Remove redundant files.

Approved by:    glebius (mentor)
Approved by:    re (blanket)
This commit is contained in:
Cy Schubert 2013-09-21 14:23:20 +00:00
parent 8464e56e2a
commit c4d0c9d04e
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=255762
529 changed files with 0 additions and 30779 deletions


@ -1,619 +0,0 @@
#
# Copyright (C) 2012 by Darren Reed.
#
# See the IPFILTER.LICENCE file for details on licencing.
#
BINDEST=/usr/sbin
SBINDEST=/sbin
MANDIR=/usr/share/man
SEARCHDIRS!=echo $(BINDEST) $(SBINDEST) /bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin | awk '{for(i=1;i<NF;i++){print $$i;}}' - | sort -u
CC=gcc -Wall -Wuninitialized -Wstrict-prototypes -O -Wmissing-prototypes -Wpointer-arith -Wno-sign-compare -Wno-traditional -Werror
#UFLAGS=-fprofile-arcs -ftest-coverage
CFLAGS=-g -I$(TOP)
#
# For NetBSD/FreeBSD
#
DEVFS!=/usr/bin/lsvfs 2>&1 | sed -n 's/.*devfs.*/-DDEVFS/p'
CPU!=uname -m
COMPDIR!=/bin/ls -1tr /usr/src/sys/arch/${CPU}/compile | tail -1
INC=-I/usr/include -I/sys -I/sys/sys -I/sys/arch -I/usr/src/sys/arch/${CPU}/compile/${COMPDIR}
DEF=-D$(CPU) -D__$(CPU)__ -DINET -DKERNEL -D_KERNEL $(INC) $(DEVFS) -fno-builtin
IPDEF=$(DEF) -DGATEWAY -DDIRECTED_BROADCAST
VNODESHDIR=/sys/kern
MLD=$(ML)
ML=mln_ipl.c
LKM=ipflkm.o
LKMR=ipfrule.o
DLKM=
OBJ=.
DEST=$(OBJ)
MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \
'CFLAGS=$(CFLAGS) $(SOLARIS2)' "IPFLKM=$(IPFLKM)" \
"IPFLOG=$(IPFLOG)" "LOGFAC=$(LOGFAC)" "POLICY=$(POLICY)" \
"SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "DCPU=$(CPU)" \
"CPUDIR=$(CPUDIR)" "LOOKUP=$(LOOKUP)" "SYNC=$(SYNC)"
LIBS=-L. -lipf $(LIBBPF)
#
########## ########## ########## ########## ########## ########## ##########
#
CP=/bin/cp
RM=/bin/rm
CHMOD=/bin/chmod
INSTALL=install
#
MODOBJS=ip_fil.o fil.o ml_ipl.o ip_nat.o ip_frag.o ip_state.o ip_proxy.o \
ip_auth.o ip_log.o ip_pool.o ip_htable.o ip_lookup.o ip_rules.o \
ip_scan.o ip_sync.o ip_nat6.o ip_dstlist.o radix_ipf.o
# ip_trafcon.o
DFLAGS=$(IPFLKM) $(IPFLOG) $(LOOKUP) $(SYNC) $(DEF) $(DLKM) $(IPFBPF)
IPF=ipf.o ipfcomp.o ipf_y.o ipf_l.o
IPT=ipftest.o fil_u.o ip_frag_u.o ip_state_u.o ip_nat_u.o ip_nat6_u.o \
ip_proxy_u.o ip_auth_u.o ip_htable_u.o ip_lookup_u.o ip_pool_u.o \
ip_scan_u.o ip_sync_u.o ip_rules_u.o ip_fil_u.o ip_log_u.o \
ippool_y.o ippool_l.o ipf_y.o ipf_l.o ipnat_y.o ipnat_l.o \
md5_u.o radix_ipf_u.o ip_dstlist_u.o
# ip_syn_u.o
#ip_trafcon_u.o
TOOL=$(TOP)/tools
IPNAT=ipnat.o ipnat_y.o ipnat_l.o
IPMON=ipmon.o ipmon_y.o ipmon_l.o
IPPOOL=ippool_y.o ippool_l.o kmem.o ippool.o
IPTRAFCON=iptrafcon.o
PROXYLIST=$(TOP)/ip_dns_pxy.c $(TOP)/ip_ftp_pxy.c $(TOP)/ip_ipsec_pxy.c \
$(TOP)/ip_irc_pxy.c $(TOP)/ip_netbios_pxy.c $(TOP)/ip_raudio_pxy.c \
$(TOP)/ip_rcmd_pxy.c $(TOP)/ip_rpcb_pxy.c $(TOP)/ip_pptp_pxy.c
FILS=ipfstat.o
LIBSRC=$(TOP)/lib
RANLIB=ranlib
AROPTS=cq
HERE!=pwd
CCARGS=-I. $(DEBUG) $(CFLAGS) $(UFLAGS)
KCARGS=-I. $(DEBUG) $(CFLAGS)
.if ${MACHINE_ARCH} == amd64
KCARGS+=-mcmodel=kernel -mno-red-zone -fno-omit-frame-pointer \
-mfpmath=387 -mno-sse -mno-sse2 -mno-mmx -mno-3dnow \
-msoft-float -fno-asynchronous-unwind-tables
.endif
#
# Extra is option kernel things we always want in user space.
#
EXTRA=$(ALLOPTS)
include $(TOP)/lib/Makefile
build all: machine $(OBJ)/libipf.a tools $(LKM) $(LKMR)
tools: ipf ipfs ipfstat ipftest ipmon ipnat ippool ipscan ipsyncm \
ipsyncs ipfsyncd
-sh -c 'for i in ipf ipftest ipmon ippool ipnat ipscan ipsyncm ipsyncs ipfsyncd; do /bin/rm -f $(TOP)/$$i; ln -s `pwd`/$$i $(TOP); done'
-/bin/rm -f ../tools ./tools
-ln -s ../tools .
-ln -s ../tools ..
bpf.h:
echo '#define DEV_BPF 1' > bpf.h
$(TOP)/ip_compat.h: bpf.h
machine: Makefile.kmod
if [ -f Makefile.kmod ] ; then \
make -f Makefile.kmod depend MKUPDATE=no; \
fi
Makefile.kmod:
if [ -f /usr/share/mk/bsd.kmod.mk -a "`uname -s`" = "NetBSD" ] ; then \
rm -f Makefile.kmod; \
ln -s /usr/share/mk/bsd.kmod.mk Makefile.kmod; \
fi
ipfstat: $(FILS) $(OBJ)/libipf.a
$(CC) $(CCARGS) $(STATETOP_CFLAGS) $(STATETOP_INC) $(FILS) \
-o $@ $(LIBS) $(STATETOP_LIB) -lkvm
ipf: $(IPF) $(OBJ)/libipf.a
$(CC) $(CCARGS) $(IPF) -o $@ $(LIBS) -ll $(LIBBPF)
ipftest: $(IPT) $(OBJ)/libipf.a
$(CC) $(CCARGS) $(IPT) -o $@ $(LIBS) -ll $(LIBBPF)
ipnat: $(IPNAT) $(OBJ)/libipf.a
$(CC) $(CCARGS) $(IPNAT) -o $@ $(LIBS) -lkvm -ll
ipfs: ipfs.o
$(CC) $(CCARGS) ipfs.o -o $@
ipsyncm: ipsyncm.o $(OBJ)/libipf.a
$(CC) $(CCARGS) ipsyncm.o -o $@ $(LIBS)
ipsyncs: ipsyncs.o $(OBJ)/libipf.a
$(CC) $(CCARGS) ipsyncs.o -o $@ $(LIBS)
ipfsyncd: ipfsyncd.o $(OBJ)/libipf.a
$(CC) $(CCARGS) ipfsyncd.o -o $@ $(LIBS)
ipsyncm.o: $(TOOL)/ipsyncm.c $(TOP)/ip_sync.h
$(CC) $(CCARGS) -c $(TOOL)/ipsyncm.c -o $@
ipsyncs.o: $(TOOL)/ipsyncs.c $(TOP)/ip_sync.h
$(CC) $(CCARGS) -c $(TOOL)/ipsyncs.c -o $@
ipfsyncd.o: $(TOOL)/ipfsyncd.c $(TOP)/ip_sync.h
$(CC) $(CCARGS) -c $(TOOL)/ipfsyncd.c -o $@
tests:
(cd test; make )
ipfstat.o: $(TOOL)/ipfstat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_frag.h \
$(TOP)/ip_compat.h $(TOP)/ip_state.h $(TOP)/ip_nat.h $(TOP)/opts.h
$(CC) $(CCARGS) $(STATETOP_CFLAGS) $(STATETOP_INC) \
-c $(TOOL)/ipfstat.c -o $@
ipfs.o: $(TOOL)/ipfs.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_state.h \
$(TOP)/ip_nat.h $(TOP)/opts.h
$(CC) $(CCARGS) -c $(TOOL)/ipfs.c -o $@
fil_u.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_compat.h \
$(TOP)/opts.h $(TOP)/ip_rules.h
$(CC) $(CCARGS) $(EXTRA) $(IPFBPF) -c $(TOP)/fil.c -o $@
fil.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ip_compat.h $(TOP)/ipl.h \
$(TOP)/ip_rules.h
$(CC) $(KCARGS) $(POLICY) $(DFLAGS) $(IPFBPF) $(COMPIPF) $(COMPATIPF) \
-c $(TOP)/fil.c -o $@
ipf.o: $(TOOL)/ipf.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/opts.h
$(CC) $(CCARGS) -c $(TOOL)/ipf.c -o $@
ipfcomp.o: $(TOOL)/ipfcomp.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/opts.h
$(CC) $(CCARGS) -c $(TOOL)/ipfcomp.c -o $@
ipftest.o: $(TOOL)/ipftest.c $(TOP)/ip_fil.h $(TOP)/ipt.h $(TOP)/ipf.h \
$(TOP)/opts.h
$(CC) $(CCARGS) -c $(TOOL)/ipftest.c -o $@
ipnat.o: $(TOOL)/ipnat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_nat.h \
$(TOP)/opts.h
$(CC) $(CCARGS) -c $(TOOL)/ipnat.c -o $@
ipnat_y.o: ipnat_y.c ipnat_y.h ipnat_l.h $(TOP)/ip_fil.h $(TOP)/ip_nat.h
$(CC) $(CCARGS) -c ipnat_y.c -o $@
ipnat_l.o: ipnat_l.c ipnat_y.h
$(CC) $(CCARGS) -I. -c ipnat_l.c -o $@
ipnat_y.c: $(TOOL)/ipnat_y.y
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
ipnat_y.h: ipnat_y.c
ipnat_l.c: $(TOOL)/lexer.c $(TOP)/ip_nat.h
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
ipnat_l.h: $(TOOL)/lexer.h
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
ip_nat_u.o: $(TOP)/ip_nat.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_nat.c -o $@
ip_nat6_u.o: $(TOP)/ip_nat6.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_nat6.c -o $@
ip_proxy_u.o: $(TOP)/ip_proxy.c $(TOP)/ip_proxy.h $(TOP)/ip_compat.h \
$(TOP)/ip_fil.h $(PROXYLIST) $(TOP)/ip_nat.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_proxy.c -o $@
ip_frag_u.o: $(TOP)/ip_frag.c $(TOP)/ip_frag.h $(TOP)/ip_compat.h \
$(TOP)/ip_fil.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_frag.c -o $@
ip_state_u.o: $(TOP)/ip_state.c $(TOP)/ip_state.h $(TOP)/ip_compat.h \
$(TOP)/ip_fil.h $(TOP)/ip_nat.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_state.c -o $@
ip_auth_u.o: $(TOP)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \
$(TOP)/ip_fil.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_auth.c -o $@
ip_fil_u.o: $(TOP)/ip_fil.c $(TOP)/ip_fil.h $(TOP)/ip_compat.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_fil.c -o $@
ip_rules_u.o: ip_rules.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
$(TOP)/ip_rules.h
$(CC) $(CCARGS) $(EXTRA) -c ip_rules.c -o $@
ip_scan_u.o: $(TOP)/ip_scan.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
$(TOP)/ip_scan.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_scan.c -o $@
ip_sync_u.o: $(TOP)/ip_sync.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
$(TOP)/ip_sync.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_sync.c -o $@
ip_pool_u.o: $(TOP)/ip_pool.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
$(TOP)/ip_pool.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_pool.c -o $@
ip_htable_u.o: $(TOP)/ip_htable.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
$(TOP)/ip_htable.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_htable.c -o $@
ip_dstlist_u.o: $(TOP)/ip_dstlist.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
$(TOP)/ip_dstlist.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_dstlist.c -o $@
ip_lookup_u.o: $(TOP)/ip_lookup.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
$(TOP)/ip_lookup.h $(TOP)/ip_pool.h $(TOP)/ip_htable.h \
$(TOP)/ip_dstlist.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_lookup.c -o $@
ip_trafcon_u.o: $(TOP)/ip_trafcon.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
$(TOP)/ip_trafcon.h
$(CC) $(CCARGS) -c $(TOP)/ip_trafcon.c -o $@
ip_log_u.o: $(TOP)/ip_log.c $(TOP)/ip_fil.h $(TOP)/ip_compat.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_log.c -o $@
md5_u.o: $(TOP)/md5.c $(TOP)/md5.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/md5.c -o $@
radix_ipf_u.o: $(TOP)/md5.c $(TOP)/radix_ipf.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/radix_ipf.c -o $@
bpf_filter_u.o: $(TOP)/bpf_filter.c $(TOP)/pcap-ipf.h
$(CC) $(CCARGS) $(EXTRA) -c $(TOP)/bpf_filter.c -o $@
ipflkm.o: $(MODOBJS)
ld -r $(MODOBJS) -o $(LKM)
${RM} -f ipflkm
ipfrule.ko.5: ip_rulesx.o $(MLR)
.if ${MACHINE_ARCH} != amd64
ld -warn-common -r -d -o $(.TARGET:S/.ko/.kld/) ip_rulesx.o $(MLR)
ld -Bshareable -d -warn-common -o $(LKMR:S/.5$//) $(.TARGET:S/.ko/.kld/)
.else
ld -warn-common -r -d -o $(.TARGET:S/.5$//) ip_rulesx.o $(MLR)
nm -g $(.TARGET:S/.5$//) | \
awk '/^[^[:space:]]+ [^AU] (.*)$$/ { print ($$2=="C" ? "-N" : "-L") $$3 }' | \
xargs -J% objcopy % $(.TARGET:S/.5$//)
.endif
ipfrule.ko: ip_rulesx.o $(MLR)
gensetdefs ip_rulesx.o $(MLR)
$(CC) $(KCARGS) -c setdef0.c
$(CC) $(KCARGS) -c setdef1.c
ld -Bshareable -o $@ setdef0.o ip_rulesx.o $(MLR) setdef1.o
ipf.ko.5 ipl.ko.5: $(MODOBJS)
.if ${MACHINE_ARCH} != amd64
ld -warn-common -r -d -o $(.TARGET:S/.ko/.kld/) $(MODOBJS)
ld -Bshareable -d -warn-common -o $(LKM:S/.5$//) $(.TARGET:S/.ko/.kld/)
.else
ld -warn-common -r -d -o $(.TARGET:S/.5$//) $(MODOBJS)
nm -g $(.TARGET:S/.5$//) | \
awk '/^[^[:space:]]+ [^AU] (.*)$$/ { print ($$2=="C" ? "-N" : "-L") $$3 }' | \
xargs -J% objcopy % $(.TARGET:S/.5$//)
.endif
ipf.ko ipl.ko: $(MODOBJS)
gensetdefs $(MODOBJS)
$(CC) $(KCARGS) -c setdef0.c
$(CC) $(KCARGS) -c setdef1.c
ld -Bshareable -o $@ setdef0.o $(MODOBJS) setdef1.o
ip_nat.o: $(TOP)/ip_nat.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h
$(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_nat.c -o $@
ip_nat6.o: $(TOP)/ip_nat6.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h
$(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_nat6.c -o $@
ip_frag.o: $(TOP)/ip_frag.c $(TOP)/ip_frag.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h
$(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_frag.c -o $@
ip_state.o: $(TOP)/ip_state.c $(TOP)/ip_state.h $(TOP)/ip_compat.h \
$(TOP)/ip_fil.h $(TOP)/ip_nat.h
$(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_state.c -o $@
ip_proxy.o: $(TOP)/ip_proxy.c $(TOP)/ip_proxy.h $(TOP)/ip_compat.h \
$(TOP)/ip_fil.h $(PROXYLIST) $(TOP)/ip_nat.h
$(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_proxy.c -o $@
ip_auth.o: $(TOP)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \
$(TOP)/ip_fil.h
$(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_auth.c -o $@
ip_fil.c:
/bin/rm -f ip_fil.c
ln -s $(TOP)/ip_fil_`uname -s|tr A-Z a-z`.c ip_fil.c
ip_fil.o: ip_fil.c $(TOP)/ip_fil.h $(TOP)/ip_compat.h $(TOP)/ip_nat.h
$(CC) $(KCARGS) $(DFLAGS) $(COMPIPF) -c ip_fil.c -o $@
ip_fil_compat.o: $(TOP)/ip_fil_compat.c $(TOP)/ipl.h $(TOP)/ip_fil.h \
$(TOP)/ip_compat.h $(TOP)/ip_nat.h $(TOP)/ip_state.h
$(CC) $(KCARGS) $(DFLAGS) $(COMPIPF) $(COMPATIPF) \
-c $(TOP)/ip_fil_compat.c -o $@
ip_log.o: $(TOP)/ip_log.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h
$(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_log.c -o $@
ip_scan.o: $(TOP)/ip_scan.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h $(TOP)/ip_scan.h
$(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_scan.c -o $@
ip_sync.o: $(TOP)/ip_sync.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h $(TOP)/ip_sync.h
$(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_sync.c -o $@
ip_pool.o: $(TOP)/ip_pool.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
$(TOP)/ip_lookup.h $(TOP)/ip_pool.h
$(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_pool.c -o $@
ip_htable.o: $(TOP)/ip_htable.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
$(TOP)/ip_lookup.h $(TOP)/ip_htable.h
$(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_htable.c -o $@
ip_dstlist.o: $(TOP)/ip_dstlist.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
$(TOP)/ip_lookup.h $(TOP)/ip_dstlist.h
$(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_dstlist.c -o $@
ip_lookup.o: $(TOP)/ip_lookup.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
$(TOP)/ip_pool.h $(TOP)/ip_htable.h $(TOP)/ip_lookup.h \
$(TOP)/ip_dstlist.h
$(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_lookup.c -o $@
radix_ipf.o: $(TOP)/md5.c $(TOP)/radix_ipf.h
$(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/radix_ipf.c -o $@
ip_trafcon.o: $(TOP)/ip_trafcon.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
$(TOP)/ip_trafcon.h
$(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_trafcon.c -o $@
vnode_if.h: $(VNODESHDIR)/vnode_if.src
mkdir -p ../sys
mkdir -p ../rump/include/rump
mkdir -p ../rump/librump/rumpvfs
if [ -f $(VNODESHDIR)/vnode_if.sh ] ; then \
sh $(VNODESHDIR)/vnode_if.sh $(VNODESHDIR)/vnode_if.src; \
fi
if [ -f $(VNODESHDIR)/vnode_if.pl ] ; then \
perl $(VNODESHDIR)/vnode_if.pl $(VNODESHDIR)/vnode_if.src; \
fi
if [ -f ../sys/vnode_if.h ] ; then mv ../sys/vnode_if.h .; fi
rmdir ../sys
rm -rf ../rump
ml_ipl.o: vnode_if.h $(TOP)/$(MLD) $(TOP)/ipl.h
-/bin/rm -f vnode_if.c
$(CC) -I. $(KCARGS) $(DFLAGS) -c $(TOP)/$(ML) -o $@
ip_rules.o: ip_rules.c $(TOP)/ip_rules.h
$(CC) -I. $(CFLAGS) $(DFLAGS) $(COMPIPF) -c ip_rules.c -o $@
ip_rules.c: $(TOP)/rules/ip_rules $(TOP)/tools/ipfcomp.c ipf
./ipf -cc -nf $(TOP)/rules/ip_rules
$(TOP)/ip_rules.h: ip_rules.c
if [ ! -f $(TOP)/ip_rules.h ] ; then \
/bin/mv -f ip_rules.h $(TOP); \
else \
touch $(TOP)/ip_rules.h; \
fi
ip_rulesx.o: ip_rules.c $(TOP)/ip_rules.h
$(CC) -I. $(KCARGS) $(DFLAGS) -DIPFILTER_COMPILED -c ip_rules.c -o $@
mlf_rule.o: $(TOP)/mlf_rule.c $(TOP)/ip_rules.h
$(CC) -I. $(CFLAGS) $(DFLAGS) -c $(TOP)/mlf_rule.c -o $@
mln_rule.o: $(TOP)/mln_rule.c $(TOP)/ip_rules.h
$(CC) -I. $(CFLAGS) $(DFLAGS) -c $(TOP)/mln_rule.c -o $@
mlo_rule.o: $(TOP)/mlo_rule.c $(TOP)/ip_rules.h
$(CC) -I. $(CFLAGS) $(DFLAGS) -c $(TOP)/mlo_rule.c -o $@
mlfk_rule.o: $(TOP)/mlfk_rule.c $(TOP)/ip_rules.h
$(CC) -I. $(KCARGS) $(DFLAGS) -c $(TOP)/mlfk_rule.c -o $@
ipf_y.o: ipf_y.c ipf_y.h $(TOP)/ipf.h ipf_l.h $(TOP)/opts.h
$(CC) $(CCARGS) $(IPFBPF) -c ipf_y.c -o $@
ipf_l.o: ipf_l.c ipf_y.h $(TOP)/ipf.h ipf_l.h $(TOP)/opts.h
$(CC) $(CCARGS) -I. -c ipf_l.c -o $@
ipf_y.c: $(TOOL)/ipf_y.y $(TOP)/ipf.h $(TOP)/opts.h
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
ipf_y.h: ipf_y.c
ipf_l.c: $(TOOL)/lexer.c $(TOP)/ipf.h $(TOP)/opts.h
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
ipf_l.h: $(TOOL)/lexer.h
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
ipmon: $(IPMON) $(OBJ)/libipf.a
$(CC) $(CCARGS) $(IPMON) -o $@ $(LIBS) -ll
ipmon.o: $(TOOL)/ipmon.c $(TOP)/ipmon.h
$(CC) $(CCARGS) $(LOGFAC) -c $(TOOL)/ipmon.c -o $@
ipmon_y.o: ipmon_y.c ipmon_y.h $(TOP)/ipmon.h ipmon_l.h
$(CC) $(CCARGS) -c ipmon_y.c -o $@
ipmon_l.o: ipmon_l.c ipmon_y.h $(TOP)/ipmon.h
$(CC) $(CCARGS) -I. -c ipmon_l.c -o $@
ipmon_y.c: $(TOOL)/ipmon_y.y $(TOP)/ipmon.h
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
ipmon_y.h: ipmon_y.c
ipmon_l.c: $(TOOL)/lexer.c $(TOP)/ipmon.h
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
ipmon_l.h: $(TOOL)/lexer.h
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
ipscan: ipscan_y.o ipscan_l.o
$(CC) $(DEBUG) ipscan_y.o ipscan_l.o -o $@ -ll $(LIBS) -lkvm
ipscan_y.o: ipscan_y.c ipscan_y.h $(TOP)/ip_scan.h ipscan_l.h
$(CC) $(CCARGS) -c ipscan_y.c -o $@
ipscan_l.o: ipscan_l.c ipscan_y.h $(TOP)/ip_scan.h
$(CC) $(CCARGS) -I. -c ipscan_l.c -o $@
ipscan_y.c: $(TOOL)/ipscan_y.y $(TOP)/ip_scan.h
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
ipscan_y.h: ipscan_y.c
ipscan_l.c ipscan_l.h: $(TOOL)/lexer.c $(TOP)/ip_scan.h
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
ippool: $(IPPOOL) $(OBJ)/libipf.a
$(CC) $(DEBUG) -I. $(CFLAGS) $(IPPOOL) -o $@ -ll -lkvm -L. -lipf
ippool.o: $(TOOL)/ippool.c $(TOP)/ip_pool.h
$(CC) $(CCARGS) -c $(TOOL)/ippool.c -o $@
ippool_y.o: ippool_y.c ippool_y.h $(TOP)/ip_pool.h ippool_l.h
$(CC) $(CCARGS) -c ippool_y.c -o $@
ippool_l.o: ippool_l.c ippool_y.h $(TOP)/ip_pool.h
$(CC) $(CCARGS) -I. -c ippool_l.c -o $@
ippool_y.c: $(TOOL)/ippool_y.y $(TOP)/ip_pool.h ippool_l.h ippool_y.h
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
ippool_y.h: $(TOOL)/ippool_y.y
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
ippool_l.c: $(TOOL)/lexer.c $(TOP)/ip_pool.h
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
ippool_l.h: $(TOOL)/lexer.h
(cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
iptrafcon.o: $(TOP)/iptrafcon.c
$(CC) $(CCARGS) -c $< -o $@
iptrafcon: $(IPTRAFCON) $(OBJ)/libipf.a
$(CC) $(CCARGS) $(IPTRAFCON) -o $@ $(LIBS)
.y.c:
.l.c:
clean:
${RM} -f ../ipf ../ipnat ../ipmon ../ippool ../ipftest
${RM} -f ../ipscan ../ipsyncm ../ipsyncs
${RM} -f *.core *.o *.a ipt ipfstat ipf ipfstat ipftest ipmon
${RM} -f ipflkm ipnat ipfrule.ko* ipf.kld* ipfrule.kld*
${RM} -f vnode_if.h $(LKM) ioconf.h *.ko setdef1.c setdef0.c setdefs.h
${RM} -f ip_fil.c ipf_l.c ipf_y.c ipf_y.h ipf_l.h
${RM} -f ipscan ipscan_y.c ipscan_y.h ipscan_l.c ipscan_l.h
${RM} -f ippool ippool_y.c ippool_y.h ippool_l.c ippool_l.h
${RM} -f ipnat_y.c ipnat_y.h ipnat_l.c ipnat_l.h
${RM} -f ipmon_y.c ipmon_y.h ipmon_l.c ipmon_l.h
${RM} -f ipsyncm ipsyncs ipfs ip_rules.c ip_rules.h bpf.h
${RM} -f *.da *.gcov *.bb *.bbg tools
${MAKE} -f Makefile.ipsend ${MFLAGS} clean
if [ -f Makefile.kmod ] ; then \
${MAKE} -f Makefile.kmod ${MFLAGS} clean; \
fi
-(for i in *; do \
if [ -d $${i} -a -f $${i}/Makefile ] ; then \
cd $${i}; (make TOP=../.. clean); cd ..; \
/bin/rm -f $${i}/Makefile $${i}/Makefile.ipsend; \
/bin/rm -f $${i}/Makefile.kmod; \
rmdir $${i}; \
fi \
done)
install:
for i in ip_compat.h ip_fil.h ip_nat.h ip_state.h ip_proxy.h \
ip_frag.h ip_auth.h; do \
/bin/cp $(TOP)/$$i /usr/include/netinet/; \
$(CHMOD) 444 /usr/include/netinet/$$i; \
done
-if [ -d /lkm -a -f ipflkm.o ] ; then \
cp ipflkm.o /lkm; \
fi
-if [ -d /modules -a -f ipf.ko ] ; then \
if [ -f /modules/ipl.ko ] ; then \
cp ipf.ko /modules/ipl.ko; \
else \
cp ipf.ko /modules; \
fi \
fi
-if [ -d /modules -a -f ipfrule.ko ] ; then \
cp ipfrule.ko /modules; \
fi
.if ${MACHINE_ARCH} != amd64
-if [ -d /boot/kernel -a -f ipf.ko ] ; then \
if [ -f /boot/kernel/ipl.ko ] ; then \
cp ipf.ko /boot/kernel/ipl.ko; \
else \
cp ipf.ko /boot/kernel; \
fi \
fi
-if [ -d /boot/kernel -a -f ipfrule.ko ] ; then \
cp ipfrule.ko /boot/kernel; \
fi
.else
-if [ -d /boot/kernel -a -f ipf.ko ] ; then \
if [ -f /boot/kernel/ipl.ko ] ; then \
objcopy --only-keep-debug ipf.ko
/boot/kernel/ipl.ko.symbols; \
objcopy --strip-debug \
--add-gnu-debuglink=ipl.ko.symbols \
ipf.ko /boot/kernel/ipl.ko; \
else \
objcopy --only-keep-debug ipf.ko \
/boot/kernel/ipf.ko.symbols; \
objcopy --strip-debug \
--add-gnu-debuglink=ipl.ko.symbols \
ipf.ko /boot/kernel/ipf.ko; \
fi \
fi
-if [ -d /boot/kernel -a -f ipfrule.ko ] ; then \
objcopy --only-keep-debug ipfrule.ko /boot/kernel/ipfrule.ko.symbols; \
objcopy --strip-debug --add-gnu-debuglink=ipfrule.ko.symbols ipfrule.ko /boot/kernel/ipfrule.ko; \
fi
.endif
-if [ -d /usr/lkm -a -f ipflkm.o ] ; then \
cp ipflkm.o /usr/lkm; \
fi
-$(INSTALL) -cs -g wheel -m 755 -o root ipscan $(SBINDEST)
(cd $(TOP)/man; make INSTALL=$(INSTALL) MANDIR=$(MANDIR) install; cd $(TOP))
@for i in ipf:$(SBINDEST) ipfs:$(SBINDEST) ipnat:$(SBINDEST) \
ippool:$(BINDEST) ipsyncm:$(BINDEST) ipsyncs:$(BINDEST) \
ipfstat:$(SBINDEST) ipftest:$(SBINDEST) ipmon:$(BINDEST); do \
def="`expr $$i : '[^:]*:\(.*\)'`"; \
p="`expr $$i : '\([^:]*\):.*'`"; \
dd=; \
for d in $(SEARCHDIRS); do \
if [ -f $$d/$$p ] ; then \
echo "$(INSTALL) -cs -g wheel -m 755 -o root $$p $$d"; \
$(INSTALL) -cs -g wheel -m 755 -o root $$p $$d; \
dd=XXX; \
fi; \
done; \
if [ -z "$$dd" ] ; then \
echo $(INSTALL) -cs -g wheel -m 755 -o root $$p $$def; \
$(INSTALL) -cs -g wheel -m 755 -o root $$p $$def; \
fi \
done
if [ -d /etc/rc.d ] ; then \
$(INSTALL) -c -g wheel -m 755 -o root ../ipfadm-rcd $(SBINDEST)/ipfadm; \
fi
(cd $(TOP)/man; make INSTALL=$(INSTALL) MANDIR=$(MANDIR) install; cd $(TOP))
coverage:
ksh -c 'for i in *.da; do j=$${i%%.da}.c; gcov $$j 2>&1 | egrep -v "y.tab.c|Could|Creating|_l\.c|\.h"; done' | sort -n > report
sort -n report | perl -e 'while(<>) { next if (/^0.00/); s/\%//g; @F=split;$$lc+=$$F[2];$$t += $$F[0]/100*$$F[2];} printf "%d of %d = %d%%\n", $$t, $$lc,$$t/$$lc*100;' >> report
clean-coverage:
/bin/rm -f *.gcov *.da


@ -1,109 +0,0 @@
#
# $Id$
#
BINDEST=/usr/sbin
SBINDEST=/sbin
MANDIR=/usr/share/man
OBJS=ipsend.o ip.o ipsopt.o iplang_y.o iplang_l.o
IPFTO=ipft_ef.o ipft_hx.o ipft_pc.o ipft_sn.o ipft_td.o ipft_tx.o
ROBJS=ipresend.o ip.o resend.o
TOBJS=iptest.o iptests.o ip.o
UNIXOBJS=sbpf.o sock.o 44arp.o
OBJ=.
LIBS=-L$(OBJ) -lipf
CC=gcc -Wuninitialized -Wstrict-prototypes -O
CFLAGS=-g -I$(TOP)
#
MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \
'CFLAGS=$(CFLAGS) $(SOLARIS2)' "IPFLKM=$(IPFLKM)" \
"IPFLOG=$(IPFLOG)" "LOGFAC=$(LOGFAC)" "POLICY=$(POLICY)" \
"SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "DCPU=$(CPU)" \
"CPUDIR=$(CPUDIR)" "LOOKUP=$(LOOKUP)"
#
build:
all bsd-bpf : ipsend ipresend iptest
iplang_y.o: $(TOP)/iplang/iplang_y.y
(cd $(TOP)/iplang; $(MAKE) ../BSD/$(CPUDIR)/$@ $(MFLAGS) 'DESTDIR=../BSD/$(CPUDIR)' )
iplang_l.o: $(TOP)/iplang/iplang_l.l
(cd $(TOP)/iplang; $(MAKE) ../BSD/$(CPUDIR)/$@ $(MFLAGS) 'DESTDIR=../BSD/$(CPUDIR)' )
.c.o:
$(CC) $(DEBUG) $(CFLAGS) -c $< -o $@
ipsend: $(OBJS) $(UNIXOBJS)
$(CC) $(DEBUG) $(OBJS) $(UNIXOBJS) -o $@ $(LIBS) -ll
ipresend: $(ROBJS) $(UNIXOBJS)
$(CC) $(DEBUG) $(ROBJS) $(UNIXOBJS) -o $@ $(LIBS)
iptest: $(TOBJS) $(UNIXOBJS)
$(CC) $(DEBUG) $(TOBJS) $(UNIXOBJS) -o $@ $(LIBS)
clean:
rm -rf *.o core a.out ipsend ipresend iptest iplang_y.* iplang_l.*
ipsend.o: $(TOP)/ipsend/ipsend.c
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/ipsend.c -o $@
ipsopt.o: $(TOP)/ipsend/ipsopt.c
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/ipsopt.c -o $@
ipresend.o: $(TOP)/ipsend/ipresend.c
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/ipresend.c -o $@
ip.o: $(TOP)/ipsend/ip.c
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/ip.c -o $@
resend.o: $(TOP)/ipsend/resend.c
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/resend.c -o $@
ipft_sn.o: $(TOP)/ipft_sn.c
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_sn.c -o $@
ipft_pc.o: $(TOP)/ipft_pc.c
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_pc.c -o $@
iptest.o: $(TOP)/ipsend/iptest.c
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/iptest.c -o $@
iptests.o: $(TOP)/ipsend/iptests.c
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/iptests.c -o $@
sbpf.o: $(TOP)/ipsend/sbpf.c
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/sbpf.c -o $@
snit.o: $(TOP)/ipsend/snit.c
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/snit.c -o $@
sock.o: $(TOP)/ipsend/sock.c
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/sock.c -o $@
arp.o: $(TOP)/ipsend/arp.c
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/arp.c -o $@
44arp.o: $(TOP)/ipsend/44arp.c
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/44arp.c -o $@
lsock.o: $(TOP)/ipsend/lsock.c
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/lsock.c -o $@
slinux.o: $(TOP)/ipsend/slinux.c
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/slinux.c -o $@
larp.o: $(TOP)/ipsend/larp.c
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/larp.c -o $@
dlcommon.o: $(TOP)/ipsend/dlcommon.c
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/dlcommon.c -o $@
sdlpi.o: $(TOP)/ipsend/sdlpi.c
$(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/sdlpi.c -o $@
install:
-$(INSTALL) -cs -g wheel -m 755 -o root ipsend ipresend iptest $(BINDEST)


