Import trimmed version of ipfilter 3.2.7.

Obtained from:  Darren Reed via http://cheops.anu.edu.au/~avalon/
This commit is contained in:
Peter Wemm 1998-06-20 18:29:38 +00:00
parent f4b66beedb
commit 9b632708fe
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/vendor/ipfilter/dist/; revision=37074
62 changed files with 1644 additions and 544 deletions


@ -1,3 +1,7 @@
If you have BOTH GNU make and the normal make shipped with your system,
DO NOT use the GNU make to build this package. If you have any errors
relating to "(" or "TOP", check that you are using /usr/ccs/bin/make as
shipped with Solaris 2.
If you get the following error whilst compiling:


@ -0,0 +1,707 @@
diff -c -r ./ftp-gw/ftp-gw.c ../../fwtk-2.1-violated/fwtk/ftp-gw/ftp-gw.c
*** ./ftp-gw/ftp-gw.c Thu Feb 5 19:05:43 1998
--- ../../fwtk-2.1-violated/fwtk/ftp-gw/ftp-gw.c Thu May 21 17:36:09 1998
***************
*** 44,49 ****
--- 44,51 ----
extern char *optarg;
+ char *getdsthost();
+
#include "firewall.h"
***************
*** 88,93 ****
--- 90,97 ----
static int cmdcnt = 0;
static int timeout = PROXY_TIMEOUT;
+ static int do_transparent = 0;
+
static int cmd_user();
static int cmd_authorize();
***************
*** 101,106 ****
--- 105,111 ----
static int cmd_passthru();
static void saveline();
static void flushsaved();
+ static int connectdest();
#define OP_CONN 001 /* only valid if connected */
#define OP_WCON 002 /* writethrough if connected */
***************
*** 173,178 ****
--- 178,184 ----
char xuf[1024];
char huf[512];
char *passuser = (char *)0; /* passed user as av */
+ char *psychic, *hotline;
#ifndef LOG_DAEMON
openlog("ftp-gw",LOG_PID);
***************
*** 317,322 ****
--- 323,332 ----
} else
timeout = PROXY_TIMEOUT;
+ psychic = getdsthost(0, NULL);
+ if (psychic)
+ do_transparent++;
+
/* display a welcome file or message */
if(passuser == (char *)0) {
if((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) {
***************
*** 324,329 ****
--- 334,345 ----
syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln);
exit(1);
}
+ if (do_transparent) {
+ if (sayfile2(0, cf->argv[0], 220)) {
+ syslog(LLEV,"fwtksyserr: cannot display welcome %.512s: %m",cf->argv[0]);
+ exit(1);
+ }
+ } else
if(sayfile(0,cf->argv[0],220)) {
syslog(LLEV,"fwtksyserr: cannot display welcome %.512s: %m",cf->argv[0]);
exit(1);
***************
*** 336,341 ****
--- 352,360 ----
if(say(0,"220-Proxy first requires authentication"))
exit(1);
+ if (do_transparent)
+ sprintf(xuf, "220-%s FTP proxy (Version %s) ready.",huf, FWTK_VERSION_MINOR);
+ else
sprintf(xuf, "220 %s FTP proxy (Version %s) ready.",huf, FWTK_VERSION_MINOR);
if(say(0,xuf))
exit(1);
***************
*** 357,362 ****
--- 376,384 ----
exit(1);
}
+ if (do_transparent)
+ connectdest(psychic, 21);
+
/* main loop */
while(1) {
FD_ZERO(&rdy);
***************
*** 653,658 ****
--- 675,696 ----
return(sayn(0,noad,sizeof(noad)-1));
}
+ if (do_transparent) {
+ if((rfd == (-1)) && (x = connectdest(dest,port)))
+ return x;
+
+ sprintf(buf,"USER %s",user);
+
+ if (say(rfd, buf))
+ return(1);
+
+ x = getresp(rfd, buf, sizeof(buf), 1);
+ if (sendsaved(0, x))
+ return(1);
+
+ return(say(0, buf));
+ }
+
if(*dest == '\0')
dest = "localhost";
***************
*** 694,705 ****
char ebuf[512];
strcpy(ebuf,buf);
! sprintf(buf,"521 %s: %s",dest,ebuf);
rfd = -1;
return(say(0,buf));
}
! sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest);
! saveline(buf);
/* we are now connected and need to try the autologin thing */
x = getresp(rfd,buf,sizeof(buf),1);
--- 732,748 ----
char ebuf[512];
strcpy(ebuf,buf);
! if (do_transparent)
! sprintf(buf, "521 %s,%d: %s", dest, ntohs(port), ebuf);
! else
! sprintf(buf,"521 %s: %s",dest,ebuf);
rfd = -1;
return(say(0,buf));
}
! if (!do_transparent) {
! sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest);
! saveline(buf);
! }
/* we are now connected and need to try the autologin thing */
x = getresp(rfd,buf,sizeof(buf),1);
***************
*** 1889,1891 ****
--- 1932,2050 ----
dup(nread);
}
#endif
+
+ static int connectdest(dest, port)
+ char *dest;
+ short port;
+ {
+ char buf[1024], mbuf[512];
+ int msg_int, x;
+
+ if(*dest == '\0')
+ dest = "localhost";
+
+ if(validests != (char **)0) {
+ char **xp;
+ int x;
+
+ for(xp = validests; *xp != (char *)0; xp++) {
+ if(**xp == '!' && hostmatch(*xp + 1,dest)) {
+ return(baddest(0,dest));
+ } else {
+ if(hostmatch(*xp,dest))
+ break;
+ }
+ }
+ if(*xp == (char *)0)
+ return(baddest(0,dest));
+ }
+
+ /* Extended permissions processing goes in here for destination */
+ if(extendperm) {
+ msg_int = auth_perm(confp, authuser, "ftp-gw", dest,(char *)0);
+ if(msg_int == 1) {
+ sprintf(mbuf,"Permission denied for user %s to connect to %s",authuser,dest);
+ syslog(LLEV,"deny host=%s/%s connect to %s user=%s",rladdr,riaddr,dest,authuser);
+ say(0,mbuf);
+ return(1);
+ } else {
+ if(msg_int == -1) {
+ sprintf(mbuf,"No match in netperm-table for %s to ftp to %s",authuser,dest);
+ say(0,mbuf);
+ return(1);
+ }
+ }
+ }
+
+ syslog(LLEV,"permit host=%s/%s connect to %s",rladdr,riaddr,dest);
+
+ if((rfd = conn_server(dest,port,0,buf)) < 0) {
+ char ebuf[512];
+
+ strcpy(ebuf,buf);
+ if (do_transparent)
+ sprintf(buf,"521 %s,%d: %s",dest,ntohs(port),ebuf);
+ else
+ sprintf(buf,"521 %s: %s",dest,ebuf);
+ rfd = -1;
+ return(say(0,buf));
+ }
+ if (!do_transparent) {
+ sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest);
+ saveline(buf);
+ }
+
+ /* we are now connected and need to try the autologin thing */
+ x = getresp(rfd,buf,sizeof(buf),1);
+ if(x / 100 != COMPLETE) {
+ sendsaved(0,-1);
+ return(say(0,buf));
+ }
+ saveline(buf);
+
+ sendsaved(0,-1);
+ return 0;
+ }
+
+ /* quick hack */
+ sayfile2(fd,fn,code)
+ int fd;
+ char *fn;
+ int code;
+ {
+ FILE *f;
+ char buf[BUFSIZ];
+ char yuf[BUFSIZ];
+ char *c;
+ int x;
+ int saidsomething = 0;
+
+ if((f = fopen(fn,"r")) == (FILE *)0)
+ return(1);
+ while(fgets(buf,sizeof(buf),f) != (char *)0) {
+ if((c = index(buf,'\n')) != (char *)0)
+ *c = '\0';
+ x = fgetc(f);
+ if(feof(f))
+ sprintf(yuf,"%3.3d-%s",code,buf);
+ else {
+ sprintf(yuf,"%3.3d-%s",code,buf);
+ ungetc(x,f);
+ }
+ if(say(fd,yuf)) {
+ fclose(f);
+ return(1);
+ }
+ saidsomething++;
+ }
+ fclose(f);
+ if (!saidsomething) {
+ syslog(LLEV,"fwtkcfgerr: sayfile for %d is empty",code);
+ sprintf(yuf, "%3.3d The file to display is empty",code);
+ if(say(fd,yuf)) {
+ fclose(f);
+ return(1);
+ }
+ }
+ return(0);
+ }
diff -c -r ./http-gw/http-gw.c ../../fwtk-2.1-violated/fwtk/http-gw/http-gw.c
*** ./http-gw/http-gw.c Fri Feb 6 18:32:25 1998
--- ../../fwtk-2.1-violated/fwtk/http-gw/http-gw.c Thu May 21 17:00:47 1998
***************
*** 27,32 ****
--- 27,35 ----
static char http_buffer[8192];
static char reason[8192];
static int checkBrowserType = 1;
+ static int do_transparent = 0;
+
+ char * getdsthost();
static void do_logging()
{ char *proto = "GOPHER";
***************
*** 473,478 ****
--- 476,490 ----
/*(NOT A SPECIAL FORM)*/
if((rem_type & TYPE_LOCAL)== 0){
+ char * psychic = getdsthost(sockfd, &def_port);
+ if (psychic) {
+ if (strlen(psychic) <= MAXHOSTNAMELEN) {
+ do_transparent ++;
+ strncpy(def_httpd, psychic, strlen(psychic));
+ strncpy(def_server, psychic, strlen(psychic));
+ }
+ }
+
/* See if it can be forwarded */
if( can_forward(buf)){
***************
*** 1564,1570 ****
parse_vec[0],
parse_vec[1],
ourname, ourport);
! }else{
sprintf(new_reply,"%s\tgopher://%s:%s/%c%s\t%s\t%u",
parse_vec[0], parse_vec[2],
parse_vec[3], chk_type_ch,
--- 1576,1589 ----
parse_vec[0],
parse_vec[1],
ourname, ourport);
! }
! else
! if (do_transparent) {
! sprintf(new_reply, "%s\t%s\t%s\t%s",
! parse_vec[0], parse_vec[1],
! parse_vec[2],parse_vec[3]);
! }
! else {
sprintf(new_reply,"%s\tgopher://%s:%s/%c%s\t%s\t%u",
parse_vec[0], parse_vec[2],
parse_vec[3], chk_type_ch,
diff -c -r ./lib/hnam.c ../../fwtk-2.1-violated/fwtk/lib/hnam.c
*** ./lib/hnam.c Tue Dec 10 13:08:48 1996
--- ../../fwtk-2.1-violated/fwtk/lib/hnam.c Thu May 21 17:10:00 1998
***************
*** 23,28 ****
--- 23,33 ----
#include "firewall.h"
+ #ifdef __FreeBSD__ /* or OpenBSD, NetBSD, BSDI, etc. Fix this for your system. */
+ #include <net/if.h>
+ #include "ip_nat.h"
+ #endif /* __FreeBSD__ */
+
char *
maphostname(name)
***************
*** 49,52 ****
--- 54,132 ----
}
bcopy(hp->h_addr,&sin.sin_addr,hp->h_length);
return(inet_ntoa(sin.sin_addr));
+ }
+
+ char *getdsthost(fd, ptr)
+ int fd;
+ int *ptr;
+ {
+ struct sockaddr_in sin;
+ struct hostent * hp;
+ int sl = sizeof(struct sockaddr_in), err = 0, local_h = 0, i = 0;
+ char buf[255], hostbuf[255];
+ #ifdef __FreeBSD__
+ struct sockaddr_in rsin;
+ struct natlookup natlookup;
+ #endif
+
+ #ifdef linux
+ if (!(err = getsockname(0, &sin, &sl))) {
+ if(ptr)
+ * ptr = ntohs(sin.sin_port);
+
+ sprintf(buf, "%s", inet_ntoa(sin.sin_addr));
+ gethostname(hostbuf, 254);
+ hp = gethostbyname(hostbuf);
+ while (hp->h_addr_list[i]) {
+ bzero(&sin, &sl);
+ memcpy(&sin.sin_addr, hp->h_addr_list[i++],
+ sizeof(hp->h_addr_list[i++]));
+
+ if (!strcmp(buf, inet_ntoa(sin.sin_addr)))
+ local_h++;
+ }
+
+ if(local_h)
+ return(NULL);
+ else
+ return(buf);
+ }
+ #endif
+
+ #ifdef __FreeBSD__
+ /* The basis for this block of code is Darren Reed's
+ * patches to the TIS ftwk's ftp-gw.
+ */
+ bzero((char*)&sin, sizeof(sin));
+ bzero((char*)&rsin, sizeof(rsin));
+
+ if (getsockname(fd, (struct sockaddr*)&sin, &sl) < 0)
+ return NULL;
+
+ sl = sizeof(rsin);
+
+ if(getpeername(fd, (struct sockaddr*)&rsin, &sl) < 0)
+ return NULL;
+
+ natlookup.nl_inport=sin.sin_port;
+ natlookup.nl_outport=rsin.sin_port;
+ natlookup.nl_inip=sin.sin_addr;
+ natlookup.nl_outip=rsin.sin_addr;
+
+ if ((natfd = open("/dev/ipl",O_RDONLY)) < 0)
+ return NULL;
+
+ if (ioctl(natfd, SIOCGNATL,&natlookup) == (-1))
+ return NULL;
+
+ close(natfd);
+
+ if (ptr)
+ *ptr = ntohs(natlookup.nl_inport);
+
+ sprintf(buf, "%s", inet_ntoa(natlookup.nl_inip));
+ #endif
+
+ /* No transparent proxy support */
+ return(NULL);
}
diff -c -r ./plug-gw/plug-gw.c ../../fwtk-2.1-violated/fwtk/plug-gw/plug-gw.c
*** ./plug-gw/plug-gw.c Thu Feb 5 19:07:35 1998
--- ../../fwtk-2.1-violated/fwtk/plug-gw/plug-gw.c Thu May 21 17:29:01 1998
***************
*** 43,48 ****
--- 43,50 ----
static char **validdests = (char **)0;
static int net_write();
+ static int do_transparent = 0;
+
main(ac,av)
int ac;
char *av[];
***************
*** 198,206 ****
--- 200,220 ----
char *ptr;
int state = 0;
int ssl_plug = 0;
+ char * getdsthost();
+ int pport = 0;
struct timeval timo;
+ /* Transparent plug-gw is probably a bad idea, but then, plug-gw is a bad
+ * idea ..
+ */
+ dhost = getdsthost(0, &pport);
+ if (dhost) {
+ do_transparent++;
+ portid = pport;
+ }
+
+
if(c->flags & PERM_DENY) {
if (p == -1)
syslog(LLEV,"deny host=%.512s/%.20s port=any",rhost,raddr);
***************
*** 220,226 ****
syslog(LLEV,"fwtkcfgerr: -plug-to takes an argument, line %d",c->ln);
exit (1);
}
! dhost = av[x];
continue;
}
--- 234,241 ----
syslog(LLEV,"fwtkcfgerr: -plug-to takes an argument, line %d",c->ln);
exit (1);
}
! if (!dhost)
! dhost = av[x];
continue;
}
diff -c -r ./rlogin-gw/rlogin-gw.c ../../fwtk-2.1-violated/fwtk/rlogin-gw/rlogin-gw.c
*** ./rlogin-gw/rlogin-gw.c Thu Feb 5 19:08:38 1998
--- ../../fwtk-2.1-violated/fwtk/rlogin-gw/rlogin-gw.c Thu May 21 17:20:25 1998
***************
*** 103,108 ****
--- 103,111 ----
static int trusted = 0;
static int doX = 0;
static char *prompt;
+ static int do_transparent = 0;
+
+ char * getdsthost();
main(ac,av)
int ac;
***************
*** 123,128 ****
--- 126,132 ----
static char *tokav[56];
int tokac;
struct timeval timo;
+ char * psychic;
#ifndef LOG_NDELAY
openlog("rlogin-gw",LOG_PID);
***************
*** 188,194 ****
xforwarder = cf->argv[0];
}
!
if((cf = cfg_get("directory",confp)) != (Cfg *)0) {
if(cf->argc != 1) {
--- 192,203 ----
xforwarder = cf->argv[0];
}
! psychic = getdsthost(0, NULL);
! if (psychic) {
! do_transparent++;
! strncpy(dest, psychic, 511);
! dest[511] = '\0';
! }
if((cf = cfg_get("directory",confp)) != (Cfg *)0) {
if(cf->argc != 1) {
***************
*** 266,271 ****
--- 275,281 ----
if((p = index(rusername,'@')) != (char *)0) {
char *namp;
+ dest[0] = '\0';
*p++ = '\0';
if(*p == '\0')
p = "localhost";
***************
*** 297,302 ****
--- 307,326 ----
if(dest[0] != '\0') {
/* Setup connection directly to remote machine */
+ if ((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) {
+ if (cf->argc != 1) {
+ syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln);
+ exit(1);
+ }
+
+ if (sayfile(0, cf->argv[0])) {
+ syslog(LLEV,"fwtksyserr: cannot display welcome %s: %m",cf->argv[0]);
+ exit(1);
+ }
+ }
+
+ /* Hey fwtk developer people -- this connect_dest thing is *nasty!* */
+
sprintf(buf,"connect %.1000s",dest);
tokac = enargv(buf, tokav, 56, tokbuf, sizeof(tokbuf));
if (cmd_connect(tokac, tokav, buf) != 2)
***************
*** 535,548 ****
char ebuf[512];
syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,namp);
! if(strlen(namp) > 20)
! namp[20] = '\0';
! if(rusername[0] != '\0')
! sprintf(ebuf,"Trying %s@%s...",rusername,namp);
! else
! sprintf(ebuf,"Trying %s...",namp);
! if(say(0,ebuf))
! return(1);
} else
syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,av[1]);
if((serfd = conn_server(av[1],RLOGINPORT,1,buf)) < 0) {
--- 559,574 ----
char ebuf[512];
syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,namp);
! if (!do_transparent) {
! if(strlen(namp) > 20)
! namp[20] = '\0';
! if(rusername[0] != '\0')
! sprintf(ebuf,"Trying %s@%s...",rusername,namp);
! else
! sprintf(ebuf,"Trying %s...",namp);
! if(say(0,ebuf))
! return(1);
! }
} else
syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,av[1]);
if((serfd = conn_server(av[1],RLOGINPORT,1,buf)) < 0) {
diff -c -r ./tn-gw/tn-gw.c ../../fwtk-2.1-violated/fwtk/tn-gw/tn-gw.c
*** ./tn-gw/tn-gw.c Thu Feb 5 19:11:36 1998
--- ../../fwtk-2.1-violated/fwtk/tn-gw/tn-gw.c Thu May 21 17:25:06 1998
***************
*** 91,96 ****
--- 91,100 ----
static int cmd_xforward();
static int cmd_timeout();
+ char * getdsthost();
+
+ static int do_transparent = 0;
+
static int tn3270 = 1; /* don't do tn3270 stuff */
static int doX;
***************
*** 144,149 ****
--- 148,155 ----
char tokbuf[BSIZ];
char *tokav[56];
int tokac;
+ int port;
+ char * psychic;
#ifndef LOG_DAEMON
openlog("tn-gw",LOG_PID);
***************
*** 325,330 ****
--- 331,362 ----
}
}
+ psychic = getdsthost(0, &port);
+ if (psychic) {
+ if ((strlen(psychic) + 10) < 510) {
+ do_transparent++;
+ if (port)
+ sprintf(dest, "%s:%d", psychic, port);
+ else
+ sprintf(dest, "%s", psychic);
+
+ if (!welcomedone)
+ if ((cf = cfg_get("welcome-msg", confp)) != (Cfg *)0) {
+ if (cf->argc != 1) {
+ syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln);
+ exit(1);
+ }
+
+ if (sayfile(0, cf->argv[0])) {
+ syslog(LLEV,"fwtksyserr: cannot display welcome %s:%m",cf->argv[0]);
+ exit(1);
+ }
+
+ welcomedone = 1;
+ }
+ }
+ }
+
while (argc > 1) {
argc--;
argv++;
***************
*** 947,955 ****
char ebuf[512];
syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,namp);
! sprintf(ebuf,"Trying %.100s port %d...",namp,port);
! if(say(0,ebuf))
! return(1);
} else
syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]);
--- 979,989 ----
char ebuf[512];
syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,namp);
! if (!do_transparent) {
! sprintf(ebuf,"Trying %.100s port %d...",namp,port);
! if(say(0,ebuf))
! return(1);
! }
} else
syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]);
***************
*** 991,998 ****
syslog(LLEV,"connected host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]);
strncpy(dest,av[1], 511);
! sprintf(buf, "Connected to %.512s.", dest);
! say(0, buf);
return(2);
}
--- 1025,1034 ----
syslog(LLEV,"connected host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]);
strncpy(dest,av[1], 511);
! if (!do_transparent) {
! sprintf(buf, "Connected to %.512s.", dest);
! say(0, buf);
! }
return(2);
}
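Review bot: getdsthost() in the lib/hnam.c hunk never hands a destination back safely: on FreeBSD the address is formatted into `buf` and then control falls through the `#endif` to the unconditional `return(NULL)`, so transparent mode can never engage on the platform this file targets, while the Linux branch returns `buf`, a stack array, to callers that go on to strncpy from it. The FreeBSD block also leaks `natfd` when the SIOCGNATL ioctl fails, and `natfd` is not declared anywhere in the function (presumably a file-scope int elsewhere in hnam.c, together with the <fcntl.h>/<sys/ioctl.h> includes open() and ioctl() need — verify, the hunk shows neither). The Linux branch has its own problems worth a second look: it queries fd 0 instead of `fd`, `bzero(&sin, &sl)` passes a pointer where a length is expected, and `sizeof(hp->h_addr_list[i++])` advances `i` twice per iteration and copies a pointer's size rather than `hp->h_length`. Making `buf` static (the same convention maphostname() above uses with inet_ntoa) and returning it from the FreeBSD block is the minimal fix; the rewritten lines are below.
```c
char *getdsthost(fd, ptr)
int fd;
int *ptr;
{
	static char buf[255];	/* handed back to the caller, so it must outlive this call */
	char hostbuf[255];
	/* … unchanged: remaining declarations and the linux block … */
#ifdef __FreeBSD__
	/* … unchanged: getsockname/getpeername and natlookup setup … */
	if ((natfd = open("/dev/ipl", O_RDONLY)) < 0)
		return NULL;
	if (ioctl(natfd, SIOCGNATL, &natlookup) == (-1)) {
		close(natfd);	/* do not leak the descriptor on a failed lookup */
		return NULL;
	}
	close(natfd);
	if (ptr)
		*ptr = ntohs(natlookup.nl_inport);
	sprintf(buf, "%s", inet_ntoa(natlookup.nl_inip));
	return(buf);
#endif
	/* No transparent proxy support */
	return(NULL);
}
```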


@ -1,8 +1,8 @@
*** /sys/conf/files.orig Sat May 24 14:05:28 1997
--- /sys/conf/files Sat May 24 14:06:44 1997
*** files.orig Tue Sep 9 16:58:40 1997
--- files Sat Apr 4 10:52:58 1998
***************
*** 217,222 ****
--- 217,230 ----
*** 222,227 ****
--- 222,236 ----
netinet/tcp_timer.c optional inet
netinet/tcp_usrreq.c optional inet
netinet/udp_usrreq.c optional inet
@ -17,4 +17,4 @@
+ netinet/ip_log.c optional ipfilter inet
netipx/ipx.c optional ipx
netipx/ipx_cksum.c optional ipx
netipx/ipx_error.c optional ipx
netipx/ipx_input.c optional ipx


@ -5,6 +5,62 @@
# Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the
# loan of a machine to work on a Solaris 2.x port of this software.
#
# Thanks to BSDI for providing object files for BSD/OS 3.1 and the means
# to further support development of IP Filter under BSDI.
#
# Thanks also to all those who have contributed patches and other code,
# and especially those who have found the time to port IP Filter to new
# platforms.
3.2.7 24/05/98 - Released
u_long -> u_32_t conversions
patches from Bernd Ernesti for NetBSD
fixup ipmon to actually handle HUP's.
Linux fixes from Michael H. Warfield (mhw@wittsend.com)
update for keep state patch (not security related) - Guido
dumphex() uses stdout rather than log
3.2.6 18/05/98 - Released
fix potential security loop hole in keep state code.
update examples.
3.2.5 09/05/98 - Released
BSD/OS 3.1 .o files added for the kernel.
fix sequence # skew vs window size check.
fix minimum ICMP header size check.
remove references to Cybersource.
fix my email address.
remove ntohl in ipnat - Thomas Tornblom
3.2.4 09/04/98 - Released
add script to make devices for /dev on BSD boxes
fixup building into the kernel for FreeBSD 2.2.5
add -D command line option to ipmon to make it a daemon and SIGHUP causes
it to close and reopen the logfile
fixup make clean and make package for SunOS5 - Marc Boucher
postinstall keeps adding "minor=ipf ipl" - George Ross <gdmr@dcs.ed.ac.uk>
protected by IP Filter gif - Sergey Solyanik <solik@atom.ru>
3.2.3 10/11/97 - Released
fix some iplang bugs


@ -42,5 +42,5 @@ If you have BOTH GNU make and the normal make shipped with your system,
DO NOT use the GNU make to build this package.
Darren
darrenr@cyber.com.au
darrenr@pobox.com
****************************************


@ -44,6 +44,7 @@ To build a kernel with the IP filter, follow these steps:
mknod /dev/ipl c 79 0
mknod /dev/ipnat c 79 1
mknod /dev/ipstate c 79 2
mknod /dev/ipauth c 79 3
5b) For versions prior to FreeBSD 2.2:
create devices for IP Filter as follows (assuming it was
@ -51,8 +52,9 @@ To build a kernel with the IP filter, follow these steps:
mknod /dev/ipl c 20 0
mknod /dev/ipnat c 20 1
mknod /dev/ipstate c 20 2
mknod /dev/ipauth c 20 3
6. install and reboot with the new kernel
Darren Reed
darrenr@cyber.com.au
darrenr@pobox.com


@ -41,8 +41,9 @@ To build a kernel with the IP filter, follow these steps:
mknod /dev/ipl c 20 0
mknod /dev/ipnat c 20 1
mknod /dev/ipstate c 20 2
mknod /dev/ipauth c 20 3
6. install and reboot with the new kernel
Darren Reed
darrenr@cyber.com.au
darrenr@pobox.com


@ -19,11 +19,12 @@ The first step is to make the IP Filter binaries. Do this with a
"make linux" from the ip_fil3.2.x directory. If this completes with
no errors, install IP Filter with a "make install-linux".
Now that the user part of it is complete, it is time to work on the
kernel. To start this off, run "Linux/kinstall". This will patch your
kernel source code and configuration files so you can enabled IP Filter.
You must now go to /usr/src/linux and configure your kernel using one of
the available interfaces to enable IP Filter. IP Filter will be presented
Now that the user part of it is complete, it is time to work on the kernel.
To start this off, run "Linux/minstall". This will configure the devices
you will need for the IP Filter. Then run "Linux/kinstall". This will
patch your kernel source code and configuration files so you can enabled IP
Filter. You must now go to /usr/src/linux and configure your kernel using one
of the available interfaces to enable IP Filter. IP Filter will be presented
as a three way choice "y/m/n" - select "m" to enable it. Save your kernel
configuration file, rebuild, install and reboot with the new kernel.


@ -41,8 +41,14 @@ To build a kernel with the IP filter, follow these steps:
4. build a new kernel
5. create /dev/ipl with "mknod /dev/ipl c 59 0".
(for NetBSD-1.2, use "mknod /dev/ipl c 49 0")
5. Create device files. For NetBSD-1.2 (or later), use 49 as the
major number. For NetBSD-1.1 or earlier, use 59. Run these
commands as root, substituting <major> for the appropriate number:
mknod /dev/ipl c <major> 0
mknod /dev/ipnat c <major> 1
mknod /dev/ipstate c <major> 2
mknod /dev/ipauth c <major> 3
** NOTE: both the numbers 49 and 59 should be substituted with
whatever number you inserted it into conf.c as.
@ -50,4 +56,4 @@ To build a kernel with the IP filter, follow these steps:
6. install and reboot with the new kernel
Darren Reed
darrenr@cyber.com.au
darrenr@pobox.com


@ -24,4 +24,4 @@ called "ipf.conf" using touch. The rc scripts have been written to look
for the configuration file here, using the installed binaries in /sbin.
Darren Reed
darrenr@cyber.com.au
darrenr@pobox.com


@ -28,9 +28,13 @@ To install as part of a SunOS 4.1.x kernel:
NOTE: This script sets up /dev/ipl as char. device 59,0
in /sys/sun/conf.c
3. Do "mknod /dev/ipl c 59 0" as root.
3. Run the following commands as root:
mknod /dev/ipl c 59 0
mknod /dev/ipnat c 59 1
mknod /dev/ipstate c 59 2
mknod /dev/ipauth c 59 3
4. Reboot using the new kernel
Darren Reed
darrenr@cyber.com.au
darrenr@pobox.com


@ -31,9 +31,14 @@ To build a kernel with the IP filter, follow these steps:
4. build a new kernel
5. create /dev/ipl with "mknod /dev/ipl c 59 0".
5. create devices for IP Filter as follows (assuming it was
installed into the device table as char dev 20):
mknod /dev/ipl c 20 0
mknod /dev/ipnat c 20 1
mknod /dev/ipstate c 20 2
mknod /dev/ipauth c 20 3
6. install and reboot with the new kernel
Darren
darrenr@cyber.com.au
darrenr@pobox.com


@ -5,7 +5,7 @@
# provided that this notice is preserved and due credit is given
# to the original author and the contributors.
#
# $Id: Makefile,v 2.0.2.26.2.5 1997/11/27 09:32:38 darrenr Exp $
# $Id: Makefile,v 2.0.2.26.2.10 1998/05/23 05:01:23 darrenr Exp $
#
BINDEST=/usr/local/bin
SBINDEST=/sbin
@ -88,7 +88,11 @@ freebsd22 freebsd30: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
-rm -f BSD/$(CPUDIR)/ioconf.h
@if [ -n $(IPFILKERN) ] ; then \
if [ -f /sys/$(IPFILKERN)/compile/ioconf.h ] ; then \
ln -s /sys/$(IPFILKERN)/compile/ioconf.h BSD/$(CPUDIR); \
else \
ln -s /sys/$(IPFILKERN)/ioconf.h BSD/$(CPUDIR); \
fi \
elif [ ! -f `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`/ioconf.h ] ; then \
echo -n "Can't find ioconf.h in "; \
echo `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`; \
@ -100,41 +104,41 @@ freebsd22 freebsd30: include
netbsd: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
(cd BSD/$(CPUDIR); make build "TOP=../.." $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c"; cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..)
(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c"; cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
openbsd openbsd21: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
(cd BSD/$(CPUDIR); make build "TOP=../.." $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c"; cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..)
(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c"; cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
freebsd freebsd20 freebsd21: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
(cd BSD/$(CPUDIR); make build "TOP=../.." $(MFLAGS) "ML=mlf_ipl.c"; cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..)
(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlf_ipl.c"; cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
bsd: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
(cd BSD/$(CPUDIR); make build "TOP=../.." $(MFLAGS); cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..)
(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS); cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
bsdi bsdos: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
(cd BSD/$(CPUDIR); make build "CC=$(CC)" "TOP=../.." $(MFLAGS) LKM= ; cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend "CC=$(CC)" "TOP=../.." $(MFLAGS); cd ..)
(cd BSD/$(CPUDIR); make build "CC=$(CC)" TOP=../.. $(MFLAGS) LKM= ; cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend "CC=$(CC)" TOP=../.. $(MFLAGS); cd ..)
irix IRIX: include
make setup "TARGOS=IRIX" "CPUDIR=$(CPUDIR)"
(cd IRIX/$(CPUDIR); smake build "TOP=../.." $(MFLAGS); cd ..)
(cd IRIX/$(CPUDIR); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..)
(cd IRIX/$(CPUDIR); smake build TOP=../.. $(MFLAGS); cd ..)
(cd IRIX/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
linux: include
make setup "TARGOS=Linux" "CPUDIR=$(CPUDIR)"
./buildlinux
linuxrev:
(cd Linux/$(CPUDIR); make build "TOP=../.." $(MFLAGS) LKM= ; cd ..)
(cd Linux/$(CPUDIR); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..)
(cd Linux/$(CPUDIR); make build TOP=../.. $(MFLAGS) LKM= ; cd ..)
(cd Linux/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
setup:
-if [ ! -d $(TARGOS)/$(CPUDIR) ] ; then mkdir $(TARGOS)/$(CPUDIR); fi
@ -146,8 +150,8 @@ clean:
${RM} -rf netinet
${RM} -f core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl \
vnode_if.h $(LKM)
(cd SunOS4; make clean)
(cd SunOS5; make clean)
if [ "`uname -s`" = "SunOS" ]; then (cd SunOS4; make clean); fi
if [ "`uname -s`" = "SunOS" ]; then (cd SunOS5; make clean); fi
(cd BSD; make clean)
(cd Linux; make clean)
if [ "`uname -s`" = "IRIX" ]; then (cd IRIX; make clean); fi
@ -187,12 +191,16 @@ sunos4 solaris1:
(cd SunOS4; make -f Makefile.ipsend "CC=$(CC)" TOP=.. $(MFLAGS); cd ..)
sunos5 solaris2:
(cd SunOS5/$(CPU); make build TOP=../.. "CC=$(CC)" $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Dsparc -D__sparc__"; cd ..)
(cd SunOS5/$(CPU); make -f Makefile.ipsend TOP=../.. "CC=$(CC)" $(MFLAGS); cd ..)
(cd SunOS5/$(CPUDIR); make build TOP=../.. "CC=$(CC)" $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Dsparc -D__sparc__"; cd ..)
(cd SunOS5/$(CPUDIR); make -f Makefile.ipsend TOP=../.. "CC=$(CC)" $(MFLAGS); cd ..)
sunos5x86 solaris2x86:
(cd SunOS5/$(CPU); make build TOP=../.. "CC=$(CC)" $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Di86pc -Di386 -D__i386__"; cd ..)
(cd SunOS5/$(CPU); make -f Makefile.ipsend TOP=../.. "CC=$(CC)" $(MFLAGS); cd ..)
(cd SunOS5/$(CPUDIR); make build TOP=../.. "CC=$(CC)" $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Di86pc -Di386 -D__i386__"; cd ..)
(cd SunOS5/$(CPUDIR); make -f Makefile.ipsend TOP=../.. "CC=$(CC)" $(MFLAGS); cd ..)
install-linux:
(cd Linux/$(CPUDIR); make install "TOP=../.." $(MFLAGS); cd ..)
(cd Linux/$(CPUDIR); make -f Makefile.ipsend INSTALL=$(INSTALL) install "TOP=../.." $(MFLAGS); cd ..)
install-bsd:
(cd BSD/$(CPUDIR); make install "TOP=../.." $(MFLAGS); cd ..)
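Review bot: The new ioconf.h lookup in the freebsd22/freebsd30 target runs behind `@if [ -n $(IPFILKERN) ]`, and with IPFILKERN unset that expands to `[ -n ]`, which is true, so the added else branch silently links `/sys//ioconf.h` into BSD/$(CPUDIR) as a dangling symlink instead of falling through to the existing "Can't find ioconf.h" diagnostic. The guard line itself predates this hunk, but the new `if [ -f ... ] ... else ln -s ... fi` block is what now runs on that path. Quote the variable so the test actually distinguishes the two cases: `@if [ -n "$(IPFILKERN)" ] ; then \`.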


@ -46,7 +46,7 @@ Bugs/Problems
-------------
If you have a problem with IP Filter on your operating system, please email
a copy of the file "BugReport" with the details of your setup as required
and email to darrenr@cyber.com.au.
and email to darrenr@pobox.com.
Some general notes.
-------------------
@ -95,4 +95,4 @@ BNF
- BNF rule set for the filter rules
Darren Reed
darrenr@cyber.com.au
darrenr@pobox.com

contrib/ipfilter/Y2K Normal file

@ -0,0 +1,3 @@
IP Filter is Year 2000 (Y2K) Compliant.
Darren


@ -1,23 +1,24 @@
#! /bin/sh
# $Id: buildsunos,v 2.0.2.4 1997/05/24 07:32:46 darrenr Exp $
# $Id: buildsunos,v 2.0.2.4.2.1 1998/05/21 14:46:04 darrenr Exp $
:
rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'`
cpu=`uname -m`
cpudir=${cpu}-`uname -r`
if [ $rev = 5 ] ; then
solrev=`uname -r | sh -c 'IFS=. read j n x; echo $n'`
mkdir -p SunOS5/${cpu}
/bin/rm -f SunOS5/${cpu}/Makefile
/bin/rm -f SunOS5/${cpu}/Makefile.ipsend
ln -s ../Makefile SunOS5/${cpu}/Makefile
ln -s ../Makefile.ipsend SunOS5/${cpu}/Makefile.ipsend
mkdir -p SunOS5/${cpudir}
/bin/rm -f SunOS5/${cpudir}/Makefile
/bin/rm -f SunOS5/${cpudir}/Makefile.ipsend
ln -s ../Makefile SunOS5/${cpudir}/Makefile
ln -s ../Makefile.ipsend SunOS5/${cpudir}/Makefile.ipsend
fi
if [ $cpu = i86pc ] ; then
make ${1+"$@"} sunos5x86 SOLARIS2="-DSOLARIS2=$solrev" CPU=${cpu}
make ${1+"$@"} sunos5x86 SOLARIS2="-DSOLARIS2=$solrev" CPU=${cpu} CPUDIR=${cpudir}
exit $?
fi
if [ x$solrev = x ] ; then
make ${1+"$@"} sunos$rev "ARCH=`uname -m`"
exit $?
fi
make ${1+"$@"} sunos$rev SOLARIS2="-DSOLARIS2=$solrev" CPU=${cpu}
make ${1+"$@"} sunos$rev SOLARIS2="-DSOLARIS2=$solrev" CPU=${cpu} CPUDIR=${cpudir}
exit $?


@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed";
static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.9 1997/12/02 13:56:06 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.14 1998/05/23 19:20:30 darrenr Exp $";
#endif
#include <sys/errno.h>
@ -21,6 +21,7 @@ static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.9 1997/12/02 13:56:06 d
#else
# include <stdio.h>
# include <string.h>
# include <stdlib.h>
#endif
#include <sys/uio.h>
#if !defined(__SVR4) && !defined(__svr4__)
@ -194,6 +195,7 @@ fr_info_t *fin;
{
struct optlist *op;
tcphdr_t *tcp;
icmphdr_t *icmp;
fr_ip_t *fi = &fin->fin_fi;
u_short optmsk = 0, secmsk = 0, auth = 0;
int i, mv, ol, off;
@ -214,6 +216,7 @@ fr_info_t *fin;
fin->fin_hlen = hlen;
fin->fin_dlen = ip->ip_len - hlen;
tcp = (tcphdr_t *)((char *)ip + hlen);
icmp = (icmphdr_t *)tcp;
fin->fin_dp = (void *)tcp;
(*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4));
(*(((u_32_t *)fi) + 1)) = (*(((u_32_t *)ip) + 3));
@ -226,12 +229,20 @@ fr_info_t *fin;
switch (ip->ip_p)
{
case IPPROTO_ICMP :
if ((!IPMINLEN(ip, icmp) && !off) ||
{
int minicmpsz = sizeof(struct icmp);
if (!off && ip->ip_len > ICMP_MINLEN + hlen &&
(icmp->icmp_type == ICMP_ECHOREPLY ||
icmp->icmp_type == ICMP_UNREACH))
minicmpsz = ICMP_MINLEN;
if ((!(ip->ip_len >= hlen + minicmpsz) && !off) ||
(off && off < sizeof(struct icmp)))
fi->fi_fl |= FI_SHORT;
if (fin->fin_dlen > 1)
fin->fin_data[0] = *(u_short *)tcp;
break;
}
case IPPROTO_TCP :
fi->fi_fl |= FI_TCPUDP;
if ((!IPMINLEN(ip, tcphdr) && !off) ||
@ -418,7 +429,7 @@ void *m;
off = ip->ip_off & 0x1fff;
pass |= (fi->fi_fl << 24);
if ((fi->fi_fl & FI_TCPUDP) && (fin->fin_dlen > 3) && !off)
if ((fi->fi_fl & FI_TCPUDP) && (fin->fin_dlen > 3) && !off)
portcmp = 1;
for (rulen = 0; fr; fr = fr->fr_next, rulen++) {
@ -475,24 +486,22 @@ void *m;
* If a fragment, then only the first has what we're looking
* for here...
*/
if (!portcmp && (fr->fr_dcmp || fr->fr_scmp || fr->fr_tcpf ||
fr->fr_tcpfm))
continue;
if (fi->fi_fl & FI_TCPUDP) {
if (portcmp) {
if (!fr_tcpudpchk(fr, fin))
continue;
} else if (fr->fr_dcmp || fr->fr_scmp || fr->fr_tcpf ||
fr->fr_tcpfm)
if (!fr_tcpudpchk(fr, fin))
continue;
} else if (fi->fi_p == IPPROTO_ICMP) {
if (!off && (fin->fin_dlen > 1)) {
if ((fin->fin_data[0] & fr->fr_icmpm) !=
fr->fr_icmp) {
FR_DEBUG(("i. %#x & %#x != %#x\n",
fin->fin_data[0],
fr->fr_icmpm, fr->fr_icmp));
continue;
}
} else if (fr->fr_icmpm || fr->fr_icmp)
} else if (fr->fr_icmpm || fr->fr_icmp) {
if ((fi->fi_p != IPPROTO_ICMP) || off ||
(fin->fin_dlen < 2))
continue;
if ((fin->fin_data[0] & fr->fr_icmpm) != fr->fr_icmp) {
FR_DEBUG(("i. %#x & %#x != %#x\n",
fin->fin_data[0], fr->fr_icmpm,
fr->fr_icmp));
continue;
}
}
FR_VERBOSE(("*"));
/*
@ -571,6 +580,15 @@ int out;
# endif
int up;
#ifdef M_CANFASTFWD
/*
* XXX For now, IP Filter and fast-forwarding of cached flows
* XXX are mutually exclusive. Eventually, IP Filter should
* XXX get a "can-fast-forward" filter rule.
*/
m->m_flags &= ~M_CANFASTFWD;
#endif /* M_CANFASTFWD */
if ((ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP ||
ip->ip_p == IPPROTO_ICMP)) {
int plen = 0;
@ -887,7 +905,7 @@ u_short ipf_cksum(addr, len)
register u_short *addr;
register int len;
{
register u_long sum = 0;
register u_32_t sum = 0;
for (sum = 0; len > 1; len -= 2)
sum += *addr++;
@ -920,7 +938,7 @@ int len;
u_char c[2];
u_short s;
} bytes;
u_long sum;
u_32_t sum;
u_short *sp;
# if SOLARIS || defined(__sgi)
int add, hlen;
@ -1019,7 +1037,7 @@ int len;
#endif /* SOLARIS */
if (len < 2)
break;
if((u_long)sp & 1) {
if((u_32_t)sp & 1) {
bcopy((char *)sp++, (char *)&bytes.s, sizeof(bytes.s));
sum += bytes.s;
} else
@ -1073,7 +1091,7 @@ int len;
* SUCH DAMAGE.
*
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
* $Id: fil.c,v 2.0.2.41.2.9 1997/12/02 13:56:06 darrenr Exp $
* $Id: fil.c,v 2.0.2.41.2.14 1998/05/23 19:20:30 darrenr Exp $
*/
/*
* Copy data from an mbuf chain starting "off" bytes from the beginning,


@ -6,7 +6,7 @@
* to the original author and the contributors.
*/
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.0.2.21.2.2 1997/11/12 10:45:51 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.0.2.21.2.3 1998/04/08 13:43:29 darrenr Exp $";
#endif
#if !defined(_KERNEL) && !defined(KERNEL)
@ -86,6 +86,9 @@ extern struct ifqueue ipintrq; /* ip packet input queue */
#include "netinet/ip_auth.h"
#if !SOLARIS && !defined(linux)
# include <net/netisr.h>
# ifdef __FreeBSD__
# include <machine/cpufunc.h>
# endif
#endif


@ -6,7 +6,7 @@
* to the original author and the contributors.
*
* @(#)ip_compat.h 1.8 1/14/96
* $Id: ip_compat.h,v 2.0.2.31.2.8 1997/12/02 13:42:52 darrenr Exp $
* $Id: ip_compat.h,v 2.0.2.31.2.11 1998/05/23 14:29:36 darrenr Exp $
*/
#ifndef __IP_COMPAT_H__
@ -123,7 +123,7 @@ typedef unsigned int u_32_t;
# else
typedef unsigned long u_32_t;
# endif
#endif /* __NetBSD__ || __OpenBSD__ || __FreeBSD__ */
#endif /* __NetBSD__ || __OpenBSD__ || __FreeBSD__ || __sgi */
#ifndef MAX
#define MAX(a,b) (((a) > (b)) ? (a) : (b))
@ -369,6 +369,9 @@ typedef struct mbuf mb_t;
* not be in other places or maybe one day linux will grow up and some
* of these will turn up there too.
*/
#ifndef ICMP_MINLEN
# define ICMP_MINLEN 8
#endif
#ifndef ICMP_UNREACH
# define ICMP_UNREACH ICMP_DEST_UNREACH
#endif
@ -680,6 +683,12 @@ typedef struct uio {
# undef UINT_MAX
# undef LONG_MAX
# undef ULONG_MAX
# define s8 __s8
# define u8 __u8
# define s16 __s16
# define u16 __u16
# define s32 __s32
# define u32 __u32
# include <linux/netdevice.h>
# undef __KERNEL__
# endif
@ -714,4 +723,5 @@ struct ether_addr {
#ifndef ICMP_ROUTERSOLICIT
# define ICMP_ROUTERSOLICIT 10
#endif
#endif /* __IP_COMPAT_H__ */
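Review bot: The `s8` … `u32` macros defined just before `# include <linux/netdevice.h>` stay defined for the rest of every translation unit that includes ip_compat.h, so any later identifier spelled `u8`, `u16` or `u32` in ipfilter's own code is silently rewritten to the `__u8`-style kernel names. Unless they are undefined further down (outside this hunk), add matching `# undef s8` … `# undef u32` lines right after the include, beside the existing `# undef __KERNEL__`, so the renaming is scoped to the kernel header that needs it. A one-line comment above the defines, `/* linux kernel headers expect these short names; undone after the include */`, would make the pairing obvious.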


@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.5 1997/11/24 10:02:02 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.7 1998/05/03 10:55:49 darrenr Exp $";
#endif
#ifndef SOLARIS
@ -164,7 +164,7 @@ struct devsw iplsw = {
};
#endif /* _BSDI_VERSION >= 199510 && _KERNEL */
#if defined(__NetBSD__) || defined(__OpenBSD__)
#if defined(__NetBSD__) || defined(__OpenBSD__) || (_BSDI_VERSION >= 199701)
# include <sys/conf.h>
# if defined(NETBSD_PF)
# include <net/pfil.h>
@ -933,7 +933,8 @@ frdest_t *fdp;
if (ro->ro_rt->rt_flags & RTF_GATEWAY)
dst = (struct sockaddr_in *)&ro->ro_rt->rt_gateway;
}
ro->ro_rt->rt_use++;
if (ro->ro_rt)
ro->ro_rt->rt_use++;
/*
* For input packets which are being "fastrouted", they won't
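Review bot: The NULL guard added at `if (ro->ro_rt)` comes after `ro->ro_rt->rt_flags` has already been dereferenced two lines earlier in the same hunk, so unless the block that closes just before it is itself conditioned on the route being present (its opening is outside the hunk), the check is too late to prevent the dereference. If that preceding block is already guarded, a one-line comment on the new check, `/* ro_rt can be NULL here; the gateway branch above is reached only when it is set */`, would stop the next reader from treating the guard as redundant and removing it. The enclosing function starts outside the hunk.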


@ -6,7 +6,7 @@
* to the original author and the contributors.
*
* @(#)ip_fil.h 1.35 6/5/96
* $Id: ip_fil.h,v 2.0.2.39.2.10 1997/12/03 10:02:30 darrenr Exp $
* $Id: ip_fil.h,v 2.0.2.39.2.11 1998/05/23 14:29:37 darrenr Exp $
*/
#ifndef __IP_FIL_H__
@ -518,4 +518,5 @@ extern int iplused[IPL_LOGMAX + 1];
extern struct frentry *ipfilter[2][2], *ipacct[2][2];
extern struct frgroup *ipfgroups[3][2];
extern struct filterstats frstats[];
#endif /* __IP_FIL_H__ */


@ -6,7 +6,7 @@
* to the original author and the contributors.
*
* @(#)ip_frag.h 1.5 3/24/96
* $Id: ip_frag.h,v 2.0.2.12 1997/10/23 14:56:01 darrenr Exp $
* $Id: ip_frag.h,v 2.0.2.12.2.1 1998/05/23 14:29:39 darrenr Exp $
*/
#ifndef __IP_FRAG_H__
@ -55,4 +55,5 @@ extern void ipfr_slowtimer __P((void));
#else
extern int ipfr_slowtimer __P((void));
#endif
#endif /* __IP_FIL_H__ */
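Review bot: The closing-guard comment added to ip_frag.h names the wrong macro: the file opens with `#ifndef __IP_FRAG_H__` but the new trailer reads `#endif /* __IP_FIL_H__ */`, which looks copied from ip_fil.h. It should be `#endif /* __IP_FRAG_H__ */` so the comment can be trusted when checking include-guard pairing.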


@ -54,18 +54,18 @@ tcphdr_t *tcp;
ap_session_t *aps;
nat_t *nat;
{
u_long sum1, sum2;
u_32_t sum1, sum2;
short sel;
if (tcp->th_sport == aps->aps_dport) {
sum2 = (u_long)ntohl(tcp->th_ack);
sum2 = (u_32_t)ntohl(tcp->th_ack);
sel = aps->aps_sel;
if ((aps->aps_after[!sel] > aps->aps_after[sel]) &&
(sum2 > aps->aps_after[!sel])) {
sel = aps->aps_sel = !sel; /* switch to other set */
}
if (aps->aps_seqoff[sel] && (sum2 > aps->aps_after[sel])) {
sum1 = (u_long)aps->aps_seqoff[sel];
sum1 = (u_32_t)aps->aps_seqoff[sel];
tcp->th_ack = htonl(sum2 - sum1);
return 2;
}
@ -110,7 +110,7 @@ tcphdr_t *tcp;
ap_session_t *aps;
nat_t *nat;
{
register u_long sum1, sum2;
register u_32_t sum1, sum2;
char newbuf[IPF_MAXPORTLEN+1];
char portbuf[IPF_MAXPORTLEN+1], *s;
int ch = 0, off = (ip->ip_hl << 2) + (tcp->th_off << 2);
@ -243,17 +243,17 @@ nat_t *nat;
adjust_seqack:
if (tcp->th_dport == aps->aps_dport) {
sum2 = (u_long)ntohl(tcp->th_seq);
sum2 = (u_32_t)ntohl(tcp->th_seq);
off = aps->aps_sel;
if ((aps->aps_after[!off] > aps->aps_after[off]) &&
(sum2 > aps->aps_after[!off])) {
off = aps->aps_sel = !off; /* switch to other set */
}
if (aps->aps_seqoff[off]) {
sum1 = (u_long)aps->aps_after[off] -
sum1 = (u_32_t)aps->aps_after[off] -
aps->aps_seqoff[off];
if (sum2 > sum1) {
sum1 = (u_long)aps->aps_seqoff[off];
sum1 = (u_32_t)aps->aps_seqoff[off];
sum2 += sum1;
tcp->th_seq = htonl(sum2);
ch = 1;


@ -9,7 +9,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.7 1997/12/02 13:54:27 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.10 1998/05/23 19:05:29 darrenr Exp $";
#endif
#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
@ -130,10 +130,10 @@ static int nat_ifpaddr __P((nat_t *, void *, struct in_addr *));
void fix_outcksum(sp, n)
u_short *sp;
u_long n;
u_32_t n;
{
register u_short sumshort;
register u_long sum1;
register u_32_t sum1;
if (!n)
return;
@ -149,10 +149,10 @@ u_long n;
void fix_incksum(sp, n)
u_short *sp;
u_long n;
u_32_t n;
{
register u_short sumshort;
register u_long sum1;
register u_32_t sum1;
if (!n)
return;
@ -456,7 +456,7 @@ struct in_addr *inp;
struct in_addr in;
#if SOLARIS
in.s_addr = ill->ill_ipif->ipif_local_addr;
in.s_addr = ntohl(ill->ill_ipif->ipif_local_addr);
#else /* SOLARIS */
# if linux
;
@ -521,7 +521,7 @@ fr_info_t *fin;
u_short flags;
int direction;
{
register u_long sum1, sum2, sumd, l;
register u_32_t sum1, sum2, sumd, l;
u_short port = 0, sport = 0, dport = 0, nport = 0;
struct in_addr in;
tcphdr_t *tcp = NULL;
@ -779,7 +779,7 @@ int *nflags;
*/
if (flags & IPN_TCPUDP) {
tcphdr_t *tcp = (tcphdr_t *)(oip + 1);
u_long sum1, sum2, sumd;
u_32_t sum1, sum2, sumd;
struct in_addr in;
if (nat->nat_dir == NAT_OUTBOUND) {
@ -964,7 +964,7 @@ int hlen;
fr_info_t *fin;
{
register ipnat_t *np;
register u_long ipa;
register u_32_t ipa;
tcphdr_t *tcp = NULL;
u_short nflags = 0, sport = 0, dport = 0, *csump = NULL;
struct ifnet *ifp;
@ -1281,7 +1281,7 @@ void *ifp;
#endif
{
register nat_t *nat;
register u_long sum1, sum2, sumd;
register u_32_t sum1, sum2, sumd;
struct in_addr in;
ipnat_t *np;
#if defined(_KERNEL) && !SOLARIS


@ -6,7 +6,7 @@
* to the original author and the contributors.
*
* @(#)ip_nat.h 1.5 2/4/96
* $Id: ip_nat.h,v 2.0.2.23.2.1 1997/11/05 11:08:18 darrenr Exp $
* $Id: ip_nat.h,v 2.0.2.23.2.3 1998/05/23 18:52:44 darrenr Exp $
*/
#ifndef __IP_NAT_H__
@ -44,8 +44,8 @@
typedef struct nat {
u_long nat_age;
int nat_flags;
u_long nat_sumd;
u_long nat_ipsumd;
u_32_t nat_sumd;
u_32_t nat_ipsumd;
void *nat_data;
struct in_addr nat_inip;
struct in_addr nat_outip;
@ -175,6 +175,7 @@ extern int ip_natout __P((ip_t *, int, fr_info_t *));
extern int ip_natin __P((ip_t *, int, fr_info_t *));
extern void ip_natunload __P((void)), ip_natexpire __P((void));
extern void nat_log __P((struct nat *, u_short));
extern void fix_incksum __P((u_short *, u_long));
extern void fix_outcksum __P((u_short *, u_long));
extern void fix_incksum __P((u_short *, u_32_t));
extern void fix_outcksum __P((u_short *, u_32_t));
#endif /* __IP_NAT_H__ */


@ -6,7 +6,7 @@
* to the original author and the contributors.
*/
#if !defined(lint)
static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.0.2.11.2.6 1997/11/28 00:41:25 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.0.2.11.2.7 1998/05/18 11:15:22 darrenr Exp $";
#endif
#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
@ -111,15 +111,37 @@ ipnat_t *nat;
}
static int
ap_matchsrcdst(aps, src, dst, tcp, sport, dport)
ap_session_t *aps;
struct in_addr src, dst;
void *tcp;
u_short sport, dport;
{
if (aps->aps_dst.s_addr == dst.s_addr) {
if ((aps->aps_src.s_addr == src.s_addr) &&
(!tcp || (sport == aps->aps_sport) &&
(dport == aps->aps_dport)))
return 1;
} else if (aps->aps_dst.s_addr == src.s_addr) {
if ((aps->aps_src.s_addr == dst.s_addr) &&
(!tcp || (sport == aps->aps_dport) &&
(dport == aps->aps_sport)))
return 1;
}
return 0;
}
static ap_session_t *ap_find(ip, tcp)
ip_t *ip;
tcphdr_t *tcp;
{
struct in_addr src, dst;
register u_long hv;
register u_short sp, dp;
register ap_session_t *aps;
register u_char p = ip->ip_p;
register ap_session_t *aps;
register u_short sp, dp;
register u_long hv;
struct in_addr src, dst;
src = ip->ip_src, dst = ip->ip_dst;
sp = dp = 0; /* XXX gcc -Wunitialized */
@ -136,14 +158,8 @@ tcphdr_t *tcp;
for (aps = ap_sess_tab[hv]; aps; aps = aps->aps_next)
if ((aps->aps_p == p) &&
IPPAIR(aps->aps_src, aps->aps_dst, src, dst)) {
if (tcp) {
if (PAIRS(aps->aps_sport, aps->aps_dport,
sp, dp))
break;
} else
break;
}
ap_matchsrcdst(aps, src, dst, tcp, sp, dp))
break;
return aps;
}
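Review bot: In ap_matchsrcdst the port test `(!tcp || (sport == aps->aps_sport) && (dport == aps->aps_dport))` mixes `||` and `&&` without parentheses; it evaluates as intended because `&&` binds tighter, but it reads ambiguously and trips -Wparentheses, so write `(!tcp || ((sport == aps->aps_sport) && (dport == aps->aps_dport)))` and the mirrored form in the reversed branch. The same shape is repeated in fr_matchsrcdst in ip_state.c. Since `tcp` is passed as a presence flag rather than used as a header, a comment above the function, `/* match a session in either direction; ports are compared only when tcp != NULL */`, would document that contract for callers.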


@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.4 1997/11/19 11:44:09 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.14 1998/05/24 03:53:04 darrenr Exp $";
#endif
#if !defined(_KERNEL) && !defined(KERNEL) && !defined(__KERNEL__)
@ -85,6 +85,11 @@ ips_stat_t ips_stats;
extern kmutex_t ipf_state;
#endif
static int fr_matchsrcdst __P((ipstate_t *, struct in_addr, struct in_addr,
fr_info_t *, void *, u_short, u_short));
static int fr_state_flush __P((int));
static ips_stat_t *fr_statetstats __P((void));
#define FIVE_DAYS (2 * 5 * 86400) /* 5 days: half closed session */
@ -97,7 +102,7 @@ u_long fr_tcpidletimeout = FIVE_DAYS,
fr_icmptimeout = 120;
ips_stat_t *fr_statetstats()
static ips_stat_t *fr_statetstats()
{
ips_stats.iss_active = ips_num;
ips_stats.iss_table = ips_table;
@ -111,7 +116,7 @@ ips_stat_t *fr_statetstats()
* which == 1 : flush TCP connections which have started to close but are
* stuck for some reason.
*/
int fr_state_flush(which)
static int fr_state_flush(which)
int which;
{
register int i;
@ -134,10 +139,10 @@ int which;
break;
case 1 :
if ((is->is_p == IPPROTO_TCP) &&
((is->is_state[0] <= TCPS_ESTABLISHED) &&
(is->is_state[1] > TCPS_ESTABLISHED)) ||
((is->is_state[1] <= TCPS_ESTABLISHED) &&
(is->is_state[0] > TCPS_ESTABLISHED)))
(((is->is_state[0] <= TCPS_ESTABLISHED) &&
(is->is_state[1] > TCPS_ESTABLISHED)) ||
((is->is_state[1] <= TCPS_ESTABLISHED) &&
(is->is_state[0] > TCPS_ESTABLISHED))))
delete = 1;
break;
}
@ -237,7 +242,7 @@ u_int pass;
switch (ic->icmp_type)
{
case ICMP_ECHO :
is->is_icmp.ics_type = 0;
is->is_icmp.ics_type = ICMP_ECHOREPLY; /* XXX */
hv += (is->is_icmp.ics_id = ic->icmp_id);
hv += (is->is_icmp.ics_seq = ic->icmp_seq);
break;
@ -301,11 +306,33 @@ u_int pass;
bcopy((char *)&ips, (char *)is, sizeof(*is));
hv %= IPSTATE_SIZE;
MUTEX_ENTER(&ipf_state);
is->is_next = ips_table[hv];
ips_table[hv] = is;
is->is_pass = pass;
is->is_pkts = 1;
is->is_bytes = ip->ip_len;
/*
* Copy these from the rule itself.
*/
is->is_opt = fin->fin_fr->fr_ip.fi_optmsk;
is->is_optmsk = fin->fin_fr->fr_mip.fi_optmsk;
is->is_sec = fin->fin_fr->fr_ip.fi_secmsk;
is->is_secmsk = fin->fin_fr->fr_mip.fi_secmsk;
is->is_auth = fin->fin_fr->fr_ip.fi_auth;
is->is_authmsk = fin->fin_fr->fr_mip.fi_auth;
is->is_flags = fin->fin_fr->fr_ip.fi_fl;
is->is_flags |= fin->fin_fr->fr_mip.fi_fl << 4;
/*
* add into table.
*/
is->is_next = ips_table[hv];
ips_table[hv] = is;
if (fin->fin_out) {
is->is_ifpin = NULL;
is->is_ifpout = fin->fin_ifp;
} else {
is->is_ifpin = fin->fin_ifp;
is->is_ifpout = NULL;
}
if (pass & FR_LOGFIRST)
is->is_pass &= ~(FR_LOGFIRST|FR_LOG);
ips_num++;
@ -324,12 +351,11 @@ u_int pass;
* change timeout depending on whether new packet is a SYN-ACK returning for a
* SYN or a RST or FIN which indicate time to close up shop.
*/
int fr_tcpstate(is, fin, ip, tcp, sport)
int fr_tcpstate(is, fin, ip, tcp)
register ipstate_t *is;
fr_info_t *fin;
ip_t *ip;
tcphdr_t *tcp;
u_short sport;
{
register int seqskew, ackskew;
register u_short swin, dwin;
@ -341,7 +367,7 @@ u_short sport;
*/
seq = ntohl(tcp->th_seq);
ack = ntohl(tcp->th_ack);
source = (sport == is->is_sport);
source = (ip->ip_src.s_addr == is->is_src.s_addr);
if (!(tcp->th_flags & TH_ACK)) /* Pretend an ack was sent */
ack = source ? is->is_ack : is->is_seq;
@ -385,7 +411,7 @@ u_short sport;
swin = is->is_dwin;
}
if ((seqskew <= swin) && (ackskew <= dwin)) {
if ((seqskew <= dwin) && (ackskew <= swin)) {
if (source) {
is->is_seq = seq;
is->is_ack = ack;
@ -401,14 +427,81 @@ u_short sport;
/*
* Nearing end of connection, start timeout.
*/
fr_tcp_age(&is->is_age, is->is_state, ip, fin,
tcp->th_sport == is->is_sport);
fr_tcp_age(&is->is_age, is->is_state, ip, fin, source);
return 1;
}
return 0;
}
static int fr_matchsrcdst(is, src, dst, fin, tcp, sp, dp)
ipstate_t *is;
struct in_addr src, dst;
fr_info_t *fin;
void *tcp;
u_short sp, dp;
{
int ret = 0, rev, out;
void *ifp;
rev = (is->is_dst.s_addr != dst.s_addr);
ifp = fin->fin_ifp;
out = fin->fin_out;
if (!rev) {
if (out) {
if (!is->is_ifpout)
is->is_ifpout = ifp;
} else {
if (!is->is_ifpin)
is->is_ifpin = ifp;
}
} else {
if (out) {
if (!is->is_ifpin)
is->is_ifpin = ifp;
} else {
if (!is->is_ifpout)
is->is_ifpout = ifp;
}
}
if (!rev) {
if (((out && is->is_ifpout == ifp) ||
(!out && is->is_ifpin == ifp)) &&
(is->is_dst.s_addr == dst.s_addr) &&
(is->is_src.s_addr == src.s_addr) &&
(!tcp || (sp == is->is_sport) &&
(dp == is->is_dport))) {
ret = 1;
}
} else {
if (((out && is->is_ifpin == ifp) ||
(!out && is->is_ifpout == ifp)) &&
(is->is_dst.s_addr == src.s_addr) &&
(is->is_src.s_addr == dst.s_addr) &&
(!tcp || (sp == is->is_dport) &&
(dp == is->is_sport))) {
ret = 1;
}
}
/*
* Whether or not this should be here, is questionable, but the aim
* is to get this out of the main line.
*/
if (ret) {
if (((fin->fin_fi.fi_optmsk & is->is_optmsk) != is->is_opt) ||
((fin->fin_fi.fi_secmsk & is->is_secmsk) != is->is_sec) ||
((fin->fin_fi.fi_auth & is->is_authmsk) != is->is_auth) ||
((fin->fin_fi.fi_fl & (is->is_flags >> 4)) !=
(is->is_flags & 0xf)))
ret = 0;
}
return ret;
}
/*
* Check if a packet has a registered state.
*/
@ -447,13 +540,8 @@ fr_info_t *fin;
if ((is->is_p == pr) &&
(ic->icmp_id == is->is_icmp.ics_id) &&
(ic->icmp_seq == is->is_icmp.ics_seq) &&
IPPAIR(src, dst, is->is_src, is->is_dst)) {
/*
* If we have type 0 stored, allow any icmp
* replies through.
*/
if (is->is_icmp.ics_type &&
is->is_icmp.ics_type != ic->icmp_type)
fr_matchsrcdst(is, src, dst, fin, NULL, 0, 0)) {
if (is->is_icmp.ics_type != ic->icmp_type)
continue;
is->is_age = fr_icmptimeout;
is->is_pkts++;
@ -473,11 +561,11 @@ fr_info_t *fin;
hv += sport;
hv %= IPSTATE_SIZE;
MUTEX_ENTER(&ipf_state);
for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next) {
for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next)
if ((is->is_p == pr) &&
PAIRS(sport, dport, is->is_sport, is->is_dport) &&
IPPAIR(src, dst, is->is_src, is->is_dst))
if (fr_tcpstate(is, fin, ip, tcp, sport)) {
fr_matchsrcdst(is, src, dst, fin, tcp,
sport, dport)) {
if (fr_tcpstate(is, fin, ip, tcp)) {
pass = is->is_pass;
#ifdef _KERNEL
MUTEX_EXIT(&ipf_state);
@ -491,7 +579,7 @@ fr_info_t *fin;
#endif
return pass;
}
}
}
MUTEX_EXIT(&ipf_state);
break;
}
@ -508,8 +596,8 @@ fr_info_t *fin;
MUTEX_ENTER(&ipf_state);
for (is = ips_table[hv]; is; is = is->is_next)
if ((is->is_p == pr) &&
PAIRS(sport, dport, is->is_sport, is->is_dport) &&
IPPAIR(src, dst, is->is_src, is->is_dst)) {
fr_matchsrcdst(is, src, dst, fin,
tcp, sport, dport)) {
ips_stats.iss_hits++;
is->is_pkts++;
is->is_bytes += ip->ip_len;
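Review bot: fr_matchsrcdst writes `is->is_ifpin` / `is->is_ifpout` before it has decided whether the entry matches: `rev` is derived from the destination address alone, the interface is stamped into whichever slot is still NULL, and only then are source, destination and ports compared. fr_checkstate calls it for every same-protocol entry in the hash bucket, and fr_addstate leaves one of the two slots NULL, so as I read it a packet from an unrelated flow that merely collides in the bucket binds its interface to another flow's state; that flow's reply then fails the `is_ifpin == ifp` test and drops out of the state table, which on a multi-homed filter is both a correctness and an availability problem. The address and port comparison should run first and the learn-then-compare step only on a matching entry; the rewrite below keeps the interface semantics but reorders them. Separately, `(!tcp || (sp == is->is_sport) && (dp == is->is_dport))` should be parenthesised as in the fence.

```c
static int fr_matchsrcdst(is, src, dst, fin, tcp, sp, dp)
/* … unchanged: K&R parameter declarations … */
{
	int ret = 0, rev, out;
	void *ifp, **ifpp;

	rev = (is->is_dst.s_addr != dst.s_addr);
	ifp = fin->fin_ifp;
	out = (fin->fin_out != 0);	/* normalised to 0/1 for the rev/out comparison */
	/*
	 * Compare addresses and ports first so that an entry which merely
	 * shares the hash bucket is never modified.
	 */
	if (!rev) {
		if ((is->is_dst.s_addr == dst.s_addr) &&
		    (is->is_src.s_addr == src.s_addr) &&
		    (!tcp || ((sp == is->is_sport) && (dp == is->is_dport))))
			ret = 1;
	} else {
		if ((is->is_dst.s_addr == src.s_addr) &&
		    (is->is_src.s_addr == dst.s_addr) &&
		    (!tcp || ((sp == is->is_dport) && (dp == is->is_sport))))
			ret = 1;
	}
	/*
	 * Only a matching entry learns the interface it is first seen on
	 * in this direction, and must then keep being seen there.
	 */
	if (ret) {
		ifpp = (rev != out) ? &is->is_ifpout : &is->is_ifpin;
		if (!*ifpp)
			*ifpp = ifp;
		if (*ifpp != ifp)
			ret = 0;
	}
	/* … unchanged: option/security/auth mask comparison and return … */
```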


@ -6,7 +6,7 @@
* to the original author and the contributors.
*
* @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
* $Id: ip_state.h,v 2.0.2.14.2.1 1997/11/06 21:23:15 darrenr Exp $
* $Id: ip_state.h,v 2.0.2.14.2.6 1998/05/24 05:18:04 darrenr Exp $
*/
#ifndef __IP_STATE_H__
#define __IP_STATE_H__
@ -47,10 +47,18 @@ typedef struct ipstate {
u_int is_pass;
U_QUAD_T is_pkts;
U_QUAD_T is_bytes;
void *is_ifpin;
void *is_ifpout;
struct in_addr is_src;
struct in_addr is_dst;
u_char is_p;
u_char is_flags;
u_32_t is_opt;
u_32_t is_optmsk;
u_short is_sec;
u_short is_secmsk;
u_short is_auth;
u_short is_authmsk;
union {
icmpstate_t is_ics;
tcpstate_t is_ts;
@ -120,14 +128,11 @@ extern u_long fr_tcptimeout;
extern u_long fr_tcpclosed;
extern u_long fr_udptimeout;
extern u_long fr_icmptimeout;
extern int fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *,
tcphdr_t *, u_short));
extern ips_stat_t *fr_statetstats __P((void));
extern int fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *, tcphdr_t *));
extern int fr_addstate __P((ip_t *, fr_info_t *, u_int));
extern int fr_checkstate __P((ip_t *, fr_info_t *));
extern void fr_timeoutstate __P((void));
extern void fr_tcp_age __P((u_long *, u_char *, ip_t *, fr_info_t *, int));
extern int fr_state_flush __P((int));
extern void fr_stateunload __P((void));
extern void ipstate_log __P((struct ipstate *, u_short));
#if defined(__NetBSD__) || defined(__OpenBSD__)
@ -135,4 +140,5 @@ extern int fr_state_ioctl __P((caddr_t, u_long, int));
#else
extern int fr_state_ioctl __P((caddr_t, int, int));
#endif
#endif /* __IP_STATE_H__ */
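Review bot: `is_flags` is a `u_char`, but fr_addstate in ip_state.c stores `fi_fl` in it together with the rule's mask shifted left by four, and fr_matchsrcdst compares `fi_fl & (is_flags >> 4)` against `is_flags & 0xf`, so only the low four bits of fi_fl and of its mask survive the packing; any flag bit at position 4 or above is silently ignored by the state match. If four bits is the intended limit, a comment on the field, `u_char is_flags; /* fi_fl in low 4 bits, fi_fl mask << 4; only 4 flag bits fit */`, records it; otherwise widen the field to `u_short` and adjust the shift and mask in ip_state.c. The struct is cut at both ends of this hunk.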


@ -40,7 +40,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipf.c,v 2.0.2.13.2.2 1997/11/06 21:23:36 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipf.c,v 2.0.2.13.2.4 1998/05/23 14:29:44 darrenr Exp $";
#endif
static void frsync __P((void));
@ -204,12 +204,10 @@ char *name, *file;
exit(1);
}
while (getline(line, sizeof(line)-1, fp)) {
while (getline(line, sizeof(line), fp)) {
/*
* treat both CR and LF as EOL
* treat CR as EOL. LF is converted to NUL by getline().
*/
if ((s = index(line, '\n')))
*s = '\0';
if ((s = index(line, '\r')))
*s = '\0';
/*
@ -222,7 +220,7 @@ char *name, *file;
continue;
if (opts & OPT_VERBOSE)
(void)fprintf(stderr, "[%s]\n",line);
(void)fprintf(stderr, "[%s]\n", line);
fr = parse(line);
(void)fflush(stdout);
@ -269,24 +267,34 @@ char *name, *file;
}
}
}
if (ferror(fp) || !feof(fp)) {
fprintf(stderr, "%s: %s: file error or line too long\n",
name, file);
exit(1);
}
(void)fclose(fp);
}
/*
* Similar to fgets(3) but can handle '\\'
* Similar to fgets(3) but can handle '\\' and NL is converted to NUL.
* Returns NULL if error occured, EOF encounterd or input line is too long.
*/
static char *getline(str, size, file)
register char *str;
size_t size;
FILE *file;
{
register char *p;
register int len;
char *p;
int s, len;
do {
for (p = str; ; p += strlen(p) - 1) {
if (!fgets(p, size, file))
return(NULL);
for (p = str, s = size;; p += len, s -= len) {
/*
* if an error occured, EOF was encounterd, or there
* was no room to put NUL, return NULL.
*/
if (fgets(p, s, file) == NULL)
return (NULL);
len = strlen(p);
p[len - 1] = '\0';
if (p[len - 1] != '\\')
@ -294,7 +302,7 @@ FILE *file;
size -= len;
}
} while (*str == '\0' || *str == '\n');
return(str);
return (str);
}
@ -398,7 +406,9 @@ static void swapactive()
static void frsync()
{
if (opendevice(ipfname) != -2 && ioctl(fd, SIOCFRSYN, 0) == -1)
int frsyn = 0;
if (opendevice(ipfname) != -2 && ioctl(fd, SIOCFRSYN, &frsyn) == -1)
perror("SIOCFRSYN");
else
printf("filter sync'd\n");
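Review bot: The rewritten getline relies on fgets() returning NULL once `s` has shrunk to 1 to signal "line too long" (the comment above the call says as much), but ISO C fgets() with n == 1 stores an empty string and returns non-NULL, so `len` becomes 0, `p[len - 1] = '\0'` writes to `p[-1]`, and the truncated line is returned as if complete; the caller's `ferror(fp) || !feof(fp)` test then never reports it. Add `if (s <= 1) return (NULL);` before the fgets() call and `if (len == 0) return (NULL);` after strlen so the long-line path is explicit rather than libc-dependent. `size -= len;` in the second hunk is a leftover of the old loop now that `s` tracks the remaining room and can be dropped. The loop's continuation test lies in the gap between the two hunks.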


@ -43,7 +43,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.0.2.11.2.1 1997/11/12 10:56:11 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.0.2.11.2.3 1998/05/23 19:20:32 darrenr Exp $";
#endif
extern int opts;
@ -62,7 +62,7 @@ struct ipread iptext = { text_open, text_close, text_readip };
static FILE *tfp = NULL;
static int tfd = -1;
static u_long tx_hostnum __P((char *, int *));
static u_32_t tx_hostnum __P((char *, int *));
static u_short tx_portnum __P((char *));
@ -70,7 +70,7 @@ static u_short tx_portnum __P((char *));
* returns an ip address as a long var as a result of either a DNS lookup or
* straight inet_addr() call
*/
static u_long tx_hostnum(host, resolved)
static u_32_t tx_hostnum(host, resolved)
char *host;
int *resolved;
{
@ -89,7 +89,7 @@ int *resolved;
fprintf(stderr, "can't resolve hostname: %s\n", host);
return 0;
}
return np->n_net;
return htonl(np->n_net);
}
return *(u_32_t *)hp->h_addr;
}


@ -11,6 +11,6 @@
#ifndef __IPL_H__
#define __IPL_H__
#define IPL_VERSION "IP Filter v3.2.3"
#define IPL_VERSION "IP Filter v3.2.7"
#endif


@ -1,7 +1,3 @@
%e 1500
%p 4000
%a 4000
%o 6000
%{
/*
* Copyright (C) 1997 by Darren Reed.
@ -10,7 +6,7 @@
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
* $Id: iplang_l.l,v 2.0.2.15.2.2 1997/12/10 09:54:15 darrenr Exp $
* $Id: iplang_l.l,v 2.0.2.15.2.5 1997/12/28 01:32:13 darrenr Exp $
*/
#include <stdio.h>
#include <string.h>
@ -46,134 +42,143 @@ int next_item __P((int));
int save_token __P((void));
void swallow __P((void));
int yylex __P((void));
%}
struct wordtab {
char *word;
int state;
int next;
};
struct wordtab words[] = {
{ "interface", IL_INTERFACE, -1 },
{ "iface", IL_INTERFACE, -1 },
{ "name", IL_IFNAME, IL_TOKEN },
{ "ifname", IL_IFNAME, IL_TOKEN },
{ "router", IL_DEFROUTER, IL_TOKEN },
{ "mtu", IL_MTU, IL_NUMBER },
{ "eaddr", IL_EADDR, IL_TOKEN },
{ "v4addr", IL_V4ADDR, IL_TOKEN },
{ "ipv4", IL_IPV4, -1 },
{ "v", IL_V4V, IL_TOKEN },
{ "proto", IL_V4PROTO, IL_TOKEN },
{ "hl", IL_V4HL, IL_TOKEN },
{ "id", IL_V4ID, IL_TOKEN },
{ "ttl", IL_V4TTL, IL_TOKEN },
{ "tos", IL_V4TOS, IL_TOKEN },
{ "src", IL_V4SRC, IL_TOKEN },
{ "dst", IL_V4DST, IL_TOKEN },
{ "opt", IL_OPT, -1 },
{ "len", IL_LEN, IL_TOKEN },
{ "off", IL_OFF, IL_TOKEN },
{ "sum", IL_SUM, IL_TOKEN },
{ "tcp", IL_TCP, -1 },
{ "sport", IL_SPORT, IL_TOKEN },
{ "dport", IL_DPORT, IL_TOKEN },
{ "seq", IL_TCPSEQ, IL_TOKEN },
{ "ack", IL_TCPACK, IL_TOKEN },
{ "flags", IL_TCPFL, IL_TOKEN },
{ "urp", IL_TCPURP, IL_TOKEN },
{ "win", IL_TCPWIN, IL_TOKEN },
{ "udp", IL_UDP, -1 },
{ "send", IL_SEND, -1 },
{ "via", IL_VIA, IL_TOKEN },
{ "arp", IL_ARP, -1 },
{ "data", IL_DATA, -1 },
{ "value", IL_DVALUE, IL_TOKEN },
{ "file", IL_DFILE, IL_TOKEN },
{ "nop", IL_IPO_NOP, -1 },
{ "eol", IL_IPO_EOL, -1 },
{ "rr", IL_IPO_RR, -1 },
{ "zsu", IL_IPO_ZSU, -1 },
{ "mtup", IL_IPO_MTUP, -1 },
{ "mtur", IL_IPO_MTUR, -1 },
{ "encode", IL_IPO_ENCODE, -1 },
{ "ts", IL_IPO_TS, -1 },
{ "tr", IL_IPO_TR, -1 },
{ "sec", IL_IPO_SEC, -1 },
{ "secclass", IL_IPO_SECCLASS, IL_TOKEN },
{ "lsrr", IL_IPO_LSRR, -1 },
{ "esec", IL_IPO_ESEC, -1 },
{ "cipso", IL_IPO_CIPSO, -1 },
{ "satid", IL_IPO_SATID, -1 },
{ "ssrr", IL_IPO_SSRR, -1 },
{ "addext", IL_IPO_ADDEXT, -1 },
{ "visa", IL_IPO_VISA, -1 },
{ "imitd", IL_IPO_IMITD, -1 },
{ "eip", IL_IPO_EIP, -1 },
{ "finn", IL_IPO_FINN, -1 },
{ "mss", IL_TCPO_MSS, IL_TOKEN },
{ "wscale", IL_TCPO_WSCALE, IL_TOKEN },
{ "reserv-4", IL_IPS_RESERV4, -1 },
{ "topsecret", IL_IPS_TOPSECRET, -1 },
{ "secret", IL_IPS_SECRET, -1 },
{ "reserv-3", IL_IPS_RESERV3, -1 },
{ "confid", IL_IPS_CONFID, -1 },
{ "unclass", IL_IPS_UNCLASS, -1 },
{ "reserv-2", IL_IPS_RESERV2, -1 },
{ "reserv-1", IL_IPS_RESERV1, -1 },
{ "icmp", IL_ICMP, -1 },
{ "type", IL_ICMPTYPE, -1 },
{ "code", IL_ICMPCODE, -1 },
{ "echorep", IL_ICMP_ECHOREPLY, -1 },
{ "unreach", IL_ICMP_UNREACH, -1 },
{ "squench", IL_ICMP_SOURCEQUENCH, -1 },
{ "redir", IL_ICMP_REDIRECT, -1 },
{ "echo", IL_ICMP_ECHO, -1 },
{ "routerad", IL_ICMP_ROUTERADVERT, -1 },
{ "routersol", IL_ICMP_ROUTERSOLICIT, -1 },
{ "timex", IL_ICMP_TIMXCEED, -1 },
{ "paramprob", IL_ICMP_PARAMPROB, -1 },
{ "timest", IL_ICMP_TSTAMP, -1 },
{ "timestrep", IL_ICMP_TSTAMPREPLY, -1 },
{ "inforeq", IL_ICMP_IREQ, -1 },
{ "inforep", IL_ICMP_IREQREPLY, -1 },
{ "maskreq", IL_ICMP_MASKREQ, -1 },
{ "maskrep", IL_ICMP_MASKREPLY, -1 },
{ "net-unr", IL_ICMP_UNREACH_NET, -1 },
{ "host-unr", IL_ICMP_UNREACH_HOST, -1 },
{ "proto-unr", IL_ICMP_UNREACH_PROTOCOL, -1 },
{ "port-unr", IL_ICMP_UNREACH_PORT, -1 },
{ "needfrag", IL_ICMP_UNREACH_NEEDFRAG, -1 },
{ "srcfail", IL_ICMP_UNREACH_SRCFAIL, -1 },
{ "net-unk", IL_ICMP_UNREACH_NET_UNKNOWN, -1 },
{ "host-unk", IL_ICMP_UNREACH_HOST_UNKNOWN, -1 },
{ "isolate", IL_ICMP_UNREACH_ISOLATED, -1 },
{ "net-prohib", IL_ICMP_UNREACH_NET_PROHIB, -1 },
{ "host-prohib", IL_ICMP_UNREACH_HOST_PROHIB, -1 },
{ "net-tos", IL_ICMP_UNREACH_TOSNET, -1 },
{ "host-tos", IL_ICMP_UNREACH_TOSHOST, -1 },
{ "filter-prohib", IL_ICMP_UNREACH_FILTER_PROHIB, -1 },
{ "host-preced", IL_ICMP_UNREACH_HOST_PRECEDENCE, -1 },
{ "cutoff-preced", IL_ICMP_UNREACH_PRECEDENCE_CUTOFF, -1 },
{ "net-redir", IL_ICMP_REDIRECT_NET, -1 },
{ "host-redir", IL_ICMP_REDIRECT_HOST, -1 },
{ "tos-net-redir", IL_ICMP_REDIRECT_TOSNET, -1 },
{ "tos-host-redir", IL_ICMP_REDIRECT_TOSHOST, -1 },
{ "intrans", IL_ICMP_TIMXCEED_INTRANS, -1 },
{ "reass", IL_ICMP_TIMXCEED_REASS, -1 },
{ "optabsent", IL_ICMP_PARAMPROB_OPTABSENT, -1 },
{ "otime", IL_ICMP_OTIME, -1 },
{ "rtime", IL_ICMP_RTIME, -1 },
{ "ttime", IL_ICMP_TTIME, -1 },
{ "icmpseq", IL_ICMP_SEQ, -1 },
{ "icmpid", IL_ICMP_SEQ, -1 },
{ ".", IL_DOT, -1 },
{ NULL, 0, 0 }
};
%}
white [ \t\r]+
%%
[ \t\r] ;
{white} ;
\n { lineNum++; swallow(); }
interface |
iface { return next_state(IL_INTERFACE, -1); }
name |
ifname { return next_state(IL_IFNAME, IL_TOKEN); }
router { return next_state(IL_DEFROUTER, IL_TOKEN); }
mtu { return next_state(IL_MTU, IL_NUMBER); }
eaddr { return next_state(IL_EADDR, IL_TOKEN); }
v4addr { return next_state(IL_V4ADDR, IL_TOKEN); }
ipv4 { return next_state(IL_IPV4, -1); }
v { return next_state(IL_V4V, IL_TOKEN); }
proto { return next_state(IL_V4PROTO, IL_TOKEN); }
hl { return next_state(IL_V4HL, IL_TOKEN); }
id { return next_state(IL_V4ID, IL_TOKEN); }
ttl { return next_state(IL_V4TTL, IL_TOKEN); }
tos { return next_state(IL_V4TOS, IL_TOKEN); }
src { return next_state(IL_V4SRC, IL_TOKEN); }
dst { return next_state(IL_V4DST, IL_TOKEN); }
opt { return next_state(IL_OPT, -1); }
len { return next_state(IL_LEN, IL_TOKEN); }
off { return next_state(IL_OFF, IL_TOKEN); }
sum { return next_state(IL_SUM, IL_TOKEN); }
tcp { return next_state(IL_TCP, -1); }
sport { return next_state(IL_SPORT, IL_TOKEN); }
dport { return next_state(IL_DPORT, IL_TOKEN); }
seq { return next_state(IL_TCPSEQ, IL_TOKEN); }
ack { return next_state(IL_TCPACK, IL_TOKEN); }
flags { return next_state(IL_TCPFL, IL_TOKEN); }
urp { return next_state(IL_TCPURP, IL_TOKEN); }
win { return next_state(IL_TCPWIN, IL_TOKEN); }
udp { return next_state(IL_UDP, -1); }
send { return next_state(IL_SEND, -1); }
via { return next_state(IL_VIA, IL_TOKEN); }
arp { return next_state(IL_ARP, -1); }
data { return next_state(IL_DATA, -1); }
value { return next_state(IL_DVALUE, IL_TOKEN); }
file { return next_state(IL_DFILE, IL_TOKEN); }
nop { return next_state(IL_IPO_NOP, -1); }
eol { return next_state(IL_IPO_EOL, -1); }
rr { return next_state(IL_IPO_RR, -1); }
zsu { return next_state(IL_IPO_ZSU, -1); }
mtup { return next_state(IL_IPO_MTUP, -1); }
mtur { return next_state(IL_IPO_MTUR, -1); }
encode { return next_state(IL_IPO_ENCODE, -1); }
ts { return next_state(IL_IPO_TS, -1); }
tr { return next_state(IL_IPO_TR, -1); }
sec { return next_state(IL_IPO_SEC, -1); }
secclass { return next_state(IL_IPO_SECCLASS, IL_TOKEN); }
lsrr { return next_state(IL_IPO_LSRR, -1); }
esec { return next_state(IL_IPO_ESEC, -1); }
cipso { return next_state(IL_IPO_CIPSO, -1); }
satid { return next_state(IL_IPO_SATID, -1); }
ssrr { return next_state(IL_IPO_SSRR, -1); }
addext { return next_state(IL_IPO_ADDEXT, -1); }
visa { return next_state(IL_IPO_VISA, -1); }
imitd { return next_state(IL_IPO_IMITD, -1); }
eip { return next_state(IL_IPO_EIP, -1); }
finn { return next_state(IL_IPO_FINN, -1); }
mss { return next_state(IL_TCPO_MSS, IL_TOKEN); }
wscale { return next_state(IL_TCPO_MSS, IL_TOKEN); }
reserv-4 { return next_state(IL_IPS_RESERV4, -1); }
topsecret { return next_state(IL_IPS_TOPSECRET, -1); }
secret { return next_state(IL_IPS_SECRET, -1); }
reserv-3 { return next_state(IL_IPS_RESERV3, -1); }
confid { return next_state(IL_IPS_CONFID, -1); }
unclass { return next_state(IL_IPS_UNCLASS, -1); }
reserv-2 { return next_state(IL_IPS_RESERV2, -1); }
reserv-1 { return next_state(IL_IPS_RESERV1, -1); }
icmp { return next_state(IL_ICMP, -1); }
type { return next_state(IL_ICMPTYPE, -1); }
code { return next_state(IL_ICMPCODE, -1); }
echorep { return next_state(IL_ICMP_ECHOREPLY, -1); }
unreach { return next_state(IL_ICMP_UNREACH, -1); }
squench { return next_state(IL_ICMP_SOURCEQUENCH, -1); }
redir { return next_state(IL_ICMP_REDIRECT, -1); }
echo { return next_state(IL_ICMP_ECHO, -1); }
routerad { return next_state(IL_ICMP_ROUTERADVERT, -1); }
routersol { return next_state(IL_ICMP_ROUTERSOLICIT, -1); }
timex { return next_state(IL_ICMP_TIMXCEED, -1); }
paramprob { return next_state(IL_ICMP_PARAMPROB, -1); }
timest { return next_state(IL_ICMP_TSTAMP, -1); }
timestrep { return next_state(IL_ICMP_TSTAMPREPLY, -1); }
inforeq { return next_state(IL_ICMP_IREQ, -1); }
inforep { return next_state(IL_ICMP_IREQREPLY, -1); }
maskreq { return next_state(IL_ICMP_MASKREQ, -1); }
maskrep { return next_state(IL_ICMP_MASKREPLY, -1); }
net-unr { return next_state(IL_ICMP_UNREACH_NET, -1); }
host-unr { return next_state(IL_ICMP_UNREACH_HOST, -1); }
proto-unr { return next_state(IL_ICMP_UNREACH_PROTOCOL, -1); }
port-unr { return next_state(IL_ICMP_UNREACH_PORT, -1); }
needfrag { return next_state(IL_ICMP_UNREACH_NEEDFRAG, -1); }
srcfail { return next_state(IL_ICMP_UNREACH_SRCFAIL, -1); }
net-unk { return next_state(IL_ICMP_UNREACH_NET_UNKNOWN, -1); }
host-unk { return next_state(IL_ICMP_UNREACH_HOST_UNKNOWN, -1); }
isolate { return next_state(IL_ICMP_UNREACH_ISOLATED, -1); }
net-prohib { return next_state(IL_ICMP_UNREACH_NET_PROHIB, -1); }
host-prohib { return next_state(IL_ICMP_UNREACH_HOST_PROHIB, -1); }
net-tos { return next_state(IL_ICMP_UNREACH_TOSNET, -1); }
host-tos { return next_state(IL_ICMP_UNREACH_TOSHOST, -1); }
filter-prohib { return next_state(IL_ICMP_UNREACH_FILTER_PROHIB, -1); }
host-preced { return next_state(IL_ICMP_UNREACH_HOST_PRECEDENCE, -1); }
cutoff-preced { return next_state(IL_ICMP_UNREACH_PRECEDENCE_CUTOFF, -1); }
net-redir { return next_state(IL_ICMP_REDIRECT_NET, -1); }
host-redir { return next_state(IL_ICMP_REDIRECT_HOST, -1); }
tos-net-redir { return next_state(IL_ICMP_REDIRECT_TOSNET, -1); }
tos-host-redir { return next_state(IL_ICMP_REDIRECT_TOSHOST, -1); }
intrans { return next_state(IL_ICMP_TIMXCEED_INTRANS, -1); }
reass { return next_state(IL_ICMP_TIMXCEED_REASS, -1); }
optabsent { return next_state(IL_ICMP_PARAMPROB_OPTABSENT, -1); }
otime { return next_state(IL_ICMP_OTIME, -1); }
rtime { return next_state(IL_ICMP_RTIME, -1); }
ttime { return next_state(IL_ICMP_TTIME, -1); }
icmpseq { return next_state(IL_ICMP_SEQ, -1); }
icmpid { return next_state(IL_ICMP_SEQ, -1); }
\377 { return 0; } /* EOF */
\{ { push_proto(); return next_item('{'); }
\} { pop_proto(); return next_item('}'); }
\. { return next_item(IL_DOT); }
; { return next_item(';'); }
[0-9]+ { return next_item(IL_NUMBER); }
[0-9a-fA-F] { return next_item(IL_HEXDIGIT); }
: { return next_item(IL_COLON); }
#[^\n]* { return next_item(IL_COMMENT); }
[^ {}\n\t;]* { return next_item(IL_TOKEN); }
[^ \{\}\n\t;:{}]* { return next_item(IL_TOKEN); }
\"[^\"]*\" { return next_item(IL_TOKEN); }
%%
void yyerror(msg)
@ -220,10 +225,21 @@ int save_token()
int next_item(nstate)
int nstate;
{
struct wordtab *wt;
if (opts & OPT_DEBUG)
printf("text=[%s] id=%d next=%d\n", yytext, nstate, next);
if (next == IL_TOKEN) {
next = -1;
return save_token();
}
token++;
for (wt = words; wt->word; wt++)
if (!strcasecmp(wt->word, yytext))
return next_state(wt->state, wt->next);
if (opts & OPT_DEBUG)
printf("unknown keyword=[%s]\n", yytext);
next = -1;
if (nstate == IL_NUMBER)
yylval.num = atoi(yytext);
@ -235,13 +251,6 @@ int nstate;
int next_state(nstate, fornext)
int nstate, fornext;
{
token++;
if (next == IL_TOKEN) {
next = -1;
return save_token();
}
next = fornext;
switch (nstate)


@ -6,7 +6,7 @@
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
* $Id: iplang_y.y,v 2.0.2.18.2.5 1997/12/10 09:54:45 darrenr Exp $
* $Id: iplang_y.y,v 2.0.2.18.2.7 1998/05/23 14:29:53 darrenr Exp $
*/
#include <stdio.h>
@ -48,7 +48,9 @@
#include "ipf.h"
#include "iplang.h"
#ifndef __NetBSD__
extern struct ether_addr *ether_aton __P((char *));
#endif
extern int opts;
extern struct ipopt_names ionames[];
@ -345,7 +347,7 @@ tcpopts:
tcpopt: IL_TCPO_NOP ';' { set_tcpopt(IL_TCPO_NOP, NULL); }
| IL_TCPO_EOL ';' { set_tcpopt(IL_TCPO_EOL, NULL); }
| IL_TCPO_MSS optoken { set_tcpopt(IL_TCPO_MSS,&$2);}
| IL_TCPO_WSCALE optoken { set_tcpopt(IL_TCPO_MSS,&$2);}
| IL_TCPO_WSCALE optoken { set_tcpopt(IL_TCPO_WSCALE,&$2);}
| IL_TCPO_TS optoken { set_tcpopt(IL_TCPO_TS, &$2);}
;
@ -779,6 +781,8 @@ char **arg;
*t++ = (u_char)(val & 0xff);
todo = 0;
}
if (todo)
continue;
}
if (quote) {
if (isdigit(c)) {
@ -807,8 +811,8 @@ char **arg;
*t++ = '\t';
break;
}
quote = 0;
}
quote = 0;
continue;
}
@ -817,6 +821,8 @@ char **arg;
else
*t++ = c;
}
if (todo)
*t++ = (u_char)(val & 0xff);
if (quote)
*t++ = '\\';
len = t - (u_char *)canip->ah_data;
@ -910,7 +916,7 @@ char **arg;
void set_ipv4off(arg)
char **arg;
{
ip->ip_off = strtol(*arg, NULL, 0);
ip->ip_off = htons(strtol(*arg, NULL, 0));
free(*arg);
*arg = NULL;
}
@ -961,7 +967,7 @@ char **arg;
void set_ipv4id(arg)
char **arg;
{
ip->ip_id = strtol(*arg, NULL, 0);
ip->ip_id = htons(strtol(*arg, NULL, 0));
free(*arg);
*arg = NULL;
}
@ -999,7 +1005,7 @@ void new_tcpheader()
ip->ip_p = IPPROTO_TCP;
tcp = (tcphdr_t *)new_header(IPPROTO_TCP);
tcp->th_win = 4096;
tcp->th_win = htons(4096);
tcp->th_off = sizeof(*tcp) >> 2;
}
@ -1047,7 +1053,7 @@ char **arg;
void set_tcpseq(arg)
char **arg;
{
tcp->th_seq = strtol(*arg, NULL, 0);
tcp->th_seq = htonl(strtol(*arg, NULL, 0));
free(*arg);
*arg = NULL;
}
@ -1056,7 +1062,7 @@ char **arg;
void set_tcpack(arg)
char **arg;
{
tcp->th_ack = strtol(*arg, NULL, 0);
tcp->th_ack = htonl(strtol(*arg, NULL, 0));
free(*arg);
*arg = NULL;
}
@ -1078,7 +1084,7 @@ char **arg;
void set_tcpurp(arg)
char **arg;
{
tcp->th_urp = strtol(*arg, NULL, 0);
tcp->th_urp = htons(strtol(*arg, NULL, 0));
free(*arg);
*arg = NULL;
}
@ -1087,7 +1093,7 @@ char **arg;
void set_tcpwin(arg)
char **arg;
{
tcp->th_win = strtol(*arg, NULL, 0);
tcp->th_win = htons(strtol(*arg, NULL, 0));
free(*arg);
*arg = NULL;
}
@ -1298,7 +1304,8 @@ void packet_done()
u_char *s = (u_char *)ipbuffer, *t = (u_char *)outline;
if (opts & OPT_VERBOSE) {
for (i = ip->ip_len, j = 0; i; i--, j++, s++) {
ip->ip_len = htons(ip->ip_len);
for (i = ntohs(ip->ip_len), j = 0; i; i--, j++, s++) {
if (j && !(j & 0xf)) {
*t++ = '\n';
*t = '\0';
@ -1338,6 +1345,7 @@ void packet_done()
}
fputs(outline, stdout);
fflush(stdout);
ip->ip_len = ntohs(ip->ip_len);
}
prep_packet();
@ -1542,35 +1550,35 @@ char **type;
void set_icmpid(arg)
int arg;
{
icmp->icmp_id = arg;
icmp->icmp_id = htons(arg);
}
void set_icmpseq(arg)
int arg;
{
icmp->icmp_seq = arg;
icmp->icmp_seq = htons(arg);
}
void set_icmpotime(arg)
int arg;
{
icmp->icmp_otime = arg;
icmp->icmp_otime = htonl(arg);
}
void set_icmprtime(arg)
int arg;
{
icmp->icmp_rtime = arg;
icmp->icmp_rtime = htonl(arg);
}
void set_icmpttime(arg)
int arg;
{
icmp->icmp_ttime = arg;
icmp->icmp_ttime = htonl(arg);
}
@ -1578,7 +1586,7 @@ void set_icmpmtu(arg)
int arg;
{
#if BSD >= 199306
icmp->icmp_nextmtu = arg;
icmp->icmp_nextmtu = htons(arg);
#endif
}
@ -1730,7 +1738,9 @@ void end_ipv4()
aniphdr_t *aip;
ip->ip_sum = 0;
ip->ip_len = htons(ip->ip_len);
ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2);
ip->ip_len = ntohs(ip->ip_len);
free_anipheader();
for (aip = aniphead, ip = NULL; aip; aip = aip->ah_next)
if (aip->ah_p == IPPROTO_IP)
@ -1761,9 +1771,10 @@ void end_udp()
iptmp.ip_p = ip->ip_p;
iptmp.ip_src = ip->ip_src;
iptmp.ip_dst = ip->ip_dst;
iptmp.ip_len = ip->ip_len - (ip->ip_hl << 2);
iptmp.ip_len = htons(ip->ip_len - (ip->ip_hl << 2));
sum = p_chksum((u_short *)&iptmp, (u_int)sizeof(iptmp));
udp->uh_sum = c_chksum((u_short *)udp, (u_int)iptmp.ip_len, sum);
udp->uh_ulen = htons(udp->uh_ulen);
udp->uh_sum = c_chksum((u_short *)udp, (u_int)ntohs(iptmp.ip_len), sum);
free_anipheader();
for (aip = aniphead, udp = NULL; aip; aip = aip->ah_next)
if (aip->ah_p == IPPROTO_UDP)
@ -1781,10 +1792,10 @@ void end_tcp()
iptmp.ip_p = ip->ip_p;
iptmp.ip_src = ip->ip_src;
iptmp.ip_dst = ip->ip_dst;
iptmp.ip_len = ip->ip_len - (ip->ip_hl << 2);
iptmp.ip_len = htons(ip->ip_len - (ip->ip_hl << 2));
sum = p_chksum((u_short *)&iptmp, (u_int)sizeof(iptmp));
tcp->th_sum = 0;
tcp->th_sum = c_chksum((u_short *)tcp, (u_int)iptmp.ip_len, sum);
tcp->th_sum = c_chksum((u_short *)tcp, (u_int)ntohs(iptmp.ip_len), sum);
free_anipheader();
for (aip = aniphead, tcp = NULL; aip; aip = aip->ah_next)
if (aip->ah_p == IPPROTO_TCP)
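Review bot: In packet_done (the hunk at `@ -1298,7 +1304,8 @@`), `ip->ip_len = htons(ip->ip_len);` appears to swap the header field in place only so that the following hex dump of ipbuffer shows the length as it sits on the wire; the loop bound immediately reads it back with `ntohs(ip->ip_len)` and the field is restored at the end of the verbose block, but nothing says so, and the pair is easy to break if an early return is ever added between them. A comment at the swap would protect it: `/* ip_len is kept in host order; swap it for the dump so the bytes match the wire form, restored below */`. The per-field convention this commit introduces (ip_off, ip_id, th_seq, th_win and the icmp fields stored in network order by their set_* functions, ip_len left in host order until end_ipv4) is worth stating once near the set_* functions, since end_udp and end_tcp now rely on it when they build iptmp. packet_done begins and ends outside the hunk.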


@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1997 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.0.2.29.2.4 1997/11/28 06:14:46 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.0.2.29.2.9 1998/05/23 14:29:45 darrenr Exp $";
#endif
#include <stdio.h>
@ -18,6 +18,7 @@ static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.0.2.29.2.4 1997/11/28 06:14:46
#include <sys/types.h>
#if !defined(__SVR4) && !defined(__svr4__)
#include <strings.h>
#include <signal.h>
#include <sys/dir.h>
#else
#include <sys/filio.h>
@ -87,7 +88,11 @@ struct flags tcpfl[] = {
static char line[2048];
static int opts = 0;
static FILE *newlog = NULL;
static char *logfile = NULL;
static int donehup = 0;
static void usage __P((char *));
static void handlehup __P((void));
static void flushlogs __P((char *, FILE *));
static void print_log __P((int, FILE *, char *, int));
static void print_ipflog __P((FILE *, char *, int));
@ -99,6 +104,8 @@ char *hostname __P((int, struct in_addr));
char *portname __P((int, char *, u_short));
int main __P((int, char *[]));
static void logopts __P((int, char *));
#define OPT_SYSLOG 0x001
#define OPT_RESOLVE 0x002
@ -117,6 +124,17 @@ int main __P((int, char *[]));
#endif
static void handlehup()
{
FILE *fp;
signal(SIGHUP, handlehup);
if (logfile && (fp = fopen(logfile, "a")))
newlog = fp;
donehup = 1;
}
static int read_log(fd, lenp, buf, bufsize, log)
int fd, bufsize, *lenp;
char *buf;
@ -181,7 +199,7 @@ int len;
*t++ = '\n';
*t = '\0';
if (!(opts & OPT_SYSLOG))
fputs(line, stdout);
fputs(line, log);
else
syslog(LOG_INFO, "%s", line);
t = (u_char *)line;
@ -217,8 +235,8 @@ int len;
*t = '\0';
}
if (!(opts & OPT_SYSLOG)) {
fputs(line, stdout);
fflush(stdout);
fputs(line, log);
fflush(log);
} else
syslog(LOG_INFO, "%s", line);
}
@ -232,19 +250,21 @@ int blen;
iplog_t *ipl = (iplog_t *)buf;
char *t = line;
struct tm *tm;
int res;
int res, i, len;
nl = (struct natlog *)((char *)ipl + sizeof(*ipl));
res = (opts & OPT_RESOLVE) ? 1 : 0;
tm = localtime((time_t *)&ipl->ipl_sec);
len = sizeof(line);
if (!(opts & OPT_SYSLOG)) {
(void) sprintf(t, "%2d/%02d/%4d ",
tm->tm_mday, tm->tm_mon + 1, tm->tm_year + 1900);
t += strlen(t);
(void) strftime(t, len, "%d/%m/%Y ", tm);
i = strlen(t);
len -= i;
t += i;
}
(void) sprintf(t, "%02d:%02d:%02d.%-.6ld @%hd ",
tm->tm_hour, tm->tm_min, tm->tm_sec, ipl->ipl_usec,
nl->nl_rule+1);
(void) strftime(t, len, "%T", tm);
t += strlen(t);
(void) sprintf(t, ".%-.6ld @%hd ", ipl->ipl_usec, nl->nl_rule + 1);
t += strlen(t);
if (nl->nl_type == NL_NEWMAP)
@ -295,18 +315,21 @@ int blen;
struct protoent *pr;
char *t = line, *proto, pname[6];
struct tm *tm;
int res;
int res, i, len;
sl = (struct ipslog *)((char *)ipl + sizeof(*ipl));
res = (opts & OPT_RESOLVE) ? 1 : 0;
tm = localtime((time_t *)&ipl->ipl_sec);
len = sizeof(line);
if (!(opts & OPT_SYSLOG)) {
(void) sprintf(t, "%2d/%02d/%4d ",
tm->tm_mday, tm->tm_mon + 1, tm->tm_year + 1900);
t += strlen(t);
(void) strftime(t, len, "%d/%m/%Y ", tm);
i = strlen(t);
len -= i;
t += i;
}
(void) sprintf(t, "%02d:%02d:%02d.%-.6ld ",
tm->tm_hour, tm->tm_min, tm->tm_sec, ipl->ipl_usec);
(void) strftime(t, len, "%T", tm);
t += strlen(t);
(void) sprintf(t, ".%-.6ld ", ipl->ipl_usec);
t += strlen(t);
if (sl->isl_type == ISL_NEW)
@ -364,13 +387,26 @@ char *buf;
int logtype, blen;
{
iplog_t *ipl;
char *bp = NULL, *bpo = NULL;
int psize;
while (blen > 0) {
ipl = (iplog_t *)buf;
if ((u_long)ipl & (sizeof(long)-1)) {
if (bp)
bpo = bp;
bp = (char *)malloc(blen);
bcopy((char *)ipl, bp, blen);
if (bpo) {
free(bpo);
bpo = NULL;
}
buf = bp;
continue;
}
if (ipl->ipl_magic != IPL_MAGIC) {
/* invalid data or out of sync */
return;
break;
}
psize = ipl->ipl_dsize;
switch (logtype)
@ -389,6 +425,9 @@ int logtype, blen;
blen -= psize;
buf += psize;
}
if (bp)
free(bp);
return;
}
@ -421,13 +460,16 @@ int blen;
ip->ip_len = ntohs(ip->ip_len);
#endif
len = sizeof(line);
if (!(opts & OPT_SYSLOG)) {
(void) sprintf(t, "%2d/%02d/%4d ",
tm->tm_mday, tm->tm_mon + 1, tm->tm_year + 1900);
t += strlen(t);
(void) strftime(t, len, "%d/%m/%Y ", tm);
i = strlen(t);
len -= i;
t += i;
}
(void) sprintf(t, "%02d:%02d:%02d.%-.6ld ", tm->tm_hour, tm->tm_min,
tm->tm_sec, ipl->ipl_usec);
(void) strftime(t, len, "%T", tm);
t += strlen(t);
(void) sprintf(t, ".%-.6ld ", ipl->ipl_usec);
t += strlen(t);
if (ipl->ipl_count > 1) {
(void) sprintf(t, "%dx ", ipl->ipl_count);
@ -519,9 +561,9 @@ int blen;
ic = (struct icmp *)((char *)ip + hl);
(void) sprintf(t, "%s -> ", hostname(res, ip->ip_src));
t += strlen(t);
(void) sprintf(t, "%s PR icmp len %hu (%hu) icmp %d/%d",
hostname(res, ip->ip_dst), hl,
ntohs(ip->ip_len), ic->icmp_type, ic->icmp_code);
(void) sprintf(t, "%s PR icmp len %hu %hu icmp %d/%d",
hostname(res, ip->ip_dst), hl, ip->ip_len,
ic->icmp_type, ic->icmp_code);
if (ic->icmp_type == ICMP_UNREACH ||
ic->icmp_type == ICMP_SOURCEQUENCH ||
ic->icmp_type == ICMP_PARAMPROB ||
@ -663,7 +705,7 @@ char *argv[];
FILE *log = stdout;
int fd[3], doread, n, i;
int tr, nr, regular[3], c;
int fdt[3], devices = 0;
int fdt[3], devices = 0, make_daemon = 0;
char buf[512], *iplfile[3];
extern int optind;
extern char *optarg;
@ -674,12 +716,15 @@ char *argv[];
iplfile[1] = IPNAT_NAME;
iplfile[2] = IPSTATE_NAME;
while ((c = getopt(argc, argv, "?af:FhI:nN:o:O:sS:tvxX")) != -1)
while ((c = getopt(argc, argv, "?aDf:FhI:nN:o:O:sS:tvxX")) != -1)
switch (c)
{
case 'a' :
opts |= OPT_ALL;
break;
case 'D' :
make_daemon = 1;
break;
case 'f' : case 'I' :
opts |= OPT_FILTER;
fdt[0] = IPL_LOGIPF;
@ -768,7 +813,8 @@ char *argv[];
}
if (!(opts & OPT_SYSLOG)) {
log = argv[optind] ? fopen(argv[optind], "a") : stdout;
logfile = argv[optind];
log = logfile ? fopen(logfile, "a") : stdout;
if (log == NULL) {
(void) fprintf(stderr, "%s: fopen: %s\n", argv[optind],
@ -778,6 +824,17 @@ char *argv[];
setvbuf(log, NULL, _IONBF, 0);
}
if (make_daemon && (log != stdout)) {
if (fork() > 0)
exit(0);
close(0);
close(1);
close(2);
setsid();
}
signal(SIGHUP, handlehup);
for (doread = 1; doread; ) {
nr = 0;
@ -800,6 +857,15 @@ char *argv[];
nr += tr;
tr = read_log(fd[i], &n, buf, sizeof(buf), log);
if (donehup) {
donehup = 0;
if (newlog) {
fclose(log);
log = newlog;
newlog = NULL;
}
}
switch (tr)
{
case -1 :
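Review bot: handlehup (the hunk at `@ -117,6 +124,17 @@`) calls fopen() from inside a SIGHUP handler, which is not async-signal-safe, and the flags it sets (`newlog`, `donehup`) are plain statics rather than `volatile sig_atomic_t`, so the read loop is not guaranteed to see them change. A second HUP arriving before the loop has consumed `newlog` overwrites the pointer and leaks the first FILE. The log reopened this way is also never passed through `setvbuf(fp, NULL, _IONBF, 0)` as the original log is (the hunk at `@ -778,6 +824,17 @@`), so buffering changes after a rotation. Having the handler only set the flag and doing the reopen in the loop (which needs `fp` declared in main) addresses all three; the new daemonising block also continues as the parent when fork() returns -1, and print_log's realignment copy (`bp = (char *)malloc(blen);`) is not checked before bcopy.
```c
static volatile sig_atomic_t donehup = 0;
/* … unchanged: prototypes, option macros … */
static void handlehup()
{
	signal(SIGHUP, handlehup);
	donehup = 1;
}
/* … unchanged: main() up to the read loop … */
			if (donehup) {
				donehup = 0;
				if (logfile && (fp = fopen(logfile, "a")) != NULL) {
					setvbuf(fp, NULL, _IONBF, 0);
					fclose(log);
					log = fp;
				}
			}
```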


@ -19,6 +19,7 @@
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/types.h>
#if !defined(__SVR4) && !defined(__svr4__)
#include <strings.h>
@ -52,9 +53,16 @@
#include "netinet/ip_nat.h"
#include "kmem.h"
#if defined(sun) && !SOLARIS2
# define STRERROR(x) sys_errlist[x]
extern char *sys_errlist[];
#else
# define STRERROR(x) strerror(x)
#endif
#if !defined(lint)
static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.0.2.21.2.1 1997/11/08 04:55:55 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.0.2.21.2.6 1998/05/23 19:07:02 darrenr Exp $";
#endif
@ -65,14 +73,14 @@ static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.0.2.21.2.1 1997/11/08 04:55:55
extern char *optarg;
ipnat_t *parse __P((char *));
u_long hostnum __P((char *, int *));
u_long hostmask __P((char *));
u_32_t hostnum __P((char *, int *));
u_32_t hostmask __P((char *));
u_short portnum __P((char *, char *));
void dostats __P((int, int)), flushtable __P((int, int));
void printnat __P((ipnat_t *, int, void *));
void parsefile __P((int, char *, int));
void usage __P((char *));
int countbits __P((u_long));
int countbits __P((u_32_t));
char *getnattype __P((ipnat_t *));
int main __P((int, char*[]));
@ -133,7 +141,8 @@ char *argv[];
if (!(opts & OPT_NODO) && ((fd = open(IPL_NAT, O_RDWR)) == -1) &&
((fd = open(IPL_NAT, O_RDONLY)) == -1)) {
perror("open");
(void) fprintf(stderr, "%s: open: %s\n", IPL_NAT,
STRERROR(errno));
exit(-1);
}
@ -153,9 +162,9 @@ char *argv[];
* of bits.
*/
int countbits(ip)
u_long ip;
u_32_t ip;
{
u_long ipn;
u_32_t ipn;
int cnt = 0, i, j;
ip = ipn = ntohl(ip);
@ -233,7 +242,7 @@ void *ptr;
else
printf("%s", inet_ntoa(np->in_in[1]));
printf(" -> %s/", inet_ntoa(np->in_out[0]));
bits = countbits(ntohl(np->in_out[1].s_addr));
bits = countbits(np->in_out[1].s_addr);
if (bits != -1)
printf("%d ", bits);
else
@ -408,18 +417,18 @@ char *name, *proto;
}
u_long hostmask(msk)
u_32_t hostmask(msk)
char *msk;
{
int bits = -1;
u_long mask;
u_32_t mask;
if (!isdigit(*msk))
return (u_long)-1;
return (u_32_t)-1;
if (strchr(msk, '.'))
return inet_addr(msk);
if (strchr(msk, 'x'))
return (u_long)strtol(msk, NULL, 0);
return (u_32_t)strtol(msk, NULL, 0);
/*
* set x most significant bits
*/
@ -436,7 +445,7 @@ char *msk;
* returns an ip address as a long var as a result of either a DNS lookup or
* straight inet_addr() call
*/
u_long hostnum(host, resolved)
u_32_t hostnum(host, resolved)
char *host;
int *resolved;
{
@ -455,7 +464,7 @@ int *resolved;
fprintf(stderr, "can't resolve hostname: %s\n", host);
return 0;
}
return np->n_net;
return htonl(np->n_net);
}
return *(u_32_t *)hp->h_addr;
}
@ -760,7 +769,8 @@ int opts;
if (strcmp(file, "-")) {
if (!(fp = fopen(file, "r"))) {
perror(file);
(void) fprintf(stderr, "%s: open: %s\n", file,
STRERROR(errno));
exit(1);
}
} else
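Review bot: hostmask (the hunk at `@ -408,18 +417,18 @@`) still returns the hex form `(u_32_t)strtol(msk, NULL, 0)` in host byte order while the dotted form comes from inet_addr() in network order, and countbits() in this file ntohl()s its argument, so the two spellings of the same mask apparently end up with different byte orders on little-endian hosts. If the stored masks are meant to be network order, as the countbits change in printnat suggests, the line should read `return htonl((u_32_t)strtol(msk, NULL, 0));`. strtol with a NULL endptr also accepts trailing junk silently, which the hex path inherits. hostmask's tail is outside the hunk.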


@ -29,4 +29,4 @@ Lastly, being passive means that no action is taken to stop port scans being
done or discourage them.
Darren
darrenr@cyber.com.au
darrenr@pobox.com


@ -5,4 +5,4 @@ http://coombs.anu.edu.au/~avalon/ip-filter.html
Patches, bugs, etc, please send to:
darrenr@cyber.com.au
darrenr@pobox.com


@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995";
static const char rcsid[] = "@(#)$Id: ip.c,v 2.0.2.11.2.2 1997/11/28 03:36:47 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ip.c,v 2.0.2.11.2.3 1997/12/21 12:17:37 darrenr Exp $";
#endif
#include <errno.h>
#include <stdio.h>
@ -117,7 +117,6 @@ int frag;
last_gw.s_addr = gwip.s_addr;
iplen = ip->ip_len;
ip->ip_len = htons(iplen);
ip->ip_off = htons(ip->ip_off);
if (!(frag & 2)) {
if (!ip->ip_v)
ip->ip_v = IPVERSION;
@ -260,7 +259,7 @@ struct in_addr gwip;
i = sizeof(struct tcpiphdr) / sizeof(long);
if ((ti->ti_flags == TH_SYN) && !ip->ip_off &&
if ((ti->ti_flags == TH_SYN) && !ntohs(ip->ip_off) &&
(lbuf[i] != htonl(0x020405b4))) {
lbuf[i] = htonl(0x020405b4);
bcopy((char *)ip + hlen + thlen, (char *)ip + hlen + thlen + 4,
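Review bot: Dropping `ip->ip_off = htons(ip->ip_off);` (the hunk at `@ -117,7 +117,6 @@`) makes ip_off a field the caller must already supply in network order, while ip_len is still taken in host order and converted two lines above; this mixed contract is now part of the function's interface and is not recorded anywhere. A comment at the conversion would keep callers from double-swapping: `/* ip_len is host order on entry and converted here; ip_off must already be in network order (see the ntohs() in the SYN check below) */`. The enclosing function starts outside the hunk.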


@ -92,8 +92,6 @@ option combinations:
.B \-X
The input file is composed of text descriptions of IP packets.
.TP
.SH FILES
.DT
.SH SEE ALSO
snoop(1m), tcpdump(8), etherfind(8c), ipftest(1), ipresend(1), iptest(1), bpf(4), dlpi(7p)
.SH DIAGNOSTICS
@ -103,5 +101,5 @@ Needs to be run as root.
.PP
Not all of the input formats are sufficiently capable of introducing a
wide enough variety of packets for them to be all useful in testing.
If you find any, please send email to me at darrenr@cyber.com.au
If you find any, please send email to me at darrenr@pobox.com


@ -106,4 +106,4 @@ ipsend(1), ipresend(1), iptest(1), protocols(4), bpf(4), dlpi(7p)
Needs to be run as root.
.SH BUGS
.PP
If you find any, please send email to me at darrenr@cyber.com.au
If you find any, please send email to me at darrenr@pobox.com


@ -392,7 +392,10 @@ Address mask request.
.B maskrep
Address mask reply.
.SH FILES
/etc/protocols
/etc/services
/etc/hosts
.br
/etc/protocols
.br
/etc/services
.SH SEE ALSO
ipsend(1), iptest(1), hosts(5), protocols(5), services(5)


@ -12,7 +12,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.0.2.19 1997/10/12 09:48:38 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.0.2.19.2.1 1998/05/14 14:01:19 darrenr Exp $";
#endif
#include <stdio.h>
#include <stdlib.h>
@ -357,7 +357,7 @@ char **argv;
}
if (ip->ip_p == IPPROTO_TCP)
for (s = argv[optind]; (c = *s); s++)
for (s = argv[optind]; s && (c = *s); s++)
switch(c)
{
case 'S' : case 's' :


@ -91,11 +91,11 @@ MTU's without setting them so.
Run a...
.DT
.SH SEE ALSO
ipsend(1), ipresend(1), bpf(4), dlpi(7p)
ipsend(1), ipresend(1), bpf(4), ipsend(5), dlpi(7p)
.SH DIAGNOSTICS
Only one of the numeric test options may be given when \fIiptest\fP is run.
.PP
Needs to be run as root.
.SH BUGS
.PP
If you find any, please send email to me at darrenr@cyber.com.au
If you find any, please send email to me at darrenr@pobox.com


@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
static const char rcsid[] = "@(#)$Id: iptests.c,v 2.0.2.13.2.1 1997/11/28 03:37:10 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: iptests.c,v 2.0.2.13.2.2 1997/12/21 12:17:38 darrenr Exp $";
#endif
#include <stdio.h>
#include <unistd.h>
@ -98,24 +98,21 @@ int ptest;
ip->ip_p = IPPROTO_UDP;
ip->ip_sum = 0;
u = (udphdr_t *)(ip + 1);
u->uh_sport = 1;
u->uh_dport = 9;
u->uh_sport = htons(1);
u->uh_dport = htons(9);
u->uh_sum = 0;
u->uh_ulen = sizeof(*u) + 4;
ip->ip_len = sizeof(*ip) + u->uh_ulen;
u->uh_ulen = htons(sizeof(*u) + 4);
ip->ip_len = sizeof(*ip) + ntohs(u->uh_ulen);
len = ip->ip_len;
nfd = initdevice(dev, u->uh_sport, 1);
u->uh_sport = htons(u->uh_sport);
u->uh_dport = htons(u->uh_dport);
u->uh_ulen = htons(u->uh_ulen);
if (!ptest || (ptest == 1)) {
/*
* Part1: hl < len
*/
ip->ip_id = 0;
printf("1.1. sending packets with ip_hl < ip_len\n");
for (i = 0; i < ((sizeof(*ip) + u->uh_ulen) >> 2); i++) {
for (i = 0; i < ((sizeof(*ip) + ntohs(u->uh_ulen)) >> 2); i++) {
ip->ip_hl = i >> 2;
(void) send_ip(nfd, 1500, ip, gwip, 1);
printf("%d\r", i);
@ -131,7 +128,7 @@ int ptest;
*/
ip->ip_id = 0;
printf("1.2. sending packets with ip_hl > ip_len\n");
for (; i < ((sizeof(*ip) * 2 + u->uh_ulen) >> 2); i++) {
for (; i < ((sizeof(*ip) * 2 + ntohs(u->uh_ulen)) >> 2); i++) {
ip->ip_hl = i >> 2;
(void) send_ip(nfd, 1500, ip, gwip, 1);
printf("%d\r", i);
@ -181,10 +178,8 @@ int ptest;
ip->ip_id = 0;
ip->ip_v = IPVERSION;
i = ip->ip_len + 1;
ip->ip_len = htons(ip->ip_len);
ip->ip_off = htons(ip->ip_off);
printf("1.5.0 ip_len < packet size (size++, long packets)\n");
for (; i < (ntohs(ip->ip_len) * 2); i++) {
for (; i < (ip->ip_len * 2); i++) {
ip->ip_id = htons(id++);
ip->ip_sum = 0;
ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2);
@ -197,7 +192,7 @@ int ptest;
printf("1.5.1 ip_len < packet size (ip_len-, short packets)\n");
for (i = len; i > 0; i--) {
ip->ip_id = htons(id++);
ip->ip_len = htons(i);
ip->ip_len = i;
ip->ip_sum = 0;
ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2);
(void) send_ether(nfd, (char *)ip, len, gwip);
@ -216,7 +211,7 @@ int ptest;
printf("1.6.0 ip_len > packet size (increase ip_len)\n");
for (i = len + 1; i < (len * 2); i++) {
ip->ip_id = htons(id++);
ip->ip_len = htons(i);
ip->ip_len = i;
ip->ip_sum = 0;
ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2);
(void) send_ether(nfd, (char *)ip, len, gwip);
@ -225,7 +220,7 @@ int ptest;
PAUSE();
}
putchar('\n');
ip->ip_len = htons(len);
ip->ip_len = len;
printf("1.6.1 ip_len > packet size (size--, short packets)\n");
for (i = len; i > 0; i--) {
ip->ip_id = htons(id++);
@ -288,7 +283,7 @@ int ptest;
* about that here.
*/
ip->ip_p = IPPROTO_ICMP;
ip->ip_off = IP_MF;
ip->ip_off = htons(IP_MF);
u->uh_dport = htons(9);
ip->ip_id = htons(id++);
printf("1.8.1 63k packet + 1k fragment at offset 0x1ffe\n");
@ -299,14 +294,14 @@ int ptest;
ip->ip_len = MIN(768 + 20, mtu - 68);
i = 512;
for (; i < (63 * 1024 + 768); i += 768) {
ip->ip_off = IP_MF | (i >> 3);
ip->ip_off = htons(IP_MF | (i >> 3));
(void) send_ip(nfd, mtu, ip, gwip, 1);
printf("%d\r", i);
fflush(stdout);
PAUSE();
}
ip->ip_len = 896 + 20;
ip->ip_off = (i >> 3);
ip->ip_off = htons(i >> 3);
(void) send_ip(nfd, mtu, ip, gwip, 1);
printf("%d\r", i);
putchar('\n');
@ -319,7 +314,7 @@ int ptest;
* about that here. (Lossage here)
*/
ip->ip_p = IPPROTO_ICMP;
ip->ip_off = IP_MF;
ip->ip_off = htons(IP_MF);
u->uh_dport = htons(9);
ip->ip_id = htons(id++);
printf("1.8.2 63k packet + 1k fragment at offset 0x1ffe\n");
@ -333,7 +328,7 @@ int ptest;
ip->ip_len = MIN(768 + 20, mtu - 68);
i = 512;
for (; i < (63 * 1024 + 768); i += 768) {
ip->ip_off = IP_MF | (i >> 3);
ip->ip_off = htons(IP_MF | (i >> 3));
if ((rand() & 0x1f) != 0) {
(void) send_ip(nfd, mtu, ip, gwip, 1);
printf("%d\r", i);
@ -343,7 +338,7 @@ int ptest;
PAUSE();
}
ip->ip_len = 896 + 20;
ip->ip_off = (i >> 3);
ip->ip_off = htons(i >> 3);
if ((rand() & 0x1f) != 0) {
(void) send_ip(nfd, mtu, ip, gwip, 1);
printf("%d\r", i);
@ -359,7 +354,7 @@ int ptest;
* about that here.
*/
ip->ip_p = IPPROTO_ICMP;
ip->ip_off = IP_MF;
ip->ip_off = htons(IP_MF);
u->uh_dport = htons(9);
ip->ip_id = htons(id++);
printf("1.8.3 33k packet\n");
@ -370,14 +365,14 @@ int ptest;
ip->ip_len = MIN(768 + 20, mtu - 68);
i = 512;
for (; i < (32 * 1024 + 768); i += 768) {
ip->ip_off = IP_MF | (i >> 3);
ip->ip_off = htons(IP_MF | (i >> 3));
(void) send_ip(nfd, mtu, ip, gwip, 1);
printf("%d\r", i);
fflush(stdout);
PAUSE();
}
ip->ip_len = 896 + 20;
ip->ip_off = (i >> 3);
ip->ip_off = htons(i >> 3);
(void) send_ip(nfd, mtu, ip, gwip, 1);
printf("%d\r", i);
putchar('\n');
@ -391,7 +386,7 @@ int ptest;
* Part9: off & 0x8000 == 0x8000
*/
ip->ip_id = 0;
ip->ip_off = 0x8000;
ip->ip_off = htons(0x8000);
printf("1.9. ip_off & 0x8000 == 0x8000\n");
(void) send_ip(nfd, mtu, ip, gwip, 1);
fflush(stdout);
@ -440,7 +435,7 @@ int ptest;
u_char *s;
s = (u_char *)(ip + 1);
nfd = initdevice(dev, 1, 1);
nfd = initdevice(dev, htons(1), 1);
ip->ip_hl = 6;
ip->ip_len = ip->ip_hl << 2;
@ -539,7 +534,7 @@ int ptest;
ip->ip_sum = 0;
ip->ip_len = sizeof(*ip) + sizeof(*icp);
icp = (struct icmp *)((char *)ip + (ip->ip_hl << 2));
nfd = initdevice(dev, 1, 1);
nfd = initdevice(dev, htons(1), 1);
if (!ptest || (ptest == 1)) {
/*
@ -731,20 +726,20 @@ int ptest;
ip->ip_p = IPPROTO_UDP;
ip->ip_sum = 0;
u = (udphdr_t *)((char *)ip + (ip->ip_hl << 2));
u->uh_sport = 1;
u->uh_dport = 1;
u->uh_ulen = sizeof(*u) + 4;
u->uh_sport = htons(1);
u->uh_dport = htons(1);
u->uh_ulen = htons(sizeof(*u) + 4);
nfd = initdevice(dev, u->uh_sport, 1);
if (!ptest || (ptest == 1)) {
/*
* Test 1. ulen > packet
*/
u->uh_ulen = sizeof(*u) + 4;
ip->ip_len = (ip->ip_hl << 2) + u->uh_ulen;
u->uh_ulen = htons(sizeof(*u) + 4);
ip->ip_len = (ip->ip_hl << 2) + ntohs(u->uh_ulen);
printf("4.1 UDP uh_ulen > packet size - short packets\n");
for (i = u->uh_ulen * 2; i > sizeof(*u) + 4; i--) {
u->uh_ulen = i;
for (i = ntohs(u->uh_ulen) * 2; i > sizeof(*u) + 4; i--) {
u->uh_ulen = htons(i);
(void) send_udp(nfd, 1500, ip, gwip);
printf("%d\r", i);
fflush(stdout);
@ -757,10 +752,10 @@ int ptest;
/*
* Test 2. ulen < packet
*/
u->uh_ulen = sizeof(*u) + 4;
ip->ip_len = (ip->ip_hl << 2) + u->uh_ulen;
u->uh_ulen = htons(sizeof(*u) + 4);
ip->ip_len = (ip->ip_hl << 2) + ntohs(u->uh_ulen);
printf("4.2 UDP uh_ulen < packet size - short packets\n");
for (i = u->uh_ulen * 2; i > sizeof(*u) + 4; i--) {
for (i = ntohs(u->uh_ulen) * 2; i > sizeof(*u) + 4; i--) {
ip->ip_len = i;
(void) send_udp(nfd, 1500, ip, gwip);
printf("%d\r", i);
@ -776,7 +771,7 @@ int ptest;
* sport = 32768, sport = 65535
*/
u->uh_ulen = sizeof(*u) + 4;
ip->ip_len = (ip->ip_hl << 2) + u->uh_ulen;
ip->ip_len = (ip->ip_hl << 2) + ntohs(u->uh_ulen);
printf("4.3.1 UDP sport = 0\n");
u->uh_sport = 0;
(void) send_udp(nfd, 1500, ip, gwip);
@ -784,26 +779,26 @@ int ptest;
fflush(stdout);
PAUSE();
printf("4.3.2 UDP sport = 1\n");
u->uh_sport = 1;
u->uh_sport = htons(1);
(void) send_udp(nfd, 1500, ip, gwip);
printf("1\n");
fflush(stdout);
PAUSE();
printf("4.3.3 UDP sport = 32767\n");
u->uh_sport = 32767;
u->uh_sport = htons(32767);
(void) send_udp(nfd, 1500, ip, gwip);
printf("32767\n");
fflush(stdout);
PAUSE();
printf("4.3.4 UDP sport = 32768\n");
u->uh_sport = 32768;
u->uh_sport = htons(32768);
(void) send_udp(nfd, 1500, ip, gwip);
printf("32768\n");
putchar('\n');
fflush(stdout);
PAUSE();
printf("4.3.5 UDP sport = 65535\n");
u->uh_sport = 65535;
u->uh_sport = htons(65535);
(void) send_udp(nfd, 1500, ip, gwip);
printf("65535\n");
fflush(stdout);
@ -815,9 +810,9 @@ int ptest;
* Test 4: dport = 0, dport = 1, dport = 32767
* dport = 32768, dport = 65535
*/
u->uh_ulen = sizeof(*u) + 4;
u->uh_sport = 1;
ip->ip_len = (ip->ip_hl << 2) + u->uh_ulen;
u->uh_ulen = ntohs(sizeof(*u) + 4);
u->uh_sport = htons(1);
ip->ip_len = (ip->ip_hl << 2) + ntohs(u->uh_ulen);
printf("4.4.1 UDP dport = 0\n");
u->uh_dport = 0;
(void) send_udp(nfd, 1500, ip, gwip);
@ -825,25 +820,25 @@ int ptest;
fflush(stdout);
PAUSE();
printf("4.4.2 UDP dport = 1\n");
u->uh_dport = 1;
u->uh_dport = htons(1);
(void) send_udp(nfd, 1500, ip, gwip);
printf("1\n");
fflush(stdout);
PAUSE();
printf("4.4.3 UDP dport = 32767\n");
u->uh_dport = 32767;
u->uh_dport = htons(32767);
(void) send_udp(nfd, 1500, ip, gwip);
printf("32767\n");
fflush(stdout);
PAUSE();
printf("4.4.4 UDP dport = 32768\n");
u->uh_dport = 32768;
u->uh_dport = htons(32768);
(void) send_udp(nfd, 1500, ip, gwip);
printf("32768\n");
fflush(stdout);
PAUSE();
printf("4.4.5 UDP dport = 65535\n");
u->uh_dport = 65535;
u->uh_dport = htons(65535);
(void) send_udp(nfd, 1500, ip, gwip);
printf("65535\n");
fflush(stdout);
@ -856,7 +851,7 @@ int ptest;
* sizeof(ip_t)
*/
printf("4.5 UDP 20 <= MTU <= 32\n");
for (i = sizeof(*ip); i <= u->uh_ulen; i++) {
for (i = sizeof(*ip); i <= ntohs(u->uh_ulen); i++) {
(void) send_udp(nfd, i, ip, gwip);
printf("%d\r", i);
fflush(stdout);
@ -885,12 +880,12 @@ int ptest;
t->th_x2 = 0;
#endif
t->th_off = 0;
t->th_sport = 1;
t->th_dport = 1;
t->th_win = 4096;
t->th_sport = htons(1);
t->th_dport = htons(1);
t->th_win = htons(4096);
t->th_urp = 0;
t->th_sum = 0;
t->th_seq = 1;
t->th_seq = htonl(1);
t->th_ack = 0;
ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t);
nfd = initdevice(dev, t->th_sport, 1);
@ -919,37 +914,37 @@ int ptest;
* seq = 0xa000000, seq = 0xffffffff
*/
printf("5.2.1 TCP seq = 0\n");
t->th_seq = 0;
t->th_seq = htonl(0);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.2.2 TCP seq = 1\n");
t->th_seq = 1;
t->th_seq = htonl(1);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.2.3 TCP seq = 0x7fffffff\n");
t->th_seq = 0x7fffffff;
t->th_seq = htonl(0x7fffffff);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.2.4 TCP seq = 0x80000000\n");
t->th_seq = 0x80000000;
t->th_seq = htonl(0x80000000);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.2.5 TCP seq = 0xc0000000\n");
t->th_seq = 0xc0000000;
t->th_seq = htonl(0xc0000000);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.2.6 TCP seq = 0xffffffff\n");
t->th_seq = 0xffffffff;
t->th_seq = htonl(0xffffffff);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
@ -968,31 +963,31 @@ int ptest;
PAUSE();
printf("5.3.2 TCP ack = 1\n");
t->th_ack = 1;
t->th_ack = htonl(1);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.3.3 TCP ack = 0x7fffffff\n");
t->th_ack = 0x7fffffff;
t->th_ack = htonl(0x7fffffff);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.3.4 TCP ack = 0x80000000\n");
t->th_ack = 0x80000000;
t->th_ack = htonl(0x80000000);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.3.5 TCP ack = 0xc0000000\n");
t->th_ack = 0xc0000000;
t->th_ack = htonl(0xc0000000);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.3.6 TCP ack = 0xffffffff\n");
t->th_ack = 0xffffffff;
t->th_ack = htonl(0xffffffff);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
@ -1004,19 +999,19 @@ int ptest;
* Test 4: win = 0, win = 32768, win = 65535
*/
printf("5.4.1 TCP win = 0\n");
t->th_seq = 0;
t->th_seq = htonl(0);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.4.2 TCP win = 32768\n");
t->th_seq = 0x7fff;
t->th_seq = htonl(0x7fff);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.4.3 TCP win = 65535\n");
t->th_win = 0xffff;
t->th_win = htons(0xffff);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
@ -1061,7 +1056,7 @@ int ptest;
}
KMCPY(&tcb, tcbp, sizeof(tcb));
ti.ti_win = tcb.rcv_adv;
ti.ti_seq = tcb.snd_nxt - 1;
ti.ti_seq = htonl(tcb.snd_nxt - 1);
ti.ti_ack = tcb.rcv_nxt;
if (!ptest || (ptest == 5)) {
@ -1075,7 +1070,7 @@ int ptest;
(void) send_tcp(nfd, mtu, ip, gwip);
PAUSE();
t->th_seq = tcb.snd_nxt;
t->th_seq = htonl(tcb.snd_nxt);
ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t) + 1;
t->th_urp = htons(0x7fff);
(void) send_tcp(nfd, mtu, ip, gwip);
@ -1086,7 +1081,7 @@ int ptest;
t->th_urp = htons(0xffff);
(void) send_tcp(nfd, mtu, ip, gwip);
PAUSE();
t->th_urp = htons(0);
t->th_urp = 0;
t->th_flags &= ~TH_URG;
ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t);
}
@ -1112,8 +1107,8 @@ int ptest;
}
skip_five_and_six:
#endif
t->th_seq = 1;
t->th_ack = 1;
t->th_seq = htonl(1);
t->th_ack = htonl(1);
t->th_off = 0;
if (!ptest || (ptest == 7)) {
@ -1129,32 +1124,32 @@ int ptest;
PAUSE();
printf("5.7.2 TCP sport = 1\n");
t->th_sport = 1;
t->th_sport = htons(1);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.7.3 TCP sport = 32767\n");
t->th_sport = 32767;
t->th_sport = htons(32767);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.7.4 TCP sport = 32768\n");
t->th_sport = 32768;
t->th_sport = htons(32768);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.7.5 TCP sport = 65535\n");
t->th_sport = 65535;
t->th_sport = htons(65535);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
}
if (!ptest || (ptest == 8)) {
t->th_sport = 1;
t->th_sport = htons(1);
t->th_flags = TH_SYN;
/*
* Test 8: dport = 0, dport = 1, dport = 32767
@ -1167,25 +1162,25 @@ int ptest;
PAUSE();
printf("5.8.2 TCP dport = 1\n");
t->th_dport = 1;
t->th_dport = htons(1);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.8.3 TCP dport = 32767\n");
t->th_dport = 32767;
t->th_dport = htons(32767);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.8.4 TCP dport = 32768\n");
t->th_dport = 32768;
t->th_dport = htons(32768);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
printf("5.8.5 TCP dport = 65535\n");
t->th_dport = 65535;
t->th_dport = htons(65535);
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
PAUSE();
@ -1229,14 +1224,12 @@ int ptest;
ip->ip_p = IPPROTO_UDP;
ip->ip_sum = 0;
u = (udphdr_t *)(ip + 1);
u->uh_sport = 1;
u->uh_dport = 9;
u->uh_sport = htons(1);
u->uh_dport = htons(9);
u->uh_sum = 0;
nfd = initdevice(dev, u->uh_sport, 1);
u->uh_sport = htons(u->uh_sport);
u->uh_dport = htons(u->uh_dport);
u->uh_ulen = 7168;
u->uh_ulen = htons(7168);
printf("6. Exhaustive mbuf test.\n");
printf(" Send 7k packet in 768 & 128 byte fragments, 128 times.\n");
@ -1247,7 +1240,7 @@ int ptest;
*/
ip->ip_len = sizeof(*ip) + 768 + sizeof(*u);
ip->ip_hl = sizeof(*ip) >> 2;
ip->ip_off = IP_MF;
ip->ip_off = htons(IP_MF);
(void) send_ip(nfd, 1500, ip, gwip, 1);
printf("%d %d\r", i, 0);
fflush(stdout);
@ -1256,7 +1249,7 @@ int ptest;
* And again using 128 byte chunks.
*/
ip->ip_len = sizeof(*ip) + 128 + sizeof(*u);
ip->ip_off = IP_MF;
ip->ip_off = htons(IP_MF);
(void) send_ip(nfd, 1500, ip, gwip, 1);
printf("%d %d\r", i, 0);
fflush(stdout);
@ -1264,7 +1257,7 @@ int ptest;
for (j = 768; j < 3584; j += 768) {
ip->ip_len = sizeof(*ip) + 768;
ip->ip_off = IP_MF|(j>>3);
ip->ip_off = htons(IP_MF|(j>>3));
(void) send_ip(nfd, 1500, ip, gwip, 1);
printf("%d %d\r", i, j);
fflush(stdout);
@ -1272,7 +1265,7 @@ int ptest;
ip->ip_len = sizeof(*ip) + 128;
for (k = j - 768; k < j; k += 128) {
ip->ip_off = IP_MF|(k>>3);
ip->ip_off = htons(IP_MF|(k>>3));
(void) send_ip(nfd, 1500, ip, gwip, 1);
printf("%d %d\r", i, k);
fflush(stdout);
@ -1326,7 +1319,7 @@ int ptest;
for (s = (u_char *)pip, j = 0; j < sizeof(tbuf); j++, s++)
*s = (rand() >> 13) & 0xff;
pip->ip_v = IPVERSION;
pip->ip_off &= 0xc000;
pip->ip_off &= htons(0xc000);
bcopy((char *)&ip->ip_dst, (char *)&pip->ip_dst,
sizeof(struct in_addr));
pip->ip_sum = 0;


@ -3,6 +3,7 @@
ipf \- packet filtering kernel interface
.SH SYNOPSIS
#include <netinet/ip_compat.h>
.br
#include <netinet/ip_fil.h>
.SH IOCTLS
.PP
@ -200,5 +201,13 @@ struct filterstats {
#endif
};
.fi
.SH FILES
/dev/ipauth
.br
/dev/ipl
.br
/dev/ipnat
.br
/dev/ipstate
.SH SEE ALSO
ipfstat(8), ipf(8), ipf(5)
ipl(4), ipnat(4), ipf(5), ipf(8), ipfstat(8)


@ -1,6 +1,6 @@
.TH IPF 5
.SH NAME
ipf \- IP packet filter rule syntax
ipf, ipf.conf \- IP packet filter rule syntax
.SH DESCRIPTION
.PP
A rule file for \fBipf\fP may have any name or even be stdin. As
@ -477,8 +477,14 @@ Note, that if we wanted to say "port = telnet", "proto tcp" would
need to be specified as the parser interprets each rule on its own and
qualifies all service/port names with the protocol specified.
.SH FILES
/etc/services
/dev/ipauth
.br
/dev/ipl
.br
/dev/ipstate
.br
/etc/hosts
.br
/etc/services
.SH SEE ALSO
ipf(8), ipftest(1), mkfilters(1), ipmon(8)
ipftest(1), iptest(1), mkfilters(1), ipf(4), ipnat(5), ipf(8), ipfstat(8)


@ -66,7 +66,7 @@ lists.
.B \-I
Set the list to make changes to the inactive list.
.TP
.B \-l \0<param>
.B \-l \0<pass|block|nomatch>
Use of the \fB-l\fP flag toggles default logging of packets. Valid
arguments to this option are \fBpass\fP, \fBblock\fP and \fBnomatch\fP.
When an option is set, any packet which exits filtering and matches the
@ -106,12 +106,18 @@ display the statistics prior to them being zero'd.
Zero global statistics held in the kernel for filtering only (this doesn't
affect fragment or state statistics).
.DT
.SH FILES
/dev/ipauth
.br
/dev/ipl
.br
/dev/ipstate
.SH SEE ALSO
ipfstat(8), ipftest(1), ipf(5), mkfilters(1)
ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8), ipnat(8)
.SH DIAGNOSTICS
.PP
Needs to be run as root for the packet filtering lists to actually
be affected inside the kernel.
.SH BUGS
.PP
If you find any, please send email to me at darrenr@cyber.com.au
If you find any, please send email to me at darrenr@pobox.com


@ -69,6 +69,10 @@ kernel.
.SH FILES
/dev/kmem
.br
/dev/ipl
.br
/dev/ipstate
.br
/vmunix
.SH SEE ALSO
ipf(8)


@ -1,4 +1,4 @@
.TH ipftest 8
.TH ipftest 1
.SH NAME
ipftest \- test packet filter rules with arbitary input.
.SH SYNOPSIS
@ -119,9 +119,8 @@ Specify the filename from which to take input. Default is stdin.
.TP
.BR \-r \0<filename>
Specify the filename from which to read filter rules.
.SH FILES
.SH SEE ALSO
ipf(8), ipf(5), snoop(1m), tcpdump(8), etherfind(8c)
ipf(5), ipf(8), snoop(1m), tcpdump(8), etherfind(8c)
.SH BUGS
Not all of the input formats are sufficiently capable of introducing a
wide enough variety of packets for them to be all useful in testing.


@ -101,6 +101,10 @@ saved and will abort if it fails an assertion which detects an anomoly in the
recorded data.
.SH FILES
/dev/ipl
.br
/dev/ipnat
.br
/dev/ipstate
.SH SEE ALSO
ipf(8), ipfstat(8)
ipl(4), ipf(8), ipfstat(8), ipnat(8)
.SH BUGS


@ -41,5 +41,7 @@ Remove matching NAT rules rather than add them to the internal lists
.B \-v
Turn verbose mode on. Displays information relating to rule processing.
.DT
.SH FILES
/dev/ipnat
.SH SEE ALSO
ipfstat(1), ipftest(8), ipf(8), ipnat(5)
ipnat(5), ipf(8), ipfstat(8)


@ -3,8 +3,11 @@
ipnat \- Network Address Translation kernel interface
.SH SYNOPSIS
#include <netinet/ip_compat.h>
.br
#include <netinet/ip_fil.h>
.br
#include <netinet/ip_proxy.h>
.br
#include <netinet/ip_nat.h>
.SH IOCTLS
.PP
@ -87,5 +90,7 @@ typedef struct natstat {
.SH BUGS
It would be nice if there were more flexibility when adding and deleting
filter rules.
.SH FILES
/dev/ipnat
.SH SEE ALSO
ipfstat(8), ipf(8), ipf(4), ipnat(5)
ipf(4), ipnat(5), ipf(8), ipnat(8), ipfstat(8)


@ -1,6 +1,6 @@
.TH IPNAT 5
.SH NAME
ipnat \- IP NAT file format
ipnat, ipnat.conf \- IP NAT file format
.SH DESCRIPTION
The format for files accepted by ipnat is described by the following grammar:
.LP
@ -37,10 +37,10 @@ range of port numbers to remap into given as \fBport-number:port-number\fP.
.SH Examples
.PP
To change IP#'s used internally from network 10 into an ISP provided 8 bit
subnet at 209.1.2.0, the following would be used:
subnet at 209.1.2.0 through the ppp0 interface, the following would be used:
.LP
.nf
map 10.0.0.0/8 -> 209.1.2.0/24
map ppp0 10.0.0.0/8 -> 209.1.2.0/24
.fi
.PP
The obvious problem here is we're trying to squeeze over 16,000,000 IP
@ -48,7 +48,7 @@ addresses into a 254 address space. To increase the scope, remapping for TCP
and/or UDP, port remapping can be used;
.LP
.nf
map 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
.fi
.PP
which falls only 527,566 `addresses' short of the space available in network
@ -56,15 +56,17 @@ which falls only 527,566 `addresses' short of the space available in network
follows:
.LP
.nf
map 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
map 10.0.0.0/8 -> 209.1.2.0/24
map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
map ppp0 10.0.0.0/8 -> 209.1.2.0/24
.fi
.PP
so that all TCP/UDP packets were port mapped and only other protocols, such as
ICMP, only have their IP# changed.
.SH FILES
/dev/ipnat
.br
/etc/services
.br
/etc/hosts
.SH SEE ALSO
ipnat(1), ipf(5), ipnat(4)
ipnat(4), hosts(5), ipf(5), services(5), ipf(8), ipnat(8)


@ -27,6 +27,9 @@
# include <sys/kernel.h>
# ifdef DEVFS
# include <sys/devfsext.h>
# if defined(IPFILTER) && defined(_KERNEL)
# include "opt_devfs.h"
# endif
# endif /*DEVFS*/
#endif
#include <sys/conf.h>
@ -375,7 +378,8 @@ static void ipl_drvinit __P((void *unused))
}
}
# ifdef IPFILTER_LKM
# if defined(IPFILTER_LKM) || \
defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
SYSINIT(ipldev,SI_SUB_DRIVERS,SI_ORDER_MIDDLE+CDEV_MAJOR,ipl_drvinit,NULL)
# endif /* IPFILTER_LKM */
#endif /* _FreeBSD_version */
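Review bot: The new condition `# if defined(IPFILTER_LKM) || defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)` mixes `||` and `&&` without parentheses, and the trailer `# endif /* IPFILTER_LKM */` on the line after the SYSINIT now names only half of what it closes. Since `&&` binds tighter the expression does mean "LKM build, or a kernel of at least 220000", which looks like the intent, but it should be written `# if defined(IPFILTER_LKM) || \` / `(defined(__FreeBSD_version) && (__FreeBSD_version >= 220000))` so that neither the reader nor `-Wparentheses` has to work it out, with the closing comment updated to `# endif /* IPFILTER_LKM || __FreeBSD_version >= 220000 */`. The `#include "opt_devfs.h"` guard in the first hunk is consistent with the surrounding `DEVFS` block as far as the hunk shows. `ipl_drvinit` itself begins outside the hunk.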


@ -48,6 +48,9 @@
#include "ip_compat.h"
#include "ip_fil.h"
#if !defined(__NetBSD_Version__) || __NetBSD_Version__ < 103050000
#define vn_lock(v,f) VOP_LOCK(v)
#endif
#if !defined(VOP_LEASE) && defined(LEASE_CHECK)
#define VOP_LEASE LEASE_CHECK
@ -179,7 +182,7 @@ static int ipl_remove()
if ((error = namei(&nd)))
return (error);
VOP_LEASE(nd.ni_vp, curproc, curproc->p_ucred, LEASE_WRITE);
VOP_LOCK(nd.ni_vp);
vn_lock(nd.ni_vp, LK_EXCLUSIVE | LK_RETRY);
VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
(void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd);
}
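Review bot: The compatibility macro `#define vn_lock(v,f) VOP_LOCK(v)` silently discards its flags argument and says nothing about why the cut-off is `__NetBSD_Version__ < 103050000`; a one-line comment at the definition would spare the next reader the archaeology, e.g. `/* older NetBSD has no vn_lock(); VOP_LOCK() takes no flags, so f is ignored */`. In the second hunk the return value of `vn_lock(nd.ni_vp, LK_EXCLUSIVE | LK_RETRY)` is not checked before `VOP_REMOVE` runs, exactly as the old `VOP_LOCK` call was unchecked; with `LK_RETRY` a failure is presumably rare, but it is worth a deliberate decision rather than inheritance. `ipl_remove` begins outside the hunk.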


@ -35,7 +35,7 @@
#if !defined(lint)
static const char sccsid[] ="@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed";
static const char rcsid[] = "@(#)$Id: parse.c,v 2.0.2.18.2.1 1997/11/20 12:43:49 darrenr Exp $";
static const char rcsid[] = "@(#)$Id: parse.c,v 2.0.2.18.2.5 1998/05/23 19:20:33 darrenr Exp $";
#endif
extern struct ipopt_names ionames[], secclass[];
@ -57,7 +57,7 @@ int icmpcode __P((char *)), addkeep __P((char ***, struct frentry *));
int to_interface __P((frdest_t *, char *));
void print_toif __P((char *, frdest_t *));
void optprint __P((u_short, u_short, u_long, u_long));
int countbits __P((u_long));
int countbits __P((u_32_t));
char *portname __P((int, int));
@ -475,12 +475,21 @@ char *line;
/*
* lazy users...
*/
if (!fil.fr_proto && !(fil.fr_ip.fi_fl & FI_TCPUDP) &&
(fil.fr_dcmp || fil.fr_scmp || fil.fr_tcpf)) {
(void)fprintf(stderr,
"no protocol given for TCP/UDP comparisons\n");
if ((fil.fr_tcpf || fil.fr_tcpfm) && fil.fr_proto != IPPROTO_TCP) {
(void)fprintf(stderr, "TCP protocol not specified\n");
return NULL;
}
if (!(fil.fr_ip.fi_fl & FI_TCPUDP) && (fil.fr_proto != IPPROTO_TCP) &&
(fil.fr_proto != IPPROTO_UDP) && (fil.fr_dcmp || fil.fr_scmp)) {
if (!fil.fr_proto) {
fil.fr_ip.fi_fl |= FI_TCPUDP;
fil.fr_mip.fi_fl |= FI_TCPUDP;
} else {
(void)fprintf(stderr,
"port comparisons for non-TCP/UDP\n");
return NULL;
}
}
/*
if ((fil.fr_flags & FR_KEEPFRAG) &&
(!(fil.fr_ip.fi_fl & FI_FRAG) || !(fil.fr_ip.fi_fl & FI_FRAG))) {
@ -621,7 +630,7 @@ int *resolved;
fprintf(stderr, "can't resolve hostname: %s\n", host);
return 0;
}
return np->n_net;
return htonl(np->n_net);
}
return *(u_32_t *)hp->h_addr;
}
@ -980,7 +989,6 @@ struct frentry *fp;
fp->fr_proto = IPPROTO_ICMP;
if (isdigit(***cp)) {
i = atoi(**cp);
(*cp)++;
} else {
for (t = icmptypes, i = 0; ; t++, i++) {
if (!*t)
@ -1082,9 +1090,9 @@ struct frentry *fp;
* of bits.
*/
int countbits(ip)
u_long ip;
u_32_t ip;
{
u_long ipn;
u_32_t ipn;
int cnt = 0, i, j;
ip = ipn = ntohl(ip);
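Review bot: The second new block in the `@@ -475,12 +475,21 @@` hunk silently rewrites a rule: a line that gives port comparisons but no protocol now has `FI_TCPUDP` set in `fil.fr_ip.fi_fl` and `fil.fr_mip.fi_fl` and is accepted, where the removed code rejected it with "no protocol given for TCP/UDP comparisons", so a rule written without `proto` now matches only TCP/UDP with nothing telling the author that its scope changed. The `lazy users...` comment above it should state that contract, e.g. `/* port comparisons with no protocol are taken to mean "proto tcp/udp" */`, and a notice on stderr in that branch would let people who relied on the old rejection see what their rule became. The tightened check `if ((fil.fr_tcpf || fil.fr_tcpfm) && fil.fr_proto != IPPROTO_TCP)` looks right, since TCP flag tests only make sense for TCP. In the later hunk, `return htonl(np->n_net);` fixes the byte order, but whether `n_net` from getnetbyname() is a full 32-bit address or a right-aligned network number varies between libcs, so the caller's handling of short network numbers deserves a look; that function begins outside the hunk.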


@ -48,7 +48,7 @@ pass out quick on lo0 all
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
# Prevent IP spoofing.
#


@ -33,7 +33,7 @@ block out log on ed0 all head 250
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
# Prevent IP spoofing.
#


@ -6,7 +6,7 @@
* to the original author and the contributors.
*/
/* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/
#pragma ident "@(#)$Id: solaris.c,v 2.0.2.22.2.2 1997/11/24 06:15:52 darrenr Exp $";
#pragma ident "@(#)$Id: solaris.c,v 2.0.2.22.2.4 1998/02/28 02:35:21 darrenr Exp $";
#include <sys/systm.h>
#include <sys/types.h>
@ -190,15 +190,16 @@ static int ipf_attach(dip, cmd)
dev_info_t *dip;
ddi_attach_cmd_t cmd;
{
#ifdef IPFDEBUG
int instance;
#ifdef IPFDEBUG
cmn_err(CE_NOTE, "IP Filter: ipf_attach(%x,%x)", dip, cmd);
#endif
switch (cmd) {
case DDI_ATTACH:
instance = ddi_get_instance(dip);
#ifdef IPFDEBUG
instance = ddi_get_instance(dip);
cmn_err(CE_NOTE, "IP Filter: attach ipf instance %d", instance);
#endif
if (ddi_create_minor_node(dip, "ipf", S_IFCHR, IPL_LOGIPF,
@ -895,7 +896,7 @@ void solattach()
* Activate any rules directly associated with this interface
*/
mutex_enter(&ipf_mutex);
for (f = ipfilter[0][0]; f; f = f->fr_next) {
for (f = ipfilter[0][fr_active]; f; f = f->fr_next) {
if ((f->fr_ifa == (struct ifnet *)-1)) {
len = strlen(f->fr_ifname)+1; /* includes \0 */
if (len && (len == il->ill_name_length) &&
@ -903,7 +904,7 @@ void solattach()
f->fr_ifa = il;
}
}
for (f = ipfilter[1][0]; f; f = f->fr_next) {
for (f = ipfilter[1][fr_active]; f; f = f->fr_next) {
if ((f->fr_ifa == (struct ifnet *)-1)) {
len = strlen(f->fr_ifname)+1; /* includes \0 */
if (len && (len == il->ill_name_length) &&
@ -996,10 +997,10 @@ int ipfsync()
np->in_ifp = (struct ifnet *)-1;
mutex_exit(&ipf_nat);
mutex_enter(&ipf_mutex);
for (f = ipfilter[0][0]; f; f = f->fr_next)
for (f = ipfilter[0][fr_active]; f; f = f->fr_next)
if (f->fr_ifa == (void *)qif->qf_ill)
f->fr_ifa = (struct ifnet *)-1;
for (f = ipfilter[1][0]; f; f = f->fr_next)
for (f = ipfilter[1][fr_active]; f; f = f->fr_next)
if (f->fr_ifa == (void *)qif->qf_ill)
f->fr_ifa = (struct ifnet *)-1;
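Review bot: In `ipf_attach` the declaration `int instance;` was moved outside `#ifdef IPFDEBUG` while the only assignment visible, `instance = ddi_get_instance(dip);`, was moved inside it, so a non-debug build declares a variable it never touches unless `instance` is used further down the function beyond the hunk. If it is used later, the assignment must stay unconditional, i.e. `instance = ddi_get_instance(dip);` before the `#ifdef IPFDEBUG` with only the `cmn_err` call guarded; if it is not, the declaration belongs back inside the `#ifdef`. The `ipfilter[0][fr_active]` / `ipfilter[1][fr_active]` changes in `solattach` and `ipfsync` make the interface binding consult the active rule set instead of always set 0, and both loops run under `ipf_mutex` as the hunks show. `ipf_attach` ends outside its hunk.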


@ -1,11 +1,11 @@
in tcp 1.1.1.1,1 2.1.2.2,23 S
in tcp 1.1.1.1,1 2.1.2.2,23 A
in tcp 2.1.2.2,23 1.1.1.1,1 A
in tcp 1.1.1.1,1 2.1.2.2,23 F
in tcp 1.1.1.1,1 2.1.2.2,23 A
in tcp 1.1.1.1,2 2.1.2.2,23 A
in udp 1.1.1.1,1 4.4.4.4,53
in udp 2.2.2.2,2 4.4.4.4,53
in udp 4.4.4.4,53 1.1.1.1,1
in udp 4.4.4.4,1023 1.1.1.1,2049
in udp 4.4.4.4,2049 1.1.1.1,1023
in on e0 tcp 1.1.1.1,1 2.1.2.2,23 S
in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A
in on e1 tcp 2.1.2.2,23 1.1.1.1,1 A
in on e0 tcp 1.1.1.1,1 2.1.2.2,23 F
in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A
in on e0 tcp 1.1.1.1,2 2.1.2.2,23 A
in on e1 udp 1.1.1.1,1 4.4.4.4,53
in on e1 udp 2.2.2.2,2 4.4.4.4,53
in on e0 udp 4.4.4.4,53 1.1.1.1,1
in on e0 udp 4.4.4.4,1023 1.1.1.1,2049
in on e0 udp 4.4.4.4,2049 1.1.1.1,1023


@ -1,18 +1,18 @@
block in from any to any and not ipopts
pass in from any to any and not opt sec-class topsecret
block in from any to any and not opt ssrr,sec-class topsecret
pass in from any to any and not opt ssrr,sec-class topsecret
block in from any to any and not opt ts,sec-class topsecret
pass in from any to any and not opt ts,sec-class topsecret
block in from any to any and not opt sec-class secret
pass in from any to any and not opt sec-class secret
block in from any to any and not opt lsrr,ssrr
pass in from any to any and not opt lsrr,ssrr
pass in from any to any and not ipopts
block in from any to any and not opt lsrr
pass in from any to any and not opt lsrr
block in from any to any and not opt ssrr,ts
pass in from any to any and not opt ssrr,ts
block in from any to any and not opt rr
pass in from any to any and not opt rr
block in from any to any and not opt sec-class topsecret
block in from any to any with not ipopts
pass in from any to any with not opt sec-class topsecret
block in from any to any with not opt ssrr,sec-class topsecret
pass in from any to any with not opt ssrr,sec-class topsecret
block in from any to any with not opt ts,sec-class topsecret
pass in from any to any with not opt ts,sec-class topsecret
block in from any to any with not opt sec-class secret
pass in from any to any with not opt sec-class secret
block in from any to any with not opt lsrr,ssrr
pass in from any to any with not opt lsrr,ssrr
pass in from any to any with not ipopts
block in from any to any with not opt lsrr
pass in from any to any with not opt lsrr
block in from any to any with not opt ssrr,ts
pass in from any to any with not opt ssrr,ts
block in from any to any with not opt rr
pass in from any to any with not opt rr
block in from any to any with not opt sec-class topsecret


@ -34,3 +34,8 @@ done
* ipfsync() should change IP#'s in current mappings as well as what's
in rules.
document bimap
document NAT rule order processing
add more docs