From 9b632708fe7d7ae0badd09f08d11857ca24400f7 Mon Sep 17 00:00:00 2001 
From: Peter Wemm Date: Sat, 20 Jun 1998 18:29:38 +0000 Subject: [PATCH] Import trimmed version of ipfilter 3.2.7. Obtained from: Darren Reed via http://cheops.anu.edu.au/~avalon/ --- contrib/ipfilter/COMPILE.2.5 | 4 + .../ipfilter/FWTK/fwtk-2.1-transparency.txt | 707 ++++++++++++++++++ contrib/ipfilter/FreeBSD-2.2/files.diffs | 10 +- contrib/ipfilter/HISTORY | 56 ++ contrib/ipfilter/IMPORTANT | 2 +- contrib/ipfilter/INST.FreeBSD-2.2 | 4 +- contrib/ipfilter/INSTALL.FreeBSD | 3 +- contrib/ipfilter/INSTALL.Linux | 11 +- contrib/ipfilter/INSTALL.NetBSD | 12 +- contrib/ipfilter/INSTALL.Sol2 | 2 +- contrib/ipfilter/INSTALL.SunOS | 8 +- contrib/ipfilter/INSTALL.xBSD | 9 +- contrib/ipfilter/Makefile | 50 +- contrib/ipfilter/README | 4 +- contrib/ipfilter/Y2K | 3 + contrib/ipfilter/buildsunos | 17 +- contrib/ipfilter/fil.c | 62 +- contrib/ipfilter/ip_auth.c | 5 +- contrib/ipfilter/ip_compat.h | 14 +- contrib/ipfilter/ip_fil.c | 7 +- contrib/ipfilter/ip_fil.h | 3 +- contrib/ipfilter/ip_frag.h | 3 +- contrib/ipfilter/ip_ftp_pxy.c | 14 +- contrib/ipfilter/ip_nat.c | 20 +- contrib/ipfilter/ip_nat.h | 11 +- contrib/ipfilter/ip_proxy.c | 42 +- contrib/ipfilter/ip_state.c | 148 +++- contrib/ipfilter/ip_state.h | 16 +- contrib/ipfilter/ipf.c | 38 +- contrib/ipfilter/ipft_tx.c | 8 +- contrib/ipfilter/ipl.h | 2 +- contrib/ipfilter/iplang/iplang_l.l | 269 +++---- contrib/ipfilter/iplang/iplang_y.y | 53 +- contrib/ipfilter/ipmon.c | 124 ++- contrib/ipfilter/ipnat.c | 40 +- contrib/ipfilter/ipsd/README | 2 +- contrib/ipfilter/ipsend/README | 2 +- contrib/ipfilter/ipsend/ip.c | 5 +- contrib/ipfilter/ipsend/ipresend.1 | 4 +- contrib/ipfilter/ipsend/ipsend.1 | 2 +- contrib/ipfilter/ipsend/ipsend.5 | 7 +- contrib/ipfilter/ipsend/ipsend.c | 4 +- contrib/ipfilter/ipsend/iptest.1 | 4 +- contrib/ipfilter/ipsend/iptests.c | 179 +++-- contrib/ipfilter/man/ipf.4 | 11 +- contrib/ipfilter/man/ipf.5 | 12 +- contrib/ipfilter/man/ipf.8 | 12 +- contrib/ipfilter/man/ipfstat.8 | 4 + 
contrib/ipfilter/man/ipftest.1 | 5 +- contrib/ipfilter/man/ipmon.8 | 6 +- contrib/ipfilter/man/ipnat.1 | 4 +- contrib/ipfilter/man/ipnat.4 | 7 +- contrib/ipfilter/man/ipnat.5 | 16 +- contrib/ipfilter/mlf_ipl.c | 6 +- contrib/ipfilter/mln_ipl.c | 5 +- contrib/ipfilter/parse.c | 28 +- contrib/ipfilter/rules/BASIC_1.FW | 2 +- contrib/ipfilter/rules/BASIC_2.FW | 2 +- contrib/ipfilter/solaris.c | 15 +- contrib/ipfilter/test/input/11 | 22 +- contrib/ipfilter/test/regress/10 | 36 +- contrib/ipfilter/todo | 5 + 62 files changed, 1644 insertions(+), 544 deletions(-) create mode 100644 contrib/ipfilter/FWTK/fwtk-2.1-transparency.txt create mode 100644 contrib/ipfilter/Y2K diff --git a/contrib/ipfilter/COMPILE.2.5 b/contrib/ipfilter/COMPILE.2.5 index 6e96665f9c76..45442c5a4051 100644 --- a/contrib/ipfilter/COMPILE.2.5 +++ b/contrib/ipfilter/COMPILE.2.5 @@ -1,3 +1,7 @@ +If you have BOTH GNU make and the normal make shipped with your system, +DO NOT use the GNU make to build this package. If you have any errors +relating to "(" or "TOP", check that you are using /usr/ccs/bin/make as +shipped with Solaris 2. If you get the following error whilst compiling: diff --git a/contrib/ipfilter/FWTK/fwtk-2.1-transparency.txt b/contrib/ipfilter/FWTK/fwtk-2.1-transparency.txt new file mode 100644 index 000000000000..2e719383f32b --- /dev/null +++ b/contrib/ipfilter/FWTK/fwtk-2.1-transparency.txt 
@@ -0,0 +1,707 @@ +diff -c -r ./ftp-gw/ftp-gw.c ../../fwtk-2.1-violated/fwtk/ftp-gw/ftp-gw.c +*** ./ftp-gw/ftp-gw.c Thu Feb 5 19:05:43 1998 +--- ../../fwtk-2.1-violated/fwtk/ftp-gw/ftp-gw.c Thu May 21 17:36:09 1998 +*************** +*** 44,49 **** +--- 44,51 ---- + + extern char *optarg; + ++ char *getdsthost(); ++ + #include "firewall.h" + + +*************** +*** 88,93 **** +--- 90,97 ---- + static int cmdcnt = 0; + static int timeout = PROXY_TIMEOUT; + ++ static int do_transparent = 0; ++ + + static int cmd_user(); + static int cmd_authorize(); +*************** +*** 101,106 **** +--- 105,111 ---- + static int cmd_passthru(); + static void saveline(); + static void flushsaved(); ++ static int connectdest(); + + #define OP_CONN 001 /* only valid if connected */ + #define OP_WCON 002 /* writethrough if connected */ +*************** +*** 173,178 **** +--- 178,184 ---- + char xuf[1024]; + char huf[512]; + char *passuser = (char *)0; /* passed user as av */ ++ char *psychic, *hotline; + + #ifndef LOG_DAEMON + openlog("ftp-gw",LOG_PID); +*************** +*** 317,322 **** +--- 323,332 ---- + } else + timeout = PROXY_TIMEOUT; + ++ psychic = getdsthost(0, NULL); ++ if (psychic) ++ do_transparent++; ++ + /* display a welcome file or message */ + if(passuser == (char *)0) { + if((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) { +*************** +*** 324,329 **** +--- 334,345 ---- + syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln); + exit(1); + } ++ if (do_transparent) { ++ if (sayfile2(0, cf->argv[0], 220)) { ++ syslog(LLEV,"fwtksyserr: cannot display welcome %.512s: %m",cf->argv[0]); ++ exit(1); ++ } ++ } else + if(sayfile(0,cf->argv[0],220)) { + syslog(LLEV,"fwtksyserr: cannot display welcome %.512s: %m",cf->argv[0]); + exit(1); +*************** +*** 336,341 **** +--- 352,360 ---- + if(say(0,"220-Proxy first requires authentication")) + exit(1); + ++ if (do_transparent) ++ sprintf(xuf, "220-%s FTP proxy (Version %s) ready.",huf, 
FWTK_VERSION_MINOR); ++ else + sprintf(xuf, "220 %s FTP proxy (Version %s) ready.",huf, FWTK_VERSION_MINOR); + if(say(0,xuf)) + exit(1); +*************** +*** 357,362 **** +--- 376,384 ---- + exit(1); + } + ++ if (do_transparent) ++ connectdest(psychic, 21); ++ + /* main loop */ + while(1) { + FD_ZERO(&rdy); +*************** +*** 653,658 **** +--- 675,696 ---- + return(sayn(0,noad,sizeof(noad)-1)); + } + ++ if (do_transparent) { ++ if((rfd == (-1)) && (x = connectdest(dest,port))) ++ return x; ++ ++ sprintf(buf,"USER %s",user); ++ ++ if (say(rfd, buf)) ++ return(1); ++ ++ x = getresp(rfd, buf, sizeof(buf), 1); ++ if (sendsaved(0, x)) ++ return(1); ++ ++ return(say(0, buf)); ++ } ++ + if(*dest == '\0') + dest = "localhost"; + +*************** +*** 694,705 **** + char ebuf[512]; + + strcpy(ebuf,buf); +! sprintf(buf,"521 %s: %s",dest,ebuf); + rfd = -1; + return(say(0,buf)); + } +! sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest); +! saveline(buf); + + /* we are now connected and need to try the autologin thing */ + x = getresp(rfd,buf,sizeof(buf),1); +--- 732,748 ---- + char ebuf[512]; + + strcpy(ebuf,buf); +! if (do_transparent) +! sprintf(buf, "521 %s,%d: %s", dest, ntohs(port), ebuf); +! else +! sprintf(buf,"521 %s: %s",dest,ebuf); + rfd = -1; + return(say(0,buf)); + } +! if (!do_transparent) { +! sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest); +! saveline(buf); +! } + + /* we are now connected and need to try the autologin thing */ + x = getresp(rfd,buf,sizeof(buf),1); +*************** +*** 1889,1891 **** +--- 1932,2050 ---- + dup(nread); + } + #endif ++ ++ static int connectdest(dest, port) ++ char *dest; ++ short port; ++ { ++ char buf[1024], mbuf[512]; ++ int msg_int, x; ++ ++ if(*dest == '\0') ++ dest = "localhost"; ++ ++ if(validests != (char **)0) { ++ char **xp; ++ int x; ++ ++ for(xp = validests; *xp != (char *)0; xp++) { ++ if(**xp == '!' 
&& hostmatch(*xp + 1,dest)) { ++ return(baddest(0,dest)); ++ } else { ++ if(hostmatch(*xp,dest)) ++ break; ++ } ++ } ++ if(*xp == (char *)0) ++ return(baddest(0,dest)); ++ } ++ ++ /* Extended permissions processing goes in here for destination */ ++ if(extendperm) { ++ msg_int = auth_perm(confp, authuser, "ftp-gw", dest,(char *)0); ++ if(msg_int == 1) { ++ sprintf(mbuf,"Permission denied for user %s to connect to %s",authuser,dest); ++ syslog(LLEV,"deny host=%s/%s connect to %s user=%s",rladdr,riaddr,dest,authuser); ++ say(0,mbuf); ++ return(1); ++ } else { ++ if(msg_int == -1) { ++ sprintf(mbuf,"No match in netperm-table for %s to ftp to %s",authuser,dest); ++ say(0,mbuf); ++ return(1); ++ } ++ } ++ } ++ ++ syslog(LLEV,"permit host=%s/%s connect to %s",rladdr,riaddr,dest); ++ ++ if((rfd = conn_server(dest,port,0,buf)) < 0) { ++ char ebuf[512]; ++ ++ strcpy(ebuf,buf); ++ if (do_transparent) ++ sprintf(buf,"521 %s,%d: %s",dest,ntohs(port),ebuf); ++ else ++ sprintf(buf,"521 %s: %s",dest,ebuf); ++ rfd = -1; ++ return(say(0,buf)); ++ } ++ if (!do_transparent) { ++ sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest); ++ saveline(buf); ++ } ++ ++ /* we are now connected and need to try the autologin thing */ ++ x = getresp(rfd,buf,sizeof(buf),1); ++ if(x / 100 != COMPLETE) { ++ sendsaved(0,-1); ++ return(say(0,buf)); ++ } ++ saveline(buf); ++ ++ sendsaved(0,-1); ++ return 0; ++ } ++ ++ /* quick hack */ ++ sayfile2(fd,fn,code) ++ int fd; ++ char *fn; ++ int code; ++ { ++ FILE *f; ++ char buf[BUFSIZ]; ++ char yuf[BUFSIZ]; ++ char *c; ++ int x; ++ int saidsomething = 0; ++ ++ if((f = fopen(fn,"r")) == (FILE *)0) ++ return(1); ++ while(fgets(buf,sizeof(buf),f) != (char *)0) { ++ if((c = index(buf,'\n')) != (char *)0) ++ *c = '\0'; ++ x = fgetc(f); ++ if(feof(f)) ++ sprintf(yuf,"%3.3d-%s",code,buf); ++ else { ++ sprintf(yuf,"%3.3d-%s",code,buf); ++ ungetc(x,f); ++ } ++ if(say(fd,yuf)) { ++ fclose(f); ++ return(1); ++ } ++ saidsomething++; ++ } ++ fclose(f); ++ if 
(!saidsomething) { ++ syslog(LLEV,"fwtkcfgerr: sayfile for %d is empty",code); ++ sprintf(yuf, "%3.3d The file to display is empty",code); ++ if(say(fd,yuf)) { ++ fclose(f); ++ return(1); ++ } ++ } ++ return(0); ++ } +diff -c -r ./http-gw/http-gw.c ../../fwtk-2.1-violated/fwtk/http-gw/http-gw.c +*** ./http-gw/http-gw.c Fri Feb 6 18:32:25 1998 +--- ../../fwtk-2.1-violated/fwtk/http-gw/http-gw.c Thu May 21 17:00:47 1998 +*************** +*** 27,32 **** +--- 27,35 ---- + static char http_buffer[8192]; + static char reason[8192]; + static int checkBrowserType = 1; ++ static int do_transparent = 0; ++ ++ char * getdsthost(); + + static void do_logging() + { char *proto = "GOPHER"; +*************** +*** 473,478 **** +--- 476,490 ---- + /*(NOT A SPECIAL FORM)*/ + + if((rem_type & TYPE_LOCAL)== 0){ ++ char * psychic = getdsthost(sockfd, &def_port); ++ if (psychic) { ++ if (strlen(psychic) <= MAXHOSTNAMELEN) { ++ do_transparent ++; ++ strncpy(def_httpd, psychic, strlen(psychic)); ++ strncpy(def_server, psychic, strlen(psychic)); ++ } ++ } ++ + /* See if it can be forwarded */ + + if( can_forward(buf)){ +*************** +*** 1564,1570 **** + parse_vec[0], + parse_vec[1], + ourname, ourport); +! }else{ + sprintf(new_reply,"%s\tgopher://%s:%s/%c%s\t%s\t%u", + parse_vec[0], parse_vec[2], + parse_vec[3], chk_type_ch, +--- 1576,1589 ---- + parse_vec[0], + parse_vec[1], + ourname, ourport); +! } +! else +! if (do_transparent) { +! sprintf(new_reply, "%s\t%s\t%s\t%s", +! parse_vec[0], parse_vec[1], +! parse_vec[2],parse_vec[3]); +! } +! else { + sprintf(new_reply,"%s\tgopher://%s:%s/%c%s\t%s\t%u", + parse_vec[0], parse_vec[2], + parse_vec[3], chk_type_ch, +diff -c -r ./lib/hnam.c ../../fwtk-2.1-violated/fwtk/lib/hnam.c +*** ./lib/hnam.c Tue Dec 10 13:08:48 1996 +--- ../../fwtk-2.1-violated/fwtk/lib/hnam.c Thu May 21 17:10:00 1998 +*************** +*** 23,28 **** +--- 23,33 ---- + + #include "firewall.h" + ++ #ifdef __FreeBSD__ /* or OpenBSD, NetBSD, BSDI, etc. 
Fix this for your system. */ ++ #include ++ #include "ip_nat.h" ++ #endif /* __FreeBSD__ */ ++ + + char * + maphostname(name) +*************** +*** 49,52 **** +--- 54,132 ---- + } + bcopy(hp->h_addr,&sin.sin_addr,hp->h_length); + return(inet_ntoa(sin.sin_addr)); ++ } ++ ++ char *getdsthost(fd, ptr) ++ int fd; ++ int *ptr; ++ { ++ struct sockaddr_in sin; ++ struct hostent * hp; ++ int sl = sizeof(struct sockaddr_in), err = 0, local_h = 0, i = 0; ++ char buf[255], hostbuf[255]; ++ #ifdef __FreeBSD__ ++ struct sockaddr_in rsin; ++ struct natlookup natlookup; ++ #endif ++ ++ #ifdef linux ++ if (!(err = getsockname(0, &sin, &sl))) { ++ if(ptr) ++ * ptr = ntohs(sin.sin_port); ++ ++ sprintf(buf, "%s", inet_ntoa(sin.sin_addr)); ++ gethostname(hostbuf, 254); ++ hp = gethostbyname(hostbuf); ++ while (hp->h_addr_list[i]) { ++ bzero(&sin, &sl); ++ memcpy(&sin.sin_addr, hp->h_addr_list[i++], ++ sizeof(hp->h_addr_list[i++])); ++ ++ if (!strcmp(buf, inet_ntoa(sin.sin_addr))) ++ local_h++; ++ } ++ ++ if(local_h) ++ return(NULL); ++ else ++ return(buf); ++ } ++ #endif ++ ++ #ifdef __FreeBSD__ ++ /* The basis for this block of code is Darren Reed's ++ * patches to the TIS ftwk's ftp-gw. 
++ */ ++ bzero((char*)&sin, sizeof(sin)); ++ bzero((char*)&rsin, sizeof(rsin)); ++ ++ if (getsockname(fd, (struct sockaddr*)&sin, &sl) < 0) ++ return NULL; ++ ++ sl = sizeof(rsin); ++ ++ if(getpeername(fd, (struct sockaddr*)&rsin, &sl) < 0) ++ return NULL; ++ ++ natlookup.nl_inport=sin.sin_port; ++ natlookup.nl_outport=rsin.sin_port; ++ natlookup.nl_inip=sin.sin_addr; ++ natlookup.nl_outip=rsin.sin_addr; ++ ++ if ((natfd = open("/dev/ipl",O_RDONLY)) < 0) ++ return NULL; ++ ++ if (ioctl(natfd, SIOCGNATL,&natlookup) == (-1)) ++ return NULL; ++ ++ close(natfd); ++ ++ if (ptr) ++ *ptr = ntohs(natlookup.nl_inport); ++ ++ sprintf(buf, "%s", inet_ntoa(natlookup.nl_inip)); ++ #endif ++ ++ /* No transparent proxy support */ ++ return(NULL); + } +diff -c -r ./plug-gw/plug-gw.c ../../fwtk-2.1-violated/fwtk/plug-gw/plug-gw.c +*** ./plug-gw/plug-gw.c Thu Feb 5 19:07:35 1998 +--- ../../fwtk-2.1-violated/fwtk/plug-gw/plug-gw.c Thu May 21 17:29:01 1998 +*************** +*** 43,48 **** +--- 43,50 ---- + static char **validdests = (char **)0; + static int net_write(); + ++ static int do_transparent = 0; ++ + main(ac,av) + int ac; + char *av[]; +*************** +*** 198,206 **** +--- 200,220 ---- + char *ptr; + int state = 0; + int ssl_plug = 0; ++ char * getdsthost(); ++ int pport = 0; + + struct timeval timo; + ++ /* Transparent plug-gw is probably a bad idea, but then, plug-gw is a bad ++ * idea .. ++ */ ++ dhost = getdsthost(0, &pport); ++ if (dhost) { ++ do_transparent++; ++ portid = pport; ++ } ++ ++ + if(c->flags & PERM_DENY) { + if (p == -1) + syslog(LLEV,"deny host=%.512s/%.20s port=any",rhost,raddr); +*************** +*** 220,226 **** + syslog(LLEV,"fwtkcfgerr: -plug-to takes an argument, line %d",c->ln); + exit (1); + } +! dhost = av[x]; + continue; + } + +--- 234,241 ---- + syslog(LLEV,"fwtkcfgerr: -plug-to takes an argument, line %d",c->ln); + exit (1); + } +! if (!dhost) +! 
dhost = av[x]; + continue; + } + +diff -c -r ./rlogin-gw/rlogin-gw.c ../../fwtk-2.1-violated/fwtk/rlogin-gw/rlogin-gw.c +*** ./rlogin-gw/rlogin-gw.c Thu Feb 5 19:08:38 1998 +--- ../../fwtk-2.1-violated/fwtk/rlogin-gw/rlogin-gw.c Thu May 21 17:20:25 1998 +*************** +*** 103,108 **** +--- 103,111 ---- + static int trusted = 0; + static int doX = 0; + static char *prompt; ++ static int do_transparent = 0; ++ ++ char * getdsthost(); + + main(ac,av) + int ac; +*************** +*** 123,128 **** +--- 126,132 ---- + static char *tokav[56]; + int tokac; + struct timeval timo; ++ char * psychic; + + #ifndef LOG_NDELAY + openlog("rlogin-gw",LOG_PID); +*************** +*** 188,194 **** + xforwarder = cf->argv[0]; + } + +! + + if((cf = cfg_get("directory",confp)) != (Cfg *)0) { + if(cf->argc != 1) { +--- 192,203 ---- + xforwarder = cf->argv[0]; + } + +! psychic = getdsthost(0, NULL); +! if (psychic) { +! do_transparent++; +! strncpy(dest, psychic, 511); +! dest[511] = '\0'; +! } + + if((cf = cfg_get("directory",confp)) != (Cfg *)0) { + if(cf->argc != 1) { +*************** +*** 266,271 **** +--- 275,281 ---- + if((p = index(rusername,'@')) != (char *)0) { + char *namp; + ++ dest[0] = '\0'; + *p++ = '\0'; + if(*p == '\0') + p = "localhost"; +*************** +*** 297,302 **** +--- 307,326 ---- + + if(dest[0] != '\0') { + /* Setup connection directly to remote machine */ ++ if ((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) { ++ if (cf->argc != 1) { ++ syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln); ++ exit(1); ++ } ++ ++ if (sayfile(0, cf->argv[0])) { ++ syslog(LLEV,"fwtksyserr: cannot display welcome %s: %m",cf->argv[0]); ++ exit(1); ++ } ++ } ++ ++ /* Hey fwtk developer people -- this connect_dest thing is *nasty!* */ ++ + sprintf(buf,"connect %.1000s",dest); + tokac = enargv(buf, tokav, 56, tokbuf, sizeof(tokbuf)); + if (cmd_connect(tokac, tokav, buf) != 2) +*************** +*** 535,548 **** + char ebuf[512]; + + syslog(LLEV,"permit 
host=%.512s/%.20s connect to %.512s",rhost,raddr,namp); +! if(strlen(namp) > 20) +! namp[20] = '\0'; +! if(rusername[0] != '\0') +! sprintf(ebuf,"Trying %s@%s...",rusername,namp); +! else +! sprintf(ebuf,"Trying %s...",namp); +! if(say(0,ebuf)) +! return(1); + } else + syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,av[1]); + if((serfd = conn_server(av[1],RLOGINPORT,1,buf)) < 0) { +--- 559,574 ---- + char ebuf[512]; + + syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,namp); +! if (!do_transparent) { +! if(strlen(namp) > 20) +! namp[20] = '\0'; +! if(rusername[0] != '\0') +! sprintf(ebuf,"Trying %s@%s...",rusername,namp); +! else +! sprintf(ebuf,"Trying %s...",namp); +! if(say(0,ebuf)) +! return(1); +! } + } else + syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,av[1]); + if((serfd = conn_server(av[1],RLOGINPORT,1,buf)) < 0) { +diff -c -r ./tn-gw/tn-gw.c ../../fwtk-2.1-violated/fwtk/tn-gw/tn-gw.c +*** ./tn-gw/tn-gw.c Thu Feb 5 19:11:36 1998 +--- ../../fwtk-2.1-violated/fwtk/tn-gw/tn-gw.c Thu May 21 17:25:06 1998 +*************** +*** 91,96 **** +--- 91,100 ---- + static int cmd_xforward(); + static int cmd_timeout(); + ++ char * getdsthost(); ++ ++ static int do_transparent = 0; ++ + static int tn3270 = 1; /* don't do tn3270 stuff */ + static int doX; + +*************** +*** 144,149 **** +--- 148,155 ---- + char tokbuf[BSIZ]; + char *tokav[56]; + int tokac; ++ int port; ++ char * psychic; + + #ifndef LOG_DAEMON + openlog("tn-gw",LOG_PID); +*************** +*** 325,330 **** +--- 331,362 ---- + } + } + ++ psychic = getdsthost(0, &port); ++ if (psychic) { ++ if ((strlen(psychic) + 10) < 510) { ++ do_transparent++; ++ if (port) ++ sprintf(dest, "%s:%d", psychic, port); ++ else ++ sprintf(dest, "%s", psychic); ++ ++ if (!welcomedone) ++ if ((cf = cfg_get("welcome-msg", confp)) != (Cfg *)0) { ++ if (cf->argc != 1) { ++ syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln); ++ exit(1); 
++ } ++ ++ if (sayfile(0, cf->argv[0])) { ++ syslog(LLEV,"fwtksyserr: cannot display welcome %s:%m",cf->argv[0]); ++ exit(1); ++ } ++ ++ welcomedone = 1; ++ } ++ } ++ } ++ + while (argc > 1) { + argc--; + argv++; +*************** +*** 947,955 **** + char ebuf[512]; + + syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,namp); +! sprintf(ebuf,"Trying %.100s port %d...",namp,port); +! if(say(0,ebuf)) +! return(1); + } else + syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]); + +--- 979,989 ---- + char ebuf[512]; + + syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,namp); +! if (!do_transparent) { +! sprintf(ebuf,"Trying %.100s port %d...",namp,port); +! if(say(0,ebuf)) +! return(1); +! } + } else + syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]); + +*************** +*** 991,998 **** + + syslog(LLEV,"connected host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]); + strncpy(dest,av[1], 511); +! sprintf(buf, "Connected to %.512s.", dest); +! say(0, buf); + return(2); + } + +--- 1025,1034 ---- + + syslog(LLEV,"connected host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]); + strncpy(dest,av[1], 511); +! if (!do_transparent) { +! sprintf(buf, "Connected to %.512s.", dest); +! say(0, buf); +! } + return(2); + } + diff --git a/contrib/ipfilter/FreeBSD-2.2/files.diffs b/contrib/ipfilter/FreeBSD-2.2/files.diffs index de05264b555d..10bce4b28e9b 100644 --- a/contrib/ipfilter/FreeBSD-2.2/files.diffs +++ b/contrib/ipfilter/FreeBSD-2.2/files.diffs @@ -1,8 +1,8 @@ -*** /sys/conf/files.orig Sat May 24 14:05:28 1997 ---- /sys/conf/files Sat May 24 14:06:44 1997 +*** files.orig Tue Sep 9 16:58:40 1997 +--- files Sat Apr 4 10:52:58 1998 *************** -*** 217,222 **** ---- 217,230 ---- +*** 222,227 **** +--- 222,236 ---- netinet/tcp_timer.c optional inet netinet/tcp_usrreq.c optional inet netinet/udp_usrreq.c optional inet 
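Review bot: `getdsthost()` in the hnam.c portion of the embedded FWTK patch cannot hand a usable hostname back to any caller: the `#ifdef linux` path does `return(buf)` where `buf` is a local array (the caller receives a dangling pointer), and the `__FreeBSD__` path fills `buf` with `sprintf` but then falls past `#endif` into the unconditional `return(NULL)`, so the ipfilter `SIOCGNATL` lookup never enables `do_transparent`. The FreeBSD block also leaks `natfd` when the ioctl fails (`close(natfd)` is only reached on success), and the Linux block's `bzero(&sin, &sl)` passes a pointer where a length is expected; the minimal fix is a static or caller-supplied result buffer, `close(natfd)` before the ioctl error return, `return(buf)` inside the `#ifdef __FreeBSD__` block, and `bzero(&sin, sizeof(sin));`. In the http-gw.c portion, `strncpy(def_httpd, psychic, strlen(psychic))` writes no terminator and bounds `psychic` against `MAXHOSTNAMELEN` rather than the destination size; `snprintf(def_httpd, sizeof(def_httpd), "%s", psychic)` (and likewise for `def_server`) both bounds and terminates the copy, assuming those are arrays, which this hunk does not show. `sayfile2()` in the ftp-gw.c portion calls `fclose(f)` a second time in the `!saidsomething` branch after the loop has already closed `f`; that inner `fclose(f)` should be dropped.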
@@ -17,4 +17,4 @@ + netinet/ip_log.c optional ipfilter inet netipx/ipx.c optional ipx netipx/ipx_cksum.c optional ipx - netipx/ipx_error.c optional ipx + netipx/ipx_input.c optional ipx diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY index c708038e7dc8..50711eabd894 100644 --- a/contrib/ipfilter/HISTORY +++ b/contrib/ipfilter/HISTORY @@ -5,6 +5,62 @@ # Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the # loan of a machine to work on a Solaris 2.x port of this software. # +# Thanks to BSDI for providing object files for BSD/OS 3.1 and the means +# to further support development of IP Filter under BSDI. +# +# Thanks also to all those who have contributed patches and other code, +# and especially those who have found the time to port IP Filter to new +# platforms. + +3.2.7 24/05/98 - Released + +u_long -> u_32_t conversions + +patches from Bernd Ernesti for NetBSD + +fixup ipmon to actually handle HUP's. + +Linux fixes from Michael H. Warfield (mhw@wittsend.com) + +update for keep state patch (not security related) - Guido + +dumphex() uses stdout rather than log + +3.2.6 18/05/98 - Released + +fix potential security loop hole in keep state code. + +update examples. + +3.2.5 09/05/98 - Released + +BSD/OS 3.1 .o files added for the kernel. + +fix sequence # skew vs window size check. + +fix minimum ICMP header size check. + +remove references to Cybersource. + +fix my email address. + +remove ntohl in ipnat - Thomas Tornblom + +3.2.4 09/04/98 - Released + +add script to make devices for /dev on BSD boxes + +fixup building into the kernel for FreeBSD 2.2.5 + +add -D command line option to ipmon to make it a daemon and SIGHUP causes +it to close and reopen the logfile + +fixup make clean and make package for SunOS5 - Marc Boucher + +postinstall keeps adding "minor=ipf ipl" - George Ross + +protected by IP Filter gif - Sergey Solyanik + 3.2.3 10/11/97 - Released fix some iplang bugs 
diff --git a/contrib/ipfilter/IMPORTANT b/contrib/ipfilter/IMPORTANT index d706c3626da0..de2cc85b7c9c 100644 --- a/contrib/ipfilter/IMPORTANT +++ b/contrib/ipfilter/IMPORTANT @@ -42,5 +42,5 @@ If you have BOTH GNU make and the normal make shipped with your system, DO NOT use the GNU make to build this package. Darren -darrenr@cyber.com.au +darrenr@pobox.com **************************************** diff --git a/contrib/ipfilter/INST.FreeBSD-2.2 b/contrib/ipfilter/INST.FreeBSD-2.2 index b0bae0359237..78f7295e0894 100644 --- a/contrib/ipfilter/INST.FreeBSD-2.2 +++ b/contrib/ipfilter/INST.FreeBSD-2.2 @@ -44,6 +44,7 @@ To build a kernel with the IP filter, follow these steps: mknod /dev/ipl c 79 0 mknod /dev/ipnat c 79 1 mknod /dev/ipstate c 79 2 + mknod /dev/ipauth c 79 3 5b) For versions prior to FreeBSD 2.2: create devices for IP Filter as follows (assuming it was @@ -51,8 +52,9 @@ To build a kernel with the IP filter, follow these steps: mknod /dev/ipl c 20 0 mknod /dev/ipnat c 20 1 mknod /dev/ipstate c 20 2 + mknod /dev/ipauth c 20 3 6. install and reboot with the new kernel Darren Reed -darrenr@cyber.com.au +darrenr@pobox.com diff --git a/contrib/ipfilter/INSTALL.FreeBSD b/contrib/ipfilter/INSTALL.FreeBSD index f64263691744..3f0a88503a00 100644 --- a/contrib/ipfilter/INSTALL.FreeBSD +++ b/contrib/ipfilter/INSTALL.FreeBSD @@ -41,8 +41,9 @@ To build a kernel with the IP filter, follow these steps: mknod /dev/ipl c 20 0 mknod /dev/ipnat c 20 1 mknod /dev/ipstate c 20 2 + mknod /dev/ipauth c 20 3 6. install and reboot with the new kernel Darren Reed -darrenr@cyber.com.au +darrenr@pobox.com diff --git a/contrib/ipfilter/INSTALL.Linux b/contrib/ipfilter/INSTALL.Linux index c190095fddf1..1a5d15b59f02 100644 --- a/contrib/ipfilter/INSTALL.Linux +++ b/contrib/ipfilter/INSTALL.Linux 
@@ -19,11 +19,12 @@ The first step is to make the IP Filter binaries. Do this with a "make linux" from the ip_fil3.2.x directory. If this completes with no errors, install IP Filter with a "make install-linux". -Now that the user part of it is complete, it is time to work on the -kernel. To start this off, run "Linux/kinstall". This will patch your -kernel source code and configuration files so you can enabled IP Filter. -You must now go to /usr/src/linux and configure your kernel using one of -the available interfaces to enable IP Filter. IP Filter will be presented +Now that the user part of it is complete, it is time to work on the kernel. +To start this off, run "Linux/minstall". This will configure the devices +you will need for the IP Filter. Then run "Linux/kinstall". This will +patch your kernel source code and configuration files so you can enabled IP +Filter. You must now go to /usr/src/linux and configure your kernel using one +of the available interfaces to enable IP Filter. IP Filter will be presented as a three way choice "y/m/n" - select "m" to enable it. Save your kernel configuration file, rebuild, install and reboot with the new kernel. diff --git a/contrib/ipfilter/INSTALL.NetBSD b/contrib/ipfilter/INSTALL.NetBSD index 847871203f66..012d6d7f8d2d 100644 --- a/contrib/ipfilter/INSTALL.NetBSD +++ b/contrib/ipfilter/INSTALL.NetBSD @@ -41,8 +41,14 @@ To build a kernel with the IP filter, follow these steps: 4. build a new kernel - 5. create /dev/ipl with "mknod /dev/ipl c 59 0". - (for NetBSD-1.2, use "mknod /dev/ipl c 49 0") + 5. Create device files. For NetBSD-1.2 (or later), use 49 as the + major number. For NetBSD-1.1 or earlier, use 59. Run these + commands as root, substituting for the appropriate number: + + mknod /dev/ipl c 0 + mknod /dev/ipnat c 1 + mknod /dev/ipstate c 2 + mknod /dev/ipauth c 3 ** NOTE: both the numbers 49 and 59 should be substituted with whatever number you inserted it into conf.c as. 
@@ -50,4 +56,4 @@ To build a kernel with the IP filter, follow these steps: 6. install and reboot with the new kernel Darren Reed -darrenr@cyber.com.au +darrenr@pobox.com diff --git a/contrib/ipfilter/INSTALL.Sol2 b/contrib/ipfilter/INSTALL.Sol2 index 1939c265663e..cc6600750e15 100644 --- a/contrib/ipfilter/INSTALL.Sol2 +++ b/contrib/ipfilter/INSTALL.Sol2 @@ -24,4 +24,4 @@ called "ipf.conf" using touch. The rc scripts have been written to look for the configuration file here, using the installed binaries in /sbin. Darren Reed -darrenr@cyber.com.au +darrenr@pobox.com diff --git a/contrib/ipfilter/INSTALL.SunOS b/contrib/ipfilter/INSTALL.SunOS index 64392fdf3119..0d4dd8c5e07a 100644 --- a/contrib/ipfilter/INSTALL.SunOS +++ b/contrib/ipfilter/INSTALL.SunOS @@ -28,9 +28,13 @@ To install as part of a SunOS 4.1.x kernel: NOTE: This script sets up /dev/ipl as char. device 59,0 in /sys/sun/conf.c - 3. Do "mknod /dev/ipl c 59 0" as root. + 3. Run the following commands as root: + mknod /dev/ipl c 59 0 + mknod /dev/ipnat c 59 1 + mknod /dev/ipstate c 59 2 + mknod /dev/ipauth c 59 3 4. Reboot using the new kernel Darren Reed -darrenr@cyber.com.au +darrenr@pobox.com diff --git a/contrib/ipfilter/INSTALL.xBSD b/contrib/ipfilter/INSTALL.xBSD index 9ab66f12932c..b06ad4b8ab3b 100644 --- a/contrib/ipfilter/INSTALL.xBSD +++ b/contrib/ipfilter/INSTALL.xBSD @@ -31,9 +31,14 @@ To build a kernel with the IP filter, follow these steps: 4. build a new kernel - 5. create /dev/ipl with "mknod /dev/ipl c 59 0". + 5. create devices for IP Filter as follows (assuming it was + installed into the device table as char dev 20): + mknod /dev/ipl c 20 0 + mknod /dev/ipnat c 20 1 + mknod /dev/ipstate c 20 2 + mknod /dev/ipauth c 20 3 6. install and reboot with the new kernel Darren -darrenr@cyber.com.au +darrenr@pobox.com diff --git a/contrib/ipfilter/Makefile b/contrib/ipfilter/Makefile index a48ad31e5907..65540956ccaa 100644 --- a/contrib/ipfilter/Makefile +++ b/contrib/ipfilter/Makefile 
@@ -5,7 +5,7 @@ # provided that this notice is preserved and due credit is given # to the original author and the contributors. # -# $Id: Makefile,v 2.0.2.26.2.5 1997/11/27 09:32:38 darrenr Exp $ +# $Id: Makefile,v 2.0.2.26.2.10 1998/05/23 05:01:23 darrenr Exp $ # BINDEST=/usr/local/bin SBINDEST=/sbin @@ -88,7 +88,11 @@ freebsd22 freebsd30: include make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" -rm -f BSD/$(CPUDIR)/ioconf.h @if [ -n $(IPFILKERN) ] ; then \ + if [ -f /sys/$(IPFILKERN)/compile/ioconf.h ] ; then \ + ln -s /sys/$(IPFILKERN)/compile/ioconf.h BSD/$(CPUDIR); \ + else \ ln -s /sys/$(IPFILKERN)/ioconf.h BSD/$(CPUDIR); \ + fi \ elif [ ! -f `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`/ioconf.h ] ; then \ echo -n "Can't find ioconf.h in "; \ echo `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`; \ 
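Review bot: The new `if [ -f /sys/$(IPFILKERN)/compile/ioconf.h ]` branch is reached even when IPFILKERN is unset, because the enclosing guard on the context line above it, `[ -n $(IPFILKERN) ]`, expands to `[ -n ]` and is always true; the new `else` arm then symlinks `/sys//ioconf.h` without any diagnostic. Quoting the variable, `@if [ -n "$(IPFILKERN)" ] ; then \`, lets the existing `elif` path (which does report a missing ioconf.h) handle the unset case. The recipe continues outside the hunk.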
@@ -100,41 +104,41 @@ freebsd22 freebsd30: include netbsd: include make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" - (cd BSD/$(CPUDIR); make build "TOP=../.." $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c"; cd ..) - (cd BSD/$(CPUDIR); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..) + (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c"; cd ..) + (cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..) openbsd openbsd21: include make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" - (cd BSD/$(CPUDIR); make build "TOP=../.." $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c"; cd ..) - (cd BSD/$(CPUDIR); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..) + (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c"; cd ..) + (cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..) freebsd freebsd20 freebsd21: include make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" - (cd BSD/$(CPUDIR); make build "TOP=../.." $(MFLAGS) "ML=mlf_ipl.c"; cd ..) - (cd BSD/$(CPUDIR); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..) + (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlf_ipl.c"; cd ..) + (cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..) bsd: include make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" - (cd BSD/$(CPUDIR); make build "TOP=../.." $(MFLAGS); cd ..) - (cd BSD/$(CPUDIR); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..) + (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS); cd ..) + (cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..) bsdi bsdos: include make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" - (cd BSD/$(CPUDIR); make build "CC=$(CC)" "TOP=../.." $(MFLAGS) LKM= ; cd ..) - (cd BSD/$(CPUDIR); make -f Makefile.ipsend "CC=$(CC)" "TOP=../.." $(MFLAGS); cd ..) + (cd BSD/$(CPUDIR); make build "CC=$(CC)" TOP=../.. $(MFLAGS) LKM= ; cd ..) + (cd BSD/$(CPUDIR); make -f Makefile.ipsend "CC=$(CC)" TOP=../.. $(MFLAGS); cd ..) 
irix IRIX: include make setup "TARGOS=IRIX" "CPUDIR=$(CPUDIR)" - (cd IRIX/$(CPUDIR); smake build "TOP=../.." $(MFLAGS); cd ..) - (cd IRIX/$(CPUDIR); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..) + (cd IRIX/$(CPUDIR); smake build TOP=../.. $(MFLAGS); cd ..) + (cd IRIX/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..) linux: include make setup "TARGOS=Linux" "CPUDIR=$(CPUDIR)" ./buildlinux linuxrev: - (cd Linux/$(CPUDIR); make build "TOP=../.." $(MFLAGS) LKM= ; cd ..) - (cd Linux/$(CPUDIR); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..) + (cd Linux/$(CPUDIR); make build TOP=../.. $(MFLAGS) LKM= ; cd ..) + (cd Linux/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..) setup: -if [ ! -d $(TARGOS)/$(CPUDIR) ] ; then mkdir $(TARGOS)/$(CPUDIR); fi @@ -146,8 +150,8 @@ clean: ${RM} -rf netinet ${RM} -f core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl \ vnode_if.h $(LKM) - (cd SunOS4; make clean) - (cd SunOS5; make clean) + if [ "`uname -s`" = "SunOS" ]; then (cd SunOS4; make clean); fi + if [ "`uname -s`" = "SunOS" ]; then (cd SunOS5; make clean); fi (cd BSD; make clean) (cd Linux; make clean) if [ "`uname -s`" = "IRIX" ]; then (cd IRIX; make clean); fi 
@@ -187,12 +191,16 @@ sunos4 solaris1: (cd SunOS4; make -f Makefile.ipsend "CC=$(CC)" TOP=.. $(MFLAGS); cd ..) sunos5 solaris2: - (cd SunOS5/$(CPU); make build TOP=../.. "CC=$(CC)" $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Dsparc -D__sparc__"; cd ..) - (cd SunOS5/$(CPU); make -f Makefile.ipsend TOP=../.. "CC=$(CC)" $(MFLAGS); cd ..) + (cd SunOS5/$(CPUDIR); make build TOP=../.. "CC=$(CC)" $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Dsparc -D__sparc__"; cd ..) + (cd SunOS5/$(CPUDIR); make -f Makefile.ipsend TOP=../.. "CC=$(CC)" $(MFLAGS); cd ..) sunos5x86 solaris2x86: - (cd SunOS5/$(CPU); make build TOP=../.. "CC=$(CC)" $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Di86pc -Di386 -D__i386__"; cd ..) - (cd SunOS5/$(CPU); make -f Makefile.ipsend TOP=../.. "CC=$(CC)" $(MFLAGS); cd ..) + (cd SunOS5/$(CPUDIR); make build TOP=../.. "CC=$(CC)" $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Di86pc -Di386 -D__i386__"; cd ..) + (cd SunOS5/$(CPUDIR); make -f Makefile.ipsend TOP=../.. "CC=$(CC)" $(MFLAGS); cd ..) + +install-linux: + (cd Linux/$(CPUDIR); make install "TOP=../.." $(MFLAGS); cd ..) + (cd Linux/$(CPUDIR); make -f Makefile.ipsend INSTALL=$(INSTALL) install "TOP=../.." $(MFLAGS); cd ..) install-bsd: (cd BSD/$(CPUDIR); make install "TOP=../.." $(MFLAGS); cd ..) diff --git a/contrib/ipfilter/README b/contrib/ipfilter/README index 3fac6ecb2bf5..80ce748c5652 100644 --- a/contrib/ipfilter/README +++ b/contrib/ipfilter/README @@ -46,7 +46,7 @@ Bugs/Problems ------------- If you have a problem with IP Filter on your operating system, please email a copy of the file "BugReport" with the details of your setup as required -and email to darrenr@cyber.com.au. +and email to darrenr@pobox.com. Some general notes. ------------------- @@ -95,4 +95,4 @@ BNF - BNF rule set for the filter rules Darren Reed -darrenr@cyber.com.au +darrenr@pobox.com diff --git a/contrib/ipfilter/Y2K b/contrib/ipfilter/Y2K new file mode 100644 index 000000000000..a8350a590070 --- /dev/null +++ b/contrib/ipfilter/Y2K 
@@ -0,0 +1,3 @@ +IP Filter is Year 2000 (Y2K) Compliant. + +Darren diff --git a/contrib/ipfilter/buildsunos b/contrib/ipfilter/buildsunos index b3f65788cba2..ed8a034c8d01 100755 --- a/contrib/ipfilter/buildsunos +++ b/contrib/ipfilter/buildsunos @@ -1,23 +1,24 @@ #! /bin/sh -# $Id: buildsunos,v 2.0.2.4 1997/05/24 07:32:46 darrenr Exp $ +# $Id: buildsunos,v 2.0.2.4.2.1 1998/05/21 14:46:04 darrenr Exp $ : rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'` cpu=`uname -m` +cpudir=${cpu}-`uname -r` if [ $rev = 5 ] ; then solrev=`uname -r | sh -c 'IFS=. read j n x; echo $n'` - mkdir -p SunOS5/${cpu} - /bin/rm -f SunOS5/${cpu}/Makefile - /bin/rm -f SunOS5/${cpu}/Makefile.ipsend - ln -s ../Makefile SunOS5/${cpu}/Makefile - ln -s ../Makefile.ipsend SunOS5/${cpu}/Makefile.ipsend + mkdir -p SunOS5/${cpudir} + /bin/rm -f SunOS5/${cpudir}/Makefile + /bin/rm -f SunOS5/${cpudir}/Makefile.ipsend + ln -s ../Makefile SunOS5/${cpudir}/Makefile + ln -s ../Makefile.ipsend SunOS5/${cpudir}/Makefile.ipsend fi if [ $cpu = i86pc ] ; then - make ${1+"$@"} sunos5x86 SOLARIS2="-DSOLARIS2=$solrev" CPU=${cpu} + make ${1+"$@"} sunos5x86 SOLARIS2="-DSOLARIS2=$solrev" CPU=${cpu} CPUDIR=${cpudir} exit $? fi if [ x$solrev = x ] ; then make ${1+"$@"} sunos$rev "ARCH=`uname -m`" exit $? fi -make ${1+"$@"} sunos$rev SOLARIS2="-DSOLARIS2=$solrev" CPU=${cpu} +make ${1+"$@"} sunos$rev SOLARIS2="-DSOLARIS2=$solrev" CPU=${cpu} CPUDIR=${cpudir} exit $? diff --git a/contrib/ipfilter/fil.c b/contrib/ipfilter/fil.c index 58c28e14126b..f2b19a58aa92 100644 --- a/contrib/ipfilter/fil.c +++ b/contrib/ipfilter/fil.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; -static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.9 1997/12/02 13:56:06 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.14 1998/05/23 19:20:30 darrenr Exp $"; #endif #include 
@@ -21,6 +21,7 @@ static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.9 1997/12/02 13:56:06 d #else # include # include +# include #endif #include #if !defined(__SVR4) && !defined(__svr4__) @@ -194,6 +195,7 @@ fr_info_t *fin; { struct optlist *op; tcphdr_t *tcp; + icmphdr_t *icmp; fr_ip_t *fi = &fin->fin_fi; u_short optmsk = 0, secmsk = 0, auth = 0; int i, mv, ol, off; @@ -214,6 +216,7 @@ fr_info_t *fin; fin->fin_hlen = hlen; fin->fin_dlen = ip->ip_len - hlen; tcp = (tcphdr_t *)((char *)ip + hlen); + icmp = (icmphdr_t *)tcp; fin->fin_dp = (void *)tcp; (*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4)); (*(((u_32_t *)fi) + 1)) = (*(((u_32_t *)ip) + 3)); @@ -226,12 +229,20 @@ fr_info_t *fin; switch (ip->ip_p) { case IPPROTO_ICMP : - if ((!IPMINLEN(ip, icmp) && !off) || + { + int minicmpsz = sizeof(struct icmp); + + if (!off && ip->ip_len > ICMP_MINLEN + hlen && + (icmp->icmp_type == ICMP_ECHOREPLY || + icmp->icmp_type == ICMP_UNREACH)) + minicmpsz = ICMP_MINLEN; + if ((!(ip->ip_len >= hlen + minicmpsz) && !off) || (off && off < sizeof(struct icmp))) fi->fi_fl |= FI_SHORT; if (fin->fin_dlen > 1) fin->fin_data[0] = *(u_short *)tcp; break; + } case IPPROTO_TCP : fi->fi_fl |= FI_TCPUDP; if ((!IPMINLEN(ip, tcphdr) && !off) || @@ -418,7 +429,7 @@ void *m; off = ip->ip_off & 0x1fff; pass |= (fi->fi_fl << 24); - if ((fi->fi_fl & FI_TCPUDP) && (fin->fin_dlen > 3) && !off) + if ((fi->fi_fl & FI_TCPUDP) && (fin->fin_dlen > 3) && !off) portcmp = 1; for (rulen = 0; fr; fr = fr->fr_next, rulen++) { 
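Review bot: The relaxed minimum for echo replies and unreachables, `if (!off && ip->ip_len > ICMP_MINLEN + hlen && ...)`, uses a strict `>`, so an echo reply carrying exactly ICMP_MINLEN bytes (a legal, empty reply) keeps `minicmpsz = sizeof(struct icmp)` and is still flagged FI_SHORT, while the very next test accepts `ip->ip_len >= hlen + minicmpsz`; the intended line is `if (!off && ip->ip_len >= ICMP_MINLEN + hlen &&`. The 8-byte floor is right for echo replies, but an ICMP_UNREACH is followed by the offending IP header plus 8 bytes, so an 8-byte unreachable now passes the short test without any quoted datagram, and anything downstream (state or NAT) that parses that quoted header must re-check the length itself. Both `icmp->icmp_type` and the tests are driven by `ip->ip_len`, the header's claimed length, so this relies on the caller having verified the buffer really holds that many bytes (the enclosing function begins outside the hunk).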
@@ -475,24 +486,22 @@ void *m; * If a fragment, then only the first has what we're looking * for here... */ + if (!portcmp && (fr->fr_dcmp || fr->fr_scmp || fr->fr_tcpf || + fr->fr_tcpfm)) + continue; if (fi->fi_fl & FI_TCPUDP) { - if (portcmp) { - if (!fr_tcpudpchk(fr, fin)) - continue; - } else if (fr->fr_dcmp || fr->fr_scmp || fr->fr_tcpf || - fr->fr_tcpfm) + if (!fr_tcpudpchk(fr, fin)) continue; - } else if (fi->fi_p == IPPROTO_ICMP) { - if (!off && (fin->fin_dlen > 1)) { - if ((fin->fin_data[0] & fr->fr_icmpm) != - fr->fr_icmp) { - FR_DEBUG(("i. %#x & %#x != %#x\n", - fin->fin_data[0], - fr->fr_icmpm, fr->fr_icmp)); - continue; - } - } else if (fr->fr_icmpm || fr->fr_icmp) + } else if (fr->fr_icmpm || fr->fr_icmp) { + if ((fi->fi_p != IPPROTO_ICMP) || off || + (fin->fin_dlen < 2)) continue; + if ((fin->fin_data[0] & fr->fr_icmpm) != fr->fr_icmp) { + FR_DEBUG(("i. %#x & %#x != %#x\n", + fin->fin_data[0], fr->fr_icmpm, + fr->fr_icmp)); + continue; + } } FR_VERBOSE(("*")); /* @@ -571,6 +580,15 @@ int out; # endif int up; +#ifdef M_CANFASTFWD + /* + * XXX For now, IP Filter and fast-forwarding of cached flows + * XXX are mutually exclusive. Eventually, IP Filter should + * XXX get a "can-fast-forward" filter rule. + */ + m->m_flags &= ~M_CANFASTFWD; +#endif /* M_CANFASTFWD */ + if ((ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP || ip->ip_p == IPPROTO_ICMP)) { int plen = 0; @@ -887,7 +905,7 @@ u_short ipf_cksum(addr, len) register u_short *addr; register int len; { - register u_long sum = 0; + register u_32_t sum = 0; for (sum = 0; len > 1; len -= 2) sum += *addr++; @@ -920,7 +938,7 @@ int len; u_char c[2]; u_short s; } bytes; - u_long sum; + u_32_t sum; u_short *sp; # if SOLARIS || defined(__sgi) int add, hlen; @@ -1019,7 +1037,7 @@ int len; #endif /* SOLARIS */ if (len < 2) break; - if((u_long)sp & 1) { + if((u_32_t)sp & 1) { bcopy((char *)sp++, (char *)&bytes.s, sizeof(bytes.s)); sum += bytes.s; } else 
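Review bot: The new early `continue` gates port and TCP-flag rules on `portcmp` alone, which the preceding hunk derives from `fin->fin_dlen > 3`, i.e. four bytes of transport header; a first fragment carrying 4 to 12 bytes therefore passes the gate and `fr_tcpudpchk()` (not in view) goes on to compare `fr_tcpf`/`fr_tcpfm` against flags at offset 13, beyond the data the fragment actually carries. Unless `fr_tcpudpchk()` already refuses FI_SHORT packets, rules with flag comparisons should be skipped when the header is incomplete: `if ((fr->fr_tcpf || fr->fr_tcpfm) && (fin->fin_dlen < sizeof(tcphdr_t))) continue;` placed after the existing `continue`. The loop belongs to a function that starts and ends outside the hunk, so the `off`/`portcmp` setup should be checked against it.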
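Review bot: The alignment test `if((u_32_t)sp & 1) {` now truncates a pointer to 32 bits; the low bit survives, so the result is unchanged, but on LP64 targets it is a pointer-to-narrower-integer conversion that compilers warn about and that reads like a bug. The other `u_long` to `u_32_t` conversions in this file are checksum accumulators, where 32 bits is the right width; this one is a pointer and should stay `if((u_long)sp & 1) {`.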
@@ -1073,7 +1091,7 @@ int len; * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 - * $Id: fil.c,v 2.0.2.41.2.9 1997/12/02 13:56:06 darrenr Exp $ + * $Id: fil.c,v 2.0.2.41.2.14 1998/05/23 19:20:30 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, diff --git a/contrib/ipfilter/ip_auth.c b/contrib/ipfilter/ip_auth.c index 2640a77245cc..bdb3114f88bf 100644 --- a/contrib/ipfilter/ip_auth.c +++ b/contrib/ipfilter/ip_auth.c @@ -6,7 +6,7 @@ * to the original author and the contributors. */ #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.0.2.21.2.2 1997/11/12 10:45:51 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.0.2.21.2.3 1998/04/08 13:43:29 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) @@ -86,6 +86,9 @@ extern struct ifqueue ipintrq; /* ip packet input queue */ #include "netinet/ip_auth.h" #if !SOLARIS && !defined(linux) # include +# ifdef __FreeBSD__ +# include +# endif #endif diff --git a/contrib/ipfilter/ip_compat.h b/contrib/ipfilter/ip_compat.h index 1fe90c3cb677..1f91cf3c949b 100644 --- a/contrib/ipfilter/ip_compat.h +++ b/contrib/ipfilter/ip_compat.h @@ -6,7 +6,7 @@ * to the original author and the contributors. * * @(#)ip_compat.h 1.8 1/14/96 - * $Id: ip_compat.h,v 2.0.2.31.2.8 1997/12/02 13:42:52 darrenr Exp $ + * $Id: ip_compat.h,v 2.0.2.31.2.11 1998/05/23 14:29:36 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ @@ -123,7 +123,7 @@ typedef unsigned int u_32_t; # else typedef unsigned long u_32_t; # endif -#endif /* __NetBSD__ || __OpenBSD__ || __FreeBSD__ */ +#endif /* __NetBSD__ || __OpenBSD__ || __FreeBSD__ || __sgi */ #ifndef MAX #define MAX(a,b) (((a) > (b)) ? (a) : (b)) @@ -369,6 +369,9 @@ typedef struct mbuf mb_t; * not be in other places or maybe one day linux will grow up and some * of these will turn up there too. */ +#ifndef ICMP_MINLEN +# define ICMP_MINLEN 8 +#endif #ifndef ICMP_UNREACH # define ICMP_UNREACH ICMP_DEST_UNREACH #endif 
@@ -680,6 +683,12 @@ typedef struct uio { # undef UINT_MAX # undef LONG_MAX # undef ULONG_MAX +# define s8 __s8 +# define u8 __u8 +# define s16 __s16 +# define u16 __u16 +# define s32 __s32 +# define u32 __u32 # include # undef __KERNEL__ # endif @@ -714,4 +723,5 @@ struct ether_addr { #ifndef ICMP_ROUTERSOLICIT # define ICMP_ROUTERSOLICIT 10 #endif + #endif /* __IP_COMPAT_H__ */ diff --git a/contrib/ipfilter/ip_fil.c b/contrib/ipfilter/ip_fil.c index d518d1793af0..09c4b6efacd9 100644 --- a/contrib/ipfilter/ip_fil.c +++ b/contrib/ipfilter/ip_fil.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.5 1997/11/24 10:02:02 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.7 1998/05/03 10:55:49 darrenr Exp $"; #endif #ifndef SOLARIS @@ -164,7 +164,7 @@ struct devsw iplsw = { }; #endif /* _BSDI_VERSION >= 199510 && _KERNEL */ -#if defined(__NetBSD__) || defined(__OpenBSD__) +#if defined(__NetBSD__) || defined(__OpenBSD__) || (_BSDI_VERSION >= 199701) # include # if defined(NETBSD_PF) # include @@ -933,7 +933,8 @@ frdest_t *fdp; if (ro->ro_rt->rt_flags & RTF_GATEWAY) dst = (struct sockaddr_in *)&ro->ro_rt->rt_gateway; } - ro->ro_rt->rt_use++; + if (ro->ro_rt) + ro->ro_rt->rt_use++; /* * For input packets which are being "fastrouted", they won't diff --git a/contrib/ipfilter/ip_fil.h b/contrib/ipfilter/ip_fil.h index 2e2aaa7cb28d..edbd68556016 100644 --- a/contrib/ipfilter/ip_fil.h +++ b/contrib/ipfilter/ip_fil.h @@ -6,7 +6,7 @@ * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 - * $Id: ip_fil.h,v 2.0.2.39.2.10 1997/12/03 10:02:30 darrenr Exp $ + * $Id: ip_fil.h,v 2.0.2.39.2.11 1998/05/23 14:29:37 darrenr Exp $ */ #ifndef __IP_FIL_H__ 
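Review bot: `# define s8 __s8` through `# define u32 __u32` are bare object-like macros introduced only to satisfy the Linux header included on the following line, yet nothing undefines them, so every identifier named `u8`, `u16` or `u32` in any later-included header or in the including .c file is silently rewritten. Add `# undef s8` ... `# undef u32` right after that `# include`, next to the existing `# undef __KERNEL__`, with a one-line comment saying they exist solely for that header.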
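Review bot: The guard `if (ro->ro_rt) ro->ro_rt->rt_use++;` is only sufficient if every later use of `ro->ro_rt` on this path (the function continues outside the hunk) is guarded the same way, in particular the route release at the end and any `rt_ifp` lookup. The visible context dereferences `ro->ro_rt->rt_flags` unconditionally a few lines earlier inside its enclosing block, so the NULL case is presumably the branch where that block is skipped; a comment at the new check naming that case, e.g. `/* no route lookup was done when the caller supplied the interface */`, would make the invariant checkable.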
@@ -518,4 +518,5 @@ extern int iplused[IPL_LOGMAX + 1]; extern struct frentry *ipfilter[2][2], *ipacct[2][2]; extern struct frgroup *ipfgroups[3][2]; extern struct filterstats frstats[]; + #endif /* __IP_FIL_H__ */ diff --git a/contrib/ipfilter/ip_frag.h b/contrib/ipfilter/ip_frag.h index ade7139e4933..9122f17a5115 100644 --- a/contrib/ipfilter/ip_frag.h +++ b/contrib/ipfilter/ip_frag.h @@ -6,7 +6,7 @@ * to the original author and the contributors. * * @(#)ip_frag.h 1.5 3/24/96 - * $Id: ip_frag.h,v 2.0.2.12 1997/10/23 14:56:01 darrenr Exp $ + * $Id: ip_frag.h,v 2.0.2.12.2.1 1998/05/23 14:29:39 darrenr Exp $ */ #ifndef __IP_FRAG_H__ @@ -55,4 +55,5 @@ extern void ipfr_slowtimer __P((void)); #else extern int ipfr_slowtimer __P((void)); #endif + #endif /* __IP_FIL_H__ */ diff --git a/contrib/ipfilter/ip_ftp_pxy.c b/contrib/ipfilter/ip_ftp_pxy.c index 5d6ce1fc002d..7ff8adb50e78 100644 --- a/contrib/ipfilter/ip_ftp_pxy.c +++ b/contrib/ipfilter/ip_ftp_pxy.c @@ -54,18 +54,18 @@ tcphdr_t *tcp; ap_session_t *aps; nat_t *nat; { - u_long sum1, sum2; + u_32_t sum1, sum2; short sel; if (tcp->th_sport == aps->aps_dport) { - sum2 = (u_long)ntohl(tcp->th_ack); + sum2 = (u_32_t)ntohl(tcp->th_ack); sel = aps->aps_sel; if ((aps->aps_after[!sel] > aps->aps_after[sel]) && (sum2 > aps->aps_after[!sel])) { sel = aps->aps_sel = !sel; /* switch to other set */ } if (aps->aps_seqoff[sel] && (sum2 > aps->aps_after[sel])) { - sum1 = (u_long)aps->aps_seqoff[sel]; + sum1 = (u_32_t)aps->aps_seqoff[sel]; tcp->th_ack = htonl(sum2 - sum1); return 2; } @@ -110,7 +110,7 @@ tcphdr_t *tcp; ap_session_t *aps; nat_t *nat; { - register u_long sum1, sum2; + register u_32_t sum1, sum2; char newbuf[IPF_MAXPORTLEN+1]; char portbuf[IPF_MAXPORTLEN+1], *s; int ch = 0, off = (ip->ip_hl << 2) + (tcp->th_off << 2); 
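Review bot: Narrowing `sum1`/`sum2` to `u_32_t` makes `sum2 - sum1` wrap at 2^32 like a TCP sequence number, which fixes the LP64 behaviour, but the direction tests `(sum2 > aps->aps_after[!sel])` and `(sum2 > aps->aps_after[sel])` are still plain unsigned comparisons rather than modular ones, so a session whose sequence space crosses 2^32 after a PORT rewrite selects the wrong offset set and corrupts the acknowledgement. Compare in serial-number space, e.g. `#define SEQ_GT(a,b) ((int)((a) - (b)) > 0)` and `SEQ_GT(sum2, aps->aps_after[!sel])`. The same applies to the `adjust_seqack` hunk further down.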
@@ -243,17 +243,17 @@ nat_t *nat; adjust_seqack: if (tcp->th_dport == aps->aps_dport) { - sum2 = (u_long)ntohl(tcp->th_seq); + sum2 = (u_32_t)ntohl(tcp->th_seq); off = aps->aps_sel; if ((aps->aps_after[!off] > aps->aps_after[off]) && (sum2 > aps->aps_after[!off])) { off = aps->aps_sel = !off; /* switch to other set */ } if (aps->aps_seqoff[off]) { - sum1 = (u_long)aps->aps_after[off] - + sum1 = (u_32_t)aps->aps_after[off] - aps->aps_seqoff[off]; if (sum2 > sum1) { - sum1 = (u_long)aps->aps_seqoff[off]; + sum1 = (u_32_t)aps->aps_seqoff[off]; sum2 += sum1; tcp->th_seq = htonl(sum2); ch = 1; diff --git a/contrib/ipfilter/ip_nat.c b/contrib/ipfilter/ip_nat.c index 0b6c07fc9b4f..102d57f32ab9 100644 --- a/contrib/ipfilter/ip_nat.c +++ b/contrib/ipfilter/ip_nat.c @@ -9,7 +9,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.7 1997/12/02 13:54:27 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.10 1998/05/23 19:05:29 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) @@ -130,10 +130,10 @@ static int nat_ifpaddr __P((nat_t *, void *, struct in_addr *)); void fix_outcksum(sp, n) u_short *sp; -u_long n; +u_32_t n; { register u_short sumshort; - register u_long sum1; + register u_32_t sum1; if (!n) return; @@ -149,10 +149,10 @@ u_long n; void fix_incksum(sp, n) u_short *sp; -u_long n; +u_32_t n; { register u_short sumshort; - register u_long sum1; + register u_32_t sum1; if (!n) return; @@ -456,7 +456,7 @@ struct in_addr *inp; struct in_addr in; #if SOLARIS - in.s_addr = ill->ill_ipif->ipif_local_addr; + in.s_addr = ntohl(ill->ill_ipif->ipif_local_addr); #else /* SOLARIS */ # if linux ; 
@@ -521,7 +521,7 @@ fr_info_t *fin; u_short flags; int direction; { - register u_long sum1, sum2, sumd, l; + register u_32_t sum1, sum2, sumd, l; u_short port = 0, sport = 0, dport = 0, nport = 0; struct in_addr in; tcphdr_t *tcp = NULL; @@ -779,7 +779,7 @@ int *nflags; */ if (flags & IPN_TCPUDP) { tcphdr_t *tcp = (tcphdr_t *)(oip + 1); - u_long sum1, sum2, sumd; + u_32_t sum1, sum2, sumd; struct in_addr in; if (nat->nat_dir == NAT_OUTBOUND) { @@ -964,7 +964,7 @@ int hlen; fr_info_t *fin; { register ipnat_t *np; - register u_long ipa; + register u_32_t ipa; tcphdr_t *tcp = NULL; u_short nflags = 0, sport = 0, dport = 0, *csump = NULL; struct ifnet *ifp; @@ -1281,7 +1281,7 @@ void *ifp; #endif { register nat_t *nat; - register u_long sum1, sum2, sumd; + register u_32_t sum1, sum2, sumd; struct in_addr in; ipnat_t *np; #if defined(_KERNEL) && !SOLARIS diff --git a/contrib/ipfilter/ip_nat.h b/contrib/ipfilter/ip_nat.h index f0cb517bb007..49f5d509d777 100644 --- a/contrib/ipfilter/ip_nat.h +++ b/contrib/ipfilter/ip_nat.h @@ -6,7 +6,7 @@ * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 - * $Id: ip_nat.h,v 2.0.2.23.2.1 1997/11/05 11:08:18 darrenr Exp $ + * $Id: ip_nat.h,v 2.0.2.23.2.3 1998/05/23 18:52:44 darrenr Exp $ */ #ifndef __IP_NAT_H__ @@ -44,8 +44,8 @@ typedef struct nat { u_long nat_age; int nat_flags; - u_long nat_sumd; - u_long nat_ipsumd; + u_32_t nat_sumd; + u_32_t nat_ipsumd; void *nat_data; struct in_addr nat_inip; struct in_addr nat_outip; @@ -175,6 +175,7 @@ extern int ip_natout __P((ip_t *, int, fr_info_t *)); extern int ip_natin __P((ip_t *, int, fr_info_t *)); extern void ip_natunload __P((void)), ip_natexpire __P((void)); extern void nat_log __P((struct nat *, u_short)); -extern void fix_incksum __P((u_short *, u_long)); -extern void fix_outcksum __P((u_short *, u_long)); +extern void fix_incksum __P((u_short *, u_32_t)); +extern void fix_outcksum __P((u_short *, u_32_t)); + #endif /* __IP_NAT_H__ */ 
diff --git a/contrib/ipfilter/ip_proxy.c b/contrib/ipfilter/ip_proxy.c index cc3b9a0d032e..0fb7e95e1bb2 100644 --- a/contrib/ipfilter/ip_proxy.c +++ b/contrib/ipfilter/ip_proxy.c @@ -6,7 +6,7 @@ * to the original author and the contributors. */ #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.0.2.11.2.6 1997/11/28 00:41:25 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.0.2.11.2.7 1998/05/18 11:15:22 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) @@ -111,15 +111,37 @@ ipnat_t *nat; } +static int +ap_matchsrcdst(aps, src, dst, tcp, sport, dport) +ap_session_t *aps; +struct in_addr src, dst; +void *tcp; +u_short sport, dport; +{ + if (aps->aps_dst.s_addr == dst.s_addr) { + if ((aps->aps_src.s_addr == src.s_addr) && + (!tcp || (sport == aps->aps_sport) && + (dport == aps->aps_dport))) + return 1; + } else if (aps->aps_dst.s_addr == src.s_addr) { + if ((aps->aps_src.s_addr == dst.s_addr) && + (!tcp || (sport == aps->aps_dport) && + (dport == aps->aps_sport))) + return 1; + } + return 0; +} + + static ap_session_t *ap_find(ip, tcp) ip_t *ip; tcphdr_t *tcp; { - struct in_addr src, dst; - register u_long hv; - register u_short sp, dp; - register ap_session_t *aps; register u_char p = ip->ip_p; + register ap_session_t *aps; + register u_short sp, dp; + register u_long hv; + struct in_addr src, dst; src = ip->ip_src, dst = ip->ip_dst; sp = dp = 0; /* XXX gcc -Wunitialized */ @@ -136,14 +158,8 @@ tcphdr_t *tcp; for (aps = ap_sess_tab[hv]; aps; aps = aps->aps_next) if ((aps->aps_p == p) && - IPPAIR(aps->aps_src, aps->aps_dst, src, dst)) { - if (tcp) { - if (PAIRS(aps->aps_sport, aps->aps_dport, - sp, dp)) - break; - } else - break; - } + ap_matchsrcdst(aps, src, dst, tcp, sp, dp)) + break; return aps; } diff --git a/contrib/ipfilter/ip_state.c b/contrib/ipfilter/ip_state.c index bffb17b7fa45..89a2c3bf358a 100644 --- a/contrib/ipfilter/ip_state.c +++ b/contrib/ipfilter/ip_state.c 
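Review bot: In `ap_matchsrcdst()` the port test is written `(!tcp || (sport == aps->aps_sport) && (dport == aps->aps_dport))`; `&&` binds tighter than `||`, so it means what is intended, but the precedence is left implicit and gcc's -Wparentheses flags it. Write `(!tcp || ((sport == aps->aps_sport) && (dport == aps->aps_dport)))`, and the mirror in the reversed branch. A one-line comment that the reversed branch ties the swapped ports to the swapped addresses would also record that this is a deliberate tightening over the old `IPPAIR`/`PAIRS` pair, which matched ports independently of address direction.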
@@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.4 1997/11/19 11:44:09 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.14 1998/05/24 03:53:04 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) && !defined(__KERNEL__) @@ -85,6 +85,11 @@ ips_stat_t ips_stats; extern kmutex_t ipf_state; #endif +static int fr_matchsrcdst __P((ipstate_t *, struct in_addr, struct in_addr, + fr_info_t *, void *, u_short, u_short)); +static int fr_state_flush __P((int)); +static ips_stat_t *fr_statetstats __P((void)); + #define FIVE_DAYS (2 * 5 * 86400) /* 5 days: half closed session */ @@ -97,7 +102,7 @@ u_long fr_tcpidletimeout = FIVE_DAYS, fr_icmptimeout = 120; -ips_stat_t *fr_statetstats() +static ips_stat_t *fr_statetstats() { ips_stats.iss_active = ips_num; ips_stats.iss_table = ips_table; @@ -111,7 +116,7 @@ ips_stat_t *fr_statetstats() * which == 1 : flush TCP connections which have started to close but are * stuck for some reason. */ -int fr_state_flush(which) +static int fr_state_flush(which) int which; { register int i; @@ -134,10 +139,10 @@ int which; break; case 1 : if ((is->is_p == IPPROTO_TCP) && - ((is->is_state[0] <= TCPS_ESTABLISHED) && - (is->is_state[1] > TCPS_ESTABLISHED)) || - ((is->is_state[1] <= TCPS_ESTABLISHED) && - (is->is_state[0] > TCPS_ESTABLISHED))) + (((is->is_state[0] <= TCPS_ESTABLISHED) && + (is->is_state[1] > TCPS_ESTABLISHED)) || + ((is->is_state[1] <= TCPS_ESTABLISHED) && + (is->is_state[0] > TCPS_ESTABLISHED)))) delete = 1; break; } @@ -237,7 +242,7 @@ u_int pass; switch (ic->icmp_type) { case ICMP_ECHO : - is->is_icmp.ics_type = 0; + is->is_icmp.ics_type = ICMP_ECHOREPLY; /* XXX */ hv += (is->is_icmp.ics_id = ic->icmp_id); hv += (is->is_icmp.ics_seq = ic->icmp_seq); break; 
@@ -301,11 +306,33 @@ u_int pass; bcopy((char *)&ips, (char *)is, sizeof(*is)); hv %= IPSTATE_SIZE; MUTEX_ENTER(&ipf_state); - is->is_next = ips_table[hv]; - ips_table[hv] = is; + is->is_pass = pass; is->is_pkts = 1; is->is_bytes = ip->ip_len; + /* + * Copy these from the rule itself. + */ + is->is_opt = fin->fin_fr->fr_ip.fi_optmsk; + is->is_optmsk = fin->fin_fr->fr_mip.fi_optmsk; + is->is_sec = fin->fin_fr->fr_ip.fi_secmsk; + is->is_secmsk = fin->fin_fr->fr_mip.fi_secmsk; + is->is_auth = fin->fin_fr->fr_ip.fi_auth; + is->is_authmsk = fin->fin_fr->fr_mip.fi_auth; + is->is_flags = fin->fin_fr->fr_ip.fi_fl; + is->is_flags |= fin->fin_fr->fr_mip.fi_fl << 4; + /* + * add into table. + */ + is->is_next = ips_table[hv]; + ips_table[hv] = is; + if (fin->fin_out) { + is->is_ifpin = NULL; + is->is_ifpout = fin->fin_ifp; + } else { + is->is_ifpin = fin->fin_ifp; + is->is_ifpout = NULL; + } if (pass & FR_LOGFIRST) is->is_pass &= ~(FR_LOGFIRST|FR_LOG); ips_num++; @@ -324,12 +351,11 @@ u_int pass; * change timeout depending on whether new packet is a SYN-ACK returning for a * SYN or a RST or FIN which indicate time to close up shop. */ -int fr_tcpstate(is, fin, ip, tcp, sport) +int fr_tcpstate(is, fin, ip, tcp) register ipstate_t *is; fr_info_t *fin; ip_t *ip; tcphdr_t *tcp; -u_short sport; { register int seqskew, ackskew; register u_short swin, dwin; @@ -341,7 +367,7 @@ u_short sport; */ seq = ntohl(tcp->th_seq); ack = ntohl(tcp->th_ack); - source = (sport == is->is_sport); + source = (ip->ip_src.s_addr == is->is_src.s_addr); if (!(tcp->th_flags & TH_ACK)) /* Pretend an ack was sent */ ack = source ? is->is_ack : is->is_seq; @@ -385,7 +411,7 @@ u_short sport; swin = is->is_dwin; } - if ((seqskew <= swin) && (ackskew <= dwin)) { + if ((seqskew <= dwin) && (ackskew <= swin)) { if (source) { is->is_seq = seq; is->is_ack = ack; 
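Review bot: `is->is_flags |= fin->fin_fr->fr_mip.fi_fl << 4;` packs the rule's flag mask into the upper nibble of `is_flags`, which the ip_state.h hunk below declares `u_char`; this only round-trips if `fi_fl` uses just the low four bits, an assumption the code makes without saying. Add `/* low nibble: fi_fl value, high nibble: fi_fl mask (fi_fl must fit in 4 bits) */` at that line, and note at the `is_ifpin`/`is_ifpout` assignment that the slot for the direction not yet seen is deliberately NULL so it can be bound on the first reply. `fin->fin_fr` is dereferenced without a check; if `fr_addstate()` (which starts outside the hunk) can be reached with no matching rule, that needs a guard.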
@@ -401,14 +427,81 @@ u_short sport; /* * Nearing end of connection, start timeout. */ - fr_tcp_age(&is->is_age, is->is_state, ip, fin, - tcp->th_sport == is->is_sport); + fr_tcp_age(&is->is_age, is->is_state, ip, fin, source); return 1; } return 0; } +static int fr_matchsrcdst(is, src, dst, fin, tcp, sp, dp) +ipstate_t *is; +struct in_addr src, dst; +fr_info_t *fin; +void *tcp; +u_short sp, dp; +{ + int ret = 0, rev, out; + void *ifp; + + rev = (is->is_dst.s_addr != dst.s_addr); + ifp = fin->fin_ifp; + out = fin->fin_out; + + if (!rev) { + if (out) { + if (!is->is_ifpout) + is->is_ifpout = ifp; + } else { + if (!is->is_ifpin) + is->is_ifpin = ifp; + } + } else { + if (out) { + if (!is->is_ifpin) + is->is_ifpin = ifp; + } else { + if (!is->is_ifpout) + is->is_ifpout = ifp; + } + } + + if (!rev) { + if (((out && is->is_ifpout == ifp) || + (!out && is->is_ifpin == ifp)) && + (is->is_dst.s_addr == dst.s_addr) && + (is->is_src.s_addr == src.s_addr) && + (!tcp || (sp == is->is_sport) && + (dp == is->is_dport))) { + ret = 1; + } + } else { + if (((out && is->is_ifpin == ifp) || + (!out && is->is_ifpout == ifp)) && + (is->is_dst.s_addr == src.s_addr) && + (is->is_src.s_addr == dst.s_addr) && + (!tcp || (sp == is->is_dport) && + (dp == is->is_sport))) { + ret = 1; + } + } + + /* + * Whether or not this should be here, is questionable, but the aim + * is to get this out of the main line. + */ + if (ret) { + if (((fin->fin_fi.fi_optmsk & is->is_optmsk) != is->is_opt) || + ((fin->fin_fi.fi_secmsk & is->is_secmsk) != is->is_sec) || + ((fin->fin_fi.fi_auth & is->is_authmsk) != is->is_auth) || + ((fin->fin_fi.fi_fl & (is->is_flags >> 4)) != + (is->is_flags & 0xf))) + ret = 0; + } + return ret; +} + + /* * Check if a packet has a registered state. */ 
@@ -447,13 +540,8 @@ fr_info_t *fin; if ((is->is_p == pr) && (ic->icmp_id == is->is_icmp.ics_id) && (ic->icmp_seq == is->is_icmp.ics_seq) && - IPPAIR(src, dst, is->is_src, is->is_dst)) { - /* - * If we have type 0 stored, allow any icmp - * replies through. - */ - if (is->is_icmp.ics_type && - is->is_icmp.ics_type != ic->icmp_type) + fr_matchsrcdst(is, src, dst, fin, NULL, 0, 0)) { + if (is->is_icmp.ics_type != ic->icmp_type) continue; is->is_age = fr_icmptimeout; is->is_pkts++; @@ -473,11 +561,11 @@ fr_info_t *fin; hv += sport; hv %= IPSTATE_SIZE; MUTEX_ENTER(&ipf_state); - for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next) { + for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next) if ((is->is_p == pr) && - PAIRS(sport, dport, is->is_sport, is->is_dport) && - IPPAIR(src, dst, is->is_src, is->is_dst)) - if (fr_tcpstate(is, fin, ip, tcp, sport)) { + fr_matchsrcdst(is, src, dst, fin, tcp, + sport, dport)) { + if (fr_tcpstate(is, fin, ip, tcp)) { pass = is->is_pass; #ifdef _KERNEL MUTEX_EXIT(&ipf_state); @@ -491,7 +579,7 @@ fr_info_t *fin; #endif return pass; } - } + } MUTEX_EXIT(&ipf_state); break; } @@ -508,8 +596,8 @@ fr_info_t *fin; MUTEX_ENTER(&ipf_state); for (is = ips_table[hv]; is; is = is->is_next) if ((is->is_p == pr) && - PAIRS(sport, dport, is->is_sport, is->is_dport) && - IPPAIR(src, dst, is->is_src, is->is_dst)) { + fr_matchsrcdst(is, src, dst, fin, + tcp, sport, dport)) { ips_stats.iss_hits++; is->is_pkts++; is->is_bytes += ip->ip_len; diff --git a/contrib/ipfilter/ip_state.h b/contrib/ipfilter/ip_state.h index 3d87a2186c6d..f2ae94bb7020 100644 --- a/contrib/ipfilter/ip_state.h +++ b/contrib/ipfilter/ip_state.h @@ -6,7 +6,7 @@ * to the original author and the contributors. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed - * $Id: ip_state.h,v 2.0.2.14.2.1 1997/11/06 21:23:15 darrenr Exp $ + * $Id: ip_state.h,v 2.0.2.14.2.6 1998/05/24 05:18:04 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ 
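Review bot: With `ics_type` now stored as ICMP_ECHOREPLY, which is 0, the old `is->is_icmp.ics_type &&` wildcard was in practice always off, so the new `if (is->is_icmp.ics_type != ic->icmp_type) continue;` is a welcome tightening that only lets real echo replies ride the entry; but the `icmp_id`/`icmp_seq` comparisons on the preceding lines still run before the type test, reading fields that other ICMP types do not carry. Move the type test into the surrounding `if` as its first term, `(ic->icmp_type == is->is_icmp.ics_type) &&`, and drop the inner `continue`. Operators should note that ICMP errors (unreachable, time exceeded) quoting the echo request no longer match the state entry and need an explicit rule.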
@@ -47,10 +47,18 @@ typedef struct ipstate { u_int is_pass; U_QUAD_T is_pkts; U_QUAD_T is_bytes; + void *is_ifpin; + void *is_ifpout; struct in_addr is_src; struct in_addr is_dst; u_char is_p; u_char is_flags; + u_32_t is_opt; + u_32_t is_optmsk; + u_short is_sec; + u_short is_secmsk; + u_short is_auth; + u_short is_authmsk; union { icmpstate_t is_ics; tcpstate_t is_ts; @@ -120,14 +128,11 @@ extern u_long fr_tcptimeout; extern u_long fr_tcpclosed; extern u_long fr_udptimeout; extern u_long fr_icmptimeout; -extern int fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *, - tcphdr_t *, u_short)); -extern ips_stat_t *fr_statetstats __P((void)); +extern int fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *, tcphdr_t *)); extern int fr_addstate __P((ip_t *, fr_info_t *, u_int)); extern int fr_checkstate __P((ip_t *, fr_info_t *)); extern void fr_timeoutstate __P((void)); extern void fr_tcp_age __P((u_long *, u_char *, ip_t *, fr_info_t *, int)); -extern int fr_state_flush __P((int)); extern void fr_stateunload __P((void)); extern void ipstate_log __P((struct ipstate *, u_short)); #if defined(__NetBSD__) || defined(__OpenBSD__) @@ -135,4 +140,5 @@ extern int fr_state_ioctl __P((caddr_t, u_long, int)); #else extern int fr_state_ioctl __P((caddr_t, int, int)); #endif + #endif /* __IP_STATE_H__ */ diff --git a/contrib/ipfilter/ipf.c b/contrib/ipfilter/ipf.c index b4069e2ebcf1..28500198957e 100644 --- a/contrib/ipfilter/ipf.c +++ b/contrib/ipfilter/ipf.c @@ -40,7 +40,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipf.c,v 2.0.2.13.2.2 1997/11/06 21:23:36 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipf.c,v 2.0.2.13.2.4 1998/05/23 14:29:44 darrenr Exp $"; #endif static void frsync __P((void)); 
@@ -204,12 +204,10 @@ char *name, *file; exit(1); } - while (getline(line, sizeof(line)-1, fp)) { + while (getline(line, sizeof(line), fp)) { /* - * treat both CR and LF as EOL + * treat CR as EOL. LF is converted to NUL by getline(). */ - if ((s = index(line, '\n'))) - *s = '\0'; if ((s = index(line, '\r'))) *s = '\0'; /* @@ -222,7 +220,7 @@ char *name, *file; continue; if (opts & OPT_VERBOSE) - (void)fprintf(stderr, "[%s]\n",line); + (void)fprintf(stderr, "[%s]\n", line); fr = parse(line); (void)fflush(stdout); @@ -269,24 +267,34 @@ char *name, *file; } } } + if (ferror(fp) || !feof(fp)) { + fprintf(stderr, "%s: %s: file error or line too long\n", + name, file); + exit(1); + } (void)fclose(fp); } /* - * Similar to fgets(3) but can handle '\\' + * Similar to fgets(3) but can handle '\\' and NL is converted to NUL. + * Returns NULL if error occured, EOF encounterd or input line is too long. */ static char *getline(str, size, file) register char *str; size_t size; FILE *file; { - register char *p; - register int len; + char *p; + int s, len; do { - for (p = str; ; p += strlen(p) - 1) { - if (!fgets(p, size, file)) - return(NULL); + for (p = str, s = size;; p += len, s -= len) { + /* + * if an error occured, EOF was encounterd, or there + * was no room to put NUL, return NULL. + */ + if (fgets(p, s, file) == NULL) + return (NULL); len = strlen(p); p[len - 1] = '\0'; if (p[len - 1] != '\\') @@ -294,7 +302,7 @@ FILE *file; size -= len; } } while (*str == '\0' || *str == '\n'); - return(str); + return (str); } @@ -398,7 +406,9 @@ static void swapactive() static void frsync() { - if (opendevice(ipfname) != -2 && ioctl(fd, SIOCFRSYN, 0) == -1) + int frsyn = 0; + + if (opendevice(ipfname) != -2 && ioctl(fd, SIOCFRSYN, &frsyn) == -1) perror("SIOCFRSYN"); else printf("filter sync'd\n"); diff --git a/contrib/ipfilter/ipft_tx.c b/contrib/ipfilter/ipft_tx.c index 9be852b6619a..36372a1ae26c 100644 --- a/contrib/ipfilter/ipft_tx.c +++ b/contrib/ipfilter/ipft_tx.c 
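Review bot: The continuation test in the new `getline()` loop cannot fire: the context line `p[len - 1] = '\0';` overwrites the byte that `if (p[len - 1] != '\\')` then inspects, and even if it did, the new increment `p += len` steps past that NUL and leaves it embedded in the buffer instead of overwriting the backslash as the old `p += strlen(p) - 1` did. The same line also chops the last character of a final line with no trailing newline, and a `len` of 0 (fgets() with one byte of room left) writes `p[-1]`. Strip the newline only when present, test the byte before it for the backslash and step back one so the next fgets() overwrites it; the `size -= len;` in the following hunk then duplicates `s -= len` and can go.
```c
	do {
		for (p = str, s = size;; p += len, s -= len) {
			/* ... unchanged: fgets() and its NULL return ... */
			len = strlen(p);
			if (len > 0 && p[len - 1] == '\n')
				p[--len] = '\0';
			else if (!feof(file))
				return (NULL);	/* longer than the buffer: reject */
			if (len < 1 || p[len - 1] != '\\')
				break;
			len--;			/* next fgets() overwrites the '\\' */
		}
	} while (*str == '\0' || *str == '\n');
```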
@@ -43,7 +43,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.0.2.11.2.1 1997/11/12 10:56:11 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.0.2.11.2.3 1998/05/23 19:20:32 darrenr Exp $"; #endif extern int opts; @@ -62,7 +62,7 @@ struct ipread iptext = { text_open, text_close, text_readip }; static FILE *tfp = NULL; static int tfd = -1; -static u_long tx_hostnum __P((char *, int *)); +static u_32_t tx_hostnum __P((char *, int *)); static u_short tx_portnum __P((char *)); @@ -70,7 +70,7 @@ static u_short tx_portnum __P((char *)); * returns an ip address as a long var as a result of either a DNS lookup or * straight inet_addr() call */ -static u_long tx_hostnum(host, resolved) +static u_32_t tx_hostnum(host, resolved) char *host; int *resolved; { @@ -89,7 +89,7 @@ int *resolved; fprintf(stderr, "can't resolve hostname: %s\n", host); return 0; } - return np->n_net; + return htonl(np->n_net); } return *(u_32_t *)hp->h_addr; } diff --git a/contrib/ipfilter/ipl.h b/contrib/ipfilter/ipl.h index 4ad6bd312f5d..d92ec79542ff 100644 --- a/contrib/ipfilter/ipl.h +++ b/contrib/ipfilter/ipl.h @@ -11,6 +11,6 @@ #ifndef __IPL_H__ #define __IPL_H__ -#define IPL_VERSION "IP Filter v3.2.3" +#define IPL_VERSION "IP Filter v3.2.7" #endif diff --git a/contrib/ipfilter/iplang/iplang_l.l b/contrib/ipfilter/iplang/iplang_l.l index 458a85206996..89b77322ef25 100644 --- a/contrib/ipfilter/iplang/iplang_l.l +++ b/contrib/ipfilter/iplang/iplang_l.l @@ -1,7 +1,3 @@ -%e 1500 -%p 4000 -%a 4000 -%o 6000 %{ /* * Copyright (C) 1997 by Darren Reed. @@ -10,7 +6,7 @@ * provided that this notice is preserved and due credit is given * to the original author and the contributors. * - * $Id: iplang_l.l,v 2.0.2.15.2.2 1997/12/10 09:54:15 darrenr Exp $ + * $Id: iplang_l.l,v 2.0.2.15.2.5 1997/12/28 01:32:13 darrenr Exp $ */ #include #include 
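Review bot: `return htonl(np->n_net);` fixes the byte order but presumably not the alignment of the value: getnetbyname() returns the network number right-justified in host order (net 10 is 10, not 0x0a000000), so `htonl()` yields 0.0.0.10 rather than 10.0.0.0. If `tx_hostnum()` is meant to produce an address comparable with class A/B/C networks, the number has to be shifted to its class position first, e.g. `return inet_makeaddr(np->n_net, 0).s_addr;`. This only affects the test-harness input path, not the kernel filter.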
@@ -46,134 +42,143 @@ int next_item __P((int)); int save_token __P((void)); void swallow __P((void)); int yylex __P((void)); -%} +struct wordtab { + char *word; + int state; + int next; +}; + +struct wordtab words[] = { + { "interface", IL_INTERFACE, -1 }, + { "iface", IL_INTERFACE, -1 }, + { "name", IL_IFNAME, IL_TOKEN }, + { "ifname", IL_IFNAME, IL_TOKEN }, + { "router", IL_DEFROUTER, IL_TOKEN }, + { "mtu", IL_MTU, IL_NUMBER }, + { "eaddr", IL_EADDR, IL_TOKEN }, + { "v4addr", IL_V4ADDR, IL_TOKEN }, + { "ipv4", IL_IPV4, -1 }, + { "v", IL_V4V, IL_TOKEN }, + { "proto", IL_V4PROTO, IL_TOKEN }, + { "hl", IL_V4HL, IL_TOKEN }, + { "id", IL_V4ID, IL_TOKEN }, + { "ttl", IL_V4TTL, IL_TOKEN }, + { "tos", IL_V4TOS, IL_TOKEN }, + { "src", IL_V4SRC, IL_TOKEN }, + { "dst", IL_V4DST, IL_TOKEN }, + { "opt", IL_OPT, -1 }, + { "len", IL_LEN, IL_TOKEN }, + { "off", IL_OFF, IL_TOKEN }, + { "sum", IL_SUM, IL_TOKEN }, + { "tcp", IL_TCP, -1 }, + { "sport", IL_SPORT, IL_TOKEN }, + { "dport", IL_DPORT, IL_TOKEN }, + { "seq", IL_TCPSEQ, IL_TOKEN }, + { "ack", IL_TCPACK, IL_TOKEN }, + { "flags", IL_TCPFL, IL_TOKEN }, + { "urp", IL_TCPURP, IL_TOKEN }, + { "win", IL_TCPWIN, IL_TOKEN }, + { "udp", IL_UDP, -1 }, + { "send", IL_SEND, -1 }, + { "via", IL_VIA, IL_TOKEN }, + { "arp", IL_ARP, -1 }, + { "data", IL_DATA, -1 }, + { "value", IL_DVALUE, IL_TOKEN }, + { "file", IL_DFILE, IL_TOKEN }, + { "nop", IL_IPO_NOP, -1 }, + { "eol", IL_IPO_EOL, -1 }, + { "rr", IL_IPO_RR, -1 }, + { "zsu", IL_IPO_ZSU, -1 }, + { "mtup", IL_IPO_MTUP, -1 }, + { "mtur", IL_IPO_MTUR, -1 }, + { "encode", IL_IPO_ENCODE, -1 }, + { "ts", IL_IPO_TS, -1 }, + { "tr", IL_IPO_TR, -1 }, + { "sec", IL_IPO_SEC, -1 }, + { "secclass", IL_IPO_SECCLASS, IL_TOKEN }, + { "lsrr", IL_IPO_LSRR, -1 }, + { "esec", IL_IPO_ESEC, -1 }, + { "cipso", IL_IPO_CIPSO, -1 }, + { "satid", IL_IPO_SATID, -1 }, + { "ssrr", IL_IPO_SSRR, -1 }, + { "addext", IL_IPO_ADDEXT, -1 }, + { "visa", IL_IPO_VISA, -1 }, + { "imitd", IL_IPO_IMITD, -1 }, + { "eip", 
IL_IPO_EIP, -1 }, + { "finn", IL_IPO_FINN, -1 }, + { "mss", IL_TCPO_MSS, IL_TOKEN }, + { "wscale", IL_TCPO_WSCALE, IL_TOKEN }, + { "reserv-4", IL_IPS_RESERV4, -1 }, + { "topsecret", IL_IPS_TOPSECRET, -1 }, + { "secret", IL_IPS_SECRET, -1 }, + { "reserv-3", IL_IPS_RESERV3, -1 }, + { "confid", IL_IPS_CONFID, -1 }, + { "unclass", IL_IPS_UNCLASS, -1 }, + { "reserv-2", IL_IPS_RESERV2, -1 }, + { "reserv-1", IL_IPS_RESERV1, -1 }, + { "icmp", IL_ICMP, -1 }, + { "type", IL_ICMPTYPE, -1 }, + { "code", IL_ICMPCODE, -1 }, + { "echorep", IL_ICMP_ECHOREPLY, -1 }, + { "unreach", IL_ICMP_UNREACH, -1 }, + { "squench", IL_ICMP_SOURCEQUENCH, -1 }, + { "redir", IL_ICMP_REDIRECT, -1 }, + { "echo", IL_ICMP_ECHO, -1 }, + { "routerad", IL_ICMP_ROUTERADVERT, -1 }, + { "routersol", IL_ICMP_ROUTERSOLICIT, -1 }, + { "timex", IL_ICMP_TIMXCEED, -1 }, + { "paramprob", IL_ICMP_PARAMPROB, -1 }, + { "timest", IL_ICMP_TSTAMP, -1 }, + { "timestrep", IL_ICMP_TSTAMPREPLY, -1 }, + { "inforeq", IL_ICMP_IREQ, -1 }, + { "inforep", IL_ICMP_IREQREPLY, -1 }, + { "maskreq", IL_ICMP_MASKREQ, -1 }, + { "maskrep", IL_ICMP_MASKREPLY, -1 }, + { "net-unr", IL_ICMP_UNREACH_NET, -1 }, + { "host-unr", IL_ICMP_UNREACH_HOST, -1 }, + { "proto-unr", IL_ICMP_UNREACH_PROTOCOL, -1 }, + { "port-unr", IL_ICMP_UNREACH_PORT, -1 }, + { "needfrag", IL_ICMP_UNREACH_NEEDFRAG, -1 }, + { "srcfail", IL_ICMP_UNREACH_SRCFAIL, -1 }, + { "net-unk", IL_ICMP_UNREACH_NET_UNKNOWN, -1 }, + { "host-unk", IL_ICMP_UNREACH_HOST_UNKNOWN, -1 }, + { "isolate", IL_ICMP_UNREACH_ISOLATED, -1 }, + { "net-prohib", IL_ICMP_UNREACH_NET_PROHIB, -1 }, + { "host-prohib", IL_ICMP_UNREACH_HOST_PROHIB, -1 }, + { "net-tos", IL_ICMP_UNREACH_TOSNET, -1 }, + { "host-tos", IL_ICMP_UNREACH_TOSHOST, -1 }, + { "filter-prohib", IL_ICMP_UNREACH_FILTER_PROHIB, -1 }, + { "host-preced", IL_ICMP_UNREACH_HOST_PRECEDENCE, -1 }, + { "cutoff-preced", IL_ICMP_UNREACH_PRECEDENCE_CUTOFF, -1 }, + { "net-redir", IL_ICMP_REDIRECT_NET, -1 }, + { "host-redir", IL_ICMP_REDIRECT_HOST, -1 }, + 
{ "tos-net-redir", IL_ICMP_REDIRECT_TOSNET, -1 }, + { "tos-host-redir", IL_ICMP_REDIRECT_TOSHOST, -1 }, + { "intrans", IL_ICMP_TIMXCEED_INTRANS, -1 }, + { "reass", IL_ICMP_TIMXCEED_REASS, -1 }, + { "optabsent", IL_ICMP_PARAMPROB_OPTABSENT, -1 }, + { "otime", IL_ICMP_OTIME, -1 }, + { "rtime", IL_ICMP_RTIME, -1 }, + { "ttime", IL_ICMP_TTIME, -1 }, + { "icmpseq", IL_ICMP_SEQ, -1 }, + { "icmpid", IL_ICMP_SEQ, -1 }, + { ".", IL_DOT, -1 }, + { NULL, 0, 0 } +}; +%} +white [ \t\r]+ %% -[ \t\r] ; +{white} ; \n { lineNum++; swallow(); } -interface | -iface { return next_state(IL_INTERFACE, -1); } -name | -ifname { return next_state(IL_IFNAME, IL_TOKEN); } -router { return next_state(IL_DEFROUTER, IL_TOKEN); } -mtu { return next_state(IL_MTU, IL_NUMBER); } -eaddr { return next_state(IL_EADDR, IL_TOKEN); } -v4addr { return next_state(IL_V4ADDR, IL_TOKEN); } -ipv4 { return next_state(IL_IPV4, -1); } -v { return next_state(IL_V4V, IL_TOKEN); } -proto { return next_state(IL_V4PROTO, IL_TOKEN); } -hl { return next_state(IL_V4HL, IL_TOKEN); } -id { return next_state(IL_V4ID, IL_TOKEN); } -ttl { return next_state(IL_V4TTL, IL_TOKEN); } -tos { return next_state(IL_V4TOS, IL_TOKEN); } -src { return next_state(IL_V4SRC, IL_TOKEN); } -dst { return next_state(IL_V4DST, IL_TOKEN); } -opt { return next_state(IL_OPT, -1); } -len { return next_state(IL_LEN, IL_TOKEN); } -off { return next_state(IL_OFF, IL_TOKEN); } -sum { return next_state(IL_SUM, IL_TOKEN); } -tcp { return next_state(IL_TCP, -1); } -sport { return next_state(IL_SPORT, IL_TOKEN); } -dport { return next_state(IL_DPORT, IL_TOKEN); } -seq { return next_state(IL_TCPSEQ, IL_TOKEN); } -ack { return next_state(IL_TCPACK, IL_TOKEN); } -flags { return next_state(IL_TCPFL, IL_TOKEN); } -urp { return next_state(IL_TCPURP, IL_TOKEN); } -win { return next_state(IL_TCPWIN, IL_TOKEN); } -udp { return next_state(IL_UDP, -1); } -send { return next_state(IL_SEND, -1); } -via { return next_state(IL_VIA, IL_TOKEN); } -arp { return 
next_state(IL_ARP, -1); } -data { return next_state(IL_DATA, -1); } -value { return next_state(IL_DVALUE, IL_TOKEN); } -file { return next_state(IL_DFILE, IL_TOKEN); } -nop { return next_state(IL_IPO_NOP, -1); } -eol { return next_state(IL_IPO_EOL, -1); } -rr { return next_state(IL_IPO_RR, -1); } -zsu { return next_state(IL_IPO_ZSU, -1); } -mtup { return next_state(IL_IPO_MTUP, -1); } -mtur { return next_state(IL_IPO_MTUR, -1); } -encode { return next_state(IL_IPO_ENCODE, -1); } -ts { return next_state(IL_IPO_TS, -1); } -tr { return next_state(IL_IPO_TR, -1); } -sec { return next_state(IL_IPO_SEC, -1); } -secclass { return next_state(IL_IPO_SECCLASS, IL_TOKEN); } -lsrr { return next_state(IL_IPO_LSRR, -1); } -esec { return next_state(IL_IPO_ESEC, -1); } -cipso { return next_state(IL_IPO_CIPSO, -1); } -satid { return next_state(IL_IPO_SATID, -1); } -ssrr { return next_state(IL_IPO_SSRR, -1); } -addext { return next_state(IL_IPO_ADDEXT, -1); } -visa { return next_state(IL_IPO_VISA, -1); } -imitd { return next_state(IL_IPO_IMITD, -1); } -eip { return next_state(IL_IPO_EIP, -1); } -finn { return next_state(IL_IPO_FINN, -1); } -mss { return next_state(IL_TCPO_MSS, IL_TOKEN); } -wscale { return next_state(IL_TCPO_MSS, IL_TOKEN); } -reserv-4 { return next_state(IL_IPS_RESERV4, -1); } -topsecret { return next_state(IL_IPS_TOPSECRET, -1); } -secret { return next_state(IL_IPS_SECRET, -1); } -reserv-3 { return next_state(IL_IPS_RESERV3, -1); } -confid { return next_state(IL_IPS_CONFID, -1); } -unclass { return next_state(IL_IPS_UNCLASS, -1); } -reserv-2 { return next_state(IL_IPS_RESERV2, -1); } -reserv-1 { return next_state(IL_IPS_RESERV1, -1); } -icmp { return next_state(IL_ICMP, -1); } -type { return next_state(IL_ICMPTYPE, -1); } -code { return next_state(IL_ICMPCODE, -1); } -echorep { return next_state(IL_ICMP_ECHOREPLY, -1); } -unreach { return next_state(IL_ICMP_UNREACH, -1); } -squench { return next_state(IL_ICMP_SOURCEQUENCH, -1); } -redir { return 
next_state(IL_ICMP_REDIRECT, -1); } -echo { return next_state(IL_ICMP_ECHO, -1); } -routerad { return next_state(IL_ICMP_ROUTERADVERT, -1); } -routersol { return next_state(IL_ICMP_ROUTERSOLICIT, -1); } -timex { return next_state(IL_ICMP_TIMXCEED, -1); } -paramprob { return next_state(IL_ICMP_PARAMPROB, -1); } -timest { return next_state(IL_ICMP_TSTAMP, -1); } -timestrep { return next_state(IL_ICMP_TSTAMPREPLY, -1); } -inforeq { return next_state(IL_ICMP_IREQ, -1); } -inforep { return next_state(IL_ICMP_IREQREPLY, -1); } -maskreq { return next_state(IL_ICMP_MASKREQ, -1); } -maskrep { return next_state(IL_ICMP_MASKREPLY, -1); } -net-unr { return next_state(IL_ICMP_UNREACH_NET, -1); } -host-unr { return next_state(IL_ICMP_UNREACH_HOST, -1); } -proto-unr { return next_state(IL_ICMP_UNREACH_PROTOCOL, -1); } -port-unr { return next_state(IL_ICMP_UNREACH_PORT, -1); } -needfrag { return next_state(IL_ICMP_UNREACH_NEEDFRAG, -1); } -srcfail { return next_state(IL_ICMP_UNREACH_SRCFAIL, -1); } -net-unk { return next_state(IL_ICMP_UNREACH_NET_UNKNOWN, -1); } -host-unk { return next_state(IL_ICMP_UNREACH_HOST_UNKNOWN, -1); } -isolate { return next_state(IL_ICMP_UNREACH_ISOLATED, -1); } -net-prohib { return next_state(IL_ICMP_UNREACH_NET_PROHIB, -1); } -host-prohib { return next_state(IL_ICMP_UNREACH_HOST_PROHIB, -1); } -net-tos { return next_state(IL_ICMP_UNREACH_TOSNET, -1); } -host-tos { return next_state(IL_ICMP_UNREACH_TOSHOST, -1); } -filter-prohib { return next_state(IL_ICMP_UNREACH_FILTER_PROHIB, -1); } -host-preced { return next_state(IL_ICMP_UNREACH_HOST_PRECEDENCE, -1); } -cutoff-preced { return next_state(IL_ICMP_UNREACH_PRECEDENCE_CUTOFF, -1); } -net-redir { return next_state(IL_ICMP_REDIRECT_NET, -1); } -host-redir { return next_state(IL_ICMP_REDIRECT_HOST, -1); } -tos-net-redir { return next_state(IL_ICMP_REDIRECT_TOSNET, -1); } -tos-host-redir { return next_state(IL_ICMP_REDIRECT_TOSHOST, -1); } -intrans { return next_state(IL_ICMP_TIMXCEED_INTRANS, -1); } -reass 
{ return next_state(IL_ICMP_TIMXCEED_REASS, -1); } -optabsent { return next_state(IL_ICMP_PARAMPROB_OPTABSENT, -1); } -otime { return next_state(IL_ICMP_OTIME, -1); } -rtime { return next_state(IL_ICMP_RTIME, -1); } -ttime { return next_state(IL_ICMP_TTIME, -1); } -icmpseq { return next_state(IL_ICMP_SEQ, -1); } -icmpid { return next_state(IL_ICMP_SEQ, -1); } -\377 { return 0; } /* EOF */ \{ { push_proto(); return next_item('{'); } \} { pop_proto(); return next_item('}'); } -\. { return next_item(IL_DOT); } ; { return next_item(';'); } [0-9]+ { return next_item(IL_NUMBER); } [0-9a-fA-F] { return next_item(IL_HEXDIGIT); } : { return next_item(IL_COLON); } #[^\n]* { return next_item(IL_COMMENT); } -[^ {}\n\t;]* { return next_item(IL_TOKEN); } +[^ \{\}\n\t;:{}]* { return next_item(IL_TOKEN); } \"[^\"]*\" { return next_item(IL_TOKEN); } %% void yyerror(msg) @@ -220,10 +225,21 @@ int save_token() int next_item(nstate) int nstate; { + struct wordtab *wt; + + if (opts & OPT_DEBUG) + printf("text=[%s] id=%d next=%d\n", yytext, nstate, next); if (next == IL_TOKEN) { next = -1; return save_token(); } + token++; + + for (wt = words; wt->word; wt++) + if (!strcasecmp(wt->word, yytext)) + return next_state(wt->state, wt->next); + if (opts & OPT_DEBUG) + printf("unknown keyword=[%s]\n", yytext); next = -1; if (nstate == IL_NUMBER) yylval.num = atoi(yytext); @@ -235,13 +251,6 @@ int nstate; int next_state(nstate, fornext) int nstate, fornext; { - token++; - - if (next == IL_TOKEN) { - next = -1; - return save_token(); - } - next = fornext; switch (nstate) diff --git a/contrib/ipfilter/iplang/iplang_y.y b/contrib/ipfilter/iplang/iplang_y.y index 090668041045..e01bb373a045 100644 --- a/contrib/ipfilter/iplang/iplang_y.y +++ b/contrib/ipfilter/iplang/iplang_y.y 
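Review bot: `{ "icmpid", IL_ICMP_SEQ, -1 }` maps two keywords to the same token, carried over from the old `icmpid { return next_state(IL_ICMP_SEQ, -1); }` rule; the commit fixes the equivalent wscale/MSS slip in the same table but not this one, so `icmpid` still sets the sequence number unless the grammar deliberately treats them alike (set_icmpid() in iplang_y.y suggests a separate token exists and should be used here). In the IL_TOKEN rule `[^ \{\}\n\t;:{}]*` lists the braces twice and can match the empty string, which flex warns about; `[^ {}\n\t;:]+` says the same thing. `words[]` is only read by next_item(), so it can be declared `static`.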
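Review bot: The keyword scan added to next_item() (`@@ -220,10 +225,21 @@`) runs for every lexeme, including the '{', '}', ';', ':' and numeric rules that can never match words[], and under OPT_DEBUG prints `unknown keyword=[...]` for each of them, which makes the debug output noisy. Restricting the lookup to the IL_TOKEN callers keeps the fast path for punctuation, e.g. `if (nstate == IL_TOKEN) for (wt = words; wt->word; wt++) ...`. The switch to strcasecmp() also quietly makes every keyword case-insensitive compared with the old literal lex rules; probably intended, but worth a comment on the table such as `/* keywords are matched case-insensitively, see next_item() */`. next_item's body continues outside the hunk.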
@@ -6,7 +6,7 @@ * provided that this notice is preserved and due credit is given * to the original author and the contributors. * - * $Id: iplang_y.y,v 2.0.2.18.2.5 1997/12/10 09:54:45 darrenr Exp $ + * $Id: iplang_y.y,v 2.0.2.18.2.7 1998/05/23 14:29:53 darrenr Exp $ */ #include @@ -48,7 +48,9 @@ #include "ipf.h" #include "iplang.h" +#ifndef __NetBSD__ extern struct ether_addr *ether_aton __P((char *)); +#endif extern int opts; extern struct ipopt_names ionames[]; @@ -345,7 +347,7 @@ tcpopts: tcpopt: IL_TCPO_NOP ';' { set_tcpopt(IL_TCPO_NOP, NULL); } | IL_TCPO_EOL ';' { set_tcpopt(IL_TCPO_EOL, NULL); } | IL_TCPO_MSS optoken { set_tcpopt(IL_TCPO_MSS,&$2);} - | IL_TCPO_WSCALE optoken { set_tcpopt(IL_TCPO_MSS,&$2);} + | IL_TCPO_WSCALE optoken { set_tcpopt(IL_TCPO_WSCALE,&$2);} | IL_TCPO_TS optoken { set_tcpopt(IL_TCPO_TS, &$2);} ; @@ -779,6 +781,8 @@ char **arg; *t++ = (u_char)(val & 0xff); todo = 0; } + if (todo) + continue; } if (quote) { if (isdigit(c)) { @@ -807,8 +811,8 @@ char **arg; *t++ = '\t'; break; } - quote = 0; } + quote = 0; continue; } @@ -817,6 +821,8 @@ char **arg; else *t++ = c; } + if (todo) + *t++ = (u_char)(val & 0xff); if (quote) *t++ = '\\'; len = t - (u_char *)canip->ah_data; @@ -910,7 +916,7 @@ char **arg; void set_ipv4off(arg) char **arg; { - ip->ip_off = strtol(*arg, NULL, 0); + ip->ip_off = htons(strtol(*arg, NULL, 0)); free(*arg); *arg = NULL; } @@ -961,7 +967,7 @@ char **arg; void set_ipv4id(arg) char **arg; { - ip->ip_id = strtol(*arg, NULL, 0); + ip->ip_id = htons(strtol(*arg, NULL, 0)); free(*arg); *arg = NULL; } @@ -999,7 +1005,7 @@ void new_tcpheader() ip->ip_p = IPPROTO_TCP; tcp = (tcphdr_t *)new_header(IPPROTO_TCP); - tcp->th_win = 4096; + tcp->th_win = htons(4096); tcp->th_off = sizeof(*tcp) >> 2; } @@ -1047,7 +1053,7 @@ char **arg; void set_tcpseq(arg) char **arg; { - tcp->th_seq = strtol(*arg, NULL, 0); + tcp->th_seq = htonl(strtol(*arg, NULL, 0)); free(*arg); *arg = NULL; } 
@@ -1056,7 +1062,7 @@ char **arg; void set_tcpack(arg) char **arg; { - tcp->th_ack = strtol(*arg, NULL, 0); + tcp->th_ack = htonl(strtol(*arg, NULL, 0)); free(*arg); *arg = NULL; } @@ -1078,7 +1084,7 @@ char **arg; void set_tcpurp(arg) char **arg; { - tcp->th_urp = strtol(*arg, NULL, 0); + tcp->th_urp = htons(strtol(*arg, NULL, 0)); free(*arg); *arg = NULL; } @@ -1087,7 +1093,7 @@ char **arg; void set_tcpwin(arg) char **arg; { - tcp->th_win = strtol(*arg, NULL, 0); + tcp->th_win = htons(strtol(*arg, NULL, 0)); free(*arg); *arg = NULL; } @@ -1298,7 +1304,8 @@ void packet_done() u_char *s = (u_char *)ipbuffer, *t = (u_char *)outline; if (opts & OPT_VERBOSE) { - for (i = ip->ip_len, j = 0; i; i--, j++, s++) { + ip->ip_len = htons(ip->ip_len); + for (i = ntohs(ip->ip_len), j = 0; i; i--, j++, s++) { if (j && !(j & 0xf)) { *t++ = '\n'; *t = '\0'; @@ -1338,6 +1345,7 @@ void packet_done() } fputs(outline, stdout); fflush(stdout); + ip->ip_len = ntohs(ip->ip_len); } prep_packet(); @@ -1542,35 +1550,35 @@ char **type; void set_icmpid(arg) int arg; { - icmp->icmp_id = arg; + icmp->icmp_id = htons(arg); } void set_icmpseq(arg) int arg; { - icmp->icmp_seq = arg; + icmp->icmp_seq = htons(arg); } void set_icmpotime(arg) int arg; { - icmp->icmp_otime = arg; + icmp->icmp_otime = htonl(arg); } void set_icmprtime(arg) int arg; { - icmp->icmp_rtime = arg; + icmp->icmp_rtime = htonl(arg); } void set_icmpttime(arg) int arg; { - icmp->icmp_ttime = arg; + icmp->icmp_ttime = htonl(arg); } @@ -1578,7 +1586,7 @@ void set_icmpmtu(arg) int arg; { #if BSD >= 199306 - icmp->icmp_nextmtu = arg; + icmp->icmp_nextmtu = htons(arg); #endif } @@ -1730,7 +1738,9 @@ void end_ipv4() aniphdr_t *aip; ip->ip_sum = 0; + ip->ip_len = htons(ip->ip_len); ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2); + ip->ip_len = ntohs(ip->ip_len); free_anipheader(); for (aip = aniphead, ip = NULL; aip; aip = aip->ah_next) if (aip->ah_p == IPPROTO_IP) 
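Review bot: The in-place `ip->ip_len = htons(ip->ip_len)` / `ntohs(...)` bracket around chksum() in end_ipv4() (`@@ -1730,7 +1738,9 @@`), and the same bracket around the hex dump in packet_done() (`@@ -1298,7 +1304,8 @@`), encode a convention that is nowhere stated: ip_len stays in host order inside the builder, while ip_id, ip_off and the TCP/ICMP fields are now stored in network order as soon as they are set. A reader hitting one of these swaps cannot tell which byte order the field has on entry, so a comment at the top of end_ipv4(), e.g. `/* ip_len is kept in host order until the packet is emitted; swap it only around the checksum */`, would make the rule explicit, and the place where the final conversion happens should be named there too. end_ipv4's body starts outside the hunk.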
@@ -1761,9 +1771,10 @@ void end_udp() iptmp.ip_p = ip->ip_p; iptmp.ip_src = ip->ip_src; iptmp.ip_dst = ip->ip_dst; - iptmp.ip_len = ip->ip_len - (ip->ip_hl << 2); + iptmp.ip_len = htons(ip->ip_len - (ip->ip_hl << 2)); sum = p_chksum((u_short *)&iptmp, (u_int)sizeof(iptmp)); - udp->uh_sum = c_chksum((u_short *)udp, (u_int)iptmp.ip_len, sum); + udp->uh_ulen = htons(udp->uh_ulen); + udp->uh_sum = c_chksum((u_short *)udp, (u_int)ntohs(iptmp.ip_len), sum); free_anipheader(); for (aip = aniphead, udp = NULL; aip; aip = aip->ah_next) if (aip->ah_p == IPPROTO_UDP) @@ -1781,10 +1792,10 @@ void end_tcp() iptmp.ip_p = ip->ip_p; iptmp.ip_src = ip->ip_src; iptmp.ip_dst = ip->ip_dst; - iptmp.ip_len = ip->ip_len - (ip->ip_hl << 2); + iptmp.ip_len = htons(ip->ip_len - (ip->ip_hl << 2)); sum = p_chksum((u_short *)&iptmp, (u_int)sizeof(iptmp)); tcp->th_sum = 0; - tcp->th_sum = c_chksum((u_short *)tcp, (u_int)iptmp.ip_len, sum); + tcp->th_sum = c_chksum((u_short *)tcp, (u_int)ntohs(iptmp.ip_len), sum); free_anipheader(); for (aip = aniphead, tcp = NULL; aip; aip = aip->ah_next) if (aip->ah_p == IPPROTO_TCP) diff --git a/contrib/ipfilter/ipmon.c b/contrib/ipfilter/ipmon.c index 4d738b6df3c2..283e9ff2034b 100644 --- a/contrib/ipfilter/ipmon.c +++ b/contrib/ipfilter/ipmon.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1997 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.0.2.29.2.4 1997/11/28 06:14:46 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.0.2.29.2.9 1998/05/23 14:29:45 darrenr Exp $"; #endif #include @@ -18,6 +18,7 @@ static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.0.2.29.2.4 1997/11/28 06:14:46 #include #if !defined(__SVR4) && !defined(__svr4__) #include +#include #include #else #include 
@@ -87,7 +88,11 @@ struct flags tcpfl[] = { static char line[2048]; static int opts = 0; +static FILE *newlog = NULL; +static char *logfile = NULL; +static int donehup = 0; static void usage __P((char *)); +static void handlehup __P((void)); static void flushlogs __P((char *, FILE *)); static void print_log __P((int, FILE *, char *, int)); static void print_ipflog __P((FILE *, char *, int)); @@ -99,6 +104,8 @@ char *hostname __P((int, struct in_addr)); char *portname __P((int, char *, u_short)); int main __P((int, char *[])); +static void logopts __P((int, char *)); + #define OPT_SYSLOG 0x001 #define OPT_RESOLVE 0x002 @@ -117,6 +124,17 @@ int main __P((int, char *[])); #endif +static void handlehup() +{ + FILE *fp; + + signal(SIGHUP, handlehup); + if (logfile && (fp = fopen(logfile, "a"))) + newlog = fp; + donehup = 1; +} + + static int read_log(fd, lenp, buf, bufsize, log) int fd, bufsize, *lenp; char *buf; @@ -181,7 +199,7 @@ int len; *t++ = '\n'; *t = '\0'; if (!(opts & OPT_SYSLOG)) - fputs(line, stdout); + fputs(line, log); else syslog(LOG_INFO, "%s", line); t = (u_char *)line; @@ -217,8 +235,8 @@ int len; *t = '\0'; } if (!(opts & OPT_SYSLOG)) { - fputs(line, stdout); - fflush(stdout); + fputs(line, log); + fflush(log); } else syslog(LOG_INFO, "%s", line); } 
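Review bot: handlehup() (`@@ -117,6 +124,17 @@`) calls fopen() from inside a signal handler, which is not async-signal-safe (it allocates and takes stdio locks), so a SIGHUP that lands during a fputs()/fflush() on the log can deadlock or corrupt the stream; the handler should only record the request and main() should reopen the file when it sees the flag. A second SIGHUP before main() consumes `newlog` also leaks the first FILE *, and `donehup`/`newlog` are plain ints shared with the handler rather than `volatile sig_atomic_t`. The fopen can move into the existing `if (donehup)` block in main() (`@@ -800,6 +857,15 @@`), leaving the handler as below.
```c
static volatile sig_atomic_t donehup = 0;
/* … unchanged: other file-scope declarations … */

static void handlehup()
{
	signal(SIGHUP, handlehup);
	donehup = 1;	/* main() reopens the log; fopen() is not signal-safe */
}
```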
@@ -232,19 +250,21 @@ int blen; iplog_t *ipl = (iplog_t *)buf; char *t = line; struct tm *tm; - int res; + int res, i, len; nl = (struct natlog *)((char *)ipl + sizeof(*ipl)); res = (opts & OPT_RESOLVE) ? 1 : 0; tm = localtime((time_t *)&ipl->ipl_sec); + len = sizeof(line); if (!(opts & OPT_SYSLOG)) { - (void) sprintf(t, "%2d/%02d/%4d ", - tm->tm_mday, tm->tm_mon + 1, tm->tm_year + 1900); - t += strlen(t); + (void) strftime(t, len, "%d/%m/%Y ", tm); + i = strlen(t); + len -= i; + t += i; } - (void) sprintf(t, "%02d:%02d:%02d.%-.6ld @%hd ", - tm->tm_hour, tm->tm_min, tm->tm_sec, ipl->ipl_usec, - nl->nl_rule+1); + (void) strftime(t, len, "%T", tm); + t += strlen(t); + (void) sprintf(t, ".%-.6ld @%hd ", ipl->ipl_usec, nl->nl_rule + 1); t += strlen(t); if (nl->nl_type == NL_NEWMAP) @@ -295,18 +315,21 @@ int blen; struct protoent *pr; char *t = line, *proto, pname[6]; struct tm *tm; - int res; + int res, i, len; sl = (struct ipslog *)((char *)ipl + sizeof(*ipl)); res = (opts & OPT_RESOLVE) ? 1 : 0; tm = localtime((time_t *)&ipl->ipl_sec); + len = sizeof(line); if (!(opts & OPT_SYSLOG)) { - (void) sprintf(t, "%2d/%02d/%4d ", - tm->tm_mday, tm->tm_mon + 1, tm->tm_year + 1900); - t += strlen(t); + (void) strftime(t, len, "%d/%m/%Y ", tm); + i = strlen(t); + len -= i; + t += i; } - (void) sprintf(t, "%02d:%02d:%02d.%-.6ld ", - tm->tm_hour, tm->tm_min, tm->tm_sec, ipl->ipl_usec); + (void) strftime(t, len, "%T", tm); + t += strlen(t); + (void) sprintf(t, ".%-.6ld ", ipl->ipl_usec); t += strlen(t); if (sl->isl_type == ISL_NEW) 
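Review bot: After `(void) strftime(t, len, "%d/%m/%Y ", tm);` the output is measured with `strlen(t)`, but strftime(3) returns 0 and leaves the buffer unspecified when the result does not fit, so on that path strlen reads indeterminate bytes; using the return value, `i = strftime(t, len, "%d/%m/%Y ", tm);` and `t += strftime(t, len, "%T", tm);`, avoids that. The same pattern is added in print_statelog (`@@ -295,18 +315,21 @@`) and print_ipflog (`@@ -421,13 +460,16 @@`). With the 2048-byte `line` the short-buffer case is unreachable today, so this is about not relying on it. The trailing `sprintf(t, ...)` calls stay unbounded; `snprintf(t, len, ...)` would keep the `len` accounting that the hunk starts and then drops.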
@@ -364,13 +387,26 @@ char *buf; int logtype, blen; { iplog_t *ipl; + char *bp = NULL, *bpo = NULL; int psize; while (blen > 0) { ipl = (iplog_t *)buf; + if ((u_long)ipl & (sizeof(long)-1)) { + if (bp) + bpo = bp; + bp = (char *)malloc(blen); + bcopy((char *)ipl, bp, blen); + if (bpo) { + free(bpo); + bpo = NULL; + } + buf = bp; + continue; + } if (ipl->ipl_magic != IPL_MAGIC) { /* invalid data or out of sync */ - return; + break; } psize = ipl->ipl_dsize; switch (logtype) @@ -389,6 +425,9 @@ int logtype, blen; blen -= psize; buf += psize; } + if (bp) + free(bp); + return; } @@ -421,13 +460,16 @@ int blen; ip->ip_len = ntohs(ip->ip_len); #endif + len = sizeof(line); if (!(opts & OPT_SYSLOG)) { - (void) sprintf(t, "%2d/%02d/%4d ", - tm->tm_mday, tm->tm_mon + 1, tm->tm_year + 1900); - t += strlen(t); + (void) strftime(t, len, "%d/%m/%Y ", tm); + i = strlen(t); + len -= i; + t += i; } - (void) sprintf(t, "%02d:%02d:%02d.%-.6ld ", tm->tm_hour, tm->tm_min, - tm->tm_sec, ipl->ipl_usec); + (void) strftime(t, len, "%T", tm); + t += strlen(t); + (void) sprintf(t, ".%-.6ld ", ipl->ipl_usec); t += strlen(t); if (ipl->ipl_count > 1) { (void) sprintf(t, "%dx ", ipl->ipl_count); @@ -519,9 +561,9 @@ int blen; ic = (struct icmp *)((char *)ip + hl); (void) sprintf(t, "%s -> ", hostname(res, ip->ip_src)); t += strlen(t); - (void) sprintf(t, "%s PR icmp len %hu (%hu) icmp %d/%d", - hostname(res, ip->ip_dst), hl, - ntohs(ip->ip_len), ic->icmp_type, ic->icmp_code); + (void) sprintf(t, "%s PR icmp len %hu %hu icmp %d/%d", + hostname(res, ip->ip_dst), hl, ip->ip_len, + ic->icmp_type, ic->icmp_code); if (ic->icmp_type == ICMP_UNREACH || ic->icmp_type == ICMP_SOURCEQUENCH || ic->icmp_type == ICMP_PARAMPROB || @@ -663,7 +705,7 @@ char *argv[]; FILE *log = stdout; int fd[3], doread, n, i; int tr, nr, regular[3], c; - int fdt[3], devices = 0; + int fdt[3], devices = 0, make_daemon = 0; char buf[512], *iplfile[3]; extern int optind; extern char *optarg; 
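Review bot: The alignment fix-up in print_log() (`@@ -364,13 +387,26 @@`) does not check the `malloc(blen)` result before `bcopy((char *)ipl, bp, blen)`, so an allocation failure becomes a write through NULL; `if (bp == NULL) break;` after the malloc closes that, with the `if (bp) free(bp)` added at the end of the loop doing the cleanup. The realignment can also repeat on every record, because `buf += psize` is misaligned again whenever `ipl_dsize` is not a multiple of sizeof(long), costing one malloc and copy of the remaining buffer per record; aligning once before the loop would be cheaper. Independently of this change, `psize = ipl->ipl_dsize` advances `buf` without checking `0 < psize <= blen`, so a zero or oversize length from the log device would spin or over-read; one bound check there is worth adding while the loop is being touched.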
@@ -674,12 +716,15 @@ char *argv[]; iplfile[1] = IPNAT_NAME; iplfile[2] = IPSTATE_NAME; - while ((c = getopt(argc, argv, "?af:FhI:nN:o:O:sS:tvxX")) != -1) + while ((c = getopt(argc, argv, "?aDf:FhI:nN:o:O:sS:tvxX")) != -1) switch (c) { case 'a' : opts |= OPT_ALL; break; + case 'D' : + make_daemon = 1; + break; case 'f' : case 'I' : opts |= OPT_FILTER; fdt[0] = IPL_LOGIPF; @@ -768,7 +813,8 @@ char *argv[]; } if (!(opts & OPT_SYSLOG)) { - log = argv[optind] ? fopen(argv[optind], "a") : stdout; + logfile = argv[optind]; + log = logfile ? fopen(logfile, "a") : stdout; if (log == NULL) { (void) fprintf(stderr, "%s: fopen: %s\n", argv[optind], @@ -778,6 +824,17 @@ char *argv[]; setvbuf(log, NULL, _IONBF, 0); } + if (make_daemon && (log != stdout)) { + if (fork() > 0) + exit(0); + close(0); + close(1); + close(2); + setsid(); + } + + signal(SIGHUP, handlehup); + for (doread = 1; doread; ) { nr = 0; @@ -800,6 +857,15 @@ char *argv[]; nr += tr; tr = read_log(fd[i], &n, buf, sizeof(buf), log); + if (donehup) { + donehup = 0; + if (newlog) { + fclose(log); + log = newlog; + newlog = NULL; + } + } + switch (tr) { case -1 : diff --git a/contrib/ipfilter/ipnat.c b/contrib/ipfilter/ipnat.c index a97d1a3ff540..ae0f71d02be9 100644 --- a/contrib/ipfilter/ipnat.c +++ b/contrib/ipfilter/ipnat.c @@ -19,6 +19,7 @@ #include #include #include +#include #include #if !defined(__SVR4) && !defined(__svr4__) #include @@ -52,9 +53,16 @@ #include "netinet/ip_nat.h" #include "kmem.h" +#if defined(sun) && !SOLARIS2 +# define STRERROR(x) sys_errlist[x] +extern char *sys_errlist[]; +#else +# define STRERROR(x) strerror(x) +#endif + #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.0.2.21.2.1 1997/11/08 04:55:55 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.0.2.21.2.6 1998/05/23 19:07:02 darrenr Exp $"; #endif 
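Review bot: In the new daemonising block (`@@ -778,6 +824,17 @@`), `fork()` returning -1 is treated like the child case by `if (fork() > 0) exit(0);`, so on failure ipmon carries on in the foreground process but still closes descriptors 0-2 and calls setsid(); test for -1 and report it. Closing 0-2 without reopening them on /dev/null also means the next descriptor ipmon opens (the log devices in the following loop) lands on fd 0, 1 or 2, where any later `fprintf(stderr, ...)` or `perror` in this file writes into it. The usual sequence with the dup2() calls is below; `i` is the int main() already declares. main()'s body continues outside the hunk.
```c
	if (make_daemon && (log != stdout)) {
		pid_t pid = fork();

		if (pid == -1) {
			perror("fork");
			exit(1);
		}
		if (pid > 0)
			exit(0);
		setsid();
		/* keep 0-2 occupied so later opens and stray prints cannot hit the log device */
		if ((i = open("/dev/null", O_RDWR)) != -1) {
			dup2(i, 0);
			dup2(i, 1);
			dup2(i, 2);
			if (i > 2)
				close(i);
		}
	}
```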
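Review bot: When the log is switched in the `if (donehup)` block (`@@ -800,6 +857,15 @@`), the replacement stream keeps stdio's default full buffering, whereas the original log was made unbuffered by the `setvbuf(log, NULL, _IONBF, 0);` visible in main(); after a SIGHUP, records therefore sit in the stdio buffer until it fills, which defeats tailing the rotated file and loses the tail on a crash. Add `setvbuf(log, NULL, _IONBF, 0);` after `log = newlog;`. `fclose(log)` is also unchecked here, and its return is the last chance to learn that the old file's final writes failed. main()'s body continues outside the hunk.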
@@ -65,14 +73,14 @@ static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.0.2.21.2.1 1997/11/08 04:55:55 extern char *optarg; ipnat_t *parse __P((char *)); -u_long hostnum __P((char *, int *)); -u_long hostmask __P((char *)); +u_32_t hostnum __P((char *, int *)); +u_32_t hostmask __P((char *)); u_short portnum __P((char *, char *)); void dostats __P((int, int)), flushtable __P((int, int)); void printnat __P((ipnat_t *, int, void *)); void parsefile __P((int, char *, int)); void usage __P((char *)); -int countbits __P((u_long)); +int countbits __P((u_32_t)); char *getnattype __P((ipnat_t *)); int main __P((int, char*[])); @@ -133,7 +141,8 @@ char *argv[]; if (!(opts & OPT_NODO) && ((fd = open(IPL_NAT, O_RDWR)) == -1) && ((fd = open(IPL_NAT, O_RDONLY)) == -1)) { - perror("open"); + (void) fprintf(stderr, "%s: open: %s\n", IPL_NAT, + STRERROR(errno)); exit(-1); } @@ -153,9 +162,9 @@ char *argv[]; * of bits. */ int countbits(ip) -u_long ip; +u_32_t ip; { - u_long ipn; + u_32_t ipn; int cnt = 0, i, j; ip = ipn = ntohl(ip); @@ -233,7 +242,7 @@ void *ptr; else printf("%s", inet_ntoa(np->in_in[1])); printf(" -> %s/", inet_ntoa(np->in_out[0])); - bits = countbits(ntohl(np->in_out[1].s_addr)); + bits = countbits(np->in_out[1].s_addr); if (bits != -1) printf("%d ", bits); else @@ -408,18 +417,18 @@ char *name, *proto; } -u_long hostmask(msk) +u_32_t hostmask(msk) char *msk; { int bits = -1; - u_long mask; + u_32_t mask; if (!isdigit(*msk)) - return (u_long)-1; + return (u_32_t)-1; if (strchr(msk, '.')) return inet_addr(msk); if (strchr(msk, 'x')) - return (u_long)strtol(msk, NULL, 0); + return (u_32_t)strtol(msk, NULL, 0); /* * set x most significant bits */ @@ -436,7 +445,7 @@ char *msk; * returns an ip address as a long var as a result of either a DNS lookup or * straight inet_addr() call */ -u_long hostnum(host, resolved) +u_32_t hostnum(host, resolved) char *host; int *resolved; { 
@@ -455,7 +464,7 @@ int *resolved; fprintf(stderr, "can't resolve hostname: %s\n", host); return 0; } - return np->n_net; + return htonl(np->n_net); } return *(u_32_t *)hp->h_addr; } @@ -760,7 +769,8 @@ int opts; if (strcmp(file, "-")) { if (!(fp = fopen(file, "r"))) { - perror(file); + (void) fprintf(stderr, "%s: open: %s\n", file, + STRERROR(errno)); exit(1); } } else diff --git a/contrib/ipfilter/ipsd/README b/contrib/ipfilter/ipsd/README index 6746d01d3852..eb6b7986cd77 100644 --- a/contrib/ipfilter/ipsd/README +++ b/contrib/ipfilter/ipsd/README @@ -29,4 +29,4 @@ Lastly, being passive means that no action is taken to stop port scans being done or discourage them. Darren -darrenr@cyber.com.au +darrenr@pobox.com diff --git a/contrib/ipfilter/ipsend/README b/contrib/ipfilter/ipsend/README index 6898cdd44b37..198556d834fb 100644 --- a/contrib/ipfilter/ipsend/README +++ b/contrib/ipfilter/ipsend/README @@ -5,4 +5,4 @@ http://coombs.anu.edu.au/~avalon/ip-filter.html Patches, bugs, etc, please send to: -darrenr@cyber.com.au +darrenr@pobox.com diff --git a/contrib/ipfilter/ipsend/ip.c b/contrib/ipfilter/ipsend/ip.c index 459c09bdeca3..69149244ad16 100644 --- a/contrib/ipfilter/ipsend/ip.c +++ b/contrib/ipfilter/ipsend/ip.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995"; -static const char rcsid[] = "@(#)$Id: ip.c,v 2.0.2.11.2.2 1997/11/28 03:36:47 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip.c,v 2.0.2.11.2.3 1997/12/21 12:17:37 darrenr Exp $"; #endif #include #include @@ -117,7 +117,6 @@ int frag; last_gw.s_addr = gwip.s_addr; iplen = ip->ip_len; ip->ip_len = htons(iplen); - ip->ip_off = htons(ip->ip_off); if (!(frag & 2)) { if (!ip->ip_v) ip->ip_v = IPVERSION; 
@@ -260,7 +259,7 @@ struct in_addr gwip; i = sizeof(struct tcpiphdr) / sizeof(long); - if ((ti->ti_flags == TH_SYN) && !ip->ip_off && + if ((ti->ti_flags == TH_SYN) && !ntohs(ip->ip_off) && (lbuf[i] != htonl(0x020405b4))) { lbuf[i] = htonl(0x020405b4); bcopy((char *)ip + hlen + thlen, (char *)ip + hlen + thlen + 4, diff --git a/contrib/ipfilter/ipsend/ipresend.1 b/contrib/ipfilter/ipsend/ipresend.1 index 40f98256209f..448fa41e9e24 100644 --- a/contrib/ipfilter/ipsend/ipresend.1 +++ b/contrib/ipfilter/ipsend/ipresend.1 @@ -92,8 +92,6 @@ option combinations: .B \-X The input file is composed of text descriptions of IP packets. .TP -.SH FILES -.DT .SH SEE ALSO snoop(1m), tcpdump(8), etherfind(8c), ipftest(1), ipresend(1), iptest(1), bpf(4), dlpi(7p) .SH DIAGNOSTICS @@ -103,5 +101,5 @@ Needs to be run as root. .PP Not all of the input formats are sufficiently capable of introducing a wide enough variety of packets for them to be all useful in testing. -If you find any, please send email to me at darrenr@cyber.com.au +If you find any, please send email to me at darrenr@pobox.com diff --git a/contrib/ipfilter/ipsend/ipsend.1 b/contrib/ipfilter/ipsend/ipsend.1 index d99038ddca77..6554e585c036 100644 --- a/contrib/ipfilter/ipsend/ipsend.1 +++ b/contrib/ipfilter/ipsend/ipsend.1 @@ -106,4 +106,4 @@ ipsend(1), ipresend(1), iptest(1), protocols(4), bpf(4), dlpi(7p) Needs to be run as root. .SH BUGS .PP -If you find any, please send email to me at darrenr@cyber.com.au +If you find any, please send email to me at darrenr@pobox.com diff --git a/contrib/ipfilter/ipsend/ipsend.5 b/contrib/ipfilter/ipsend/ipsend.5 index b6a3e0496775..9fa459355fb6 100644 --- a/contrib/ipfilter/ipsend/ipsend.5 +++ b/contrib/ipfilter/ipsend/ipsend.5 @@ -392,7 +392,10 @@ Address mask request. .B maskrep Address mask reply. .SH FILES -/etc/protocols -/etc/services /etc/hosts +.br +/etc/protocols +.br +/etc/services .SH SEE ALSO +ipsend(1), iptest(1), hosts(5), protocols(5), services(5) 
diff --git a/contrib/ipfilter/ipsend/ipsend.c b/contrib/ipfilter/ipsend/ipsend.c index 1f47466f7366..5f0ca43a0e68 100644 --- a/contrib/ipfilter/ipsend/ipsend.c +++ b/contrib/ipfilter/ipsend/ipsend.c @@ -12,7 +12,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.0.2.19 1997/10/12 09:48:38 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.0.2.19.2.1 1998/05/14 14:01:19 darrenr Exp $"; #endif #include #include @@ -357,7 +357,7 @@ char **argv; } if (ip->ip_p == IPPROTO_TCP) - for (s = argv[optind]; (c = *s); s++) + for (s = argv[optind]; s && (c = *s); s++) switch(c) { case 'S' : case 's' : diff --git a/contrib/ipfilter/ipsend/iptest.1 b/contrib/ipfilter/ipsend/iptest.1 index 3c98a4caab42..02036b905d4d 100644 --- a/contrib/ipfilter/ipsend/iptest.1 +++ b/contrib/ipfilter/ipsend/iptest.1 @@ -91,11 +91,11 @@ MTU's without setting them so. Run a... .DT .SH SEE ALSO -ipsend(1), ipresend(1), bpf(4), dlpi(7p) +ipsend(1), ipresend(1), bpf(4), ipsend(5), dlpi(7p) .SH DIAGNOSTICS Only one of the numeric test options may be given when \fIiptest\fP is run. .PP Needs to be run as root. .SH BUGS .PP -If you find any, please send email to me at darrenr@cyber.com.au +If you find any, please send email to me at darrenr@pobox.com diff --git a/contrib/ipfilter/ipsend/iptests.c b/contrib/ipfilter/ipsend/iptests.c index f12dbadd2024..16c830a006e9 100644 --- a/contrib/ipfilter/ipsend/iptests.c +++ b/contrib/ipfilter/ipsend/iptests.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: iptests.c,v 2.0.2.13.2.1 1997/11/28 03:37:10 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: iptests.c,v 2.0.2.13.2.2 1997/12/21 12:17:38 darrenr Exp $"; #endif #include #include 
@@ -98,24 +98,21 @@ int ptest; ip->ip_p = IPPROTO_UDP; ip->ip_sum = 0; u = (udphdr_t *)(ip + 1); - u->uh_sport = 1; - u->uh_dport = 9; + u->uh_sport = htons(1); + u->uh_dport = htons(9); u->uh_sum = 0; - u->uh_ulen = sizeof(*u) + 4; - ip->ip_len = sizeof(*ip) + u->uh_ulen; + u->uh_ulen = htons(sizeof(*u) + 4); + ip->ip_len = sizeof(*ip) + ntohs(u->uh_ulen); len = ip->ip_len; nfd = initdevice(dev, u->uh_sport, 1); - u->uh_sport = htons(u->uh_sport); - u->uh_dport = htons(u->uh_dport); - u->uh_ulen = htons(u->uh_ulen); if (!ptest || (ptest == 1)) { /* * Part1: hl < len */ ip->ip_id = 0; printf("1.1. sending packets with ip_hl < ip_len\n"); - for (i = 0; i < ((sizeof(*ip) + u->uh_ulen) >> 2); i++) { + for (i = 0; i < ((sizeof(*ip) + ntohs(u->uh_ulen)) >> 2); i++) { ip->ip_hl = i >> 2; (void) send_ip(nfd, 1500, ip, gwip, 1); printf("%d\r", i); @@ -131,7 +128,7 @@ int ptest; */ ip->ip_id = 0; printf("1.2. sending packets with ip_hl > ip_len\n"); - for (; i < ((sizeof(*ip) * 2 + u->uh_ulen) >> 2); i++) { + for (; i < ((sizeof(*ip) * 2 + ntohs(u->uh_ulen)) >> 2); i++) { ip->ip_hl = i >> 2; (void) send_ip(nfd, 1500, ip, gwip, 1); printf("%d\r", i); @@ -181,10 +178,8 @@ int ptest; ip->ip_id = 0; ip->ip_v = IPVERSION; i = ip->ip_len + 1; - ip->ip_len = htons(ip->ip_len); - ip->ip_off = htons(ip->ip_off); printf("1.5.0 ip_len < packet size (size++, long packets)\n"); - for (; i < (ntohs(ip->ip_len) * 2); i++) { + for (; i < (ip->ip_len * 2); i++) { ip->ip_id = htons(id++); ip->ip_sum = 0; ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2); @@ -197,7 +192,7 @@ int ptest; printf("1.5.1 ip_len < packet size (ip_len-, short packets)\n"); for (i = len; i > 0; i--) { ip->ip_id = htons(id++); - ip->ip_len = htons(i); + ip->ip_len = i; ip->ip_sum = 0; ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2); (void) send_ether(nfd, (char *)ip, len, gwip); 
@@ -216,7 +211,7 @@ int ptest; printf("1.6.0 ip_len > packet size (increase ip_len)\n"); for (i = len + 1; i < (len * 2); i++) { ip->ip_id = htons(id++); - ip->ip_len = htons(i); + ip->ip_len = i; ip->ip_sum = 0; ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2); (void) send_ether(nfd, (char *)ip, len, gwip); @@ -225,7 +220,7 @@ int ptest; PAUSE(); } putchar('\n'); - ip->ip_len = htons(len); + ip->ip_len = len; printf("1.6.1 ip_len > packet size (size--, short packets)\n"); for (i = len; i > 0; i--) { ip->ip_id = htons(id++); @@ -288,7 +283,7 @@ int ptest; * about that here. */ ip->ip_p = IPPROTO_ICMP; - ip->ip_off = IP_MF; + ip->ip_off = htons(IP_MF); u->uh_dport = htons(9); ip->ip_id = htons(id++); printf("1.8.1 63k packet + 1k fragment at offset 0x1ffe\n"); @@ -299,14 +294,14 @@ int ptest; ip->ip_len = MIN(768 + 20, mtu - 68); i = 512; for (; i < (63 * 1024 + 768); i += 768) { - ip->ip_off = IP_MF | (i >> 3); + ip->ip_off = htons(IP_MF | (i >> 3)); (void) send_ip(nfd, mtu, ip, gwip, 1); printf("%d\r", i); fflush(stdout); PAUSE(); } ip->ip_len = 896 + 20; - ip->ip_off = (i >> 3); + ip->ip_off = htons(i >> 3); (void) send_ip(nfd, mtu, ip, gwip, 1); printf("%d\r", i); putchar('\n'); @@ -319,7 +314,7 @@ int ptest; * about that here. (Lossage here) */ ip->ip_p = IPPROTO_ICMP; - ip->ip_off = IP_MF; + ip->ip_off = htons(IP_MF); u->uh_dport = htons(9); ip->ip_id = htons(id++); printf("1.8.2 63k packet + 1k fragment at offset 0x1ffe\n"); @@ -333,7 +328,7 @@ int ptest; ip->ip_len = MIN(768 + 20, mtu - 68); i = 512; for (; i < (63 * 1024 + 768); i += 768) { - ip->ip_off = IP_MF | (i >> 3); + ip->ip_off = htons(IP_MF | (i >> 3)); if ((rand() & 0x1f) != 0) { (void) send_ip(nfd, mtu, ip, gwip, 1); printf("%d\r", i); @@ -343,7 +338,7 @@ int ptest; PAUSE(); } ip->ip_len = 896 + 20; - ip->ip_off = (i >> 3); + ip->ip_off = htons(i >> 3); if ((rand() & 0x1f) != 0) { (void) send_ip(nfd, mtu, ip, gwip, 1); printf("%d\r", i); 
@@ -359,7 +354,7 @@ int ptest; * about that here. */ ip->ip_p = IPPROTO_ICMP; - ip->ip_off = IP_MF; + ip->ip_off = htons(IP_MF); u->uh_dport = htons(9); ip->ip_id = htons(id++); printf("1.8.3 33k packet\n"); @@ -370,14 +365,14 @@ int ptest; ip->ip_len = MIN(768 + 20, mtu - 68); i = 512; for (; i < (32 * 1024 + 768); i += 768) { - ip->ip_off = IP_MF | (i >> 3); + ip->ip_off = htons(IP_MF | (i >> 3)); (void) send_ip(nfd, mtu, ip, gwip, 1); printf("%d\r", i); fflush(stdout); PAUSE(); } ip->ip_len = 896 + 20; - ip->ip_off = (i >> 3); + ip->ip_off = htons(i >> 3); (void) send_ip(nfd, mtu, ip, gwip, 1); printf("%d\r", i); putchar('\n'); @@ -391,7 +386,7 @@ int ptest; * Part9: off & 0x8000 == 0x8000 */ ip->ip_id = 0; - ip->ip_off = 0x8000; + ip->ip_off = htons(0x8000); printf("1.9. ip_off & 0x8000 == 0x8000\n"); (void) send_ip(nfd, mtu, ip, gwip, 1); fflush(stdout); @@ -440,7 +435,7 @@ int ptest; u_char *s; s = (u_char *)(ip + 1); - nfd = initdevice(dev, 1, 1); + nfd = initdevice(dev, htons(1), 1); ip->ip_hl = 6; ip->ip_len = ip->ip_hl << 2; @@ -539,7 +534,7 @@ int ptest; ip->ip_sum = 0; ip->ip_len = sizeof(*ip) + sizeof(*icp); icp = (struct icmp *)((char *)ip + (ip->ip_hl << 2)); - nfd = initdevice(dev, 1, 1); + nfd = initdevice(dev, htons(1), 1); if (!ptest || (ptest == 1)) { /* 
@@ -731,20 +726,20 @@ int ptest; ip->ip_p = IPPROTO_UDP; ip->ip_sum = 0; u = (udphdr_t *)((char *)ip + (ip->ip_hl << 2)); - u->uh_sport = 1; - u->uh_dport = 1; - u->uh_ulen = sizeof(*u) + 4; + u->uh_sport = htons(1); + u->uh_dport = htons(1); + u->uh_ulen = htons(sizeof(*u) + 4); nfd = initdevice(dev, u->uh_sport, 1); if (!ptest || (ptest == 1)) { /* * Test 1. ulen > packet */ - u->uh_ulen = sizeof(*u) + 4; - ip->ip_len = (ip->ip_hl << 2) + u->uh_ulen; + u->uh_ulen = htons(sizeof(*u) + 4); + ip->ip_len = (ip->ip_hl << 2) + ntohs(u->uh_ulen); printf("4.1 UDP uh_ulen > packet size - short packets\n"); - for (i = u->uh_ulen * 2; i > sizeof(*u) + 4; i--) { - u->uh_ulen = i; + for (i = ntohs(u->uh_ulen) * 2; i > sizeof(*u) + 4; i--) { + u->uh_ulen = htons(i); (void) send_udp(nfd, 1500, ip, gwip); printf("%d\r", i); fflush(stdout); @@ -757,10 +752,10 @@ int ptest; /* * Test 2. ulen < packet */ - u->uh_ulen = sizeof(*u) + 4; - ip->ip_len = (ip->ip_hl << 2) + u->uh_ulen; + u->uh_ulen = htons(sizeof(*u) + 4); + ip->ip_len = (ip->ip_hl << 2) + ntohs(u->uh_ulen); printf("4.2 UDP uh_ulen < packet size - short packets\n"); - for (i = u->uh_ulen * 2; i > sizeof(*u) + 4; i--) { + for (i = ntohs(u->uh_ulen) * 2; i > sizeof(*u) + 4; i--) { ip->ip_len = i; (void) send_udp(nfd, 1500, ip, gwip); printf("%d\r", i); @@ -776,7 +771,7 @@ int ptest; * sport = 32768, sport = 65535 */ u->uh_ulen = sizeof(*u) + 4; - ip->ip_len = (ip->ip_hl << 2) + u->uh_ulen; + ip->ip_len = (ip->ip_hl << 2) + ntohs(u->uh_ulen); printf("4.3.1 UDP sport = 0\n"); u->uh_sport = 0; (void) send_udp(nfd, 1500, ip, gwip); 
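Review bot: In the 4.3 hunk (`@@ -776,7 +771,7`) the unchanged context line `u->uh_ulen = sizeof(*u) + 4;` still stores a host-order value, yet the changed line below it now computes `ip->ip_len = (ip->ip_hl << 2) + ntohs(u->uh_ulen);`. On a little-endian host ntohs(12) is 3072, so ip_len for the 4.3.x sport packets is wrong and the UDP length carried on the wire is byte-swapped, whereas the sibling hunks in this commit (4.1 and 4.2) convert both lines together. The line should become `u->uh_ulen = htons(sizeof(*u) + 4);` to match them. The enclosing function starts before this hunk.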
@@ -784,26 +779,26 @@ int ptest; fflush(stdout); PAUSE(); printf("4.3.2 UDP sport = 1\n"); - u->uh_sport = 1; + u->uh_sport = htons(1); (void) send_udp(nfd, 1500, ip, gwip); printf("1\n"); fflush(stdout); PAUSE(); printf("4.3.3 UDP sport = 32767\n"); - u->uh_sport = 32767; + u->uh_sport = htons(32767); (void) send_udp(nfd, 1500, ip, gwip); printf("32767\n"); fflush(stdout); PAUSE(); printf("4.3.4 UDP sport = 32768\n"); - u->uh_sport = 32768; + u->uh_sport = htons(32768); (void) send_udp(nfd, 1500, ip, gwip); printf("32768\n"); putchar('\n'); fflush(stdout); PAUSE(); printf("4.3.5 UDP sport = 65535\n"); - u->uh_sport = 65535; + u->uh_sport = htons(65535); (void) send_udp(nfd, 1500, ip, gwip); printf("65535\n"); fflush(stdout); @@ -815,9 +810,9 @@ int ptest; * Test 4: dport = 0, dport = 1, dport = 32767 * dport = 32768, dport = 65535 */ - u->uh_ulen = sizeof(*u) + 4; - u->uh_sport = 1; - ip->ip_len = (ip->ip_hl << 2) + u->uh_ulen; + u->uh_ulen = ntohs(sizeof(*u) + 4); + u->uh_sport = htons(1); + ip->ip_len = (ip->ip_hl << 2) + ntohs(u->uh_ulen); printf("4.4.1 UDP dport = 0\n"); u->uh_dport = 0; (void) send_udp(nfd, 1500, ip, gwip); @@ -825,25 +820,25 @@ int ptest; fflush(stdout); PAUSE(); printf("4.4.2 UDP dport = 1\n"); - u->uh_dport = 1; + u->uh_dport = htons(1); (void) send_udp(nfd, 1500, ip, gwip); printf("1\n"); fflush(stdout); PAUSE(); printf("4.4.3 UDP dport = 32767\n"); - u->uh_dport = 32767; + u->uh_dport = htons(32767); (void) send_udp(nfd, 1500, ip, gwip); printf("32767\n"); fflush(stdout); PAUSE(); printf("4.4.4 UDP dport = 32768\n"); - u->uh_dport = 32768; + u->uh_dport = htons(32768); (void) send_udp(nfd, 1500, ip, gwip); printf("32768\n"); fflush(stdout); PAUSE(); printf("4.4.5 UDP dport = 65535\n"); - u->uh_dport = 65535; + u->uh_dport = htons(65535); (void) send_udp(nfd, 1500, ip, gwip); printf("65535\n"); fflush(stdout); 
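Review bot: `u->uh_ulen = ntohs(sizeof(*u) + 4);` in the 4.4 hunk (`@@ -815,9 +810,9`) uses the network-to-host macro for a host-to-network store. The result is numerically identical (both macros perform the same 16-bit swap), so this is a readability point rather than a bug, but every other store in this commit uses htons() and a reader will stop on the odd one out; change it to `u->uh_ulen = htons(sizeof(*u) + 4);`.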
@@ -856,7 +851,7 @@ int ptest; * sizeof(ip_t) */ printf("4.5 UDP 20 <= MTU <= 32\n"); - for (i = sizeof(*ip); i <= u->uh_ulen; i++) { + for (i = sizeof(*ip); i <= ntohs(u->uh_ulen); i++) { (void) send_udp(nfd, i, ip, gwip); printf("%d\r", i); fflush(stdout); @@ -885,12 +880,12 @@ int ptest; t->th_x2 = 0; #endif t->th_off = 0; - t->th_sport = 1; - t->th_dport = 1; - t->th_win = 4096; + t->th_sport = htons(1); + t->th_dport = htons(1); + t->th_win = htons(4096); t->th_urp = 0; t->th_sum = 0; - t->th_seq = 1; + t->th_seq = htonl(1); t->th_ack = 0; ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t); nfd = initdevice(dev, t->th_sport, 1); @@ -919,37 +914,37 @@ int ptest; * seq = 0xa000000, seq = 0xffffffff */ printf("5.2.1 TCP seq = 0\n"); - t->th_seq = 0; + t->th_seq = htonl(0); (void) send_tcp(nfd, mtu, ip, gwip); fflush(stdout); PAUSE(); printf("5.2.2 TCP seq = 1\n"); - t->th_seq = 1; + t->th_seq = htonl(1); (void) send_tcp(nfd, mtu, ip, gwip); fflush(stdout); PAUSE(); printf("5.2.3 TCP seq = 0x7fffffff\n"); - t->th_seq = 0x7fffffff; + t->th_seq = htonl(0x7fffffff); (void) send_tcp(nfd, mtu, ip, gwip); fflush(stdout); PAUSE(); printf("5.2.4 TCP seq = 0x80000000\n"); - t->th_seq = 0x80000000; + t->th_seq = htonl(0x80000000); (void) send_tcp(nfd, mtu, ip, gwip); fflush(stdout); PAUSE(); printf("5.2.5 TCP seq = 0xc0000000\n"); - t->th_seq = 0xc0000000; + t->th_seq = htonl(0xc0000000); (void) send_tcp(nfd, mtu, ip, gwip); fflush(stdout); PAUSE(); printf("5.2.6 TCP seq = 0xffffffff\n"); - t->th_seq = 0xffffffff; + t->th_seq = htonl(0xffffffff); (void) send_tcp(nfd, mtu, ip, gwip); fflush(stdout); PAUSE(); 
@@ -968,31 +963,31 @@ int ptest; PAUSE(); printf("5.3.2 TCP ack = 1\n"); - t->th_ack = 1; + t->th_ack = htonl(1); (void) send_tcp(nfd, mtu, ip, gwip); fflush(stdout); PAUSE(); printf("5.3.3 TCP ack = 0x7fffffff\n"); - t->th_ack = 0x7fffffff; + t->th_ack = htonl(0x7fffffff); (void) send_tcp(nfd, mtu, ip, gwip); fflush(stdout); PAUSE(); printf("5.3.4 TCP ack = 0x80000000\n"); - t->th_ack = 0x80000000; + t->th_ack = htonl(0x80000000); (void) send_tcp(nfd, mtu, ip, gwip); fflush(stdout); PAUSE(); printf("5.3.5 TCP ack = 0xc0000000\n"); - t->th_ack = 0xc0000000; + t->th_ack = htonl(0xc0000000); (void) send_tcp(nfd, mtu, ip, gwip); fflush(stdout); PAUSE(); printf("5.3.6 TCP ack = 0xffffffff\n"); - t->th_ack = 0xffffffff; + t->th_ack = htonl(0xffffffff); (void) send_tcp(nfd, mtu, ip, gwip); fflush(stdout); PAUSE(); @@ -1004,19 +999,19 @@ int ptest; * Test 4: win = 0, win = 32768, win = 65535 */ printf("5.4.1 TCP win = 0\n"); - t->th_seq = 0; + t->th_seq = htonl(0); (void) send_tcp(nfd, mtu, ip, gwip); fflush(stdout); PAUSE(); printf("5.4.2 TCP win = 32768\n"); - t->th_seq = 0x7fff; + t->th_seq = htonl(0x7fff); (void) send_tcp(nfd, mtu, ip, gwip); fflush(stdout); PAUSE(); printf("5.4.3 TCP win = 65535\n"); - t->th_win = 0xffff; + t->th_win = htons(0xffff); (void) send_tcp(nfd, mtu, ip, gwip); fflush(stdout); PAUSE(); @@ -1061,7 +1056,7 @@ int ptest; } KMCPY(&tcb, tcbp, sizeof(tcb)); ti.ti_win = tcb.rcv_adv; - ti.ti_seq = tcb.snd_nxt - 1; + ti.ti_seq = htonl(tcb.snd_nxt - 1); ti.ti_ack = tcb.rcv_nxt; if (!ptest || (ptest == 5)) { @@ -1075,7 +1070,7 @@ int ptest; (void) send_tcp(nfd, mtu, ip, gwip); PAUSE(); - t->th_seq = tcb.snd_nxt; + t->th_seq = htonl(tcb.snd_nxt); ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t) + 1; t->th_urp = htons(0x7fff); (void) send_tcp(nfd, mtu, ip, gwip); 
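Review bot: Tests 5.4.1 and 5.4.2 in the `@@ -1004,19 +999,19` hunk are labelled "TCP win = 0" and "TCP win = 32768", but the changed lines assign th_seq (`t->th_seq = htonl(0);`, `t->th_seq = htonl(0x7fff);`) while only 5.4.3 touches th_win; 0x7fff is also 32767, not the 32768 that is printed. The commit converts byte order on these lines without noticing the field mismatch, so the two window-size cases are never actually exercised. Presumably the intent is `t->th_win = htons(0);` and `t->th_win = htons(32768);`. The function continues outside the hunk.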
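Review bot: In the `@@ -1061,7 +1056,7` hunk only ti_seq gets the byte-order conversion: `ti.ti_seq = htonl(tcb.snd_nxt - 1);` now sits between `ti.ti_win = tcb.rcv_adv;` and `ti.ti_ack = tcb.rcv_nxt;`, which still copy the KMCPY'd tcb values unconverted. If snd_nxt needs htonl() because the copied tcb is in host order, then rcv_nxt presumably needs it too (`ti.ti_ack = htonl(tcb.rcv_nxt);`) and ti_win the 16-bit equivalent, which is how the later `t->th_seq = htonl(tcb.snd_nxt);` in the `@@ -1075` hunk treats the same struct. Worth confirming against how send_tcp consumes ti before changing it; the enclosing function starts before the hunk.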
@@ -1086,7 +1081,7 @@ int ptest; t->th_urp = htons(0xffff); (void) send_tcp(nfd, mtu, ip, gwip); PAUSE(); - t->th_urp = htons(0); + t->th_urp = 0; t->th_flags &= ~TH_URG; ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t); } @@ -1112,8 +1107,8 @@ int ptest; } skip_five_and_six: #endif - t->th_seq = 1; - t->th_ack = 1; + t->th_seq = htonl(1); + t->th_ack = htonl(1); t->th_off = 0; if (!ptest || (ptest == 7)) { @@ -1129,32 +1124,32 @@ int ptest; PAUSE(); printf("5.7.2 TCP sport = 1\n"); - t->th_sport = 1; + t->th_sport = htons(1); (void) send_tcp(nfd, mtu, ip, gwip); fflush(stdout); PAUSE(); printf("5.7.3 TCP sport = 32767\n"); - t->th_sport = 32767; + t->th_sport = htons(32767); (void) send_tcp(nfd, mtu, ip, gwip); fflush(stdout); PAUSE(); printf("5.7.4 TCP sport = 32768\n"); - t->th_sport = 32768; + t->th_sport = htons(32768); (void) send_tcp(nfd, mtu, ip, gwip); fflush(stdout); PAUSE(); printf("5.7.5 TCP sport = 65535\n"); - t->th_sport = 65535; + t->th_sport = htons(65535); (void) send_tcp(nfd, mtu, ip, gwip); fflush(stdout); PAUSE(); } if (!ptest || (ptest == 8)) { - t->th_sport = 1; + t->th_sport = htons(1); t->th_flags = TH_SYN; /* * Test 8: dport = 0, dport = 1, dport = 32767 @@ -1167,25 +1162,25 @@ int ptest; PAUSE(); printf("5.8.2 TCP dport = 1\n"); - t->th_dport = 1; + t->th_dport = htons(1); (void) send_tcp(nfd, mtu, ip, gwip); fflush(stdout); PAUSE(); printf("5.8.3 TCP dport = 32767\n"); - t->th_dport = 32767; + t->th_dport = htons(32767); (void) send_tcp(nfd, mtu, ip, gwip); fflush(stdout); PAUSE(); printf("5.8.4 TCP dport = 32768\n"); - t->th_dport = 32768; + t->th_dport = htons(32768); (void) send_tcp(nfd, mtu, ip, gwip); fflush(stdout); PAUSE(); printf("5.8.5 TCP dport = 65535\n"); - t->th_dport = 65535; + t->th_dport = htons(65535); (void) send_tcp(nfd, mtu, ip, gwip); fflush(stdout); PAUSE(); 
@@ -1229,14 +1224,12 @@ int ptest; ip->ip_p = IPPROTO_UDP; ip->ip_sum = 0; u = (udphdr_t *)(ip + 1); - u->uh_sport = 1; - u->uh_dport = 9; + u->uh_sport = htons(1); + u->uh_dport = htons(9); u->uh_sum = 0; nfd = initdevice(dev, u->uh_sport, 1); - u->uh_sport = htons(u->uh_sport); - u->uh_dport = htons(u->uh_dport); - u->uh_ulen = 7168; + u->uh_ulen = htons(7168); printf("6. Exhaustive mbuf test.\n"); printf(" Send 7k packet in 768 & 128 byte fragments, 128 times.\n"); @@ -1247,7 +1240,7 @@ int ptest; */ ip->ip_len = sizeof(*ip) + 768 + sizeof(*u); ip->ip_hl = sizeof(*ip) >> 2; - ip->ip_off = IP_MF; + ip->ip_off = htons(IP_MF); (void) send_ip(nfd, 1500, ip, gwip, 1); printf("%d %d\r", i, 0); fflush(stdout); @@ -1256,7 +1249,7 @@ int ptest; * And again using 128 byte chunks. */ ip->ip_len = sizeof(*ip) + 128 + sizeof(*u); - ip->ip_off = IP_MF; + ip->ip_off = htons(IP_MF); (void) send_ip(nfd, 1500, ip, gwip, 1); printf("%d %d\r", i, 0); fflush(stdout); @@ -1264,7 +1257,7 @@ int ptest; for (j = 768; j < 3584; j += 768) { ip->ip_len = sizeof(*ip) + 768; - ip->ip_off = IP_MF|(j>>3); + ip->ip_off = htons(IP_MF|(j>>3)); (void) send_ip(nfd, 1500, ip, gwip, 1); printf("%d %d\r", i, j); fflush(stdout); @@ -1272,7 +1265,7 @@ int ptest; ip->ip_len = sizeof(*ip) + 128; for (k = j - 768; k < j; k += 128) { - ip->ip_off = IP_MF|(k>>3); + ip->ip_off = htons(IP_MF|(k>>3)); (void) send_ip(nfd, 1500, ip, gwip, 1); printf("%d %d\r", i, k); fflush(stdout); @@ -1326,7 +1319,7 @@ int ptest; for (s = (u_char *)pip, j = 0; j < sizeof(tbuf); j++, s++) *s = (rand() >> 13) & 0xff; pip->ip_v = IPVERSION; - pip->ip_off &= 0xc000; + pip->ip_off &= htons(0xc000); bcopy((char *)&ip->ip_dst, (char *)&pip->ip_dst, sizeof(struct in_addr)); pip->ip_sum = 0; diff --git a/contrib/ipfilter/man/ipf.4 b/contrib/ipfilter/man/ipf.4 index 9d835506c50b..3519d522248f 100644 --- a/contrib/ipfilter/man/ipf.4 +++ b/contrib/ipfilter/man/ipf.4 
@@ -3,6 +3,7 @@ ipf \- packet filtering kernel interface .SH SYNOPSIS #include +.br #include .SH IOCTLS .PP @@ -200,5 +201,13 @@ struct filterstats { #endif }; .fi +.SH FILES +/dev/ipauth +.br +/dev/ipl +.br +/dev/ipnat +.br +/dev/ipstate .SH SEE ALSO -ipfstat(8), ipf(8), ipf(5) +ipl(4), ipnat(4), ipf(5), ipf(8), ipfstat(8) diff --git a/contrib/ipfilter/man/ipf.5 b/contrib/ipfilter/man/ipf.5 index 1ee1584d1875..79ab393b1fd2 100644 --- a/contrib/ipfilter/man/ipf.5 +++ b/contrib/ipfilter/man/ipf.5 @@ -1,6 +1,6 @@ .TH IPF 5 .SH NAME -ipf \- IP packet filter rule syntax +ipf, ipf.conf \- IP packet filter rule syntax .SH DESCRIPTION .PP A rule file for \fBipf\fP may have any name or even be stdin. As @@ -477,8 +477,14 @@ Note, that if we wanted to say "port = telnet", "proto tcp" would need to be specified as the parser interprets each rule on its own and qualifies all service/port names with the protocol specified. .SH FILES -/etc/services +/dev/ipauth +.br +/dev/ipl +.br +/dev/ipstate .br /etc/hosts +.br +/etc/services .SH SEE ALSO -ipf(8), ipftest(1), mkfilters(1), ipmon(8) +ipftest(1), iptest(1), mkfilters(1), ipf(4), ipnat(5), ipf(8), ipfstat(8) diff --git a/contrib/ipfilter/man/ipf.8 b/contrib/ipfilter/man/ipf.8 index 11a1666e2e32..06d2723ffc15 100644 --- a/contrib/ipfilter/man/ipf.8 +++ b/contrib/ipfilter/man/ipf.8 @@ -66,7 +66,7 @@ lists. .B \-I Set the list to make changes to the inactive list. .TP -.B \-l \0 +.B \-l \0 Use of the \fB-l\fP flag toggles default logging of packets. Valid arguments to this option are \fBpass\fP, \fBblock\fP and \fBnomatch\fP. When an option is set, any packet which exits filtering and matches the 
@@ -106,12 +106,18 @@ display the statistics prior to them being zero'd. Zero global statistics held in the kernel for filtering only (this doesn't affect fragment or state statistics). .DT +.SH FILES +/dev/ipauth +.br +/dev/ipl +.br +/dev/ipstate .SH SEE ALSO -ipfstat(8), ipftest(1), ipf(5), mkfilters(1) +ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8), ipnat(8) .SH DIAGNOSTICS .PP Needs to be run as root for the packet filtering lists to actually be affected inside the kernel. .SH BUGS .PP -If you find any, please send email to me at darrenr@cyber.com.au +If you find any, please send email to me at darrenr@pobox.com diff --git a/contrib/ipfilter/man/ipfstat.8 b/contrib/ipfilter/man/ipfstat.8 index 166a114b26b6..94525eb2d491 100644 --- a/contrib/ipfilter/man/ipfstat.8 +++ b/contrib/ipfilter/man/ipfstat.8 @@ -69,6 +69,10 @@ kernel. .SH FILES /dev/kmem .br +/dev/ipl +.br +/dev/ipstate +.br /vmunix .SH SEE ALSO ipf(8) diff --git a/contrib/ipfilter/man/ipftest.1 b/contrib/ipfilter/man/ipftest.1 index e77ef96bc4be..aba216a87fdb 100644 --- a/contrib/ipfilter/man/ipftest.1 +++ b/contrib/ipfilter/man/ipftest.1 @@ -1,4 +1,4 @@ -.TH ipftest 8 +.TH ipftest 1 .SH NAME ipftest \- test packet filter rules with arbitary input. .SH SYNOPSIS @@ -119,9 +119,8 @@ Specify the filename from which to take input. Default is stdin. .TP .BR \-r \0 Specify the filename from which to read filter rules. -.SH FILES .SH SEE ALSO -ipf(8), ipf(5), snoop(1m), tcpdump(8), etherfind(8c) +ipf(5), ipf(8), snoop(1m), tcpdump(8), etherfind(8c) .SH BUGS Not all of the input formats are sufficiently capable of introducing a wide enough variety of packets for them to be all useful in testing. diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8 index a4f7fc46ea0d..3fba05fe8d4b 100644 --- a/contrib/ipfilter/man/ipmon.8 +++ b/contrib/ipfilter/man/ipmon.8 
@@ -101,6 +101,10 @@ saved and will abort if it fails an assertion which detects an anomoly in the recorded data. .SH FILES /dev/ipl +.br +/dev/ipnat +.br +/dev/ipstate .SH SEE ALSO -ipf(8), ipfstat(8) +ipl(4), ipf(8), ipfstat(8), ipnat(8) .SH BUGS diff --git a/contrib/ipfilter/man/ipnat.1 b/contrib/ipfilter/man/ipnat.1 index 9b29f4d21278..01b5100ab497 100644 --- a/contrib/ipfilter/man/ipnat.1 +++ b/contrib/ipfilter/man/ipnat.1 @@ -41,5 +41,7 @@ Remove matching NAT rules rather than add them to the internal lists .B \-v Turn verbose mode on. Displays information relating to rule processing. .DT +.SH FILES +/dev/ipnat .SH SEE ALSO -ipfstat(1), ipftest(8), ipf(8), ipnat(5) +ipnat(5), ipf(8), ipfstat(8) diff --git a/contrib/ipfilter/man/ipnat.4 b/contrib/ipfilter/man/ipnat.4 index 6af517f23db2..578c7fbd88d0 100644 --- a/contrib/ipfilter/man/ipnat.4 +++ b/contrib/ipfilter/man/ipnat.4 @@ -3,8 +3,11 @@ ipnat \- Network Address Translation kernel interface .SH SYNOPSIS #include +.br #include +.br #include +.br #include .SH IOCTLS .PP @@ -87,5 +90,7 @@ typedef struct natstat { .SH BUGS It would be nice if there were more flexibility when adding and deleting filter rules. +.SH FILES +/dev/ipnat .SH SEE ALSO -ipfstat(8), ipf(8), ipf(4), ipnat(5) +ipf(4), ipnat(5), ipf(8), ipnat(8), ipfstat(8) diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5 index 783262380b18..576e9c20ce8b 100644 --- a/contrib/ipfilter/man/ipnat.5 +++ b/contrib/ipfilter/man/ipnat.5 @@ -1,6 +1,6 @@ .TH IPNAT 5 .SH NAME -ipnat \- IP NAT file format +ipnat, ipnat.conf \- IP NAT file format .SH DESCRIPTION The format for files accepted by ipnat is described by the following grammar: .LP 
@@ -37,10 +37,10 @@ range of port numbers to remap into given as \fBport-number:port-number\fP. .SH Examples .PP To change IP#'s used internally from network 10 into an ISP provided 8 bit -subnet at 209.1.2.0, the following would be used: +subnet at 209.1.2.0 through the ppp0 interface, the following would be used: .LP .nf -map 10.0.0.0/8 -> 209.1.2.0/24 +map ppp0 10.0.0.0/8 -> 209.1.2.0/24 .fi .PP The obvious problem here is we're trying to squeeze over 16,000,000 IP @@ -48,7 +48,7 @@ addresses into a 254 address space. To increase the scope, remapping for TCP and/or UDP, port remapping can be used; .LP .nf -map 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000 +map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000 .fi .PP which falls only 527,566 `addresses' short of the space available in network @@ -56,15 +56,17 @@ which falls only 527,566 `addresses' short of the space available in network follows: .LP .nf -map 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000 -map 10.0.0.0/8 -> 209.1.2.0/24 +map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000 +map ppp0 10.0.0.0/8 -> 209.1.2.0/24 .fi .PP so that all TCP/UDP packets were port mapped and only other protocols, such as ICMP, only have their IP# changed. .SH FILES +/dev/ipnat +.br /etc/services .br /etc/hosts .SH SEE ALSO -ipnat(1), ipf(5), ipnat(4) +ipnat(4), hosts(5), ipf(5), services(5), ipf(8), ipnat(8) diff --git a/contrib/ipfilter/mlf_ipl.c b/contrib/ipfilter/mlf_ipl.c index d6601ba2ebc6..3cda6c19e749 100644 --- a/contrib/ipfilter/mlf_ipl.c +++ b/contrib/ipfilter/mlf_ipl.c @@ -27,6 +27,9 @@ # include # ifdef DEVFS # include +# if defined(IPFILTER) && defined(_KERNEL) +# include "opt_devfs.h" +# endif # endif /*DEVFS*/ #endif #include 
@@ -375,7 +378,8 @@ static void ipl_drvinit __P((void *unused)) } } -# ifdef IPFILTER_LKM +# if defined(IPFILTER_LKM) || \ + defined(__FreeBSD_version) && (__FreeBSD_version >= 220000) SYSINIT(ipldev,SI_SUB_DRIVERS,SI_ORDER_MIDDLE+CDEV_MAJOR,ipl_drvinit,NULL) # endif /* IPFILTER_LKM */ #endif /* _FreeBSD_version */ diff --git a/contrib/ipfilter/mln_ipl.c b/contrib/ipfilter/mln_ipl.c index 3d70831ff9b4..7f2166ed1994 100644 --- a/contrib/ipfilter/mln_ipl.c +++ b/contrib/ipfilter/mln_ipl.c @@ -48,6 +48,9 @@ #include "ip_compat.h" #include "ip_fil.h" +#if !defined(__NetBSD_Version__) || __NetBSD_Version__ < 103050000 +#define vn_lock(v,f) VOP_LOCK(v) +#endif #if !defined(VOP_LEASE) && defined(LEASE_CHECK) #define VOP_LEASE LEASE_CHECK @@ -179,7 +182,7 @@ static int ipl_remove() if ((error = namei(&nd))) return (error); VOP_LEASE(nd.ni_vp, curproc, curproc->p_ucred, LEASE_WRITE); - VOP_LOCK(nd.ni_vp); + vn_lock(nd.ni_vp, LK_EXCLUSIVE | LK_RETRY); VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE); (void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd); } diff --git a/contrib/ipfilter/parse.c b/contrib/ipfilter/parse.c index bbc19257023e..76ee474ac9be 100644 --- a/contrib/ipfilter/parse.c +++ b/contrib/ipfilter/parse.c @@ -35,7 +35,7 @@ #if !defined(lint) static const char sccsid[] ="@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; -static const char rcsid[] = "@(#)$Id: parse.c,v 2.0.2.18.2.1 1997/11/20 12:43:49 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: parse.c,v 2.0.2.18.2.5 1998/05/23 19:20:33 darrenr Exp $"; #endif extern struct ipopt_names ionames[], secclass[]; @@ -57,7 +57,7 @@ int icmpcode __P((char *)), addkeep __P((char ***, struct frentry *)); int to_interface __P((frdest_t *, char *)); void print_toif __P((char *, frdest_t *)); void optprint __P((u_short, u_short, u_long, u_long)); -int countbits __P((u_long)); +int countbits __P((u_32_t)); char *portname __P((int, int)); 
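Review bot: The new condition `# if defined(IPFILTER_LKM) || \ defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)` relies on && binding tighter than ||, and the unchanged trailer `# endif /* IPFILTER_LKM */` no longer describes what it closes. Parenthesising the second operand, `(defined(__FreeBSD_version) && (__FreeBSD_version >= 220000))`, and updating the trailer to `# endif /* IPFILTER_LKM || __FreeBSD_version >= 220000 */` keeps the intent readable without changing the meaning.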
@@ -475,12 +475,21 @@ char *line; /* * lazy users... */ - if (!fil.fr_proto && !(fil.fr_ip.fi_fl & FI_TCPUDP) && - (fil.fr_dcmp || fil.fr_scmp || fil.fr_tcpf)) { - (void)fprintf(stderr, - "no protocol given for TCP/UDP comparisons\n"); + if ((fil.fr_tcpf || fil.fr_tcpfm) && fil.fr_proto != IPPROTO_TCP) { + (void)fprintf(stderr, "TCP protocol not specified\n"); return NULL; } + if (!(fil.fr_ip.fi_fl & FI_TCPUDP) && (fil.fr_proto != IPPROTO_TCP) && + (fil.fr_proto != IPPROTO_UDP) && (fil.fr_dcmp || fil.fr_scmp)) { + if (!fil.fr_proto) { + fil.fr_ip.fi_fl |= FI_TCPUDP; + fil.fr_mip.fi_fl |= FI_TCPUDP; + } else { + (void)fprintf(stderr, + "port comparisons for non-TCP/UDP\n"); + return NULL; + } + } /* if ((fil.fr_flags & FR_KEEPFRAG) && (!(fil.fr_ip.fi_fl & FI_FRAG) || !(fil.fr_ip.fi_fl & FI_FRAG))) { @@ -621,7 +630,7 @@ int *resolved; fprintf(stderr, "can't resolve hostname: %s\n", host); return 0; } - return np->n_net; + return htonl(np->n_net); } return *(u_32_t *)hp->h_addr; } @@ -980,7 +989,6 @@ struct frentry *fp; fp->fr_proto = IPPROTO_ICMP; if (isdigit(***cp)) { i = atoi(**cp); - (*cp)++; } else { for (t = icmptypes, i = 0; ; t++, i++) { if (!*t) @@ -1082,9 +1090,9 @@ struct frentry *fp; * of bits. */ int countbits(ip) -u_long ip; +u_32_t ip; { - u_long ipn; + u_32_t ipn; int cnt = 0, i, j; ip = ipn = ntohl(ip); diff --git a/contrib/ipfilter/rules/BASIC_1.FW b/contrib/ipfilter/rules/BASIC_1.FW index 47cb941b2fd0..42d27927eb7c 100644 --- a/contrib/ipfilter/rules/BASIC_1.FW +++ b/contrib/ipfilter/rules/BASIC_1.FW @@ -48,7 +48,7 @@ pass out quick on lo0 all # block in log quick from 10.0.0.0/8 to any group 100 block in log quick from 192.168.0.0/16 to any group 100 -block in log quick from 172.16.0.0/16 to any group 100 +block in log quick from 172.16.0.0/12 to any group 100 # # Prevent IP spoofing. # diff --git a/contrib/ipfilter/rules/BASIC_2.FW b/contrib/ipfilter/rules/BASIC_2.FW index 1614e91ccb5d..b966dfb1160f 100644 --- a/contrib/ipfilter/rules/BASIC_2.FW 
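Review bot: The two new checks treat a missing protocol differently: TCP flags without `proto tcp` are rejected with `"TCP protocol not specified\n"`, whereas port comparisons with no protocol at all silently set FI_TCPUDP on both fr_ip and fr_mip and the rule is accepted. The asymmetry is defensible (flags exist only for TCP, ports for TCP or UDP), but nothing in the hunk says so beyond "lazy users...", and the implicit narrowing changes what a rule matches. A comment above the second `if`, such as `/* a port comparison with no protocol implies "proto tcp/udp"; any other protocol with ports is an error */`, would document that contract. The enclosing parse function starts before this hunk.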
+++ b/contrib/ipfilter/rules/BASIC_2.FW @@ -33,7 +33,7 @@ block out log on ed0 all head 250 # block in log quick from 10.0.0.0/8 to any group 100 block in log quick from 192.168.0.0/16 to any group 100 -block in log quick from 172.16.0.0/16 to any group 100 +block in log quick from 172.16.0.0/12 to any group 100 # # Prevent IP spoofing. # diff --git a/contrib/ipfilter/solaris.c b/contrib/ipfilter/solaris.c index 4179133baa2a..fe2a243744ac 100644 --- a/contrib/ipfilter/solaris.c +++ b/contrib/ipfilter/solaris.c @@ -6,7 +6,7 @@ * to the original author and the contributors. */ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ -#pragma ident "@(#)$Id: solaris.c,v 2.0.2.22.2.2 1997/11/24 06:15:52 darrenr Exp $"; +#pragma ident "@(#)$Id: solaris.c,v 2.0.2.22.2.4 1998/02/28 02:35:21 darrenr Exp $"; #include #include @@ -190,15 +190,16 @@ static int ipf_attach(dip, cmd) dev_info_t *dip; ddi_attach_cmd_t cmd; { +#ifdef IPFDEBUG int instance; -#ifdef IPFDEBUG cmn_err(CE_NOTE, "IP Filter: ipf_attach(%x,%x)", dip, cmd); #endif switch (cmd) { case DDI_ATTACH: - instance = ddi_get_instance(dip); #ifdef IPFDEBUG + instance = ddi_get_instance(dip); + cmn_err(CE_NOTE, "IP Filter: attach ipf instance %d", instance); #endif if (ddi_create_minor_node(dip, "ipf", S_IFCHR, IPL_LOGIPF, @@ -895,7 +896,7 @@ void solattach() * Activate any rules directly associated with this interface */ mutex_enter(&ipf_mutex); - for (f = ipfilter[0][0]; f; f = f->fr_next) { + for (f = ipfilter[0][fr_active]; f; f = f->fr_next) { if ((f->fr_ifa == (struct ifnet *)-1)) { len = strlen(f->fr_ifname)+1; /* includes \0 */ if (len && (len == il->ill_name_length) && @@ -903,7 +904,7 @@ void solattach() f->fr_ifa = il; } } - for (f = ipfilter[1][0]; f; f = f->fr_next) { + for (f = ipfilter[1][fr_active]; f; f = f->fr_next) { if ((f->fr_ifa == (struct ifnet *)-1)) { len = strlen(f->fr_ifname)+1; /* includes \0 */ if (len && (len == il->ill_name_length) && 
@@ -996,10 +997,10 @@ int ipfsync() np->in_ifp = (struct ifnet *)-1; mutex_exit(&ipf_nat); mutex_enter(&ipf_mutex); - for (f = ipfilter[0][0]; f; f = f->fr_next) + for (f = ipfilter[0][fr_active]; f; f = f->fr_next) if (f->fr_ifa == (void *)qif->qf_ill) f->fr_ifa = (struct ifnet *)-1; - for (f = ipfilter[1][0]; f; f = f->fr_next) + for (f = ipfilter[1][fr_active]; f; f = f->fr_next) if (f->fr_ifa == (void *)qif->qf_ill) f->fr_ifa = (struct ifnet *)-1; diff --git a/contrib/ipfilter/test/input/11 b/contrib/ipfilter/test/input/11 index b6e2c1d977ad..4eda58eac04e 100644 --- a/contrib/ipfilter/test/input/11 +++ b/contrib/ipfilter/test/input/11 @@ -1,11 +1,11 @@ -in tcp 1.1.1.1,1 2.1.2.2,23 S -in tcp 1.1.1.1,1 2.1.2.2,23 A -in tcp 2.1.2.2,23 1.1.1.1,1 A -in tcp 1.1.1.1,1 2.1.2.2,23 F -in tcp 1.1.1.1,1 2.1.2.2,23 A -in tcp 1.1.1.1,2 2.1.2.2,23 A -in udp 1.1.1.1,1 4.4.4.4,53 -in udp 2.2.2.2,2 4.4.4.4,53 -in udp 4.4.4.4,53 1.1.1.1,1 -in udp 4.4.4.4,1023 1.1.1.1,2049 -in udp 4.4.4.4,2049 1.1.1.1,1023 +in on e0 tcp 1.1.1.1,1 2.1.2.2,23 S +in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A +in on e1 tcp 2.1.2.2,23 1.1.1.1,1 A +in on e0 tcp 1.1.1.1,1 2.1.2.2,23 F +in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A +in on e0 tcp 1.1.1.1,2 2.1.2.2,23 A +in on e1 udp 1.1.1.1,1 4.4.4.4,53 +in on e1 udp 2.2.2.2,2 4.4.4.4,53 +in on e0 udp 4.4.4.4,53 1.1.1.1,1 +in on e0 udp 4.4.4.4,1023 1.1.1.1,2049 +in on e0 udp 4.4.4.4,2049 1.1.1.1,1023 diff --git a/contrib/ipfilter/test/regress/10 b/contrib/ipfilter/test/regress/10 index 444737a59b1c..355298308e72 100644 --- a/contrib/ipfilter/test/regress/10 +++ b/contrib/ipfilter/test/regress/10 
@@ -1,18 +1,18 @@ -block in from any to any and not ipopts -pass in from any to any and not opt sec-class topsecret -block in from any to any and not opt ssrr,sec-class topsecret -pass in from any to any and not opt ssrr,sec-class topsecret -block in from any to any and not opt ts,sec-class topsecret -pass in from any to any and not opt ts,sec-class topsecret -block in from any to any and not opt sec-class secret -pass in from any to any and not opt sec-class secret -block in from any to any and not opt lsrr,ssrr -pass in from any to any and not opt lsrr,ssrr -pass in from any to any and not ipopts -block in from any to any and not opt lsrr -pass in from any to any and not opt lsrr -block in from any to any and not opt ssrr,ts -pass in from any to any and not opt ssrr,ts -block in from any to any and not opt rr -pass in from any to any and not opt rr -block in from any to any and not opt sec-class topsecret +block in from any to any with not ipopts +pass in from any to any with not opt sec-class topsecret +block in from any to any with not opt ssrr,sec-class topsecret +pass in from any to any with not opt ssrr,sec-class topsecret +block in from any to any with not opt ts,sec-class topsecret +pass in from any to any with not opt ts,sec-class topsecret +block in from any to any with not opt sec-class secret +pass in from any to any with not opt sec-class secret +block in from any to any with not opt lsrr,ssrr +pass in from any to any with not opt lsrr,ssrr +pass in from any to any with not ipopts +block in from any to any with not opt lsrr +pass in from any to any with not opt lsrr +block in from any to any with not opt ssrr,ts +pass in from any to any with not opt ssrr,ts +block in from any to any with not opt rr +pass in from any to any with not opt rr +block in from any to any with not opt sec-class topsecret diff --git a/contrib/ipfilter/todo b/contrib/ipfilter/todo index f974adc77ad8..6900056ec560 100644 --- a/contrib/ipfilter/todo +++ b/contrib/ipfilter/todo 
@@ -34,3 +34,8 @@ done * ipfsync() should change IP#'s in current mappings as well as what's in rules. +document bimap + +document NAT rule order processing + +add more docs