@ -1,350 +0,0 @@
#!/bin/sh
#
# Copyright (C) 2012 by Darren Reed.
#
# See the IPFILTER.LICENCE file for details on licencing.
#
prog=$0
RCD=/etc/rc.conf.d
# This script is an interface to the following rc.d scripts:
# /etc/rc.d/ipfilter
# /etc/rc.d/ipfs
# /etc/rc.d/ipnat
# /etc/rc.d/ipmon
running=`ipf -V 2>/dev/null|sed -ne 's/Running: \(.*\)/\1/p'`
usage() {
echo "$prog status"
echo "$prog ipfilter <enable|disable|reload|resync|start|status|stop>"
echo "$prog ipfs <enable|disable|status|start|stop>"
echo "$prog ipmon <enable|disable|restart|start|status|stop>"
echo "$prog ipnat <enable|disable|reload|start|status|stop>"
exit 1
}
enable() {
old=${RCD}/$1.old
new=${RCD}/$1
mkdir ${RCD}/$1.d
if [ $? -eq 0 ] ; then
if [ -f ${RCD}/$1 ] ; then
cp ${RCD}/$1 ${RCD}/$1.old
sed -e "s/^${1} *\=.*/${1}\=YES/" ${old} > ${new}
/bin/rm ${old}
else
echo "$1=YES" > ${RCD}/$1
chmod go-wx ${RCD}/$1
fi
rmdir ${RCD}/$1.d
fi
}
disable() {
old=${RCD}/$1.old
new=${RCD}/$1
mkdir ${RCD}/$1.d
if [ $? -eq 0 ] ; then
if [ -f ${RCD}/$1 ] ; then
cp ${RCD}/$1 ${RCD}/$1.old
sed -e "s/^${1} *\=.*/${1}\=NO/" ${old} > ${new}
/bin/rm ${old}
else
echo "$1=NO" > ${RCD}/$1
chmod go-wx ${RCD}/$1
fi
rmdir ${RCD}/$1.d
fi
}
status() {
active=`/etc/rc.d/$1 rcvar|sed -ne "s/^$""${1}\=\(.*\)$/\1/p"`
case $active in
NO)
return 0
;;
YES)
return 1
;;
esac
return 2
}
status_ipmon() {
echo -n "ipmon "
pid=`pgrep ipmon`
status ipmon
case $? in
0)
if [ -n "$pid" ] ; then
echo "disabled-but-running"
else
echo "disabled"
fi
;;
1)
if [ -n "$pid" ] ; then
echo "enabled"
else
echo "enabled-not-running"
fi
;;
2)
if [ -n "$pid" ] ; then
echo "unknown-state-running"
else
echo "unknown-state"
fi
;;
esac
}
status_ipfilter() {
if [ -z "$running" ] ; then
rules=
emsg="-not-in-kernel"
dmsg=
else
case $running in
yes)
emsg=
dmsg="-rules-loaded"
rules=`ipfstat -io 2>/dev/null`
if [ -z "$rules" ] ; then
rules=`ipfstat -aio 2>/dev/null`
if [ -z "$rules" ] ; then
emsg="-no-rules"
dmsg=
fi
fi
;;
no)
rules=
emsg="-not-running"
dmsg=
;;
esac
fi
echo -n "ipfilter "
status ipfilter
case $? in
0)
echo "disabled${dmsg}"
;;
1)
echo "enabled${emsg}"
;;
2)
if [ -n "$rules" ] ; then
echo "unknown${dmsg}"
else
echo "unknown-state"
fi
;;
esac
}
status_ipnat() {
if [ -z "$running" ] ; then
rules=
emsg="-not-in-kernel"
dmsg=
else
case $running in
yes)
emsg=
dmsg="-rules-loaded"
rules=`ipnat -l 2>/dev/null | egrep '^map|rdr' 2>/dev/null`
if [ -z "$rules" ] ; then
emsg="-no-rules"
dmsg=
fi
;;
no)
rules=
emsg="-not-running"
dmsg=
;;
esac
fi
echo -n "ipnat "
status ipnat
case $? in
0)
echo "disabled${dmsg}"
;;
1)
echo "enabled${dmsg}"
;;
2)
if [ -n "$rules" ] ; then
echo "unknown${dmsg}"
else
echo "unknown-state"
fi
;;
esac
}
status_ipfs() {
status ipfs
report ipfs $?
}
report() {
echo -n "$1 "
case $2 in
0)
echo "disabled"
;;
1)
echo "enabled"
;;
2)
echo "unknown-status"
;;
*)
echo "$2"
;;
esac
}
do_ipfilter() {
case $1 in
enable)
enable ipfilter
;;
disable)
disable ipfilter
;;
reload)
/etc/rc.d/ipfilter reload
;;
resync)
/etc/rc.d/ipfilter resync
;;
start)
/etc/rc.d/ipfilter start
;;
status)
status_ipfilter
;;
stop)
/etc/rc.d/ipfilter stop
;;
*)
usage
;;
esac
}
do_ipfs() {
case $1 in
enable)
enable ipfs
;;
disable)
disble ipfs
;;
start)
/etc/rc.d/ipfs start
;;
status)
status_ipfs
;;
stop)
/etc/rc.d/ipfs stop
;;
*)
usage
;;
esac
}
do_ipmon() {
case $1 in
enable)
enable ipmon
;;
disable)
disble ipmon
;;
restart)
/etc/rc.d/ipmon restart
;;
start)
/etc/rc.d/ipmon start
;;
status)
status_ipmon
;;
stop)
/etc/rc.d/ipmon stop
;;
*)
usage
;;
esac
}
do_ipnat() {
case $1 in
enable)
enable ipnat
;;
disable)
disable ipnat
;;
reload)
/etc/rc.d/ipnat reload
;;
restart)
/etc/rc.d/ipnat restart
;;
start)
/etc/rc.d/ipnat start
;;
status)
status_ipnat
;;
stop)
/etc/rc.d/ipnat stop
;;
*)
usage
;;
esac
}
do_status_all() {
status_ipfilter
status_ipfs
status_ipmon
status_ipnat
}
case $1 in
status)
do_status_all
;;
ipfilter)
do_ipfilter $2
;;
ipfs)
do_ipfs $2
;;
ipmon)
do_ipmon $2
;;
ipnat)
do_ipnat $2
;;
*)
usage
;;
esac
exit 0


@ -1,312 +0,0 @@
#!/bin/sh
#
PATH=/sbin:/usr/sbin:/bin:/usr/bin; export PATH
argv0=`basename $0`
os=`uname -s`
rev=`uname -r`
maj=`expr $rev : '\([0-9]*\)\.'`
min=`expr $rev : '[0-9]*\.\([0-9]*\)'`
sub=`expr $rev : '[0-9]*\.[0-9]*\.\([0-9]*\)'`
# try to bomb out fast if anything fails....
set -e
fullrev=`printf '%02d%02d%02d' $maj $min $sub`
dir=`pwd`
karch=`uname -m`
archdir="/sys/arch/$karch"
ipfdir=/sys/netinet
if [ -d /sys/contrib/ipfilter ] ; then
ipfdir=/sys/contrib/ipfilter/netinet
fi
if [ -d /sys/dist/ipf ] ; then
ipfdir=/sys/dist/ipf/netinet
fi
mkdir -m 755 -p $ipfdir/../net
confdir="$archdir/conf"
if [ -f /dev/ipnat ] ; then
major=`ls -l /dev/ipnat | sed -e 's/.* \([0-9]*\),.*/\1/'`
echo "Major number for IP Filter is $major"
else
major=x
fi
if [ ! -f ip_rules.c -o ! -f ip_rules.h ] ; then
echo "Trying to build ip_rules.c and ip_rules.h"
make ip_rules.c
if [ ! -f ip_rules.c -o ! -f ip_rules.h ] ; then
echo "Please do a build of ipfilter and then run the following"
echo "command to build extra files:"
echo
echo "make ip_rules.c"
exit 1
fi
fi
echo -n "Installing into $ipfdir"
for j in auth frag nat proxy scan state sync pool dstlist htable lookup rules \
dstlist; do
for i in ip_$j.[ch]; do
if [ -f "$i" ] ; then
echo -n " $i"
cp $i $ipfdir
chmod 644 $ipfdir/$i
fi
done
done
echo -n " net/radix_ipf.h"
cp radix_ipf.h $ipfdir
chmod 644 $ipfdir/radix_ipf.h
echo -n " radix_ipf.c -> $ipfdir/radix_ipf.c"
cp radix_ipf.c $ipfdir/radix_ipf.c
chmod 644 $ipfdir/radix_ipf.c
case $os in
SunOS)
case `uname -r` in
5.*)
filc=ip_fil_solaris.c
;;
4.*)
filc=ip_fil_sunos.c
;;
esac
;;
*BSD)
filc=ip_fil_`echo $os | tr A-Z a-z`.c
case $os in
FreeBSD)
cp mlfk_ipl.c $ipfdir/
;;
*)
;;
esac
;;
esac
if [ -f $ipfdir/$filc ] ; then
echo -n "$filc -> $ipfdir/$filc "
cp $filc $ipfdir/$filc
chmod 644 $ipfdir/$filc
fi
if [ -f $ipfdir/ip_fil.c ] ; then
echo -n "$filc -> $ipfdir/ip_fil.c "
cp $filc $ipfdir/ip_fil.c
chmod 644 $ipfdir/ip_fil.c
fi
for i in ip_nat6.c ip_fil.h fil.c ip_log.c ip_compat.h ipl.h ip_*_pxy.c \
ip_fil_compat.c ipf_rb.h; do
echo -n " $i"
cp $i $ipfdir
chmod 644 $ipfdir/$i
done
echo ""
echo -n "Installing into /usr/include/netinet"
for j in auth compat fil frag nat proxy scan state sync pool htable dstlist \
lookup; do
i=ip_$j.h
if [ -f "$i" ] ; then
echo -n " $i"
cp $i /usr/include/netinet/$i
chmod 644 /usr/include/netinet/$i
fi
done
for j in ipl.h ipf_rb.h; do
if [ -f "$j" ] ; then
echo -n " $j"
cp $j /usr/include/netinet/$j
chmod 644 /usr/include/netinet/$j
fi
done
echo
if [ -f /sys/netinet/ip_fil_compat.h ] ; then
echo "Linking /sys/netinet/ip_compat.h to /sys/netinet/ip_fil_compat.h"
rm /sys/netinet/ip_fil_compat.h
ln -s /sys/netinet/ip_compat.h /sys/netinet/ip_fil_compat.h
fi
if [ $major != x ] ; then
if [ ! -e /dev/ipsync ] ; then
echo "Creating /dev/ipsync"
mknod /dev/ipsync c $major 4
fi
if [ ! -e /dev/ipsync ] ; then
echo "Creating /dev/ipscan"
mknod /dev/ipsync c $major 5
fi
if [ ! -e /dev/iplookup ] ; then
echo "Creating /dev/iplookup"
mknod /dev/iplookup c $major 6
fi
fi
set +e
os=`uname -s`
if [ $os = FreeBSD -a -f /sys/conf/files ] ; then
cd /sys/conf
if [ -f options ] ; then
if [ ! -f options.preipf4 ] ; then
mv options options.preipf4
cp -p options.preipf4 options
fi
for i in SCAN SYNC LOOKUP COMPILED; do
grep IPFILTER_$i options >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo >> options
echo "# extra option for IP Filter" >> options
echo "IPFILTER_$i opt_ipfilter.h" >> options
fi
done
fi
if [ ! -f files.preipf4 ] ; then
mv files files.preipf4
cp -p files.preipf4 files
fi
for i in dstlist htable pool lookup; do
grep ip_$i.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo "contrib/ipfilter/netinet/ip_$i.c optional ipfilter inet ipfilter_lookup" >> files
fi
done
grep ip_fil_compat.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo 'contrib/ipfilter/netinet/ip_fil_compat.c optional ipfilter inet ipfilter_compat' >> files
fi
grep ip_sync.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo 'contrib/ipfilter/netinet/ip_sync.c optional ipfilter inet' >> files
fi
grep ip_scan.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo 'contrib/ipfilter/netinet/ip_scan.c optional ipfilter inet ipfilter_scan' >> files
fi
grep ip_rules.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo 'contrib/ipfilter/netinet/ip_rules.c optional ipfilter inet ipfilter_compiled' >> files
fi
fi
if [ $os = NetBSD -a -f /sys/conf/files ] ; then
if [ -f /sys/netinet/files.ipfilter ] ; then
if ! grep -q ip_fil_compat.c /sys/netinet/files.ipfilter; then
echo 'file dist/ipf/netinet/ip_fil_compat.c ipfilter & ipfilter_compat' >> /sys/netinet/files.ipfilter
echo 'defflag opt_ipfilter.h IPFILTER_COMPAT' >> /sys/netinet/files.ipfilter
fi
fi
cd /sys/conf
if [ ! -f files.preipf4 ] ; then
mv files files.preipf4
cp -p files.preipf4 files
fi
if [ $fullrev -ge 010600 -a $fullrev -lt 020000 ] ; then
for i in dstlist htable pool lookup; do
grep ip_$i.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo "file netinet/ip_$i.c ipfilter & ipfilter_lookup" >> files
fi
done
grep ip_sync.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo 'file netinet/ip_sync.c ipfilter' >> files
fi
grep ip_scan.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo 'file netinet/ip_scan.c ipfilter & ipfilter_scan' >> files
fi
grep ip_rules.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo 'file netinet/ip_rules.c ipfilter & ipfilter_compiled' >> files
fi
fi
fi
if [ $os = OpenBSD -a -f /sys/conf/files ] ; then
cd /sys/conf
if [ ! -f files.preipf4 ] ; then
mv files files.preipf4
cp -p files.preipf4 files
fi
if [ $fullrev -ge 030400 ] ; then
for i in dstlist htable pool lookup; do
grep ip_$i.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo "file netinet/ip_$i.c ipfilter & ipfilter_lookup" >> files
fi
done
grep ip_fil_compat.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo 'file netinet/ip_fil_compat.c ipfilter & ipfilter_compat' >> files
fi
if [ $? -ne 0 ] ; then
echo 'file netinet/ip_sync.c ipfilter' >> files
fi
grep ip_scan.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo 'file netinet/ip_scan.c ipfilter & ipfilter_scan' >> files
fi
grep ip_rules.c files >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo 'file netinet/ip_rules.c ipfilter & ipfilter_compiled' >> files
fi
fi
fi
if [ -f /usr/src/sys/modules/ipfilter/Makefile -a \
! -f /usr/src/sys/modules/ipfilter/Makefile.orig ] ; then
cat | (cd /usr/src/sys/modules/ipfilter; patch) <<__EOF__
*** Makefile.orig Mon Mar 28 09:10:11 2005
--- Makefile Mon Mar 28 09:12:51 2005
***************
*** 5,13 ****
KMOD= ipl
SRCS= mlfk_ipl.c ip_nat.c ip_frag.c ip_state.c ip_proxy.c ip_auth.c \\
! ip_log.c ip_fil.c fil.c
.if !defined(NOINET6)
CFLAGS+= -DUSE_INET6
.endif
CFLAGS+= -I$${.CURDIR}/../../contrib/ipfilter
! CFLAGS+= -DIPFILTER=1 -DIPFILTER_LKM -DIPFILTER_LOG -DPFIL_HOOKS
--- 5,15 ----
KMOD= ipl
SRCS= mlfk_ipl.c ip_nat.c ip_nat6.c ip_frag.c ip_state.c ip_proxy.c ip_auth.c \\
! ip_log.c ip_fil.c fil.c ip_lookup.c ip_pool.c ip_dstlist.c ip_htable.c \\
! ip_sync.c ip_scan.c ip_rules.c ip_fil_compat.c
.if !defined(NOINET6)
CFLAGS+= -DUSE_INET6
.endif
CFLAGS+= -I$${.CURDIR}/../../contrib/ipfilter
! CFLAGS+= -DIPFILTER=1 -DIPFILTER_LKM -DIPFILTER_LOG -DPFIL_HOOKS \\
! -DIPFILTER_LOOKUP -DIPFILTER_COMPILED
__EOF__
fi
CONF=/sys/netinet/files.ipfilter
if [ -f $CONF -a $os = NetBSD ] ; then
for i in ip_nat6.c ip_dstlist.c radix_ipf.c; do
echo "Checking for $i in $CONF"
grep $i $CONF >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo "Adding $i to $CONF"
sed -n -e /ip_nat.c/s/ip_nat.c/$i/p $CONF >> $CONF
fi
done
fi
CONF=/sys/conf/files
if [ -f $CONF -a $os = FreeBSD ] ; then
for i in ip_nat6.c ip_dstlist.c radix_ipf.c; do
echo "Checking for $i in $CONF"
grep $i $CONF >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo "Adding $i to $CONF"
sed -n -e /ip_nat.c/,/NORMAL/p $CONF | \
sed -e s/ip_nat.c/$i/p >> $CONF
fi
done
fi
exit 0


@ -1,30 +0,0 @@
#!/bin/sh
os=`uname -s`-`uname -r`
case "$os" in
FreeBSD-2.2*)
major=79
;;
FreeBSD-*)
major=20
;;
NetBSD-*)
echo "see /dev/MAKEDEV"
exit 0
;;
OpenBSD-*)
echo "see /dev/MAKEDEV"
exit 0
;;
*)
;;
esac
umask 037
mknod /dev/ipl c $major 0
mknod /dev/ipnat c $major 1
mknod /dev/ipstate c $major 2
mknod /dev/ipauth c $major 3
mknod /dev/ipsync c $major 4
mknod /dev/ipscan c $major 5


@ -1,46 +0,0 @@
#!/bin/sh
#
PATH=/sbin:/usr/sbin:/bin:/usr/bin; export PATH
argv0=`basename $0`
case `pwd` in
*BSD)
;;
*)
cd BSD
;;
esac
os=`uname -s`
rev=`uname -r`
maj=`expr $rev : '\([0-9]*\)\.'`
min=`expr $rev : '[0-9]*\.\([0-9]*\)'`
sub=`expr $rev : '[0-9]*\.[0-9]*\.\([0-9]*\)'`
plat=`uname -p`
objdir=${os}-${rev}-${plat}
# try to bomb out fast if anything fails....
set -e
for i in ipf ipfstat ipmon ipnat ippool; do
if [ ! -f /sbin/${i}.dist -a -f /sbin/${i} ] ; then
mv /sbin/${i} /sbin/${i}.dist
cp -p /sbin/${i}.dist /sbin/${i}
cp ${objdir}/${i} /sbin/
fi
if [ ! -f /usr/sbin/${i}.dist -a -f /usr/sbin/${i} ] ; then
mv /usr/sbin/${i} /usr/sbin/${i}.dist
cp -p /usr/sbin/${i}.dist /usr/sbin/${i}
cp ${objdir}/${i} /usr/sbin/
fi
done
if [ -f /boot/kernel/ipl.ko ] ; then
if [ ! -f /boot/kernel/ipl.ko.dist ] ; then
mv /boot/kernel/ipl.ko /boot/kernel/ipl.ko.dist
cp -p /boot/kernel/ipl.ko.dist /boot/kernel/ipl.ko
fi
if [ ! -f /boot/kernel/ipl.ko.symbols.dist ] ; then
mv /boot/kernel/ipl.ko.symbols /boot/kernel/ipl.ko.symbols.dist
fi
cp ${objdir}/ipf.ko /boot/kernel/ipl.ko
fi
exit 0


@ -1,104 +0,0 @@
These are Instructions for Configuring A FreeBSD Box For NAT
After you have installed IP-Filter.
You will need to change three files:
/etc/rc.local
/etc/sysconfig
/etc/natrules
You will have to:
1) Load the kernel module
2) Make the ipnat rules
3) Load the ipnat rules
4) Enable routing between interfaces
5) Add static routes for the subnet ranges
6) Configure your network interfaces
7) reboot the computer for the changes to take effect.
The FAQ was written by Chris Coleman <chris@@bbcc.ctc.edu>
This was tested using ipfilter 3.1.4 and FreeBSD 2.1.6-RELEASE
_________________________________________________________
1) Loading the Kernel Module
If you are using a Kernal Loadable Module you need to edit your
/etc/rc.local file and load the module at boot time.
use the line:
modload /lkm/if_ipl.o
If you are not loading a kernel module, skip this step.
_________________________________________________________
2) Setting up the NAT Rules
Make a file called /etc/natrules
put in the rules that you need for your system.
If you want to use the whole 10 Network. Try:
map fpx0 10.0.0.0/8 -> 208.8.0.1/32 portmap tcp/udp 10000:65000
_________________________________________________________
Here is an explaination of each part of the command:
map starts the command.
fpx0 is the interface with the real internet address.
10.0.0.0 is the subnet you want to use.
/8 is the subnet mask. ie 255.0.0.0
208.8.0.1 is the real ip address that you use.
/32 is the subnet mask 255.255.255.255, ie only use this ip address.
portmap tcp/udp 10000:65000
tells it to use the ports to redirect the tcp/udp calls through
The one line should work for the whole network.
_________________________________________________________
3) Loading the NAT Rules:
The NAT Rules will need to be loaded every time the computer
reboots.
In your /etc/rc.local put the line:
ipnat -f /etc/natrules
To check and see if it is loaded, as root type
ipnat -ls
_________________________________________________________
4) Enable Routing between interfaces.
Tell the kernel to route these addresses.
in the rc.local file put the line:
sysctl -w net.inet.ip.forwarding=1
_________________________________________________________
5) Static Routes to Subnet Ranges
Now you have to add a static routes for the subnet ranges.
Edit your /etc/sysconfig to add them at bootup.
static_routes="foo"
route_foo="10.0.0.0 -netmask 0xf0000000 -interface 10.0.0.1"
_________________________________________________________
6) Make sure that you have your interfaces configured.
I have two Intel Ether Express Pro B cards.
One is on 208.8.0.1 The other is on 10.0.0.1
You need to configure these in the /etc/sysconfig
network_interfaces="fxp0 fxp1"
ifconfig_fxp0="inet 208.8.0.1 netmask 255.255.255.0"
ifconfig_fxp1="inet 10.0.0.1 netmask 255.0.0.0"
_________________________________________________________


@ -1,3 +0,0 @@
README - Readme for ftp-gw.diff and fwtkp
README.ipfilter - README for fwtk_transparent.diff
fwtk_transparent.diff - patches for 2.0beta


@ -1,18 +0,0 @@
There are two patch files in this directory, each allowing for the Firewall
Toolkit to be used in a transparent proxy configuration.
ftp-gw.diff - A patch written by myself for use only with IP Filter and
ftp-gw from the Firewall Toolkit. You need to copy ip_nat.h,
ip_fil.h and ip_compat.h to the ftp-gw directory to compile
once this patch has been applied.
fwtkp - A set of patches written by James B. Croall (jcroall@foo.org)
for use with both IP Filter and ipfwadm (for Linux) and more
of the various FWTK gateway plugins, including:
ftp-gw http-gw plug-gw rlogin-gw tn-gw
Both patches when applied to the Firewall toolkit require the same
configuration for IP Filter.
Darren


@ -1,20 +0,0 @@
there was a patch for fwtk with ip_filter 3.1.5 from James B. Croall
(thanx for his work) which I put onto fwtk 2.0beta.
Now, if you decide to do transparent proxying with ip-filter you
have to put -DUSE_IP_FILTER to COPTS in Makefile.config.
With Solaris 2.x you have to correctly replace the path to your
ip_filter sources. (lib/hnam.c needs ip_nat.h)
I also patched plug-gw to be configured to accept not only one
destination with the parameter "-all-destinations" in netperm-table.
Perhaps this is a security hole...
The patched fwtk worked fine for me with linux (kernel 2.0.28 and ipfadm 2.1)
and Solaris 2.5 (ip_filter 3.1.5).
If you try to enhance the transparent proxy features for other
architectures, see lib/hnam.c (getdsthost).
Michael Kutzner, Michael.Kutzner@paderlinx.de


@ -1,232 +0,0 @@
*** ftp-gw.c.orig Sun Jun 22 16:27:42 1997
--- ftp-gw.c Sun Jun 22 17:02:16 1997
***************
*** 11,31 ****
--- 11,41 ----
*/
static char RcsId[] = "$Header$";
+ /*
+ * Patches for IP Filter NAT extensions written by Darren Reed, 7/7/96
+ * darrenr@cyber.com.au
+ */
+ static char vIpFilter[] = "v3.1.11";
#include <stdio.h>
#include <ctype.h>
#include <syslog.h>
+ #include <unistd.h>
+ #include <fcntl.h>
#include <sys/signal.h>
#include <sys/ioctl.h>
#include <sys/errno.h>
extern int errno;
+ #ifdef sun
extern char *sys_errlist[];
+ #endif
#include <arpa/ftp.h>
#include <arpa/telnet.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
+ #include <net/if.h>
extern char *rindex();
extern char *index();
***************
*** 36,41 ****
--- 46,54 ----
#include "firewall.h"
+ #include "ip_compat.h"
+ #include "ip_fil.h"
+ #include "ip_nat.h"
#ifndef BSIZ
#define BSIZ 2048
***************
*** 83,88 ****
--- 96,103 ----
static int cmd_noop();
static int cmd_abor();
static int cmd_passthru();
+ static int nat_destination();
+ static int connectdest();
static void saveline();
static void flushsaved();
static void trap_sigurg();
***************
*** 317,323 ****
if(authallflg)
if(say(0,"220-Proxy first requires authentication"))
exit(1);
! sprintf(xuf,"220 %s FTP proxy (Version %s) ready.",huf,FWTK_VERSION_MINOR);
if(say(0,xuf))
exit(1);
}
--- 332,341 ----
if(authallflg)
if(say(0,"220-Proxy first requires authentication"))
exit(1);
! sprintf(xuf,"220-%s FTP proxy (Version %s) ready.",huf,FWTK_VERSION_MINOR);
! if(say(0,xuf))
! exit(1);
! sprintf(xuf,"220-%s TIS ftp-gw with IP Filter %s NAT extensions",huf,vIpFilter);
if(say(0,xuf))
exit(1);
}
***************
*** 338,343 ****
--- 356,363 ----
exit(1);
}
+ nat_destination(0);
+
/* main loop */
while(1) {
FD_ZERO(&rdy);
***************
*** 608,619 ****
static char narg[] = "501 Missing or extra username";
static char noad[] = "501 Use user@site to connect via proxy";
char buf[1024];
- char mbuf[512];
char *p;
char *dest;
char *user;
int x;
- int msg_int;
short port = FTPPORT;
/* kludgy but effective. if authorizing everything call auth instead */
--- 628,637 ----
***************
*** 643,648 ****
--- 661,687 ----
return(sayn(0,noad,sizeof(noad)));
}
+ if((rfd == -1) && (x = connectdest(dest,port)))
+ return x;
+ sprintf(buf,"USER %s",user);
+ if(say(rfd,buf))
+ return(1);
+ x = getresp(rfd,buf,sizeof(buf),1);
+ if(sendsaved(0,x))
+ return(1);
+ return(say(0,buf));
+ }
+
+ static int
+ connectdest(dest,port)
+ char *dest;
+ short port;
+ {
+ char buf[1024];
+ char mbuf[512];
+ int msg_int;
+ int x;
+
if(*dest == '\0')
dest = "localhost";
***************
*** 685,693 ****
char ebuf[512];
strcpy(ebuf,buf);
! sprintf(buf,"521 %s: %s",dest,ebuf);
return(say(0,buf));
}
sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest);
saveline(buf);
--- 724,733 ----
char ebuf[512];
strcpy(ebuf,buf);
! sprintf(buf,"521 %s,%d: %s",dest,ntohs(port),ebuf);
return(say(0,buf));
}
+
sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest);
saveline(buf);
***************
*** 698,711 ****
return(say(0,buf));
}
saveline(buf);
!
! sprintf(buf,"USER %s",user);
! if(say(rfd,buf))
! return(1);
! x = getresp(rfd,buf,sizeof(buf),1);
! if(sendsaved(0,x))
! return(1);
! return(say(0,buf));
}
--- 738,745 ----
return(say(0,buf));
}
saveline(buf);
! sendsaved(0,-1);
! return 0;
}
***************
*** 1591,1593 ****
--- 1625,1671 ----
dup(nread);
}
#endif
+
+
+ static int
+ nat_destination(fd)
+ int fd;
+ {
+ struct sockaddr_in laddr, faddr;
+ struct natlookup natlookup;
+ char *dest;
+ int slen, natfd;
+
+ bzero((char *)&laddr, sizeof(laddr));
+ bzero((char *)&faddr, sizeof(faddr));
+ slen = sizeof(laddr);
+ if(getsockname(fd,(struct sockaddr *)&laddr,&slen) < 0) {
+ perror("getsockname");
+ exit(1);
+ }
+ slen = sizeof(faddr);
+ if(getpeername(fd,(struct sockaddr *)&faddr,&slen) < 0) {
+ perror("getsockname");
+ exit(1);
+ }
+
+ natlookup.nl_inport = laddr.sin_port;
+ natlookup.nl_outport = faddr.sin_port;
+ natlookup.nl_inip = laddr.sin_addr;
+ natlookup.nl_outip = faddr.sin_addr;
+ natlookup.nl_flags = IPN_TCP;
+ if((natfd = open(IPL_NAT, O_RDONLY)) < 0) {
+ perror("open");
+ exit(1);
+ }
+ if(ioctl(natfd, SIOCGNATL, &natlookup) == -1) {
+ syslog(LOG_ERR, "SIOCGNATL failed: %m\n");
+ close(natfd);
+ if(say(0,"220 Ready"))
+ exit(1);
+ return 0;
+ }
+ close(natfd);
+ return connectdest(inet_ntoa(natlookup.nl_realip),
+ ntohs(natlookup.nl_realport));
+ }



