v == 6)
list = ipacct6[0][fr_active];
list = ipacct6[1][fr_active];
else
#endif
list = ipacct[0][fr_active];
list = ipacct[1][fr_active];
if ((fin->fin_fr = list) &&
(fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT)) {
ATOMIC_INCL(frstats[1].fr_acct);
@ -1123,11 +1131,11 @@ int out;
if (((pass & FR_FASTROUTE) && !out) ||
(fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) {
if (ipfr_fastroute(qif, ip, m, mp, fin, fdp) == 0)
if (ipfr_fastroute(ip, m, mp, fin, fdp) == 0)
m = *mp = NULL;
}
if (mc)
ipfr_fastroute(qif, ip, mc, mp, fin, &fr->fr_dif);
ipfr_fastroute(ip, mc, mp, fin, &fr->fr_dif);
}
# endif /* !SOLARIS */
return (pass & FR_PASS) ? 0 : error;
@ -1359,7 +1367,7 @@ tcphdr_t *tcp;
* SUCH DAMAGE.
*
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
* $Id: fil.c,v 2.35.2.8 2000/05/22 10:26:09 darrenr Exp $
* $Id: fil.c,v 2.35.2.18 2000/07/19 13:13:40 darrenr Exp $
*/
/*
* Copy data from an mbuf chain starting "off" bytes from the beginning,
@ -1807,6 +1815,7 @@ void frsync()
ip_natsync(ifp);
ip_statesync(ifp);
}
ip_natsync((struct ifnet *)-1);
# endif
WRITE_ENTER(&ipf_mutex);
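Review bot: In the hunks at -659 and -965 the new `if (securelevel <= 0)` sits between `#if` and `#endif` with no braces, so it governs the following `if` only by adjacency; any statement later inserted between the two changes what is guarded. Bracing the call inside the preprocessor block, or having the `#if` block clear a local flag that the call tests, would make the intent explicit. Once securelevel is above zero, a rule that carries `fr_func` is applied with its plain `fr_flags` and the callout is skipped without any trace. A comment such as `/* callouts are disabled once securelevel > 0; the rule's flags apply unchanged */` would help anyone auditing rule behaviour after the level is raised. Both functions start and end outside the hunks.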


@ -6,7 +6,7 @@
* to the original author and the contributors.
*/
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.2 2000/05/22 10:26:11 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.3 2000/06/17 06:24:31 darrenr Exp $";
#endif
#include <sys/errno.h>
@ -46,7 +46,7 @@ static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.2 2000/05/22 10:26:11 d
# include <sys/stream.h>
# include <sys/kmem.h>
#endif
#if _BSDI_VERSION >= 199802
#if (_BSDI_VERSION >= 199802) || (__FreeBSD_Version >= 400000)
# include <sys/queue.h>
#endif
#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi)
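Review bot: The added test spells the macro `__FreeBSD_Version`, while fil.c in this same commit uses `__FreeBSD_version`. An undefined identifier evaluates to 0 in `#if`, so the FreeBSD half of the condition is never true and this branch still includes `<sys/queue.h>` only for BSD/OS. The line should read `#if (_BSDI_VERSION >= 199802) || (__FreeBSD_version >= 400000)`.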


@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.9 2000/05/22 12:48:28 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.14 2000/07/18 13:57:55 darrenr Exp $";
#endif
#ifndef SOLARIS
@ -692,6 +692,10 @@ caddr_t data;
if (error)
return EFAULT;
fp->fr_ref = 0;
#if (BSD >= 199306) && defined(_KERNEL)
if ((securelevel > 0) && (fp->fr_func != NULL))
return EPERM;
#endif
/*
* Check that the group number does exist and that if a head group
@ -764,7 +768,7 @@ caddr_t data;
* interface pointer in the comparison (fr_next, fr_ifa).
*/
for (fp->fr_cksum = 0, p = (u_int *)&fp->fr_ip, pp = &fp->fr_cksum;
p != pp; p++)
p < pp; p++)
fp->fr_cksum += *p;
for (; (f = *ftail); ftail = &f->fr_next)
@ -1088,6 +1092,19 @@ int dst;
m = NULL;
ifp = fin->fin_ifp;
if (fin->fin_v == 4) {
if ((oip->ip_p == IPPROTO_ICMP) &&
!(fin->fin_fi.fi_fl & FI_SHORT))
switch (ntohs(fin->fin_data[0]) >> 8)
{
case ICMP_ECHO :
case ICMP_TSTAMP :
case ICMP_IREQ :
case ICMP_MASKREQ :
break;
default :
return 0;
}
# if (BSD < 199306) || defined(__sgi)
avail = MLEN;
m = m_get(M_DONTWAIT, MT_HEADER);
@ -1325,10 +1342,9 @@ frdest_t *fdp;
ATOMIC_INCL(frstats[1].fr_acct);
}
fin->fin_fr = NULL;
if (!fr || !(fr->fr_flags & FR_RETMASK)) {
if (!fr || !(fr->fr_flags & FR_RETMASK))
(void) fr_checkstate(ip, fin);
(void) ip_natout(ip, fin);
}
(void) ip_natout(ip, fin);
} else
ip->ip_sum = 0;
/*
@ -1585,15 +1601,29 @@ int v;
if (!ifneta) {
ifneta = (struct ifnet **)malloc(sizeof(ifp) * 2);
if (!ifneta)
return NULL;
ifneta[1] = NULL;
ifneta[0] = (struct ifnet *)calloc(1, sizeof(*ifp));
if (!ifneta[0]) {
free(ifneta);
return NULL;
}
nifs = 1;
} else {
nifs++;
ifneta = (struct ifnet **)realloc(ifneta,
(nifs + 1) * sizeof(*ifa));
if (!ifneta) {
nifs = 0;
return NULL;
}
ifneta[nifs] = NULL;
ifneta[nifs - 1] = (struct ifnet *)malloc(sizeof(*ifp));
if (!ifneta[nifs - 1]) {
nifs--;
return NULL;
}
}
ifp = ifneta[nifs - 1];
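Review bot: The new EPERM check in the -692 hunk rejects a non-NULL `fp->fr_func` only when `securelevel > 0`. At securelevel 0 or below the value is still accepted as a kernel function pointer and later called from fil.c; it appears to arrive with the rest of the rule from the ioctl argument copied in just above. Checking it against the callouts the filter actually provides and returning EINVAL otherwise would not depend on securelevel. The guard here is `defined(_KERNEL)` while the matching runtime checks in fil.c use `defined(_KERNEL) || defined(KERNEL)`, so a build that defines only `KERNEL` would get the runtime check but not this one. The function starts and ends outside the hunk.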


@ -6,7 +6,7 @@
* to the original author and the contributors.
*
* @(#)ip_fil.h 1.35 6/5/96
* $Id: ip_fil.h,v 2.29.2.2 2000/05/22 10:26:13 darrenr Exp $
* $Id: ip_fil.h,v 2.29.2.3 2000/06/05 13:12:42 darrenr Exp $
*/
#ifndef __IP_FIL_H__
@ -519,8 +519,8 @@ extern int iplioctl __P((dev_t, int, int *, int, cred_t *, int *));
extern int iplopen __P((dev_t *, int, int, cred_t *));
extern int iplclose __P((dev_t, int, int, cred_t *));
extern int ipfsync __P((void));
extern int ipfr_fastroute __P((qif_t *, ip_t *, mblk_t *, mblk_t **,
fr_info_t *, frdest_t *));
extern int ipfr_fastroute __P((ip_t *, mblk_t *, mblk_t **,
fr_info_t *, frdest_t *));
extern void copyin_mblk __P((mblk_t *, size_t, size_t, char *));
extern void copyout_mblk __P((mblk_t *, size_t, size_t, char *));
extern int fr_qin __P((queue_t *, mblk_t *));
@ -529,8 +529,6 @@ extern int iplread __P((dev_t, struct uio *, cred_t *));
# else /* SOLARIS */
extern int fr_check __P((ip_t *, int, void *, int, mb_t **));
extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
extern int send_reset __P((struct ip *, fr_info_t *));
extern int send_icmp_err __P((ip_t *, int, fr_info_t *, int));
extern int ipfr_fastroute __P((mb_t *, fr_info_t *, frdest_t *));
extern size_t mbufchainlen __P((mb_t *));
# ifdef __sgi


@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.3 2000/05/05 15:10:23 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.4 2000/06/06 15:49:15 darrenr Exp $";
#endif
#if defined(KERNEL) && !defined(_KERNEL)
@ -144,6 +144,9 @@ ipfr_t *table[];
ipfr_t **fp, *fra, frag;
u_int idx;
if (ipfr_inuse >= IPFT_SIZE)
return NULL;
frag.ipfr_p = ip->ip_p;
idx = ip->ip_p;
frag.ipfr_id = ip->ip_id;
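Review bot: The new `if (ipfr_inuse >= IPFT_SIZE) return NULL;` caps the fragment table but, within this hunk, records nothing when the cap is hit. Bumping a statistic on this path would let an operator tell a table that is being kept full apart from an ordinary allocation failure. A comment such as `/* table full: refuse new entries rather than grow without bound */` would also state the intent. The function begins before the hunk and continues after it, so a counter elsewhere in the body cannot be ruled out.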


@ -2,14 +2,17 @@
* Simple FTP transparent proxy for in-kernel use. For use with the NAT
* code.
*
* $Id: ip_ftp_pxy.c,v 2.7.2.7 2000/05/13 14:28:14 darrenr Exp $
* $Id: ip_ftp_pxy.c,v 2.7.2.12 2000/07/19 13:06:13 darrenr Exp $
*/
#if SOLARIS && defined(_KERNEL)
extern kmutex_t ipf_rw;
#endif
#define isdigit(x) ((x) >= '0' && (x) <= '9')
#define isupper(x) ((unsigned)((x) - 'A') <= 'Z' - 'A')
#define isupper(x) (((unsigned)(x) >= 'A') && ((unsigned)(x) <= 'Z'))
#define islower(x) (((unsigned)(x) >= 'a') && ((unsigned)(x) <= 'z'))
#define isalpha(x) (isupper(x) || islower(x))
#define toupper(x) (isupper(x) ? (x) : (x) - 'a' + 'A')
#define IPF_FTP_PROXY
@ -35,6 +38,7 @@ u_short ippr_ftp_atoi __P((char **));
static frentry_t natfr;
int ippr_ftp_pasvonly = 0;
int ippr_ftp_insecure = 0;
/*
@ -97,21 +101,12 @@ int dlen;
#endif
tcp = (tcphdr_t *)fin->fin_dp;
off = f->ftps_seq - ntohl(tcp->th_seq);
if (off < 0)
return 0;
/*
* Check for client sending out PORT message.
*/
if (dlen < IPF_MINPORTLEN)
return 0;
/*
* Count the number of bytes in the PORT message is.
*/
if (off < 0)
return 0;
off += fin->fin_hlen + (tcp->th_off << 2);
off = fin->fin_hlen + (tcp->th_off << 2);
/*
* Skip the PORT command + space
*/
@ -201,6 +196,10 @@ int dlen;
m_adj(m, inc);
/* the mbuf chain will be extended if necessary by m_copyback() */
m_copyback(m, off, nlen, newbuf);
# ifdef M_PKTHDR
if (!(m->m_flags & M_PKTHDR))
m->m_pkthdr.len += inc;
# endif
#endif
if (inc != 0) {
#if SOLARIS || defined(__sgi)
@ -275,27 +274,39 @@ ftpinfo_t *ftp;
ip_t *ip;
int dlen;
{
char *rptr, *wptr;
char *rptr, *wptr, cmd[6], c;
ftpside_t *f;
int inc;
int inc, i;
inc = 0;
f = &ftp->ftp_side[0];
rptr = f->ftps_rptr;
wptr = f->ftps_wptr;
if ((ftp->ftp_passok == 0) && !strncmp(rptr, "USER ", 5))
for (i = 0; (i < 5) && (i < dlen); i++) {
c = rptr[i];
if (isalpha(c)) {
cmd[i] = toupper(c);
} else {
cmd[i] = c;
}
}
cmd[i] = '\0';
if ((ftp->ftp_passok == 0) && !strncmp(cmd, "USER ", 5))
ftp->ftp_passok = 1;
else if ((ftp->ftp_passok == 2) && !strncmp(rptr, "PASS ", 5))
else if ((ftp->ftp_passok == 2) && !strncmp(cmd, "PASS ", 5))
ftp->ftp_passok = 3;
else if ((ftp->ftp_passok == 4) && !ippr_ftp_pasvonly &&
!strncmp(rptr, "PORT ", 5)) {
!strncmp(cmd, "PORT ", 5)) {
inc = ippr_ftp_port(fin, ip, nat, f, dlen);
} else if (ippr_ftp_insecure && !ippr_ftp_pasvonly &&
!strncmp(cmd, "PORT ", 5)) {
inc = ippr_ftp_port(fin, ip, nat, f, dlen);
}
while ((*rptr++ != '\n') && (rptr < wptr))
;
f->ftps_seq += rptr - f->ftps_rptr;
f->ftps_rptr = rptr;
return inc;
}
@ -313,8 +324,8 @@ int dlen;
u_short a5, a6, sp, dp;
u_int a1, a2, a3, a4;
fr_info_t fi;
int inc, off;
nat_t *ipn;
int inc;
char *s;
/*
@ -325,15 +336,8 @@ int dlen;
else if (strncmp(f->ftps_rptr, "227 Entering Passive Mode", 25))
return 0;
/*
* Count the number of bytes in the 227 reply is.
*/
tcp = (tcphdr_t *)fin->fin_dp;
off = f->ftps_seq - ntohl(tcp->th_seq);
if (off < 0)
return 0;
off += fin->fin_hlen + (tcp->th_off << 2);
/*
* Skip the PORT command + space
*/
@ -417,13 +421,13 @@ int dlen;
m1->b_wptr += inc;
}
/*copyin_mblk(m, off, nlen, newbuf);*/
#else
#else /* SOLARIS */
m = *((mb_t **)fin->fin_mp);
if (inc < 0)
m_adj(m, inc);
/* the mbuf chain will be extended if necessary by m_copyback() */
/*m_copyback(m, off, nlen, newbuf);*/
#endif
#endif /* SOLARIS */
if (inc != 0) {
#if SOLARIS || defined(__sgi)
register u_32_t sum1, sum2;
@ -438,10 +442,10 @@ int dlen;
sum2 = (sum2 & 0xffff) + (sum2 >> 16);
fix_outcksum(&ip->ip_sum, sum2, 0);
#endif
#endif /* SOLARIS || defined(__sgi) */
ip->ip_len += inc;
}
#endif
#endif /* 0 */
/*
* Add skeleton NAT entry for connection which will come back the
@ -507,10 +511,11 @@ int dlen;
ftp->ftp_passok = 0;
else if ((ftp->ftp_passok == 4) && !strncmp(rptr, "227 ", 4)) {
inc = ippr_ftp_pasv(fin, ip, nat, f, dlen);
} else if (ippr_ftp_insecure && !strncmp(rptr, "227 ", 4)) {
inc = ippr_ftp_pasv(fin, ip, nat, f, dlen);
}
while ((*rptr++ != '\n') && (rptr < wptr))
;
f->ftps_seq += rptr - f->ftps_rptr;
f->ftps_rptr = rptr;
return inc;
}
@ -548,16 +553,16 @@ size_t len;
return 1;
} else
return 1;
} else if (isupper(c)) {
} else if (isalpha(c)) {
c = *s++;
i--;
if (isupper(c)) {
if (isalpha(c)) {
c = *s++;
i--;
if (isupper(c)) {
if (isalpha(c)) {
c = *s++;
i--;
if (isupper(c)) {
if (isalpha(c)) {
c = *s++;
i--;
if ((c != ' ') && (c != '\r'))
@ -586,10 +591,10 @@ nat_t *nat;
ftpinfo_t *ftp;
int rv;
{
int mlen, len, off, inc, i;
int mlen, len, off, inc, i, sel;
char *rptr, *wptr;
ftpside_t *f, *t;
tcphdr_t *tcp;
ftpside_t *f;
mb_t *m;
tcp = (tcphdr_t *)fin->fin_dp;
@ -606,23 +611,29 @@ int rv;
#else
mlen = mbufchainlen(m) - off;
#endif
if (!mlen)
t = &ftp->ftp_side[1 - rv];
if (!mlen) {
t->ftps_seq = ntohl(tcp->th_ack);
return 0;
}
inc = 0;
f = &ftp->ftp_side[rv];
rptr = f->ftps_rptr;
wptr = f->ftps_wptr;
if ((wptr == f->ftps_buf) && (f->ftps_seq <= ntohl(tcp->th_seq)))
f->ftps_seq = ntohl(tcp->th_seq);
sel = nat->nat_aps->aps_sel[1 - rv];
if (rv)
i = nat->nat_aps->aps_ackoff[sel];
else
i = nat->nat_aps->aps_seqoff[sel];
/*
* XXX - Ideally, this packet should get dropped because we now know
* that it is out of order (and there is no real danger in doing so
* apart from causing packets to go through here ordered).
*/
if (ntohl(tcp->th_seq) != f->ftps_seq + (wptr - rptr)) {
return APR_ERR(0);
if (ntohl(tcp->th_seq) + i != f->ftps_seq) {
return APR_ERR(-1);
}
while (mlen > 0) {
@ -666,7 +677,6 @@ int rv;
} else
rptr++;
}
f->ftps_seq += rptr - f->ftps_rptr;
f->ftps_rptr = rptr;
}
@ -677,7 +687,6 @@ int rv;
i = wptr - rptr;
if ((rptr == f->ftps_buf) ||
(wptr - rptr > FTP_BUFSZ / 2)) {
f->ftps_seq += i;
f->ftps_junk = 1;
rptr = wptr = f->ftps_buf;
} else {
@ -691,6 +700,7 @@ int rv;
}
}
t->ftps_seq = ntohl(tcp->th_ack);
f->ftps_rptr = rptr;
f->ftps_wptr = wptr;
return inc;
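Review bot: In the -201 hunk the added block adjusts `m->m_pkthdr.len` when `M_PKTHDR` is not set, which looks inverted: the packet header exists only in an mbuf that carries the flag, so without it the write lands in whatever shares that storage. If the aim is to correct the recorded packet length after `m_copyback()`, the test should be `if (m->m_flags & M_PKTHDR)`; check first whether `m_copyback()` has already adjusted the length, so it is not counted twice. Separately, the new `ippr_ftp_insecure` switch lets PORT and 227 be rewritten without the USER/PASS progression. It defaults to 0, and a comment at its definition should say what it relaxes. The functions involved start and end outside the hunks.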


@ -5,7 +5,7 @@
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
* $Id: ip_log.c,v 2.5 2000/03/13 22:10:21 darrenr Exp $
* $Id: ip_log.c,v 2.5.2.1 2000/07/19 13:11:47 darrenr Exp $
*/
#include <sys/param.h>
#if defined(KERNEL) && !defined(_KERNEL)
@ -20,7 +20,11 @@
# include "opt_ipfilter.h"
# endif
# else
# include <osreldate.h>
# ifdef KLD_MODULE
# include <sys/osreldate.h>
# else
# include <osreldate.h>
# endif
# endif
#endif
#ifdef IPFILTER_LOG


@ -9,7 +9,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.10 2000/05/19 15:54:44 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.16 2000/07/18 13:57:40 darrenr Exp $";
#endif
#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
@ -473,10 +473,14 @@ int mode;
n->in_next = NULL;
*np = n;
if (n->in_redir & NAT_REDIRECT)
if (n->in_redir & NAT_REDIRECT) {
n->in_flags &= ~IPN_NOTDST;
nat_addrdr(n);
if (n->in_redir & (NAT_MAP|NAT_MAPBLK))
}
if (n->in_redir & (NAT_MAP|NAT_MAPBLK)) {
n->in_flags &= ~IPN_NOTSRC;
nat_addnat(n);
}
n->in_use = 0;
if (n->in_redir & NAT_MAPBLK)
@ -1517,6 +1521,8 @@ int dir;
ip_t *oip;
int flags = 0;
if ((fin->fin_fi.fi_fl & FI_SHORT) || (ip->ip_off & IP_OFFMASK))
return NULL;
if ((ip->ip_v != 4) || !(nat = nat_icmplookup(ip, fin, dir)))
return NULL;
*nflags = IPN_ICMPERR;
@ -1559,14 +1565,14 @@ int dir;
fix_outcksum(&icmp->icmp_cksum, sumd, 0);
} else {
fix_outcksum(&oip->ip_sum, sumd, 0);
#if !SOLARIS && !defined(__sgi)
sumd += (sumd & 0xffff);
while (sumd > 0xffff)
sumd = (sumd & 0xffff) + (sumd >> 16);
/* fix_incksum(&icmp->icmp_cksum, sumd, 0); */
fix_incksum(&icmp->icmp_cksum, sumd, 0);
#endif
}
if ((flags & IPN_TCPUDP) != 0) {
tcphdr_t *tcp;
@ -1714,19 +1720,28 @@ ip_t *ip;
if (np->in_p && ip->ip_p != np->in_p)
return 0;
if (fin->fin_out) {
if (!(np->in_redir && (NAT_MAP|NAT_MAPBLK)))
if (!(np->in_redir & (NAT_MAP|NAT_MAPBLK)))
return 0;
if ((fin->fin_fi.fi_saddr & np->in_inmsk) != np->in_inip)
if (((fin->fin_fi.fi_saddr & np->in_inmsk) != np->in_inip)
^ ((np->in_flags & IPN_NOTSRC) != 0))
return 0;
if ((fin->fin_fi.fi_daddr & np->in_srcmsk) != np->in_srcip)
if (((fin->fin_fi.fi_daddr & np->in_srcmsk) != np->in_srcip)
^ ((np->in_flags & IPN_NOTDST) != 0))
return 0;
} else {
if (!(np->in_redir && NAT_REDIRECT))
if (!(np->in_redir & NAT_REDIRECT))
return 0;
if (((fin->fin_fi.fi_saddr & np->in_srcmsk) != np->in_srcip)
^ ((np->in_flags & IPN_NOTSRC) != 0))
return 0;
if (((fin->fin_fi.fi_daddr & np->in_outmsk) != np->in_outip)
^ ((np->in_flags & IPN_NOTDST) != 0))
return 0;
}
ft = &np->in_tuc;
if (!(fin->fin_fi.fi_fl & FI_TCPUDP)) {
if (!(fin->fin_fi.fi_fl & FI_TCPUDP) ||
(fin->fin_fi.fi_fl & FI_SHORT) || (ip->ip_off & IP_OFFMASK)) {
if (ft->ftu_scmp || ft->ftu_dcmp)
return 0;
return 1;
@ -1863,7 +1878,6 @@ fr_info_t *fin;
np = nat->nat_ptr;
if (natadd && fin->fin_fi.fi_fl & FI_FRAG)
ipfr_nat_newfrag(ip, fin, 0, nat);
ip->ip_src = nat->nat_outip;
MUTEX_ENTER(&nat->nat_lock);
nat->nat_age = fr_defnatage;
nat->nat_bytes += ip->ip_len;
@ -1874,12 +1888,27 @@ fr_info_t *fin;
* Fix up checksums, not by recalculating them, but
* simply computing adjustments.
*/
if (nflags == IPN_ICMPERR) {
u_32_t s1, s2, sumd;
s1 = LONG_SUM(ntohl(ip->ip_src.s_addr));
s2 = LONG_SUM(ntohl(nat->nat_outip.s_addr));
CALC_SUMD(s1, s2, sumd);
if (nat->nat_dir == NAT_OUTBOUND)
fix_incksum(&ip->ip_sum, sumd, 0);
else
fix_outcksum(&ip->ip_sum, sumd, 0);
}
#if SOLARIS || defined(__sgi)
if (nat->nat_dir == NAT_OUTBOUND)
fix_outcksum(&ip->ip_sum, nat->nat_ipsumd, 0);
else
fix_incksum(&ip->ip_sum, nat->nat_ipsumd, 0);
else {
if (nat->nat_dir == NAT_OUTBOUND)
fix_outcksum(&ip->ip_sum, nat->nat_ipsumd, 0);
else
fix_incksum(&ip->ip_sum, nat->nat_ipsumd, 0);
}
#endif
ip->ip_src = nat->nat_outip;
if (!(ip->ip_off & IP_OFFMASK) &&
!(fin->fin_fi.fi_fl & FI_SHORT)) {
@ -1917,6 +1946,7 @@ fr_info_t *fin;
} else if (ip->ip_p == IPPROTO_ICMP) {
nat->nat_age = fr_defnaticmpage;
}
if (csump) {
if (nat->nat_dir == NAT_OUTBOUND)
fix_outcksum(csump, nat->nat_sumd[1],
@ -1986,7 +2016,7 @@ fr_info_t *fin;
if ((ip->ip_p == IPPROTO_ICMP) &&
(nat = nat_icmp(ip, fin, &nflags, NAT_INBOUND)))
;
else if ((ip->ip_off & IP_OFFMASK) &&
else if ((ip->ip_off & (IP_OFFMASK|IP_MF)) &&
(nat = ipfr_nat_knownfrag(ip, fin)))
natadd = 0;
else if ((nat = nat_inlookup(fin->fin_ifp, nflags, (u_int)ip->ip_p,
@ -2024,7 +2054,7 @@ fr_info_t *fin;
} else if ((in.s_addr & np->in_outmsk) != np->in_outip)
continue;
if ((np->in_redir & NAT_REDIRECT) &&
(!np->in_pmin ||
(!np->in_pmin || (np->in_flags & IPN_FILTER) ||
((ntohs(np->in_pmax) >= ntohs(dport)) &&
(ntohs(dport) >= ntohs(np->in_pmin)))))
if ((nat = nat_new(np, ip, fin, nflags,
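Review bot: In the -473 hunk the kernel clears `IPN_NOTDST` on rdr rules and `IPN_NOTSRC` on map rules instead of rejecting the combination. A rule submitted with the unsupported negation is therefore installed with the opposite meaning for that address test. natparse.c refuses these combinations, but any other caller of the ioctl gets no error; returning EINVAL before `*np = n;` would fail closed. The XOR tests added in the -1714 hunk depend on both operands being exactly 0 or 1, which holds as written and deserves a one-line comment such as `/* invert the address match when the rule carries '!' */`. The enclosing functions extend beyond the hunks.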


@ -6,7 +6,7 @@
* to the original author and the contributors.
*
* @(#)ip_nat.h 1.5 2/4/96
* $Id: ip_nat.h,v 2.17.2.1 2000/05/15 06:50:14 darrenr Exp $
* $Id: ip_nat.h,v 2.17.2.6 2000/07/15 14:50:06 darrenr Exp $
*/
#ifndef __IP_NAT_H__
@ -103,9 +103,10 @@ typedef struct ipnat {
u_int in_hits;
struct in_addr in_nextip;
u_short in_pnext;
u_short in_ppip; /* ports per IP */
u_short in_ippip; /* IP #'s per IP# */
u_short in_flags; /* From here to in_dport must be reflected */
u_32_t in_flags; /* From here to in_dport must be reflected */
u_short in_spare;
u_short in_ppip; /* ports per IP */
u_short in_port[2]; /* correctly in IPN_CMPSIZ */
struct in_addr in_in[2];
struct in_addr in_out[2];
@ -212,11 +213,13 @@ typedef struct natstat {
#define IPN_RF (IPN_TCPUDP|IPN_DELETE|IPN_ICMPERR)
#define IPN_AUTOPORTMAP 0x010
#define IPN_IPRANGE 0x020
#define IPN_USERFLAGS (IPN_TCPUDP|IPN_AUTOPORTMAP|IPN_IPRANGE|\
IPN_SPLIT|IPN_ROUNDR|IPN_FILTER)
#define IPN_USERFLAGS (IPN_TCPUDP|IPN_AUTOPORTMAP|IPN_IPRANGE|IPN_SPLIT|\
IPN_ROUNDR|IPN_FILTER|IPN_NOTSRC|IPN_NOTDST)
#define IPN_FILTER 0x040
#define IPN_SPLIT 0x080
#define IPN_ROUNDR 0x100
#define IPN_NOTSRC 0x080000
#define IPN_NOTDST 0x100000
typedef struct natlog {
@ -236,6 +239,8 @@ typedef struct natlog {
#define NL_NEWMAP NAT_MAP
#define NL_NEWRDR NAT_REDIRECT
#define NL_NEWBIMAP NAT_BIMAP
#define NL_NEWBLOCK NAT_MAPBLK
#define NL_EXPIRE 0xffff
#define NAT_HASH_FN(k,l,m) (((k) + ((k) >> 12) + l) % (m))
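Review bot: Widening `in_flags` to `u_32_t` and, as it appears, adding `in_spare` changes the layout of `struct ipnat`. The field comment says everything from `in_flags` to `in_dport` must be reflected in `IPN_CMPSIZ`, whose definition is not in this hunk. If `IPN_CMPSIZ` is a hand-computed size rather than an offset expression it needs rechecking, and an ipnat binary built against the old header would pass the kernel a structure with shifted fields. A comment on `in_flags` noting that `IPN_NOTSRC` and `IPN_NOTDST` (0x080000, 0x100000) are the reason it is 32 bits wide would stop it being narrowed again.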


@ -1,5 +1,5 @@
/*
* $Id: ip_rcmd_pxy.c,v 1.4.2.1 2000/05/06 11:19:34 darrenr Exp $
* $Id: ip_rcmd_pxy.c,v 1.4.2.2 2000/07/15 12:38:30 darrenr Exp $
*/
/*
* Simple RCMD transparent proxy for in-kernel use. For use with the NAT
@ -93,8 +93,17 @@ nat_t *nat;
#endif
tcp = (tcphdr_t *)fin->fin_dp;
if (tcp->th_flags & TH_SYN) {
*(u_32_t *)aps->aps_data = htonl(ntohl(tcp->th_seq) + 1);
return 0;
}
if ((*(u_32_t *)aps->aps_data != 0) &&
(tcp->th_seq != *(u_32_t *)aps->aps_data))
return 0;
off = (ip->ip_hl << 2) + (tcp->th_off << 2);
m = *(mb_t **)fin->fin_mp;
#if SOLARIS
m = fin->fin_qfm;
@ -103,13 +112,11 @@ nat_t *nat;
bzero(portbuf, sizeof(portbuf));
copyout_mblk(m, off, MIN(sizeof(portbuf), dlen), portbuf);
#else
m = *(mb_t **)fin->fin_mp;
dlen = mbufchainlen(m) - off;
bzero(portbuf, sizeof(portbuf));
m_copydata(m, off, MIN(sizeof(portbuf), dlen), portbuf);
#endif
if ((*(u_32_t *)aps->aps_data != 0) &&
(tcp->th_seq != *(u_32_t *)aps->aps_data))
return 0;
portbuf[sizeof(portbuf) - 1] = '\0';
s = portbuf;
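Review bot: The new SYN branch overwrites the expected sequence number in `aps->aps_data` on every segment that has `TH_SYN` set, not only the first. Any later SYN seen on the session can therefore re-base the `th_seq` comparison that follows. Recording the value only while the stored one is still zero keeps the first: `if ((tcp->th_flags & TH_SYN) && (*(u_32_t *)aps->aps_data == 0)) {`. The value is stored in network order and compared against the raw `tcp->th_seq`, which is consistent. The function begins and ends outside the hunk.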


@ -9,7 +9,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.2 2000/05/22 10:26:14 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.3 2000/07/08 02:20:14 darrenr Exp $";
#endif
#include <sys/types.h>
@ -515,7 +515,7 @@ caddr_t data;
* interface pointer in the comparison (fr_next, fr_ifa).
*/
for (fp->fr_cksum = 0, p = (u_int *)&fp->fr_ip, pp = &fp->fr_cksum;
p != pp; p++)
p < pp; p++)
fp->fr_cksum += *p;
for (; (f = *ftail); ftail = &f->fr_next)


@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.9 2000/05/22 10:26:15 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.12 2000/06/19 02:38:37 darrenr Exp $";
#endif
#include <sys/errno.h>
@ -381,8 +381,8 @@ caddr_t data;
{
register ipstate_t *is, *isn;
ipstate_save_t ips, *ipsp;
int error, out;
frentry_t *fr;
int error;
error = IRCOPY(data, (caddr_t)&ipsp, sizeof(ipsp));
if (error)
@ -405,8 +405,26 @@ caddr_t data;
return ENOMEM;
}
bcopy((char *)&ips.ips_fr, (char *)fr, sizeof(*fr));
out = fr->fr_flags & FR_OUTQUE ? 1 : 0;
isn->is_rule = fr;
ips.ips_is.is_rule = fr;
if (*fr->fr_ifname) {
fr->fr_ifa = GETUNIT(fr->fr_ifname, fr->fr_v);
if (fr->fr_ifa == NULL)
fr->fr_ifa = (void *)-1;
#ifdef _KERNEL
else {
strncpy(isn->is_ifname[out],
IFNAME(fr->fr_ifa), IFNAMSIZ);
isn->is_ifp[out] = fr->fr_ifa;
}
#endif
} else
fr->fr_ifa = NULL;
/*
* send a copy back to userland of what we ended up
* to allow for verification.
*/
error = IWCOPY((caddr_t)&ips, ipsp, sizeof(ips));
if (error) {
KFREE(isn);
@ -1582,8 +1600,8 @@ fr_info_t *fin;
(oic->icmp6_type == ICMP6_ECHO_REQUEST)) ||
(is->is_type - 1 == oic->icmp6_type )) {
ips_stats.iss_hits++;
is->is_pkts++;
is->is_bytes += fin->fin_plen;
is->is_pkts++;
is->is_bytes += fin->fin_plen;
return is->is_rule;
}
}
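Review bot: In the -405 hunk the rule restored from `ips.ips_fr` is copied wholesale with `bcopy` and only `fr_ifa` is re-derived afterwards. Every other pointer in it, `fr_func` included, keeps whatever value the saved image held, and that image appears to come from the ioctl caller. ip_fil.c in this commit refuses a non-NULL `fr_func` at securelevel > 0 when a rule is added; the same test, or simply `fr->fr_func = NULL;` after the copy, seems to be missing on this path. The added `strncpy(isn->is_ifname[out], IFNAME(fr->fr_ifa), IFNAMSIZ)` also leaves the name unterminated when the source is IFNAMSIZ bytes long; the size of `is_ifname` is not visible here. The function starts and ends outside the hunk.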


@ -6,7 +6,7 @@
* to the original author and the contributors.
*
* @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
* $Id: ip_state.h,v 2.13 2000/03/13 22:10:23 darrenr Exp $
* $Id: ip_state.h,v 2.13.2.1 2000/07/08 02:15:35 darrenr Exp $
*/
#ifndef __IP_STATE_H__
#define __IP_STATE_H__
@ -17,8 +17,8 @@
# define SIOCDELST _IOW(r, 61, struct ipstate *)
#endif
#define IPSTATE_SIZE 257
#define IPSTATE_MAX 2048 /* Maximum number of states held */
#define IPSTATE_SIZE 5737
#define IPSTATE_MAX 4013 /* Maximum number of states held */
#define PAIRS(s1,d1,s2,d2) ((((s1) == (s2)) && ((d1) == (d2))) ||\
(((s1) == (d2)) && ((d1) == (s2))))


@ -43,7 +43,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10 2000/03/13 22:10:23 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.1 2000/07/08 02:19:46 darrenr Exp $";
#endif
#if SOLARIS
@ -295,9 +295,10 @@ char *name, *file;
if ((opts & OPT_ZERORULEST) &&
!(opts & OPT_DONOTHING)) {
if (ioctl(fd, add, &fr) == -1)
if (ioctl(fd, add, &fr) == -1) {
fprintf(stderr, "%d:", linenum);
perror("ioctl(SIOCZRLST)");
else {
} else {
#ifdef USE_QUAD_T
printf("hits %qd bytes %qd ",
(long long)fr->fr_hits,
@ -310,11 +311,15 @@ char *name, *file;
}
} else if ((opts & OPT_REMOVE) &&
!(opts & OPT_DONOTHING)) {
if (ioctl(fd, del, &fr) == -1)
if (ioctl(fd, del, &fr) == -1) {
fprintf(stderr, "%d:", linenum);
perror("ioctl(delete rule)");
}
} else if (!(opts & OPT_DONOTHING)) {
if (ioctl(fd, add, &fr) == -1)
if (ioctl(fd, add, &fr) == -1) {
fprintf(stderr, "%d:", linenum);
perror("ioctl(add/insert rule)");
}
}
}
}
@ -339,7 +344,7 @@ FILE *file;
int s, len;
do {
for (p = str, s = size;; p += len, s -= len) {
for (p = str, s = size;; p += (len - 1), s -= (len - 1)) {
/*
* if an error occured, EOF was encounterd, or there
* was no room to put NUL, return NULL.
@ -347,12 +352,21 @@ FILE *file;
if (fgets(p, s, file) == NULL)
return (NULL);
len = strlen(p);
p[len - 1] = '\0';
if (p[len - 1] != '\\')
if (p[len - 1] != '\n') {
p[len] = '\0';
break;
size -= len;
}
p[len - 1] = '\0';
if (len < 2 || p[len - 2] != '\\')
break;
else
/*
* Convert '\\' to a space so words don't
* run together
*/
p[len - 2] = ' ';
}
} while (*str == '\0' || *str == '\n');
} while (*str == '\0');
return (str);
}
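Review bot: In the rewritten getline loop, `p[len - 1]` is read straight after `len = strlen(p)` with no check for `len == 0`. fgets can return an empty string when the data it reads begins with a NUL byte, and on the first pass that indexes `str[-1]`. Adding `if (len == 0) break;` before the newline test covers it. A line that fills the buffer without a newline is now returned as it stands and its tail is read as the next line, so an over-long rule is split rather than rejected. For a firewall ruleset, reporting that case as an error would be safer than parsing the two halves.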


@ -6,12 +6,12 @@
* to the original author and the contributors.
*
* @(#)ipl.h 1.21 6/5/96
* $Id: ipl.h,v 2.15.2.5 2000/05/22 10:26:16 darrenr Exp $
* $Id: ipl.h,v 2.15.2.9 2000/07/19 13:40:04 darrenr Exp $
*/
#ifndef __IPL_H__
#define __IPL_H__
#define IPL_VERSION "IP Filter: v3.4.4"
#define IPL_VERSION "IP Filter: v3.4.8"
#endif


@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12 2000/03/13 22:10:24 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.2 2000/07/15 14:50:06 darrenr Exp $";
#endif
#ifndef SOLARIS
@ -209,11 +209,11 @@ static void init_tabs()
if (s->s_proto == NULL)
continue;
else if (!strcmp(s->s_proto, "tcp")) {
port = s->s_port;
port = ntohs(s->s_port);
name = s->s_name;
tab = tcp_ports;
} else if (!strcmp(s->s_proto, "udp")) {
port = s->s_port;
port = ntohs(s->s_port);
name = s->s_name;
tab = udp_ports;
} else
@ -401,6 +401,10 @@ int blen;
strcpy(t, "NAT:RDR ");
else if (nl->nl_type == NL_EXPIRE)
strcpy(t, "NAT:EXPIRE ");
else if (nl->nl_type == NL_NEWBIMAP)
strcpy(t, "NAT:BIMAP ");
else if (nl->nl_type == NL_NEWBLOCK)
strcpy(t, "NAT:MAPBLOCK ");
else
sprintf(t, "Type: %d ", nl->nl_type);
t += strlen(t);


@ -99,8 +99,10 @@ protocol number. If this option is not specified, state entries for any
protocol are specified.
.TP
.B \-s
Show packet/flow state information (statistics) and held state information (in
the kernel) if any is present.
Show packet/flow state information (statistics only).
.TP
.B \-sl
Show held state information (in the kernel) if any is present (no statistics).
.TP
.BR \-S \0<addrport>
This option is only valid in combination with \fB\-t\fP. Limit the state top


@ -54,7 +54,7 @@ extern char *sys_errlist[];
#if !defined(lint)
static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.1 2000/04/28 18:08:00 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.6 2000/07/08 02:14:40 darrenr Exp $";
#endif
@ -103,25 +103,35 @@ void *ptr;
printf(" %s ", np->in_ifname);
if (np->in_flags & IPN_FILTER) {
if (np->in_flags & IPN_NOTSRC)
printf("! ");
printf("from ");
if (np->in_redir == NAT_REDIRECT)
if (np->in_redir == NAT_REDIRECT) {
printhostmask(4, (u_32_t *)&np->in_srcip,
(u_32_t *)&np->in_srcmsk);
else
if (np->in_scmp)
printportcmp(np->in_p, &np->in_tuc.ftu_src);
} else {
printhostmask(4, (u_32_t *)&np->in_inip,
(u_32_t *)&np->in_inmsk);
if (np->in_scmp)
printportcmp(np->in_p, &np->in_tuc.ftu_src);
if (np->in_dcmp)
printportcmp(np->in_p, &np->in_tuc.ftu_dst);
}
if (np->in_flags & IPN_NOTDST)
printf(" !");
printf(" to ");
if (np->in_redir == NAT_REDIRECT)
printhostmask(4, (u_32_t *)&np->in_inip,
(u_32_t *)&np->in_inmsk);
else
if (np->in_redir == NAT_REDIRECT) {
printhostmask(4, (u_32_t *)&np->in_outip,
(u_32_t *)&np->in_outmsk);
if (np->in_dcmp)
printportcmp(np->in_p, &np->in_tuc.ftu_dst);
} else {
printhostmask(4, (u_32_t *)&np->in_srcip,
(u_32_t *)&np->in_srcmsk);
if (np->in_dcmp)
printportcmp(np->in_p, &np->in_tuc.ftu_dst);
if (np->in_scmp)
printportcmp(np->in_p, &np->in_tuc.ftu_src);
}
}
if (np->in_redir == NAT_REDIRECT) {
@ -132,12 +142,12 @@ void *ptr;
printf("/%d ", bits);
else
printf("/%s ", inet_ntoa(np->in_out[1]));
if (np->in_pmin)
printf("port %d", ntohs(np->in_pmin));
if (np->in_pmax != np->in_pmin)
printf("- %d", ntohs(np->in_pmax));
}
if (np->in_pmin)
printf("port %d ", ntohs(np->in_pmin));
if (np->in_pmax != np->in_pmin)
printf("- %d ", ntohs(np->in_pmax));
printf("-> %s", inet_ntoa(np->in_in[0]));
printf(" -> %s", inet_ntoa(np->in_in[0]));
if (np->in_flags & IPN_SPLIT)
printf(",%s", inet_ntoa(np->in_in[1]));
if (np->in_pnext)
@ -312,7 +322,27 @@ int linenum;
ipn.in_ifname[sizeof(ipn.in_ifname) - 1] = '\0';
cpp++;
if (!strcasecmp(*cpp, "from")) {
if (!strcasecmp(*cpp, "from") || (**cpp == '!')) {
if (!strcmp(*cpp, "!")) {
cpp++;
if (strcasecmp(*cpp, "from")) {
fprintf(stderr, "Missing from after !\n");
return NULL;
}
ipn.in_flags |= IPN_NOTSRC;
} else if (**cpp == '!') {
if (strcasecmp(*cpp + 1, "from")) {
fprintf(stderr, "Missing from after !\n");
return NULL;
}
ipn.in_flags |= IPN_NOTSRC;
}
if ((ipn.in_flags & IPN_NOTSRC) &&
(ipn.in_redir & (NAT_MAP|NAT_MAPBLK))) {
fprintf(stderr, "Cannot use '! from' with map\n");
return NULL;
}
ipn.in_flags |= IPN_FILTER;
cpp++;
if (ipn.in_redir == NAT_REDIRECT) {
@ -325,34 +355,48 @@ int linenum;
} else {
if (hostmask(&cpp, (u_32_t *)&ipn.in_inip,
(u_32_t *)&ipn.in_inmsk,
&ipn.in_dport, &ipn.in_dcmp,
&ipn.in_dtop, linenum)) {
&ipn.in_sport, &ipn.in_scmp,
&ipn.in_stop, linenum)) {
return NULL;
}
}
if (!strcmp(*cpp, "!")) {
cpp++;
ipn.in_flags |= IPN_NOTDST;
} else if (**cpp == '!') {
(*cpp)++;
ipn.in_flags |= IPN_NOTDST;
}
if (strcasecmp(*cpp, "to")) {
fprintf(stderr, "%d: unexpected keyword (%s) - to\n",
linenum, *cpp);
return NULL;
}
if ((ipn.in_flags & IPN_NOTDST) &&
(ipn.in_redir & (NAT_REDIRECT))) {
fprintf(stderr, "Cannot use '! to' with rdr\n");
return NULL;
}
if (!*++cpp) {
fprintf(stderr, "%d: missing host after to\n", linenum);
return NULL;
}
if (ipn.in_redir == NAT_REDIRECT) {
if (hostmask(&cpp, (u_32_t *)&ipn.in_inip,
(u_32_t *)&ipn.in_inmsk,
if (hostmask(&cpp, (u_32_t *)&ipn.in_outip,
(u_32_t *)&ipn.in_outmsk,
&ipn.in_dport, &ipn.in_dcmp,
&ipn.in_dtop, linenum)) {
return NULL;
}
ipn.in_pmin = htons(ipn.in_dport);
} else {
if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip,
(u_32_t *)&ipn.in_srcmsk,
&ipn.in_sport, &ipn.in_scmp,
&ipn.in_stop, linenum)) {
&ipn.in_dport, &ipn.in_dcmp,
&ipn.in_dtop, linenum)) {
return NULL;
}
}
@ -673,8 +717,11 @@ int linenum;
return NULL;
}
cpp++;
if (!*cpp)
if (!*cpp) {
fprintf(stderr, "%d: missing expression following portmap\n",
linenum);
return NULL;
}
if (!strcasecmp(*cpp, "tcp"))
ipn.in_flags |= IPN_TCP;
@ -741,7 +788,7 @@ int opts;
fp = stdin;
while (fgets(line, sizeof(line) - 1, fp)) {
linenum++;
linenum++;
line[sizeof(line) - 1] = '\0';
if ((s = strchr(line, '\n')))
*s = '\0';
@ -755,10 +802,15 @@ int opts;
printnat(np, opts, NULL);
if (!(opts & OPT_NODO)) {
if (!(opts & OPT_REMOVE)) {
if (ioctl(fd, SIOCADNAT, &np) == -1)
if (ioctl(fd, SIOCADNAT, &np) == -1) {
fprintf(stderr, "%d:",
linenum);
perror("ioctl(SIOCADNAT)");
} else if (ioctl(fd, SIOCRMNAT, &np) == -1)
}
} else if (ioctl(fd, SIOCRMNAT, &np) == -1) {
fprintf(stderr, "%d:", linenum);
perror("ioctl(SIOCRMNAT)");
}
}
}
}
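Review bot: In the `@ -312,7 +322,27` hunk, the standalone-`!` branch advances `cpp` and then passes `*cpp` straight to `strcasecmp`, so a rule line that ends at `!` hands a NULL pointer to the comparison; the later `if (!*++cpp)` check shows the token array is NULL-terminated. The guard should test for the end of the tokens first, e.g. `if (!*cpp || strcasecmp(*cpp, "from")) {`. The new error messages in this hunk and the next (`Missing from after !`, `Cannot use '! from' with map`, `Cannot use '! to' with rdr`) also omit the `%d:` line-number prefix that the neighbouring messages carry, e.g. `fprintf(stderr, "%d: missing from after !\n", linenum);`. The enclosing parser function starts and ends outside these hunks.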


@ -939,14 +939,20 @@ int linenum;
linenum, **cp);
return -1;
}
fp->fr_icmp |= (u_short)i;
fp->fr_icmpm = (u_short)0xffff;
(*cp)++;
return 0;
} else {
i = icmpcode(**cp);
if (i == -1) {
fprintf(stderr,
"%d: Invalid icmp code (%s) specified\n",
linenum, **cp);
return -1;
}
}
fprintf(stderr, "%d: Invalid icmp code (%s) specified\n",
linenum, **cp);
return -1;
i &= 0xff;
fp->fr_icmp |= (u_short)i;
fp->fr_icmpm = (u_short)0xffff;
(*cp)++;
return 0;
}
@ -966,9 +972,8 @@ char *str;
char *s;
int i, len;
if (!(s = strrchr(str, ')')))
return -1;
*s = '\0';
if ((s = strrchr(str, ')')))
*s = '\0';
if (isdigit(*str)) {
if (!ratoi(str, &i, 0, 255))
return -1;
@ -1153,7 +1158,7 @@ struct frentry *fp;
printf(" icmp-type %s", icmptypes[type]);
else
printf(" icmp-type %d", type);
if (code)
if (ntohs(fp->fr_icmpm) & 0xff)
printf(" code %d", code);
}
if (fp->fr_proto == IPPROTO_TCP && (fp->fr_tcpf || fp->fr_tcpfm)) {
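Review bot: The new condition in the `@ -1153,7 +1158,7` hunk decides whether to print `code` by testing the mask rather than the value, which is what lets `code 0` be printed, but nothing on the line says so and a later reader could easily simplify it back to `if (code)`. A one-line comment above it would be enough, e.g. `/* test the mask, not the value: a rule may match code 0 explicitly */`. The test also relies on the low byte of `fr_icmpm` being clear for type-only rules; that mask is set outside this hunk, so this is presumably the case but worth confirming. The enclosing print function starts and ends outside the hunk.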


@ -6,7 +6,7 @@
* to the original author and the contributors.
*/
/* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/
#pragma ident "@(#)$Id: solaris.c,v 2.15.2.3 2000/05/22 10:26:17 darrenr Exp $"
#pragma ident "@(#)$Id: solaris.c,v 2.15.2.6 2000/07/18 13:56:33 darrenr Exp $"
#include <sys/systm.h>
#include <sys/types.h>
@ -625,15 +625,28 @@ int out;
sap = qif->qf_ill->ill_sap;
if (sap == 0x800) {
u_short tlen;
hlen = sizeof(*ip);
plen = ntohs(ip->ip_len);
/* XXX - might not be aligned (from ppp?) */
((char *)&tlen)[0] = ((char *)&ip->ip_len)[0];
((char *)&tlen)[1] = ((char *)&ip->ip_len)[1];
plen = ntohs(tlen);
sap = 0;
}
#if SOLARIS2 >= 8
else if (sap == IP6_DL_SAP) {
u_short tlen;
hlen = sizeof(ip6_t);
ip6 = (ip6_t *)ip;
plen = ntohs(ip6->ip6_plen);
/* XXX - might not be aligned (from ppp?) */
((char *)&tlen)[0] = ((char *)&ip->ip_len)[0];
((char *)&tlen)[1] = ((char *)&ip->ip_len)[1];
plen = ntohs(tlen);
sap = IP6_DL_SAP;
}
#endif
@ -670,7 +683,7 @@ int out;
s = m->b_rptr;
}
*mp = m2;
MTYPE(m2) = M_DATA;
MTYPE(m2) = MTYPE(mt);
freemsg(mt);
mt = m2;
@ -678,7 +691,6 @@ int out;
synced = 1;
off = 0;
goto tryagain;
}
if (((sap == 0) && (ip->ip_v != IP_VERSION))
@ -1590,8 +1602,7 @@ ire_t *ire;
#endif
int ipfr_fastroute(qf, ip, mb, mpp, fin, fdp)
qif_t *qf;
int ipfr_fastroute(ip, mb, mpp, fin, fdp)
ip_t *ip;
mblk_t *mb, **mpp;
fr_info_t *fin;
@ -1608,13 +1619,15 @@ frdest_t *fdp;
frentry_t *fr;
frdest_t fd;
ill_t *ifp;
qif_t *qif;
u_char *s;
qif_t *qf;
int p;
#ifndef sparc
u_short __iplen, __ipoff;
#endif
qf = fin->fin_qif;
/*
* If this is a duplicate mblk then we want ip to point at that
* data, not the original, if and only if it is already pointing at
@ -1718,10 +1731,9 @@ frdest_t *fdp;
ATOMIC_INCL(frstats[1].fr_acct);
}
fin->fin_fr = NULL;
if (!fr || !(fr->fr_flags & FR_RETMASK)) {
if (!fr || !(fr->fr_flags & FR_RETMASK))
(void) fr_checkstate(ip, fin);
(void) ip_natout(ip, fin);
}
(void) ip_natout(ip, fin);
}
#ifndef sparc
if (fin->fin_v == 4) {
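Review bot: In the `IP6_DL_SAP` branch of the `@ -625,15 +625,28` hunk the unaligned copy reads the two bytes at `ip->ip_len`, the IPv4 total-length field, so for an IPv6 packet `plen` no longer comes from `ip6_plen` as the `ntohs(ip6->ip6_plen)` line in the same branch did. The packet length used by the checks that follow would then be taken from the wrong header bytes (presumably a copy from the IPv4 branch above). The copy should read from the IPv6 field: `((char *)&tlen)[0] = ((char *)&ip6->ip6_plen)[0];` and `((char *)&tlen)[1] = ((char *)&ip6->ip6_plen)[1];`. The enclosing function starts and ends outside the hunk.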


@ -20,7 +20,7 @@ ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f14
# Rule parsing tests
ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
ntests: n1 n2 n3 n4
ntests: n1 n2 n3 n4 n5 n6 n7
0:
@(cd ..; make ipftest; )
@ -34,10 +34,10 @@ f12:
i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11:
@/bin/sh ./itest $@
n1 n2 n3 n4:
n1 n2 n3 n4 n5 n6 n7:
@/bin/sh ./nattest $@
clean:
/bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f14 results/*
/bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
/bin/rm -f n1 n2 n3 n4
/bin/rm -f n1 n2 n3 n4 n5 n6 n7


@ -0,0 +1,330 @@
ip 20(20) 255 10.1.1.0 > 10.1.1.2
ip 20(20) 255 10.2.2.2 > 10.1.1.2
ip 20(20) 255 10.1.1.2 > 10.1.1.1
ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
ip 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
ip 20(20) 255 10.2.2.1 > 10.1.2.1
ip 20(20) 255 10.2.2.2 > 10.1.2.1
ip 20(20) 255 10.1.1.1 > 10.1.1.2
ip 20(20) 255 10.1.1.2 > 10.1.1.1
ip 20(20) 255 10.2.2.1 > 10.2.1.1
ip 20(20) 255 10.2.2.2 > 10.2.1.1
ip 20(20) 255 10.2.2.3 > 10.1.1.1
ip 20(20) 255 10.2.3.4 > 10.2.2.2
ip 20(20) 255 10.1.1.1 > 10.2.2.2
ip 20(20) 255 10.1.1.2 > 10.1.1.1
ip 20(20) 255 10.1.1.0 > 10.3.4.5
ip 20(20) 255 10.1.1.1 > 10.3.4.5
ip 20(20) 255 10.1.1.2 > 10.3.4.5
ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
ip 48(20) 1 10.2.2.2 > 10.4.3.2
ip 48(20) 1 10.4.3.2 > 10.1.1.1
ip 48(20) 1 10.4.3.2 > 10.3.4.3
ip 48(20) 1 10.4.3.2 > 10.3.4.5
ip 20(20) 34 10.1.1.2 > 10.4.3.2
ip 20(20) 34 10.4.3.2 > 10.3.4.4
ip 20(20) 34 10.1.1.2 > 10.4.3.4
ip 20(20) 34 10.4.3.4 > 10.3.4.5
ip 20(20) 34 10.1.1.3 > 10.4.3.4
ip 20(20) 34 10.4.3.4 > 10.3.4.6
ip 20(20) 35 10.1.1.3 > 10.4.3.4
ip 20(20) 35 10.4.3.4 > 10.3.4.7
ip 40(20) 6 10.2.2.2,1025 > 10.1.1.1,1025
ip 40(20) 6 10.2.2.2,1025 > 10.1.1.2,1025
ip 20(20) 0 10.1.1.0 > 10.1.1.2
ip 20(20) 0 10.2.2.2 > 10.1.2.1
ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
ip 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
ip 28(20) 17 10.1.1.2,1025 > 10.1.1.1,1025
ip 40(20) 6 10.1.1.3,2000 > 10.1.2.1,80
ip 40(20) 6 10.1.1.3,2001 > 10.1.3.1,80
ip 40(20) 6 10.1.1.3,2002 > 10.1.4.1,80
ip 40(20) 6 10.1.1.3,2003 > 10.1.4.1,80
ip 20(20) 0 10.1.1.1 > 10.1.1.2
ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
ip 20(20) 0 10.1.1.2 > 10.1.1.1
ip 40(20) 6 10.2.2.2,1026 > 10.3.4.5,40000
ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
ip 40(20) 6 10.2.2.2,1025 > 10.3.4.5,40000
ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
-------------------------------
ip 20(20) 255 10.3.4.5 > 10.1.1.2
ip 20(20) 255 10.1.1.1 > 10.1.1.2
ip 20(20) 255 10.3.4.5 > 10.1.1.1
ip 40(20) 6 10.3.4.5,1025 > 10.1.1.1,1025
ip 40(20) 6 10.3.4.5,1026 > 10.1.1.1,1025
ip 20(20) 255 10.2.2.1 > 10.1.2.1
ip 20(20) 255 10.2.2.2 > 10.1.2.1
ip 20(20) 255 10.1.1.1 > 10.1.1.2
ip 20(20) 255 10.1.1.2 > 10.1.1.1
ip 20(20) 255 10.2.2.1 > 10.2.1.1
ip 20(20) 255 10.2.2.2 > 10.2.1.1
ip 20(20) 255 10.2.2.3 > 10.1.1.1
ip 20(20) 255 10.2.3.4 > 10.2.2.2
ip 20(20) 255 10.1.1.1 > 10.2.2.2
ip 20(20) 255 10.1.1.2 > 10.2.2.2
ip 20(20) 255 10.1.1.0 > 10.3.4.5
ip 20(20) 255 10.1.1.1 > 10.1.1.2
ip 20(20) 255 10.1.1.2 > 10.1.1.0
ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
ip 48(20) 1 10.1.1.1 > 10.4.3.2
ip 48(20) 1 10.4.3.2 > 10.2.2.2
ip 48(20) 1 10.4.3.2 > 10.3.4.3
ip 48(20) 1 10.4.3.2 > 10.3.4.5
ip 20(20) 34 10.1.1.2 > 10.4.3.2
ip 20(20) 34 10.4.3.2 > 10.3.4.4
ip 20(20) 34 10.1.1.2 > 10.4.3.4
ip 20(20) 34 10.4.3.4 > 10.3.4.5
ip 20(20) 34 10.1.1.3 > 10.4.3.4
ip 20(20) 34 10.4.3.4 > 10.3.4.6
ip 20(20) 35 10.1.1.3 > 10.4.3.4
ip 20(20) 35 10.4.3.4 > 10.3.4.7
ip 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
ip 40(20) 6 10.3.4.5,1025 > 10.1.1.2,1025
ip 20(20) 0 10.3.4.5 > 10.1.1.2
ip 20(20) 0 10.3.4.5 > 10.1.2.1
ip 40(20) 6 10.3.4.5,1025 > 10.1.1.1,1025
ip 40(20) 6 10.3.4.5,1025 > 10.1.1.1,1025
ip 40(20) 6 10.3.4.5,1026 > 10.1.1.1,1025
ip 28(20) 17 10.3.4.5,1025 > 10.1.1.1,1025
ip 40(20) 6 10.3.4.5,2000 > 10.1.2.1,80
ip 40(20) 6 10.3.4.5,2001 > 10.1.3.1,80
ip 40(20) 6 10.3.4.5,2002 > 10.1.4.1,80
ip 40(20) 6 10.3.4.5,2003 > 10.1.4.1,80
ip 20(20) 0 10.1.1.1 > 10.1.1.2
ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
ip 20(20) 0 10.1.1.2 > 10.1.1.1
ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
-------------------------------
ip 20(20) 255 10.1.1.0 > 10.1.1.2
ip 20(20) 255 10.1.1.1 > 10.1.1.2
ip 20(20) 255 10.1.1.2 > 10.1.1.1
ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
ip 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
ip 20(20) 255 10.2.2.1 > 10.1.2.1
ip 20(20) 255 10.2.2.2 > 10.1.2.1
ip 20(20) 255 10.1.1.1 > 10.1.1.2
ip 20(20) 255 10.1.1.2 > 10.1.1.1
ip 20(20) 255 10.2.2.1 > 10.2.1.1
ip 20(20) 255 10.2.2.2 > 10.2.1.1
ip 20(20) 255 10.2.2.3 > 10.1.1.1
ip 20(20) 255 10.2.3.4 > 10.2.2.2
ip 20(20) 255 10.1.1.1 > 10.2.2.2
ip 20(20) 255 10.1.1.2 > 10.2.2.2
ip 20(20) 255 10.1.1.0 > 10.3.4.5
ip 20(20) 255 10.1.1.1 > 10.3.4.5
ip 20(20) 255 10.1.1.2 > 10.3.4.5
ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
ip 48(20) 1 10.3.4.1 > 10.4.3.2
ip 48(20) 1 10.4.3.2 > 10.2.2.2
ip 48(20) 1 10.4.3.2 > 10.3.4.3
ip 48(20) 1 10.4.3.2 > 10.3.4.5
ip 20(20) 34 10.3.4.1 > 10.4.3.2
ip 20(20) 34 10.4.3.2 > 10.3.4.4
ip 20(20) 34 10.3.4.1 > 10.4.3.4
ip 20(20) 34 10.4.3.4 > 10.3.4.5
ip 20(20) 34 10.3.4.2 > 10.4.3.4
ip 20(20) 34 10.4.3.4 > 10.3.4.6
ip 20(20) 35 10.3.4.2 > 10.4.3.4
ip 20(20) 35 10.4.3.4 > 10.3.4.7
ip 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
ip 20(20) 0 10.1.1.0 > 10.1.1.2
ip 20(20) 0 10.1.1.1 > 10.1.2.1
ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
ip 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
ip 28(20) 17 10.1.1.2,1025 > 10.1.1.1,1025
ip 40(20) 6 10.1.1.3,2000 > 10.1.2.1,80
ip 40(20) 6 10.1.1.3,2001 > 10.1.3.1,80
ip 40(20) 6 10.1.1.3,2002 > 10.1.4.1,80
ip 40(20) 6 10.1.1.3,2003 > 10.1.4.1,80
ip 20(20) 0 10.1.1.1 > 10.1.1.2
ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
ip 20(20) 0 10.1.1.2 > 10.1.1.1
ip 40(20) 6 10.3.4.1,1026 > 10.3.4.5,40000
ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
ip 40(20) 6 10.3.4.1,1025 > 10.3.4.5,40000
ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
ip 28(20) 17 10.3.4.1,1025 > 10.3.4.5,40001
ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
-------------------------------
ip 20(20) 255 10.1.1.0 > 10.1.1.2
ip 20(20) 255 10.1.1.1 > 10.1.1.2
ip 20(20) 255 10.1.1.2 > 10.1.1.1
ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
ip 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
ip 20(20) 255 10.2.2.1 > 10.1.2.1
ip 20(20) 255 10.2.2.2 > 10.1.2.1
ip 20(20) 255 10.1.1.1 > 10.1.1.2
ip 20(20) 255 10.1.1.2 > 10.1.1.1
ip 20(20) 255 10.2.2.1 > 10.2.1.1
ip 20(20) 255 10.2.2.2 > 10.2.1.1
ip 20(20) 255 10.2.2.3 > 10.1.1.1
ip 20(20) 255 10.2.3.4 > 10.2.2.2
ip 20(20) 255 10.1.1.1 > 10.2.2.2
ip 20(20) 255 10.1.1.2 > 10.2.2.2
ip 20(20) 255 10.1.1.0 > 10.3.4.5
ip 20(20) 255 10.1.1.1 > 10.3.4.5
ip 20(20) 255 10.1.1.2 > 10.3.4.5
ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
ip 48(20) 1 10.1.1.1 > 10.4.3.2
ip 48(20) 1 10.4.3.2 > 10.2.2.2
ip 48(20) 1 10.4.3.2 > 10.3.4.3
ip 48(20) 1 10.4.3.2 > 10.3.4.5
ip 20(20) 34 10.1.1.2 > 10.4.3.2
ip 20(20) 34 10.4.3.2 > 10.3.4.4
ip 20(20) 34 10.1.1.2 > 10.4.3.4
ip 20(20) 34 10.4.3.4 > 10.3.4.5
ip 20(20) 34 10.1.1.3 > 10.4.3.4
ip 20(20) 34 10.4.3.4 > 10.3.4.6
ip 20(20) 35 10.1.1.3 > 10.4.3.4
ip 20(20) 35 10.4.3.4 > 10.3.4.7
ip 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
ip 20(20) 0 10.1.1.0 > 10.1.1.2
ip 20(20) 0 10.1.1.1 > 10.1.2.1
ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
ip 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
ip 28(20) 17 10.3.4.5,10000 > 10.1.1.1,1025
ip 40(20) 6 10.1.1.3,2000 > 10.1.2.1,80
ip 40(20) 6 10.1.1.3,2001 > 10.1.3.1,80
ip 40(20) 6 10.1.1.3,2002 > 10.1.4.1,80
ip 40(20) 6 10.1.1.3,2003 > 10.1.4.1,80
ip 20(20) 0 10.1.1.1 > 10.1.1.2
ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
ip 20(20) 0 10.1.1.2 > 10.1.1.1
ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
ip 28(20) 17 10.3.4.5,10001 > 10.3.4.5,40001
ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
-------------------------------
ip 20(20) 255 10.1.1.0 > 10.1.1.2
ip 20(20) 255 10.1.1.1 > 10.1.1.2
ip 20(20) 255 10.1.1.2 > 10.1.1.1
ip 40(20) 6 10.3.4.1,10000 > 10.1.1.1,1025
ip 40(20) 6 10.3.4.1,10001 > 10.1.1.1,1025
ip 20(20) 255 10.2.2.1 > 10.1.2.1
ip 20(20) 255 10.2.2.2 > 10.1.2.1
ip 20(20) 255 10.1.1.1 > 10.1.1.2
ip 20(20) 255 10.1.1.2 > 10.1.1.1
ip 20(20) 255 10.2.2.1 > 10.2.1.1
ip 20(20) 255 10.2.2.2 > 10.2.1.1
ip 20(20) 255 10.2.2.3 > 10.1.1.1
ip 20(20) 255 10.2.3.4 > 10.2.2.2
ip 20(20) 255 10.1.1.1 > 10.2.2.2
ip 20(20) 255 10.1.1.2 > 10.2.2.2
ip 20(20) 255 10.1.1.0 > 10.3.4.5
ip 20(20) 255 10.1.1.1 > 10.3.4.5
ip 20(20) 255 10.1.1.2 > 10.3.4.5
ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
ip 48(20) 1 10.1.1.1 > 10.4.3.2
ip 48(20) 1 10.4.3.2 > 10.2.2.2
ip 48(20) 1 10.4.3.2 > 10.3.4.3
ip 48(20) 1 10.4.3.2 > 10.3.4.5
ip 20(20) 34 10.1.1.2 > 10.4.3.2
ip 20(20) 34 10.4.3.2 > 10.3.4.4
ip 20(20) 34 10.1.1.2 > 10.4.3.4
ip 20(20) 34 10.4.3.4 > 10.3.4.5
ip 20(20) 34 10.1.1.3 > 10.4.3.4
ip 20(20) 34 10.4.3.4 > 10.3.4.6
ip 20(20) 35 10.1.1.3 > 10.4.3.4
ip 20(20) 35 10.4.3.4 > 10.3.4.7
ip 40(20) 6 10.3.4.1,10002 > 10.1.1.1,1025
ip 40(20) 6 10.3.4.1,10003 > 10.1.1.2,1025
ip 20(20) 0 10.1.1.0 > 10.1.1.2
ip 20(20) 0 10.1.1.1 > 10.1.2.1
ip 40(20) 6 10.3.4.1,10000 > 10.1.1.1,1025
ip 40(20) 6 10.3.4.1,10000 > 10.1.1.1,1025
ip 40(20) 6 10.3.4.1,10001 > 10.1.1.1,1025
ip 28(20) 17 10.3.4.1,10004 > 10.1.1.1,1025
ip 40(20) 6 10.3.4.1,10005 > 10.1.2.1,80
ip 40(20) 6 10.3.4.1,10006 > 10.1.3.1,80
ip 40(20) 6 10.3.4.1,10007 > 10.1.4.1,80
ip 40(20) 6 10.3.4.1,10008 > 10.1.4.1,80
ip 20(20) 0 10.1.1.1 > 10.1.1.2
ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
ip 20(20) 0 10.1.1.2 > 10.1.1.1
ip 40(20) 6 10.3.4.1,10009 > 10.3.4.5,40000
ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
ip 40(20) 6 10.3.4.1,10010 > 10.3.4.5,40000
ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
ip 28(20) 17 10.3.4.1,10011 > 10.3.4.5,40001
ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
ip 40(20) 6 10.3.4.1,10012 > 10.3.4.5,40001
ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
-------------------------------
ip 20(20) 255 10.1.1.0 > 10.1.1.2
ip 20(20) 255 10.1.1.1 > 10.1.1.2
ip 20(20) 255 10.1.1.2 > 10.1.1.1
ip 40(20) 6 10.3.4.5,40000 > 10.1.1.1,1025
ip 40(20) 6 10.3.4.5,40001 > 10.1.1.1,1025
ip 20(20) 255 10.2.2.1 > 10.1.2.1
ip 20(20) 255 10.2.2.2 > 10.1.2.1
ip 20(20) 255 10.1.1.1 > 10.1.1.2
ip 20(20) 255 10.1.1.2 > 10.1.1.1
ip 20(20) 255 10.2.2.1 > 10.2.1.1
ip 20(20) 255 10.2.2.2 > 10.2.1.1
ip 20(20) 255 10.2.2.3 > 10.1.1.1
ip 20(20) 255 10.2.3.4 > 10.2.2.2
ip 20(20) 255 10.1.1.1 > 10.2.2.2
ip 20(20) 255 10.1.1.2 > 10.2.2.2
ip 20(20) 255 10.1.1.0 > 10.3.4.5
ip 20(20) 255 10.1.1.1 > 10.3.4.5
ip 20(20) 255 10.1.1.2 > 10.3.4.5
ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
ip 48(20) 1 10.1.1.1 > 10.4.3.2
ip 48(20) 1 10.4.3.2 > 10.2.2.2
ip 48(20) 1 10.4.3.2 > 10.3.4.3
ip 48(20) 1 10.4.3.2 > 10.3.4.5
ip 20(20) 34 10.1.1.2 > 10.4.3.2
ip 20(20) 34 10.4.3.2 > 10.3.4.4
ip 20(20) 34 10.1.1.2 > 10.4.3.4
ip 20(20) 34 10.4.3.4 > 10.3.4.5
ip 20(20) 34 10.1.1.3 > 10.4.3.4
ip 20(20) 34 10.4.3.4 > 10.3.4.6
ip 20(20) 35 10.1.1.3 > 10.4.3.4
ip 20(20) 35 10.4.3.4 > 10.3.4.7
ip 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
ip 40(20) 6 10.3.4.5,40000 > 10.1.1.2,1025
ip 20(20) 0 10.1.1.0 > 10.1.1.2
ip 20(20) 0 10.1.1.1 > 10.1.2.1
ip 40(20) 6 10.3.4.5,40000 > 10.1.1.1,1025
ip 40(20) 6 10.3.4.5,40000 > 10.1.1.1,1025
ip 40(20) 6 10.3.4.5,40001 > 10.1.1.1,1025
ip 28(20) 17 10.3.4.5,40001 > 10.1.1.1,1025
ip 40(20) 6 10.3.4.5,40000 > 10.1.2.1,80
ip 40(20) 6 10.3.4.5,40001 > 10.1.3.1,80
ip 40(20) 6 10.3.4.5,40000 > 10.1.4.1,80
ip 40(20) 6 10.3.4.5,40001 > 10.1.4.1,80
ip 20(20) 0 10.1.1.1 > 10.1.1.2
ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
ip 20(20) 0 10.1.1.2 > 10.1.1.1
ip 40(20) 6 10.3.4.5,40000 > 10.3.4.5,40000
ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
ip 40(20) 6 10.3.4.5,40001 > 10.3.4.5,40000
ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
ip 28(20) 17 10.3.4.5,40000 > 10.3.4.5,40001
ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
-------------------------------


@ -0,0 +1,70 @@
ip 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023
ip 40(20) 6 10.2.2.2,12345 > 10.1.1.2,23
ip 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23
ip 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
ip 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
ip 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
ip 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
ip 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
ip 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
ip 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
ip 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
ip 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
-------------------------------
ip 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023
ip 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023
ip 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23
ip 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
ip 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
ip 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
ip 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
ip 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
ip 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
ip 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
ip 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
ip 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
-------------------------------
ip 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023
ip 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023
ip 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23
ip 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,23
ip 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
ip 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
ip 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
ip 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
ip 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
ip 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
ip 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
-------------------------------
ip 40(20) 6 10.2.2.2,12345 > 10.1.1.1,23
ip 40(20) 6 10.2.2.2,12345 > 10.1.1.2,23
ip 40(20) 6 10.3.0.1,12345 > 10.2.2.1,10023
ip 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
ip 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
ip 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
ip 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
ip 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
ip 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
ip 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
ip 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
ip 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
-------------------------------
ip 40(20) 6 10.2.2.2,12345 > 10.1.1.1,23
ip 40(20) 6 10.2.2.2,12345 > 10.1.1.2,23
ip 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23
ip 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,23
ip 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
ip 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
ip 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
ip 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
ip 28(20) 17 10.3.3.3,12345 > 10.2.2.1,10053
ip 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
ip 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
-------------------------------


@ -0,0 +1,20 @@
ip 40(20) 6 10.2.3.1,1230 > 10.1.1.1,22
ip 40(20) 6 10.2.3.1,1231 > 10.2.2.1,10023
ip 40(20) 6 10.2.3.1,1232 > 10.2.2.1,10050
ip 40(20) 6 10.2.3.1,1233 > 10.2.2.1,10079
ip 40(20) 6 10.2.3.1,1234 > 10.1.1.1,80
ip 40(20) 6 10.2.3.1,1235 > 10.1.1.2,80
ip 40(20) 6 10.2.3.1,1236 > 10.1.1.3,80
ip 40(20) 6 10.2.3.1,1237 > 10.1.1.4,80
ip 40(20) 6 10.2.3.1,1238 > 10.1.1.4,80
-------------------------------
ip 40(20) 6 10.2.3.1,1230 > 10.1.1.1,22
ip 40(20) 6 10.2.3.1,1231 > 10.1.1.1,23
ip 40(20) 6 10.2.3.1,1232 > 10.1.1.1,50
ip 40(20) 6 10.2.3.1,1233 > 10.1.1.1,79
ip 40(20) 6 10.2.3.1,1234 > 10.2.2.1,3128
ip 40(20) 6 10.2.3.1,1235 > 1.2.2.129,3128
ip 40(20) 6 10.2.3.1,1236 > 10.2.2.1,3128
ip 40(20) 6 10.2.3.1,1237 > 1.2.2.129,3128
ip 40(20) 6 10.2.3.1,1238 > 10.2.2.1,3128
-------------------------------


@ -0,0 +1,54 @@
out on zx0 255 10.1.1.0 10.1.1.2
out on zx0 255 10.1.1.1 10.1.1.2
out on zx0 255 10.1.1.2 10.1.1.1
out on zx0 tcp 10.1.1.2,1025 10.1.1.1,1025
out on zx0 tcp 10.1.1.2,1026 10.1.1.1,1025
out on zx0 255 10.2.2.1 10.1.2.1
out on zx0 255 10.2.2.2 10.1.2.1
in on zx0 255 10.1.1.1 10.1.1.2
in on zx0 255 10.1.1.2 10.1.1.1
in on zx0 255 10.2.2.1 10.2.1.1
in on zx0 255 10.2.2.2 10.2.1.1
in on zx0 255 10.2.2.3 10.1.1.1
in on zx0 255 10.2.3.4 10.2.2.2
in on zx0 255 10.1.1.1 10.2.2.2
in on zx0 255 10.1.1.2 10.2.2.2
in on zx0 255 10.1.1.0 10.3.4.5
in on zx0 255 10.1.1.1 10.3.4.5
in on zx0 255 10.1.1.2 10.3.4.5
in on zx0 tcp 10.1.1.1,1025 10.3.4.5,1025
out on zx0 icmp 10.1.1.1 10.4.3.2
in on zx0 icmp 10.4.3.2 10.2.2.2
in on zx0 icmp 10.4.3.2 10.3.4.3
in on zx0 icmp 10.4.3.2 10.3.4.5
out on zx0 34 10.1.1.2 10.4.3.2
in on zx0 34 10.4.3.2 10.3.4.4
out on zx0 34 10.1.1.2 10.4.3.4
in on zx0 34 10.4.3.4 10.3.4.5
out on zx0 34 10.1.1.3 10.4.3.4
in on zx0 34 10.4.3.4 10.3.4.6
out on zx0 35 10.1.1.3 10.4.3.4
in on zx0 35 10.4.3.4 10.3.4.7
out on zx0 tcp 10.1.1.1,1025 10.1.1.1,1025
out on zx0 tcp 10.1.1.1,1025 10.1.1.2,1025
out on zx0 10.1.1.0 10.1.1.2
out on zx0 10.1.1.1 10.1.2.1
out on zx0 tcp 10.1.1.2,1025 10.1.1.1,1025
out on zx0 tcp 10.1.1.2,1025 10.1.1.1,1025
out on zx0 tcp 10.1.1.2,1026 10.1.1.1,1025
out on zx0 udp 10.1.1.2,1025 10.1.1.1,1025
out on zx0 tcp 10.1.1.3,2000 10.1.2.1,80
out on zx0 tcp 10.1.1.3,2001 10.1.3.1,80
out on zx0 tcp 10.1.1.3,2002 10.1.4.1,80
out on zx0 tcp 10.1.1.3,2003 10.1.4.1,80
in on zx0 10.1.1.1 10.1.1.2
in on zx0 tcp 10.1.1.1,1025 10.1.1.2,1025
in on zx0 10.1.1.2 10.1.1.1
out on zx0 tcp 10.1.1.1,1026 10.3.4.5,40000
in on zx0 tcp 10.1.1.1,1026 10.3.4.5,40000
out on zx0 tcp 10.1.1.1,1025 10.3.4.5,40000
in on zx0 tcp 10.1.1.1,1025 10.3.4.5,40000
out on zx0 udp 10.1.1.2,1025 10.3.4.5,40001
in on zx0 udp 10.1.1.2,1025 10.3.4.5,40001
out on zx0 tcp 10.1.2.1,80 10.3.4.5,40001
in on zx0 tcp 10.1.2.1,80 10.3.4.5,40001


@ -0,0 +1,13 @@
in on zx0 tcp 10.2.2.2,12345 10.1.1.1,23
in on zx0 tcp 10.2.2.2,12345 10.1.1.2,23
in on zx0 tcp 10.3.0.1,12345 10.1.2.2,23
in on zx0 tcp 10.3.0.1,12345 10.2.2.2,23
in on zx0 tcp 10.3.3.3,12345 10.1.1.1,23
in on zx0 tcp 10.2.2.2,12345 10.1.1.1,53
in on zx0 tcp 10.3.3.3,12345 10.1.1.1,53
in on zx0 tcp 10.2.2.2,12345 10.1.0.0,23
in on zx0 tcp 10.3.3.3,12345 10.1.0.0,23
in on zx0 udp 10.2.2.2,12345 10.1.1.0,53
in on zx0 udp 10.3.3.3,12345 10.1.1.0,53
in on zx0 tcp 10.2.2.2,12345 10.1.1.0,53
in on zx0 tcp 10.3.3.3,12345 10.1.1.0,53


@ -0,0 +1,9 @@
in on zx0 tcp 10.2.3.1,1230 10.1.1.1,22
in on zx0 tcp 10.2.3.1,1231 10.1.1.1,23
in on zx0 tcp 10.2.3.1,1232 10.1.1.1,50
in on zx0 tcp 10.2.3.1,1233 10.1.1.1,79
in on zx0 tcp 10.2.3.1,1234 10.1.1.1,80
in on zx0 tcp 10.2.3.1,1235 10.1.1.2,80
in on zx0 tcp 10.2.3.1,1236 10.1.1.3,80
in on zx0 tcp 10.2.3.1,1237 10.1.1.4,80
in on zx0 tcp 10.2.3.1,1238 10.1.1.4,80


@ -0,0 +1,6 @@
map zx0 10.1.1.1/32 -> 10.2.2.2/32
map zx0 from 10.1.1.0/24 to 10.1.0.0/16 -> 10.3.4.5/32
map zx0 from 10.1.1.0/24 ! to 10.1.0.0/16 -> 10.3.4.0/24
map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap udp 10000:20000
map zx0 10.1.0.0/16 -> 10.3.4.0/24 portmap tcp/udp 10000:20000
map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap tcp/udp 40000:40001


@ -0,0 +1,5 @@
rdr zx0 10.1.1.1/32 port 23 -> 10.2.2.1 port 10023 tcp
rdr zx0 from any to 10.1.1.0/24 port = 23 -> 10.2.2.1 port 10023 tcp
rdr zx0 from 10.2.0.0/16 to 10.1.1.0/24 port = 23 -> 10.2.2.1 port 10023 tcp
rdr zx0 from 10.3.0.0/16 to 10.1.0.0/16 port = 23 -> 10.2.2.1 port 10023 tcp
rdr zx0 ! from 10.2.0.0/16 to 10.1.1.0/24 port = 53 -> 10.2.2.1 port 10053 udp


@ -0,0 +1,2 @@
rdr zx0 10.1.1.1/32 port 23-79 -> 10.2.2.1 port 10023 tcp
rdr zx0 10.1.1.0/24 port 80 -> 10.2.2.1,1.2.2.129 port 3128 tcp