Import userland tools for IPFilter 3.4.31 into -current

Darren Reed 2003-02-15 06:27:40 +00:00
parent f7a96e18f1
commit 965575f97c
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/vendor/ipfilter/dist/; revision=110917
75 changed files with 1714 additions and 410 deletions


@ -246,7 +246,7 @@ install:
for i in ip_compat.h ip_fil.h ip_nat.h ip_state.h ip_proxy.h \
ip_frag.h ip_auth.h; do \
/bin/cp $(TOP)/$$i /usr/include/netinet/; \
-$(CHMOD) 444 /usr/include/netinet/$$i; \
$(CHMOD) 444 /usr/include/netinet/$$i; \
done
-if [ -d /lkm -a -f if_ipl.o ] ; then \
cp if_ipl.o /lkm; \


@ -31,6 +31,24 @@ for i in ip_fil.[ch] fil.c ip_nat.[ch] ip_frag.[ch] ip_state.[ch] ip_proxy.[ch]
chmod 644 $ipfdir/$i
done
echo ""
echo -n "Installing into /usr/include/netinet"
for j in auth compat fil frag nat proxy state ; do
i=ip_$j.h
if [ -f "$i" ] ; then
echo -n " $i"
cp $i /usr/include/netinet/$i
chmod 644 /usr/include/netinet/$i
fi
done
for j in ipl.h; do
if [ -f "$j" ] ; then
echo -n " $j"
cp $j /usr/include/netinet/$j
chmod 644 /usr/include/netinet/$j
fi
done
echo
if [ -f /sys/netinet/ip_fil_compat.h ] ; then
echo "Linking /sys/netinet/ip_compat.h to /sys/netinet/ip_fil_compat.h"
rm /sys/netinet/ip_fil_compat.h
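Review bot: The two new header-install loops run `cp $i /usr/include/netinet/$i` and `chmod 644` without checking either result, so the script echoes the file name as installed even when the copy failed, and later builds can pick up stale headers that no longer match the kernel sources. Stop at the first failure, for example `cp "$i" "/usr/include/netinet/$i" || exit 1`. The `install:` loop in the Makefile section earlier on this page has the same unchecked `/bin/cp`, and it sets these headers to mode 444 while this script uses 644; one mode should be chosen for both. The script continues outside the hunk.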


@ -5,7 +5,7 @@ To build a kernel with the IP filter, follow these seven steps:
2. do "make install-bsd"
(probably has to be done as root)
3. run "FreeBSD-4/kinstall" as root
3. run "FreeBSD-4.0/kinstall" as root
4. build a new kernel


@ -22,6 +22,52 @@
# and especially those who have found the time to port IP Filter to new
# platforms.
#
3.4.31 7/12/2002 - Released
Solaris 10 compatibility
fix linking into pfil in NetBSD
fix IRIX 6.2 compatibility
add code to check consistency of fr_checkp/fr_check on non-Solaris
OpenBSD: missing patches for ip6_output.c on OpenBSD 3.2,
make LKM work for 3.2 (OpenBSD LKMs now match NetBSD)
3.4.30 26/11/2002 - Released
attempt to detect using GNU make and abort if so
OpenBSD 3.2 patches from Stefan Hermes von GMX
add MSS clamping code from NetBSD
correctly display ipv6 output with ipfstat for (accounting) rules
fix problems with ioctl handling for /dev/ipauth
set SYN bit in rcmd fake packet to create back channel
make libpcap reader capable of determining in/out (not in libpcap file)
and add more DLT types
do not allow redirects to localhost for Solaris in NAT parser
allow return-rst with auth rules
man page corrections
fix for handling ipv6 icmp errors
fix up ipfs command line option processing
only allow processing a ftp 227 response following a PASV command
NetBSD: use poll() and adapt to new cdevsw mechanism
make flushing for just ipv6 things work
3.4.29 28/8/2002 - Released
Make substantial changes to the FTP proxy to improve reliability, security


@ -3,7 +3,7 @@
#
# See the IPFILTER.LICENCE file for details on licencing.
#
# $Id: Makefile,v 2.11.2.13 2002/03/06 09:43:15 darrenr Exp $
# $Id: Makefile,v 2.11.2.15 2002/12/02 04:22:56 darrenr Exp $
#
BINDEST=/usr/local/bin
SBINDEST=/sbin
@ -91,7 +91,6 @@ all:
@echo "bsd - compile for generic 4.4BSD systems"
@echo "bsdi - compile for BSD/OS"
@echo "irix - compile for SGI IRIX"
@echo "linux - compile for Linux 2.0.31+"
@echo ""
tests:
@ -237,15 +236,15 @@ get:
fi \
done
sunos4 solaris1:
sunos4 solaris1: null
(cd SunOS4; make build TOP=.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..)
(cd SunOS4; make -f Makefile.ipsend "CC=$(CC)" TOP=.. $(DEST) $(MFLAGS); cd ..)
sunos5 solaris2:
sunos5 solaris2: null
(cd SunOS5/$(CPUDIR); make build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Dsparc -D__sparc__"; cd ..)
(cd SunOS5/$(CPUDIR); make -f Makefile.ipsend TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..)
sunos5x86 solaris2x86:
sunos5x86 solaris2x86: null
(cd SunOS5/$(CPUDIR); make build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Di86pc -Di386 -D__i386__"; cd ..)
(cd SunOS5/$(CPUDIR); make -f Makefile.ipsend TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..)
@ -282,3 +281,10 @@ rcsget:
do-cvs:
find . -type d -name CVS -print | xargs /bin/rm -rf
find . -type f -name .cvsignore -print | xargs /bin/rm -f
null:
-@if [ "`$(MAKE) -v 2>&1 | sed -ne 's/GNU.*/GNU/p'`" = "GNU" ] ; then \
echo 'Do not use GNU make (gmake) to compile IPFilter'; \
exit 1; \
fi
-@echo make ok
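Review bot: The new `null` target cannot stop a build, because its `if` line starts with `-@` and the `-` prefix makes make ignore the non-zero status from `exit 1`; under GNU make the message is printed and the `sunos4`/`sunos5`/`sunos5x86` recipes still run. Change the prefix on that line from `-@` to `@` so the failure propagates to the targets that list `null` as a prerequisite. The check runs `$(MAKE) -v`, but the recipes invoke a literal `make`, so the binary that is tested is not necessarily the one that runs the sub-builds; using `$(MAKE)` in those recipes would close that gap. Only the three SunOS targets are visible here, so whether the other platform targets gain the same prerequisite cannot be confirmed from this hunk.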

450
contrib/ipfilter/bpf.h Normal file

@ -0,0 +1,450 @@
/*-
* Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
* The Regents of the University of California. All rights reserved.
*
* This code is derived from the Stanford/CMU enet packet filter,
* (net/enet.c) distributed as part of 4.3BSD, and code contributed
* to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
* Berkeley Laboratory.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)bpf.h 7.1 (Berkeley) 5/7/91
*
* @(#) $Header: /devel/CVS/IP-Filter/Attic/bpf.h,v 1.1.2.1 2002/11/07 13:18:35 darrenr Exp $ (LBL)
*/
#ifndef BPF_MAJOR_VERSION
#ifdef __cplusplus
extern "C" {
#endif
/* BSD style release date */
#define BPF_RELEASE 199606
typedef int bpf_int32;
typedef u_int bpf_u_int32;
/*
* Alignment macros. BPF_WORDALIGN rounds up to the next
* even multiple of BPF_ALIGNMENT.
*/
#ifndef __NetBSD__
#define BPF_ALIGNMENT sizeof(bpf_int32)
#else
#define BPF_ALIGNMENT sizeof(long)
#endif
#define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1))
#define BPF_MAXINSNS 512
#define BPF_MAXBUFSIZE 0x8000
#define BPF_MINBUFSIZE 32
/*
* Structure for BIOCSETF.
*/
struct bpf_program {
u_int bf_len;
struct bpf_insn *bf_insns;
};
/*
* Struct returned by BIOCGSTATS.
*/
struct bpf_stat {
u_int bs_recv; /* number of packets received */
u_int bs_drop; /* number of packets dropped */
};
/*
* Struct return by BIOCVERSION. This represents the version number of
* the filter language described by the instruction encodings below.
* bpf understands a program iff kernel_major == filter_major &&
* kernel_minor >= filter_minor, that is, if the value returned by the
* running kernel has the same major number and a minor number equal
* equal to or less than the filter being downloaded. Otherwise, the
* results are undefined, meaning an error may be returned or packets
* may be accepted haphazardly.
* It has nothing to do with the source code version.
*/
struct bpf_version {
u_short bv_major;
u_short bv_minor;
};
/* Current version number of filter architecture. */
#define BPF_MAJOR_VERSION 1
#define BPF_MINOR_VERSION 1
/*
* BPF ioctls
*
* The first set is for compatibility with Sun's pcc style
* header files. If your using gcc, we assume that you
* have run fixincludes so the latter set should work.
*/
#if (defined(sun) || defined(ibm032)) && !defined(__GNUC__)
#define BIOCGBLEN _IOR(B,102, u_int)
#define BIOCSBLEN _IOWR(B,102, u_int)
#define BIOCSETF _IOW(B,103, struct bpf_program)
#define BIOCFLUSH _IO(B,104)
#define BIOCPROMISC _IO(B,105)
#define BIOCGDLT _IOR(B,106, u_int)
#define BIOCGETIF _IOR(B,107, struct ifreq)
#define BIOCSETIF _IOW(B,108, struct ifreq)
#define BIOCSRTIMEOUT _IOW(B,109, struct timeval)
#define BIOCGRTIMEOUT _IOR(B,110, struct timeval)
#define BIOCGSTATS _IOR(B,111, struct bpf_stat)
#define BIOCIMMEDIATE _IOW(B,112, u_int)
#define BIOCVERSION _IOR(B,113, struct bpf_version)
#define BIOCSTCPF _IOW(B,114, struct bpf_program)
#define BIOCSUDPF _IOW(B,115, struct bpf_program)
#else
#define BIOCGBLEN _IOR('B',102, u_int)
#define BIOCSBLEN _IOWR('B',102, u_int)
#define BIOCSETF _IOW('B',103, struct bpf_program)
#define BIOCFLUSH _IO('B',104)
#define BIOCPROMISC _IO('B',105)
#define BIOCGDLT _IOR('B',106, u_int)
#define BIOCGETIF _IOR('B',107, struct ifreq)
#define BIOCSETIF _IOW('B',108, struct ifreq)
#define BIOCSRTIMEOUT _IOW('B',109, struct timeval)
#define BIOCGRTIMEOUT _IOR('B',110, struct timeval)
#define BIOCGSTATS _IOR('B',111, struct bpf_stat)
#define BIOCIMMEDIATE _IOW('B',112, u_int)
#define BIOCVERSION _IOR('B',113, struct bpf_version)
#define BIOCSTCPF _IOW('B',114, struct bpf_program)
#define BIOCSUDPF _IOW('B',115, struct bpf_program)
#endif
/*
* Structure prepended to each packet.
*/
struct bpf_hdr {
struct timeval bh_tstamp; /* time stamp */
bpf_u_int32 bh_caplen; /* length of captured portion */
bpf_u_int32 bh_datalen; /* original length of packet */
u_short bh_hdrlen; /* length of bpf header (this struct
plus alignment padding) */
};
/*
* Because the structure above is not a multiple of 4 bytes, some compilers
* will insist on inserting padding; hence, sizeof(struct bpf_hdr) won't work.
* Only the kernel needs to know about it; applications use bh_hdrlen.
*/
#if defined(KERNEL) || defined(_KERNEL)
#define SIZEOF_BPF_HDR 18
#endif
/*
* Data-link level type codes.
*/
/*
* These are the types that are the same on all platforms; on other
* platforms, a <net/bpf.h> should be supplied that defines the additional
* DLT_* codes appropriately for that platform (the BSDs, for example,
* should not just pick up this version of "bpf.h"; they should also define
* the additional DLT_* codes used by their kernels, as well as the values
* defined here - and, if the values they use for particular DLT_ types
* differ from those here, they should use their values, not the ones
* here).
*/
#define DLT_NULL 0 /* no link-layer encapsulation */
#define DLT_EN10MB 1 /* Ethernet (10Mb) */
#define DLT_EN3MB 2 /* Experimental Ethernet (3Mb) */
#define DLT_AX25 3 /* Amateur Radio AX.25 */
#define DLT_PRONET 4 /* Proteon ProNET Token Ring */
#define DLT_CHAOS 5 /* Chaos */
#define DLT_IEEE802 6 /* IEEE 802 Networks */
#define DLT_ARCNET 7 /* ARCNET */
#define DLT_SLIP 8 /* Serial Line IP */
#define DLT_PPP 9 /* Point-to-point Protocol */
#define DLT_FDDI 10 /* FDDI */
/*
* These are values from the traditional libpcap "bpf.h".
* Ports of this to particular platforms should replace these definitions
* with the ones appropriate to that platform, if the values are
* different on that platform.
*/
#define DLT_ATM_RFC1483 11 /* LLC/SNAP encapsulated atm */
#define DLT_RAW 12 /* raw IP */
/*
* These are values from BSD/OS's "bpf.h".
* These are not the same as the values from the traditional libpcap
* "bpf.h"; however, these values shouldn't be generated by any
* OS other than BSD/OS, so the correct values to use here are the
* BSD/OS values.
*
* Platforms that have already assigned these values to other
* DLT_ codes, however, should give these codes the values
* from that platform, so that programs that use these codes will
* continue to compile - even though they won't correctly read
* files of these types.
*/
#ifdef __NetBSD__
#ifndef DLT_SLIP_BSDOS
#define DLT_SLIP_BSDOS 13 /* BSD/OS Serial Line IP */
#define DLT_PPP_BSDOS 14 /* BSD/OS Point-to-point Protocol */
#endif
#else
#define DLT_SLIP_BSDOS 15 /* BSD/OS Serial Line IP */
#define DLT_PPP_BSDOS 16 /* BSD/OS Point-to-point Protocol */
#endif
#define DLT_ATM_CLIP 19 /* Linux Classical-IP over ATM */
/*
* These values are defined by NetBSD; other platforms should refrain from
* using them for other purposes, so that NetBSD savefiles with link
* types of 50 or 51 can be read as this type on all platforms.
*/
#define DLT_PPP_SERIAL 50 /* PPP over serial with HDLC encapsulation */
#define DLT_PPP_ETHER 51 /* PPP over Ethernet */
/*
* Values between 100 and 103 are used in capture file headers as
* link-layer types corresponding to DLT_ types that differ
* between platforms; don't use those values for new DLT_ new types.
*/
/*
* This value was defined by libpcap 0.5; platforms that have defined
* it with a different value should define it here with that value -
* a link type of 104 in a save file will be mapped to DLT_C_HDLC,
* whatever value that happens to be, so programs will correctly
* handle files with that link type regardless of the value of
* DLT_C_HDLC.
*
* The name DLT_C_HDLC was used by BSD/OS; we use that name for source
* compatibility with programs written for BSD/OS.
*
* libpcap 0.5 defined it as DLT_CHDLC; we define DLT_CHDLC as well,
* for source compatibility with programs written for libpcap 0.5.
*/
#define DLT_C_HDLC 104 /* Cisco HDLC */
#define DLT_CHDLC DLT_C_HDLC
#define DLT_IEEE802_11 105 /* IEEE 802.11 wireless */
/*
* Values between 106 and 107 are used in capture file headers as
* link-layer types corresponding to DLT_ types that might differ
* between platforms; don't use those values for new DLT_ new types.
*/
/*
* OpenBSD DLT_LOOP, for loopback devices; it's like DLT_NULL, except
* that the AF_ type in the link-layer header is in network byte order.
*
* OpenBSD defines it as 12, but that collides with DLT_RAW, so we
* define it as 108 here. If OpenBSD picks up this file, it should
* define DLT_LOOP as 12 in its version, as per the comment above -
* and should not use 108 as a DLT_ value.
*/
#define DLT_LOOP 108
/*
* Values between 109 and 112 are used in capture file headers as
* link-layer types corresponding to DLT_ types that might differ
* between platforms; don't use those values for new DLT_ types
* other than the corresponding DLT_ types.
*/
/*
* This is for Linux cooked sockets.
*/
#define DLT_LINUX_SLL 113
/*
* Apple LocalTalk hardware.
*/
#define DLT_LTALK 114
/*
* Acorn Econet.
*/
#define DLT_ECONET 115
/*
* Reserved for use with OpenBSD ipfilter.
*/
#define DLT_IPFILTER 116
/*
* Reserved for use in capture-file headers as a link-layer type
* corresponding to OpenBSD DLT_PFLOG; DLT_PFLOG is 17 in OpenBSD,
* but that's DLT_LANE8023 in SuSE 6.3, so we can't use 17 for it
* in capture-file headers.
*/
#define DLT_PFLOG 117
/*
* Registered for Cisco-internal use.
*/
#define DLT_CISCO_IOS 118
/*
* Reserved for 802.11 cards using the Prism II chips, with a link-layer
* header including Prism monitor mode information plus an 802.11
* header.
*/
#define DLT_PRISM_HEADER 119
/*
* Reserved for Aironet 802.11 cards, with an Aironet link-layer header
* (see Doug Ambrisko's FreeBSD patches).
*/
#define DLT_AIRONET_HEADER 120
/*
* Reserved for Siemens HiPath HDLC.
*/
#define DLT_HHDLC 121
/*
* Reserved for RFC 2625 IP-over-Fibre Channel, as per a request from
* Don Lee <donlee@cray.com>.
*
* This is not for use with raw Fibre Channel, where the link-layer
* header starts with a Fibre Channel frame header; it's for IP-over-FC,
* where the link-layer header starts with an RFC 2625 Network_Header
* field.
*/
#define DLT_IP_OVER_FC 122
/*
* The instruction encodings.
*/
/* instruction classes */
#define BPF_CLASS(code) ((code) & 0x07)
#define BPF_LD 0x00
#define BPF_LDX 0x01
#define BPF_ST 0x02
#define BPF_STX 0x03
#define BPF_ALU 0x04
#define BPF_JMP 0x05
#define BPF_RET 0x06
#define BPF_MISC 0x07
/* ld/ldx fields */
#define BPF_SIZE(code) ((code) & 0x18)
#define BPF_W 0x00
#define BPF_H 0x08
#define BPF_B 0x10
#define BPF_MODE(code) ((code) & 0xe0)
#define BPF_IMM 0x00
#define BPF_ABS 0x20
#define BPF_IND 0x40
#define BPF_MEM 0x60
#define BPF_LEN 0x80
#define BPF_MSH 0xa0
/* alu/jmp fields */
#define BPF_OP(code) ((code) & 0xf0)
#define BPF_ADD 0x00
#define BPF_SUB 0x10
#define BPF_MUL 0x20
#define BPF_DIV 0x30
#define BPF_OR 0x40
#define BPF_AND 0x50
#define BPF_LSH 0x60
#define BPF_RSH 0x70
#define BPF_NEG 0x80
#define BPF_JA 0x00
#define BPF_JEQ 0x10
#define BPF_JGT 0x20
#define BPF_JGE 0x30
#define BPF_JSET 0x40
#define BPF_SRC(code) ((code) & 0x08)
#define BPF_K 0x00
#define BPF_X 0x08
/* ret - BPF_K and BPF_X also apply */
#define BPF_RVAL(code) ((code) & 0x18)
#define BPF_A 0x10
/* misc */
#define BPF_MISCOP(code) ((code) & 0xf8)
#define BPF_TAX 0x00
#define BPF_TXA 0x80
/*
* The instruction data structure.
*/
struct bpf_insn {
u_short code;
u_char jt;
u_char jf;
bpf_int32 k;
};
/*
* Macros for insn array initializers.
*/
#define BPF_STMT(code, k) { (u_short)(code), 0, 0, k }
#define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k }
#if defined(BSD) && (defined(KERNEL) || defined(_KERNEL))
/*
* Systems based on non-BSD kernels don't have ifnet's (or they don't mean
* anything if it is in <net/if.h>) and won't work like this.
*/
# if __STDC__
extern void bpf_tap(struct ifnet *, u_char *, u_int);
extern void bpf_mtap(struct ifnet *, struct mbuf *);
extern void bpfattach(struct ifnet *, u_int, u_int);
extern void bpfilterattach(int);
# else
extern void bpf_tap();
extern void bpf_mtap();
extern void bpfattach();
extern void bpfilterattach();
# endif /* __STDC__ */
#endif /* BSD && (_KERNEL || KERNEL) */
#if __STDC__ || defined(__cplusplus)
extern int bpf_validate(struct bpf_insn *, int);
extern u_int bpf_filter(struct bpf_insn *, u_char *, u_int, u_int);
#else
extern int bpf_validate();
extern u_int bpf_filter();
#endif
/*
* Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST).
*/
#define BPF_MEMWORDS 16
#ifdef __cplusplus
}
#endif
#endif
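Review bot: `SIZEOF_BPF_HDR` is hard-coded to 18, which matches the members of `struct bpf_hdr` only when `struct timeval` is 8 bytes; on a platform where it is wider, kernel code using the constant would presumably compute a header length shorter than the real layout. `typedef int bpf_int32;` likewise assumes a 32-bit `int`. A comment stating both assumptions would help, for example `/* 18 = 8 (timeval) + 4 + 4 + 2; valid only where sizeof(struct timeval) == 8 */`. The `struct bpf_version` comment also contradicts itself: the expression says `kernel_minor >= filter_minor` but the prose says "equal to or less than", and the wording should follow the expression.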


@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <sys/types.h>
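Review bot: `IRIX` is not defined anywhere in this hunk, and an undefined identifier in `#if` evaluates to 0, so if the build does not pass a numeric `IRIX` value the `<sys/ptimers.h>` include is dropped on every SGI system, not only on 6.2 and older. A comment naming where `IRIX` is set, or an `#error` when `__sgi` is defined and `IRIX` is not, would make a misconfigured build fail visibly. The same guard is added in four later sections on this page, the ones whose rcsid lines name fil.c, fils.c, ip_auth.c and ip_fil.c.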


@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <sys/errno.h>
@ -97,7 +97,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.63 2002/08/28 12:40:08 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.67 2002/12/06 13:28:05 darrenr Exp $";
#endif
#ifndef _KERNEL
@ -699,7 +699,8 @@ void *m;
if (!fr_tcpudpchk(&fr->fr_tuc, fin))
continue;
} else if (fr->fr_icmpm || fr->fr_icmp) {
if ((fi->fi_p != IPPROTO_ICMP) || off ||
if (((fi->fi_p != IPPROTO_ICMP) &&
(fi->fi_p != IPPROTO_ICMPV6)) || off ||
(fin->fin_dlen < 2))
continue;
if ((fin->fin_data[0] & fr->fr_icmpm) != fr->fr_icmp) {
@ -814,6 +815,26 @@ int out;
# endif
int up;
# if !SOLARIS && !defined(NETBSD_PF) && \
((defined(__FreeBSD__) && (__FreeBSD_version < 500011)) || \
defined(__OpenBSD__) || defined(_BSDI_VERSION))
if (fr_checkp != fr_check && fr_running > 0) {
static int counter = 0;
if (counter == 0) {
printf("WARNING: fr_checkp corrupt: value %lx\n",
(u_long)fr_checkp);
printf("WARNING: fr_checkp should be %lx\n",
(u_long)fr_check);
printf("WARNING: fixing fr_checkp\n");
}
fr_checkp = fr_check;
counter++;
if (counter == 10000)
counter = 0;
}
# endif
# ifdef M_CANFASTFWD
/*
* XXX For now, IP Filter and fast-forwarding of cached flows
@ -1510,7 +1531,7 @@ tcphdr_t *tcp;
* SUCH DAMAGE.
*
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
* $Id: fil.c,v 2.35.2.63 2002/08/28 12:40:08 darrenr Exp $
* $Id: fil.c,v 2.35.2.67 2002/12/06 13:28:05 darrenr Exp $
*/
/*
* Copy data from an mbuf chain starting "off" bytes from the beginning,
@ -1716,9 +1737,9 @@ frentry_t **listp;
}
int frflush(unit, flags)
int frflush(unit, proto, flags)
minor_t unit;
int flags;
int proto, flags;
{
int flushed = 0, set;
@ -1733,19 +1754,35 @@ int flags;
if (flags & FR_OUTQUE) {
#ifdef USE_INET6
(void) frflushlist(set, unit, &flushed, &ipfilter6[1][set]);
(void) frflushlist(set, unit, &flushed, &ipacct6[1][set]);
if (proto == 0 || proto == 6) {
(void) frflushlist(set, unit,
&flushed, &ipfilter6[1][set]);
(void) frflushlist(set, unit,
&flushed, &ipacct6[1][set]);
}
#endif
(void) frflushlist(set, unit, &flushed, &ipfilter[1][set]);
(void) frflushlist(set, unit, &flushed, &ipacct[1][set]);
if (proto == 0 || proto == 4) {
(void) frflushlist(set, unit,
&flushed, &ipfilter[1][set]);
(void) frflushlist(set, unit,
&flushed, &ipacct[1][set]);
}
}
if (flags & FR_INQUE) {
#ifdef USE_INET6
(void) frflushlist(set, unit, &flushed, &ipfilter6[0][set]);
(void) frflushlist(set, unit, &flushed, &ipacct6[0][set]);
if (proto == 0 || proto == 6) {
(void) frflushlist(set, unit,
&flushed, &ipfilter6[0][set]);
(void) frflushlist(set, unit,
&flushed, &ipacct6[0][set]);
}
#endif
(void) frflushlist(set, unit, &flushed, &ipfilter[0][set]);
(void) frflushlist(set, unit, &flushed, &ipacct[0][set]);
if (proto == 0 || proto == 4) {
(void) frflushlist(set, unit,
&flushed, &ipfilter[0][set]);
(void) frflushlist(set, unit,
&flushed, &ipacct[0][set]);
}
}
RWLOCK_EXIT(&ipf_mutex);
return flushed;
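Review bot: The new `fr_checkp != fr_check` block restores the hook pointer and carries on, but it logs only once per 10000 detections and updates the function-local `static int counter` with no lock visible in the hunk, so on a multiprocessor kernel the count may be unreliable. An operator also gets almost no record of how often the packet-filter hook is being overwritten. An unexpected change to that pointer is an integrity event worth surfacing. At minimum add a comment such as `/* hook pointer was replaced behind our back: restore it, warn once per 10000 hits */`, and consider counting detections where the statistics interface can report them. In the later hunk, `frflush()` now flushes nothing and returns 0 for any `proto` other than 0, 4 or 6, so a comment on the accepted values would help callers; both function bodies extend outside their hunks.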


@ -12,7 +12,7 @@
# endif
# endif
#endif
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <stdio.h>
@ -32,8 +32,13 @@
(!defined(__FreeBSD_version) || (__FreeBSD_version < 430000))
# undef STATETOP
# endif
# if defined(__NetBSD_Version__) && (__NetBSD_Version__ < 105000000)
# undef STATETOP
# if defined(__NetBSD_Version__)
# if (__NetBSD_Version__ < 105000000)
# undef STATETOP
# else
# include <poll.h>
# define USE_POLL
# endif
# endif
# if defined(sun)
# if defined(__svr4__) || defined(__SVR4)
@ -94,7 +99,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.36 2002/06/27 14:29:16 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.40 2002/12/06 11:40:20 darrenr Exp $";
#endif
extern char *optarg;
@ -104,7 +109,8 @@ extern int optind;
#define FPRINTF (void)fprintf
#define F_IN 0
#define F_OUT 1
#define F_AC 2
#define F_ACIN 2
#define F_ACOUT 3
static char *filters[4] = { "ipfilter(in)", "ipfilter(out)",
"ipacct(in)", "ipacct(out)" };
@ -773,13 +779,22 @@ struct friostat *fiop;
if (opts & OPT_INACTIVE)
set = 1 - set;
if (opts & OPT_ACCNT) {
i = F_AC;
#ifdef USE_INET6
if ((use_inet6) && (opts & OPT_OUTQUE)) {
i = F_ACOUT;
fp = (struct frentry *)fiop->f_acctout6[set];
} else if ((use_inet6) && (opts & OPT_INQUE)) {
i = F_ACIN;
fp = (struct frentry *)fiop->f_acctin6[set];
} else
#endif
if (opts & OPT_OUTQUE) {
i = F_ACOUT;
fp = (struct frentry *)fiop->f_acctout[set];
i++;
} else if (opts & OPT_INQUE)
} else if (opts & OPT_INQUE) {
i = F_ACIN;
fp = (struct frentry *)fiop->f_acctin[set];
else {
} else {
FPRINTF(stderr, "No -i or -o given with -a\n");
return;
}
@ -807,7 +822,7 @@ struct friostat *fiop;
if (opts & OPT_VERBOSE)
PRINTF("fp %p set %d\n", fp, set);
if (!fp) {
if (fp == NULL) {
FPRINTF(stderr, "empty list for %s%s\n",
(opts & OPT_INACTIVE) ? "inactive " : "", filters[i]);
return;
@ -915,12 +930,16 @@ int topclosed;
ipstate_t *istab[IPSTATE_SIZE], ips;
ips_stat_t ipsst, *ipsstp = &ipsst;
statetop_t *tstable = NULL, *tp;
struct timeval selecttimeout;
char hostnm[HOSTNMLEN];
struct protoent *proto;
fd_set readfd;
int c = 0;
time_t t;
#ifdef USE_POLL
struct pollfd set[1];
#else
struct timeval selecttimeout;
fd_set readfd;
#endif
/* open state device */
if ((sfd = open(IPL_STATE, O_RDONLY)) == -1) {
@ -1188,6 +1207,14 @@ int topclosed;
}
/* wait for key press or a 1 second time out period */
#ifdef USE_POLL
set[0].fd = 0;
set[0].events = POLLIN;
poll(set, 1, refreshtime * 1000);
/* if key pressed, read all waiting keys */
if (set[0].revents & POLLIN)
#else
selecttimeout.tv_sec = refreshtime;
selecttimeout.tv_usec = 0;
FD_ZERO(&readfd);
@ -1195,7 +1222,10 @@ int topclosed;
select(1, &readfd, NULL, NULL, &selecttimeout);
/* if key pressed, read all waiting keys */
if (FD_ISSET(0, &readfd)) {
if (FD_ISSET(0, &readfd))
#endif
{
c = wgetch(stdscr);
if (c == ERR)
continue;
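Review bot: In the `USE_POLL` branch the return value of `poll(set, 1, refreshtime * 1000)` is ignored and `set[0].revents` is tested straight afterwards; if the call fails, for example when interrupted by a signal, `revents` has not been written and the first pass reads an indeterminate value. Add `set[0].revents = 0;` before the call, or test `poll(...) > 0` before looking at `revents`. `refreshtime * 1000` can also overflow `int` for a large interval if that value comes from the command line, which is not visible here. The enclosing function starts and ends outside the hunk.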


@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <sys/errno.h>
@ -104,7 +104,7 @@ extern struct ifqueue ipintrq; /* ip packet input queue */
#endif
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.20 2002/06/04 14:40:42 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.24 2002/12/06 11:40:21 darrenr Exp $";
#endif
@ -292,9 +292,9 @@ ip_t *ip;
cv_signal(&ipfauthwait);
#else
# if defined(BSD) && !defined(sparc) && (BSD >= 199306)
if (!fin->fin_out) {
HTONS(ip->ip_len);
HTONS(ip->ip_off);
if (fin->fin_out == 0) {
ip->ip_len = htons(ip->ip_len);
ip->ip_off = htons(ip->ip_off);
}
# endif
fr_authpkts[i] = m;
@ -304,7 +304,7 @@ ip_t *ip;
}
int fr_auth_ioctl(data, mode, cmd, fr, frptr)
int fr_auth_ioctl(data, mode, cmd)
caddr_t data;
int mode;
#if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
@ -312,7 +312,6 @@ u_long cmd;
#else
int cmd;
#endif
frentry_t *fr, **frptr;
{
mb_t *m;
#if defined(_KERNEL) && !SOLARIS
@ -320,12 +319,15 @@ frentry_t *fr, **frptr;
int s;
#endif
frauth_t auth, *au = &auth, *fra;
frauthent_t *fae, **faep;
int i, error = 0;
switch (cmd)
{
case SIOCSTLCK :
if (!(mode & FWRITE)) {
error = EPERM;
break;
}
error = fr_lock(data, &fr_auth_lock);
break;
case SIOCINIFR :
@ -338,45 +340,8 @@ frentry_t *fr, **frptr;
break;
case SIOCRMAFR :
case SIOCADAFR :
for (faep = &fae_list; (fae = *faep); )
if (&fae->fae_fr == fr)
break;
else
faep = &fae->fae_next;
if (cmd == SIOCRMAFR) {
if (!fr || !frptr)
error = EINVAL;
else if (!fae)
error = ESRCH;
else {
WRITE_ENTER(&ipf_auth);
SPL_NET(s);
*faep = fae->fae_next;
*frptr = fr->fr_next;
SPL_X(s);
RWLOCK_EXIT(&ipf_auth);
KFREE(fae);
}
} else if (fr && frptr) {
KMALLOC(fae, frauthent_t *);
if (fae != NULL) {
bcopy((char *)fr, (char *)&fae->fae_fr,
sizeof(*fr));
WRITE_ENTER(&ipf_auth);
SPL_NET(s);
fae->fae_age = fr_defaultauthage;
fae->fae_fr.fr_hits = 0;
fae->fae_fr.fr_next = *frptr;
*frptr = &fae->fae_fr;
fae->fae_next = *faep;
*faep = fae;
ipauth = &fae_list->fae_fr;
SPL_X(s);
RWLOCK_EXIT(&ipf_auth);
} else
error = ENOMEM;
} else
error = EINVAL;
/* These commands go via request to fr_preauthcmd */
error = EINVAL;
break;
case SIOCATHST:
fr_authstats.fas_faelist = fae_list;
@ -630,3 +595,66 @@ void fr_authexpire()
RWLOCK_EXIT(&ipf_auth);
SPL_X(s);
}
int fr_preauthcmd(cmd, fr, frptr)
#if defined(__NetBSD__) || defined(__OpenBSD__) || \
(_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
u_long cmd;
#else
int cmd;
#endif
frentry_t *fr, **frptr;
{
frauthent_t *fae, **faep;
int error = 0;
#if defined(KERNEL) && !SOLARIS
int s;
#endif
if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) {
/* Should not happen */
printf("fr_preauthcmd called with bad cmd 0x%lx", (u_long)cmd);
return EIO;
}
for (faep = &fae_list; (fae = *faep); )
if (&fae->fae_fr == fr)
break;
else
faep = &fae->fae_next;
if (cmd == SIOCRMAFR) {
if (!fr || !frptr)
error = EINVAL;
else if (!fae)
error = ESRCH;
else {
WRITE_ENTER(&ipf_auth);
SPL_NET(s);
*faep = fae->fae_next;
*frptr = fr->fr_next;
SPL_X(s);
RWLOCK_EXIT(&ipf_auth);
KFREE(fae);
}
} else if (fr && frptr) {
KMALLOC(fae, frauthent_t *);
if (fae != NULL) {
bcopy((char *)fr, (char *)&fae->fae_fr,
sizeof(*fr));
WRITE_ENTER(&ipf_auth);
SPL_NET(s);
fae->fae_age = fr_defaultauthage;
fae->fae_fr.fr_hits = 0;
fae->fae_fr.fr_next = *frptr;
*frptr = &fae->fae_fr;
fae->fae_next = *faep;
*faep = fae;
ipauth = &fae_list->fae_fr;
SPL_X(s);
RWLOCK_EXIT(&ipf_auth);
} else
error = ENOMEM;
} else
error = EINVAL;
return error;
}
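Review bot: `fr_preauthcmd()` walks `fae_list` to find `faep` before it takes `WRITE_ENTER(&ipf_auth)` and then writes through `faep` under the lock; unless every caller already serialises against the other writers of that list (not visible here), the entry can be unlinked between the lookup and its use. Do the lookup under the same write lock, or re-validate `*faep` after acquiring it. The declaration of `s` is guarded by `defined(KERNEL)` while `fr_auth_ioctl()` in this file uses `defined(_KERNEL)`, so unless a compatibility header defines both, `SPL_NET(s)` may refer to an undeclared variable. The "bad cmd" `printf` is also missing a trailing `\n`.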


@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: ip_auth.h,v 2.3.2.5 2001/11/04 13:15:51 darrenr Exp $
* $Id: ip_auth.h,v 2.3.2.6 2002/10/26 07:03:00 darrenr Exp $
*
*/
#ifndef __IP_AUTH_H__
@ -54,8 +54,10 @@ extern mb_t *fr_authpkts[];
extern int fr_newauth __P((mb_t *, fr_info_t *, ip_t *));
#if defined(__NetBSD__) || defined(__OpenBSD__) || \
(__FreeBSD_version >= 300003)
extern int fr_auth_ioctl __P((caddr_t, int, u_long, frentry_t *, frentry_t **));
extern int fr_preauthcmd __P((u_long, frentry_t *, frentry_t **));
extern int fr_auth_ioctl __P((caddr_t, int, u_long));
#else
extern int fr_auth_ioctl __P((caddr_t, int, int, frentry_t *, frentry_t **));
extern int fr_preauthcmd __P((int, frentry_t *, frentry_t **));
extern int fr_auth_ioctl __P((caddr_t, int, int));
#endif
#endif /* __IP_AUTH_H__ */
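Review bot: The `fr_preauthcmd` prototype picks `u_long` for `cmd` under `defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)`, but the definition in the ip_auth.c section on this page also selects `u_long` for `(_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)`. On BSD/OS and on FreeBSD versions 300000 to 300002 the declared and defined parameter types therefore disagree. Depending on the compiler this is either a build failure or, with the K&R-style definition, an ioctl command passed at the wrong width. Put the condition in one macro and test that macro in both the header and the source file.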


@ -4,7 +4,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_compat.h 1.8 1/14/96
* $Id: ip_compat.h,v 2.26.2.46 2002/06/27 14:39:40 darrenr Exp $
* $Id: ip_compat.h,v 2.26.2.47 2002/10/26 06:24:42 darrenr Exp $
*/
#ifndef __IP_COMPAT_H__
@ -532,6 +532,7 @@ extern ill_t *get_unit __P((char *, int));
# ifdef sun
# if !SOLARIS
# include <sys/time.h>
# include <sys/kmem_alloc.h>
# define GETUNIT(n, v) ifunit(n, IFNAMSIZ)
# define IFNAME(x) ((struct ifnet *)x)->if_name
@ -654,6 +655,7 @@ extern vm_map_t kmem_map;
# define IWCOPYPTR iwcopyptr
# define IFNAME(x) get_ifname((struct ifnet *)x)
# define UIOMOVE(a,b,c,d) ipfuiomove(a,b,c,d)
# include <sys/time.h>
extern void m_copydata __P((mb_t *, int, int, caddr_t));
extern int ipfuiomove __P((caddr_t, int, int, struct uio *));
#endif /* KERNEL */


@ -24,7 +24,7 @@
# include <osreldate.h>
# endif
#endif
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# define _KMEMUSER
# include <sys/ptimers.h>
#endif
@ -117,10 +117,14 @@
# include <sys/kernel.h>
extern int ip_optcopy __P((struct ip *, struct ip *));
#endif
#if defined(OpenBSD) && (OpenBSD >= 200211) && defined(_KERNEL)
extern int ip6_getpmtu(struct route_in6 *, struct route_in6 *,
struct ifnet *, struct in6_addr *, u_long *);
#endif
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.60 2002/08/28 12:40:39 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.64 2002/12/06 11:45:45 darrenr Exp $";
#endif
@ -192,6 +196,15 @@ struct timeout ipfr_slowtimer_ch;
toid_t ipfr_slowtimer_ch;
#endif
#if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000) && \
defined(_KERNEL)
# include <sys/conf.h>
const struct cdevsw ipl_cdevsw = {
iplopen, iplclose, iplread, nowrite, iplioctl,
nostop, notty, nopoll, nommap,
};
#endif
#if (_BSDI_VERSION >= 199510) && defined(_KERNEL)
# include <sys/device.h>
# include <sys/conf.h>
@ -319,7 +332,7 @@ int count;
# endif
# if defined(__NetBSD__)
# if defined(__NetBSD__) || defined(__OpenBSD__)
int ipl_enable()
# else
int iplattach()
@ -363,10 +376,13 @@ int iplattach()
# ifdef NETBSD_PF
# if (__NetBSD_Version__ >= 104200000) || (__FreeBSD_version >= 500011)
# if __NetBSD_Version__ >= 105110000
if (
!(ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET))
ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
# ifdef USE_INET6
&& !(ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6))
ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
# endif
if (ph_inet == NULL
# ifdef USE_INET6
&& ph_inet6 == NULL
# endif
)
return ENODEV;
@ -484,7 +500,8 @@ int ipldetach()
# endif
{
int s, i;
#if defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000)
#if defined(NETBSD_PF) && \
((__NetBSD_Version__ >= 104200000) || (__FreeBSD_version >= 500011))
int error = 0;
# if __NetBSD_Version__ >= 105150000
struct pfil_head *ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
@ -524,8 +541,8 @@ int ipldetach()
printf("%s unloaded\n", ipfilter_version);
fr_checkp = fr_savep;
i = frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
i += frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE);
i = frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
i += frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE);
fr_running = 0;
# ifdef NETBSD_PF
@ -670,7 +687,16 @@ int mode;
if (!fr_running)
error = EIO;
else
error = fr_auth_ioctl(data, mode, cmd, NULL, NULL);
if ((cmd == SIOCADAFR) || (cmd == SIOCRMAFR)) {
if (!(mode & FWRITE)) {
error = EPERM;
} else {
error = frrequest(unit, cmd, data,
fr_active);
}
} else {
error = fr_auth_ioctl(data, mode, cmd);
}
SPL_X(s);
return error;
}
@ -694,7 +720,7 @@ int mode;
if (error)
break;
if (enable)
# if defined(__NetBSD__)
# if defined(__NetBSD__) || defined(__OpenBSD__)
error = ipl_enable();
# else
error = iplattach();
@ -767,12 +793,26 @@ int mode;
else {
error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
if (!error) {
tmp = frflush(unit, tmp);
tmp = frflush(unit, 4, tmp);
error = IWCOPY((caddr_t)&tmp, data,
sizeof(tmp));
}
}
break;
#ifdef USE_INET6
case SIOCIPFL6 :
if (!(mode & FWRITE))
error = EPERM;
else {
error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
if (!error) {
tmp = frflush(unit, 6, tmp);
error = IWCOPY((caddr_t)&tmp, data,
sizeof(tmp));
}
}
break;
#endif
case SIOCSTLCK :
error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
if (!error) {
@ -797,12 +837,6 @@ int mode;
if (error)
error = EFAULT;
break;
case SIOCAUTHW :
case SIOCAUTHR :
if (!(mode & FWRITE)) {
error = EPERM;
break;
}
case SIOCFRSYN :
if (!(mode & FWRITE))
error = EPERM;
@ -1008,6 +1042,9 @@ caddr_t data;
return EBUSY;
if (fg && fg->fg_head)
fg->fg_head->fr_ref--;
if (unit == IPL_LOGAUTH) {
return fr_preauthcmd(req, f, ftail);
}
if (f->fr_grhead)
fr_delgroup((u_int)f->fr_grhead, fp->fr_flags,
unit, set);
@ -1022,6 +1059,9 @@ caddr_t data;
if (f)
error = EEXIST;
else {
if (unit == IPL_LOGAUTH) {
return fr_preauthcmd(req, fp, ftail);
}
KMALLOC(f, frentry_t *);
if (f != NULL) {
if (fg && fg->fg_head)
@ -1247,7 +1287,8 @@ struct mbuf **mp;
ip->ip_tos = oip->ip_tos;
ip->ip_id = oip->ip_id;
# if defined(__NetBSD__) || defined(__OpenBSD__)
# if defined(__NetBSD__) || \
(defined(__OpenBSD__) && (OpenBSD >= 200012))
if (ip_mtudisc != 0)
ip->ip_off = IP_DF;
# else
@ -1482,7 +1523,7 @@ void
iplinit()
{
# if defined(__NetBSD__)
# if defined(__NetBSD__) || defined(__OpenBSD__)
if (ipl_enable() != 0)
# else
if (iplattach() != 0)
@ -1587,7 +1628,7 @@ frdest_t *fdp;
/*
* Route packet.
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX >= 605)
ROUTE_RDLOCK();
#endif
bzero((caddr_t)ro, sizeof (*ro));
@ -1627,7 +1668,7 @@ frdest_t *fdp;
rtalloc(ro);
# endif
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
ROUTE_UNLOCK();
#endif
@ -1898,6 +1939,12 @@ frdest_t *fdp;
struct route_in6 *ro;
struct ifnet *ifp;
frentry_t *fr;
#if defined(OpenBSD) && (OpenBSD >= 200211)
struct route_in6 *ro_pmtu = NULL;
struct in6_addr finaldst;
ip6_t *ip6;
#endif
u_long mtu;
int error;
ifp = NULL;
@ -1935,11 +1982,23 @@ frdest_t *fdp;
dst6 = (struct sockaddr_in6 *)ro->ro_rt->rt_gateway;
ro->ro_rt->rt_use++;
if (m0->m_pkthdr.len <= nd_ifinfo[ifp->if_index].linkmtu)
error = nd6_output(ifp, fin->fin_ifp, m0, dst6,
ro->ro_rt);
else
error = EMSGSIZE;
#if defined(OpenBSD) && (OpenBSD >= 200211)
ip6 = mtod(m0, ip6_t *);
ro_pmtu = ro;
finaldst = ip6->ip6_dst;
error = ip6_getpmtu(ro_pmtu, ro, ifp, &finaldst, &mtu);
if (error == 0) {
#else
mtu = nd_ifinfo[ifp->if_index].linkmtu;
#endif
if (m0->m_pkthdr.len <= mtu)
error = nd6_output(ifp, fin->fin_ifp, m0,
dst6, ro->ro_rt);
else
error = EMSGSIZE;
#if defined(OpenBSD) && (OpenBSD >= 200211)
}
#endif
}
if (ro->ro_rt != NULL) {


@ -4,7 +4,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_fil.h 1.35 6/5/96
* $Id: ip_fil.h,v 2.29.2.33 2002/06/04 14:46:28 darrenr Exp $
* $Id: ip_fil.h,v 2.29.2.34 2002/10/01 15:23:37 darrenr Exp $
*/
#ifndef __IP_FIL_H__
@ -63,6 +63,7 @@
# define SIOCSTGET _IOWR('r', 81, struct ipstate_save *)
# define SIOCSTGSZ _IOWR('r', 82, struct natget)
# define SIOCGFRST _IOWR('r', 83, struct ipfrstat *)
# define SIOCIPFL6 _IOWR('r', 84, int)
#else
# define SIOCADAFR _IOW(r, 60, struct frentry *)
# define SIOCRMAFR _IOW(r, 61, struct frentry *)
@ -88,6 +89,7 @@
# define SIOCSTGET _IOWR(r, 81, struct ipstate_save *)
# define SIOCSTGSZ _IOWR(r, 82, struct natget)
# define SIOCGFRST _IOWR(r, 83, struct ipfrstat *)
# define SIOCIPFL6 _IOWR(r, 84, int)
#endif
#define SIOCADDFR SIOCADAFR
#define SIOCDELFR SIOCRMAFR
@ -412,14 +414,16 @@ typedef struct frgroup {
* structure which is then followed by any packet data.
*/
typedef struct iplog {
u_32_t ipl_magic;
u_int ipl_count;
u_long ipl_sec;
u_long ipl_usec;
size_t ipl_dsize;
u_32_t ipl_magic;
u_int ipl_count;
struct timeval ipl_tv;
size_t ipl_dsize;
struct iplog *ipl_next;
} iplog_t;
#define ipl_sec ipl_tv.tv_sec
#define ipl_usec ipl_tv.tv_usec
#define IPL_MAGIC 0x49504c4d /* 'IPLM' */
#define IPLOG_SIZE sizeof(iplog_t)
@ -612,7 +616,7 @@ extern int ipflog __P((u_int, ip_t *, fr_info_t *, mb_t *));
extern int ipllog __P((int, fr_info_t *, void **, size_t *, int *, int));
extern int ipflog_read __P((minor_t, struct uio *));
extern int frflush __P((minor_t, int));
extern int frflush __P((minor_t, int, int));
extern void frsync __P((void));
extern frgroup_t *fr_addgroup __P((u_32_t, frentry_t *, minor_t, int));
extern void fr_delgroup __P((u_32_t, u_32_t, minor_t, int));
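Review bot: The `typedef struct iplog` hunk replaces the two `u_long` time fields with `struct timeval ipl_tv`, which changes the record layout on any platform where `struct timeval` is not two `u_long`s, while `IPL_MAGIC` keeps the value 0x49504c4d. A log reader built against the old header would then accept the magic and misread `ipl_dsize` and the data that follows; this is inferred from the struct alone, since no reader is part of this section. I would add a comment above the struct, such as `/* layout is shared with userland log readers; rebuild them with the kernel when it changes */`, or change the magic together with the layout.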


@ -7,7 +7,7 @@
# define _KERNEL
#endif
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <sys/errno.h>
@ -90,7 +90,7 @@ extern struct timeout ipfr_slowtimer_ch;
#if !defined(lint)
static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.24 2002/08/28 12:41:04 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.25 2002/12/06 11:40:21 darrenr Exp $";
#endif


@ -2,7 +2,7 @@
* Simple FTP transparent proxy for in-kernel use. For use with the NAT
* code.
*
* $Id: ip_ftp_pxy.c,v 2.7.2.38 2002/08/28 12:45:47 darrenr Exp $
* $Id: ip_ftp_pxy.c,v 2.7.2.42 2002/11/25 21:42:35 darrenr Exp $
*/
#if SOLARIS && defined(_KERNEL)
extern kmutex_t ipf_rw;
@ -39,24 +39,30 @@ extern kmutex_t ipf_rw;
#define FTPXY_PASS_2 14
#define FTPXY_PAOK_2 15
/*
* Values for FTP commands. Numerics cover 0-999
*/
#define FTPXY_C_PASV 1000
int ippr_ftp_client __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int));
int ippr_ftp_complete __P((char *, size_t));
int ippr_ftp_in __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
int ippr_ftp_init __P((void));
int ippr_ftp_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
int ippr_ftp_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
int ippr_ftp_pasv __P((fr_info_t *, ip_t *, nat_t *, ftpside_t *, int));
int ippr_ftp_pasv __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int));
int ippr_ftp_port __P((fr_info_t *, ip_t *, nat_t *, ftpside_t *, int));
int ippr_ftp_process __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int));
int ippr_ftp_server __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int));
int ippr_ftp_valid __P((int, char *, size_t));
int ippr_ftp_server_valid __P((char *, size_t));
int ippr_ftp_client_valid __P((char *, size_t));
int ippr_ftp_valid __P((ftpinfo_t *, int, char *, size_t));
int ippr_ftp_server_valid __P((ftpside_t *, char *, size_t));
int ippr_ftp_client_valid __P((ftpside_t *, char *, size_t));
u_short ippr_ftp_atoi __P((char **));
static frentry_t ftppxyfr;
int ippr_ftp_pasvonly = 0;
int ippr_ftp_insecure = 0;
int ippr_ftp_forcepasv = 0;
/*
@ -123,8 +129,13 @@ int dlen;
/*
* Check for client sending out PORT message.
*/
if (dlen < IPF_MINPORTLEN)
if (dlen < IPF_MINPORTLEN) {
#if !defined(_KERNEL) && !defined(KERNEL)
fprintf(stdout,
"ippr_ftp_port:dlen(%d) < IPF_MINPORTLEN\n", dlen);
#endif
return 0;
}
off = fin->fin_hlen + (tcp->th_off << 2);
/*
* Skip the PORT command + space
@ -134,23 +145,39 @@ int dlen;
* Pick out the address components, two at a time.
*/
a1 = ippr_ftp_atoi(&s);
if (!s)
if (s == NULL) {
#if !defined(_KERNEL) && !defined(KERNEL)
fprintf(stdout, "ippr_ftp_port:ippr_ftp_atoi(1) failed\n");
#endif
return 0;
}
a2 = ippr_ftp_atoi(&s);
if (!s)
if (s == NULL) {
#if !defined(_KERNEL) && !defined(KERNEL)
fprintf(stdout, "ippr_ftp_port:ippr_ftp_atoi(2) failed\n");
#endif
return 0;
}
/*
* check that IP address in the PORT/PASV reply is the same as the
* sender of the command - prevents using PORT for port scanning.
*/
a1 <<= 16;
a1 |= a2;
if (a1 != ntohl(nat->nat_inip.s_addr))
if (a1 != ntohl(nat->nat_inip.s_addr)) {
#if !defined(_KERNEL) && !defined(KERNEL)
fprintf(stdout, "ippr_ftp_port:a1 != nat->nat_inip\n");
#endif
return 0;
}
a5 = ippr_ftp_atoi(&s);
if (!s)
if (s == NULL) {
#if !defined(_KERNEL) && !defined(KERNEL)
fprintf(stdout, "ippr_ftp_port:ippr_ftp_atoi(3) failed\n");
#endif
return 0;
}
if (*s == ')')
s++;
@ -162,8 +189,12 @@ int dlen;
if ((*s == '\r') && (*(s + 1) == '\n')) {
s += 2;
a6 = a5 & 0xff;
} else
} else {
#if !defined(_KERNEL) && !defined(KERNEL)
fprintf(stdout, "ippr_ftp_port:missing cr-lf\n");
#endif
return 0;
}
a5 >>= 8;
a5 &= 0xff;
/*
@ -181,8 +212,13 @@ int dlen;
nlen = strlen(newbuf);
inc = nlen - olen;
if ((inc + ip->ip_len) > 65535)
if ((inc + ip->ip_len) > 65535) {
#if !defined(_KERNEL) && !defined(KERNEL)
fprintf(stdout,
"ippr_ftp_port:inc(%d) + ip->ip_len > 65535\n", inc);
#endif
return 0;
}
#if !defined(_KERNEL)
m = *((mb_t **)fin->fin_mp);
@ -253,8 +289,13 @@ int dlen;
* Don't allow the PORT command to specify a port < 1024 due to
* security crap.
*/
if (sp < 1024)
if (sp < 1024) {
#if !defined(_KERNEL) && !defined(KERNEL)
fprintf(stdout, "ippr_ftp_port:sp(%d) < 1024\n", sp);
#endif
return 0;
}
/*
* The server may not make the connection back from port 20, but
* it is the most likely so use it here to check for a conflicting
@ -369,11 +410,11 @@ int dlen;
}
int ippr_ftp_pasv(fin, ip, nat, f, dlen)
int ippr_ftp_pasv(fin, ip, nat, ftp, dlen)
fr_info_t *fin;
ip_t *ip;
nat_t *nat;
ftpside_t *f;
ftpinfo_t *ftp;
int dlen;
{
tcphdr_t *tcp, tcph, *tcp2 = &tcph;
@ -381,23 +422,45 @@ int dlen;
u_int a1, a2, a3, a4;
u_short a5, a6, dp;
fr_info_t fi;
ftpside_t *f;
nat_t *ipn;
int inc;
char *s;
if (ippr_ftp_forcepasv != 0 &&
ftp->ftp_side[0].ftps_cmds != FTPXY_C_PASV) {
#if !defined(_KERNEL) && !defined(KERNEL)
fprintf(stdout,
"ippr_ftp_pasv:ftps_cmds(%d) != FTPXY_C_PASV\n",
ftp->ftp_side[0].ftps_cmds);
#endif
return 0;
}
f = &ftp->ftp_side[1];
#define PASV_REPLEN 24
/*
* Check for PASV reply message.
*/
if (dlen < IPF_MIN227LEN)
if (dlen < IPF_MIN227LEN) {
#if !defined(_KERNEL) && !defined(KERNEL)
fprintf(stdout,
"ippr_ftp_pasv:dlen(%d) < IPF_MIN227LEN\n", dlen);
#endif
return 0;
else if (strncmp(f->ftps_rptr, "227 Entering Passive Mod", PASV_REPLEN))
} else if (strncmp(f->ftps_rptr,
"227 Entering Passive Mod", PASV_REPLEN)) {
#if !defined(_KERNEL) && !defined(KERNEL)
fprintf(stdout, "ippr_ftp_pasv:227 reply wrong\n");
#endif
return 0;
}
tcp = (tcphdr_t *)fin->fin_dp;
/*
* Skip the PORT command + space
* Skip the PASV reply + space
*/
s = f->ftps_rptr + PASV_REPLEN;
while (*s && !isdigit(*s))
@ -406,11 +469,19 @@ int dlen;
* Pick out the address components, two at a time.
*/
a1 = ippr_ftp_atoi(&s);
if (!s)
if (s == NULL) {
#if !defined(_KERNEL) && !defined(KERNEL)
fprintf(stdout, "ippr_ftp_pasv:ippr_ftp_atoi(1) failed\n");
#endif
return 0;
}
a2 = ippr_ftp_atoi(&s);
if (!s)
if (s == NULL) {
#if !defined(_KERNEL) && !defined(KERNEL)
fprintf(stdout, "ippr_ftp_pasv:ippr_ftp_atoi(2) failed\n");
#endif
return 0;
}
/*
* check that IP address in the PORT/PASV reply is the same as the
@ -418,12 +489,20 @@ int dlen;
*/
a1 <<= 16;
a1 |= a2;
if (a1 != ntohl(nat->nat_oip.s_addr))
if (a1 != ntohl(nat->nat_oip.s_addr)) {
#if !defined(_KERNEL) && !defined(KERNEL)
fprintf(stdout, "ippr_ftp_pasv:a1 != nat->nat_oip\n");
#endif
return 0;
}
a5 = ippr_ftp_atoi(&s);
if (!s)
if (s == NULL) {
#if !defined(_KERNEL) && !defined(KERNEL)
fprintf(stdout, "ippr_ftp_pasv:ippr_ftp_atoi(3) failed\n");
#endif
return 0;
}
if (*s == ')')
s++;
@ -437,8 +516,12 @@ int dlen;
if ((*s == '\r') && (*(s + 1) == '\n')) {
s += 2;
a6 = a5 & 0xff;
} else
} else {
#if !defined(_KERNEL) && !defined(KERNEL)
fprintf(stdout, "ippr_ftp_pasv:missing cr-lf\n");
#endif
return 0;
}
a5 >>= 8;
/*
* Calculate new address parts for 227 reply
@ -580,9 +663,9 @@ int dlen;
return 0;
if (ftp->ftp_passok == FTPXY_GO) {
if (!strncmp(rptr, "227 ", 4))
inc = ippr_ftp_pasv(fin, ip, nat, f, dlen);
inc = ippr_ftp_pasv(fin, ip, nat, ftp, dlen);
} else if (ippr_ftp_insecure && !strncmp(rptr, "227 ", 4)) {
inc = ippr_ftp_pasv(fin, ip, nat, f, dlen);
inc = ippr_ftp_pasv(fin, ip, nat, ftp, dlen);
} else if (*rptr == '5' || *rptr == '4')
ftp->ftp_passok = FTPXY_INIT;
else if (ftp->ftp_incok) {
@ -608,6 +691,7 @@ int dlen;
}
}
ftp->ftp_incok = 0;
while ((*rptr++ != '\n') && (rptr < wptr))
;
f->ftps_rptr = rptr;
@ -619,100 +703,150 @@ int dlen;
* Look to see if the buffer starts with something which we recognise as
* being the correct syntax for the FTP protocol.
*/
int ippr_ftp_client_valid(buf, len)
int ippr_ftp_client_valid(ftps, buf, len)
ftpside_t *ftps;
char *buf;
size_t len;
{
register char *s, c;
register size_t i = len;
char cmd[5];
if (i < 5)
if (i < 5) {
#if !defined(_KERNEL) && !defined(KERNEL)
fprintf(stdout, "ippr_ftp_client_valid:i(%d) < 5\n", i);
#endif
return 2;
}
s = buf;
c = *s++;
i--;
if (isalpha(c)) {
cmd[0] = toupper(c);
c = *s++;
i--;
if (isalpha(c)) {
cmd[1] = toupper(c);
c = *s++;
i--;
if (isalpha(c)) {
cmd[2] = toupper(c);
c = *s++;
i--;
if (isalpha(c)) {
cmd[3] = toupper(c);
c = *s++;
i--;
if ((c != ' ') && (c != '\r'))
return 1;
goto bad_client_command;
} else if ((c != ' ') && (c != '\r'))
return 1;
goto bad_client_command;
} else
return 1;
goto bad_client_command;
} else
return 1;
} else
goto bad_client_command;
} else {
bad_client_command:
#if !defined(_KERNEL) && !defined(KERNEL)
fprintf(stdout,
"ippr_ftp_client_valid:bad cmd:len %d i %d c 0x%x\n",
i, len, c);
#endif
return 1;
}
for (; i; i--) {
c = *s++;
if (c == '\n')
if (c == '\n') {
cmd[4] = '\0';
if (!strcmp(cmd, "PASV"))
ftps->ftps_cmds = FTPXY_C_PASV;
else
ftps->ftps_cmds = 0;
return 0;
}
}
#if !defined(_KERNEL) && !defined(KERNEL)
fprintf(stdout, "ippr_ftp_client_valid:junk after cmd[%s]\n", buf);
#endif
return 2;
}
int ippr_ftp_server_valid(buf, len)
int ippr_ftp_server_valid(ftps, buf, len)
ftpside_t *ftps;
char *buf;
size_t len;
{
register char *s, c;
register size_t i = len;
int cmd;
if (i < 5)
return 2;
s = buf;
c = *s++;
cmd = 0;
i--;
if (isdigit(c)) {
cmd = (c - '0') * 100;
c = *s++;
i--;
if (isdigit(c)) {
cmd += (c - '0') * 10;
c = *s++;
i--;
if (isdigit(c)) {
cmd += (c - '0');
c = *s++;
i--;
if ((c != '-') && (c != ' '))
return 1;
goto bad_server_command;
} else
return 1;
goto bad_server_command;
} else
return 1;
} else
goto bad_server_command;
} else {
bad_server_command:
#if !defined(_KERNEL) && !defined(KERNEL)
fprintf(stdout,
"ippr_ftp_server_valid:bad cmd:len %d i %d c 0x%x\n",
i, len, c);
#endif
return 1;
}
for (; i; i--) {
c = *s++;
if (c == '\n')
if (c == '\n') {
ftps->ftps_cmds = cmd;
return 0;
}
}
#if !defined(_KERNEL) && !defined(KERNEL)
fprintf(stdout, "ippr_ftp_server_valid:junk after cmd[%s]\n", buf);
#endif
return 2;
}
int ippr_ftp_valid(side, buf, len)
int ippr_ftp_valid(ftp, side, buf, len)
ftpinfo_t *ftp;
int side;
char *buf;
size_t len;
{
ftpside_t *ftps;
int ret;
ftps = &ftp->ftp_side[side];
if (side == 0)
ret = ippr_ftp_client_valid(buf, len);
ret = ippr_ftp_client_valid(ftps, buf, len);
else
ret = ippr_ftp_server_valid(buf, len);
ret = ippr_ftp_server_valid(ftps, buf, len);
return ret;
}
@ -814,9 +948,10 @@ int rv;
#endif
ok = 0;
if (t->ftps_seq[0] == 0)
t->ftps_seq[0] = thack, ok = 1;
else {
if (t->ftps_seq[0] == 0) {
t->ftps_seq[0] = thack;
ok = 1;
} else {
if (ackoff == 0) {
if (t->ftps_seq[0] == thack)
ok = 1;
@ -845,20 +980,24 @@ int rv;
#endif
if (!mlen) {
if (t->ftps_seq[0] + ackoff != thack)
if (t->ftps_seq[0] + ackoff != thack) {
#if !defined(_KERNEL) && !defined(KERNEL)
fprintf(stdout,
"ippr_ftp_process:seq[0](%x) + ackoff(%x) != thack(%x)\n",
t->ftps_seq[0], ackoff, thack);
#endif
return APR_ERR(1);
}
#if PROXY_DEBUG
printf("f:seq[0] %x seq[1] %x\n", f->ftps_seq[0], f->ftps_seq[1]);
#endif
if (tcp->th_flags & TH_FIN) {
if (thseq + seqoff == f->ftps_seq[0] + 1 ||
f->ftps_seq[0] + seqoff + 1 == thseq ||
thseq + seqoff == f->ftps_seq[0] ||
thseq == f->ftps_seq[0] + seqoff)
;
else {
#if PROXY_DEBUG
if (thseq == f->ftps_seq[1]) {
f->ftps_seq[0] = f->ftps_seq[1] - seqoff;
f->ftps_seq[1] = thseq + 1 - seqoff;
} else {
#if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL))
printf("FIN: thseq %x seqoff %d ftps_seq %x\n",
thseq, seqoff, f->ftps_seq[0]);
#endif
@ -870,17 +1009,19 @@ int rv;
}
ok = 0;
if (thseq == f->ftps_seq[0] || thseq == f->ftps_seq[1])
if ((thseq == f->ftps_seq[0]) || (thseq == f->ftps_seq[1])) {
ok = 1;
/*
* Retransmitted data packet.
*/
else if (thseq + mlen == f->ftps_seq[0] ||
thseq + mlen == f->ftps_seq[1])
} else if ((thseq + mlen == f->ftps_seq[0]) ||
(thseq + mlen == f->ftps_seq[1])) {
ok = 1;
}
if (ok == 0) {
inc = thseq - f->ftps_seq[0];
#if PROXY_DEBUG
#if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL))
printf("inc %d sel %d rv %d\n", inc, sel, rv);
printf("th_seq %x ftps_seq %x/%x\n", thseq, f->ftps_seq[0],
f->ftps_seq[1]);
@ -917,10 +1058,12 @@ int rv;
wptr += len;
f->ftps_wptr = wptr;
if (f->ftps_junk == 2)
f->ftps_junk = ippr_ftp_valid(rv, rptr, wptr - rptr);
f->ftps_junk = ippr_ftp_valid(ftp, rv, rptr,
wptr - rptr);
while ((f->ftps_junk == 0) && (wptr > rptr)) {
f->ftps_junk = ippr_ftp_valid(rv, rptr, wptr - rptr);
f->ftps_junk = ippr_ftp_valid(ftp, rv, rptr,
wptr - rptr);
if (f->ftps_junk == 0) {
f->ftps_cmds++;
len = wptr - rptr;
@ -942,6 +1085,10 @@ int rv;
*/
if ((f->ftps_cmds == 0) && (f->ftps_junk == 1)) {
/* f->ftps_seq[1] += inc; */
#if !defined(_KERNEL) && !defined(KERNEL)
fprintf(stdout,
"ippr_ftp_process:cmds == 0 junk == 1\n");
#endif
return APR_ERR(2);
}
@ -985,18 +1132,17 @@ int rv;
/* f->ftps_seq[1] += inc; */
if (tcp->th_flags & TH_FIN)
f->ftps_seq[1]++;
#ifndef _KERNEL
mlen = mbuflen(m);
#else
# if SOLARIS
mlen = msgdsize(m);
# else
mlen = mbufchainlen(m);
# endif
#endif
off = fin->fin_hlen + (tcp->th_off << 2);
mlen -= off;
#if PROXY_DEBUG
# ifndef _KERNEL
mlen = mbuflen(m);
# else
# if SOLARIS
mlen = msgdsize(m);
# else
mlen = mbufchainlen(m);
# endif
# endif
mlen -= off;
printf("ftps_seq[1] = %x inc %d len %d\n", f->ftps_seq[1], inc, mlen);
#endif
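Review bot: `ftps_cmds` now serves two purposes: `ippr_ftp_client_valid()` and `ippr_ftp_server_valid()` overwrite it with the parsed command (`FTPXY_C_PASV`, 0, or the reply code), while `ippr_ftp_process()` still does `f->ftps_cmds++` right after `ippr_ftp_valid()` returns 0 and still tests `f->ftps_cmds == 0`. From the lines shown, a PASV command would leave the field at `FTPXY_C_PASV + 1` by the time `ippr_ftp_pasv()` compares it, so with `ippr_ftp_forcepasv` set the 227 reply would be rejected; the code between those points is outside the hunks, so this needs confirming. The `ftps_cmd` member this commit adds to `ftpside_t` in ip_proxy.h looks like the intended home: `ftps->ftps_cmd = FTPXY_C_PASV;` in the validators and `ftp->ftp_side[0].ftps_cmd != FTPXY_C_PASV` in `ippr_ftp_pasv()`. Separately, `cmd[3]` is never written for a three-letter command before `strcmp(cmd, "PASV")` reads it.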


@ -4,7 +4,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.6.2.4 2002/03/06 09:44:11 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.6.2.5 2002/10/03 13:47:19 darrenr Exp $";
#endif
#if defined(KERNEL) && !defined(_KERNEL)
@ -327,15 +327,6 @@ int iplioctl(dev_t dev, int cmd, caddr_t data, int mode)
error = IWCOPYPTR((caddr_t)ipfr_fragstats(), data,
sizeof(ipfrstat_t));
break;
case SIOCAUTHW :
case SIOCAUTHR :
if (!(mode & FWRITE)) {
error = EPERM;
break;
}
case SIOCATHST :
error = fr_auth_ioctl(data, mode, cmd, NULL, NULL);
break;
case SIOCFRSYN :
if (!(mode & FWRITE))
error = EPERM;


@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: ip_log.c,v 2.5.2.19 2002/04/25 16:32:48 darrenr Exp $
* $Id: ip_log.c,v 2.5.2.21 2002/10/26 06:21:30 darrenr Exp $
*/
#include <sys/param.h>
#if defined(KERNEL) && !defined(_KERNEL)
@ -99,6 +99,9 @@
# include <netinet/tcp.h>
# include <netinet/udp.h>
# include <netinet/ip_icmp.h>
# ifdef USE_INET6
# include <netinet/icmp6.h>
# endif
# include <netinet/ip_var.h>
# ifndef _KERNEL
# include <syslog.h>
@ -211,6 +214,26 @@ mb_t *m;
break;
}
}
#ifdef USE_INET6
else if (p == IPPROTO_ICMPV6) {
struct icmp6_hdr *icmp;
icmp = (struct icmp6_hdr *)fin->fin_dp;
/*
* For ICMPV6, if the packet is an error packet, also
* include the information about the packet which
* caused the error.
*/
if (icmp->icmp6_type < 128) {
hlen += MIN(sizeof(struct icmp6_hdr) + 8,
fin->fin_dlen);
} else {
hlen += MIN(sizeof(struct icmp6_hdr),
fin->fin_dlen);
}
}
#endif
}
/*
* Get the interface number and name to which this packet is
@ -334,10 +357,10 @@ int *types, cnt;
ipl->ipl_dsize = len;
# ifdef _KERNEL
# if SOLARIS || defined(sun)
uniqtime((struct timeval *)&ipl->ipl_sec);
uniqtime(&ipl->ipl_tv);
# else
# if BSD >= 199306 || defined(__FreeBSD__) || defined(__sgi)
microtime((struct timeval *)&ipl->ipl_sec);
microtime(&ipl->ipl_tv);
# endif
# endif
# else
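Review bot: The new ICMPv6 branch tests `icmp->icmp6_type < 128` with a bare literal, and it reads the type before anything in the hunk shows that `fin->fin_dlen` is non-zero. `<netinet/icmp6.h>`, which this commit now includes, defines `ICMP6_INFOMSG_MASK` for this split, so `if ((icmp->icmp6_type & ICMP6_INFOMSG_MASK) == 0)` would state the intent directly. If no earlier check covers a truncated packet, guard the read with `fin->fin_dlen >= sizeof(struct icmp6_hdr)`; the start of the function is outside the hunk.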


@ -9,7 +9,7 @@
#define _KERNEL
#endif
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <sys/errno.h>
@ -109,7 +109,7 @@ extern struct ifnet vpnif;
#if !defined(lint)
static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.70 2002/08/28 12:45:48 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.74 2002/12/06 11:40:21 darrenr Exp $";
#endif
nat_t **nat_table[2] = { NULL, NULL },
@ -148,6 +148,7 @@ static int nat_match __P((fr_info_t *, ipnat_t *, ip_t *));
static hostmap_t *nat_hostmap __P((ipnat_t *, struct in_addr,
struct in_addr));
static void nat_hostmapdel __P((struct hostmap *));
static void nat_mssclamp __P((tcphdr_t *, u_32_t, fr_info_t *, u_short *));
int nat_init()
@ -456,8 +457,9 @@ int mode;
/*
* For add/delete, look to see if the NAT entry is already present
*/
if (getlock == 1)
if (getlock == 1) {
WRITE_ENTER(&ipf_nat);
}
if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) {
nat = &natd;
nat->in_flags &= IPN_USERFLAGS;
@ -726,8 +728,9 @@ int mode;
error = EINVAL;
break;
}
if (getlock == 1)
if (getlock == 1) {
RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */
}
done:
if (nt)
KFREE(nt);
@ -1465,6 +1468,7 @@ int direction;
nat->nat_p = fin->fin_p;
nat->nat_bytes = 0;
nat->nat_pkts = 0;
nat->nat_mssclamp = np->in_mssclamp;
nat->nat_fr = fin->fin_fr;
if (nat->nat_fr != NULL) {
ATOMIC_INC32(nat->nat_fr->fr_ref);
@ -2517,6 +2521,16 @@ fr_info_t *fin;
*/
if (nat->nat_age == fr_tcpclosed)
nat->nat_age = fr_tcplastack;
/*
* Do a MSS CLAMPING on a SYN packet,
* only deal IPv4 for now.
*/
if (nat->nat_mssclamp &&
(tcp->th_flags & TH_SYN) != 0)
nat_mssclamp(tcp, nat->nat_mssclamp,
fin, csump);
MUTEX_EXIT(&nat->nat_lock);
} else if (fin->fin_p == IPPROTO_UDP) {
udphdr_t *udp = (udphdr_t *)tcp;
@ -2728,6 +2742,15 @@ fr_info_t *fin;
*/
if (nat->nat_age == fr_tcpclosed)
nat->nat_age = fr_tcplastack;
/*
* Do a MSS CLAMPING on a SYN packet,
* only deal IPv4 for now.
*/
if (nat->nat_mssclamp &&
(tcp->th_flags & TH_SYN) != 0)
nat_mssclamp(tcp, nat->nat_mssclamp,
fin, csump);
MUTEX_EXIT(&nat->nat_lock);
} else if (fin->fin_p == IPPROTO_UDP) {
udphdr_t *udp = (udphdr_t *)tcp;
@ -2927,3 +2950,60 @@ void *ifp;
return;
}
#endif
/*
* Check for MSS option and clamp it if necessary.
*/
static void nat_mssclamp(tcp, maxmss, fin, csump)
tcphdr_t *tcp;
u_32_t maxmss;
fr_info_t *fin;
u_short *csump;
{
u_char *cp, *ep, opt;
int hlen, advance;
u_32_t mss, sumd;
u_short v;
hlen = tcp->th_off << 2;
if (hlen > sizeof(*tcp)) {
cp = (u_char *)tcp + sizeof(*tcp);
ep = (u_char *)tcp + hlen;
while (cp < ep) {
opt = cp[0];
if (opt == TCPOPT_EOL)
break;
else if (opt == TCPOPT_NOP) {
cp++;
continue;
}
if (&cp[1] >= ep)
break;
advance = cp[1];
if (&cp[advance] >= ep)
break;
switch (opt) {
case TCPOPT_MAXSEG:
if (advance != 4)
break;
bcopy(&cp[2], &v, sizeof(v));
mss = ntohs(v);
if (mss > maxmss) {
v = htons(maxmss);
bcopy(&v, &cp[2], sizeof(v));
CALC_SUMD(mss, maxmss, sumd);
fix_outcksum(fin, csump, sumd);
}
break;
default:
/* ignore unknown options */
break;
}
cp += advance;
}
}
}
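Review bot: In `nat_mssclamp()` the option walk does `cp += advance` with `advance` taken straight from the packet's length byte, so an option whose length byte is 0 never moves `cp` and the `while (cp < ep)` loop does not terminate. The bound `if (&cp[advance] >= ep) break;` also stops on an option that ends exactly at `ep`, which is the case for an MSS option that is the last option in the header, so that SYN is left unclamped. Both are fixed by `if (advance < 2 || &cp[advance] > ep) break;`. Nothing in the hunk shows that `hlen` (from `th_off`) has been checked against the data actually present, so that should be confirmed at the two call sites.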


@ -4,7 +4,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_nat.h 1.5 2/4/96
* $Id: ip_nat.h,v 2.17.2.27 2002/08/28 12:45:51 darrenr Exp $
* $Id: ip_nat.h,v 2.17.2.28 2002/11/03 13:06:21 darrenr Exp $
*/
#ifndef __IP_NAT_H__
@ -84,6 +84,7 @@ typedef struct nat {
u_short nat_use;
u_char nat_tcpstate[2];
u_char nat_p; /* protocol for NAT */
u_32_t nat_mssclamp; /* if != zero clamp MSS to this */
struct ipnat *nat_ptr; /* pointer back to the rule */
struct hostmap *nat_hm;
struct nat *nat_next;
@ -113,6 +114,7 @@ typedef struct ipnat {
u_short in_pnext;
u_short in_ippip; /* IP #'s per IP# */
u_32_t in_flags; /* From here to in_dport must be reflected */
u_32_t in_mssclamp; /* if != zero clamp MSS to this */
u_short in_spare;
u_short in_ppip; /* ports per IP */
u_short in_port[2]; /* correctly in IPN_CMPSIZ */
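Review bot: `in_mssclamp` is inserted directly after `in_flags`, whose comment says the fields from there to `in_dport` must be reflected in `IPN_CMPSIZ`, and the definition of `IPN_CMPSIZ` is not in this hunk. If that size is a hand-maintained expression it needs the extra `u_32_t`; if it is derived from field offsets, a short comment on the new member, `/* inside the IPN_CMPSIZ compare range */`, would record that two rules differing only in clamp value compare as different. Both structs also grow, so userland tools that exchange `ipnat_t` or `nat_t` with the kernel have to be rebuilt from the same header.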


@ -7,7 +7,7 @@
# define _KERNEL
#endif
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <sys/errno.h>
@ -75,7 +75,7 @@
#endif
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.24 2002/08/28 12:45:51 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.26 2002/12/06 11:40:23 darrenr Exp $";
#endif
#if defined(_KERNEL) && (SOLARIS || defined(__sgi))
@ -315,7 +315,7 @@ nat_t *nat;
sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp);
#endif
if (sum != tcp->th_sum) {
#if PROXY_DEBUG
#if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL))
printf("proxy tcp checksum failure\n");
#endif
frstats[fin->fin_out].fr_tcpbad++;
@ -323,8 +323,8 @@ nat_t *nat;
}
/*
* Don't both the proxy with these...or in fact, should
* we free up proxy stuff when seen?
* Don't bother the proxy with these...or in fact,
* should we free up proxy stuff when seen?
*/
if ((tcp->th_flags & TH_RST) != 0)
return 0;
@ -342,13 +342,13 @@ nat_t *nat;
rv = APR_EXIT(err);
if (rv == 1) {
#if PROXY_DEBUG
#if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL))
printf("proxy says bad packet received\n");
#endif
return -1;
}
if (rv == 2) {
#if PROXY_DEBUG
#if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL))
printf("proxy says free app proxy data\n");
#endif
appr_free(apr);
@ -424,7 +424,7 @@ ap_session_t *aps;
apr = aps->aps_apr;
if ((apr != NULL) && (apr->apr_del != NULL))
(*apr->apr_del)(aps);
if ((aps->aps_data != NULL) && (aps->aps_psiz != 0))
KFREES(aps->aps_data, aps->aps_psiz);
KFREE(aps);
@ -468,7 +468,7 @@ int inc;
sel, !sel, seq1, aps->aps_seqmin[!sel]);
#endif
sel = aps->aps_sel[out] = !sel;
}
}
if (aps->aps_seqoff[sel]) {
seq2 = aps->aps_seqmin[sel] - aps->aps_seqoff[sel];
@ -503,7 +503,7 @@ int inc;
sel, !sel, seq1, aps->aps_ackmin[!sel]);
#endif
sel = aps->aps_sel[1 - out] = !sel;
}
}
if (aps->aps_ackoff[sel] && (seq1 > aps->aps_ackmin[sel])) {
seq2 = aps->aps_ackoff[sel];
@ -522,7 +522,7 @@ int inc;
sel, !sel, seq1, aps->aps_ackmin[!sel]);
#endif
sel = aps->aps_sel[out] = !sel;
}
}
if (aps->aps_ackoff[sel]) {
seq2 = aps->aps_ackmin[sel] - aps->aps_ackoff[sel];
@ -557,7 +557,7 @@ int inc;
sel, !sel, seq1, aps->aps_seqmin[!sel]);
#endif
sel = aps->aps_sel[1 - out] = !sel;
}
}
if (aps->aps_seqoff[sel] != 0) {
#if PROXY_DEBUG


@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* $Id: ip_proxy.h,v 2.8.2.13 2002/07/04 11:07:37 darrenr Exp $
* $Id: ip_proxy.h,v 2.8.2.14 2002/09/02 12:19:26 darrenr Exp $
*/
#ifndef __IP_PROXY_H__
@ -99,6 +99,7 @@ typedef struct ftpside {
u_32_t ftps_len;
int ftps_junk;
int ftps_cmds;
int ftps_cmd;
char ftps_buf[FTP_BUFSZ];
} ftpside_t;


@ -1,5 +1,5 @@
/*
* $Id: ip_rcmd_pxy.c,v 1.4.2.5 2001/10/30 16:38:14 darrenr Exp $
* $Id: ip_rcmd_pxy.c,v 1.4.2.6 2002/10/01 15:24:59 darrenr Exp $
*/
/*
* Simple RCMD transparent proxy for in-kernel use. For use with the NAT
@ -143,6 +143,7 @@ nat_t *nat;
tcp2->th_sport = htons(sp);
tcp2->th_dport = 0; /* XXX - don't specify remote port */
tcp2->th_off = 5;
tcp2->th_flags = TH_SYN;
fi.fin_data[1] = 0;
fi.fin_dp = (char *)tcp2;
fi.fin_dlen = sizeof(*tcp2);


@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.20 2002/08/28 12:42:44 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.24 2002/12/06 11:42:22 darrenr Exp $";
#endif
#include <sys/types.h>
@ -88,8 +88,8 @@ int ipldetach()
for (i = IPL_LOGMAX; i >= 0; i--)
ipflog_clear(i);
#endif
i = frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
i += frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE);
i = frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
i += frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE);
ipfr_unload();
fr_stateunload();
ip_natunload();
@ -226,7 +226,16 @@ int *rp;
return error;
}
if (unit == IPL_LOGAUTH) {
error = fr_auth_ioctl((caddr_t)data, mode, cmd, NULL, NULL);
if ((cmd == SIOCADAFR) || (cmd == SIOCRMAFR)) {
if (!(mode & FWRITE)) {
error = EPERM;
} else {
error = frrequest(unit, cmd, (caddr_t)data,
fr_active);
}
} else {
error = fr_auth_ioctl((caddr_t)data, mode, cmd);
}
RWLOCK_EXIT(&ipf_solaris);
return error;
}
@ -316,7 +325,7 @@ int *rp;
error = IRCOPY((caddr_t)data, (caddr_t)&tmp,
sizeof(tmp));
if (!error) {
tmp = frflush(unit, tmp);
tmp = frflush(unit, 4, tmp);
error = IWCOPY((caddr_t)&tmp, (caddr_t)data,
sizeof(tmp));
if (error)
@ -324,6 +333,23 @@ int *rp;
}
}
break;
#ifdef USE_INET6
case SIOCIPFL6 :
if (!(mode & FWRITE))
error = EPERM;
else {
error = IRCOPY((caddr_t)data, (caddr_t)&tmp,
sizeof(tmp));
if (!error) {
tmp = frflush(unit, 6, tmp);
error = IWCOPY((caddr_t)&tmp, (caddr_t)data,
sizeof(tmp));
if (error)
error = EFAULT;
}
}
break;
#endif
case SIOCSTLCK :
error = IRCOPY((caddr_t)data, (caddr_t)&tmp, sizeof(tmp));
if (!error) {
@ -383,6 +409,9 @@ int v;
{
size_t len = strlen(name) + 1; /* includes \0 */
ill_t *il;
#if SOLARIS2 >= 10
ill_walk_context_t ctx;
#endif
int sap;
if (v == 4)
@ -391,7 +420,11 @@ int v;
sap = 0x86dd;
else
return NULL;
#if SOLARIS2 >= 10
for (il = ILL_START_WALK_ALL(&ctx); il; il = ill_next(&ctx, il))
#else
for (il = ill_g_head; il; il = il->ill_next)
#endif
if ((len == il->ill_name_length) && (il->ill_sap == sap) &&
!strncmp(il->ill_name, name, len))
return il;
@ -614,6 +647,9 @@ caddr_t data;
}
if (fg && fg->fg_head)
fg->fg_head->fr_ref--;
if (unit == IPL_LOGAUTH) {
return fr_preauthcmd(req, f, ftail);
}
if (f->fr_grhead)
fr_delgroup(f->fr_grhead, fp->fr_flags,
unit, set);
@ -628,6 +664,9 @@ caddr_t data;
if (f) {
error = EEXIST;
} else {
if (unit == IPL_LOGAUTH) {
return fr_preauthcmd(req, fp, ftail);
}
KMALLOC(f, frentry_t *);
if (f != NULL) {
if (fg && fg->fg_head)
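Review bot: In the `frrequest()` delete path the new `if (unit == IPL_LOGAUTH) return fr_preauthcmd(req, f, ftail);` sits after `fg->fg_head->fr_ref--`, so a pre-auth delete drops a reference on the group head and then leaves through a separate path. Testing the unit before the decrement, as the add path does before `KMALLOC`, would avoid that. The function starts and ends outside these hunks, so whether a lock is held at either early `return` cannot be seen here and should be checked; the matching hunks in ip_fil.c have the same shape.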


@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <sys/errno.h>
@ -93,7 +93,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.74 2002/07/27 15:58:10 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.77 2002/12/06 11:40:24 darrenr Exp $";
#endif
#ifndef MIN
@ -117,8 +117,8 @@ static frentry_t *fr_checkicmp6matchingstate __P((ip6_t *, fr_info_t *));
static int fr_matchsrcdst __P((ipstate_t *, union i6addr, union i6addr,
fr_info_t *, tcphdr_t *));
static frentry_t *fr_checkicmpmatchingstate __P((ip_t *, fr_info_t *));
static int fr_matchicmpqueryreply __P((int, ipstate_t *, icmphdr_t *));
static int fr_state_flush __P((int));
static int fr_matchicmpqueryreply __P((int, ipstate_t *, icmphdr_t *, int));
static int fr_state_flush __P((int, int));
static ips_stat_t *fr_statetstats __P((void));
static void fr_delstate __P((ipstate_t *));
static int fr_state_remove __P((caddr_t));
@ -203,8 +203,8 @@ static ips_stat_t *fr_statetstats()
* starting at > 4 days idle and working back in successive half-
* days to at most 12 hours old.
*/
static int fr_state_flush(which)
int which;
static int fr_state_flush(which, proto)
int which, proto;
{
ipstate_t *is, **isp;
#if defined(_KERNEL) && !SOLARIS
@ -216,6 +216,9 @@ int which;
for (isp = &ips_list; (is = *isp); ) {
delete = 0;
if ((proto != 0) && (is->is_v != proto))
continue;
switch (which)
{
case 0 :
@ -337,12 +340,26 @@ int mode;
break;
if (arg == 0 || arg == 1) {
WRITE_ENTER(&ipf_state);
ret = fr_state_flush(arg);
ret = fr_state_flush(arg, 4);
RWLOCK_EXIT(&ipf_state);
error = IWCOPY((caddr_t)&ret, data, sizeof(ret));
} else
error = EINVAL;
break;
#ifdef USE_INET6
case SIOCIPFL6 :
error = IRCOPY(data, (caddr_t)&arg, sizeof(arg));
if (error)
break;
if (arg == 0 || arg == 1) {
WRITE_ENTER(&ipf_state);
ret = fr_state_flush(arg, 6);
RWLOCK_EXIT(&ipf_state);
error = IWCOPY((caddr_t)&ret, data, sizeof(ret));
} else
error = EINVAL;
break;
#endif
#ifdef IPFILTER_LOG
case SIOCIPFFB :
if (!(mode & FWRITE))
@ -1118,7 +1135,7 @@ tcphdr_t *tcp;
return 1;
}
static int fr_matchicmpqueryreply(v, is, icmp)
static int fr_matchicmpqueryreply(v, is, icmp, rev)
int v;
ipstate_t *is;
icmphdr_t *icmp;
@ -1128,8 +1145,8 @@ icmphdr_t *icmp;
* If we matched its type on the way in, then when going out
* it will still be the same type.
*/
if (((icmp->icmp_type == is->is_type) ||
(icmpreplytype4[is->is_type] == icmp->icmp_type))) {
if ((!rev && (icmp->icmp_type == is->is_type)) ||
(rev && (icmpreplytype4[is->is_type] == icmp->icmp_type))) {
if (icmp->icmp_type != ICMP_ECHOREPLY)
return 1;
if ((icmp->icmp_id == is->is_icmp.ics_id) &&
@ -1139,8 +1156,8 @@ icmphdr_t *icmp;
}
#ifdef USE_INET6
else if (is->is_v == 6) {
if (((icmp->icmp_type == is->is_type) ||
(icmpreplytype6[is->is_type] == icmp->icmp_type))) {
if ((!rev && (icmp->icmp_type == is->is_type)) ||
(rev && (icmpreplytype6[is->is_type] == icmp->icmp_type))) {
if (icmp->icmp_type != ICMP6_ECHO_REPLY)
return 1;
if ((icmp->icmp_id == is->is_icmp.ics_id) &&
@ -1278,7 +1295,7 @@ fr_info_t *fin;
for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_hnext)
if ((is->is_p == pr) && (is->is_v == 4) &&
fr_matchsrcdst(is, src, dst, &ofin, NULL) &&
fr_matchicmpqueryreply(is->is_v, is, icmp)) {
fr_matchicmpqueryreply(is->is_v, is, icmp, fin->fin_rev)) {
ips_stats.iss_hits++;
is->is_pkts++;
is->is_bytes += ip->ip_len;
@ -1460,7 +1477,7 @@ fr_info_t *fin;
for (isp = &ips_table[hvm]; (is = *isp); isp = &is->is_hnext)
if ((is->is_p == pr) && (is->is_v == v) &&
fr_matchsrcdst(is, src, dst, fin, NULL) &&
fr_matchicmpqueryreply(v, is, ic)) {
fr_matchicmpqueryreply(v, is, ic, fin->fin_rev)) {
rev = fin->fin_rev;
if (is->is_frage[rev] != 0)
is->is_age = is->is_frage[rev];
@ -1515,7 +1532,7 @@ fr_info_t *fin;
for (isp = &ips_table[hvm]; (is = *isp); isp = &is->is_hnext)
if ((is->is_p == pr) && (is->is_v == v) &&
fr_matchsrcdst(is, src, dst, fin, NULL) &&
fr_matchicmpqueryreply(v, is, ic)) {
fr_matchicmpqueryreply(v, is, ic, fin->fin_rev)) {
rev = fin->fin_rev;
if (is->is_frage[rev] != 0)
is->is_age = is->is_frage[rev];
@ -1750,7 +1767,7 @@ void fr_timeoutstate()
} else
isp = &is->is_next;
if (fr_state_doflush) {
(void) fr_state_flush(2);
(void) fr_state_flush(2, 0);
fr_state_doflush = 0;
}
RWLOCK_EXIT(&ipf_state);
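Review bot: The new protocol filter at the top of the `fr_state_flush` loop can spin forever, because the loop header `for (isp = &ips_list; (is = *isp); )` has no increment and `continue` re-reads the same `*isp` whenever an entry's `is_v` differs from `proto`. Both ioctl paths call it with `ipf_state` write-locked (`SIOCIPFFL` passes 4, `SIOCIPFL6` passes 6), so a single entry of the other address family would leave the flush stuck while holding that lock. Advance the cursor before skipping, e.g. `if ((proto != 0) && (is->is_v != proto)) { isp = &is->is_next; continue; }`, assuming `is_next` is the link this list uses, as the `fr_timeoutstate` hunk suggests. The rest of the loop body lies outside the hunk.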


@ -12,7 +12,7 @@
# endif
# endif
#endif
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <stdio.h>
@ -50,7 +50,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.17 2002/06/27 14:29:17 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.19 2002/12/06 11:41:13 darrenr Exp $";
#endif
#if SOLARIS
@ -440,9 +440,15 @@ char *arg;
rem = fl;
closedevice();
if (opendevice(IPL_STATE) != -2 &&
ioctl(fd, SIOCIPFFL, &fl) == -1)
perror("ioctl(SIOCIPFFL)");
if (opendevice(IPL_STATE) != -2) {
if (use_inet6) {
if (ioctl(fd, SIOCIPFL6, &fl) == -1)
perror("ioctl(SIOCIPFL6)");
} else {
if (ioctl(fd, SIOCIPFFL, &fl) == -1)
perror("ioctl(SIOCIPFFL)");
}
}
if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
printf("remove flags %s (%d)\n", arg, rem);
printf("removed %d filter rules\n", fl);
@ -459,8 +465,15 @@ char *arg;
fl |= (opts & FR_INACTIVE);
rem = fl;
if (opendevice(ipfname) != -2 && ioctl(fd, SIOCIPFFL, &fl) == -1)
perror("ioctl(SIOCIPFFL)");
if (opendevice(ipfname) != -2) {
if (use_inet6) {
if (ioctl(fd, SIOCIPFL6, &fl) == -1)
perror("ioctl(SIOCIPFL6)");
} else {
if (ioctl(fd, SIOCIPFFL, &fl) == -1)
perror("ioctl(SIOCIPFFL)");
}
}
if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
printf("remove flags %s%s (%d)\n", (rem & FR_INQUE) ? "I" : "",
(rem & FR_OUTQUE) ? "O" : "", rem);
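Review bot: Nothing at the `opendevice(IPL_STATE)` call says that a state flush is now limited to one address family, which is easy to miss when the tables are being cleared after a rule change. With `use_inet6` clear the tool issues `SIOCIPFFL`, which the ip_state.c change in this commit maps to `fr_state_flush(arg, 4)`, so IPv6 state entries stay in place until the flush is repeated with `use_inet6` set (and the reverse). I would add a comment above that block such as `/* flushes one address family only: SIOCIPFL6 for IPv6, SIOCIPFFL for IPv4 */` and say the same in the man page. The rule-flush hunk below follows the same pattern, though its kernel side is not visible here, and both enclosing functions begin outside the hunks.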


@ -45,7 +45,7 @@
#include "ipf.h"
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.11 2002/06/04 14:44:05 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.12 2002/09/26 12:25:19 darrenr Exp $";
#endif
#ifndef IPF_SAVEDIR
@ -77,19 +77,25 @@ int setlock __P((int, int));
int writeall __P((char *));
int readall __P((char *));
int writenat __P((int, char *));
char *concat __P((char *, char *));
int opts = 0;
void usage()
{
fprintf(stderr, "usage: ipfs [-nv] -l\n");
fprintf(stderr, "usage: ipfs [-nv] -u\n");
fprintf(stderr, "usage: ipfs [-nv] [-d <dir>] -R\n");
fprintf(stderr, "usage: ipfs [-nv] [-d <dir>] -W\n");
fprintf(stderr, "usage: ipfs [-nNSv] [-f <file>] -r\n");
fprintf(stderr, "usage: ipfs [-nNSv] [-f <file>] -w\n");
fprintf(stderr, "usage: ipfs [-nNSv] -f <filename> -i <if1>,<if2>\n");
fprintf(stderr, "\
usage: ipfs [-nv] -l\n\
usage: ipfs [-nv] -u\n\
usage: ipfs [-nv] [-d <dir>] -R\n\
usage: ipfs [-nv] [-d <dir>] -W\n\
usage: ipfs [-nv] -N [-f <file> | -d <dir>] -r\n\
usage: ipfs [-nv] -S [-f <file> | -d <dir>] -r\n\
usage: ipfs [-nv] -N [-f <file> | -d <dir>] -w\n\
usage: ipfs [-nv] -S [-f <file> | -d <dir>] -w\n\
usage: ipfs [-nv] -N [-f <filename> | -d <dir> ] -i <if1>,<if2>\n\
usage: ipfs [-nv] -S [-f <filename> | -d <dir> ] -i <if1>,<if2>\n\
");
exit(1);
}
@ -218,7 +224,7 @@ char *argv[];
usage();
break;
case 'f' :
if ((set == 0) && !dirname && !filename)
if ((set == 1) && !dirname && !filename && !(rw & 2))
filename = optarg;
else
usage();
@ -243,12 +249,14 @@ char *argv[];
set = 1;
break;
case 'r' :
if ((ns >= 0) || dirname || (rw != -1))
if (dirname || (rw != -1) || (ns == -1))
usage();
rw = 0;
set = 1;
break;
case 'R' :
if (filename || (ns != -1))
usage();
rw = 2;
set = 1;
break;
@ -274,14 +282,31 @@ char *argv[];
set = 1;
break;
case 'W' :
if (filename || (ns != -1))
usage();
rw = 3;
set = 1;
break;
case '?' :
default :
usage();
}
if (filename == NULL) {
if (ns == 0) {
if (dirname == NULL)
dirname = IPF_SAVEDIR;
if (dirname[strlen(dirname) - 1] != '/')
dirname = concat(dirname, "/");
filename = concat(dirname, IPF_NATFILE);
} else if (ns == 1) {
if (dirname == NULL)
dirname = IPF_SAVEDIR;
if (dirname[strlen(dirname) - 1] != '/')
dirname = concat(dirname, "/");
filename = concat(dirname, IPF_STATEFILE);
}
}
if (ifs) {
if (!filename || ns < 0)
usage();
@ -331,6 +356,20 @@ char *argv[];
}
char *concat(base, append)
char *base, *append;
{
char *str;
str = malloc(strlen(base) + strlen(append) + 1);
if (str != NULL) {
strcpy(str, base);
strcat(str, append);
}
return str;
}
int opendevice(ipfdev)
char *ipfdev;
{
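Review bot: The new default-path block indexes `dirname[strlen(dirname) - 1]` without checking for an empty string, so an empty `-d` argument reads one byte before the buffer. `concat()` also returns NULL when `malloc` fails, and the very next `concat(dirname, ...)` call passes that NULL straight to `strlen`. The two `ns` branches differ only in the file name, so they can share one checked path as below. `main` starts and ends outside the hunks.

```c
	if (filename == NULL && (ns == 0 || ns == 1)) {
		size_t dlen;

		if (dirname == NULL)
			dirname = IPF_SAVEDIR;
		dlen = strlen(dirname);
		if (dlen == 0)
			usage();
		if (dirname[dlen - 1] != '/')
			dirname = concat(dirname, "/");
		if (dirname != NULL)
			filename = concat(dirname,
			    (ns == 0) ? IPF_NATFILE : IPF_STATEFILE);
		if (filename == NULL) {
			perror("ipfs");
			exit(1);
		}
	}
	/* … unchanged: the `if (ifs)` checks that follow … */
```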


@ -17,7 +17,7 @@ etherfind -n -t
0.32 91 04 131.170.1.10 128.250.133.13
0.33 566 udp 128.250.37.155 128.250.133.3 901 901
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <stdio.h>
@ -52,7 +52,7 @@ etherfind -n -t
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.2.2.3 2002/06/27 14:29:17 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.2.2.4 2002/12/06 11:40:25 darrenr Exp $";
#endif
static int etherf_open __P((char *));


@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <stdio.h>
@ -43,7 +43,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 2.2.2.5 2002/02/22 15:32:54 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 2.2.2.6 2002/12/06 11:40:25 darrenr Exp $";
#endif
extern int opts;


@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <stdio.h>
@ -31,13 +31,15 @@
#include <netinet/tcpip.h>
#include "ipf.h"
#include "pcap.h"
#include "bpf.h"
#include "ipt.h"
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 2.2.2.3 2002/02/22 15:32:54 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 2.2.2.5 2002/12/06 11:40:25 darrenr Exp $";
#endif
struct llc {
int lc_type;
int lc_sz; /* LLC header length */
int lc_to; /* LLC Type offset */
int lc_tl; /* LLC Type length */
@ -47,23 +49,48 @@ struct llc {
* While many of these maybe the same, some do have different header formats
* which make this useful.
*/
#define DLT_MAX 14
static struct llc llcs[DLT_MAX+1] = {
{ 0, 0, 0 }, /* DLT_NULL */
{ 14, 12, 2 }, /* DLT_E10MB */
{ 0, 0, 0 }, /* DLT_EN3MB */
{ 0, 0, 0 }, /* DLT_AX25 */
{ 0, 0, 0 }, /* DLT_PRONET */
{ 0, 0, 0 }, /* DLT_CHAOS */
{ 0, 0, 0 }, /* DLT_IEEE802 */
{ 0, 0, 0 }, /* DLT_ARCNET */
{ 0, 0, 0 }, /* DLT_SLIP */
{ 0, 0, 0 }, /* DLT_PPP */
{ 0, 0, 0 }, /* DLT_FDDI */
{ 0, 0, 0 }, /* DLT_ATMRFC1483 */
{ 0, 0, 0 }, /* DLT_LOOP */
{ 0, 0, 0 } /* DLT_ENC */
static struct llc llcs[] = {
{ DLT_NULL, 0, 0, 0 },
{ DLT_EN10MB, 14, 12, 2 },
{ DLT_EN3MB, 0, 0, 0 },
{ DLT_AX25, 0, 0, 0 },
{ DLT_PRONET, 0, 0, 0 },
{ DLT_CHAOS, 0, 0, 0 },
{ DLT_IEEE802, 0, 0, 0 },
{ DLT_ARCNET, 0, 0, 0 },
{ DLT_SLIP, 0, 0, 0 },
{ DLT_PPP, 0, 0, 0 },
{ DLT_FDDI, 0, 0, 0 },
#ifdef DLT_ATMRFC1483
{ DLT_ATMRFC1483, 0, 0, 0 },
#endif
{ DLT_RAW, 0, 0, 0 },
#ifdef DLT_ENC
{ DLT_ENC, 0, 0, 0 },
#endif
#ifdef DLT_SLIP_BSDOS
{ DLT_SLIP_BSDOS, 0, 0, 0 },
#endif
#ifdef DLT_PPP_BSDOS
{ DLT_PPP_BSDOS, 0, 0, 0 },
#endif
#ifdef DLT_HIPPI
{ DLT_HIPPI, 0, 0, 0 },
#endif
#ifdef DLT_HDLC
{ DLT_HDLC, 0, 0, 0 },
#endif
#ifdef DLT_PPP_SERIAL
{ DLT_PPP_SERIAL, 4, 4, 0 },
#endif
#ifdef DLT_PPP_ETHER
{ DLT_PPP_ETHER, 8, 8, 0 },
#endif
#ifdef DLT_ECONET
{ DLT_ECONET, 0, 0, 0 },
#endif
{ -1, -1, -1, -1 }
};
static int pcap_open __P((char *));
@ -73,6 +100,7 @@ static void swap_hdr __P((pcaphdr_t *));
static int pcap_read_rec __P((struct pcap_pkthdr *));
static int pfd = -1, s_type = -1, swapped = 0;
static struct llc *llcp = NULL;
struct ipread pcap = { pcap_open, pcap_close, pcap_readip };
@ -96,7 +124,7 @@ static int pcap_open(fname)
char *fname;
{
pcaphdr_t ph;
int fd;
int fd, i;
if (pfd != -1)
return pfd;
@ -118,7 +146,18 @@ char *fname;
swap_hdr(&ph);
}
if (ph.pc_v_maj != PCAP_VERSION_MAJ || ph.pc_type >= DLT_MAX) {
if (ph.pc_v_maj != PCAP_VERSION_MAJ) {
(void) close(fd);
return -2;
}
for (i = 0; llcs[i].lc_type != -1; i++)
if (llcs[i].lc_type == ph.pc_type) {
llcp = llcs + i;
break;
}
if (llcp == NULL) {
(void) close(fd);
return -2;
}
@ -210,7 +249,9 @@ int cnt, *dir;
char *s, ty[4];
int i, n;
do {
l = llcp;
/* do { */
if ((i = pcap_read_rec(&rec)) <= 0)
return i;
@ -223,12 +264,11 @@ int cnt, *dir;
if (read(pfd, s, i) != i)
return -2;
l = &llcs[s_type];
i -= l->lc_sz;
s += l->lc_to;
bcopy(s, ty, l->lc_tl);
s += l->lc_tl;
} while (ty[0] != 0x8 && ty[1] != 0);
/* } while (ty[0] != 0x8 && ty[1] != 0); */
n = MIN(i, cnt);
bcopy(s, buf, n);
return n;
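Review bot: In `pcap_readip` the record length `i` is reduced by `l->lc_sz` with no check that the record is at least that long, so a capture record shorter than the link-layer header (14 bytes for `DLT_EN10MB`) makes `i` negative and `bcopy(s, buf, n)` then receives a negative length. Capture files are external input, so I would add `if (i < l->lc_sz) return -2;` just before `i -= l->lc_sz;`, unless the lines between the two hunks already bound `i` (they are not visible here). Separately, with the `do`/`while` commented out, `ty` is copied but never examined, so non-IP frames appear to be handed on as IP. Deleting the dead loop and stating that in a comment would make the intent clear.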


@ -7,7 +7,7 @@
/*
* Written to comply with the recent RFC 1761 from Sun.
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <stdio.h>
@ -38,7 +38,7 @@
#include "ipt.h"
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 2.2.2.3 2002/02/22 15:32:54 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 2.2.2.4 2002/12/06 11:40:26 darrenr Exp $";
#endif
struct llc {


@ -26,7 +26,7 @@ tcpdump -nqte
8:0:20:f:65:f7 0:0:c:1:8a:c5 81: 128.250.133.13.23 > 128.250.20.20.2419: tcp 27
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <stdio.h>
@ -61,7 +61,7 @@ tcpdump -nqte
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.2.2.3 2002/06/27 14:29:17 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.2.2.4 2002/12/06 11:40:26 darrenr Exp $";
#endif
static int tcpd_open __P((char *));


@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <stdio.h>
@ -44,7 +44,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.7 2002/06/27 14:29:17 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.8 2002/12/06 11:40:26 darrenr Exp $";
#endif
extern int opts;


@ -4,12 +4,12 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ipl.h 1.21 6/5/96
* $Id: ipl.h,v 2.15.2.35 2002/08/28 13:00:50 darrenr Exp $
* $Id: ipl.h,v 2.15.2.38 2002/12/07 02:40:05 darrenr Exp $
*/
#ifndef __IPL_H__
#define __IPL_H__
#define IPL_VERSION "IP Filter: v3.4.29"
#define IPL_VERSION "IP Filter: v3.4.31"
#endif


@ -6,10 +6,10 @@
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
* $Id: iplang_y.y,v 2.2.2.2 2002/02/22 15:32:57 darrenr Exp $
* $Id: iplang_y.y,v 2.2.2.3 2002/12/06 11:41:14 darrenr Exp $
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <stdio.h>
@ -52,7 +52,7 @@
#include "iplang.h"
#if !defined(__NetBSD__) && (!defined(__FreeBSD_version) && \
__FreeBSD_version < 400020)
__FreeBSD_version < 400020 ) && SOLARIS2 < 10
extern struct ether_addr *ether_aton __P((char *));
#endif


@ -7,7 +7,7 @@
#define SOLARIS (defined(__SVR4) || defined(__svr4__)) && defined(sun)
#endif
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <sys/types.h>
@ -68,7 +68,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.36 2002/08/22 15:12:23 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.37 2002/12/06 11:40:26 darrenr Exp $";
#endif


@ -5,7 +5,7 @@
*
* Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com)
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <stdio.h>
@ -60,7 +60,7 @@ extern char *sys_errlist[];
#if !defined(lint)
static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.21 2002/06/06 10:49:19 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.22 2002/12/06 11:40:26 darrenr Exp $";
#endif


@ -1,7 +1,7 @@
/*
* Based upon 4.4BSD's /usr/sbin/arp
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <unistd.h>


@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <stdio.h>
@ -29,7 +29,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: arp.c,v 2.1.4.3 2002/02/22 15:32:57 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: arp.c,v 2.1.4.4 2002/12/06 11:40:35 darrenr Exp $";
#endif


@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <errno.h>
@ -32,7 +32,7 @@
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995";
static const char rcsid[] = "@(#)$Id: ip.c,v 2.1.4.4 2002/02/22 15:32:57 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip.c,v 2.1.4.5 2002/12/06 11:40:35 darrenr Exp $";
#endif
static char *ipbuf = NULL, *ethbuf = NULL;


@ -8,7 +8,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <stdio.h>
@ -34,7 +34,7 @@
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipresend.c,v 2.1.4.3 2002/02/22 15:32:57 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipresend.c,v 2.1.4.4 2002/12/06 11:40:35 darrenr Exp $";
#endif


@ -8,7 +8,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <stdio.h>
@ -34,7 +34,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.2.2.5 2002/04/23 14:58:57 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.2.2.6 2002/12/06 11:40:35 darrenr Exp $";
#endif


@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <sys/param.h>
@ -25,7 +25,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipsopt.c 1.2 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipsopt.c,v 2.1.4.3 2002/02/22 15:32:58 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipsopt.c,v 2.1.4.4 2002/12/06 11:40:35 darrenr Exp $";
#endif


@ -8,7 +8,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <stdio.h>
@ -37,7 +37,7 @@
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: iptest.c,v 2.2.2.3 2002/02/22 15:32:58 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: iptest.c,v 2.2.2.4 2002/12/06 11:40:35 darrenr Exp $";
#endif


@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <stdio.h>
@ -75,16 +75,24 @@
#if defined(__SVR4) || defined(__svr4__) || defined(__sgi)
# include <sys/sysmacros.h>
#endif
#if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 106000000)
# define USE_NANOSLEEP
#endif
#include "ipsend.h"
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: iptests.c,v 2.1.4.5 2002/02/22 15:32:58 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: iptests.c,v 2.1.4.8 2002/12/06 11:40:35 darrenr Exp $";
#endif
#define PAUSE() tv.tv_sec = 0; tv.tv_usec = 10000; \
(void) select(0, NULL, NULL, NULL, &tv)
#ifdef USE_NANOSLEEP
# define PAUSE() ts.tv_sec = 0; ts.tv_nsec = 10000000; \
(void) nanosleep(&ts, NULL)
#else
# define PAUSE() tv.tv_sec = 0; tv.tv_usec = 10000; \
(void) select(0, NULL, NULL, NULL, &tv)
#endif
void ip_test1(dev, mtu, ip, gwip, ptest)
@ -94,7 +102,11 @@ ip_t *ip;
struct in_addr gwip;
int ptest;
{
#ifdef USE_NANOSLEEP
struct timespec ts;
#else
struct timeval tv;
#endif
udphdr_t *u;
int nfd, i = 0, len, id = getpid();
@ -438,7 +450,11 @@ ip_t *ip;
struct in_addr gwip;
int ptest;
{
#ifdef USE_NANOSLEEP
struct timespec ts;
#else
struct timeval tv;
#endif
int nfd;
u_char *s;
@ -529,7 +545,11 @@ int ptest;
{
static int ict1[10] = { 8, 9, 10, 13, 14, 15, 16, 17, 18, 0 };
static int ict2[8] = { 3, 9, 10, 13, 14, 17, 18, 0 };
#ifdef USE_NANOSLEEP
struct timespec ts;
#else
struct timeval tv;
#endif
struct icmp *icp;
int nfd, i;
@ -721,7 +741,11 @@ ip_t *ip;
struct in_addr gwip;
int ptest;
{
#ifdef USE_NANOSLEEP
struct timespec ts;
#else
struct timeval tv;
#endif
udphdr_t *u;
int nfd, i;
@ -879,7 +903,11 @@ ip_t *ip;
struct in_addr gwip;
int ptest;
{
#ifdef USE_NANOSLEEP
struct timespec ts;
#else
struct timeval tv;
#endif
tcphdr_t *t;
int nfd, i;
@ -1222,7 +1250,11 @@ ip_t *ip;
struct in_addr gwip;
int ptest;
{
#ifdef USE_NANOSLEEP
struct timespec ts;
#else
struct timeval tv;
#endif
udphdr_t *u;
int nfd, i, j, k;
@ -1297,8 +1329,12 @@ ip_t *ip;
struct in_addr gwip;
int ptest;
{
ip_t *pip;
#ifdef USE_NANOSLEEP
struct timespec ts;
#else
struct timeval tv;
#endif
ip_t *pip;
int nfd, i, j;
u_char *s;
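Review bot: Both `PAUSE()` definitions expand to two statements, so a call under an unbraced `if` or loop would make only the first assignment conditional. The new variant also forces the same `#ifdef USE_NANOSLEEP` declaration block into seven functions. Wrapping the body in `do { ... } while (0)` and declaring the timer variable inside it, e.g. `# define PAUSE() do { struct timespec ts; ts.tv_sec = 0; ts.tv_nsec = 10000000; (void) nanosleep(&ts, NULL); } while (0)`, would remove those repeated blocks. That holds only if `tv` is not used elsewhere in these functions, whose bodies are outside the hunks.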


@ -5,9 +5,9 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)lsock.c 1.2 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: lsock.c,v 2.1.4.2 2002/02/22 15:32:58 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: lsock.c,v 2.1.4.3 2002/12/06 11:40:36 darrenr Exp $";
#endif
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <stdio.h>


@ -8,7 +8,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <stdio.h>
@ -38,7 +38,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: resend.c,v 2.1.4.4 2002/02/22 15:32:58 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: resend.c,v 2.1.4.5 2002/12/06 11:40:36 darrenr Exp $";
#endif


@ -4,7 +4,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <stdio.h>


@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <stdio.h>
@ -65,7 +65,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: sock.c,v 2.1.4.5 2002/02/22 15:32:58 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: sock.c,v 2.1.4.6 2002/12/06 11:40:36 darrenr Exp $";
#endif


@ -12,7 +12,7 @@
# endif
# endif
#endif
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# define _KMEMUSER
# include <sys/ptimers.h>
#endif
@ -64,7 +64,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.22 2002/06/04 14:52:58 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.24 2002/12/06 11:40:26 darrenr Exp $";
#endif
extern char *optarg;
@ -92,6 +92,7 @@ char *argv[];
{
char *datain, *iface, *ifname, *packet, *logout;
int fd, i, dir, c, loaded, dump, hlen;
struct in_addr src;
struct ifnet *ifp;
struct ipread *r;
u_long buf[2048];
@ -103,6 +104,7 @@ char *argv[];
r = &iptext;
iface = NULL;
logout = NULL;
src.s_addr = 0;
ifname = "anon0";
datain = NULL;
@ -112,7 +114,7 @@ char *argv[];
ipflog_init();
fr_running = 1;
while ((c = getopt(argc, argv, "6bdDEHi:I:l:NoPr:RSTvxX")) != -1)
while ((c = getopt(argc, argv, "6bdDEHi:I:l:NoPr:Rs:STvxX")) != -1)
switch (c)
{
case '6' :
@ -149,6 +151,9 @@ char *argv[];
return -1;
loaded = 1;
break;
case 's' :
src.s_addr = inet_addr(optarg);
break;
case 'v' :
opts |= OPT_VERBOSE;
break;
@ -208,11 +213,21 @@ char *argv[];
ip->ip_off = ntohs(ip->ip_off);
ip->ip_len = ntohs(ip->ip_len);
hlen = ip->ip_hl << 2;
if (src.s_addr != 0) {
if (src.s_addr == ip->ip_src.s_addr)
dir = 1;
else if (src.s_addr == ip->ip_dst.s_addr)
dir = 0;
}
}
#ifdef USE_INET6
else
hlen = sizeof(ip6_t);
#endif
if (opts & OPT_VERBOSE) {
printf("%s on [%s]: ", dir ? "out" : "in",
(iface && *iface) ? iface : "??");
}
packet = (char *)buf;
/* ipfr_slowtimer(); */
i = fr_check(ip, hlen, ifp, dir, (mb_t **)&packet);
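Review bot: The new `-s` case stores `inet_addr(optarg)` unchecked, so a mistyped address becomes `INADDR_NONE` and the direction override silently never applies, leaving the rule test to run with whatever direction the reader supplied. Reject it at parse time, for example `if (src.s_addr == INADDR_NONE) { fprintf(stderr, "bad -s address: %s\n", optarg); return -1; }`, matching the `return -1` used by the neighbouring case. `main` begins and ends outside these hunks.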


@ -8,7 +8,7 @@
* returns 0 on success, -1 on error.
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <stdio.h>
@ -46,7 +46,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed";
static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.15 2002/07/27 15:59:37 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.16 2002/12/06 11:40:27 darrenr Exp $";
#endif
#ifdef __sgi


@ -162,7 +162,7 @@ and FR_OUTQUE (see above). This ioctl is also implemented for
or just all those which are not established if passed 1.
.IP "\fBGeneral Logging Flags\fP" 0
There are two flags which can be set to log packets independantly of the
There are two flags which can be set to log packets independently of the
rules used. These allow for packets which are either passed or blocked
to be logged. To set (and clear)/get these flags, two ioctls are
provided:


@ -61,7 +61,7 @@ host-num = digit [ digit [ digit ] ] .
port-num = service-name | decnumber .
withopt = [ "not" | "no" ] opttype [ withopt ] .
opttype = "ipopts" | "short" | "frag" | "opt" ipopts .
opttype = "ipopts" | "short" | "frag" | "opt" optname .
optname = ipopts [ "," optname ] .
ipopts = optlist | "sec-class" [ secname ] .
secname = seclvl [ "," secname ] .


@ -55,7 +55,7 @@ the order on the command line being that used to execute options.
.TP
.BR \-F \0<s|S>
To flush entries from the state table, the \fB-F\fP option is used in
conjuction with either "s" (removes state information about any non-fully
conjunction with either "s" (removes state information about any non-fully
established connections) or "S" (deletes the entire state table). Only
one of the two options may be given. A fully established connection
will show up in \fBipfstat -s\fP output as 4/4, with deviations either


@ -80,12 +80,12 @@ Lock state tables in the kernel.
.B \-r
Read information in from the specified file and load it into the
kernel. This requires the state tables to have already been locked
and does not change the lock once comlete.
and does not change the lock once complete.
.TP
.B \-w
Write information out to the specified file and from the kernel.
This requires the state tables to have already been locked
and does not change the lock once comlete.
and does not change the lock once complete.
.TP
.B \-R
Restores all saved state information, if any, from two files,


@ -122,7 +122,7 @@ be used while ipfstat is in top mode.
.BR \-T \0<refreshtime>
This option is only valid in combination with \fB\-t\fP. Specifies how often
the state top display should be updated. The refresh time is the number of
seconds between an update. Any postive integer can be used. The default (and
seconds between an update. Any positive integer can be used. The default (and
minimal update time) is 1.
.TP
.B \-v
@ -162,7 +162,7 @@ the number of bytes. States are sorted in descending order, but you can use
the \fBr\fP key to sort them in ascending order.
.SH STATE TOP LIMITATIONS
It is currently not possible to interactively change the source, destination
and protocol filters or the refreh frequency. This must be done from the
and protocol filters or the refresh frequency. This must be done from the
command line.
.PP
The screen must have at least 80 columns. This is however not checked.


@ -14,6 +14,9 @@ interface
[
.B \-i
<filename>
] [
.B \-s
<ipaddress>
]
.SH DESCRIPTION
.PP
@ -128,6 +131,11 @@ Specify the filename from which to take input. Default is stdin.
.TP
.BR \-r \0<filename>
Specify the filename from which to read filter rules.
.TP
.BR \-s \0<ipaddress>
Where the input format is incapable of telling \fBipftest\fP whther a packet is
going in or out, setting this option to an IP address results in the direction
being set to out if the source matches or in if the destination matches.
.SH SEE ALSO
ipf(5), ipf(8), snoop(1m), tcpdump(8), etherfind(8c)
.SH BUGS


@ -54,7 +54,7 @@ setting, not a particular rule.
.LP
6. The addresses.
This is actually three fields: the source address and port
(separted by a comma), the \fB->\fP symbol, and the destination address
(separated by a comma), the \fB->\fP symbol, and the destination address
and port. E.g.: \fB209.53.17.22,80 -> 198.73.220.17,1722\fP.
.LP
7. \fBPR\fP followed by the protocol name or number, e.g., \fBPR tcp\fP.
@ -110,7 +110,7 @@ equivalent to using \fB-o NSI\fP.
.TP
.B \-O
Specify which log files you do not wish to read from. This is most sensibly
used with the \fB-a\fP. Letters available as paramters to this are the same
used with the \fB-a\fP. Letters available as parameters to this are the same
as for \fB-o\fP.
.TP
.B \-p


@ -7,10 +7,10 @@ The format for files accepted by ipnat is described by the following grammar:
.nf
ipmap :: = mapblock | redir | map .
map ::= mapit ifname ipmask "->" dstipmask [ mapport ] .
map ::= mapit ifname fromto "->" dstipmask [ mapport ] .
mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] .
redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] rdrport options .
map ::= mapit ifname ipmask "->" dstipmask [ mapport ] mapoptions.
map ::= mapit ifname fromto "->" dstipmask [ mapport ] mapoptions.
mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] mapoptions.
redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] rdrport rdroptions .
dport ::= "port" portnum [ "-" portnum ] .
ports ::= "ports" numports | "auto" .
@ -20,7 +20,8 @@ fromto ::= "from" object "to" object .
ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
dstipmask ::= ipmask | "range" ip "-" ip .
mapport ::= "portmap" tcpudp portspec .
options ::= [ tcpudp ] [ rr ] .
mapoptions ::= [ tcpudp ] [ "frag" ] [ age ] [ clamp ] .
rdroptions ::= [ tcpudp ] [ rr ] [ "frag" ] [ age ] [ clamp ] .
object :: = addr [ port-comp | port-range ] .
addr :: = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
@ -28,8 +29,12 @@ port-comp :: = "port" compare port-num .
port-range :: = "port" port-num range port-num .
rr ::= "round-robin" .
nummask = host-name [ "/" decnumber ] .
tcpudp ::= "tcp" | "udp" | "tcp/udp" .
age ::= "age" decnumber [ "/" decnumber ] .
clamp ::= "mssclamp" decnumber .
tcpudp ::= "tcp/udp" | protocol .
protocol ::= protocol-name | decnumber .
nummask ::= host-name [ "/" decnumber ] .
portspec ::= "auto" | portnumber ":" portnumber .
portnumber ::= number { numbers } .
ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers .
@ -107,6 +112,26 @@ rule. Such a rule might look like the following:
.PP
Only IP address and port numbers can be compared against. This is available
with all NAT rules.
.SH COMMAND QUALIFIERS
At the end of each rule, a number of qualifiers can be used to change how
the rule works. They are as follows:
.TP
protocol
A specific protocol may be given either by its name (as found in
/etc/protocols) or its number. A special case for supporting both
TCP and UDP is allowed with the name \fBtcp/udp\fP.
.TP
.B round-robin
Once a rule with this term has been successfully used, it is put at the
bottom of the list of those available so that each one will get used, in
turn, in a list of matching left hand sides.
.TP
.B frag
This qualifier is currently has no impact on NAT operation.
.TP
.B age
If more refined timeouts are required than those available globally for
NAT settings, this allows you to set them for \fBnon-TCP\fP use.
.SH TRANSLATION
.PP
To the right of the "->" is the address and port specificaton which will be


@ -29,7 +29,7 @@ active NAT mappings)
Show the list of current NAT table entry mappings.
.TP
.B \-n
This flag (no-change) prevents \fBipf\fP from actually making any ioctl
This flag (no-change) prevents \fBipnat\fP from actually making any ioctl
calls or doing anything which would alter the currently running kernel.
.TP
.B \-s


@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#if (SOLARIS2 >= 7)
@ -53,7 +53,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)misc.c 1.3 2/4/96 (C) 1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: misc.c,v 2.2.2.8 2002/04/26 10:24:24 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: misc.c,v 2.2.2.9 2002/12/06 11:40:27 darrenr Exp $";
#endif
extern int opts;


@ -274,10 +274,10 @@ ipfilterattach(void)
static void
nifattach()
{
nif_t *nif, *qf2;
struct ifnet *ifp;
struct frentry *f;
ipnat_t *np;
nif_t *nif;
MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */
@ -430,8 +430,8 @@ ipfsync(void)
static void
nifdetach()
{
nif_t *nif, *qf2, **qp;
struct ifnet *ifp;
nif_t *nif, **qp;
MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */
/*


@ -61,7 +61,7 @@
extern int lkmenodev __P((void));
#if NetBSD >= 199706
#if (NetBSD >= 199706) || (defined(OpenBSD) && (OpenBSD >= 200211))
int if_ipl_lkmentry __P((struct lkm_table *, int, int));
#else
#if defined(OpenBSD)
@ -80,6 +80,9 @@ static char *ipf_devfiles[] = { IPL_NAME, IPL_NAT, IPL_STATE, IPL_AUTH,
#if (defined(NetBSD1_0) && (NetBSD1_0 > 1)) || \
(defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199511))
# if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000)
extern const struct cdevsw ipl_cdevsw;
# else
struct cdevsw ipldevsw =
{
iplopen, /* open */
@ -93,6 +96,7 @@ struct cdevsw ipldevsw =
0, /* mmap */
NULL /* strategy */
};
# endif
#else
struct cdevsw ipldevsw =
{
@ -113,14 +117,18 @@ struct cdevsw ipldevsw =
#endif
int ipl_major = 0;
#if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000)
MOD_DEV(IPL_VERSION, "ipl", NULL, -1, &ipl_cdevsw, -1);
#else
MOD_DEV(IPL_VERSION, LM_DT_CHAR, -1, &ipldevsw);
#endif
extern int vd_unuseddev __P((void));
extern struct cdevsw cdevsw[];
extern int nchrdev;
#if NetBSD >= 199706
#if (NetBSD >= 199706) || (defined(OpenBSD) && (OpenBSD >= 200211))
int if_ipl_lkmentry(lkmtp, cmd, ver)
#else
#if defined(OpenBSD)
@ -143,9 +151,11 @@ static int iplaction(lkmtp, cmd)
struct lkm_table *lkmtp;
int cmd;
{
int i;
struct lkm_dev *args = lkmtp->private.lkm_dev;
int err = 0;
#if !defined(__NetBSD__) || (__NetBSD_Version__ < 106080000)
int i;
#endif
switch (cmd)
{
@ -153,6 +163,7 @@ int cmd;
if (lkmexists(lkmtp))
return EEXIST;
#if !defined(__NetBSD__) || (__NetBSD_Version__ < 106080000)
for (i = 0; i < nchrdev; i++)
if (cdevsw[i].d_open == (dev_type_open((*)))lkmenodev ||
cdevsw[i].d_open == iplopen)
@ -164,9 +175,22 @@ int cmd;
ipl_major = i;
args->lkm_offset = i; /* slot in cdevsw[] */
#else
err = devsw_attach(args->lkm_devname,
args->lkm_bdev, &args->lkm_bdevmaj,
args->lkm_cdev, &args->lkm_cdevmaj);
if (err != 0)
return (err);
ipl_major = args->lkm_cdevmaj;
#endif
printf("IP Filter: loaded into slot %d\n", ipl_major);
return ipl_load();
case LKM_E_UNLOAD :
#if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000)
devsw_detach(args->lkm_bdev, args->lkm_cdev);
args->lkm_bdevmaj = -1;
args->lkm_cdevmaj = -1;
#endif
err = ipl_unload();
if (!err)
printf("IP Filter: unloaded from slot %d\n",
@ -213,7 +237,11 @@ static int ipl_unload()
* Unloading - remove the filter rule check from the IP
* input/output stream.
*/
#if defined(__NetBSD__)
error = ipl_disable();
#else
error = ipldetach();
#endif
if (!error)
error = ipl_remove();
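Review bot: In the `LKM_E_UNLOAD` case the new NetBSD (>= 106080000) branch calls `devsw_detach()` and resets `lkm_bdevmaj`/`lkm_cdevmaj` before `ipl_unload()` has run, so if `ipl_unload()` returns an error the filter stays attached while its device switch entry is already gone. Detaching only after a successful unload keeps the two in step: `err = ipl_unload();` followed by `if (!err) devsw_detach(args->lkm_bdev, args->lkm_cdev);`. The load path has the mirror-image gap: after `devsw_attach()` succeeds, `return ipl_load();` leaves the entry attached when `ipl_load()` fails, unless the LKM framework cleans up, which is not visible here. The body of `iplaction` starts and ends outside these hunks.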


@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <stdio.h>
@ -12,9 +12,9 @@
#include <errno.h>
#include <sys/types.h>
#if !defined(__SVR4) && !defined(__svr4__)
#include <strings.h>
# include <strings.h>
#else
#include <sys/byteorder.h>
# include <sys/byteorder.h>
#endif
#include <sys/time.h>
#include <sys/param.h>
@ -56,7 +56,7 @@ extern char *sys_errlist[];
#if !defined(lint)
static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.24 2002/04/24 17:30:51 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.27 2002/12/06 11:40:27 darrenr Exp $";
#endif
@ -385,6 +385,13 @@ int linenum;
}
if (hostnum((u_32_t *)&ipn.in_inip, *cpp, linenum) == -1)
return NULL;
#if SOLARIS
if (ntohl(ipn.in_inip) == INADDR_LOOPBACK) {
fprintf(stderr,
"localhost as destination not supported\n");
return NULL;
}
#endif
} else {
if (!strcmp(*cpp, ipn.in_ifname))
*cpp = "0";
@ -525,6 +532,19 @@ int linenum;
cpp++;
}
if (*cpp && !strcasecmp(*cpp, "mssclamp")) {
cpp++;
if (*cpp) {
ipn.in_mssclamp = atoi(*cpp);
cpp++;
} else {
fprintf(stderr,
"%d: mssclamp with no parameters\n",
linenum);
return NULL;
}
}
if (*cpp) {
fprintf(stderr,
"%d: extra junk at the end of the line: %s\n",
@ -569,14 +589,7 @@ int linenum;
if (!*cpp)
return &ipn;
if (ipn.in_redir == NAT_BIMAP) {
fprintf(stderr,
"%d: extra words at the end of bimap line: %s\n",
linenum, *cpp);
return NULL;
}
if (!strcasecmp(*cpp, "proxy")) {
if (ipn.in_redir != NAT_BIMAP && !strcasecmp(*cpp, "proxy")) {
if (ipn.in_redir == NAT_BIMAP) {
fprintf(stderr, "%d: cannot use proxy with bimap\n",
linenum);
@ -631,7 +644,7 @@ int linenum;
(void) strncpy(ipn.in_plabel, *cpp, sizeof(ipn.in_plabel));
cpp++;
} else if (!strcasecmp(*cpp, "portmap")) {
} else if (ipn.in_redir != NAT_BIMAP && !strcasecmp(*cpp, "portmap")) {
if (ipn.in_redir == NAT_BIMAP) {
fprintf(stderr, "%d: cannot use portmap with bimap\n",
linenum);
@ -711,6 +724,18 @@ int linenum;
cpp++;
}
if (*cpp && !strcasecmp(*cpp, "mssclamp")) {
cpp++;
if (*cpp) {
ipn.in_mssclamp = atoi(*cpp);
cpp++;
} else {
fprintf(stderr, "%d: mssclamp with no parameters\n",
linenum);
return NULL;
}
}
if (*cpp) {
fprintf(stderr, "%d: extra junk at the end of the line: %s\n",
linenum, *cpp);
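Review bot: Both new `mssclamp` blocks (the hunks at -525 and -711) store `atoi(*cpp)` into `ipn.in_mssclamp` with no validation, so a non-numeric word silently becomes 0 and a negative or oversized number is accepted and converted to whatever width `in_mssclamp` has (its declaration is not visible here). Because the printing side only shows the option when the field is non-zero, a mistyped value disappears from the rule without any error, and the operator believes a clamp is in force when it is not. Parsing with `strtol`, checking the end pointer and rejecting values outside the 16-bit TCP MSS range would turn that into a parse error with the line number, as the other branches already do. The same change applies to the second block; the enclosing parser function starts and ends outside these hunks.
```c
	if (*cpp && !strcasecmp(*cpp, "mssclamp")) {
		char *end;
		long mss;

		cpp++;
		/* … unchanged: "mssclamp with no parameters" error when *cpp is NULL … */
		mss = strtol(*cpp, &end, 10);
		if (*end != '\0' || mss <= 0 || mss > 65535) {
			fprintf(stderr, "%d: invalid mssclamp value: %s\n",
				linenum, *cpp);
			return NULL;
		}
		ipn.in_mssclamp = mss;
		cpp++;
	}
```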


@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <stdio.h>
@ -28,7 +28,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)opt.c 1.8 4/10/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)$Id: opt.c,v 2.2.2.2 2002/02/22 15:32:56 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: opt.c,v 2.2.2.3 2002/12/06 11:40:27 darrenr Exp $";
#endif
extern int opts;


@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <sys/types.h>
@ -158,7 +158,11 @@ int linenum;
} else if (!strcasecmp("nomatch", *cpp)) {
fil.fr_flags |= FR_NOMATCH;
} else if (!strcasecmp("auth", *cpp)) {
fil.fr_flags |= FR_AUTH;
fil.fr_flags |= FR_AUTH;
if (!strncasecmp(*(cpp+1), "return-rst", 10)) {
fil.fr_flags |= FR_RETRST;
cpp++;
}
} else if (!strcasecmp("preauth", *cpp)) {
fil.fr_flags |= FR_PREAUTH;
} else if (!strcasecmp("skip", *cpp)) {
@ -1027,7 +1031,7 @@ int linenum;
}
} else if (fp->fr_proto == IPPROTO_ICMPV6) {
fprintf(stderr, "%d: Unknown ICMPv6 type (%s) specified, %s",
linenum, **cp, "(use numeric value instead\n");
linenum, **cp, "(use numeric value instead)\n");
return -1;
} else {
for (t = icmptypes, i = 0; ; t++, i++) {
@ -1214,9 +1218,11 @@ struct frentry *fp;
printlog(fp);
} else if (fp->fr_flags & FR_ACCOUNT)
printf("count");
else if (fp->fr_flags & FR_AUTH)
else if (fp->fr_flags & FR_AUTH) {
printf("auth");
else if (fp->fr_flags & FR_PREAUTH)
if ((fp->fr_flags & FR_RETMASK) == FR_RETRST)
printf(" return-rst");
} else if (fp->fr_flags & FR_PREAUTH)
printf("preauth");
else if (fp->fr_skip)
printf("skip %hu", fp->fr_skip);
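Review bot: The new `strncasecmp(*(cpp+1), "return-rst", 10)` in the `auth` branch reads the following word without checking that there is one. If the word vector is NULL-terminated (not visible in this hunk, but the NAT parser in this commit tests `*cpp` that way), a rule whose last word is `auth` passes NULL to `strncasecmp` and the rule loader crashes instead of reporting a syntax error. The 10-character prefix compare also accepts any word that merely starts with `return-rst`. I would write the test as `if (*(cpp+1) && !strcasecmp(*(cpp+1), "return-rst")) {`. The enclosing parse function starts and ends outside the hunk.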


@ -5,7 +5,7 @@
*
* Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com)
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <stdio.h>
@ -58,7 +58,7 @@ extern char *sys_errlist[];
#endif
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.10 2002/08/28 12:45:51 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.13 2002/12/06 11:40:27 darrenr Exp $";
#endif
@ -145,14 +145,18 @@ int opts;
ftp.ftp_side[0].ftps_buf[FTP_BUFSZ - 1] = '\0';
ftp.ftp_side[1].ftps_buf[FTP_BUFSZ - 1] = '\0';
printf("\tClient:\n");
printf("\t\tseq %x len %d junk %d cmds %d\n",
ftp.ftp_side[0].ftps_seq, ftp.ftp_side[0].ftps_len,
printf("\t\tseq %08x%08x len %d junk %d cmds %d\n",
ftp.ftp_side[0].ftps_seq[1],
ftp.ftp_side[0].ftps_seq[0],
ftp.ftp_side[0].ftps_len,
ftp.ftp_side[0].ftps_junk, ftp.ftp_side[0].ftps_cmds);
printf("\t\tbuf [");
printbuf(ftp.ftp_side[0].ftps_buf, FTP_BUFSZ, 1);
printf("]\n\tServer:\n");
printf("\t\tseq %x len %d junk %d cmds %d\n",
ftp.ftp_side[1].ftps_seq, ftp.ftp_side[1].ftps_len,
printf("\t\tseq %08x%08x len %d junk %d cmds %d\n",
ftp.ftp_side[1].ftps_seq[1],
ftp.ftp_side[1].ftps_seq[0],
ftp.ftp_side[1].ftps_len,
ftp.ftp_side[1].ftps_junk, ftp.ftp_side[1].ftps_cmds);
printf("\t\tbuf [");
printbuf(ftp.ftp_side[1].ftps_buf, FTP_BUFSZ, 1);
@ -387,6 +391,8 @@ int opts;
printf(" frag");
if (np->in_age[0])
printf(" age %d/%d", np->in_age[0], np->in_age[1]);
if (np->in_mssclamp)
printf(" mssclamp %u", np->in_mssclamp);
printf("\n");
if (opts & OPT_DEBUG)
printf("\tspc %lu flg %#x max %u use %d\n",


@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __sgi
#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <sys/types.h>


@ -16,6 +16,10 @@
#include <netinet/in.h>
#include <net/if.h>
#include <sys/socket.h>
#if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105000000)
# include <poll.h>
# define USE_POLL
#endif
#include "ip_nat.h"
#define RELAY_BUFSZ 8192
@ -26,7 +30,11 @@ char obuff[RELAY_BUFSZ];
int relay(ifd, ofd, rfd)
int ifd, ofd, rfd;
{
#ifdef USE_POLL
struct pollfd set[3];
#else
fd_set rfds, wfds;
#endif
char *irh, *irt, *rrh, *rrt;
char *iwh, *iwt, *rwh, *rwt;
int nfd, n, rw;
@ -39,7 +47,21 @@ int ifd, ofd, rfd;
if (nfd < rfd)
nfd = rfd;
#ifdef USE_POLL
set[0].fd = rfd;
set[1].fd = ifd;
set[2].fd = ofd;
#endif
while (1) {
#ifdef USE_POLL
set[0].events = (iwh < (obuff + RELAY_BUFSZ) ? POLLIN : 0) |
(irh > irt ? POLLOUT : 0);
set[1].events = (irh < (ibuff + RELAY_BUFSZ) ? POLLIN : 0);
set[2].events = (iwh > iwt ? POLLOUT : 0);
switch ((n = poll(set, 3, INFTIM)))
#else
FD_ZERO(&rfds);
FD_ZERO(&wfds);
if (irh > irt)
@ -52,12 +74,18 @@ int ifd, ofd, rfd;
FD_SET(rfd, &rfds);
switch ((n = select(nfd + 1, &rfds, &wfds, NULL, NULL)))
#endif
{
case -1 :
case 0 :
return -1;
default :
if (FD_ISSET(ifd, &rfds)) {
#ifdef USE_POLL
if (set[1].revents & POLLIN)
#else
if (FD_ISSET(ifd, &rfds))
#endif
{
rw = read(ifd, irh, ibuff + RELAY_BUFSZ - irh);
if (rw == -1)
return -1;
@ -66,14 +94,24 @@ int ifd, ofd, rfd;
irh += rw;
n--;
}
if (n && FD_ISSET(ofd, &wfds)) {
#ifdef USE_POLL
if (set[2].revents & POLLOUT)
#else
if (n && FD_ISSET(ofd, &wfds))
#endif
{
rw = write(ofd, iwt, iwh - iwt);
if (rw == -1)
return -1;
iwt += rw;
n--;
}
if (n && FD_ISSET(rfd, &rfds)) {
#ifdef USE_POLL
if (set[0].revents & POLLIN)
#else
if (n && FD_ISSET(rfd, &rfds))
#endif
{
rw = read(rfd, iwh, obuff + RELAY_BUFSZ - iwh);
if (rw == -1)
return -1;
@ -82,7 +120,12 @@ int ifd, ofd, rfd;
iwh += rw;
n--;
}
if (n && FD_ISSET(rfd, &wfds)) {
#ifdef USE_POLL
if (set[0].revents & POLLOUT)
#else
if (n && FD_ISSET(rfd, &wfds))
#endif
{
rw = write(rfd, irt, irh - irt);
if (rw == -1)
return -1;
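Review bot: The `USE_POLL` branches of `relay()` test `revents` only for `POLLIN` and `POLLOUT`, so a descriptor that reports just `POLLHUP`, `POLLERR` or `POLLNVAL` satisfies none of the four handlers. `poll()` then returns a positive count again on the next iteration and the loop spins at full CPU instead of ending the relay. On platforms that signal hang-up together with `POLLIN` the read path may still catch it, but that is not guaranteed. A check before the handlers would close the gap, for example `if ((set[0].revents | set[1].revents | set[2].revents) & (POLLERR|POLLNVAL)) return -1;`, plus treating `POLLHUP` without `POLLIN` as end of stream. `nfd` is still computed above the loop but is unused when `USE_POLL` is defined; the function continues outside these hunks.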


@ -28,7 +28,7 @@ intests: in1 in2 in3 in4
logtests: l1
ipv6: ipv6.1 ipv6.2
ipv6: ipv6.1 ipv6.2 ipv6.3
0:
@(cd ..; make ipftest; )
@ -60,7 +60,7 @@ in1 in2 in3 in4:
l1:
@/bin/sh ./logtest $@
ipv6.1 ipv6.2:
ipv6.1 ipv6.2 ipv6.3:
@/bin/sh ./dotest6 $@
clean:
@ -70,5 +70,5 @@ clean:
/bin/rm -f ni1 ni2 ni3 ni4 ni5
/bin/rm -f in1 in2 in3 in4
/bin/rm -f l1
/bin/rm -f ipv6.1 ipv6.2
/bin/rm -f ipv6.1 ipv6.2 ipv6.3
/bin/rm -f results/*


@ -0,0 +1,6 @@
pass
nomatch
nomatch
nomatch
pass
--------


@ -3,6 +3,7 @@
4500 0028 10ca 4000 ff06 328c 0101 0101 96cb e002 8032 0015 bd6b c9c9 3786 76c5 5010 269c 5aa0 0000
4500 006f ffde 4000 ef06 5330 96cb e002 c0a8 0103 0015 8032 3786 76c5 bd6b c9c9 5018 269c 967e 0000 3232 302d 636f 6f6d 6273 2e61 6e75 2e65 6475 2e61 7520 4e63 4654 5064 2053 6572 7665 7220 2866 7265 6520 6564 7563 6174 696f 6e61 6c20 6c69 6365 6e73 6529 2072 6561 6479 2e0d 0a
4500 0028 10cb 4000 ff06 328b 0101 0101 96cb e002 8032 0015 bd6b c9c9 3786 770c 5010 269c 5a59 0000
ippr_ftp_server_valid:junk after cmd[220-Maintained by RSSS and RSPAS IT Staff (previously known as Coombs Comp]
4500 00c7 ffdf 4000 ef06 52d7 96cb e002 c0a8 0103 0015 8032 3786 770c bd6b c9c9 5018 269c 1087 0000 3232 302d 0d0a 3232 302d 4d61 696e 7461 696e 6564 2062 7920 5253 5353 2061 6e64 2052 5350 4153 2049 5420 5374 6166 6620 2870 7265 7669 6f75 736c 7920 6b6e 6f77 6e20 6173 2043 6f6f 6d62 7320 436f 6d70 7574 696e 6720 556e 6974 290d 0a32 3230 2d41 6e79 2070 726f 626c 656d 7320 636f 6e74 6163 7420 6674 706d 6173 7465 7240 636f 6f6d 6273 2e61 6e75 2e65 6475 2e61 750d 0a32 3230 2d0d 0a32 3230 200d 0a
4500 0028 10cc 4000 ff06 328a 0101 0101 96cb e002 8032 0015 bd6b c9c9 3786 77ab 5010 269c 59ba 0000
4500 0038 10cd 4000 ff06 3279 0101 0101 96cb e002 8032 0015 bd6b c9c9 3786 77ab 5018 269c d1c5 0000 5553 4552 2061 6e6f 6e79 6d6f 7573 0d0a


@ -0,0 +1,30 @@
[out,gif0]
6000 0000 0010 3a40 3ffe 8280 0000 2001
0000 0000 0000 4395 3ffe 8280 0000 2001
0000 0000 0000 4394 8000 3f77 085c 0038
0c06 b73d 1b3d 0d00
[in,gif0]
6000 0000 0010 3a40 3ffe 8280 0000 2001
0000 0000 0000 4393 3ffe 8280 0000 2001
0000 0000 0000 4395 8100 3e77 085c 0038
0c06 b73d 1b3d 0d00
[in,gif0]
6000 0000 0010 3a40 3ffe 8280 0000 2001
0000 0000 0000 4394 3ffe 8280 0000 2001
0000 0000 0000 4395 8300 3e77 085c 0038
0c06 b73d 1b3d 0d00
[in,gif0]
6000 0000 0010 3a40 3ffe 8280 0000 2001
0000 0000 0000 4394 3ffe 8280 0000 2001
0000 0000 0000 4395 8000 3e77 085c 0038
0c06 b73d 1b3d 0d00
[in,gif0]
6000 0000 0010 3a40 3ffe 8280 0000 2001
0000 0000 0000 4394 3ffe 8280 0000 2001
0000 0000 0000 4395 8100 3e77 085c 0038
0c06 b73d 1b3d 0d00


@ -1,7 +1,7 @@
[out,ppp0]
4500 002c 10c9 4000 ff06 3289 c0a8 0103
96cb e002 8032 0015 bd6b c9c8 0000 0000
6002 2238 35f9 0000 0204 05b4 3cb9
6002 2238 35f9 0000 0204 05b4
[in,ppp0]
4500 002c ffdd 4000 ef06 5374 96cb e002
@ -11,7 +11,7 @@
[out,ppp0]
4500 0028 10ca 4000 ff06 328c c0a8 0103
96cb e002 8032 0015 bd6b c9c9 3786 76c5
5010 269c 9af6 0000 c0a8 0103 0015
5010 269c 9af6 0000
[in,ppp0]
4500 006f ffde 4000 ef06 5330 96cb e002
@ -25,7 +25,7 @@
[out,ppp0]
4500 0028 10cb 4000 ff06 328b c0a8 0103
96cb e002 8032 0015 bd6b c9c9 3786 770c
5010 269c 9aaf 0000 0111 aa28 c0a8
5010 269c 9aaf 0000
[in,ppp0]
4500 00c7 ffdf 4000 ef06 52d7 96cb e002
@ -45,7 +45,7 @@
[out,ppp0]
4500 0028 10cc 4000 ff06 328a c0a8 0103
96cb e002 8032 0015 bd6b c9c9 3786 77ab
5010 269c 9a10 0000 c0a8 0103 206c
5010 269c 9a10 0000
[out,ppp0]
4500 0038 10cd 4000 ff06 3279 c0a8 0103
@ -70,7 +70,7 @@
[out,ppp0]
4500 0028 10ce 4000 ff06 3288 c0a8 0103
96cb e002 8032 0015 bd6b c9d9 3786 77ef
5010 269c 99bc 0000 c0a8 0103 0015
5010 269c 99bc 0000
[out,ppp0]
4500 0036 10cf 4000 ff06 3279 c0a8 0103
@ -89,7 +89,7 @@
[out,ppp0]
4500 0028 10d0 4000 ff06 3286 c0a8 0103
96cb e002 8032 0015 bd6b c9e7 3786 7826
5010 269c 9977 0000 0000 0800 207a
5010 269c 9977 0000
[in,ppp0]
4500 0099 ffe3 4000 ef06 5301 96cb e002
@ -106,7 +106,7 @@
[out,ppp0]
4500 0028 10d1 4000 ff06 3285 c0a8 0103
96cb e002 8032 0015 bd6b c9e7 3786 7897
5010 269c 9906 0000 c0a8 0103 0015
5010 269c 9906 0000
[out,ppp0]
4500 0030 10d2 4000 ff06 327c c0a8 0103
@ -122,7 +122,7 @@
[out,ppp0]
4500 0028 10d3 4000 ff06 3283 c0a8 0103
96cb e002 8032 0015 bd6b c9ef 3786 78a7
5010 269c 98ee 0000 c0a8 0103 0015
5010 269c 98ee 0000
[out,ppp0]
4500 0041 10d4 4000 ff06 3269 c0a8 0103
@ -162,7 +162,7 @@
[out,ppp0]
4500 002c 10d7 4000 ff06 327b c0a8 0103
96cb e002 8033 0014 bd78 5c12 d9f8 11d5
6012 02f8 d734 0000 0204 0584 3cc7
6012 02f8 d734 0000 0204 0584
[in,ppp0]
4500 0028 ffe8 4000 ef06 536d 96cb e002
@ -180,7 +180,7 @@
[out,ppp0]
4500 0028 10d8 4000 ff06 327e c0a8 0103
96cb e002 8033 0014 bd78 5c13 d9f8 11d5
5010 6348 8e71 0000 c0a8 0103 0015
5010 6348 8e71 0000
[in,ppp0]
4500 0063 ffea 4000 ef06 5330 96cb e002
@ -194,7 +194,7 @@
[out,ppp0]
4500 0028 10d9 4000 ff06 327d c0a8 0103
96cb e002 8033 0014 bd78 5c13 d9f8 1210
5010 6348 8e36 0000 c0a8 0103 0014
5010 6348 8e36 0000
[in,ppp0]
4500 0028 ffeb 4000 ef06 536a 96cb e002
@ -204,12 +204,12 @@
[out,ppp0]
4500 0028 10da 4000 ff06 327c c0a8 0103
96cb e002 8033 0014 bd78 5c13 d9f8 1211
5010 6348 8e35 0000 c0a8 0103 0014
5010 6348 8e35 0000
[out,ppp0]
4500 0028 10db 4000 ff06 327b c0a8 0103
96cb e002 8033 0014 bd78 5c13 d9f8 1211
5011 6348 8e34 0000 c0a8 0103 0014
5011 6348 8e34 0000
[in,ppp0]
4500 0028 ffec 4000 ef06 5369 96cb e002
@ -219,7 +219,7 @@
[out,ppp0]
4500 0028 10dc 4000 ff06 327a c0a8 0103
96cb e002 8032 0015 bd6b ca16 3786 790a
5010 269c 9864 0000 c0a8 0103 0014
5010 269c 9864 0000
[in,ppp0]
4500 0040 ffed 4000 ef06 5350 96cb e002
@ -241,7 +241,7 @@
[out,ppp0]
4500 0028 10de 4000 ff06 3278 c0a8 0103
96cb e002 8032 0015 bd6b ca1e 3786 7932
5010 269c 9834 0000 6720 636f 6d70
5010 269c 9834 0000
[out,ppp0]
4500 002e 10df 4000 ff06 3271 c0a8 0103
@ -257,7 +257,7 @@
[out,ppp0]
4500 0028 10e0 4000 ff06 3276 c0a8 0103
96cb e002 8032 0015 bd6b ca24 3786 7940
5011 269c 981f 0000 c0a8 0103 0015
5011 269c 981f 0000
[in,ppp0]
4500 0028 fff0 4000 ef06 5365 96cb e002
@ -267,7 +267,7 @@
[out,ppp0]
4500 0028 10e1 4000 ff06 3275 c0a8 0103
96cb e002 8032 0015 bd6b ca25 3786 7941
5010 269c 981e 0000 0663 6f6f 6d62
5010 269c 981e 0000
[in,ppp0]
4500 0028 fff1 4000 ef06 5364 96cb e002


@ -0,0 +1 @@
pass out log quick on gif0 proto ipv6-icmp from any to any icmp-type 128 keep state