@ -1,812 +0,0 @@
diff -c -r ./ftp-gw/ftp-gw.c ../../NEW/fwtk/ftp-gw/ftp-gw.c
*** ./ftp-gw/ftp-gw.c Fri Sep 6 12:55:05 1996
--- ../../NEW/fwtk/ftp-gw/ftp-gw.c Wed Oct 9 02:51:35 1996
***************
*** 40,47 ****
extern char *optarg;
! #include "firewall.h"
#ifndef BSIZ
#define BSIZ 2048
--- 40,48 ----
extern char *optarg;
! char *getdsthost();
+ #include "firewall.h"
#ifndef BSIZ
#define BSIZ 2048
***************
*** 84,89 ****
--- 85,92 ----
static int cmdcnt = 0;
static int timeout = PROXY_TIMEOUT;
+ static int do_transparent=0;
+
static int cmd_user();
static int cmd_authorize();
***************
*** 98,103 ****
--- 101,107 ----
static void saveline();
static void flushsaved();
static void trap_sigurg();
+ static int connectdest();
#define OP_CONN 001 /* only valid if connected */
#define OP_WCON 002 /* writethrough if connected */
***************
*** 170,175 ****
--- 174,180 ----
char xuf[1024];
char huf[128];
char *passuser = (char *)0; /* passed user as av */
+ char *psychic, *hotline;
#ifndef LOG_DAEMON
openlog("ftp-gw",LOG_PID);
***************
*** 314,319 ****
--- 319,326 ----
} else
timeout = 60*60;
+ psychic=getdsthost(0,NULL);
+ if(psychic) { do_transparent++; }
/* display a welcome file or message */
if(passuser == (char *)0) {
***************
*** 322,327 ****
--- 329,340 ----
syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln);
exit(1);
}
+ if(do_transparent) {
+ if(sayfile2(0,cf->argv[0],220)) {
+ syslog(LLEV,"fwtksyserr: cannot display welcome %s: %m",cf->argv[0]);
+ exit(1);
+ }
+ } else
if(sayfile(0,cf->argv[0],220)) {
syslog(LLEV,"fwtksyserr: cannot display welcome %s: %m",cf->argv[0]);
exit(1);
***************
*** 332,338 ****
if(authallflg)
if(say(0,"220-Proxy first requires authentication"))
exit(1);
! sprintf(xuf,"220 %s FTP proxy (Version %s) ready.",huf,FWTK_VERSION_MINOR);
if(say(0,xuf))
exit(1);
}
--- 345,357 ----
if(authallflg)
if(say(0,"220-Proxy first requires authentication"))
exit(1);
! /* foo */
! if(do_transparent)
! sprintf(xuf,"220-%s FTP proxy (Version %s) ready.",huf,FWTK_VERSION_MINOR);
! else
! sprintf(xuf,"220 %s FTP Proxy (Version %s) ready.",huf,FWTK_VERSION_MINOR);
! /* foo */
!
if(say(0,xuf))
exit(1);
}
***************
*** 353,358 ****
--- 372,381 ----
exit(1);
}
+ if(do_transparent) {
+ connectdest(psychic,21);
+ }
+
/* main loop */
while(1) {
FD_ZERO(&rdy);
***************
*** 676,681 ****
--- 699,713 ----
return(sayn(0,noad,sizeof(noad)-1));
}
+ if(do_transparent) {
+ if((rfd==(-1)) && (x=connectdest(dest,port))) return x;
+ sprintf(buf,"USER %s",user);
+ if(say(rfd,buf)) return(1);
+ x=getresp(rfd,buf,sizeof(buf),1);
+ if(sendsaved(0,x)) return(1);
+ return(say(0,buf));
+ }
+
if(*dest == '\0')
dest = "localhost";
***************
*** 701,708 ****
if(msg_int == 1) {
sprintf(mbuf,"Permission denied for user %s to connect to %s",authuser,dest);
syslog(LLEV,"deny host=%s/%s connect to %s user=%s",rladdr,riaddr,dest,authuser);
! say(0,mbuf);
! return(1);
} else {
if(msg_int == -1) {
sprintf(mbuf,"No match in netperm-table for %s to ftp to %s",authuser,dest);
--- 733,740 ----
if(msg_int == 1) {
sprintf(mbuf,"Permission denied for user %s to connect to %s",authuser,dest);
syslog(LLEV,"deny host=%s/%s connect to %s user=%s",rladdr,riaddr,dest,authuser);
! say(0,mbuf);
! return(1);
} else {
if(msg_int == -1) {
sprintf(mbuf,"No match in netperm-table for %s to ftp to %s",authuser,dest);
***************
*** 717,723 ****
char ebuf[512];
strcpy(ebuf,buf);
! sprintf(buf,"521 %s: %s",dest,ebuf);
rfd = -1;
return(say(0,buf));
}
--- 749,759 ----
char ebuf[512];
strcpy(ebuf,buf);
! if(do_transparent) {
! sprintf(buf,"521 %s,%d: %s",dest,ntohs(port),ebuf);
! } else {
! sprintf(buf,"521 %s: %s",dest,ebuf);
! }
rfd = -1;
return(say(0,buf));
}
***************
*** 732,737 ****
--- 768,778 ----
}
saveline(buf);
+ /* if(do_transparent) {
+ sendsaved(0,-1);
+ return(0);
+ } /* EEEk. I can't remember what this does. */
+
sprintf(buf,"USER %s",user);
if(say(rfd,buf))
return(1);
***************
*** 744,749 ****
--- 785,860 ----
return 0;
}
+ static int connectdest(dest, port)
+ char *dest;
+ short port;
+ {
+ char buf[1024], mbuf[512];
+ int msg_int, x;
+
+ if(*dest == '\0')
+ dest = "localhost";
+
+ if(validests != (char **)0) {
+ char **xp;
+ int x;
+
+ for(xp = validests; *xp != (char *)0; xp++) {
+ if(**xp == '!' && hostmatch(*xp + 1,dest)) {
+ return(baddest(0,dest));
+ } else {
+ if(hostmatch(*xp,dest))
+ break;
+ }
+ }
+ if(*xp == (char *)0)
+ return(baddest(0,dest));
+ }
+
+ /* Extended permissions processing goes in here for destination */
+ if(extendperm) {
+ msg_int = auth_perm(confp, authuser, "ftp-gw", dest,(char *)0);
+ if(msg_int == 1) {
+ sprintf(mbuf,"Permission denied for user %s to connect to %s",authuser,dest);
+ syslog(LLEV,"deny host=%s/%s connect to %s user=%s",rladdr,riaddr,dest,authuser);
+ say(0,mbuf);
+ return(1);
+ } else {
+ if(msg_int == -1) {
+ sprintf(mbuf,"No match in netperm-table for %s to ftp to %s",authuser,dest);
+ say(0,mbuf);
+ return(1);
+ }
+ }
+ }
+
+ syslog(LLEV,"permit host=%s/%s connect to %s",rladdr,riaddr,dest);
+
+ if((rfd = conn_server(dest,port,0,buf)) < 0) {
+ char ebuf[512];
+
+ strcpy(ebuf,buf);
+ sprintf(buf,"521 %s: %s",dest,ebuf);
+ rfd = -1;
+ return(say(0,buf));
+ }
+ if(!do_transparent) {
+ sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest);
+ saveline(buf);
+ }
+
+ /* we are now connected and need to try the autologin thing */
+ x = getresp(rfd,buf,sizeof(buf),1);
+ if(x / 100 != COMPLETE) {
+ sendsaved(0,-1);
+ return(say(0,buf));
+ }
+ saveline(buf);
+
+ sendsaved(0,-1);
+ return 0;
+ }
+
static int
***************
*** 1053,1058 ****
--- 1164,1171 ----
static char nprn[] = "500 cannot get peername";
char buf[512];
+ /* syslog(LLEV,"DEBUG: port cmd"); */
+
if(ac < 2)
return(sayn(0,narg,sizeof(narg)-1));
***************
*** 1119,1124 ****
--- 1232,1238 ----
#define UC(c) (((int)c) & 0xff)
sprintf(buf,"PORT %d,%d,%d,%d,%d,%d\r\n",UC(k[0]),UC(k[1]),UC(k[2]),
UC(k[3]),UC(l[0]),UC(l[1]));
+ /* syslog(LLEV,"DEBUG: %s",buf); */
s = strlen(buf);
if (write(rfd, buf, s) != s)
return 1;
***************
*** 1330,1335 ****
--- 1444,1450 ----
callback()
{
/* if we haven't gotten a valid PORT scrub the connection */
+ /* syslog(LLEV,"DEBUG: callback()."); */
if((outgoing = accept(boundport,(struct sockaddr *)0,(int *)0)) < 0 || clntport.sin_port == 0)
goto bomb;
if(pasvport != -1) { /* incoming handled by PASVcallback */
***************
*** 1796,1801 ****
--- 1911,1960 ----
}
return(0);
}
+
+ /* ok, so i'm in a hurry. english paper due RSN. */
+ sayfile2(fd,fn,code)
+ int fd;
+ char *fn;
+ int code;
+ {
+ FILE *f;
+ char buf[BUFSIZ];
+ char yuf[BUFSIZ];
+ char *c;
+ int x;
+ int saidsomething = 0;
+
+ if((f = fopen(fn,"r")) == (FILE *)0)
+ return(1);
+ while(fgets(buf,sizeof(buf),f) != (char *)0) {
+ if((c = index(buf,'\n')) != (char *)0)
+ *c = '\0';
+ x = fgetc(f);
+ if(feof(f))
+ sprintf(yuf,"%3.3d-%s",code,buf);
+ else {
+ sprintf(yuf,"%3.3d-%s",code,buf);
+ ungetc(x,f);
+ }
+ if(say(fd,yuf)) {
+ fclose(f);
+ return(1);
+ }
+ saidsomething++;
+ }
+ fclose(f);
+ if (!saidsomething) {
+ syslog(LLEV,"fwtkcfgerr: sayfile for %d is empty",code);
+ sprintf(yuf, "%3.3d The file to display is empty",code);
+ if(say(fd,yuf)) {
+ fclose(f);
+ return(1);
+ }
+ }
+ return(0);
+ }
+
porttoaddr(s,a)
diff -c -r ./http-gw/http-gw.c ../../NEW/fwtk/http-gw/http-gw.c
*** ./http-gw/http-gw.c Mon Sep 9 14:40:53 1996
--- ../../NEW/fwtk/http-gw/http-gw.c Wed Oct 9 02:51:57 1996
***************
*** 27,32 ****
--- 27,37 ----
static char http_buffer[8192];
static char reason[8192];
static int checkBrowserType = 1;
+ /* foo */
+ static int do_transparent=0;
+ /* foo */
+
+ char *getdsthost();
static void do_logging()
{ char *proto = "GOPHER";
***************
*** 422,427 ****
--- 427,443 ----
/*(NOT A SPECIAL FORM)*/
if((rem_type & TYPE_LOCAL)== 0){
+ /* foo */
+ char *psychic=getdsthost(sockfd,&def_port);
+ if(psychic) {
+ if(strlen(psychic)<=MAXHOSTNAMELEN) {
+ do_transparent++;
+ strncpy(def_httpd,psychic,strlen(psychic));
+ strncpy(def_server,psychic,strlen(psychic));
+ }
+ }
+
+ /* foo */
/* See if it can be forwarded */
if( can_forward(buf)){
***************
*** 1513,1519 ****
parse_vec[0],
parse_vec[1],
ourname, ourport);
! }else{
sprintf(new_reply,"%s\tgopher://%s:%s/%c%s\t%s\t%u",
parse_vec[0], parse_vec[2],
parse_vec[3], chk_type_ch,
--- 1529,1541 ----
parse_vec[0],
parse_vec[1],
ourname, ourport);
! }
! /* FOO */
! else if(do_transparent) {
! sprintf(new_reply,"%s\t%s\t%s\t%s",parse_vec[0],parse_vec[1],parse_vec[2],parse_vec[3]);
! }
! /* FOO */
! else{
sprintf(new_reply,"%s\tgopher://%s:%s/%c%s\t%s\t%u",
parse_vec[0], parse_vec[2],
parse_vec[3], chk_type_ch,
diff -c -r ./lib/hnam.c ../../NEW/fwtk/lib/hnam.c
*** ./lib/hnam.c Fri Nov 4 18:30:19 1994
--- ../../NEW/fwtk/lib/hnam.c Wed Oct 9 02:34:13 1996
***************
*** 22,27 ****
--- 22,31 ----
#include "firewall.h"
+ #ifdef __FreeBSD__
+ #include <net/if.h>
+ #include "ip_nat.h"
+ #endif /* __FreeBSD__ */
char *
***************
*** 44,47 ****
--- 48,115 ----
bcopy(hp->h_addr,&sin.sin_addr,hp->h_length);
return(inet_ntoa(sin.sin_addr));
+ }
+
+ char *getdsthost(fd, ptr)
+ int fd;
+ int *ptr;
+ {
+ struct sockaddr_in sin;
+ struct hostent *hp;
+ int sl=sizeof(struct sockaddr_in), err=0, local_h=0, i=0;
+ char buf[255], hostbuf[255];
+ #ifdef __FreeBSD__
+ struct sockaddr_in rsin;
+ struct natlookup natlookup;
+ #endif
+
+ #ifdef linux
+ /* This should also work for UDP. Unfortunately, it doesn't.
+ Maybe when the Linux UDP proxy code gets a little cleaner.
+ */
+ if(!(err=getsockname(0,&sin,&sl))) {
+ if(ptr) *ptr=ntohs(sin.sin_port);
+ sprintf(buf,"%s",inet_ntoa(sin.sin_addr));
+ gethostname(hostbuf,254);
+ hp=gethostbyname(hostbuf);
+ while(hp->h_addr_list[i]) {
+ bzero(&sin,&sl);
+ memcpy(&sin.sin_addr,hp->h_addr_list[i++],sizeof(hp->h_addr_list[i++]));
+ if(!strcmp(buf,inet_ntoa(sin.sin_addr))) local_h++;
+ }
+ if(local_h) { /* syslog(LLEV,"DEBUG: hnam.c: non-transparent."); */ return(NULL); }
+ else { return(buf); }
+ }
+ #endif
+
+ #ifdef __FreeBSD__
+ /* The basis for this block of code is Darren Reed's
+ patches to the TIS ftwk's ftp-gw.
+ */
+ bzero((char*)&sin,sizeof(sin));
+ bzero((char*)&rsin,sizeof(rsin));
+ if(getsockname(fd,(struct sockaddr*)&sin,&sl)<0) {
+ return NULL;
+ }
+ sl=sizeof(rsin);
+ if(getpeername(fd,(struct sockaddr*)&rsin,&sl)<0) {
+ return NULL;
+ }
+ natlookup.nl_inport=sin.sin_port;
+ natlookup.nl_outport=rsin.sin_port;
+ natlookup.nl_inip=sin.sin_addr;
+ natlookup.nl_outip=rsin.sin_addr;
+ if((natfd=open(IPL_NAT,O_RDONLY))<0) {
+ return(NULL);
+ }
+ if(ioctl(natfd,SIOCGNATL,&natlookup)==(-1)) {
+ return(NULL);
+ }
+ close(natfd);
+ if(ptr) *ptr=ntohs(natlookup.nl_realport);
+ sprintf(buf,"%s",inet_ntoa(natlookup.nl_realip));
+ #endif
+
+ /* No transparent proxy support */
+ return(NULL);
}
Only in ./lib: hnam.c.orig
diff -c -r ./plug-gw/plug-gw.c ../../NEW/fwtk/plug-gw/plug-gw.c
*** ./plug-gw/plug-gw.c Thu Sep 5 15:36:33 1996
--- ../../NEW/fwtk/plug-gw/plug-gw.c Wed Oct 9 02:46:48 1996
***************
*** 39,44 ****
--- 39,48 ----
static char **validdests = (char **)0;
static Cfg *confp;
+ int do_transparent=0;
+
+ char *getdsthost();
+
main(ac,av)
int ac;
char *av[];
***************
*** 193,201 ****
--- 197,213 ----
char *ptr;
int state = 0;
int ssl_plug = 0;
+ int pport=0;
struct timeval timo;
+ /* Transparent plug-gw is probably a bad idea, but hey .. */
+ dhost=getdsthost(0,&pport);
+ if(dhost) {
+ do_transparent++;
+ portid=pport;
+ }
+
if(c->flags & PERM_DENY) {
if (p == -1)
syslog(LLEV,"deny host=%s/%s port=any",rhost,raddr);
***************
*** 215,221 ****
syslog(LLEV,"fwtkcfgerr: -plug-to takes an argument, line %d",c->ln);
exit (1);
}
! dhost = av[x];
continue;
}
--- 227,234 ----
syslog(LLEV,"fwtkcfgerr: -plug-to takes an argument, line %d",c->ln);
exit (1);
}
! if(!dhost) dhost = av[x];
! /* syslog(LLEV,"DEBUG: dhost now is [%s]",dhost); */
continue;
}
diff -c -r ./rlogin-gw/rlogin-gw.c ../../NEW/fwtk/rlogin-gw/rlogin-gw.c
*** ./rlogin-gw/rlogin-gw.c Fri Sep 6 12:56:33 1996
--- ../../NEW/fwtk/rlogin-gw/rlogin-gw.c Wed Oct 9 02:49:04 1996
***************
*** 39,45 ****
--- 39,47 ----
extern char *maphostname();
+ char *getdsthost();
+ int do_transparent=0;
static int cmd_quit();
static int cmd_help();
***************
*** 120,125 ****
--- 122,130 ----
static char *tokav[56];
int tokac;
struct timeval timo;
+ /* foo */
+ char *psychic;
+ /* foo */
#ifndef LOG_NDELAY
openlog("rlogin-gw",LOG_PID);
***************
*** 185,191 ****
xforwarder = cf->argv[0];
}
!
if((cf = cfg_get("directory",confp)) != (Cfg *)0) {
if(cf->argc != 1) {
--- 190,203 ----
xforwarder = cf->argv[0];
}
! /* foo */
! psychic=getdsthost(0,NULL);
! if(psychic) {
! do_transparent++;
! strncpy(dest,psychic,511);
! dest[511]='\0';
! }
! /* foo */
if((cf = cfg_get("directory",confp)) != (Cfg *)0) {
if(cf->argc != 1) {
***************
*** 260,269 ****
}
/* if present a host name, chop and save username and hostname */
! dest[0] = '\0';
if((p = index(rusername,'@')) != (char *)0) {
char *namp;
*p++ = '\0';
if(*p == '\0')
p = "localhost";
--- 272,282 ----
}
/* if present a host name, chop and save username and hostname */
! /* dest[0] = '\0'; */
if((p = index(rusername,'@')) != (char *)0) {
char *namp;
+ dest[0] = '\0';
*p++ = '\0';
if(*p == '\0')
p = "localhost";
***************
*** 293,300 ****
--- 306,326 ----
goto leave;
}
+ /* syslog(LLEV,"DEBUG: Uh-oh, $dest = %s\n",dest); */
+
if(dest[0] != '\0') {
/* Setup connection directly to remote machine */
+ if((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) {
+ if(cf->argc != 1) {
+ syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln);
+ exit(1);
+ }
+ if(sayfile(0,cf->argv[0])) {
+ syslog(LLEV,"fwtksyserr: cannot display welcome %s: %m",cf->argv[0]);
+ exit(1);
+ }
+ }
+ /* Does this cmd_connect thing feel like a kludge or what? */
sprintf(buf,"connect %.1000s",dest);
tokac = enargv(buf, tokav, 56, tokbuf, sizeof(tokbuf));
if (cmd_connect(tokac, tokav, buf) != 2)
***************
*** 526,539 ****
char ebuf[512];
syslog(LLEV,"permit host=%s/%s connect to %s",rhost,raddr,namp);
if(strlen(namp) > 20)
namp[20] = '\0';
if(rusername[0] != '\0')
sprintf(ebuf,"Trying %s@%s...",rusername,namp);
else
sprintf(ebuf,"Trying %s...",namp);
! if(say(0,ebuf))
! return(1);
} else
syslog(LLEV,"permit host=%s/%s connect to %s",rhost,raddr,av[1]);
if((serfd = conn_server(av[1],RLOGINPORT,1,buf)) < 0) {
--- 552,567 ----
char ebuf[512];
syslog(LLEV,"permit host=%s/%s connect to %s",rhost,raddr,namp);
+ if(!do_transparent) {
if(strlen(namp) > 20)
namp[20] = '\0';
if(rusername[0] != '\0')
sprintf(ebuf,"Trying %s@%s...",rusername,namp);
else
sprintf(ebuf,"Trying %s...",namp);
! if(say(0,ebuf))
! return(1);
! }
} else
syslog(LLEV,"permit host=%s/%s connect to %s",rhost,raddr,av[1]);
if((serfd = conn_server(av[1],RLOGINPORT,1,buf)) < 0) {
diff -c -r ./tn-gw/tn-gw.c ../../NEW/fwtk/tn-gw/tn-gw.c
*** ./tn-gw/tn-gw.c Fri Sep 6 12:55:48 1996
--- ../../NEW/fwtk/tn-gw/tn-gw.c Wed Oct 9 02:50:17 1996
***************
*** 87,92 ****
--- 87,94 ----
static int cmd_xforward();
static int cmd_timeout();
+ char *getdsthost();
+
static int tn3270 = 1; /* don't do tn3270 stuff */
static int doX;
***************
*** 97,102 ****
--- 99,106 ----
static int timeout = PROXY_TIMEOUT;
static char timed_out_msg[] = "\r\nConnection closed due to inactivity";
+ int do_transparent=0;
+
typedef struct {
char *name;
char *hmsg;
***************
*** 140,145 ****
--- 144,151 ----
char tokbuf[BSIZ];
char *tokav[56];
int tokac;
+ int port;
+ char *psychic;
#ifndef LOG_DAEMON
openlog("tn-gw",LOG_PID);
***************
*** 308,313 ****
--- 314,346 ----
}
}
+ psychic=getdsthost(0,&port);
+ if(psychic) {
+ if((strlen(psychic) + 10) < 510) {
+ do_transparent++;
+ if(port)
+ sprintf(dest,"%s:%d",psychic,port);
+ else
+ sprintf(dest,"%s",psychic);
+
+
+ if(!welcomedone)
+ if((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) {
+ if(cf->argc != 1) {
+ syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln);
+ exit(1);
+ }
+ if(sayfile(0,cf->argv[0])) {
+ syslog(LLEV,"fwtksyserr: cannot display welcome %s:%m",cf->argv[0]);
+ exit(1);
+ }
+ welcomedone = 1;
+ }
+
+
+ }
+ }
+
while (argc > 1) {
argc--;
argv++;
***************
*** 864,877 ****
}
}
-
if((namp = maphostname(av[1])) != (char *)0) {
char ebuf[512];
syslog(LLEV,"permit host=%s/%s destination=%s",rladdr,riaddr,namp);
! sprintf(ebuf,"Trying %s port %d...",namp,port);
! if(say(0,ebuf))
! return(1);
} else
syslog(LLEV,"permit host=%s/%s destination=%s",rladdr,riaddr,av[1]);
--- 897,911 ----
}
}
if((namp = maphostname(av[1])) != (char *)0) {
char ebuf[512];
syslog(LLEV,"permit host=%s/%s destination=%s",rladdr,riaddr,namp);
! if(!do_transparent) {
! sprintf(ebuf,"Trying %s port %d...",namp,port);
! if(say(0,ebuf))
! return(1);
! }
} else
syslog(LLEV,"permit host=%s/%s destination=%s",rladdr,riaddr,av[1]);
***************
*** 903,910 ****
syslog(LLEV,"connected host=%s/%s destination=%s",rladdr,riaddr,av[1]);
strncpy(dest,av[1], 511);
! sprintf(buf, "Connected to %s.", dest);
! say(0, buf);
return(2);
}
--- 937,946 ----
syslog(LLEV,"connected host=%s/%s destination=%s",rladdr,riaddr,av[1]);
strncpy(dest,av[1], 511);
! if(!do_transparent) {
! sprintf(buf, "Connected to %s.", dest);
! say(0, buf);
! }
return(2);
}


@ -1,24 +0,0 @@
*** files.orig Tue Sep 9 16:58:40 1997
--- files Sat Apr 4 10:52:58 1998
***************
*** 222,227 ****
--- 222,240 ----
netinet/tcp_timer.c optional inet
netinet/tcp_usrreq.c optional inet
netinet/udp_usrreq.c optional inet
+ netinet/ip_fil.c optional ipfilter inet
+ netinet/fil.c optional ipfilter inet
+ netinet/ip_nat.c optional ipfilter inet
+ netinet/ip_frag.c optional ipfilter inet
+ netinet/ip_state.c optional ipfilter inet
+ netinet/ip_proxy.c optional ipfilter inet
+ netinet/mlf_ipl.c optional ipfilter inet
+ netinet/ip_auth.c optional ipfilter inet
+ netinet/ip_log.c optional ipfilter inet
+ netinet/ip_scan.c optional ipfilter inet
+ netinet/ip_sync.c optional ipfilter inet
+ netinet/ip_pool.c optional ipfilter_pool inet
+ netinet/ip_rules.c optional ipfilter_compiled ipfilter inet
netipx/ipx.c optional ipx
netipx/ipx_cksum.c optional ipx
netipx/ipx_input.c optional ipx


@ -1,24 +0,0 @@
*** files.newconf.orig Sun Jun 25 02:17:29 1995
--- files.newconf Sun Jun 25 02:19:10 1995
***************
*** 161,166 ****
--- 161,179 ----
file netinet/ip_input.c inet
file netinet/ip_mroute.c inet
file netinet/ip_output.c inet
+ file netinet/ip_fil.c ipfilter
+ file netinet/fil.c ipfilter
+ file netinet/ip_nat.c ipfilter
+ file netinet/ip_frag.c ipfilter
+ file netinet/ip_state.c ipfilter
+ file netinet/ip_proxy.c ipfilter
+ file netinet/ip_auth.c ipfilter
+ file netinet/ip_log.c ipfilter
+ file netinet/mlf_ipl.c ipfilter
+ file netinet/ip_scan.c ipfilter
+ file netinet/ip_sync.c ipfilter
+ file netinet/ip_pool.c ipfilter_pool
+ file netinet/ip_rules.c ipfilter_compiled
file netinet/raw_ip.c inet
file netinet/tcp_debug.c inet
file netinet/tcp_input.c inet


@ -1,16 +0,0 @@
*** /sys/netinet/in_proto.c.orig Sat May 24 13:42:26 1997
--- /sys/netinet/in_proto.c Sat May 24 13:42:36 1997
***************
*** 89,94 ****
--- 89,99 ----
void eoninput(), eonctlinput(), eonprotoinit();
#endif /* EON */
+ #if defined(IPFILTER) && !defined(IPFILTER_LKM)
+ void iplinit();
+ #define ip_init iplinit
+ #endif
+
extern struct domain inetdomain;
struct protosw inetsw[] = {


@ -1,32 +0,0 @@
*** /sys/netinet/ip_input.c.orig Sat May 24 13:37:16 1997
--- /sys/netinet/ip_input.c Sat May 24 13:38:58 1997
***************
*** 74,79 ****
--- 74,82 ----
#ifdef IPFIREWALL
#include <netinet/ip_fw.h>
#endif
+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
+ int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+ #endif
int rsvp_on = 0;
static int ip_rsvp_on;
***************
*** 310,315 ****
--- 313,327 ----
* - Wrap: fake packet's addr/port <unimpl.>
* - Encapsulate: put it in another IP and send out. <unimp.>
*/
+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
+
+ if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1)
+ return;
+ ip = mtod(m = m1, struct ip *);
+ }
+ #endif
#ifdef COMPAT_IPFW
if (ip_fw_chk_ptr) {


@ -1,67 +0,0 @@
*** /sys/netinet/ip_output.c.orig Sat May 24 14:07:24 1997
--- /sys/netinet/ip_output.c Sat May 24 15:00:29 1997
***************
*** 67,72 ****
--- 67,76 ----
#else
#undef COMPAT_IPFW
#endif
+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+ #endif
+
u_short ip_id;
***************
*** 75,81 ****
__P((struct ifnet *, struct mbuf *, struct sockaddr_in *));
static int ip_getmoptions
__P((int, struct ip_moptions *, struct mbuf **));
! static int ip_optcopy __P((struct ip *, struct ip *));
static int ip_pcbopts __P((struct mbuf **, struct mbuf *));
static int ip_setmoptions
__P((int, struct ip_moptions **, struct mbuf *));
--- 79,85 ----
__P((struct ifnet *, struct mbuf *, struct sockaddr_in *));
static int ip_getmoptions
__P((int, struct ip_moptions *, struct mbuf **));
! int ip_optcopy __P((struct ip *, struct ip *));
static int ip_pcbopts __P((struct mbuf **, struct mbuf *));
static int ip_setmoptions
__P((int, struct ip_moptions **, struct mbuf *));
***************
*** 338,343 ****
--- 342,356 ----
* - Wrap: fake packet's addr/port <unimpl.>
* - Encapsulate: put it in another IP and send out. <unimp.>
*/
+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
+
+ if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1)
+ goto done;
+ ip = mtod(m = m1, struct ip *);
+ }
+ #endif
#ifdef COMPAT_IPFW
if (ip_nat_ptr && !(*ip_nat_ptr)(&ip, &m, ifp, IP_NAT_OUT)) {
***************
*** 559,565 ****
* Copy options from ip to jp,
* omitting those not copied during fragmentation.
*/
! static int
ip_optcopy(ip, jp)
struct ip *ip, *jp;
{
--- 574,580 ----
* Copy options from ip to jp,
* omitting those not copied during fragmentation.
*/
! int
ip_optcopy(ip, jp)
struct ip *ip, *jp;
{


@ -1,67 +0,0 @@
#!/bin/csh -f
#
set dir=`pwd`
set karch=`uname -m`
if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch"
set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD* ) cd ..
echo -n "Installing "
foreach i (ip_{auth,fil,frag,nat,pool,proxy,scan,state,sync}.[ch] fil.c \
ip_*_pxy.c mlf_ipl.c ipl.h ip_compat.h ip_log.c)
echo -n "$i ";
cp $i /sys/netinet
chmod 644 /sys/netinet/$i
switch ($i)
case *.h:
/bin/cp $i /usr/include/netinet/$i
chmod 644 /usr/include/netinet/$i
breaksw
endsw
end
echo ""
echo "Copying /usr/include/osreldate.h to /sys/sys"
cp /usr/include/osreldate.h /sys/sys
echo "Patching ip_input.c, ip_output.c and in_proto.c"
cat FreeBSD-2.2/ip_{in,out}put.c.diffs FreeBSD-2.2/in_proto.c.diffs | \
(cd /sys/netinet; patch)
if ( -f /sys/conf/files.newconf ) then
echo "Patching /sys/conf/files.newconf"
cat FreeBSD-2.2/files.newconf.diffs | (cd /sys/conf; patch)
echo "Patching /sys/conf/files"
cat FreeBSD-2.2/files.diffs | (cd /sys/conf; patch)
endif
if ( -f /sys/conf/files.oldconf ) then
echo "Patching /sys/conf/files.oldconf"
cat FreeBSD-2.2/files.oldconf.diffs | (cd /sys/conf; patch)
echo "Patching /sys/conf/files"
cat FreeBSD-2.2/filez.diffs | (cd /sys/conf; patch)
endif
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
echo -n "Kernel configuration to update [$config] "
set newconfig=$<
if ( "$newconfig" != "" ) then
set config="$confdir/$newconfig"
else
set newconfig=$config
endif
echo "Re-config'ing $newconfig..."
if ( -f $confdir/$newconfig ) then
mv $confdir/$newconfig $confdir/$newconfig.bak
endif
if ( -d $archdir/../compile/$newconfig ) then
set bak=".bak"
set dot=0
while ( -d $archdir/../compile/${newconfig}.${bak} )
set bak=".bak.$dot"
set dot=`expr 1 + $dot`
end
mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
endif
awk '{print $0;if($2=="INET"){print"options IPFILTER"}}' \
$confdir/$newconfig.bak > $confdir/$newconfig
echo 'You will now need to run "config" and build a new kernel.'
exit 0


@ -1,38 +0,0 @@
#!/bin/csh -f
#
set dir=`pwd`
set karch=`uname -m`
if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch"
set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD-2.2 ) cd ..
echo "Patching ip_input.c, ip_output.c and in_proto.c"
cat FreeBSD-2.2/ip_{in,out}put.c.diffs FreeBSD-2.2/in_proto.c.diffs | \
(cd /sys/netinet; patch)
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
echo -n "Kernel configuration to update [$config] "
set newconfig=$<
if ( "$newconfig" != "" ) then
set config="$confdir/$newconfig"
else
set newconfig=$config
endif
echo "Re-config'ing $newconfig..."
if ( -f $confdir/$newconfig ) then
mv $confdir/$newconfig $confdir/$newconfig.bak
endif
if ( -d $archdir/../compile/$newconfig ) then
set bak=".bak"
set dot=0
while ( -d $archdir/../compile/${newconfig}${bak} )
set bak=".bak."$dot
set dot=`expr 1 + $dot`
end
mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}$bak
endif
awk '{print $0;if($2=="INET"){print"options IPFILTER_LKM\noptions IPFILTER_LOG"}}' \
$confdir/$newconfig.bak > $confdir/$newconfig
echo 'You will now need to run "config" and build a new kernel.'
exit 0


@ -1,57 +0,0 @@
#!/bin/csh -f
#
set dir=`pwd`
set karch=`uname -m`
if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch"
set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD* ) cd ..
echo -n "Uninstalling "
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
ip_auth.[ch] ip_proxy.[ch] ip_ftp_pxy.c ip_compat.h ip_log.c \
mlf_ipl.c ipl.h)
echo -n "$i ";
/bin/rm -f /sys/netinet/$i
end
echo ""
echo "Unpatching ip_input.c, ip_output.c and in_proto.c"
cat FreeBSD-2.2/ip_{in,out}put.c.diffs FreeBSD-2.2/in_proto.c.diffs | \
(cd /sys/netinet; patch -R)
if ( -f /sys/conf/files.newconf ) then
echo "Unpatching /sys/conf/files.newconf"
cat FreeBSD-2.2/files.newconf.diffs | (cd /sys/conf; patch -R)
echo "Unpatching /sys/conf/files"
cat FreeBSD-2.2/files.diffs | (cd /sys/conf; patch -R)
endif
if ( -f /sys/conf/files.oldconf ) then
echo "Unpatching /sys/conf/files.oldconf"
cat FreeBSD-2.2/files.oldconf.diffs | (cd /sys/conf; patch -R)
echo "Unpatching /sys/conf/files"
cat FreeBSD-2.2/filez.diffs | (cd /sys/conf; patch -R)
endif
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
echo -n "Kernel configuration to update [$config] "
set newconfig=$<
if ( "$newconfig" != "" ) then
set config="$confdir/$newconfig"
else
set newconfig=$config
endif
if ( -f $confdir/$newconfig ) then
mv $confdir/$newconfig $confdir/$newconfig.bak
endif
if ( -d $archdir/../compile/$newconfig ) then
set bak=".bak"
set dot=0
while ( -d $archdir/../compile/${newconfig}.${bak} )
set bak=".bak.$dot"
set dot=`expr 1 + $dot`
end
mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
endif
egrep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig
echo 'You will now need to run "config" and build a new kernel.'
exit 0


@ -1,36 +0,0 @@
#!/bin/csh -f
#
set dir=`pwd`
set karch=`uname -m`
if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch"
set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD* ) cd ..
echo "Unpatching ip_input.c, ip_output.c and in_proto.c"
cat FreeBSD-2.2/ip_{in,out}put.c.diffs FreeBSD-2.2/in_proto.c.diffs | \
(cd /sys/netinet; patch -R)
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
echo -n "Kernel configuration to update [$config] "
set newconfig=$<
if ( "$newconfig" != "" ) then
set config="$confdir/$newconfig"
else
set newconfig=$config
endif
if ( -f $confdir/$newconfig ) then
mv $confdir/$newconfig $confdir/$newconfig.bak
endif
if ( -d $archdir/../compile/$newconfig ) then
set bak=".bak"
set dot=0
while ( -d $archdir/../compile/${newconfig}.${bak} )
set bak=".bak.$dot"
set dot=`expr 1 + $dot`
end
mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.$bak
endif
grep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig
echo 'You will now need to run "config" and build a new kernel.'
exit 0


