This commit was generated by cvs2svn to compensate for changes in r145510,

which included commits to RCS files with non-trunk default branches.
Darren Reed 2005-04-25 17:31:50 +00:00
commit 3c911a00da
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=145511
417 changed files with 41249 additions and 1734 deletions


@ -0,0 +1,28 @@
ipf
sparcv7
sparcv9
h
ipf-darren
bugs
ipftest
patches
state
cbits
CVS
old
new
netinet
import
bak
streams
cvs.diff
threads
glibc
hp
windows
ipnat
opt_inet6.h
ippool
ipmon
ip_rules.c
ip_rules.h


@ -1,25 +1,26 @@
filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
[ proto ] [ ip ] [ group ].
[ proto ] [ ip ] [ group ] [ tag ] [ pps ] .
insert = "@" decnumber .
action = block | "no-match" | "pass" | log | "count" | skip | auth | call .
action = block | "pass" | log | "count" | auth | call .
in-out = "in" | "out" .
options = [ log ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ]
[ via ] ] .
options = [ log ] [ "quick" ] [ onif [ dup ] [ froute ] ] .
tos = "tos" decnumber | "tos" hexnumber .
ttl = "ttl" decnumber .
proto = "proto" protocol .
ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
group = [ "head" decnumber ] [ "group" decnumber ] .
pps = "pps" decnumber .
onif = "on" interface-name [ "out-via" interface-name ] .
block = "block" [ return-icmp[return-code] | "return-rst" ] .
auth = "auth" | "preauth" .
log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
call = "call" [ "now" ] function-name .
skip = "skip" decnumber .
tag = "tag" tagid .
call = "call" [ "now" ] function-name "/" decnumber.
dup = "dup-to" interface-name[":"ipaddr] .
via = "in-via" interface-name | "out-via" interface-name .
froute = "fastroute" | "to" interface-name [ ":" ipaddr ] .
froute = "fastroute" | "to" interface-name .
replyto = "reply-to" interface-name [ ":" ipaddr ] .
protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
srcdst = "all" | fromto .
fromto = "from" object "to" object .
@ -34,8 +35,7 @@ flags = "flags" flag { flag } [ "/" flag { flag } ] .
with = "with" | "and" .
icmp = "icmp-type" icmp-type [ "code" decnumber ] .
return-code = "("icmp-code")" .
keep = "keep" "state" | "keep" "frags" | "keep" "state-age" state-age .
state-age = decnmber [ "/" decnumber ] .
keep = "keep" "state" [ "limit" number ] | "keep" "frags" .
nummask = host-name [ "/" decnumber ] .
host-name = ipaddr | hostname | "any" .
@ -43,8 +43,9 @@ ipaddr = host-num "." host-num "." host-num "." host-num .
host-num = digit [ digit [ digit ] ] .
port-num = service-name | decnumber .
withopt = [ "not" | "no" ] opttype [ withopt ] .
opttype = "ipopts" | "short" | "frag" | "opt" ipopts .
withopt = [ "not" | "no" ] opttype [ [ "," ] withopt ] .
opttype = "ipopts" | "short" | "nat" | "bad-src" | "lowttl" | "frag" |
"mbcast" | "opt" ipopts .
optname = ipopts [ "," optname ] .
ipopts = optlist | "sec-class" [ secname ] .
secname = seclvl [ "," secname ] .
@ -77,4 +78,4 @@ compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" | "gt" |
range = "<>" | "><" .
hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
flag = "F" | "S" | "R" | "P" | "A" | "U" .
flag = "F" | "S" | "R" | "P" | "A" | "U" | "C" | "W" .


@ -0,0 +1,22 @@
ipf
ipfs
ipfstat
ipftest
ipmon
ipnat
ipresend
ipsend
iptest
vnode_if.h
if_ipl
i386
amiga
FreeBSD*
BSDOS*
NetBSD*
OpenBSD*
*_lex_var.h
*_y.c
*_l.c
*_y.h
ip_rules.*


@ -1,16 +1,14 @@
#
# Copyright (C) 1993-1998 by Darren Reed.
#
# Redistribution and use in source and binary forms are permitted
# provided that this notice is preserved and due credit is given
# to the original author and the contributors.
# See the IPFILTER.LICENCE file for details on licencing.
#
BINDEST=/usr/sbin
SBINDEST=/sbin
SEARCHDIRS=$(BINDEST) $(SBINDEST) /bin /usr/bin /sbin /usr/sbin \
/usr/local/bin /usr/local/sbin
MANDIR=/usr/share/man
CC=cc -Wall -Wstrict-prototypes -Wuninitialized -O
SEARCHDIRS!=echo $(BINDEST) $(SBINDEST) /bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin | awk '{for(i=1;i<NF;i++){print $$i;}}' - | sort -u
CC=cc -Wall -Wuninitialized -Wstrict-prototypes -O
CFLAGS=-g -I$(TOP)
#
# For NetBSD/FreeBSD
@ -21,16 +19,19 @@ INC=-I/usr/include -I/sys -I/sys/sys -I/sys/arch
DEF=-D$(CPU) -D__$(CPU)__ -DINET -DKERNEL -D_KERNEL $(INC) $(DEVFS)
IPDEF=$(DEF) -DGATEWAY -DDIRECTED_BROADCAST
VNODESHDIR=/sys/kern
MLD=$(ML) vnode_if.h
MLD=$(ML)
ML=mln_ipl.c
IPFILC=ip_fil.c
LKM=if_ipl.o
LKMR=ipfrule.o
DLKM=
OBJ=.
DEST=$(OBJ)
MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \
'CFLAGS=$(CFLAGS) $(SOLARIS2)' "IPFLKM=$(IPFLKM)" \
"IPFLOG=$(IPFLOG)" "LOGFAC=$(LOGFAC)" "POLICY=$(POLICY)" \
"SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "DCPU=$(CPU)" \
"CPUDIR=$(CPUDIR)"
"CPUDIR=$(CPUDIR)" "LOOKUP=$(LOOKUP)" "SYNC=$(SYNC)"
LIBS=-L. -lipf $(LIBBPF)
#
########## ########## ########## ########## ########## ########## ##########
#
@ -39,205 +40,425 @@ RM=/bin/rm
CHMOD=/bin/chmod
INSTALL=install
#
MODOBJS=ip_fil.o fil_k.o ml_ipl.o ip_nat.o ip_frag.o ip_state.o ip_proxy.o \
ip_auth.o ip_log.o
DFLAGS=$(IPFLKM) $(DEF) $(DLKM)
IPF=ipf.o parse.o common.o opt.o facpri.o
IPT=ipt.o parse.o common.o fil.o ipft_sn.o ipft_ef.o ipft_td.o ipft_pc.o \
opt.o ipft_tx.o misc.o ip_frag_u.o ip_state_u.o ip_nat_u.o ip_proxy_u.o \
ip_auth_u.o ipft_hx.o ip_fil_u.o ip_log_u.o natparse.o facpri.o \
printnat.o printstate.o
IPNAT=ipnat.o kmem.o natparse.o common.o printnat.o
FILS=fils.o parse.o kmem.o opt.o facpri.o common.o printstate.o
MODOBJS=ip_fil.o fil.o ml_ipl.o ip_nat.o ip_frag.o ip_state.o ip_proxy.o \
ip_auth.o ip_log.o ip_pool.o ip_htable.o ip_lookup.o ip_rules.o \
ip_scan.o ip_sync.o
# ip_trafcon.o
DFLAGS=$(IPFLKM) $(IPFLOG) $(LOOKUP) $(SYNC) $(DEF) $(DLKM) $(IPFBPF)
IPF=ipf.o ipfcomp.o ipf_y.o ipf_l.o
IPT=ipftest.o fil_u.o ip_frag_u.o ip_state_u.o ip_nat_u.o \
ip_proxy_u.o ip_auth_u.o ip_htable_u.o ip_lookup_u.o ip_pool_u.o \
ip_scan_u.o ip_sync_u.o ip_rules_u.o ip_fil_u.o ip_log_u.o \
ippool_y.o ippool_l.o ipf_y.o ipf_l.o ipnat_y.o ipnat_l.o \
md5_u.o radix_u.o bpf_filter_u.o
# ip_syn_u.o
#ip_trafcon_u.o
TOOL=$(TOP)/tools
IPNAT=ipnat.o ipnat_y.o ipnat_l.o
IPMON=ipmon.o ipmon_y.o ipmon_l.o
IPPOOL=ippool_y.o ippool_l.o kmem.o ippool.o
IPTRAFCON=iptrafcon.o
PROXYLIST=$(TOP)/ip_ftp_pxy.c $(TOP)/ip_ipsec_pxy.c $(TOP)/ip_irc_pxy.c \
$(TOP)/ip_netbios_pxy.c $(TOP)/ip_raudio_pxy.c $(TOP)/ip_rcmd_pxy.c \
$(TOP)/ip_rpcb_pxy.c $(TOP)/ip_pptp_pxy.c
FILS=ipfstat.o
LIBSRC=$(TOP)/lib
RANLIB=ranlib
AROPTS=cq
HERE!=pwd
CCARGS=-I. $(DEBUG) $(CFLAGS)
#
# Extra is option kernel things we always want in user space.
#
EXTRA=$(ALLOPTS)
build all: ipf ipfs ipfstat ipftest ipmon ipnat $(LKM)
/bin/rm -f $(TOP)/ipf
ln -s `pwd`/ipf $(TOP)
/bin/rm -f $(TOP)/ipftest
ln -s `pwd`/ipftest $(TOP)
/bin/rm -f $(TOP)/ipmon
ln -s `pwd`/ipmon $(TOP)
/bin/rm -f $(TOP)/ipnat
ln -s `pwd`/ipnat $(TOP)
include $(TOP)/lib/Makefile
ipfstat: $(FILS)
$(CC) -static $(DEBUG) $(CFLAGS) $(STATETOP_CFLAGS) $(STATETOP_INC) \
$(FILS) -o $@ $(LIBS) $(STATETOP_LIB) -lkvm
build all: machine $(OBJ)/libipf.a ipf ipfs ipfstat ipftest ipmon ipnat \
ippool ipscan ipsyncm ipsyncs $(LKM) $(LKMR)
-sh -c 'for i in ipf ipftest ipmon ippool ipnat ipscan ipsyncm ipsyncs; do /bin/rm -f $(TOP)/$$i; ln -s `pwd`/$$i $(TOP); done'
ipf: $(IPF)
$(CC) -static $(DEBUG) $(CFLAGS) $(IPF) -o $@ $(LIBS)
machine: Makefile.kmod
if [ -f Makefile.kmod ] ; then \
make -f Makefile.kmod depend MKUPDATE=no; \
fi
ipftest: $(IPT)
$(CC) $(DEBUG) $(CFLAGS) $(IPT) -o $@ $(LIBS)
Makefile.kmod:
if [ -f /usr/share/mk/bsd.kmod.mk -a "`uname -s`" = "NetBSD" ] ; then \
rm -f Makefile.kmod; \
ln -s /usr/share/mk/bsd.kmod.mk Makefile.kmod; \
fi
ipnat: $(IPNAT)
$(CC) -static $(DEBUG) $(CFLAGS) $(IPNAT) -o $@ $(LIBS) -lkvm
ipfstat: $(FILS) $(OBJ)/libipf.a
$(CC) $(CCARGS) $(STATETOP_CFLAGS) $(STATETOP_INC) $(FILS) \
-o $@ $(LIBS) $(STATETOP_LIB) -lkvm
ipf: $(IPF) $(OBJ)/libipf.a
$(CC) $(CCARGS) $(IPF) -o $@ $(LIBS) -ll $(LIBBPF)
ipftest: $(IPT) $(OBJ)/libipf.a
$(CC) $(CCARGS) $(IPT) -o $@ $(LIBS) -ll $(LIBBPF)
ipnat: $(IPNAT) $(OBJ)/libipf.a
$(CC) $(CCARGS) $(IPNAT) -o $@ $(LIBS) -lkvm -ll
ipfs: ipfs.o
$(CC) -static $(DEBUG) $(CFLAGS) ipfs.o -o $@ $(LIBS)
$(CC) $(CCARGS) ipfs.o -o $@
ipsyncm: ipsyncm.o $(OBJ)/libipf.a
$(CC) $(CCARGS) ipsyncm.o -o $@ $(LIBS)
ipsyncs: ipsyncs.o $(OBJ)/libipf.a
$(CC) $(CCARGS) ipsyncs.o -o $@ $(LIBS)
ipsyncm.o: $(TOOL)/ipsyncm.c $(TOP)/ip_sync.h
$(CC) $(CCARGS) -c $(TOOL)/ipsyncm.c -o $@
ipsyncs.o: $(TOOL)/ipsyncs.c $(TOP)/ip_sync.h
$(CC) $(CCARGS) -c $(TOOL)/ipsyncs.c -o $@
tests:
(cd test; make )
fils.o: $(TOP)/fils.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_frag.h \
$(TOP)/ip_compat.h $(TOP)/ip_state.h $(TOP)/ip_nat.h
$(CC) $(DEBUG) $(CFLAGS) $(STATETOP_CFLAGS) $(STATETOP_INC) \
-c $(TOP)/fils.c -o $@
ipfstat.o: $(TOOL)/ipfstat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_frag.h \
$(TOP)/ip_compat.h $(TOP)/ip_state.h $(TOP)/ip_nat.h $(TOP)/opts.h
$(CC) $(CCARGS) $(STATETOP_CFLAGS) $(STATETOP_INC) \
-c $(TOOL)/ipfstat.c -o $@
ipfs.o: $(TOP)/ipfs.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_state.h \
$(TOP)/ip_nat.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipfs.c -o $@
ipfs.o: $(TOOL)/ipfs.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_state.h \
$(TOP)/ip_nat.h $(TOP)/opts.h
$(CC) $(CCARGS) -c $(TOOL)/ipfs.c -o $@
fil.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_compat.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/fil.c -o $@
fil_u.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_compat.h \
$(TOP)/opts.h $(TOP)/ip_rules.h
$(CC) $(CCARGS) $(EXTRA) $(IPFBPF) -D_RADIX_H_ -c $(TOP)/fil.c -o $@
fil_k.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_compat.h \
$(TOP)/ipl.h
$(CC) $(DEBUG) $(CFLAGS) $(POLICY) $(DFLAGS) -c $(TOP)/fil.c -o $@
fil.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ip_compat.h $(TOP)/ipl.h \
$(TOP)/ip_rules.h
$(CC) $(CCARGS) $(POLICY) $(DFLAGS) $(IPFBPF) $(COMPIPF) \
-c $(TOP)/fil.c -o $@
ipf.o: $(TOP)/ipf.c $(TOP)/ip_fil.h $(TOP)/ipf.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipf.c -o $@
ipf.o: $(TOOL)/ipf.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/opts.h
$(CC) $(CCARGS) -c $(TOOL)/ipf.c -o $@
ipt.o: $(TOP)/ipt.c $(TOP)/ip_fil.h $(TOP)/ipt.h $(TOP)/ipf.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipt.c -o $@
ipfcomp.o: $(TOOL)/ipfcomp.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/opts.h
$(CC) $(CCARGS) -c $(TOOL)/ipfcomp.c -o $@
misc.o: $(TOP)/misc.c $(TOP)/ip_fil.h $(TOP)/ipt.h $(TOP)/ipf.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/misc.c -o $@
ipftest.o: $(TOOL)/ipftest.c $(TOP)/ip_fil.h $(TOP)/ipt.h $(TOP)/ipf.h \
$(TOP)/opts.h
$(CC) $(CCARGS) -c $(TOOL)/ipftest.c -o $@
opt.o: $(TOP)/opt.c $(TOP)/ip_fil.h $(TOP)/ipf.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/opt.c -o $@
ipnat.o: $(TOOL)/ipnat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_nat.h \
$(TOP)/opts.h
$(CC) $(CCARGS) -c $(TOOL)/ipnat.c -o $@
ipnat.o: $(TOP)/ipnat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_nat.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipnat.c -o $@
ipnat_y.o: ipnat_y.c ipnat_y.h ipnat_l.h
$(CC) $(CCARGS) -c ipnat_y.c -o $@
natparse.o: $(TOP)/natparse.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_nat.h \
$(TOP)/ip_compat.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/natparse.c -o $@
ipnat_l.o: ipnat_l.c ipnat_y.h
$(CC) $(CCARGS) -I. -c ipnat_l.c -o $@
printnat.o: $(TOP)/printnat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_nat.h \
$(TOP)/ip_compat.h $(TOP)/ip_proxy.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/printnat.c -o $@
ipnat_y.c: $(TOOL)/ipnat_y.y
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
printstate.o: $(TOP)/printstate.c $(TOP)/ip_fil.h $(TOP)/ipf.h \
$(TOP)/ip_state.h $(TOP)/ip_compat.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/printstate.c -o $@
ipnat_y.h: ipnat_y.c
ipft_sn.o: $(TOP)/ipft_sn.c $(TOP)/ipt.h $(TOP)/ipf.h $(TOP)/ip_fil.h \
$(TOP)/snoop.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_sn.c -o $@
ipnat_l.c: $(TOOL)/lexer.c $(TOP)/ip_nat.h
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
ipft_ef.o: $(TOP)/ipft_ef.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_ef.c -o $@
ipft_td.o: $(TOP)/ipft_td.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_td.c -o $@
ipft_pc.o: $(TOP)/ipft_pc.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_pc.c -o $@
ipft_tx.o: $(TOP)/ipft_tx.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_tx.c -o $@
ipft_hx.o: $(TOP)/ipft_hx.c $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/ipt.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_hx.c -o $@
ipnat_l.h: $(TOOL)/lexer.h
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
ip_nat_u.o: $(TOP)/ip_nat.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_nat.c -o $@
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_nat.c -o $@
ip_proxy_u.o: $(TOP)/ip_proxy.c $(TOP)/ip_proxy.h $(TOP)/ip_compat.h \
$(TOP)/ip_fil.h $(TOP)/ip_ftp_pxy.c $(TOP)/ip_rcmd_pxy.c \
$(TOP)/ip_raudio_pxy.c $(TOP)/ip_ipsec_pxy.c $(TOP)/ip_nat.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_proxy.c -o $@
$(TOP)/ip_fil.h $(PROXYLIST) $(TOP)/ip_nat.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_proxy.c -o $@
ip_frag_u.o: $(TOP)/ip_frag.c $(TOP)/ip_frag.h $(TOP)/ip_compat.h \
$(TOP)/ip_fil.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_frag.c -o $@
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_frag.c -o $@
ip_state_u.o: $(TOP)/ip_state.c $(TOP)/ip_state.h $(TOP)/ip_compat.h \
$(TOP)/ip_fil.h $(TOP)/ip_nat.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_state.c -o $@
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_state.c -o $@
ip_auth_u.o: $(TOP)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \
$(TOP)/ip_fil.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_auth.c -o $@
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_auth.c -o $@
ip_fil_u.o: $(TOP)/$(IPFILC) $(TOP)/ip_fil.h $(TOP)/ip_compat.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/$(IPFILC) -o $@
ip_fil_u.o: $(TOP)/ip_fil.c $(TOP)/ip_fil.h $(TOP)/ip_compat.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_fil.c -o $@
ip_rules_u.o: ip_rules.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
$(TOP)/ip_rules.h
$(CC) $(CCARGS) $(EXTRA) -c ip_rules.c -o $@
ip_scan_u.o: $(TOP)/ip_scan.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
$(TOP)/ip_scan.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_scan.c -o $@
ip_sync_u.o: $(TOP)/ip_sync.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
$(TOP)/ip_sync.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_sync.c -o $@
ip_pool_u.o: $(TOP)/ip_pool.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
$(TOP)/ip_pool.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_pool.c -o $@
ip_htable_u.o: $(TOP)/ip_htable.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
$(TOP)/ip_htable.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_htable.c -o $@
ip_lookup_u.o: $(TOP)/ip_lookup.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
$(TOP)/ip_lookup.h $(TOP)/ip_pool.h $(TOP)/ip_htable.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_lookup.c -o $@
ip_trafcon_u.o: $(TOP)/ip_trafcon.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
$(TOP)/ip_trafcon.h
$(CC) $(CCARGS) -c $(TOP)/ip_trafcon.c -o $@
ip_log_u.o: $(TOP)/ip_log.c $(TOP)/ip_fil.h $(TOP)/ip_compat.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ip_log.c -o $@
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_log.c -o $@
md5_u.o: $(TOP)/md5.c $(TOP)/md5.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/md5.c -o $@
radix_u.o: $(TOP)/md5.c $(TOP)/radix_ipf.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/radix.c -o $@
bpf_filter_u.o: $(TOP)/bpf_filter.c $(TOP)/pcap-ipf.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/bpf_filter.c -o $@
if_ipl.o: $(MODOBJS)
ld -r $(MODOBJS) -o $(LKM)
${RM} -f if_ipl
ipfrule.ko.5: ip_rulesx.o $(MLR)
ld -warn-common -r -d -o $(.TARGET:S/.ko/.kld/) ip_rulesx.o $(MLR)
ld -Bshareable -d -warn-common -o $(LKMR:S/.5$//) $(.TARGET:S/.ko/.kld/)
ipfrule.ko: ip_rulesx.o $(MLR)
gensetdefs ip_rulesx.o $(MLR)
$(CC) $(CCARGS) -c setdef0.c
$(CC) $(CCARGS) -c setdef1.c
ld -Bshareable -o $@ setdef0.o ip_rulesx.o $(MLR) setdef1.o
ipf.ko.5 ipl.ko.5: $(MODOBJS)
ld -warn-common -r -d -o $(.TARGET:S/.ko/.kld/) $(MODOBJS)
ld -Bshareable -d -warn-common -o $(LKM:S/.5$//) $(.TARGET:S/.ko/.kld/)
ipf.ko ipl.ko: $(MODOBJS)
gensetdefs $(MODOBJS)
$(CC) $(DEBUG) $(CFLAGS) -c setdef0.c
$(CC) $(DEBUG) $(CFLAGS) -c setdef1.c
ld -Bshareable -o $(LKM) setdef0.o $(MODOBJS) setdef1.o
$(CC) $(CCARGS) -c setdef0.c
$(CC) $(CCARGS) -c setdef1.c
ld -Bshareable -o $@ setdef0.o $(MODOBJS) setdef1.o
ip_nat.o: $(TOP)/ip_nat.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h
$(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/ip_nat.c -o $@
$(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_nat.c -o $@
ip_frag.o: $(TOP)/ip_frag.c $(TOP)/ip_frag.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h
$(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/ip_frag.c -o $@
$(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_frag.c -o $@
ip_state.o: $(TOP)/ip_state.c $(TOP)/ip_state.h $(TOP)/ip_compat.h \
$(TOP)/ip_fil.h $(TOP)/ip_nat.h
$(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/ip_state.c -o $@
$(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_state.c -o $@
ip_proxy.o: $(TOP)/ip_proxy.c $(TOP)/ip_proxy.h $(TOP)/ip_compat.h \
$(TOP)/ip_fil.h $(TOP)/ip_ftp_pxy.c $(TOP)/ip_raudio_pxy.c \
$(TOP)/ip_rcmd_pxy.c $(TOP)/ip_ipsec_pxy.c $(TOP)/ip_nat.h
$(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/ip_proxy.c -o $@
$(TOP)/ip_fil.h $(PROXYLIST) $(TOP)/ip_nat.h
$(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_proxy.c -o $@
ip_auth.o: $(TOP)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \
$(TOP)/ip_fil.h
$(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/ip_auth.c -o $@
$(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_auth.c -o $@
ip_fil.o: $(TOP)/$(IPFILC) $(TOP)/ip_fil.h $(TOP)/ip_compat.h $(TOP)/ip_nat.h
$(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/$(IPFILC) -o $@
ip_fil.c:
/bin/rm -f ip_fil.c
ln -s $(TOP)/ip_fil_`uname -s|tr A-Z a-z`.c ip_fil.c
ip_fil.o: ip_fil.c $(TOP)/ip_fil.h $(TOP)/ip_compat.h $(TOP)/ip_nat.h
$(CC) $(CCARGS) $(DFLAGS) $(COMPIPF) -c ip_fil.c -o $@
ip_log.o: $(TOP)/ip_log.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h
$(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/ip_log.c -o $@
$(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_log.c -o $@
vnode_if.h: $(VNODESHDIR)/vnode_if.sh $(VNODESHDIR)/vnode_if.src
ip_scan.o: $(TOP)/ip_scan.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h $(TOP)/ip_scan.h
$(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_scan.c -o $@
ip_sync.o: $(TOP)/ip_sync.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h $(TOP)/ip_sync.h
$(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_sync.c -o $@
ip_pool.o: $(TOP)/ip_pool.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
$(TOP)/ip_lookup.h $(TOP)/ip_pool.h
$(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_pool.c -o $@
ip_htable.o: $(TOP)/ip_htable.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
$(TOP)/ip_lookup.h $(TOP)/ip_htable.h
$(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_htable.c -o $@
ip_lookup.o: $(TOP)/ip_lookup.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
$(TOP)/ip_pool.h $(TOP)/ip_htable.h $(TOP)/ip_lookup.h
$(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_lookup.c -o $@
ip_trafcon.o: $(TOP)/ip_trafcon.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
$(TOP)/ip_trafcon.h
$(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_trafcon.c -o $@
vnode_if.h: $(VNODESHDIR)/vnode_if.src
mkdir -p ../sys
sh $(VNODESHDIR)/vnode_if.sh $(VNODESHDIR)/vnode_if.src
if [ -f $(VNODESHDIR)/vnode_if.sh ] ; then \
sh $(VNODESHDIR)/vnode_if.sh $(VNODESHDIR)/vnode_if.src; \
fi
if [ -f $(VNODESHDIR)/vnode_if.pl ] ; then \
perl $(VNODESHDIR)/vnode_if.pl $(VNODESHDIR)/vnode_if.src; \
fi
if [ -f ../sys/vnode_if.h ] ; then mv ../sys/vnode_if.h .; fi
rmdir ../sys
ml_ipl.o: $(TOP)/$(MLD) $(TOP)/ipl.h
ml_ipl.o: vnode_if.h $(TOP)/$(MLD) $(TOP)/ipl.h
-/bin/rm -f vnode_if.c
$(CC) -I. $(CFLAGS) $(DFLAGS) -c $(TOP)/$(ML) -o $@
kmem.o: $(TOP)/kmem.c
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/kmem.c -o $@
ip_rules.o: ip_rules.c $(TOP)/ip_rules.h
$(CC) -I. $(CFLAGS) $(DFLAGS) $(COMPIPF) -c ip_rules.c -o $@
parse.o: $(TOP)/parse.c $(TOP)/ip_fil.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/parse.c -o $@
ip_rules.c: $(TOP)/rules/ip_rules $(TOP)/tools/ipfcomp.c ipf
./ipf -cc -nf $(TOP)/rules/ip_rules
common.o: $(TOP)/common.c $(TOP)/ip_fil.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/common.c -o $@
$(TOP)/ip_rules.h: ip_rules.c
if [ ! -f $(TOP)/ip_rules.h ] ; then \
/bin/mv -f ip_rules.h $(TOP); \
else \
touch $(TOP)/ip_rules.h; \
fi
facpri.o: $(TOP)/facpri.c $(TOP)/facpri.h
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/facpri.c -o $@
ip_rulesx.o: ip_rules.c $(TOP)/ip_rules.h
$(CC) -I. $(CFLAGS) $(DFLAGS) -DIPFILTER_COMPILED -c ip_rules.c -o $@
ipmon: $(TOP)/ipmon.c
$(CC) $(DEBUG) $(CFLAGS) $(LOGFAC) $(TOP)/ipmon.c -o $@ $(LIBS)
mlf_rule.o: $(TOP)/mlf_rule.c $(TOP)/ip_rules.h
$(CC) -I. $(CFLAGS) $(DFLAGS) -c $(TOP)/mlf_rule.c -o $@
mln_rule.o: $(TOP)/mln_rule.c $(TOP)/ip_rules.h
$(CC) -I. $(CFLAGS) $(DFLAGS) -c $(TOP)/mln_rule.c -o $@
mlo_rule.o: $(TOP)/mlo_rule.c $(TOP)/ip_rules.h
$(CC) -I. $(CFLAGS) $(DFLAGS) -c $(TOP)/mlo_rule.c -o $@
mlfk_rule.o: $(TOP)/mlfk_rule.c $(TOP)/ip_rules.h
$(CC) -I. $(CFLAGS) $(DFLAGS) -c $(TOP)/mlfk_rule.c -o $@
ipf_y.o: ipf_y.c ipf_y.h $(TOP)/ipf.h ipf_l.h $(TOP)/opts.h
$(CC) $(CCARGS) $(IPFBPF) -c ipf_y.c -o $@
ipf_l.o: ipf_l.c ipf_y.h $(TOP)/ipf.h ipf_l.h $(TOP)/opts.h
$(CC) $(CCARGS) -I. -c ipf_l.c -o $@
ipf_y.c: $(TOOL)/ipf_y.y $(TOP)/ipf.h $(TOP)/opts.h
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
ipf_y.h: ipf_y.c
ipf_l.c: $(TOOL)/lexer.c $(TOP)/ipf.h $(TOP)/opts.h
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
ipf_l.h: $(TOOL)/lexer.h
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
ipmon: $(IPMON) $(OBJ)/libipf.a
$(CC) $(CCARGS) $(IPMON) -o $@ $(LIBS) -ll
ipmon.o: $(TOOL)/ipmon.c $(TOP)/ipmon.h
$(CC) $(CCARGS) $(LOGFAC) -c $(TOOL)/ipmon.c -o $@
ipmon_y.o: ipmon_y.c ipmon_y.h $(TOP)/ipmon.h ipmon_l.h
$(CC) $(CCARGS) -c ipmon_y.c -o $@
ipmon_l.o: ipmon_l.c ipmon_y.h $(TOP)/ipmon.h
$(CC) $(CCARGS) -I. -c ipmon_l.c -o $@
ipmon_y.c: $(TOOL)/ipmon_y.y $(TOP)/ipmon.h
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
ipmon_y.h: ipmon_y.c
ipmon_l.c: $(TOOL)/lexer.c $(TOP)/ipmon.h
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
ipmon_l.h: $(TOOL)/lexer.h
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
ipscan: ipscan_y.o ipscan_l.o
$(CC) $(DEBUG) ipscan_y.o ipscan_l.o -o $@ -ll $(LIBS) -lkvm
ipscan_y.o: ipscan_y.c ipscan_y.h $(TOP)/ip_scan.h ipscan_l.h
$(CC) $(CCARGS) -c ipscan_y.c -o $@
ipscan_l.o: ipscan_l.c ipscan_y.h $(TOP)/ip_scan.h
$(CC) $(CCARGS) -I. -c ipscan_l.c -o $@
ipscan_y.c: $(TOOL)/ipscan_y.y $(TOP)/ip_scan.h
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
ipscan_y.h: ipscan_y.c
ipscan_l.c ipscan_l.h: $(TOOL)/lexer.c $(TOP)/ip_scan.h
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
ippool: $(IPPOOL) $(OBJ)/libipf.a
$(CC) $(DEBUG) -I. $(CFLAGS) $(IPPOOL) -o $@ -ll -lkvm -L. -lipf
ippool.o: $(TOOL)/ippool.c $(TOP)/ip_pool.h
$(CC) $(CCARGS) -c $(TOOL)/ippool.c -o $@
ippool_y.o: ippool_y.c ippool_y.h $(TOP)/ip_pool.h ippool_l.h
$(CC) $(CCARGS) -c ippool_y.c -o $@
ippool_l.o: ippool_l.c ippool_y.h $(TOP)/ip_pool.h
$(CC) $(CCARGS) -I. -c ippool_l.c -o $@
ippool_y.c: $(TOOL)/ippool_y.y $(TOP)/ip_pool.h ippool_l.h
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
ippool_y.h: ippool_y.c
ippool_l.c: $(TOOL)/lexer.c $(TOP)/ip_pool.h
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
ippool_l.h: $(TOOL)/lexer.h
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
iptrafcon.o: $(TOP)/iptrafcon.c
$(CC) $(CCARGS) -c $< -o $@
iptrafcon: $(IPTRAFCON) $(OBJ)/libipf.a
$(CC) $(CCARGS) $(IPTRAFCON) -o $@ $(LIBS)
.y.c:
.l.c:
clean:
${RM} -f *.core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl ipnat \
vnode_if.h $(LKM) ioconf.h *.ko setdef1.c setdef0.c setdefs.h \
y.tab.? lex.yy.c ipfs
${RM} -f ../opt_inet6.h ../ipftest ../ipmon ../ipf ../ipnat
${RM} -f ../ipf ../ipnat ../ipmon ../ippool ../ipftest
${RM} -f ../ipscan ../ipsyncm ../ipsyncs
${RM} -f *.core *.o *.a ipt ipfstat ipf ipfstat ipftest ipmon
${RM} -f if_ipl ipnat ipfrule.ko* ipf.kld*
${RM} -f vnode_if.h $(LKM) ioconf.h *.ko setdef1.c setdef0.c setdefs.h
${RM} -f ip_fil.c ipf_l.c ipf_y.c ipf_y.h ipf_l.h
${RM} -f ipscan ipscan_y.c ipscan_y.h ipscan_l.c ipscan_l.h
${RM} -f ippool ippool_y.c ippool_y.h ippool_l.c ippool_l.h
${RM} -f ipnat_y.c ipnat_y.h ipnat_l.c ipnat_l.h
${RM} -f ipmon_y.c ipmon_y.h ipmon_l.c ipmon_l.h
${RM} -f ipsyncm ipsyncs ipfs ip_rules.c ip_rules.h
${MAKE} -f Makefile.ipsend ${MFLAGS} clean
if [ -f Makefile.kmod ] ; then \
${MAKE} -f Makefile.kmod ${MFLAGS} clean; \
fi
-(for i in *; do \
if [ -d $${i} -a -f $${i}/Makefile ] ; then \
cd $${i}; (make clean); cd ..; \
rm $${i}/Makefile $${i}/Makefile.ipsend; \
cd $${i}; (make TOP=../.. clean); cd ..; \
/bin/rm -f $${i}/Makefile $${i}/Makefile.ipsend; \
/bin/rm -f $${i}/Makefile.kmod; \
rmdir $${i}; \
fi \
done)
@ -254,15 +475,31 @@ install:
-if [ -d /modules -a -f ipf.ko ] ; then \
cp ipf.ko /modules; \
fi
-if [ -d /modules -a -f ipfrule.ko ] ; then \
cp ipfrule.ko /modules; \
fi
-if [ -d /boot/kernel -a -f ipf.ko ] ; then \
cp ipf.ko /boot/kernel; \
fi
-if [ -d /boot/kernel -a -f ipfrule.ko ] ; then \
cp ipfrule.ko /boot/kernel; \
fi
-if [ -d /usr/lkm -a -f if_ipl.o ] ; then \
cp if_ipl.o /usr/lkm; \
fi
-$(INSTALL) -cs -g wheel -m 755 -o root ipscan $(SBINDEST)
(cd $(TOP)/man; make INSTALL=$(INSTALL) MANDIR=$(MANDIR) install; cd $(TOP))
@for i in ipf:$(SBINDEST) ipfs:$(SBINDEST) ipnat:$(SBINDEST) \
ippool:$(BINDEST) ipsyncm:$(BINDEST) ipsyncs:$(BINDEST) \
ipfstat:$(SBINDEST) ipftest:$(SBINDEST) ipmon:$(BINDEST); do \
def="`expr $$i : '[^:]*:\(.*\)'`"; \
p="`expr $$i : '\([^:]*\):.*'`"; \
dd=; \
for d in $(SEARCHDIRS); do \
if [ -f $$d/$$p ] ; then \
echo "$(INSTALL) -cs -g wheel -m 755 -o root $$p $$d"; \
$(INSTALL) -cs -g wheel -m 755 -o root $$p $$d; \
dd=$$d; \
dd=XXX; \
fi; \
done; \
if [ -z "$$dd" ] ; then \
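Review bot: The new `SEARCHDIRS!=` line in the first hunk drops the last directory of the list: awk's `for(i=1;i<NF;i++)` prints fields 1 through NF-1, so /usr/local/sbin never reaches SEARCHDIRS and the install loop in the last hunk can never find an existing copy there; unless that omission is deliberate, the bound should be `for(i=1;i<=NF;i++)`. In the big middle hunk, `radix_u.o: $(TOP)/md5.c $(TOP)/radix_ipf.h` names md5.c as its source while the recipe compiles $(TOP)/radix.c, so an edit to radix.c does not trigger a rebuild; the prerequisite should read `$(TOP)/radix.c`. The same hunk mixes bare `make` (the machine and tests recipes and every `(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)`) with `${MAKE}` in clean; the sub-invocations should all use `$(MAKE)` so flags and command-line variables propagate. The `$(TOP)/ip_rules.h` rule only touches an already-present header instead of replacing it, so a regenerated ip_rules.h is never picked up once one exists; `/bin/mv -f ip_rules.h $(TOP)` unconditionally would keep it current. The install recipe's for-loop continues past the end of the last hunk.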


@ -1,16 +1,18 @@
#
# $Id: Makefile.ipsend,v 2.2 2000/02/28 08:27:51 darrenr Exp $
# Id: Makefile.ipsend,v 2.8 2002/05/22 16:15:36 darrenr Exp
#
BINDEST=/usr/sbin
SBINDEST=/sbin
MANDIR=/usr/share/man
OBJS=ipsend.o ip.o ipsopt.o y.tab.o lex.yy.o
OBJS=ipsend.o ip.o ipsopt.o iplang_y.o iplang_l.o
IPFTO=ipft_ef.o ipft_hx.o ipft_pc.o ipft_sn.o ipft_td.o ipft_tx.o
ROBJS=ipresend.o ip.o resend.o $(IPFTO) opt.o
ROBJS=ipresend.o ip.o resend.o
TOBJS=iptest.o iptests.o ip.o
UNIXOBJS=sbpf.o sock.o 44arp.o
OBJ=.
LIBS=-L$(OBJ) -lipf
CC=gcc -Wuninitialized -Wstrict-prototypes -O
CFLAGS=-g -I$(TOP)
@ -19,14 +21,14 @@ MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \
'CFLAGS=$(CFLAGS) $(SOLARIS2)' "IPFLKM=$(IPFLKM)" \
"IPFLOG=$(IPFLOG)" "LOGFAC=$(LOGFAC)" "POLICY=$(POLICY)" \
"SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "DCPU=$(CPU)" \
"CPUDIR=$(CPUDIR)"
"CPUDIR=$(CPUDIR)" "LOOKUP=$(LOOKUP)"
#
all build bsd-bpf : ipsend ipresend iptest
y.tab.o: $(TOP)/iplang/iplang_y.y
iplang_y.o: $(TOP)/iplang/iplang_y.y
(cd $(TOP)/iplang; $(MAKE) ../BSD/$(CPUDIR)/$@ $(MFLAGS) 'DESTDIR=../BSD/$(CPUDIR)' )
lex.yy.o: $(TOP)/iplang/iplang_l.l
iplang_l.o: $(TOP)/iplang/iplang_l.l
(cd $(TOP)/iplang; $(MAKE) ../BSD/$(CPUDIR)/$@ $(MFLAGS) 'DESTDIR=../BSD/$(CPUDIR)' )
.c.o:
@ -42,7 +44,7 @@ iptest: $(TOBJS) $(UNIXOBJS)
$(CC) $(DEBUG) $(TOBJS) $(UNIXOBJS) -o $@ $(LIBS)
clean:
rm -rf *.o core a.out ipsend ipresend iptest
rm -rf *.o core a.out ipsend ipresend iptest iplang_y.* iplang_l.*
ipsend.o: $(TOP)/ipsend/ipsend.c
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/ipsend.c -o $@
@ -101,9 +103,6 @@ dlcommon.o: $(TOP)/ipsend/dlcommon.c
sdlpi.o: $(TOP)/ipsend/sdlpi.c
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/sdlpi.c -o $@
arp.o: $(TOP)/ipsend/arp.c
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/arp.c -o $@
install:
-$(INSTALL) -cs -g wheel -m 755 -o root ipsend ipresend iptest $(BINDEST)


@ -1,41 +1,89 @@
#!/bin/sh
#
PATH=/sbin:/usr/sbin:/bin:/usr/bin; export PATH
argv0=`basename $0`
os=`uname -s`
rev=`uname -r`
maj=`expr $rev : '\([0-9]*\)\.'`
min=`expr $rev : '[0-9]*\.\([0-9]*\)'`
sub=`expr $rev : '[0-9]*\.[0-9]*\.\([0-9]*\)'`
# try to bomb out fast if anything fails....
set -e
argv0=`basename $0`
fullrev=`printf '%02d%02d%02d' $maj $min $sub`
dir=`pwd`
karch=`uname -m`
os=`uname -s`
if [ $os = FreeBSD ] ; then
rev=`uname -r`
rev=`expr $rev : '\([0-9]*\)\..*'`
if [ $rev = 2 ] ; then
echo "Copying /usr/include/osreldate.h to /sys/sys"
cp /usr/include/osreldate.h /sys/sys
fi
if [ -f /sys/contrib/ipfilter/netinet/mlfk_ipl.c ] ; then
/bin/cp mlfk_ipl.c /sys/contrib/ipfilter/netinet/
fi
fi
archdir="/sys/arch/$karch"
ipfdir=/sys/netinet
if [ -d /sys/contrib/ipfilter ] ; then
ipfdir=/sys/contrib/ipfilter/netinet
fi
if [ -d /sys/dist/ipf ] ; then
ipfdir=/sys/dist/ipf/netinet
fi
confdir="$archdir/conf"
if [ -f /dev/ipnat ] ; then
major=`ls -l /dev/ipnat | sed -e 's/.* \([0-9]*\),.*/\1/'`
echo "Major number for IP Filter is $major"
else
major=x
fi
echo -n "Installing "
for i in ip_fil.[ch] fil.c ip_nat.[ch] ip_frag.[ch] ip_state.[ch] ip_proxy.[ch] ip_auth.[ch] ip_log.c ip_compat.h ipl.h ip_*_pxy.c ; do
echo -n "$i "
for j in auth frag nat proxy scan state sync pool htable lookup rules; do
for i in ip_$j.[ch]; do
if [ -f "$i" ] ; then
echo -n " $i"
cp $i $ipfdir
chmod 644 $ipfdir/$i
fi
done
done
case $os in
SunOS)
case `uname -r` in
5.*)
filc=ip_fil_solaris.c
;;
4.*)
filc=ip_fil_sunos.c
;;
esac
;;
*BSD)
filc=ip_fil_`echo $os | tr A-Z a-z`.c
case $os in
FreeBSD)
cp mlfk_ipl.c $ipfdir/
;;
*)
;;
esac
;;
esac
if [ -f $ipfdir/$filc ] ; then
echo -n "$filc -> $ipfdir/$filc "
cp $filc $ipfdir/$filc
chmod 644 $ipfdir/$filc
fi
if [ -f $ipfdir/ip_fil.c ] ; then
echo -n "$filc -> $ipfdir/ip_fil.c "
cp $filc $ipfdir/ip_fil.c
chmod 644 $ipfdir/ip_fil.c
fi
for i in ip_fil.h fil.c ip_log.c ip_compat.h ipl.h ip_*_pxy.c; do
echo -n " $i"
cp $i $ipfdir
chmod 644 $ipfdir/$i
done
echo ""
echo -n "Installing into /usr/include/netinet"
for j in auth compat fil frag nat proxy state ; do
for j in auth compat fil frag nat proxy scan state sync pool htable lookup; do
i=ip_$j.h
if [ -f "$i" ] ; then
echo -n " $i"
@ -57,4 +105,148 @@ if [ -f /sys/netinet/ip_fil_compat.h ] ; then
rm /sys/netinet/ip_fil_compat.h
ln -s /sys/netinet/ip_compat.h /sys/netinet/ip_fil_compat.h
fi
if [ $major != x ] ; then
if [ ! -e /dev/ipsync ] ; then
echo "Creating /dev/ipsync"
mknod /dev/ipsync c $major 4
fi
if [ ! -e /dev/ipsync ] ; then
echo "Creating /dev/ipscan"
mknod /dev/ipsync c $major 5
fi
if [ ! -e /dev/iplookup ] ; then
echo "Creating /dev/iplookup"
mknod /dev/iplookup c $major 6
fi
fi
set +e
os=`uname -s`
if [ $os = FreeBSD -a -f /sys/conf/files ] ; then
cd /sys/conf
if [ -f options ] ; then
if [ ! -f options.preipf4 ] ; then
mv options options.preipf4
cp -p options.preipf4 options
fi
for i in SCAN SYNC LOOKUP COMPILED; do
grep IPFILTER_$i options >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo >> options
echo "# extra option for IP Filter" >> options
echo "IPFILTER_$i opt_ipfilter.h" >> options
fi
done
fi
if [ ! -f files.preipf4 ] ; then
mv files files.preipf4
cp -p files.preipf4 files
fi
for i in htable pool lookup; do
grep ip_$i.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo "contrib/ipfilter/netinet/ip_$i.c optional ipfilter inet ipfilter_lookup" >> files
fi
done
grep ip_sync.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo 'contrib/ipfilter/netinet/ip_sync.c optional ipfilter inet ipfilter_sync' >> files
fi
grep ip_scan.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo 'contrib/ipfilter/netinet/ip_scan.c optional ipfilter inet ipfilter_scan' >> files
fi
grep ip_rules.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo 'contrib/ipfilter/netinet/ip_rules.c optional ipfilter inet ipfilter_compiled' >> files
fi
fi
if [ $os = NetBSD -a -f /sys/conf/files ] ; then
cd /sys/conf
if [ ! -f files.preipf4 ] ; then
mv files files.preipf4
cp -p files.preipf4 files
fi
if [ $fullrev -ge 010600 -a $fullrev -lt 020000 ] ; then
for i in htable pool lookup; do
grep ip_$i.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo "file netinet/ip_$i.c ipfilter & ipfilter_lookup" >> files
fi
done
grep ip_sync.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo 'file netinet/ip_sync.c ipfilter & ipfilter_sync' >> files
fi
grep ip_scan.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo 'file netinet/ip_scan.c ipfilter & ipfilter_scan' >> files
fi
grep ip_rules.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo 'file netinet/ip_rules.c ipfilter & ipfilter_compiled' >> files
fi
fi
fi
if [ $os = OpenBSD -a -f /sys/conf/files ] ; then
cd /sys/conf
if [ ! -f files.preipf4 ] ; then
mv files files.preipf4
cp -p files.preipf4 files
fi
if [ $fullrev -ge 030400 ] ; then
for i in htable pool lookup; do
grep ip_$i.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo "file netinet/ip_$i.c ipfilter & ipfilter_lookup" >> files
fi
done
grep ip_sync.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo 'file netinet/ip_sync.c ipfilter & ipfilter_sync' >> files
fi
grep ip_scan.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo 'file netinet/ip_scan.c ipfilter & ipfilter_scan' >> files
fi
grep ip_rules.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo 'file netinet/ip_rules.c ipfilter & ipfilter_compiled' >> files
fi
fi
fi
if [ -f /usr/src/sys/modules/ipfilter/Makefile -a \
! -f /usr/src/sys/modules/ipfilter/Makefile.orig ] ; then
cat | (cd /usr/src/sys/modules/ipfilter; patch) <<__EOF__
*** Makefile.orig Mon Mar 28 09:10:11 2005
--- Makefile Mon Mar 28 09:12:51 2005
***************
*** 5,13 ****
KMOD= ipl
SRCS= mlfk_ipl.c ip_nat.c ip_frag.c ip_state.c ip_proxy.c ip_auth.c \\
! ip_log.c ip_fil.c fil.c
.if !defined(NOINET6)
CFLAGS+= -DUSE_INET6
.endif
CFLAGS+= -I$${.CURDIR}/../../contrib/ipfilter
! CFLAGS+= -DIPFILTER=1 -DIPFILTER_LKM -DIPFILTER_LOG -DPFIL_HOOKS
--- 5,15 ----
KMOD= ipl
SRCS= mlfk_ipl.c ip_nat.c ip_frag.c ip_state.c ip_proxy.c ip_auth.c \\
! ip_log.c ip_fil.c fil.c ip_lookup.c ip_pool.c ip_htable.c \\
! ip_sync.c ip_scan.c ip_rules.c
.if !defined(NOINET6)
CFLAGS+= -DUSE_INET6
.endif
CFLAGS+= -I$${.CURDIR}/../../contrib/ipfilter
! CFLAGS+= -DIPFILTER=1 -DIPFILTER_LKM -DIPFILTER_LOG -DPFIL_HOOKS \\
! -DIPFILTER_LOOKUP -DIPFILTER_COMPILED
__EOF__
fi
exit 0
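Review bot: The second mknod block in the new /dev section tests and creates the wrong node: it re-checks `/dev/ipsync` (already created by the block just above) and runs `mknod /dev/ipsync c $major 5` while its echo announces ipscan, so /dev/ipscan is never created; the two lines should read `if [ ! -e /dev/ipscan ] ; then` and `mknod /dev/ipscan c $major 5`, matching the sibling script in this commit that creates ipscan as minor 5. Separately, the here-document piped into patch has an unquoted delimiter, so the shell expands `$$` to its own PID and the `CFLAGS+= -I$${.CURDIR}/...` context lines reach patch as `-I<pid>{.CURDIR}/...` rather than `-I${.CURDIR}/...`, which is unlikely to match the system Makefile; assuming this rendering reproduces the script, `\${.CURDIR}` is the escape that yields a literal `${.CURDIR}` while keeping `\\` for the line continuations. That patch edits /usr/src as root after `set +e`, so a rejected hunk goes unnoticed and the script still ends with `exit 0`; it should test patch's exit status and report the failure instead.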


@ -26,3 +26,5 @@ mknod /dev/ipl c $major 0
mknod /dev/ipnat c $major 1
mknod /dev/ipstate c $major 2
mknod /dev/ipauth c $major 3
mknod /dev/ipsync c $major 4
mknod /dev/ipscan c $major 5
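Review bot: The two added mknod lines for /dev/ipsync and /dev/ipscan create the nodes with whatever mode the caller's umask yields, and nothing in this hunk restricts them; presumably these devices control the filter's state synchronisation and scan engine, so they should be root-only like the other ipf nodes. Unless the script does so outside the hunk, follow the mknod lines with `chmod 600 /dev/ipsync /dev/ipscan` (or whatever mode the existing /dev/ipl nodes are given). The enclosing script continues outside the hunk.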


@ -124,7 +124,7 @@ diff -cr ../TIS.orig/fwtk/Makefile.config.solaris fwtk/Makefile.config.solaris
***************
*** 11,30 ****
#
# RcsId: "$Header: /devel/CVS/IP-Filter/FWTK/fwtk_transparent.diff,v 2.1 1999/08/04 17:40:48 darrenr Exp $"
# RcsId: "$Header: /devel/CVS/IP-Filter/FWTK/fwtk_transparent.diff,v 2.2 2001/02/28 09:36:06 darrenr Exp $"
# Your C compiler (eg, "cc" or "gcc")
@ -145,7 +145,7 @@ diff -cr ../TIS.orig/fwtk/Makefile.config.solaris fwtk/Makefile.config.solaris
-Dgethostbyaddr=res_gethostbyaddr -Dgetnetbyname=res_getnetbyname \
--- 11,34 ----
#
# RcsId: "$Header: /devel/CVS/IP-Filter/FWTK/fwtk_transparent.diff,v 2.1 1999/08/04 17:40:48 darrenr Exp $"
# RcsId: "$Header: /devel/CVS/IP-Filter/FWTK/fwtk_transparent.diff,v 2.2 2001/02/28 09:36:06 darrenr Exp $"
+ #
+ # Path to sources of ip_filter (ip_nat.h required in lib/hnam.c)
@ -649,15 +649,15 @@ diff -cr ../TIS.orig/fwtk/lib/hnam.c fwtk/lib/hnam.c
+ natlookup.nl_outport=rsin.sin_port;
+ natlookup.nl_inip=sin.sin_addr;
+ natlookup.nl_outip=rsin.sin_addr;
+ if((natfd=open("/dev/ipl",O_RDONLY))<0) {
+ if((natfd=open("/dev/ipnat",O_RDONLY))<0) {
+ return(NULL);
+ }
+ if(ioctl(natfd,SIOCGNATL,&natlookup)==(-1)) {
+ return(NULL);
+ }
+ close(natfd);
+ if(ptr) *ptr=ntohs(natlookup.nl_inport);
+ sprintf(buf,"%s",inet_ntoa(natlookup.nl_inip));
+ if(ptr) *ptr=ntohs(natlookup.nl_realport);
+ sprintf(buf,"%s",inet_ntoa(natlookup.nl_realip));
+ #endif
+
+ #if defined(SOLARIS) /* for Solaris */
@ -679,15 +679,15 @@ diff -cr ../TIS.orig/fwtk/lib/hnam.c fwtk/lib/hnam.c
+ natlookup.nl_outport=rsin.sin_port;
+ natlookup.nl_inip=sin.sin_addr;
+ natlookup.nl_outip=rsin.sin_addr;
+ if( (natfd=open("/dev/ipl",O_RDONLY)) < 0) {
+ if( (natfd=open(IPL_NAT,O_RDONLY)) < 0) {
+ return(NULL);
+ }
+ if(ioctl(natfd, SIOCGNATL, &natlookup) == -1) {
+ return(NULL);
+ }
+ close(natfd);
+ if(ptr) *ptr=ntohs(natlookup.nl_inport);
+ sprintf(buf,"%s",inet_ntoa(natlookup.nl_inip));
+ if(ptr) *ptr=ntohs(natlookup.nl_realport);
+ sprintf(buf,"%s",inet_ntoa(natlookup.nl_realip));
+ #endif
+
+ /* No transparent proxy support */
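Review bot: In the patched hnam.c block the descriptor opened on /dev/ipnat is leaked on the SIOCGNATL failure path: `if(ioctl(natfd,SIOCGNATL,&natlookup)==(-1))` returns NULL before the `close(natfd)` that follows it, so every failed NAT lookup costs the proxy one file descriptor. The error branch should be `if(ioctl(natfd,SIOCGNATL,&natlookup)==(-1)) { close(natfd); return(NULL); }`, and the Solaris variant below (`open(IPL_NAT,O_RDONLY)`) has the same shape. The `sprintf(buf,"%s",inet_ntoa(...))` is only safe if buf holds at least 16 bytes; buf is declared outside the hunk, so worth confirming.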


@ -482,15 +482,15 @@ diff -c -r ./lib/hnam.c ../../NEW/fwtk/lib/hnam.c
+ natlookup.nl_outport=rsin.sin_port;
+ natlookup.nl_inip=sin.sin_addr;
+ natlookup.nl_outip=rsin.sin_addr;
+ if((natfd=open("/dev/ipl",O_RDONLY))<0) {
+ if((natfd=open(IPL_NAT,O_RDONLY))<0) {
+ return(NULL);
+ }
+ if(ioctl(natfd,SIOCGNATL,&natlookup)==(-1)) {
+ return(NULL);
+ }
+ close(natfd);
+ if(ptr) *ptr=ntohs(natlookup.nl_inport);
+ sprintf(buf,"%s",inet_ntoa(natlookup.nl_inip));
+ if(ptr) *ptr=ntohs(natlookup.nl_realport);
+ sprintf(buf,"%s",inet_ntoa(natlookup.nl_realip));
+ #endif
+
+ /* No transparent proxy support */
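Review bot: This copy of the hnam.c patch has the same descriptor leak as the other FWTK diff in this commit: when `ioctl(natfd,SIOCGNATL,&natlookup)` fails the function returns NULL without reaching `close(natfd)`. Change the branch to `if(ioctl(natfd,SIOCGNATL,&natlookup)==(-1)) { close(natfd); return(NULL); }`. The enclosing function starts outside the hunk.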


@ -2,7 +2,7 @@
--- files Sat Apr 4 10:52:58 1998
***************
*** 222,227 ****
--- 222,236 ----
--- 222,240 ----
netinet/tcp_timer.c optional inet
netinet/tcp_usrreq.c optional inet
netinet/udp_usrreq.c optional inet
@ -15,6 +15,10 @@
+ netinet/mlf_ipl.c optional ipfilter inet
+ netinet/ip_auth.c optional ipfilter inet
+ netinet/ip_log.c optional ipfilter inet
+ netinet/ip_scan.c optional ipfilter inet
+ netinet/ip_sync.c optional ipfilter inet
+ netinet/ip_pool.c optional ipfilter_pool inet
+ netinet/ip_rules.c optional ipfilter_compiled ipfilter inet
netipx/ipx.c optional ipx
netipx/ipx_cksum.c optional ipx
netipx/ipx_input.c optional ipx
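Review bot: The added `netinet/ip_pool.c optional ipfilter_pool inet` is the only new entry that does not depend on `ipfilter`, whereas the neighbouring `netinet/ip_rules.c optional ipfilter_compiled ipfilter inet` does and the other files patches in this commit spell it `optional ipfilter_pool ipfilter inet`. As written, a kernel config with `ipfilter_pool` but no `ipfilter` option would pull in ip_pool.c on its own. I would change the line to `netinet/ip_pool.c optional ipfilter_pool ipfilter inet` to match the rest.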


@ -2,7 +2,7 @@
--- files.newconf Sun Jun 25 02:19:10 1995
***************
*** 161,166 ****
--- 161,175 ----
--- 161,179 ----
file netinet/ip_input.c inet
file netinet/ip_mroute.c inet
file netinet/ip_output.c inet
@ -15,6 +15,10 @@
+ file netinet/ip_auth.c ipfilter
+ file netinet/ip_log.c ipfilter
+ file netinet/mlf_ipl.c ipfilter
+ file netinet/ip_scan.c ipfilter
+ file netinet/ip_sync.c ipfilter
+ file netinet/ip_pool.c ipfilter_pool
+ file netinet/ip_rules.c ipfilter_compiled
file netinet/raw_ip.c inet
file netinet/tcp_debug.c inet
file netinet/tcp_input.c inet


@ -8,18 +8,17 @@ set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD* ) cd ..
echo -n "Installing "
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
ip_proxy.[ch] ip_*_pxy.c mlf_ipl.c ipl.h ip_compat.h \
ip_auth.[ch] ip_log.c)
foreach i (ip_{auth,fil,frag,nat,pool,proxy,scan,state,sync}.[ch] fil.c \
ip_*_pxy.c mlf_ipl.c ipl.h ip_compat.h ip_log.c)
echo -n "$i ";
cp $i /sys/netinet
chmod 644 /sys/netinet/$i
switch ( $i )
switch ($i)
case *.h:
/bin/cp $i /usr/include/netinet/$i
chmod 644 /usr/include/netinet/$i
breaksw
endsw
breaksw
endsw
end
echo ""
echo "Copying /usr/include/osreldate.h to /sys/sys"


@ -16,6 +16,8 @@ To build a kernel with the IP filter, follow these seven steps:
mknod /dev/ipnat c 79 1
mknod /dev/ipstate c 79 2
mknod /dev/ipauth c 79 3
mknod /dev/ipsync c 79 4
mknod /dev/ipscan c 79 5
7. reboot


@ -9,17 +9,17 @@ set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD* ) cd ..
echo -n "Installing "
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
ip_proxy.[ch] ip_*_pxy.c mlf_ipl.c ipl.h \
ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c mlf_ipl.c ipl.h \
ip_compat.h ip_auth.[ch] ip_log.c)
echo -n "$i ";
cp $i /sys/netinet
chmod 644 /sys/netinet/$i
switch ( $i )
switch ($i)
case *.h:
/bin/cp $i /usr/include/netinet/$i
chmod 644 /usr/include/netinet/$i
breaksw
endsw
breaksw
endsw
end
echo ""
echo "Linking /usr/include/osreldate.h to /sys/sys/osreldate.h"
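Review bot: The foreach list narrows the proxy sources from `ip_*_pxy.c` to `ip_{ftp,rcmd,raudio}_pxy.c` and, unlike the other kinstall scripts in this commit, does not add ip_pool/ip_scan/ip_sync; if the matching files patch for this FreeBSD version references ip_scan.c or ip_sync.c (as the others here do), those sources are never copied into /sys/netinet and the kernel build fails. Either keep `ip_*_pxy.c` and extend the list to `ip_{auth,fil,frag,nat,pool,proxy,scan,state,sync}.[ch]` as the sibling scripts do, or note in a comment why this platform gets the reduced set. The script continues outside the hunk.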


@ -1,3 +1,5 @@
.\" $NetBSD$
.\"
*** ip6_input.c.orig Sun Feb 13 14:32:01 2000
--- ip6_input.c Wed Apr 26 22:31:34 2000
***************


@ -1,3 +1,5 @@
.\" $NetBSD$
.\"
*** ip6_input.c.orig Sat Jul 15 07:14:34 2000
--- ip6_input.c Thu Oct 19 17:14:37 2000
***************


@ -0,0 +1,65 @@
.\" $NetBSD$
.\"
*** ip6_input.c.orig Sat Jul 15 07:14:34 2000
--- ip6_input.c Thu Oct 19 17:14:37 2000
***************
*** 120,125 ****
--- 120,127 ----
extern struct domain inet6domain;
extern struct ip6protosw inet6sw[];
+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int,
+ struct mbuf **));
u_char ip6_protox[IPPROTO_MAX];
static int ip6qmaxlen = IFQ_MAXLEN;
***************
*** 289,294 ****
--- 291,305 ----
ip6stat.ip6s_badvers++;
in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
goto bad;
+ }
+
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
+
+ if ((*fr_checkp)(ip6, sizeof(*ip6), m->m_pkthdr.rcvif,
+ 0, &m1) || !m1)
+ return;
+ ip6 = mtod(m = m1, struct ip6_hdr *);
}
ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
*** ip6_output.c.orig Sat Jul 15 07:14:35 2000
--- ip6_output.c Thu Oct 19 17:13:53 2000
***************
*** 106,111 ****
--- 106,113 ----
#include <netinet6/ip6_fw.h>
#endif
+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+
static MALLOC_DEFINE(M_IPMOPTS, "ip6_moptions", "internet multicast options");
struct ip6_exthdrs {
***************
*** 787,792 ****
--- 789,803 ----
ip6->ip6_src.s6_addr16[1] = 0;
if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst))
ip6->ip6_dst.s6_addr16[1] = 0;
+ }
+
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
+
+ if ((error = (*fr_checkp)(ip6, sizeof(*ip6), ifp, 1, &m1)) ||
+ !m1)
+ goto done;
+ ip6 = mtod(m = m1, struct ip6_hdr *);
}
#ifdef IPV6FIREWALL
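Review bot: Both new call sites hand `ip6` (a `struct ip6_hdr *`) to `fr_checkp`, whose extern prototype in this same patch takes `struct ip *`; that is an incompatible-pointer-type diagnostic on every build of ip6_input.c/ip6_output.c and papers over the fact that an IPv6 header is passed through an IPv4 prototype. Cast explicitly at the call, `(*fr_checkp)((struct ip *)ip6, sizeof(*ip6), m->m_pkthdr.rcvif, 0, &m1)` (and likewise in ip6_output), or declare the hook with a `void *` first argument. In the ip6_output hunk, `goto done` after a non-zero return relies on the `done:` path, which is outside the hunk, not freeing an mbuf the filter already consumed (`m1 == NULL`); worth confirming against the hook's contract.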


@ -11,31 +11,25 @@ set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD* ) cd ..
echo -n "Installing "
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
ip_proxy.[ch] ip_*_pxy.c mlf_ipl.c mlfk_ipl.c \
ipl.h ip_compat.h ip_auth.[ch] ip_log.c)
foreach i (ip_{auth,fil,nat,pool,proxy,scan,state,sync}.[ch] fil.c \
ip_*_pxy.c mlfk_ipl.c ipl.h ip_compat.h ip_log.c )
echo -n "$i ";
cp $i $ipfdir
chmod 644 $ipfdir/$i
switch ( $i )
cp $i /sys/netinet
chmod 644 /sys/netinet/$i
switch ($i)
case *.h:
/bin/cp $i /usr/include/netinet/$i
chmod 644 /usr/include/netinet/$i
breaksw
endsw
breaksw
endsw
end
echo ""
echo "Linking /usr/include/osreldate.h to /sys/sys/osreldate.h"
ln -s /usr/include/osreldate.h /sys/sys/osreldate.h
set patchfile=FreeBSD-4.0/ipv6-patch-$krev
if ( -f $patchfile ) then
echo ""
echo "Patching ip6_input.c and ip6_output.c"
cat $patchfile | (cd /sys/netinet6; patch)
else
echo "IPv6 patching not required for your OS version"
endif
echo ""
echo "Patching ip6_input.c and ip6_output.c"
cat FreeBSD-4.0/ipv6-patch-$krev | (cd /sys/netinet6; patch -N)
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
echo -n "Kernel configuration to update [$config] "
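Review bot: The `-f $patchfile` guard was removed, so `cat FreeBSD-4.0/ipv6-patch-$krev | (cd /sys/netinet6; patch -N)` now runs unconditionally; for a kernel revision that has no patch file, cat fails, patch reads empty input, and the script still prints "Patching ip6_input.c and ip6_output.c" and carries on, with the pipeline's status hiding the error. Restore the check around the new line: `if ( -f FreeBSD-4.0/ipv6-patch-$krev ) then`, the cat/patch line, `endif`, keeping the "not required" message in an else branch if the feedback is wanted. The script continues outside the hunk.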


@ -12,7 +12,7 @@ if ( $dir =~ */FreeBSD* ) cd ..
echo -n "Uninstalling "
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
ip_auth.[ch] ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c ip_compat.h \
ip_log.c mlf_ipl.c mlfk_ipl.c ipl.h)
ip_log.c mlf_ipl.c ipl.h)
echo -n "$i ";
/bin/rm -f /sys/netinet/$i
end
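Review bot: The uninstall list drops mlfk_ipl.c, yet the FreeBSD-4.0 kinstall in this commit still copies `mlfk_ipl.c` into /sys/netinet (and no longer copies mlf_ipl.c, which this script keeps removing); if this is its counterpart, kuninstall now leaves mlfk_ipl.c behind and deletes a file that was never installed. It also removes none of the newly installed ip_pool, ip_scan and ip_sync sources. I would mirror the install list: `ip_{auth,fil,frag,nat,pool,proxy,scan,state,sync}.[ch] fil.c ip_*_pxy.c ip_compat.h ip_log.c mlfk_ipl.c ipl.h`. The script continues outside the hunk.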


@ -2,7 +2,7 @@
--- files Sun Jan 14 14:32:25 1996
***************
*** 208,213 ****
--- 208,221 ----
--- 208,225 ----
netinet/tcp_timer.c optional inet
netinet/tcp_usrreq.c optional inet
netinet/udp_usrreq.c optional inet
@ -14,6 +14,10 @@
+ netinet/ip_auth.c optional ipfilter inet
+ netinet/ip_proxy.c optional ipfilter inet
+ netinet/ip_log.c optional ipfilter inet
+ netinet/ip_scan.c optional ipfilter inet
+ netinet/ip_sync.c optional ipfilter inet
+ netinet/ip_pool.c optional ipfilter_pool ipfilter inet
+ netinet/ip_rules.c optional ipfilter_compiled ipfilter inet
netiso/clnp_debug.c optional iso
netiso/clnp_er.c optional iso
netiso/clnp_frag.c optional iso


@ -2,7 +2,7 @@
--- files.newconf Sun Jun 25 02:19:10 1995
***************
*** 161,166 ****
--- 161,174 ----
--- 161,178 ----
file netinet/ip_input.c inet
file netinet/ip_mroute.c inet
file netinet/ip_output.c inet
@ -14,6 +14,10 @@
+ file netinet/ip_proxy.c ipfilter
+ file netinet/ip_auth.c ipfilter
+ file netinet/ip_log.c ipfilter
+ file netinet/ip_scan.c ipfilter
+ file netinet/ip_sync.c ipfilter
+ file netinet/ip_pool.c ipfilter_pool
+ file netinet/ip_rules.c ipfilter_compiled
file netinet/raw_ip.c inet
file netinet/tcp_debug.c inet
file netinet/tcp_input.c inet


@ -2,7 +2,7 @@
--- files.oldconf Sun Apr 23 17:54:18 1995
***************
*** 180,185 ****
--- 180,193 ----
--- 180,197 ----
netinet/tcp_timer.c optional inet
netinet/tcp_usrreq.c optional inet
netinet/udp_usrreq.c optional inet
@ -14,6 +14,10 @@
+ netinet/ip_proxy.c optional ipfilter requires inet
+ netinet/ip_auth.c optional ipfilter requires inet
+ netinet/ip_log.c optional ipfilter requires inet
+ netinet/ip_scan.c optional ipfilter requires inet
+ netinet/ip_sync.c optional ipfilter requires inet
+ netinet/ip_pool.c optional ipfilter_pool requires ipfilter
+ netinet/ip_rules.c optional ipfilter_compiled requires ipfilter
netiso/clnp_debug.c optional iso
netiso/clnp_er.c optional iso
netiso/clnp_frag.c optional iso


@ -9,11 +9,15 @@
+ file netinet/ip_fil.c ipfilter
+ file netinet/fil.c ipfilter
+ file netinet/ip_nat.c ipfilter
+ file netinet/ip_frag.c ipfilter
+ file netinet/ip_state.c ipfilter
+ file netinet/ip_proxy.c ipfilter
+ file netinet/ip_auth.c ipfilter
+ file netinet/ip_frag.c ipfilter
+ file netinet/ip_state.c ipfilter
+ file netinet/ip_proxy.c ipfilter
+ file netinet/ip_auth.c ipfilter
+ file netinet/ip_log.c ipfilter
+ file netinet/ip_scan.c ipfilter
+ file netinet/ip_sync.c ipfilter
+ file netinet/ip_pool.c ipfilter_pool
+ file netinet/ip_rules.c ipfilter_compiled
file netiso/clnp_debug.c iso
file netiso/clnp_er.c iso
file netiso/clnp_frag.c iso


@ -8,17 +8,17 @@ set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD ) cd ..
echo -n "Installing "
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
ip_proxy.[ch] ip_auth.[ch] ip_*_pxy.c ip_compat.h ip_log.c)
foreach i (ip_{auth,fil,frag,nat,pool,proxy,scan,state,sync}.[ch] fil.c \
ip_*_pxy.c ip_compat.h ip_log.c )
echo -n "$i ";
cp $i /sys/netinet
chmod 644 /sys/netinet/$i
switch ( $i )
switch ($i)
case *.h:
/bin/cp $i /usr/include/netinet/$i
chmod 644 /usr/include/netinet/$i
breaksw
endsw
breaksw
endsw
end
echo ""
grep iplopen $archdir/$karch/conf.c >& /dev/null


@ -6,757 +6,394 @@
# in providing a very available location for the IP Filter home page and
# distribution center.
#
# Thanks to Hewlett Packard for making it possible to port IP Filter to
# HP-UX 11.00.
#
# Thanks to Tel.Net Media for supplying me with equipment to ensure that
# IP Filter continues to work on Solaris/sparc64.
#
# Thanks to BSDI for providing object files for BSD/OS 3.1 and the means
# to further support development of IP Filter under BSDI.
#
# Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the
# loan of a machine to work on a Solaris 2.x port of this software.
#
# Thanks also to all those who have contributed patches and other code,
# and especially those who have found the time to port IP Filter to new
# platforms.
#
3.4.35 21/6/2004 - Released
4.1.8 - Released 29 March 2005
some cases of ICMP checksum alteration were wrong
include path from Phil Dibowitz for sorting ipfstat -t output by source or
destination port.
block packets that fail to create state table entries
fix a bug in printing rules where interface names could not be printed,
even if they're in the rule structure.
correctly handle all return values from ip_natout() when fastrouting
fix BSD/kupgrade to correctly change ipfilter lkm Makefile for FreeBSD
ipmon was not correctly calculating the length of the IPv6 packet (excluded
ipv6 header length)
add 2 new features to SIOCGNATL:
- if IPN_FINDFORWARD is set, check if the respective MAP is already
present in the outbound table
- if IPN_IN is set, search for a matching MAP entry instead of RDR
(Peter Potsma)
3.4.34 20/4/2004 - Released
turn off function inlining for freebsd 5.3+
correct the ICMP packet checksum fixing up when processing ICMP errors for NAT
UDP doesn't pullup enough data which can sometimes cause a panic.
Fix other protocols, as required, where a similar problem may exist.
various changes to ipsend for sending packets with ipv4 options
overhaul the timeout queue management, especially that for user defined queues
which are now only freed in an orderly manner.
look for ipmon's pidfile in /var/run and /etc/opt/ipf in Solaris' init script
4.1.7 - Released 13 March 2005
only allow non-fragmented packets to influence whether or not a logged
packet is the same as the one logged before.
Using the GRE call field is almost impossible because it is unbalanced and
both call fields are not present in each v1 header.
make "ipfstat -f" output more informative
Fix a problem where it was possible to load duplicate rules into ipf
compatibility for openbsd byte order changes to ip_off/ip_len
patch from John Wehle to address problems with fastroute on solaris
disallow "freebsd" as a make target (encourages people to do the wrong thing)
Copying data out for ipf -z failed because it tried to copy out to an address
that is a kernel pointer in user space.
3.4.33 15/12/2003 - Released
add "ip" timeout for both NAT & state that's for non-TCP/UDP/ICMP
pass on messages moving through ipfilter when it is unloading itself on Solaris
synch up with NetBSD's changes
add disabling of auto-detach when the module attaches on Solaris
fix problems parsing long lines of text in the ftp proxy where they would not
be parsed properly and stop the session from working
compatibility patches for 'struct ifnet' changes on FreeBSD
enhance the PPTP proxy so that it tries to decode messages in the TCP stream
so it knows when to create and destroy the state/nat sessions for GRE. There
are also 4 new regression tests for it, testing map/rdr rules.
implement a maximum for the number of entries in the NAT table (NAT_TABLE_MAX
and ipf_nattable_max)
impose some limits on the size of data that can be moved with SIOCSTPUT in
the NAT code and also prevent a duplicate session entry from being created
using this method.
fix ipfstat -A
add a new flag (IPN_FINDFORWARD) to NAT code that can be used with SIOCGNATL
to check if it is possible to create an outgoing transparent NAT mapping to
compliment the redirect being investigated.
frsynclist() wasn't paying attention to all the places where interface
names are, like it should.
Linux requires that the checksums in the IP header get adjusted
fix where packet header pointers are pointing to after doing an ipf_pullup
only resolve unknown interfaces in fr_stinsert, and nuke all interface pointers
in SIOCSTPUT to prevent bad data being loaded from userspace.
fix comparing ICMP packets with established TCP state where only 8 bytes
of header are returned in the ICMP error.
make the byte counting for state correct (was counting data from ICMP packet
twice)
3.4.32 18/6/2003 - Released
print out the keyword "frag-body" if the flag is set.
fix up the behaviour of ipfs
fix ipfs loading/restoring NAT sessions
make parsing errors in ipf/ipnat return an error rather than return
indicating success.
patch from Frank to correctly format IP addresses in ipfstat -t output
window scaling patch
parsing port numbers in ipf/ipnat was confusing as the port number was returned
in an int that was also overloaded to be the suceess/failure. instead, change
the port using pass by reference and only use the return value for indicating
success or failure.
make ipfstat work as a set{g,u}id thing - gave up privs before opening
/dev/ipl
4.1.6 - Released 19 February 2005
checksum adjustment corrections for ICMP & NAT
add a new timeout number to NAT (fr_defnatipage) that is used for all
non-TCP/UDP/ICMP protocols - default 60 seconds.
attempt to always get an mbuf full of data through pullup if possible
buffer leak with bad nat - David Gueluy
Fix bug with NAT and fragments causing system to crash
fix memory leak with state entries created by proxies
Add patches for OpenBSD 3.3
eliminate copying too much data into a scan buffer
stop LKM locking up the machine on modern NetBSD(?)
allow a trailing protocol name for map rules as well as rdr ones
allow timeouts in NAT rules to over-ride fr_defnatage if LARGE_NAT is defined
fix bug in parsing of <= and > for NAT rules (two were crossed over)
Locking patches for IRIX 6.5 from SGI.
fix bug in synchronising state sessions where all interfaces were invalidated
FreeBSD's iplwrite hasn't kept pace with iplread's prototype
fix bug in openbsd 3.2 bridge diffs
expand documention on the karma of using "auto" in ipnat map rules
fix bug parsing port comparisons in proxy rules
add matching on IP protocol to ipnat map rules
3.4.31 7/12/2002 - Released
allow ippool definitions to contain no addresses to start with
Solaris 10 compatibility
Linux NAT needs to modify the IP header checksum as it gets called after it
has been computed by IP.
fix linking into pfil in NetBSD
UDP was missing a pullup for packet header information before examining
the header
fix IRIX 6.2 compatibility
4.1.5 - Released 9 January 2005
add code to check consistency of fr_checkp/fr_check on non-Solaris
all rules were being converted into "dup-to" rules in the kernel
OpenBSD: missing patches for ip6_output.c on OpenBSD 3.2,
make LKM work for 3.2 (OpenBSD LKMs now match NetBSD)
fix two ftp proxy problems: 1st, buffer needs to be bigger for fitting in
complete RETR/CWD commands, 2nd is () use in 227 messages isn't copied
over correctly.
3.4.30 26/11/2002 - Released
response to CWDs
revert ip_off back to network byte order in the ICMP error packet that
gets generated.
attempt to detect using GNU make and abort if so
4.1.4 - Released 9 January 2005
OpenBSD 3.2 patches from Stefan Hermes von GMX
force NAT rules to only match ipv4 NAT rules (which all are, currently,
by default)
add MSS clamping code from NetBSD
include state synchronisation fixes from Frank Volf
correctly display ipv6 output with ipfstat for (accounting) rules
make the maximum log size for internally buffered log entries accessible
via "ipf -T"
fix problems with ioctl handling for /dev/ipauth
redesign start of fr_check() to avoid putting duplicate information in
ipfilter about how much data needs to be pulled up for a protocol to be
properly filtered.
set SYN bit in rcmd fake packet to create back channel
tidy up sending ICMP error messages - some bad inputs could result in
data not being freed and/or no error returned.
make libpcap reader capable of determining in/out (not in libpcap file)
and add more DLT types
make the maximum size of the log buffer run-time tunable
do not allow redirects to localhost for Solaris in NAT parser
fix bug in parsing TCP header when looking for MSS option that could make
the system hang
allow return-rst with auth rules
change pool lookups that fail to find a match to return "no match"
rather than fail.
man page corrections
add run-time tunable debugging for proxy support code and FTP proxy.
fix for handling ipv6 icmp errors
fix state table updates for entries where the first packet as an ICMPv6
multicast message
fix up ipfs command line option processing
fix hang when flushing state for v4/v6 and other (v6/v4) entries are present
too
only allow processing a ftp 227 response following a PASV command
attaching filtering to ipv6 pfil hook wasn't present for solaris
NetBSD: use poll() and adapt to new cdevsw mechanism
don't allow rules with "keep state" and "with oow"
make flushing for just ipv6 things work
move a bunch of userland only code from fil.c to ip_fil.c
3.4.29 28/8/2002 - Released
make fr_coalesce() more resiliant to bad input, just returning an error
instead of crashing, making calling it easier in many places
Make substantial changes to the FTP proxy to improve reliability, security
and functionality.
When m_pulldown doesn't return NULL, it doesn't necessarily return a pointer
to the same mbuf passed in as the first arg.
don't send ICMP errors/TCP RST's in response to blocked proxy packets
remove fr_unreach and use ENETUNREACH by default.
fix potential memory leaks when unloading ipfilter from kernel
printing out of tag data in ipf rules doesn't match input syntax
fix bug in SIOCGNATL handler that did not preserve the expected
byte order from earlier versions in the port number
ipftest(1) man page update
set do not fragment flag in generated packets according to system flags,
where available.
ipfs command line option parsing still rejects some valid syntaxes
preserve filter rule number and group number in state structure
SIGHUP handling by ipmon was not as safe as it could be
fix bug in ipmon printing of p/P/b/B
fix various parsing regressions, including "<thishost>", "tcpudp", ordering
of "keep" options
make some changes to the kmem.c code for IRIX compatibility
patches from Frank Volk: add udp_acktimeout to sysctl list for FreeBSD,
ICMP packet length not calculated correctly in send_icmp_err, reply-to
not printed by ipfstat, keep state with icmp passing (mtrr)
add code to specifically handle ip.tun* interfaces on Solaris
patches for return-rst and return-icmp from Attila Fueloep
(lichtscheu@gesindel.org)
3.4.28 6/6/2002 - Released
4.1.3 - Released 18 July 2004
Fix for H.323 proxy to work on little endian boxes
do some more fine tuning on NAT checksum adjustments
IRIX: Update installation documentation
add route lock patch
correct IP address byte order in proxy setup for ipsec/pptp
allow use of groups > 65535
man page updates
create a new packet info summary for packets going through ipfr_fastroute()
so that where details are different (RST/ICMP errors), the packet now gets
correctly NAT'd, etc.
fix numerous problems with ipfs operation
fix the FTP proxy so that checks for TCP sequence numbers outside the
normal offset due to data changes use absolute numbers
complete new syntax for ipmon.conf in its parser and update the sample file
make it possible to remove rules in ipftest
assign error value consistantly in fastroute code
Update installing onto OpenBSD and split into two directories:
OpenBSD-2 and OpenBSD-3
rewrite allocation of mbufs in send_reset/send_icmp_err to better use
mbuf clusters and size calculations
fix error in printout out the protocol in NAT rules
resolve problem with linux panic'ing because the wrong flag was being
passed to skb_clone/skb_alloc
always unlock ipfilter if locking fails half way through in ipfs
enable use of shared/exclusive locks on freebsd5 and above
fix problems with TCP window scaling
do not rely on m_pkthdr.len to be valid all the time for mbufs on modern BSD
and so use mbufchainlen to get the mbuf length instead
update of man pages for ipnat(4) and ipftest(1)
replace lots of COPYIN/COPYOUT with BCOPYIN/BCOPYOUT where the data is
going to be on the stack and not in userland
3.4.27 28/04/2002 - Released
packet buffer pointers were not refreshed & used properly in fr_check()
fix calculation of 2's complmenent 16 bit checksum for user space
include extra bits for OpenBSD 3.4 & 3.5.
add mbuflen() to usespace compiles.
fix ipf/ipnat parsing regression problems with v3.4
add more #ifdef complexity for platform portability
4.1.2 - RELEASED - 27 May 2004
add OpenBSD 3.1 diffs
add state top for ipv6
3.4.26 25/04/2002 - Released
fix numerous parsing regressions
fix parsing and printing of NAT rules with regression tests.
change sample proxies to use SIOCGNATL with the new API
add code to adjust TCP checksums inside ICMP errors where present and as
required for NAT.
allow macro names to contain underscores (_)
fix documentation problems in instal documents
split the parser into a collection of dictionaries so that keywords do
not interfere with resolving hostnames and portnames
fix locking problem with auth code on Solaris
fix ipfrule LKM loading on freebsd
fix use of version macros for FreeBSD and make the use of __FreeBSD_version
override previous hacks except when not present
support mapping a fixed range of ports to a single port
fix the macros defined for SIOCAUTHR and SIOCAUTHW
fix timeout queue use by proxies with private queues
fix the H.323 proxy so it no longer panics (multiple issues: re-entry into
nat_ioctl with lock held on Solaris, trying to copy data from kernel space
with copyin, unaligned access to get 32bit & 16bit numbers)
handle space-led ftp server replies properly
use the ip_ttl ndd parameter on Solaris to fill in ip_ttl for packets
generated by IPFilter
fix timeout queue management
fix comparing state information to delete state table entries
fix fastroute, generation of RST & ICMP packets and operation with to/fastroute
flag packets as being "bad state" if they're outside the window and prevent
them from being able to cause new state to be created - except for SYN packets
resolve further linux compatibility problems
be stricter about what packets match a TCP state table entry if its creation
was triggered by a SYN packet.
replace the use of COPYIN with BCOPYIN for platforms that provide ioctl
args on the stack
add patches to handle TCP window scaling
allow flushing of ipv6 rules independant of ipv4 rules
don't update TCP state table entries if the packet is not considered to be
part of the connection
correct internal ipv6 checksum calculations
ipfs wasn't allowing -i command line option in getopt
if a 'keep state' rule fails to create state, block the packet rather
than let it through
IRIX: fix kvm interface, fix compile warnings, compile the kernel with -O2
regardless of user compile, fix the getkflags script to prune down the
output more so it is acceptable
correct all checksums in regression tests and correct NAT code to adjust
checksums correctly.
change building in Makefiles to create links to the application in $(TOP)
at the end of "build" rather than when each is created.
fix ipfs -R/-W
update BSD/kupgrade for FreeBSD
4.1.1 - RELEASED - 24 March 2004
l4check wasn't properly closing things when a connection fails
allow new connections with the same port numbers as an existing one
in the state table if the creating packet is a SYN
man page updates for ipmon(8) and ipnat(5)
timeout values have drifted, incorrectly, from what they were in 3.4
more regression tests added.
FreeBSD - compatibility changes for 5.2
3.4.25 13/03/2002 - Released
don't match on sequence number (as well) for ICMO ECHO/REPLY, just the
ICMP Id. field as otherwise thre is a state/NAT entry per packet pair
rather than per "flow"
retain rule # in state information
fr_cksum() returned the wrong answer for ICMP
log the direction of a packet so ipmon gets it right rather than incorrectly
deriving it from the rule flags
Linux:
- get return-rst and return-icmp working
- treat the interface name the same as if_xname on BSD
add #ifdef for IPFILTER_LOGSIZE (put options IPFILTER_LOGSIZE=16384 in BSD
kernel config files to increase that buffer size)
adjust expectations for TCP urgent bits based on observed traffic in the
wild
recognise return-* rules differently to block in ipftest
openbsd3.4 has ip_len/ip_off in network byte order when ipfilter is called
fix bug in ipmon output for solaris
fix flushing of hash pool gorups (ippool -F) as well as displaying them
(ippool -l)
add regression testing for skip rules, logging and using head/group
passing of pointers to interface structures wrong for HP-UX/Solaris with
return-* rules.
fix output of ipmon: was displaying large unsigned ints rather than -1
when no rules matched.
Make the solaris boot script able to run on 2.5.1
make logging code compile into ipftest and add -l command line option to
dump binary log file (read with ipmon -f) when it finishes.
ippool related files missing from Solaris packages
protect rule # and group # from interference when checking accounting rules
The name /dev/ippool should be /dev/iplookup
add regression testing for log output (text) from ipmon.
add regression testing for parsing long interface names in nat rules,
along with mssclamp and tags. Also add test for mssclamp operation.
document -b command line option for ipmon
fix double-quick in Solaris startup script
ttl displayed for "ipfstat -t" is wrong because ttl is not computed.
3.4.24 01/03/2002 - Released
parse logical interface names (Sun)
fix how files are installed on SunOS5
unloading LKMs was only working if they were enabled.
fix some minor problems in SunOS5 ipfboot script
sync'ing up NAT sessions when NICs change should cause NAT rules to
re-lookup name->pointer mappings
by default, compile all OpenBSD tools in 3.0 for IPv6
not all of the ippool ioctl's are IOWR and they should be because they
use the ipfobj_t for passing information in/out of the kernel. leave the
old values defined and handle them, for compatibility.
fix NULL-pointer dereference in NAT code
pool stats wrong: ippoolstate used where ipoolstat should be, hash table
statistics not reported at all
make a better attempt at replacing the appropriate binaries on BSD systems
fr_running not set correctly for OpenBSD when compiled into the kernel
always print IPv6 icmp-types as a number
Allow SIOCGETFF while disabled
impose some rules about what "skip" can be used with
Fix mssclamp with NAT (pasing and printing of the word, plus wrong bytes
altered. How do you say "untested" ?)
fix parsing problems with "keep state" and "keep state-age"
4.1 - RELEASED - 12 February 2004
Try to read as much data as is in the log device in ipmon
4.0-BETA1 20 August 2003
remove some redundant checks when searching for rdr/nat rules
support 0/32 and 0/0 on the RHS in redirect rules
fix bug in handling of ACCT with FTP proxy
where LHS and RHS netmasks are the same size for redirect, do 1:1 mapping
for bimap rules.
increase array size for interface names, using LIFNAMSIZ
allow NAT rule to match 'all' interfaces with * as interface name
include H.323 proxy from QNX
do mapping of ICMP sequence id#'s in pings
3.4.23 16/01/2002 - Released
allow default age for NAT entries to be set per NAT rule
Include patches to install IPFilter into OpenBSD 3.0, both for just kernel
compiles and complete system builds.
provide round robin selection of destination addresses for redirect
Fix bug in automatic flushing of state table which would cause it to hang
in an infinite loop bug introduced in 3.4.20.
ipmon can load a configuration file with instructions on actions
to take when a matching log entry is received
Modify the sample proxy (samples/proxy.c) so that it ads a NAT mapping for
the outgoing connection to make it look like it comes from the real source.
now requires pfil to work on Solaris & HP-UX
Only support ICMPv6 with IPv6.
supports mapping outbound connections to a specific address/port
Move ipnat.1 to ipnat.8
support toggling of logging per ipfilter 'device'
Enhance ipmon to print textual ICMP[v6] types and subtypes where possible.
use queues to expire data rather than lists
Make it possible to do IPv6 regression testing with ipftest.
add MSN RPC proxy
Use kvm library for kmem access, rather than trying to do it manually with
open/lseek/read.
add IRC proxy
Fix diffs for ip_input.c on BSDOS so it doesn't crash with fastroute.
support rules with dynamic ip addresses
Remove Berkeley advertising licence clause. Reference:
ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
add ability to define a pool of addresses & networks which can then
be placed in a single rule
Add more regression tests: ICMPv6 neighbour discovery, ICMP time exceeded
and fragmentation required.
support passing entire packet back to user program for authentication
Fix ipfboot script on Solaris to deal with no nameservers or no route to
them in a clean manner.
support master/slave for state information sharing
Support per-rule set timeouts for non-TCP NAT and state
reorganise generic code into a lib directory and make libipf.a
Add netbios proxy
user programs enforce version matching with the kernel
Add ICMPv6 stateful checking, including handling multicast destination
addresses for neighbour discovery.
supports window scaling if seen at TCP session setup
Fix problems with internals of ICMP messages for MTU discovery and
unreachables not being correctly adjust on little endian boxes.
generates C code from filter rules to compile in or load as native
machine code.
Add "in-via" and "out-via" to filtering rules grammar. It is now possible
to bind a rule to both incoming and outgoing interfaces, in both forward
and reverse directions (4 directions in total). allows for asymetric flows
through a firewall.
supports loading rules comprised of BPF bytecode statements
Fix ipfstat and ipnat for working on crash dumps.
HP-UX 11 port completed
Don't let USE_INET6 stay defined for SunOS4
and packets-per-second filtering
Count things we see for each interface on solaris.
add numerical tags to rules for filtering and display in ipmon output
Include <netinet/icmp6.h> when compiling with USE_INET6 defined and
also include a whole bunch of #define's to make sure the symbols expected
can be used.
Fix up fastroute on BSD systems.
Make fastrouting work for IPv6 just a bit better. doesn't split up big
packets into fragments like the IPv4 one does. You can now do a
"to <if>:<ipv6_addr>"
Remove some of the differences between user-space and kernel-space code
that is internal to ipfilter.
Call ipfr_slowtimer() after each packet is processed in ipftest to artificially
create the illusion of passing time and include the expire functions in the
code compiled for user-space.
Fix issues with the IPSec proxy not working or leading to a system crash.
Junk all processing of SPIs and special handling for ESP.
Add "no-match" as a filter rule action (resets _LAST_ match)
Add hack to workaround problems with Cassini interface cards on
Solaris and VLANs
Add some protocols to etc/protocols
3.4.22 03/12/2001 - Released
various openbsd changes
sorting based on IP numbers for ipfstat top output
fix various IPv6 code & compile problems
modify ip_fil.c to be more netbsd friendly
fix fastroute bug where it modified a packet post-sending
fix get_unit() - don't understand why it was broken.
add FI_IGNOREPKT and don't count so marked packets when doing stats or
state/nat.
extend the interface name saved to log output
make proxies capable of extending the matching done on a packet with a
particular nat session
change interfaces inside NAT & state code to accomodate redesign to allow
IPsec proxy to work.
fix bug when free'ing loaded rules that results in a memory leak
(only an issue with "ipf -rf -", not flush)
make ipftest capable of loading > 1 file or rules, making it now possible
to load both NAT & filter rules
fix hex input for ipftest to allow interface name & direction to work
show ipsec proxy details in ipnat output
if OPT_HEX is set in opts, print a packet out as hex
don't modify b_next or preseve it or preserve b_prev for solaris
fix up kinstall scripts to install all the files everywhere they need to
fix overflowing of bits in ip_off inside iptest
make userauth and proxy in samples directory compile
fix minimum size when doing a pullup for ESP & ICMPv6
3.4.21 24/10/2001 - Released
include ipsec proxy
make state work for non-tcp/udp/icmp in a very simple way
include diffs for ipv6 firewall on openbsd-2.9
add compatibility filter wrapper for NetBSD-current
fix command line option problems with ipfs
if we fill the state table and a automated flush doesn't purge any
expiring entries, remove all entries idle for more than half a day
fix bug with sending resets/icmp errors where the pointer to the data
section of the packet was not being set (BSD only)
split out validating ftp commands and responses into different halves,
one for each of server & client.
do not compile in STATETOP support for specific architectures
fix INSTALL.FreeBSD to no longer provide directions and properly direct
people to the right file for the right version of FreeBSD.
3.4.20 24/07/2001 - Released
adjust NAT hashing to give a better spread across the table
show icmp code/type names in output, where known
fix bug in altering cached interface names in state when resync'ing
fix bug in real audio proxy that caused crashs
fix compiling using sunos4 cc
patch from casper to address weird exit problem for ipstat in top mode
patch from Greg Woods to produce names for icmp types/unreach codes,
where they are known
fix bug where ipfr_fastroute() would use a mblk and it would also get
freed later.
don't match fragments which would cause 64k length to be exceeded
ftp proxy fix for port numbers being setup for pasv ftp with state/nat
change hashing for NAT to include both IP#'s and ports.
Solaris fixes for IPv6
fix compiling iplang bits, under Solaris, for ipsend
3.4.19 29/06/2001 - Released
fix to support suspend/resume on solaris8 as well as ipv6
include group/group-head in match of filter rules
fix endian problem reading snoop files
make all licence comments point to the one place
fix ftp proxy to only advance state if a reply is received in response to
a recognised command
3.4.18 05/06/2001 - Released
fix up parsing of "from ! host" where '!' is separate
disable hardware checksums for NetBSD
put ipftest temporary files in . rather than /tmp
modify ftp proxy to be more intelligent about moving between states
and recognise new authentication commands
allow state/nat table sizes to be externally influenced
print out host mapping table for NAT with ipnat -l
fix handling of hardware checksum'ing on Solaris
fixup makefiles for Solaris
update regression tests
fix surrender of SPL's for failure cases
include patches for OpenBSD's new timeout mechanism
default ipl_unreach to ICMP_UNREACH_FILTER_PROHIB if defined, else make it
ICMP_UNREACH_FILTER
fix up handling of packets matching auth rules and interaction with state
add -q command line option to ipfstat on Solaris to list bound interfaces
add command line option to ipfstat/ipnat to select different core image
don't use ncurses on Solaris for STATETOP
fix includes to get FreeBSD version
do not byte swap ip_id
fix handling success for packets matching the auth rule
don't double-count short packets
add ICMP router discovery message size recognition
fix packet length calculation for IPv6
set CPUDIR when for install-sunos5 make target
SUNWspro -xF causes Solaris 2.5.1 kernel to crash
3.4.17 06/04/2001 - Released
fix fragment#0 handling bug where they could get in via cache information
created by state table entries
use ire_walk to look for ire cache entries with link layer headers cached
deal with bad SPL assumptions for log reading on BSD
fix ftp proxy to allow logins with passwords
some auth rule patches, fixing byte endian problems and returning as an error
support LOG_SECURITY, where available, in ipmon
don't return an error for packets which match auth rules
introduce fr_icmpacktimeout to timeout entries once an ICMP reply has
been seen separately to when created
3.4.16 15/01/2001 - Released
fix race condition in flushing of state entries that are timing out
Add TCP ECN patches
log all NAT entries created, not just those via rules
3.4.15 17/12/2000 - Released
add minimum ttl filtering (to be replaced later by return-icmp-as-dest
for all ICMP packets matching state entries).
fix NAT'ing of fragments
fix sanity checks for ICMPV6
fix up compiling on IRIX 6.2 with IDF/IDL installed
3.4.14 02/11/2000 - Released
cause flushing NAT table to generate log records the same as state flush
does.
fix ftp proxy port/pasv
fix problem where nat_{in,out}lookup() would release a write lock when it
didn't need to.
add check for ipf6.conf in Solaris ipfboot
3.4.13 28/10/2000 - Released
fix introduced bug with ICMP packets being rejected when valid
fix bug with proxy's that don't set fin_dlen correctly when calling
fr_addstate()
3.4.12 26/10/2000 - Released
fix installing into FreeBSD-4.1
fix FTP proxy bug where it'd hang and make NAT slightly more efficient
fix general compiling errors/warnings on various platforms
don't access ICMP data fields that aren't there
3.4.11 09/10/2000 - Released
return NULL for IPv6 access control lists if it is disabled rather than
random garbage.
fix for getting protocol & packet length for IPv6 packets for pullup.
update plog script from version 0.8 to version 0.10
patch from Frank Volf adding fix_datacksum() to NAT code, enhancing the
capabilities for "fixing" checksums.
3.4.10 03/09/2000 - Released
merge patch from Frank Volf for ICMP nat handling of TCP/UDP data `errors'
getline() adjusts linenum now
add tcphalfclosed timeout
fill in icmp_nextmtu field if it is defined on the platform
RST generation fix from guido
force 32bit compile for gcc on solaris if it can't generate 64bit code
encase logging when fr_chksrc == 2 in #ifdef IPFILTER_LOG
fix up line wrap problems in plog script
fix ICMP packet handling to not drop valid ICMP errors
freebsd 5.0 compat changes
3.4.9 08/08/2000 - Released
implement new aging mechanism in fr_tcp_age()
fix icmp state checking bug
revamp buildsunos script and build both sparcv7/sparcv9 for Solaris
if on an Ultra with a 64bit system & compiler (Caseper Dik)
open ipfilter device read only if we know we can
print out better information for ICMP packets in ipmon
move checking for source spoofed packets to a point where we can generate
logs of them
return EFAULT from ircopyptr/iwcopyptr
don't do ioctl(SIOCGETFS) for auth stats
fix up freeing mbufs for post-4.3BSD
fix returning of inc from ftp proxy
fix bugs with ipfs -R/-W (Caseper Dik)
3.4.8 19/07/2000 - Released
create fake opt_inet6.h for FreeBSD-4 compile as LKM
add #ifdef's for KLD_MODULE sanity
NAT fastroute'd packets which come out of return-*
fix upper/lower case crap in ftp proxy and get seq# checking fixed up.
3.4.7 08/07/2000 - Released
make "ipf -y" lookup NAT if's which are unknown
prepend line numbers to ioctl error messages in ipf/ipnat
don't apply patches to FreeBSD twice
allow for ip_len to be on an unaligned boundary early on in fr_precheck
fix printing of icmp code when it is 0
correct printing of port numbers in map rules with from/to
don't allow fr_func to be called at securelevel > 0 or rules to be added
if securelevel > 0 if they have a non-zero fr_func.
3.4.6 11/06/2000 - Released
add extra regression tests for new nat functionality
place restrictions on using '!' in map/rdr rules
fix up solaris compile problems
3.4.5 10/06/2000 - Released
mention -sl in ipfstat.8
fix/support '!' in from/to rules (rdr) for NAT
add from/to support to rdr NAT rules
don't send ICMP errors in response to ICMP errors
fix sunos5 compilation for "ipfstat-top" and cleanup ipfboot
input accounting list used for both outbound and inbound packets
3.4.4 23/05/2000 - Released
3.4.4 23/05/2000 - Released
don't add TCP state if it is an RST packet and (attempt) to send out
RST/ICMP packets in a manner that bypasses IP Filter.
add patch to work with 4.0_STABLE delayed checksums
3.4.3 20/05/2000 - Released
3.4.3 20/05/2000 - Released
fix ipmon -F


@ -1,3 +1,5 @@
.\" $NetBSD$
.\"
To build a kernel for use with the loadable kernel module, follow these
steps:


@ -1,7 +1,56 @@
*** IF you are using FreeBSD 2.2.x, see the file "INST.FreeBSD-2.2" ***
*** IF you are using FreeBSD 3.x, see the file "FreeBSD-3/INST.FreeBSD-3" ***
*** IF you are using FreeBSD 4.x, see the file "FreeBSD-4.0/INST.FreeBSD-4" ***
This file is for use with FreeBSD 4.x and 5.x only.
To build a kernel for use with the loadable kernel module, follow these
steps:
1. For FreeBSD version:
4.* do make freebsd4
5.* do make freebsd5
2. do "make install-bsd"
(probably has to be done as root)
3. Run "BSD/kupgrade"
4. build a new kernel
5. install and reboot with the new kernel
6. use modload(8) to load the packet filter with:
modload if_ipl.o
7. do "modstat" to confirm that it has been loaded successfully.
There is no need to use mknod to create the device in /dev;
- upon loading the module, it will create itself with the correct values,
under the name (IPL_NAME) from the Makefile. It will also remove itself
from /dev when it is modunload'd.
To build a kernel with the IP filter, follow these steps:
1. For FreeBSD version:
4.* do make freebsd4
5.* do make freebsd5
2. do "make install-bsd"
(probably has to be done as root)
3. run "FreeBSD/kinstall" as root
4. build a new kernel
5.
b) If you are using FreeBSD-3 or later:
create devices for IP Filter as follows (assuming it was
installed into the device table as char dev 20):
mknod /dev/ipl c 79 0
mknod /dev/ipnat c 79 1
mknod /dev/ipstate c 79 2
mknod /dev/ipauth c 79 3
mknod /dev/ipsync c 79 4
mknod /dev/ipscan c 79 5
6. install and reboot with the new kernel
Darren Reed
darrenr@pobox.com


@ -1,28 +1,29 @@
Copyright (C) 1993-2002 by Darren Reed.
The author accepts no responsibility for the use of this software and
provides it on an ``as is'' basis without express or implied warranty.
Redistribution and use, with or without modification, in source and binary
forms, are permitted provided that this notice is preserved in its entirety
and due credit is given to the original author and the contributors.
The licence and distribution terms for any publically available version or
derivative of this code cannot be changed. i.e. this code cannot simply be
copied, in part or in whole, and put under another distribution licence
[including the GNU Public Licence.]
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
I hate legalese, don't you ?
/*
* Copyright (C) 1993-2001 by Darren Reed.
*
* The author accepts no responsibility for the use of this software and
* provides it on an ``as is'' basis without express or implied warranty.
*
* Redistribution and use, with or without modification, in source and binary
* forms, are permitted provided that this notice is preserved in its entirety
* and due credit is given to the original author and the contributors.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied, in part or in whole, and put under another distribution licence
* [including the GNU Public Licence.]
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* I hate legalese, don't you ?
*/


@ -1,5 +1,7 @@
IP Filter - What's this about ?
============================
Web site: http://coombs.anu.edu.au/~avalon/ip-filter.html
How-to: http://www.obfuscation.org/ipf/ipf-howto.txt
The idea behind this package is allow those who use Unix workstations as
routers (a common occurance in Universities it appears) to apply packet
@ -96,3 +98,4 @@ BNF
Darren Reed
darrenr@pobox.com
http://coombs.anu.edu.au/~avalon/ip-filter.html


@ -0,0 +1,57 @@
Over time, I am moving all of the IPFilter code to what I consider a better
coding style than it had before. If you submit patches, I expect them to
conform as appropriate.
Function Comments
=================
Preceeding each and every function, a comment block like this should
be present:
/* ------------------------------------------------------------------------ */
/* Function: function-name */
/* Returns: return-type */
/* Parameters: param1(I) - param1 is an input parameter */
/* p2(O) - p2 is an output parameter passed as an arg */
/* par3(IO) - par3 is a parameter which is both input and */
/* output. Pointers to things which are used and */
/* then get a result stored in them qualify here. */
/* */
/* Description about what the function does. This comment should explain */
/* any gotchas or algorithms that are used which aren't obvious to the */
/* casual reader. It should not be an excuse to not use comments inside */
/* the function. */
/* ------------------------------------------------------------------------ */
Tab spacing
===========
Tabs are to be at 8 characters.
Conditions
==========
All expressions which evaluate to a boolean for a test condition, such as
in an if()/while() statement must involve a boolean operation. Since C
has no native boolean type, this means that one of <,>,<=,>=,==,!= must
be present. Implied boolean evaluations are out.
In code, the following is banned:
if (x)
if (!x)
while ((a = b))
and should be replaced by:
if (x != 0)
if (x == 0)
while ((a = b) != 0)
If pointers are involved, always compare with NULL, ie.:
if (x != NULL)
if (x == NULL)
while ((a = b) != NULL)


@ -0,0 +1,90 @@
What's new in IPFilter 4.1
==========================
(Well, compared to 3.*, anyway)
In no particular order, except headline alphabetical:
Administration:
- Run-time support for modifying ipf table size parameters.
- Run-time support for tuning other ipfilter parameters.
Content Scanning:
- Simple matching of content for TCP session startup.
Firewall Synchronising:
- Master/slave programs available.
General:
- All input files allow simple 'marco' definitions and expansion,
including nesting.
- Code has been rototilled to make maintenance and enhancements
eaiser for me and you.
- More configuration files and binaries.
- Takes up more memory.
- Probably slower.
- Versioned API to support changes in the ABI without breaking
existing binaries (4.0 onward only.)
- IP-Filter framework in place for handling multiple different
types of packet matching for firewalling.
- IP Id number rewriting available.
- Verification of checksums for recognised packet types.
- Optionally enable/disable IP forwarding when enabled/disabled.
IPF:
- BPF syntax available for matching packets in ipf rules (1).
- Can convert IPv4 ipf rules into C code and either:
* load them as an LKM o;
* compile them statically into the kernel (where possible.)
- Address pools allow for simpler rules covering large numbers of
addresses/networks (IPv4 only).
- Lookup functions available to map an IPv4 address to a group.
- Groups can be referenced by multiple heads for subroutine-like use.
- NAT/ipf rules can refer to each other via a tag, creating an implied
join that forms part of the packet matching.
- Extra packet attributes available for filter rules:
* source address/routing interface mismatch;
* multicast (3);
* broadcast (2,3);
* state lookup partially failed;
* out of the TCP window for a state connection;
* NAT lookup partially failed.
- PPS (packets per second) matching available for ipf rules.
- Rule collections (cf FreeBSD numbering) supported for ipf rules.
- Groups can now be names rather than just numbers
IPV6:
- understands extension headers.
- can filter on extension headers.
Logging:
- ipmon now comes with a configuration file for more advanced logging
behaviour.
- Can append arbitrary logging tags with ipf rules for easy matching.
NAT:
- "sticky" mapping available to ensure an address translation on
a per-address basis is always the same (while known) for a set
IP address.
Operating System Support:
- HP-UX 11 added.
- Tru64 5.1a added.
- Solaris/HP-UX now use pfil STREAMS module.
- Linux 2.4 on the way.
Proxies:
- PPTP proxy added.
- IRC proxy added.
- RPCBIND proxy added.
- FTP proxy support for EPSV (IPv4 only.)
Stateful Inspection:
- Can insist that all TCP data arrives in order.
- Can insist that all fragments pass through in order.
- The number of states created per-rule can be set where the total
across all rules may exceed the maximum allowed.
- Can elect not to automatically match ICMP error packets.
- TCP sequence number rewriting supported.
(1) - Requires libpcap for rule parsing
(2) - On Solaris/HP-UX, broadcast packets are seen as multicast packets.
(3) - Not supported on SunOS4

452
contrib/ipfilter/bpf-ipf.h Normal file

@ -0,0 +1,452 @@
/* $NetBSD$ */
/*-
* Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
* The Regents of the University of California. All rights reserved.
*
* This code is derived from the Stanford/CMU enet packet filter,
* (net/enet.c) distributed as part of 4.3BSD, and code contributed
* to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
* Berkeley Laboratory.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)bpf.h 7.1 (Berkeley) 5/7/91
*
* @(#) $Header: /devel/CVS/IP-Filter/bpf-ipf.h,v 2.1 2002/10/26 12:14:26 darrenr Exp $ (LBL)
*/
#ifndef BPF_MAJOR_VERSION
#ifdef __cplusplus
extern "C" {
#endif
/* BSD style release date */
#define BPF_RELEASE 199606
typedef int bpf_int32;
typedef u_int bpf_u_int32;
/*
* Alignment macros. BPF_WORDALIGN rounds up to the next
* even multiple of BPF_ALIGNMENT.
*/
#ifndef __NetBSD__
#define BPF_ALIGNMENT sizeof(bpf_int32)
#else
#define BPF_ALIGNMENT sizeof(long)
#endif
#define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1))
#define BPF_MAXINSNS 512
#define BPF_MAXBUFSIZE 0x8000
#define BPF_MINBUFSIZE 32
/*
* Structure for BIOCSETF.
*/
struct bpf_program {
u_int bf_len;
struct bpf_insn *bf_insns;
};
/*
* Struct returned by BIOCGSTATS.
*/
struct bpf_stat {
u_int bs_recv; /* number of packets received */
u_int bs_drop; /* number of packets dropped */
};
/*
* Struct return by BIOCVERSION. This represents the version number of
* the filter language described by the instruction encodings below.
* bpf understands a program iff kernel_major == filter_major &&
* kernel_minor >= filter_minor, that is, if the value returned by the
* running kernel has the same major number and a minor number equal
* equal to or less than the filter being downloaded. Otherwise, the
* results are undefined, meaning an error may be returned or packets
* may be accepted haphazardly.
* It has nothing to do with the source code version.
*/
struct bpf_version {
u_short bv_major;
u_short bv_minor;
};
/* Current version number of filter architecture. */
#define BPF_MAJOR_VERSION 1
#define BPF_MINOR_VERSION 1
/*
* BPF ioctls
*
* The first set is for compatibility with Sun's pcc style
* header files. If your using gcc, we assume that you
* have run fixincludes so the latter set should work.
*/
#if (defined(sun) || defined(ibm032)) && !defined(__GNUC__)
#define BIOCGBLEN _IOR(B,102, u_int)
#define BIOCSBLEN _IOWR(B,102, u_int)
#define BIOCSETF _IOW(B,103, struct bpf_program)
#define BIOCFLUSH _IO(B,104)
#define BIOCPROMISC _IO(B,105)
#define BIOCGDLT _IOR(B,106, u_int)
#define BIOCGETIF _IOR(B,107, struct ifreq)
#define BIOCSETIF _IOW(B,108, struct ifreq)
#define BIOCSRTIMEOUT _IOW(B,109, struct timeval)
#define BIOCGRTIMEOUT _IOR(B,110, struct timeval)
#define BIOCGSTATS _IOR(B,111, struct bpf_stat)
#define BIOCIMMEDIATE _IOW(B,112, u_int)
#define BIOCVERSION _IOR(B,113, struct bpf_version)
#define BIOCSTCPF _IOW(B,114, struct bpf_program)
#define BIOCSUDPF _IOW(B,115, struct bpf_program)
#else
#define BIOCGBLEN _IOR('B',102, u_int)
#define BIOCSBLEN _IOWR('B',102, u_int)
#define BIOCSETF _IOW('B',103, struct bpf_program)
#define BIOCFLUSH _IO('B',104)
#define BIOCPROMISC _IO('B',105)
#define BIOCGDLT _IOR('B',106, u_int)
#define BIOCGETIF _IOR('B',107, struct ifreq)
#define BIOCSETIF _IOW('B',108, struct ifreq)
#define BIOCSRTIMEOUT _IOW('B',109, struct timeval)
#define BIOCGRTIMEOUT _IOR('B',110, struct timeval)
#define BIOCGSTATS _IOR('B',111, struct bpf_stat)
#define BIOCIMMEDIATE _IOW('B',112, u_int)
#define BIOCVERSION _IOR('B',113, struct bpf_version)
#define BIOCSTCPF _IOW('B',114, struct bpf_program)
#define BIOCSUDPF _IOW('B',115, struct bpf_program)
#endif
/*
* Structure prepended to each packet.
*/
struct bpf_hdr {
struct timeval bh_tstamp; /* time stamp */
bpf_u_int32 bh_caplen; /* length of captured portion */
bpf_u_int32 bh_datalen; /* original length of packet */
u_short bh_hdrlen; /* length of bpf header (this struct
plus alignment padding) */
};
/*
* Because the structure above is not a multiple of 4 bytes, some compilers
* will insist on inserting padding; hence, sizeof(struct bpf_hdr) won't work.
* Only the kernel needs to know about it; applications use bh_hdrlen.
*/
#if defined(KERNEL) || defined(_KERNEL)
#define SIZEOF_BPF_HDR 18
#endif
/*
* Data-link level type codes.
*/
/*
* These are the types that are the same on all platforms; on other
* platforms, a <net/bpf.h> should be supplied that defines the additional
* DLT_* codes appropriately for that platform (the BSDs, for example,
* should not just pick up this version of "bpf.h"; they should also define
* the additional DLT_* codes used by their kernels, as well as the values
* defined here - and, if the values they use for particular DLT_ types
* differ from those here, they should use their values, not the ones
* here).
*/
#define DLT_NULL 0 /* no link-layer encapsulation */
#define DLT_EN10MB 1 /* Ethernet (10Mb) */
#define DLT_EN3MB 2 /* Experimental Ethernet (3Mb) */
#define DLT_AX25 3 /* Amateur Radio AX.25 */
#define DLT_PRONET 4 /* Proteon ProNET Token Ring */
#define DLT_CHAOS 5 /* Chaos */
#define DLT_IEEE802 6 /* IEEE 802 Networks */
#define DLT_ARCNET 7 /* ARCNET */
#define DLT_SLIP 8 /* Serial Line IP */
#define DLT_PPP 9 /* Point-to-point Protocol */
#define DLT_FDDI 10 /* FDDI */
/*
* These are values from the traditional libpcap "bpf.h".
* Ports of this to particular platforms should replace these definitions
* with the ones appropriate to that platform, if the values are
* different on that platform.
*/
#define DLT_ATM_RFC1483 11 /* LLC/SNAP encapsulated atm */
#define DLT_RAW 12 /* raw IP */
/*
* These are values from BSD/OS's "bpf.h".
* These are not the same as the values from the traditional libpcap
* "bpf.h"; however, these values shouldn't be generated by any
* OS other than BSD/OS, so the correct values to use here are the
* BSD/OS values.
*
* Platforms that have already assigned these values to other
* DLT_ codes, however, should give these codes the values
* from that platform, so that programs that use these codes will
* continue to compile - even though they won't correctly read
* files of these types.
*/
#ifdef __NetBSD__
#ifndef DLT_SLIP_BSDOS
#define DLT_SLIP_BSDOS 13 /* BSD/OS Serial Line IP */
#define DLT_PPP_BSDOS 14 /* BSD/OS Point-to-point Protocol */
#endif
#else
#define DLT_SLIP_BSDOS 15 /* BSD/OS Serial Line IP */
#define DLT_PPP_BSDOS 16 /* BSD/OS Point-to-point Protocol */
#endif
#define DLT_ATM_CLIP 19 /* Linux Classical-IP over ATM */
/*
* These values are defined by NetBSD; other platforms should refrain from
* using them for other purposes, so that NetBSD savefiles with link
* types of 50 or 51 can be read as this type on all platforms.
*/
#define DLT_PPP_SERIAL 50 /* PPP over serial with HDLC encapsulation */
#define DLT_PPP_ETHER 51 /* PPP over Ethernet */
/*
* Values between 100 and 103 are used in capture file headers as
* link-layer types corresponding to DLT_ types that differ
* between platforms; don't use those values for new DLT_ new types.
*/
/*
* This value was defined by libpcap 0.5; platforms that have defined
* it with a different value should define it here with that value -
* a link type of 104 in a save file will be mapped to DLT_C_HDLC,
* whatever value that happens to be, so programs will correctly
* handle files with that link type regardless of the value of
* DLT_C_HDLC.
*
* The name DLT_C_HDLC was used by BSD/OS; we use that name for source
* compatibility with programs written for BSD/OS.
*
* libpcap 0.5 defined it as DLT_CHDLC; we define DLT_CHDLC as well,
* for source compatibility with programs written for libpcap 0.5.
*/
#define DLT_C_HDLC 104 /* Cisco HDLC */
#define DLT_CHDLC DLT_C_HDLC
#define DLT_IEEE802_11 105 /* IEEE 802.11 wireless */
/*
* Values between 106 and 107 are used in capture file headers as
* link-layer types corresponding to DLT_ types that might differ
* between platforms; don't use those values for new DLT_ new types.
*/
/*
* OpenBSD DLT_LOOP, for loopback devices; it's like DLT_NULL, except
* that the AF_ type in the link-layer header is in network byte order.
*
* OpenBSD defines it as 12, but that collides with DLT_RAW, so we
* define it as 108 here. If OpenBSD picks up this file, it should
* define DLT_LOOP as 12 in its version, as per the comment above -
* and should not use 108 as a DLT_ value.
*/
#define DLT_LOOP 108
/*
* Values between 109 and 112 are used in capture file headers as
* link-layer types corresponding to DLT_ types that might differ
* between platforms; don't use those values for new DLT_ types
* other than the corresponding DLT_ types.
*/
/*
* This is for Linux cooked sockets.
*/
#define DLT_LINUX_SLL 113
/*
* Apple LocalTalk hardware.
*/
#define DLT_LTALK 114
/*
* Acorn Econet.
*/
#define DLT_ECONET 115
/*
* Reserved for use with OpenBSD ipfilter.
*/
#define DLT_IPFILTER 116
/*
* Reserved for use in capture-file headers as a link-layer type
* corresponding to OpenBSD DLT_PFLOG; DLT_PFLOG is 17 in OpenBSD,
* but that's DLT_LANE8023 in SuSE 6.3, so we can't use 17 for it
* in capture-file headers.
*/
#define DLT_PFLOG 117
/*
* Registered for Cisco-internal use.
*/
#define DLT_CISCO_IOS 118
/*
* Reserved for 802.11 cards using the Prism II chips, with a link-layer
* header including Prism monitor mode information plus an 802.11
* header.
*/
#define DLT_PRISM_HEADER 119
/*
* Reserved for Aironet 802.11 cards, with an Aironet link-layer header
* (see Doug Ambrisko's FreeBSD patches).
*/
#define DLT_AIRONET_HEADER 120
/*
* Reserved for Siemens HiPath HDLC.
*/
#define DLT_HHDLC 121
/*
* Reserved for RFC 2625 IP-over-Fibre Channel, as per a request from
* Don Lee <donlee@cray.com>.
*
* This is not for use with raw Fibre Channel, where the link-layer
* header starts with a Fibre Channel frame header; it's for IP-over-FC,
* where the link-layer header starts with an RFC 2625 Network_Header
* field.
*/
#define DLT_IP_OVER_FC 122
/*
* The instruction encodings.
*/
/* instruction classes */
#define BPF_CLASS(code) ((code) & 0x07)
#define BPF_LD 0x00
#define BPF_LDX 0x01
#define BPF_ST 0x02
#define BPF_STX 0x03
#define BPF_ALU 0x04
#define BPF_JMP 0x05
#define BPF_RET 0x06
#define BPF_MISC 0x07
/* ld/ldx fields */
#define BPF_SIZE(code) ((code) & 0x18)
#define BPF_W 0x00
#define BPF_H 0x08
#define BPF_B 0x10
#define BPF_MODE(code) ((code) & 0xe0)
#define BPF_IMM 0x00
#define BPF_ABS 0x20
#define BPF_IND 0x40
#define BPF_MEM 0x60
#define BPF_LEN 0x80
#define BPF_MSH 0xa0
/* alu/jmp fields */
#define BPF_OP(code) ((code) & 0xf0)
#define BPF_ADD 0x00
#define BPF_SUB 0x10
#define BPF_MUL 0x20
#define BPF_DIV 0x30
#define BPF_OR 0x40
#define BPF_AND 0x50
#define BPF_LSH 0x60
#define BPF_RSH 0x70
#define BPF_NEG 0x80
#define BPF_JA 0x00
#define BPF_JEQ 0x10
#define BPF_JGT 0x20
#define BPF_JGE 0x30
#define BPF_JSET 0x40
#define BPF_SRC(code) ((code) & 0x08)
#define BPF_K 0x00
#define BPF_X 0x08
/* ret - BPF_K and BPF_X also apply */
#define BPF_RVAL(code) ((code) & 0x18)
#define BPF_A 0x10
/* misc */
#define BPF_MISCOP(code) ((code) & 0xf8)
#define BPF_TAX 0x00
#define BPF_TXA 0x80
/*
* The instruction data structure.
*/
struct bpf_insn {
u_short code;
u_char jt;
u_char jf;
bpf_int32 k;
};
/*
* Macros for insn array initializers.
*/
#define BPF_STMT(code, k) { (u_short)(code), 0, 0, k }
#define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k }
#if defined(BSD) && (defined(KERNEL) || defined(_KERNEL))
/*
* Systems based on non-BSD kernels don't have ifnet's (or they don't mean
* anything if it is in <net/if.h>) and won't work like this.
*/
# if __STDC__
extern void bpf_tap(struct ifnet *, u_char *, u_int);
extern void bpf_mtap(struct ifnet *, struct mbuf *);
extern void bpfattach(struct ifnet *, u_int, u_int);
extern void bpfilterattach(int);
# else
extern void bpf_tap();
extern void bpf_mtap();
extern void bpfattach();
extern void bpfilterattach();
# endif /* __STDC__ */
#endif /* BSD && (_KERNEL || KERNEL) */
#if __STDC__ || defined(__cplusplus)
extern int bpf_validate(struct bpf_insn *, int);
extern u_int bpf_filter(struct bpf_insn *, u_char *, u_int, u_int);
#else
extern int bpf_validate();
extern u_int bpf_filter();
#endif
/*
* Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST).
*/
#define BPF_MEMWORDS 16
#ifdef __cplusplus
}
#endif
#endif


@ -0,0 +1,517 @@
/* $NetBSD$ */
/*-
* Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
* The Regents of the University of California. All rights reserved.
*
* This code is derived from the Stanford/CMU enet packet filter,
* (net/enet.c) distributed as part of 4.3BSD, and code contributed
* to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
* Berkeley Laboratory.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)bpf.c 7.5 (Berkeley) 7/15/91
*/
#if !(defined(lint) || defined(KERNEL) || defined(_KERNEL))
static const char rcsid[] =
"@(#) $Header: /devel/CVS/IP-Filter/bpf_filter.c,v 2.2 2003/08/19 16:49:58 darrenr Exp $ (LBL)";
#endif
#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <net/if.h>
#include "ip_compat.h"
#include "bpf-ipf.h"
#if (defined(__hpux) || SOLARIS) && (defined(_KERNEL) || defined(KERNEL))
# include <sys/sysmacros.h>
# include <sys/stream.h>
#endif
#include "pcap-ipf.h"
#if !defined(KERNEL) && !defined(_KERNEL)
#include <stdlib.h>
#endif
#define int32 bpf_int32
#define u_int32 bpf_u_int32
static int m_xword __P((mb_t *, int, int *));
static int m_xhalf __P((mb_t *, int, int *));
#ifndef LBL_ALIGN
/*
* XXX - IA-64? If not, this probably won't work on Win64 IA-64
* systems, unless LBL_ALIGN is defined elsewhere for them.
* XXX - SuperH? If not, this probably won't work on WinCE SuperH
* systems, unless LBL_ALIGN is defined elsewhere for them.
*/
#if defined(sparc) || defined(__sparc__) || defined(mips) || \
defined(ibm032) || defined(__alpha) || defined(__hpux) || \
defined(__arm__)
#define LBL_ALIGN
#endif
#endif
#ifndef LBL_ALIGN
#define EXTRACT_SHORT(p) ((u_short)ntohs(*(u_short *)p))
#define EXTRACT_LONG(p) (ntohl(*(u_int32 *)p))
#else
#define EXTRACT_SHORT(p)\
((u_short)\
((u_short)*((u_char *)p+0)<<8|\
(u_short)*((u_char *)p+1)<<0))
#define EXTRACT_LONG(p)\
((u_int32)*((u_char *)p+0)<<24|\
(u_int32)*((u_char *)p+1)<<16|\
(u_int32)*((u_char *)p+2)<<8|\
(u_int32)*((u_char *)p+3)<<0)
#endif
#define MINDEX(len, _m, _k) \
{ \
len = M_LEN(m); \
while ((_k) >= len) { \
(_k) -= len; \
(_m) = (_m)->m_next; \
if ((_m) == 0) \
return 0; \
len = M_LEN(m); \
} \
}
static int
m_xword(m, k, err)
register mb_t *m;
register int k, *err;
{
register int len;
register u_char *cp, *np;
register mb_t *m0;
MINDEX(len, m, k);
cp = MTOD(m, u_char *) + k;
if (len - k >= 4) {
*err = 0;
return EXTRACT_LONG(cp);
}
m0 = m->m_next;
if (m0 == 0 || M_LEN(m0) + len - k < 4)
goto bad;
*err = 0;
np = MTOD(m0, u_char *);
switch (len - k) {
case 1:
return (cp[0] << 24) | (np[0] << 16) | (np[1] << 8) | np[2];
case 2:
return (cp[0] << 24) | (cp[1] << 16) | (np[0] << 8) | np[1];
default:
return (cp[0] << 24) | (cp[1] << 16) | (cp[2] << 8) | np[0];
}
bad:
*err = 1;
return 0;
}
static int
m_xhalf(m, k, err)
register mb_t *m;
register int k, *err;
{
register int len;
register u_char *cp;
register mb_t *m0;
MINDEX(len, m, k);
cp = MTOD(m, u_char *) + k;
if (len - k >= 2) {
*err = 0;
return EXTRACT_SHORT(cp);
}
m0 = m->m_next;
if (m0 == 0)
goto bad;
*err = 0;
return (cp[0] << 8) | MTOD(m0, u_char *)[0];
bad:
*err = 1;
return 0;
}
/*
* Execute the filter program starting at pc on the packet p
* wirelen is the length of the original packet
* buflen is the amount of data present
* For the kernel, p is assumed to be a pointer to an mbuf if buflen is 0,
* in all other cases, p is a pointer to a buffer and buflen is its size.
*/
u_int
bpf_filter(pc, p, wirelen, buflen)
register struct bpf_insn *pc;
register u_char *p;
u_int wirelen;
register u_int buflen;
{
register u_int32 A, X;
register int k;
int32 mem[BPF_MEMWORDS];
mb_t *m, *n;
int merr, len;
if (buflen == 0) {
m = (mb_t *)p;
p = MTOD(m, u_char *);
buflen = M_LEN(m);
} else
m = NULL;
if (pc == 0)
/*
* No filter means accept all.
*/
return (u_int)-1;
A = 0;
X = 0;
--pc;
while (1) {
++pc;
switch (pc->code) {
default:
return 0;
case BPF_RET|BPF_K:
return (u_int)pc->k;
case BPF_RET|BPF_A:
return (u_int)A;
case BPF_LD|BPF_W|BPF_ABS:
k = pc->k;
if (k + sizeof(int32) > buflen) {
if (m == NULL)
return 0;
A = m_xword(m, k, &merr);
if (merr != 0)
return 0;
continue;
}
A = EXTRACT_LONG(&p[k]);
continue;
case BPF_LD|BPF_H|BPF_ABS:
k = pc->k;
if (k + sizeof(short) > buflen) {
if (m == NULL)
return 0;
A = m_xhalf(m, k, &merr);
if (merr != 0)
return 0;
continue;
}
A = EXTRACT_SHORT(&p[k]);
continue;
case BPF_LD|BPF_B|BPF_ABS:
k = pc->k;
if (k >= buflen) {
if (m == NULL)
return 0;
n = m;
MINDEX(len, n, k);
A = MTOD(n, u_char *)[k];
continue;
}
A = p[k];
continue;
case BPF_LD|BPF_W|BPF_LEN:
A = wirelen;
continue;
case BPF_LDX|BPF_W|BPF_LEN:
X = wirelen;
continue;
case BPF_LD|BPF_W|BPF_IND:
k = X + pc->k;
if (k + sizeof(int32) > buflen) {
if (m == NULL)
return 0;
A = m_xword(m, k, &merr);
if (merr != 0)
return 0;
continue;
}
A = EXTRACT_LONG(&p[k]);
continue;
case BPF_LD|BPF_H|BPF_IND:
k = X + pc->k;
if (k + sizeof(short) > buflen) {
if (m == NULL)
return 0;
A = m_xhalf(m, k, &merr);
if (merr != 0)
return 0;
continue;
}
A = EXTRACT_SHORT(&p[k]);
continue;
case BPF_LD|BPF_B|BPF_IND:
k = X + pc->k;
if (k >= buflen) {
if (m == NULL)
return 0;
n = m;
MINDEX(len, n, k);
A = MTOD(n, u_char *)[k];
continue;
}
A = p[k];
continue;
case BPF_LDX|BPF_MSH|BPF_B:
k = pc->k;
if (k >= buflen) {
if (m == NULL)
return 0;
n = m;
MINDEX(len, n, k);
X = (MTOD(n, char *)[k] & 0xf) << 2;
continue;
}
X = (p[pc->k] & 0xf) << 2;
continue;
case BPF_LD|BPF_IMM:
A = pc->k;
continue;
case BPF_LDX|BPF_IMM:
X = pc->k;
continue;
case BPF_LD|BPF_MEM:
A = mem[pc->k];
continue;
case BPF_LDX|BPF_MEM:
X = mem[pc->k];
continue;
case BPF_ST:
mem[pc->k] = A;
continue;
case BPF_STX:
mem[pc->k] = X;
continue;
case BPF_JMP|BPF_JA:
pc += pc->k;
continue;
case BPF_JMP|BPF_JGT|BPF_K:
pc += (A > pc->k) ? pc->jt : pc->jf;
continue;
case BPF_JMP|BPF_JGE|BPF_K:
pc += (A >= pc->k) ? pc->jt : pc->jf;
continue;
case BPF_JMP|BPF_JEQ|BPF_K:
pc += (A == pc->k) ? pc->jt : pc->jf;
continue;
case BPF_JMP|BPF_JSET|BPF_K:
pc += (A & pc->k) ? pc->jt : pc->jf;
continue;
case BPF_JMP|BPF_JGT|BPF_X:
pc += (A > X) ? pc->jt : pc->jf;
continue;
case BPF_JMP|BPF_JGE|BPF_X:
pc += (A >= X) ? pc->jt : pc->jf;
continue;
case BPF_JMP|BPF_JEQ|BPF_X:
pc += (A == X) ? pc->jt : pc->jf;
continue;
case BPF_JMP|BPF_JSET|BPF_X:
pc += (A & X) ? pc->jt : pc->jf;
continue;
case BPF_ALU|BPF_ADD|BPF_X:
A += X;
continue;
case BPF_ALU|BPF_SUB|BPF_X:
A -= X;
continue;
case BPF_ALU|BPF_MUL|BPF_X:
A *= X;
continue;
case BPF_ALU|BPF_DIV|BPF_X:
if (X == 0)
return 0;
A /= X;
continue;
case BPF_ALU|BPF_AND|BPF_X:
A &= X;
continue;
case BPF_ALU|BPF_OR|BPF_X:
A |= X;
continue;
case BPF_ALU|BPF_LSH|BPF_X:
A <<= X;
continue;
case BPF_ALU|BPF_RSH|BPF_X:
A >>= X;
continue;
case BPF_ALU|BPF_ADD|BPF_K:
A += pc->k;
continue;
case BPF_ALU|BPF_SUB|BPF_K:
A -= pc->k;
continue;
case BPF_ALU|BPF_MUL|BPF_K:
A *= pc->k;
continue;
case BPF_ALU|BPF_DIV|BPF_K:
A /= pc->k;
continue;
case BPF_ALU|BPF_AND|BPF_K:
A &= pc->k;
continue;
case BPF_ALU|BPF_OR|BPF_K:
A |= pc->k;
continue;
case BPF_ALU|BPF_LSH|BPF_K:
A <<= pc->k;
continue;
case BPF_ALU|BPF_RSH|BPF_K:
A >>= pc->k;
continue;
case BPF_ALU|BPF_NEG:
A = -A;
continue;
case BPF_MISC|BPF_TAX:
X = A;
continue;
case BPF_MISC|BPF_TXA:
A = X;
continue;
}
}
}
/*
* Return true if the 'fcode' is a valid filter program.
* The constraints are that each jump be forward and to a valid
* code. The code must terminate with either an accept or reject.
* 'valid' is an array for use by the routine (it must be at least
* 'len' bytes long).
*
* The kernel needs to be able to verify an application's filter code.
* Otherwise, a bogus program could easily crash the system.
*/
int
bpf_validate(f, len)
struct bpf_insn *f;
int len;
{
register int i;
register struct bpf_insn *p;
for (i = 0; i < len; ++i) {
/*
* Check that that jumps are forward, and within
* the code block.
*/
p = &f[i];
if (BPF_CLASS(p->code) == BPF_JMP) {
register int from = i + 1;
if (BPF_OP(p->code) == BPF_JA) {
if (from + p->k >= (unsigned)len)
return 0;
}
else if (from + p->jt >= len || from + p->jf >= len)
return 0;
}
/*
* Check that memory operations use valid addresses.
*/
if ((BPF_CLASS(p->code) == BPF_ST ||
(BPF_CLASS(p->code) == BPF_LD &&
(p->code & 0xe0) == BPF_MEM)) &&
(p->k >= BPF_MEMWORDS || p->k < 0))
return 0;
/*
* Check for constant division by 0.
*/
if (p->code == (BPF_ALU|BPF_DIV|BPF_K) && p->k == 0)
return 0;
}
return BPF_CLASS(f[len - 1].code) == BPF_RET;
}
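Review bot: `bpf_validate` bounds-checks scratch-memory indices only for `BPF_ST` and `BPF_LD|BPF_MEM`; `BPF_LDX|BPF_MEM` (class `BPF_LDX`) and `BPF_STX` (class `BPF_STX`) pass through untouched, yet `bpf_filter` executes them as `X = mem[pc->k]` and `mem[pc->k] = X` with no runtime check, so a program that validates cleanly can still read or write past the 16-word `mem[]` array on the stack. Widen the test to cover all four forms: `if ((BPF_CLASS(p->code) == BPF_ST || BPF_CLASS(p->code) == BPF_STX || ((BPF_CLASS(p->code) == BPF_LD || BPF_CLASS(p->code) == BPF_LDX) && BPF_MODE(p->code) == BPF_MEM)) && (p->k >= BPF_MEMWORDS || p->k < 0)) return 0;`. The validator also never rejects a negative `k` on `BPF_ABS`/`BPF_IND` loads; in the flat-buffer case the unsigned comparison against `buflen` happens to catch it, but in the mbuf case `m_xword`, `m_xhalf` and the `MINDEX` path go on to compute `MTOD(m, u_char *) + k` with the negative offset. Filter programs presumably reach this code through a root-only ioctl, which limits the impact to a kernel crash by an administrator, but the comment above the function promises exactly the protection that is missing.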


@ -5,8 +5,13 @@
cmd=/bin/mv
strip=""
chmod="chmod 755"
chown="chown -f root"
chgrp="chgrp -f bin"
if [ "`uname -s`" = "HP-UX" ] ; then
chown="chown root"
chgrp="chgrp bin"
else
chown="chown -f root"
chgrp="chgrp -f bin"
fi
while true ; do
case $1 in
-s ) strip="strip"
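Review bot: On every platform except HP-UX the script still uses `chown -f root` / `chgrp -f bin`, which swallow the error when the script is run without privilege, so an installed binary can silently remain owned by the invoking user while the run reports success; the new HP-UX branch, presumably added because that platform's chown lacks `-f`, already shows the non-silent form is workable. Consider dropping `-f` everywhere, or checking the result where these commands are applied (that part of the script is outside the hunk), e.g. `$chown "$target" || echo "warning: chown failed for $target" >&2`, using whatever name the script has for the installed file.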


@ -38,9 +38,12 @@ ddp 37 DDP # Datagram Delivery Protocol
idpr-cmtp 38 IDPR-CMTP # IDPR Control Message Transport Proto
tp++ 39 TP++ # TP++ Transport Protocol
il 40 IL # IL Transport Protocol
ipv6 41 IPv6 # Internet Protocol, version 6
sip 41 SIP # Simple Internet Protocol
sdrp 42 SDRP # Source Demand Routing Protocol
ipv6-route 43 IPv6-Route # Routing Header for IPv6
sip-sr 43 SIP-SR # SIP Source Route
ipv6-frag 44 IPv6-Frag # Fragment Hedaer for IPv6
sip-frag 44 SIP-FRAG # SIP Fragment
idrp 45 IDRP # Inter-Domain Routing Protocol
rsvp 46 RSVP # Reservation Protocol
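Review bot: The comment on the new `ipv6-frag` line misspells "Header" (`Fragment Hedaer for IPv6`); it should read `ipv6-frag 44 IPv6-Frag # Fragment Header for IPv6`. The adjacent new `ipv6` and `ipv6-route` entries read correctly.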


@ -2359,8 +2359,8 @@ dpserve 7020/tcp # DP Serve
dpserve 7020/udp # DP Serve
dpserveadmin 7021/tcp # DP Serve Admin
dpserveadmin 7021/udp # DP Serve Admin
raudio 7070/tcp @ Real Audio
arcp 7070/tcp # ARCP
raudio 7070/tcp # Real Audio
arcp 7070/udp # ARCP
clutild 7174/tcp # Clutild
clutild 7174/udp # Clutild



@ -0,0 +1,455 @@
/* $NetBSD$ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if defined(KERNEL) || defined(_KERNEL)
# undef KERNEL
# undef _KERNEL
# define KERNEL 1
# define _KERNEL 1
#endif
#include <sys/param.h>
#include <sys/types.h>
#include <sys/errno.h>
#include <sys/time.h>
#include <sys/file.h>
#if !defined(_KERNEL)
# include <stdlib.h>
# include <string.h>
# define _KERNEL
# ifdef __OpenBSD__
struct file;
# endif
# include <sys/uio.h>
# undef _KERNEL
#endif
#include <sys/socket.h>
#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
# include <sys/malloc.h>
#endif
#if defined(__FreeBSD__)
# include <sys/cdefs.h>
# include <sys/proc.h>
#endif
#if !defined(__svr4__) && !defined(__SVR4) && !defined(__hpux) && \
!defined(linux)
# include <sys/mbuf.h>
#endif
#if defined(_KERNEL)
# include <sys/systm.h>
#else
# include <stdio.h>
#endif
#include <netinet/in.h>
#include <net/if.h>
#include "netinet/ip_compat.h"
#include "netinet/ip_fil.h"
#include "netinet/ip_lookup.h"
#include "netinet/ip_htable.h"
/* END OF INCLUDES */
#if !defined(lint)
static const char rcsid[] = "@(#)Id: ip_htable.c,v 2.34.2.2 2004/10/17 15:49:15 darrenr Exp";
#endif
#ifdef IPFILTER_LOOKUP
static iphtent_t *fr_iphmfind __P((iphtable_t *, struct in_addr *));
static u_long ipht_nomem[IPL_LOGSIZE] = { 0, 0, 0, 0, 0, 0, 0, 0 };
static u_long ipf_nhtables[IPL_LOGSIZE] = { 0, 0, 0, 0, 0, 0, 0, 0 };
static u_long ipf_nhtnodes[IPL_LOGSIZE] = { 0, 0, 0, 0, 0, 0, 0, 0 };
iphtable_t *ipf_htables[IPL_LOGSIZE] = { NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL };
void fr_htable_unload()
{
iplookupflush_t fop;
fop.iplf_unit = IPL_LOGALL;
(void)fr_flushhtable(&fop);
}
int fr_gethtablestat(op)
iplookupop_t *op;
{
iphtstat_t stats;
if (op->iplo_size != sizeof(stats))
return EINVAL;
stats.iphs_tables = ipf_htables[op->iplo_unit];
stats.iphs_numtables = ipf_nhtables[op->iplo_unit];
stats.iphs_numnodes = ipf_nhtnodes[op->iplo_unit];
stats.iphs_nomem = ipht_nomem[op->iplo_unit];
return COPYOUT(&stats, op->iplo_struct, sizeof(stats));
}
/*
* Create a new hash table using the template passed.
*/
int fr_newhtable(op)
iplookupop_t *op;
{
iphtable_t *iph, *oiph;
char name[FR_GROUPLEN];
int err, i, unit;
KMALLOC(iph, iphtable_t *);
if (iph == NULL)
return ENOMEM;
err = COPYIN(op->iplo_struct, iph, sizeof(*iph));
if (err != 0) {
KFREE(iph);
return EFAULT;
}
unit = op->iplo_unit;
if (iph->iph_unit != unit) {
KFREE(iph);
return EINVAL;
}
if ((op->iplo_arg & IPHASH_ANON) == 0) {
if (fr_findhtable(op->iplo_unit, op->iplo_name) != NULL) {
KFREE(iph);
return EEXIST;
}
} else {
i = IPHASH_ANON;
do {
i++;
#if defined(SNPRINTF) && defined(_KERNEL)
SNPRINTF(name, sizeof(name), "%u", i);
#else
(void)sprintf(name, "%u", i);
#endif
for (oiph = ipf_htables[unit]; oiph != NULL;
oiph = oiph->iph_next)
if (strncmp(oiph->iph_name, name,
sizeof(oiph->iph_name)) == 0)
break;
} while (oiph != NULL);
(void)strncpy(iph->iph_name, name, sizeof(iph->iph_name));
err = COPYOUT(iph, op->iplo_struct, sizeof(*iph));
if (err != 0) {
KFREE(iph);
return EFAULT;
}
iph->iph_type |= IPHASH_ANON;
}
KMALLOCS(iph->iph_table, iphtent_t **,
iph->iph_size * sizeof(*iph->iph_table));
if (iph->iph_table == NULL) {
KFREE(iph);
ipht_nomem[unit]++;
return ENOMEM;
}
bzero((char *)iph->iph_table, iph->iph_size * sizeof(*iph->iph_table));
iph->iph_masks = 0;
iph->iph_next = ipf_htables[unit];
iph->iph_pnext = &ipf_htables[unit];
if (ipf_htables[unit] != NULL)
ipf_htables[unit]->iph_pnext = &iph->iph_next;
ipf_htables[unit] = iph;
ipf_nhtables[unit]++;
return 0;
}
/*
*/
int fr_removehtable(op)
iplookupop_t *op;
{
iphtable_t *iph;
iph = fr_findhtable(op->iplo_unit, op->iplo_name);
if (iph == NULL)
return ESRCH;
if (iph->iph_unit != op->iplo_unit) {
return EINVAL;
}
if (iph->iph_ref != 0) {
return EBUSY;
}
fr_delhtable(iph);
return 0;
}
void fr_delhtable(iph)
iphtable_t *iph;
{
iphtent_t *ipe;
int i;
for (i = 0; i < iph->iph_size; i++)
while ((ipe = iph->iph_table[i]) != NULL)
if (fr_delhtent(iph, ipe) != 0)
return;
*iph->iph_pnext = iph->iph_next;
if (iph->iph_next != NULL)
iph->iph_next->iph_pnext = iph->iph_pnext;
ipf_nhtables[iph->iph_unit]--;
if (iph->iph_ref == 0) {
KFREES(iph->iph_table, iph->iph_size * sizeof(*iph->iph_table));
KFREE(iph);
}
}
void fr_derefhtable(iph)
iphtable_t *iph;
{
iph->iph_ref--;
if (iph->iph_ref == 0)
fr_delhtable(iph);
}
iphtable_t *fr_findhtable(unit, name)
int unit;
char *name;
{
iphtable_t *iph;
for (iph = ipf_htables[unit]; iph != NULL; iph = iph->iph_next)
if (strncmp(iph->iph_name, name, sizeof(iph->iph_name)) == 0)
break;
return iph;
}
size_t fr_flushhtable(op)
iplookupflush_t *op;
{
iphtable_t *iph;
size_t freed;
int i;
freed = 0;
for (i = 0; i <= IPL_LOGMAX; i++) {
if (op->iplf_unit == i || op->iplf_unit == IPL_LOGALL) {
while ((iph = ipf_htables[i]) != NULL) {
fr_delhtable(iph);
freed++;
}
}
}
return freed;
}
/*
* Add an entry to a hash table.
*/
int fr_addhtent(iph, ipeo)
iphtable_t *iph;
iphtent_t *ipeo;
{
iphtent_t *ipe;
u_int hv;
int bits;
KMALLOC(ipe, iphtent_t *);
if (ipe == NULL)
return -1;
bcopy((char *)ipeo, (char *)ipe, sizeof(*ipe));
ipe->ipe_addr.in4_addr &= ipe->ipe_mask.in4_addr;
ipe->ipe_addr.in4_addr = ntohl(ipe->ipe_addr.in4_addr);
bits = count4bits(ipe->ipe_mask.in4_addr);
ipe->ipe_mask.in4_addr = ntohl(ipe->ipe_mask.in4_addr);
hv = IPE_HASH_FN(ipe->ipe_addr.in4_addr, ipe->ipe_mask.in4_addr,
iph->iph_size);
ipe->ipe_ref = 0;
ipe->ipe_next = iph->iph_table[hv];
ipe->ipe_pnext = iph->iph_table + hv;
if (iph->iph_table[hv] != NULL)
iph->iph_table[hv]->ipe_pnext = &ipe->ipe_next;
iph->iph_table[hv] = ipe;
if ((bits >= 0) && (bits != 32))
iph->iph_masks |= 1 << bits;
switch (iph->iph_type & ~IPHASH_ANON)
{
case IPHASH_GROUPMAP :
ipe->ipe_ptr = fr_addgroup(ipe->ipe_group, NULL,
iph->iph_flags, IPL_LOGIPF,
fr_active);
break;
default :
ipe->ipe_ptr = NULL;
ipe->ipe_value = 0;
break;
}
ipf_nhtnodes[iph->iph_unit]++;
return 0;
}
/*
* Delete an entry from a hash table.
*/
int fr_delhtent(iph, ipe)
iphtable_t *iph;
iphtent_t *ipe;
{
if (ipe->ipe_ref != 0)
return EBUSY;
*ipe->ipe_pnext = ipe->ipe_next;
if (ipe->ipe_next != NULL)
ipe->ipe_next->ipe_pnext = ipe->ipe_pnext;
switch (iph->iph_type & ~IPHASH_ANON)
{
case IPHASH_GROUPMAP :
if (ipe->ipe_group != NULL)
fr_delgroup(ipe->ipe_group, IPL_LOGIPF, fr_active);
break;
default :
ipe->ipe_ptr = NULL;
ipe->ipe_value = 0;
break;
}
KFREE(ipe);
ipf_nhtnodes[iph->iph_unit]--;
return 0;
}
void *fr_iphmfindgroup(tptr, aptr)
void *tptr, *aptr;
{
struct in_addr *addr;
iphtable_t *iph;
iphtent_t *ipe;
void *rval;
READ_ENTER(&ip_poolrw);
iph = tptr;
addr = aptr;
ipe = fr_iphmfind(iph, addr);
if (ipe != NULL)
rval = ipe->ipe_ptr;
else
rval = NULL;
RWLOCK_EXIT(&ip_poolrw);
return rval;
}
/* ------------------------------------------------------------------------ */
/* Function: fr_iphmfindip */
/* Returns: int - 0 == +ve match, -1 == error, 1 == -ve/no match */
/* Parameters: tptr(I) - pointer to the pool to search */
/* version(I) - IP protocol version (4 or 6) */
/* aptr(I) - pointer to address information */
/* */
/* Search the hash table for a given address and return a search result. */
/* ------------------------------------------------------------------------ */
int fr_iphmfindip(tptr, version, aptr)
void *tptr, *aptr;
int version;
{
struct in_addr *addr;
iphtable_t *iph;
iphtent_t *ipe;
int rval;
if (version != 4)
return -1;
if (tptr == NULL || aptr == NULL)
return -1;
iph = tptr;
addr = aptr;
READ_ENTER(&ip_poolrw);
ipe = fr_iphmfind(iph, addr);
if (ipe != NULL)
rval = 0;
else
rval = 1;
RWLOCK_EXIT(&ip_poolrw);
return rval;
}
/* Locks: ip_poolrw */
static iphtent_t *fr_iphmfind(iph, addr)
iphtable_t *iph;
struct in_addr *addr;
{
u_32_t hmsk, msk, ips;
iphtent_t *ipe;
u_int hv;
hmsk = iph->iph_masks;
msk = 0xffffffff;
maskloop:
ips = ntohl(addr->s_addr) & msk;
hv = IPE_HASH_FN(ips, msk, iph->iph_size);
for (ipe = iph->iph_table[hv]; (ipe != NULL); ipe = ipe->ipe_next) {
if (ipe->ipe_mask.in4_addr != msk ||
ipe->ipe_addr.in4_addr != ips) {
continue;
}
break;
}
if ((ipe == NULL) && (hmsk != 0)) {
while (hmsk != 0) {
msk <<= 1;
if (hmsk & 0x80000000)
break;
hmsk <<= 1;
}
if (hmsk != 0) {
hmsk <<= 1;
goto maskloop;
}
}
return ipe;
}
#endif /* IPFILTER_LOOKUP */
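Review bot: `fr_newhtable` copies the whole `iphtable_t` template in from userland and then uses `iph_size` as-is: `KMALLOCS(iph->iph_table, ..., iph->iph_size * sizeof(*iph->iph_table))` has no zero, upper-bound or overflow check, so a size of 0 yields an empty table whose every insert and lookup ends in `IPE_HASH_FN`'s `% iph->iph_size` (a kernel division by zero), and a huge size either wraps the multiplication or demands an enormous allocation. The copied-in `iph_ref` is kept rather than reset, so a nonzero value supplied from userland makes the table permanently `EBUSY` in `fr_removehtable` and never freed by `fr_delhtable`. `op->iplo_unit`, which indexes the `IPL_LOGSIZE` arrays here and in `fr_gethtablestat`, is likewise not range-checked in this file — fine if the ioctl dispatcher does it, which I cannot see. The ioctl is presumably reachable only by root, so this is a robustness issue at the admin/kernel boundary rather than an escalation, but the kernel should still validate what it copies in; I would add, right after the `iph_unit` check, a nonzero/overflow bound on `iph_size` (a tighter project-chosen maximum would be better still) and reset the fields the kernel owns:
```c
	/* … unchanged: KMALLOC/COPYIN of the template and the iph_unit check … */
	/*
	 * iph_size comes from userland: reject 0 (IPE_HASH_FN does "% size")
	 * and anything that would overflow the table allocation below.
	 */
	if (iph->iph_size == 0 ||
	    iph->iph_size > (size_t)-1 / sizeof(*iph->iph_table)) {
		KFREE(iph);
		return EINVAL;
	}
	/* Kernel-owned state must not be inherited from the template. */
	iph->iph_ref = 0;
	/* … unchanged: anonymous-name selection, table allocation, list linking … */
```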


@ -0,0 +1,71 @@
/* $NetBSD$ */
#ifndef __IP_HTABLE_H__
#define __IP_HTABLE_H__
#include "netinet/ip_lookup.h"
typedef struct iphtent_s {
struct iphtent_s *ipe_next, **ipe_pnext;
void *ipe_ptr;
i6addr_t ipe_addr;
i6addr_t ipe_mask;
int ipe_ref;
union {
char ipeu_char[16];
u_long ipeu_long;
u_int ipeu_int;
}ipe_un;
} iphtent_t;
#define ipe_value ipe_un.ipeu_int
#define ipe_group ipe_un.ipeu_char
#define IPE_HASH_FN(a, m, s) (((a) * (m)) % (s))
typedef struct iphtable_s {
ipfrwlock_t iph_rwlock;
struct iphtable_s *iph_next, **iph_pnext;
struct iphtent_s **iph_table;
size_t iph_size; /* size of hash table */
u_long iph_seed; /* hashing seed */
u_32_t iph_flags;
u_int iph_unit; /* IPL_LOG* */
u_int iph_ref;
u_int iph_type; /* lookup or group map - IPHASH_* */
u_int iph_masks; /* IPv4 netmasks in use */
char iph_name[FR_GROUPLEN]; /* hash table number */
} iphtable_t;
/* iph_type */
#define IPHASH_LOOKUP 0
#define IPHASH_GROUPMAP 1
#define IPHASH_ANON 0x80000000
typedef struct iphtstat_s {
iphtable_t *iphs_tables;
u_long iphs_numtables;
u_long iphs_numnodes;
u_long iphs_nomem;
u_long iphs_pad[16];
} iphtstat_t;
extern iphtable_t *ipf_htables[IPL_LOGSIZE];
extern void fr_htable_unload __P((void));
extern int fr_newhtable __P((iplookupop_t *));
extern iphtable_t *fr_findhtable __P((int, char *));
extern int fr_removehtable __P((iplookupop_t *));
extern size_t fr_flushhtable __P((iplookupflush_t *));
extern int fr_addhtent __P((iphtable_t *, iphtent_t *));
extern int fr_delhtent __P((iphtable_t *, iphtent_t *));
extern void fr_derefhtable __P((iphtable_t *));
extern void fr_delhtable __P((iphtable_t *));
extern void *fr_iphmfindgroup __P((void *, void *));
extern int fr_iphmfindip __P((void *, int, void *));
extern int fr_gethtablestat __P((iplookupop_t *));
#endif /* __IP_HTABLE_H__ */
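Review bot: `IPE_HASH_FN` divides by its `s` argument, so every caller depends on the table size being nonzero, and nothing in the header says so; at the same time `iph_seed` is documented as a "hashing seed" but the macro never uses it, so the bucket is fully determined by `(address, mask)`. I would state both at the macro: `/* s (the table size) must be nonzero; the hash is unseeded and predictable - iph_seed is currently unused */`. Because only an administrator inserts entries, predictability is not an attack surface today, but the comment keeps the next maintainer from assuming the seed does something.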


@ -0,0 +1,435 @@
/* $NetBSD$ */
/*
* Copyright (C) 2000-2003 Darren Reed
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Id: ip_irc_pxy.c,v 2.39.2.4 2005/02/04 10:22:55 darrenr Exp
*/
#define IPF_IRC_PROXY
#define IPF_IRCBUFSZ 96 /* This *MUST* be >= 64! */
int ippr_irc_init __P((void));
void ippr_irc_fini __P((void));
int ippr_irc_new __P((fr_info_t *, ap_session_t *, nat_t *));
int ippr_irc_out __P((fr_info_t *, ap_session_t *, nat_t *));
int ippr_irc_send __P((fr_info_t *, nat_t *));
int ippr_irc_complete __P((ircinfo_t *, char *, size_t));
u_short ipf_irc_atoi __P((char **));
static frentry_t ircnatfr;
int irc_proxy_init = 0;
/*
* Initialize local structures.
*/
int ippr_irc_init()
{
bzero((char *)&ircnatfr, sizeof(ircnatfr));
ircnatfr.fr_ref = 1;
ircnatfr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
MUTEX_INIT(&ircnatfr.fr_lock, "IRC proxy rule lock");
irc_proxy_init = 1;
return 0;
}
void ippr_irc_fini()
{
if (irc_proxy_init == 1) {
MUTEX_DESTROY(&ircnatfr.fr_lock);
irc_proxy_init = 0;
}
}
char *ippr_irc_dcctypes[] = {
"CHAT ", /* CHAT chat ipnumber portnumber */
"SEND ", /* SEND filename ipnumber portnumber */
"MOVE ",
"TSEND ",
"SCHAT ",
NULL,
};
/*
* :A PRIVMSG B :^ADCC CHAT chat 0 0^A\r\n
* PRIVMSG B ^ADCC CHAT chat 0 0^A\r\n
*/
int ippr_irc_complete(ircp, buf, len)
ircinfo_t *ircp;
char *buf;
size_t len;
{
register char *s, c;
register size_t i;
u_32_t l;
int j, k;
ircp->irc_ipnum = 0;
ircp->irc_port = 0;
if (len < 31)
return 0;
s = buf;
c = *s++;
i = len - 1;
if ((c != ':') && (c != 'P'))
return 0;
if (c == ':') {
/*
* Loosely check that the source is a nickname of some sort
*/
s++;
c = *s;
ircp->irc_snick = s;
if (!ISALPHA(c))
return 0;
i--;
for (c = *s; !ISSPACE(c) && (i > 0); i--)
c = *s++;
if (i < 31)
return 0;
if (c != 'P')
return 0;
} else
ircp->irc_snick = NULL;
/*
* Check command string
*/
if (strncmp(s, "PRIVMSG ", 8))
return 0;
i -= 8;
s += 8;
c = *s;
ircp->irc_dnick = s;
/*
* Loosely check that the destination is a nickname of some sort
*/
if (!ISALPHA(c))
return 0;
for (; !ISSPACE(c) && (i > 0); i--)
c = *s++;
if (i < 20)
return 0;
s++,
i--;
/*
* Look for a ^A to start the DCC
*/
c = *s;
if (c == ':') {
s++;
c = *s;
}
if (strncmp(s, "\001DCC ", 4))
return 0;
i -= 4;
s += 4;
/*
* Check for a recognised DCC command
*/
for (j = 0, k = 0; ippr_irc_dcctypes[j]; j++) {
k = MIN(strlen(ippr_irc_dcctypes[j]), i);
if (!strncmp(ippr_irc_dcctypes[j], s, k))
break;
}
if (!ippr_irc_dcctypes[j])
return 0;
ircp->irc_type = s;
i -= k;
s += k;
if (i < 11)
return 0;
/*
* Check for the arg
*/
c = *s;
if (ISSPACE(c))
return 0;
ircp->irc_arg = s;
for (; (c != ' ') && (c != '\001') && (i > 0); i--)
c = *s++;
if (c == '\001') /* In reality a ^A can quote another ^A...*/
return 0;
if (i < 5)
return 0;
s++;
i--;
c = *s;
if (!ISDIGIT(c))
return 0;
ircp->irc_addr = s;
/*
* Get the IP#
*/
for (l = 0; ISDIGIT(c) && (i > 0); i--) {
l *= 10;
l += c - '0';
c = *s++;
}
if (i < 4)
return 0;
if (c != ' ')
return 0;
ircp->irc_ipnum = l;
s++;
i--;
c = *s;
if (!ISDIGIT(c))
return 0;
/*
* Get the port#
*/
for (l = 0; ISDIGIT(c) && (i > 0); i--) {
l *= 10;
l += c - '0';
c = *s++;
}
if (i < 3)
return 0;
if (strncmp(s, "\001\r\n", 3))
return 0;
s += 3;
ircp->irc_len = s - buf;
ircp->irc_port = l;
return 1;
}
int ippr_irc_new(fin, aps, nat)
fr_info_t *fin;
ap_session_t *aps;
nat_t *nat;
{
ircinfo_t *irc;
KMALLOC(irc, ircinfo_t *);
if (irc == NULL)
return -1;
fin = fin; /* LINT */
nat = nat; /* LINT */
aps->aps_data = irc;
aps->aps_psiz = sizeof(ircinfo_t);
bzero((char *)irc, sizeof(*irc));
return 0;
}
int ippr_irc_send(fin, nat)
fr_info_t *fin;
nat_t *nat;
{
char ctcpbuf[IPF_IRCBUFSZ], newbuf[IPF_IRCBUFSZ];
tcphdr_t *tcp, tcph, *tcp2 = &tcph;
int off, inc = 0, i, dlen;
size_t nlen = 0, olen;
struct in_addr swip;
u_short a5, sp;
ircinfo_t *irc;
fr_info_t fi;
nat_t *nat2;
u_int a1;
ip_t *ip;
mb_t *m;
#ifdef MENTAT
mb_t *m1;
#endif
m = fin->fin_m;
ip = fin->fin_ip;
tcp = (tcphdr_t *)fin->fin_dp;
bzero(ctcpbuf, sizeof(ctcpbuf));
off = (char *)tcp - (char *)ip + (TCP_OFF(tcp) << 2) + fin->fin_ipoff;
#ifdef __sgi
dlen = fin->fin_plen - off;
#else
dlen = MSGDSIZE(m) - off;
#endif
if (dlen <= 0)
return 0;
COPYDATA(m, off, MIN(sizeof(ctcpbuf), dlen), ctcpbuf);
if (dlen <= 0)
return 0;
ctcpbuf[sizeof(ctcpbuf) - 1] = '\0';
*newbuf = '\0';
irc = nat->nat_aps->aps_data;
if (ippr_irc_complete(irc, ctcpbuf, dlen) == 0)
return 0;
/*
* check that IP address in the PORT/PASV reply is the same as the
* sender of the command - prevents using PORT for port scanning.
*/
if (irc->irc_ipnum != ntohl(nat->nat_inip.s_addr))
return 0;
a5 = irc->irc_port;
/*
* Calculate new address parts for the DCC command
*/
a1 = ntohl(ip->ip_src.s_addr);
olen = irc->irc_len;
i = irc->irc_addr - ctcpbuf;
i++;
(void) strncpy(newbuf, ctcpbuf, i);
/* DO NOT change these! */
#if defined(SNPRINTF) && defined(KERNEL)
SNPRINTF(newbuf, sizeof(newbuf) - i, "%u %u\001\r\n", a1, a5);
#else
(void) sprintf(newbuf, "%u %u\001\r\n", a1, a5);
#endif
nlen = strlen(newbuf);
inc = nlen - olen;
if ((inc + ip->ip_len) > 65535)
return 0;
#ifdef MENTAT
for (m1 = m; m1->b_cont; m1 = m1->b_cont)
;
if ((inc > 0) && (m1->b_datap->db_lim - m1->b_wptr < inc)) {
mblk_t *nm;
/* alloc enough to keep same trailer space for lower driver */
nm = allocb(nlen, BPRI_MED);
PANIC((!nm),("ippr_irc_out: allocb failed"));
nm->b_band = m1->b_band;
nm->b_wptr += nlen;
m1->b_wptr -= olen;
PANIC((m1->b_wptr < m1->b_rptr),
("ippr_irc_out: cannot handle fragmented data block"));
linkb(m1, nm);
} else {
# if SOLARIS && defined(ICK_VALID)
if (m1->b_datap->db_struiolim == m1->b_wptr)
m1->b_datap->db_struiolim += inc;
m1->b_datap->db_struioflag &= ~STRUIO_IP;
# endif
m1->b_wptr += inc;
}
#else
if (inc < 0)
m_adj(m, inc);
/* the mbuf chain will be extended if necessary by m_copyback() */
#endif
COPYBACK(m, off, nlen, newbuf);
if (inc != 0) {
#if defined(MENTAT) || defined(__sgi)
register u_32_t sum1, sum2;
sum1 = ip->ip_len;
sum2 = ip->ip_len + inc;
/* Because ~1 == -2, We really need ~1 == -1 */
if (sum1 > sum2)
sum2--;
sum2 -= sum1;
sum2 = (sum2 & 0xffff) + (sum2 >> 16);
fix_outcksum(fin, &ip->ip_sum, sum2);
#endif
ip->ip_len += inc;
}
/*
* Add skeleton NAT entry for connection which will come back the
* other way.
*/
sp = htons(a5);
/*
* Don't allow the PORT command to specify a port < 1024 due to
* security crap.
*/
if (ntohs(sp) < 1024)
return 0;
/*
* The server may not make the connection back from port 20, but
* it is the most likely so use it here to check for a conflicting
* mapping.
*/
bcopy((caddr_t)fin, (caddr_t)&fi, sizeof(fi));
fi.fin_data[0] = sp;
fi.fin_data[1] = fin->fin_data[1];
nat2 = nat_outlookup(fin, IPN_TCP, nat->nat_p, nat->nat_inip,
ip->ip_dst);
if (nat2 == NULL) {
bcopy((caddr_t)fin, (caddr_t)&fi, sizeof(fi));
bzero((char *)tcp2, sizeof(*tcp2));
tcp2->th_win = htons(8192);
tcp2->th_sport = sp;
tcp2->th_dport = 0; /* XXX - don't specify remote port */
fi.fin_state = NULL;
fi.fin_nat = NULL;
fi.fin_data[0] = ntohs(sp);
fi.fin_data[1] = 0;
fi.fin_dp = (char *)tcp2;
fi.fin_fr = &ircnatfr;
fi.fin_dlen = sizeof(*tcp2);
fi.fin_plen = fi.fin_hlen + sizeof(*tcp2);
swip = ip->ip_src;
ip->ip_src = nat->nat_inip;
nat2 = nat_new(&fi, nat->nat_ptr, NULL,
NAT_SLAVE|IPN_TCP|SI_W_DPORT, NAT_OUTBOUND);
if (nat2 != NULL) {
(void) nat_proto(&fi, nat2, 0);
nat_update(&fi, nat2, nat2->nat_ptr);
(void) fr_addstate(&fi, NULL, SI_W_DPORT);
if (fi.fin_state != NULL)
fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
}
ip->ip_src = swip;
}
return inc;
}
int ippr_irc_out(fin, aps, nat)
fr_info_t *fin;
ap_session_t *aps;
nat_t *nat;
{
aps = aps; /* LINT */
return ippr_irc_send(fin, nat);
}


@ -0,0 +1,530 @@
/* $NetBSD$ */
/*
* Copyright (C) 2002-2003 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if defined(KERNEL) || defined(_KERNEL)
# undef KERNEL
# undef _KERNEL
# define KERNEL 1
# define _KERNEL 1
#endif
#if defined(__osf__)
# define _PROTO_NET_H_
#endif
#include <sys/param.h>
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/file.h>
#if __FreeBSD_version >= 220000 && defined(_KERNEL)
# include <sys/fcntl.h>
# include <sys/filio.h>
#else
# include <sys/ioctl.h>
#endif
#if !defined(_KERNEL)
# include <string.h>
# define _KERNEL
# ifdef __OpenBSD__
struct file;
# endif
# include <sys/uio.h>
# undef _KERNEL
#endif
#include <sys/socket.h>
#if (defined(__osf__) || defined(__hpux) || defined(__sgi)) && defined(_KERNEL)
# ifdef __osf__
# include <net/radix.h>
# endif
# include "radix_ipf_local.h"
# define _RADIX_H_
#endif
#include <net/if.h>
#if defined(__FreeBSD__)
# include <sys/cdefs.h>
# include <sys/proc.h>
#endif
#if defined(_KERNEL)
# include <sys/systm.h>
# if !defined(__SVR4) && !defined(__svr4__)
# include <sys/mbuf.h>
# endif
#endif
#include <netinet/in.h>
#include "netinet/ip_compat.h"
#include "netinet/ip_fil.h"
#include "netinet/ip_pool.h"
#include "netinet/ip_htable.h"
#include "netinet/ip_lookup.h"
/* END OF INCLUDES */
#if !defined(lint)
static const char rcsid[] = "@(#)Id: ip_lookup.c,v 2.35.2.5 2004/07/06 11:16:25 darrenr Exp";
#endif
#ifdef IPFILTER_LOOKUP
int ip_lookup_inited = 0;
static int iplookup_addnode __P((caddr_t));
static int iplookup_delnode __P((caddr_t data));
static int iplookup_addtable __P((caddr_t));
static int iplookup_deltable __P((caddr_t));
static int iplookup_stats __P((caddr_t));
static int iplookup_flush __P((caddr_t));
/* ------------------------------------------------------------------------ */
/* Function: iplookup_init */
/* Returns: int - 0 = success, else error */
/* Parameters: Nil */
/* */
/* Initialise all of the subcomponents of the lookup infrstructure. */
/* ------------------------------------------------------------------------ */
int ip_lookup_init()
{
if (ip_pool_init() == -1)
return -1;
RWLOCK_INIT(&ip_poolrw, "ip pool rwlock");
ip_lookup_inited = 1;
return 0;
}
/* ------------------------------------------------------------------------ */
/* Function: iplookup_unload */
/* Returns: int - 0 = success, else error */
/* Parameters: Nil */
/* */
/* Free up all pool related memory that has been allocated whilst IPFilter */
/* has been running. Also, do any other deinitialisation required such */
/* ip_lookup_init() can be called again, safely. */
/* ------------------------------------------------------------------------ */
void ip_lookup_unload()
{
ip_pool_fini();
fr_htable_unload();
if (ip_lookup_inited == 1) {
RW_DESTROY(&ip_poolrw);
ip_lookup_inited = 0;
}
}
/* ------------------------------------------------------------------------ */
/* Function: iplookup_ioctl */
/* Returns: int - 0 = success, else error */
/* Parameters: data(IO) - pointer to ioctl data to be copied to/from user */
/* space. */
/* cmd(I) - ioctl command number */
/* mode(I) - file mode bits used with open */
/* */
/* Handle ioctl commands sent to the ioctl device. For the most part, this */
/* involves just calling another function to handle the specifics of each */
/* command. */
/* ------------------------------------------------------------------------ */
int ip_lookup_ioctl(data, cmd, mode)
caddr_t data;
ioctlcmd_t cmd;
int mode;
{
int err;
# if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL)
int s;
# endif
mode = mode; /* LINT */
SPL_NET(s);
switch (cmd)
{
case SIOCLOOKUPADDNODE :
case SIOCLOOKUPADDNODEW :
WRITE_ENTER(&ip_poolrw);
err = iplookup_addnode(data);
RWLOCK_EXIT(&ip_poolrw);
break;
case SIOCLOOKUPDELNODE :
case SIOCLOOKUPDELNODEW :
WRITE_ENTER(&ip_poolrw);
err = iplookup_delnode(data);
RWLOCK_EXIT(&ip_poolrw);
break;
case SIOCLOOKUPADDTABLE :
WRITE_ENTER(&ip_poolrw);
err = iplookup_addtable(data);
RWLOCK_EXIT(&ip_poolrw);
break;
case SIOCLOOKUPDELTABLE :
WRITE_ENTER(&ip_poolrw);
err = iplookup_deltable(data);
RWLOCK_EXIT(&ip_poolrw);
break;
case SIOCLOOKUPSTAT :
case SIOCLOOKUPSTATW :
WRITE_ENTER(&ip_poolrw);
err = iplookup_stats(data);
RWLOCK_EXIT(&ip_poolrw);
break;
case SIOCLOOKUPFLUSH :
WRITE_ENTER(&ip_poolrw);
err = iplookup_flush(data);
RWLOCK_EXIT(&ip_poolrw);
break;
default :
err = EINVAL;
break;
}
SPL_X(s);
return err;
}
/* ------------------------------------------------------------------------ */
/* Function: iplookup_addnode */
/* Returns: int - 0 = success, else error */
/* Parameters: data(I) - pointer to data from ioctl call */
/* */
/* Add a new data node to a lookup structure. First, check to see if the */
/* parent structure refered to by name exists and if it does, then go on to */
/* add a node to it. */
/* ------------------------------------------------------------------------ */
static int iplookup_addnode(data)
caddr_t data;
{
ip_pool_node_t node, *m;
iplookupop_t op;
iphtable_t *iph;
iphtent_t hte;
ip_pool_t *p;
int err;
err = 0;
BCOPYIN(data, &op, sizeof(op));
op.iplo_name[sizeof(op.iplo_name) - 1] = '\0';
switch (op.iplo_type)
{
case IPLT_POOL :
if (op.iplo_size != sizeof(node))
return EINVAL;
err = COPYIN(op.iplo_struct, &node, sizeof(node));
if (err != 0)
return EFAULT;
p = ip_pool_find(op.iplo_unit, op.iplo_name);
if (p == NULL)
return ESRCH;
/*
* add an entry to a pool - return an error if it already
* exists remove an entry from a pool - if it exists
* - in both cases, the pool *must* exist!
*/
m = ip_pool_findeq(p, &node.ipn_addr, &node.ipn_mask);
if (m)
return EEXIST;
err = ip_pool_insert(p, &node.ipn_addr.adf_addr,
&node.ipn_mask.adf_addr, node.ipn_info);
break;
case IPLT_HASH :
if (op.iplo_size != sizeof(hte))
return EINVAL;
err = COPYIN(op.iplo_struct, &hte, sizeof(hte));
if (err != 0)
return EFAULT;
iph = fr_findhtable(op.iplo_unit, op.iplo_name);
if (iph == NULL)
return ESRCH;
err = fr_addhtent(iph, &hte);
break;
default :
err = EINVAL;
break;
}
return err;
}
/* ------------------------------------------------------------------------ */
/* Function: iplookup_delnode */
/* Returns: int - 0 = success, else error */
/* Parameters: data(I) - pointer to data from ioctl call */
/* */
/* Delete a node from a lookup table by first looking for the table it is */
/* in and then deleting the entry that gets found. */
/* ------------------------------------------------------------------------ */
static int iplookup_delnode(data)
caddr_t data;
{
ip_pool_node_t node, *m;
iplookupop_t op;
iphtable_t *iph;
iphtent_t hte;
ip_pool_t *p;
int err;
err = 0;
BCOPYIN(data, &op, sizeof(op));
op.iplo_name[sizeof(op.iplo_name) - 1] = '\0';
switch (op.iplo_type)
{
case IPLT_POOL :
if (op.iplo_size != sizeof(node))
return EINVAL;
err = COPYIN(op.iplo_struct, &node, sizeof(node));
if (err != 0)
return EFAULT;
p = ip_pool_find(op.iplo_unit, op.iplo_name);
if (!p)
return ESRCH;
m = ip_pool_findeq(p, &node.ipn_addr, &node.ipn_mask);
if (m == NULL)
return ENOENT;
err = ip_pool_remove(p, m);
break;
case IPLT_HASH :
if (op.iplo_size != sizeof(hte))
return EINVAL;
err = COPYIN(op.iplo_struct, &hte, sizeof(hte));
if (err != 0)
return EFAULT;
iph = fr_findhtable(op.iplo_unit, op.iplo_name);
if (iph == NULL)
return ESRCH;
err = fr_delhtent(iph, &hte);
break;
default :
err = EINVAL;
break;
}
return err;
}
/* ------------------------------------------------------------------------ */
/* Function: iplookup_addtable */
/* Returns: int - 0 = success, else error */
/* Parameters: data(I) - pointer to data from ioctl call */
/* */
/* Create a new lookup table, if one doesn't already exist using the name */
/* for this one. */
/* ------------------------------------------------------------------------ */
static int iplookup_addtable(data)
caddr_t data;
{
iplookupop_t op;
int err;
err = 0;
BCOPYIN(data, &op, sizeof(op));
op.iplo_name[sizeof(op.iplo_name) - 1] = '\0';
switch (op.iplo_type)
{
case IPLT_POOL :
if (ip_pool_find(op.iplo_unit, op.iplo_name) != NULL)
err = EEXIST;
else
err = ip_pool_create(&op);
break;
case IPLT_HASH :
if (fr_findhtable(op.iplo_unit, op.iplo_name) != NULL)
err = EEXIST;
else
err = fr_newhtable(&op);
break;
default :
err = EINVAL;
break;
}
return err;
}
/* ------------------------------------------------------------------------ */
/* Function: iplookup_deltable */
/* Returns: int - 0 = success, else error */
/* Parameters: data(I) - pointer to data from ioctl call */
/* */
/* Decodes ioctl request to remove a particular hash table or pool and */
/* calls the relevant function to do the cleanup. */
/* ------------------------------------------------------------------------ */
static int iplookup_deltable(data)
caddr_t data;
{
iplookupop_t op;
int err;
BCOPYIN(data, &op, sizeof(op));
op.iplo_name[sizeof(op.iplo_name) - 1] = '\0';
if (op.iplo_arg & IPLT_ANON)
op.iplo_arg &= IPLT_ANON;
/*
* create a new pool - fail if one already exists with
* the same #
*/
switch (op.iplo_type)
{
case IPLT_POOL :
err = ip_pool_destroy(&op);
break;
case IPLT_HASH :
err = fr_removehtable(&op);
break;
default :
err = EINVAL;
break;
}
return err;
}
/* ------------------------------------------------------------------------ */
/* Function: iplookup_stats */
/* Returns: int - 0 = success, else error */
/* Parameters: data(I) - pointer to data from ioctl call */
/* */
/* Copy statistical information from inside the kernel back to user space. */
/* ------------------------------------------------------------------------ */
static int iplookup_stats(data)
caddr_t data;
{
iplookupop_t op;
int err;
err = 0;
BCOPYIN(data, &op, sizeof(op));
switch (op.iplo_type)
{
case IPLT_POOL :
err = ip_pool_statistics(&op);
break;
case IPLT_HASH :
err = fr_gethtablestat(&op);
break;
default :
err = EINVAL;
break;
}
return err;
}
/* ------------------------------------------------------------------------ */
/* Function: iplookup_flush */
/* Returns: int - 0 = success, else error */
/* Parameters: data(I) - pointer to data from ioctl call */
/* */
/* A flush is called when we want to flush all the nodes from a particular */
/* entry in the hash table/pool or want to remove all groups from those. */
/* ------------------------------------------------------------------------ */
static int iplookup_flush(data)
caddr_t data;
{
int err, unit, num, type;
iplookupflush_t flush;
err = 0;
BCOPYIN(data, &flush, sizeof(flush));
flush.iplf_name[sizeof(flush.iplf_name) - 1] = '\0';
unit = flush.iplf_unit;
if ((unit < 0 || unit > IPL_LOGMAX) && (unit != IPLT_ALL))
return EINVAL;
type = flush.iplf_type;
err = EINVAL;
num = 0;
if (type == IPLT_POOL || type == IPLT_ALL) {
err = 0;
num = ip_pool_flush(&flush);
}
if (type == IPLT_HASH || type == IPLT_ALL) {
err = 0;
num += fr_flushhtable(&flush);
}
if (err == 0) {
flush.iplf_count = num;
err = COPYOUT(&flush, data, sizeof(flush));
}
return err;
}
void ip_lookup_deref(type, ptr)
int type;
void *ptr;
{
if (ptr == NULL)
return;
WRITE_ENTER(&ip_poolrw);
switch (type)
{
case IPLT_POOL :
ip_pool_deref(ptr);
break;
case IPLT_HASH :
fr_derefhtable(ptr);
break;
}
RWLOCK_EXIT(&ip_poolrw);
}
#else /* IPFILTER_LOOKUP */
/*ARGSUSED*/
int ip_lookup_ioctl(data, cmd, mode)
caddr_t data;
ioctlcmd_t cmd;
int mode;
{
return EIO;
}
#endif /* IPFILTER_LOOKUP */
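Review bot: `op.iplo_unit` is handed unchecked from the copied-in ioctl struct to `ip_pool_find()` in iplookup_addnode, iplookup_delnode and iplookup_addtable, and ip_pool_find (in the ip_pool.c section of this same commit) indexes `ip_pool_list[unit]` with that value directly; iplookup_flush and ip_pool_statistics do range-check the unit, so these three paths should too. Adding `if (op.iplo_unit < 0 || op.iplo_unit > IPL_LOGMAX) return EINVAL;` right after the name is NUL-terminated in each handler closes the out-of-range index (ip_pool_destroy and fr_findhtable are not visible here, so whether iplookup_deltable and the hash paths need the same guard is inferred rather than seen). Separately, iplookup_stats is the only handler that does not terminate `op.iplo_name` before use; `op.iplo_name[sizeof(op.iplo_name) - 1] = '\0';` after the BCOPYIN would keep it consistent with its siblings. The comment in iplookup_deltable reading "create a new pool - fail if one already exists with the same #" describes iplookup_addtable, not the delete path, and should be removed or rewritten to describe what the `iplo_arg` masking is for.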


@ -0,0 +1,65 @@
/* $NetBSD$ */
#ifndef __IP_LOOKUP_H__
#define __IP_LOOKUP_H__
#if defined(__STDC__) || defined(__GNUC__)
# define SIOCLOOKUPADDTABLE _IOWR('r', 60, struct iplookupop)
# define SIOCLOOKUPDELTABLE _IOWR('r', 61, struct iplookupop)
# define SIOCLOOKUPSTAT _IOWR('r', 64, struct iplookupop)
# define SIOCLOOKUPSTATW _IOW('r', 64, struct iplookupop)
# define SIOCLOOKUPFLUSH _IOWR('r', 65, struct iplookupflush)
# define SIOCLOOKUPADDNODE _IOWR('r', 67, struct iplookupop)
# define SIOCLOOKUPADDNODEW _IOW('r', 67, struct iplookupop)
# define SIOCLOOKUPDELNODE _IOWR('r', 68, struct iplookupop)
# define SIOCLOOKUPDELNODEW _IOW('r', 68, struct iplookupop)
#else
# define SIOCLOOKUPADDTABLE _IOWR(r, 60, struct iplookupop)
# define SIOCLOOKUPDELTABLE _IOWR(r, 61, struct iplookupop)
# define SIOCLOOKUPSTAT _IOWR(r, 64, struct iplookupop)
# define SIOCLOOKUPSTATW _IOW(r, 64, struct iplookupop)
# define SIOCLOOKUPFLUSH _IOWR(r, 65, struct iplookupflush)
# define SIOCLOOKUPADDNODE _IOWR(r, 67, struct iplookupop)
# define SIOCLOOKUPADDNODEW _IOW(r, 67, struct iplookupop)
# define SIOCLOOKUPDELNODE _IOWR(r, 68, struct iplookupop)
# define SIOCLOOKUPDELNODEW _IOW(r, 68, struct iplookupop)
#endif
typedef struct iplookupop {
int iplo_type; /* IPLT_* */
int iplo_unit; /* IPL_LOG* */
u_int iplo_arg;
char iplo_name[FR_GROUPLEN];
size_t iplo_size; /* sizeof struct at iplo_struct */
void *iplo_struct;
} iplookupop_t;
typedef struct iplookupflush {
int iplf_type; /* IPLT_* */
int iplf_unit; /* IPL_LOG* */
u_int iplf_arg;
size_t iplf_count;
char iplf_name[FR_GROUPLEN];
} iplookupflush_t;
typedef struct iplookuplink {
int ipll_type; /* IPLT_* */
int ipll_unit; /* IPL_LOG* */
u_int ipll_num;
char ipll_group[FR_GROUPLEN];
} iplookuplink_t;
#define IPLT_ALL -1
#define IPLT_NONE 0
#define IPLT_POOL 1
#define IPLT_HASH 2
#define IPLT_ANON 0x80000000
extern int ip_lookup_init __P((void));
extern int ip_lookup_ioctl __P((caddr_t, ioctlcmd_t, int));
extern void ip_lookup_unload __P((void));
extern void ip_lookup_deref __P((int, void *));
#endif /* __IP_LOOKUP_H__ */


@ -0,0 +1,328 @@
/* $NetBSD$ */
/*
* Copyright (C) 2000-2003 by Darren Reed
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Simple DCE transparent proxy for MSN RPC.
*
* ******* NOTE: THIS PROXY DOES NOT DO ADDRESS TRANSLATION ********
*
* Id: ip_msnrpc_pxy.c,v 2.17.2.1 2005/02/04 10:22:55 darrenr Exp
*/
#define IPF_MSNRPC_PROXY
#define IPF_MINMSNRPCLEN 24
#define IPF_MSNRPCSKIP (2 + 19 + 2 + 2 + 2 + 19 + 2 + 2)
typedef struct msnrpchdr {
u_char mrh_major; /* major # == 5 */
u_char mrh_minor; /* minor # == 0 */
u_char mrh_type;
u_char mrh_flags;
u_32_t mrh_endian;
u_short mrh_dlen; /* data size */
u_short mrh_alen; /* authentication length */
u_32_t mrh_cid; /* call identifier */
u_32_t mrh_hint; /* allocation hint */
u_short mrh_ctxt; /* presentation context hint */
u_char mrh_ccnt; /* cancel count */
u_char mrh_ans;
} msnrpchdr_t;
int ippr_msnrpc_init __P((void));
void ippr_msnrpc_fini __P((void));
int ippr_msnrpc_new __P((fr_info_t *, ap_session_t *, nat_t *));
int ippr_msnrpc_out __P((fr_info_t *, ap_session_t *, nat_t *));
int ippr_msnrpc_in __P((fr_info_t *, ap_session_t *, nat_t *));
int ippr_msnrpc_check __P((ip_t *, msnrpchdr_t *));
static frentry_t msnfr;
int msn_proxy_init = 0;
/*
* Initialize local structures.
*/
int ippr_msnrpc_init()
{
bzero((char *)&msnfr, sizeof(msnfr));
msnfr.fr_ref = 1;
msnfr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
MUTEX_INIT(&msnfr.fr_lock, "MSN RPC proxy rule lock");
msn_proxy_init = 1;
return 0;
}
void ippr_msnrpc_fini()
{
if (msn_proxy_init == 1) {
MUTEX_DESTROY(&msnfr.fr_lock);
msn_proxy_init = 0;
}
}
int ippr_msnrpc_new(fin, aps, nat)
fr_info_t *fin;
ap_session_t *aps;
nat_t *nat;
{
msnrpcinfo_t *mri;
KMALLOC(mri, msnrpcinfo_t *);
if (mri == NULL)
return -1;
aps->aps_data = mri;
aps->aps_psiz = sizeof(msnrpcinfo_t);
bzero((char *)mri, sizeof(*mri));
mri->mri_cmd[0] = 0xff;
mri->mri_cmd[1] = 0xff;
return 0;
}
int ippr_msnrpc_check(ip, mrh)
ip_t *ip;
msnrpchdr_t *mrh;
{
if (mrh->mrh_major != 5)
return -1;
if (mrh->mrh_minor != 0)
return -1;
if (mrh->mrh_alen != 0)
return -1;
if (mrh->mrh_endian == 0x10) {
/* Both gateway and packet match endian */
if (mrh->mrh_dlen > ip->ip_len)
return -1;
if (mrh->mrh_type == 0 || mrh->mrh_type == 2)
if (mrh->mrh_hint > ip->ip_len)
return -1;
} else if (mrh->mrh_endian == 0x10000000) {
/* XXX - Endian mismatch - should be swapping! */
return -1;
} else {
return -1;
}
return 0;
}
int ippr_msnrpc_out(fin, ip, aps, nat)
fr_info_t *fin;
ip_t *ip;
ap_session_t *aps;
nat_t *nat;
{
msnrpcinfo_t *mri;
msnrpchdr_t *mrh;
tcphdr_t *tcp;
int dlen;
mri = aps->aps_data;
if (mri == NULL)
return 0;
tcp = (tcphdr_t *)fin->fin_dp;
dlen = fin->fin_dlen - (TCP_OFF(tcp) << 2);
if (dlen < IPF_MINMSNRPCLEN)
return 0;
mrh = (msnrpchdr_t *)((char *)tcp + (TCP_OFF(tcp) << 2));
if (ippr_msnrpc_check(ip, mrh))
return 0;
mri->mri_valid++;
switch (mrh->mrh_type)
{
case 0x0b : /* BIND */
case 0x00 : /* REQUEST */
break;
case 0x0c : /* BIND ACK */
case 0x02 : /* RESPONSE */
default:
return 0;
}
mri->mri_cmd[1] = mrh->mrh_type;
return 0;
}
int ippr_msnrpc_in(fin, ip, aps, nat)
fr_info_t *fin;
ip_t *ip;
ap_session_t *aps;
nat_t *nat;
{
tcphdr_t *tcp, tcph, *tcp2 = &tcph;
int dlen, sz, sz2, i;
msnrpcinfo_t *mri;
msnrpchdr_t *mrh;
fr_info_t fi;
u_short len;
char *s;
mri = aps->aps_data;
if (mri == NULL)
return 0;
tcp = (tcphdr_t *)fin->fin_dp;
dlen = fin->fin_dlen - (TCP_OFF(tcp) << 2);
if (dlen < IPF_MINMSNRPCLEN)
return 0;
mrh = (msnrpchdr_t *)((char *)tcp + (TCP_OFF(tcp) << 2));
if (ippr_msnrpc_check(ip, mrh))
return 0;
mri->mri_valid++;
switch (mrh->mrh_type)
{
case 0x0c : /* BIND ACK */
if (mri->mri_cmd[1] != 0x0b)
return 0;
break;
case 0x02 : /* RESPONSE */
if (mri->mri_cmd[1] != 0x00)
return 0;
break;
case 0x0b : /* BIND */
case 0x00 : /* REQUEST */
default:
return 0;
}
mri->mri_cmd[0] = mrh->mrh_type;
dlen -= sizeof(*mrh);
/*
* Only processes RESPONSE's
*/
if (mrh->mrh_type != 0x02)
return 0;
/*
* Skip over some bytes...what are these really ?
*/
if (dlen <= 44)
return 0;
s = (char *)(mrh + 1) + 20;
dlen -= 20;
bcopy(s, (char *)&len, sizeof(len));
if (len == 1) {
s += 20;
dlen -= 20;
} else if (len == 2) {
s += 24;
dlen -= 24;
} else
return 0;
if (dlen <= 10)
return 0;
dlen -= 10;
bcopy(s, (char *)&sz, sizeof(sz));
s += sizeof(sz);
bcopy(s, (char *)&sz2, sizeof(sz2));
s += sizeof(sz2);
if (sz2 != sz)
return 0;
if (sz > dlen)
return 0;
if (*s++ != 5)
return 0;
if (*s++ != 0)
return 0;
sz -= IPF_MSNRPCSKIP;
s += IPF_MSNRPCSKIP;
dlen -= IPF_MSNRPCSKIP;
do {
if (sz < 7 || dlen < 7)
break;
bcopy(s, (char *)&len, sizeof(len));
if (dlen < len)
break;
if (sz < len)
break;
if (len != 1)
break;
sz -= 3;
i = *(s + 2);
s += 3;
dlen -= 3;
bcopy(s, (char *)&len, sizeof(len));
if (dlen < len)
break;
if (sz < len)
break;
s += sizeof(len);
switch (i)
{
case 7 :
if (len == 2) {
bcopy(s, (char *)&mri->mri_rport, 2);
mri->mri_flags |= 1;
}
break;
case 9 :
if (len == 4) {
bcopy(s, (char *)&mri->mri_raddr, 4);
mri->mri_flags |= 2;
}
break;
default :
break;
}
sz -= len;
s += len;
dlen -= len;
} while (sz > 0);
if (mri->mri_flags == 3) {
int slen;
bcopy((char *)fin, (char *)&fi, sizeof(fi));
bzero((char *)tcp2, sizeof(*tcp2));
slen = ip->ip_len;
ip->ip_len = fin->fin_hlen + sizeof(*tcp2);
bcopy((char *)fin, (char *)&fi, sizeof(fi));
bzero((char *)tcp2, sizeof(*tcp2));
tcp2->th_win = htons(8192);
TCP_OFF_A(tcp2, 5);
fi.fin_data[0] = htons(mri->mri_rport);
tcp2->th_sport = mri->mri_rport;
fi.fin_data[1] = 0;
tcp2->th_dport = 0;
fi.fin_state = NULL;
fi.fin_nat = NULL;
fi.fin_dlen = sizeof(*tcp2);
fi.fin_plen = fi.fin_hlen + sizeof(*tcp2);
fi.fin_dp = (char *)tcp2;
fi.fin_fi.fi_daddr = ip->ip_dst.s_addr;
fi.fin_fi.fi_saddr = mri->mri_raddr.s_addr;
if (!fi.fin_fr)
fi.fin_fr = &msnfr;
if (fr_stlookup(&fi, NULL, NULL)) {
RWLOCK_EXIT(&ipf_state);
} else {
(void) fr_addstate(&fi, NULL, SI_W_DPORT|SI_CLONE);
if (fi.fin_state != NULL)
fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
}
ip->ip_len = slen;
}
mri->mri_flags = 0;
return 0;
}
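Review bot: The length accounting in the attribute loop of ippr_msnrpc_in drifts by two bytes per iteration: after `bcopy(s, (char *)&len, sizeof(len))` the code does `s += sizeof(len)` without reducing `dlen` or `sz`, so the `dlen < len` and `sz < len` checks immediately before it are made against counts that still include the two-byte length field, and the following `bcopy(s, ...)` of `len` bytes can read past the accounted data, with the error accumulating on every pass. Subtracting first — `dlen -= sizeof(len); sz -= sizeof(len); s += sizeof(len);` — and only then performing the two comparisons keeps each read inside the region the earlier `sz > dlen` test established. The `bcopy((char *)fin, (char *)&fi, sizeof(fi))` / `bzero((char *)tcp2, sizeof(*tcp2))` pair in the `mri_flags == 3` block is executed twice in a row and the first pair is dead. Whether `mri_rport`, copied raw from the packet, is in the byte order that `fi.fin_data[0] = htons(mri->mri_rport)` assumes cannot be determined from this hunk (the IRC proxy earlier in this commit stores a host-order value in fin_data[0]), so that is worth confirming.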

786
contrib/ipfilter/ip_pool.c Normal file

@ -0,0 +1,786 @@
/* $NetBSD$ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if defined(KERNEL) || defined(_KERNEL)
# undef KERNEL
# undef _KERNEL
# define KERNEL 1
# define _KERNEL 1
#endif
#if defined(__osf__)
# define _PROTO_NET_H_
#endif
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/file.h>
#if !defined(_KERNEL) && !defined(__KERNEL__)
# include <stdio.h>
# include <stdlib.h>
# include <string.h>
# define _KERNEL
# ifdef __OpenBSD__
struct file;
# endif
# include <sys/uio.h>
# undef _KERNEL
#else
# include <sys/systm.h>
# if defined(NetBSD) && (__NetBSD_Version__ >= 104000000)
# include <sys/proc.h>
# endif
#endif
#include <sys/time.h>
#if !defined(linux)
# include <sys/protosw.h>
#endif
#include <sys/socket.h>
#if defined(_KERNEL) && (!defined(__SVR4) && !defined(__svr4__))
# include <sys/mbuf.h>
#endif
#if defined(__SVR4) || defined(__svr4__)
# include <sys/filio.h>
# include <sys/byteorder.h>
# ifdef _KERNEL
# include <sys/dditypes.h>
# endif
# include <sys/stream.h>
# include <sys/kmem.h>
#endif
#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
# include <sys/malloc.h>
#endif
#if (defined(__osf__) || defined(__hpux) || defined(__sgi)) && defined(_KERNEL)
# ifdef __osf__
# include <net/radix.h>
# endif
# include "radix_ipf_local.h"
# define _RADIX_H_
#endif
#include <net/if.h>
#include <netinet/in.h>
#include "netinet/ip_compat.h"
#include "netinet/ip_fil.h"
#include "netinet/ip_pool.h"
#if defined(IPFILTER_LOOKUP) && defined(_KERNEL) && \
((BSD >= 198911) && !defined(__osf__) && \
!defined(__hpux) && !defined(__sgi))
static int rn_freenode __P((struct radix_node *, void *));
#endif
/* END OF INCLUDES */
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_pool.c,v 2.55.2.12 2005/02/01 04:04:46 darrenr Exp";
#endif
#ifdef IPFILTER_LOOKUP
# ifndef RADIX_NODE_HEAD_LOCK
# define RADIX_NODE_HEAD_LOCK(x) ;
# endif
# ifndef RADIX_NODE_HEAD_UNLOCK
# define RADIX_NODE_HEAD_UNLOCK(x) ;
# endif
ip_pool_stat_t ipoolstat;
ipfrwlock_t ip_poolrw;
/*
* Binary tree routines from Sedgewick and enhanced to do ranges of addresses.
* NOTE: Insertion *MUST* be from greatest range to least for it to work!
* These should be replaced, eventually, by something else - most notably a
* interval searching method. The important feature is to be able to find
* the best match.
*
* So why not use a radix tree for this? As the first line implies, it
* has been written to work with a _range_ of addresses. A range is not
* necessarily a match with any given netmask so what we end up dealing
* with is an interval tree. Implementations of these are hard to find
* and the one herein is far from bug free.
*
* Sigh, in the end I became convinced that the bugs the code contained did
* not make it worthwhile not using radix trees. For now the radix tree from
* 4.4 BSD is used, but this is not viewed as a long term solution.
*/
ip_pool_t *ip_pool_list[IPL_LOGSIZE] = { NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL };
#ifdef TEST_POOL
void treeprint __P((ip_pool_t *));
int
main(argc, argv)
int argc;
char *argv[];
{
addrfamily_t a, b;
iplookupop_t op;
ip_pool_t *ipo;
i6addr_t ip;
RWLOCK_INIT(&ip_poolrw, "poolrw");
ip_pool_init();
bzero((char *)&a, sizeof(a));
bzero((char *)&b, sizeof(b));
bzero((char *)&ip, sizeof(ip));
bzero((char *)&op, sizeof(op));
strcpy(op.iplo_name, "0");
if (ip_pool_create(&op) == 0)
ipo = ip_pool_find(0, "0");
a.adf_addr.in4.s_addr = 0x0a010203;
b.adf_addr.in4.s_addr = 0xffffffff;
ip_pool_insert(ipo, &a.adf_addr, &b.adf_addr, 1);
ip_pool_insert(ipo, &a.adf_addr, &b.adf_addr, 1);
a.adf_addr.in4.s_addr = 0x0a000000;
b.adf_addr.in4.s_addr = 0xff000000;
ip_pool_insert(ipo, &a.adf_addr, &b.adf_addr, 0);
ip_pool_insert(ipo, &a.adf_addr, &b.adf_addr, 0);
a.adf_addr.in4.s_addr = 0x0a010100;
b.adf_addr.in4.s_addr = 0xffffff00;
ip_pool_insert(ipo, &a.adf_addr, &b.adf_addr, 1);
ip_pool_insert(ipo, &a.adf_addr, &b.adf_addr, 1);
a.adf_addr.in4.s_addr = 0x0a010200;
b.adf_addr.in4.s_addr = 0xffffff00;
ip_pool_insert(ipo, &a.adf_addr, &b.adf_addr, 0);
ip_pool_insert(ipo, &a.adf_addr, &b.adf_addr, 0);
a.adf_addr.in4.s_addr = 0x0a010000;
b.adf_addr.in4.s_addr = 0xffff0000;
ip_pool_insert(ipo, &a.adf_addr, &b.adf_addr, 1);
ip_pool_insert(ipo, &a.adf_addr, &b.adf_addr, 1);
a.adf_addr.in4.s_addr = 0x0a01020f;
b.adf_addr.in4.s_addr = 0xffffffff;
ip_pool_insert(ipo, &a.adf_addr, &b.adf_addr, 1);
ip_pool_insert(ipo, &a.adf_addr, &b.adf_addr, 1);
#ifdef DEBUG_POOL
treeprint(ipo);
#endif
ip.in4.s_addr = 0x0a00aabb;
printf("search(%#x) = %d (0)\n", ip.in4.s_addr,
ip_pool_search(ipo, 4, &ip));
ip.in4.s_addr = 0x0a000001;
printf("search(%#x) = %d (0)\n", ip.in4.s_addr,
ip_pool_search(ipo, 4, &ip));
ip.in4.s_addr = 0x0a000101;
printf("search(%#x) = %d (0)\n", ip.in4.s_addr,
ip_pool_search(ipo, 4, &ip));
ip.in4.s_addr = 0x0a010001;
printf("search(%#x) = %d (1)\n", ip.in4.s_addr,
ip_pool_search(ipo, 4, &ip));
ip.in4.s_addr = 0x0a010101;
printf("search(%#x) = %d (1)\n", ip.in4.s_addr,
ip_pool_search(ipo, 4, &ip));
ip.in4.s_addr = 0x0a010201;
printf("search(%#x) = %d (0)\n", ip.in4.s_addr,
ip_pool_search(ipo, 4, &ip));
ip.in4.s_addr = 0x0a010203;
printf("search(%#x) = %d (1)\n", ip.in4.s_addr,
ip_pool_search(ipo, 4, &ip));
ip.in4.s_addr = 0x0a01020f;
printf("search(%#x) = %d (1)\n", ip.in4.s_addr,
ip_pool_search(ipo, 4, &ip));
ip.in4.s_addr = 0x0b00aabb;
printf("search(%#x) = %d (-1)\n", ip.in4.s_addr,
ip_pool_search(ipo, 4, &ip));
#ifdef DEBUG_POOL
treeprint(ipo);
#endif
ip_pool_fini();
return 0;
}
void
treeprint(ipo)
ip_pool_t *ipo;
{
ip_pool_node_t *c;
for (c = ipo->ipo_list; c != NULL; c = c->ipn_next)
printf("Node %p(%s) (%#x/%#x) = %d hits %lu\n",
c, c->ipn_name, c->ipn_addr.adf_addr.in4.s_addr,
c->ipn_mask.adf_addr.in4.s_addr,
c->ipn_info, c->ipn_hits);
}
#endif /* TEST_POOL */
/* ------------------------------------------------------------------------ */
/* Function: ip_pool_init */
/* Returns: int - 0 = success, else error */
/* */
/* Initialise the routing table data structures where required. */
/* ------------------------------------------------------------------------ */
int ip_pool_init()
{
bzero((char *)&ipoolstat, sizeof(ipoolstat));
#if (!defined(_KERNEL) || (BSD < 199306))
rn_init();
#endif
return 0;
}
/* ------------------------------------------------------------------------ */
/* Function: ip_pool_fini */
/* Returns: int - 0 = success, else error */
/* Locks: WRITE(ipf_global) */
/* */
/* Clean up all the pool data structures allocated and call the cleanup */
/* function for the radix tree that supports the pools. ip_pool_destroy() is*/
/* used to delete the pools one by one to ensure they're properly freed up. */
/* ------------------------------------------------------------------------ */
void ip_pool_fini()
{
ip_pool_t *p, *q;
iplookupop_t op;
int i;
ASSERT(rw_read_locked(&ipf_global.ipf_lk) == 0);
for (i = 0; i <= IPL_LOGMAX; i++) {
for (q = ip_pool_list[i]; (p = q) != NULL; ) {
op.iplo_unit = i;
(void)strncpy(op.iplo_name, p->ipo_name,
sizeof(op.iplo_name));
q = p->ipo_next;
(void) ip_pool_destroy(&op);
}
}
#if (!defined(_KERNEL) || (BSD < 199306))
rn_fini();
#endif
}
/* ------------------------------------------------------------------------ */
/* Function: ip_pool_statistics */
/* Returns: int - 0 = success, else error */
/* Parameters: op(I) - pointer to lookup operation arguments */
/* */
/* Copy the current statistics out into user space, collecting pool list */
/* pointers as appropriate for later use. */
/* ------------------------------------------------------------------------ */
int ip_pool_statistics(op)
iplookupop_t *op;
{
ip_pool_stat_t stats;
int unit, i, err = 0;
if (op->iplo_size != sizeof(ipoolstat))
return EINVAL;
bcopy((char *)&ipoolstat, (char *)&stats, sizeof(stats));
unit = op->iplo_unit;
if (unit == IPL_LOGALL) {
for (i = 0; i < IPL_LOGSIZE; i++)
stats.ipls_list[i] = ip_pool_list[i];
} else if (unit >= 0 && unit < IPL_LOGSIZE) {
if (op->iplo_name[0] != '\0')
stats.ipls_list[unit] = ip_pool_find(unit,
op->iplo_name);
else
stats.ipls_list[unit] = ip_pool_list[unit];
} else
err = EINVAL;
if (err == 0)
err = COPYOUT(&stats, op->iplo_struct, sizeof(stats));
return err;
}
/* ------------------------------------------------------------------------ */
/* Function: ip_pool_find */
/* Returns: int - 0 = success, else error */
/* Parameters: ipo(I) - pointer to the pool getting the new node. */
/* */
/* Find a matching pool inside the collection of pools for a particular */
/* device, indicated by the unit number. */
/* ------------------------------------------------------------------------ */
void *ip_pool_find(unit, name)
int unit;
char *name;
{
ip_pool_t *p;
for (p = ip_pool_list[unit]; p != NULL; p = p->ipo_next)
if (strncmp(p->ipo_name, name, sizeof(p->ipo_name)) == 0)
break;
return p;
}
/* ------------------------------------------------------------------------ */
/* Function: ip_pool_findeq */
/* Returns: int - 0 = success, else error */
/* Parameters: ipo(I) - pointer to the pool getting the new node. */
/* addr(I) - pointer to address information to delete */
/* mask(I) - */
/* */
/* Searches for an exact match of an entry in the pool. */
/* ------------------------------------------------------------------------ */
ip_pool_node_t *ip_pool_findeq(ipo, addr, mask)
ip_pool_t *ipo;
addrfamily_t *addr, *mask;
{
struct radix_node *n;
#ifdef USE_SPL
int s;
SPL_NET(s);
#endif
RADIX_NODE_HEAD_LOCK(ipo->ipo_head);
n = ipo->ipo_head->rnh_lookup(addr, mask, ipo->ipo_head);
RADIX_NODE_HEAD_UNLOCK(ipo->ipo_head);
SPL_X(s);
return (ip_pool_node_t *)n;
}
/* ------------------------------------------------------------------------ */
/* Function: ip_pool_search */
/* Returns: int - 0 == +ve match, -1 == error, 1 == -ve/no match */
/* Parameters: tptr(I) - pointer to the pool to search */
/* version(I) - IP protocol version (4 or 6) */
/* dptr(I) - pointer to address information */
/* */
/* Search the pool for a given address and return a search result. */
/* ------------------------------------------------------------------------ */
int ip_pool_search(tptr, version, dptr)
void *tptr;
int version;
void *dptr;
{
struct radix_node *rn;
ip_pool_node_t *m;
i6addr_t *addr;
addrfamily_t v;
ip_pool_t *ipo;
int rv;
ipo = tptr;
if (ipo == NULL)
return -1;
rv = 1;
m = NULL;
addr = (i6addr_t *)dptr;
bzero(&v, sizeof(v));
v.adf_len = offsetof(addrfamily_t, adf_addr);
if (version == 4) {
v.adf_len += sizeof(addr->in4);
v.adf_addr.in4 = addr->in4;
#ifdef USE_INET6
} else if (version == 6) {
v.adf_len += sizeof(addr->in6);
v.adf_addr.in6 = addr->in6;
#endif
} else
return -1;
READ_ENTER(&ip_poolrw);
RADIX_NODE_HEAD_LOCK(ipo->ipo_head);
rn = ipo->ipo_head->rnh_matchaddr(&v, ipo->ipo_head);
RADIX_NODE_HEAD_UNLOCK(ipo->ipo_head);
if ((rn != NULL) && ((rn->rn_flags & RNF_ROOT) == 0)) {
m = (ip_pool_node_t *)rn;
ipo->ipo_hits++;
m->ipn_hits++;
rv = m->ipn_info;
}
RWLOCK_EXIT(&ip_poolrw);
return rv;
}
/* ------------------------------------------------------------------------ */
/* Function: ip_pool_insert */
/* Returns: int - 0 = success, else error */
/* Parameters: ipo(I) - pointer to the pool getting the new node. */
/* addr(I) - address being added as a node */
/* mask(I) - netmask to with the node being added */
/* info(I) - extra information to store in this node. */
/* Locks: WRITE(ip_poolrw) */
/* */
/* Add another node to the pool given by ipo. The three parameters passed */
/* in (addr, mask, info) shold all be stored in the node. */
/* ------------------------------------------------------------------------ */
int ip_pool_insert(ipo, addr, mask, info)
ip_pool_t *ipo;
i6addr_t *addr, *mask;
int info;
{
struct radix_node *rn;
ip_pool_node_t *x;
ASSERT(rw_read_locked(&ip_poolrw.ipf_lk) == 0);
KMALLOC(x, ip_pool_node_t *);
if (x == NULL) {
return ENOMEM;
}
bzero(x, sizeof(*x));
x->ipn_info = info;
(void)strncpy(x->ipn_name, ipo->ipo_name, sizeof(x->ipn_name));
bcopy(addr, &x->ipn_addr.adf_addr, sizeof(*addr));
x->ipn_addr.adf_len = sizeof(x->ipn_addr);
bcopy(mask, &x->ipn_mask.adf_addr, sizeof(*mask));
x->ipn_mask.adf_len = sizeof(x->ipn_mask);
RADIX_NODE_HEAD_LOCK(ipo->ipo_head);
rn = ipo->ipo_head->rnh_addaddr(&x->ipn_addr, &x->ipn_mask,
ipo->ipo_head, x->ipn_nodes);
RADIX_NODE_HEAD_UNLOCK(ipo->ipo_head);
#ifdef DEBUG_POOL
printf("Added %p at %p\n", x, rn);
#endif
if (rn == NULL) {
KFREE(x);
return ENOMEM;
}
x->ipn_next = ipo->ipo_list;
x->ipn_pnext = &ipo->ipo_list;
if (ipo->ipo_list != NULL)
ipo->ipo_list->ipn_pnext = &x->ipn_next;
ipo->ipo_list = x;
ipoolstat.ipls_nodes++;
return 0;
}
/* ------------------------------------------------------------------------ */
/* Function: ip_pool_create */
/* Returns: int - 0 = success, else error */
/* Parameters: op(I) - pointer to iplookup struct with call details */
/* Locks: WRITE(ip_poolrw) */
/* */
/* Creates a new group according to the paramters passed in via the */
/* iplookupop structure. Does not check to see if the group already exists */
/* when being inserted - assume this has already been done. If the pool is */
/* marked as being anonymous, give it a new, unique, identifier. Call any */
/* other functions required to initialise the structure. */
/* ------------------------------------------------------------------------ */
int ip_pool_create(op)
iplookupop_t *op;
{
char name[FR_GROUPLEN];
int poolnum, unit;
ip_pool_t *h;
ASSERT(rw_read_locked(&ip_poolrw.ipf_lk) == 0);
KMALLOC(h, ip_pool_t *);
if (h == NULL)
return ENOMEM;
bzero(h, sizeof(*h));
if (rn_inithead((void **)&h->ipo_head,
offsetof(addrfamily_t, adf_addr) << 3) == 0) {
KFREE(h);
return ENOMEM;
}
unit = op->iplo_unit;
if ((op->iplo_arg & IPOOL_ANON) != 0) {
ip_pool_t *p;
poolnum = IPOOL_ANON;
#if defined(SNPRINTF) && defined(_KERNEL)
SNPRINTF(name, sizeof(name), "%x", poolnum);
#else
(void)sprintf(name, "%x", poolnum);
#endif
for (p = ip_pool_list[unit]; p != NULL; ) {
if (strncmp(name, p->ipo_name,
sizeof(p->ipo_name)) == 0) {
poolnum++;
#if defined(SNPRINTF) && defined(_KERNEL)
SNPRINTF(name, sizeof(name), "%x", poolnum);
#else
(void)sprintf(name, "%x", poolnum);
#endif
p = ip_pool_list[unit];
} else
p = p->ipo_next;
}
(void)strncpy(h->ipo_name, name, sizeof(h->ipo_name));
} else {
(void) strncpy(h->ipo_name, op->iplo_name, sizeof(h->ipo_name));
}
h->ipo_ref = 1;
h->ipo_list = NULL;
h->ipo_unit = unit;
h->ipo_next = ip_pool_list[unit];
if (ip_pool_list[unit] != NULL)
ip_pool_list[unit]->ipo_pnext = &h->ipo_next;
h->ipo_pnext = &ip_pool_list[unit];
ip_pool_list[unit] = h;
ipoolstat.ipls_pools++;
return 0;
}
/* ------------------------------------------------------------------------ */
/* Function: ip_pool_remove */
/* Returns: int - 0 = success, else error */
/* Parameters: ipo(I) - pointer to the pool to remove the node from. */
/* ipe(I) - address being deleted as a node */
/* Locks: WRITE(ip_poolrw) */
/* */
/* Add another node to the pool given by ipo. The three parameters passed */
/* in (addr, mask, info) shold all be stored in the node. */
/* ------------------------------------------------------------------------ */
int ip_pool_remove(ipo, ipe)
ip_pool_t *ipo;
ip_pool_node_t *ipe;
{
ip_pool_node_t **ipp, *n;
ASSERT(rw_read_locked(&ip_poolrw.ipf_lk) == 0);
for (ipp = &ipo->ipo_list; (n = *ipp) != NULL; ipp = &n->ipn_next) {
if (ipe == n) {
*n->ipn_pnext = n->ipn_next;
if (n->ipn_next)
n->ipn_next->ipn_pnext = n->ipn_pnext;
break;
}
}
if (n == NULL)
return ENOENT;
RADIX_NODE_HEAD_LOCK(ipo->ipo_head);
ipo->ipo_head->rnh_deladdr(&n->ipn_addr, &n->ipn_mask,
ipo->ipo_head);
RADIX_NODE_HEAD_UNLOCK(ipo->ipo_head);
KFREE(n);
ipoolstat.ipls_nodes--;
return 0;
}
/* ------------------------------------------------------------------------ */
/* Function: ip_pool_destroy */
/* Returns: int - 0 = success, else error */
/* Parameters: op(I) - information about the pool to remove */
/* Locks: WRITE(ip_poolrw) or WRITE(ipf_global) */
/* */
/* Search for a pool using paramters passed in and if it's not otherwise */
/* busy, free it. */
/* */
/* NOTE: Because this function is called out of ipldetach() where ip_poolrw */
/* may not be initialised, we can't use an ASSERT to enforce the locking */
/* assertion that one of the two (ip_poolrw,ipf_global) is held. */
/* ------------------------------------------------------------------------ */
int ip_pool_destroy(op)
iplookupop_t *op;
{
ip_pool_t *ipo;
ipo = ip_pool_find(op->iplo_unit, op->iplo_name);
if (ipo == NULL)
return ESRCH;
if (ipo->ipo_ref != 1)
return EBUSY;
ip_pool_free(ipo);
return 0;
}
/* ------------------------------------------------------------------------ */
/* Function: ip_pool_flush */
/* Returns: int - number of pools deleted */
/* Parameters: fp(I) - which pool(s) to flush */
/* Locks: WRITE(ip_poolrw) or WRITE(ipf_global) */
/* */
/* Free all pools associated with the device that matches the unit number */
/* passed in with operation. */
/* */
/* NOTE: Because this function is called out of ipldetach() where ip_poolrw */
/* may not be initialised, we can't use an ASSERT to enforce the locking */
/* assertion that one of the two (ip_poolrw,ipf_global) is held. */
/* ------------------------------------------------------------------------ */
int ip_pool_flush(fp)
iplookupflush_t *fp;
{
int i, num = 0, unit, err;
ip_pool_t *p, *q;
iplookupop_t op;
unit = fp->iplf_unit;
for (i = 0; i <= IPL_LOGMAX; i++) {
if (unit != IPLT_ALL && i != unit)
continue;
for (q = ip_pool_list[i]; (p = q) != NULL; ) {
op.iplo_unit = i;
(void)strncpy(op.iplo_name, p->ipo_name,
sizeof(op.iplo_name));
q = p->ipo_next;
err = ip_pool_destroy(&op);
if (err == 0)
num++;
else
break;
}
}
return num;
}
/* ------------------------------------------------------------------------ */
/* Function: ip_pool_free */
/* Returns: void */
/* Parameters: ipo(I) - pointer to pool structure */
/* Locks: WRITE(ip_poolrw) or WRITE(ipf_global) */
/* */
/* Deletes the pool strucutre passed in from the list of pools and deletes */
/* all of the address information stored in it, including any tree data */
/* structures also allocated. */
/* */
/* NOTE: Because this function is called out of ipldetach() where ip_poolrw */
/* may not be initialised, we can't use an ASSERT to enforce the locking */
/* assertion that one of the two (ip_poolrw,ipf_global) is held. */
/* ------------------------------------------------------------------------ */
void ip_pool_free(ipo)
ip_pool_t *ipo;
{
ip_pool_node_t *n;
RADIX_NODE_HEAD_LOCK(ipo->ipo_head);
while ((n = ipo->ipo_list) != NULL) {
ipo->ipo_head->rnh_deladdr(&n->ipn_addr, &n->ipn_mask,
ipo->ipo_head);
*n->ipn_pnext = n->ipn_next;
if (n->ipn_next)
n->ipn_next->ipn_pnext = n->ipn_pnext;
KFREE(n);
ipoolstat.ipls_nodes--;
}
RADIX_NODE_HEAD_UNLOCK(ipo->ipo_head);
ipo->ipo_list = NULL;
if (ipo->ipo_next != NULL)
ipo->ipo_next->ipo_pnext = ipo->ipo_pnext;
*ipo->ipo_pnext = ipo->ipo_next;
rn_freehead(ipo->ipo_head);
KFREE(ipo);
ipoolstat.ipls_pools--;
}
/* ------------------------------------------------------------------------ */
/* Function: ip_pool_deref */
/* Returns: void */
/* Parameters: ipo(I) - pointer to pool structure */
/* Locks: WRITE(ip_poolrw) */
/* */
/* Drop the number of known references to this pool structure by one and if */
/* we arrive at zero known references, free it. */
/* ------------------------------------------------------------------------ */
void ip_pool_deref(ipo)
ip_pool_t *ipo;
{
ASSERT(rw_read_locked(&ip_poolrw.ipf_lk) == 0);
ipo->ipo_ref--;
if (ipo->ipo_ref == 0)
ip_pool_free(ipo);
}
# if defined(_KERNEL) && ((BSD >= 198911) && !defined(__osf__) && \
!defined(__hpux) && !defined(__sgi))
static int
rn_freenode(struct radix_node *n, void *p)
{
struct radix_node_head *rnh = p;
struct radix_node *d;
d = rnh->rnh_deladdr(n->rn_key, NULL, rnh);
if (d != NULL) {
FreeS(d, max_keylen + 2 * sizeof (*d));
}
return 0;
}
void
rn_freehead(rnh)
struct radix_node_head *rnh;
{
RADIX_NODE_HEAD_LOCK(rnh);
(*rnh->rnh_walktree)(rnh, rn_freenode, rnh);
rnh->rnh_addaddr = NULL;
rnh->rnh_deladdr = NULL;
rnh->rnh_matchaddr = NULL;
rnh->rnh_lookup = NULL;
rnh->rnh_walktree = NULL;
RADIX_NODE_HEAD_UNLOCK(rnh);
Free(rnh);
}
# endif
#endif /* IPFILTER_LOOKUP */


@ -0,0 +1,87 @@
/* $NetBSD$ */
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Id: ip_pool.h,v 2.26.2.2 2004/03/23 12:44:34 darrenr Exp
*/
#ifndef __IP_POOL_H__
#define __IP_POOL_H__
#if defined(_KERNEL) && !defined(__osf__) && !defined(__hpux) && \
!defined(linux) && !defined(sun)
# include <net/radix.h>
extern void rn_freehead __P((struct radix_node_head *));
# define FreeS(p, z) KFREES(p, z)
extern int max_keylen;
#else
# if defined(__osf__) || defined(__hpux)
# include "radix_ipf_local.h"
# define radix_mask ipf_radix_mask
# define radix_node ipf_radix_node
# define radix_node_head ipf_radix_node_head
# else
# include "radix_ipf.h"
# endif
#endif
#include "netinet/ip_lookup.h"
#define IP_POOL_NOMATCH 0
#define IP_POOL_POSITIVE 1
typedef struct ip_pool_node {
struct radix_node ipn_nodes[2];
addrfamily_t ipn_addr;
addrfamily_t ipn_mask;
int ipn_info;
char ipn_name[FR_GROUPLEN];
u_long ipn_hits;
struct ip_pool_node *ipn_next, **ipn_pnext;
} ip_pool_node_t;
typedef struct ip_pool_s {
struct ip_pool_s *ipo_next;
struct ip_pool_s **ipo_pnext;
struct radix_node_head *ipo_head;
ip_pool_node_t *ipo_list;
u_long ipo_hits;
int ipo_unit;
int ipo_flags;
int ipo_ref;
char ipo_name[FR_GROUPLEN];
} ip_pool_t;
#define IPOOL_ANON 0x80000000
typedef struct ip_pool_stat {
u_long ipls_pools;
u_long ipls_tables;
u_long ipls_nodes;
ip_pool_t *ipls_list[IPL_LOGSIZE];
} ip_pool_stat_t;
extern ip_pool_stat_t ipoolstat;
extern ip_pool_t *ip_pool_list[IPL_LOGSIZE];
extern int ip_pool_search __P((void *, int, void *));
extern int ip_pool_init __P((void));
extern void ip_pool_fini __P((void));
extern int ip_pool_create __P((iplookupop_t *));
extern int ip_pool_insert __P((ip_pool_t *, i6addr_t *, i6addr_t *, int));
extern int ip_pool_remove __P((ip_pool_t *, ip_pool_node_t *));
extern int ip_pool_destroy __P((iplookupop_t *));
extern void ip_pool_free __P((ip_pool_t *));
extern void ip_pool_deref __P((ip_pool_t *));
extern void *ip_pool_find __P((int, char *));
extern ip_pool_node_t *ip_pool_findeq __P((ip_pool_t *,
addrfamily_t *, addrfamily_t *));
extern int ip_pool_flush __P((iplookupflush_t *));
extern int ip_pool_statistics __P((iplookupop_t *));
#endif /* __IP_POOL_H__ */


@ -0,0 +1,527 @@
/* $NetBSD$ */
/*
* Copyright (C) 2002-2003 by Darren Reed
*
* Simple PPTP transparent proxy for in-kernel use. For use with the NAT
* code.
*
* Id: ip_pptp_pxy.c,v 2.10.2.9 2005/03/16 18:17:34 darrenr Exp
*
*/
#define IPF_PPTP_PROXY
typedef struct pptp_hdr {
u_short pptph_len;
u_short pptph_type;
u_32_t pptph_cookie;
} pptp_hdr_t;
#define PPTP_MSGTYPE_CTL 1
#define PPTP_MTCTL_STARTREQ 1
#define PPTP_MTCTL_STARTREP 2
#define PPTP_MTCTL_STOPREQ 3
#define PPTP_MTCTL_STOPREP 4
#define PPTP_MTCTL_ECHOREQ 5
#define PPTP_MTCTL_ECHOREP 6
#define PPTP_MTCTL_OUTREQ 7
#define PPTP_MTCTL_OUTREP 8
#define PPTP_MTCTL_INREQ 9
#define PPTP_MTCTL_INREP 10
#define PPTP_MTCTL_INCONNECT 11
#define PPTP_MTCTL_CLEAR 12
#define PPTP_MTCTL_DISCONNECT 13
#define PPTP_MTCTL_WANERROR 14
#define PPTP_MTCTL_LINKINFO 15
int ippr_pptp_init __P((void));
void ippr_pptp_fini __P((void));
int ippr_pptp_new __P((fr_info_t *, ap_session_t *, nat_t *));
void ippr_pptp_del __P((ap_session_t *));
int ippr_pptp_inout __P((fr_info_t *, ap_session_t *, nat_t *));
void ippr_pptp_donatstate __P((fr_info_t *, nat_t *, pptp_pxy_t *));
int ippr_pptp_message __P((fr_info_t *, nat_t *, pptp_pxy_t *, pptp_side_t *));
int ippr_pptp_nextmessage __P((fr_info_t *, nat_t *, pptp_pxy_t *, int));
int ippr_pptp_mctl __P((fr_info_t *, nat_t *, pptp_pxy_t *, pptp_side_t *));
static frentry_t pptpfr;
int pptp_proxy_init = 0;
int ippr_pptp_debug = 0;
int ippr_pptp_gretimeout = IPF_TTLVAL(120); /* 2 minutes */
/*
* PPTP application proxy initialization.
*/
int ippr_pptp_init()
{
bzero((char *)&pptpfr, sizeof(pptpfr));
pptpfr.fr_ref = 1;
pptpfr.fr_age[0] = ippr_pptp_gretimeout;
pptpfr.fr_age[1] = ippr_pptp_gretimeout;
pptpfr.fr_flags = FR_OUTQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
MUTEX_INIT(&pptpfr.fr_lock, "PPTP proxy rule lock");
pptp_proxy_init = 1;
return 0;
}
void ippr_pptp_fini()
{
if (pptp_proxy_init == 1) {
MUTEX_DESTROY(&pptpfr.fr_lock);
pptp_proxy_init = 0;
}
}
/*
* Setup for a new PPTP proxy.
*/
int ippr_pptp_new(fin, aps, nat)
fr_info_t *fin;
ap_session_t *aps;
nat_t *nat;
{
pptp_pxy_t *pptp;
ipnat_t *ipn;
ip_t *ip;
int off;
ip = fin->fin_ip;
off = fin->fin_hlen + sizeof(udphdr_t);
if (nat_outlookup(fin, 0, IPPROTO_GRE, nat->nat_inip,
ip->ip_dst) != NULL) {
if (ippr_pptp_debug > 0)
printf("ippr_pptp_new: GRE session already exists\n");
return -1;
}
aps->aps_psiz = sizeof(*pptp);
KMALLOCS(aps->aps_data, pptp_pxy_t *, sizeof(*pptp));
if (aps->aps_data == NULL) {
if (ippr_pptp_debug > 0)
printf("ippr_pptp_new: malloc for aps_data failed\n");
return -1;
}
/*
* Create NAT rule against which the tunnel/transport mapping is
* created. This is required because the current NAT rule does not
* describe GRE but TCP instead.
*/
pptp = aps->aps_data;
bzero((char *)pptp, sizeof(*pptp));
ipn = &pptp->pptp_rule;
ipn->in_ifps[0] = fin->fin_ifp;
ipn->in_apr = NULL;
ipn->in_use = 1;
ipn->in_hits = 1;
ipn->in_ippip = 1;
if (nat->nat_dir == NAT_OUTBOUND) {
ipn->in_nip = ntohl(nat->nat_outip.s_addr);
ipn->in_outip = fin->fin_saddr;
ipn->in_redir = NAT_MAP;
} else if (nat->nat_dir == NAT_INBOUND) {
ipn->in_nip = 0;
ipn->in_outip = nat->nat_outip.s_addr;
ipn->in_redir = NAT_REDIRECT;
}
ipn->in_inip = nat->nat_inip.s_addr;
ipn->in_inmsk = 0xffffffff;
ipn->in_outmsk = 0xffffffff;
ipn->in_srcip = fin->fin_saddr;
ipn->in_srcmsk = 0xffffffff;
bcopy(nat->nat_ptr->in_ifnames[0], ipn->in_ifnames[0],
sizeof(ipn->in_ifnames[0]));
ipn->in_p = IPPROTO_GRE;
pptp->pptp_side[0].pptps_wptr = pptp->pptp_side[0].pptps_buffer;
pptp->pptp_side[1].pptps_wptr = pptp->pptp_side[1].pptps_buffer;
return 0;
}
void ippr_pptp_donatstate(fin, nat, pptp)
fr_info_t *fin;
nat_t *nat;
pptp_pxy_t *pptp;
{
fr_info_t fi;
grehdr_t gre;
nat_t *nat2;
u_char p;
ip_t *ip;
ip = fin->fin_ip;
p = ip->ip_p;
nat2 = pptp->pptp_nat;
if ((nat2 == NULL) || (pptp->pptp_state == NULL)) {
bcopy((char *)fin, (char *)&fi, sizeof(fi));
bzero((char *)&gre, sizeof(gre));
fi.fin_state = NULL;
fi.fin_nat = NULL;
fi.fin_fi.fi_p = IPPROTO_GRE;
fi.fin_fr = &pptpfr;
if ((nat->nat_dir == NAT_OUTBOUND && fin->fin_out) ||
(nat->nat_dir == NAT_INBOUND && !fin->fin_out)) {
fi.fin_data[0] = pptp->pptp_call[0];
fi.fin_data[1] = pptp->pptp_call[1];
} else {
fi.fin_data[0] = pptp->pptp_call[1];
fi.fin_data[1] = pptp->pptp_call[0];
}
ip = fin->fin_ip;
ip->ip_p = IPPROTO_GRE;
fi.fin_flx &= ~(FI_TCPUDP|FI_STATE|FI_FRAG);
fi.fin_flx |= FI_IGNORE;
fi.fin_dp = &gre;
gre.gr_flags = htons(1 << 13);
if (fin->fin_out && nat->nat_dir == NAT_INBOUND) {
fi.fin_fi.fi_saddr = fin->fin_fi.fi_daddr;
fi.fin_fi.fi_daddr = nat->nat_outip.s_addr;
} else if (!fin->fin_out && nat->nat_dir == NAT_OUTBOUND) {
fi.fin_fi.fi_saddr = nat->nat_inip.s_addr;
fi.fin_fi.fi_daddr = fin->fin_fi.fi_saddr;
}
}
/*
* Update NAT timeout/create NAT if missing.
*/
if (nat2 != NULL)
fr_queueback(&nat2->nat_tqe);
else {
nat2 = nat_new(&fi, &pptp->pptp_rule, &pptp->pptp_nat,
NAT_SLAVE, nat->nat_dir);
pptp->pptp_nat = nat2;
if (nat2 != NULL) {
(void) nat_proto(&fi, nat2, 0);
nat_update(&fi, nat2, nat2->nat_ptr);
}
}
READ_ENTER(&ipf_state);
if (pptp->pptp_state != NULL) {
fr_queueback(&pptp->pptp_state->is_sti);
RWLOCK_EXIT(&ipf_state);
} else {
RWLOCK_EXIT(&ipf_state);
if (nat->nat_dir == NAT_INBOUND)
fi.fin_fi.fi_daddr = nat2->nat_inip.s_addr;
else
fi.fin_fi.fi_saddr = nat2->nat_inip.s_addr;
fi.fin_ifp = NULL;
pptp->pptp_state = fr_addstate(&fi, &pptp->pptp_state,
0);
if (fi.fin_state != NULL)
fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
}
ip->ip_p = p;
return;
}
/*
* Try and build up the next PPTP message in the TCP stream and if we can
* build it up completely (fits in our buffer) then pass it off to the message
* parsing function.
*/
int ippr_pptp_nextmessage(fin, nat, pptp, rev)
fr_info_t *fin;
nat_t *nat;
pptp_pxy_t *pptp;
int rev;
{
static char *funcname = "ippr_pptp_nextmessage";
pptp_side_t *pptps;
u_32_t start, end;
pptp_hdr_t *hdr;
tcphdr_t *tcp;
int dlen, off;
u_short len;
char *msg;
tcp = fin->fin_dp;
dlen = fin->fin_dlen - (TCP_OFF(tcp) << 2);
start = ntohl(tcp->th_seq);
pptps = &pptp->pptp_side[rev];
off = (char *)tcp - (char *)fin->fin_ip + (TCP_OFF(tcp) << 2) +
fin->fin_ipoff;
if (dlen <= 0)
return 0;
/*
* If the complete data packet is before what we expect to see
* "next", just ignore it as the chances are we've already seen it.
* The next if statement following this one really just causes packets
* ahead of what we've seen to be dropped, implying that something in
* the middle went missing and we want to see that first.
*/
end = start + dlen;
if (pptps->pptps_next > end && pptps->pptps_next > start)
return 0;
if (pptps->pptps_next != start) {
if (ippr_pptp_debug > 5)
printf("%s: next (%x) != start (%x)\n", funcname,
pptps->pptps_next, start);
return -1;
}
msg = (char *)fin->fin_dp + (TCP_OFF(tcp) << 2);
while (dlen > 0) {
off += pptps->pptps_bytes;
if (pptps->pptps_gothdr == 0) {
/*
* PPTP has an 8 byte header that inclues the cookie.
* The start of every message should include one and
* it should match 1a2b3c4d. Byte order is ignored,
* deliberately, when printing out the error.
*/
len = MIN(8 - pptps->pptps_bytes, dlen);
COPYDATA(fin->fin_m, off, len, pptps->pptps_wptr);
pptps->pptps_bytes += len;
pptps->pptps_wptr += len;
hdr = (pptp_hdr_t *)pptps->pptps_buffer;
if (pptps->pptps_bytes == 8) {
pptps->pptps_next += 8;
if (ntohl(hdr->pptph_cookie) != 0x1a2b3c4d) {
if (ippr_pptp_debug > 1)
printf("%s: bad cookie (%x)\n",
funcname,
hdr->pptph_cookie);
return -1;
}
}
dlen -= len;
msg += len;
off += len;
pptps->pptps_gothdr = 1;
len = ntohs(hdr->pptph_len);
pptps->pptps_len = len;
pptps->pptps_nexthdr += len;
/*
* If a message is too big for the buffer, just set
* the fields for the next message to come along.
* The messages defined in RFC 2637 will not exceed
* 512 bytes (in total length) so this is likely a
* bad data packet, anyway.
*/
if (len > sizeof(pptps->pptps_buffer)) {
if (ippr_pptp_debug > 3)
printf("%s: message too big (%d)\n",
funcname, len);
pptps->pptps_next = pptps->pptps_nexthdr;
pptps->pptps_wptr = pptps->pptps_buffer;
pptps->pptps_gothdr = 0;
pptps->pptps_bytes = 0;
pptps->pptps_len = 0;
break;
}
}
len = MIN(pptps->pptps_len - pptps->pptps_bytes, dlen);
COPYDATA(fin->fin_m, off, len, pptps->pptps_wptr);
pptps->pptps_bytes += len;
pptps->pptps_wptr += len;
pptps->pptps_next += len;
if (pptps->pptps_len > pptps->pptps_bytes)
break;
ippr_pptp_message(fin, nat, pptp, pptps);
pptps->pptps_wptr = pptps->pptps_buffer;
pptps->pptps_gothdr = 0;
pptps->pptps_bytes = 0;
pptps->pptps_len = 0;
start += len;
msg += len;
dlen -= len;
}
return 0;
}
/*
* handle a complete PPTP message
*/
int ippr_pptp_message(fin, nat, pptp, pptps)
fr_info_t *fin;
nat_t *nat;
pptp_pxy_t *pptp;
pptp_side_t *pptps;
{
pptp_hdr_t *hdr = (pptp_hdr_t *)pptps->pptps_buffer;
switch (ntohs(hdr->pptph_type))
{
case PPTP_MSGTYPE_CTL :
ippr_pptp_mctl(fin, nat, pptp, pptps);
break;
default :
break;
}
return 0;
}
/*
* handle a complete PPTP control message
*/
int ippr_pptp_mctl(fin, nat, pptp, pptps)
fr_info_t *fin;
nat_t *nat;
pptp_pxy_t *pptp;
pptp_side_t *pptps;
{
u_short *buffer = (u_short *)(pptps->pptps_buffer);
pptp_side_t *pptpo;
if (pptps == &pptp->pptp_side[0])
pptpo = &pptp->pptp_side[1];
else
pptpo = &pptp->pptp_side[0];
/*
* Breakout to handle all the various messages. Most are just state
* transition.
*/
switch (ntohs(buffer[4]))
{
case PPTP_MTCTL_STARTREQ :
pptps->pptps_state = PPTP_MTCTL_STARTREQ;
break;
case PPTP_MTCTL_STARTREP :
if (pptpo->pptps_state == PPTP_MTCTL_STARTREQ)
pptps->pptps_state = PPTP_MTCTL_STARTREP;
break;
case PPTP_MTCTL_STOPREQ :
pptps->pptps_state = PPTP_MTCTL_STOPREQ;
break;
case PPTP_MTCTL_STOPREP :
if (pptpo->pptps_state == PPTP_MTCTL_STOPREQ)
pptps->pptps_state = PPTP_MTCTL_STOPREP;
break;
case PPTP_MTCTL_ECHOREQ :
pptps->pptps_state = PPTP_MTCTL_ECHOREQ;
break;
case PPTP_MTCTL_ECHOREP :
if (pptpo->pptps_state == PPTP_MTCTL_ECHOREQ)
pptps->pptps_state = PPTP_MTCTL_ECHOREP;
break;
case PPTP_MTCTL_OUTREQ :
pptps->pptps_state = PPTP_MTCTL_OUTREQ;
break;
case PPTP_MTCTL_OUTREP :
if (pptpo->pptps_state == PPTP_MTCTL_OUTREQ) {
pptps->pptps_state = PPTP_MTCTL_OUTREP;
pptp->pptp_call[0] = buffer[7];
pptp->pptp_call[1] = buffer[6];
ippr_pptp_donatstate(fin, nat, pptp);
}
break;
case PPTP_MTCTL_INREQ :
pptps->pptps_state = PPTP_MTCTL_INREQ;
break;
case PPTP_MTCTL_INREP :
if (pptpo->pptps_state == PPTP_MTCTL_INREQ) {
pptps->pptps_state = PPTP_MTCTL_INREP;
pptp->pptp_call[0] = buffer[7];
pptp->pptp_call[1] = buffer[6];
ippr_pptp_donatstate(fin, nat, pptp);
}
break;
case PPTP_MTCTL_INCONNECT :
pptps->pptps_state = PPTP_MTCTL_INCONNECT;
break;
case PPTP_MTCTL_CLEAR :
pptps->pptps_state = PPTP_MTCTL_CLEAR;
break;
case PPTP_MTCTL_DISCONNECT :
pptps->pptps_state = PPTP_MTCTL_DISCONNECT;
break;
case PPTP_MTCTL_WANERROR :
pptps->pptps_state = PPTP_MTCTL_WANERROR;
break;
case PPTP_MTCTL_LINKINFO :
pptps->pptps_state = PPTP_MTCTL_LINKINFO;
break;
}
return 0;
}
/*
* For outgoing PPTP packets. refresh timeouts for NAT & state entries, if
* we can. If they have disappeared, recreate them.
*/
int ippr_pptp_inout(fin, aps, nat)
fr_info_t *fin;
ap_session_t *aps;
nat_t *nat;
{
pptp_pxy_t *pptp;
tcphdr_t *tcp;
int rev;
if ((fin->fin_out == 1) && (nat->nat_dir == NAT_INBOUND))
rev = 1;
else if ((fin->fin_out == 0) && (nat->nat_dir == NAT_OUTBOUND))
rev = 1;
else
rev = 0;
tcp = (tcphdr_t *)fin->fin_dp;
if ((tcp->th_flags & TH_OPENING) == TH_OPENING) {
pptp = (pptp_pxy_t *)aps->aps_data;
pptp->pptp_side[1 - rev].pptps_next = ntohl(tcp->th_ack);
pptp->pptp_side[1 - rev].pptps_nexthdr = ntohl(tcp->th_ack);
pptp->pptp_side[rev].pptps_next = ntohl(tcp->th_seq) + 1;
pptp->pptp_side[rev].pptps_nexthdr = ntohl(tcp->th_seq) + 1;
}
return ippr_pptp_nextmessage(fin, nat, (pptp_pxy_t *)aps->aps_data,
rev);
}
/*
* clean up after ourselves.
*/
void ippr_pptp_del(aps)
ap_session_t *aps;
{
pptp_pxy_t *pptp;
pptp = aps->aps_data;
if (pptp != NULL) {
/*
* Don't bother changing any of the NAT structure details,
* *_del() is on a callback from aps_free(), from nat_delete()
*/
READ_ENTER(&ipf_state);
if (pptp->pptp_state != NULL) {
pptp->pptp_state->is_die = fr_ticks + 1;
pptp->pptp_state->is_me = NULL;
fr_queuefront(&pptp->pptp_state->is_sti);
}
RWLOCK_EXIT(&ipf_state);
pptp->pptp_state = NULL;
pptp->pptp_nat = NULL;
}
}
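Review bot: In ippr_pptp_nextmessage the header path sets `pptps->pptps_gothdr = 1` and reads `hdr->pptph_len` even when fewer than 8 header bytes have been copied (the `pptps_bytes == 8` test only guards the cookie check), so a PPTP header split across TCP segments leaves the parser with a stale length and the rest of the header is later consumed as payload. Because `len` is a u_short, a stale or peer-supplied `pptph_len` smaller than `pptps_bytes` makes `MIN(pptps->pptps_len - pptps->pptps_bytes, dlen)` go negative and wrap to a large value before the second COPYDATA into the fixed-size pptps_buffer. I would add `if (pptps->pptps_bytes < 8) break;` before `pptps->pptps_gothdr = 1;` and reject `len < sizeof(*hdr)` next to the existing `len > sizeof(pptps->pptps_buffer)` check. Separately, ippr_pptp_donatstate dereferences `nat2->nat_inip` when pptp_state is NULL even though the preceding nat_new() may have returned NULL; that branch needs a `if (nat2 == NULL)` bail-out that still restores `ip->ip_p = p`.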


594
contrib/ipfilter/ip_scan.c Normal file

@ -0,0 +1,594 @@
/* $NetBSD$ */
/*
* Copyright (C) 1995-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if defined(KERNEL) || defined(_KERNEL)
# undef KERNEL
# undef _KERNEL
# define KERNEL 1
# define _KERNEL 1
#endif
#include <sys/param.h>
#if defined(__hpux) && (HPUXREV >= 1111) && !defined(_KERNEL)
# include <sys/kern_svcs.h>
#endif
#include <sys/types.h>
#include <sys/time.h>
#include <sys/errno.h>
#if !defined(_KERNEL)
# include <stdlib.h>
# include <string.h>
# define _KERNEL
# ifdef __OpenBSD__
struct file;
# endif
# include <sys/uio.h>
# undef _KERNEL
#else
# include <sys/systm.h>
# if !defined(__svr4__) && !defined(__SVR4)
# include <sys/mbuf.h>
# endif
#endif
#include <sys/socket.h>
#if !defined(__hpux) && !defined(__osf__) && !defined(linux)
# include <sys/ioccom.h>
#endif
#ifdef __FreeBSD__
# include <sys/filio.h>
# include <sys/malloc.h>
#else
# include <sys/ioctl.h>
#endif
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <net/if.h>
#include "netinet/ip_compat.h"
#include "netinet/ip_fil.h"
#include "netinet/ip_state.h"
#include "netinet/ip_scan.h"
/* END OF INCLUDES */
#if !defined(lint)
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_scan.c,v 2.40.2.2 2005/01/18 10:13:16 darrenr Exp";
#endif
#ifdef IPFILTER_SCAN /* endif at bottom of file */
ipscan_t *ipsc_list = NULL,
*ipsc_tail = NULL;
ipscanstat_t ipsc_stat;
# ifdef USE_MUTEXES
ipfrwlock_t ipsc_rwlock;
# endif
# ifndef isalpha
# define isalpha(x) (((x) >= 'A' && 'Z' >= (x)) || \
((x) >= 'a' && 'z' >= (x)))
# endif
int ipsc_add __P((caddr_t));
int ipsc_delete __P((caddr_t));
struct ipscan *ipsc_lookup __P((char *));
int ipsc_matchstr __P((sinfo_t *, char *, int));
int ipsc_matchisc __P((ipscan_t *, ipstate_t *, int, int, int *));
int ipsc_match __P((ipstate_t *));
int ipsc_init()
{
RWLOCK_INIT(&ipsc_rwlock, "ip scan rwlock");
return 0;
}
void fr_scanunload()
{
RW_DESTROY(&ipsc_rwlock);
}
int ipsc_add(data)
caddr_t data;
{
ipscan_t *i, *isc;
int err;
KMALLOC(isc, ipscan_t *);
if (!isc)
return ENOMEM;
err = copyinptr(data, isc, sizeof(*isc));
if (err)
return err;
WRITE_ENTER(&ipsc_rwlock);
i = ipsc_lookup(isc->ipsc_tag);
if (i) {
RWLOCK_EXIT(&ipsc_rwlock);
KFREE(isc);
return EEXIST;
}
if (ipsc_tail) {
ipsc_tail->ipsc_next = isc;
isc->ipsc_pnext = &ipsc_tail->ipsc_next;
ipsc_tail = isc;
} else {
ipsc_list = isc;
ipsc_tail = isc;
isc->ipsc_pnext = &ipsc_list;
}
isc->ipsc_next = NULL;
isc->ipsc_hits = 0;
isc->ipsc_fref = 0;
isc->ipsc_sref = 0;
isc->ipsc_active = 0;
ipsc_stat.iscs_entries++;
RWLOCK_EXIT(&ipsc_rwlock);
return 0;
}
int ipsc_delete(data)
caddr_t data;
{
ipscan_t isc, *i;
int err;
err = copyinptr(data, &isc, sizeof(isc));
if (err)
return err;
WRITE_ENTER(&ipsc_rwlock);
i = ipsc_lookup(isc.ipsc_tag);
if (i == NULL)
err = ENOENT;
else {
if (i->ipsc_fref) {
RWLOCK_EXIT(&ipsc_rwlock);
return EBUSY;
}
*i->ipsc_pnext = i->ipsc_next;
if (i->ipsc_next)
i->ipsc_next->ipsc_pnext = i->ipsc_pnext;
else {
if (i->ipsc_pnext == &ipsc_list)
ipsc_tail = NULL;
else
ipsc_tail = *(*i->ipsc_pnext)->ipsc_pnext;
}
ipsc_stat.iscs_entries--;
KFREE(i);
}
RWLOCK_EXIT(&ipsc_rwlock);
return err;
}
struct ipscan *ipsc_lookup(tag)
char *tag;
{
ipscan_t *i;
for (i = ipsc_list; i; i = i->ipsc_next)
if (!strcmp(i->ipsc_tag, tag))
return i;
return NULL;
}
int ipsc_attachfr(fr)
struct frentry *fr;
{
ipscan_t *i;
if (fr->fr_isctag[0]) {
READ_ENTER(&ipsc_rwlock);
i = ipsc_lookup(fr->fr_isctag);
if (i != NULL) {
ATOMIC_INC32(i->ipsc_fref);
}
RWLOCK_EXIT(&ipsc_rwlock);
if (i == NULL)
return ENOENT;
fr->fr_isc = i;
}
return 0;
}
int ipsc_attachis(is)
struct ipstate *is;
{
frentry_t *fr;
ipscan_t *i;
READ_ENTER(&ipsc_rwlock);
fr = is->is_rule;
if (fr) {
i = fr->fr_isc;
if (!i || (i != (ipscan_t *)-1)) {
is->is_isc = i;
if (i) {
ATOMIC_INC32(i->ipsc_sref);
if (i->ipsc_clen)
is->is_flags |= IS_SC_CLIENT;
else
is->is_flags |= IS_SC_MATCHC;
if (i->ipsc_slen)
is->is_flags |= IS_SC_SERVER;
else
is->is_flags |= IS_SC_MATCHS;
} else
is->is_flags |= (IS_SC_CLIENT|IS_SC_SERVER);
}
}
RWLOCK_EXIT(&ipsc_rwlock);
return 0;
}
int ipsc_detachfr(fr)
struct frentry *fr;
{
ipscan_t *i;
i = fr->fr_isc;
if (i != NULL) {
ATOMIC_DEC32(i->ipsc_fref);
}
return 0;
}
int ipsc_detachis(is)
struct ipstate *is;
{
ipscan_t *i;
READ_ENTER(&ipsc_rwlock);
if ((i = is->is_isc) && (i != (ipscan_t *)-1)) {
ATOMIC_DEC32(i->ipsc_sref);
is->is_isc = NULL;
is->is_flags &= ~(IS_SC_CLIENT|IS_SC_SERVER);
}
RWLOCK_EXIT(&ipsc_rwlock);
return 0;
}
/*
* 'string' compare for scanning
*/
int ipsc_matchstr(sp, str, n)
sinfo_t *sp;
char *str;
int n;
{
char *s, *t, *up;
int i = n;
if (i > sp->s_len)
i = sp->s_len;
up = str;
for (s = sp->s_txt, t = sp->s_msk; i; i--, s++, t++, up++)
switch ((int)*t)
{
case '.' :
if (*s != *up)
return 1;
break;
case '?' :
if (!ISALPHA(*up) || ((*s & 0x5f) != (*up & 0x5f)))
return 1;
break;
case '*' :
break;
}
return 0;
}
/*
* Returns 3 if both server and client match, 2 if just server,
* 1 if just client
*/
int ipsc_matchisc(isc, is, cl, sl, maxm)
ipscan_t *isc;
ipstate_t *is;
int cl, sl, maxm[2];
{
int i, j, k, n, ret = 0, flags;
flags = is->is_flags;
/*
* If we've already matched more than what is on offer, then
* assume we have a better match already and forget this one.
*/
if (maxm != NULL) {
if (isc->ipsc_clen < maxm[0])
return 0;
if (isc->ipsc_slen < maxm[1])
return 0;
j = maxm[0];
k = maxm[1];
} else {
j = 0;
k = 0;
}
if (!isc->ipsc_clen)
ret = 1;
else if (((flags & (IS_SC_MATCHC|IS_SC_CLIENT)) == IS_SC_CLIENT) &&
cl && isc->ipsc_clen) {
i = 0;
n = MIN(cl, isc->ipsc_clen);
if ((n > 0) && (!maxm || (n >= maxm[1]))) {
if (!ipsc_matchstr(&isc->ipsc_cl, is->is_sbuf[0], n)) {
i++;
ret |= 1;
if (n > j)
j = n;
}
}
}
if (!isc->ipsc_slen)
ret |= 2;
else if (((flags & (IS_SC_MATCHS|IS_SC_SERVER)) == IS_SC_SERVER) &&
sl && isc->ipsc_slen) {
i = 0;
n = MIN(cl, isc->ipsc_slen);
if ((n > 0) && (!maxm || (n >= maxm[1]))) {
if (!ipsc_matchstr(&isc->ipsc_sl, is->is_sbuf[1], n)) {
i++;
ret |= 2;
if (n > k)
k = n;
}
}
}
if (maxm && (ret == 3)) {
maxm[0] = j;
maxm[1] = k;
}
return ret;
}
int ipsc_match(is)
ipstate_t *is;
{
int i, j, k, n, cl, sl, maxm[2];
ipscan_t *isc, *lm;
tcpdata_t *t;
for (cl = 0, n = is->is_smsk[0]; n & 1; n >>= 1)
cl++;
for (sl = 0, n = is->is_smsk[1]; n & 1; n >>= 1)
sl++;
j = 0;
isc = is->is_isc;
if (isc != NULL) {
/*
* Known object to scan for.
*/
i = ipsc_matchisc(isc, is, cl, sl, NULL);
if (i & 1) {
is->is_flags |= IS_SC_MATCHC;
is->is_flags &= ~IS_SC_CLIENT;
} else if (cl >= isc->ipsc_clen)
is->is_flags &= ~IS_SC_CLIENT;
if (i & 2) {
is->is_flags |= IS_SC_MATCHS;
is->is_flags &= ~IS_SC_SERVER;
} else if (sl >= isc->ipsc_slen)
is->is_flags &= ~IS_SC_SERVER;
} else {
i = 0;
lm = NULL;
maxm[0] = 0;
maxm[1] = 0;
for (k = 0, isc = ipsc_list; isc; isc = isc->ipsc_next) {
i = ipsc_matchisc(isc, is, cl, sl, maxm);
if (i) {
/*
* We only want to remember the best match
* and the number of times we get a best
* match.
*/
if ((j == 3) && (i < 3))
continue;
if ((i == 3) && (j != 3))
k = 1;
else
k++;
j = i;
lm = isc;
}
}
if (k == 1)
isc = lm;
/*
* No matches or partial matches, so reset the respective
* search flag.
*/
if (!(j & 1))
is->is_flags &= ~IS_SC_CLIENT;
if (!(j & 2))
is->is_flags &= ~IS_SC_SERVER;
/*
* If we found the best match, then set flags appropriately.
*/
if ((j == 3) && (k == 1)) {
is->is_flags &= ~(IS_SC_SERVER|IS_SC_CLIENT);
is->is_flags |= (IS_SC_MATCHS|IS_SC_MATCHC);
}
}
/*
* If the acknowledged side of a connection has moved past the data in
* which we are interested, then reset respective flag.
*/
t = &is->is_tcp.ts_data[0];
if (t->td_end > is->is_s0[0] + 15)
is->is_flags &= ~IS_SC_CLIENT;
t = &is->is_tcp.ts_data[1];
if (t->td_end > is->is_s0[1] + 15)
is->is_flags &= ~IS_SC_SERVER;
/*
* Matching complete ?
*/
j = ISC_A_NONE;
if ((is->is_flags & IS_SC_MATCHALL) == IS_SC_MATCHALL) {
j = isc->ipsc_action;
ipsc_stat.iscs_acted++;
} else if ((is->is_isc != NULL) &&
((is->is_flags & IS_SC_MATCHALL) != IS_SC_MATCHALL) &&
!(is->is_flags & (IS_SC_CLIENT|IS_SC_SERVER))) {
/*
* Matching failed...
*/
j = isc->ipsc_else;
ipsc_stat.iscs_else++;
}
switch (j)
{
case ISC_A_CLOSE :
/*
* If as a result of a successful match we are to
* close a connection, change the "keep state" info.
* to block packets and generate TCP RST's.
*/
is->is_pass &= ~FR_RETICMP;
is->is_pass |= FR_RETRST;
break;
default :
break;
}
return i;
}
/*
* check if a packet matches what we're scanning for
*/
int ipsc_packet(fin, is)
fr_info_t *fin;
ipstate_t *is;
{
int i, j, rv, dlen, off, thoff;
u_32_t seq, s0;
tcphdr_t *tcp;
rv = !IP6_EQ(&fin->fin_fi.fi_src, &is->is_src);
tcp = fin->fin_dp;
seq = ntohl(tcp->th_seq);
if (!is->is_s0[rv])
return 1;
/*
* check if this packet has more data that falls within the first
* 16 bytes sent in either direction.
*/
s0 = is->is_s0[rv];
off = seq - s0;
if ((off > 15) || (off < 0))
return 1;
thoff = TCP_OFF(tcp) << 2;
dlen = fin->fin_dlen - thoff;
if (dlen <= 0)
return 1;
if (dlen > 16)
dlen = 16;
if (off + dlen > 16)
dlen = 16 - off;
j = 0xffff >> (16 - dlen);
i = (0xffff & j) << off;
#ifdef _KERNEL
COPYDATA(*(mb_t **)fin->fin_mp, fin->fin_hlen + thoff, dlen,
(caddr_t)is->is_sbuf[rv] + off);
#endif
is->is_smsk[rv] |= i;
for (j = 0, i = is->is_smsk[rv]; i & 1; i >>= 1)
j++;
if (j == 0)
return 1;
(void) ipsc_match(is);
#if 0
/*
* There is the potential here for plain text passwords to get
* buffered and stored for some time...
*/
if (!(is->is_flags & IS_SC_CLIENT))
bzero(is->is_sbuf[0], sizeof(is->is_sbuf[0]));
if (!(is->is_flags & IS_SC_SERVER))
bzero(is->is_sbuf[1], sizeof(is->is_sbuf[1]));
#endif
return 0;
}
int fr_scan_ioctl(data, cmd, mode)
caddr_t data;
ioctlcmd_t cmd;
int mode;
{
ipscanstat_t ipscs;
int err = 0;
switch (cmd)
{
case SIOCADSCA :
err = ipsc_add(data);
break;
case SIOCRMSCA :
err = ipsc_delete(data);
break;
case SIOCGSCST :
bcopy((char *)&ipsc_stat, (char *)&ipscs, sizeof(ipscs));
ipscs.iscs_list = ipsc_list;
BCOPYOUT(&ipscs, data, sizeof(ipscs));
break;
default :
err = EINVAL;
break;
}
return err;
}
#endif /* IPFILTER_SCAN */

108
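--- a/contrib/ipfilter/ip_scan.h
+++ b/contrib/ipfilter/ip_scan.h
@@ -0,0 +1,108 @@
+/* $NetBSD$ */
+/*
+* Copyright (C) 1993-2001 by Darren Reed.
+*
+* See the IPFILTER.LICENCE file for details on licencing.
+*
+* @(#)ip_fil.h 1.35 6/5/96
+* Id: ip_scan.h,v 2.9 2003/07/25 22:05:01 darrenr Exp
+*/
+#ifndef __IP_SCAN_H__
+#define __IP_SCAN_H__ 1
+#ifdef sun
+# include <sys/ioccom.h>
+#endif
+#define IPSCAN_NAME "/dev/ipscan"
+#define IPL_SCAN IPSCAN_NAME
+#define ISC_TLEN 16
+struct fr_info;
+struct frentry;
+struct ip;
+struct ipstate;
+#if defined(__STDC__) || defined(__GNUC__)
+# define SIOCADSCA _IOWR('r', 60, struct ipscan *)
+# define SIOCRMSCA _IOWR('r', 61, struct ipscan *)
+# define SIOCGSCST _IOWR('r', 62, struct ipscan *)
+#else
+# define SIOCADSCA _IOWR(r, 60, struct ipscan *)
+# define SIOCRMSCA _IOWR(r, 61, struct ipscan *)
+# define SIOCGSCST _IOWR(r, 62, struct ipscan *)
+#endif
+struct action {
+int act_val; /* what to do */
+struct in_addr act_ip; /* redirect IP# */
+u_short act_port; /* redirect port number */
+int act_else; /* what to do */
+struct in_addr act_eip; /* redirect IP# */
+u_short act_eport; /* redirect port number */
+};
+typedef struct sinfo {
+char s_txt[ISC_TLEN]; /* text to match */
+char s_msk[ISC_TLEN]; /* mask of the above to check */
+int s_len; /* length of server text */
+} sinfo_t;
+typedef struct ipscan {
+struct ipscan *ipsc_next;
+struct ipscan **ipsc_pnext;
+char ipsc_tag[ISC_TLEN]; /* table entry protocol tag */
+sinfo_t ipsc_si[2]; /* client/server side information */
+int ipsc_hits; /* times this has been matched */
+int ipsc_active; /* # of active matches */
+int ipsc_fref; /* # of references from filter rules */
+int ipsc_sref; /* # of references from state entries */
+struct action ipsc_act;
+} ipscan_t;
+#define ipsc_cl ipsc_si[0]
+#define ipsc_sl ipsc_si[1]
+#define ipsc_ctxt ipsc_cl.s_txt
+#define ipsc_cmsk ipsc_cl.s_msk
+#define ipsc_clen ipsc_cl.s_len
+#define ipsc_stxt ipsc_sl.s_txt
+#define ipsc_smsk ipsc_sl.s_msk
+#define ipsc_slen ipsc_sl.s_len
+#define ipsc_action ipsc_act.act_val
+#define ipsc_ip ipsc_act.act_ip
+#define ipsc_port ipsc_act.act_port
+#define ipsc_else ipsc_act.act_else
+#define ipsc_eip ipsc_act.act_eip
+#define ipsc_eport ipsc_act.act_eport
+#define ISC_A_NONE 0
+#define ISC_A_TRACK 1
+#define ISC_A_CLOSE 2
+#define ISC_A_REDIRECT 3
+typedef struct ipscanstat {
+struct ipscan *iscs_list;
+u_long iscs_acted;
+u_long iscs_else;
+int iscs_entries;
+} ipscanstat_t;
+extern int fr_scan_ioctl __P((caddr_t, ioctlcmd_t, int));
+extern int ipsc_init __P((void));
+extern int ipsc_attachis __P((struct ipstate *));
+extern int ipsc_attachfr __P((struct frentry *));
+extern int ipsc_detachis __P((struct ipstate *));
+extern int ipsc_detachfr __P((struct frentry *));
+extern int ipsc_packet __P((struct fr_info *, struct ipstate *));
+extern void fr_scanunload __P((void));
+#endif /* __IP_SCAN_H__ */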
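Review bot: The field comments in `struct action` and `struct sinfo` do not say what the code uses the fields for: `act_else` carries the same comment as `act_val` (`/* what to do */`) although ip_scan.c takes `ipsc_else` only when matching has failed, and `s_len` is described as `/* length of server text */` although `ipsc_si[0]` holds the client side. I'd change them to `int act_else; /* action taken when matching fails */` and `int s_len; /* bytes of s_txt/s_msk in use (client or server side) */`. `ipsc_next`/`ipsc_pnext` and the `ipsc_hits`/`ipsc_active`/`ipsc_fref`/`ipsc_sref` counters are part of the struct that SIOCADSCA accepts from userland; a comment stating that `ipsc_add` overwrites them rather than trusting the caller's values would make the ioctl contract explicit (ipsc_add is not visible here, so confirm). SIOCGSCST is declared with `struct ipscan *` but fr_scan_ioctl copies out an `ipscanstat_t` whose `iscs_list` is the live kernel `ipsc_list` pointer; declaring it as `_IOWR('r', 62, struct ipscanstat *)` documents the real payload, and the kernel-address disclosure to the (privileged) caller deserves a comment.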

1001
contrib/ipfilter/ip_sync.c Normal file


117
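--- a/contrib/ipfilter/ip_sync.h
+++ b/contrib/ipfilter/ip_sync.h
@@ -0,0 +1,117 @@
+/* $NetBSD$ */
+/*
+* Copyright (C) 1993-2001 by Darren Reed.
+*
+* See the IPFILTER.LICENCE file for details on licencing.
+*
+* @(#)ip_fil.h 1.35 6/5/96
+* Id: ip_sync.h,v 2.11.2.2 2004/11/04 19:29:07 darrenr Exp
+*/
+#ifndef __IP_SYNC_H__
+#define __IP_SYNC_H__
+typedef struct synchdr {
+u_32_t sm_magic; /* magic */
+u_char sm_v; /* version: 4,6 */
+u_char sm_p; /* protocol */
+u_char sm_cmd; /* command */
+u_char sm_table; /* NAT, STATE, etc */
+u_int sm_num; /* table entry number */
+int sm_rev; /* forward/reverse */
+int sm_len; /* length of the data section */
+struct synclist *sm_sl; /* back pointer to parent */
+} synchdr_t;
+#define SYNHDRMAGIC 0x0FF51DE5
+/*
+* Commands
+* No delete required as expirey will take care of that!
+*/
+#define SMC_CREATE 0 /* pass ipstate_t after synchdr_t */
+#define SMC_UPDATE 1
+#define SMC_MAXCMD 1
+/*
+* Tables
+*/
+#define SMC_NAT 0
+#define SMC_STATE 1
+#define SMC_MAXTBL 1
+/*
+* Only TCP requires "more" information than just a reference to the entry
+* for which an update is being made.
+*/
+typedef struct synctcp_update {
+u_long stu_age;
+tcpdata_t stu_data[2];
+int stu_state[2];
+} synctcp_update_t;
+typedef struct synclist {
+struct synclist *sl_next;
+struct synclist **sl_pnext;
+int sl_idx; /* update index */
+struct synchdr sl_hdr;
+union {
+struct ipstate *slu_ips;
+struct nat *slu_ipn;
+void *slu_ptr;
+} sl_un;
+} synclist_t;
+#define sl_ptr sl_un.slu_ptr
+#define sl_ips sl_un.slu_ips
+#define sl_ipn sl_un.slu_ipn
+#define sl_magic sl_hdr.sm_magic
+#define sl_v sl_hdr.sm_v
+#define sl_p sl_hdr.sm_p
+#define sl_cmd sl_hdr.sm_cmd
+#define sl_rev sl_hdr.sm_rev
+#define sl_table sl_hdr.sm_table
+#define sl_num sl_hdr.sm_num
+#define sl_len sl_hdr.sm_len
+/*
+* NOTE: SYNCLOG_SZ is defined *low*. It should be the next power of two
+* up for whatever number of packets per second you expect to see. Be
+* warned: this index's a table of large elements (upto 272 bytes in size
+* each), and thus a size of 8192, for example, results in a 2MB table.
+* The lesson here is not to use small machines for running fast firewalls
+* (100BaseT) in sync, where you might have upwards of 10k pps.
+*/
+#define SYNCLOG_SZ 256
+typedef struct synclogent {
+struct synchdr sle_hdr;
+union {
+struct ipstate sleu_ips;
+struct nat sleu_ipn;
+} sle_un;
+} synclogent_t;
+typedef struct syncupdent { /* 28 or 32 bytes */
+struct synchdr sup_hdr;
+struct synctcp_update sup_tcp;
+} syncupdent_t;
+extern synclogent_t synclog[SYNCLOG_SZ];
+extern int fr_sync_ioctl __P((caddr_t, ioctlcmd_t, int));
+extern synclist_t *ipfsync_new __P((int, fr_info_t *, void *));
+extern void ipfsync_del __P((synclist_t *));
+extern void ipfsync_update __P((int, fr_info_t *, synclist_t *));
+extern int ipfsync_init __P((void));
+extern int ipfsync_nat __P((synchdr_t *sp, void *data));
+extern int ipfsync_state __P((synchdr_t *sp, void *data));
+extern int ipfsync_read __P((struct uio *uio));
+extern int ipfsync_write __P((struct uio *uio));
+#endif /* IP_SYNC */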
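Review bot: The closing guard comment `#endif /* IP_SYNC */` does not match the macro opened at the top of the file, `#ifndef __IP_SYNC_H__`; change it to `#endif /* __IP_SYNC_H__ */`. `sm_len` is documented only as the length of the data section, with nothing about who sets it: if `ipfsync_write` reads a `synchdr_t` from the peer (ip_sync.c is suppressed in this view, so I cannot confirm), the header should state that `sm_len`, `sm_cmd` and `sm_table` are untrusted on input and must be checked against `SMC_MAXCMD`/`SMC_MAXTBL` and the expected payload size before use, since a negative or oversized `int` length is the obvious thing to reject here. `sm_sl` is a kernel pointer carried in the same header struct that `synclogent_t` queues for `ipfsync_read`; if the header is copied out as-is the pointer leaks to userland, and a comment should say whether that is intended or whether the field is cleared first. The comment above `SYNCLOG_SZ` also has typos worth fixing (`expirey` → `expiry`, `upto` → `up to`, `index's` → `indexes`).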


@ -1,72 +1,124 @@
/* $NetBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
* Copyright (C) 1993-2001, 2003 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ipf.h 1.12 6/5/96
* $Id: ipf.h,v 2.9.2.7 2003/05/15 17:45:33 darrenr Exp $
* Id: ipf.h,v 2.71.2.6 2005/02/21 05:05:29 darrenr Exp
*/
#ifndef __IPF_H__
#define __IPF_H__
#ifndef SOLARIS
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#if defined(__osf__)
# define radix_mask ipf_radix_mask
# define radix_node ipf_radix_node
# define radix_node_head ipf_radix_node_head
#endif
#define OPT_REMOVE 0x000001
#define OPT_DEBUG 0x000002
#define OPT_OUTQUE FR_OUTQUE /* 0x00004 */
#define OPT_INQUE FR_INQUE /* 0x00008 */
#define OPT_LOG FR_LOG /* 0x00010 */
#define OPT_SHOWLIST 0x000020
#define OPT_VERBOSE 0x000040
#define OPT_DONOTHING 0x000080
#define OPT_HITS 0x000100
#define OPT_BRIEF 0x000200
#define OPT_ACCNT FR_ACCOUNT /* 0x0400 */
#define OPT_FRSTATES FR_KEEPFRAG /* 0x0800 */
#define OPT_IPSTATES FR_KEEPSTATE /* 0x1000 */
#define OPT_INACTIVE FR_INACTIVE /* 0x2000 */
#define OPT_SHOWLINENO 0x004000
#define OPT_PRINTFR 0x008000
#define OPT_ZERORULEST 0x010000
#define OPT_SAVEOUT 0x020000
#define OPT_AUTHSTATS 0x040000
#define OPT_RAW 0x080000
#define OPT_NAT 0x100000
#define OPT_GROUPS 0x200000
#define OPT_STATETOP 0x400000
#define OPT_FLUSH 0x800000
#define OPT_CLEAR 0x1000000
#define OPT_HEX 0x2000000
#define OPT_NODO 0x80000000
#define OPT_STAT OPT_FRSTATES
#define OPT_LIST OPT_SHOWLIST
#include <sys/param.h>
#include <sys/types.h>
#include <sys/file.h>
/*
* This is a workaround for <sys/uio.h> troubles on FreeBSD, HPUX, OpenBSD.
* Needed here because on some systems <sys/uio.h> gets included by things
* like <sys/socket.h>
*/
#ifndef _KERNEL
# define ADD_KERNEL
# define _KERNEL
# define KERNEL
#endif
#ifdef __OpenBSD__
struct file;
#endif
#include <sys/uio.h>
#ifdef ADD_KERNEL
# undef _KERNEL
# undef KERNEL
#endif
#include <sys/time.h>
#include <sys/socket.h>
#include <net/if.h>
#if __FreeBSD_version >= 300000
# include <net/if_var.h>
#endif
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#ifndef TCP_PAWS_IDLE /* IRIX */
# include <netinet/tcp.h>
#endif
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <errno.h>
#include <limits.h>
#include <netdb.h>
#include <stdlib.h>
#include <stddef.h>
#include <stdio.h>
#if !defined(__SVR4) && !defined(__svr4__) && defined(sun)
# include <strings.h>
#endif
#include <string.h>
#include <unistd.h>
#include "netinet/ip_compat.h"
#include "netinet/ip_fil.h"
#include "netinet/ip_nat.h"
#include "netinet/ip_frag.h"
#include "netinet/ip_state.h"
#include "netinet/ip_proxy.h"
#include "netinet/ip_auth.h"
#include "netinet/ip_lookup.h"
#include "netinet/ip_pool.h"
#include "netinet/ip_scan.h"
#include "netinet/ip_htable.h"
#include "netinet/ip_sync.h"
#include "opts.h"
#ifndef __P
# ifdef __STDC__
# ifdef __STDC__
# define __P(x) x
# else
# define __P(x) ()
# endif
#endif
struct ipstate;
struct frpcmp;
struct ipnat;
struct nat;
#ifdef ultrix
extern char *strdup __P((char *));
#ifndef __STDC__
# undef const
# define const
#endif
extern struct frentry *parse __P((char *, int, int *));
#ifndef U_32_T
# define U_32_T 1
# if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__) || \
defined(__sgi)
typedef u_int32_t u_32_t;
# else
# if defined(__alpha__) || defined(__alpha) || defined(_LP64)
typedef unsigned int u_32_t;
# else
# if SOLARIS2 >= 6
typedef uint32_t u_32_t;
# else
typedef unsigned int u_32_t;
# endif
# endif
# endif /* __NetBSD__ || __OpenBSD__ || __FreeBSD__ || __sgi */
#endif /* U_32_T */
extern void printfr __P((struct frentry *));
extern void binprint __P((struct frentry *)), initparse __P((void));
extern int portnum __P((char *, u_short *, int));
#ifndef MAXHOSTNAMELEN
# define MAXHOSTNAMELEN 256
#endif
#define MAX_ICMPCODE 16
#define MAX_ICMPTYPE 19
struct ipopt_names {
@ -77,47 +129,178 @@ struct ipopt_names {
};
extern char *proto;
typedef struct alist_s {
struct alist_s *al_next;
int al_not;
i6addr_t al_i6addr;
i6addr_t al_i6mask;
} alist_t;
#define al_addr al_i6addr.in4_addr
#define al_mask al_i6mask.in4_addr
#define al_1 al_addr
#define al_2 al_mask
typedef struct {
u_short fb_c;
u_char fb_t;
u_char fb_f;
u_32_t fb_k;
} fakebpf_t;
#if defined(__NetBSD__) || defined(__OpenBSD__) || \
(_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) || \
SOLARIS || defined(__sgi) || defined(__osf__) || defined(linux)
# include <stdarg.h>
typedef int (* ioctlfunc_t) __P((int, ioctlcmd_t, ...));
#else
typedef int (* ioctlfunc_t) __P((dev_t, ioctlcmd_t, void *));
#endif
typedef void (* addfunc_t) __P((int, ioctlfunc_t, void *));
typedef int (* copyfunc_t) __P((void *, void *, size_t));
/*
* SunOS4
*/
#if defined(sun) && !defined(__SVR4) && !defined(__svr4__)
extern int ioctl __P((int, int, void *));
#endif
extern char thishost[];
extern char flagset[];
extern u_char flags[];
extern struct ipopt_names ionames[];
extern struct ipopt_names secclass[];
extern char *icmpcodes[MAX_ICMPCODE + 1];
extern char *icmptypes[MAX_ICMPTYPE + 1];
extern int use_inet6;
extern int lineNum;
extern struct ipopt_names v6ionames[];
extern u_char tcp_flags __P((char *, u_char *, int));
extern int countbits __P((u_32_t));
extern int ratoi __P((char *, int *, int, int));
extern int ratoui __P((char *, u_int *, u_int, u_int));
extern int hostmask __P((char ***, u_32_t *, u_32_t *, u_short *, int *,
u_short *, int));
extern int ports __P((char ***, u_short *, int *, u_short *, int));
extern char *portname __P((int, int));
extern u_32_t buildopts __P((char *, char *, int));
extern int genmask __P((char *, u_32_t *));
extern int hostnum __P((u_32_t *, char *, int));
extern u_32_t optname __P((char ***, u_short *, int));
extern void printpacket __P((ip_t *));
extern void printpacket6 __P((ip_t *));
extern void printportcmp __P((int, struct frpcmp *));
extern void printhostmask __P((int, u_32_t *, u_32_t *));
extern void printbuf __P((char *, int, int));
extern char *hostname __P((int, void *));
extern struct ipstate *printstate __P((struct ipstate *, int));
extern void printnat __P((struct ipnat *, int));
extern void printactivenat __P((struct nat *, int));
extern int addicmp __P((char ***, struct frentry *, int));
extern int addipopt __P((char *, struct ipopt_names *, int, char *));
extern int addkeep __P((char ***, struct frentry *, int));
extern int bcopywrap __P((void *, void *, size_t));
extern void binprint __P((void *, size_t));
extern void initparse __P((void));
extern u_32_t buildopts __P((char *, char *, int));
extern int checkrev __P((char *));
extern int count6bits __P((u_32_t *));
extern int count4bits __P((u_32_t));
extern int extras __P((char ***, struct frentry *, int));
extern char *fac_toname __P((int));
extern int fac_findname __P((char *));
extern void fill6bits __P((int, u_int *));
extern int gethost __P((char *, u_32_t *));
extern int getport __P((struct frentry *, char *, u_short *));
extern int getportproto __P((char *, int));
extern int getproto __P((char *));
extern char *getline __P((char *, size_t, FILE *, int *));
extern int genmask __P((char *, u_32_t *));
extern char *getnattype __P((struct ipnat *));
extern char *getsumd __P((u_32_t));
extern u_32_t getoptbyname __P((char *));
extern u_32_t getoptbyvalue __P((int));
extern u_32_t getv6optbyname __P((char *));
extern u_32_t getv6optbyvalue __P((int));
extern void hexdump __P((FILE *, void *, int, int));
extern int hostmask __P((char ***, char *, char *, u_32_t *, u_32_t *, int));
extern int hostnum __P((u_32_t *, char *, int, char *));
extern int icmpcode __P((char *));
extern int icmpidnum __P((char *, u_short *, int));
extern void initparse __P((void));
extern void ipf_dotuning __P((int, char *, ioctlfunc_t));
extern void ipf_addrule __P((int, ioctlfunc_t, void *));
extern int ipf_parsefile __P((int, addfunc_t, ioctlfunc_t *, char *));
extern int ipf_parsesome __P((int, addfunc_t, ioctlfunc_t *, FILE *));
extern int ipmon_parsefile __P((char *));
extern int ipmon_parsesome __P((FILE *));
extern void ipnat_addrule __P((int, ioctlfunc_t, void *));
extern int ipnat_parsefile __P((int, addfunc_t, ioctlfunc_t, char *));
extern int ipnat_parsesome __P((int, addfunc_t, ioctlfunc_t, FILE *));
extern int ippool_parsefile __P((int, char *, ioctlfunc_t));
extern int ippool_parsesome __P((int, FILE *, ioctlfunc_t));
extern int kmemcpywrap __P((void *, void *, size_t));
extern char *kvatoname __P((ipfunc_t, ioctlfunc_t));
extern int load_hash __P((struct iphtable_s *, struct iphtent_s *,
ioctlfunc_t));
extern int load_hashnode __P((int, char *, struct iphtent_s *, ioctlfunc_t));
extern int load_pool __P((struct ip_pool_s *list, ioctlfunc_t));
extern int load_poolnode __P((int, char *, ip_pool_node_t *, ioctlfunc_t));
extern int loglevel __P((char **, u_int *, int));
extern alist_t *make_range __P((int, struct in_addr, struct in_addr));
extern ipfunc_t nametokva __P((char *, ioctlfunc_t));
extern ipnat_t *natparse __P((char *, int));
extern void natparsefile __P((int, char *, int));
extern void nat_setgroupmap __P((struct ipnat *));
extern int ntomask __P((int, int, u_32_t *));
extern u_32_t optname __P((char ***, u_short *, int));
extern struct frentry *parse __P((char *, int));
extern char *portname __P((int, int));
extern int portnum __P((char *, char *, u_short *, int));
extern int ports __P((char ***, char *, u_short *, int *, u_short *, int));
extern int pri_findname __P((char *));
extern char *pri_toname __P((int));
extern void print_toif __P((char *, struct frdest *));
extern void printaps __P((ap_session_t *, int));
extern void printbuf __P((char *, int, int));
extern void printfr __P((struct frentry *, ioctlfunc_t));
extern void printtunable __P((ipftune_t *));
extern struct iphtable_s *printhash __P((struct iphtable_s *, copyfunc_t,
char *, int));
extern struct iphtent_s *printhashnode __P((struct iphtable_s *,
struct iphtent_s *,
copyfunc_t, int));
extern void printhostmask __P((int, u_32_t *, u_32_t *));
extern void printip __P((u_32_t *));
extern void printlog __P((struct frentry *));
extern void printlookup __P((i6addr_t *addr, i6addr_t *mask));
extern void printmask __P((u_32_t *));
extern void printpacket __P((struct ip *));
extern void printpacket6 __P((struct ip *));
extern struct ip_pool_s *printpool __P((struct ip_pool_s *, copyfunc_t,
char *, int));
extern struct ip_pool_node *printpoolnode __P((struct ip_pool_node *, int));
extern void printportcmp __P((int, struct frpcmp *));
extern void optprint __P((u_short *, u_long, u_long));
#ifdef USE_INET6
extern void optprintv6 __P((u_short *, u_long, u_long));
#endif
extern int ratoi __P((char *, int *, int, int));
extern int ratoui __P((char *, u_int *, u_int, u_int));
extern int remove_hash __P((struct iphtable_s *, ioctlfunc_t));
extern int remove_hashnode __P((int, char *, struct iphtent_s *, ioctlfunc_t));
extern int remove_pool __P((ip_pool_t *, ioctlfunc_t));
extern int remove_poolnode __P((int, char *, ip_pool_node_t *, ioctlfunc_t));
extern u_char tcp_flags __P((char *, u_char *, int));
extern u_char tcpflags __P((char *));
extern int to_interface __P((struct frdest *, char *, int));
extern void printc __P((struct frentry *));
extern void printC __P((int));
extern void emit __P((int, int, void *, struct frentry *));
extern u_char secbit __P((int));
extern u_char seclevel __P((char *));
extern void printfraginfo __P((char *, struct ipfr *));
extern void printifname __P((char *, char *, void *));
extern char *hostname __P((int, void *));
extern struct ipstate *printstate __P((struct ipstate *, int, u_long));
extern void printsbuf __P((char *));
extern void printnat __P((struct ipnat *, int));
extern void printactivenat __P((struct nat *, int));
extern void printhostmap __P((struct hostmap *, u_int));
extern void printpacket __P((struct ip *));
extern void set_variable __P((char *, char *));
extern char *get_variable __P((char *, char **, int));
extern void resetlexer __P((void));
#if SOLARIS
extern int inet_aton __P((const char *, struct in_addr *));
extern int gethostname __P((char *, int ));
extern void sync __P((void));
#endif
#if defined(sun) && !SOLARIS
# define STRERROR(x) sys_errlist[x]
extern char *sys_errlist[];
#else
# define STRERROR(x) strerror(x)
#endif
#ifndef MIN
#define MIN(a,b) ((a) > (b) ? (b) : (a))
extern int gethostname __P((char *, int ));
extern void sync __P((void));
#endif
#endif /* __IPF_H__ */
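Review bot: `extern char *getline __P((char *, size_t, FILE *, int *));` declares a function whose name is taken by POSIX.1-2008 `getline(3)`, which `<stdio.h>` (included earlier in this header) exposes on current glibc and BSD with a different signature, so the two prototypes will conflict; renaming it (for example `ipf_getline`) avoids the clash. The rendering has lost the +/- markers, but `initparse` and `printpacket __P((struct ip *))` each appear twice in the new prototype list; identical redeclarations are legal C, yet one copy of each should go. `STRERROR(x)` expands to `sys_errlist[x]` on pre-Solaris sun with no bound check, while every other platform goes through `strerror`; either guard it with `(x) < sys_nerr` or drop the special case.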


@ -0,0 +1,9 @@
y.tab.h
y.output
lex.yy.c
y.tab.c
y.tab.o
lex.yy.o
iplang_y.output
iplang_y.tab.c
iplang_y.tab.h


@ -1,36 +1,31 @@
#
# Redistribution and use in source and binary forms are permitted
# provided that this notice is preserved and due credit is given
# to the original author and the contributors.
# See the IPFILTER.LICENCE file for details on licencing.
#
#CC=gcc -Wuninitialized -Wstrict-prototypes -Werror -O
CFLAGS=-I..
all: $(DESTDIR)/y.tab.o $(DESTDIR)/lex.yy.o
all: $(DESTDIR)/iplang_y.o $(DESTDIR)/iplang_l.o
$(DESTDIR)/y.tab.o: $(DESTDIR)/y.tab.c
$(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/y.tab.c -o $@
$(DESTDIR)/iplang_y.o: $(DESTDIR)/iplang_y.c
$(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/iplang_y.c -o $@
$(DESTDIR)/$(OBJ)/y.tab.o: $(DESTDIR)/y.tab.c
$(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/y.tab.c -o $@
$(DESTDIR)/iplang_l.o: $(DESTDIR)/iplang_l.c
$(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/iplang_l.c -o $@
$(DESTDIR)/lex.yy.o: $(DESTDIR)/lex.yy.c
$(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/lex.yy.c -o $@
iplang_y.o: iplang_y.c
$(CC) $(DEBUG) -I. -I.. -I../ipsend $(CFLAGS) $(LINUX) -c $< -o $@
y.tab.o: y.tab.c
$(CC) $(DEBUG) -I. -I.. -I../ipsend $(CFLAGS) $(LINUX) -c y.tab.c -o $@
iplang_l.o: iplang_l.c
$(CC) $(DEBUG) -I. -I.. -I../ipsend $(CFLAGS) $(LINUX) -c $< -o $@
lex.yy.o: lex.yy.c
$(CC) $(DEBUG) -I. -I.. -I../ipsend $(CFLAGS) $(LINUX) -c lex.yy.c -o $@
$(DESTDIR)/lex.yy.c: iplang_l.l $(DESTDIR)/y.tab.h
$(DESTDIR)/iplang_l.c: iplang_l.l $(DESTDIR)/iplang_y.h
lex iplang_l.l
mv lex.yy.c $(DESTDIR)
mv lex.yy.c $(DESTDIR)/iplang_l.c
$(DESTDIR)/y.tab.c $(DESTDIR)/y.tab.h: iplang_y.y
$(DESTDIR)/iplang_y.c $(DESTDIR)/iplang_y.h: iplang_y.y
yacc -d iplang_y.y
mv y.tab.c $(DESTDIR)
mv y.tab.h $(DESTDIR)
mv y.tab.c $(DESTDIR)/iplang_y.c
mv y.tab.h $(DESTDIR)/iplang_y.h
clean:
/bin/rm -f *.o lex.yy.c y.tab.c y.tab.h
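Review bot: `$(DESTDIR)/iplang_y.c $(DESTDIR)/iplang_y.h: iplang_y.y` defines two independent rules with the same recipe, so under `make -j` yacc can run twice in the same directory and the two `mv y.tab.c`/`mv y.tab.h` pairs race on the shared temporaries; build one target and chain the other, `$(DESTDIR)/iplang_y.h: $(DESTDIR)/iplang_y.c` with an empty recipe, or use a stamp file. `clean` still removes only `lex.yy.c y.tab.c y.tab.h`, not the renamed outputs `iplang_l.c iplang_y.c iplang_y.h` in `$(DESTDIR)`, and it is not declared `.PHONY`. With `DESTDIR` unset, `mv lex.yy.c $(DESTDIR)/iplang_l.c` writes to `/iplang_l.c`; a `$(if $(strip $(DESTDIR)),,$(error DESTDIR is unset))` guard would catch that. The `$(DESTDIR)/iplang_y.o` and `$(DESTDIR)/iplang_l.o` recipes could also use `$<` as the non-`$(DESTDIR)` rules already do.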


@ -1,3 +1,5 @@
/* $NetBSD$ */
/*
* Copyright (C) 1997-1998 by Darren Reed.
*


@ -1,12 +1,12 @@
/* $NetBSD$ */
%{
/*
* Copyright (C) 1997-1998 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: iplang_l.l,v 2.2.2.1 2003/07/28 01:15:59 darrenr Exp $
* Id: iplang_l.l,v 2.8 2003/07/28 01:15:31 darrenr Exp
*/
#include <stdio.h>
#include <string.h>
@ -17,8 +17,7 @@
#include <sys/types.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include "y.tab.h"
#include "ip_compat.h"
#include "iplang_y.h"
#include "ipf.h"
#ifndef __P
@ -43,13 +42,13 @@ int save_token __P((void));
void swallow __P((void));
int yylex __P((void));
struct wordtab {
struct lwordtab {
char *word;
int state;
int next;
};
struct wordtab words[] = {
struct lwordtab words[] = {
{ "interface", IL_INTERFACE, -1 },
{ "iface", IL_INTERFACE, -1 },
{ "name", IL_IFNAME, IL_TOKEN },
@ -217,7 +216,7 @@ void pop_proto()
int save_token()
{
yylval.str = strdup(yytext);
yylval.str = strdup((char *)yytext);
return IL_TOKEN;
}
@ -225,7 +224,7 @@ int save_token()
int next_item(nstate)
int nstate;
{
struct wordtab *wt;
struct lwordtab *wt;
if (opts & OPT_DEBUG)
printf("text=[%s] id=%d next=%d\n", yytext, nstate, next);
@ -236,13 +235,13 @@ int nstate;
token++;
for (wt = words; wt->word; wt++)
if (!strcasecmp(wt->word, yytext))
if (!strcasecmp(wt->word, (char *)yytext))
return next_state(wt->state, wt->next);
if (opts & OPT_DEBUG)
printf("unknown keyword=[%s]\n", yytext);
next = -1;
if (nstate == IL_NUMBER)
yylval.num = atoi(yytext);
yylval.num = atoi((char *)yytext);
token++;
return nstate;
}
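Review bot: `yylval.str = strdup((char *)yytext);` in `save_token` still returns `IL_TOKEN` with a NULL string when `strdup` fails, and the parser will dereference it; check the result, e.g. `if (yylval.str == NULL) { perror("strdup"); exit(1); }`, or route it through whatever error path the lexer already has. In `next_item`, `yylval.num = atoi((char *)yytext)` silently accepts out-of-range values; `strtol` with an `errno`/range check would reject them. The added casts themselves look fine, presumably because `yytext` is `unsigned char *` with some flex versions.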

96
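--- a/contrib/ipfilter/ipmon.h
+++ b/contrib/ipfilter/ipmon.h
@@ -0,0 +1,96 @@
+/* $NetBSD$ */
+/*
+* Copyright (C) 1993-2001 by Darren Reed.
+*
+* See the IPFILTER.LICENCE file for details on licencing.
+*
+* @(#)ip_fil.h 1.35 6/5/96
+* Id: ipmon.h,v 2.8 2003/07/25 22:16:20 darrenr Exp
+*/
+typedef struct ipmon_action {
+struct ipmon_action *ac_next;
+int ac_mflag; /* collection of things to compare */
+int ac_dflag; /* flags to compliment the doing fields */
+int ac_syslog; /* = 1 to syslog rules. */
+char *ac_savefile; /* filename to save log records to */
+FILE *ac_savefp;
+int ac_direction;
+char ac_group[FR_GROUPLEN];
+char ac_nattag[16];
+u_32_t ac_logtag;
+int ac_type; /* nat/state/ipf */
+int ac_proto;
+int ac_rule;
+int ac_packet;
+int ac_second;
+int ac_result;
+u_32_t ac_sip;
+u_32_t ac_smsk;
+u_32_t ac_dip;
+u_32_t ac_dmsk;
+u_short ac_sport;
+u_short ac_dport;
+char *ac_exec; /* execute argument */
+char *ac_run; /* actual command that gets run */
+char *ac_iface;
+/*
+* used with ac_packet/ac_second
+*/
+struct timeval ac_last;
+int ac_pktcnt;
+} ipmon_action_t;
+#define ac_lastsec ac_last.tv_sec
+#define ac_lastusec ac_last.tv_usec
+/*
+* Flags indicating what fields to do matching upon (ac_mflag).
+*/
+#define IPMAC_DIRECTION 0x0001
+#define IPMAC_DSTIP 0x0002
+#define IPMAC_DSTPORT 0x0004
+#define IPMAC_EVERY 0x0008
+#define IPMAC_GROUP 0x0010
+#define IPMAC_INTERFACE 0x0020
+#define IPMAC_LOGTAG 0x0040
+#define IPMAC_NATTAG 0x0080
+#define IPMAC_PROTOCOL 0x0100
+#define IPMAC_RESULT 0x0200
+#define IPMAC_RULE 0x0400
+#define IPMAC_SRCIP 0x0800
+#define IPMAC_SRCPORT 0x1000
+#define IPMAC_TYPE 0x2000
+#define IPMAC_WITH 0x4000
+#define IPMR_BLOCK 1
+#define IPMR_PASS 2
+#define IPMR_NOMATCH 3
+#define IPMR_LOG 4
+#define IPMDO_SAVERAW 0x0001
+#define OPT_SYSLOG 0x001
+#define OPT_RESOLVE 0x002
+#define OPT_HEXBODY 0x004
+#define OPT_VERBOSE 0x008
+#define OPT_HEXHDR 0x010
+#define OPT_TAIL 0x020
+#define OPT_NAT 0x080
+#define OPT_STATE 0x100
+#define OPT_FILTER 0x200
+#define OPT_PORTNUM 0x400
+#define OPT_LOGALL (OPT_NAT|OPT_STATE|OPT_FILTER)
+#define HOSTNAME_V4(a,b) hostname((a), 4, (u_32_t *)&(b))
+#ifndef LOGFAC
+#define LOGFAC LOG_LOCAL0
+#endif
+extern int load_config __P((char *));
+extern void dumphex __P((FILE *, int, char *, int));
+extern int check_action __P((char *, char *, int, int));
+extern char *getword __P((int));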
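Review bot: The header has no include guard, whereas `ip_scan.h` and `ip_sync.h` in this same commit wrap themselves in `#ifndef`/`#define`; add `#ifndef __IPMON_H__` / `#define __IPMON_H__` at the top and `#endif /* __IPMON_H__ */` at the end. `HOSTNAME_V4(a,b)` expands to a three-argument call `hostname((a), 4, (u_32_t *)&(b))`, while ipf.h in this commit declares `hostname __P((int, void *))`; unless ipmon.c provides its own `hostname`, the macro and the prototype need to agree. `ac_exec`/`ac_run` hold a configured command and "the actual command that gets run"; a comment should state whether packet-derived fields (addresses, tags, interface names) are ever substituted into `ac_run` before it reaches a shell, since that decides whether they must be quoted or rejected when the command is built.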


@ -1,3 +1,5 @@
/* $NetBSD$ */
/*
* (C)opyright 1995 by Darren Reed.
*


@ -1,9 +1,7 @@
#
# Copyright (C) 1993-1998 by Darren Reed.
#
# Redistribution and use in source and binary forms are permitted
# provided that this notice is preserved and due credit is given
# to the original author and the contributors.
# See the IPFILTER.LICENCE file for details on licencing.
#
OBJS=ipsd.o
BINDEST=/usr/local/bin


@ -1,11 +1,10 @@
/* $NetBSD$ */
/*
* (C)opyright 1995-1998 Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* The author of this software makes no garuntee about the
* performance of this package or its suitability to fulfill any purpose.
*
*/
#include <stdio.h>
#include <fcntl.h>
@ -35,7 +34,7 @@
#ifndef lint
static const char sccsid[] = "@(#)ipsd.c 1.3 12/3/95 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipsd.c,v 2.1.4.1 2001/06/26 10:43:21 darrenr Exp $";
static const char rcsid[] = "@(#)Id: ipsd.c,v 2.2 2001/06/09 17:09:25 darrenr Exp";
#endif
extern char *optarg;


@ -1,11 +1,10 @@
/* $NetBSD$ */
/*
* (C)opyright 1995-1998 Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* The author of this software makes no garuntee about the
* performance of this package or its suitability to fulfill any purpose.
*
* @(#)ipsd.h 1.3 12/3/95
*/


@ -1,11 +1,10 @@
/* $NetBSD$ */
/*
* (C)opyright 1995-1998 Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* The author of this software makes no garuntee about the
* performance of this package or its suitability to fulfill any purpose.
*
*/
#include <stdio.h>
#include <fcntl.h>
@ -36,7 +35,7 @@
#ifndef lint
static const char sccsid[] = "@(#)ipsdr.c 1.3 12/3/95 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipsdr.c,v 2.1.4.1 2001/06/26 10:43:21 darrenr Exp $";
static const char rcsid[] = "@(#)Id: ipsdr.c,v 2.2 2001/06/09 17:09:25 darrenr Exp";
#endif
extern char *optarg;


@ -1,3 +1,5 @@
/* $NetBSD$ */
/*
* Copyright (C) 1997-1998 by Darren Reed.
*


@ -1,3 +1,5 @@
/* $NetBSD$ */
/*
* (C)opyright 1995-1998 Darren Reed. (from tcplog)
*


@ -1,3 +1,5 @@
/* $NetBSD$ */
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
*
@ -158,7 +160,7 @@ int tout;
(void) sprintf(devname, "/dev/%s", device);
s = devname + 5;
while (*s && !isdigit(*s))
while (*s && !ISDIGIT(*s))
s++;
if (!*s)
{
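Review bot: `(void) sprintf(devname, "/dev/%s", device);` just above the changed line writes `device` into `devname` with no length bound; if `devname` is a fixed-size array (its declaration and the start of this function are outside the hunk), it should become `(void) snprintf(devname, sizeof(devname), "/dev/%s", device);`. `ISDIGIT` is not defined in this hunk; I assume it is the ip_compat.h wrapper that casts to `unsigned char` before `isdigit`, which is the right fix for the original call on a plain `char`.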


@ -1,11 +1,10 @@
/* $NetBSD$ */
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* The author of this software makes no garuntee about the
* performance of this package or its suitability to fulfill any purpose.
*
*/
#include <stdio.h>


@ -1,11 +1,10 @@
/* $NetBSD$ */
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* The author of this software makes no garuntee about the
* performance of this package or its suitability to fulfill any purpose.
*
*/
#include <stdio.h>


@ -1,3 +1,5 @@
/* $NetBSD$ */
/*
* (C)opyright 1995 by Darren Reed.
*


@ -0,0 +1,3 @@
ipsend
ipresend
iptest


@ -1,33 +1,37 @@
/* $NetBSD$ */
/*
* Based upon 4.4BSD's /usr/sbin/arp
*/
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
#include <sys/param.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/sysctl.h>
#include <net/if.h>
#if __FreeBSD_version >= 300000
# include <net/if_var.h>
#endif
#include <net/if_dl.h>
#include <net/if_types.h>
#if defined(__FreeBSD__)
# include "radix_ipf.h"
#endif
#include <net/route.h>
#include <netinet/in.h>
#include <netinet/if_ether.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_var.h>
#include <netinet/tcp.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
#include <netdb.h>
#include <errno.h>
#include <nlist.h>
#include <stdio.h>
#include <netinet/in.h>
#include <netinet/ip_var.h>
#include <netinet/tcp.h>
#if __FreeBSD_version >= 300000
# include <net/if_var.h>
#endif
#include "ipsend.h"
#include "iplang/iplang.h"
@ -37,7 +41,7 @@
* its IP address in address
* (4 bytes)
*/
int resolve(host, address)
int resolve(host, address)
char *host, *address;
{
struct hostent *hp;
@ -74,6 +78,9 @@ char *addr, *eaddr;
return 0;
#endif
if (!addr)
return -1;
mib[0] = CTL_NET;
mib[1] = PF_ROUTE;
mib[2] = 0;
@ -101,8 +108,8 @@ char *addr, *eaddr;
rtm = (struct rt_msghdr *)next;
sin = (struct sockaddr_inarp *)(rtm + 1);
sdl = (struct sockaddr_dl *)(sin + 1);
if (addr && !bcmp(addr, (char *)&sin->sin_addr,
sizeof(struct in_addr)))
if (!bcmp(addr, (char *)&sin->sin_addr,
sizeof(struct in_addr)))
{
bcopy(LLADDR(sdl), eaddr, sdl->sdl_alen);
return 0;
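Review bot: `bcopy(LLADDR(sdl), eaddr, sdl->sdl_alen);` copies a kernel-reported link-layer length into `eaddr` without checking it against the buffer the caller passed; if `eaddr` is the 6-byte Ethernet buffer this code implies, skip entries whose `sdl->sdl_alen` is not 6 before the copy, e.g. `if (sdl->sdl_alen != 6) continue;` (or return -1 if this is not inside a loop — the walk's start is outside the hunk). The new `if (!addr) return -1;` makes the dropped `addr &&` in the `bcmp` correct, but the routing-table walk and `resolve` both begin outside this hunk, so the remaining length handling should be checked there too.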


@ -1,9 +1,7 @@
#
# Copyright (C) 1993-1998 by Darren Reed.
#
# Redistribution and use in source and binary forms are permitted
# provided that this notice is preserved and due credit is given
# to the original author and the contributors.
# See the IPFILTER.LICENCE file for details on licencing.
#
IPFT=ipft_ef.o ipft_hx.o ipft_pc.o ipft_sn.o ipft_td.o ipft_tx.o opt.o
OBJS=ipsend.o ip.o ipsopt.o y.tab.o lex.yy.o
@ -134,6 +132,14 @@ hpux9 :
make iptest "TOBJS=$(TOBJS)" "UNIXOBJS=$(HPUX)" "CC=$(CC)" \
CFLAGS="$(CFLAGS)" "LIBS="
hpux11 :
make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(HPUX)" "CC=$(CC)" \
CFLAGS="$(CFLAGS) -DIPSEND" "LIBS="
make ipresend "ROBJS=$(ROBJS)" "UNIXOBJS=$(HPUX)" "CC=$(CC)" \
CFLAGS="$(CFLAGS)" "LIBS="
make iptest "TOBJS=$(TOBJS)" "UNIXOBJS=$(HPUX)" "CC=$(CC)" \
CFLAGS="$(CFLAGS)" "LIBS="
ipsend: ipf $(OBJS) $(UNIXOBJS)
$(CC) $(OBJS) $(UNIXOBJS) -o $@ $(LIBS) $(LLIB) $(ELIB)
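Review bot: The new `hpux11` target invokes `make` directly on each of its three recipe lines, copying the older `hpux9` block; recursive invocations should be `$(MAKE)` so that `-j` (the jobserver), `-n` and command-line overrides propagate, e.g. `$(MAKE) ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(HPUX)" "CC=$(CC)" \`. `hpux11` is a command rather than a file and should be listed in `.PHONY`; no such declaration is visible in this hunk, so confirm against the rest of the Makefile.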


@ -1,20 +1,21 @@
/* $NetBSD$ */
/*
* arp.c (C) 1995-1998 Darren Reed
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#if !defined(lint)
static const char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)Id: arp.c,v 2.8 2003/12/01 02:01:15 darrenr Exp";
#endif
#include <stdio.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#if !defined(ultrix) && !defined(hpux)
#if !defined(ultrix) && !defined(hpux) && !defined(__hpux) && !defined(__osf__)
#include <sys/sockio.h>
#endif
#include <sys/ioctl.h>
#include <netdb.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <net/if.h>
#include <netinet/if_ether.h>
@ -22,23 +23,22 @@
#include <net/if_arp.h>
#endif
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_var.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <errno.h>
#include <netdb.h>
#include "ipsend.h"
#include "iplang/iplang.h"
#if !defined(lint)
static const char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: arp.c,v 2.1.4.4 2002/12/06 11:40:35 darrenr Exp $";
#endif
/*
* lookup host and return
* its IP address in address
* (4 bytes)
*/
int resolve(host, address)
int resolve(host, address)
char *host, *address;
{
struct hostent *hp;
@ -90,7 +90,11 @@ char *ether;
bcopy(ip, (char *)&sin->sin_addr.s_addr, 4);
#ifndef hpux
if ((hp = gethostbyaddr(ip, 4, AF_INET)))
# if SOLARIS && (SOLARIS2 >= 10)
if (!(ether_hostton(hp->h_name, (struct ether_addr *)ether)))
# else
if (!(ether_hostton(hp->h_name, ether)))
# endif
goto savearp;
#endif
@ -122,6 +126,13 @@ char *ether;
return -1;
}
if ((ar.arp_ha.sa_data[0] == 0) && (ar.arp_ha.sa_data[1] == 0) &&
(ar.arp_ha.sa_data[2] == 0) && (ar.arp_ha.sa_data[3] == 0) &&
(ar.arp_ha.sa_data[4] == 0) && (ar.arp_ha.sa_data[5] == 0)) {
fprintf(stderr, "(%s):", inet_ntoa(sin->sin_addr));
return -1;
}
bcopy(ar.arp_ha.sa_data, ether, 6);
savearp:
bcopy(ether, ethersave, 6);
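Review bot: The new all-zero hardware-address check (`ar.arp_ha.sa_data[0] == 0 && ...`) reports only `(%s):` — no message, no newline — before returning -1, so the only explanation a user sees is the caller's `perror("arp")` (visible in ip.c), which may attach a stale errno since the SIOCGARP ioctl itself succeeded; print a self-contained line such as `fprintf(stderr, "(%s): no hardware address for host\n", inet_ntoa(sin->sin_addr));`. The comparison and the following `bcopy(ar.arp_ha.sa_data, ether, 6)` also hard-code a 6-byte Ethernet address; a one-line comment stating that assumption would help whoever ports this to another link type. The `gethostbyaddr()`→`ether_hostton()` path above lets a reverse-DNS answer pick the /etc/ethers entry, which is worth noting in a comment given that ipsend runs with raw-socket privileges. arp()'s body starts outside the hunk.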


@ -1,3 +1,5 @@
/* $NetBSD$ */
/*
* Common (shared) DLPI test routines.
* Mostly pretty boring boilerplate sorta stuff.
@ -18,7 +20,11 @@ typedef unsigned long ulong;
#include <sys/types.h>
#include <sys/stream.h>
#include <sys/stropts.h>
#include <sys/dlpi.h>
#ifdef __osf__
# include <sys/dlpihdr.h>
#else
# include <sys/dlpi.h>
#endif
#include <sys/signal.h>
#include <stdio.h>
#include <string.h>
@ -35,6 +41,7 @@ char *dlstyle();
char *dlmactype();
void
dlinforeq(fd)
int fd;
{
@ -54,6 +61,7 @@ int fd;
syserr("dlinforeq: putmsg");
}
void
dlinfoack(fd, bufp)
int fd;
char *bufp;
@ -82,6 +90,7 @@ char *bufp;
err("dlinfoack: short response ctl.len: %d", ctl.len);
}
void
dlattachreq(fd, ppa)
int fd;
u_long ppa;
@ -103,6 +112,7 @@ u_long ppa;
syserr("dlattachreq: putmsg");
}
void
dlenabmultireq(fd, addr, length)
int fd;
char *addr;
@ -131,6 +141,7 @@ int length;
syserr("dlenabmultireq: putmsg");
}
void
dldisabmultireq(fd, addr, length)
int fd;
char *addr;
@ -159,6 +170,7 @@ int length;
syserr("dldisabmultireq: putmsg");
}
void
dlpromisconreq(fd, level)
int fd;
u_long level;
@ -181,6 +193,7 @@ u_long level;
}
void
dlpromiscoff(fd, level)
int fd;
u_long level;
@ -202,6 +215,7 @@ u_long level;
syserr("dlpromiscoff: putmsg");
}
void
dlphysaddrreq(fd, addrtype)
int fd;
u_long addrtype;
@ -223,6 +237,7 @@ u_long addrtype;
syserr("dlphysaddrreq: putmsg");
}
void
dlsetphysaddrreq(fd, addr, length)
int fd;
char *addr;
@ -251,6 +266,7 @@ int length;
syserr("dlsetphysaddrreq: putmsg");
}
void
dldetachreq(fd)
int fd;
{
@ -270,6 +286,7 @@ int fd;
syserr("dldetachreq: putmsg");
}
void
dlbindreq(fd, sap, max_conind, service_mode, conn_mgmt, xidtest)
int fd;
u_long sap;
@ -299,6 +316,7 @@ u_long xidtest;
syserr("dlbindreq: putmsg");
}
void
dlunitdatareq(fd, addrp, addrlen, minpri, maxpri, datap, datalen)
int fd;
u_char *addrp;
@ -333,6 +351,7 @@ int datalen;
syserr("dlunitdatareq: putmsg");
}
void
dlunbindreq(fd)
int fd;
{
@ -352,6 +371,7 @@ int fd;
syserr("dlunbindreq: putmsg");
}
void
dlokack(fd, bufp)
int fd;
char *bufp;
@ -380,6 +400,7 @@ char *bufp;
err("dlokack: short response ctl.len: %d", ctl.len);
}
void
dlerrorack(fd, bufp)
int fd;
char *bufp;
@ -408,6 +429,7 @@ char *bufp;
err("dlerrorack: short response ctl.len: %d", ctl.len);
}
void
dlbindack(fd, bufp)
int fd;
char *bufp;
@ -433,6 +455,7 @@ char *bufp;
err("dlbindack: short response ctl.len: %d", ctl.len);
}
void
dlphysaddrack(fd, bufp)
int fd;
char *bufp;
@ -695,10 +718,11 @@ union DL_primitives *dlp;
printdlerrorack(dlp)
union DL_primitives *dlp;
{
(void) printf("DL_ERROR_ACK: error_primitive %s errno %s unix_errno %d\n",
(void) printf("DL_ERROR_ACK: error_primitive %s errno %s unix_errno %d: %s\n",
dlprim(dlp->error_ack.dl_error_primitive),
dlerrno(dlp->error_ack.dl_errno),
dlp->error_ack.dl_unix_errno);
dlp->error_ack.dl_unix_errno,
strerror(dlp->error_ack.dl_unix_errno));
}
printdlenabmultireq(dlp)
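Review bot: The request helpers gain a `void` return type here but nothing says how failure is signalled; every visible one ends in `syserr(...)` or `err(...)`, i.e. it terminates the process, so callers cannot test them. A one-line header on each, e.g. `/* Send DL_ATTACH_REQ for ppa on fd; exits via syserr() if putmsg fails, never returns an error. */`, would make that explicit — sdlpi.c in this same commit still compares `dlattachreq(...)` against -1, which suggests the contract is not obvious. The function bodies are cut by the hunks.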


@ -1,3 +1,5 @@
/* $NetBSD$ */
/*
* Common DLPI Test Suite header file
*


@ -1,7 +1,11 @@
/* $NetBSD$ */
/*
* (C)opyright 1997-1998 Darren Reed. (from tcplog)
*
* See the IPFILTER.LICENCE file for details on licencing.
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*/
#include <stdio.h>
#include <strings.h>


@ -1,3 +1,5 @@
/* $NetBSD$ */
/* @(#)in_var.h 1.3 88/08/19 SMI; from UCB 7.1 6/5/86 */
/*
@ -173,5 +175,5 @@ struct in_multistep {
}
struct in_multi *in_addmulti();
#endif KERNEL
#endif /* KERNEL */
#endif /*!_netinet_in_var_h*/


@ -1,25 +1,21 @@
/* $NetBSD$ */
/*
* ip.c (C) 1995-1998 Darren Reed
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995";
static const char rcsid[] = "@(#)Id: ip.c,v 2.8.2.1 2004/10/19 12:31:48 darrenr Exp";
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/param.h>
#include <sys/types.h>
#include <netinet/in_systm.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#include <sys/param.h>
#ifndef linux
# include <netinet/if_ether.h>
@ -28,12 +24,13 @@
# include <net/if_var.h>
# endif
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include "ipsend.h"
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995";
static const char rcsid[] = "@(#)$Id: ip.c,v 2.1.4.5 2002/12/06 11:40:35 darrenr Exp $";
#endif
static char *ipbuf = NULL, *ethbuf = NULL;
@ -71,7 +68,9 @@ struct in_addr gwip;
bcopy((char *)buf, s + sizeof(*eh), len);
if (gwip.s_addr == last_gw.s_addr)
{
bcopy(last_arp, (char *)A_A eh->ether_dhost, 6);
}
else if (arp((char *)&gwip, (char *)A_A eh->ether_dhost) == -1)
{
perror("arp");
@ -92,7 +91,8 @@ ip_t *ip;
struct in_addr gwip;
int frag;
{
static struct in_addr last_gw;
static struct in_addr last_gw, local_ip;
static char local_arp[6] = { 0, 0, 0, 0, 0, 0};
static char last_arp[6] = { 0, 0, 0, 0, 0, 0};
static u_short id = 0;
ether_header_t *eh;
@ -102,7 +102,7 @@ int frag;
if (!ipbuf)
{
ipbuf = (char *)malloc(65536);
if(!ipbuf)
if (!ipbuf)
{
perror("malloc failed");
return -2;
@ -113,7 +113,9 @@ int frag;
bzero((char *)A_A eh->ether_shost, sizeof(eh->ether_shost));
if (last_gw.s_addr && (gwip.s_addr == last_gw.s_addr))
{
bcopy(last_arp, (char *)A_A eh->ether_dhost, 6);
}
else if (arp((char *)&gwip, (char *)A_A eh->ether_dhost) == -1)
{
perror("arp");
@ -127,18 +129,25 @@ int frag;
iplen = ip->ip_len;
ip->ip_len = htons(iplen);
if (!(frag & 2)) {
if (!ip->ip_v)
ip->ip_v = IPVERSION;
if (!IP_V(ip))
IP_V_A(ip, IPVERSION);
if (!ip->ip_id)
ip->ip_id = htons(id++);
if (!ip->ip_ttl)
ip->ip_ttl = 60;
}
if (ip->ip_src.s_addr != local_ip.s_addr) {
(void) arp((char *)&ip->ip_src, (char *)A_A local_arp);
bcopy(local_arp, (char *)A_A eh->ether_shost,sizeof(last_arp));
local_ip = ip->ip_src;
} else
bcopy(local_arp, (char *)A_A eh->ether_shost, 6);
if (!frag || (sizeof(*eh) + iplen < mtu))
{
ip->ip_sum = 0;
ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2);
ip->ip_sum = chksum((u_short *)ip, IP_HL(ip) << 2);
bcopy((char *)ip, ipbuf + sizeof(*eh), iplen);
err = sendip(nfd, ipbuf, sizeof(*eh) + iplen);
@ -155,14 +164,14 @@ int frag;
char *s;
int i, sent = 0, ts, hlen, olen;
hlen = ip->ip_hl << 2;
hlen = IP_HL(ip) << 2;
if (mtu < (hlen + 8)) {
fprintf(stderr, "mtu (%d) < ip header size (%d) + 8\n",
mtu, hlen);
fprintf(stderr, "can't fragment data\n");
return -2;
}
ol = (ip->ip_hl << 2) - sizeof(*ip);
ol = (IP_HL(ip) << 2) - sizeof(*ip);
for (i = 0, s = (char*)(ip + 1); ol > 0; )
if (*s == IPOPT_EOL) {
optcpy[i++] = *s;
@ -223,7 +232,7 @@ int frag;
else if (!(ip->ip_off & htons(0x1fff)))
{
hlen = i + sizeof(*ip);
ip->ip_hl = (sizeof(*ip) + i) >> 2;
IP_HL_A(ip, (sizeof(*ip) + i) >> 2);
bcopy(optcpy, (char *)(ip + 1), i);
}
}
@ -243,45 +252,46 @@ ip_t *ip;
struct in_addr gwip;
{
static tcp_seq iss = 2;
struct tcpiphdr *ti;
tcphdr_t *t;
tcphdr_t *t, *t2;
int thlen, i, iplen, hlen;
u_32_t lbuf[20];
ip_t *ip2;
iplen = ip->ip_len;
hlen = ip->ip_hl << 2;
hlen = IP_HL(ip) << 2;
t = (tcphdr_t *)((char *)ip + hlen);
ti = (struct tcpiphdr *)lbuf;
thlen = t->th_off << 2;
ip2 = (struct ip *)lbuf;
t2 = (tcphdr_t *)((char *)ip2 + hlen);
thlen = TCP_OFF(t) << 2;
if (!thlen)
thlen = sizeof(tcphdr_t);
bzero((char *)ti, sizeof(*ti));
bzero((char *)ip2, sizeof(*ip2) + sizeof(*t2));
ip->ip_p = IPPROTO_TCP;
ti->ti_pr = ip->ip_p;
ti->ti_src = ip->ip_src;
ti->ti_dst = ip->ip_dst;
bcopy((char *)ip + hlen, (char *)&ti->ti_sport, thlen);
ip2->ip_p = ip->ip_p;
ip2->ip_src = ip->ip_src;
ip2->ip_dst = ip->ip_dst;
bcopy((char *)ip + hlen, (char *)t2, thlen);
if (!ti->ti_win)
ti->ti_win = htons(4096);
if (!t2->th_win)
t2->th_win = htons(4096);
iss += 63;
i = sizeof(struct tcpiphdr) / sizeof(long);
if ((ti->ti_flags == TH_SYN) && !ntohs(ip->ip_off) &&
if ((t2->th_flags == TH_SYN) && !ntohs(ip->ip_off) &&
(lbuf[i] != htonl(0x020405b4))) {
lbuf[i] = htonl(0x020405b4);
bcopy((char *)ip + hlen + thlen, (char *)ip + hlen + thlen + 4,
iplen - thlen - hlen);
thlen += 4;
}
ti->ti_off = thlen >> 2;
ti->ti_len = htons(thlen);
TCP_OFF_A(t2, thlen >> 2);
ip2->ip_len = htons(thlen);
ip->ip_len = hlen + thlen;
ti->ti_sum = 0;
ti->ti_sum = chksum((u_short *)ti, thlen + sizeof(ip_t));
t2->th_sum = 0;
t2->th_sum = chksum((u_short *)ip2, thlen + sizeof(ip_t));
bcopy((char *)&ti->ti_sport, (char *)ip + hlen, thlen);
bcopy((char *)t2, (char *)ip + hlen, thlen);
return send_ip(nfd, mtu, ip, gwip, 1);
}
@ -304,16 +314,16 @@ struct in_addr gwip;
ti->ti_pr = ip->ip_p;
ti->ti_src = ip->ip_src;
ti->ti_dst = ip->ip_dst;
bcopy((char *)ip + (ip->ip_hl << 2),
bcopy((char *)ip + (IP_HL(ip) << 2),
(char *)&ti->ti_sport, sizeof(udphdr_t));
ti->ti_len = htons(thlen);
ip->ip_len = (ip->ip_hl << 2) + thlen;
ip->ip_len = (IP_HL(ip) << 2) + thlen;
ti->ti_sum = 0;
ti->ti_sum = chksum((u_short *)ti, thlen + sizeof(ip_t));
bcopy((char *)&ti->ti_sport,
(char *)ip + (ip->ip_hl << 2), sizeof(udphdr_t));
(char *)ip + (IP_HL(ip) << 2), sizeof(udphdr_t));
return send_ip(nfd, mtu, ip, gwip, 1);
}
@ -328,7 +338,7 @@ struct in_addr gwip;
{
struct icmp *ic;
ic = (struct icmp *)((char *)ip + (ip->ip_hl << 2));
ic = (struct icmp *)((char *)ip + (IP_HL(ip) << 2));
ic->icmp_cksum = 0;
ic->icmp_cksum = chksum((u_short *)ic, sizeof(struct icmp));
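Review bot: In send_tcp the new `t2 = (tcphdr_t *)((char *)ip2 + hlen)` places the TCP copy at offset `hlen` inside the 80-byte `lbuf`, but `hlen` is the packet's own `IP_HL(ip) << 2` (up to 60), so `bcopy((char *)ip + hlen, (char *)t2, thlen)` can write past `lbuf` for a packet with IP options, and the checksum over `thlen + sizeof(ip_t)` bytes from `ip2` then no longer covers the whole TCP header. The old `tcpiphdr` layout always put the header at offset 20, which the checksum length and the `lbuf[i]` MSS slot still assume; `t2 = (tcphdr_t *)(ip2 + 1);` restores that (the `i = sizeof(struct tcpiphdr) / sizeof(long)` index additionally assumes a 4-byte `long`). Separately, in send_ip the new source-MAC lookup `(void) arp((char *)&ip->ip_src, (char *)A_A local_arp);` discards the error and records `local_ip` regardless, so a failed lookup leaves a zero or stale `ether_shost` cached for every later packet with that source; check the return and skip the cache update on failure.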


@ -1,3 +1,5 @@
/* $NetBSD$ */
/* @(#)ip_var.h 1.11 88/08/19 SMI; from UCB 7.1 6/5/86 */
/*
@ -44,7 +46,7 @@ struct ipq {
* Note: ipf_next must be at same offset as ipq_next above
*/
struct ipasfrag {
#if defined(vax) || defined(i386) || defined(__i386__)
#if defined(vax) || defined(i386)
u_char ip_hl:4,
ip_v:4;
#endif


@ -1,3 +1,5 @@
.\" $NetBSD$
.\"
.TH IPRESEND 1
.SH NAME
ipresend \- resend IP packets out to network


@ -1,42 +1,33 @@
/* $NetBSD$ */
/*
* ipresend.c (C) 1995-1998 Darren Reed
*
* This was written to test what size TCP fragments would get through
* various TCP/IP packet filters, as used in IP firewalls. In certain
* conditions, enough of the TCP header is missing for unpredictable
* results unless the filter is aware that this can happen.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
static const char rcsid[] = "@(#)Id: ipresend.c,v 2.4 2004/01/08 13:34:31 darrenr Exp";
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <string.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#ifndef linux
#include <netinet/ip_var.h>
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <string.h>
#include "ipsend.h"
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipresend.c,v 2.1.4.4 2002/12/06 11:40:35 darrenr Exp $";
#endif
extern char *optarg;
extern int optind;


@ -1,3 +1,5 @@
.\" $NetBSD$
.\"
.TH IPSEND 1
.SH NAME
ipsend \- sends IP packets


@ -1,3 +1,5 @@
/* $NetBSD$ */
/*
* ipsend.h (C) 1997-1998 Darren Reed
*
@ -6,7 +8,11 @@
* conditions, enough of the TCP header is missing for unpredictable
* results unless the filter is aware that this can happen.
*
* See the IPFILTER.LICENCE file for details on licencing.
* The author provides this program as-is, with no gaurantee for its
* suitability for any specific purpose. The author takes no responsibility
* for the misuse/abuse of this program and provides it for the sole purpose
* of testing packet filter policies. This file maybe distributed freely
* providing it is not modified and that this notice remains in tact.
*
*/
#ifndef __P
@ -17,13 +23,14 @@
# endif
#endif
#include "ip_compat.h"
#include <net/if.h>
#include "ipf.h"
#ifdef linux
#include <linux/sockios.h>
#endif
#include "tcpip.h"
#include "ipt.h"
#include "ipf.h"
extern int resolve __P((char *, char *));
extern int arp __P((char *, char *));
@ -35,10 +42,10 @@ extern int send_udp __P((int, int, ip_t *, struct in_addr));
extern int send_icmp __P((int, int, ip_t *, struct in_addr));
extern int send_packet __P((int, int, ip_t *, struct in_addr));
extern int send_packets __P((char *, int, ip_t *, struct in_addr));
extern u_short seclevel __P((char *));
extern u_short ipseclevel __P((char *));
extern u_32_t buildopts __P((char *, char *, int));
extern int addipopt __P((char *, struct ipopt_names *, int, char *));
extern int initdevice __P((char *, int, int));
extern int initdevice __P((char *, int));
extern int sendip __P((int, char *, int));
#ifdef linux
extern struct sock *find_tcp __P((int, struct tcpiphdr *));
@ -55,7 +62,6 @@ extern void ip_test5 __P((char *, int, ip_t *, struct in_addr, int));
extern void ip_test6 __P((char *, int, ip_t *, struct in_addr, int));
extern void ip_test7 __P((char *, int, ip_t *, struct in_addr, int));
extern int do_socket __P((char *, int, struct tcpiphdr *, struct in_addr));
extern int openkmem __P((void));
extern int kmemcpy __P((char *, void *, int));
#define KMCPY(a,b,c) kmemcpy((char *)(a), (void *)(b), (int)(c))
@ -63,9 +69,3 @@ extern int kmemcpy __P((char *, void *, int));
#ifndef OPT_RAW
#define OPT_RAW 0x80000
#endif
#ifndef __STDC__
# ifndef const
# define const
# endif
#endif


@ -1,21 +1,25 @@
/* $NetBSD$ */
/*
* Copyright (C) 1995-1998 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#if !defined(lint)
static const char sccsid[] = "@(#)ipsopt.c 1.2 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)Id: ipsopt.c,v 2.4.4.1 2004/03/23 12:58:05 darrenr Exp";
#endif
#include <sys/param.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#ifndef linux
#include <netinet/ip_var.h>
#endif
@ -23,9 +27,13 @@
#include <arpa/inet.h>
#include "ipsend.h"
#if !defined(lint)
static const char sccsid[] = "@(#)ipsopt.c 1.2 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipsopt.c,v 2.1.4.5 2004/04/10 11:50:52 darrenr Exp $";
#ifndef __P
# ifdef __STDC__
# define __P(x) x
# else
# define __P(x) ()
# endif
#endif
@ -53,7 +61,7 @@ struct ipopt_names secnames[] = {
};
u_short seclevel(slevel)
u_short ipseclevel(slevel)
char *slevel;
{
struct ipopt_names *so;
@ -108,7 +116,7 @@ char *class;
switch (io->on_value)
{
case IPOPT_SECURITY :
lvl = seclevel(class);
lvl = ipseclevel(class);
*(op - 1) = lvl;
break;
case IPOPT_LSRR :


@ -1,21 +1,15 @@
/* $NetBSD$ */
/*
* ipsend.c (C) 1995-1998 Darren Reed
*
* This was written to test what size TCP fragments would get through
* various TCP/IP packet filters, as used in IP firewalls. In certain
* conditions, enough of the TCP header is missing for unpredictable
* results unless the filter is aware that this can happen.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
static const char rcsid[] = "@(#)Id: iptest.c,v 2.6 2004/01/08 13:34:31 darrenr Exp";
#endif
#include <stdio.h>
#include <netdb.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
@ -24,22 +18,19 @@
#include <arpa/inet.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#ifndef linux
#include <netinet/ip_var.h>
#endif
#ifdef linux
#include <linux/sockios.h>
#endif
#include <stdio.h>
#include <netdb.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include "ipsend.h"
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: iptest.c,v 2.2.2.4 2002/12/06 11:40:35 darrenr Exp $";
#endif
extern char *optarg;
extern int optind;
@ -111,7 +102,7 @@ char **argv;
ip = (ip_t *)calloc(1, 65536);
ti = (struct tcpiphdr *)ip;
ip->ip_len = sizeof(*ip);
ip->ip_hl = sizeof(*ip) >> 2;
IP_HL_A(ip, sizeof(*ip) >> 2);
while ((c = getopt(argc, argv, "1234567d:g:m:p:s:")) != -1)
switch (c)


@ -1,21 +1,25 @@
/* $NetBSD$ */
/*
* larp.c (C) 1995-1998 Darren Reed
*
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
#if !defined(lint)
static const char sccsid[] = "@(#)larp.c 1.1 8/19/95 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: larp.c,v 2.1.4.1 2001/06/26 10:43:22 darrenr Exp $";
static const char rcsid[] = "@(#)Id: larp.c,v 2.4 2003/12/01 02:01:16 darrenr Exp";
#endif
#include <stdio.h>
#include <errno.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netdb.h>
#include <netinet/in.h>
#include <net/if.h>
#include <net/if_arp.h>
#include <stdio.h>
#include <netdb.h>
#include <errno.h>
#include "ip_compat.h"
#include "iplang/iplang.h"
@ -25,7 +29,7 @@ static const char rcsid[] = "@(#)$Id: larp.c,v 2.1.4.1 2001/06/26 10:43:22 darre
* its IP address in address
* (4 bytes)
*/
int resolve(host, address)
int resolve(host, address)
char *host, *address;
{
struct hostent *hp;


@ -1,7 +1,11 @@
/* $NetBSD$ */
/*
* Copyright (C) 1995-1998 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
* This code may be freely distributed as long as it retains this notice
* and is not changed in any way. The author accepts no responsibility
* for the use of this software. I hate legaleese, don't you ?
*
* @(#)linux.h 1.1 8/19/95
*/


@ -1,14 +1,14 @@
/* $NetBSD$ */
/*
* lsock.c (C) 1995-1998 Darren Reed
*
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
#if !defined(lint)
static const char sccsid[] = "@(#)lsock.c 1.2 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: lsock.c,v 2.1.4.3 2002/12/06 11:40:36 darrenr Exp $";
#endif
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
static const char rcsid[] = "@(#)Id: lsock.c,v 2.3 2001/06/09 17:09:26 darrenr Exp";
#endif
#include <stdio.h>
#include <unistd.h>
@ -226,7 +226,7 @@ struct in_addr gwip;
(void) getsockname(fd, (struct sockaddr *)&lsin, &len);
ti->ti_sport = lsin.sin_port;
printf("sport %d\n", ntohs(lsin.sin_port));
nfd = initdevice(dev, ntohs(lsin.sin_port), 0);
nfd = initdevice(dev, 0);
if (!(s = find_tcp(fd, ti)))
return -1;


@ -1,21 +1,16 @@
/* $NetBSD$ */
/*
* resend.c (C) 1995-1998 Darren Reed
*
* This was written to test what size TCP fragments would get through
* various TCP/IP packet filters, as used in IP firewalls. In certain
* conditions, enough of the TCP header is missing for unpredictable
* results unless the filter is aware that this can happen.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#if !defined(lint)
static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)Id: resend.c,v 2.8 2004/01/08 13:34:31 darrenr Exp";
#endif
#include <stdio.h>
#include <netdb.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
@ -24,9 +19,6 @@
#include <arpa/inet.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#ifndef linux
# include <netinet/ip_var.h>
# include <netinet/if_ether.h>
@ -34,14 +26,13 @@
# include <net/if_var.h>
# endif
#endif
#include <stdio.h>
#include <netdb.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include "ipsend.h"
#if !defined(lint)
static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: resend.c,v 2.1.4.5 2002/12/06 11:40:36 darrenr Exp $";
#endif
extern int opts;
static u_char pbuf[65536]; /* 1 big packet */
@ -54,7 +45,7 @@ ip_t *ip;
tcphdr_t *t;
int i, j;
t = (tcphdr_t *)((char *)ip + (ip->ip_hl << 2));
t = (tcphdr_t *)((char *)ip + (IP_HL(ip) << 2));
if (ip->ip_tos)
printf("tos %#x ", ip->ip_tos);
if (ip->ip_off & 0x3fff)
@ -88,13 +79,13 @@ char *datain;
ether_header_t *eh;
char dhost[6];
ip_t *ip;
int fd, wfd = initdevice(dev, 0, 5), len, i;
int fd, wfd = initdevice(dev, 5), len, i;
if (datain)
fd = (*r->r_open)(datain);
else
fd = (*r->r_open)("-");
if (fd < 0)
exit(-1);
@ -130,7 +121,7 @@ char *datain;
sizeof(dhost));
if (!ip->ip_sum)
ip->ip_sum = chksum((u_short *)ip,
ip->ip_hl << 2);
IP_HL(ip) << 2);
bcopy(ip, (char *)(eh + 1), len);
len += sizeof(*eh);
printpacket(ip);
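Review bot: `wfd = initdevice(dev, 5)` in the declaration line is never checked, while the reader descriptor a few lines below gets `if (fd < 0) exit(-1);`; on the sock.c backend added in this commit initdevice returns -1 after a socket() or SIOCGIFADDR failure, so every subsequent write would presumably go to descriptor -1 and fail with EBADF. Add `if (wfd < 0) exit(-1);` alongside the existing reader check. The remainder of the function lies outside the hunk.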


@ -1,7 +1,10 @@
/* $NetBSD$ */
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
*
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
#include <stdio.h>
@ -19,10 +22,17 @@
#include <sys/stropts.h>
#ifdef sun
#include <sys/pfmod.h>
#include <sys/bufmod.h>
# include <sys/pfmod.h>
# include <sys/bufmod.h>
#endif
#ifdef __osf__
# include <sys/dlpihdr.h>
#else
# include <sys/dlpi.h>
#endif
#ifdef __hpux
# include <sys/dlpi_ext.h>
#endif
#include <sys/dlpi.h>
#include <net/if.h>
#include <netinet/in.h>
@ -38,7 +48,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)sdlpi.c 1.3 10/30/95 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: sdlpi.c,v 2.1.4.2 2001/06/26 10:43:22 darrenr Exp $";
static const char rcsid[] = "@(#)Id: sdlpi.c,v 2.8.2.1 2004/12/09 19:41:13 darrenr Exp";
#endif
#define CHUNKSIZE 8192
@ -49,9 +59,9 @@ static const char rcsid[] = "@(#)$Id: sdlpi.c,v 2.1.4.2 2001/06/26 10:43:22 darr
* Be careful to only include those defined in the flags option for the
* interface are included in the header size.
*/
int initdevice(device, sport, tout)
int initdevice(device, tout)
char *device;
int sport, tout;
int tout;
{
char devname[16], *s, buf[256];
int i, fd;
@ -60,7 +70,7 @@ int sport, tout;
(void) strncat(devname, device, sizeof(devname) - strlen(devname));
s = devname + 5;
while (*s && !isdigit(*s))
while (*s && !ISDIGIT(*s))
s++;
if (!*s)
{
@ -79,24 +89,43 @@ int sport, tout;
exit(-1);
}
if (dlattachreq(fd, i) == -1 || dlokack(fd, buf) == -1)
if (dlattachreq(fd, i) == -1)
{
fprintf(stderr, "DLPI error\n");
fprintf(stderr, "dlattachreq: DLPI error\n");
exit(-1);
}
else if (dlokack(fd, buf) == -1)
{
fprintf(stderr, "dlokack(attach): DLPI error\n");
exit(-1);
}
#ifdef DL_HP_RAWDLS
if (dlpromisconreq(fd, DL_PROMISC_SAP) < 0)
{
fprintf(stderr, "dlpromisconreq: DL_PROMISC_PHYS error\n");
exit(-1);
}
else if (dlokack(fd, buf) < 0)
{
fprintf(stderr, "dlokack(promisc): DLPI error\n");
exit(-1);
}
/* 22 is INSAP as per the HP-UX DLPI Programmer's Guide */
dlbindreq(fd, 22, 1, DL_HP_RAWDLS, 0, 0);
#else
dlbindreq(fd, ETHERTYPE_IP, 0, DL_CLDLS, 0, 0);
#endif
dlbindack(fd, buf);
/*
* write full headers
*/
#ifdef sun /* we require RAW DLPI mode, which is a Sun extension */
#ifdef DLIOCRAW /* we require RAW DLPI mode, which is a Sun extension */
if (strioctl(fd, DLIOCRAW, -1, 0, NULL) == -1)
{
fprintf(stderr, "DLIOCRAW error\n");
exit(-1);
}
#else
you lose
#endif
return fd;
}
@ -109,8 +138,19 @@ int sendip(fd, pkt, len)
int fd, len;
char *pkt;
{
struct strbuf dbuf, *dp = &dbuf;
struct strbuf dbuf, *dp = &dbuf, *cp = NULL;
int pri = 0;
#ifdef DL_HP_RAWDLS
struct strbuf cbuf;
dl_hp_rawdata_req_t raw;
cp = &cbuf;
raw.dl_primitive = DL_HP_RAWDATA_REQ;
cp->len = sizeof(raw);
cp->buf = (char *)&raw;
cp->maxlen = cp->len;
pri = MSG_HIPRI;
#endif
/*
* construct NIT STREAMS messages, first control then data.
*/
@ -118,7 +158,7 @@ char *pkt;
dp->len = len;
dp->maxlen = dp->len;
if (putmsg(fd, NULL, dp, 0) == -1)
if (putmsg(fd, cp, dp, pri) == -1)
{
perror("putmsg");
return -1;
@ -130,3 +170,4 @@ char *pkt;
}
return len;
}
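Review bot: The error checks added to initdevice — `dlattachreq(fd, i) == -1`, `dlokack(fd, buf) == -1`, `dlpromisconreq(fd, DL_PROMISC_SAP) < 0` — test values those helpers never produce: dlcommon.c in this same commit declares them `void` and they exit via syserr()/err() on failure, so unless sdlpi.c sees matching prototypes these comparisons read an undefined implicit-int return and the `exit(-1)` branches fire at random. Either give the helpers an `int` return or drop the checks and rely on their fatal handling, as the `dlbindreq`/`dlbindack` calls just below already do (the "DL_PROMISC_PHYS error" message on the DL_PROMISC_SAP request is also mislabelled). Dropping `#else you lose #endif` means a build with neither DLIOCRAW nor DL_HP_RAWDLS now silently returns a non-raw stream instead of failing to compile; `#error "raw DLPI mode required"` would keep the old intent. In the first hunk, `strncat(devname, device, sizeof(devname) - strlen(devname))` permits one byte too many (strncat appends a NUL after n bytes), so an 11-character device name already overruns the 16-byte `devname` that appears to be prefixed with "/dev/"; the bound should be `sizeof(devname) - strlen(devname) - 1`.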


@ -1,12 +1,12 @@
/* $NetBSD$ */
/*
* (C)opyright 1992-1998 Darren Reed.
* (C)opyright 1997 Marc Boucher.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <stdio.h>
#include <sys/types.h>
#include <string.h>
@ -23,17 +23,15 @@
#include <netinet/ip.h>
#include <netinet/if_ether.h>
#include <netinet/ip_var.h>
#include <netinet/udp.h>
#include <netinet/udp_var.h>
#include <netinet/tcp.h>
#include "ipsend.h"
#include <netinet/udp_var.h>
#if !defined(lint) && defined(LIBC_SCCS)
static char sirix[] = "@(#)sirix.c 1.0 10/9/97 (C)1997 Marc Boucher";
#endif
int initdevice(char *device, int sport, int tout)
int initdevice(char *device, int tout)
{
int fd;
struct sockaddr_raw sr;


@ -1,7 +1,10 @@
/* $NetBSD$ */
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
*
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
#include <stdio.h>
@ -27,7 +30,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)slinux.c 1.2 8/25/95";
static const char rcsid[] = "@(#)$Id: slinux.c,v 2.1.4.1 2001/06/26 10:43:22 darrenr Exp $";
static const char rcsid[] = "@(#)Id: slinux.c,v 2.3 2001/06/09 17:09:26 darrenr Exp";
#endif
#define CHUNKSIZE 8192
@ -42,9 +45,9 @@ static int timeout;
static char *eth_dev = NULL;
int initdevice(dev, sport, spare)
int initdevice(dev, spare)
char *dev;
int sport, spare;
int spare;
{
int fd;


@ -1,7 +1,10 @@
/* $NetBSD$ */
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
*
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
#include <stdio.h>
@ -38,7 +41,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)snit.c 1.5 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: snit.c,v 2.1.4.1 2001/06/26 10:43:22 darrenr Exp $";
static const char rcsid[] = "@(#)Id: snit.c,v 2.3 2001/06/09 17:09:26 darrenr Exp";
#endif
#define CHUNKSIZE 8192
@ -54,9 +57,9 @@ static const char rcsid[] = "@(#)$Id: snit.c,v 2.1.4.1 2001/06/26 10:43:22 darre
static int timeout;
int initdevice(device, sport, tout)
int initdevice(device, tout)
char *device;
int sport, tout;
int tout;
{
struct strioctl si;
struct timeval to;


@ -0,0 +1,89 @@
/* $NetBSD$ */
/*
* (C)opyright 2000 Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* WARNING: Attempting to use this .c file on HP-UX 11.00 will cause the
* system to crash.
*/
#include <sys/param.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/if_ether.h>
#include <netinet/ip_var.h>
#include <netinet/udp.h>
#include <netinet/udp_var.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <errno.h>
#include "ipsend.h"
#if !defined(lint) && defined(LIBC_SCCS)
static char sirix[] = "@(#)sirix.c 1.0 10/9/97 (C)1997 Marc Boucher";
#endif
int initdevice(char *device, int tout)
{
struct sockaddr s;
struct ifreq ifr;
int fd;
memset(&ifr, 0, sizeof(ifr));
strncpy(ifr.ifr_name, device, sizeof ifr.ifr_name);
if ((fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
{
perror("socket(AF_INET, SOCK_RAW, IPPROTO_RAW)");
return -1;
}
if (ioctl(fd, SIOCGIFADDR, &ifr) == -1)
{
perror("ioctl SIOCGIFADDR");
return -1;
}
bzero((char *)&s, sizeof(s));
s.sa_family = AF_INET;
bcopy(&ifr.ifr_addr, s.sa_data, 4);
if (bind(fd, &s, sizeof(s)) == -1)
perror("bind");
return fd;
}
/*
* output an IP packet
*/
int sendip(int fd, char *pkt, int len)
{
struct ether_header *eh;
struct sockaddr_in sin;
eh = (struct ether_header *)pkt;
bzero((char *)&sin, sizeof(sin));
sin.sin_family = AF_INET;
pkt += 14;
len -= 14;
bcopy(pkt + 12, (char *)&sin.sin_addr, 4);
if (sendto(fd, pkt, len, 0, &sin, sizeof(sin)) == -1)
{
perror("send");
return -1;
}
return len;
}
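Review bot: In sendip, `bcopy(pkt + 12, (char *)&sin.sin_addr, 4)` copies the IPv4 *source* address (header offset 12) into the sendto destination; the destination address is at offset 16, so this should read `bcopy(pkt + 16, (char *)&sin.sin_addr, 4);`. `sendto` is also handed `&sin` without the `(struct sockaddr *)` cast the other socket calls in ipsend use, `len -= 14` runs with no check that the frame is at least 14 bytes, and `eh` is assigned but never used. In initdevice, `bcopy(&ifr.ifr_addr, s.sa_data, 4)` copies the sockaddr's family/length and port bytes rather than the interface address (`((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr` is the field wanted), a `bind` failure is only reported before the descriptor is returned as usable, and the SIOCGIFADDR failure path returns -1 without `close(fd)`.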


@ -1,3 +1,5 @@
/* $NetBSD$ */
/*
* Copyright (c) 1982, 1986, 1993
* The Regents of the University of California. All rights reserved.
@ -10,11 +12,7 @@
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* 3. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
@ -31,7 +29,7 @@
* SUCH DAMAGE.
*
* @(#)tcpip.h 8.1 (Berkeley) 6/10/93
* $Id: tcpip.h,v 2.1 1999/08/04 17:31:16 darrenr Exp $
* Id: tcpip.h,v 2.2.2.3 2004/05/26 15:45:48 darrenr Exp
*/
#ifndef _NETINET_TCPIP_H_
@ -54,12 +52,9 @@ struct ipovly {
*/
struct tcpiphdr {
struct ipovly ti_i; /* overlaid ip structure */
#ifdef linux
tcphdr_t ti_t;
#else
struct tcphdr ti_t; /* tcp header */
#endif
};
#ifdef notyet
/*
* Tcp+ip header, after ip options removed but including TCP options.


@ -1,8 +1,11 @@
/* $NetBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
* $Id: ipt.h,v 2.2.2.1 2001/06/26 10:43:19 darrenr Exp $
*
* Id: ipt.h,v 2.6 2003/02/16 02:33:09 darrenr Exp
*/
#ifndef __IPT_H__
@ -24,8 +27,11 @@ struct ipread {
int (*r_open) __P((char *));
int (*r_close) __P((void));
int (*r_readip) __P((char *, int, char **, int *));
int r_flags;
};
#define R_DO_CKSUM 0x01
extern void debug __P((char *, ...));
extern void verbose __P((char *, ...));
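Review bot: The new `r_flags` member and the `R_DO_CKSUM` bit are added with no comment saying what a reader is expected to do when the bit is set, and nothing ties the define to the member. A one-liner on each would do, e.g. `int r_flags; /* R_* flag bits, see below */` and `#define R_DO_CKSUM 0x01 /* presumably: reader must (re)compute the IP checksum -- confirm */`. Also note that widening struct ipread means any positional initializer of a reader table that is not updated silently gets r_flags == 0 via C's zero-fill of omitted trailing initializers; that is only correct if "no flags" is the intended default for every reader.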


@ -1,8 +1,10 @@
/* $NetBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
* $Id: kmem.h,v 2.2.2.4 2002/01/01 13:43:48 darrenr Exp $
* Id: kmem.h,v 2.5 2002/08/21 22:57:36 darrenr Exp
*/
#ifndef __KMEM_H__
@ -18,7 +20,6 @@
extern int openkmem __P((char *, char *));
extern int kmemcpy __P((char *, long, int));
extern int kstrncpy __P((char *, long, int));
extern char *getifname __P((void *));
#if defined(__NetBSD__) || defined(__OpenBSD)
# include <paths.h>


@ -1 +1 @@
<HTML>
<HTML>


@ -1,3 +1,5 @@
/* $NetBSD$ */
/*
* (C)Copyright March, 2000 - Darren Reed.
*/
@ -141,8 +143,7 @@ void closel4(l4, dead)
l4cfg_t *l4;
int dead;
{
if (l4->l4_fd != -1)
close(l4->l4_fd);
close(l4->l4_fd);
l4->l4_fd = -1;
l4->l4_rw = -1;
if (dead && l4->l4_alive) {
@ -308,7 +309,7 @@ int runconfig()
if (opts & OPT_VERBOSE)
fprintf(stderr, "failed\n");
perror("connect");
closel4(l4, 1);
close(fd);
fd = -1;
} else {
if (opts & OPT_VERBOSE)
@ -417,10 +418,10 @@ u_short *portp;
*port++ = '\0';
#ifdef HAVE_INET_ATON
if (isdigit(*host) && inet_aton(host, &ip))
if (ISDIGIT(*host) && inet_aton(host, &ip))
*ipp = ip.s_addr;
#else
if (isdigit(*host))
if (ISDIGIT(*host))
*ipp = inet_addr(host);
#endif
else {
@ -433,7 +434,7 @@ u_short *portp;
}
if (port) {
if (isdigit(*port))
if (ISDIGIT(*port))
*portp = htons(atoi(port));
else {
sp = getservbyname(port, "tcp");
@ -526,7 +527,7 @@ char *filename;
/*
* Skip leading whitespace
*/
for (line = buf; (c = *line) && isspace(c); line++)
for (line = buf; (c = *line) && ISSPACE(c); line++)
;
if (!*line)
continue;
@ -606,14 +607,14 @@ char *filename;
}
bcopy((char *)&template, (char *)l4, sizeof(*l4));
l4->l4_sin.sin_addr = ipn->in_in[0];
l4->l4_sin.sin_port = ipn->in_pnext;
l4->l4_sin.sin_port = ipn->in_pnext;
l4->l4_next = l4list;
l4list = l4;
} else if (!strcasecmp(t, "connect")) {
s = strtok(NULL, " \t");
if (s)
t = strtok(NULL, "\t");
if (!s || !t) {
if (!s || !t) {
errtxt = line;
err = -1;
break;
@ -635,7 +636,7 @@ char *filename;
}
} else if (!strcasecmp(t, "probe")) {
s = strtok(NULL, " \t");
if (!s) {
if (!s) {
errtxt = line;
err = -1;
break;
@ -683,13 +684,13 @@ char *filename;
}
} else if (!strcasecmp(t, "response")) {
s = strtok(NULL, " \t");
if (!s) {
if (!s) {
errtxt = line;
err = -1;
break;
} else if (!strcasecmp(s, "timeout")) {
t = strtok(NULL, " \t");
if (!t) {
if (!t) {
errtxt = line;
err = -1;
break;
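Review bot: The new closel4 body calls `close(l4->l4_fd)` unconditionally; the doubled lines together with the 8-to-7 hunk count indicate that the `if (l4->l4_fd != -1)` guard is what was removed, so closing an entry whose descriptor was never opened (l4_fd is reset to -1 right below) now issues close(-1) and gets EBADF. Reinstating the guard is a two-line change: `if (l4->l4_fd != -1)` followed by `close(l4->l4_fd);`. In the runconfig hunk the failed-connect path similarly goes from `closel4(l4, 1)` to `close(fd)`, which skips the `dead && l4->l4_alive` bookkeeping that closel4 performs; that may be intentional, since the descriptor has not been stored into the entry yet, but it is worth confirming. Both closel4 and runconfig continue outside their hunks.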


@ -0,0 +1,309 @@
INCDEP=$(TOP)/ip_compat.h $(TOP)/ip_fil.h $(TOP)/ipf.h
LIBOBJS=$(DEST)/addicmp.o \
$(DEST)/addipopt.o \
$(DEST)/addkeep.o \
$(DEST)/bcopywrap.o \
$(DEST)/binprint.o \
$(DEST)/buildopts.o \
$(DEST)/checkrev.o \
$(DEST)/count6bits.o \
$(DEST)/count4bits.o \
$(DEST)/debug.o \
$(DEST)/extras.o \
$(DEST)/facpri.o \
$(DEST)/flags.o \
$(DEST)/fill6bits.o \
$(DEST)/genmask.o \
$(DEST)/gethost.o \
$(DEST)/getifname.o \
$(DEST)/getline.o \
$(DEST)/getnattype.o \
$(DEST)/getport.o \
$(DEST)/getportproto.o \
$(DEST)/getproto.o \
$(DEST)/getsumd.o \
$(DEST)/hexdump.o \
$(DEST)/hostmask.o \
$(DEST)/hostname.o \
$(DEST)/hostnum.o \
$(DEST)/icmpcode.o \
$(DEST)/inet_addr.o \
$(DEST)/initparse.o \
$(DEST)/ionames.o \
$(DEST)/ipoptsec.o \
$(DEST)/ipf_dotuning.o \
$(DEST)/ipft_ef.o \
$(DEST)/ipft_hx.o \
$(DEST)/ipft_pc.o \
$(DEST)/ipft_sn.o \
$(DEST)/ipft_td.o \
$(DEST)/ipft_tx.o \
$(DEST)/kmem.o \
$(DEST)/kmemcpywrap.o \
$(DEST)/kvatoname.o \
$(DEST)/load_hash.o \
$(DEST)/load_hashnode.o \
$(DEST)/load_pool.o \
$(DEST)/load_poolnode.o \
$(DEST)/loglevel.o \
$(DEST)/make_range.o \
$(DEST)/mutex_emul.o \
$(DEST)/nametokva.o \
$(DEST)/nat_setgroupmap.o \
$(DEST)/ntomask.o \
$(DEST)/optname.o \
$(DEST)/optprint.o \
$(DEST)/optprintv6.o \
$(DEST)/optvalue.o \
$(DEST)/portname.o \
$(DEST)/portnum.o \
$(DEST)/ports.o \
$(DEST)/print_toif.o \
$(DEST)/printactivenat.o \
$(DEST)/printaps.o \
$(DEST)/printbuf.o \
$(DEST)/printhash.o \
$(DEST)/printhashnode.o \
$(DEST)/printip.o \
$(DEST)/printpool.o \
$(DEST)/printpoolnode.o \
$(DEST)/printfr.o \
$(DEST)/printfraginfo.o \
$(DEST)/printhostmap.o \
$(DEST)/printifname.o \
$(DEST)/printhostmask.o \
$(DEST)/printlog.o \
$(DEST)/printmask.o \
$(DEST)/printnat.o \
$(DEST)/printportcmp.o \
$(DEST)/printpacket.o \
$(DEST)/printpacket6.o \
$(DEST)/printsbuf.o \
$(DEST)/printstate.o \
$(DEST)/printtunable.o \
$(DEST)/ratoi.o \
$(DEST)/ratoui.o \
$(DEST)/remove_hash.o \
$(DEST)/remove_hashnode.o \
$(DEST)/remove_pool.o \
$(DEST)/remove_poolnode.o \
$(DEST)/resetlexer.o \
$(DEST)/rwlock_emul.o \
$(DEST)/tcpflags.o \
$(DEST)/tcp_flags.o \
$(DEST)/to_interface.o \
$(DEST)/var.o \
$(DEST)/verbose.o \
$(DEST)/v6ionames.o \
$(DEST)/v6optvalue.o
$(DEST)/libipf.a: $(LIBOBJS)
/bin/rm -f $@
ar $(AROPTS) $@ $(LIBOBJS)
$(RANLIB) $@
$(DEST)/addicmp.o: $(LIBSRC)/addicmp.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/addicmp.c -o $@
$(DEST)/addipopt.o: $(LIBSRC)/addipopt.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/addipopt.c -o $@
$(DEST)/addkeep.o: $(LIBSRC)/addkeep.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/addkeep.c -o $@
$(DEST)/bcopywrap.o: $(LIBSRC)/bcopywrap.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/bcopywrap.c -o $@
$(DEST)/binprint.o: $(LIBSRC)/binprint.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/binprint.c -o $@
$(DEST)/buildopts.o: $(LIBSRC)/buildopts.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/buildopts.c -o $@
$(DEST)/count6bits.o: $(LIBSRC)/count6bits.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/count6bits.c -o $@
$(DEST)/checkrev.o: $(LIBSRC)/checkrev.c $(INCDEP) $(TOP)/ipl.h
$(CC) $(CCARGS) -c $(LIBSRC)/checkrev.c -o $@
$(DEST)/count4bits.o: $(LIBSRC)/count4bits.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/count4bits.c -o $@
$(DEST)/debug.o: $(LIBSRC)/debug.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/debug.c -o $@
$(DEST)/extras.o: $(LIBSRC)/extras.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/extras.c -o $@
$(DEST)/facpri.o: $(LIBSRC)/facpri.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/facpri.c -o $@
$(DEST)/fill6bits.o: $(LIBSRC)/fill6bits.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/fill6bits.c -o $@
$(DEST)/flags.o: $(LIBSRC)/flags.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/flags.c -o $@
$(DEST)/genmask.o: $(LIBSRC)/genmask.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/genmask.c -o $@
$(DEST)/getline.o: $(LIBSRC)/getline.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/getline.c -o $@
$(DEST)/gethost.o: $(LIBSRC)/gethost.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/gethost.c -o $@
$(DEST)/getifname.o: $(LIBSRC)/getifname.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/getifname.c -o $@
$(DEST)/getnattype.o: $(LIBSRC)/getnattype.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/getnattype.c -o $@
$(DEST)/getport.o: $(LIBSRC)/getport.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/getport.c -o $@
$(DEST)/getportproto.o: $(LIBSRC)/getportproto.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/getportproto.c -o $@
$(DEST)/getproto.o: $(LIBSRC)/getproto.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/getproto.c -o $@
$(DEST)/getsumd.o: $(LIBSRC)/getsumd.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/getsumd.c -o $@
$(DEST)/hexdump.o: $(LIBSRC)/hexdump.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/hexdump.c -o $@
$(DEST)/hostmask.o: $(LIBSRC)/hostmask.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/hostmask.c -o $@
$(DEST)/hostname.o: $(LIBSRC)/hostname.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/hostname.c -o $@
$(DEST)/hostnum.o: $(LIBSRC)/hostnum.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/hostnum.c -o $@
$(DEST)/icmpcode.o: $(LIBSRC)/icmpcode.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/icmpcode.c -o $@
$(DEST)/ipoptsec.o: $(LIBSRC)/ipoptsec.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/ipoptsec.c -o $@
$(DEST)/inet_addr.o: $(LIBSRC)/inet_addr.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/inet_addr.c -o $@
$(DEST)/initparse.o: $(LIBSRC)/initparse.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/initparse.c -o $@
$(DEST)/ionames.o: $(LIBSRC)/ionames.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/ionames.c -o $@
$(DEST)/ipf_dotuning.o: $(LIBSRC)/ipf_dotuning.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/ipf_dotuning.c -o $@
$(DEST)/ipft_ef.o: $(LIBSRC)/ipft_ef.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/ipft_ef.c -o $@
$(DEST)/ipft_hx.o: $(LIBSRC)/ipft_hx.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/ipft_hx.c -o $@
$(DEST)/ipft_pc.o: $(LIBSRC)/ipft_pc.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/ipft_pc.c -o $@
$(DEST)/ipft_sn.o: $(LIBSRC)/ipft_sn.c $(TOP)/snoop.h
$(CC) $(CCARGS) -c $(LIBSRC)/ipft_sn.c -o $@
$(DEST)/ipft_td.o: $(LIBSRC)/ipft_td.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/ipft_td.c -o $@
$(DEST)/ipft_tx.o: $(LIBSRC)/ipft_tx.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/ipft_tx.c -o $@
$(DEST)/kmem.o: $(LIBSRC)/kmem.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/kmem.c -o $@
$(DEST)/kmemcpywrap.o: $(LIBSRC)/kmemcpywrap.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/kmemcpywrap.c -o $@
$(DEST)/kvatoname.o: $(LIBSRC)/kvatoname.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/kvatoname.c -o $@
$(DEST)/load_hash.o: $(LIBSRC)/load_hash.c $(INCDEP) $(TOP)/ip_htable.h
$(CC) $(CCARGS) -c $(LIBSRC)/load_hash.c -o $@
$(DEST)/load_hashnode.o: $(LIBSRC)/load_hashnode.c $(INCDEP) $(TOP)/ip_htable.h
$(CC) $(CCARGS) -c $(LIBSRC)/load_hashnode.c -o $@
$(DEST)/load_pool.o: $(LIBSRC)/load_pool.c $(INCDEP) $(TOP)/ip_pool.h
$(CC) $(CCARGS) -c $(LIBSRC)/load_pool.c -o $@
$(DEST)/load_poolnode.o: $(LIBSRC)/load_poolnode.c $(INCDEP) $(TOP)/ip_pool.h
$(CC) $(CCARGS) -c $(LIBSRC)/load_poolnode.c -o $@
$(DEST)/make_range.o: $(LIBSRC)/make_range.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/make_range.c -o $@
$(DEST)/mutex_emul.o: $(LIBSRC)/mutex_emul.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/mutex_emul.c -o $@
$(DEST)/nametokva.o: $(LIBSRC)/nametokva.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/nametokva.c -o $@
$(DEST)/nat_setgroupmap.o: $(LIBSRC)/nat_setgroupmap.c $(TOP)/ip_compat.h \
$(TOP)/ipf.h $(TOP)/ip_nat.h
$(CC) $(CCARGS) -c $(LIBSRC)/nat_setgroupmap.c -o $@
$(DEST)/ntomask.o: $(LIBSRC)/ntomask.c $(TOP)/ip_compat.h
$(CC) $(CCARGS) -c $(LIBSRC)/ntomask.c -o $@
$(DEST)/loglevel.o: $(LIBSRC)/loglevel.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/loglevel.c -o $@
$(DEST)/optname.o: $(LIBSRC)/optname.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/optname.c -o $@
$(DEST)/optprint.o: $(LIBSRC)/optprint.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/optprint.c -o $@
$(DEST)/optprintv6.o: $(LIBSRC)/optprintv6.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/optprintv6.c -o $@
$(DEST)/optvalue.o: $(LIBSRC)/optvalue.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/optvalue.c -o $@
$(DEST)/portname.o: $(LIBSRC)/portname.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/portname.c -o $@
$(DEST)/portnum.o: $(LIBSRC)/portnum.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/portnum.c -o $@
$(DEST)/ports.o: $(LIBSRC)/ports.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/ports.c -o $@
$(DEST)/print_toif.o: $(LIBSRC)/print_toif.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/print_toif.c -o $@
$(DEST)/printactivenat.o: $(LIBSRC)/printactivenat.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printactivenat.c -o $@
$(DEST)/printaps.o: $(LIBSRC)/printaps.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printaps.c -o $@
$(DEST)/printbuf.o: $(LIBSRC)/printbuf.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printbuf.c -o $@
$(DEST)/printfr.o: $(LIBSRC)/printfr.c $(TOP)/ip_fil.h
$(CC) $(CCARGS) -c $(LIBSRC)/printfr.c -o $@
$(DEST)/printfraginfo.o: $(LIBSRC)/printfraginfo.c $(TOP)/ip_fil.h
$(CC) $(CCARGS) -c $(LIBSRC)/printfraginfo.c -o $@
$(DEST)/printhash.o: $(LIBSRC)/printhash.c $(TOP)/ip_fil.h $(TOP)/ip_htable.h
$(CC) $(CCARGS) -c $(LIBSRC)/printhash.c -o $@
$(DEST)/printhashnode.o: $(LIBSRC)/printhashnode.c $(TOP)/ip_fil.h \
$(TOP)/ip_htable.h $(TOP)/ip_lookup.h
$(CC) $(CCARGS) -c $(LIBSRC)/printhashnode.c -o $@
$(DEST)/printip.o: $(LIBSRC)/printip.c $(TOP)/ip_fil.h
$(CC) $(CCARGS) -c $(LIBSRC)/printip.c -o $@
$(DEST)/printpool.o: $(LIBSRC)/printpool.c $(TOP)/ip_fil.h $(TOP)/ip_pool.h
$(CC) $(CCARGS) -c $(LIBSRC)/printpool.c -o $@
$(DEST)/printpoolnode.o: $(LIBSRC)/printpoolnode.c $(TOP)/ip_fil.h \
$(TOP)/ip_pool.h $(TOP)/ip_lookup.h
$(CC) $(CCARGS) -c $(LIBSRC)/printpoolnode.c -o $@
$(DEST)/printhostmap.o: $(LIBSRC)/printhostmap.c $(TOP)/ip_fil.h
$(CC) $(CCARGS) -c $(LIBSRC)/printhostmap.c -o $@
$(DEST)/printifname.o: $(LIBSRC)/printifname.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printifname.c -o $@
$(DEST)/printmask.o: $(LIBSRC)/printmask.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printmask.c -o $@
$(DEST)/printnat.o: $(LIBSRC)/printnat.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printnat.c -o $@
$(DEST)/printhostmask.o: $(LIBSRC)/printhostmask.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printhostmask.c -o $@
$(DEST)/printlog.o: $(LIBSRC)/printlog.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printlog.c -o $@
$(DEST)/printpacket.o: $(LIBSRC)/printpacket.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printpacket.c -o $@
$(DEST)/printpacket6.o: $(LIBSRC)/printpacket6.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printpacket6.c -o $@
$(DEST)/printportcmp.o: $(LIBSRC)/printportcmp.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printportcmp.c -o $@
$(DEST)/printsbuf.o: $(LIBSRC)/printsbuf.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printsbuf.c -o $@
$(DEST)/printstate.o: $(LIBSRC)/printstate.c $(INCDEP) $(TOP)/ip_state.h
$(CC) $(CCARGS) -c $(LIBSRC)/printstate.c -o $@
$(DEST)/printtunable.o: $(LIBSRC)/printtunable.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/printtunable.c -o $@
$(DEST)/ratoi.o: $(LIBSRC)/ratoi.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/ratoi.c -o $@
$(DEST)/ratoui.o: $(LIBSRC)/ratoui.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/ratoui.c -o $@
$(DEST)/remove_hash.o: $(LIBSRC)/remove_hash.c $(INCDEP) \
$(TOP)/ip_htable.h
$(CC) $(CCARGS) -c $(LIBSRC)/remove_hash.c -o $@
$(DEST)/remove_hashnode.o: $(LIBSRC)/remove_hashnode.c $(INCDEP) \
$(TOP)/ip_htable.h
$(CC) $(CCARGS) -c $(LIBSRC)/remove_hashnode.c -o $@
$(DEST)/remove_pool.o: $(LIBSRC)/remove_pool.c $(INCDEP) \
$(TOP)/ip_htable.h
$(CC) $(CCARGS) -c $(LIBSRC)/remove_pool.c -o $@
$(DEST)/remove_poolnode.o: $(LIBSRC)/remove_poolnode.c $(INCDEP) \
$(TOP)/ip_htable.h
$(CC) $(CCARGS) -c $(LIBSRC)/remove_poolnode.c -o $@
$(DEST)/resetlexer.o: $(LIBSRC)/resetlexer.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/resetlexer.c -o $@
$(DEST)/rwlock_emul.o: $(LIBSRC)/rwlock_emul.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/rwlock_emul.c -o $@
$(DEST)/to_interface.o: $(LIBSRC)/to_interface.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/to_interface.c -o $@
$(DEST)/tcpflags.o: $(LIBSRC)/tcpflags.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/tcpflags.c -o $@
$(DEST)/tcp_flags.o: $(LIBSRC)/tcp_flags.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/tcp_flags.c -o $@
$(DEST)/var.o: $(LIBSRC)/var.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/var.c -o $@
$(DEST)/verbose.o: $(LIBSRC)/verbose.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/verbose.c -o $@
$(DEST)/v6ionames.o: $(LIBSRC)/v6ionames.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/v6ionames.c -o $@
$(DEST)/v6optvalue.o: $(LIBSRC)/v6optvalue.c $(INCDEP)
$(CC) $(CCARGS) -c $(LIBSRC)/v6optvalue.c -o $@
clean-lib:
/bin/rm -f ${LIBOBJS} ${LIB}
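Review bot: The per-object prerequisite lists disagree with each other, so some header edits will not trigger a rebuild: `ipft_sn.o`, `ntomask.o`, `printfr.o`, `printfraginfo.o`, `printhash.o`, `printhashnode.o`, `printip.o`, `printpool.o`, `printpoolnode.o` and `printhostmap.o` omit the `$(INCDEP)` that every other object lists, and `remove_pool.o`/`remove_poolnode.o` depend on `$(TOP)/ip_htable.h` where the matching `load_pool.o`/`load_poolnode.o` use `$(TOP)/ip_pool.h`, which reads like a copy-paste slip. Giving all objects the shared headers in one portable line, `$(LIBOBJS): $(INCDEP)`, and fixing the two ip_pool.h lines would close those gaps without touching any recipe; a single pattern rule for the identical `$(CC) $(CCARGS) -c ... -o $@` recipes would shrink the file further, but only if every make this tree is built with supports it. `clean-lib` is not declared `.PHONY`, and it removes `${LIB}` while the archive this fragment builds is `$(DEST)/libipf.a`; presumably `LIB` and the other variables this fragment never defines (`TOP`, `DEST`, `LIBSRC`, `CCARGS`, `AROPTS`, `RANLIB`) come from the including Makefile, but the mismatch is worth a look.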


@ -0,0 +1,94 @@
/* $NetBSD$ */
/*
* Copyright (C) 1993-2001 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* Id: addicmp.c,v 1.10.2.1 2004/12/09 19:41:16 darrenr Exp
*/
#include <ctype.h>
#include "ipf.h"
char *icmptypes[MAX_ICMPTYPE + 1] = {
"echorep", (char *)NULL, (char *)NULL, "unreach", "squench",
"redir", (char *)NULL, (char *)NULL, "echo", "routerad",
"routersol", "timex", "paramprob", "timest", "timestrep",
"inforeq", "inforep", "maskreq", "maskrep", "END"
};
/*
* set the icmp field to the correct type if "icmp" word is found
*/
int addicmp(cp, fp, linenum)
char ***cp;
struct frentry *fp;
int linenum;
{
char **t;
int i;
(*cp)++;
if (!**cp)
return -1;
if (!fp->fr_proto) /* to catch lusers */
fp->fr_proto = IPPROTO_ICMP;
if (ISDIGIT(***cp)) {
if (!ratoi(**cp, &i, 0, 255)) {
fprintf(stderr,
"%d: Invalid icmp-type (%s) specified\n",
linenum, **cp);
return -1;
}
} else {
for (t = icmptypes, i = 0; ; t++, i++) {
if (!*t)
continue;
if (!strcasecmp("END", *t)) {
i = -1;
break;
}
if (!strcasecmp(*t, **cp))
break;
}
if (i == -1) {
fprintf(stderr,
"%d: Unknown icmp-type (%s) specified\n",
linenum, **cp);
return -1;
}
}
fp->fr_icmp = (u_short)(i << 8);
fp->fr_icmpm = (u_short)0xff00;
(*cp)++;
if (!**cp)
return 0;
if (**cp && strcasecmp("code", **cp))
return 0;
(*cp)++;
if (ISDIGIT(***cp)) {
if (!ratoi(**cp, &i, 0, 255)) {
fprintf(stderr,
"%d: Invalid icmp code (%s) specified\n",
linenum, **cp);
return -1;
}
} else {
i = icmpcode(**cp);
if (i == -1) {
fprintf(stderr,
"%d: Unknown icmp code (%s) specified\n",
linenum, **cp);
return -1;
}
}
i &= 0xff;
fp->fr_icmp |= (u_short)i;
fp->fr_icmpm = (u_short)0xffff;
(*cp)++;
return 0;
}
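Review bot: After the `code` keyword is consumed by `(*cp)++;` nothing checks that another token follows, so a rule ending in `icmp-type echo code` reaches `ISDIGIT(***cp)` with `**cp == NULL` and the parser dereferences a null pointer, while the type lookup at the top of the function guards the identical situation with `if (!**cp) return -1;`. Add the same guard right after that increment: `if (!**cp) { fprintf(stderr, "%d: missing icmp code\n", linenum); return -1; }`. That first bail-out is also the only error path in the function without a diagnostic, so a matching fprintf there would help whoever is debugging a rule file. Minor: the `**cp &&` in `if (**cp && strcasecmp("code", **cp))` is redundant immediately after `if (!**cp) return 0;`.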