@ -1,26 +0,0 @@
To build a kernel with the IP filter, follow these seven steps:
1. do "make freebsd3"
2. do "make install-bsd"
(probably has to be done as root)
3. run "FreeBSD-3/kinstall" as root
4. build a new kernel
5. install the new kernel
6. If not using DEVFS, create devices for IP Filter as follows:
mknod /dev/ipl c 79 0
mknod /dev/ipnat c 79 1
mknod /dev/ipstate c 79 2
mknod /dev/ipauth c 79 3
mknod /dev/ipsync c 79 4
mknod /dev/ipscan c 79 5
7. reboot
Darren Reed
darrenr@pobox.com


@ -1,52 +0,0 @@
#!/bin/csh -f
#
set dir=`pwd`
set karch=`uname -m`
if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch"
set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD* ) cd ..
echo -n "Installing "
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c mlf_ipl.c ipl.h \
ip_compat.h ip_auth.[ch] ip_log.c)
echo -n "$i ";
cp $i /sys/netinet
chmod 644 /sys/netinet/$i
switch ($i)
case *.h:
/bin/cp $i /usr/include/netinet/$i
chmod 644 /usr/include/netinet/$i
breaksw
endsw
end
echo ""
echo "Linking /usr/include/osreldate.h to /sys/sys/osreldate.h"
ln -s /usr/include/osreldate.h /sys/sys/osreldate.h
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
echo -n "Kernel configuration to update [$config] "
set newconfig=$<
if ( "$newconfig" != "" ) then
set config="$confdir/$newconfig"
else
set newconfig=$config
endif
echo "Rewriting $newconfig..."
if ( -f $confdir/$newconfig ) then
mv $confdir/$newconfig $confdir/$newconfig.bak
endif
if ( -d $archdir/../compile/$newconfig ) then
set bak=".bak"
set dot=0
while ( -d $archdir/../compile/${newconfig}.${bak} )
set bak=".bak.$dot"
set dot=`expr 1 + $dot`
end
mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
endif
awk '{print $0;if($2=="INET"){print"options IPFILTER\noptions IPFILTER_LOG"}}'\
$confdir/$newconfig.bak > $confdir/$newconfig
echo "You will now need to run config on $newconfig and build a new kernel."
exit 0


@ -1,45 +0,0 @@
#!/bin/csh -f
#
#
set dir=`pwd`
set karch=`uname -m`
if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch"
set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD* ) cd ..
echo -n "Uninstalling "
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
ip_auth.[ch] ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c ip_compat.h \
ip_log.c mlf_ipl.c ipl.h)
echo -n "$i ";
/bin/rm -f /sys/netinet/$i
end
echo ""
echo "Removing link from /usr/include/osreldate.h to /sys/sys/osreldate.h"
rm /sys/sys/osreldate.h
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
echo -n "Kernel configuration to update [$config] "
set newconfig=$<
if ( "$newconfig" != "" ) then
set config="$confdir/$newconfig"
else
set newconfig=$config
endif
if ( -f $confdir/$newconfig ) then
mv $confdir/$newconfig $confdir/$newconfig.bak
endif
if ( -d $archdir/../compile/$newconfig ) then
set bak=".bak"
set dot=0
while ( -d $archdir/../compile/${newconfig}.${bak} )
set bak=".bak.$dot"
set dot=`expr 1 + $dot`
end
mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
endif
egrep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig
echo 'You will now need to run "config" and build a new kernel.'
exit 0


@ -1,61 +0,0 @@
*** ip6_input.c.orig Sun Feb 13 14:32:01 2000
--- ip6_input.c Wed Apr 26 22:31:34 2000
***************
*** 121,126 ****
--- 121,127 ----
extern struct domain inet6domain;
extern struct ip6protosw inet6sw[];
+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
u_char ip6_protox[IPPROTO_MAX];
static int ip6qmaxlen = IFQ_MAXLEN;
***************
*** 302,307 ****
--- 303,317 ----
ip6stat.ip6s_badvers++;
in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
goto bad;
+ }
+
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
+
+ if ((*fr_checkp)(ip6, sizeof(*ip6), m->m_pkthdr.rcvif,
+ 0, &m1) || !m1)
+ return;
+ ip6 = mtod(m = m1, struct ip6_hdr *);
}
ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
*** ip6_output.c.orig Fri Mar 10 01:57:16 2000
--- ip6_output.c Wed Apr 26 22:34:34 2000
***************
*** 108,113 ****
--- 108,115 ----
#include <netinet6/ip6_fw.h>
#endif
+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+
static MALLOC_DEFINE(M_IPMOPTS, "ip6_moptions", "internet multicast options");
struct ip6_exthdrs {
***************
*** 754,759 ****
--- 756,770 ----
ip6->ip6_src.s6_addr16[1] = 0;
if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst))
ip6->ip6_dst.s6_addr16[1] = 0;
+ }
+
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
+
+ if ((error = (*fr_checkp)(ip6, sizeof(*ip6), ifp, 1, &m1)) ||
+ !m1)
+ goto done;
+ ip6 = mtod(m = m1, struct ip6_hdr *);
}
#ifdef IPV6FIREWALL


@ -1,63 +0,0 @@
.\" $FreeBSD$
.\"
*** ip6_input.c.orig Sun Feb 13 14:32:01 2000
--- ip6_input.c Wed Apr 26 22:31:34 2000
***************
*** 121,126 ****
--- 121,127 ----
extern struct domain inet6domain;
extern struct ip6protosw inet6sw[];
+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
u_char ip6_protox[IPPROTO_MAX];
static int ip6qmaxlen = IFQ_MAXLEN;
***************
*** 302,307 ****
--- 303,317 ----
ip6stat.ip6s_badvers++;
in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
goto bad;
+ }
+
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
+
+ if ((*fr_checkp)(ip6, sizeof(*ip6), m->m_pkthdr.rcvif,
+ 0, &m1) || !m1)
+ return;
+ ip6 = mtod(m = m1, struct ip6_hdr *);
}
ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
*** ip6_output.c.orig Fri Mar 10 01:57:16 2000
--- ip6_output.c Wed Apr 26 22:34:34 2000
***************
*** 108,113 ****
--- 108,115 ----
#include <netinet6/ip6_fw.h>
#endif
+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+
static MALLOC_DEFINE(M_IPMOPTS, "ip6_moptions", "internet multicast options");
struct ip6_exthdrs {
***************
*** 754,759 ****
--- 756,770 ----
ip6->ip6_src.s6_addr16[1] = 0;
if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst))
ip6->ip6_dst.s6_addr16[1] = 0;
+ }
+
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
+
+ if ((error = (*fr_checkp)(ip6, sizeof(*ip6), ifp, 1, &m1)) ||
+ !m1)
+ goto done;
+ ip6 = mtod(m = m1, struct ip6_hdr *);
}
#ifdef IPV6FIREWALL


@ -1,65 +0,0 @@
.\" $FreeBSD$
.\"
*** ip6_input.c.orig Sat Jul 15 07:14:34 2000
--- ip6_input.c Thu Oct 19 17:14:37 2000
***************
*** 120,125 ****
--- 120,127 ----
extern struct domain inet6domain;
extern struct ip6protosw inet6sw[];
+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int,
+ struct mbuf **));
u_char ip6_protox[IPPROTO_MAX];
static int ip6qmaxlen = IFQ_MAXLEN;
***************
*** 289,294 ****
--- 291,305 ----
ip6stat.ip6s_badvers++;
in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
goto bad;
+ }
+
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
+
+ if ((*fr_checkp)(ip6, sizeof(*ip6), m->m_pkthdr.rcvif,
+ 0, &m1) || !m1)
+ return;
+ ip6 = mtod(m = m1, struct ip6_hdr *);
}
ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
*** ip6_output.c.orig Sat Jul 15 07:14:35 2000
--- ip6_output.c Thu Oct 19 17:13:53 2000
***************
*** 106,111 ****
--- 106,113 ----
#include <netinet6/ip6_fw.h>
#endif
+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+
static MALLOC_DEFINE(M_IPMOPTS, "ip6_moptions", "internet multicast options");
struct ip6_exthdrs {
***************
*** 787,792 ****
--- 789,803 ----
ip6->ip6_src.s6_addr16[1] = 0;
if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst))
ip6->ip6_dst.s6_addr16[1] = 0;
+ }
+
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
+
+ if ((error = (*fr_checkp)(ip6, sizeof(*ip6), ifp, 1, &m1)) ||
+ !m1)
+ goto done;
+ ip6 = mtod(m = m1, struct ip6_hdr *);
}
#ifdef IPV6FIREWALL


@ -1,65 +0,0 @@
.\" $FreeBSD$
.\"
*** ip6_input.c.orig Sat Jul 15 07:14:34 2000
--- ip6_input.c Thu Oct 19 17:14:37 2000
***************
*** 120,125 ****
--- 120,127 ----
extern struct domain inet6domain;
extern struct ip6protosw inet6sw[];
+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int,
+ struct mbuf **));
u_char ip6_protox[IPPROTO_MAX];
static int ip6qmaxlen = IFQ_MAXLEN;
***************
*** 289,294 ****
--- 291,305 ----
ip6stat.ip6s_badvers++;
in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
goto bad;
+ }
+
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
+
+ if ((*fr_checkp)(ip6, sizeof(*ip6), m->m_pkthdr.rcvif,
+ 0, &m1) || !m1)
+ return;
+ ip6 = mtod(m = m1, struct ip6_hdr *);
}
ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
*** ip6_output.c.orig Sat Jul 15 07:14:35 2000
--- ip6_output.c Thu Oct 19 17:13:53 2000
***************
*** 106,111 ****
--- 106,113 ----
#include <netinet6/ip6_fw.h>
#endif
+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+
static MALLOC_DEFINE(M_IPMOPTS, "ip6_moptions", "internet multicast options");
struct ip6_exthdrs {
***************
*** 787,792 ****
--- 789,803 ----
ip6->ip6_src.s6_addr16[1] = 0;
if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst))
ip6->ip6_dst.s6_addr16[1] = 0;
+ }
+
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
+
+ if ((error = (*fr_checkp)(ip6, sizeof(*ip6), ifp, 1, &m1)) ||
+ !m1)
+ goto done;
+ ip6 = mtod(m = m1, struct ip6_hdr *);
}
#ifdef IPV6FIREWALL


@ -1,63 +0,0 @@
#!/bin/csh -f
#
set dir=`pwd`
set karch=`uname -m`
set ipfdir=/sys/netinet
set krev=`uname -r|sed -e 's/\([0-9\.]*\)-.*/\1/'`
if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch"
if ( -d /sys/contrib/ipfilter ) set ipfdir=/sys/contrib/ipfilter/netinet
set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD* ) cd ..
echo -n "Installing "
foreach i (ip_{auth,fil,nat,pool,proxy,scan,state,sync}.[ch] fil.c \
ip_*_pxy.c mlfk_ipl.c ipl.h ip_compat.h ip_log.c )
echo -n "$i ";
cp $i /sys/netinet
chmod 644 /sys/netinet/$i
switch ($i)
case *.h:
/bin/cp $i /usr/include/netinet/$i
chmod 644 /usr/include/netinet/$i
breaksw
endsw
end
echo ""
echo "Linking /usr/include/osreldate.h to /sys/sys/osreldate.h"
ln -s /usr/include/osreldate.h /sys/sys/osreldate.h
echo ""
echo "Patching ip6_input.c and ip6_output.c"
cat FreeBSD-4.0/ipv6-patch-$krev | (cd /sys/netinet6; patch -N)
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
echo -n "Kernel configuration to update [$config] "
set newconfig=$<
if ( "$newconfig" != "" ) then
set config="$confdir/$newconfig"
else
set newconfig=$config
endif
grep -q IPFILTER $confdir/$newconfig
if ($status == 0) then
echo "IPFilter already configured in kernel config file"
exit 0
endif
echo "Rewriting $newconfig..."
if ( -f $confdir/$newconfig ) then
mv $confdir/$newconfig $confdir/$newconfig.bak
endif
if ( -d $archdir/../compile/$newconfig ) then
set bak=".bak"
set dot=0
while ( -d $archdir/../compile/${newconfig}.${bak} )
set bak=".bak.$dot"
set dot=`expr 1 + $dot`
end
mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
endif
awk '{print $0;if($2=="INET"){print"options IPFILTER\noptions IPFILTER_LOG"}}'\
$confdir/$newconfig.bak > $confdir/$newconfig
echo "You will now need to run config on $newconfig and build a new kernel."
exit 0


@ -1,49 +0,0 @@
#!/bin/csh -f
#
#
set dir=`pwd`
set karch=`uname -m`
set krev=`uname -r|sed -e 's/\([0-9\.]*\)-.*/\1/'`
if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch"
set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD* ) cd ..
echo -n "Uninstalling "
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
ip_auth.[ch] ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c ip_compat.h \
ip_log.c mlf_ipl.c ipl.h)
echo -n "$i ";
/bin/rm -f /sys/netinet/$i
end
echo ""
echo "Removing link from /usr/include/osreldate.h to /sys/sys/osreldate.h"
rm /sys/sys/osreldate.h
echo "Removing patch to ip6_input.c and ip6_output.c"
cat FreeBSD-4.0/ipv6-patch-$krev | (cd /sys/netinet6; patch -R)
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
echo -n "Kernel configuration to update [$config] "
set newconfig=$<
if ( "$newconfig" != "" ) then
set config="$confdir/$newconfig"
else
set newconfig=$config
endif
if ( -f $confdir/$newconfig ) then
mv $confdir/$newconfig $confdir/$newconfig.bak
endif
if ( -d $archdir/../compile/$newconfig ) then
set bak=".bak"
set dot=0
while ( -d $archdir/../compile/${newconfig}.${bak} )
set bak=".bak.$dot"
set dot=`expr 1 + $dot`
end
mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
endif
egrep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig
echo 'You will now need to run "config" and build a new kernel.'
exit 0


@ -1,46 +0,0 @@
*** conf.c.orig Sun Jan 14 15:39:32 1996
--- conf.c Sun Jan 14 15:48:21 1996
***************
*** 1128,1133 ****
--- 1128,1149 ----
#define labpcioctl nxioctl
#endif
+ #ifdef IPFILTER
+ d_open_t iplopen;
+ d_close_t iplclose;
+ d_ioctl_t iplioctl;
+ # ifdef IPFILTER_LOG
+ d_read_t iplread;
+ # else
+ #define iplread nxread
+ # endif
+ #else
+ #define iplopen nxopen
+ #define iplclose nxclose
+ #define iplioctl nxioctl
+ #define iplread nxread
+ #endif
+
/* open, close, read, write, ioctl, stop, reset, ttys, select, mmap, strat */
struct cdevsw cdevsw[] =
{
***************
*** 1199,1206 ****
* Otherwise, simply use the one reserved for local use.
*/
/* character device 20 is reserved for local use */
! { nxopen, nxclose, nxread, nxwrite, /*20*/
! nxioctl, nxstop, nxreset, nxdevtotty,/* reserved */
nxselect, nxmmap, NULL },
{ psmopen, psmclose, psmread, nowrite, /*21*/
psmioctl, nostop, nullreset, nodevtotty,/* psm mice */
--- 1215,1222 ----
* Otherwise, simply use the one reserved for local use.
*/
/* character device 20 is reserved for local use */
! { iplopen, iplclose, iplread, nxwrite, /*20*/
! iplioctl, nxstop, nxreset, nxdevtotty,/* reserved */
nxselect, nxmmap, NULL },
{ psmopen, psmclose, psmread, nowrite, /*21*/
psmioctl, nostop, nullreset, nodevtotty,/* psm mice */


@ -1,23 +0,0 @@
*** files.orig Sat Sep 30 18:01:55 1995
--- files Sun Jan 14 14:32:25 1996
***************
*** 208,213 ****
--- 208,225 ----
netinet/tcp_timer.c optional inet
netinet/tcp_usrreq.c optional inet
netinet/udp_usrreq.c optional inet
+ netinet/ip_fil.c optional ipfilter inet
+ netinet/fil.c optional ipfilter inet
+ netinet/ip_nat.c optional ipfilter inet
+ netinet/ip_frag.c optional ipfilter inet
+ netinet/ip_state.c optional ipfilter inet
+ netinet/ip_auth.c optional ipfilter inet
+ netinet/ip_proxy.c optional ipfilter inet
+ netinet/ip_log.c optional ipfilter inet
+ netinet/ip_scan.c optional ipfilter inet
+ netinet/ip_sync.c optional ipfilter inet
+ netinet/ip_pool.c optional ipfilter_pool ipfilter inet
+ netinet/ip_rules.c optional ipfilter_compiled ipfilter inet
netiso/clnp_debug.c optional iso
netiso/clnp_er.c optional iso
netiso/clnp_frag.c optional iso


@ -1,23 +0,0 @@
*** files.newconf.orig Sun Jun 25 02:17:29 1995
--- files.newconf Sun Jun 25 02:19:10 1995
***************
*** 161,166 ****
--- 161,178 ----
file netinet/ip_input.c inet
file netinet/ip_mroute.c inet
file netinet/ip_output.c inet
+ file netinet/ip_fil.c ipfilter
+ file netinet/fil.c ipfilter
+ file netinet/ip_nat.c ipfilter
+ file netinet/ip_frag.c ipfilter
+ file netinet/ip_state.c ipfilter
+ file netinet/ip_proxy.c ipfilter
+ file netinet/ip_auth.c ipfilter
+ file netinet/ip_log.c ipfilter
+ file netinet/ip_scan.c ipfilter
+ file netinet/ip_sync.c ipfilter
+ file netinet/ip_pool.c ipfilter_pool
+ file netinet/ip_rules.c ipfilter_compiled
file netinet/raw_ip.c inet
file netinet/tcp_debug.c inet
file netinet/tcp_input.c inet


@ -1,23 +0,0 @@
*** files.oldconf.orig Sat Apr 29 19:59:31 1995
--- files.oldconf Sun Apr 23 17:54:18 1995
***************
*** 180,185 ****
--- 180,197 ----
netinet/tcp_timer.c optional inet
netinet/tcp_usrreq.c optional inet
netinet/udp_usrreq.c optional inet
+ netinet/ip_fil.c optional ipfilter requires inet
+ netinet/fil.c optional ipfilter requires inet
+ netinet/ip_nat.c optional ipfilter requires inet
+ netinet/ip_frag.c optional ipfilter requires inet
+ netinet/ip_state.c optional ipfilter requires inet
+ netinet/ip_proxy.c optional ipfilter requires inet
+ netinet/ip_auth.c optional ipfilter requires inet
+ netinet/ip_log.c optional ipfilter requires inet
+ netinet/ip_scan.c optional ipfilter requires inet
+ netinet/ip_sync.c optional ipfilter requires inet
+ netinet/ip_pool.c optional ipfilter_pool requires ipfilter
+ netinet/ip_rules.c optional ipfilter_compiled requires ipfilter
netiso/clnp_debug.c optional iso
netiso/clnp_er.c optional iso
netiso/clnp_frag.c optional iso


@ -1,23 +0,0 @@
*** files.orig Sat Apr 29 20:00:02 1995
--- files Sun Apr 23 17:53:58 1995
***************
*** 222,227 ****
--- 222,235 ----
file netinet/tcp_timer.c inet
file netinet/tcp_usrreq.c inet
file netinet/udp_usrreq.c inet
+ file netinet/ip_fil.c ipfilter
+ file netinet/fil.c ipfilter
+ file netinet/ip_nat.c ipfilter
+ file netinet/ip_frag.c ipfilter
+ file netinet/ip_state.c ipfilter
+ file netinet/ip_proxy.c ipfilter
+ file netinet/ip_auth.c ipfilter
+ file netinet/ip_log.c ipfilter
+ file netinet/ip_scan.c ipfilter
+ file netinet/ip_sync.c ipfilter
+ file netinet/ip_pool.c ipfilter_pool
+ file netinet/ip_rules.c ipfilter_compiled
file netiso/clnp_debug.c iso
file netiso/clnp_er.c iso
file netiso/clnp_frag.c iso


@ -1,16 +0,0 @@
*** in_proto.c.orig Wed Sep 6 20:31:34 1995
--- in_proto.c Mon Mar 11 22:40:03 1996
***************
*** 81,86 ****
--- 81,91 ----
void eoninput(), eonctlinput(), eonprotoinit();
#endif /* EON */
+ #ifdef IPFILTER
+ void iplinit();
+ #define ip_init iplinit
+ #endif
+
void rsvp_input(struct mbuf *, int);
void ipip_input(struct mbuf *, int);


@ -1,88 +0,0 @@
*** /sys/netinet/ip_input.c.orig Thu Oct 24 22:27:27 1996
--- /sys/netinet/ip_input.c Tue Feb 18 21:18:19 1997
***************
*** 93,98 ****
--- 93,102 ----
int ipqmaxlen = IFQ_MAXLEN;
struct in_ifaddr *in_ifaddr; /* first inet address */
struct ifqueue ipintrq;
+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
+ int fr_check __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+ int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+ #endif
struct ipstat ipstat;
struct ipq ipq;
***************
*** 219,226 ****
}
ip = mtod(m, struct ip *);
}
! ip->ip_sum = in_cksum(m, hlen);
! if (ip->ip_sum) {
ipstat.ips_badsum++;
goto bad;
}
--- 223,229 ----
}
ip = mtod(m, struct ip *);
}
! if (in_cksum(m, hlen)) {
ipstat.ips_badsum++;
goto bad;
}
***************
*** 267,272 ****
--- 270,288 ----
goto next;
}
+ #if defined(IPFILTER) || defined(IPFILTER_LKM)
+ /*
+ * Check if we want to allow this packet to be processed.
+ * Consider it to be bad if not.
+ */
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
+
+ if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1)
+ goto next;
+ ip = mtod(m = m1, struct ip *);
+ }
+ #endif
/*
* Process options and, if not destined for us,
* ship it on. ip_dooptions returns 1 when an
***************
*** 527,532 ****
--- 533,540 ----
* if they are completely covered, dequeue them.
*/
while (q != (struct ipasfrag *)fp && ip->ip_off + ip->ip_len > q->ip_off) {
+ struct mbuf *m0;
+
i = (ip->ip_off + ip->ip_len) - q->ip_off;
if (i < q->ip_len) {
q->ip_len -= i;
***************
*** 526,534 ****
m_adj(dtom(q), i);
break;
}
q = q->ipf_next;
- m_freem(dtom(q->ipf_prev));
ip_deq(q->ipf_prev);
}
insert:
--- 542,551 ----
m_adj(dtom(q), i);
break;
}
+ m0 = dtom(q);
q = q->ipf_next;
ip_deq(q->ipf_prev);
+ m_freem(m0);
}
insert:


@ -1,36 +0,0 @@
*** /sys/netinet/ip_output.c.orig Thu Oct 24 22:27:28 1996
--- /sys/netinet/ip_output.c Tue Feb 18 21:38:23 1997
***************
*** 65,70 ****
--- 65,74 ----
static struct mbuf *ip_insertoptions __P((struct mbuf *, struct mbuf *, int *));
static void ip_mloopback
__P((struct ifnet *, struct mbuf *, struct sockaddr_in *));
+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
+ extern int fr_check __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+ #endif
/*
* IP output. The packet in mbuf chain m contains a skeletal IP
***************
*** 330,335 ****
--- 334,351 ----
m->m_flags &= ~M_BCAST;
sendit:
+ #if defined(IPFILTER) || defined(IPFILTER_LKM)
+ /*
+ * looks like most checking has been done now...do a filter check
+ */
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
+
+ if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1)
+ goto done;
+ ip = mtod(m = m1, struct ip *);
+ }
+ #endif
/*
* Check with the firewall...
*/


@ -1,72 +0,0 @@
#!/bin/csh -f
#
set dir=`pwd`
set karch=`uname -m`
if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch"
set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD ) cd ..
echo -n "Installing "
foreach i (ip_{auth,fil,frag,nat,pool,proxy,scan,state,sync}.[ch] fil.c \
ip_*_pxy.c ip_compat.h ip_log.c )
echo -n "$i ";
cp $i /sys/netinet
chmod 644 /sys/netinet/$i
switch ($i)
case *.h:
/bin/cp $i /usr/include/netinet/$i
chmod 644 /usr/include/netinet/$i
breaksw
endsw
end
echo ""
grep iplopen $archdir/$karch/conf.c >& /dev/null
if ( $status != 0 ) then
echo "Patching $archdir/$karch/conf.c"
cat FreeBSD/conf.c.diffs | (cd $archdir/$karch; patch)
endif
grep fr_checkp /sys/netinet/ip_input.c >& /dev/null
if ( $status != 0 ) then
echo "Patching ip_input.c, ip_output.c and in_proto.c"
cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \
(cd /sys/netinet; patch)
endif
if ( -f /sys/conf/files.newconf ) then
echo "Patching /sys/conf/files.newconf"
cat FreeBSD/files.newconf.diffs | (cd /sys/conf; patch)
echo "Patching /sys/conf/files"
cat FreeBSD/files.diffs | (cd /sys/conf; patch)
endif
if ( -f /sys/conf/files.oldconf ) then
echo "Patching /sys/conf/files.oldconf"
cat FreeBSD/files.oldconf.diffs | (cd /sys/conf; patch)
echo "Patching /sys/conf/files"
cat FreeBSD/filez.diffs | (cd /sys/conf; patch)
endif
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
echo -n "Kernel configuration to update [$config] "
set newconfig=$<
if ( "$newconfig" != "" ) then
set config="$confdir/$newconfig"
else
set newconfig=$config
endif
echo "Re-config'ing $newconfig..."
if ( -f $confdir/$newconfig ) then
mv $confdir/$newconfig $confdir/$newconfig.bak
endif
if ( -d $archdir/../compile/$newconfig ) then
set bak=".bak"
set dot=0
while ( -d $archdir/../compile/${newconfig}.${bak} )
set bak=".bak.$dot"
set dot=`expr 1 + $dot`
end
mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
endif
awk '{print $0;if($2=="INET"){print"options IPFILTER"}}' \
$confdir/$newconfig.bak > $confdir/$newconfig
echo 'You will now need to run "config" and build a new kernel.'
exit 0


@ -1,51 +0,0 @@
#!/bin/csh -f
#
set dir=`pwd`
set karch=`uname -m`
if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch"
set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD ) cd ..
echo "Patching ip_input.c, ip_output.c and in_proto.c"
cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \
(cd /sys/netinet; patch)
if ( -f /sys/conf/files.newconf ) then
echo "Patching /sys/conf/files.newconf"
cat FreeBSD/files.newconf.diffs | (cd /sys/conf; patch)
echo "Patching /sys/conf/files"
cat FreeBSD/files.diffs | (cd /sys/conf; patch)
endif
if ( -f /sys/conf/files.oldconf ) then
echo "Patching /sys/conf/files.oldconf"
cat FreeBSD/files.oldconf.diffs | (cd /sys/conf; patch)
echo "Patching /sys/conf/files"
cat FreeBSD/filez.diffs | (cd /sys/conf; patch)
endif
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
echo -n "Kernel configuration to update [$config] "
set newconfig=$<
if ( "$newconfig" != "" ) then
set config="$confdir/$newconfig"
else
set newconfig=$config
endif
echo "Re-config'ing $newconfig..."
if ( -f $confdir/$newconfig ) then
mv $confdir/$newconfig $confdir/$newconfig.bak
endif
if ( -d $archdir/../compile/$newconfig ) then
set bak=".bak"
set dot=0
while ( -d $archdir/../compile/${newconfig}.${bak} )
set bak=".bak.$dot"
set dot=`expr 1 + $dot`
end
mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.$bak
endif
awk '{print $0;if($2=="INET"){print"options IPFILTER_LKM"}}' \
$confdir/$newconfig.bak > $confdir/$newconfig
echo 'You will now need to run "config" and build a new kernel.'
exit 0


@ -1,58 +0,0 @@
#!/bin/csh -f
#
set dir=`pwd`
set karch=`uname -m`
if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch"
set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD ) cd ..
echo -n "Uninstalling "
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
ip_compat.h ip_auth.[ch] ip_proxy.[ch] ip_ftp_pxy.c ip_log.c)
echo -n "$i ";
/bin/rm -f /sys/netinet/$i
end
echo ""
echo "Unpatching $archdir/$karch/conf.c"
cat FreeBSD/conf.c.diffs | (cd $archdir/$karch; patch -R)
echo "Unpatching ip_input.c, ip_output.c and in_proto.c"
cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \
(cd /sys/netinet; patch -R)
if ( -f /sys/conf/files.newconf ) then
echo "Unpatching /sys/conf/files.newconf"
cat FreeBSD/files.newconf.diffs | (cd /sys/conf; patch -R)
echo "Unpatching /sys/conf/files"
cat FreeBSD/files.diffs | (cd /sys/conf; patch -R)
endif
if ( -f /sys/conf/files.oldconf ) then
echo "Unpatching /sys/conf/files.oldconf"
cat FreeBSD/files.oldconf.diffs | (cd /sys/conf; patch -R)
echo "Unpatching /sys/conf/files"
cat FreeBSD/filez.diffs | (cd /sys/conf; patch -R)
endif
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
echo -n "Kernel configuration to update [$config] "
set newconfig=$<
if ( "$newconfig" != "" ) then
set config="$confdir/$newconfig"
else
set newconfig=$config
endif
if ( -f $confdir/$newconfig ) then
mv $confdir/$newconfig $confdir/$newconfig.bak
endif
if ( -d $archdir/../compile/$newconfig ) then
set bak=".bak"
set dot=0
while ( -d $archdir/../compile/${newconfig}.${bak} )
set bak=".bak.$dot"
set dot=`expr 1 + $dot`
end
mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
endif
egrep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig
echo 'You will now need to run "config" and build a new kernel.'
exit 0


@ -1,49 +0,0 @@
#!/bin/csh -f
#
set dir=`pwd`
set karch=`uname -m`
if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
if ( -d /sys/$karch ) set archdir="/sys/$karch"
set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD ) cd ..
echo "Unpatching ip_input.c, ip_output.c and in_proto.c"
cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \
(cd /sys/netinet; patch -R)
if ( -f /sys/conf/files.newconf ) then
echo "Unpatching /sys/conf/files.newconf"
cat FreeBSD/files.newconf.diffs | (cd /sys/conf; patch -R)
echo "Unpatching /sys/conf/files"
cat FreeBSD/files.diffs | (cd /sys/conf; patch -R)
endif
if ( -f /sys/conf/files.oldconf ) then
echo "Unpatching /sys/conf/files.oldconf"
cat FreeBSD/files.oldconf.diffs | (cd /sys/conf; patch -R)
echo "Unpatching /sys/conf/files"
cat FreeBSD/filez.diffs | (cd /sys/conf; patch -R)
endif
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
echo -n "Kernel configuration to update [$config] "
set newconfig=$<
if ( "$newconfig" != "" ) then
set config="$confdir/$newconfig"
else
set newconfig=$config
endif
if ( -f $confdir/$newconfig ) then
mv $confdir/$newconfig $confdir/$newconfig.bak
endif
if ( -d $archdir/../compile/$newconfig ) then
set bak=".bak"
set dot=0
while ( -d $archdir/../compile/${newconfig}.${bak} )
set bak=".bak.$dot"
set dot=`expr 1 + $dot`
end
mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.$bak
endif
grep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig
echo 'You will now need to run "config" and build a new kernel.'
exit 0


@ -1,11 +0,0 @@
****************************************
IMPORTANT NOTICE
****************************************
1)
If you have BOTH GNU make and the normal make shipped with your system,
DO NOT use the GNU make to build this package.
Darren
darrenr@pobox.com
****************************************


@ -1,62 +0,0 @@
.\" $FreeBSD$
.\"
To build a kernel for use with the loadable kernel module, follow these
steps:
1. In /sys/i386/conf, create a new kernel config file (to be used
with IPFILTER), i.e. FIREWALL and run config, i.e. "config FIREWALL"
2. build the object files, telling it the name of the kernel to be
used. "freebsd22" MUST be the target, so the command would be
something like this: "make freebsd22 IPFILKERN=FIREWALL"
3. do "make install-bsd"
(probably has to be done as root)
4. run "FreeBSD-2.2/minstall" as root
5. build a new kernel
6. install and reboot with the new kernel
7. use modload(8) to load the packet filter with:
modload if_ipl.o
8. do "modstat" to confirm that it has been loaded successfully.
There is no need to use mknod to create the device in /dev;
- upon loading the module, it will create itself with the correct values,
under the name (IPL_NAME) from the Makefile. It will also remove itself
from /dev when it is modunload'd.
To build a kernel with the IP filter, follow these steps:
*** KERNEL INSTALL CURRENTLY UNSUPPORTED ***
1. do "make freebsd22"
2. do "make install-bsd"
(probably has to be done as root)
3. run "FreeBSD-2.2/kinstall" as root
4. build a new kernel
5a) For FreeBSD 2.2 (or later)
create devices for IP Filter as follows:
mknod /dev/ipl c 79 0
mknod /dev/ipnat c 79 1
mknod /dev/ipstate c 79 2
mknod /dev/ipauth c 79 3
5b) For versions prior to FreeBSD 2.2:
create devices for IP Filter as follows (assuming it was
installed into the device table as char dev 20):
mknod /dev/ipl c 20 0
mknod /dev/ipnat c 20 1
mknod /dev/ipstate c 20 2
mknod /dev/ipauth c 20 3
6. install and reboot with the new kernel
Darren Reed
darrenr@pobox.com


@ -1,61 +0,0 @@
Thi file is for use with FreeBSD 4.x and 5.x only.
To build a kernel for use with the loadable kernel module, follow these
steps:
0. Run "config GENERIC" or similar in /sys/i386/conf or the
appropriate directory for your kernel.
1. For FreeBSD version:
4.* do make freebsd4
5.* do make freebsd5
2. do "make install-bsd"
(probably has to be done as root)
3. Run "BSD/kupgrade"
4. build a new kernel
5. install and reboot with the new kernel
6. use modload(8)/kldload(8) to load the packet filter with:
modload if_ipl.o
kldload ipf.ko
7. do "modstat" or "kldstat" to confirm that it has been loaded
successfully.
There is no need to use mknod to create the device in /dev;
- upon loading the module, it will create itself with the correct values,
under the name (IPL_NAME) from the Makefile. It will also remove itself
from /dev when it is modunload'd.
To build a kernel with the IP filter, follow these steps:
1. For FreeBSD version:
4.* do make freebsd4
5.* do make freebsd5
2. do "make install-bsd"
(probably has to be done as root)
3. run "FreeBSD/kinstall" as root
4. build a new kernel
5.
b) If you are using FreeBSD-3 or later:
create devices for IP Filter as follows (assuming it was
installed into the device table as char dev 20):
mknod /dev/ipl c 79 0
mknod /dev/ipnat c 79 1
mknod /dev/ipstate c 79 2
mknod /dev/ipauth c 79 3
mknod /dev/ipsync c 79 4
mknod /dev/ipscan c 79 5
6. install and reboot with the new kernel
Darren Reed
darrenr@pobox.com


@ -1,45 +0,0 @@
# $FreeBSD$
To build a kernel for use with the loadable kernel module, follow these
steps:
1. do "make bsd"
2. cd to the "BSD" directory and type "make install"
3. run "4bsd/minstall" as root
4. build a new kernel
5. install and reboot with the new kernel
6. use modload(8) to load the packet filter with:
modload if_ipl.o
7. do "modstat" to confirm that it has been loaded successfully.
There is no need to use mknod to create the device in /dev;
- upon loading the module, it will create itself with the correct values,
under the name (IPL_NAME) from the Makefile. It will also remove itself
from /dev when it is modunload'd.
To build a kernel with the IP filter, follow these steps:
1. do "make bsd"
2. cd to the "BSD" directory and type "make install"
3. run "4bsd/kinstall" as root
4. build a new kernel
5. create devices for IP Filter as follows (assuming it was
installed into the device table as char dev 20):
mknod /dev/ipl c 20 0
mknod /dev/ipnat c 20 1
mknod /dev/ipstate c 20 2
mknod /dev/ipauth c 20 3
6. install and reboot with the new kernel
Darren
darrenr@pobox.com


@ -1,465 +0,0 @@
IP filter $B%7%g!<%H%,%$%I(B Dec, 1999
$B%[!<%`%Z!<%8(B: http://coombs.anu.edu.au/~avalon/ip-filter.html
FTP: ftp://coombs.anu.edu.au/pub/net/ip-filter/
$B30;3(B $B=c@8(B <sumio@is.s.u-tokyo.ac.jp>
$B;3K\(B $BBY1'(B <ymmt@is.s.u-tokyo.ac.jp>
-----
$B$O$8$a$K(B
IP filter $B$r(B gateway $B%^%7%s$K%$%s%9%H!<%k$9$k$3$H$G%Q%1%C%H%U%#(B
$B%k%?%j%s%0$r9T$&$3$H$,$G$-$^$9!#(B
$B%$%s%9%H!<%k$NJ}K!$O!"(BINSTALL$B$K=q$$$F$"$k$N$G!"$=$A$i$r;2>H$7$F(B
$B$/$@$5$$!#(BIP filter $B$N%P!<%8%g%s(B 3.3.5 $B$O!"(B
Solaris/Solaris-x86 2.3 - 8 (early access)
SunOS 4.1.1 - 4.1.4
NetBSD 1.0 - 1.4
FreeBSD 2.0.0 - 2.2.8
BSD/OS-1.1 - 4
IRIX 6.2
$B$GF0:n$9$k$3$H$,3NG'$5$l$F$$$^$9!#(B
$B$J$*!"(B64 bit kernel $B$NAv$C$F$k(B Solaris7 $B%^%7%s$G$O!"(Bgcc $B$H$+$G%3(B
$B%s%Q%$%k$7$?(B kernel driver $B$OF0:n$7$^$;$s!#(B
$B$=$N$h$&$J>l9g$K$O!"(Bprecompiled binary $B$r(B
ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.3.2-sparcv9.pkg.gz
(1999$BG/(B12$B7n(B14$BF|8=:_!"$^$@(B3.3.5$B$O%Q%C%1!<%8$K$J$C$F$$$^$;$s(B)
$B$+$i<h$C$F$/$k$+!"(BWorkshop Compiler 5.0 $B$G%3%s%Q%$%k$7$F(B 64bit
driver $B$r:n$C$F$/$@$5$$!#(B
-----
$B@_Dj%U%!%$%k$N5-=RJ}K!(B
IP filter$B$N@_Dj$O!V$I$N%"%I%l%9!W$N!V$I$N%]!<%H!W$+$i!V$I$N%"%I(B
$B%l%9!W$N!V$I$N%]!<%H!W$X$N%Q%1%C%H$r(B block $B$9$k$+(B pass $B$9$k$+!"(B
$B$r;XDj$9$k$3$H$G9T$$$^$9!#(B
$B0J2<$NNc$G$O!"2f!9$,4IM}$7$F$$$k%5%V%M%C%H$h$j30$+$iFb$N%"%/%;%9(B
$B$O!"0lIt$N%^%7%s$r=|$$$F$OA4$F%V%m%C%/$7!"Fb$+$i30$X$N%"%/%;%9$O!"(B
$B86B'$H$7$FA4$FAGDL$7$9$k%]%j%7!<$G5-=R$5$l$F$$$^$9!#(B
$B0J2<!"4IM}$7$F$$$k%5%V%M%C%H$r(B
123.45.1.0/24
$B$H$7$FNc$r<($7$^$9!#(B24$B$O%5%V%M%C%H%^%9%/$G$9!#(B
$B$^$?!"(Bgateway $B$O(B
123.45.1.111 (hme0)
$B$,(B LAN$BB&$N%$%s%?!<%U%'!<%9!"(B
123.45.2.10 (hme1)
$B$,30B&$N%$%s%?!<%U%'!<%9$H$7$^$9!#(B
===================== $B$3$3$+$i(B ====================
########## quickly deny malicious packets
#
block in quick from any to any with short
block in log quick from any to any with ipopts
===================== $B$3$3$^$G(B ====================
$B$^$:$O$3$N%k!<%k$G!"IT@5$J%Q%1%C%H$r$O$M$^$9!#(Bblock $B$O(B block $B$9(B
$B$k0UL#$G!"H?BP$KDL$9>l9g$O(B pass $B$H$J$j$^$9!#(B
log $B$H$$$&$N$O!"$3$N%k!<%k$K%^%C%A$9$k%Q%1%C%H$N%m%0$r<h$k;X<($G(B
$B$9!#%m%0$O(B /dev/ipl $B$H$$$&%G%P%$%9%U%!%$%k$+$i%"%/%;%9$G$-$^$9$,!"(B
$B$3$N%G%P%$%9$O(B bounded buffer $B$J$N$G!"$"$kDxEY0J>e$N%m%0$O>C$($F(B
$B$7$^$$$^$9!#(B
/dev/ipl $B$NFbMF$rFI$_=P$9$K$O(B ipmon $B$H$$$&%W%m%0%i%`$r;H$$$^$9!#(B
ipmon $B$O(B stdout, syslog, $B$b$7$/$ODL>o$N%U%!%$%k$K%m%0$r=PNO$7$^(B
$B$9!#5/F0;~$K(B ipmon $B$rN)$A>e$2$k$J$i!"<!$N$h$&$J9T$r(B rc $B%U%!%$%k(B
$B$K=q$/$H$h$$$G$7$g$&!#(B
ipmon -n -o I ${IPMONLOG} < /dev/null > /dev/null 2>&1 &
${IPMONLOG} $B$OE,Ev$J%U%!%$%kL>$KCV49$7$F$/$@$5$$!#(Bsyslog $B$K=PNO(B
$B$9$k>l9g$O!"(B-s $B%*%W%7%g%s$rIU$1$^$9!#(Bsyslog $B$K=PNO$9$k>l9g!"(B
local0.info $B$r5-O?$9$k$h$&$K(B syslog.conf $B$rJT=8$7$F$/$@$5$$!#(B
$BNc$($P!"(B
local0.info ifdef(`LOGHOST', /var/log/syslog, @loghost)
quick $B$H$$$&$N$O!"$3$N%k!<%k$K%^%C%A$7$?%Q%1%C%H$O0J9_$N%k!<%k$r(B
$BD4$Y$:$K!"%"%/%7%g%s(B(block or pass)$B$K=>$o$;$k$H$$$&$b$N$G$9!#$?(B
$B$@$7!"Nc30$,$"$j$^$9!#8e=R$7$^$9!#(B
===================== $B$3$3$+$i(B ====================
########## group setup
#
block in on hme1 all head 100
block out on hme1 all head 150
pass in quick on hme0 all
pass out quick on hme0 all
===================== $B$3$3$^$G(B ====================
$B<!$K@)8f$r$+$1$k%$%s%?!<%U%'!<%9Kh$K%Q%1%C%H$KE,MQ$9$k%k!<%k$rJ,(B
$BN`$7$^$9!#(Bhme0 $B$O(B LAN $BB&$N%$%s%?!<%U%'!<%9$J$N$G!"B(:B$K5v2D(B
(pass quick)$B$7$F$$$^$9!#(B
all $B$H$$$&$N$O!"(Bfrom any to any $B$N>JN,7A$G$9!#(B
$B30It$H$N%$%s%?!<%U%'!<%9$G$"$k(B hme1 $B$O(B incoming $B$H(B outgoing $B$G!"(B
$B$=$l$>$l(B group 100 $BHV$H(B 150 $BHV$KJ,N`$7$^$9!#(Bhead $B$H$$$&$N$O!"$3(B
$B$N%k!<%k$K%^%C%A$7$?%Q%1%C%H$r<!$NHV9f$N%0%k!<%W$KJ,N`$9$k$H$$$&(B
$B0UL#$G$9!#(B
===================== $B$3$3$+$i(B ====================
########## deny IP spoofing
#
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from 123.45.2.10/32 to any group 100
block in log quick from 123.45.1.111/24 to any group 100
#
########## deny reserved addresses
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
===================== $B$3$3$^$G(B ====================
IP $B%"%I%l%9$r2~cb$7$?%Q%1%C%H$rB(:B$K5qH]$7$F$$$^$9!#KvHx$N(B
group 100 $B$H$$$&$N$O(B head 100 $B$GJ,N`$5$l$?%Q%1%C%H$K$N$_%^%C%A$9(B
$B$k%k!<%k$H$$$&0UL#$G$9!#(B
-----
$B$3$3$^$G$G!"4pK\E*$K(BLAN$BFb$NDL?.$OAGDL$7$@$,30It$H$NDL?.$O%G%U%)(B
$B%k%H$G0l@Z6X;_$H$$$&@_Dj$K$J$j$^$9!#0J9_$G$O!"$=$N%G%U%)%k%H$KBP(B
$B$9$kNc30$H$$$&7A$G!"DL$7$?$$%Q%1%C%H$r5-=R$7$F$$$-$^$9!#(B
$B$^$:!"FbIt$+$i30It$X$N@\B3$K4X$9$k@_Dj$r$7$^$9!#(B
===================== $B$3$3$+$i(B ====================
########## OUTGOING
#
## allow ping out
#
pass out quick proto icmp from any to any keep state group 150
#
## allow all outgoing UDP packets except for netbios ports (137-139).
#
pass out quick proto udp from any to any keep state head 160 group 150
block out log quick proto udp from any to any port 136 >< 140 group 160
#
## pass all TCP connection setup packets except for netbios ports (137-139).
#
pass out quick proto tcp from any to any flags S/SAFR keep state head 170 group 150
block out log quick proto tcp from any to any port 136 >< 140 group 170
===================== $B$3$3$^$G(B ====================
$B$3$l$O4pK\E*$KA4$F$N%Q%1%C%H$r5v$9%k!<%k$G$9!#$7$+$7!"(Bnetbios
(137-139/udp, tcp)$B$N%]!<%H$@$1$O6X;_$7$F$$$^$9!#(Bnetbios$B$O(B Windows
$B$N%U%!%$%k6&M-$G;H$o$l$k%]!<%H$G!"$3$N%]!<%H$,3+$$$F$$$k$H!"(B
Windows$B$N@_Dj$K$h$C$F$O!"@$3&Cf$+$i%U%!%$%k$rFI$_=q$-$G$-$k(B
$B62$l$,$"$j$^$9!#(B
$B$3$3$G!"4JC1$K=q<0$r8+$F$*$/$H!"(B
* $B:G=i$NC18l$G!"(Bblock$B$9$k$+(Bpass$B$9$k$+;XDj$9$k(B
* proto $B$N8e$NC18l$G!"(Bprotocol$B$r;XDj$9$k(B(udp, tcp, icmp, etc.)$B!#(B
* from A to B $B$G!"$I$3$+$i$I$3$X$N%Q%1%C%H$+$r;XDj$9$k(B
* head XXX$B$r;XDj$9$k$H!"$=$N9T$G;XDj$5$l$"$?%Q%1%C%H$O!"(Bgroup
XXX$B$H$7$F;2>H$G$-$k(B
* group$B$r;XDj$9$k$3$H$G!"5,B'$rE,MQ$9$k8uJd$r(B($BM=$a(Bhead$B$G@_Dj$7$?(B)
group$B$K8BDj$G$-$k!#(B
$B$^$?!"(Bfrom A to B$B$N(BA$B$d(BB$B$O!"(BIP$B%"%I%l%9$H(Bport$B$r=q$/$3$H$,$G$-$^$9!#(B
from any to any port 136 >< 140
$B$H$$$&$N$O!"(B
$B!VG$0U$N%]!<%H$NG$0U$N%"%I%l%9$+$i!"(B137$BHV$+$i(B139$BHV%]!<%H$NG$0U$N(B
$B%"%I%l%9$X$N%Q%1%C%H!W(B
$B;XDj$7$F$$$k$3$H$K$J$j$^$9!#$^$?!"HV9f$NBe$o$j$K(B/etc/service$B$K5-(B
$B=R$5$l$F$$$k%5!<%S%9L>$r5-=R$9$k$3$H$b$G$-$^$9!#(B
$B$?$H$($P(B
from any to any port = telnet
$B$H(B
from any to any port = 23
$B$OF1$80UL#$H$J$j$^$9!#(B
$B$5$F!"$3$3$G(B quick $B$NNc30$r@bL@$7$F$*$-$^$9!#(Bquick $B$NIU$$$?(B
rule $B$,(B head $B$G?7$?$J%0%k!<%W$r:n$k>l9g!"=hM}$O$^$@$3$N;~E@(B
$B$G$O3NDj$7$^$;$s!#0J9_!"!V(Bhead $B$G@k8@$5$l$?%0%k!<%W$N%k!<%k!W(B
$B$N$_=hM}$9$k$H$$$&0UL#$K$J$j$^$9!#$G$9$+$i>e$N!"(B
pass out quick proto udp from any to any keep state head 160 group 150
block out log quick proto udp from any to any port 136 >< 140 group 160
$B$O!"$^$:(B 150$BHV%0%k!<%W$K%^%C%A$9$k(B UDP $B%Q%1%C%H$OAGDL$7(B
$B$9$k!"$,!"0J2<$N(B 160$BHV$KB0$9$k%k!<%k$r$^$@=hM}$9$k!#(B
$B$=$7$F(B2$B9TL\$G(B 160$BHV%0%k!<%W$KBP$7$F(B netbios packet $B$r(B
block $B$7$F$$$kLu$G$9!#(B
$B0l9TL\$K%^%C%A$7$?%Q%1%C%H$O0J2<$K$b$7(B150$BHV$N%0%k!<%W$N(B
$B%k!<%k$,$"$C$?$H$7$F$b!"L5;k$9$k$3$H$KCm0U$7$F$/$@$5$$!#(B
----------
$B<!$K!"30It$+$iFbIt$X$N%"%/%;%9$N@_Dj$r$7$^$9!#(B
* $B%k!<%F%#%s%0>pJs(B(RIP)$B$N%Q%1%C%H$O!"A4It5v$7$^$9!#(B
pass in quick proto udp from any to any port = 520 keep state group 100
* ICMP$B$N%Q%1%C%H$OA4It5v$7$^$9!#(B
pass in quick proto icmp from any to any group 100
* $BFbIt$+$i30It$X$N(Bftp$B$r5v$9$?$a$K!"(Bftp-data port$B$+$i0lHL%]!<%H$X(B
$B$NG$0U$N@\B3$r<u$1IU$1$^$9!#$3$l$O(Bpassive mode$B$G$J$$(BFTP$B$N5sF0(B
$B$G$9!#(B
pass in quick proto tcp from any port = ftp-data to any port > 1023 flags S/SA keep state group 100
$B$7$+$7!"$3$l$O0lHL$K8@$C$FB?>/4m81$J9T0Y$G$9!#@\B3$G$-$k$N$,(B
1024$BHV0J9_$N0lHL%]!<%H$K8BDj$O$5$l$^$9$,!"$"$^$j$*4+$a$G$-$^$;$s!#(B
$B$3$N9T$r2C$($:$K!"(Bpassive mode (ftp $B$G(B pasv $B%3%^%s%I$GF~$l$k(B)
$B$G(B FTP $B$r$9$k$3$H$r4+$a$^$9!#$J$*!":G6a$N(B FTP client $B$O:G=i(B
$B$+$i(B passive mode $B$KL5>r7o$G$7$F$7$^$&$b$N$,B?$$$h$&$G$9!#(B
* sendmail$B$d(Bftpd$B$K7R$0$H!"Aj<j$,(Bident$B%]!<%H$X%"%/%;%9$7$F$/$k$3(B
$B$H$,$"$k$N$G!"(Bident port$B$r3+$1$^$9!#(Bident $B$ODL>o$O5/F0$5$l$F$$(B
$B$J$$(B daemon $B$J$N$G!"AGDL$7$7$F$b%;%-%e%j%F%#%[!<%k$K$J$k$3$H$O$"(B
$B$j$^$;$s(B(connection refused$B$K$J$k$@$1$G$9(B)$B!#$3$l$r3+$1$J$$$H!"(B
$BAj<jB&$O(B timeout $B$9$k$^$G@h$K?J$^$J$$$N$G!"(BFTP $B$d(B mail $B$NAw?.(B
$B$,$d$?$i$KCY$/$J$k$3$H$,$"$j$^$9!#(B
$B$b$7(B 113 $BHV%]!<%H$K@\B3$G$-$k$h$&$J$i!"$=$N%5!<%S%9$OB(:B$K(B
$BDd;_$9$k$3$H$r4+$a$^$9!#(B
pass in quick proto tcp from any to any port = 113 flags S/SA keep state group 100
------
$B<!$K!"30It$+$i(B firewall $B$X$N%"%/%;%9$r5v$9%5!<%S%9$r5-=R$7$F$$$-(B
$B$^$9!#$^$:$O!"30It$+$i$N@\B3$r5v$7$?$$%[%9%H$K$D$$$F!"%0%k!<%WHV(B
$B9f$r$D$1$^$9!#(B
===================== $B$3$3$+$i(B ====================
## grouping by host
block in log quick proto tcp from any to 123.45.1.X flags S/SA head 110 group 100
block in log quick proto tcp from any to 123.45.1.Y flags S/SA head 111 group 100
===================== $B$3$3$^$G(B ====================
$B$3$l$G!"(B
$B30It$+$i(B 123.45.1.X $B$X$N@\B3$O(B group 110
$B30It$+$i(B 123.45.1.Y $B$X$N@\B3$O(B group 111
$B$G;2>H$9$k$3$H$,$G$-$^$9!#(B
$BB>$K$b5v$7$?$$%[%9%H$rA}$d$7$?$$$H$-$O!">e$HF1MM$K$7$F!"(Bhead$B$N8e(B
$B$K!"?7$7$$?t;z(B(112, 113$B$J$I(B)$B$r3d$jEv$F$F$/$@$5$$!#(B
$B$b$&0lEYCm0U$7$F$*$-$^$9$,!"(Bquick $B$H(B head $B$,F1;~$K8=$l$k%k!<%k(B
$B0J9_$G$O!"(Bhead $B$G@k8@$5$l$?%0%k!<%W$N%k!<%k$7$+E,MQ$5$l$J$/$J$j(B
$B$^$9!#$G$9$+$i!">e$N(B ident $B$d(B ftp data-port $B$N$h$&$K!"FbIt$N(B
$BA4$F$N%[%9%H$K%^%C%A$9$k%k!<%k$O!"$3$N%[%9%H$K$h$k%0%k!<%WJ,$1(B
$B$NA0$KCV$/I,MW$,$"$j$^$9!#(B
X$B$X$O!"(Btelnet, ftp, ssh $B$r!"(BY$B$X$O!"(Bftp, http, smtp, pop $B$r5v$9$3(B
$B$H$K$7$^$9!#(B
* X(group 110)$B$X$N(Btelnet$B$r5v$7$^$9(B
pass in quick proto tcp from any to any port = telnet keep state group 110
* X$B$X$N(Bftp$B$r5v$7$^$9!#(Bftp-data port $B$b3+$1$F$*$-$^$9!#(B
($BI,MW$,$"$k$+$I$&$+3NG'$O$7$F$$$^$;$s$,!"3+$1$F$$$F$b0BA4$G$7$g$&(B)$B!#(B
pass in quick proto tcp from any to any port = ftp keep state group 110
pass in quick proto tcp from any to any port = ftp-data keep state group 110
* X$B$X$N(Bssh$B$r5v$7$^$9!#(B
pass in quick proto tcp from any to any port = 22 keep state group 110
* Y$B$X$N(Bftp$B$r5v$7$^$9!#(B
pass in quick proto tcp from any to any port = ftp keep state group 111
pass in quick proto tcp from any to any port = ftp-data keep state group 111
pass in quick proto tcp from any to any port 2999 >< 3100 keep state group 111
Y$B$O(B anonoymous ftp $B%5!<%P$r1?1D$7$F$$$k$?$a(B wu-ftpd $B$r;H$C$F$$(B
$B$^$9!#(Bwu-ftpd $B$O(B passive mode $B$N(BFTP$B$K$bBP1~$7$F$$$^$9$N$G!"$I(B
$B$N%]!<%H$r(BPASV$BMQ$K;H$&$+!"(Bwu-ftpd $B$N@_Dj$K=q$$$F$*$/I,MW$,$"$j(B
$B$^$9!#$3$3$G$O(B3000$B$+$i(B3099$BHV%]!<%H$r;HMQ$9$k$h$&$K!"(Bwu-ftpd $B$r(B
$B@_Dj$7$F$$$^$9!#(B
passive FTP $B$K$D$$$F2r@b$7$^$9!#(Bpassive FTP $B$O!"%/%i%$%"%s%H$,(B
$B%U%!%$%"%&%)!<%k$NFbB&$K$$$k>l9g$N$?$a$K3+H/$5$l$?%W%m%H%3%k$G(B
$B$9!#%G%U%)%k%H$G$O>e$G@bL@$7$?$h$&$K!"%G!<%?E>Aw$N$?$a!"%5!<%P(B
$B$N(B ftp-data port $B$+$i%/%i%$%"%s%H$K@\B3$,$$$-$^$9!#(B
passive FTP $B$G$O!"%G!<%?E>Aw$b(B client $B$+$i%5!<%P$K@\B3$9$k$h$&(B
$B$K$J$j$^$9!#$=$N:]!"%5!<%P$OE,Ev$J%]!<%HHV9f$r3d$j?6$C$F!"$=$3(B
$B$K%/%i%$%"%s%H$,@\B3$9$k$h$&;X<($7$^$9!#(B
$B$3$N$?$a!"%5!<%P$,%U%!%$%"%&%)!<%kFb$K$$$k>l9g!"E,Ev$J%]!<%HHV(B
$B9f$O%U%!%$%"%&%)!<%k$G$O$M$i$l$F$7$^$$$^$9!#$=$3$G!"(Bwu-ftpd $B$N(B
$B@_Dj$G!"3d$j?6$k%]!<%HHV9f$NHO0O$r8BDj$7$F!"$=$3$@$1%U%!%$%"(B
$B%&%)!<%k$K7j$r3+$1$F$$$k$o$1$G$9!#(Bwu-ftpd $B$N>l9g$O!"(Bftpaccess
$B$H$$$&%U%!%$%k$K(B
# passive ports <cidr> <min> <max>
passive ports 0.0.0.0/0 3000 3099
$B$HDI2C$9$k$3$H$G@_Dj$G$-$^$9!#(Bftpaccess(5)$B$r;2>H$7$F$/$@$5$$!#(B
* Y$B$X$N(Bhttp$B$r5v$7$^$9!#(B
pass in quick proto tcp from any to any port = 80 keep state group 111
* Y$B$X$N(Bsmtp$B$r5v$7$^$9!#(B
pass in quick proto tcp from any to any port = smtp keep state group 111
* Y$B$X$N(Bpop$B$r5v$7$^$9!#(B
pass in quick proto tcp from any to any port = 110 keep state group 111
$B0J>e$N@_Dj$K$h$j!"(BX, Y $B0J30$N%^%7%s$X$N!"30It$+$i$N@\B3$O!"0l@Z(B
$B9T$($J$/$J$j$^$9$N$G!"(Bremote exploit $BBP:v$O!"(BX, Y $B$K$N$_9T$($P$h(B
$B$/$J$j!"4IM}$N<j4V$,7Z8:$G$-$^$9!#(B
$BB>$N%W%m%H%3%k$rDL$9>l9g$b!">e$r;29M$K$7$FDL$7$?$$%]!<%HHV9f$r=q(B
$B$/$@$1$G$9$,!"$$$/$D$+Cm0UE@$,$"$j$^$9!#0J2<$bL\$rDL$7$F$/$@$5$$!#(B
-----
$B$=$NB>$NCm0U(B
1) gateway $B%^%7%s$N$h$&$K!"J#?t$N(BIP$B%"%I%l%9$r;}$D%^%7%s$G%5!<%S(B
$B%9$rN)$A>e$2$k>l9g$O!"$=$l$>$l$N(BIP$B%"%I%l%9$KBP$7$F!"(Bport $B$r3+$/(B
$BI,MW$,$"$j$^$9!#Nc$($P(B X $B$,(B IP:a $B$H(B IP:b $B$r;}$D$J$i!"(Bgroup $B$O(B a,
b $B$=$l$>$lMQ0U$7$F!"N>J}$N%0%k!<%WMQ$K(B rule $B$rDI2C$9$kI,MW$,$"$j(B
$B$^$9!#0J2<$NNc$G$O!"%2!<%H%&%'%$%^%7%s(B(123.45.2.10$B$H(B123.45.1.111
$B$N(BIP$B$r;}$D(B)$B$K(BNNTP$B%5!<%P$rN)$F$F$$$^$9!#(B
($BNc(B)
#### grouping by host
block in log quick proto tcp from any to 123.45.2.10 flags S/SA head 112 group 100
block in log quick proto tcp from any to 123.45.1.111 flags S/SA head 113 group 100
#### allow NNTP
pass in quick proto tcp from any to any port = nntp keep state group 112
pass in quick proto tcp from any to any port = nntp keep state group 113
gateway $B$,(B2$B$D0J>e$"$k%M%C%H%o!<%/$G$O!"N>J}$N(B gateway $B$K(B IP
filter $B$,I,MW$K$J$j!"@_Dj$O99$KJ#;($K$J$j$^$9!#$=$N$h$&$J4D6-$N(B
$B>l9g$K$O!"%^%K%e%"%k$rFI$s$G8!F$$7$F$/$@$5$$!#(B
2) NFS$B$H(Brsh$B$O%W%m%H%3%k$N4X78>e!"(Bfirewall$BD6$($OIT2DG=$G$9!#(B
NFS$B$NBeBX$K$D$$$F$OITL@$G$9$,!"(Brsh$B$NBeBX$H$7$F$O(Bssh$B$,;H$($^$9!#(B
3) $B30It$N(BX client $B$r!"%U%!%$%"%&%)!<%kFb$N(BX$B%5!<%P$K@\B3$5$;$?$$!"(B
$B$H$$$&$N$O(B FAQ $B$N0l$D$G$9!#$*4+$a$N2r7h:v$O!"(Bssh $B$N(B X forwarding
$B5!9=$r;H$&$3$H$G$9!#(Bssh$B$G@\B3$G$-$k$J$i$P!"$3$l$O40A4$K(B secure
$B$GHFMQE*$JJ}K!$G$9!#(B
$B$=$l$,=PMh$J$$>l9g$O!"2f!9$O@\B3$5$;$?$$%[%9%H$N%Z%"$r%f!<%6$KJs(B
$B9p$7$F$b$i$C$F!"0J2<$N$h$&$J%k!<%k$rDI2C$7$F$$$^$9!#(B
# X:0 $B$O(B tcp:6000 $BHV$K$J$j$^$9!#(B
# 123.45.1.Z:0 (server) <-> A.B.C.D (client)
pass in quick proto tcp from A.B.C.D port > 1023 to 123.45.1.Z port = 6000 flags S/SA keep state group 100
-----
$B:G8e$K!";D$k%Q%1%C%H$OA4$F%V%m%C%/$5$l$kLu$G$9$,!"$=$l$K$D$$$F$N(B
$BA4$F$N%m%0$r;D$9$3$H$r4uK>$9$k>l9g!"<!$N%k!<%k$r!VI,$::G8e$K!W2C(B
$B$($^$9!#(B
## log blocked packets
block in log quick from any to 123.45.1.111/24 group 100
block in log quick from any to 123.45.2.10 group 100
------
$B:#Kx$N@_Dj$r$R$H$D$K$^$H$a$?%U%!%$%k$r:G8e$KE:IU$7$^$9!#(B
===================== $B$3$3$+$i(B ====================
########## Packet Filtering Rules for 123.45.1. ##########
#
# The following routes should be configured, if not already:
#
# route add 123.45.1.111 localhost 0 (hme0) (LAN)
# route add 123.45.2.10 localhost 0 (hme1) (upstream)
#
########## quickly deny malicious packets
#
block in quick from any to any with short
block in log quick from any to any with ipopts
#
########## group setup
#
block in on hme1 all head 100
block out on hme1 all head 150
pass in quick on hme0 all
pass out quick on hme0 all
#
########## deny IP spoofing
#
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from 123.45.2.10/32 to any group 100
block in log quick from 123.45.1.111/24 to any group 100
#
########## deny reserved addresses
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
########## OUTGOING
#
## allow ping out
pass out quick proto icmp from any to any keep state group 150
#
## allow all outgoing UDP packets except for netbios ports (137-139).
#
pass out quick proto udp from any to any keep state head 160 group 150
block out log quick proto udp from any to any port 136 >< 140 group 160
#
## pass all TCP connection setup packets except for netbios ports (137-139).
#
pass out quick proto tcp from any to any flags S/SAFR keep state head 170 group 150
block out log quick proto tcp from any to any port 136 >< 140 group 170
#
######### INCOMING
## ICMP
pass in quick proto icmp from any to any group 100
## RIP
pass in quick proto udp from any to any port = 520 keep state group 100
## FTP
pass in quick proto tcp from any port = ftp-data to any port > 1023 flags S/SA keep state group 100
## IDENT
pass in quick proto tcp from any to any port = 113 flags S/SA keep state group 100
#
## grouping by host (112 & 113 is the gateway address)
block in log quick proto tcp from any to 123.45.1.X flags S/SA head 110 group 100
block in log quick proto tcp from any to 123.45.1.Y flags S/SA head 111 group 100
block in log quick proto tcp from any to 123.45.2.10 flags S/SA head 112 group 100
block in log quick proto tcp from any to 123.45.1.111 flags S/SA head 113 group 100
#
## telnet, ftp, ssh, www, smtp, pop
pass in quick proto tcp from any to any port = telnet keep state group 110
pass in quick proto tcp from any to any port = ftp keep state group 110
pass in quick proto tcp from any to any port = ftp-data keep state group 110
pass in quick proto tcp from any to any port = 22 keep state group 110
pass in quick proto tcp from any to any port = ftp keep state group 111
pass in quick proto tcp from any to any port = ftp-data keep state group 111
pass in quick proto tcp from any to any port 2999 >< 3100 keep state group 111
pass in quick proto tcp from any to any port = 80 keep state group 111
pass in quick proto tcp from any to any port = smtp keep state group 111
pass in quick proto tcp from any to any port = 110 keep state
group 111
#
## allow NNTP on the gateway
pass in quick proto tcp from any to any port = nntp keep state group 112
pass in quick proto tcp from any to any port = nntp keep state group 113
#
## X connections
# 123.45.1.Z:0 (server) <-> A.B.C.D (client)
pass in quick proto tcp from A.B.C.D port > 1023 to 123.45.1.Z port = 6000 flags S/SA keep state group 100
#
## log blocked packets
## THIS MUST BE THE LAST RULE!
block in log quick from any to 123.45.1.111/24 group 100
block in log quick from any to 123.45.2.10 group 100
===================== $B$3$3$^$G(B ====================
----
$B$3$NJ8=q$N<h$j07$$$K$D$$$F(B
Copyright (C) 1999 TOYAMA Sumio <sumio@is.s.u-tokyo.ac.jp>
and YAMAMOTO Hirotaka <ymmt@is.s.u-tokyo.ac.jp>
THIS DOCUMENT IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.
Permission to modify this document and to distribute it is hereby
granted, as long as above notices and copyright notice are retained.


@ -1,90 +0,0 @@
What's new in IPFilter 4.1
==========================
(Well, compared to 3.*, anyway)
In no particular order, except headline alphabetical:
Administration:
- Run-time support for modifying ipf table size parameters.
- Run-time support for tuning other ipfilter parameters.
Content Scanning:
- Simple matching of content for TCP session startup.
Firewall Synchronising:
- Master/slave programs available.
General:
- All input files allow simple 'marco' definitions and expansion,
including nesting.
- Code has been rototilled to make maintenance and enhancements
eaiser for me and you.
- More configuration files and binaries.
- Takes up more memory.
- Probably slower.
- Versioned API to support changes in the ABI without breaking
existing binaries (4.0 onward only.)
- IP-Filter framework in place for handling multiple different
types of packet matching for firewalling.
- IP Id number rewriting available.
- Verification of checksums for recognised packet types.
- Optionally enable/disable IP forwarding when enabled/disabled.
IPF:
- BPF syntax available for matching packets in ipf rules (1).
- Can convert IPv4 ipf rules into C code and either:
* load them as an LKM o;
* compile them statically into the kernel (where possible.)
- Address pools allow for simpler rules covering large numbers of
addresses/networks (IPv4 only).
- Lookup functions available to map an IPv4 address to a group.
- Groups can be referenced by multiple heads for subroutine-like use.
- NAT/ipf rules can refer to each other via a tag, creating an implied
join that forms part of the packet matching.
- Extra packet attributes available for filter rules:
* source address/routing interface mismatch;
* multicast (3);
* broadcast (2,3);
* state lookup partially failed;
* out of the TCP window for a state connection;
* NAT lookup partially failed.
- PPS (packets per second) matching available for ipf rules.
- Rule collections (cf FreeBSD numbering) supported for ipf rules.
- Groups can now be names rather than just numbers
IPV6:
- understands extension headers.
- can filter on extension headers.
Logging:
- ipmon now comes with a configuration file for more advanced logging
behaviour.
- Can append arbitrary logging tags with ipf rules for easy matching.
NAT:
- "sticky" mapping available to ensure an address translation on
a per-address basis is always the same (while known) for a set
IP address.
Operating System Support:
- HP-UX 11 added.
- Tru64 5.1a added.
- Solaris/HP-UX now use pfil STREAMS module.
- Linux 2.4 on the way.
Proxies:
- PPTP proxy added.
- IRC proxy added.
- RPCBIND proxy added.
- FTP proxy support for EPSV (IPv4 only.)
Stateful Inspection:
- Can insist that all TCP data arrives in order.
- Can insist that all fragments pass through in order.
- The number of states created per-rule can be set where the total
across all rules may exceed the maximum allowed.
- Can elect not to automatically match ICMP error packets.
- TCP sequence number rewriting supported.
(1) - Requires libpcap for rule parsing
(2) - On Solaris/HP-UX, broadcast packets are seen as multicast packets.
(3) - Not supported on SunOS4


@ -1,88 +0,0 @@
#! /bin/sh
#
# @(#)install.sh 4.5 (Berkeley) 10/12/83
#
cmd=/bin/mv
strip=""
chmod="chmod 755"
if [ "`uname -s`" = "HP-UX" ] ; then
chown="chown root"
chgrp="chgrp bin"
else
chown="chown -f root"
chgrp="chgrp -f bin"
fi
while true ; do
case $1 in
-s ) strip="strip"
shift
;;
-c ) cmd="cp"
shift
;;
-m ) chmod="chmod $2"
shift
shift
;;
-o ) chown="chown -f $2"
shift
shift
;;
-g ) chgrp="chgrp -f $2"
shift
shift
;;
-d ) cmd="mkdir"
shift
;;
* ) break
;;
esac
done
if [ ! ${2-""} ]
then echo "install: no destination specified"
exit 1
fi
if [ ${3-""} ]
then echo "install: too many files specified -> $*"
exit 1
fi
if [ $1 = $2 -o $2 = . ]
then echo "install: can't move $1 onto itself"
exit 1
fi
case $cmd in
/bin/mkdir )
file=$2/$1
;;
* )
if [ '!' -f $1 ]
then echo "install: can't open $1"
exit 1
fi
if [ -d $2 ]
then file=$2/$1
else file=$2
fi
/bin/rm -f $file
;;
esac
case $cmd in
/bin/mkdir )
if [ ! -d "$file" ]
then $cmd $file
fi
;;
* )
$cmd $1 $file
if [ $strip ]
then $strip $file
fi
;;
esac
$chown $file
$chgrp $file
$chmod $file


@ -1,104 +0,0 @@
icmp 1 ICMP # Internet Control Message
igmp 2 IGMP # Internet Group Management
ggp 3 GGP # Gateway-to-Gateway
ip 4 IP # IP in IP (encasulation)
st 5 ST # Stream
tcp 6 TCP # Transmission Control
ucl 7 UCL # UCL
egp 8 EGP # Exterior Gateway Protocol
igp 9 IGP # any private interior gateway
bbn-rcc-mon 10 BBN-RCC-MON # BBN RCC Monitoring
nvp-ii 11 NVP-II # Network Voice Protocol
pup 12 PUP # PUP
argus 13 ARGUS # ARGUS
emcon 14 EMCON # EMCON
xnet 15 XNET # Cross Net Debugger
chaos 16 CHAOS # Chaos
udp 17 UDP # User Datagram
mux 18 MUX # Multiplexing
dcn-meas 19 DCN-MEAS # DCN Measurement Subsystems
hmp 20 HMP # Host Monitoring
prm 21 PRM # Packet Radio Measurement
xns-idp 22 XNS-IDP # XEROX NS IDP
trunk-1 23 TRUNK-1 # Trunk-1
trunk-2 24 TRUNK-2 # Trunk-2
leaf-1 25 LEAF-1 # Leaf-1
leaf-2 26 LEAF-2 # Leaf-2
rdp 27 RDP # Reliable Data Protocol
irtp 28 IRTP # Internet Reliable Transaction
iso-tp4 29 ISO-TP4 # ISO Transport Protocol Class 4
netblt 30 NETBLT # Bulk Data Transfer Protocol
mfe-nsp 31 MFE-NSP # MFE Network Services Protocol
merit-inp 32 MERIT-INP # MERIT Internodal Protocol
sep 33 SEP # Sequential Exchange Protocol
3pc 34 3PC # Third Party Connect Protocol
idpr 35 IDPR # Inter-Domain Policy Routing Protocol
xtp 36 XTP # XTP
ddp 37 DDP # Datagram Delivery Protocol
idpr-cmtp 38 IDPR-CMTP # IDPR Control Message Transport Proto
tp++ 39 TP++ # TP++ Transport Protocol
il 40 IL # IL Transport Protocol
ipv6 41 IPv6 # Internet Protocol, version 6
sip 41 SIP # Simple Internet Protocol
sdrp 42 SDRP # Source Demand Routing Protocol
ipv6-route 43 IPv6-Route # Routing Header for IPv6
sip-sr 43 SIP-SR # SIP Source Route
ipv6-frag 44 IPv6-Frag # Fragment Hedaer for IPv6
sip-frag 44 SIP-FRAG # SIP Fragment
idrp 45 IDRP # Inter-Domain Routing Protocol
rsvp 46 RSVP # Reservation Protocol
gre 47 GRE # General Routing Encapsulation
mhrp 48 MHRP # Mobile Host Routing Protocol
bna 49 BNA # BNA
esp 50 esp # Encap Security Payload
ah 51 AH # Authentication Header
i-nlsp 52 I-NLSP # Integrated Net Layer Security TUBA
swipe 53 SWIPE # IP with Encryption
nhrp 54 NHRP # NBMA Next Hop Resolution Protocol
mobile 55 MOBILE # IP Mobility (IP tunneling)
ipv6-icmp 58 icmpv6 IPv6-ICMP ICMPv6 # ICMP version 6
ipv6-nonxt 59 IPv6-Nonxt # No Next Header for IPv6
ipv6-opts 60 IPv6-Opts # Destination Options for IPv6
any 61 any # host internal protocol
cftp 62 CFTP # CFTP
any 63 any # local network
sat-expak 64 SAT-EXPAK # SATNET and Backroom EXPAK
kryptolan 65 KRYPTOLAN # Kryptolan
rvd 66 RVD # MIT Remote Virtual Disk Protocol
ippc 67 IPPC # Internet Pluribus Packet Core
any 68 any # distributed file system
sat-mon 69 SAT-MON # SATNET Monitoring
visa 70 VISA # VISA Protocol
ipcv 71 IPCV # Internet Packet Core Utility
cpnx 72 CPNX # Computer Protocol Network Executive
cphb 73 CPHB # Computer Protocol Heart Beat
wsn 74 WSN # Wang Span Network
pvp 75 PVP # Packet Video Protocol
br-sat-mon 76 BR-SAT-MON # Backroom SATNET Monitoring
sun-nd 77 SUN-ND # SUN ND PROTOCOL-Temporary
wb-mon 78 WB-MON # WIDEBAND Monitoring
wb-expak 79 WB-EXPAK # WIDEBAND EXPAK
iso-ip 80 ISO-IP # ISO Internet Protocol
vmtp 81 VMTP # VMTP
secure-vmtp 82 SECURE-VMTP # SECURE-VMTP
vines 83 VINES # VINES
ttp 84 TTP # TTP
nsfnet-igp 85 NSFNET-IGP # NSFNET-IGP
dgp 86 DGP # Dissimilar Gateway Protocol
tcf 87 TCF # TCF
igrp 88 IGRP # IGRP
ospfigp 89 OSPFIGP # OSPFIGP
sprite-rpc 90 Sprite-RPC # Sprite RPC Protocol
larp 91 LARP # Locus Address Resolution Protocol
mtp 92 MTP # Multicast Transport Protocol
ax.25 93 AX.25 # AX.25 Frames
ipip 94 IPIP # IP-within-IP Encapsulation Protocol
micp 95 MICP # Mobile Internetworking Control Pro.
scc-sp 96 SCC-SP # Semaphore Communications Sec. Pro.
etherip 97 ETHERIP # Ethernet-within-IP Encapsulation
encap 98 ENCAP # Encapsulation Header
any 99 any # private encryption scheme
gmtp 100 GMTP # GMTP
pim 103 PIM # Protocol Independant Multicast
ipcomp 108 IPCOMP # IP Payload Compression Protocol
reserved 255 Reserved #



@ -1,639 +0,0 @@
#!/usr/local/bin/perl
# (C) Copyright 1998 Ivan S. Bishop (isb@notoryus.genmagic.com)
#
############### START SUBROUTINE DECLARATIONS ###########
sub usage {
print "\n" x 24;
print "USAGE: ipfanalyze.pl -h [-p port# or all] [-g] [-s] [-v] [-o] portnum -t [target ip address] [-f] logfilename\n";
print "\n arguments to -p -f -o REQUIRED\n";
print "\n -h show this help\n";
print "\n -p limit stats/study to this port number.(eg 25 not smtp)\n";
print " -g make graphs, one per 4 hour interval called outN.gif 1<=N<=5\n";
print " -s make security report only (no graphical or full port info generated) \n";
print " -o lowest port number incoming traffic can talk to and be regarded as safe\n";
print " -v verbose report with graphs and textual AND SECURITY REPORTS with -o 1024 set\n";
print " -t the ip address of the inerface on which you collected data!\n";
print " -f name ipfilter log file (compatible with V 3.2.9) [ipfilter.log]\n";
print " \nExample: ./ipfanalyze.pl -p all -g -f log1\n";
print "Will look at traffic to/from all ports and make graphs from file log1\n";
print " \nExample2 ./ipfanalyze.pl -p 25 -g -f log2\n";
print "Will look at SMTP traffic and make graphs from file log2\n";
print " \nExample3 ./ipfanalyze.pl -p all -g -f log3 -o 1024\n";
print "Will look at all traffic,make graphs from file log3 and log security info for anthing talking inwards below port 1024\n";
print " \nExample4 ./ipfanalyze.pl -p all -f log3 -v \n";
print "Report the works.....when ports below 1024 are contacted highlight (like -s -o 1024)\n";
}
sub makegifs {
local ($maxin,$maxout,$lookat,$xmax)=@_;
$YMAX=$maxin;
$XMAX=$xmax;
if ($maxout > $maxin)
{ $YMAX=$maxout;}
($dateis,$junk)=split " " , @recs[0];
($dayis,$monthis,$yearis)=split "/",$dateis;
$month=$months{$monthis};
$dateis="$dayis " . "$month " . "$yearis ";
# split graphs in to 6 four hour spans for 24 hours
$numgraphs=int($XMAX/240);
$junk=0;
$junk=$XMAX - 240*($numgraphs);
if($junk gt 0 )
{
$numgraphs++;
}
$cnt1=0;
$end=0;
$loop=0;
while ($cnt1++ < $numgraphs)
{
$filename1="in$cnt1.dat";
$filename2="out$cnt1.dat";
$filename3="graph$cnt1.conf";
open(OUTDATA,"> $filename2") || die "Couldnt open $filename2 for writing \n";
open(INDATA,"> $filename1") || die "Couldnt open $filename1 for writing \n";
$loop=$end;
$end=($end + 240);
# write all files as x time coord from 1 to 240 minutes
# set hour in graph via conf file
$arraycnt=0;
while ($loop++ < $end )
{
$arraycnt++;
$val1="";
$val2="";
$val1=$inwards[$loop] [1];
if($val1 eq "")
{$val1=0};
$val2=$outwards[$loop] [1];
if($val2 eq "")
{$val2=0};
print INDATA "$arraycnt:$val1\n";
print OUTDATA "$arraycnt:$val2\n";
}
close INDATA;
close OUTDATA;
$gnum=($cnt1 - 1);
open(INCONFIG,"> $filename3") || die "Couldnt open ./graph.conf for writing \n";
print INCONFIG "NUMBERYCELLGRIDSIZE:5\n";
print INCONFIG "MAXYVALUE:$YMAX\n";
print INCONFIG "MINYVALUE:0\n";
print INCONFIG "XCELLGRIDSIZE:1.3\n";
print INCONFIG "XMAX: 240\n";
print INCONFIG "Bar:0\n";
print INCONFIG "Average:0\n";
print INCONFIG "Graphnum:$gnum\n";
print INCONFIG "Title: port $lookat packets/minute to/from gatekeep on $dateis \n";
print INCONFIG "Transparent:no\n";
print INCONFIG "Rbgcolour:0\n";
print INCONFIG "Gbgcolour:255\n";
print INCONFIG "Bbgcolour:255\n";
print INCONFIG "Rfgcolour:0\n";
print INCONFIG "Gfgcolour:0\n";
print INCONFIG "Bfgcolour:0\n";
print INCONFIG "Rcolour:0\n";
print INCONFIG "Gcolour:0\n";
print INCONFIG "Bcolour:255\n";
print INCONFIG "Racolour:255\n";
print INCONFIG "Gacolour:255\n";
print INCONFIG "Bacolour:0\n";
print INCONFIG "Rincolour:100\n";
print INCONFIG "Gincolour:100\n";
print INCONFIG "Bincolour:60\n";
print INCONFIG "Routcolour:60\n";
print INCONFIG "Goutcolour:100\n";
print INCONFIG "Boutcolour:100\n";
close INCONFIG;
}
$cnt1=0;
while ($cnt1++ < $numgraphs)
{
$filename1="in$cnt1.dat";
$out="out$cnt1.gif";
$filename2="out$cnt1.dat";
$filename3="graph$cnt1.conf";
system( "cp ./$filename1 ./in.dat;
cp ./$filename2 ./out.dat;
cp ./$filename3 ./graph.conf");
system( "./isbgraph -conf graph.conf;mv graphmaker.gif $out");
system(" cp $out /isb/local/etc/httpd/htdocs/.");
}
} # end of subroutine make gifs
sub packbytime {
local ($xmax)=@_;
$XMAX=$xmax;
# pass in the dest port number or get graph for all packets
# at 1 minute intervals
# @shortrecs has form 209.24.1.217 123 192.216.16.2 123 udp len 20 76
# @recs has form 27/07/1998 00:01:05.216596 le0 @0:2 L 192.216.21.16,2733 -> 192.216.16.2,53 PR udp len 20 62
#
# dont uses hashes to store how many packets per minite as they
# return random x coordinate order
@inwards=();
@outwards=();
$cnt=-1;
$value5=0;
$maxin=0;
$maxout=0;
$xpos=0;
while ($cnt++ <= $#recs )
{
($srcip,$srcport,$destip,$destport,$pro)= split " " , @shortrecs[$cnt];
$bit=substr(@recs[$cnt],11);
($bit,$junkit)= split " " , $bit ;
($hour,$minute,$sec,$junk) = split ":", $bit;
#
# covert the time to decimal minutes and bucket to nearest minute
#
$xpos=($hour * 3600) + ($minute * 60) + ($sec) ;
# xpos is number of seconds since 00:00:00 on day......
$xpos=int($xpos / 60);
# if we just want to see all packet in/out activity
if("$lookat" eq "all")
{
if("$destip" eq "$gatekeep")
{
# TO GATEKEEP port lookat
# print "to gatekeep at $xpos\n";
$value5=$inwards[$xpos] [1];
$value5++ ;
# $maxin = $value5 if $maxin < $value5 ;
if($value5 > $maxin)
{
$maxin=$value5;
$timemaxin="$hour:$minute";
}
$inwards[$xpos][1]=$value5;
}
else
{
# FROM GATEKEEP to port lookat
# print "from gatekeep at $xpos\n";
$value4=$outwards[$xpos] [1];
$value4++ ;
# $maxout = $value4 if $maxout < $value4 ;
if($value4 > $maxout)
{
$maxout=$value4;
$timemaxout="$hour:$minute";
}
$outwards[$xpos][1]=$value4;
}
}
if("$destport" eq "$lookat")
{
if("$destip" eq "$gatekeep")
{
# TO GATEKEEP port lookat
# print "to gatekeep at $xpos\n";
$value5=$inwards[$xpos] [1];
$value5++ ;
$maxin = $value5 if $maxin < $value5 ;
$inwards[$xpos][1]=$value5;
}
else
{
# FROM GATEKEEP to port lookat
# print "from gatekeep at $xpos\n";
$value4=$outwards[$xpos] [1];
$value4++ ;
$maxout = $value4 if $maxout < $value4 ;
$outwards[$xpos][1]=$value4;
}
}
} # end while
# now call gif making stuff
if("$opt_g" eq "1")
{
print "Making plots of in files outN.gif\n";;
makegifs($maxin,$maxout,$lookat,$#inwards);
}
if ("$timemaxin" ne "")
{print "\nTime of peak packets/minute in was $timemaxin\n";}
if ("$timemaxout" ne "")
{print "\nTime of peak packets/minute OUT was $timemaxout\n";}
} # end of subroutine packets by time
sub posbadones {
$safenam="";
@dummy=$saferports;
foreach $it (split " ",$saferports) {
if ($it eq "icmp" )
{
$safenam = $safenam . " icmp";
}
else
{
$safenam = $safenam . " $services{$it}" ;
}
}
print "\n\n########################################################################\n";
print "well known ports are 0->1023\n";
print "Registered ports are 1024->49151\n";
print "Dynamic/Private ports are 49152->65535\n\n";
print "Sites that contacted gatekeep on 'less safe' ports (<$ITRUSTABOVE)\n";
print " 'safe' ports are $safenam \n";
print "\n variables saferports and safehosts hardwire what/who we trust\n";
print "########################################################################\n";
$loop=-1;
while ($loop++ <= $#recs )
{
($srcip,$srcport,$destip,$destport,$pro)= split " " , @shortrecs[$loop];
if ("$destip" eq "$gatekeep")
{
if ($destport < $ITRUSTABOVE )
{
# if index not found (ie < 0) then we have a low port attach to gatekeep
# that is not to a safer port (see top of this file)
# ie no ports 25 (smtp), 53 (dns) , 113 (ident), 123 (ntp), icmp
$where=index($saferports,$destport);
if ($where < 0)
{
$nameis=$services{$destport};
if ("$nameis" eq "" )
{
$nameis=$destport;
}
print " Warning: $srcip contacted gatekeep $nameis\n";
}
}
}
}
print "\n\n";
} # end of subroutine posbadones
sub toobusy_site {
$percsafe=1;
print "\n\n########################################################################\n";
print "# Sites sending > $percsafe % of all packets to gatekeep MAY be attacking/probing\n";
print "Trusted hosts are $safehosts\n";
print "\nTOTAL packets were $#recs \n";
print "########################################################################\n";
while(($ipadd,$numpacketsent)=each %numpacks)
{
$perc=$numpacketsent/$#recs*100;
if ($perc > $percsafe)
# dont believe safehosts are attacking!
{
$where=index($safehosts,$ipadd);
# if not found (ie < 0 then the source host IP address
# isn't in the saferhosts list, a list we trust......
if ($where < 0 )
{
printf "$ipadd sent %4.1f (\045) of all packets to gatekeep\n",$perc;
}
}
}
print "\n\n";
} # end of subroutine toobusy_site
############### END SUBROUTINE DECLARATIONS ###########
use Getopt::Std;
getopt('pfot');
if("$opt_t" eq "0")
{usage;print "\n---->ERROR: You must psecify the IP address of the interface that collected the data!\n";
exit;
}
if("$opt_h" eq "1")
{usage;exit 0};
if("$opt_H" eq "1")
{usage;exit 0};
if("$opt_v" eq "1")
{
$ITRUSTABOVE=1024;
$opt_s=1;
$opt_o=$ITRUSTABOVE;
print "\n" x 5;
print "NOTE: when the final section of the verbose report is generated\n";
print " every host IP address that contacted $gatekeep has \n";
print " a tally of how many times packets from a particular port on that host\n";
print " reached $gatekeep, and WHICH source port or source portname \n";
print " these packets originated from.\n";
print " Many non RFC obeying boxes do not use high ports and respond to requests from\n";
print " $gatekeep using reserved low ports... hence you'll see things like\n";
print " #### with 207.50.191.60 as the the source for packets ####\n";
print " 1 connections from topx to gatekeep\n\n\n\n";
}
if("$opt_o" eq "")
{usage;print "\n---->ERROR: Must specify lowest safe port name for incoming trafic\n";exit 0}
else
{
$ITRUSTABOVE=$opt_o;$opt_s=1;}
if("$opt_f" eq "")
{usage;print "\n---->ERROR: Must specify filename with -f \n";exit 0};
$FILENAME=$opt_f;
if("$opt_p" eq "")
{usage;print "\n---->ERROR: Must specify port number or 'all' with -p \n";exit 0};
# -p arg must be all or AN INTEGER in range 1<=N<=64K
if ("$opt_p" ne "all")
{
$_=$opt_p;
unless (/^[+-]?\d+$/)
{
usage;
print "\n---->ERROR: Must specify port number (1-64K) or 'all' with -p \n";
exit 0;
}
}
# if we get here then the port option is either 'all' or an integer...
# good enough.....
$lookat=$opt_p;
# -o arg must be all or AN INTEGER in range 1<=N<=64K
$_=$opt_o;
unless (/^[+-]?\d+$/)
{
usage;
print "\n---->ERROR: Must specify port number (1-64K) with -o \n";
exit 0;
}
#---------------------------------------------------------------------
%danger=();
%numpacks=();
$saferports="25 53 113 123 icmp";
$gatekeep="192.216.16.2";
#genmagic is 192.216.25.254
$safehosts="$gatekeep 192.216.25.254";
# load hash with service numbers versus names
# hash called $services
print "Creating hash of service names / numbers \n";
$SERV="./services";
open (INFILE, $SERV) || die "Cant open $SERV: $!n";
while(<INFILE>)
{
($servnum,$servname,$junk)=split(/ /,$_);
# chop off null trailing.....
$servname =~ s/\n$//;
$services{$servnum}=$servname;
}
print "Create hash of month numbers as month names\n";
%months=("01","January","02","February","03","March","04","April","05","May","06","June","07","July","08","August","09","September","10","October","11","November","12","December");
print "Reading log file into an array\n";
#$FILENAME="./ipfilter.log";
open (REC, $FILENAME) || die "Cant open $FILENAME: \n";
($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$junk)=stat REC;
print "Log file $FILENAME is $size bytes in size\n";
#each record is an element of array rec[] now
while(<REC>)
{
@recs[$numrec++]=$_;
}
# get list of UNIQUE source IP addresses now, records look like
# 192.216.25.254,62910 -> 192.216.16.2,113 PR tcp len 20 40 -R
# this is slow on big log files, about 1minute for every 2.5M log file
print "Making list of unique source IP addresses (1minute for every 2M log parsed)\n";
$loop=-1;
$where=-1;
while ($loop++ < $#recs )
{
# get the LHS = source IP address, need fiddle as icmp rcords are logged oddly
$bit=substr(@recs[$loop],39);
$bit =~ s/,/ /g;
($sourceip,$junkit)= split " " , $bit ;
# NOTE the . is the string concat command NOT + .......!!!!
$sourceip =~ split " ", $sourceip;
$where=index($allips,$sourceip);
# if not found (ie < 0, add it)
if ($where < 0 )
{
$allips = $allips . "$sourceip " ;
}
}
print "Put all unique ip addresses into a 1D array\n";
@allips=split " ", $allips;
#set loop back to -1 as first array element in recs is element 0 NOT 1 !!
print "Making compact array of logged entries\n";
$loop=-1;
$icmp=" icmp ";
$ptr=" -> ";
$lenst=" len ";
$numpackets=0;
while ($loop++ < $#recs )
{
# this prints from 39 char to EOR
$a=substr(@recs[$loop],39);
($srcip,$dummy,$destip,$dummy2,$dummy3,$dummy4,$lenicmp)= split " " , $a ;
# need to rewrite icmp ping records.... they dont have service numbers
$whereicmp=index($a,"PR icmp");
if($whereicmp > 0 )
{
$a = $srcip . $icmp . $ptr . $destip . $icmp . $icmp . $lenst . $lenicmp ;
}
# dump the "->" and commas from logging
$a =~ s/->//g;
$a =~ s/PR//g;
$a =~ s/,/ /g;
# shortrec has records that look like
# 209.24.1.217 123 192.216.16.2 123 udp len 20 76
@shortrecs[$loop]= "$a";
# count number packets from each IP address into hash
($srcip,$junk) = split " ","$a";
$numpackets=$numpacks{"$srcip"};
$numpackets++ ;
$numpacks{"$srcip"}=$numpackets;
}
# call sub to analyse packets by time
# @shortrecs has form 209.24.1.217 123 192.216.16.2 123 udp len 20 76
# @recs has form 27/07/1998 00:01:05.216596 le0 @0:2 L 192.216.21.16,2733 -> 192.216.16.2,53 PR udp len 20 62
packbytime($XMAX);
if("$opt_s" eq "1")
{
# call subroutine to scan for connections to ports on gatekeep
# other than those listed in saferports, connections to high
# ports are assumed OK.....
posbadones;
# call subroutine to print out which sites had sent more than
# a defined % of packets to gatekeep
toobusy_site;
}
# verbose reporting?
if ("$opt_v" eq "1")
{
$cnt=-1;
# loop over ALL unique IP source destinations
while ($cnt++ < $#allips)
{
%tally=();
%unknownsrcports=();
$uniqip=@allips[$cnt];
$loop=-1;
$value=0;
$value1=0;
$value2=0;
$value3=0;
$set="N";
while ($loop++ < $#recs )
{
# get src IP num, src port number,
# destination IP num, destnation port number,protocol
($srcip,$srcport,$destip,$destport,$pro)= split " " , @shortrecs[$loop];
# loop over all records for the machine $uniqip
# NOTE THE STRINGS ARE COMPARED WITH eq NOT cmp and NOT = !!!!
if( "$uniqip" eq "$srcip")
{
# look up hash of service names to get key... IF ITS NOT THERE THEN WHAT???
# its more than likely a request coming back in on a high port
# ....So...
# find out the destination port from the unknown (high) src port
# and tally these as they may be a port attack
if ("$srcport" eq "icmp")
{ $srcportnam="icmp";}
else
{
$srcportnam=$services{$srcport};
}
# try and get dest portname, if not there, leave it as the
# dest portnumber
if ("$destport" eq "icmp")
{ $destportnam="icmp";}
else
{
$destportnam=$services{$destport};
}
if ($destportnam eq "")
{
$destportnam=$destport;
}
if ($srcportnam eq "")
{
# increment number of times a (high)/unknown port has gone to destport
$value1=$unknownsrcports{$destportnam};
$value1++ ;
$unknownsrcports{$destportnam}=$value1;
}
else
{
# want tally(srcport) counter to be increased by 1
$value3=$tally{$srcportnam};
$value3++ ;
$tally{$srcportnam}=$value3;
}
}
}
# end of loop over ALL IP's
if ($set eq "N")
{
$set="Y";
print "\n#### with $uniqip as the the source for packets ####\n";
while(($key,$value)=each %tally)
{
if (not "$uniqip" eq "$gatekeep")
{
print "$value connections from $key to gatekeep\n";
}
else
{
print "$value connections from gatekeep to $key\n";
}
}
while(($key2,$value2)=each %unknownsrcports)
{
if (not "$uniqip" eq "$gatekeep")
{
print "$value2 high port connections to $key2 on gatekeep\n";
}
else
{
print "$value2 high port connections to $key2 from gatekeep\n";
}
}
}
# print if rests for UNIQIP IF flag is set to N then toggle flag
} # end of all IPs loop
} # end of if verbose option set block


@ -1,297 +0,0 @@
#!/usr/local/bin/perl
# isbgraph
# an example in not so hot perl programming....
# based around GraphMaker from Fabrizio Pivari
# A graph maker perl script
use GD;
use Getopt::Long;
$hr=0;
sub main{
$opt_conf="./graphmaker.cnf";
@elem=("NUMBERYCELLGRIDSIZE","MAXYVALUE","MINYVALUE","XCELLGRIDSIZE","XMAX",
"Data","Graph","Bar","Average","Graphnum","Title","Transparent","Rbgcolour",
"Gbgcolour","Bbgcolour","Rfgcolour","Gfgcolour","Bfgcolour","Rcolour",
"Gcolour","Bcolour","Racolour","Gacolour","Bacolour");
%option=(
NUMBERYCELLGRIDSIZE => '8',
MAXYVALUE => '7748',
MINYVALUE => '6500',
XCELLGRIDSIZE => '18',
XMAX => '1000',
Data => './graphmaker.dat',
Graph => './graphmaker.gif',
Bar => '1',
Average => '1',
Graphnum => '1',
Title => 'GraphMaker 2.1',
Transparent => 'yes',
Rbgcolour => '255',
Gbgcolour => '255',
Bbgcolour => '255',
Rfgcolour => '0',
Gfgcolour => '0',
Bfgcolour => '0',
Rcolour => '0',
Gcolour => '0',
Bcolour => '255',
Racolour => '255',
Gacolour => '255',
Bacolour => '0');
&GetOptions("conf=s","help") || &printusage ;
if ($opt_help) {&printusage};
open (CNF, $opt_conf) || die;
while (<CNF>) {
s/\t/ /g; #replace tabs by space
next if /^\s*\#/; #ignore comment lines
next if /^\s*$/; #ignore empty lines
foreach $elem (@elem)
{
if (/\s*$elem\s*:\s*(.*)/) { $option{$elem}=$1; }
}
}
close(CNF);
#########################################
#
#
#
# number datapoints/24 hours is 1440 (minutes)
#
# Split into N graphs where each graph has max of 240 datapoints (4 hours)
#
$barset=0;
$m=0;
$YGRIDSIZE = 400;
$YCELLGRIDSIZE = $YGRIDSIZE/$option{'NUMBERYCELLGRIDSIZE'};
$XINIT = 30;
$XEND = 8;
$YINIT =20;
$YEND = 20;
#$XGRIDSIZE = ($option{'XMAX'}*$option{'XCELLGRIDSIZE'});
#$XGRIDSIZE = (240*$option{'XCELLGRIDSIZE'});
$XGRIDSIZE = 620;
$XGIF = $XGRIDSIZE + $XINIT + $XEND;
$XGRAPH = $XGRIDSIZE + $XINIT;
$YGIF = $YGRIDSIZE + $YEND + $YINIT;
$YGRAPH = $YGRIDSIZE + $YINIT;
$RANGE=$option{'MAXYVALUE'}-$option{'MINYVALUE'};
$SCALE=$YGRIDSIZE/$RANGE;
# NEW IMAGE
$im=new GD::Image($XGIF,$YGIF);
$white=$im->colorAllocate(255,255,255);
$black=$im->colorAllocate(0,0,0);
$pink=$im->colorAllocate(255,153,153);
$red=$im->colorAllocate(255,0,0);
$blue=$im->colorAllocate(0,0,255);
$green=$im->colorAllocate(0,192,51);
$orange=$im->colorAllocate(255,102,0);
$pink=$im->colorAllocate(255,153,153);
$teal=$im->colorAllocate(51,153,153);
# gif background is $bg
$bg=$white;
$fg=$blue;
# LINE COLOUR HELP BY VAR $colour
$colour=$red;
$acolour=$yellow;
# GRID
if ($option{'Transparent'} eq "yes") {$im->transparent($bg)};
$im->filledRectangle(0,0,$XGIF,$YGIF,$bg);
# Dot style
# vertical markers on Y axis grid
$im->setStyle($fg,$bg,$bg,$bg);
for $i (0..$option{'XMAX'})
{
$xspace= $XINIT+$option{'XCELLGRIDSIZE'}*$i +$i;
# $im->line($xspace,$YINIT,$xspace,$YGRAPH,gdStyled);
$num = $i+1;
use integer;
{
$posis=$num - ($num/60)*60;
}
if ($posis eq 0)
{
$outhr=0;
$hr=($hr + 1) ;
$outhr=$hr+$option{'Graphnum'}*4;
# shift minutes coords to correct stat hour!
$im->string(gdMediumBoldFont,$xspace-3,$YGRAPH,"$outhr",$fg);
}
} # end of scan over X values (minutes)
$YCELLVALUE=($option{'MAXYVALUE'}-$option{'MINYVALUE'})/$option{'NUMBERYCELLGRIDSIZE'};
for $i (0..$option{'NUMBERYCELLGRIDSIZE'})
{
$num=$option{'MINYVALUE'}+$YCELLVALUE*($option{'NUMBERYCELLGRIDSIZE'}-$i);
$im->string(gdMediumBoldFont,0,$YINIT+$YCELLGRIDSIZE*$i -6,"$num",$fg);
}
$im->string(gdSmallFont,$XGRIDSIZE/2-80,0,$option{'Title'},$fg);
$odd_even = $option{'XCELLGRIDSIZE'}%2;
#odd
if ($odd_even eq 1) {$middle = $option{'XCELLGRIDSIZE'}/2 +0.5;}
else {$middle = $option{'XCELLGRIDSIZE'}/2 +0.5;}
# start reading data
# open (DATA,$option{'Data'}) || die "cant open $option{'Data'}";
# nextdata becomes Y on reading of second data set....
$nextdata="N";
@datafiles=("./in.dat" , "./out.dat" );
foreach ( @datafiles )
{
$m=0;
$count=0;
$i=0;
$fname=$_;
print "fname $fname\n";
# change entry for red in colour table to green for packets LEAVING target host
open (DATA,$_) || die "cant open $_";
print "$nextdata nextdata\n";
while (<DATA>)
{
/(.*):(.*)/;
if ($option{'Average'} eq 1) {$m+=$2;$i++;}
if ($count eq 0){$XOLD=$1;$YOLD=$2;$count=1;next}
$X=$1; $Y=$2;
# +($X-1) are the pixel of the line
$xspace= $XINIT+$option{'XCELLGRIDSIZE'}*($X-1) +($X-1);
$xspaceold= $XINIT+$option{'XCELLGRIDSIZE'}*($XOLD-1) +($XOLD-1);
$yspace= $YGRAPH-($Y-$option{'MINYVALUE'})*$SCALE;
$yspaceold= $YGRAPH-($YOLD-$option{'MINYVALUE'})*$SCALE;
$barset=$option{'Bar'};
if ($barset eq 0)
{
if($nextdata eq "Y")
{
#$im->line($XINIT,$YGRAPH,$X,$Y,$orange);
$im->line($xspaceold,$yspaceold,$xspace,$yspace,$green);
}
else
{
$im->line($xspaceold,$yspaceold,$xspace,$yspace,$red);
}
}
else
{
if ($1 eq 2)
{
$im->filledRectangle($xspaceold,$yspaceold,
$xspaceold+$middle,$YGRAPH,$colour);
$im->rectangle($xspaceold,$yspaceold,
$xspaceold+$middle,$YGRAPH,$fg);
}
else
{
$im->filledRectangle($xspaceold-$middle,$yspaceold,
$xspaceold+$middle,$YGRAPH,$colour);
$im->rectangle($xspaceold-$middle,$yspaceold,
$xspaceold+$middle,$YGRAPH,$fg);
}
}
$XOLD=$X; $YOLD=$Y;
} # end of while DATA loop
$im->line(500,40,530,40,$red);
$im->line(500,60,530,60,$green);
$im->string(gdSmallFont,535,35,"Packets IN",$fg);
$im->string(gdSmallFont,535,55,"Packets OUT",$fg);
if ($option{'Bar'} ne 0)
{
if ($X eq $option{'XMAX'})
{
$im->filledRectangle($xspace-$middle,$yspace,
$xspace,$YGRAPH,$colour);
$im->rectangle($xspace-$middle,$yspace,
$xspace,$YGRAPH,$fg);
}
else
{
$im->filledRectangle($xspace-$middle,$yspace,
$xspace+$middle,$YGRAPH,$colour);
$im->rectangle($xspace-$middle,$yspace,
$xspace+$middle,$YGRAPH,$fg);
}
}
close (DATA);
$nextdata="Y";
# TOP LEFT is 0,0 on GIF (image)
# origin of plot is xinit,yinit
# print "little line\n";
$im->line($xspace,$yspace,$xspace,$YGRAPH,$blue);
$im->line($xspace,$YGRAPH,$XINIT,$YGRAPH,$blue);
# (0,0) in cartesian space time=0 minutes, rate 0 packets/s
$im->line($XINIT,$YGRAPH,$XINIT,$YGRAPH,$blue);
$im->line($XINIT,$YGRAPH,$XINIT,$YGRAPH,$green);
} # close foreach loop on data file names
if ($option{'Average'} eq 1)
{
# Line style
$im->setStyle($acolour,$acolour,$acolour,$acolour,$bg,$bg,$bg,$bg);
$m=$m/$i;
$ym=$YGRAPH-($m-$option{'MINYVALUE'})*$SCALE;
$im->line($XINIT,$ym,$XGRAPH,$ym,gdStyled)
}
$im->line($XINIT,$YINIT,$XINIT,$YGRAPH,$fg);
$im->line($XINIT,$YINIT,$XGRAPH,$YINIT,$fg);
$im->line($XGRAPH,$YINIT,$XGRAPH,$YGRAPH,$fg);
$im->line($XINIT,$YGRAPH,$XGRAPH,$YGRAPH,$fg);
$im->string(gdSmallFont,$XGIF-335,$YGIF - 12,"Time of Day (hours)",$fg);
open (GRAPH,">$option{'Graph'}") || die "Error: Grafico.gif - $!\n";
print GRAPH $im -> gif;
close (GRAPH);
} # end of subroutine main
main;
exit(0);
sub printusage {
print <<USAGEDESC;
usage:
graphmaker [-options ...]
where options include:
-help print out this message
-conf file the configuration file (default graphmaker.cnf)
If you want to know more about this tool, you might want
to read the docs. They came together with graphmaker!
Home: http://www.geocities.com/CapeCanaveral/Lab/3469/graphmaker.html
USAGEDESC
exit(1);
}


@ -1,6 +0,0 @@
These shell scripts are provided "as is" by Ivan S. Bishop and any
express or implied warranties, including, but not limited to, the
implied warranties of merchantability and fitness for a particular
purpose are disclaimed.
Permission has been granted for their redistribution within this package.



@ -1,22 +0,0 @@
#!/usr/local/bin/perl
# reads stats and uptime for ip-filter for mrtg
# ron@rosie.18james.com, 2 Jan 2000
my $firewall = "IP Filter v3.3.3";
my($in_pkts,$out_pkts) = (0,0);
open(FW, "/sbin/ipfstat -hi|") || die "cannot open ipfstat -hi\n";
while (<FW>) {
$in_pkts += $1 if (/^(\d+)\s+pass\s+in\s+quick.*group\s+1\d0/);
}
close(FW);
open(FW, "/sbin/ipfstat -ho|") || die "cannot open ipfstat -ho\n";
while (<FW>) {
$out_pkts += $1 if (/^(\d+)\s+pass\s+out\s+quick.*group\s+1\d0/);
}
print "$in_pkts\n",
"$out_pkts\n";
my $uptime = `/usr/bin/uptime`;
$uptime =~ /^\s+(\d{1,2}:\d{2}..)\s+up\s+(\d+)\s+(......),/;
print "$2 $3\n",
"$firewall\n";


@ -1,210 +0,0 @@
#!/usr/bin/perl -w
#
# Written by Camiel Dobbelaar <cd@sentia.nl>, Aug-2000
# ipfmeta is in the Public Domain.
#
use strict;
use Getopt::Std;
## PROCESS COMMANDLINE
our($opt_v); $opt_v=1;
getopts('v:') || die "usage: ipfmeta [-v verboselevel] [objfile]\n";
my $verbose = $opt_v + 0;
my $objfile = shift || "ipf.objs";
my $MAXRECURSION = 10;
## READ OBJECTS
open(FH, "$objfile") || die "cannot open $objfile: $!\n";
my @tokens;
while (<FH>) {
chomp;
s/#.*$//; # remove comments
s/^\s+//; # compress whitespace
s/\s+$//;
next if m/^$/; # skip empty lines
push (@tokens, split);
}
close(FH) || die "cannot close $objfile: $!\n";
# link objects with their values
my $obj="";
my %objs;
while (@tokens) {
my $token = shift(@tokens);
if ($token =~ m/^\[([^]]*)\]$/) {
# new object
$obj = $1;
} else {
# new value
push(@{$objs{$obj}}, $token) unless ($obj eq "");
}
}
# sort objects: longest first
my @objs = sort { length($b) <=> length($a) } keys %objs;
## SUBSTITUTE OBJECTS WITH THEIR VALUES FROM STDIN
foreach (<STDIN>) {
foreach (expand($_, 0)) {
print;
}
}
## END
sub expand {
my $line = shift;
my $level = shift;
my @retlines = $line;
my $obj;
my $val;
# coarse protection
if ($level > $MAXRECURSION) {
print STDERR "ERR: recursion exceeds $MAXRECURSION levels\n";
return;
}
foreach $obj (@objs) {
if ($line =~ m/$obj/) {
@retlines = "";
if ($level < $verbose) {
# add metarule as a comment
push(@retlines, "# ".$line);
}
foreach $val (@{$objs{$obj}}) {
my $newline = $line;
$newline =~ s/$obj/$val/;
push(@retlines, expand($newline, $level+1));
}
last;
}
}
return @retlines;
}
__END__
=head1 NAME
B<ipfmeta> - use objects in IP filter files
=head1 SYNOPSIS
B<ipfmeta> [F<options>] [F<objfile>]
=head1 DESCRIPTION
B<ipfmeta> is used to simplify the maintenance of your IP filter
ruleset. It does this through the use of 'objects'. A matching
object gets replaced by its values at runtime. This is similar to
what a macro processor like m4 does.
B<ipfmeta> is specifically geared towards IP filter. It is line
oriented, if an object has multiple values, the line with the object
is duplicated and substituted for each value. It is also recursive,
an object may have another object as a value.
Rules to be processed are read from stdin, output goes to stdout.
The verbose option allows for the inclusion of the metarules in the
output as comments.
Definition of the objects and their values is done in a separate
file, the filename defaults to F<ipf.objs>. An object is delimited
by square brackets. A value is delimited by whitespace. Comments
start with '#' and end with a newline. Empty lines and extraneous
whitespace are allowed. A value belongs to the first object that
precedes it.
It is recommended that you use all caps or another distinguishing
feature for object names. You can use B<ipfmeta> for NAT rules also,
for instance to keep them in sync with filter rules. Combine
B<ipfmeta> with a Makefile to save typing.
=head1 OPTIONS
=over 4
=item B<-v> I<verboselevel>
Include metarules in output as comments. Default is 1, the top level
metarules. Higher levels cause expanded metarules to be included.
Level 0 does not add comments at all.
=back
=head1 BUGS
A value can not have whitespace in it.
=head1 EXAMPLE
(this does not look good, formatted)
I<ipf.objs>
[PRIVATE] 10.0.0.0/8 127.0.0.0/8 172.16.0.0/12 192.168.0.0/16
[MULTICAST] 224.0.0.0/4
[UNWANTED] PRIVATE MULTICAST
[NOC] xxx.yy.zz.1/32 xxx.yy.zz.2/32
[WEBSERVERS] 192.168.1.1/32 192.168.1.2/32
[MGMT-PORTS] 22 23
I<ipf.metarules>
block in from UNWANTED to any
pass in from NOC to WEBSERVERS port = MGMT-PORTS
pass out all
I<Run>
ipfmeta ipf.objs <ipf.metarules >ipf.rules
I<Output>
# block in from UNWANTED to any
block in from 10.0.0.0/8 to any
block in from 127.0.0.0/8 to any
block in from 172.16.0.0/12 to any
block in from 192.168.0.0/16 to any
block in from 224.0.0.0/4 to any
# pass in from NOC to WEBSERVERS port = MGMT-PORTS
pass in from xxx.yy.zz.1/32 to 192.168.1.1/32 port = 22
pass in from xxx.yy.zz.1/32 to 192.168.1.1/32 port = 23
pass in from xxx.yy.zz.1/32 to 192.168.1.2/32 port = 22
pass in from xxx.yy.zz.1/32 to 192.168.1.2/32 port = 23
pass in from xxx.yy.zz.2/32 to 192.168.1.1/32 port = 22
pass in from xxx.yy.zz.2/32 to 192.168.1.1/32 port = 23
pass in from xxx.yy.zz.2/32 to 192.168.1.2/32 port = 22
pass in from xxx.yy.zz.2/32 to 192.168.1.2/32 port = 23
pass out all
=head1 AUTHOR
Camiel Dobbelaar <cd@sentia.nl>. B<ipfmeta> is in the Public Domain.
=cut


@ -1,181 +0,0 @@
#!perl.exe
# Author: Chris Grant
# Copyright 1999, Codetalker Communications, Inc.
#
# This script takes a firewall log and breaks it into several
# different files. Each file is named based on the service that
# runs on the port that was recognized in log line. After
# this script has run, you should end up with several files.
# Of course you will have the original log file and then files
# such as web.log, telnet.log, pop3.log, imap.log, backorifice.log,
# netbus.log, and unknown.log.
#
# The number of entries in unknown.log should be minimal. The
# mappings of the port numbers and file names are stored in the bottom
# of this file in the data section. Simply look at the ports being hit,
# find out what these ports do, and add them to the data section.
#
# You may be wondering why I haven't simply parsed RFC1700 to come up
# with a list of port numbers and files. The reason is that I don't
# believe reading firewall logs should be all that automated. You
# should be familiar with what probes are hitting your system. By
# manually adding entries to the data section this ensures that I
# have at least educated myself about what this protocol is, what
# the potential exposure is, and why you might be seeing this traffic.
%icmp = ();
%udp = ();
%tcp = ();
%openfiles = ();
$TIDBITSFILE = "unknown.log";
# Read the ports data from the end of this file and build the three hashes
while (<DATA>) {
chomp; # trim the newline
s/#.*//; # no comments
s/^\s+//; # no leading white
s/\s+$//; # no trailing white
next unless length; # anything left?
$_ = lc; # switch to lowercase
($proto, $identifier, $filename) = m/(\S+)\s+(\S+)\s+(\S+)/;
SWITCH: {
if ($proto =~ m/^icmp$/) { $icmp{$identifier} = $filename; last SWITCH; };
if ($proto =~ m/^udp$/) { $udp{$identifier} = $filename; last SWITCH; };
if ($proto =~ m/^tcp$/) { $tcp{$identifier} = $filename; last SWITCH; };
die "An unknown protocol listed in the proto defs\n$_\n";
}
}
$filename = shift;
unless (defined($filename)) { die "Usage: logfilter.pl <log file>\n"; }
open(LOGFILE, $filename) || die "Could not open the firewall log file.\n";
$openfiles{$filename} = "LOGFILE";
$linenum = 0;
while($line = <LOGFILE>) {
chomp($line);
$linenum++;
# determine the protocol - send to unknown.log if not found
SWITCH: {
($line =~ m /\sicmp\s/) && do {
#
# ICMP Protocol
#
# Extract the icmp packet information specifying the type.
#
# Note: Must check for ICMP first because this may be an ICMP reply
# to a TCP or UDP connection (eg Port Unreachable).
($icmptype) = $line =~ m/icmp (\d+)\/\d+/;
$filename = $TIDBITSFILE;
$filename = $icmp{$icmptype} if (defined($icmp{$icmptype}));
last SWITCH;
};
($line =~ m /\stcp\s/) && do {
#
# TCP Protocol
#
# extract the source and destination ports and compare them to
# known ports in the tcp hash. For the first match, place this
# line in the file specified by the tcp hash. Ignore one of the
# port matches if both ports happen to be known services.
($sport, $dport) = $line =~ m/\d+\.\d+\.\d+\.\d+,(\d+) -> \d+\.\d+\.\d+\.\d+,(\d+)/;
#print "$line\n" unless (defined($sport) && defined($dport));
$filename = $TIDBITSFILE;
$filename = $tcp{$sport} if (defined($tcp{$sport}));
$filename = $tcp{$dport} if (defined($tcp{$dport}));
last SWITCH;
};
($line =~ m /\sudp\s/) && do {
#
# UDP Protocol - same procedure as with TCP, different hash
#
($sport, $dport) = $line =~ m/\d+\.\d+\.\d+\.\d+,(\d+) -> \d+\.\d+\.\d+\.\d+,(\d+)/;
$filename = $TIDBITSFILE;
$filename = $udp{$sport} if (defined($udp{$sport}));
$filename = $udp{$dport} if (defined($udp{$dport}));
last SWITCH;
};
#
# The default case is that the protocol was unknown
#
$filename = $TIDBITSFILE;
}
#
# write the line to the appropriate file as determined above
#
# check for filename in the openfiles hash. if it exists then write
# to the given handle. otherwise open a handle to the file and add
# it to the hash of open files.
if (defined($openfiles{$filename})) {
$handle = $openfiles{$filename};
} else {
$handle = "HANDLE" . keys %openfiles;
open ($handle, ">>".$filename) || die "Couldn't open|create the file $filename";
$openfiles{$filename} = $handle;
}
print $handle "#$linenum\t $line\n";
}
# close all open file handles
foreach $key (keys %openfiles) {
close($openfiles{$key});
}
close(LOGFILE);
__DATA__
icmp 3 destunreach.log
icmp 8 ping.log
icmp 9 router.log
icmp 10 router.log
icmp 11 ttl.log
tcp 23 telnet.log
tcp 25 smtp.log
udp 25 smtp.log
udp 53 dns.log
tcp 80 http.log
tcp 110 pop3.log
tcp 111 rpc.log
udp 111 rpc.log
tcp 137 netbios.log
udp 137 netbios.log
tcp 143 imap.log
udp 161 snmp.log
udp 370 backweb.log
udp 371 backweb.log
tcp 443 https.log
udp 443 https.log
udp 512 syslog.log
tcp 635 nfs.log # NFS mount services
udp 635 nfs.log # NFS mount services
tcp 1080 socks.log
udp 1080 socks.log
tcp 6112 games.log # Battle net
tcp 6667 irc.log
tcp 7070 realaudio.log
tcp 8080 http.log
tcp 12345 netbus.log
udp 31337 backorifice.log



@ -1,520 +0,0 @@
#
# (C)opyright 1993-1996 by Darren Reed.
#
# See the IPFILTER.LICENCE file for details on licencing.
#
POOLDEP=../ip_lookup.c ../ip_lookup.h ../ip_pool.c ../ip_pool.h \
../ip_htable.c ../ip_htable.h ../ip_dstlist.c ../ip_dstlist.h \
../tools/ippool_y.y
BINDEST=/usr/local/bin
SBINDEST=/sbin
MANDIR=/usr/share/man
all: expected.d results tests
expected.d:
(cd expected; make)
results:
mkdir -p results
tests: ipf nat logtests ipv6 pools
ipf: patests ftests
nat: intests ntests nitests
first:
-mkdir -p results
# Filtering tests
ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f24 f25 f26 f27 f28 f29 f30
# Rule parsing tests
patests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 i17 i18 i19 \
i20 i21 i22 i23
ntests: n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14 n15 n16 n17 n18 n100 n101 n102 n103 n104 n105 n106 n200
ntests6: n1_6 n2_6 n4_6 n5_6 n6_6 n7_6 n8_6 n9_6 n11_6 n12_6 n15_6
nitests: ni1 ni2 ni3 ni4 ni5 ni6 ni7 ni8 ni9 ni10 ni11 ni12 ni13 ni14 ni15 \
ni16 ni17 ni18 ni19 ni20 ni21 ni23
intests: in1 in2 in3 in4 in5 in6 in7 in8 in100 in101 in102
logtests: l1
pools: p1 p2 p3 p4 p5 p6 p7 p9 p10 p11 p12 p13 ip1 ip2 ip3
ipv6: ipv6.1 ipv6.2 ipv6.3 ipv6.4 ipv6.5 ipv6.6 ntests6
bpf: bpf1 bpf-f1
f1: expected/f1 input/f1 regress/f1
@/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
f2: expected/f2 input/f2 regress/f2
@/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
f3: expected/f3 input/f3 regress/f3
@/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
f4: expected/f4 input/f4 regress/f4
@/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
f5: expected/f5 input/f5 regress/f5
@/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
f6: expected/f6 input/f6 regress/f6
@/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
f7: expected/f7 input/f7 regress/f7
@/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
f8: expected/f8 input/f8 regress/f8
@/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
f9: expected/f9 input/f9 regress/f9
@/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
f10: expected/f10 input/f10 regress/f10
@/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
f11: expected/f11 input/f11 regress/f11
@/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
f12: expected/f12 input/f12 regress/f12
@/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
f13: expected/f13 input/f13 regress/f13
@/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
f14: expected/f14 input/f14 regress/f14
@/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
f19: expected/f15 input/f15 regress/f15
@/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
f15: expected/f15 input/f15 regress/f15
@/bin/sh ./mtest `awk "/^$@ / { print; } " test.format`
f16: expected/f16 input/f16 regress/f16
@/bin/sh ./mtest `awk "/^$@ / { print; } " test.format`
f17: expected/f17 input/f17 regress/f17
@/bin/sh ./mtest `awk "/^$@ / { print; } " test.format`
f18: expected/f18 input/f18 regress/f18
@/bin/sh ./mtest `awk "/^$@ / { print; } " test.format`
f20: expected/f20 input/f20 regress/f20
@/bin/sh ./mtest `awk "/^$@ / { print; } " test.format`
f21: expected/f21 input/f21 regress/f21
@/bin/sh ./mtest `awk "/^$@ / { print; } " test.format`
f22: expected/f22 input/f22 regress/f22
@/bin/sh ./mtest `awk "/^$@ / { print; } " test.format`
f24: expected/f24 input/f24 regress/f24
@/bin/sh ./mtest `awk "/^$@ / { print; } " test.format`
f25: expected/f25 input/f25 regress/f25
@/bin/sh ./mtest `awk "/^$@ / { print; } " test.format`
f26: expected/f26 input/f26 regress/f26
@/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
f27: expected/f27 input/f27 regress/f27
@/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
f28: expected/f28 input/f28 regress/f28.ipf regress/f28.pool $(POOLDEP)
@/bin/sh ./ptest `awk "/^$@ / { print; } " test.format`
f29: expected/f29 input/f29 regress/f29.ipf regress/f29.pool $(POOLDEP)
@/bin/sh ./ptest `awk "/^$@ / { print; } " test.format`
f30: expected/f30 input/f30 regress/f30
@/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
i1: expected/i1 regress/i1
@/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
i2: expected/i2 regress/i2
@/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
i3: expected/i3 regress/i3
@/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
i4: expected/i4 regress/i4
@/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
i5: expected/i5 regress/i5
@/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
i6: expected/i6 regress/i6
@/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
i7: expected/i7 regress/i7
@/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
i8: expected/i8 regress/i8
@/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
i9: expected/i9 regress/i9
@/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
i10: expected/i10 regress/i10
@/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
i11: expected/i11 regress/i11
@/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
i12: expected/i12 regress/i12
@/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
i13: expected/i13 regress/i13
@/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
i14: expected/i14 regress/i14
@/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
i15: expected/i15 regress/i15
@/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
i16: expected/i16 regress/i16
@/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
i17: expected/i17 regress/i17
@/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
i18: expected/i18 regress/i18
@/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
i19: expected/i19 regress/i19
@/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
i20: expected/i20 regress/i20
@/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
i21: expected/i21 regress/i21
@/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
i22: expected/i22 regress/i22
@/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
i23: expected/i23 regress/i23
@/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
bpf1: expected/bpf1 regress/bpf1
@/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
n1: expected/n1 regress/n1 input/n1
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n2: expected/n2 regress/n2 input/n2
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n3: expected/n3 regress/n3 input/n3
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n4: expected/n4 regress/n4 input/n4
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n5: expected/n5 regress/n5 input/n5
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n6: expected/n6 regress/n6 input/n6
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n7: expected/n7 regress/n7 input/n7
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n8: expected/n8 regress/n8 input/n8
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n9: expected/n9 regress/n9 input/n9
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n10: expected/n10 regress/n10 input/n10
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n11: expected/n11 regress/n11 input/n11
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n12: expected/n12 regress/n12 input/n12
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n13: expected/n13 regress/n13 input/n13
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n14: expected/n14 regress/n14 input/n14
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n15: expected/n15 regress/n15 input/n15
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n16: expected/n16 regress/n16 input/n16
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n17: expected/n17 regress/n17 input/n17
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n18: expected/n18 regress/n18 input/n18
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n100: expected/n100 regress/n100 input/n100
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n101: expected/n101 regress/n101 input/n101
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n102: expected/n102 regress/n102 input/n102
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n103: expected/n103 regress/n103 input/n103
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n104: expected/n104 regress/n104 input/n104
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n105: expected/n105 regress/n105 input/n105
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n106: expected/n106 regress/n106 input/n106
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n200: expected/n200 regress/n200 input/n200
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n1_6: expected/n1_6 regress/n1_6 input/n1_6
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n2_6: expected/n2_6 regress/n2_6 input/n2_6
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n4_6: expected/n4_6 regress/n4_6 input/n4_6
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n5_6: expected/n5_6 regress/n5_6 input/n5_6
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n6_6: expected/n6_6 regress/n6_6 input/n6_6
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n7_6: expected/n7_6 regress/n7_6 input/n7_6
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n8_6: expected/n8_6 regress/n8_6 input/n8_6
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n9_6: expected/n9_6 regress/n9_6 input/n9_6
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n11_6: expected/n11_6 regress/n11_6 input/n11_6
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n12_6: expected/n12_6 regress/n12_6 input/n12_6
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
n15_6: expected/n15_6 regress/n15_6 input/n15_6
@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
ni2: expected/ni2 input/ni2 regress/ni2.nat regress/ni2.ipf
@/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
ni3: expected/ni3 input/ni3 regress/ni3.nat regress/ni3.ipf
@/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
ni4: expected/ni4 input/ni4 regress/ni4.nat regress/ni4.ipf
@/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
ni5: expected/ni5 input/ni5 regress/ni5.nat regress/ni5.ipf
@/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
ni7: expected/ni7 input/ni7 regress/ni7.nat regress/ni7.ipf
@/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
ni8: expected/ni8 input/ni8 regress/ni8.nat regress/ni8.ipf
@/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
ni9: expected/ni9 input/ni9 regress/ni9.nat regress/ni9.ipf
@/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
ni10: expected/ni10 input/ni10 regress/ni10.nat regress/ni10.ipf
@/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
ni11: expected/ni11 input/ni11 regress/ni11.nat regress/ni11.ipf
@/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
ni12: expected/ni12 input/ni12 regress/ni12.nat regress/ni12.ipf
@/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
ni13: expected/ni13 input/ni13 regress/ni13.nat regress/ni13.ipf
@/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
ni14: expected/ni14 input/ni14 regress/ni14.nat regress/ni14.ipf
@/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
ni15: expected/ni15 input/ni15 regress/ni15.nat regress/ni15.ipf
@/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
ni16: expected/ni16 input/ni16 regress/ni16.nat regress/ni16.ipf
@/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
ni19: expected/ni19 input/ni19 regress/ni19.nat regress/ni19.ipf
@/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
ni20: expected/ni20 input/ni20 regress/ni20.nat regress/ni20.ipf
@/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
ni1: expected/ni1 input/ni1 regress/ni1.nat regress/ni1.ipf
@/bin/sh ./natipftest multi `awk "/^$@ / { print; } " test.format`
ni6: expected/ni6 input/ni6 regress/ni6.nat regress/ni6.ipf
@/bin/sh ./natipftest multi `awk "/^$@ / { print; } " test.format`
ni17: expected/ni17 input/ni17 regress/ni17.nat regress/ni17.ipf
@/bin/sh ./natipftest multi `awk "/^$@ / { print; } " test.format`
ni18: expected/ni18 input/ni18 regress/ni18.nat regress/ni18.ipf
@/bin/sh ./natipftest multi `awk "/^$@ / { print; } " test.format`
ni21: expected/ni21 input/ni21 regress/ni21.nat regress/ni21.ipf
@/bin/sh ./natipftest multi `awk "/^$@ / { print; } " test.format`
ni23: expected/ni23 input/ni23 regress/ni23.nat regress/ni23.ipf
@/bin/sh ./natipftest multi `awk "/^$@ / { print; } " test.format`
in1: expected/in1 regress/in1
@/bin/sh ./intest `awk "/^$@ / { print; } " test.format`
in2: expected/in2 regress/in2
@/bin/sh ./intest `awk "/^$@ / { print; } " test.format`
in3: expected/in3 regress/in3
@/bin/sh ./intest `awk "/^$@ / { print; } " test.format`
in4: expected/in4 regress/in4
@/bin/sh ./intest `awk "/^$@ / { print; } " test.format`
in5: expected/in5 regress/in5
@/bin/sh ./intest `awk "/^$@ / { print; } " test.format`
in6: expected/in6 regress/in6
@/bin/sh ./intest `awk "/^$@ / { print; } " test.format`
in7: expected/in7 regress/in7
@/bin/sh ./intest `awk "/^$@ / { print; } " test.format`
in8: expected/in8 regress/in8
@/bin/sh ./intest `awk "/^$@ / { print; } " test.format`
in100: expected/in100 regress/in100
@/bin/sh ./intest `awk "/^$@ / { print; } " test.format`
in101: expected/in101 regress/in101
@/bin/sh ./intest `awk "/^$@ / { print; } " test.format`
in102: expected/in102 regress/in102
@/bin/sh ./intest `awk "/^$@ / { print; } " test.format`
l1:
@/bin/sh ./logtest `awk "/^$@ / { print; } " test.format`
ipv6.1: expected/ipv6.1 input/ipv6.1 regress/ipv6.1
@/bin/sh ./dotest6 `awk "/^$@ / { print; } " test.format`
ipv6.2: expected/ipv6.2 input/ipv6.2 regress/ipv6.2
@/bin/sh ./dotest6 `awk "/^$@ / { print; } " test.format`
ipv6.3: expected/ipv6.3 input/ipv6.3 regress/ipv6.3
@/bin/sh ./dotest6 `awk "/^$@ / { print; } " test.format`
ipv6.4: expected/ipv6.4 input/ipv6.4 regress/ipv6.4
@/bin/sh ./dotest6 `awk "/^$@ / { print; } " test.format`
ipv6.5: expected/ipv6.5 input/ipv6.5 regress/ipv6.5
@/bin/sh ./dotest6 `awk "/^$@ / { print; } " test.format`
ipv6.6: expected/ipv6.6 input/ipv6.6 regress/ipv6.6
@/bin/sh ./dotest6 `awk "/^$@ / { print; } " test.format`
p1: expected/p1 input/p1 regress/p1.ipf regress/p1.pool $(POOLDEP)
@/bin/sh ./ptest `awk "/^$@ / { print; } " test.format`
p2: expected/p2 input/p2 regress/p2.ipf $(POOLDEP)
@/bin/sh ./ptest `awk "/^$@ / { print; } " test.format`
p3: expected/p3 input/p3 regress/p3.ipf regress/p3.pool $(POOLDEP)
@/bin/sh ./ptest `awk "/^$@ / { print; } " test.format`
p4: expected/p4 input/p4 regress/p4.nat regress/p4.pool $(POOLDEP)
@/bin/sh ./ptest `awk "/^$@ / { print; } " test.format`
p5: expected/p5 input/p5 regress/p5.ipf regress/p5.pool $(POOLDEP)
@/bin/sh ./ptest `awk "/^$@ / { print; } " test.format`
p6: expected/p6 input/p6 regress/p6.ipf regress/p6.pool $(POOLDEP)
@/bin/sh ./ptest `awk "/^$@ / { print; } " test.format`
p7: expected/p7 input/p7 regress/p7.nat regress/p7.pool $(POOLDEP)
@/bin/sh ./ptest `awk "/^$@ / { print; } " test.format`
p9: expected/p9 input/p9 regress/p9.nat regress/p9.pool $(POOLDEP)
@/bin/sh ./ptest `awk "/^$@ / { print; } " test.format`
p10: expected/p10 input/p10 regress/p10.nat regress/p10.pool $(POOLDEP)
@/bin/sh ./ptest `awk "/^$@ / { print; } " test.format`
p11: expected/p11 input/p11 regress/p11.nat regress/p11.pool $(POOLDEP)
@/bin/sh ./ptest `awk "/^$@ / { print; } " test.format`
p12: expected/p12 input/p12 regress/p12.nat regress/p12.pool $(POOLDEP)
@/bin/sh ./ptest `awk "/^$@ / { print; } " test.format`
p13: expected/p13 input/p13 regress/p13.ipf regress/p13.pool $(POOLDEP)
@/bin/sh ./ptest `awk "/^$@ / { print; } " test.format`
ip1: expected/ip1 regress/ip1 $(POOLDEP)
@/bin/sh ./iptest `awk "/^$@ / { print; } " test.format`
ip2: expected/ip2 input/ip2.data regress/ip2 $(POOLDEP)
@/bin/sh ./iptest `awk "/^$@ / { print; } " test.format`
ip3: expected/ip3 regress/ip3 $(POOLDEP)
@/bin/sh ./iptest `awk "/^$@ / { print; } " test.format`
bpf-f1: expected/bpf-f1 regress/bpf-f1
/bin/sh ./bpftest `awk "/^$@ / { print; } " test.format`
clean:
/bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17
/bin/rm -f f18 f19 f20 f21 f22 f24 f25 f26 f27 f28 f29
/bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 i17
/bin/rm -f i18 i19 i20 i21 i22 i23
/bin/rm -f n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14 n15 n16 n17 n18 n100 n101 n102 n103 n104 n105 n106 n200
/bin/rm -f n1_6 n2_6 n4_6 n5_6 n6_6 n7_6 n8_6 n9_6 n11_6 n12_6 n15_6
/bin/rm -f ni1 ni2 ni3 ni4 ni5 ni6 ni7 ni8 ni9
/bin/rm -f ni10 ni11 ni12 ni13 ni14 ni15 ni16 ni17 ni18 ni19 ni20 ni21 ni23
/bin/rm -f in1 in2 in3 in4 in5 in6 in7 in100 in101 in102
/bin/rm -f p1 p2 p3 p4 p5 p6 p7 p9 p10 p11 p12 p13 ip1 ip2 ip3
/bin/rm -f l1
/bin/rm -f ipv6.1 ipv6.2 ipv6.3 ipv6.4 ipv6.5 ipv6.6
/bin/rm -f bpf1 bpf-f1
/bin/rm -f results/* logout
(cd expected; make clean)
diffs:
-cd expected; for i in *; do if [ -f $$i -a ! -f ../$$i -a -f ../results/$$i ] ; then diff -c $$i ../results/$$i >> ../diff.out; fi done
n6s:
for i in 1 2 4 5 6 7 11 13 14 15; do \
sh i4to6 < input/n$${i} > input/n$${i}_6; \
sh e4to6 < regress/n$${i} > regress/n$${i}_6; \
sh e4to6 < expected/n$${i} > expected/n$${i}_6; \
done
for i in 8 9 10 12 17; do \
sh e4to6 < regress/n$${i} > regress/n$${i}_6; \
perl h4to6 < input/n$${i} > input/n$${i}_6; \
done


@ -1,30 +0,0 @@
The contents of this directory sub tree is dedicated to regression testing
of IPFilter.
The tests are broken down into these groups:
f - filter rule tests
i - parsing & printing test of ipf rules
in - parsing & printing test of ipnat rules
ipv6 - ipv6 filter rule tests
l - logging test
n - NAT testing
ni - combined NAT & IPF tests
TEST
f1 - block/pass, in/out.
f2 - proto
f3 - from IP#
f4 - to #IP
f5 - source port
f6 - destination port
f7 - icmp-type, code
f8 - flags
f9 - ipoptions
f10 - ipoptions
f11 - keep frag/state
f12 - short/frag
f13 - keep frag/state (fragmented packets)
f14 - from !host, to !host
f15 - groups
f16 - skip
f17 - TCP state transition on flags


@ -1,19 +0,0 @@
#!/bin/sh
name=$1
. ./ipflib.sh
test_init
echo "$name...";
input=`expr $name : 'bpf-\(.*\)'`
/bin/cp /dev/null results/$name
( while read rule; do
echo "$rule" | ../ipftest -Rbr - -i input/$input >> results/$name
if [ $? -ne 0 ] ; then
exit 1;
fi
echo "--------" >> results/$name
done ) < regress/$name
check_results $name
exit $status


@ -1,33 +0,0 @@
#!/bin/sh
name=$1
format=$2
output=$3
tuning=$4
. ./ipflib.sh
test_init
if [ "$tuning" != "" ] ; then
case $tuning in
-*)
;;
*)
tuning="-T $tuning"
;;
esac
fi
echo "${name}...";
n=1
/bin/cp /dev/null results/${name}
( while read rule; do
set_core $name $n
echo "$rule" | ../ipftest -F $format -Rbr - -i input/${name} $tuning>> results/${name} &
back=$!
wait $back
test_end_leak $?
n=`expr $n + 1`
echo "--------" >> results/${name}
done ) < regress/${name}
check_results $name
exit $status


@ -1,35 +0,0 @@
#!/bin/sh
format=$2
mkdir -p results
if [ -f /usr/ucb/touch ] ; then
TOUCH=/usr/ucb/touch
else
if [ -f /usr/bin/touch ] ; then
TOUCH=/usr/bin/touch
else
if [ -f /bin/touch ] ; then
TOUCH=/bin/touch
fi
fi
fi
echo "$1...";
/bin/cp /dev/null results/$1
../ipftest -6 -r /dev/null -i /dev/null >/dev/null 2>&1
if [ $? -ne 0 ] ; then
echo "skipping IPv6 tests"
$TOUCH $1
exit 0
fi
( while read rule; do
echo "$rule" | ../ipftest -F $format -6br - -i input/$1 >> results/$1;
if [ $? -ne 0 ] ; then
exit 1;
fi
echo "--------" >> results/$1
done ) < regress/$1
cmp expected/$1 results/$1
status=$?
if [ $status = 0 ] ; then
$TOUCH $1
fi
exit $status


@ -1,61 +0,0 @@
sed \
-e 's/192.168.126.0/c0a8:7e00::/' \
-e 's/\/32/\/128/g' \
-e 's/\/24/\/112/g' \
-e 's/\/16/\/32/g' \
-e 's/10\.2\.0\.0/10::2:0:0/g' \
-e 's/1\.\([0-9]\)\.\([0-9]\)\.\([0-9]\)/1:0:0:0:0:\1:\2:\3/g' \
-e 's/2\.\([0-9]\)\.\([0-9]\)\.\([0-9]\)/2:0:0:0:0:\1:\2:\3/g' \
-e 's/4\.\([0-9]\)\.\([0-9]\)\.\([0-9]\)/4:\1:\2:0:0:0:0:\3/g' \
-e 's/3\.\([0-9]\)\.\([0-9]\)\.\([0-9]\)/3:0:\1:0:0:0:\2:\3/g' \
-e 's/5\.\([0-9]\)\.\([0-9]\)\.\([0-9]\)/5:\1:0:0:0:0:\2:\3/g' \
-e 's/9\.\([0-9]\)\.\([0-9]\)\.\([0-9]\)/9:\1:\2:0:0:0:0:\3/g' \
-e 's/10\.1\.\([0-9]\)\.\([0-9]\)/10:1:\1:0:0:0:0:\2/g' \
-e 's/10\.10\.\([0-9]*\)\.\([0-9]\)/10:10:\1:0:0:0:0:\2/g' \
-e 's/10\.2\.\([0-9]\)\.\([0-9]\)/10:0:0:0:0:2:\1:\2/g' \
-e 's/10\.4\.3\.\([0-9]\)/10:4:3:0:0:0:0:\1/g' \
-e 's/10\.3\.4\.\([0-9]\)/10:0:0:0:0:3:4:\1/g' \
-e 's/10\.3\.\([0-9]\)\.\([0-9]\)/10:3:\1:0:0:0:0:\2/g' \
-e 's/0\.0\.0\.0/any/g' \
-e 's/ 0\/0 / any /g' \
-e 's/ip #0/ip6\/0/' \
-e 's/40(20) 6 /20 0 6 /' \
-e 's/28(20) 17 /8 0 17 /' \
-e 's/20(20) 0 /1 0 41 /' \
-e 's/48(20) 1 /88 0 58 /g' \
-e 's/20(20) 34 /1 0 34 /g' \
-e 's/20(20) 35 /1 0 35 /g' \
-e 's/20(20) 255 /1 0 255 /g' \
-e 's/ */ /g' | sed \
-e '/use/s/:0:0:0:0:/::/g' \
-e '/map/s/:0:0:0:0:/::/g' \
-e '/rdr/s/:0:0:0:0:/::/g' \
-e '/map/s/:0:0:0:/::/g' \
-e '/rdr/s/:0:0:0:/::/g' \
-e '/MAP/s/:0:0:0:0:0:/::/g' \
-e '/RDR/s/:0:0:0:0:0:/::/g' \
-e '/MAP/s/:0:0:0:0:/::/g' \
-e '/RDR/s/:0:0:0:0:/::/g' \
-e '/MAP/s/:0:0:0:/::/g' \
-e '/RDR/s/:0:0:0:/::/g' \
| sed \
-e '/MAP/s/ \([0-9][0-9][0-9][0-9]\) / \1 /g' \
-e '/MAP/s/ \([0-9][0-9][0-9]\) / \1 /g' \
-e '/MAP/s/ \([0-9][0-9]\) / \1 /g' \
-e '/RDR/s/ \([0-9][0-9][0-9][0-9]\) / \1 /g' \
-e '/RDR/s/ \([0-9][0-9][0-9]\) / \1 /g' \
-e '/RDR/s/ \([0-9][0-9]\) / \1 /g' \
-e 's/::0:0\//::\//g' \
-e 's/:0:0\//::\//g' \
-e 's/::0\([^:0-9]\)/::\1/g' \
-e 's/::0,/::,/g' \
-e 's/::0:0 \([^>]\)/:: \1/g' \
-e 's/:0:0 \([^>]\)/:: \1/g' \
-e 's/::0 \([^>]\)/:: \1/g' \
| sed \
-e 's@::\([0-9]*\)::/16@::/16@g' \
-e 's@::\([0-9]*\)::/32@::/32@g' \
-e 's@::\([0-9]*\)::@::\1:0:0@g' \
-e 's@::\([0-9]*\)::@::\1:0:0@g' \
-e 's@::[:0-9]*\([^0-9:]\)/16@::/16@g' \
-e 's@::[:0-9]*\([^0-9:]\)/32@::/32@g'


@ -1,41 +0,0 @@
#
# (C)opyright 2007 by Darren Reed.
#
# See the IPFILTER.LICENCE file for details on licencing.
#
all: i19
i19: i19.dist Makefile
-if [ "`grep LOG_SECURITY /usr/include/sys/syslog.h 2>&1`" = "" ] ; then \
if [ "`grep LOG_AUDIT /usr/include/sys/syslog.h 2>&1`" = "" ] ; then \
sed -e 's/security/!!!/g' i19.dist > i19.p1; \
else \
sed -e 's/security/audit/g' i19.dist > i19.p1; \
fi \
else \
/bin/cp i19.dist i19.p1; \
fi
-if [ "`grep LOG_AUTHPRIV /usr/include/sys/syslog.h 2>&1`" = "" ] ; then \
sed -e 's/authpriv/!!!/g' i19.p1 > i19.p2; \
else \
/bin/cp i19.p1 i19.p2; \
fi
-if [ "`grep LOG_LOGALERT /usr/include/sys/syslog.h 2>&1`" = "" ] ; then \
sed -e 's/logalert/!!!/g' i19.p2 > i19.p1; \
else \
/bin/cp i19.p2 i19.p1; \
fi
-if [ "`grep LOG_FTP /usr/include/sys/syslog.h 2>&1`" = "" ] ; then \
sed -e 's/ftp/!!!/g' i19.p1 > i19.p2; \
else \
/bin/cp i19.p1 i19.p2; \
fi
-if [ "`egrep 'LOG_CRON.*15' /usr/include/sys/syslog.h 2>&1`" != "" ] ; then \
sed -e 's/cron/cron2/g' i19.p2 > i19; \
else \
/bin/cp i19.p2 i19; \
fi
/bin/rm i19.p?
clean:
/bin/rm -f i19


@ -1,20 +0,0 @@
nomatch
pass
nomatch
nomatch
--------
nomatch
nomatch
nomatch
pass
--------
nomatch
nomatch
nomatch
nomatch
--------
nomatch
nomatch
nomatch
nomatch
--------


@ -1,4 +0,0 @@
pass in bpf-v4 { "0x20 0 0 0xc 0x15 0 0x1 0x1010101 0x6 0 0 0x60 0x6 0 0 0" }
pass out bpf-v4 { "0 0 0 0 0x20 0 0 0xc 0x15 0 0x1 0x1010101 0x6 0 0 0x1 0x6 0 0 0" }
pass in bpf-v4 { "0x20 0 0 0x10 0x15 0 0x1 0x1010101 0x6 0 0 0x60 0x6 0 0 0" }
pass out bpf-v4 { "0 0 0 0 0x20 0 0 0x10 0x15 0 0x1 0x1010101 0x6 0 0 0x1 0x6 0 0 0" }


@ -1,20 +0,0 @@
block
block
nomatch
nomatch
--------
pass
pass
nomatch
nomatch
--------
nomatch
nomatch
block
block
--------
nomatch
nomatch
pass
pass
--------


@ -1,126 +0,0 @@
nomatch
block
nomatch
nomatch
nomatch
nomatch
--------
pass
pass
pass
nomatch
nomatch
pass
--------
block
block
block
nomatch
nomatch
block
--------
pass
pass
pass
nomatch
nomatch
pass
--------
block
block
nomatch
nomatch
nomatch
block
--------
pass
pass
nomatch
nomatch
nomatch
pass
--------
block
block
block
block
block
block
--------
pass
pass
pass
pass
pass
pass
--------
nomatch
block
block
block
nomatch
block
--------
nomatch
pass
pass
pass
nomatch
pass
--------
nomatch
pass
nomatch
nomatch
nomatch
nomatch
--------
nomatch
block
block
block
block
block
--------
nomatch
pass
pass
pass
pass
pass
--------
block
block
nomatch
block
nomatch
block
--------
pass
pass
nomatch
pass
nomatch
pass
--------
block
block
block
block
block
block
--------
pass
pass
pass
pass
pass
pass
--------
block
block
block
nomatch
nomatch
block
--------


@ -1,283 +0,0 @@
pass
nomatch
nomatch
pass
pass
nomatch
pass
nomatch
pass
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
List of active MAP/Redirect filters:
List of active sessions:
Hostmap table:
List of active state sessions:
List of configured pools
List of configured hash tables
List of groups configured (set 0)
List of groups configured (set 1)
Rules configured (set 0, in)
1 pass in proto tcp from any to any port = 23 flags S/SA keep state
Rules configured (set 0, out)
Rules configured (set 1, in)
Rules configured (set 1, out)
Accounting rules configured (set 0, in)
Accounting rules configured (set 0, out)
Accounting rules configured (set 1, in)
Accounting rules configured (set 1, out)
--------
block
nomatch
nomatch
block
block
nomatch
block
nomatch
block
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
List of active MAP/Redirect filters:
List of active sessions:
Hostmap table:
List of active state sessions:
List of configured pools
List of configured hash tables
List of groups configured (set 0)
List of groups configured (set 1)
Rules configured (set 0, in)
1 block in proto tcp from any to any port = 23 flags S/SA keep state
Rules configured (set 0, out)
Rules configured (set 1, in)
Rules configured (set 1, out)
Accounting rules configured (set 0, in)
Accounting rules configured (set 0, out)
Accounting rules configured (set 1, in)
Accounting rules configured (set 1, out)
--------
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
pass
pass
nomatch
nomatch
nomatch
List of active MAP/Redirect filters:
List of active sessions:
Hostmap table:
List of active state sessions:
List of configured pools
List of configured hash tables
List of groups configured (set 0)
List of groups configured (set 1)
Rules configured (set 0, in)
2 pass in proto udp from any to any port = 53 keep frags
Rules configured (set 0, out)
Rules configured (set 1, in)
Rules configured (set 1, out)
Accounting rules configured (set 0, in)
Accounting rules configured (set 0, out)
Accounting rules configured (set 1, in)
Accounting rules configured (set 1, out)
--------
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
block
block
nomatch
nomatch
nomatch
List of active MAP/Redirect filters:
List of active sessions:
Hostmap table:
List of active state sessions:
List of configured pools
List of configured hash tables
List of groups configured (set 0)
List of groups configured (set 1)
Rules configured (set 0, in)
2 block in proto udp from any to any port = 53 keep frags
Rules configured (set 0, out)
Rules configured (set 1, in)
Rules configured (set 1, out)
Accounting rules configured (set 0, in)
Accounting rules configured (set 0, out)
Accounting rules configured (set 1, in)
Accounting rules configured (set 1, out)
--------
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
pass
pass
pass
nomatch
nomatch
List of active MAP/Redirect filters:
List of active sessions:
Hostmap table:
List of active state sessions:
4:udp src:2.2.2.2,2 dst:4.4.4.4,53 240
FWD: IN pkts 1 bytes 28 OUT pkts 0 bytes 0
REV: IN pkts 0 bytes 0 OUT pkts 0 bytes 0
tag 0 pass 0x2008402 = pass in keep state
interfaces: in X[e1],X[] out X[],X[]
Sync status: not synchronized
4:udp src:1.1.1.1,1 dst:4.4.4.4,53 24
FWD: IN pkts 1 bytes 28 OUT pkts 0 bytes 0
REV: IN pkts 1 bytes 28 OUT pkts 0 bytes 0
tag 0 pass 0x2008402 = pass in keep state
interfaces: in X[e1],X[e0] out X[],X[]
Sync status: not synchronized
List of configured pools
List of configured hash tables
List of groups configured (set 0)
List of groups configured (set 1)
Rules configured (set 0, in)
2 pass in proto udp from any to any port = 53 keep state
Rules configured (set 0, out)
Rules configured (set 1, in)
Rules configured (set 1, out)
Accounting rules configured (set 0, in)
Accounting rules configured (set 0, out)
Accounting rules configured (set 1, in)
Accounting rules configured (set 1, out)
--------
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
block
block
block
nomatch
nomatch
List of active MAP/Redirect filters:
List of active sessions:
Hostmap table:
List of active state sessions:
4:udp src:2.2.2.2,2 dst:4.4.4.4,53 240
FWD: IN pkts 1 bytes 28 OUT pkts 0 bytes 0
REV: IN pkts 0 bytes 0 OUT pkts 0 bytes 0
tag 0 pass 0x2008401 = block in keep state
interfaces: in X[e1],X[] out X[],X[]
Sync status: not synchronized
4:udp src:1.1.1.1,1 dst:4.4.4.4,53 24
FWD: IN pkts 1 bytes 28 OUT pkts 0 bytes 0
REV: IN pkts 1 bytes 28 OUT pkts 0 bytes 0
tag 0 pass 0x2008401 = block in keep state
interfaces: in X[e1],X[e0] out X[],X[]
Sync status: not synchronized
List of configured pools
List of configured hash tables
List of groups configured (set 0)
List of groups configured (set 1)
Rules configured (set 0, in)
2 block in proto udp from any to any port = 53 keep state
Rules configured (set 0, out)
Rules configured (set 1, in)
Rules configured (set 1, out)
Accounting rules configured (set 0, in)
Accounting rules configured (set 0, out)
Accounting rules configured (set 1, in)
Accounting rules configured (set 1, out)
--------
nomatch
nomatch
nomatch
nomatch
nomatch
pass
nomatch
pass
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
List of active MAP/Redirect filters:
List of active sessions:
Hostmap table:
List of active state sessions:
4:tcp src:1.1.1.1,1 dst:2.1.2.2,25 state:3/4 864000
2:66 4096<<0:16384<<0
FWD: IN pkts 1 bytes 40 OUT pkts 0 bytes 0
REV: IN pkts 1 bytes 40 OUT pkts 0 bytes 0
tag 0 pass 0x2008402 = pass in keep state
interfaces: in X[e0],X[e1] out X[],X[]
Sync status: not synchronized
List of configured pools
List of configured hash tables
List of groups configured (set 0)
List of groups configured (set 1)
Rules configured (set 0, in)
1 pass in on e0 proto tcp from any to any port = 25 keep state
Rules configured (set 0, out)
Rules configured (set 1, in)
Rules configured (set 1, out)
Accounting rules configured (set 0, in)
Accounting rules configured (set 0, out)
Accounting rules configured (set 1, in)
Accounting rules configured (set 1, out)
--------


@ -1,60 +0,0 @@
pass
pass
pass
bad-packet
nomatch
nomatch
bad-packet
nomatch
nomatch
--------
pass
pass
pass
bad-packet
nomatch
nomatch
bad-packet
nomatch
nomatch
--------
nomatch
nomatch
nomatch
bad-packet
block
nomatch
bad-packet
nomatch
nomatch
--------
nomatch
nomatch
block
bad-packet
block
nomatch
bad-packet
nomatch
nomatch
--------
nomatch
nomatch
nomatch
bad-packet
nomatch
nomatch
bad-packet
nomatch
pass
--------
nomatch
nomatch
nomatch
bad-packet
nomatch
nomatch
bad-packet
nomatch
block
--------


@ -1,180 +0,0 @@
pass
bad-packet
nomatch
pass
bad-packet
nomatch
nomatch
bad-packet
nomatch
bad-packet
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
block
bad-packet
nomatch
block
bad-packet
nomatch
nomatch
bad-packet
nomatch
bad-packet
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
nomatch
bad-packet
nomatch
nomatch
bad-packet
nomatch
nomatch
bad-packet
pass
bad-packet
nomatch
nomatch
pass
pass
pass
nomatch
nomatch
nomatch
nomatch
--------
nomatch
bad-packet
nomatch
nomatch
bad-packet
nomatch
nomatch
bad-packet
block
bad-packet
nomatch
nomatch
block
block
block
nomatch
nomatch
nomatch
nomatch
--------
block
bad-packet
nomatch
pass
bad-packet
nomatch
nomatch
bad-packet
nomatch
bad-packet
nomatch
nomatch
nomatch
nomatch
nomatch
pass
nomatch
pass
pass
--------
block
bad-packet
nomatch
block
bad-packet
nomatch
nomatch
bad-packet
nomatch
bad-packet
nomatch
nomatch
nomatch
nomatch
nomatch
block
nomatch
block
block
--------
nomatch
bad-packet
nomatch
nomatch
bad-packet
nomatch
nomatch
bad-packet
pass
bad-packet
nomatch
nomatch
nomatch
pass
pass
nomatch
nomatch
nomatch
nomatch
--------
block
bad-packet
nomatch
pass
bad-packet
nomatch
nomatch
bad-packet
nomatch
bad-packet
nomatch
nomatch
nomatch
nomatch
nomatch
pass
block
block
pass
--------
block
bad-packet
nomatch
pass
bad-packet
nomatch
nomatch
bad-packet
nomatch
bad-packet
nomatch
nomatch
nomatch
nomatch
nomatch
pass
pass
pass
pass
--------


@ -1,48 +0,0 @@
block
nomatch
block
block
block
--------
nomatch
nomatch
nomatch
nomatch
nomatch
--------
nomatch
nomatch
nomatch
nomatch
nomatch
--------
pass
nomatch
nomatch
pass
pass
--------
block
nomatch
nomatch
nomatch
block
--------
nomatch
nomatch
nomatch
nomatch
nomatch
--------
nomatch
block
block
block
block
--------
nomatch
nomatch
nomatch
nomatch
nomatch
--------


@ -1,9 +0,0 @@
block return-rst
pass
block return-icmp
pass
block
nomatch
pass
pass
--------


@ -1,9 +0,0 @@
block
block
pass
block
pass
pass
block
block
--------


@ -1,7 +0,0 @@
pass
block return-rst
pass
pass
pass
pass
--------


@ -1,27 +0,0 @@
pass
pass
pass
pass
List of active MAP/Redirect filters:
List of active sessions:
Hostmap table:
List of active state sessions:
List of configured pools
List of configured hash tables
List of groups configured (set 0)
List of groups configured (set 1)
Rules configured (set 0, in)
2 pass in inet from 1.1.1.1/32 to any
Rules configured (set 0, out)
2 pass out inet from 2.2.2.2/32 to any
Rules configured (set 1, in)
Rules configured (set 1, out)
Accounting rules configured (set 0, in)
1 count in inet from 1.1.1.1/32 to 3.3.3.3/32
Accounting rules configured (set 0, out)
Accounting rules configured (set 1, in)
1 count out inet from 2.2.2.2/32 to 4.4.4.4/32
Accounting rules configured (set 1, out)
--------


@ -1,10 +0,0 @@
pass
pass
pass
nomatch
--------
pass
nomatch
nomatch
nomatch
--------


@ -1,42 +0,0 @@
block
block
nomatch
nomatch
nomatch
nomatch
--------
pass
pass
nomatch
nomatch
nomatch
nomatch
--------
nomatch
nomatch
block
block
nomatch
nomatch
--------
nomatch
nomatch
pass
pass
nomatch
nomatch
--------
nomatch
nomatch
nomatch
nomatch
block
block
--------
nomatch
nomatch
nomatch
nomatch
pass
pass
--------


@ -1,3 +0,0 @@
pass
nomatch
--------


@ -1,5 +0,0 @@
pass
pass
nomatch
nomatch
--------


@ -1,5 +0,0 @@
pass
pass
nomatch
nomatch
--------


@ -1,5 +0,0 @@
pass
pass
pass
pass
--------


@ -1,35 +0,0 @@
pass
pass
pass
List of active MAP/Redirect filters:
List of active sessions:
Hostmap table:
List of active state sessions:
4:udp src:192.168.1.235,8008 dst:239.255.255.250,1900 240
FWD: IN pkts 1 bytes 129 OUT pkts 0 bytes 0
REV: IN pkts 0 bytes 0 OUT pkts 0 bytes 0
tag 0 pass 0x2008402 = pass in keep state
interfaces: in X[hme0],X[] out X[],X[]
Sync status: not synchronized
4:udp src:192.168.1.235,8008 dst:192.168.1.254,1900 24
FWD: IN pkts 1 bytes 129 OUT pkts 0 bytes 0
REV: IN pkts 0 bytes 0 OUT pkts 1 bytes 264
tag 0 pass 0x2008402 = pass in keep state
interfaces: in X[hme0],X[] out X[],X[hme0]
Sync status: not synchronized
List of configured pools
List of configured hash tables
List of groups configured (set 0)
List of groups configured (set 1)
Rules configured (set 0, in)
2 pass in on hme0 proto udp from any to any with mcast keep state
Rules configured (set 0, out)
Rules configured (set 1, in)
Rules configured (set 1, out)
Accounting rules configured (set 0, in)
Accounting rules configured (set 0, out)
Accounting rules configured (set 1, in)
Accounting rules configured (set 1, out)
--------


@ -1,84 +0,0 @@
pass
pass
pass
pass
pass
pass
nomatch
pass
pass
nomatch
pass
pass
nomatch
--------
pass
nomatch
nomatch
nomatch
pass
pass
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
pass
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
pass
pass
pass
pass
pass
pass
nomatch
pass
pass
nomatch
pass
pass
nomatch
--------
pass
nomatch
nomatch
nomatch
pass
pass
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
pass
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------


@ -1,90 +0,0 @@
pass
pass
pass
pass
pass
pass
nomatch
pass
pass
nomatch
pass
pass
nomatch
nomatch
--------
pass
nomatch
nomatch
nomatch
pass
pass
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
pass
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
pass
pass
pass
pass
pass
pass
nomatch
pass
pass
nomatch
pass
pass
nomatch
nomatch
--------
pass
nomatch
nomatch
nomatch
pass
pass
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
pass
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
pass
--------


@ -1,32 +0,0 @@
block
block
block
> nic0 ip #0 20(20) 0 4.4.3.1 > 4.2.3.2
pass
> nic1 ip #0 20(20) 0 4.4.1.1 > 4.2.1.2
pass
> nic2 ip #0 20(20) 0 4.4.2.1 > 4.2.2.2
pass
> nic3 ip #0 20(20) 0 4.4.3.1 > 4.2.3.2
pass
List of active MAP/Redirect filters:
List of active sessions:
Hostmap table:
List of active state sessions:
List of configured pools
List of configured hash tables
List of groups configured (set 0)
List of groups configured (set 1)
Rules configured (set 0, in)
7 block in all
4 pass in on nic0 to dstlist/spread inet from 4.4.0.0/16 to any
Rules configured (set 0, out)
Rules configured (set 1, in)
Rules configured (set 1, out)
Accounting rules configured (set 0, in)
Accounting rules configured (set 0, out)
Accounting rules configured (set 1, in)
Accounting rules configured (set 1, out)
-------------------------------


@ -1,64 +0,0 @@
block
block
block
> nic0 ip #0 28(20) 17 4.4.3.1,1000 > 4.2.3.2,2000
pass
> nic0 ip #0 28(20) 17 4.4.3.1,1000 > 4.2.3.2,2000
pass
> nic1 ip #0 28(20) 17 4.4.1.1,1001 > 4.2.1.2,2001
pass
> nic1 ip #0 28(20) 17 4.4.1.1,1001 > 4.2.1.2,2001
pass
> nic2 ip #0 28(20) 17 4.4.2.1,1002 > 4.2.2.2,2002
pass
> nic2 ip #0 28(20) 17 4.4.2.1,1002 > 4.2.2.2,2002
pass
> nic3 ip #0 28(20) 17 4.4.3.1,1003 > 4.2.3.2,2003
pass
> nic3 ip #0 28(20) 17 4.4.3.1,1003 > 4.2.3.2,2003
pass
List of active MAP/Redirect filters:
List of active sessions:
Hostmap table:
List of active state sessions:
4:udp src:4.4.3.1,1003 dst:4.2.3.2,2003 240
FWD: IN pkts 2 bytes 56 OUT pkts 2 bytes 56
REV: IN pkts 0 bytes 0 OUT pkts 0 bytes 0
tag 0 pass 0x2008402 = pass in keep state
interfaces: in X[nic0],X[] out X[nic3],X[]
Sync status: not synchronized
4:udp src:4.4.2.1,1002 dst:4.2.2.2,2002 240
FWD: IN pkts 2 bytes 56 OUT pkts 2 bytes 56
REV: IN pkts 0 bytes 0 OUT pkts 0 bytes 0
tag 0 pass 0x2008402 = pass in keep state
interfaces: in X[nic0],X[] out X[nic2],X[]
Sync status: not synchronized
4:udp src:4.4.1.1,1001 dst:4.2.1.2,2001 240
FWD: IN pkts 2 bytes 56 OUT pkts 2 bytes 56
REV: IN pkts 0 bytes 0 OUT pkts 0 bytes 0
tag 0 pass 0x2008402 = pass in keep state
interfaces: in X[nic0],X[] out X[nic1],X[]
Sync status: not synchronized
4:udp src:4.4.3.1,1000 dst:4.2.3.2,2000 240
FWD: IN pkts 2 bytes 56 OUT pkts 2 bytes 56
REV: IN pkts 0 bytes 0 OUT pkts 0 bytes 0
tag 0 pass 0x2008402 = pass in keep state
interfaces: in X[nic0],X[] out X[nic0],X[]
Sync status: not synchronized
List of configured pools
List of configured hash tables
List of groups configured (set 0)
List of groups configured (set 1)
Rules configured (set 0, in)
7 block in all
4 pass in on nic0 to dstlist/spread inet from 4.4.0.0/16 to any keep state
Rules configured (set 0, out)
Rules configured (set 1, in)
Rules configured (set 1, out)
Accounting rules configured (set 0, in)
Accounting rules configured (set 0, out)
Accounting rules configured (set 1, in)
Accounting rules configured (set 1, out)
-------------------------------


@ -1,48 +0,0 @@
nomatch
block
nomatch
nomatch
nomatch
--------
nomatch
pass
nomatch
nomatch
nomatch
--------
nomatch
block
block
nomatch
nomatch
--------
nomatch
pass
pass
nomatch
nomatch
--------
nomatch
block
block
block
nomatch
--------
nomatch
pass
pass
pass
nomatch
--------
block
block
block
block
block
--------
pass
pass
pass
pass
pass
--------


@ -1,68 +0,0 @@
nomatch
nomatch
nomatch
pass
pass
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
pass
pass
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
nomatch
nomatch
nomatch
nomatch
nomatch
pass
nomatch
pass
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
pass
nomatch
nomatch
pass
nomatch
nomatch
--------


@ -1,48 +0,0 @@
nomatch
block
nomatch
nomatch
nomatch
--------
nomatch
pass
nomatch
nomatch
nomatch
--------
nomatch
block
block
nomatch
nomatch
--------
nomatch
pass
pass
nomatch
nomatch
--------
nomatch
block
block
block
nomatch
--------
nomatch
pass
pass
pass
nomatch
--------
block
block
block
block
block
--------
pass
pass
pass
pass
pass
--------




@ -1,144 +0,0 @@
block
block
block
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
pass
pass
pass
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
nomatch
nomatch
nomatch
nomatch
nomatch
block
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
nomatch
nomatch
nomatch
nomatch
nomatch
pass
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
block
block
block
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
pass
pass
pass
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
pass
pass
nomatch
nomatch
nomatch
nomatch
--------
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
pass
pass
nomatch
nomatch
--------
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
pass
pass
--------


@ -1,42 +0,0 @@
block
nomatch
nomatch
nomatch
nomatch
nomatch
--------
pass
nomatch
nomatch
nomatch
nomatch
nomatch
--------
block
nomatch
block
nomatch
nomatch
nomatch
--------
pass
nomatch
pass
nomatch
nomatch
nomatch
--------
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------


@ -1,180 +0,0 @@
block
block
block
block
block
block
block
block
block
--------
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
pass
pass
nomatch
--------
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
block
nomatch
--------
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
pass
nomatch
--------
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
nomatch
nomatch
block
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
nomatch
nomatch
pass
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
pass
pass
pass
pass
pass
pass
pass
pass
pass
--------
block
block
block
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
pass
pass
pass
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
--------
nomatch
nomatch
nomatch
nomatch
nomatch
nomatch
block
block
nomatch
--------


@ -1,17 +0,0 @@
pass in all
block out all
log in all
log body in all
count in from any to any
pass in from !any to any pps 10
block in from any to !any
pass in on ed0(!) inet from 127.0.0.1/32 to 127.0.0.1/32
pass in on ed0(!),vx0(!) inet from 127.0.0.1/32 to 127.0.0.1/32
block in log first on lo0(!) from any to any
pass in log body or-block quick from any to any
block return-rst in quick on le0(!) proto tcp from any to any
block return-icmp in on qe0(!) from any to any
block return-icmp(host-unr) in on qe0(!) from any to any
block return-icmp-as-dest in on le0(!) from any to any
block return-icmp-as-dest(port-unr) in on qe0(!) from any to any
pass out on longNICname0(!) inet from 254.220.186.152/32 to 254.220.186.152/32


@ -1,5 +0,0 @@
pass in inet from 127.0.0.1/32 to 127.0.0.1/32 with opt sec
pass in inet from 127.0.0.1/32 to 127.0.0.1/32 with opt lsrr not opt sec
block in inet from any to any with not opt sec-class topsecret
block in inet from any to any with not opt sec-class topsecret,secret
pass in inet from any to any with opt sec-class topsecret,confid not opt sec-class unclass
